Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-1_1 for openSUSE:Factory checked in at 2022-10-01 17:41:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_1.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_1" Sat Oct 1 17:41:27 2022 rev:38 rq:1007224 version:1.1.1q Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes 2022-07-08 14:01:25.686415614 +0200 +++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.2275/openssl-1_1.changes 2022-10-01 17:41:28.785486747 +0200 @@ -1,0 +2,8 @@ +Sat Sep 24 02:40:39 UTC 2022 - Jason Sikes <[email protected]> + +- Added openssl-1_1-paramgen-default_to_rfc7919.patch + * bsc#1180995 + * Default to RFC7919 groups when generating ECDH parameters + using 'genpkey' or 'dhparam' in FIPS mode. + +------------------------------------------------------------------- New: ---- openssl-1_1-paramgen-default_to_rfc7919.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_1.spec ++++++ --- /var/tmp/diff_new_pack.Yab2AJ/_old 2022-10-01 17:41:29.989488943 +0200 +++ /var/tmp/diff_new_pack.Yab2AJ/_new 2022-10-01 17:41:29.993488950 +0200 @@ -121,6 +121,8 @@ Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch #PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes Patch73: openssl-1_1-FIPS-fix-error-reason-codes.patch +#PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode +Patch74: openssl-1_1-paramgen-default_to_rfc7919.patch Requires: libopenssl1_1 = %{version}-%{release} BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) ++++++ openssl-1_1-paramgen-default_to_rfc7919.patch ++++++ diff --git a/apps/dhparam.c b/apps/dhparam.c index 98c7321..ac7feb4 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -194,15 +194,42 @@ int dhparam_main(int argc, char **argv) } else #endif { - dh = DH_new(); - BIO_printf(bio_err, - "Generating DH parameters, %d bit long safe prime, generator %d\n", - num, g); - BIO_printf(bio_err, "This is going to take a long time\n"); - if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) { +#ifdef OPENSSL_FIPS + if (FIPS_mode()) { + /* In FIPS mode, instead of generating DH parameters we use parameters from an approved group, + in this case, RFC-7919. */ + int param_nid; + switch (num) { + case 8192: + param_nid = NID_ffdhe8192; + break; + case 6144: + param_nid = NID_ffdhe6144; + break; + case 4096: + param_nid = NID_ffdhe4096; + break; + case 3072: + param_nid = NID_ffdhe3072; + break; + default: + param_nid = NID_ffdhe2048; + break; + } + dh = DH_new_by_nid(param_nid); + } else +#endif /* OPENSSL_FIPS */ + { + dh = DH_new(); + BIO_printf(bio_err, + "Generating DH parameters, %d bit long safe prime, generator %d\n", + num, g); + BIO_printf(bio_err, "This is going to take a long time\n"); + if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) { BN_GENCB_free(cb); ERR_print_errors(bio_err); goto end; + } } } diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 261c8a1..d281873 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -330,6 +330,30 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) DH_PKEY_CTX *dctx = ctx->data; BN_GENCB *pcb; int ret; + +#ifdef OPENSSL_FIPS + /* In FIPS mode we default to an appropriate group. */ + if (FIPS_mode() && (!(dctx->rfc5114_param)) && (dctx->param_nid == 0)) { + switch (dctx->prime_len) { + case 8192: + dctx->param_nid = NID_ffdhe8192; + break; + case 6144: + dctx->param_nid = NID_ffdhe6144; + break; + case 4096: + dctx->param_nid = NID_ffdhe4096; + break; + case 3072: + dctx->param_nid = NID_ffdhe3072; + break; + default: + dctx->param_nid = NID_ffdhe2048; + break; + } + } +#endif /* OPENSSL_FIPS */ + if (dctx->rfc5114_param) { switch (dctx->rfc5114_param) { case 1:
