openssl3/contribs10/0050-FIPS-enable-pkcs12-mac.patch

diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c
--- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips    2022-02-21 12:35:24.829893907 +0100
+++ openssl-3.0.1/crypto/pkcs12/p12_key.c       2022-02-21 13:01:22.711622967 +0100
@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
     EVP_KDF *kdf;
     EVP_KDF_CTX *ctx;
     OSSL_PARAM params[6], *p = params;
+    char *adjusted_propq = NULL;
 
     if (n <= 0)
         return 0;
 
-    kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
-    if (kdf == NULL)
+    if (ossl_get_kernel_fips_flag()) {
+        const char *nofips = "-fips";
+        size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
+                                                 strlen(nofips) + 1;
+        char *ptr = NULL;
+
+        adjusted_propq = OPENSSL_zalloc(len);
+        if (adjusted_propq != NULL) {
+            ptr = adjusted_propq;
+            if (propq) {
+                memcpy(ptr, propq, strlen(propq));
+                ptr += strlen(propq);
+                *ptr = ',';
+                ptr++;
+            }
+            memcpy(ptr, nofips, strlen(nofips));
+        }
+    }
+
+    kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
+    if (kdf == NULL) {
+        OPENSSL_free(adjusted_propq);
         return 0;
+    }
     ctx = EVP_KDF_CTX_new(kdf);
     EVP_KDF_free(kdf);
-    if (ctx == NULL)
+    if (ctx == NULL) {
+        OPENSSL_free(adjusted_propq);
         return 0;
+    }
 
     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
                                             (char *)EVP_MD_get0_name(md_type),
@@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
         } OSSL_TRACE_END(PKCS12_KEYGEN);
     }
     EVP_KDF_CTX_free(ctx);
+    OPENSSL_free(adjusted_propq);
     return res;
 }
 
diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c
--- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100
+++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100
@@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv)
     }
     if (macver) {
         EVP_KDF *pkcs12kdf;
+        char *adjusted_propq = NULL;
+        const char *nofips = "-fips";
+        size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
+                                                            strlen(nofips) + 1;
+        char *ptr = NULL;
+
+        adjusted_propq = OPENSSL_zalloc(len);
+        if (adjusted_propq != NULL) {
+                ptr = adjusted_propq;
+                if (app_get0_propq()) {
+                    memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
+                    ptr += strlen(app_get0_propq());
+                    *ptr = ',';
+                    ptr++;
+                }
+                memcpy(ptr, nofips, strlen(nofips));
+        }
 
         pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
-                                  app_get0_propq());
+                                  adjusted_propq ? adjusted_propq : app_get0_propq());
         if (pkcs12kdf == NULL) {
             BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
             BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
+            OPENSSL_free(adjusted_propq);
             goto end;
         }
         EVP_KDF_free(pkcs12kdf);
+        OPENSSL_free(adjusted_propq);
         /* If we enter empty password try no password first */
         if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
             /* If mac and crypto pass the same set it to NULL too */
1	jpp	1.1	diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c
2			--- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips 2022-02-21 12:35:24.829893907 +0100
3			+++ openssl-3.0.1/crypto/pkcs12/p12_key.c 2022-02-21 13:01:22.711622967 +0100
4			@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
5			EVP_KDF *kdf;
6			EVP_KDF_CTX *ctx;
7			OSSL_PARAM params[6], *p = params;
8			+ char *adjusted_propq = NULL;
9
10			if (n <= 0)
11			return 0;
12
13			- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
14			- if (kdf == NULL)
15			+ if (ossl_get_kernel_fips_flag()) {
16			+ const char *nofips = "-fips";
17			+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
18			+ strlen(nofips) + 1;
19			+ char *ptr = NULL;
20			+
21			+ adjusted_propq = OPENSSL_zalloc(len);
22			+ if (adjusted_propq != NULL) {
23			+ ptr = adjusted_propq;
24			+ if (propq) {
25			+ memcpy(ptr, propq, strlen(propq));
26			+ ptr += strlen(propq);
27			+ *ptr = ',';
28			+ ptr++;
29			+ }
30			+ memcpy(ptr, nofips, strlen(nofips));
31			+ }
32			+ }
33			+
34			+ kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
35			+ if (kdf == NULL) {
36			+ OPENSSL_free(adjusted_propq);
37			return 0;
38			+ }
39			ctx = EVP_KDF_CTX_new(kdf);
40			EVP_KDF_free(kdf);
41			- if (ctx == NULL)
42			+ if (ctx == NULL) {
43			+ OPENSSL_free(adjusted_propq);
44			return 0;
45			+ }
46
47			*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
48			(char *)EVP_MD_get0_name(md_type),
49			@@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
50			} OSSL_TRACE_END(PKCS12_KEYGEN);
51			}
52			EVP_KDF_CTX_free(ctx);
53			+ OPENSSL_free(adjusted_propq);
54			return res;
55			}
56
57			diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c
58			--- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100
59			+++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100
60			@@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv)
61			}
62			if (macver) {
63			EVP_KDF *pkcs12kdf;
64			+ char *adjusted_propq = NULL;
65			+ const char *nofips = "-fips";
66			+ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
67			+ strlen(nofips) + 1;
68			+ char *ptr = NULL;
69			+
70			+ adjusted_propq = OPENSSL_zalloc(len);
71			+ if (adjusted_propq != NULL) {
72			+ ptr = adjusted_propq;
73			+ if (app_get0_propq()) {
74			+ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
75			+ ptr += strlen(app_get0_propq());
76			+ *ptr = ',';
77			+ ptr++;
78			+ }
79			+ memcpy(ptr, nofips, strlen(nofips));
80			+ }
81
82			pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
83			- app_get0_propq());
84			+ adjusted_propq ? adjusted_propq : app_get0_propq());
85			if (pkcs12kdf == NULL) {
86			BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
87			BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
88			+ OPENSSL_free(adjusted_propq);
89			goto end;
90			}
91			EVP_KDF_free(pkcs12kdf);
92			+ OPENSSL_free(adjusted_propq);
93			/* If we enter empty password try no password first */
94			if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
95			/* If mac and crypto pass the same set it to NULL too */