Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements
Related: rhbz#2102537
This commit is contained in:
		
							parent
							
								
									3f7cd79d02
								
							
						
					
					
						commit
						f1dba9d301
					
				| @ -59,3 +59,48 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c | ||||
|      dh->dirty_cnt++; | ||||
|      ok = 1; | ||||
|   err: | ||||
| diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c
 | ||||
| diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c
 | ||||
| --- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3	2022-07-25 13:42:46.814952053 +0200
 | ||||
| +++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c	2022-07-25 13:52:12.292065706 +0200
 | ||||
| @@ -488,6 +488,25 @@ int ecdh_plain_derive(void *vpecdhctx, u
 | ||||
|      } | ||||
|   | ||||
|      ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); | ||||
| +#ifdef FIPS_MODULE
 | ||||
| +    {
 | ||||
| +        BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
 | ||||
| +        int check = 0;
 | ||||
| +
 | ||||
| +        if (bn_ctx == NULL) {
 | ||||
| +            ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 | ||||
| +            goto end;
 | ||||
| +        }
 | ||||
| +
 | ||||
| +        check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
 | ||||
| +        BN_CTX_free(bn_ctx);
 | ||||
| +
 | ||||
| +        if (check <= 0) {
 | ||||
| +            ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
 | ||||
| +            goto end;
 | ||||
| +        }
 | ||||
| +    }
 | ||||
| +#endif
 | ||||
|   | ||||
|      retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); | ||||
|   | ||||
| diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c
 | ||||
| --- openssl-3.0.1/crypto/ec/ec_key.c.fips3	2022-07-25 14:03:34.420222507 +0200
 | ||||
| +++ openssl-3.0.1/crypto/ec/ec_key.c	2022-07-25 14:09:00.728164294 +0200
 | ||||
| @@ -336,6 +336,11 @@ static int ec_generate_key(EC_KEY *eckey
 | ||||
|   | ||||
|          OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg); | ||||
|          ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg); | ||||
| +
 | ||||
| +#ifdef FIPS_MODULE
 | ||||
| +        ok &= ossl_ec_key_public_check(eckey, ctx);
 | ||||
| +        ok &= ossl_ec_key_pairwise_check(eckey, ctx);
 | ||||
| +#endif /* FIPS_MODULE */
 | ||||
|      } | ||||
|  err: | ||||
|      /* Step (9): If there is an error return an invalid keypair. */ | ||||
|  | ||||
| @ -488,6 +488,8 @@ install -m644 %{SOURCE9} \ | ||||
| * Fri Aug 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-40 | ||||
| - Deal with DH keys in FIPS mode according FIPS-140-3 requirements | ||||
|   Related: rhbz#2102536 | ||||
| - Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements | ||||
|   Related: rhbz#2102537 | ||||
| 
 | ||||
| * Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39 | ||||
| - Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user