Adaptation of upstream patches disabling explicit EC parameters in FIPS mode
Resolves: rhbz#2058663
This commit is contained in:
parent
4dc19fe033
commit
1b2d08b2c2
77
0013-FIPS-provider-explicit-ec.patch
Normal file
77
0013-FIPS-provider-explicit-ec.patch
Normal file
@ -0,0 +1,77 @@
|
||||
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
index 78dc69082fab..8a86c9108d0d 100644
|
||||
--- a/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
@@ -470,9 +470,6 @@ int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
|
||||
&& (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
|
||||
return 0;
|
||||
- if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
|
||||
- && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
|
||||
- return 0;
|
||||
|
||||
tmpl = OSSL_PARAM_BLD_new();
|
||||
if (tmpl == NULL)
|
||||
diff --git a/test/recipes/15-test_ecparam.t b/test/recipes/15-test_ecparam.t
|
||||
index 766524e8cfa9..80bac6741290 100644
|
||||
--- a/test/recipes/15-test_ecparam.t
|
||||
+++ b/test/recipes/15-test_ecparam.t
|
||||
@@ -13,7 +13,7 @@ use warnings;
|
||||
use File::Spec;
|
||||
use File::Compare qw/compare_text/;
|
||||
use OpenSSL::Glob;
|
||||
-use OpenSSL::Test qw/:DEFAULT data_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT data_file srctop_file bldtop_dir/;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
setup("test_ecparam");
|
||||
@@ -25,7 +25,7 @@ my @valid = glob(data_file("valid", "*.pem"));
|
||||
my @noncanon = glob(data_file("noncanon", "*.pem"));
|
||||
my @invalid = glob(data_file("invalid", "*.pem"));
|
||||
|
||||
-plan tests => 11;
|
||||
+plan tests => 12;
|
||||
|
||||
sub checkload {
|
||||
my $files = shift; # List of files
|
||||
@@ -59,6 +59,8 @@ sub checkcompare {
|
||||
}
|
||||
}
|
||||
|
||||
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+
|
||||
subtest "Check loading valid parameters by ecparam with -check" => sub {
|
||||
plan tests => scalar(@valid);
|
||||
checkload(\@valid, 1, "ecparam", "-check");
|
||||
@@ -113,3 +115,31 @@ subtest "Check pkeyparam does not change the parameter file on output" => sub {
|
||||
plan tests => 2 * scalar(@valid);
|
||||
checkcompare(\@valid, "pkeyparam");
|
||||
};
|
||||
+
|
||||
+subtest "Check loading of fips and non-fips params" => sub {
|
||||
+ plan skip_all => "FIPS is disabled"
|
||||
+ if $no_fips;
|
||||
+ plan tests => 3;
|
||||
+
|
||||
+ my $fipsconf = srctop_file("test", "fips-and-base.cnf");
|
||||
+ my $defaultconf = srctop_file("test", "default.cnf");
|
||||
+
|
||||
+ $ENV{OPENSSL_CONF} = $fipsconf;
|
||||
+
|
||||
+ ok(run(app(['openssl', 'ecparam',
|
||||
+ '-in', data_file('valid', 'secp384r1-explicit.pem'),
|
||||
+ '-check'])),
|
||||
+ "Loading explicitly encoded valid curve");
|
||||
+
|
||||
+ ok(run(app(['openssl', 'ecparam',
|
||||
+ '-in', data_file('valid', 'secp384r1-named.pem'),
|
||||
+ '-check'])),
|
||||
+ "Loading named valid curve");
|
||||
+
|
||||
+ ok(!run(app(['openssl', 'ecparam',
|
||||
+ '-in', data_file('valid', 'secp112r1-named.pem'),
|
||||
+ '-check'])),
|
||||
+ "Fail loading named non-fips curve");
|
||||
+
|
||||
+ $ENV{OPENSSL_CONF} = $defaultconf;
|
||||
+};
|
421
0014-FIPS-disable-explicit-ec.patch
Normal file
421
0014-FIPS-disable-explicit-ec.patch
Normal file
