rpms/openssl
7
1
Fork 1
Code Issues Pull Requests Releases Activity

PKCS#12 should not default to pbmac1 in FIPS mode in RHEL-9

Browse Source 
Resolves: RHEL-88912
This commit is contained in:
Dmitry Belyavskiy 2025-05-09 13:45:26 +02:00
parent 58aefe30f2
commit 3717faa9f1
2 changed files with 108 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
0101-FIPS-enable-pkcs12-mac.patch Normal file
View File

@ -0,0 +1,105 @@
diff -up openssl-3.5.0-build/openssl-3.5.0/apps/pkcs12.c.xxx openssl-3.5.0-build/openssl-3.5.0/apps/pkcs12.c
--- openssl-3.5.0/apps/pkcs12.c.xxx 2025-05-09 13:02:55.421755023 +0200
+++ openssl-3.5.0/apps/pkcs12.c 2025-05-09 13:07:10.393755067 +0200
@@ -710,9 +710,6 @@ int pkcs12_main(int argc, char **argv)
}
if (maciter != -1) {
- if (EVP_default_properties_is_fips_enabled(NULL))
- pbmac1_pbkdf2 = 1;
-
if (pbmac1_pbkdf2 == 1) {
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,
@@ -844,15 +841,34 @@ int pkcs12_main(int argc, char **argv)
if (OBJ_obj2nid(macobj) != NID_pbmac1) {
EVP_KDF *pkcs12kdf;
+ char *adjusted_propq = NULL;
+ const char *nofips = "-fips";
+ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
+ strlen(nofips) + 1;
+ char *ptr = NULL;
+
+ adjusted_propq = OPENSSL_zalloc(len);
+ if (adjusted_propq != NULL) {
+ ptr = adjusted_propq;
+ if (app_get0_propq()) {
+ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
+ ptr += strlen(app_get0_propq());
+ *ptr = ',';
+ ptr++;
+ }
+ memcpy(ptr, nofips, strlen(nofips));
+ }
pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
- app_get0_propq());
+ adjusted_propq ? adjusted_propq : app_get0_propq());
if (pkcs12kdf == NULL) {
BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
+ OPENSSL_free(adjusted_propq);
goto end;
}
EVP_KDF_free(pkcs12kdf);
+ OPENSSL_free(adjusted_propq);
}
/* If we enter empty password try no password first */
diff -up openssl-3.5.0-build/openssl-3.5.0/crypto/pkcs12/p12_key.c.xxx openssl-3.5.0-build/openssl-3.5.0/crypto/pkcs12/p12_key.c
--- openssl-3.5.0/crypto/pkcs12/p12_key.c.xxx 2025-05-09 13:03:13.573182158 +0200
+++ openssl-3.5.0/crypto/pkcs12/p12_key.c 2025-05-09 13:04:25.002955528 +0200
@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
EVP_KDF *kdf;
EVP_KDF_CTX *ctx;
OSSL_PARAM params[6], *p = params;
+ char *adjusted_propq = NULL;
if (n <= 0)
return 0;
- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
- if (kdf == NULL)
+ if (ossl_get_kernel_fips_flag()) {
+ const char *nofips = "-fips";
+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
+ strlen(nofips) + 1;
+ char *ptr = NULL;
+
+ adjusted_propq = OPENSSL_zalloc(len);
+ if (adjusted_propq != NULL) {
+ ptr = adjusted_propq;
+ if (propq) {
+ memcpy(ptr, propq, strlen(propq));
+ ptr += strlen(propq);
+ *ptr = ',';
+ ptr++;
+ }
+ memcpy(ptr, nofips, strlen(nofips));
+ }
+ }
+
+ kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
+ if (kdf == NULL) {
+ OPENSSL_free(adjusted_propq);
return 0;
+ }
ctx = EVP_KDF_CTX_new(kdf);
EVP_KDF_free(kdf);
- if (ctx == NULL)
+ if (ctx == NULL) {
+ OPENSSL_free(adjusted_propq);
return 0;
+ }
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
(char *)EVP_MD_get0_name(md_type),
@@ -127,6 +151,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
} OSSL_TRACE_END(PKCS12_KEYGEN);
}
EVP_KDF_CTX_free(ctx);
+ OPENSSL_free(adjusted_propq);
return res;
}

3
openssl.spec
View File

@ -91,6 +91,7 @@ Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
#The patches that are different for RHEL9 and 10 start here #The patches that are different for RHEL9 and 10 start here
Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
Patch0101: 0101-FIPS-enable-pkcs12-mac.patch
License: Apache-2.0 License: Apache-2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -426,6 +427,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
* Fri May 02 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-2 * Fri May 02 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-2
- OpenSSL ignores "rh-allow-sha1-signatures = yes" option on RHEL-9 - OpenSSL ignores "rh-allow-sha1-signatures = yes" option on RHEL-9
Resolves: RHEL-88910 Resolves: RHEL-88910
- PKCS#12 should not default to pbmac1 in FIPS mode in RHEL-9
Resolves: RHEL-88912
* Wed Apr 16 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-1 * Wed Apr 16 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-1
- Rebasing OpenSSL to 3.5 - Rebasing OpenSSL to 3.5