/[smecontribs]/rpms/openssl3/contribs10/0050-FIPS-enable-pkcs12-mac.patch

Annotation of /rpms/openssl3/contribs10/0050-FIPS-enable-pkcs12-mac.patch



Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:39 2024 UTC (10 months ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c
2     --- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips 2022-02-21 12:35:24.829893907 +0100
3     +++ openssl-3.0.1/crypto/pkcs12/p12_key.c 2022-02-21 13:01:22.711622967 +0100
4     @@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
5     EVP_KDF *kdf;
6     EVP_KDF_CTX *ctx;
7     OSSL_PARAM params[6], *p = params;
8     + char *adjusted_propq = NULL;
9    
10     if (n <= 0)
11     return 0;
12    
13     - kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
14     - if (kdf == NULL)
15     + if (ossl_get_kernel_fips_flag()) {
16     + const char *nofips = "-fips";
17     + size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
18     + strlen(nofips) + 1;
19     + char *ptr = NULL;
20     +
21     + adjusted_propq = OPENSSL_zalloc(len);
22     + if (adjusted_propq != NULL) {
23     + ptr = adjusted_propq;
24     + if (propq) {
25     + memcpy(ptr, propq, strlen(propq));
26     + ptr += strlen(propq);
27     + *ptr = ',';
28     + ptr++;
29     + }
30     + memcpy(ptr, nofips, strlen(nofips));
31     + }
32     + }
33     +
34     + kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
35     + if (kdf == NULL) {
36     + OPENSSL_free(adjusted_propq);
37     return 0;
38     + }
39     ctx = EVP_KDF_CTX_new(kdf);
40     EVP_KDF_free(kdf);
41     - if (ctx == NULL)
42     + if (ctx == NULL) {
43     + OPENSSL_free(adjusted_propq);
44     return 0;
45     + }
46    
47     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
48     (char *)EVP_MD_get0_name(md_type),
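Review bot: A failed `OPENSSL_zalloc` is silently ignored: `adjusted_propq` stays NULL and the `EVP_KDF_fetch` line then falls back to the unmodified `propq`, so under the kernel FIPS flag the call degrades to exactly the lookup this change is meant to avoid, with no error reported. Treat it like the other failures in this function, `if (adjusted_propq == NULL) return 0;` directly after the zalloc, after which the ternary collapses to one call, `kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq != NULL ? adjusted_propq : propq);`. The hand-rolled memcpy/strlen assembly of `propq,-fips` would also be clearer as a single bounded write, `BIO_snprintf(adjusted_propq, len, "%s%s%s", propq != NULL ? propq : "", propq != NULL ? "," : "", nofips);`, which makes the `len` arithmetic visibly match what is written. Note that an empty-string `propq` yields a query beginning with a comma (`,-fips`); whether the property parser accepts that is not visible here. PKCS12_key_gen_uni_ex begins before this hunk and continues past it.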
49     @@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
50     } OSSL_TRACE_END(PKCS12_KEYGEN);
51     }
52     EVP_KDF_CTX_free(ctx);
53     + OPENSSL_free(adjusted_propq);
54     return res;
55     }
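Review bot: The `OPENSSL_free(adjusted_propq)` added before `return res` covers only this exit; the part of PKCS12_key_gen_uni_ex between the two hunks (old lines 102–126) is not shown, and any early `return` there after the fetch would leak the buffer. A single cleanup label, `err: EVP_KDF_CTX_free(ctx); OPENSSL_free(adjusted_propq); return res;`, that every failure path jumps to would make ownership of `adjusted_propq` obvious and also remove the two duplicated frees in the first hunk. The function starts before this hunk.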
56    
57     diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c
58     --- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100
59     +++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100
60     @@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv)
61     }
62     if (macver) {
63     EVP_KDF *pkcs12kdf;
64     + char *adjusted_propq = NULL;
65     + const char *nofips = "-fips";
66     + size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
67     + strlen(nofips) + 1;
68     + char *ptr = NULL;
69     +
70     + adjusted_propq = OPENSSL_zalloc(len);
71     + if (adjusted_propq != NULL) {
72     + ptr = adjusted_propq;
73     + if (app_get0_propq()) {
74     + memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
75     + ptr += strlen(app_get0_propq());
76     + *ptr = ',';
77     + ptr++;
78     + }
79     + memcpy(ptr, nofips, strlen(nofips));
80     + }
81    
82     pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
83     - app_get0_propq());
84     + adjusted_propq ? adjusted_propq : app_get0_propq());
85     if (pkcs12kdf == NULL) {
86     BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
87     BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
88     + OPENSSL_free(adjusted_propq);
89     goto end;
90     }
91     EVP_KDF_free(pkcs12kdf);
92     + OPENSSL_free(adjusted_propq);
93     /* If we enter empty password try no password first */
94     if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
95     /* If mac and crypto pass the same set it to NULL too */
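Review bot: Unlike the library change in p12_key.c, the `-fips` suffix is appended unconditionally here rather than only when `ossl_get_kernel_fips_flag()` is set, so every MAC-verifying run probes for a PKCS12KDF with the relaxed query regardless of environment; if that asymmetry is intended, a comment above `adjusted_propq` saying why the app always relaxes the query would help the next reader, otherwise the same gate belongs here. Since the fetched KDF is freed immediately and the real derivation presumably happens inside `PKCS12_verify_mac` with its own query, the probe and the actual operation may disagree whenever the two conditions differ. `app_get0_propq()` is called five times in the new block; read it once into `const char *propq = app_get0_propq();` and use that throughout. The memcpy/strlen assembly duplicated from p12_key.c would read as one bounded write, `BIO_snprintf(adjusted_propq, len, "%s%s%s", propq != NULL ? propq : "", propq != NULL ? "," : "", nofips);`, and an allocation failure currently falls through silently to the original query instead of reporting an error. pkcs12_main continues before and after this hunk.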
