rpms
/
openssl3
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adaptation of upstream patches disabling explicit EC parameters in FIPS mode

Browse Source 
Resolves: rhbz#2058663
epel8
Dmitry Belyavskiy 3 years ago
parent 4dc19fe033
commit 1b2d08b2c2
4 changed files with 542 additions and 2 deletions
Show Stats Download Patch File Download Diff File

77
0013-FIPS-provider-explicit-ec.patch
Unescape View File

@ -0,0 +1,77 @@
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 78dc69082fab..8a86c9108d0d 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -470,9 +470,6 @@ int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
&& (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
return 0;
- if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
- && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
- return 0;
tmpl = OSSL_PARAM_BLD_new();
if (tmpl == NULL)
diff --git a/test/recipes/15-test_ecparam.t b/test/recipes/15-test_ecparam.t
index 766524e8cfa9..80bac6741290 100644
--- a/test/recipes/15-test_ecparam.t
+++ b/test/recipes/15-test_ecparam.t
@@ -13,7 +13,7 @@ use warnings;
use File::Spec;
use File::Compare qw/compare_text/;
use OpenSSL::Glob;
-use OpenSSL::Test qw/:DEFAULT data_file/;
+use OpenSSL::Test qw/:DEFAULT data_file srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
setup("test_ecparam");
@@ -25,7 +25,7 @@ my @valid = glob(data_file("valid", "*.pem"));
my @noncanon = glob(data_file("noncanon", "*.pem"));
my @invalid = glob(data_file("invalid", "*.pem"));
-plan tests => 11;
+plan tests => 12;
sub checkload {
my $files = shift; # List of files
@@ -59,6 +59,8 @@ sub checkcompare {
}
}
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+
subtest "Check loading valid parameters by ecparam with -check" => sub {
plan tests => scalar(@valid);
checkload(\@valid, 1, "ecparam", "-check");
@@ -113,3 +115,31 @@ subtest "Check pkeyparam does not change the parameter file on output" => sub {
plan tests => 2 * scalar(@valid);
checkcompare(\@valid, "pkeyparam");
};
+
+subtest "Check loading of fips and non-fips params" => sub {
+ plan skip_all => "FIPS is disabled"
+ if $no_fips;
+ plan tests => 3;
+
+ my $fipsconf = srctop_file("test", "fips-and-base.cnf");
+ my $defaultconf = srctop_file("test", "default.cnf");
+
+ $ENV{OPENSSL_CONF} = $fipsconf;
+
+ ok(run(app(['openssl', 'ecparam',
+ '-in', data_file('valid', 'secp384r1-explicit.pem'),
+ '-check'])),
+ "Loading explicitly encoded valid curve");
+
+ ok(run(app(['openssl', 'ecparam',
+ '-in', data_file('valid', 'secp384r1-named.pem'),
+ '-check'])),
+ "Loading named valid curve");
+
+ ok(!run(app(['openssl', 'ecparam',
+ '-in', data_file('valid', 'secp112r1-named.pem'),
+ '-check'])),
+ "Fail loading named non-fips curve");
+
+ $ENV{OPENSSL_CONF} = $defaultconf;
+};

