File openssl-1_1-FIPS-default-RFC7919.patch of Package openssl-1_1.29121

Index: openssl-1.1.1l/apps/dhparam.c
===================================================================
--- openssl-1.1.1l.orig/apps/dhparam.c
+++ openssl-1.1.1l/apps/dhparam.c
@@ -194,15 +194,42 @@ int dhparam_main(int argc, char **argv)
         } else
 #endif
         {
-            dh = DH_new();
-            BIO_printf(bio_err,
-                       "Generating DH parameters, %d bit long safe prime, generator %d\n",
-                       num, g);
-            BIO_printf(bio_err, "This is going to take a long time\n");
-            if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
-                BN_GENCB_free(cb);
-                ERR_print_errors(bio_err);
-                goto end;
+#ifdef OPENSSL_FIPS
+            if (FIPS_mode()) {
+                /* In FIPS mode, instead of generating DH parameters, we use parameters
+                 * from an approved group, in this case, RFC-7919. */
+                int param_nid;
+                switch (num) {
+                case 8192:
+                  param_nid = NID_ffdhe8192;
+                  break;
+                case 6144:
+                  param_nid = NID_ffdhe6144;
+                  break;
+                case 4096:
+                  param_nid = NID_ffdhe4096;
+                  break;
+                case 3072:
+                  param_nid = NID_ffdhe3072;
+                  break;
+                default:
+                  param_nid = NID_ffdhe2048;
+                  break;
+                }
+                dh = DH_new_by_nid(param_nid);
+            } else
+#endif /* OPENSSL_FIPS */
+            {
+                dh = DH_new();
+                BIO_printf(bio_err,
+                           "Generating DH parameters, %d bit long safe prime, generator %d\n",
+                           num, g);
+                BIO_printf(bio_err, "This is going to take a long time\n");
+                if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
+                    BN_GENCB_free(cb);
+                    ERR_print_errors(bio_err);
+                    goto end;
+                }
             }
         }
 
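Review bot: The return of `DH_new_by_nid(param_nid)` at L42 is never checked, whereas the non-FIPS branch right below it treats a NULL `dh` as fatal; a NULL from an unsupported NID or an allocation failure flows out of the hunk into whatever dhparam_main does with `dh` next (the function continues outside the hunk, so I cannot see whether anything catches it there). The `default:` arm at L38–L40 also maps every size that is not one of the five exact values, including larger requests such as 5000 or 12288, down to `NID_ffdhe2048`, so the user silently gets weaker parameters than asked for, and `g` is ignored without any message; the same table in the crypto/dh/dh_pmeth.c hunk has the same rounding-down behaviour. I would choose the smallest RFC 7919 group that is at least `num` bits, print a one-line notice on `bio_err` that a fixed group is used in FIPS mode, and reuse the existing error path; the `case` bodies at L27–L40 are also indented two spaces where the file uses four.
```c
            if (FIPS_mode()) {
                /* FIPS mode: no parameter generation; pick the smallest
                 * RFC 7919 group that is at least as large as requested. */
                int param_nid;
                if (num <= 2048)
                    param_nid = NID_ffdhe2048;
                else if (num <= 3072)
                    param_nid = NID_ffdhe3072;
                else if (num <= 4096)
                    param_nid = NID_ffdhe4096;
                else if (num <= 6144)
                    param_nid = NID_ffdhe6144;
                else
                    param_nid = NID_ffdhe8192;
                BIO_printf(bio_err,
                           "FIPS mode: using an RFC 7919 group instead of generating %d bit parameters\n",
                           num);
                dh = DH_new_by_nid(param_nid);
                if (dh == NULL) {
                    BN_GENCB_free(cb);
                    ERR_print_errors(bio_err);
                    goto end;
                }
            } else
            /* … unchanged: non-FIPS generation branch … */
```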
Index: openssl-1.1.1l/crypto/dh/dh_pmeth.c
===================================================================
--- openssl-1.1.1l.orig/crypto/dh/dh_pmeth.c
+++ openssl-1.1.1l/crypto/dh/dh_pmeth.c
@@ -330,6 +330,30 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX
     DH_PKEY_CTX *dctx = ctx->data;
     BN_GENCB *pcb;
     int ret;
+
+#ifdef OPENSSL_FIPS
+    /* In FIPS mode we default to an appropriate group. */
+    if (FIPS_mode() && (!(dctx->rfc5114_param)) && (dctx->param_nid == 0)) {
+        switch (dctx->prime_len) {
+        case 8192:
+            dctx->param_nid = NID_ffdhe8192;
+            break;
+        case 6144:
+            dctx->param_nid = NID_ffdhe6144;
+            break;
+        case 4096:
+            dctx->param_nid = NID_ffdhe4096;
+            break;
+        case 3072:
+            dctx->param_nid = NID_ffdhe3072;
+            break;
+        default:
+            dctx->param_nid = NID_ffdhe2048;
+            break;
+        }
+    }
+#endif /* OPENSSL_FIPS */
+
     if (dctx->rfc5114_param) {
         switch (dctx->rfc5114_param) {
         case 1:
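Review bot: The prime-length-to-group table at L71–L87 is a second copy of the one added in apps/dhparam.c, and it has the same rounding-down problem raised there: any `prime_len` other than the five exact values, including larger ones, lands on `NID_ffdhe2048`. A single helper that returns the NID for a requested length (a `static` function next to pkey_dh_paramgen, or a shared one if apps/ is meant to use it too) would keep the two tables from drifting apart. The guard at L70 compares `param_nid` against `0`; if the rest of the file spells this `NID_undef`, as the `dctx->param_nid` test that presumably follows the hunk does, `dctx->param_nid == NID_undef` would read consistently, and the double parentheses around `!(dctx->rfc5114_param)` are unnecessary. The comment at L69 could also state that the generator and subprime settings on the context are not consulted when a named group is substituted, which a caller of the paramgen API would not otherwise expect.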