rpms/openssl
8
1
Fork 1
Code Issues Pull Requests Releases Activity

Use PBMAC1 by default when creating PKCS#12 files in FIPS mode

Browse Source 
Related: RHEL-36659
This commit is contained in:
Dmitry Belyavskiy 2024-08-14 11:36:06 +02:00
parent 299b43d420
commit 8fc2d48423
2 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
0125-PBMAC1-PKCS12-FIPS-default.patch Normal file
View File

@ -0,0 +1,21 @@
diff -up openssl-3.2.2/apps/pkcs12.c.xxx openssl-3.2.2/apps/pkcs12.c
--- openssl-3.2.2/apps/pkcs12.c.xxx 2024-08-14 11:24:41.164589397 +0200
+++ openssl-3.2.2/apps/pkcs12.c 2024-08-14 11:28:21.071004221 +0200
@@ -17,6 +17,7 @@
#include <openssl/asn1.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/provider.h>
@@ -708,6 +709,9 @@ int pkcs12_main(int argc, char **argv)
}
if (maciter != -1) {
+ if (EVP_default_properties_is_fips_enabled(NULL))
+ pbmac1_pbkdf2 = 1;
+
if (pbmac1_pbkdf2 == 1) {
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,

8
openssl.spec
View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.2.2 Version: 3.2.2
Release: 9%{?dist} Release: 10%{?dist}
Epoch: 1 Epoch: 1
Source: openssl-%{version}.tar.gz Source: openssl-%{version}.tar.gz
Source2: Makefile.certificate Source2: Makefile.certificate
@ -160,6 +160,8 @@ Patch121: 0121-FIPS-cms-defaults.patch
Patch122: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch Patch122: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
# https://github.com/openssl/openssl/issues/24577 # https://github.com/openssl/openssl/issues/24577
Patch124: 0124-PBMAC1-PKCS12-FIPS-support.patch Patch124: 0124-PBMAC1-PKCS12-FIPS-support.patch
# Downstream patch: enforce PBMAC1 in FIPS mode
Patch125: 0125-PBMAC1-PKCS12-FIPS-default.patch
License: Apache-2.0 License: Apache-2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -505,6 +507,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Aug 14 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-10
- Use PBMAC1 by default when creating PKCS#12 files in FIPS mode
Related: RHEL-36659
* Fri Aug 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-9 * Fri Aug 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-9
- An interface to create PKCS #12 files in FIPS compliant way - An interface to create PKCS #12 files in FIPS compliant way
Related: RHEL-36659 Related: RHEL-36659