From 72772f737e4c581b02066779177c07b64e7c6845 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Wed, 8 Nov 2023 11:55:53 +0100
Subject: [PATCH] Add missing ECDH Public Key Check in FIPS mode
Resolves: RHEL-15990
---
 0044-FIPS-140-3-keychecks.patch | 16 +++++++++++++++-
 openssl.spec | 2 ++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch
index 38efa07..1b0d1fa 100644
--- a/0044-FIPS-140-3-keychecks.patch
+++ b/0044-FIPS-140-3-keychecks.patch
@@ -57,7 +57,21 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
 dh->dirty_cnt++;
 ok = 1;
 err:
-diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c
+diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c
+--- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100
++++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100
+@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey
+ eckey->dirty_cnt++;
+ 
+ #ifdef FIPS_MODULE
++ if (ossl_ec_key_public_check(eckey, ctx) <= 0) {
++ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY);
++ goto err;
++ }
++
+ pairwise_test = 1;
+ #endif /* FIPS_MODULE */
+ 
 diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c
 --- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200
 +++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200
diff --git a/openssl.spec b/openssl.spec
index 33def63..a22b793 100644
--- a/openssl.spec
+++ b/openssl.spec
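Review bot: The `ossl_ec_key_public_check` call added inside `#ifdef FIPS_MODULE` in ec_generate_key carries no comment tying it to the requirement it implements, and because this is a distro patch layered on a patch, the next rebase has to guess why a full public-key validation of a key the function itself just generated sits before `pairwise_test = 1` rather than in the ECDH exchange code the commit subject names. I would put above the `if`: `/* FIPS 140-3: owner assurance of public-key validity for the generated key (SP 800-56Ar3 5.6.2.1.2) - TODO confirm clause */`. If ossl_ec_key_public_check raises its own reason code on failure, as its siblings in ec_key.c appear to, the extra `ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY)` stacks a second, generic error on top; that is fine for locating the failure but is worth a word in the same comment. The `goto err` lands on cleanup outside the hunk, presumably with `ok` still 0, so the failure takes whatever path `err:` has for a failed generation, which the hunk does not show. ec_generate_key starts and ends outside the hunk.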
@@ -553,6 +553,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 Resolves: RHEL-14083
 - Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
 Resolves: RHEL-14083
+- Add missing ECDH Public Key Check in FIPS mode
+ Resolves: RHEL-15990
 
 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24
 - Make FIPS module configuration more crypto-policies friendly