Abort on PCT failure
Related: rhbz#2168324
This commit is contained in:
parent
dd6f0d33c8
commit
960e6deebf
@ -129,7 +129,7 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope
|
|||||||
+ /* Pairwise consistency test */
|
+ /* Pairwise consistency test */
|
||||||
+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
|
+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
|
||||||
+ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
|
+ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
|
||||||
+ goto err;
|
+ abort();
|
||||||
+#endif
|
+#endif
|
||||||
|
|
||||||
if (gctx->group_check != NULL)
|
if (gctx->group_check != NULL)
|
||||||
@ -263,7 +263,7 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise op
|
|||||||
+#ifdef FIPS_MODULE
|
+#ifdef FIPS_MODULE
|
||||||
+ /* Pairwise consistency test */
|
+ /* Pairwise consistency test */
|
||||||
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
|
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
|
||||||
+ goto err;
|
+ abort();
|
||||||
+#endif
|
+#endif
|
||||||
err:
|
err:
|
||||||
BN_GENCB_free(gencb);
|
BN_GENCB_free(gencb);
|
||||||
@ -316,7 +316,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op
|
|||||||
{
|
{
|
||||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||||
|
|
||||||
@@ -1504,6 +1504,35 @@ static const OSSL_PARAM *rsa_settable_ct
|
@@ -1504,6 +1504,45 @@ static const OSSL_PARAM *rsa_settable_ct
|
||||||
return EVP_MD_settable_ctx_params(prsactx->md);
|
return EVP_MD_settable_ctx_params(prsactx->md);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -324,8 +324,9 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op
|
|||||||
+int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
|
+int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
|
||||||
+{
|
+{
|
||||||
+ static const char data[32];
|
+ static const char data[32];
|
||||||
+ unsigned char sigbuf[256];
|
+ unsigned char *sigbuf = NULL;
|
||||||
+ size_t siglen = sizeof(sigbuf);
|
+ size_t siglen = 0;
|
||||||
|
+ int ret = 0;
|
||||||
+
|
+
|
||||||
+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
|
+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
@ -333,19 +334,28 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op
|
|||||||
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+
|
+
|
||||||
+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
|
+ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+
|
+
|
||||||
|
+ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
|
+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
|
||||||
+ return 0;
|
+ goto err;
|
||||||
+
|
+
|
||||||
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||||
+ return 0;
|
+ goto err;
|
||||||
+
|
+
|
||||||
+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
|
+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
|
||||||
+ return 0;
|
+ goto err;
|
||||||
|
+ ret = 1;
|
||||||
+
|
+
|
||||||
+ return 1;
|
+ err:
|
||||||
|
+ OPENSSL_free(sigbuf);
|
||||||
|
+ return ret;
|
||||||
+}
|
+}
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
|
Loading…
Reference in New Issue
Block a user