rpms
/
openssl3
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Change explicit FIPS indicator for RSA decryption to unapproved

Browse Source 
Resolves: rhbz#2179379
Signed-off-by: Clemens Lang <cllang@redhat.com>
epel8
Clemens Lang 2 years ago
parent 1bd2a0cee3
commit 0dea6db970
2 changed files with 20 additions and 23 deletions
Show Stats Download Patch File Download Diff File

33
0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
Unescape View File

@ -21,9 +21,9 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
--- ---
include/openssl/core_names.h | 2 ++ include/openssl/core_names.h | 2 ++
include/openssl/evp.h | 4 +++ include/openssl/evp.h | 4 +++
.../implementations/asymciphers/rsa_enc.c | 31 +++++++++++++++++++ .../implementations/asymciphers/rsa_enc.c | 24 +++++++++++++++
providers/implementations/kem/rsa_kem.c | 30 +++++++++++++++++- providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
4 files changed, 66 insertions(+), 1 deletion(-) 4 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 832502a034..e15d208421 100644 index 832502a034..e15d208421 100644
@ -61,10 +61,10 @@ index ec2ba46fbd..3803b03422 100644
const char *properties); const char *properties);
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt); int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 568452ec56..0a9adb4056 100644 index 568452ec56..2e7ea632d7 100644
--- a/providers/implementations/asymciphers/rsa_enc.c --- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -399,6 +399,34 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) @@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
return 0; return 0;
@ -73,23 +73,16 @@ index 568452ec56..0a9adb4056 100644
+ if (p != NULL) { + if (p != NULL) {
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; + int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
+ +
+ if (prsactx->operation == EVP_PKEY_OP_ENCRYPT) {
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key + /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted + * confirmation (section 6.4.2.3.2), or assurance from a trusted third
+ * third party (section 6.4.2.3.1) for the KTS-OAEP key transport + * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
+ * scheme, but explicit key confirmation is not implemented here + * explicit key confirmation is not implemented here and cannot be
+ * and cannot be implemented without protocol changes, and the FIPS + * implemented without protocol changes, and the FIPS provider does not
+ * provider does not implement trusted third party validation, + * implement trusted third party validation, since it relies on its
+ * since it relies on its callers to do that. We must thus mark + * callers to do that. We must thus mark RSA-OAEP as unapproved until
+ * RSA-OAEP as unapproved until we have received clarification from + * we have received clarification from NIST on how library modules such
+ * NIST on how library modules such as OpenSSL should implement TTP + * as OpenSSL should implement TTP validation. */
+ * validation.
+ *
+ * This does not affect decryption, because it is approved as
+ * a component according to the FIPS 140-3 IG, section 2.4.G.
+ */
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ +
+ if (!OSSL_PARAM_set_int(p, fips_indicator)) + if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0; + return 0;

6
openssl.spec
Unescape View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.7 Version: 3.0.7
Release: 11%{?dist} Release: 12%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -507,6 +507,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Fri Mar 24 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-12
- Change explicit FIPS indicator for RSA decryption to unapproved
Resolves: rhbz#2179379
* Mon Mar 20 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-11 * Mon Mar 20 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-11
- Add missing reference to patchfile to add explicit FIPS indicator to RSA - Add missing reference to patchfile to add explicit FIPS indicator to RSA
encryption and RSASVE and fix the gettable parameter list for the RSA encryption and RSASVE and fix the gettable parameter list for the RSA

Write Preview
Loading…
Cancel
Save