OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
Resolves: rhbz#1977867
This commit is contained in:
parent
849a9965ee
commit
ea9f0a5726
@ -38,3 +38,43 @@ diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_expl
|
||||
return EC_KEY_set_group(ec, group) > 0;
|
||||
}
|
||||
|
||||
diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c
|
||||
--- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec 2022-02-25 11:44:19.554673396 +0100
|
||||
+++ openssl-3.0.1/providers/common/securitycheck.c 2022-02-25 12:16:38.168610089 +0100
|
||||
@@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx
|
||||
int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
|
||||
{
|
||||
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||
- if (ossl_securitycheck_enabled(ctx)) {
|
||||
- int nid, strength;
|
||||
- const char *curve_name;
|
||||
- const EC_GROUP *group = EC_KEY_get0_group(ec);
|
||||
+ int nid, strength;
|
||||
+ const char *curve_name;
|
||||
+ const EC_GROUP *group = EC_KEY_get0_group(ec);
|
||||
|
||||
- if (group == NULL) {
|
||||
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
|
||||
- return 0;
|
||||
- }
|
||||
- nid = EC_GROUP_get_curve_name(group);
|
||||
- if (nid == NID_undef) {
|
||||
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
||||
- "Explicit curves are not allowed in fips mode");
|
||||
- return 0;
|
||||
- }
|
||||
+ if (group == NULL) {
|
||||
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
|
||||
+ return 0;
|
||||
+ }
|
||||
+ nid = EC_GROUP_get_curve_name(group);
|
||||
+ if (nid == NID_undef) {
|
||||
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
||||
+ "Explicit curves are not allowed in this build");
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
+ if (ossl_securitycheck_enabled(ctx)) {
|
||||
curve_name = EC_curve_nid2nist(nid);
|
||||
if (curve_name == NULL) {
|
||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
||||
|
@ -15,7 +15,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.1
|
||||
Release: 12%{?dist}
|
||||
Release: 13%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -412,6 +412,10 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Fri Feb 25 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-13
|
||||
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
|
||||
- Resolves: rhbz#1977867
|
||||
|
||||
* Thu Feb 24 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1:3.0.1-12
|
||||
- Support KBKDF (NIST SP800-108) with an R value of 8bits
|
||||
- Resolves: rhbz#2027261
|
||||
|
Loading…
Reference in New Issue
Block a user