Additional FIPS mode check for EC key generation
parent
04d5ef4d72
commit
067d5800f2
@ -2388,9 +2388,29 @@ diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/
|
||||
+}
|
||||
+
|
||||
diff -up openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh openssl-1.1.1g/crypto/ec/ec_key.c
|
||||
--- openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh 2020-07-17 10:36:29.183787931 +0200
|
||||
+++ openssl-1.1.1g/crypto/ec/ec_key.c 2020-07-17 10:36:29.247788458 +0200
|
||||
@@ -296,8 +296,20 @@ int ec_key_simple_generate_key(EC_KEY *e
|
||||
--- openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh 2020-07-17 11:00:53.958175227 +0200
|
||||
+++ openssl-1.1.1g/crypto/ec/ec_key.c 2020-07-20 13:24:03.941107320 +0200
|
||||
@@ -280,9 +280,18 @@ int ec_key_simple_generate_key(EC_KEY *e
|
||||
if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
|
||||
goto err;
|
||||
|
||||
- eckey->priv_key = priv_key;
|
||||
eckey->pub_key = pub_key;
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ eckey->priv_key = NULL;
|
||||
+ if (EC_KEY_check_key(eckey) <= 0) {
|
||||
+ eckey->pub_key = NULL;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ eckey->priv_key = priv_key;
|
||||
+
|
||||
ok = 1;
|
||||
|
||||
err:
|
||||
@@ -296,8 +305,23 @@ int ec_key_simple_generate_key(EC_KEY *e
|
||||
|
||||
int ec_key_simple_generate_public_key(EC_KEY *eckey)
|
||||
{
|
||||
@ -2408,6 +2428,9 @@ diff -up openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh openssl-1.1.1g/crypto/ec/ec_k
|
||||
+ ret = EC_KEY_check_key(eckey);
|
||||
+ eckey->priv_key = priv_key;
|
||||
+
|
||||
+ if (ret <= 0)
|
||||
+ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key);
|
||||
+
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
|
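Review bot: In the new FIPS branch of ec_key_simple_generate_key, a failed `EC_KEY_check_key(eckey)` jumps to `err:` with both `eckey->priv_key` and `eckey->pub_key` set to NULL, so the freshly generated private scalar is held only by the local `priv_key`. The cleanup under `err:` is outside the hunk, so it is worth confirming that it releases the scalar with `BN_clear_free` rather than `BN_free`; otherwise the key material is not zeroized on this path. The temporary `eckey->priv_key = NULL;` needs a why-comment in both functions, for example `/* detach the private key so EC_KEY_check_key validates only the public key */`, which is presumably the intent since the pointer is restored right after the check. In ec_key_simple_generate_public_key the result of `EC_POINT_set_to_infinity` is dropped; writing `(void)EC_POINT_set_to_infinity(eckey->group, eckey->pub_key);` would show that this is deliberate. Both function bodies begin outside the visible hunks.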
@ -22,7 +22,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1g
|
||||
Release: 12%{?dist}
|
||||
Release: 13%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -475,6 +475,9 @@ export LD_LIBRARY_PATH
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-13
|
||||
- Additional FIPS mode check for EC key generation
|
||||
|
||||
* Fri Jul 17 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-12
|
||||
- Further changes for SP 800-56A rev3 requirements
|
||||
|
||||
|