From 5d738bdd7fe0e7e68f6b423b2c3d010eecbd88b8 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Tue, 22 Nov 2022 12:57:21 +0100
Subject: [PATCH] Forbid short RSA keys for key encapsulation/decapsulation in
 FIPS mode

Resolves: rhbz#2145170
---
 0090-FIPS-RSA-encapsulate.patch | 32 ++++++++++++++++++++++++++++++++
 openssl.spec                    |  4 ++++
 2 files changed, 36 insertions(+)
 create mode 100644 0090-FIPS-RSA-encapsulate.patch

diff --git a/0090-FIPS-RSA-encapsulate.patch b/0090-FIPS-RSA-encapsulate.patch
new file mode 100644
index 0000000..0e24cf8
--- /dev/null
+++ b/0090-FIPS-RSA-encapsulate.patch
@@ -0,0 +1,32 @@
+diff -up openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap openssl-3.0.1/providers/implementations/kem/rsa_kem.c
+--- openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap	2022-11-22 12:27:30.994530801 +0100
++++ openssl-3.0.1/providers/implementations/kem/rsa_kem.c	2022-11-22 12:32:15.916875495 +0100
+@@ -264,6 +264,14 @@ static int rsasve_generate(PROV_RSA_CTX
+             *secretlen = nlen;
+         return 1;
+     }
++
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     /*
+      * Step (2): Generate a random byte string z of nlen bytes where
+      *            1 < z < n - 1
+@@ -307,6 +315,13 @@ static int rsasve_recover(PROV_RSA_CTX *
+         return 1;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     /* Step (2): check the input ciphertext 'inlen' matches the nlen */
+     if (inlen != nlen) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
diff --git a/openssl.spec b/openssl.spec
index 7975059..287a6f2 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -184,6 +184,8 @@ Patch87: 0087-FIPS-RSA-selftest-params.patch
 Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2142087
 Patch89: 0089-signature-Clamp-PSS-salt-len-to-MD-len.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2144561
+Patch90: 0090-FIPS-RSA-encapsulate.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -535,6 +537,8 @@ install -m644 %{SOURCE9} \
   Resolves: rhbz#2144012
 - Clamp default PSS salt length to digest size for FIPS 186-4 compliance
   Related: rhbz#2144012
+- Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode
+  Resolves: rhbz#2145170
 
 * Tue Nov 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-43
 - CVE-2022-3602: X.509 Email Address Buffer Overflow