Restoring fips=yes to SHA-1

Related: rhbz#2026445
This commit is contained in:
Dmitry Belyavskiy 2022-01-21 10:51:59 +01:00
parent 9df33eabbe
commit d237e7f301
3 changed files with 1 additions and 64 deletions

View File

@ -11,15 +11,6 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers
extern OSSL_FUNC_core_thread_start_fn *c_thread_start; extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
@@ -241,7 +244,7 @@ static int fips_self_test(void *provctx)
*/
static const OSSL_ALGORITHM fips_digests[] = {
/* Our primary name:NiST name[:our older names] */
- { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
+ { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
{ PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
{ PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
{ PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests @@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256. * KMAC128 and KMAC256.

View File

@ -1,52 +0,0 @@
diff -up openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac openssl-3.0.0/providers/implementations/macs/hmac_prov.c
--- openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac 2022-01-13 12:11:19.547755685 +0100
+++ openssl-3.0.0/providers/implementations/macs/hmac_prov.c 2022-01-13 12:49:50.538432459 +0100
@@ -14,6 +14,7 @@
#include "internal/deprecated.h"
#include <string.h>
+#include <strings.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
@@ -305,13 +306,40 @@ static int hmac_set_ctx_params(void *vma
struct hmac_data_st *macctx = vmacctx;
OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
const OSSL_PARAM *p;
+#ifdef FIPS_MODULE
+ const OSSL_PARAM *pdgst;
+#endif
int flags = 0;
if (params == NULL)
return 1;
+#ifdef FIPS_MODULE
+ /* Red Hat removes fips=yes property from SHA1, but it's still
+ * included in FIPS provider and we want HMAC working with it */
+ pdgst = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
+ if (pdgst != NULL) {
+ const char *dgstname;
+
+ if (pdgst->data_type != OSSL_PARAM_UTF8_STRING)
+ return 0;
+ dgstname = pdgst->data;
+ if (dgstname != NULL) {
+ if ((strncasecmp("SHA1", dgstname, 4) == 0)
+ || (strncasecmp("SHA-1", dgstname, 5) == 0)) {
+ if (ossl_prov_digest_fetch(&macctx->digest, ctx,
+ "SHA1", "provider=fips,-fips") == NULL)
+ return 0;
+ } else {
+ if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
+ return 0;
+ }
+ }
+ }
+#else
if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
return 0;
+#endif
if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT,
&flags))

View File

@ -67,8 +67,6 @@ Patch34: 0034.fipsinstall_disable.patch
Patch35: 0035-speed-skip-unavailable-dgst.patch Patch35: 0035-speed-skip-unavailable-dgst.patch
# Minimize fips services # Minimize fips services
Patch45: 0045-FIPS-services-minimize.patch Patch45: 0045-FIPS-services-minimize.patch
# Enable SHA1 HMAC in FIPS mode
Patch46: 0046-FIPS-permitsha1-hmac.patch
# Execute KATS before HMAC verification # Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch Patch47: 0047-FIPS-early-KATS.patch
@ -218,7 +216,7 @@ export HASHBANGPERL=/usr/bin/perl
# Do not run this in a production package the FIPS symbols must be patched-in # Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update #util/mkdef.pl crypto update
make -s %{?_smp_mflags} all make %{?_smp_mflags} all
# Clean up the .pc files # Clean up the .pc files
for i in libcrypto.pc libssl.pc openssl.pc ; do for i in libcrypto.pc libssl.pc openssl.pc ; do