53ceffb423
Those algorithms are not accepted by current FIPS mode. Disable them in that mode, because they are not allowed. Might change once they are added. Resolves: rhbz#2079548
97 lines
4.0 KiB
Diff
97 lines
4.0 KiB
Diff
From cff6307f44c79df8975b3f205e98cd1a0464824b Mon Sep 17 00:00:00 2001
|
|
From: Petr Mensik <pemensik@redhat.com>
|
|
Date: Wed, 27 Apr 2022 19:58:39 +0200
|
|
Subject: [PATCH] Disable ED25519 and ED448 in FIPS mode on openssl3
|
|
|
|
Both crypto functions are not allowed by FIPS 140-3. Use openssl 3.0
|
|
function to check FIPS mode presence and use it to make those algorithms
|
|
unsupported.
|
|
---
|
|
unbound-1.16.0/config.h.in | 4 ++++
|
|
unbound-1.16.0/configure.ac | 2 +-
|
|
unbound-1.16.0/validator/val_secalgo.c | 17 ++++++++++++++++-
|
|
3 files changed, 21 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/unbound-1.16.0/config.h.in b/unbound-1.16.0/config.h.in
|
|
index a080dde..cc1fbe8 100644
|
|
--- a/unbound-1.16.0/config.h.in
|
|
+++ b/unbound-1.16.0/config.h.in
|
|
@@ -222,6 +222,10 @@
|
|
/* Define to 1 if you have the `EVP_cleanup' function. */
|
|
#undef HAVE_EVP_CLEANUP
|
|
|
|
+/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled'
|
|
+ function. */
|
|
+#undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
|
|
+
|
|
/* Define to 1 if you have the `EVP_DigestVerify' function. */
|
|
#undef HAVE_EVP_DIGESTVERIFY
|
|
|
|
diff --git a/unbound-1.16.0/configure.ac b/unbound-1.16.0/configure.ac
|
|
index 1453b3a..69cb13b 100644
|
|
--- a/unbound-1.16.0/configure.ac
|
|
+++ b/unbound-1.16.0/configure.ac
|
|
@@ -906,7 +906,7 @@ else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
|
|
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
|
|
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
|
|
|
|
# these check_funcs need -lssl
|
|
BAKLIBS="$LIBS"
|
|
diff --git a/unbound-1.16.0/validator/val_secalgo.c b/unbound-1.16.0/validator/val_secalgo.c
|
|
index 7abf66f..6276675 100644
|
|
--- a/unbound-1.16.0/validator/val_secalgo.c
|
|
+++ b/unbound-1.16.0/validator/val_secalgo.c
|
|
@@ -215,6 +215,10 @@ ds_digest_size_supported(int algo)
|
|
switch(algo) {
|
|
case LDNS_SHA1:
|
|
#if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
|
|
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
|
|
+ if (EVP_default_properties_is_fips_enabled(NULL))
|
|
+ return 0;
|
|
+#endif
|
|
return SHA_DIGEST_LENGTH;
|
|
#else
|
|
if(fake_sha1) return 20;
|
|
@@ -325,7 +329,11 @@ dnskey_algo_id_is_supported(int id)
|
|
case LDNS_RSASHA1:
|
|
case LDNS_RSASHA1_NSEC3:
|
|
#ifdef USE_SHA1
|
|
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
|
|
+ return !EVP_default_properties_is_fips_enabled(NULL);
|
|
+#else
|
|
return 1;
|
|
+#endif
|
|
#else
|
|
if(fake_sha1) return 1;
|
|
return 0;
|
|
@@ -341,15 +349,22 @@ dnskey_algo_id_is_supported(int id)
|
|
case LDNS_ECDSAP256SHA256:
|
|
case LDNS_ECDSAP384SHA384:
|
|
#endif
|
|
+#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
|
|
+ return 1;
|
|
+#endif
|
|
#ifdef USE_ED25519
|
|
case LDNS_ED25519:
|
|
#endif
|
|
#ifdef USE_ED448
|
|
case LDNS_ED448:
|
|
#endif
|
|
-#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
|
|
+#if defined(USE_ED25519) || defined(USE_ED448)
|
|
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
|
|
+ return !EVP_default_properties_is_fips_enabled(NULL);
|
|
+#else
|
|
return 1;
|
|
#endif
|
|
+#endif
|
|
|
|
#ifdef USE_GOST
|
|
case LDNS_ECC_GOST:
|
|
--
|
|
2.36.1
|
|
|