forked from rpms/openssl
OpenSSL rsa_verify_recover key length checks in FIPS mode
Resolves: rhbz#2186819
This commit is contained in:
parent
ba8edd5ea8
commit
4999352324
@ -697,6 +697,26 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
|
||||
diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c
|
||||
--- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200
|
||||
@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
int ret;
|
||||
+# ifdef FIPS_MODULE
|
||||
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
||||
+
|
||||
+ if (rsabits < 2048) {
|
||||
+ if (rsabits != 1024
|
||||
+ && rsabits != 1280
|
||||
+ && rsabits != 1536
|
||||
+ && rsabits != 1792) {
|
||||
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+# endif
|
||||
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
@@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
|
@ -523,6 +523,8 @@ install -m644 %{SOURCE9} \
|
||||
Resolves: rhbz#2187429
|
||||
- Certificate policy check not enabled
|
||||
Resolves: rhbz#2187431
|
||||
- OpenSSL rsa_verify_recover key length checks in FIPS mode
|
||||
Resolves: rhbz#2186819
|
||||
|
||||
* Fri Mar 24 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-12
|
||||
- Change explicit FIPS indicator for RSA decryption to unapproved
|
||||
|
Loading…
Reference in New Issue
Block a user