rsa: add verify_message param support

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/25211)
2025-02-17 14:32:04 +08:00 · 2024-08-19 10:40:24 +10:00 · 2024-08-19 10:40:24 +10:00 · f5c8000c0a
commit f5c8000c0a
parent b80e2ddb66
1 changed files with 61 additions and 24 deletions
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@ -143,6 +143,15 @@ typedef struct {
    unsigned char *sig;
    size_t siglen;

+#ifdef FIPS_MODULE
+    /*
+     * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a
+     * message is not permitted.  However, signing based on a digest is still
+     * permitted.
+     */
+    int verify_message;
+#endif
+
    /* Temp buffer */
    unsigned char *tbuf;

@ -234,6 +243,9 @@ static void *rsa_newctx(void *provctx, const char *propq)
    OSSL_FIPS_IND_INIT(prsactx)
    prsactx->libctx = PROV_LIBCTX_OF(provctx);
    prsactx->flag_allow_md = 1;
+#ifdef FIPS_MODULE
+    prsactx->verify_message = 1;
+#endif
    prsactx->propq = propq_copy;
    /* Maximum up to digest length for sign, auto for verify */
    prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
@ -489,12 +501,11 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
 }

 static int
-rsa_signverify_init(void *vprsactx, void *vrsa,
+rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa,
                    OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
                    const OSSL_PARAM params[], int operation,
                    const char *desc)
 {
-    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    int protect;

    if (!ossl_prov_is_running() || prsactx == NULL)
@ -647,9 +658,14 @@ static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname,

 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
 {
-    if (!ossl_prov_is_running())
-        return 0;
-    return rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
+    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+
+#ifdef FIPS_MODULE
+    if (prsactx != NULL)
+        prsactx->verify_message = 1;
+#endif
+
+    return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                               EVP_PKEY_OP_SIGN, "RSA Sign Init");
 }

@ -658,10 +674,10 @@ static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
 * signing and signing the digest of a message, i.e. should be used with
 * implementations of the keytype related algorithms.
 */
-static int rsa_sign_directly(void *vprsactx, unsigned char *sig, size_t *siglen,
-                             size_t sigsize, const unsigned char *tbs, size_t tbslen)
+static int rsa_sign_directly(PROV_RSA_CTX *prsactx,
+                             unsigned char *sig, size_t *siglen, size_t sigsize,
+                             const unsigned char *tbs, size_t tbslen)
 {
-    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    int ret;
    size_t rsasize = RSA_size(prsactx->rsa);
    size_t mdsize = rsa_get_md_size(prsactx);
@ -863,7 +879,7 @@ static int rsa_sign_message_final(void *vprsactx, unsigned char *sig,
        prsactx->flag_allow_final = 0;
    }

-    return rsa_sign_directly(vprsactx, sig, siglen, sigsize, digest, dlen);
+    return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen);
 }

 /*
@ -899,9 +915,14 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
 static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
                                   const OSSL_PARAM params[])
 {
-    if (!ossl_prov_is_running())
-        return 0;
-    return rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
+    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+
+#ifdef FIPS_MODULE
+    if (prsactx != NULL)
+        prsactx->verify_message = 0;
+#endif
+
+    return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                               EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init");
 }

@ -994,17 +1015,21 @@ static int rsa_verify_recover(void *vprsactx,
 static int rsa_verify_init(void *vprsactx, void *vrsa,
                           const OSSL_PARAM params[])
 {
-    if (!ossl_prov_is_running())
-        return 0;
-    return rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
+    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+
+#ifdef FIPS_MODULE
+    if (prsactx != NULL)
+        prsactx->verify_message = 0;
+#endif
+
+    return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                               EVP_PKEY_OP_VERIFY, "RSA Verify Init");
 }

-static int rsa_verify_directly(void *vprsactx,
+static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
                               const unsigned char *sig, size_t siglen,
                               const unsigned char *tbs, size_t tbslen)
 {
-    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    size_t rslen;

    if (!ossl_prov_is_running())
@ -1130,7 +1155,7 @@ static int rsa_verify_message_final(void *vprsactx)
    prsactx->flag_allow_final = 0;
    prsactx->flag_allow_oneshot = 0;

-    return rsa_verify_directly(vprsactx, prsactx->sig, prsactx->siglen,
+    return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen,
                               digest, dlen);
 }

@ -1166,10 +1191,12 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
 {
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

-    if (!ossl_prov_is_running())
-        return 0;
+#ifdef FIPS_MODULE
+    if (prsactx != NULL)
+        prsactx->verify_message = 1;
+#endif

-    if (!rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
+    if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                             operation, desc))
        return 0;

@ -1219,7 +1246,7 @@ static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data,
    if (prsactx->flag_sigalg)
        return 0;

-    return rsa_signverify_message_update(vprsactx, data, datalen);
+    return rsa_signverify_message_update(prsactx, data, datalen);
 }

 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
@ -1263,7 +1290,7 @@ static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data,
    if (prsactx->flag_sigalg)
        return 0;

-    return rsa_signverify_message_update(vprsactx, data, datalen);
+    return rsa_signverify_message_update(prsactx, data, datalen);
 }

 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
@ -1453,6 +1480,13 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
                return 0;
        }
    }
+
+#ifdef FIPS_MODULE
+    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);
+    if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message))
+        return 0;
+#endif
+
    if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params))
        return 0;
    return 1;
@ -1464,6 +1498,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
+#ifdef FIPS_MODULE
+    OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),
+#endif
    OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
    OSSL_PARAM_END
 };
@ -1891,7 +1928,7 @@ static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa,
    if (!ossl_prov_is_running())
        return 0;

-    if (!rsa_signverify_init(vprsactx, vrsa, set_ctx_params, params, operation,
+    if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation,
                             desc))
        return 0;