SHA256
1
0
forked from pool/openssl-1_1
Richard Brown 2022-10-01 15:41:27 +00:00 committed by Git OBS Bridge
commit f932996074
3 changed files with 98 additions and 0 deletions

View File

@ -0,0 +1,88 @@
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 98c7321..ac7feb4 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -194,15 +194,42 @@ int dhparam_main(int argc, char **argv)
} else
#endif
{
- dh = DH_new();
- BIO_printf(bio_err,
- "Generating DH parameters, %d bit long safe prime, generator %d\n",
- num, g);
- BIO_printf(bio_err, "This is going to take a long time\n");
- if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ /* In FIPS mode, instead of generating DH parameters we use parameters from an approved group,
+ in this case, RFC-7919. */
+ int param_nid;
+ switch (num) {
+ case 8192:
+ param_nid = NID_ffdhe8192;
+ break;
+ case 6144:
+ param_nid = NID_ffdhe6144;
+ break;
+ case 4096:
+ param_nid = NID_ffdhe4096;
+ break;
+ case 3072:
+ param_nid = NID_ffdhe3072;
+ break;
+ default:
+ param_nid = NID_ffdhe2048;
+ break;
+ }
+ dh = DH_new_by_nid(param_nid);
+ } else
+#endif /* OPENSSL_FIPS */
+ {
+ dh = DH_new();
+ BIO_printf(bio_err,
+ "Generating DH parameters, %d bit long safe prime, generator %d\n",
+ num, g);
+ BIO_printf(bio_err, "This is going to take a long time\n");
+ if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
BN_GENCB_free(cb);
ERR_print_errors(bio_err);
goto end;
+ }
}
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 261c8a1..d281873 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -330,6 +330,30 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
DH_PKEY_CTX *dctx = ctx->data;
BN_GENCB *pcb;
int ret;
+
+#ifdef OPENSSL_FIPS
+ /* In FIPS mode we default to an appropriate group. */
+ if (FIPS_mode() && (!(dctx->rfc5114_param)) && (dctx->param_nid == 0)) {
+ switch (dctx->prime_len) {
+ case 8192:
+ dctx->param_nid = NID_ffdhe8192;
+ break;
+ case 6144:
+ dctx->param_nid = NID_ffdhe6144;
+ break;
+ case 4096:
+ dctx->param_nid = NID_ffdhe4096;
+ break;
+ case 3072:
+ dctx->param_nid = NID_ffdhe3072;
+ break;
+ default:
+ dctx->param_nid = NID_ffdhe2048;
+ break;
+ }
+ }
+#endif /* OPENSSL_FIPS */
+
if (dctx->rfc5114_param) {
switch (dctx->rfc5114_param) {
case 1:

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Sat Sep 24 02:40:39 UTC 2022 - Jason Sikes <jsikes@suse.com>
- Added openssl-1_1-paramgen-default_to_rfc7919.patch
* bsc#1180995
* Default to RFC7919 groups when generating ECDH parameters
using 'genpkey' or 'dhparam' in FIPS mode.
-------------------------------------------------------------------
Thu Jul 7 02:17:23 UTC 2022 - Jason Sikes <jsikes@suse.com>

View File

@ -121,6 +121,8 @@ Patch71: openssl-1_1-Optimize-AES-XTS-aarch64.patch
Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch
#PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
Patch73: openssl-1_1-FIPS-fix-error-reason-codes.patch
#PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
Patch74: openssl-1_1-paramgen-default_to_rfc7919.patch
Requires: libopenssl1_1 = %{version}-%{release}
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)