diff --git a/0125-PBMAC1-PKCS12-FIPS-default.patch b/0125-PBMAC1-PKCS12-FIPS-default.patch new file mode 100644 index 0000000..f7257ea --- /dev/null +++ b/0125-PBMAC1-PKCS12-FIPS-default.patch @@ -0,0 +1,21 @@ +diff -up openssl-3.2.2/apps/pkcs12.c.xxx openssl-3.2.2/apps/pkcs12.c +--- openssl-3.2.2/apps/pkcs12.c.xxx 2024-08-14 11:24:41.164589397 +0200 ++++ openssl-3.2.2/apps/pkcs12.c 2024-08-14 11:28:21.071004221 +0200 +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -708,6 +709,9 @@ int pkcs12_main(int argc, char **argv) + } + + if (maciter != -1) { ++ if (EVP_default_properties_is_fips_enabled(NULL)) ++ pbmac1_pbkdf2 = 1; ++ + if (pbmac1_pbkdf2 == 1) { + if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL, + macsaltlen, maciter, diff --git a/openssl.spec b/openssl.spec index 7302453..b796b9f 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.2.2 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 1 Source: openssl-%{version}.tar.gz Source2: Makefile.certificate @@ -160,6 +160,8 @@ Patch121: 0121-FIPS-cms-defaults.patch Patch122: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch # https://github.com/openssl/openssl/issues/24577 Patch124: 0124-PBMAC1-PKCS12-FIPS-support.patch +# Downstream patch: enforce PBMAC1 in FIPS mode +Patch125: 0125-PBMAC1-PKCS12-FIPS-default.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -505,6 +507,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Wed Aug 14 2024 Dmitry Belyavskiy - 1:3.2.2-10 +- Use PBMAC1 by default when creating PKCS#12 files in FIPS mode + Related: RHEL-36659 + * Fri Aug 09 2024 Dmitry Belyavskiy - 1:3.2.2-9 - An interface to create PKCS #12 files in FIPS compliant way Related: RHEL-36659