From 067b6b249b6e1aa666eae505d10bfa4c97116c41 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 2 May 2022 17:42:54 +0200
Subject: [PATCH] When FIPS provider is in use, we forbid only some padding
 modes

Resolves: rhbz#2053289
---
 0058-FIPS-limit-rsa-encrypt.patch | 132 ++++++++++++++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 0058-FIPS-limit-rsa-encrypt.patch

diff --git a/0058-FIPS-limit-rsa-encrypt.patch b/0058-FIPS-limit-rsa-encrypt.patch
new file mode 100644
index 0000000..5bda17e
--- /dev/null
+++ b/0058-FIPS-limit-rsa-encrypt.patch
@@ -0,0 +1,132 @@
+diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c
+--- openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad	2022-05-02 16:04:47.000091901 +0200
++++ openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c	2022-05-02 16:14:50.922443581 +0200
+@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsac
+     return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
+ }
+ 
++# ifdef FIPS_MODULE
++static int fips_padding_allowed(const PROV_RSA_CTX *prsactx)
++{
++    if (prsactx->pad_mode == RSA_PKCS1_PADDING
++        || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING)
++        return 0;
++
++    return 1;
++}
++# endif
++
+ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+                        size_t outsize, const unsigned char *in, size_t inlen)
+ {
+@@ -141,6 +152,13 @@ static int rsa_encrypt(void *vprsactx, u
+     if (!ossl_prov_is_running())
+         return 0;
+ 
++# ifdef FIPS_MODULE
++    if (fips_padding_allowed(prsactx) == 0) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
++        return 0;
++    }
++# endif
++
+     if (out == NULL) {
+         size_t len = RSA_size(prsactx->rsa);
+ 
+@@ -202,6 +220,13 @@ static int rsa_decrypt(void *vprsactx, u
+     if (!ossl_prov_is_running())
+         return 0;
+ 
++# ifdef FIPS_MODULE
++    if (fips_padding_allowed(prsactx) == 0) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
++        return 0;
++    }
++# endif
++
+     if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
+         if (out == NULL) {
+             *outlen = SSL_MAX_MASTER_KEY_LENGTH;
+diff -up openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_cms.t
+--- openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad	2022-05-02 17:04:07.610782138 +0200
++++ openssl-3.0.1/test/recipes/80-test_cms.t	2022-05-02 17:06:03.595814620 +0200
+@@ -232,7 +232,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
++    [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+         "-aes256", "-stream", "-out", "{output}.cms",
+         $smrsa1,
+@@ -865,5 +865,8 @@ sub check_availability {
+     return "$tnam: skipped, DSA disabled\n"
+         if ($no_dsa && $tnam =~ / DSA/);
+ 
++    return "$tnam: skipped, Red Hat FIPS\n"
++        if ($tnam =~ /no Red Hat FIPS/);
++
+     return "";
+ }
+diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.no_bad_pad openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.no_bad_pad	2022-05-02 17:16:00.408148809 +0200
++++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt	2022-05-02 17:17:34.351988456 +0200
+@@ -248,12 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
+ Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+ 
+ # RSA decrypt
+-
++Availablein = default
+ Decrypt = RSA-2048
+ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
+ Output = "Hello World"
+ 
+ # Corrupted ciphertext
++Availablein = default
+ Decrypt = RSA-2048
+ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
+ Output = "Hello World"
+diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_ssl_old.t
+--- openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad	2022-05-02 17:26:37.962838053 +0200
++++ openssl-3.0.1/test/recipes/80-test_ssl_old.t	2022-05-02 17:34:20.297950449 +0200
+@@ -483,6 +483,18 @@ sub testssl {
+             # the default choice if TLSv1.3 enabled
+             my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
+             my $ciphersuites = "";
++            my %redhat_skip_cipher = map {$_ => 1} qw(
++AES256-GCM-SHA384:@SECLEVEL=0
++AES256-CCM8:@SECLEVEL=0
++AES256-CCM:@SECLEVEL=0
++AES128-GCM-SHA256:@SECLEVEL=0
++AES128-CCM8:@SECLEVEL=0
++AES128-CCM:@SECLEVEL=0
++AES256-SHA256:@SECLEVEL=0
++AES128-SHA256:@SECLEVEL=0
++AES256-SHA:@SECLEVEL=0
++AES128-SHA:@SECLEVEL=0
++	    );
+             foreach my $cipher (@{$ciphersuites{$protocol}}) {
+                 if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
+                     note "*****SKIPPING $protocol $cipher";
+@@ -494,11 +506,16 @@ sub testssl {
+                     } else {
+                         $cipher = $cipher.':@SECLEVEL=0';
+                     }
+-                    ok(run(test([@ssltest, @exkeys, "-cipher",
+-                                 $cipher,
+-                                 "-ciphersuites", $ciphersuites,
+-                                 $flag || ()])),
+-                       "Testing $cipher");
++                    if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
++                        note "*****SKIPPING $cipher in Red Hat FIPS mode";
++                        ok(1);
++                    } else {
++                        ok(run(test([@ssltest, @exkeys, "-cipher",
++                                     $cipher,
++                                     "-ciphersuites", $ciphersuites,
++                                     $flag || ()])),
++                           "Testing $cipher");
++                    }
+                 }
+             }
+             next if $protocol eq "-tls1_3";