From afb638f137958205b6b089da8967f4775b4c9bb6 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 17 Jan 2020 14:47:18 +0000
Subject: Make the RSA ASYM_CIPHER implementation available inside the FIPS
 module

RSA ASYM_CIPHER was already available within the default provider. We
now make it also available from inside the FIPS module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10881)
---
 crypto/rsa/rsa_pk1.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'crypto/rsa/rsa_pk1.c')

diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index 007e9b8cd5..eedc558e3f 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -251,8 +251,15 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
     }
 
     OPENSSL_clear_free(em, num);
+#ifndef FIPS_MODE
+    /*
+     * This trick doesn't work in the FIPS provider because libcrypto manages
+     * the error stack. Instead we opt not to put an error on the stack at all
+     * in case of padding failure in the FIPS provider.
+     */
     RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR);
     err_clear_last_constant_time(1 & good);
+#endif
 
     return constant_time_select_int(good, mlen, -1);
 }
-- 
cgit v1.2.3