Restoring fips=yes to SHA-1

Related: rhbz#2026445
3 years ago · d237e7f301
parent 9df33eabbe
commit d237e7f301
3 changed files with 1 additions and 64 deletions
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@ -11,15 +11,6 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers
 
 extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
 int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
-@@ -241,7 +244,7 @@ static int fips_self_test(void *provctx)
-  */
- static const OSSL_ALGORITHM fips_digests[] = {
-     /* Our primary name:NiST name[:our older names] */
-    { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
-+    { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
-     { PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
-     { PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
-     { PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
      * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
      * KMAC128 and KMAC256.
--- a/0046-FIPS-permitsha1-hmac.patch
+++ b/0046-FIPS-permitsha1-hmac.patch
@ -1,52 +0,0 @@
-diff -up openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac openssl-3.0.0/providers/implementations/macs/hmac_prov.c
--- openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac	2022-01-13 12:11:19.547755685 +0100
-+++ openssl-3.0.0/providers/implementations/macs/hmac_prov.c	2022-01-13 12:49:50.538432459 +0100
-@@ -14,6 +14,7 @@
- #include "internal/deprecated.h"
- 
- #include <string.h>
-+#include <strings.h>
- 
- #include <openssl/core_dispatch.h>
- #include <openssl/core_names.h>
-@@ -305,13 +306,40 @@ static int hmac_set_ctx_params(void *vma
-     struct hmac_data_st *macctx = vmacctx;
-     OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
-     const OSSL_PARAM *p;
-+#ifdef FIPS_MODULE
-+    const OSSL_PARAM *pdgst;
-+#endif
-     int flags = 0;
- 
-     if (params == NULL)
-         return 1;
- 
-+#ifdef FIPS_MODULE
-+    /* Red Hat removes fips=yes property from SHA1, but it's still
-+     * included in FIPS provider and we want HMAC working with it */
-+    pdgst = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
-+    if (pdgst != NULL) {
-+        const char *dgstname;
-+
-+        if (pdgst->data_type != OSSL_PARAM_UTF8_STRING)
-+            return 0;
-+        dgstname = pdgst->data;
-+        if (dgstname != NULL) {
-+            if ((strncasecmp("SHA1", dgstname, 4) == 0)
-+               || (strncasecmp("SHA-1", dgstname, 5) == 0)) {
-+               if (ossl_prov_digest_fetch(&macctx->digest, ctx,
-+                                   "SHA1", "provider=fips,-fips") == NULL)
-+                   return 0;
-+            } else {
-+                if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
-+                return 0;
-+            }
-+        }
-+    }
-+#else
-     if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
-         return 0;
-+#endif
- 
-     if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT,
-                   &flags))
--- a/openssl.spec
+++ b/openssl.spec
@ -67,8 +67,6 @@ Patch34: 0034.fipsinstall_disable.patch
 Patch35: 0035-speed-skip-unavailable-dgst.patch
 # Minimize fips services
 Patch45: 0045-FIPS-services-minimize.patch
-# Enable SHA1 HMAC in FIPS mode
-Patch46: 0046-FIPS-permitsha1-hmac.patch
 # Execute KATS before HMAC verification
 Patch47: 0047-FIPS-early-KATS.patch

@ -218,7 +216,7 @@ export HASHBANGPERL=/usr/bin/perl
 # Do not run this in a production package the FIPS symbols must be patched-in
 #util/mkdef.pl crypto update

-make -s %{?_smp_mflags} all
+make %{?_smp_mflags} all

 # Clean up the .pc files
 for i in libcrypto.pc libssl.pc openssl.pc ; do