Disable DHX keys completely in FIPS mode
Resolves: rhbz#2178030
This commit is contained in:
parent
960e6deebf
commit
bfdbb139b4
90
0093-FIPS-nodhx.patch
Normal file
90
0093-FIPS-nodhx.patch
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
diff -up openssl-3.0.7/providers/fips/fipsprov.c.nodhx openssl-3.0.7/providers/fips/fipsprov.c
|
||||||
|
--- openssl-3.0.7/providers/fips/fipsprov.c.nodhx 2023-03-09 13:02:21.621694715 +0100
|
||||||
|
+++ openssl-3.0.7/providers/fips/fipsprov.c 2023-03-09 13:02:34.001791831 +0100
|
||||||
|
@@ -486,8 +486,8 @@ static const OSSL_ALGORITHM fips_keymgmt
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
{ PROV_NAMES_DH, FIPS_DEFAULT_PROPERTIES, ossl_dh_keymgmt_functions,
|
||||||
|
PROV_DESCS_DH },
|
||||||
|
- { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions,
|
||||||
|
- PROV_DESCS_DHX },
|
||||||
|
+/* { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions,
|
||||||
|
+ PROV_DESCS_DHX }, */
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
/* We don't certify DSA in our FIPS provider */
|
||||||
|
diff -up openssl-3.0.7/test/endecode_test.c.nodhx openssl-3.0.7/test/endecode_test.c
|
||||||
|
--- openssl-3.0.7/test/endecode_test.c.nodhx 2023-03-09 13:39:10.826000162 +0100
|
||||||
|
+++ openssl-3.0.7/test/endecode_test.c 2023-03-09 13:41:26.533073598 +0100
|
||||||
|
@@ -1356,7 +1358,9 @@ int setup_tests(void)
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
TEST_info("Generating DH keys...");
|
||||||
|
MAKE_DOMAIN_KEYS(DH, "DH", NULL);
|
||||||
|
+if (is_fips == 0) {
|
||||||
|
MAKE_DOMAIN_KEYS(DHX, "X9.42 DH", NULL);
|
||||||
|
+}
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
TEST_info("Generating DSA keys...");
|
||||||
|
@@ -1386,8 +1390,10 @@ int setup_tests(void)
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
ADD_TEST_SUITE(DH);
|
||||||
|
ADD_TEST_SUITE_PARAMS(DH);
|
||||||
|
+if (is_fips == 0) {
|
||||||
|
ADD_TEST_SUITE(DHX);
|
||||||
|
ADD_TEST_SUITE_PARAMS(DHX);
|
||||||
|
+}
|
||||||
|
/*
|
||||||
|
* DH has no support for PEM_write_bio_PrivateKey_traditional(),
|
||||||
|
* so no legacy tests.
|
||||||
|
@@ -1465,7 +1471,9 @@ void cleanup_tests(void)
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
FREE_DOMAIN_KEYS(DH);
|
||||||
|
+if (is_fips == 0) {
|
||||||
|
FREE_DOMAIN_KEYS(DHX);
|
||||||
|
+}
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
FREE_DOMAIN_KEYS(DSA);
|
||||||
|
diff -up openssl-3.0.7/test/recipes/80-test_cms.t.nodhx openssl-3.0.7/test/recipes/80-test_cms.t
|
||||||
|
--- openssl-3.0.7/test/recipes/80-test_cms.t.nodhx 2023-03-09 13:31:36.851432859 +0100
|
||||||
|
+++ openssl-3.0.7/test/recipes/80-test_cms.t 2023-03-09 13:32:35.987888417 +0100
|
||||||
|
@@ -869,6 +869,8 @@ sub check_availability {
|
||||||
|
if ($no_ec2m && $tnam =~ /K-283/);
|
||||||
|
return "$tnam: skipped, DH disabled\n"
|
||||||
|
if ($no_dh && $tnam =~ /X9\.42/);
|
||||||
|
+ return "$tnam: skipped, DHX disabled in RHEL\n"
|
||||||
|
+ if ($provname eq 'fips' && $tnam =~ /X9\.42/);
|
||||||
|
return "$tnam: skipped, RC2 disabled\n"
|
||||||
|
if ($no_rc2 && $tnam =~ /RC2/);
|
||||||
|
return "$tnam: skipped, DES disabled\n"
|
||||||
|
diff -up openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx openssl-3.0.7/providers/implementations/exchange/dh_exch.c
|
||||||
|
--- openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx 2023-03-09 16:33:07.092040809 +0100
|
||||||
|
+++ openssl-3.0.7/providers/implementations/exchange/dh_exch.c 2023-03-09 16:42:30.594837565 +0100
|
||||||
|
@@ -102,6 +102,11 @@ static int dh_init(void *vpdhctx, void *
|
||||||
|
|| vdh == NULL
|
||||||
|
|| !DH_up_ref(vdh))
|
||||||
|
return 0;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(vdh),
|
||||||
|
+ DH_get0_q(vdh), DH_get0_g(vdh)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+#endif
|
||||||
|
DH_free(pdhctx->dh);
|
||||||
|
pdhctx->dh = vdh;
|
||||||
|
pdhctx->kdf_type = PROV_DH_KDF_NONE;
|
||||||
|
diff -up openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c
|
||||||
|
--- openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx 2023-03-09 15:38:04.024555943 +0100
|
||||||
|
+++ openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c 2023-03-09 16:32:04.142490068 +0100
|
||||||
|
@@ -498,6 +499,11 @@ static int dh_gen_set_template(void *gen
|
||||||
|
|
||||||
|
if (!ossl_prov_is_running() || gctx == NULL || dh == NULL)
|
||||||
|
return 0;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(dh),
|
||||||
|
+ DH_get0_q(dh), DH_get0_g(dh)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+#endif
|
||||||
|
gctx->ffc_params = ossl_dh_get0_params(dh);
|
||||||
|
return 1;
|
||||||
|
}
|
@ -155,6 +155,8 @@ Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch
|
|||||||
Patch91: 0091-FIPS-RSA-encapsulate.patch
|
Patch91: 0091-FIPS-RSA-encapsulate.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2142517
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2142517
|
||||||
Patch92: 0092-provider-improvements.patch
|
Patch92: 0092-provider-improvements.patch
|
||||||
|
# FIPS-95
|
||||||
|
Patch93: 0093-FIPS-nodhx.patch
|
||||||
|
|
||||||
# OpenSSL 3.0.8 CVEs
|
# OpenSSL 3.0.8 CVEs
|
||||||
Patch101: 0101-CVE-2022-4203-nc-match.patch
|
Patch101: 0101-CVE-2022-4203-nc-match.patch
|
||||||
@ -517,6 +519,8 @@ install -m644 %{SOURCE9} \
|
|||||||
Resolves: rhbz#2178029
|
Resolves: rhbz#2178029
|
||||||
- Pairwise consistency tests should use Digest+Sign/Verify
|
- Pairwise consistency tests should use Digest+Sign/Verify
|
||||||
Resolves: rhbz#2178034
|
Resolves: rhbz#2178034
|
||||||
|
- Forbid DHX keys import in FIPS mode
|
||||||
|
Resolves: rhbz#2178030
|
||||||
|
|
||||||
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
|
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
|
||||||
- Fixes RNG slowdown in FIPS mode
|
- Fixes RNG slowdown in FIPS mode
|
||||||
|
Loading…
Reference in New Issue
Block a user