OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters

Resolves: rhbz#1977867
epel8
Dmitry Belyavskiy 3 years ago
parent 849a9965ee
commit ea9f0a5726

@ -38,3 +38,43 @@ diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_expl
return EC_KEY_set_group(ec, group) > 0;
}
diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c
--- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec 2022-02-25 11:44:19.554673396 +0100
+++ openssl-3.0.1/providers/common/securitycheck.c 2022-02-25 12:16:38.168610089 +0100
@@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx
int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (ossl_securitycheck_enabled(ctx)) {
- int nid, strength;
- const char *curve_name;
- const EC_GROUP *group = EC_KEY_get0_group(ec);
+ int nid, strength;
+ const char *curve_name;
+ const EC_GROUP *group = EC_KEY_get0_group(ec);
- if (group == NULL) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
- return 0;
- }
- nid = EC_GROUP_get_curve_name(group);
- if (nid == NID_undef) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
- "Explicit curves are not allowed in fips mode");
- return 0;
- }
+ if (group == NULL) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
+ return 0;
+ }
+ nid = EC_GROUP_get_curve_name(group);
+ if (nid == NID_undef) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
+ "Explicit curves are not allowed in this build");
+ return 0;
+ }
+ if (ossl_securitycheck_enabled(ctx)) {
curve_name = EC_curve_nid2nist(nid);
if (curve_name == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,

@ -15,7 +15,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.1
Release: 12%{?dist}
Release: 13%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -412,6 +412,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Fri Feb 25 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-13
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
- Resolves: rhbz#1977867
* Thu Feb 24 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1:3.0.1-12
- Support KBKDF (NIST SP800-108) with an R value of 8bits
- Resolves: rhbz#2027261

Loading…
Cancel
Save