53 lines
2.4 KiB
Diff
53 lines
2.4 KiB
Diff
|
Index: openssl-1.1.1l/crypto/rsa/rsa_pmeth.c
|
||
|
|
===================================================================
|
||
|
|
--- openssl-1.1.1l.orig/crypto/rsa/rsa_pmeth.c
|
||
|
|
+++ openssl-1.1.1l/crypto/rsa/rsa_pmeth.c
|
||
|
|
@@ -140,13 +140,11 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
|
||
|
|
unsigned int sltmp;
|
||
|
|
if (rctx->pad_mode != RSA_PKCS1_PADDING)
|
||
|
|
return -1;
|
||
|
|
- /* PKCS1-v1.5 padding is disallowed after 2023 */
|
||
|
|
- fips_sli_disapprove_EVP_PKEY_CTX(ctx);
|
||
|
|
ret = RSA_sign_ASN1_OCTET_STRING(0,
|
||
|
|
tbs, tbslen, sig, &sltmp, rsa);
|
||
|
|
-
|
||
|
|
if (ret <= 0)
|
||
|
|
return ret;
|
||
|
|
+ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md);
|
||
|
|
ret = sltmp;
|
||
|
|
} else if (rctx->pad_mode == RSA_X931_PADDING) {
|
||
|
|
if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
|
||
|
|
@@ -179,13 +177,12 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
|
||
|
|
ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
|
||
|
|
sig, rsa, RSA_X931_PADDING);
|
||
|
|
} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
|
||
|
|
- /* PKCS1-v1.5 padding is disallowed after 2023 */
|
||
|
|
- fips_sli_disapprove_EVP_PKEY_CTX(ctx);
|
||
|
|
unsigned int sltmp;
|
||
|
|
ret = RSA_sign(EVP_MD_type(rctx->md),
|
||
|
|
tbs, tbslen, sig, &sltmp, rsa);
|
||
|
|
if (ret <= 0)
|
||
|
|
return ret;
|
||
|
|
+ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md);
|
||
|
|
ret = sltmp;
|
||
|
|
} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||
|
|
if (!setup_tbuf(rctx, ctx))
|
||
|
|
@@ -290,10 +287,13 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
|
||
|
|
|
||
|
|
if (rctx->md) {
|
||
|
|
if (rctx->pad_mode == RSA_PKCS1_PADDING) {
|
||
|
|
- /* PKCS1-v1.5 padding is disallowed after 2023 */
|
||
|
|
- fips_sli_disapprove_EVP_PKEY_CTX(ctx);
|
||
|
|
- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
|
||
|
|
- sig, siglen, rsa);
|
||
|
|
+ int ret;
|
||
|
|
+ ret = RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
|
||
|
|
+ sig, siglen, rsa);
|
||
|
|
+ if (ret <= 0)
|
||
|
|
+ return 0;
|
||
|
|
+ fips_sli_check_hash_sigver_EVP_PKEY_CTX(ctx, rctx->md);
|
||
|
|
+ return ret;
|
||
|
|
}
|
||
|
|
if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
|
||
|
|
RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
|