forked from rpms/openssl
Restoring fips=yes to SHA-1
Related: rhbz#2026445
This commit is contained in:
parent
9df33eabbe
commit
d237e7f301
@ -11,15 +11,6 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers
|
||||
|
||||
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
||||
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
||||
@@ -241,7 +244,7 @@ static int fips_self_test(void *provctx)
|
||||
*/
|
||||
static const OSSL_ALGORITHM fips_digests[] = {
|
||||
/* Our primary name:NiST name[:our older names] */
|
||||
- { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
|
||||
+ { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
|
||||
{ PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
|
||||
{ PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
|
||||
{ PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
|
||||
@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
|
||||
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
||||
* KMAC128 and KMAC256.
|
||||
|
@ -1,52 +0,0 @@
|
||||
diff -up openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac openssl-3.0.0/providers/implementations/macs/hmac_prov.c
|
||||
--- openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac 2022-01-13 12:11:19.547755685 +0100
|
||||
+++ openssl-3.0.0/providers/implementations/macs/hmac_prov.c 2022-01-13 12:49:50.538432459 +0100
|
||||
@@ -14,6 +14,7 @@
|
||||
#include "internal/deprecated.h"
|
||||
|
||||
#include <string.h>
|
||||
+#include <strings.h>
|
||||
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/core_names.h>
|
||||
@@ -305,13 +306,40 @@ static int hmac_set_ctx_params(void *vma
|
||||
struct hmac_data_st *macctx = vmacctx;
|
||||
OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
|
||||
const OSSL_PARAM *p;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ const OSSL_PARAM *pdgst;
|
||||
+#endif
|
||||
int flags = 0;
|
||||
|
||||
if (params == NULL)
|
||||
return 1;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Red Hat removes fips=yes property from SHA1, but it's still
|
||||
+ * included in FIPS provider and we want HMAC working with it */
|
||||
+ pdgst = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
|
||||
+ if (pdgst != NULL) {
|
||||
+ const char *dgstname;
|
||||
+
|
||||
+ if (pdgst->data_type != OSSL_PARAM_UTF8_STRING)
|
||||
+ return 0;
|
||||
+ dgstname = pdgst->data;
|
||||
+ if (dgstname != NULL) {
|
||||
+ if ((strncasecmp("SHA1", dgstname, 4) == 0)
|
||||
+ || (strncasecmp("SHA-1", dgstname, 5) == 0)) {
|
||||
+ if (ossl_prov_digest_fetch(&macctx->digest, ctx,
|
||||
+ "SHA1", "provider=fips,-fips") == NULL)
|
||||
+ return 0;
|
||||
+ } else {
|
||||
+ if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+#else
|
||||
if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
|
||||
return 0;
|
||||
+#endif
|
||||
|
||||
if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT,
|
||||
&flags))
|
@ -67,8 +67,6 @@ Patch34: 0034.fipsinstall_disable.patch
|
||||
Patch35: 0035-speed-skip-unavailable-dgst.patch
|
||||
# Minimize fips services
|
||||
Patch45: 0045-FIPS-services-minimize.patch
|
||||
# Enable SHA1 HMAC in FIPS mode
|
||||
Patch46: 0046-FIPS-permitsha1-hmac.patch
|
||||
# Execute KATS before HMAC verification
|
||||
Patch47: 0047-FIPS-early-KATS.patch
|
||||
|
||||
@ -218,7 +216,7 @@ export HASHBANGPERL=/usr/bin/perl
|
||||
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||
#util/mkdef.pl crypto update
|
||||
|
||||
make -s %{?_smp_mflags} all
|
||||
make %{?_smp_mflags} all
|
||||
|
||||
# Clean up the .pc files
|
||||
for i in libcrypto.pc libssl.pc openssl.pc ; do
|
||||
|
Loading…
Reference in New Issue
Block a user