Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-1_0_0 for openSUSE:Factory checked in at 2022-10-01 17:41:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_0_0 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "openssl-1_0_0" Sat Oct 1 17:41:29 2022 rev:28 rq:1007225 version:1.0.2u Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-1_0_0/openssl-1_0_0.changes 2022-07-08 14:01:34.838425413 +0200 +++ /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.2275/openssl-1_0_0.changes 2022-10-01 17:41:30.477489833 +0200 @@ -1,0 +2,8 @@ +Sat Sep 24 02:40:39 UTC 2022 - Jason Sikes <jsikes@suse.com> + +- Added openssl-1_0_0-paramgen-default_to_rfc7919.patch + * bsc#1180995 + * Default to RFC7919 groups when generating ECDH parameters + using 'genpkey' or 'dhparam' in FIPS mode. + +------------------------------------------------------------------- New: ---- openssl-1_0_0-paramgen-default_to_rfc7919.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_0_0.spec ++++++ --- /var/tmp/diff_new_pack.YKQOmG/_old 2022-10-01 17:41:31.429491570 +0200 +++ /var/tmp/diff_new_pack.YKQOmG/_new 2022-10-01 17:41:31.433491577 +0200 @@ -104,6 +104,7 @@ # OpenSSL Security Advisory bsc#1199166 CVE-2022-1292 Patch87: openssl-CVE-2022-1292.patch Patch88: openssl-1_0_0-Fix-file-operations-in-c_rehash.patch +Patch89: openssl-1_0_0-paramgen-default_to_rfc7919.patch # steam patches Patch100: openssl-fix-cpuid_setup.patch # compat patches to build with soversion 10 (bsc#1175429) @@ -270,6 +271,7 @@ %patch86 -p1 %patch87 -p1 %patch88 -p1 +%patch89 -p1 # clean up patching leftovers find . -name '*.orig' -delete ++++++ openssl-1_0_0-paramgen-default_to_rfc7919.patch ++++++ diff --git a/apps/dhparam.c b/apps/dhparam.c index bd91234..76e79f6 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -325,14 +325,39 @@ int MAIN(int argc, char **argv) } else # endif { - dh = DH_new(); - BIO_printf(bio_err, - "Generating DH parameters, %d bit long safe prime, generator %d\n", - num, g); - BIO_printf(bio_err, "This is going to take a long time\n"); - if (!dh || !DH_generate_parameters_ex(dh, num, g, &cb)) { +#ifdef OPENSSL_FIPS + if (FIPS_mode()) { + /* In FIPS mode, instead of generating DH parameters we use parameters from an approved group, + in this case, RFC-7919. */ + switch (num) { + case 8192: + dh =DH_rfc7919_get_8192(); + break; + case 6144: + dh =DH_rfc7919_get_6144(); + break; + case 4096: + dh =DH_rfc7919_get_4096(); + break; + case 3072: + dh =DH_rfc7919_get_3072(); + break; + default: + dh =DH_rfc7919_get_2048(); + break; + } + } else +#endif /* OPENSSL_FIPS */ + { + dh = DH_new(); + BIO_printf(bio_err, + "Generating DH parameters, %d bit long safe prime, generator %d\n", + num, g); + BIO_printf(bio_err, "This is going to take a long time\n"); + if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, &cb)) { ERR_print_errors(bio_err); goto end; + } } } diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 2290c3b..06dc04e 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -378,6 +378,30 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) DH_PKEY_CTX *dctx = ctx->data; BN_GENCB *pcb, cb; int ret; + +#ifdef OPENSSL_FIPS + /* In FIPS mode we default to an appropriate group. */ + if (FIPS_mode() && (!(dctx->rfc5114_param)) && (dctx->param_nid == 0)) { + switch (dctx->prime_len) { + case 8192: + dctx->param_nid = NID_ffdhe8192; + break; + case 6144: + dctx->param_nid = NID_ffdhe6144; + break; + case 4096: + dctx->param_nid = NID_ffdhe4096; + break; + case 3072: + dctx->param_nid = NID_ffdhe3072; + break; + default: + dctx->param_nid = NID_ffdhe2048; + break; + } + } +#endif /* OPENSSL_FIPS */ + if (dctx->rfc5114_param) { switch (dctx->rfc5114_param) { case 1: