From 4999352324b8f7cd7144a7916e1cba5b57df2c11 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 17 Apr 2023 16:08:19 +0200 Subject: [PATCH] OpenSSL rsa_verify_recover key length checks in FIPS mode Resolves: rhbz#2186819 --- 0045-FIPS-services-minimize.patch | 20 ++++++++++++++++++++ openssl.spec | 2 ++ 2 files changed, 22 insertions(+) diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch index abb13e0..d2bea7f 100644 --- a/0045-FIPS-services-minimize.patch +++ b/0045-FIPS-services-minimize.patch @@ -697,6 +697,26 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c --- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200 +++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200 +@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; @@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; diff --git a/openssl.spec b/openssl.spec index e178aac..4da5cec 100644 --- a/openssl.spec +++ b/openssl.spec @@ -523,6 +523,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2187429 - Certificate policy check not enabled Resolves: rhbz#2187431 +- OpenSSL rsa_verify_recover key length checks in FIPS mode + Resolves: rhbz#2186819 * Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12 - Change explicit FIPS indicator for RSA decryption to unapproved