openssl-3/openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch

Index: openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c
===================================================================
--- openssl-3.1.4.orig/crypto/rsa/rsa_sp800_56b_check.c
+++ openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c
@@ -405,7 +405,10 @@ int ossl_rsa_sp800_56b_check_keypair(con
         return 0;
     }
     /* (Step 3.b): check the modulus */
-    if (nbits != BN_num_bits(rsa->n)) {
+    /* If nBits is not a positive even integer, output an indication of an
+     * invalid key pair, and exit without further processing.
+     */
+    if (nbits <= 0 || nbits % 2 || nbits != BN_num_bits(rsa->n)) {
         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
         return 0;
     }
- FIPS: Deny SHA-1 signature verification in FIPS provider [bsc#1221365] * SHA-1 is not allowed anymore in FIPS 186-5 for signature verification operations. After 12/31/2030, NIST will disallow SHA-1 for all of its usages. * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch - FIPS: RSA keygen PCT requirements. * Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the self-test requirements are covered by do_rsa_pct() for both RSA-OAEP and RSA signatures [bsc#1221760] * Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753] * Add openssl-3-FIPS-PCT_rsa_keygen.patch - FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode. [bsc#1220523] * Rebase openssl-Force-FIPS.patch - FIPS: Port openssl to use jitterentropy [bsc#1220523] * Set the module in error state if the jitter RNG fails either on initialization or entropy gathering because health tests failed. * Add jitterentropy as a seeding source output also in crypto/info.c * Move the jitter entropy collector and the associated lock out of the header file to avoid redefinitions. * Add the fips_local.cnf symlink to the spec file. This simlink points to the openssl_fips.config file that is provided by the crypto-policies package. * Rebase openssl-3-jitterentropy-3.4.0.patch * Rebase openssl-FIPS-enforce-EMS-support.patch - FIPS: Block non-Approved Elliptic Curves [bsc#1221786] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110 2024-08-07 23:54:42 +02:00			`Index: openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c`
			`===================================================================`
			`--- openssl-3.1.4.orig/crypto/rsa/rsa_sp800_56b_check.c`
			`+++ openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c`
			`@@ -405,7 +405,10 @@ int ossl_rsa_sp800_56b_check_keypair(con`
			`return 0;`
			`}`
			`/* (Step 3.b): check the modulus */`
			`- if (nbits != BN_num_bits(rsa->n)) {`
			`+ /* If nBits is not a positive even integer, output an indication of an`
			`+ * invalid key pair, and exit without further processing.`
			`+ */`
			`+ if (nbits <= 0 \|\| nbits % 2 \|\| nbits != BN_num_bits(rsa->n)) {`
			`ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);`
			`return 0;`
			`}`