@ -0,0 +1,421 @@
|
||||
diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
|
||||
index 9dc143c2ac69..4d6f2a76ad20 100644
|
||||
--- a/crypto/ec/ec_err.c
|
||||
+++ b/crypto/ec/ec_err.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -35,6 +35,8 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
|
||||
"discriminant is zero"},
|
||||
{ERR_PACK(ERR_LIB_EC, 0, EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),
|
||||
"ec group new by name failure"},
|
||||
+ {ERR_PACK(ERR_LIB_EC, 0, EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED),
|
||||
+ "explicit params not supported"},
|
||||
{ERR_PACK(ERR_LIB_EC, 0, EC_R_FAILED_MAKING_PUBLIC_KEY),
|
||||
"failed making public key"},
|
||||
{ERR_PACK(ERR_LIB_EC, 0, EC_R_FIELD_TOO_LARGE), "field too large"},
|
||||
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
|
||||
index 2aeab7e3b6b5..f686e45f899d 100644
|
||||
--- a/crypto/ec/ec_lib.c
|
||||
+++ b/crypto/ec/ec_lib.c
|
||||
@@ -1387,6 +1387,7 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
/*
|
||||
* Check if the explicit parameters group matches any built-in curves.
|
||||
*
|
||||
@@ -1424,7 +1425,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group,
|
||||
* parameters with one created from a named group.
|
||||
*/
|
||||
|
||||
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
/*
|
||||
* NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
|
||||
* the same curve, we prefer the SECP nid when matching explicit
|
||||
@@ -1432,7 +1433,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group,
|
||||
*/
|
||||
if (curve_name_nid == NID_wap_wsg_idm_ecid_wtls12)
|
||||
curve_name_nid = NID_secp224r1;
|
||||
-#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
|
||||
+# endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
|
||||
|
||||
ret_group = EC_GROUP_new_by_curve_name_ex(libctx, propq, curve_name_nid);
|
||||
if (ret_group == NULL)
|
||||
@@ -1467,6 +1468,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group,
|
||||
EC_GROUP_free(ret_group);
|
||||
return NULL;
|
||||
}
|
||||
+#endif /* FIPS_MODULE */
|
||||
|
||||
static EC_GROUP *group_new_from_name(const OSSL_PARAM *p,
|
||||
OSSL_LIB_CTX *libctx, const char *propq)
|
||||
@@ -1536,9 +1538,13 @@ int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[])
|
||||
EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
||||
OSSL_LIB_CTX *libctx, const char *propq)
|
||||
{
|
||||
- const OSSL_PARAM *ptmp, *pa, *pb;
|
||||
+ const OSSL_PARAM *ptmp;
|
||||
+ EC_GROUP *group = NULL;
|
||||
+
|
||||
+#ifndef FIPS_MODULE
|
||||
+ const OSSL_PARAM *pa, *pb;
|
||||
int ok = 0;
|
||||
- EC_GROUP *group = NULL, *named_group = NULL;
|
||||
+ EC_GROUP *named_group = NULL;
|
||||
BIGNUM *p = NULL, *a = NULL, *b = NULL, *order = NULL, *cofactor = NULL;
|
||||
EC_POINT *point = NULL;
|
||||
int field_bits = 0;
|
||||
@@ -1546,6 +1552,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
||||
BN_CTX *bnctx = NULL;
|
||||
const unsigned char *buf = NULL;
|
||||
int encoding_flag = -1;
|
||||
+#endif
|
||||
|
||||
/* This is the simple named group case */
|
||||
ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME);
|
||||
@@ -1559,6 +1566,10 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
||||
}
|
||||
