OpenSSL rsa_verify_recover key length checks in FIPS mode

Resolves: rhbz#2186819
This commit is contained in:
Dmitry Belyavskiy 2023-04-17 16:08:19 +02:00
parent ba8edd5ea8
commit 4999352324
2 changed files with 22 additions and 0 deletions

View File

@ -697,6 +697,26 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c
--- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200
+++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200
@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
+# ifdef FIPS_MODULE
+ size_t rsabits = RSA_bits(prsactx->rsa);
+
+ if (rsabits < 2048) {
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ }
+# endif
if (!ossl_prov_is_running())
return 0;
@@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

View File

@ -523,6 +523,8 @@ install -m644 %{SOURCE9} \
Resolves: rhbz#2187429
- Certificate policy check not enabled
Resolves: rhbz#2187431
- OpenSSL rsa_verify_recover key length checks in FIPS mode
Resolves: rhbz#2186819
* Fri Mar 24 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-12
- Change explicit FIPS indicator for RSA decryption to unapproved