|
|
@ -694,3 +694,26 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
* We ignore any errors from the fetches below. They are expected to fail
|
|
|
|
* We ignore any errors from the fetches below. They are expected to fail
|
|
|
|
* if theose algorithms are not available.
|
|
|
|
* if theose algorithms are not available.
|
|
|
|
|
|
|
|
diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c
|
|
|
|
|
|
|
|
--- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200
|
|
|
|
|
|
|
|
+++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200
|
|
|
|
|
|
|
|
@@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
|
|
|
|
|
|
|
size_t rslen;
|
|
|
|
|
|
|
|
+# ifdef FIPS_MODULE
|
|
|
|
|
|
|
|
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
+ if (rsabits < 2048) {
|
|
|
|
|
|
|
|
+ if (rsabits != 1024
|
|
|
|
|
|
|
|
+ && rsabits != 1280
|
|
|
|
|
|
|
|
+ && rsabits != 1536
|
|
|
|
|
|
|
|
+ && rsabits != 1792) {
|
|
|
|
|
|
|
|
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
|
|
|
|
|
|
+ return 0;
|
|
|
|
|
|
|
|
+ }
|
|
|
|
|
|
|
|
+ }
|
|
|
|
|
|
|
|
+# endif
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (!ossl_prov_is_running())
|
|
|
|
|
|
|
|
return 0;
|
|
|
|