Add missing ECDH Public Key Check in FIPS mode

Resolves: RHEL-15990
This commit is contained in:
Dmitry Belyavskiy 2023-11-08 11:55:53 +01:00
parent 9a075c13c3
commit 72772f737e
2 changed files with 17 additions and 1 deletions

View File

@ -57,7 +57,21 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
dh->dirty_cnt++; dh->dirty_cnt++;
ok = 1; ok = 1;
err: err:
diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c
--- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100
+++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100
@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey
eckey->dirty_cnt++;
#ifdef FIPS_MODULE
+ if (ossl_ec_key_public_check(eckey, ctx) <= 0) {
+ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY);
+ goto err;
+ }
+
pairwise_test = 1;
#endif /* FIPS_MODULE */
diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c
--- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200 --- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200
+++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200 +++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200

View File

@ -553,6 +553,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
Resolves: RHEL-14083 Resolves: RHEL-14083
- Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c) - Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
Resolves: RHEL-14083 Resolves: RHEL-14083
- Add missing ECDH Public Key Check in FIPS mode
Resolves: RHEL-15990
* Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
- Make FIPS module configuration more crypto-policies friendly - Make FIPS module configuration more crypto-policies friendly