OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
Resolves: rhbz#1977867
This commit is contained in:
parent
d79f404164
commit
53b85f538c
40
0012-Disable-explicit-ec.patch
Normal file
40
0012-Disable-explicit-ec.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_lib.c
|
||||||
|
--- openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec 2022-02-22 09:08:48.557823665 +0100
|
||||||
|
+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-02-22 09:09:26.634133847 +0100
|
||||||
|
@@ -1458,7 +1458,7 @@ static EC_GROUP *ec_group_explicit_to_na
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- ret_group = (EC_GROUP *)group;
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
EC_GROUP_free(dup);
|
||||||
|
return ret_group;
|
||||||
|
diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c
|
||||||
|
--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec 2022-02-22 13:04:16.850856612 +0100
|
||||||
|
+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-02-22 14:16:19.848369641 +0100
|
||||||
|
@@ -936,11 +936,8 @@ int ec_validate(const void *keydata, int
|
||||||
|
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
|
||||||
|
int flags = EC_KEY_get_flags(eck);
|
||||||
|
|
||||||
|
- if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)
|
||||||
|
- ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
|
||||||
|
- (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
|
||||||
|
- else
|
||||||
|
- ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
|
||||||
|
+ ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
|
||||||
|
+ (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
|
||||||
|
@@ -1217,6 +1214,10 @@ static int ec_gen_assign_group(EC_KEY *e
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+ if (EC_GROUP_get_curve_name(group) == NID_undef) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
return EC_KEY_set_group(ec, group) > 0;
|
||||||
|
}
|
||||||
|
|
4
ectest.c
4
ectest.c
@ -2300,8 +2300,8 @@ int setup_tests(void)
|
|||||||
ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
|
ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
|
||||||
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
|
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
|
||||||
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
|
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
|
||||||
ADD_ALL_TESTS(custom_generator_test, crv_len);
|
/* ADD_ALL_TESTS(custom_generator_test, crv_len);
|
||||||
ADD_ALL_TESTS(custom_params_test, crv_len);
|
ADD_ALL_TESTS(custom_params_test, crv_len); */
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
13
openssl.spec
13
openssl.spec
@ -15,7 +15,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.0.1
|
Version: 3.0.1
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -53,6 +53,9 @@ Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
|
|||||||
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||||
# remove unsupported EC curves
|
# remove unsupported EC curves
|
||||||
Patch11: 0011-Remove-EC-curves.patch
|
Patch11: 0011-Remove-EC-curves.patch
|
||||||
|
# Disable explicit EC curves
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1977867
|
||||||
|
Patch12: 0012-Disable-explicit-ec.patch
|
||||||
# Instructions to load legacy provider in openssl.cnf
|
# Instructions to load legacy provider in openssl.cnf
|
||||||
Patch24: 0024-load-legacy-prov.patch
|
Patch24: 0024-load-legacy-prov.patch
|
||||||
# Tmp: test name change
|
# Tmp: test name change
|
||||||
@ -75,6 +78,8 @@ Patch47: 0047-FIPS-early-KATS.patch
|
|||||||
Patch48: 0048-correctly-handle-records.patch
|
Patch48: 0048-correctly-handle-records.patch
|
||||||
# Selectively disallow SHA1 signatures
|
# Selectively disallow SHA1 signatures
|
||||||
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
|
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2049265
|
||||||
|
Patch50: 0050-FIPS-enable-pkcs12-mac.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
@ -405,6 +410,12 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-8
|
||||||
|
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
|
||||||
|
- Resolves: rhbz#1977867
|
||||||
|
- pkcs12 export broken in FIPS mode
|
||||||
|
- Resolves: rhbz#2049265
|
||||||
|
|
||||||
* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-8
|
* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-8
|
||||||
- Disable SHA1 signature creation and verification by default
|
- Disable SHA1 signature creation and verification by default
|
||||||
- Set rh-allow-sha1-signatures = yes to re-enable
|
- Set rh-allow-sha1-signatures = yes to re-enable
|
||||||
|
Loading…
Reference in New Issue
Block a user