return group;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ ERR_raise(ERR_LIB_EC, EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED);
|
||||
+ return NULL;
|
||||
+#else
|
||||
/* If it gets here then we are trying explicit parameters */
|
||||
bnctx = BN_CTX_new_ex(libctx);
|
||||
if (bnctx == NULL) {
|
||||
@@ -1623,10 +1634,10 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
||||
/* create the EC_GROUP structure */
|
||||
group = EC_GROUP_new_curve_GFp(p, a, b, bnctx);
|
||||
} else {
|
||||
-#ifdef OPENSSL_NO_EC2M
|
||||
+# ifdef OPENSSL_NO_EC2M
|
||||
ERR_raise(ERR_LIB_EC, EC_R_GF2M_NOT_SUPPORTED);
|
||||
goto err;
|
||||
-#else
|
||||
+# else
|
||||
/* create the EC_GROUP structure */
|
||||
group = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
|
||||
if (group != NULL) {
|
||||
@@ -1636,7 +1647,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
-#endif /* OPENSSL_NO_EC2M */
|
||||
+# endif /* OPENSSL_NO_EC2M */
|
||||
}
|
||||
|
||||
if (group == NULL) {
|
||||
@@ -1733,4 +1744,5 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
||||
BN_CTX_free(bnctx);
|
||||
|
||||
return group;
|
||||
+#endif /* FIPS_MODULE */
|
||||
}
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index c4a94f955905..41df7127403c 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -553,6 +553,7 @@ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
|
||||
EC_R_DECODE_ERROR:142:decode error
|
||||
EC_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero
|
||||
EC_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure
|
||||
+EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED:127:explicit params not supported
|
||||
EC_R_FAILED_MAKING_PUBLIC_KEY:166:failed making public key
|
||||
EC_R_FIELD_TOO_LARGE:143:field too large
|
||||
EC_R_GF2M_NOT_SUPPORTED:147:gf2m not supported
|
||||
diff --git a/include/crypto/ecerr.h b/include/crypto/ecerr.h
|
||||
index 07b6c7aa62dd..4658ae8fb2cd 100644
|
||||
--- a/include/crypto/ecerr.h
|
||||
+++ b/include/crypto/ecerr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
|
||||
index 49088d208b2c..46405ac62d91 100644
|
||||
--- a/include/openssl/ecerr.h
|
||||
+++ b/include/openssl/ecerr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -35,6 +35,7 @@
|
||||
# define EC_R_DECODE_ERROR 142
|
||||
# define EC_R_DISCRIMINANT_IS_ZERO 118
|
||||
# define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 119
|
||||
+# define EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED 127
|
||||
# define EC_R_FAILED_MAKING_PUBLIC_KEY 166
|
||||
# define EC_R_FIELD_TOO_LARGE 143
|
||||
# define EC_R_GF2M_NOT_SUPPORTED 147
|
||||
diff --git a/test/endecode_test.c b/test/endecode_test.c
|
||||
index 0c33dff0ee2b..3d78bea50ea3 100644
|
||||
--- a/test/endecode_test.c
|
||||
+++ b/test/endecode_test.c
|
||||
@@ -147,6 +147,7 @@ typedef int (checker)(const char *file, const int line,
|
||||
typedef void (dumper)(const char *label, const void *data, size_t data_len);
|
||||
|
||||
#define FLAG_DECODE_WITH_TYPE 0x0001
|
||||
+#define FLAG_FAIL_IF_FIPS 0x0002
|
||||
|
||||
static int test_encode_decode(const char *file, const int line,
|
||||
const char *type, EVP_PKEY *pkey,
|
||||
@@ -170,8 +171,19 @@ static int test_encode_decode(const char *file, const int line,
|
||||
* dumping purposes.