421
0014-FIPS-disable-explicit-ec.patch
Unescape View File

@ -0,0 +1,421 @@
diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
index 9dc143c2ac69..4d6f2a76ad20 100644
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -35,6 +35,8 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
"discriminant is zero"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),
"ec group new by name failure"},
+ {ERR_PACK(ERR_LIB_EC, 0, EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED),
+ "explicit params not supported"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_FAILED_MAKING_PUBLIC_KEY),
"failed making public key"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_FIELD_TOO_LARGE), "field too large"},
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 2aeab7e3b6b5..f686e45f899d 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1387,6 +1387,7 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
}
#endif
+#ifndef FIPS_MODULE
/*
* Check if the explicit parameters group matches any built-in curves.
*
@@ -1424,7 +1425,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group,
* parameters with one created from a named group.
*/
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
/*
* NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
* the same curve, we prefer the SECP nid when matching explicit
@@ -1432,7 +1433,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group,
*/
if (curve_name_nid == NID_wap_wsg_idm_ecid_wtls12)
curve_name_nid = NID_secp224r1;
-#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
+# endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
ret_group = EC_GROUP_new_by_curve_name_ex(libctx, propq, curve_name_nid);
if (ret_group == NULL)
@@ -1467,6 +1468,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group,
EC_GROUP_free(ret_group);
return NULL;
}
+#endif /* FIPS_MODULE */
static EC_GROUP *group_new_from_name(const OSSL_PARAM *p,
OSSL_LIB_CTX *libctx, const char *propq)
@@ -1536,9 +1538,13 @@ int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[])
EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
OSSL_LIB_CTX *libctx, const char *propq)
{
- const OSSL_PARAM *ptmp, *pa, *pb;
+ const OSSL_PARAM *ptmp;
+ EC_GROUP *group = NULL;
+
+#ifndef FIPS_MODULE
+ const OSSL_PARAM *pa, *pb;
int ok = 0;
- EC_GROUP *group = NULL, *named_group = NULL;
+ EC_GROUP *named_group = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL, *order = NULL, *cofactor = NULL;
EC_POINT *point = NULL;
int field_bits = 0;
@@ -1546,6 +1552,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
BN_CTX *bnctx = NULL;
const unsigned char *buf = NULL;
int encoding_flag = -1;
+#endif
/* This is the simple named group case */
ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME);
@@ -1559,6 +1566,10 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
}
return group;
}
+#ifdef FIPS_MODULE
+ ERR_raise(ERR_LIB_EC, EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED);
+ return NULL;
+#else
/* If it gets here then we are trying explicit parameters */
bnctx = BN_CTX_new_ex(libctx);
if (bnctx == NULL) {
@@ -1623,10 +1634,10 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
/* create the EC_GROUP structure */
group = EC_GROUP_new_curve_GFp(p, a, b, bnctx);
} else {
-#ifdef OPENSSL_NO_EC2M
+# ifdef OPENSSL_NO_EC2M
ERR_raise(ERR_LIB_EC, EC_R_GF2M_NOT_SUPPORTED);
goto err;
-#else
+# else
/* create the EC_GROUP structure */
group = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
if (group != NULL) {
@@ -1636,7 +1647,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
}
-#endif /* OPENSSL_NO_EC2M */
+# endif /* OPENSSL_NO_EC2M */
}
if (group == NULL) {
@@ -1733,4 +1744,5 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
BN_CTX_free(bnctx);
return group;
+#endif /* FIPS_MODULE */
}
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index c4a94f955905..41df7127403c 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -553,6 +553,7 @@ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
EC_R_DECODE_ERROR:142:decode error
EC_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero
EC_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure
+EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED:127:explicit params not supported
EC_R_FAILED_MAKING_PUBLIC_KEY:166:failed making public key
EC_R_FIELD_TOO_LARGE:143:field too large
EC_R_GF2M_NOT_SUPPORTED:147:gf2m not supported
diff --git a/include/crypto/ecerr.h b/include/crypto/ecerr.h
index 07b6c7aa62dd..4658ae8fb2cd 100644
--- a/include/crypto/ecerr.h
+++ b/include/crypto/ecerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
index 49088d208b2c..46405ac62d91 100644
--- a/include/openssl/ecerr.h
+++ b/include/openssl/ecerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -35,6 +35,7 @@
