openssl/0093-FIPS-nodhx.patch

91 lines
3.8 KiB
Diff
Raw Normal View History

diff -up openssl-3.0.7/providers/fips/fipsprov.c.nodhx openssl-3.0.7/providers/fips/fipsprov.c
--- openssl-3.0.7/providers/fips/fipsprov.c.nodhx 2023-03-09 13:02:21.621694715 +0100
+++ openssl-3.0.7/providers/fips/fipsprov.c 2023-03-09 13:02:34.001791831 +0100
@@ -486,8 +486,8 @@ static const OSSL_ALGORITHM fips_keymgmt
#ifndef OPENSSL_NO_DH
{ PROV_NAMES_DH, FIPS_DEFAULT_PROPERTIES, ossl_dh_keymgmt_functions,
PROV_DESCS_DH },
- { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions,
- PROV_DESCS_DHX },
+/* { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions,
+ PROV_DESCS_DHX }, */
#endif
#ifndef OPENSSL_NO_DSA
/* We don't certify DSA in our FIPS provider */
diff -up openssl-3.0.7/test/endecode_test.c.nodhx openssl-3.0.7/test/endecode_test.c
--- openssl-3.0.7/test/endecode_test.c.nodhx 2023-03-09 13:39:10.826000162 +0100
+++ openssl-3.0.7/test/endecode_test.c 2023-03-09 13:41:26.533073598 +0100
@@ -1356,7 +1358,9 @@ int setup_tests(void)
#ifndef OPENSSL_NO_DH
TEST_info("Generating DH keys...");
MAKE_DOMAIN_KEYS(DH, "DH", NULL);
+if (is_fips == 0) {
MAKE_DOMAIN_KEYS(DHX, "X9.42 DH", NULL);
+}
#endif
#ifndef OPENSSL_NO_DSA
TEST_info("Generating DSA keys...");
@@ -1386,8 +1390,10 @@ int setup_tests(void)
#ifndef OPENSSL_NO_DH
ADD_TEST_SUITE(DH);
ADD_TEST_SUITE_PARAMS(DH);
+if (is_fips == 0) {
ADD_TEST_SUITE(DHX);
ADD_TEST_SUITE_PARAMS(DHX);
+}
/*
* DH has no support for PEM_write_bio_PrivateKey_traditional(),
* so no legacy tests.
@@ -1465,7 +1471,9 @@ void cleanup_tests(void)
#ifndef OPENSSL_NO_DH
FREE_DOMAIN_KEYS(DH);
+if (is_fips == 0) {
FREE_DOMAIN_KEYS(DHX);
+}
#endif
#ifndef OPENSSL_NO_DSA
FREE_DOMAIN_KEYS(DSA);
diff -up openssl-3.0.7/test/recipes/80-test_cms.t.nodhx openssl-3.0.7/test/recipes/80-test_cms.t
--- openssl-3.0.7/test/recipes/80-test_cms.t.nodhx 2023-03-09 13:31:36.851432859 +0100
+++ openssl-3.0.7/test/recipes/80-test_cms.t 2023-03-09 13:32:35.987888417 +0100
@@ -869,6 +869,8 @@ sub check_availability {
if ($no_ec2m && $tnam =~ /K-283/);
return "$tnam: skipped, DH disabled\n"
if ($no_dh && $tnam =~ /X9\.42/);
+ return "$tnam: skipped, DHX disabled in RHEL\n"
+ if ($provname eq 'fips' && $tnam =~ /X9\.42/);
return "$tnam: skipped, RC2 disabled\n"
if ($no_rc2 && $tnam =~ /RC2/);
return "$tnam: skipped, DES disabled\n"
diff -up openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx openssl-3.0.7/providers/implementations/exchange/dh_exch.c
--- openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx 2023-03-09 16:33:07.092040809 +0100
+++ openssl-3.0.7/providers/implementations/exchange/dh_exch.c 2023-03-09 16:42:30.594837565 +0100
@@ -102,6 +102,11 @@ static int dh_init(void *vpdhctx, void *
|| vdh == NULL
|| !DH_up_ref(vdh))
return 0;
+#ifdef FIPS_MODULE
+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(vdh),
+ DH_get0_q(vdh), DH_get0_g(vdh)) == NULL)
+ return 0;
+#endif
DH_free(pdhctx->dh);
pdhctx->dh = vdh;
pdhctx->kdf_type = PROV_DH_KDF_NONE;
diff -up openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c
--- openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx 2023-03-09 15:38:04.024555943 +0100
+++ openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c 2023-03-09 16:32:04.142490068 +0100
@@ -498,6 +499,11 @@ static int dh_gen_set_template(void *gen
if (!ossl_prov_is_running() || gctx == NULL || dh == NULL)
return 0;
+#ifdef FIPS_MODULE
+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(dh),
+ DH_get0_q(dh), DH_get0_g(dh)) == NULL)
+ return 0;
+#endif
gctx->ffc_params = ossl_dh_get0_params(dh);
return 1;
}