|
||||
*/
|
||||
if (!TEST_true(encode_cb(file, line, &encoded, &encoded_len, pkey, selection,
|
||||
- output_type, output_structure, pass, pcipher))
|
||||
- || !TEST_true(check_cb(file, line, type, encoded, encoded_len))
|
||||
+ output_type, output_structure, pass, pcipher)))
|
||||
+ goto end;
|
||||
+
|
||||
+ if ((flags & FLAG_FAIL_IF_FIPS) != 0 && is_fips) {
|
||||
+ if (TEST_false(decode_cb(file, line, (void **)&pkey2, encoded,
|
||||
+ encoded_len, output_type, output_structure,
|
||||
+ (flags & FLAG_DECODE_WITH_TYPE ? type : NULL),
|
||||
+ selection, pass)))
|
||||
+ ok = 1;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if (!TEST_true(check_cb(file, line, type, encoded, encoded_len))
|
||||
|| !TEST_true(decode_cb(file, line, (void **)&pkey2, encoded, encoded_len,
|
||||
output_type, output_structure,
|
||||
(flags & FLAG_DECODE_WITH_TYPE ? type : NULL),
|
||||
@@ -525,7 +537,7 @@ static int check_unprotected_PKCS8_DER(const char *file, const int line,
|
||||
return ok;
|
||||
}
|
||||
|
||||
-static int test_unprotected_via_DER(const char *type, EVP_PKEY *key)
|
||||
+static int test_unprotected_via_DER(const char *type, EVP_PKEY *key, int fips)
|
||||
{
|
||||
return test_encode_decode(__FILE__, __LINE__, type, key,
|
||||
OSSL_KEYMGMT_SELECT_KEYPAIR
|
||||
@@ -533,7 +545,7 @@ static int test_unprotected_via_DER(const char *type, EVP_PKEY *key)
|
||||
"DER", "PrivateKeyInfo", NULL, NULL,
|
||||
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
|
||||
test_mem, check_unprotected_PKCS8_DER,
|
||||
- dump_der, 0);
|
||||
+ dump_der, fips ? 0 : FLAG_FAIL_IF_FIPS);
|
||||
}
|
||||
|
||||
static int check_unprotected_PKCS8_PEM(const char *file, const int line,
|
||||
@@ -547,7 +559,7 @@ static int check_unprotected_PKCS8_PEM(const char *file, const int line,
|
||||
sizeof(expected_pem_header) - 1);
|
||||
}
|
||||
|
||||
-static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key)
|
||||
+static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key, int fips)
|
||||
{
|
||||
return test_encode_decode(__FILE__, __LINE__, type, key,
|
||||
OSSL_KEYMGMT_SELECT_KEYPAIR
|
||||
@@ -555,7 +567,7 @@ static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key)
|
||||
"PEM", "PrivateKeyInfo", NULL, NULL,
|
||||
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
|
||||
test_text, check_unprotected_PKCS8_PEM,
|
||||
- dump_pem, 0);
|
||||
+ dump_pem, fips ? 0 : FLAG_FAIL_IF_FIPS);
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_KEYPARAMS
|
||||
@@ -702,7 +714,7 @@ static int check_protected_PKCS8_DER(const char *file, const int line,
|
||||
return ok;
|
||||
}
|
||||
|
||||
-static int test_protected_via_DER(const char *type, EVP_PKEY *key)
|
||||
+static int test_protected_via_DER(const char *type, EVP_PKEY *key, int fips)
|
||||
{
|
||||
return test_encode_decode(__FILE__, __LINE__, type, key,
|
||||
OSSL_KEYMGMT_SELECT_KEYPAIR
|
||||
@@ -711,7 +723,7 @@ static int test_protected_via_DER(const char *type, EVP_PKEY *key)
|
||||
pass, pass_cipher,
|
||||
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
|
||||
test_mem, check_protected_PKCS8_DER,
|
||||
- dump_der, 0);
|
||||
+ dump_der, fips ? 0 : FLAG_FAIL_IF_FIPS);
|
||||
}
|
||||
|
||||
static int check_protected_PKCS8_PEM(const char *file, const int line,
|
||||
@@ -725,7 +737,7 @@ static int check_protected_PKCS8_PEM(const char *file, const int line,
|
||||
sizeof(expected_pem_header) - 1);
|
||||
}
|
||||
|
||||
-static int test_protected_via_PEM(const char *type, EVP_PKEY *key)
|
||||