# define EC_R_DECODE_ERROR 142
# define EC_R_DISCRIMINANT_IS_ZERO 118
# define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 119
+# define EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED 127
# define EC_R_FAILED_MAKING_PUBLIC_KEY 166
# define EC_R_FIELD_TOO_LARGE 143
# define EC_R_GF2M_NOT_SUPPORTED 147
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 0c33dff0ee2b..3d78bea50ea3 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -147,6 +147,7 @@ typedef int (checker)(const char *file, const int line,
typedef void (dumper)(const char *label, const void *data, size_t data_len);
#define FLAG_DECODE_WITH_TYPE 0x0001
+#define FLAG_FAIL_IF_FIPS 0x0002
static int test_encode_decode(const char *file, const int line,
const char *type, EVP_PKEY *pkey,
@@ -170,8 +171,19 @@ static int test_encode_decode(const char *file, const int line,
* dumping purposes.
*/
if (!TEST_true(encode_cb(file, line, &encoded, &encoded_len, pkey, selection,
- output_type, output_structure, pass, pcipher))
- || !TEST_true(check_cb(file, line, type, encoded, encoded_len))
+ output_type, output_structure, pass, pcipher)))
+ goto end;
+
+ if ((flags & FLAG_FAIL_IF_FIPS) != 0 && is_fips) {
+ if (TEST_false(decode_cb(file, line, (void **)&pkey2, encoded,
+ encoded_len, output_type, output_structure,
+ (flags & FLAG_DECODE_WITH_TYPE ? type : NULL),
+ selection, pass)))
+ ok = 1;
+ goto end;
+ }
+
+ if (!TEST_true(check_cb(file, line, type, encoded, encoded_len))
|| !TEST_true(decode_cb(file, line, (void **)&pkey2, encoded, encoded_len,
output_type, output_structure,
(flags & FLAG_DECODE_WITH_TYPE ? type : NULL),
@@ -525,7 +537,7 @@ static int check_unprotected_PKCS8_DER(const char *file, const int line,
return ok;
}
-static int test_unprotected_via_DER(const char *type, EVP_PKEY *key)
+static int test_unprotected_via_DER(const char *type, EVP_PKEY *key, int fips)
{
return test_encode_decode(__FILE__, __LINE__, type, key,
OSSL_KEYMGMT_SELECT_KEYPAIR
@@ -533,7 +545,7 @@ static int test_unprotected_via_DER(const char *type, EVP_PKEY *key)
"DER", "PrivateKeyInfo", NULL, NULL,
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
test_mem, check_unprotected_PKCS8_DER,
- dump_der, 0);
+ dump_der, fips ? 0 : FLAG_FAIL_IF_FIPS);
}
static int check_unprotected_PKCS8_PEM(const char *file, const int line,
@@ -547,7 +559,7 @@ static int check_unprotected_PKCS8_PEM(const char *file, const int line,
sizeof(expected_pem_header) - 1);
}
-static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key)
+static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key, int fips)
{
return test_encode_decode(__FILE__, __LINE__, type, key,
OSSL_KEYMGMT_SELECT_KEYPAIR
@@ -555,7 +567,7 @@ static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key)
"PEM", "PrivateKeyInfo", NULL, NULL,
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
test_text, check_unprotected_PKCS8_PEM,
- dump_pem, 0);
+ dump_pem, fips ? 0 : FLAG_FAIL_IF_FIPS);
}
#ifndef OPENSSL_NO_KEYPARAMS
@@ -702,7 +714,7 @@ static int check_protected_PKCS8_DER(const char *file, const int line,
return ok;
}
-static int test_protected_via_DER(const char *type, EVP_PKEY *key)
+static int test_protected_via_DER(const char *type, EVP_PKEY *key, int fips)
{
return test_encode_decode(__FILE__, __LINE__, type, key,
OSSL_KEYMGMT_SELECT_KEYPAIR
@@ -711,7 +723,7 @@ static int test_protected_via_DER(const char *type, EVP_PKEY *key)
pass, pass_cipher,
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
test_mem, check_protected_PKCS8_DER,
- dump_der, 0);
+ dump_der, fips ? 0 : FLAG_FAIL_IF_FIPS);
}
static int check_protected_PKCS8_PEM(const char *file, const int line,
@@ -725,7 +737,7 @@ static int check_protected_PKCS8_PEM(const char *file, const int line,
sizeof(expected_pem_header) - 1);
}
-static int test_protected_via_PEM(const char *type, EVP_PKEY *key)
+static int test_protected_via_PEM(const char *type, EVP_PKEY *key, int fips)
{
return test_encode_decode(__FILE__, __LINE__, type, key,
OSSL_KEYMGMT_SELECT_KEYPAIR
@@ -734,7 +746,7 @@ static int test_protected_via_PEM(const char *type, EVP_PKEY *key)
pass, pass_cipher,
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
test_text, check_protected_PKCS8_PEM,
- dump_pem, 0);
+ dump_pem, fips ? 0 : FLAG_FAIL_IF_FIPS);
}
static int check_protected_legacy_PEM(const char *file, const int line,
@@ -795,14 +807,15 @@ static int check_public_DER(const char *file, const int line,
return ok;
}
-static int test_public_via_DER(const char *type, EVP_PKEY *key)
+static int test_public_via_DER(const char *type, EVP_PKEY *key, int fips)
{
return test_encode_decode(__FILE__, __LINE__, type, key,
OSSL_KEYMGMT_SELECT_PUBLIC_KEY
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS,
"DER", "SubjectPublicKeyInfo", NULL, NULL,
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
- test_mem, check_public_DER, dump_der, 0);
