]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8736de5)
Enable RSA-SM3 in the default provider
authorRichard Levitte <levitte@openssl.org>
Mon, 19 Aug 2024 06:38:56 +0000 (08:38 +0200)
committerRichard Levitte <levitte@openssl.org>
Wed, 21 Aug 2024 06:21:06 +0000 (08:21 +0200)
It turns out that we didn't allow the combination RSA + SM3 anywhere.

This is perfectly reasonable in the FIPS module, but less so in the default
provider.  This change enables it in the default provider, and adds a simple
evp_test stanza for the RSA-SM3 signature scheme.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23416)

crypto/rsa/rsa_sign.c patch | blob | blame | history
providers/common/securitycheck_default.c patch | blob | blame | history
test/evp_test.c patch | blob | blame | history
test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt patch | blob | blame | history

diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index b14b134080684ae106bb0a082936ca3767ee9d10..884846e81498df0c4b262f22b0d16eb6b6ab2b05 100644 (file)
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -34,6 +34,9 @@
 # ifndef OPENSSL_NO_RMD160
 #  include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */
 # endif
+# ifndef OPENSSL_NO_SM3
+#  include "internal/sm3.h" /* uses SM3_DIGEST_LENGTH */
+# endif
 #endif
 #include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */
 #include "crypto/rsa.h"
@@ -123,6 +126,16 @@ static const unsigned char digestinfo_ripemd160_der[] = {
       ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH
 };
 # endif
+# ifndef OPENSSL_NO_SM3
+/* SM3 (1 2 156 10197 1 401) */
+static const unsigned char digestinfo_sm3_der[] = {
+    ASN1_SEQUENCE, 0x0f + SM3_DIGEST_LENGTH,
+      ASN1_SEQUENCE, 0x0c,
+        ASN1_OID, 0x08, 1 * 40 + 2, 0x81, 0x1c, 0xcf, 0x55, 1, 0x83, 0x78,
+        ASN1_NULL, 0x00,
+      ASN1_OCTET_STRING, SM3_DIGEST_LENGTH
+};
+# endif
 #endif /* FIPS_MODULE */
 
 /* SHA-1 (1 3 14 3 2 26) */
@@ -169,6 +182,9 @@ const unsigned char *ossl_rsa_digestinfo_encoding(int md_nid, size_t *len)
 # ifndef OPENSSL_NO_RMD160
     MD_CASE(ripemd160)
 # endif
+# ifndef OPENSSL_NO_SM3
+    MD_CASE(sm3)
+# endif
 #endif /* FIPS_MODULE */
     MD_CASE(sha1)
     MD_CASE(sha224)
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index b9c1bda674a3872bbd448cc9d098aca57d14f7e2..19916a46ca5fa315435b2c4fe7c53efdb973e9cc 100644 (file)
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -33,6 +33,7 @@ int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)
         { NID_md4,       OSSL_DIGEST_NAME_MD4       },
         { NID_mdc2,      OSSL_DIGEST_NAME_MDC2      },
         { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
+        { NID_sm3,       OSSL_DIGEST_NAME_SM3 },
     };
 
     mdnid = ossl_digest_get_approved_nid(md);
diff --git a/test/evp_test.c b/test/evp_test.c
index 3e445dcf9bb1a065fc9436a932dcba5f0e8c868e..47894388465955dd1346187c649d03a90209a592 100644 (file)
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -5200,6 +5200,10 @@ static int is_pkey_disabled(const char *name)
 #ifdef OPENSSL_NO_RMD160
     if (HAS_CASE_SUFFIX(name, "-RIPEMD160"))
         return 1;
+#endif
+#ifdef OPENSSL_NO_SM3
+    if (HAS_CASE_SUFFIX(name, "-SM3"))
+        return 1;
 #endif
     return 0;
 }
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt
index f510f04a1f1f7f870656e069c9659c04b897dcd9..cbb3e7871459725837b913129de29bb6b6dc5701 100644 (file)
--- a/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt
@@ -182,3 +182,8 @@ Availablein = default
 Sign-Message = RSA-RIPEMD160:RSA-2048
 Input = "Hello World"
 Output = 6a7fc08e9999fc9d50cda476e973a01a06efeb52eece1c78cb1422950476cbff67408c6f5c0a5749a70d3b505d9b6ad84f6854cb290fab18b28c13233030964ce81e3cf4f34bd606322e44534c335994c9761ae989936fd33be4c53e43cc54f027e4d3eb48563be6242ffcb831d4382e5b3f155c345e6f4367ae40d92cb70376942f45ce9fde97eb282ff3767b7972821381e1c3443b0e595bc968c16119dbdeef9f91d9f15f61feb0a0a25c66c2e72513a853d6cc797e83c8719d82ed951ccce06292f07696c7f97a52a7048bd4c70c5a70dbab0470be3b75af0f28dd39535bb8fee899cb69d3b6970cc59c773c0c15122931b6904d3c5c98011650bb8283d6
+
+Availablein = default
+Sign-Message = RSA-SM3:RSA-2048
+Input = "Hello World"
+Output = 92657e22036214c343d8e95d129c0c47430d5a1ae452371a7847a963f533f96e018aa6658958e6a584cf0d380aa9435175cf2de3dfa60100aca893b76aa6d8f0cc9154ee982cb5ea8f19153fe8a9c801aa2da8bb4451c7ec6fd836e81ecdacf022b68294db068efa47decf3a7c548ea7088a16433029b8733b9573053b7e7122ea10b662726fc97bd149c663617434a9707b672b024f95865d91077edfb79c8ed4c8528032204c46c984a6c82b17794cbf9c4dfe4c1af1d59535f7755540ff36d6a2b55accbf046896c4aae9287a33f38c2a269a02abdac46c17b1b55ee89cc9eb3011a84916596f982c5375dd2110633be6dc43532919466d83bd0f3e406978
Mirror of https://github.com/openssl/openssl.git