From: Pauli <ppzgs1@gmail.com>
Date: Wed, 29 Jan 2025 00:31:33 +0000 (+1100)
Subject: rsa (fips): add PCT for key import
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a1924a867248757440c3d9f82c3307debf18400;p=thirdparty%2Fopenssl.git

rsa (fips): add PCT for key import

FIPS 140-3 IG 10.3.A additional comment 1 mandates a PCT on key import.

Fixes #26572

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28122)

(cherry picked from commit 57230da2bd0be6b219cec2995832034b1e09e0e9)
---

diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 77d09500942..380c1c087b4 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -25,6 +25,7 @@
 #include "prov/provider_ctx.h"
 #include "crypto/rsa.h"
 #include "crypto/cryptlib.h"
+#include "internal/fips.h"
 #include "internal/param_build_set.h"
 
 static OSSL_FUNC_keymgmt_new_fn rsa_newdata;
@@ -196,6 +197,23 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
         ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
     }
 
+#ifdef FIPS_MODULE
+    if (ok > 0 && !ossl_fips_self_testing()) {
+        const BIGNUM *n, *e, *d, *dp, *dq, *iq, *p, *q;
+
+        RSA_get0_key(rsa, &n, &e, &d);
+        RSA_get0_crt_params(rsa, &dp, &dq, &iq);
+        p = RSA_get0_p(rsa);
+        q = RSA_get0_q(rsa);
+
+        /* Check for the public key */
+        if (n != NULL && e != NULL)
+            /* Check for private key in straightforward or CRT form */
+            if (d != NULL || (p != NULL && q != NULL && dp != NULL
+                              && dq != NULL && iq != NULL))
+                ok = ossl_rsa_key_pairwise_test(rsa);
+    }
+#endif  /* FIPS_MODULE */
     return ok;
 }