jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

Use SHA256 in the RSA pairwise key consistency check

Browse Source
This commit is contained in:
Tomas Mraz 2019-02-06 12:56:35 +01:00
parent f565dfd7ec
commit 757524ec00
1 changed files with 6 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
openssl-1.1.1-fips.patch
View File

@ -10120,7 +10120,7 @@ diff -up openssl-1.1.1/crypto/rsa/rsa_err.c.fips openssl-1.1.1/crypto/rsa/rsa_er
diff -up openssl-1.1.1/crypto/rsa/rsa_gen.c.fips openssl-1.1.1/crypto/rsa/rsa_gen.c diff -up openssl-1.1.1/crypto/rsa/rsa_gen.c.fips openssl-1.1.1/crypto/rsa/rsa_gen.c
--- openssl-1.1.1/crypto/rsa/rsa_gen.c.fips 2018-09-11 14:48:21.000000000 +0200 --- openssl-1.1.1/crypto/rsa/rsa_gen.c.fips 2018-09-11 14:48:21.000000000 +0200
+++ openssl-1.1.1/crypto/rsa/rsa_gen.c 2018-09-13 08:51:22.118520736 +0200 +++ openssl-1.1.1/crypto/rsa/rsa_gen.c 2018-09-13 08:51:22.118520736 +0200
@@ -18,6 +18,78 @@ @@ -18,6 +18,76 @@
#include "internal/cryptlib.h" #include "internal/cryptlib.h"
#include <openssl/bn.h> #include <openssl/bn.h>
#include "rsa_locl.h" #include "rsa_locl.h"
@ -10142,11 +10142,9 @@ diff -up openssl-1.1.1/crypto/rsa/rsa_gen.c.fips openssl-1.1.1/crypto/rsa/rsa_ge
+ +
+ /* Perform pairwise consistency signature test */ + /* Perform pairwise consistency signature test */
+ if (!fips_pkey_signature_test(pk, tbs, -1, + if (!fips_pkey_signature_test(pk, tbs, -1,
+ NULL, 0, EVP_sha1(), + NULL, 0, EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) + EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(), + || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_X931, NULL)
+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
+ EVP_MD_CTX_FLAG_PAD_PSS, NULL)) + EVP_MD_CTX_FLAG_PAD_PSS, NULL))
+ goto err; + goto err;
+ /* Now perform pairwise consistency encrypt/decrypt test */ + /* Now perform pairwise consistency encrypt/decrypt test */
@ -10199,7 +10197,7 @@ diff -up openssl-1.1.1/crypto/rsa/rsa_gen.c.fips openssl-1.1.1/crypto/rsa/rsa_ge
static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
BN_GENCB *cb); BN_GENCB *cb);
@@ -31,6 +103,13 @@ static int rsa_builtin_keygen(RSA *rsa, @@ -31,6 +101,13 @@ static int rsa_builtin_keygen(RSA *rsa,
*/ */
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{ {
@ -10213,7 +10211,7 @@ diff -up openssl-1.1.1/crypto/rsa/rsa_gen.c.fips openssl-1.1.1/crypto/rsa/rsa_ge
if (rsa->meth->rsa_keygen != NULL) if (rsa->meth->rsa_keygen != NULL)
return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
@@ -41,6 +120,13 @@ int RSA_generate_key_ex(RSA *rsa, int bi @@ -41,6 +118,13 @@ int RSA_generate_key_ex(RSA *rsa, int bi
int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
BIGNUM *e_value, BN_GENCB *cb) BIGNUM *e_value, BN_GENCB *cb)
{ {
@ -10227,7 +10225,7 @@ diff -up openssl-1.1.1/crypto/rsa/rsa_gen.c.fips openssl-1.1.1/crypto/rsa/rsa_ge
/* multi-prime is only supported with the builtin key generation */ /* multi-prime is only supported with the builtin key generation */
if (rsa->meth->rsa_multi_prime_keygen != NULL) { if (rsa->meth->rsa_multi_prime_keygen != NULL) {
return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes, return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,
@@ -57,10 +143,285 @@ int RSA_generate_multi_prime_key(RSA *rs @@ -57,10 +141,285 @@ int RSA_generate_multi_prime_key(RSA *rs
else else
return 0; return 0;
} }