forked from rpms/openssl
Restoring fips=yes to SHA-1
Related: rhbz#2026445
This commit is contained in:
parent
9df33eabbe
commit
d237e7f301
@ -11,15 +11,6 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers
|
|||||||
|
|
||||||
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
||||||
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
||||||
@@ -241,7 +244,7 @@ static int fips_self_test(void *provctx)
|
|
||||||
*/
|
|
||||||
static const OSSL_ALGORITHM fips_digests[] = {
|
|
||||||
/* Our primary name:NiST name[:our older names] */
|
|
||||||
- { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
|
|
||||||
+ { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
|
|
||||||
{ PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
|
|
||||||
{ PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
|
|
||||||
{ PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
|
|
||||||
@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
|
@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
|
||||||
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
||||||
* KMAC128 and KMAC256.
|
* KMAC128 and KMAC256.
|
||||||
|
@ -1,52 +0,0 @@
|
|||||||
diff -up openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac openssl-3.0.0/providers/implementations/macs/hmac_prov.c
|
|
||||||
--- openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac 2022-01-13 12:11:19.547755685 +0100
|
|
||||||
+++ openssl-3.0.0/providers/implementations/macs/hmac_prov.c 2022-01-13 12:49:50.538432459 +0100
|
|
||||||
@@ -14,6 +14,7 @@
|
|
||||||
#include "internal/deprecated.h"
|
|
||||||
|
|
||||||
#include <string.h>
|
|
||||||
+#include <strings.h>
|
|
||||||
|
|
||||||
#include <openssl/core_dispatch.h>
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
@@ -305,13 +306,40 @@ static int hmac_set_ctx_params(void *vma
|
|
||||||
struct hmac_data_st *macctx = vmacctx;
|
|
||||||
OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
|
|
||||||
const OSSL_PARAM *p;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ const OSSL_PARAM *pdgst;
|
|
||||||
+#endif
|
|
||||||
int flags = 0;
|
|
||||||
|
|
||||||
if (params == NULL)
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ /* Red Hat removes fips=yes property from SHA1, but it's still
|
|
||||||
+ * included in FIPS provider and we want HMAC working with it */
|
|
||||||
+ pdgst = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
|
|
||||||
+ if (pdgst != NULL) {
|
|
||||||
+ const char *dgstname;
|
|
||||||
+
|
|
||||||
+ if (pdgst->data_type != OSSL_PARAM_UTF8_STRING)
|
|
||||||
+ return 0;
|
|
||||||
+ dgstname = pdgst->data;
|
|
||||||
+ if (dgstname != NULL) {
|
|
||||||
+ if ((strncasecmp("SHA1", dgstname, 4) == 0)
|
|
||||||
+ || (strncasecmp("SHA-1", dgstname, 5) == 0)) {
|
|
||||||
+ if (ossl_prov_digest_fetch(&macctx->digest, ctx,
|
|
||||||
+ "SHA1", "provider=fips,-fips") == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+ } else {
|
|
||||||
+ if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#else
|
|
||||||
if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
|
|
||||||
return 0;
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT,
|
|
||||||
&flags))
|
|
@ -67,8 +67,6 @@ Patch34: 0034.fipsinstall_disable.patch
|
|||||||
Patch35: 0035-speed-skip-unavailable-dgst.patch
|
Patch35: 0035-speed-skip-unavailable-dgst.patch
|
||||||
# Minimize fips services
|
# Minimize fips services
|
||||||
Patch45: 0045-FIPS-services-minimize.patch
|
Patch45: 0045-FIPS-services-minimize.patch
|
||||||
# Enable SHA1 HMAC in FIPS mode
|
|
||||||
Patch46: 0046-FIPS-permitsha1-hmac.patch
|
|
||||||
# Execute KATS before HMAC verification
|
# Execute KATS before HMAC verification
|
||||||
Patch47: 0047-FIPS-early-KATS.patch
|
Patch47: 0047-FIPS-early-KATS.patch
|
||||||
|
|
||||||
@ -218,7 +216,7 @@ export HASHBANGPERL=/usr/bin/perl
|
|||||||
# Do not run this in a production package the FIPS symbols must be patched-in
|
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||||
#util/mkdef.pl crypto update
|
#util/mkdef.pl crypto update
|
||||||
|
|
||||||
make -s %{?_smp_mflags} all
|
make %{?_smp_mflags} all
|
||||||
|
|
||||||
# Clean up the .pc files
|
# Clean up the .pc files
|
||||||
for i in libcrypto.pc libssl.pc openssl.pc ; do
|
for i in libcrypto.pc libssl.pc openssl.pc ; do
|
||||||
|
Loading…
Reference in New Issue
Block a user