+static int test_protected_via_PEM(const char *type, EVP_PKEY *key, int fips)
|
||||
{
|
||||
return test_encode_decode(__FILE__, __LINE__, type, key,
|
||||
OSSL_KEYMGMT_SELECT_KEYPAIR
|
||||
@@ -734,7 +746,7 @@ static int test_protected_via_PEM(const char *type, EVP_PKEY *key)
|
||||
pass, pass_cipher,
|
||||
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
|
||||
test_text, check_protected_PKCS8_PEM,
|
||||
- dump_pem, 0);
|
||||
+ dump_pem, fips ? 0 : FLAG_FAIL_IF_FIPS);
|
||||
}
|
||||
|
||||
static int check_protected_legacy_PEM(const char *file, const int line,
|
||||
@@ -795,14 +807,15 @@ static int check_public_DER(const char *file, const int line,
|
||||
return ok;
|
||||
}
|
||||
|
||||
-static int test_public_via_DER(const char *type, EVP_PKEY *key)
|
||||
+static int test_public_via_DER(const char *type, EVP_PKEY *key, int fips)
|
||||
{
|
||||
return test_encode_decode(__FILE__, __LINE__, type, key,
|
||||
OSSL_KEYMGMT_SELECT_PUBLIC_KEY
|
||||
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS,
|
||||
"DER", "SubjectPublicKeyInfo", NULL, NULL,
|
||||
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
|
||||
- test_mem, check_public_DER, dump_der, 0);
|
||||
+ test_mem, check_public_DER, dump_der,
|
||||
+ fips ? 0 : FLAG_FAIL_IF_FIPS);
|
||||
}
|
||||
|
||||
static int check_public_PEM(const char *file, const int line,
|
||||
@@ -816,14 +829,15 @@ static int check_public_PEM(const char *file, const int line,
|
||||
sizeof(expected_pem_header) - 1);
|
||||
}
|
||||
|
||||
-static int test_public_via_PEM(const char *type, EVP_PKEY *key)
|
||||
+static int test_public_via_PEM(const char *type, EVP_PKEY *key, int fips)
|
||||
{
|
||||
return test_encode_decode(__FILE__, __LINE__, type, key,
|
||||
OSSL_KEYMGMT_SELECT_PUBLIC_KEY
|
||||
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS,
|
||||
"PEM", "SubjectPublicKeyInfo", NULL, NULL,
|
||||
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
|
||||
- test_text, check_public_PEM, dump_pem, 0);
|
||||
+ test_text, check_public_PEM, dump_pem,
|
||||
+ fips ? 0 : FLAG_FAIL_IF_FIPS);
|
||||
}
|
||||
|
||||
static int check_public_MSBLOB(const char *file, const int line,
|
||||
@@ -868,30 +882,30 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key)
|
||||
EVP_PKEY_free(template_##KEYTYPE); \
|
||||
EVP_PKEY_free(key_##KEYTYPE)
|
||||
|
||||
-#define IMPLEMENT_TEST_SUITE(KEYTYPE, KEYTYPEstr) \
|
||||
+#define IMPLEMENT_TEST_SUITE(KEYTYPE, KEYTYPEstr, fips) \
|
||||
static int test_unprotected_##KEYTYPE##_via_DER(void) \
|
||||
{ \
|
||||
- return test_unprotected_via_DER(KEYTYPEstr, key_##KEYTYPE); \
|
||||
+ return test_unprotected_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \
|
||||
} \
|
||||
static int test_unprotected_##KEYTYPE##_via_PEM(void) \
|
||||
{ \
|
||||
- return test_unprotected_via_PEM(KEYTYPEstr, key_##KEYTYPE); \
|
||||
+ return test_unprotected_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \
|
||||
} \
|
||||
static int test_protected_##KEYTYPE##_via_DER(void) \
|
||||
{ \
|
||||
- return test_protected_via_DER(KEYTYPEstr, key_##KEYTYPE); \
|
||||
+ return test_protected_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \
|
||||
} \
|
||||
static int test_protected_##KEYTYPE##_via_PEM(void) \
|
||||
{ \
|
||||
- return test_protected_via_PEM(KEYTYPEstr, key_##KEYTYPE); \
|
||||
+ return test_protected_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \
|
||||
} \
|
||||
static int test_public_##KEYTYPE##_via_DER(void) \
|
||||
{ \
|
||||
- return test_public_via_DER(KEYTYPEstr, key_##KEYTYPE); \
|
||||