+ test_mem, check_public_DER, dump_der,
+ fips ? 0 : FLAG_FAIL_IF_FIPS);
}
static int check_public_PEM(const char *file, const int line,
@@ -816,14 +829,15 @@ static int check_public_PEM(const char *file, const int line,
sizeof(expected_pem_header) - 1);
}
-static int test_public_via_PEM(const char *type, EVP_PKEY *key)
+static int test_public_via_PEM(const char *type, EVP_PKEY *key, int fips)
{
return test_encode_decode(__FILE__, __LINE__, type, key,
OSSL_KEYMGMT_SELECT_PUBLIC_KEY
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS,
"PEM", "SubjectPublicKeyInfo", NULL, NULL,
encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
- test_text, check_public_PEM, dump_pem, 0);
+ test_text, check_public_PEM, dump_pem,
+ fips ? 0 : FLAG_FAIL_IF_FIPS);
}
static int check_public_MSBLOB(const char *file, const int line,
@@ -868,30 +882,30 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key)
EVP_PKEY_free(template_##KEYTYPE); \
EVP_PKEY_free(key_##KEYTYPE)
-#define IMPLEMENT_TEST_SUITE(KEYTYPE, KEYTYPEstr) \
+#define IMPLEMENT_TEST_SUITE(KEYTYPE, KEYTYPEstr, fips) \
static int test_unprotected_##KEYTYPE##_via_DER(void) \
{ \
- return test_unprotected_via_DER(KEYTYPEstr, key_##KEYTYPE); \
+ return test_unprotected_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \
} \
static int test_unprotected_##KEYTYPE##_via_PEM(void) \
{ \
- return test_unprotected_via_PEM(KEYTYPEstr, key_##KEYTYPE); \
+ return test_unprotected_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \
} \
static int test_protected_##KEYTYPE##_via_DER(void) \
{ \
- return test_protected_via_DER(KEYTYPEstr, key_##KEYTYPE); \
+ return test_protected_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \
} \
static int test_protected_##KEYTYPE##_via_PEM(void) \
{ \
- return test_protected_via_PEM(KEYTYPEstr, key_##KEYTYPE); \
+ return test_protected_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \
} \
static int test_public_##KEYTYPE##_via_DER(void) \
{ \
- return test_public_via_DER(KEYTYPEstr, key_##KEYTYPE); \
+ return test_public_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \
} \
static int test_public_##KEYTYPE##_via_PEM(void) \
{ \
- return test_public_via_PEM(KEYTYPEstr, key_##KEYTYPE); \
+ return test_public_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \
}
#define ADD_TEST_SUITE(KEYTYPE) \
@@ -965,10 +979,10 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key)
#ifndef OPENSSL_NO_DH
DOMAIN_KEYS(DH);
-IMPLEMENT_TEST_SUITE(DH, "DH")
+IMPLEMENT_TEST_SUITE(DH, "DH", 1)
IMPLEMENT_TEST_SUITE_PARAMS(DH, "DH")
DOMAIN_KEYS(DHX);
-IMPLEMENT_TEST_SUITE(DHX, "X9.42 DH")
+IMPLEMENT_TEST_SUITE(DHX, "X9.42 DH", 1)
IMPLEMENT_TEST_SUITE_PARAMS(DHX, "X9.42 DH")
/*
* DH has no support for PEM_write_bio_PrivateKey_traditional(),
@@ -977,7 +991,7 @@ IMPLEMENT_TEST_SUITE_PARAMS(DHX, "X9.42 DH")
#endif
#ifndef OPENSSL_NO_DSA
DOMAIN_KEYS(DSA);
-IMPLEMENT_TEST_SUITE(DSA, "DSA")
+IMPLEMENT_TEST_SUITE(DSA, "DSA", 1)
IMPLEMENT_TEST_SUITE_PARAMS(DSA, "DSA")
IMPLEMENT_TEST_SUITE_LEGACY(DSA, "DSA")
IMPLEMENT_TEST_SUITE_MSBLOB(DSA, "DSA")
@@ -988,41 +1002,41 @@ IMPLEMENT_TEST_SUITE_PROTECTED_PVK(DSA, "DSA")
#endif
#ifndef OPENSSL_NO_EC
DOMAIN_KEYS(EC);
-IMPLEMENT_TEST_SUITE(EC, "EC")
+IMPLEMENT_TEST_SUITE(EC, "EC", 1)
IMPLEMENT_TEST_SUITE_PARAMS(EC, "EC")
IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
-IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC")
+IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
/*DOMAIN_KEYS(ECExplicitPrime2G);*/
-/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC")*/
+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
# ifndef OPENSSL_NO_EC2M
DOMAIN_KEYS(ECExplicitTriNamedCurve);
-IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC")
+IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve, "EC")
DOMAIN_KEYS(ECExplicitTri2G);
-IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC")
+IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC", 0)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTri2G, "EC")
# endif
KEYS(ED25519);
-IMPLEMENT_TEST_SUITE(ED25519, "ED25519")
+IMPLEMENT_TEST_SUITE(ED25519, "ED25519", 1)
KEYS(ED448);
-IMPLEMENT_TEST_SUITE(ED448, "ED448")
+IMPLEMENT_TEST_SUITE(ED448, "ED448", 1)
KEYS(X25519);
-IMPLEMENT_TEST_SUITE(X25519, "X25519")
+IMPLEMENT_TEST_SUITE(X25519, "X25519", 1)
KEYS(X448);
-IMPLEMENT_TEST_SUITE(X448, "X448")
+IMPLEMENT_TEST_SUITE(X448, "X448", 1)
/*
* ED25519, ED448, X25519 and X448 have no support for
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
*/
#endif
KEYS(RSA);
-IMPLEMENT_TEST_SUITE(RSA, "RSA")
+IMPLEMENT_TEST_SUITE(RSA, "RSA", 1)
IMPLEMENT_TEST_SUITE_LEGACY(RSA, "RSA")
KEYS(RSA_PSS);
-IMPLEMENT_TEST_SUITE(RSA_PSS, "RSA-PSS")
+IMPLEMENT_TEST_SUITE(RSA_PSS, "RSA-PSS", 1)
/*
* RSA-PSS has no support for PEM_write_bio_PrivateKey_traditional(),
* so no legacy tests.

