Add OpenSSL FIPS provider (#15153)

This adds a new package named openssl-fips-provider which will install the OpenSSL 3.1.2 FIPS provider and associated config file. This package has a mutual conflict with the SymCrypt-OpenSSL package. This change also updates the OpenSSL provider loading patch to allow loading one or the other of the FIPS-certified providers.

Co-authored-by: Tobias Brick <tobiasb@microsoft.com>

Author: corvus-callidus

LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md

@@ -1076,6 +1076,7 @@
                 "opensm",
                 "opensp",
                 "openssl",
+                "openssl-fips-provider",
                 "openssl-ibmpkcs11",
                 "openssl-pkcs11",
                 "openwsman",

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -0,0 +1,84 @@
+From c8978b7be6dbe388596fb899ab41a29e414ea5dc Mon Sep 17 00:00:00 2001
+From: Daniel Mihai <Daniel.Mihai@microsoft.com>
+Date: Wed, 28 Jul 2021 14:55:12 -0700
+Subject: [PATCH] Replacing deprecated functions with NULL or highest
+ supported.
+
+This is a workaround until OpenSSL issue #7048 is officially resolved.
+Issue link: https://github.com/openssl/openssl/issues/7048.
+
+The main purpose of the change is to prevent breaking applications
+as they dynamically link to 'libssl.so' where APIs for some
+deprecated protocols are no longer present. With this change
+OpenSSL's build time configuration may skip the 'no-<prot>-method'
+switch, while still not supporting the deprecated protocols disabled
+through the 'no-<prot>' switch.
+
+For deprecated DTLS protocol versions behind the scenes we're calling
+into 'DTLS_(client_|server_)?method()' set of methods, which
+automatically negotiate the highest supported protocol.
+
+For SSLv3 methods we're returning a NULL pointer as there are no
+more supported methods for the SSL protocol.
+---
+ ssl/methods.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/ssl/methods.c b/ssl/methods.c
+index c846143277..a7ae074bfd 100644
+--- a/ssl/methods.c
++++ b/ssl/methods.c
+@@ -215,17 +215,29 @@ const SSL_METHOD *TLSv1_client_method(void)
+ # ifndef OPENSSL_NO_SSL3_METHOD
+ const SSL_METHOD *SSLv3_method(void)
+ {
++#  ifdef OPENSSL_NO_SSL3
++    return NULL;
++#  else
+     return sslv3_method();
++#  endif
+ }
+ 
+ const SSL_METHOD *SSLv3_server_method(void)
+ {
++#  ifdef OPENSSL_NO_SSL3
++    return NULL;
++#  else
+     return sslv3_server_method();
++#  endif
+ }
+ 
+ const SSL_METHOD *SSLv3_client_method(void)
+ {
++#  ifdef OPENSSL_NO_SSL3
++    return NULL;
++#  else
+     return sslv3_client_method();
++#  endif
+ }
+ # endif
+ 
+@@ -249,17 +261,17 @@ const SSL_METHOD *DTLSv1_2_client_method(void)
+ # ifndef OPENSSL_NO_DTLS1_METHOD
+ const SSL_METHOD *DTLSv1_method(void)
+ {
+-    return dtlsv1_method();
++    return DTLS_method();
+ }
+ 
+ const SSL_METHOD *DTLSv1_server_method(void)
+ {
+-    return dtlsv1_server_method();
++    return DTLS_server_method();
+ }
+ 
+ const SSL_METHOD *DTLSv1_client_method(void)
+ {
+-    return dtlsv1_client_method();
++    return DTLS_client_method();
+ }
+ # endif
+ 
+-- 
+2.25.1
+

SPECS-EXTENDED/openssl-fips-provider/0001-Replacing-deprecated-functions-with-NULL-or-highest.patch

@@ -0,0 +1,68 @@
+From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 24 Sep 2020 09:03:40 +0200
+Subject: Use more general default values in openssl.cnf
+
+Also set sha256 as default hash, although that should not be
+necessary anymore.
+
+(was openssl-1.1.1-defaults.patch)
+---
+ apps/openssl.cnf | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 97567a67be..eb25a0ac48 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -104,7 +104,7 @@ cert_opt 	= ca_default		# Certificate field options
+ 
+ default_days	= 365			# how long to certify for
+ default_crl_days= 30			# how long before next CRL
+-default_md	= default		# use public key default MD
++default_md	= sha256		# use SHA-256 by default
+ preserve	= no			# keep passed DN ordering
+ 
+ # A few difference way of specifying how similar the request should look
+@@ -136,6 +136,7 @@ emailAddress		= optional
+ ####################################################################
+ [ req ]
+ default_bits		= 2048
++default_md		= sha256
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+@@ -158,17 +159,18 @@ string_mask = utf8only
+ 
+ [ req_distinguished_name ]
+ countryName			= Country Name (2 letter code)
+-countryName_default		= AU
++countryName_default		= XX
+ countryName_min			= 2
+ countryName_max			= 2
+ 
+ stateOrProvinceName		= State or Province Name (full name)
+-stateOrProvinceName_default	= Some-State
++#stateOrProvinceName_default	= Default Province
+ 
+ localityName			= Locality Name (eg, city)
++localityName_default		= Default City
+ 
+ 0.organizationName		= Organization Name (eg, company)
+-0.organizationName_default	= Internet Widgits Pty Ltd
++0.organizationName_default	= Default Company Ltd
+ 
+ # we can do this but it is not needed normally :-)
+ #1.organizationName		= Second Organization Name (eg, company)
+@@ -177,7 +179,7 @@ localityName			= Locality Name (eg, city)
+ organizationalUnitName		= Organizational Unit Name (eg, section)
+ #organizationalUnitName_default	=
+ 
+-commonName			= Common Name (e.g. server FQDN or YOUR name)
++commonName			= Common Name (eg, your name or your server\'s hostname)
+ commonName_max			= 64
+ 
+ emailAddress			= Email Address
+-- 
+2.26.2
+

