Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode
Resolves: rhbz#2160797
This commit is contained in:
parent
032dc0839c
commit
57f6d8f4a4
65
0121-FIPS-cms-defaults.patch
Normal file
65
0121-FIPS-cms-defaults.patch
Normal file
@ -0,0 +1,65 @@
|
||||
diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c
|
||||
--- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200
|
||||
+++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <openssl/x509_vfy.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include <openssl/cms.h>
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
|
||||
static int cms_cb(int ok, X509_STORE_CTX *ctx);
|
||||
@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv)
|
||||
|
||||
if (operation == SMIME_ENCRYPT) {
|
||||
if (!cipher) {
|
||||
+ if (FIPS_mode()) {
|
||||
+ cipher = (EVP_CIPHER *)EVP_aes_128_cbc();
|
||||
+ } else {
|
||||
#ifndef OPENSSL_NO_DES
|
||||
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||
+ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||
#else
|
||||
- BIO_printf(bio_err, "No cipher selected\n");
|
||||
- goto end;
|
||||
+ BIO_printf(bio_err, "No cipher selected\n");
|
||||
+ goto end;
|
||||
#endif
|
||||
+ }
|
||||
}
|
||||
|
||||
if (secret_key && !secret_keyid) {
|
||||
diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c
|
||||
--- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200
|
||||
+++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200
|
||||
@@ -14,6 +14,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/cms.h>
|
||||
#include <openssl/evp.h>
|
||||
+#include <openssl/fips.h>
|
||||
#include "internal/sizes.h"
|
||||
#include "crypto/asn1.h"
|
||||
#include "crypto/evp.h"
|
||||
@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C
|
||||
return 0;
|
||||
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
|
||||
return 0;
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
|
||||
+ return 0;
|
||||
+ }
|
||||
} else if (!ossl_cms_env_asn1_ctrl(ri, 0))
|
||||
return 0;
|
||||
return 1;
|
||||
@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp
|
||||
|
||||
if (EVP_PKEY_encrypt_init(pctx) <= 0)
|
||||
goto err;
|
||||
+
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
|
||||
+ goto err;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
|
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.7
|
||||
Release: 17%{?dist}
|
||||
Release: 18%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -192,6 +192,8 @@ Patch118: 0118-CVE-2023-1255.patch
|
||||
#https://github.com/openssl/openssl/pull/13817
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=2153471
|
||||
Patch120: 0120-RSA-PKCS15-implicit-rejection.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2160797
|
||||
Patch121: 0121-FIPS-cms-defaults.patch
|
||||
|
||||
License: ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -515,6 +517,10 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Thu May 18 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-18
|
||||
- Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode
|
||||
Resolves: rhbz#2160797
|
||||
|
||||
* Tue May 09 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-17
|
||||
- Enforce using EMS in FIPS mode - better alerts
|
||||
Related: rhbz#2157951
|
||||
|
Loading…
Reference in New Issue
Block a user