7428af8575
* libica-02-fips-update-Change-service-indicator-implementation.patch * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=26
117 lines
3.9 KiB
Diff
117 lines
3.9 KiB
Diff
From 238d85eec7050be5573190c519c1c8eaacae5359 Mon Sep 17 00:00:00 2001
|
|
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
|
Date: Mon, 28 Oct 2024 13:44:11 +0100
|
|
Subject: [PATCH] fips update: Change service indicator implementation
|
|
|
|
Perform checks for non-approved algorithms / parameters directly into the
|
|
APIs that perform the services.
|
|
|
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
|
---
|
|
src/ica_api.c | 22 ++++++++++++++++++++++
|
|
1 file changed, 22 insertions(+)
|
|
|
|
diff --git a/src/ica_api.c b/src/ica_api.c
|
|
index 0826af8..d071f61 100644
|
|
--- a/src/ica_api.c
|
|
+++ b/src/ica_api.c
|
|
@@ -1052,6 +1052,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return EACCES;
|
|
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
|
|
+ return EPERM;
|
|
#endif /* ICA_FIPS */
|
|
|
|
if (public_key->key_length != private_key->key_length)
|
|
@@ -1094,6 +1096,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return EACCES;
|
|
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
|
|
+ return EPERM;
|
|
#endif /* ICA_FIPS */
|
|
|
|
if (public_key->key_length != private_key->key_length)
|
|
@@ -1130,6 +1134,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return EACCES;
|
|
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
|
|
+ return EPERM;
|
|
#endif /* ICA_FIPS */
|
|
|
|
/* check for obvious errors in parms */
|
|
@@ -1193,6 +1199,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return EACCES;
|
|
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
|
|
+ return EPERM;
|
|
#endif /* ICA_FIPS */
|
|
|
|
/* check if p > q */
|
|
@@ -1266,6 +1274,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return EACCES;
|
|
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
|
|
+ return EPERM;
|
|
#endif /* ICA_FIPS */
|
|
|
|
/* check for obvious errors in parms */
|
|
@@ -1337,6 +1347,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return NULL;
|
|
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
|
|
+ return NULL;
|
|
#endif /* ICA_FIPS */
|
|
|
|
if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL)
|
|
@@ -1375,6 +1387,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y,
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return EACCES;
|
|
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
|
|
+ return EPERM;
|
|
if (fips & ICA_FIPS_MODE) {
|
|
if (!curve_supported_via_openssl(key->nid) ||
|
|
!curve_supported_via_cpacf(key->nid)) {
|
|
@@ -1421,6 +1435,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key)
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return EACCES;
|
|
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
|
|
+ return EPERM;
|
|
if (fips & ICA_FIPS_MODE) {
|
|
if (!curve_supported_via_openssl(key->nid) ||
|
|
!curve_supported_via_cpacf(key->nid))
|
|
@@ -1494,6 +1510,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle,
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return EACCES;
|
|
+ if (!fips_approved(EC_DH) && !fips_override(EC_DH))
|
|
+ return EPERM;
|
|
if (fips & ICA_FIPS_MODE) {
|
|
if (!curve_supported_via_openssl(privkey_A->nid) ||
|
|
!curve_supported_via_cpacf(privkey_A->nid))
|
|
@@ -1567,6 +1585,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle,
|
|
if (!curve_supported_via_openssl(privkey->nid) ||
|
|
!curve_supported_via_cpacf(privkey->nid))
|
|
return EPERM;
|
|
+ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))
|
|
+ return EPERM;
|
|
}
|
|
#endif /* ICA_FIPS */
|
|
|
|
@@ -1654,6 +1674,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle,
|
|
#ifdef ICA_FIPS
|
|
if (fips >> 1)
|
|
return EACCES;
|
|
+ if (!fips_approved(EC_DSA_VERIFY) && !fips_override(EC_DSA_VERIFY))
|
|
+ return EPERM;
|
|
if (fips & ICA_FIPS_MODE) {
|
|
if (!curve_supported_via_openssl(pubkey->nid) ||
|
|
!curve_supported_via_cpacf(pubkey->nid))
|