pool/openssl-3
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
dd8139948c
openssl-3/openssl-Add-FIPS_mode-compatibility-macro.patch
Otto Hollmann 259f0441ec Accepting request 1129505 from home:ohollmann:branches:security:tls 
- Update to 3.2.0:
  * The BLAKE2b hash algorithm supports a configurable output length
    by setting the "size" parameter.
  * Enable extra Arm64 optimization on Windows for GHASH, RAND and
    AES.
  * Added a function to delete objects from store by URI -
    OSSL_STORE_delete() and the corresponding provider-storemgmt API
    function OSSL_FUNC_store_delete().
  * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to
    pass a passphrase callback when opening a store.
  * Changed the default salt length used by PBES2 KDF's (PBKDF2 and
    scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard
    uses a 64 bit salt length for PBE, and recommends a minimum of 64
    bits for PBES2. For FIPS compliance PBKDF2 requires a salt length
    of 128 bits. This affects OpenSSL command line applications such
    as "genrsa" and "pkcs8" and API's such as
    PEM_write_bio_PrivateKey() that are reliant on the default value.
    The additional commandline option 'saltlen' has been added to the
    OpenSSL command line applications for "pkcs8" and "enc" to allow
    the salt length to be set to a non default value.
  * Changed the default value of the ess_cert_id_alg configuration
    option which is used to calculate the TSA's public key
    certificate identifier. The default algorithm is updated to be
    sha256 instead of sha1.
  * Added optimization for SM2 algorithm on aarch64. It uses a huge
    precomputed table for point multiplication of the base point,
    which increases the size of libcrypto from 4.4 MB to 4.9 MB. A
    new configure option no-sm2-precomp has been added to disable the
    precomputed table.
  * Added client side support for QUIC

OBS-URL: https://build.opensuse.org/request/show/1129505
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=80
2023-11-28 11:04:23 +00:00

80 lines
2.3 KiB
Diff
Raw Blame History

From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
Patch-status: |
# Add FIPS_mode() compatibility macro
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
include/openssl/fips.h | 26 ++++++++++++++++++++++++++
test/property_test.c | 14 ++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 include/openssl/fips.h
Index: openssl-3.2.0/include/openssl/fips.h
===================================================================
--- /dev/null
+++ openssl-3.2.0/include/openssl/fips.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_FIPS_H
+# define OPENSSL_FIPS_H
+# pragma once
+
+# include <openssl/evp.h>
+# include <openssl/macros.h>
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
+
+# ifdef __cplusplus
+}
+# endif
+#endif
Index: openssl-3.2.0/test/property_test.c
===================================================================
--- openssl-3.2.0.orig/test/property_test.c
+++ openssl-3.2.0/test/property_test.c
@@ -680,6 +680,19 @@ static int test_property_list_to_string(
return ret;
}
+#include <openssl/fips.h>
+static int test_downstream_FIPS_mode(void)
+{
+ int ret = 0;
+
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
+ && TEST_true(FIPS_mode())
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
+ && TEST_false(FIPS_mode());
+
+ return ret;
+}
+
int setup_tests(void)
{
ADD_TEST(test_property_string);
@@ -693,6 +706,7 @@ int setup_tests(void)
ADD_TEST(test_property);
ADD_TEST(test_query_cache_stochastic);
ADD_TEST(test_fips_mode);
+ ADD_TEST(test_downstream_FIPS_mode);
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
return 1;
}
Reference in New Issue View Git Blame Copy Permalink