SPECS-EXTENDED/openssl-fips-provider/0002-Use-more-general-default-values-in-openssl.cnf.patch

@@ -0,0 +1,25 @@
+From 3a175899a03d7d74ab5b6af0a0c056924afea04c Mon Sep 17 00:00:00 2001
+From: Tobias Brick <tobiasb@microsoft.com>
+Date: Wed, 17 Apr 2024 20:41:39 +0000
+Subject: [PATCH] Do not install html docs
+
+---
+ Configurations/unix-Makefile.tmpl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 17e194f..77e8b53 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
+ 
+ uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
+ 
+-install_docs: install_man_docs install_html_docs
++install_docs: install_man_docs ## Install manpages but not HTML documentation
+ 
+ uninstall_docs: uninstall_man_docs uninstall_html_docs
+ 	$(RM) -r $(DESTDIR)$(DOCDIR)
+-- 
+2.45.4
+

SPECS-EXTENDED/openssl-fips-provider/0003-Do-not-install-html-docs-3.1.2-AZL.patch

@@ -0,0 +1,77 @@
+From 7a65ee33793fa8a28c0dfc94e6872ce92f408b15 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:27 +0200
+Subject: [PATCH 04/35] 
+ 0004-Override-default-paths-for-the-CA-directory-tree.patch
+
+Patch-name: 0004-Override-default-paths-for-the-CA-directory-tree.patch
+Patch-id: 4
+Patch-status: |
+    # Override default paths for the CA directory tree
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ apps/CA.pl.in    |  2 +-
+ apps/openssl.cnf | 13 +++++++++++--
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/apps/CA.pl.in b/apps/CA.pl.in
+index f029470005..729f104a7e 100644
+--- a/apps/CA.pl.in
++++ b/apps/CA.pl.in
+@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
+ my $PKCS12 = "$openssl pkcs12";
+ 
+ # Default values for various configuration settings.
+-my $CATOP = "./demoCA";
++my $CATOP = "/etc/pki/CA";
+ my $CAKEY = "cakey.pem";
+ my $CAREQ = "careq.pem";
+ my $CACERT = "cacert.pem";
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 8141ab20cd..3956235fda 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
+ 
+ [openssl_init]
+ providers = provider_sect
++# Load default TLS policy configuration
++ssl_conf = ssl_module
+ 
+ # List of providers to load
+ [provider_sect]
+@@ -71,6 +73,13 @@ default = default_sect
+ [default_sect]
+ # activate = 1
+ 
++[ ssl_module ]
++
++system_default = crypto_policy
++
++[ crypto_policy ]
++
++.include = /etc/crypto-policies/back-ends/opensslcnf.config
+ 
+ ####################################################################
+ [ ca ]
+@@ -79,7 +88,7 @@ default_ca	= CA_default		# The default ca section
+ ####################################################################
+ [ CA_default ]
+ 
+-dir		= ./demoCA		# Where everything is kept
++dir		= /etc/pki/CA		# Where everything is kept
+ certs		= $dir/certs		# Where the issued certs are kept
+ crl_dir		= $dir/crl		# Where the issued crl are kept
+ database	= $dir/index.txt	# database index file.
+@@ -311,7 +320,7 @@ default_tsa = tsa_config1	# the default TSA section
+ [ tsa_config1 ]
+ 
+ # These are used by the TSA reply generation only.
+-dir		= ./demoCA		# TSA root directory
++dir		= /etc/pki/CA		# TSA root directory
+ serial		= $dir/tsaserial	# The current serial number (mandatory)
+ crypto_device	= builtin		# OpenSSL engine to use for signing
+ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+-- 
+2.41.0
+

SPECS-EXTENDED/openssl-fips-provider/0004-Override-default-paths-for-the-CA-directory-tree.patch

@@ -0,0 +1,28 @@
+From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 24 Sep 2020 09:27:18 +0200
+Subject: apps/ca: fix md option help text
+
+upstreamable
+
+(was openssl-1.1.1-apps-dgst.patch)
+---
+ apps/ca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apps/ca.c b/apps/ca.c
+index 0f21b4fa1c..3d4b2c1673 100755
+--- a/apps/ca.c
++++ b/apps/ca.c
+@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
+     {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
+ 
+     OPT_SECTION("Signing"),
+-    {"md", OPT_MD, 's', "Digest to use, such as sha256"},
++    {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
+     {"keyfile", OPT_KEYFILE, 's', "The CA private key"},
+     {"keyform", OPT_KEYFORM, 'f',
+      "Private key file format (ENGINE, other values ignored)"},
+-- 
+2.26.2
+

SPECS-EXTENDED/openssl-fips-provider/0005-apps-ca-fix-md-option-help-text.patch

@@ -0,0 +1,29 @@
+From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 24 Sep 2020 09:51:34 +0200
+Subject: Disable signature verification with totally unsafe hash algorithms
+
+(was openssl-1.1.1-no-weak-verify.patch)
+---
+ crypto/asn1/a_verify.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
+index b7eed914b0..af62f0ef08 100644
+--- a/crypto/asn1/a_verify.c
++++ b/crypto/asn1/a_verify.c
+@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
+             ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
+         if (ret <= 1)
+             goto err;
++    } else if ((mdnid == NID_md5
++               && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
++               mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
++        ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++        goto err;
+     } else {
+         const EVP_MD *type = NULL;
+ 
+-- 
+2.26.2
+