openssl-1_1/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
Otto Hollmann 58799edc59 Accepting request 1181542 from home:jamborm:gcc14fixes
- Fixed C99 violations in patches bsc1185319-FIPS-KAT-for-ECDSA.patch
  (need to for explicity typecast) and
  openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
  (missing include) to allow the package to build with GCC 14.
  [boo#1225907]

OBS-URL: https://build.opensuse.org/request/show/1181542
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=162
2024-06-19 09:54:20 +00:00

118 lines
3.5 KiB
Diff

---
crypto/asn1/ameth_lib.c | 18 ++++++++++++++++++
crypto/asn1/standard_methods.h | 29 +++++++++++++++++++++++++++++
crypto/evp/c_alld.c | 6 +++++-
3 files changed, 52 insertions(+), 1 deletion(-)
Index: openssl-1.1.1w/crypto/asn1/ameth_lib.c
===================================================================
--- openssl-1.1.1w.orig/crypto/asn1/ameth_lib.c
+++ openssl-1.1.1w/crypto/asn1/ameth_lib.c
@@ -35,7 +35,11 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_P
int EVP_PKEY_asn1_get_count(void)
{
+#ifdef OPENSSL_FIPS
+ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods);
+#else
int num = OSSL_NELEM(standard_methods);
+#endif
if (app_methods)
num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods);
return num;
@@ -43,11 +47,19 @@ int EVP_PKEY_asn1_get_count(void)
const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx)
{
+#ifdef OPENSSL_FIPS
+ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods);
+#else
int num = OSSL_NELEM(standard_methods);
+#endif
if (idx < 0)
return NULL;
if (idx < num)
+#ifdef OPENSSL_FIPS
+ return FIPS_mode() ? standard_fips_methods[idx] : standard_methods[idx];
+#else
return standard_methods[idx];
+#endif
idx -= num;
return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
}
@@ -63,7 +75,13 @@ static const EVP_PKEY_ASN1_METHOD *pkey_
if (idx >= 0)
return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
}
+#ifdef OPENSSL_FIPS
+ ret = FIPS_mode() ? \
+ OBJ_bsearch_ameth(&t, standard_fips_methods, OSSL_NELEM(standard_fips_methods)) : \
+ OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));
+#else
ret = OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));
+#endif
if (!ret || !*ret)
return NULL;
return *ret;
Index: openssl-1.1.1w/crypto/asn1/standard_methods.h
===================================================================
--- openssl-1.1.1w.orig/crypto/asn1/standard_methods.h
+++ openssl-1.1.1w/crypto/asn1/standard_methods.h
@@ -59,3 +59,32 @@ static const EVP_PKEY_ASN1_METHOD *stand
#endif
};
+static const EVP_PKEY_ASN1_METHOD *standard_fips_methods[] = {
+#ifndef OPENSSL_NO_RSA
+ &rsa_asn1_meths[0],
+ &rsa_asn1_meths[1],
+#endif
+#ifndef OPENSSL_NO_DH
+ &dh_asn1_meth,
+#endif
+#ifndef OPENSSL_NO_DSA
+ &dsa_asn1_meths[0],
+ &dsa_asn1_meths[1],
+ &dsa_asn1_meths[2],
+ &dsa_asn1_meths[3],
+ &dsa_asn1_meths[4],
+#endif
+#ifndef OPENSSL_NO_EC
+ &eckey_asn1_meth,
+#endif
+ &hmac_asn1_meth,
+#ifndef OPENSSL_NO_CMAC
+ &cmac_asn1_meth,
+#endif
+#ifndef OPENSSL_NO_RSA
+ &rsa_pss_asn1_meth,
+#endif
+#ifndef OPENSSL_NO_DH
+ &dhx_asn1_meth,
+#endif
+};
Index: openssl-1.1.1w/crypto/evp/c_alld.c
===================================================================
--- openssl-1.1.1w.orig/crypto/evp/c_alld.c
+++ openssl-1.1.1w/crypto/evp/c_alld.c
@@ -11,13 +11,18 @@
#include "internal/cryptlib.h"
#include <openssl/evp.h>
#include "crypto/evp.h"
+#include "crypto/fips_int.h"
#include <openssl/pkcs12.h>
#include <openssl/objects.h>
void openssl_add_all_digests_int(void)
{
#ifdef OPENSSL_FIPS
- if (!FIPS_mode()) {
+ /*
+ * This function is called from FIPS_selftest_ecdsa() before FIPS mode is
+ * turned on. That is the reason why we need to also check fips_in_post().
+ */
+ if (!FIPS_mode() && !fips_in_post()) {
#endif
#ifndef OPENSSL_NO_MD4
EVP_add_digest(EVP_md4());