From: Pauli <ppzgs1@gmail.com>
Date: Mon, 19 Aug 2024 00:40:24 +0000 (+1000)
Subject: rsa: add verify_message param support
X-Git-Tag: openssl-3.4.0-alpha1~63
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5c8000c0afb3643302db79a6d056e450b73430b;p=thirdparty%2Fopenssl.git

rsa: add verify_message param support

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25211)
---

diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index b7f6a011857..f3764ab809e 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -143,6 +143,15 @@ typedef struct {
     unsigned char *sig;
     size_t siglen;
 
+#ifdef FIPS_MODULE
+    /*
+     * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a
+     * message is not permitted.  However, signing based on a digest is still
+     * permitted.
+     */
+    int verify_message;
+#endif
+
     /* Temp buffer */
     unsigned char *tbuf;
 
@@ -234,6 +243,9 @@ static void *rsa_newctx(void *provctx, const char *propq)
     OSSL_FIPS_IND_INIT(prsactx)
     prsactx->libctx = PROV_LIBCTX_OF(provctx);
     prsactx->flag_allow_md = 1;
+#ifdef FIPS_MODULE
+    prsactx->verify_message = 1;
+#endif
     prsactx->propq = propq_copy;
     /* Maximum up to digest length for sign, auto for verify */
     prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
@@ -489,12 +501,11 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
 }
 
 static int
-rsa_signverify_init(void *vprsactx, void *vrsa,
+rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa,
                     OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
                     const OSSL_PARAM params[], int operation,
                     const char *desc)
 {
-    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
     int protect;
 
     if (!ossl_prov_is_running() || prsactx == NULL)
@@ -647,9 +658,14 @@ static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname,
 
 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
 {
-    if (!ossl_prov_is_running())
-        return 0;
-    return rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
+    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+
+#ifdef FIPS_MODULE
+    if (prsactx != NULL)
+        prsactx->verify_message = 1;
+#endif
+
+    return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                                EVP_PKEY_OP_SIGN, "RSA Sign Init");
 }
 
@@ -658,10 +674,10 @@ static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
  * signing and signing the digest of a message, i.e. should be used with
  * implementations of the keytype related algorithms.
  */
-static int rsa_sign_directly(void *vprsactx, unsigned char *sig, size_t *siglen,
-                             size_t sigsize, const unsigned char *tbs, size_t tbslen)
+static int rsa_sign_directly(PROV_RSA_CTX *prsactx,
+                             unsigned char *sig, size_t *siglen, size_t sigsize,
+                             const unsigned char *tbs, size_t tbslen)
 {
-    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
     int ret;
     size_t rsasize = RSA_size(prsactx->rsa);
     size_t mdsize = rsa_get_md_size(prsactx);
@@ -863,7 +879,7 @@ static int rsa_sign_message_final(void *vprsactx, unsigned char *sig,
         prsactx->flag_allow_final = 0;
     }
 
-    return rsa_sign_directly(vprsactx, sig, siglen, sigsize, digest, dlen);
+    return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen);
 }
 
 /*
@@ -899,9 +915,14 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
 static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
                                    const OSSL_PARAM params[])
 {
-    if (!ossl_prov_is_running())
-        return 0;
-    return rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
+    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+
+#ifdef FIPS_MODULE
+    if (prsactx != NULL)
+        prsactx->verify_message = 0;
+#endif
+
+    return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                                EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init");
 }
 
@@ -994,17 +1015,21 @@ static int rsa_verify_recover(void *vprsactx,
 static int rsa_verify_init(void *vprsactx, void *vrsa,
                            const OSSL_PARAM params[])
 {
-    if (!ossl_prov_is_running())
-        return 0;
-    return rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
+    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+
+#ifdef FIPS_MODULE
+    if (prsactx != NULL)
+        prsactx->verify_message = 0;
+#endif
+
+    return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                                EVP_PKEY_OP_VERIFY, "RSA Verify Init");
 }
 
-static int rsa_verify_directly(void *vprsactx,
+static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
                                const unsigned char *sig, size_t siglen,
                                const unsigned char *tbs, size_t tbslen)
 {
-    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
     size_t rslen;
 
     if (!ossl_prov_is_running())
@@ -1130,7 +1155,7 @@ static int rsa_verify_message_final(void *vprsactx)
     prsactx->flag_allow_final = 0;
     prsactx->flag_allow_oneshot = 0;
 
-    return rsa_verify_directly(vprsactx, prsactx->sig, prsactx->siglen,
+    return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen,
                                digest, dlen);
 }
 
@@ -1166,10 +1191,12 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
 {
     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 
-    if (!ossl_prov_is_running())
-        return 0;
+#ifdef FIPS_MODULE
+    if (prsactx != NULL)
+        prsactx->verify_message = 1;
+#endif
 
-    if (!rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
+    if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                              operation, desc))
         return 0;
 
@@ -1219,7 +1246,7 @@ static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data,
     if (prsactx->flag_sigalg)
         return 0;
 
-    return rsa_signverify_message_update(vprsactx, data, datalen);
+    return rsa_signverify_message_update(prsactx, data, datalen);
 }
 
 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
@@ -1263,7 +1290,7 @@ static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data,
     if (prsactx->flag_sigalg)
         return 0;
 
-    return rsa_signverify_message_update(vprsactx, data, datalen);
+    return rsa_signverify_message_update(prsactx, data, datalen);
 }
 
 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
@@ -1453,6 +1480,13 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
                 return 0;
         }
     }
+
+#ifdef FIPS_MODULE
+    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);
+    if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message))
+        return 0;
+#endif
+
     if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params))
         return 0;
     return 1;
@@ -1464,6 +1498,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
+#ifdef FIPS_MODULE
+    OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),
+#endif
     OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
     OSSL_PARAM_END
 };
@@ -1891,7 +1928,7 @@ static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa,
     if (!ossl_prov_is_running())
         return 0;
 
-    if (!rsa_signverify_init(vprsactx, vrsa, set_ctx_params, params, operation,
+    if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation,
                              desc))
         return 0;