Pedro Monreal Gonzalez
6bc57d937f
* SHA-1 is not allowed anymore in FIPS 186-5 for signature
verification operations. After 12/31/2030, NIST will disallow
SHA-1 for all of its usages.
* Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
- FIPS: RSA keygen PCT requirements.
* Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the
self-test requirements are covered by do_rsa_pct() for both
RSA-OAEP and RSA signatures [bsc#1221760]
* Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753]
* Add openssl-3-FIPS-PCT_rsa_keygen.patch
- FIPS: Check that the fips provider is available before setting
it as the default provider in FIPS mode. [bsc#1220523]
* Rebase openssl-Force-FIPS.patch
- FIPS: Port openssl to use jitterentropy [bsc#1220523]
* Set the module in error state if the jitter RNG fails either on
initialization or entropy gathering because health tests failed.
* Add jitterentropy as a seeding source output also in crypto/info.c
* Move the jitter entropy collector and the associated lock out
of the header file to avoid redefinitions.
* Add the fips_local.cnf symlink to the spec file. This simlink
points to the openssl_fips.config file that is provided by the
crypto-policies package.
* Rebase openssl-3-jitterentropy-3.4.0.patch
* Rebase openssl-FIPS-enforce-EMS-support.patch
- FIPS: Block non-Approved Elliptic Curves [bsc#1221786]
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
Index: openssl-3.1.4/providers/fips/self_test.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/fips/self_test.c
|
|
+++ openssl-3.1.4/providers/fips/self_test.c
|
|
@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
|
if (ev == NULL)
|
|
goto end;
|
|
|
|
+ /*
|
|
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
|
|
+ */
|
|
+ if (kats_already_passed == 0) {
|
|
+ if (!SELF_TEST_kats(ev, st->libctx)) {
|
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
|
+ goto end;
|
|
+ }
|
|
+ }
|
|
+
|
|
module_checksum = fips_hmac_container;
|
|
checksum_len = sizeof(fips_hmac_container);
|
|
|
|
@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
|
}
|
|
}
|
|
|
|
- /*
|
|
- * Only runs the KAT's during installation OR on_demand().
|
|
- * NOTE: If the installation option 'self_test_onload' is chosen then this
|
|
- * path will always be run, since kats_already_passed will always be 0.
|
|
- */
|
|
- if (on_demand_test || kats_already_passed == 0) {
|
|
- if (!SELF_TEST_kats(ev, st->libctx)) {
|
|
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
|
- goto end;
|
|
- }
|
|
- }
|
|
-
|
|
/* Verify that the RNG has been restored properly */
|
|
rng = ossl_rand_get0_private_noncreating(st->libctx);
|
|
if (rng != NULL)
|