+ return test_public_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \
|
||||
} \
|
||||
static int test_public_##KEYTYPE##_via_PEM(void) \
|
||||
{ \
|
||||
- return test_public_via_PEM(KEYTYPEstr, key_##KEYTYPE); \
|
||||
+ return test_public_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \
|
||||
}
|
||||
|
||||
#define ADD_TEST_SUITE(KEYTYPE) \
|
||||
@@ -965,10 +979,10 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key)
|
||||
|
||||
#ifndef OPENSSL_NO_DH
|
||||
DOMAIN_KEYS(DH);
|
||||
-IMPLEMENT_TEST_SUITE(DH, "DH")
|
||||
+IMPLEMENT_TEST_SUITE(DH, "DH", 1)
|
||||
IMPLEMENT_TEST_SUITE_PARAMS(DH, "DH")
|
||||
DOMAIN_KEYS(DHX);
|
||||
-IMPLEMENT_TEST_SUITE(DHX, "X9.42 DH")
|
||||
+IMPLEMENT_TEST_SUITE(DHX, "X9.42 DH", 1)
|
||||
IMPLEMENT_TEST_SUITE_PARAMS(DHX, "X9.42 DH")
|
||||
/*
|
||||
* DH has no support for PEM_write_bio_PrivateKey_traditional(),
|
||||
@@ -977,7 +991,7 @@ IMPLEMENT_TEST_SUITE_PARAMS(DHX, "X9.42 DH")
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
DOMAIN_KEYS(DSA);
|
||||
-IMPLEMENT_TEST_SUITE(DSA, "DSA")
|
||||
+IMPLEMENT_TEST_SUITE(DSA, "DSA", 1)
|
||||
IMPLEMENT_TEST_SUITE_PARAMS(DSA, "DSA")
|
||||
IMPLEMENT_TEST_SUITE_LEGACY(DSA, "DSA")
|
||||
IMPLEMENT_TEST_SUITE_MSBLOB(DSA, "DSA")
|
||||
@@ -988,41 +1002,41 @@ IMPLEMENT_TEST_SUITE_PROTECTED_PVK(DSA, "DSA")
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC
|
||||
DOMAIN_KEYS(EC);
|
||||
-IMPLEMENT_TEST_SUITE(EC, "EC")
|
||||
+IMPLEMENT_TEST_SUITE(EC, "EC", 1)
|
||||
IMPLEMENT_TEST_SUITE_PARAMS(EC, "EC")
|
||||
IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
|
||||
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
|
||||
-IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC")
|
||||
+IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
|
||||
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
|
||||
/*DOMAIN_KEYS(ECExplicitPrime2G);*/
|
||||
-/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC")*/
|
||||
+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
|
||||
/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
DOMAIN_KEYS(ECExplicitTriNamedCurve);
|
||||
-IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC")
|
||||
+IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
|
||||
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve, "EC")
|
||||
DOMAIN_KEYS(ECExplicitTri2G);
|
||||
-IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC")
|
||||
+IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC", 0)
|
||||
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTri2G, "EC")
|
||||
# endif
|
||||
KEYS(ED25519);
|
||||
-IMPLEMENT_TEST_SUITE(ED25519, "ED25519")
|
||||
+IMPLEMENT_TEST_SUITE(ED25519, "ED25519", 1)
|
||||
KEYS(ED448);
|
||||
-IMPLEMENT_TEST_SUITE(ED448, "ED448")
|
||||
+IMPLEMENT_TEST_SUITE(ED448, "ED448", 1)
|
||||
KEYS(X25519);
|
||||
-IMPLEMENT_TEST_SUITE(X25519, "X25519")
|
||||
+IMPLEMENT_TEST_SUITE(X25519, "X25519", 1)
|
||||
KEYS(X448);
|
||||
-IMPLEMENT_TEST_SUITE(X448, "X448")
|
||||
+IMPLEMENT_TEST_SUITE(X448, "X448", 1)
|
||||
/*
|
||||
* ED25519, ED448, X25519 and X448 have no support for
|
||||
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
|
||||
*/
|
||||
#endif
|
||||
KEYS(RSA);
|
||||
-IMPLEMENT_TEST_SUITE(RSA, "RSA")
|
||||
+IMPLEMENT_TEST_SUITE(RSA, "RSA", 1)
|
||||
IMPLEMENT_TEST_SUITE_LEGACY(RSA, "RSA")
|
||||
KEYS(RSA_PSS);
|
||||
-IMPLEMENT_TEST_SUITE(RSA_PSS, "RSA-PSS")
|
||||
+IMPLEMENT_TEST_SUITE(RSA_PSS, "RSA-PSS", 1)
|
||||
/*
|
||||
* RSA-PSS has no support for PEM_write_bio_PrivateKey_traditional(),
|
||||
* so no legacy tests.
