File openssl-1_1-ossl-sli-014-PKCSv1.5-and-shake.patch of Package openssl-1_1.37526
From 1aac9c104a4dc21680e28d8f6cc0bd000349e5e9 Mon Sep 17 00:00:00 2001
From: Christopher Dickerman <chrisd@atsec.com>
Date: Fri, 2 Aug 2024 09:45:55 -0500
Subject: [PATCH] 1224271 PKCSv1.5 and shake
---
crypto/rsa/rsa_sign.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 6b1c8d2..1aa4250 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -79,6 +79,10 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
return 0;
}
+ if (FIPS_mode() && (type == NID_shake128 || type == NID_shake256)) {
+ RSAerr(RSA_F_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return 0;
+ }
#endif
if (rsa->meth->rsa_sign) {
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
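Review bot: The new FIPS gate in RSA_sign is a two-entry denylist (`NID_shake128`, `NID_shake256`) with no comment explaining why exactly these digests are refused. A reader therefore cannot tell whether other non-approved digest NIDs are rejected elsewhere or simply not covered. I would add a comment above the `if`, for example `/* FIPS mode: SHAKE (an XOF) must not be used as the digest for PKCS#1 v1.5 signatures */`. The identical condition is repeated in RSA_verify in the second hunk, so a small `static` helper shared by both would keep the two gates from drifting if the list ever grows. The body of RSA_sign starts and continues outside this hunk, so any earlier return paths are not visible here.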
@@ -247,6 +251,12 @@ err:
int RSA_verify(int type, const unsigned char *m, unsigned int m_len,
const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (type == NID_shake128 || type == NID_shake256)) {
+ RSAerr(RSA_F_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return 0;
+ }
+#endif
if (rsa->meth->rsa_verify) {
return rsa->meth->rsa_verify(type, m, m_len, sigbuf, siglen, rsa);
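Review bot: The SHAKE rejection is placed only in the public RSA_verify wrapper, so it covers only callers that enter through this function. Any in-tree path that calls the internal verify routine directly would skip the check; that routine appears to be the function ending at `err:` just above the hunk, and it is not shown here, so this needs confirming. If such callers exist, the check belongs in that internal routine, or a FIPS-mode regression test should show that every verify path returns `RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE` for both NIDs. Separately, RSA_sign has a `RSA_R_NON_FIPS_RSA_METHOD` check before dispatching to `rsa->meth`, but no equivalent is visible before `rsa->meth->rsa_verify` here. It is worth stating in a comment whether that asymmetry is intended.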
--
2.39.3 (Apple Git-146)