libica/libica-02-fips-update-Change-service-indicator-implementation.patch
Nikolay Gueorguiev 7428af8575 - Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
* libica-02-fips-update-Change-service-indicator-implementation.patch
  * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
  * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=26
2024-11-13 09:12:54 +00:00

117 lines
3.9 KiB
Diff

From 238d85eec7050be5573190c519c1c8eaacae5359 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Mon, 28 Oct 2024 13:44:11 +0100
Subject: [PATCH] fips update: Change service indicator implementation
Perform checks for non-approved algorithms / parameters directly into the
APIs that perform the services.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/ica_api.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/ica_api.c b/src/ica_api.c
index 0826af8..d071f61 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -1052,6 +1052,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
+ return EPERM;
#endif /* ICA_FIPS */
if (public_key->key_length != private_key->key_length)
@@ -1094,6 +1096,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
+ return EPERM;
#endif /* ICA_FIPS */
if (public_key->key_length != private_key->key_length)
@@ -1130,6 +1134,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -1193,6 +1199,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
+ return EPERM;
#endif /* ICA_FIPS */
/* check if p > q */
@@ -1266,6 +1274,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -1337,6 +1347,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
#ifdef ICA_FIPS
if (fips >> 1)
return NULL;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return NULL;
#endif /* ICA_FIPS */
if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL)
@@ -1375,6 +1387,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return EPERM;
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(key->nid) ||
!curve_supported_via_cpacf(key->nid)) {
@@ -1421,6 +1435,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key)
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return EPERM;
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(key->nid) ||
!curve_supported_via_cpacf(key->nid))
@@ -1494,6 +1510,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(EC_DH) && !fips_override(EC_DH))
+ return EPERM;
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(privkey_A->nid) ||
!curve_supported_via_cpacf(privkey_A->nid))
@@ -1567,6 +1585,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle,
if (!curve_supported_via_openssl(privkey->nid) ||
!curve_supported_via_cpacf(privkey->nid))
return EPERM;
+ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))
+ return EPERM;
}
#endif /* ICA_FIPS */
@@ -1654,6 +1674,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(EC_DSA_VERIFY) && !fips_override(EC_DSA_VERIFY))
+ return EPERM;
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(pubkey->nid) ||
!curve_supported_via_cpacf(pubkey->nid))