pool/openssl-3
SHA256
4
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
openssl-3/openssl-FIPS-RSA-encapsulate.patch
Pedro Monreal Gonzalez ef668cd7fa - Update to 3.2.4: 
* Fixed RFC7250 handshakes with unauthenticated servers don't abort as
    expected. [CVE-2024-12797]
  * Fixed timing side-channel in ECDSA signature computation. [CVE-2024-13176]
  * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
    curve parameters. [CVE-2024-9143]
- Remove patch openssl-CVE-2024-13176.patch
- Rebase patches:
  * openssl-3-add_EVP_DigestSqueeze_api.patch
  * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
  * openssl-FIPS-RSA-encapsulate.patch
  * openssl-disable-fipsinstall.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=132
2025-02-12 07:49:34 +00:00

44 lines
1.3 KiB
Diff
Raw Blame History

From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:01:48 +0200
Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
---
providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
Index: openssl-3.2.4/providers/implementations/kem/rsa_kem.c
===================================================================
--- openssl-3.2.4.orig/providers/implementations/kem/rsa_kem.c
+++ openssl-3.2.4/providers/implementations/kem/rsa_kem.c
@@ -276,6 +276,13 @@ static int rsasve_generate(PROV_RSA_CTX
return 0;
}
+#ifdef FIPS_MODULE
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
/*
* Step (2): Generate a random byte string z of nlen bytes where
* 1 < z < n - 1
@@ -337,6 +344,13 @@ static int rsasve_recover(PROV_RSA_CTX *
return 1;
}
+#ifdef FIPS_MODULE
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
/*
* Step (2): check the input ciphertext 'inlen' matches the nlen
* and that outlen is at least nlen bytes
Reference in New Issue View Git Blame Copy Permalink