Change explicit FIPS indicator for RSA decryption to unapproved
Resolves: rhbz#2179379 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang
parent
1bd2a0cee3
commit
0dea6db970
@ -21,9 +21,9 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|||||||
---
|
---
|
||||||
include/openssl/core_names.h | 2 ++
|
include/openssl/core_names.h | 2 ++
|
||||||
include/openssl/evp.h | 4 +++
|
include/openssl/evp.h | 4 +++
|
||||||
.../implementations/asymciphers/rsa_enc.c | 31 +++++++++++++++++++
|
.../implementations/asymciphers/rsa_enc.c | 24 +++++++++++++++
|
||||||
providers/implementations/kem/rsa_kem.c | 30 +++++++++++++++++-
|
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
|
||||||
4 files changed, 66 insertions(+), 1 deletion(-)
|
4 files changed, 59 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||||
index 832502a034..e15d208421 100644
|
index 832502a034..e15d208421 100644
|
||||||
@ -61,10 +61,10 @@ index ec2ba46fbd..3803b03422 100644
|
|||||||
const char *properties);
|
const char *properties);
|
||||||
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
|
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
|
||||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||||||
index 568452ec56..0a9adb4056 100644
|
index 568452ec56..2e7ea632d7 100644
|
||||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||||
@@ -399,6 +399,34 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
@@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||||
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
|
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
@ -73,23 +73,16 @@ index 568452ec56..0a9adb4056 100644
|
|||||||
+ if (p != NULL) {
|
+ if (p != NULL) {
|
||||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
+
|
+
|
||||||
+ if (prsactx->operation == EVP_PKEY_OP_ENCRYPT) {
|
|
||||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted
|
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||||
+ * third party (section 6.4.2.3.1) for the KTS-OAEP key transport
|
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
|
||||||
+ * scheme, but explicit key confirmation is not implemented here
|
+ * explicit key confirmation is not implemented here and cannot be
|
||||||
+ * and cannot be implemented without protocol changes, and the FIPS
|
+ * implemented without protocol changes, and the FIPS provider does not
|
||||||
+ * provider does not implement trusted third party validation,
|
+ * implement trusted third party validation, since it relies on its
|
||||||
+ * since it relies on its callers to do that. We must thus mark
|
+ * callers to do that. We must thus mark RSA-OAEP as unapproved until
|
||||||
+ * RSA-OAEP as unapproved until we have received clarification from
|
+ * we have received clarification from NIST on how library modules such
|
||||||
+ * NIST on how library modules such as OpenSSL should implement TTP
|
+ * as OpenSSL should implement TTP validation. */
|
||||||
+ * validation.
|
|
||||||
+ *
|
|
||||||
+ * This does not affect decryption, because it is approved as
|
|
||||||
+ * a component according to the FIPS 140-3 IG, section 2.4.G.
|
|
||||||
+ */
|
|
||||||
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
+ return 0;
|
+ return 0;
|
||||||
|
|||||||
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.0.7
|
Version: 3.0.7
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -507,6 +507,10 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 24 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-12
|
||||||
|
- Change explicit FIPS indicator for RSA decryption to unapproved
|
||||||
|
Resolves: rhbz#2179379
|
||||||
|
|
||||||
* Mon Mar 20 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-11
|
* Mon Mar 20 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-11
|
||||||
- Add missing reference to patchfile to add explicit FIPS indicator to RSA
|
- Add missing reference to patchfile to add explicit FIPS indicator to RSA
|
||||||
encryption and RSASVE and fix the gettable parameter list for the RSA
|
encryption and RSASVE and fix the gettable parameter list for the RSA
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user