diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch index 6c69089..ba2818c 100644 --- a/0044-FIPS-140-3-keychecks.patch +++ b/0044-FIPS-140-3-keychecks.patch @@ -129,7 +129,7 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope + /* Pairwise consistency test */ + if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 + && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1) -+ goto err; ++ abort(); +#endif if (gctx->group_check != NULL) @@ -263,7 +263,7 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise op +#ifdef FIPS_MODULE + /* Pairwise consistency test */ + if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) -+ goto err; ++ abort(); +#endif err: BN_GENCB_free(gencb); @@ -316,7 +316,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; -@@ -1504,6 +1504,35 @@ static const OSSL_PARAM *rsa_settable_ct +@@ -1504,6 +1504,45 @@ static const OSSL_PARAM *rsa_settable_ct return EVP_MD_settable_ctx_params(prsactx->md); } @@ -324,8 +324,9 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op +int do_rsa_pct(void *vctx, const char *mdname, void *rsa) +{ + static const char data[32]; -+ unsigned char sigbuf[256]; -+ size_t siglen = sizeof(sigbuf); ++ unsigned char *sigbuf = NULL; ++ size_t siglen = 0; ++ int ret = 0; + + if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) + return 0; @@ -333,19 +334,28 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op + if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) + return 0; + -+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) ++ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) + return 0; + ++ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0) ++ goto err; ++ + if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) -+ return 0; ++ goto err; + + if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) -+ return 0; ++ goto err; + + if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) -+ return 0; ++ goto err; ++ ret = 1; + -+ return 1; ++ err: ++ OPENSSL_free(sigbuf); ++ return ret; +} +#endif +