fix FIPS RSA key generation failure

This commit is contained in:
Tomas Mraz 2018-06-19 16:05:15 +02:00
parent 357b7a7e37
commit 98bbad839c
2 changed files with 19 additions and 38 deletions

View File

@ -10809,8 +10809,8 @@ diff -up openssl-1.1.0h/crypto/rsa/rsa_err.c.fips openssl-1.1.0h/crypto/rsa/rsa_
"operation not supported for this keytype"}, "operation not supported for this keytype"},
{ERR_REASON(RSA_R_PADDING_CHECK_FAILED), "padding check failed"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED), "padding check failed"},
diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips openssl-1.1.0h/crypto/rsa/rsa_gen.c diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips openssl-1.1.0h/crypto/rsa/rsa_gen.c
--- openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips 2018-03-29 14:44:24.620236501 +0200 --- openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips 2018-06-08 14:56:32.413411585 +0200
+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-03-29 15:20:36.277287100 +0200 +++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-06-18 14:51:57.773846354 +0200
@@ -18,6 +18,75 @@ @@ -18,6 +18,75 @@
#include "internal/cryptlib.h" #include "internal/cryptlib.h"
#include <openssl/bn.h> #include <openssl/bn.h>
@ -10887,7 +10887,7 @@ diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips openssl-1.1.0h/crypto/rsa/rsa_
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
BN_GENCB *cb); BN_GENCB *cb);
@@ -31,11 +100,303 @@ static int rsa_builtin_keygen(RSA *rsa, @@ -31,11 +100,281 @@ static int rsa_builtin_keygen(RSA *rsa,
*/ */
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{ {
@ -10982,7 +10982,11 @@ diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips openssl-1.1.0h/crypto/rsa/rsa_
+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) + if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
+ test = 1; + test = 1;
+ +
+ BN_set_flags(r0, BN_FLG_CONSTTIME);
+ BN_set_flags(r1, BN_FLG_CONSTTIME);
+ BN_set_flags(r2, BN_FLG_CONSTTIME); + BN_set_flags(r2, BN_FLG_CONSTTIME);
+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+ +
+ retry: + retry:
+ /* generate p and q */ + /* generate p and q */
@ -11104,35 +11108,21 @@ diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips openssl-1.1.0h/crypto/rsa/rsa_
+ if (!BN_sub(r2, rsa->q, BN_value_one())) + if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err; /* q-1 */ + goto err; /* q-1 */
+ +
+ /* note that computing gcd is not safe to timing attacks */
+ if (!BN_gcd(r0, r1, r2, ctx)) + if (!BN_gcd(r0, r1, r2, ctx))
+ goto err; + goto err;
+ +
+ { + {
+ BIGNUM *pr0 = BN_new(); + if (!BN_div(r0, NULL, r1, r0, ctx))
+
+ if (pr0 == NULL)
+ goto err; + goto err;
+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
+ +
+ if (!BN_div(pr0, NULL, r1, pr0, ctx)) { + if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */
+ BN_free(pr0);
+ goto err; + goto err;
+ }
+ +
+ if (!BN_mul(pr0, pr0, r2, ctx)) { /* lcm(p-1, q-1) */ + if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */
+ BN_free(pr0);
+ goto err; + goto err;
+ } + }
+ +
+ if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { /* d */
+ BN_free(pr0);
+ goto err;
+ }
+
+ /* We MUST free pr0 before any further use of r0 */
+ BN_free(pr0);
+ }
+
+ if (BN_num_bits(rsa->d) < pbits) + if (BN_num_bits(rsa->d) < pbits)
+ goto retry; /* d is too small */ + goto retry; /* d is too small */
+ +
@ -11154,21 +11144,9 @@ diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips openssl-1.1.0h/crypto/rsa/rsa_
+ BN_free(d); + BN_free(d);
+ } + }
+ +
+ {
+ BIGNUM *p = BN_new();
+
+ if (p == NULL)
+ goto err;
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+
+ /* calculate inverse of q mod p */ + /* calculate inverse of q mod p */
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) { + if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx))
+ BN_free(p);
+ goto err; + goto err;
+ }
+ /* We MUST free p before any further use of rsa->p */
+ BN_free(p);
+ }
+ +
+ if (!fips_check_rsa(rsa)) + if (!fips_check_rsa(rsa))
+ goto err; + goto err;
@ -11191,7 +11169,7 @@ diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips openssl-1.1.0h/crypto/rsa/rsa_
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
BN_GENCB *cb) BN_GENCB *cb)
{ {
@@ -44,6 +405,16 @@ static int rsa_builtin_keygen(RSA *rsa, @@ -44,6 +383,16 @@ static int rsa_builtin_keygen(RSA *rsa,
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
unsigned long error = 0; unsigned long error = 0;

View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.0h Version: 1.1.0h
Release: 4%{?dist} Release: 5%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -435,6 +435,9 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Tue Jun 19 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-5
- fix FIPS RSA key generation failure
* Mon Jun 4 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-4 * Mon Jun 4 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-4
- ppc64le is not multilib arch (#1584994) - ppc64le is not multilib arch (#1584994)