forked from pool/openssl-3
Pedro Monreal Gonzalez
6bc57d937f
* SHA-1 is not allowed anymore in FIPS 186-5 for signature
verification operations. After 12/31/2030, NIST will disallow
SHA-1 for all of its usages.
* Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
- FIPS: RSA keygen PCT requirements.
* Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the
self-test requirements are covered by do_rsa_pct() for both
RSA-OAEP and RSA signatures [bsc#1221760]
* Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753]
* Add openssl-3-FIPS-PCT_rsa_keygen.patch
- FIPS: Check that the fips provider is available before setting
it as the default provider in FIPS mode. [bsc#1220523]
* Rebase openssl-Force-FIPS.patch
- FIPS: Port openssl to use jitterentropy [bsc#1220523]
* Set the module in error state if the jitter RNG fails either on
initialization or entropy gathering because health tests failed.
* Add jitterentropy as a seeding source output also in crypto/info.c
* Move the jitter entropy collector and the associated lock out
of the header file to avoid redefinitions.
* Add the fips_local.cnf symlink to the spec file. This simlink
points to the openssl_fips.config file that is provided by the
crypto-policies package.
* Rebase openssl-3-jitterentropy-3.4.0.patch
* Rebase openssl-FIPS-enforce-EMS-support.patch
- FIPS: Block non-Approved Elliptic Curves [bsc#1221786]
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
84 lines
2.3 KiB
Diff
84 lines
2.3 KiB
Diff
From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
|
|
From: rpm-build <rpm-build>
|
|
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
|
Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
|
|
|
|
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
|
|
Patch-id: 8
|
|
Patch-status: |
|
|
# Add FIPS_mode() compatibility macro
|
|
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|
---
|
|
include/openssl/fips.h | 26 ++++++++++++++++++++++++++
|
|
test/property_test.c | 14 ++++++++++++++
|
|
2 files changed, 40 insertions(+)
|
|
create mode 100644 include/openssl/fips.h
|
|
|
|
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
|
|
new file mode 100644
|
|
index 0000000000..4162cbf88e
|
|
--- /dev/null
|
|
+++ b/include/openssl/fips.h
|
|
@@ -0,0 +1,26 @@
|
|
+/*
|
|
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
+ *
|
|
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
+ * this file except in compliance with the License. You can obtain a copy
|
|
+ * in the file LICENSE in the source distribution or at
|
|
+ * https://www.openssl.org/source/license.html
|
|
+ */
|
|
+
|
|
+#ifndef OPENSSL_FIPS_H
|
|
+# define OPENSSL_FIPS_H
|
|
+# pragma once
|
|
+
|
|
+# include <openssl/evp.h>
|
|
+# include <openssl/macros.h>
|
|
+
|
|
+# ifdef __cplusplus
|
|
+extern "C" {
|
|
+# endif
|
|
+
|
|
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
|
+
|
|
+# ifdef __cplusplus
|
|
+}
|
|
+# endif
|
|
+#endif
|
|
diff --git a/test/property_test.c b/test/property_test.c
|
|
index 45b1db3e85..8894c1c1cb 100644
|
|
--- a/test/property_test.c
|
|
+++ b/test/property_test.c
|
|
@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
|
|
return ret;
|
|
}
|
|
|
|
+#include <openssl/fips.h>
|
|
+static int test_downstream_FIPS_mode(void)
|
|
+{
|
|
+ int ret = 0;
|
|
+
|
|
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
|
|
+ && TEST_true(FIPS_mode())
|
|
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
|
|
+ && TEST_false(FIPS_mode());
|
|
+
|
|
+ return ret;
|
|
+}
|
|
+
|
|
int setup_tests(void)
|
|
{
|
|
ADD_TEST(test_property_string);
|
|
@@ -690,6 +703,7 @@ int setup_tests(void)
|
|
ADD_TEST(test_property);
|
|
ADD_TEST(test_query_cache_stochastic);
|
|
ADD_TEST(test_fips_mode);
|
|
+ ADD_TEST(test_downstream_FIPS_mode);
|
|
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
|
return 1;
|
|
}
|
|
--
|
|
2.41.0
|
|
|