jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

DH PCT should abort on failure

Browse Source 
Resolves: rhbz#2178039
This commit is contained in:
Dmitry Belyavskiy 2023-03-10 12:36:43 +01:00 committed by Clemens Lang
parent bfdbb139b4
commit fb4b72ff2f
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
0044-FIPS-140-3-keychecks.patch
View File

@ -35,7 +35,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -354,8 +367,23 @@ static int generate_key(DH *dh) @@ -354,8 +367,21 @@ static int generate_key(DH *dh)
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
goto err; goto err;
@ -50,9 +50,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
dh->priv_key = priv_key; dh->priv_key = priv_key;
+#ifdef FIPS_MODULE +#ifdef FIPS_MODULE
+ if (ossl_dh_check_pairwise(dh) <= 0) { + if (ossl_dh_check_pairwise(dh) <= 0) {
+ dh->pub_key = dh->priv_key = NULL; + abort();
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
+ goto err;
+ } + }
+#endif +#endif
+ +

2
openssl.spec
View File

@ -521,6 +521,8 @@ install -m644 %{SOURCE9} \
Resolves: rhbz#2178034 Resolves: rhbz#2178034
- Forbid DHX keys import in FIPS mode - Forbid DHX keys import in FIPS mode
Resolves: rhbz#2178030 Resolves: rhbz#2178030
- DH PCT should abort on failure
Resolves: rhbz#2178039
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6 * Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
- Fixes RNG slowdown in FIPS mode - Fixes RNG slowdown in FIPS mode