From 6a450be963275556d0b3371487810ffd39392e5f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Jan 16 2015 15:16:14 +0000 Subject: test in the non-FIPS RSA keygen for minimal distance of p and q similarly to the FIPS RSA keygen --- diff --git a/openssl-1.0.1e-cc-reqs.patch b/openssl-1.0.1e-cc-reqs.patch new file mode 100644 index 0000000..e266bb1 --- /dev/null +++ b/openssl-1.0.1e-cc-reqs.patch @@ -0,0 +1,25 @@ +diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.1e/crypto/rsa/rsa_gen.c +--- openssl-1.0.1e/crypto/rsa/rsa_gen.c.cc-reqs 2015-01-13 12:45:51.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2015-01-15 17:35:04.649697922 +0100 +@@ -438,6 +438,10 @@ static int rsa_builtin_keygen(RSA *rsa, + if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err; + if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err; + ++ /* prepare minimum p and q difference */ ++ if (!BN_one(r3)) goto err; ++ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100)) goto err; ++ + BN_copy(rsa->e, e_value); + + /* generate p and q */ +@@ -463,7 +467,9 @@ static int rsa_builtin_keygen(RSA *rsa, + { + if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) + goto err; +- } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); ++ if (!BN_sub(r2, rsa->q, rsa->p)) ++ goto err; ++ } while((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3)); + if(degenerate == 3) + { + ok = 0; /* we set our own err */ diff --git a/openssl.spec b/openssl.spec index bac101b..e33bfa8 100644 --- a/openssl.spec +++ b/openssl.spec @@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1k -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -88,7 +88,8 @@ Patch80: openssl-1.0.1j-evp-wrap.patch Patch81: openssl-1.0.1k-padlock64.patch Patch84: openssl-1.0.1k-trusted-first.patch Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch -Patch89: openssl-1.0.1k-ephemeral-key-size.patch +Patch86: openssl-1.0.1k-ephemeral-key-size.patch +Patch87: openssl-1.0.1e-cc-reqs.patch License: OpenSSL Group: System Environment/Libraries @@ -210,7 +211,8 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch81 -p1 -b .padlock64 %patch84 -p1 -b .trusted-first %patch85 -p1 -b .armcap -%patch89 -p1 -b .ephemeral +%patch86 -p1 -b .ephemeral +%patch87 -p1 -b .cc-reqs sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -478,6 +480,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Thu Jan 15 2015 Tomáš Mráz 1.0.1k-2 +- test in the non-FIPS RSA keygen for minimal distance of p and q + similarly to the FIPS RSA keygen + * Fri Jan 9 2015 Tomáš Mráz 1.0.1k-1 - new upstream release fixing multiple security issues