FIPS 186-5 [1] allows the use of deterministic ECDSA (Section 6.3), which
is compatible with RFC 6979 [2], but OpenSSL seems to follow FIPS 186-4
(Section 6.3) [3], which only allows random k values, so k value
generation fails for OpenSSL >=3.2. [4]
Fix signing by not using deterministic ECDSA when FIPS mode is active.
[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
[2]: https://datatracker.ietf.org/doc/html/rfc6979
[3]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[4]: https://github.com/openssl/openssl/blob/
85f17585b0d8b55b335f561e2862db14a20b1e64/crypto/ec/ecdsa_ossl.c#L201-L207
#include <openssl/param_build.h>
#endif
+#include <isc/fips.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/safe.h>
}
#if OPENSSL_VERSION_NUMBER >= 0x30200000L
- ret = opensslecdsa_set_deterministic(pctx, dctx->key->key_alg);
- if (ret != ISC_R_SUCCESS) {
- goto err;
+ if (!isc_fips_mode()) {
+ ret = opensslecdsa_set_deterministic(
+ pctx, dctx->key->key_alg);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x30200000L */
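Review bot: The new `if (!isc_fips_mode())` guard changes how the ECDSA nonce is generated, but nothing in the code says why, so a later reader could take it for an oversight and remove it. I would add a comment above the check such as `/* The OpenSSL FIPS provider only accepts random k (FIPS 186-4); skip RFC 6979 deterministic nonces in FIPS mode. */`. With the guard in place, FIPS-mode signatures depend entirely on the provider's random number generator for nonce quality, which is worth stating in the release notes. If a later FIPS provider accepts deterministic nonces (FIPS 186-5), this unconditional skip would still disable them, so the condition may need revisiting. The enclosing function starts and ends outside this hunk.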
#include <cmocka.h>
#include <isc/file.h>
+#include <isc/fips.h>
#include <isc/hex.h>
#include <isc/result.h>
#include <isc/stdio.h>
dst_context_destroy(&ctx);
#if OPENSSL_VERSION_NUMBER >= 0x30200000L
- assert_memory_equal(sigbuf1->base, sigbuf2->base, siglen);
+ if (isc_fips_mode()) {
+ assert_memory_not_equal(sigbuf1->base, sigbuf2->base, siglen);
+ } else {
+ assert_memory_equal(sigbuf1->base, sigbuf2->base, siglen);
+ }
#else
assert_memory_not_equal(sigbuf1->base, sigbuf2->base, siglen);
#endif
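Review bot: The expected result now flips on `isc_fips_mode()` without a comment, so the reason the two signatures must differ in FIPS mode is only recoverable from the commit message. I would add a comment above the `if (isc_fips_mode())` line such as `/* In FIPS mode signing uses random k, so two signatures over the same data must differ. */`. The enclosing test function starts outside this hunk, so I cannot tell whether both signatures are also verified. If they are not, the not-equal assertion alone would not catch a malformed signature.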