From d237e7f3018f9e939f33fb4e9155f563fce0b3e3 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Fri, 21 Jan 2022 10:51:59 +0100
Subject: [PATCH] Restoring fips=yes to SHA-1

Related: rhbz#2026445
---
 0045-FIPS-services-minimize.patch | 9 ------
 0046-FIPS-permitsha1-hmac.patch | 52 -------------------------------
 openssl.spec | 4 +--
 3 files changed, 1 insertion(+), 64 deletions(-)
 delete mode 100644 0046-FIPS-permitsha1-hmac.patch

diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index e572d86..1c92bbe 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@@ -11,15 +11,6 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers
 extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
 int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
-@@ -241,7 +244,7 @@ static int fips_self_test(void *provctx)
- */
- static const OSSL_ALGORITHM fips_digests[] = {
- /* Our primary name:NiST name[:our older names] */
-- { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
-+ { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
- { PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
- { PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
- { PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
 @@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
 * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
 * KMAC128 and KMAC256.
diff --git a/0046-FIPS-permitsha1-hmac.patch b/0046-FIPS-permitsha1-hmac.patch
deleted file mode 100644
index cd302b7..0000000
--- a/0046-FIPS-permitsha1-hmac.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -up openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac openssl-3.0.0/providers/implementations/macs/hmac_prov.c
---- openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac 2022-01-13 12:11:19.547755685 +0100
-+++ openssl-3.0.0/providers/implementations/macs/hmac_prov.c 2022-01-13 12:49:50.538432459 +0100
-@@ -14,6 +14,7 @@
- #include "internal/deprecated.h"
-
- #include
-+#include
-
- #include
- #include
-@@ -305,13 +306,40 @@ static int hmac_set_ctx_params(void *vma
- struct hmac_data_st *macctx = vmacctx;
- OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
- const OSSL_PARAM *p;
-+#ifdef FIPS_MODULE
-+ const OSSL_PARAM *pdgst;
-+#endif
- int flags = 0;
-
- if (params == NULL)
- return 1;
-
-+#ifdef FIPS_MODULE
-+ /* Red Hat removes fips=yes property from SHA1, but it's still
-+ * included in FIPS provider and we want HMAC working with it */
-+ pdgst = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
-+ if (pdgst != NULL) {
-+ const char *dgstname;
-+
-+ if (pdgst->data_type != OSSL_PARAM_UTF8_STRING)
-+ return 0;
-+ dgstname = pdgst->data;
-+ if (dgstname != NULL) {
-+ if ((strncasecmp("SHA1", dgstname, 4) == 0)
-+ || (strncasecmp("SHA-1", dgstname, 5) == 0)) {
-+ if (ossl_prov_digest_fetch(&macctx->digest, ctx,
-+ "SHA1", "provider=fips,-fips") == NULL)
-+ return 0;
-+ } else {
-+ if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
-+ return 0;
-+ }
-+ }
-+ }
-+#else
- if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
- return 0;
-+#endif
-
- if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT,
- &flags))
diff --git a/openssl.spec b/openssl.spec
index 2cc2b70..c976131 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -67,8 +67,6 @@ Patch34: 0034.fipsinstall_disable.patch
 Patch35: 0035-speed-skip-unavailable-dgst.patch
 # Minimize fips services
 Patch45: 0045-FIPS-services-minimize.patch
-# Enable SHA1 HMAC in FIPS mode
-Patch46: 0046-FIPS-permitsha1-hmac.patch
 # Execute KATS before HMAC verification
 Patch47: 0047-FIPS-early-KATS.patch
@@ -218,7 +216,7 @@ export HASHBANGPERL=/usr/bin/perl
 # Do not run this in a production package the FIPS symbols must be patched-in
 #util/mkdef.pl crypto update
-make -s %{?_smp_mflags} all
+make %{?_smp_mflags} all
 # Clean up the .pc files
 for i in libcrypto.pc libssl.pc openssl.pc ; do
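Review bot: The switch from `make -s` to plain `make` in the second openssl.spec hunk is not explained anywhere; the commit message covers only the SHA-1 FIPS property, so this build-verbosity change looks unrelated to it. If the intent is to make each compiler and linker invocation visible in the build log (useful when auditing that hardening flags reach every object), record that next to the command, for example `# Verbose build: keep compiler/linker flags visible in the build log`. Otherwise it would be cleaner to land this in its own commit so the FIPS change can be reviewed and reverted independently. The surrounding build section and the `for` loop below continue outside the hunk.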