File openssl-1_1-ossl-sli-013-Mark-SHA1-unapproved.patch of Package openssl-1_1.37526
From e2d31d05225422d1087c1d6336b885b52f45297a Mon Sep 17 00:00:00 2001
From: Christopher Dickerman <chrisd@atsec.com>
Date: Wed, 31 Jul 2024 12:02:38 -0500
Subject: [PATCH] 1224266 Consider deprecating sha1
---
crypto/evp/m_sha1.c | 3 ++-
crypto/fips/fips_sli.c | 15 ++++++++++++---
include/internal/fips_sli_local.h | 1 +
3 files changed, 15 insertions(+), 4 deletions(-)
Index: openssl-1.1.1w/crypto/evp/m_sha1.c
===================================================================
--- openssl-1.1.1w.orig/crypto/evp/m_sha1.c
+++ openssl-1.1.1w/crypto/evp/m_sha1.c
@@ -9,7 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
-
+#include "internal/fips_sli_local.h"
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/sha.h>
@@ -19,6 +19,7 @@
static int init(EVP_MD_CTX *ctx)
{
+ fips_sli_check_hash_universal_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); // guarantees SHA1 is non-approved, but might not be in accordance with style
return SHA1_Init(EVP_MD_CTX_md_data(ctx));
}
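Review bot: The trailing `//` comment on the call added to `init` questions its own style and claims a guarantee that this one line cannot give. The other files in this patch use `/* */` comments, so a comment above the call would fit better, for example `/* SLI: SHA-1 is non-approved for every use; flag the context at digest init */`. The call only marks contexts that reach this `init` through the EVP layer. Code that calls the low-level `SHA1_Init` directly, and the combined MD5+SHA-1 digest if it has its own init in another file, presumably never pass through here, so the comment should state that limit instead of "guarantees".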
Index: openssl-1.1.1w/crypto/fips/fips_sli.c
===================================================================
--- openssl-1.1.1w.orig/crypto/fips/fips_sli.c
+++ openssl-1.1.1w/crypto/fips/fips_sli.c
@@ -137,7 +137,8 @@ typedef enum hash_usage_e {
HASH_KDF_PBKDF2,
HASH_KDF_TLS,
HASH_RNG,
- HASH_MAC
+ HASH_MAC,
+ HASH_UNIVERSAL
} HASH_USAGE;
static FIPS_STATUS get_fips_hash_status(const EVP_MD *md, HASH_USAGE u) {
@@ -151,15 +152,14 @@ static FIPS_STATUS get_fips_hash_status(
case NID_sha256: /* TLSv1.2 */
case NID_sha384:
case NID_sha512:
- case NID_md5_sha1: /* used in TLS v1.0 / v1.1 */
return FIPS_APPROVED;
+ case NID_md5_sha1:
default:
return FIPS_NONAPPROVED;
}
case HASH_KDF_PBKDF2:
case HASH_MAC:
switch (EVP_MD_type(md)) {
- case NID_sha1:
case NID_sha224:
case NID_sha256:
case NID_sha384:
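Review bot: The `case NID_md5_sha1:` label moved in front of `default:` loses its `/* used in TLS v1.0 / v1.1 */` comment and gets no explanation of why it is now non-approved. A label that falls straight into `default:` has no effect and exists only as documentation, so it should carry a comment, e.g. `case NID_md5_sha1: /* TLS v1.0 / v1.1; non-approved because it includes SHA-1 */`. The same applies to the `case NID_sha1:` added before `default:` in the next hunk (-173,12). That hunk is also inconsistent, because the `HASH_KDF_SSHKDF` switch deletes `NID_sha1` without adding an explicit label. `get_fips_hash_status` starts above this hunk, so usages not shown here (signature generation and verification, other KDFs, RNG) may still list `NID_sha1` as approved and should be checked against the commit's intent.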
@@ -173,12 +173,12 @@ static FIPS_STATUS get_fips_hash_status(
case NID_shake128:
case NID_shake256:
return FIPS_APPROVED;
+ case NID_sha1:
default:
return FIPS_NONAPPROVED;
}
case HASH_KDF_SSHKDF:
switch (EVP_MD_type(md)) {
- case NID_sha1:
case NID_sha224:
case NID_sha256:
case NID_sha384:
@@ -207,6 +207,13 @@ static FIPS_STATUS get_fips_hash_status(
default:
return FIPS_NONAPPROVED;
}
+ case HASH_UNIVERSAL:
+ switch (EVP_MD_type(md)) {
+ case NID_sha1:
+ return FIPS_NONAPPROVED;
+ default:
+ return FIPS_UNSET;
+ }
}
return FIPS_ERROR;
}
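Review bot: `HASH_UNIVERSAL` is the only usage in the visible code that returns `FIPS_UNSET`, and nothing in the hunk says why or how `fips_sli_fsm_*` handles that value. The intent appears to be that the digest's own init may only veto (SHA-1) and never approve, since approval depends on the usage. That belongs in a comment above the case, e.g. `/* usage-independent check run from digest init: may only mark non-approved, never approved */`. It is worth confirming that the state machine treats `FIPS_UNSET` as "no change", so that an earlier non-approved or error state on a reused context is not reset. The function begins outside this hunk.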
@@ -217,6 +224,7 @@ void fips_sli_check_hash_##fn##_##CTXTYP
fips_sli_fsm_##CTXTYPE(ctx, get_fips_hash_status(md, usage)); \
}
+make_fips_sli_check_hash(EVP_MD_CTX, universal, HASH_UNIVERSAL)
make_fips_sli_check_hash(EVP_MD_CTX, siggen, HASH_SIGGEN)
make_fips_sli_check_hash(EVP_MD_CTX, sigver, HASH_SIGVER)
make_fips_sli_check_hash(EVP_PKEY_CTX, siggen, HASH_SIGGEN)
Index: openssl-1.1.1w/include/internal/fips_sli_local.h
===================================================================
--- openssl-1.1.1w.orig/include/internal/fips_sli_local.h
+++ openssl-1.1.1w/include/internal/fips_sli_local.h
@@ -60,6 +60,7 @@ void fips_sli_error_##CTXTYPE(CTXTYPE *c
fips_sli_fsm_##CTXTYPE(ctx, FIPS_ERROR); \
}
+void fips_sli_check_hash_universal_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md);
void fips_sli_check_hash_siggen_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md);
void fips_sli_check_hash_sigver_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md);
void fips_sli_check_hash_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md);
Index: openssl-1.1.1w/test/fips_slitest.c
===================================================================
--- openssl-1.1.1w.orig/test/fips_slitest.c
+++ openssl-1.1.1w/test/fips_slitest.c
@@ -492,7 +492,7 @@ typedef struct {
} SLI_PBKDF2_TEST;
static const SLI_PBKDF2_TEST pbkdf2_tests[] = {
{
- 1, 4096, NID_sha1, {
+ 0, 4096, NID_sha1, {
0x3D, 0x2E, 0xEC, 0x4F, 0xE4, 0x1C, 0x84, 0x9B, 0x80, 0xC8, 0xD8, 0x36, 0x62, 0xC0, 0xE4, 0x4A,
0x8B, 0x29, 0x1A, 0x96, 0x4C, 0xF2, 0xF0, 0x70, 0x38, 0xB6, 0xB8, 0x9A, 0x48, 0x61, 0x2C, 0x5A
}
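Review bot: The only test change visible is the flipped expectation for PBKDF2 with `NID_sha1`, while the patch also changes the indicator for plain SHA-1 digests via `init`, for HMAC (`HASH_MAC`), for SSHKDF and for `NID_md5_sha1`. Unless hunks outside this view cover them, each of those deserves a case in `fips_slitest.c` asserting a non-approved indicator. One more case should assert that a SHA-256 digest context is unaffected by the new universal check. The bare `1`/`0` in the first field is hard to read, and a short comment such as `/* expected approved? */` beside it would help. The array initializer continues past the end of the hunk.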