Utilities from the general purpose cryptography library with TLS implementation
8b08b372c8
FIPS 140-3 requires us to indicate whether an operation was using approved services or not. The FIPS 140-3 implementation guidelines provide two basic approaches to doing this: implicit indicators, and explicit indicators. Implicit indicators are basically the concept of "if the operation passes, it was approved". We were originally aiming for implicit indicators in our copy of OpenSSL. However, this proved to be a problem, because we wanted to certify a signature service, and FIPS 140-3 requires that a signature service computes the digest to be signed within the boundaries of the FIPS module. Since we were planning to certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify would have to be blocked. Unfortunately, EVP_SignFinal uses EVP_PKEY_sign internally, but outside of fips.so and thus outside of the FIPS module boundary. This means that using implicit indicators in combination with certifying only fips.so would require us to block both EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used by most users of OpenSSL for signatures. EVP_DigestSign would be acceptable, but has only been added in 3.0 and is thus not yet widely used. As a consequence, we've decided to introduce explicit indicators so that EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but FIPS-aware applications can query the explicit indicator to check whether the operation was approved. To avoid affecting the ABI and public API too much, this is implemented as an exported symbol in fips.so and a private header, so applications that wish to use this will have to dlopen(3) fips.so, locate the function using dlsym(3), and then call it. These applications will have to build against the private header in order to use the returned pointer. Modify util/mkdef.pl to support exposing a symbol only for a specific provider identified by its name and path. Signed-off-by: Clemens Lang <cllang@redhat.com> Resolves: rhbz#2087147 |
||
|---|---|---|
| .gitignore | ||
| 0001-Aarch64-and-ppc64le-use-lib64.patch | ||
| 0002-Use-more-general-default-values-in-openssl.cnf.patch | ||
| 0003-Do-not-install-html-docs.patch | ||
| 0004-Override-default-paths-for-the-CA-directory-tree.patch | ||
| 0005-apps-ca-fix-md-option-help-text.patch | ||
| 0006-Disable-signature-verification-with-totally-unsafe-h.patch | ||
| 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch | ||
| 0008-Add-FIPS_mode-compatibility-macro.patch | ||
| 0009-Add-Kernel-FIPS-mode-flag-support.patch | ||
| 0011-Remove-EC-curves.patch | ||
| 0012-Disable-explicit-ec.patch | ||
| 0013-FIPS-provider-explicit-ec.patch | ||
| 0014-FIPS-disable-explicit-ec.patch | ||
| 0024-load-legacy-prov.patch | ||
| 0025-for-tests.patch | ||
| 0031-tmp-Fix-test-names.patch | ||
| 0032-Force-fips.patch | ||
| 0033-FIPS-embed-hmac.patch | ||
| 0034.fipsinstall_disable.patch | ||
| 0035-speed-skip-unavailable-dgst.patch | ||
| 0045-FIPS-services-minimize.patch | ||
| 0046-FIPS-s390x-hardening.patch | ||
| 0047-FIPS-early-KATS.patch | ||
| 0048-correctly-handle-records.patch | ||
| 0049-Selectively-disallow-SHA1-signatures.patch | ||
| 0050-FIPS-enable-pkcs12-mac.patch | ||
| 0051-Support-different-R_BITS-lengths-for-KBKDF.patch | ||
| 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch | ||
| 0053-CVE-2022-0778.patch | ||
| 0054-Replace-size-check-with-more-meaningful-pubkey-check.patch | ||
| 0055-nonlegacy-fetch-null-deref.patch | ||
| 0056-strcasecmp.patch | ||
| 0057-strcasecmp-fix.patch | ||
| 0058-FIPS-limit-rsa-encrypt.patch | ||
| 0060-FIPS-KAT-signature-tests.patch | ||
| 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch | ||
| 0062-fips-Expose-a-FIPS-indicator.patch | ||
| 0063-CVE-2022-1473.patch | ||
| 0064-CVE-2022-1343.diff | ||
| 0065-CVE-2022-1292.patch | ||
| 0066-replace-expired-certs.patch | ||
| configuration-prefix.h | ||
| configuration-switch.h | ||
| ec_curve.c | ||
| ectest.c | ||
| gating.yaml | ||
| genpatches | ||
| hobble-openssl | ||
| make-dummy-cert | ||
| Makefile.certificate | ||
| openssl.spec | ||
| renew-dummy-cert | ||
| rpminspect.yaml | ||
| sources | ||