32
0045-FIPS-services-minimize.patch
Unescape View File

@ -624,3 +624,35 @@ diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 openssl-3.0.1/tes
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
}
diff -up openssl-3.0.1/test/endecode_test.c.fipsmin3 openssl-3.0.1/test/endecode_test.c
--- openssl-3.0.1/test/endecode_test.c.fipsmin3 2022-05-06 16:25:57.296926271 +0200
+++ openssl-3.0.1/test/endecode_test.c 2022-05-06 16:27:42.712850840 +0200
@@ -1387,6 +1387,7 @@ int setup_tests(void)
* so no legacy tests.
*/
#endif
+ if (is_fips == 0) {
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE(DSA);
ADD_TEST_SUITE_PARAMS(DSA);
@@ -1397,6 +1398,7 @@ int setup_tests(void)
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
# endif
#endif
+ }
#ifndef OPENSSL_NO_EC
ADD_TEST_SUITE(EC);
ADD_TEST_SUITE_PARAMS(EC);
@@ -1411,10 +1413,12 @@ int setup_tests(void)
ADD_TEST_SUITE(ECExplicitTri2G);
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
# endif
+ if (is_fips == 0) {
ADD_TEST_SUITE(ED25519);
ADD_TEST_SUITE(ED448);
ADD_TEST_SUITE(X25519);
ADD_TEST_SUITE(X448);
+ }
/*
* ED25519, ED448, X25519 and X448 have no support for
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.

14
openssl.spec
Unescape View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.1
Release: 27%{?dist}
Release: 28%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -68,8 +68,12 @@ Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch
# Disable explicit EC curves
# https://bugzilla.redhat.com/show_bug.cgi?id=1977867
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
Patch12: 0012-Disable-explicit-ec.patch
# https://github.com/openssl/openssl/pull/17981
Patch13: 0013-FIPS-provider-explicit-ec.patch
# https://github.com/openssl/openssl/pull/17998
Patch14: 0014-FIPS-disable-explicit-ec.patch
# Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch
# Tmp: test name change
@ -440,6 +444,12 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Fri May 06 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-28
- OpenSSL should not accept custom elliptic curve parameters
- Resolves rhbz#2066412
- OpenSSL should not accept explicit curve parameters in FIPS mode
- Resolves rhbz#2058663
* Fri May 06 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-27
- Change FIPS module version to include hash of specfile, patches and sources
Resolves: rhbz#2070550

Write Preview
Loading…
Cancel
Save