forked from pool/openssl-3
Pedro Monreal Gonzalez
30c6de24df
* Miscellaneous minor bug fixes.
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
- Rebase patches:
* openssl-FIPS-140-3-keychecks.patch
* openssl-FIPS-NO-DES-support.patch
* openssl-FIPS-enforce-EMS-support.patch
* openssl-disable-fipsinstall.patch
- Move ssl configuration files to the libopenssl package [bsc#1247463]
- Don't install unneeded NOTES
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=153
136 lines
5.0 KiB
Diff
136 lines
5.0 KiB
Diff
From 3a1abccdfc3bb78dd472bbb7ff36313959ef0cdf Mon Sep 17 00:00:00 2001
|
|
From: Simo Sorce <simo@redhat.com>
|
|
Date: Fri, 7 Mar 2025 18:15:13 -0500
|
|
Subject: [PATCH 47/53] FIPS: NO DES support
|
|
|
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
---
|
|
providers/fips/fipsprov.c | 3 ++-
|
|
providers/fips/self_test_data.inc | 5 ++++-
|
|
test/evp_libctx_test.c | 4 +++-
|
|
.../30-test_evp_data/evpciph_des3_common.txt | 13 ++++---------
|
|
test/recipes/80-test_cms.t | 2 +-
|
|
5 files changed, 14 insertions(+), 13 deletions(-)
|
|
|
|
Index: openssl-3.5.2/providers/fips/fipsprov.c
|
|
===================================================================
|
|
--- openssl-3.5.2.orig/providers/fips/fipsprov.c
|
|
+++ openssl-3.5.2/providers/fips/fipsprov.c
|
|
@@ -360,7 +360,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
|
|
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
|
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
|
|
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
|
-#ifndef OPENSSL_NO_DES
|
|
+/* We don't certify 3DES in our FIPS provider */
|
|
+#if 0 /* ifndef OPENSSL_NO_DES */
|
|
ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
|
ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
|
#endif /* OPENSSL_NO_DES */
|
|
Index: openssl-3.5.2/providers/fips/self_test_data.inc
|
|
===================================================================
|
|
--- openssl-3.5.2.orig/providers/fips/self_test_data.inc
|
|
+++ openssl-3.5.2/providers/fips/self_test_data.inc
|
|
@@ -293,6 +293,7 @@ static const ST_KAT_CIPHER st_kat_cipher
|
|
CIPHER_MODE_DECRYPT,
|
|
ITM(aes_128_ecb_key)
|
|
},
|
|
+#if 0
|
|
#ifndef OPENSSL_NO_DES
|
|
{
|
|
{
|
|
@@ -305,6 +306,7 @@ static const ST_KAT_CIPHER st_kat_cipher
|
|
ITM(tdes_key)
|
|
}
|
|
#endif
|
|
+#endif
|
|
};
|
|
|
|
static const char hkdf_digest[] = "SHA256";
|
|
Index: openssl-3.5.2/test/evp_libctx_test.c
|
|
===================================================================
|
|
--- openssl-3.5.2.orig/test/evp_libctx_test.c
|
|
+++ openssl-3.5.2/test/evp_libctx_test.c
|
|
@@ -831,7 +831,9 @@ int setup_tests(void)
|
|
ADD_TEST(kem_invalid_keytype);
|
|
#endif
|
|
#ifndef OPENSSL_NO_DES
|
|
- ADD_TEST(test_cipher_tdes_randkey);
|
|
+ if (strcmp(prov_name, "fips") != 0) {
|
|
+ ADD_TEST(test_cipher_tdes_randkey);
|
|
+ }
|
|
#endif
|
|
return 1;
|
|
}
|
|
Index: openssl-3.5.2/test/recipes/30-test_evp_data/evpciph_des3_common.txt
|
|
===================================================================
|
|
--- openssl-3.5.2.orig/test/recipes/30-test_evp_data/evpciph_des3_common.txt
|
|
+++ openssl-3.5.2/test/recipes/30-test_evp_data/evpciph_des3_common.txt
|
|
@@ -14,7 +14,7 @@
|
|
Title = DES3 Tests
|
|
|
|
# DES EDE3 CBC tests (from destest)
|
|
-FIPSversion = <3.4.0
|
|
+Availablein = default
|
|
Cipher = DES-EDE3-CBC
|
|
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
|
|
IV = fedcba9876543210
|
|
@@ -24,8 +24,7 @@ NextIV = 1c673812cfde9675
|
|
|
|
# DES EDE3 ECB test
|
|
# FIPS(3.0.0): has a bug in the IV length #17591
|
|
-FIPSversion = >3.0.0
|
|
-FIPSversion = <3.4.0
|
|
+Availablein = default
|
|
Cipher = DES-EDE3-ECB
|
|
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
|
|
Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
|
|
@@ -42,7 +41,6 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2ba
|
|
|
|
# Test that DES3 CBC mode encryption fails because it is not FIPS approved
|
|
Availablein = fips
|
|
-FIPSversion = >=3.4.0
|
|
Cipher = DES-EDE3-CBC
|
|
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
|
|
IV = fedcba9876543210
|
|
@@ -52,7 +50,6 @@ Result = CIPHERINIT_ERROR
|
|
|
|
# Test that DES3 EBC mode encryption fails because it is not FIPS approved
|
|
Availablein = fips
|
|
-FIPSversion = >=3.4.0
|
|
Cipher = DES-EDE3-ECB
|
|
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
|
|
Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
|
|
@@ -62,8 +59,7 @@ Result = CIPHERINIT_ERROR
|
|
Title = DES3 FIPS Indicator Tests
|
|
|
|
# Test that DES3 CBC mode encryption is not FIPS approved
|
|
-Availablein = fips
|
|
-FIPSversion = >=3.4.0
|
|
+Availablein = none
|
|
Cipher = DES-EDE3-CBC
|
|
Unapproved = 1
|
|
CtrlInit = encrypt-check:0
|
|
@@ -74,8 +70,7 @@ Plaintext = 37363534333231204E6F77206973
|
|
Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
|
|
|
|
# Test that DES3 ECB mode encryption is not FIPS approved
|
|
-Availablein = fips
|
|
-FIPSversion = >=3.4.0
|
|
+Availablein = none
|
|
Cipher = DES-EDE3-ECB
|
|
Operation = ENCRYPT
|
|
Unapproved = 1
|
|
Index: openssl-3.5.2/test/recipes/80-test_cms.t
|
|
===================================================================
|
|
--- openssl-3.5.2.orig/test/recipes/80-test_cms.t
|
|
+++ openssl-3.5.2/test/recipes/80-test_cms.t
|
|
@@ -398,7 +398,7 @@ my @smime_cms_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "encrypted content test streaming PEM format, triple DES key",
|
|
+ [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS",
|
|
[ "{cmd1}", @defaultprov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
|
|
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
|
|
"-stream", "-out", "{output}.cms" ],
|