SUSE:SLE-15-SP5:GA
openssl-1_1
openssl-1_1-FIPS-default-RFC7919.patch
File openssl-1_1-FIPS-default-RFC7919.patch of Package openssl-1_1
Index: openssl-1.1.1l/apps/dhparam.c
===================================================================
--- openssl-1.1.1l.orig/apps/dhparam.c
+++ openssl-1.1.1l/apps/dhparam.c
@@ -194,15 +194,42 @@ int dhparam_main(int argc, char **argv)
 } else
 #endif
 {
- dh = DH_new();
- BIO_printf(bio_err,
- "Generating DH parameters, %d bit long safe prime, generator %d\n",
- num, g);
- BIO_printf(bio_err, "This is going to take a long time\n");
- if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
- BN_GENCB_free(cb);
- ERR_print_errors(bio_err);
- goto end;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ /* In FIPS mode, instead of generating DH parameters, we use parameters
+ * from an approved group, in this case, RFC-7919. */
+ int param_nid;
+ switch (num) {
+ case 8192:
+ param_nid = NID_ffdhe8192;
+ break;
+ case 6144:
+ param_nid = NID_ffdhe6144;
+ break;
+ case 4096:
+ param_nid = NID_ffdhe4096;
+ break;
+ case 3072:
+ param_nid = NID_ffdhe3072;
+ break;
+ default:
+ param_nid = NID_ffdhe2048;
+ break;
+ }
+ dh = DH_new_by_nid(param_nid);
+ } else
+#endif /* OPENSSL_FIPS */
+ {
+ dh = DH_new();
+ BIO_printf(bio_err,
+ "Generating DH parameters, %d bit long safe prime, generator %d\n",
+ num, g);
+ BIO_printf(bio_err, "This is going to take a long time\n");
+ if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
+ BN_GENCB_free(cb);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
 }
 }
 
Index: openssl-1.1.1l/crypto/dh/dh_pmeth.c
===================================================================
--- openssl-1.1.1l.orig/crypto/dh/dh_pmeth.c
+++ openssl-1.1.1l/crypto/dh/dh_pmeth.c
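Review bot: The `default:` arm of the FIPS switch maps every size other than 3072, 4096, 6144 and 8192 to `NID_ffdhe2048` without any message, so a request for a larger non-listed size (7680, say) is silently answered with a 2048-bit group, and the requested generator `g` is not used on this path either. Add an explicit `case 2048:` and have `default:` either fail or at least report the substitution, e.g. `BIO_printf(bio_err, "FIPS mode: %d bits is not an RFC 7919 group size, using ffdhe2048\n", num);`. The FIPS branch also drops the `dh == NULL` check that the non-FIPS branch keeps; `if (dh == NULL) { BN_GENCB_free(cb); ERR_print_errors(bio_err); goto end; }` after `DH_new_by_nid(param_nid)` would match the existing error path. The same silent default is in the switch added to pkey_dh_paramgen in crypto/dh/dh_pmeth.c. dhparam_main starts and ends outside the hunk, so how a NULL `dh` is treated later should be confirmed there.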
@@ -330,6 +330,30 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX
 DH_PKEY_CTX *dctx = ctx->data;
 BN_GENCB *pcb;
 int ret;
+
+#ifdef OPENSSL_FIPS
+ /* In FIPS mode we default to an appropriate group. */
+ if (FIPS_mode() && (!(dctx->rfc5114_param)) && (dctx->param_nid == 0)) {
+ switch (dctx->prime_len) {
+ case 8192:
+ dctx->param_nid = NID_ffdhe8192;
+ break;
+ case 6144:
+ dctx->param_nid = NID_ffdhe6144;
+ break;
+ case 4096:
+ dctx->param_nid = NID_ffdhe4096;
+ break;
+ case 3072:
+ dctx->param_nid = NID_ffdhe3072;
+ break;
+ default:
+ dctx->param_nid = NID_ffdhe2048;
+ break;
+ }
+ }
+#endif /* OPENSSL_FIPS */
+
 if (dctx->rfc5114_param) {
 switch (dctx->rfc5114_param) {
 case 1:
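Review bot: The selected group is stored in `dctx->param_nid`, which makes the FIPS default sticky: once this block has run, the `dctx->param_nid == 0` test is false, so a later change of `prime_len` on the same context would presumably keep yielding the first group. Keeping the choice in a local variable, or clearing the field once the parameters are built, would avoid that; the code that reads `param_nid` lies outside the hunk, so confirm where it is consumed. The existing comment could also state the contract callers now get, e.g. `/* FIPS: prime_len only selects an RFC 7919 group; sizes with no matching group fall back to ffdhe2048. */`.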