testing/openssl-3
SHA256
3
0
Fork 0
forked from pool/openssl-3
Code Pull Requests Activity
main
openssl-3/openssl-3-FIPS-PCT_rsa_keygen.patch
Pedro Monreal Gonzalez 6bc57d937f - FIPS: Deny SHA-1 signature verification in FIPS provider [bsc#1221365] 
* SHA-1 is not allowed anymore in FIPS 186-5 for signature
    verification operations. After 12/31/2030, NIST will disallow
    SHA-1 for all of its usages.
  * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch

- FIPS: RSA keygen PCT requirements.
  * Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the
    self-test requirements are covered by do_rsa_pct() for both
    RSA-OAEP and RSA signatures [bsc#1221760]
  * Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753]
  * Add openssl-3-FIPS-PCT_rsa_keygen.patch

- FIPS: Check that the fips provider is available before setting
  it as the default provider in FIPS mode. [bsc#1220523]
  * Rebase openssl-Force-FIPS.patch

- FIPS: Port openssl to use jitterentropy [bsc#1220523]
  * Set the module in error state if the jitter RNG fails either on
    initialization or entropy gathering because health tests failed.
  * Add jitterentropy as a seeding source output also in crypto/info.c
  * Move the jitter entropy collector and the associated lock out
    of the header file to avoid redefinitions.
  * Add the fips_local.cnf symlink to the spec file. This simlink
    points to the openssl_fips.config file that is provided by the
    crypto-policies package.
  * Rebase openssl-3-jitterentropy-3.4.0.patch
  * Rebase openssl-FIPS-enforce-EMS-support.patch

- FIPS: Block non-Approved Elliptic Curves [bsc#1221786]

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
2024-08-07 21:54:42 +00:00

29 lines
1.1 KiB
Diff
Raw Permalink Blame History

Index: openssl-3.1.4/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c
+++ openssl-3.1.4/crypto/rsa/rsa_gen.c
@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
#ifdef FIPS_MODULE
ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
- pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
+ /* FIPS MODE needs to always run the pairwise test. But, the
+ * rsa_keygen_pairwise_test() PCT as self-test requirements will be
+ * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and
+ * this PCT can be skipped here. See bsc#1221760 for more info.
+ */
+ pairwise_test = 0;
#else
/*
* Only multi-prime keys or insecure keys with a small key length or a
@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
rsa->dmp1 = NULL;
rsa->dmq1 = NULL;
rsa->iqmp = NULL;
+#ifdef FIPS_MODULE
+ abort();
+#endif /* FIPS_MODULE */
}
}
return ok;
View Git Blame Copy Permalink