openssl-3/openssl-FIPS-enforce-security-checks-during-initialization.patch

Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -107,7 +107,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L
         return NULL;
     init_fips_option(&fgbl->fips_security_checks, 1);
     init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
-    init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
+    init_fips_option(&fgbl->fips_restricted_drgb_digests, 1); /* Enabled by default */
     return fgbl;
 }
 
@@ -820,8 +820,6 @@ int OSSL_provider_init_int(const OSSL_CO
     if (fgbl->field.option != NULL) {                                       \
         if (strcmp(fgbl->field.option, "1") == 0)                           \
             fgbl->field.enabled = 1;                                        \
-        else if (strcmp(fgbl->field.option, "0") == 0)                      \
-            fgbl->field.enabled = 0;                                        \
         else                                                                \
             goto err;                                                       \
     }
- FIPS: Deny SHA-1 signature verification in FIPS provider [bsc#1221365] * SHA-1 is not allowed anymore in FIPS 186-5 for signature verification operations. After 12/31/2030, NIST will disallow SHA-1 for all of its usages. * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch - FIPS: RSA keygen PCT requirements. * Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the self-test requirements are covered by do_rsa_pct() for both RSA-OAEP and RSA signatures [bsc#1221760] * Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753] * Add openssl-3-FIPS-PCT_rsa_keygen.patch - FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode. [bsc#1220523] * Rebase openssl-Force-FIPS.patch - FIPS: Port openssl to use jitterentropy [bsc#1220523] * Set the module in error state if the jitter RNG fails either on initialization or entropy gathering because health tests failed. * Add jitterentropy as a seeding source output also in crypto/info.c * Move the jitter entropy collector and the associated lock out of the header file to avoid redefinitions. * Add the fips_local.cnf symlink to the spec file. This simlink points to the openssl_fips.config file that is provided by the crypto-policies package. * Rebase openssl-3-jitterentropy-3.4.0.patch * Rebase openssl-FIPS-enforce-EMS-support.patch - FIPS: Block non-Approved Elliptic Curves [bsc#1221786] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110 2024-08-07 23:54:42 +02:00			`Index: openssl-3.1.4/providers/fips/fipsprov.c`
			`===================================================================`
			`--- openssl-3.1.4.orig/providers/fips/fipsprov.c`
			`+++ openssl-3.1.4/providers/fips/fipsprov.c`
			`@@ -107,7 +107,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L`
			`return NULL;`
			`init_fips_option(&fgbl->fips_security_checks, 1);`
			`init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */`
			`- init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);`
			`+ init_fips_option(&fgbl->fips_restricted_drgb_digests, 1); /* Enabled by default */`
			`return fgbl;`
			`}`

			`@@ -820,8 +820,6 @@ int OSSL_provider_init_int(const OSSL_CO`
			`if (fgbl->field.option != NULL) { \`
			`if (strcmp(fgbl->field.option, "1") == 0) \`
			`fgbl->field.enabled = 1; \`
			`- else if (strcmp(fgbl->field.option, "0") == 0) \`
			`- fgbl->field.enabled = 0; \`
			`else \`
			`goto err; \`
			`}`