Pedro Monreal Gonzalez
30c6de24df
* Miscellaneous minor bug fixes.
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
- Rebase patches:
* openssl-FIPS-140-3-keychecks.patch
* openssl-FIPS-NO-DES-support.patch
* openssl-FIPS-enforce-EMS-support.patch
* openssl-disable-fipsinstall.patch
- Move ssl configuration files to the libopenssl package [bsc#1247463]
- Don't install unneeded NOTES
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=153
44 lines
1.3 KiB
Diff
44 lines
1.3 KiB
Diff
From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001
|
|
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
Date: Mon, 21 Aug 2023 16:01:48 +0200
|
|
Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch
|
|
|
|
Patch-name: 0091-FIPS-RSA-encapsulate.patch
|
|
Patch-id: 91
|
|
---
|
|
providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++
|
|
1 file changed, 15 insertions(+)
|
|
|
|
Index: openssl-3.2.4/providers/implementations/kem/rsa_kem.c
|
|
===================================================================
|
|
--- openssl-3.2.4.orig/providers/implementations/kem/rsa_kem.c
|
|
+++ openssl-3.2.4/providers/implementations/kem/rsa_kem.c
|
|
@@ -276,6 +276,13 @@ static int rsasve_generate(PROV_RSA_CTX
|
|
return 0;
|
|
}
|
|
|
|
+#ifdef FIPS_MODULE
|
|
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
|
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
+
|
|
/*
|
|
* Step (2): Generate a random byte string z of nlen bytes where
|
|
* 1 < z < n - 1
|
|
@@ -337,6 +344,13 @@ static int rsasve_recover(PROV_RSA_CTX *
|
|
return 1;
|
|
}
|
|
|
|
+#ifdef FIPS_MODULE
|
|
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
|
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
+
|
|
/*
|
|
* Step (2): check the input ciphertext 'inlen' matches the nlen
|
|
* and that outlen is at least nlen bytes
|