rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Additional FIPS mode check for EC key generation

This commit is contained in:
Tomas Mraz 2020-07-20 14:51:05 +02:00
parent 04d5ef4d72
commit 067d5800f2
2 changed files with 30 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
openssl-1.1.1-fips-dh.patch
View File

@ -2388,9 +2388,29 @@ diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/
+}
+
diff -up openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh openssl-1.1.1g/crypto/ec/ec_key.c
--- openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh 2020-07-17 10:36:29.183787931 +0200
+++ openssl-1.1.1g/crypto/ec/ec_key.c 2020-07-17 10:36:29.247788458 +0200
@@ -296,8 +296,20 @@ int ec_key_simple_generate_key(EC_KEY *e
--- openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh 2020-07-17 11:00:53.958175227 +0200
+++ openssl-1.1.1g/crypto/ec/ec_key.c 2020-07-20 13:24:03.941107320 +0200
@@ -280,9 +280,18 @@ int ec_key_simple_generate_key(EC_KEY *e
if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
goto err;
- eckey->priv_key = priv_key;
eckey->pub_key = pub_key;
+ if (FIPS_mode()) {
+ eckey->priv_key = NULL;
+ if (EC_KEY_check_key(eckey) <= 0) {
+ eckey->pub_key = NULL;
+ goto err;
+ }
+ }
+
+ eckey->priv_key = priv_key;
+
ok = 1;
err:
@@ -296,8 +305,23 @@ int ec_key_simple_generate_key(EC_KEY *e
int ec_key_simple_generate_public_key(EC_KEY *eckey)
{
@ -2408,6 +2428,9 @@ diff -up openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh openssl-1.1.1g/crypto/ec/ec_k
+ ret = EC_KEY_check_key(eckey);
+ eckey->priv_key = priv_key;
+
+ if (ret <= 0)
+ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key);
+
+ return ret;
}

5
openssl.spec
View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1g
Release: 12%{?dist}
Release: 13%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -475,6 +475,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-13
- Additional FIPS mode check for EC key generation
* Fri Jul 17 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-12
- Further changes for SP 800-56A rev3 requirements