jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

DH PCT should abort on failure

Browse Source 
Resolves: rhbz#2178039
This commit is contained in:
Dmitry Belyavskiy 2023-03-10 12:36:43 +01:00 committed by Clemens Lang
parent bfdbb139b4
commit fb4b72ff2f
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
0044-FIPS-140-3-keychecks.patch
View File

@ -35,7 +35,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -354,8 +367,23 @@ static int generate_key(DH *dh)
@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
goto err;
@ -50,9 +50,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
dh->priv_key = priv_key;
+#ifdef FIPS_MODULE
+ if (ossl_dh_check_pairwise(dh) <= 0) {
+ dh->pub_key = dh->priv_key = NULL;
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
+ goto err;
+ abort();
+ }
+#endif
+

2
openssl.spec
View File

@ -521,6 +521,8 @@ install -m644 %{SOURCE9} \
Resolves: rhbz#2178034
- Forbid DHX keys import in FIPS mode
Resolves: rhbz#2178030
- DH PCT should abort on failure
Resolves: rhbz#2178039
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
- Fixes RNG slowdown in FIPS mode