Accepting request 1007029 from home:ohollmann:branches:home:jsikes:branches:security:tls

- Added openssl-1_1-paramgen-default_to_rfc7919.patch * bsc#1180995 * Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode. OBS-URL: https://build.opensuse.org/request/show/1007029 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=119
2022-09-30 10:26:12 +00:00 · 2022-09-30 10:26:12 +00:00 · ba6be953da
commit ba6be953da
parent bc10d3dbd2
3 changed files with 98 additions and 0 deletions
--- a/openssl-1_1-paramgen-default_to_rfc7919.patch
+++ b/openssl-1_1-paramgen-default_to_rfc7919.patch
@ -0,0 +1,88 @@
+diff --git a/apps/dhparam.c b/apps/dhparam.c
+index 98c7321..ac7feb4 100644
+--- a/apps/dhparam.c
+++ b/apps/dhparam.c
+@@ -194,15 +194,42 @@ int dhparam_main(int argc, char **argv)
+         } else
+ #endif
+         {
+-            dh = DH_new();
+-            BIO_printf(bio_err,
+-                       "Generating DH parameters, %d bit long safe prime, generator %d\n",
+-                       num, g);
+-            BIO_printf(bio_err, "This is going to take a long time\n");
+-            if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
+#ifdef OPENSSL_FIPS
+          if (FIPS_mode()) {
+            /* In FIPS mode, instead of generating DH parameters we use parameters from an approved group,
+             in this case, RFC-7919. */
+            int param_nid;
+            switch (num) {
+            case 8192:
+              param_nid = NID_ffdhe8192;
+              break;
+            case 6144:
+              param_nid = NID_ffdhe6144;
+              break;
+            case 4096:
+              param_nid = NID_ffdhe4096;
+              break;
+            case 3072:
+              param_nid = NID_ffdhe3072;
+              break;
+            default:
+              param_nid = NID_ffdhe2048;
+              break;
+            }
+            dh = DH_new_by_nid(param_nid);
+          } else
+#endif /* OPENSSL_FIPS */
+            {
+              dh = DH_new();
+              BIO_printf(bio_err,
+                         "Generating DH parameters, %d bit long safe prime, generator %d\n",
+                         num, g);
+              BIO_printf(bio_err, "This is going to take a long time\n");
+              if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
+                 BN_GENCB_free(cb);
+                 ERR_print_errors(bio_err);
+                 goto end;
+              }
+             }
+         }
+ 
+diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
+index 261c8a1..d281873 100644
+--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
+@@ -330,6 +330,30 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+     DH_PKEY_CTX *dctx = ctx->data;
+     BN_GENCB *pcb;
+     int ret;
+
+#ifdef OPENSSL_FIPS
+    /* In FIPS mode we default to an appropriate group. */
+    if (FIPS_mode() && (!(dctx->rfc5114_param)) && (dctx->param_nid == 0)) {
+      switch (dctx->prime_len) {
+      case 8192:
+        dctx->param_nid = NID_ffdhe8192;
+        break;
+      case 6144:
+        dctx->param_nid = NID_ffdhe6144;
+        break;
+      case 4096:
+        dctx->param_nid = NID_ffdhe4096;
+        break;
+      case 3072:
+        dctx->param_nid = NID_ffdhe3072;
+        break;
+      default:
+        dctx->param_nid = NID_ffdhe2048;
+        break;
+      }
+    }
+#endif /* OPENSSL_FIPS */
+
+     if (dctx->rfc5114_param) {
+         switch (dctx->rfc5114_param) {
+         case 1:
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat Sep 24 02:40:39 UTC 2022 - Jason Sikes <jsikes@suse.com>
+
+- Added openssl-1_1-paramgen-default_to_rfc7919.patch
+  * bsc#1180995
+  * Default to RFC7919 groups when generating ECDH parameters
+    using 'genpkey' or 'dhparam' in FIPS mode.
+
 -------------------------------------------------------------------
 Thu Jul  7 02:17:23 UTC 2022 - Jason Sikes <jsikes@suse.com>

--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -121,6 +121,8 @@ Patch71:        openssl-1_1-Optimize-AES-XTS-aarch64.patch
 Patch72:        openssl-1_1-Optimize-AES-GCM-uarchs.patch
 #PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
 Patch73:        openssl-1_1-FIPS-fix-error-reason-codes.patch
+#PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
+Patch74:        openssl-1_1-paramgen-default_to_rfc7919.patch
 Requires:       libopenssl1_1 = %{version}-%{release}
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)