diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c --- openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad 2022-05-02 16:04:47.000091901 +0200 +++ openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c 2022-05-02 16:14:50.922443581 +0200 @@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsac return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT); } +# ifdef FIPS_MODULE +static int fips_padding_allowed(const PROV_RSA_CTX *prsactx) +{ + if (prsactx->pad_mode == RSA_PKCS1_PADDING + || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) + return 0; + + return 1; +} +# endif + static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, size_t outsize, const unsigned char *in, size_t inlen) { @@ -141,6 +152,13 @@ static int rsa_encrypt(void *vprsactx, u if (!ossl_prov_is_running()) return 0; +# ifdef FIPS_MODULE + if (fips_padding_allowed(prsactx) == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); + return 0; + } +# endif + if (out == NULL) { size_t len = RSA_size(prsactx->rsa); @@ -202,6 +220,13 @@ static int rsa_decrypt(void *vprsactx, u if (!ossl_prov_is_running()) return 0; +# ifdef FIPS_MODULE + if (fips_padding_allowed(prsactx) == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); + return 0; + } +# endif + if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) { if (out == NULL) { *outlen = SSL_MAX_MASTER_KEY_LENGTH; diff -up openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_cms.t --- openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad 2022-05-02 17:04:07.610782138 +0200 +++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-02 17:06:03.595814620 +0200 
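Review bot: `fips_padding_allowed()` is written as a denylist: it returns 0 only for `RSA_PKCS1_PADDING` and `RSA_PKCS1_WITH_TLS_PADDING`, so every other value of `pad_mode`, including any mode added later, is accepted in the FIPS module. If the intent is that only approved modes are usable, an allowlist states that directly, e.g. `return prsactx->pad_mode == RSA_PKCS1_OAEP_PADDING;`, extended with whatever else the module's policy permits (not shown in this hunk). The helper also has no comment; `/* FIPS module: refuse PKCS#1 v1.5 encryption padding (plain and TLS variants) */` above it would record why these two modes are singled out, presumably the padding-oracle exposure of v1.5 decryption.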
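Review bot: The check added at the top of `rsa_encrypt()`, and the identical block in the `rsa_decrypt()` hunk, rejects the pad mode only when the operation runs, so a context can still be configured with PKCS#1 v1.5 padding and the error surfaces later, at the first encrypt or decrypt call (including the `out == NULL` size query). If the pad mode is chosen in a parameter-setting routine outside these hunks, refusing it there too would fail at configuration time; that code is not visible here, so this is something to check and not a confirmed gap. The two blocks are copies of each other, and `if (!fips_padding_allowed(prsactx)) {` would match the `if (!ossl_prov_is_running())` line directly above better than `== 0`. Both function bodies continue outside the hunks.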
@@ -232,7 +232,7 @@ my @smime_pkcs7_tests = ( \&final_compare ], - [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", + [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS", [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-aes256", "-stream", "-out", "{output}.cms", $smrsa1, @@ -865,5 +865,8 @@ sub check_availability { return "$tnam: skipped, DSA disabled\n" if ($no_dsa && $tnam =~ / DSA/); + return "$tnam: skipped, Red Hat FIPS\n" + if ($tnam =~ /no Red Hat FIPS/); + return ""; } diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.no_bad_pad openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt --- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.no_bad_pad 2022-05-02 17:16:00.408148809 +0200 +++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2022-05-02 17:17:34.351988456 +0200 
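Review bot: The skip added to `check_availability` fires on the test name alone (`$tnam =~ /no Red Hat FIPS/`), with no condition on which provider is under test, so as far as these hunks show the renamed 3-recipient enveloped-content test is skipped in default-provider runs as well. The `80-test_ssl_old.t` change in this same patch gates its skip on `$provider eq "fips"`; the same kind of guard here would keep the coverage for the default provider. Encoding the skip as a substring of the human-readable title is also fragile, since a later edit to the title silently re-enables the test. `check_availability` starts outside the hunk, so whether a provider variable is in scope there cannot be confirmed from this page.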
@@ -248,12 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974 Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef # RSA decrypt - +Availablein = default Decrypt = RSA-2048 Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 Output = "Hello World" # Corrupted ciphertext +Availablein = default Decrypt = RSA-2048 Input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utput = "Hello World" diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_ssl_old.t --- openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad 2022-05-02 17:26:37.962838053 +0200 +++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-02 17:34:20.297950449 +0200 
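Review bot: Marking the two PKCS#1 v1.5 decrypt vectors `Availablein = default` removes them from FIPS runs, but none of the visible hunks adds a FIPS-only case that expects the decrypt to fail, so the new rejection in `rsa_decrypt()` has no regression test. A companion stanza with `Availablein = fips`, the same `Decrypt = RSA-2048` input and an expected error result would pin the behaviour. Part of this hunk is missing from the page, so the second stanza cannot be checked in full.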
@@ -483,6 +483,18 @@ sub testssl { # the default choice if TLSv1.3 enabled my $flag = $protocol eq "-tls1_3" ? "" : $protocol; my $ciphersuites = ""; + my %redhat_skip_cipher = map {$_ => 1} qw( +AES256-GCM-SHA384:@SECLEVEL=0 +AES256-CCM8:@SECLEVEL=0 +AES256-CCM:@SECLEVEL=0 +AES128-GCM-SHA256:@SECLEVEL=0 +AES128-CCM8:@SECLEVEL=0 +AES128-CCM:@SECLEVEL=0 +AES256-SHA256:@SECLEVEL=0 +AES128-SHA256:@SECLEVEL=0 +AES256-SHA:@SECLEVEL=0 +AES128-SHA:@SECLEVEL=0 + ); foreach my $cipher (@{$ciphersuites{$protocol}}) { if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { note "*****SKIPPING $protocol $cipher"; @@ -494,11 +506,16 @@ sub testssl { } else { $cipher = $cipher.':@SECLEVEL=0'; } - ok(run(test([@ssltest, @exkeys, "-cipher", - $cipher, - "-ciphersuites", $ciphersuites, - $flag || ()])), - "Testing $cipher"); + if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) { + note "*****SKIPPING $cipher in Red Hat FIPS mode"; + ok(1); + } else { + ok(run(test([@ssltest, @exkeys, "-cipher", + $cipher, + "-ciphersuites", $ciphersuites, + $flag || ()])), + "Testing $cipher"); + } } } next if $protocol eq "-tls1_3";
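Review bot: In the new skip branch, `ok(1);` records an unnamed passing test, so the TAP output counts the ten listed suites as tested in FIPS runs; `ok(1, "Skipping $cipher in Red Hat FIPS mode");` or a Test::More `SKIP:` block would make the result self-describing. The keys of `%redhat_skip_cipher` also hard-code the `:@SECLEVEL=0` suffix that the loop appends just before the lookup, so the match holds only while that suffix string stays exactly as it is. Keying the hash on the bare suite name and testing before the suffix is appended would remove the coupling. `testssl` starts and ends outside the hunks.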