From 2d759937e2ee78c27c83f1433f79b33256ab1a39 Mon Sep 17 00:00:00 2001 From: Pauli Date: Tue, 30 Jul 2024 14:11:49 +1000 Subject: [PATCH] EdDSA: disallow verification from a pregenerated hash when in FIPS Also includes an indicator and the capability to bypass via configuration or params. Fixes #24937 Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/25032) --- .../implementations/signature/eddsa_sig.c | 56 ++++++++++++++----- 1 file changed, 42 insertions(+), 14 deletions(-) diff --git a/providers/implementations/signature/eddsa_sig.c b/providers/implementations/signature/eddsa_sig.c index 8594af39e14..9966e96e155 100644 --- a/providers/implementations/signature/eddsa_sig.c +++ b/providers/implementations/signature/eddsa_sig.c @@ -16,6 +16,8 @@ #include #include "internal/nelem.h" #include "internal/sizes.h" +#include "prov/fipscommon.h" +#include "prov/fipsindicator.h" #include "prov/providercommon.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" @@ -142,6 +144,7 @@ typedef struct { unsigned char context_string[EDDSA_MAX_CONTEXT_STRING_LEN]; size_t context_string_len; + OSSL_FIPS_IND_DECLARE } PROV_EDDSA_CTX; static void *eddsa_newctx(void *provctx, const char *propq_unused) @@ -156,6 +159,7 @@ static void *eddsa_newctx(void *provctx, const char *propq_unused) return NULL; peddsactx->libctx = PROV_LIBCTX_OF(provctx); + OSSL_FIPS_IND_INIT(peddsactx) return peddsactx; } @@ -189,6 +193,7 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, return 0; } + OSSL_FIPS_IND_SET_APPROVED(peddsactx) peddsactx->dom2_flag = 0; peddsactx->prehash_flag = 0; peddsactx->context_string_flag = 0; @@ -232,9 +237,9 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, return 1; } -int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret, - size_t *siglen, size_t sigsize, - const unsigned char *tbs, size_t tbslen) +static int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret, + size_t *siglen, size_t sigsize, + const unsigned char *tbs, size_t tbslen) { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; @@ -318,9 +323,9 @@ static int ed448_shake256(OSSL_LIB_CTX *libctx, return ret; } -int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret, - size_t *siglen, size_t sigsize, - const unsigned char *tbs, size_t tbslen) +static int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret, + size_t *siglen, size_t sigsize, + const unsigned char *tbs, size_t tbslen) { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; @@ -375,16 +380,29 @@ int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret, return 1; } -int ed25519_digest_verify(void *vpeddsactx, const unsigned char *sig, - size_t siglen, const unsigned char *tbs, - size_t tbslen) +static int fips_check_verify(PROV_EDDSA_CTX *ctx) +{ +#ifdef FIPS_MODULE + if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, + ctx->libctx, "Verify", "EdDSA", + FIPS_eddsa_no_verify_digested)) + return 0; +#endif /* FIPS_MODULE */ + return 1; +} + +static int ed25519_digest_verify(void *vpeddsactx, const unsigned char *sig, + size_t siglen, const unsigned char *tbs, + size_t tbslen) { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; uint8_t md[EVP_MAX_MD_SIZE]; size_t mdlen; - if (!ossl_prov_is_running() || siglen != ED25519_SIGSIZE) + if (!ossl_prov_is_running() + || siglen != ED25519_SIGSIZE + || !fips_check_verify(peddsactx)) return 0; #ifdef S390X_EC_ASM @@ -412,16 +430,18 @@ int ed25519_digest_verify(void *vpeddsactx, const unsigned char *sig, peddsactx->libctx, edkey->propq); } -int ed448_digest_verify(void *vpeddsactx, const unsigned char *sig, - size_t siglen, const unsigned char *tbs, - size_t tbslen) +static int ed448_digest_verify(void *vpeddsactx, const unsigned char *sig, + size_t siglen, const unsigned char *tbs, + size_t tbslen) { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; uint8_t md[EDDSA_PREHASH_OUTPUT_LEN]; size_t mdlen = sizeof(md); - if (!ossl_prov_is_running() || siglen != ED448_SIGSIZE) + if (!ossl_prov_is_running() + || siglen != ED448_SIGSIZE + || !fips_check_verify(peddsactx)) return 0; #ifdef S390X_EC_ASM @@ -495,6 +515,8 @@ static int eddsa_get_ctx_params(void *vpeddsactx, OSSL_PARAM *params) peddsactx->aid_len)) return 0; + if (!OSSL_FIPS_IND_GET_CTX_PARAM(peddsactx, params)) + return 0; return 1; } @@ -502,6 +524,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0), OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0), + OSSL_FIPS_IND_GETTABLE_CTX_PARAM() OSSL_PARAM_END }; @@ -521,6 +544,10 @@ static int eddsa_set_ctx_params(void *vpeddsactx, const OSSL_PARAM params[]) if (params == NULL) return 1; + if (!OSSL_FIPS_IND_SET_CTX_PARAM(peddsactx, OSSL_FIPS_IND_SETTABLE0, params, + OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_INSTANCE); if (p != NULL) { char instance_name[OSSL_MAX_NAME_SIZE] = ""; @@ -580,6 +607,7 @@ static int eddsa_set_ctx_params(void *vpeddsactx, const OSSL_PARAM params[]) static const OSSL_PARAM settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0), OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0), + OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED) OSSL_PARAM_END }; -- 2.47.2