Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements
Related: rhbz#2102537
This commit is contained in:
		
							parent
							
								
									3f7cd79d02
								
							
						
					
					
						commit
						f1dba9d301
					
				| @ -59,3 +59,48 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c | |||||||
|      dh->dirty_cnt++; |      dh->dirty_cnt++; | ||||||
|      ok = 1; |      ok = 1; | ||||||
|   err: |   err: | ||||||
|  | diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c
 | ||||||
|  | diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c
 | ||||||
|  | --- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3	2022-07-25 13:42:46.814952053 +0200
 | ||||||
|  | +++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c	2022-07-25 13:52:12.292065706 +0200
 | ||||||
|  | @@ -488,6 +488,25 @@ int ecdh_plain_derive(void *vpecdhctx, u
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |      ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); | ||||||
|  | +#ifdef FIPS_MODULE
 | ||||||
|  | +    {
 | ||||||
|  | +        BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
 | ||||||
|  | +        int check = 0;
 | ||||||
|  | +
 | ||||||
|  | +        if (bn_ctx == NULL) {
 | ||||||
|  | +            ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 | ||||||
|  | +            goto end;
 | ||||||
|  | +        }
 | ||||||
|  | +
 | ||||||
|  | +        check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
 | ||||||
|  | +        BN_CTX_free(bn_ctx);
 | ||||||
|  | +
 | ||||||
|  | +        if (check <= 0) {
 | ||||||
|  | +            ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
 | ||||||
|  | +            goto end;
 | ||||||
|  | +        }
 | ||||||
|  | +    }
 | ||||||
|  | +#endif
 | ||||||
|  |   | ||||||
|  |      retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); | ||||||
|  |   | ||||||
|  | diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c
 | ||||||
|  | --- openssl-3.0.1/crypto/ec/ec_key.c.fips3	2022-07-25 14:03:34.420222507 +0200
 | ||||||
|  | +++ openssl-3.0.1/crypto/ec/ec_key.c	2022-07-25 14:09:00.728164294 +0200
 | ||||||
|  | @@ -336,6 +336,11 @@ static int ec_generate_key(EC_KEY *eckey
 | ||||||
|  |   | ||||||
|  |          OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg); | ||||||
|  |          ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg); | ||||||
|  | +
 | ||||||
|  | +#ifdef FIPS_MODULE
 | ||||||
|  | +        ok &= ossl_ec_key_public_check(eckey, ctx);
 | ||||||
|  | +        ok &= ossl_ec_key_pairwise_check(eckey, ctx);
 | ||||||
|  | +#endif /* FIPS_MODULE */
 | ||||||
|  |      } | ||||||
|  |  err: | ||||||
|  |      /* Step (9): If there is an error return an invalid keypair. */ | ||||||
|  | |||||||
| @ -488,6 +488,8 @@ install -m644 %{SOURCE9} \ | |||||||
| * Fri Aug 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-40 | * Fri Aug 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-40 | ||||||
| - Deal with DH keys in FIPS mode according FIPS-140-3 requirements | - Deal with DH keys in FIPS mode according FIPS-140-3 requirements | ||||||
|   Related: rhbz#2102536 |   Related: rhbz#2102536 | ||||||
|  | - Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements | ||||||
|  |   Related: rhbz#2102537 | ||||||
| 
 | 
 | ||||||
| * Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39 | * Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39 | ||||||
| - Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test | - Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user