|
@ -624,3 +624,35 @@ diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 openssl-3.0.1/tes
|
||||
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
|
||||
}
|
||||
|
||||
diff -up openssl-3.0.1/test/endecode_test.c.fipsmin3 openssl-3.0.1/test/endecode_test.c
|
||||
--- openssl-3.0.1/test/endecode_test.c.fipsmin3 2022-05-06 16:25:57.296926271 +0200
|
||||
+++ openssl-3.0.1/test/endecode_test.c 2022-05-06 16:27:42.712850840 +0200
|
||||
@@ -1387,6 +1387,7 @@ int setup_tests(void)
|
||||
* so no legacy tests.
|
||||
*/
|
||||
#endif
|
||||
+ if (is_fips == 0) {
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
ADD_TEST_SUITE(DSA);
|
||||
ADD_TEST_SUITE_PARAMS(DSA);
|
||||
@@ -1397,6 +1398,7 @@ int setup_tests(void)
|
||||
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
|
||||
# endif
|
||||
#endif
|
||||
+ }
|
||||
#ifndef OPENSSL_NO_EC
|
||||
ADD_TEST_SUITE(EC);
|
||||
ADD_TEST_SUITE_PARAMS(EC);
|
||||
@@ -1411,10 +1413,12 @@ int setup_tests(void)
|
||||
ADD_TEST_SUITE(ECExplicitTri2G);
|
||||
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
|
||||
# endif
|
||||
+ if (is_fips == 0) {
|
||||
ADD_TEST_SUITE(ED25519);
|
||||
ADD_TEST_SUITE(ED448);
|
||||
ADD_TEST_SUITE(X25519);
|
||||
ADD_TEST_SUITE(X448);
|
||||
+ }
|
||||
/*
|
||||
* ED25519, ED448, X25519 and X448 have no support for
|
||||
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
|
||||
|
14
openssl.spec
14
openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.1
|
||||
Release: 27%{?dist}
|
||||
Release: 28%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -68,8 +68,12 @@ Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
# remove unsupported EC curves
|
||||
Patch11: 0011-Remove-EC-curves.patch
|
||||
# Disable explicit EC curves
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1977867
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
|
||||
Patch12: 0012-Disable-explicit-ec.patch
|
||||
# https://github.com/openssl/openssl/pull/17981
|
||||
Patch13: 0013-FIPS-provider-explicit-ec.patch
|
||||
# https://github.com/openssl/openssl/pull/17998
|
||||
Patch14: 0014-FIPS-disable-explicit-ec.patch
|
||||
# Instructions to load legacy provider in openssl.cnf
|
||||
Patch24: 0024-load-legacy-prov.patch
|
||||
# Tmp: test name change
|
||||
@ -440,6 +444,12 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Fri May 06 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-28
|
||||
- OpenSSL should not accept custom elliptic curve parameters
|
||||
- Resolves rhbz#2066412
|
||||
- OpenSSL should not accept explicit curve parameters in FIPS mode
|
||||
- Resolves rhbz#2058663
|
||||
|
||||
* Fri May 06 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-27
|
||||
- Change FIPS module version to include hash of specfile, patches and sources
|
||||
Resolves: rhbz#2070550
|
||||
|
Loading…
Reference in New Issue
Block a user