Add missing ECDH Public Key Check in FIPS mode

Resolves: RHEL-15990
2023-11-08 11:55:53 +01:00 · 2023-11-08 11:55:53 +01:00 · 72772f737e
commit 72772f737e
parent 9a075c13c3
2 changed files with 17 additions and 1 deletions
--- a/0044-FIPS-140-3-keychecks.patch
+++ b/0044-FIPS-140-3-keychecks.patch
@ -57,7 +57,21 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
     dh->dirty_cnt++;
     ok = 1;
  err:
-diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c
+diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c
 --- openssl-3.0.7/crypto/ec/ec_key.c.f188	2023-11-08 10:58:05.910031253 +0100
 +++ openssl-3.0.7/crypto/ec/ec_key.c	2023-11-08 10:59:42.338526883 +0100
@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey
     eckey->dirty_cnt++;
 #ifdef FIPS_MODULE
 +    if (ossl_ec_key_public_check(eckey, ctx) <= 0) {
 +        ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY);
 +        goto err;
 +    }
 +
     pairwise_test = 1;
 #endif /* FIPS_MODULE */
 diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c
 --- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3	2022-07-25 13:42:46.814952053 +0200
 +++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c	2022-07-25 13:52:12.292065706 +0200
--- a/openssl.spec
+++ b/openssl.spec
@ -553,6 +553,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
  Resolves: RHEL-14083
 - Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
  Resolves: RHEL-14083
 - Add missing ECDH Public Key Check in FIPS mode
  Resolves: RHEL-15990
 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
 - Make FIPS module configuration more crypto-policies friendly