285 lines
10 KiB
Diff
285 lines
10 KiB
Diff
diff -rupN --no-dereference openssl-3.0.9/crypto/evp/m_sigver.c openssl-3.0.9-new/crypto/evp/m_sigver.c
|
|
--- openssl-3.0.9/crypto/evp/m_sigver.c 2023-05-31 14:33:15.778113438 +0200
|
|
+++ openssl-3.0.9-new/crypto/evp/m_sigver.c 2023-05-31 14:33:17.990112478 +0200
|
|
@@ -98,6 +98,7 @@ static int update(EVP_MD_CTX *ctx, const
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
|
|
return 0;
|
|
}
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
/*
|
|
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
|
|
@@ -140,8 +141,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
|
|
reinit = 0;
|
|
if (e == NULL)
|
|
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
|
|
+#ifndef FIPS_MODULE
|
|
else
|
|
ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
}
|
|
if (ctx->pctx == NULL)
|
|
return 0;
|
|
@@ -149,8 +152,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
|
|
locpctx = ctx->pctx;
|
|
ERR_set_mark();
|
|
|
|
+#ifndef FIPS_MODULE
|
|
if (evp_pkey_ctx_is_legacy(locpctx))
|
|
goto legacy;
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
/* do not reinitialize if pkey is set or operation is different */
|
|
if (reinit
|
|
@@ -235,8 +240,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
|
|
signature =
|
|
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
|
|
supported_sig, locpctx->propquery);
|
|
+#ifndef FIPS_MODULE
|
|
if (signature == NULL)
|
|
goto legacy;
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
break;
|
|
}
|
|
if (signature == NULL)
|
|
@@ -320,6 +327,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
|
|
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
|
|
if (ctx->fetched_digest != NULL) {
|
|
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
|
|
+#ifndef FIPS_MODULE
|
|
} else {
|
|
/* legacy engine support : remove the mark when this is deleted */
|
|
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
|
|
@@ -328,11 +336,13 @@ static int do_sigver_init(EVP_MD_CTX *ct
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
|
goto err;
|
|
}
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
}
|
|
(void)ERR_pop_to_mark();
|
|
}
|
|
}
|
|
|
|
+#ifndef FIPS_MODULE
|
|
if (ctx->reqdigest != NULL
|
|
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
|
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
|
@@ -347,6 +357,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
|
|
}
|
|
}
|
|
}
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
if (ver) {
|
|
if (signature->digest_verify_init == NULL) {
|
|
@@ -379,6 +390,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
|
|
EVP_KEYMGMT_free(tmp_keymgmt);
|
|
return 0;
|
|
|
|
+#ifndef FIPS_MODULE
|
|
legacy:
|
|
/*
|
|
* If we don't have the full support we need with provided methods,
|
|
@@ -450,6 +462,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
|
|
ctx->pctx->flag_call_digest_custom = 1;
|
|
|
|
ret = 1;
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
end:
|
|
#ifndef FIPS_MODULE
|
|
@@ -492,7 +505,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx
|
|
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
|
|
NULL);
|
|
}
|
|
-#endif /* FIPS_MDOE */
|
|
|
|
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
|
{
|
|
@@ -554,23 +566,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c
|
|
return EVP_DigestUpdate(ctx, data, dsize);
|
|
}
|
|
|
|
-#ifndef FIPS_MODULE
|
|
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
|
size_t *siglen)
|
|
{
|
|
- int sctx = 0, r = 0;
|
|
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
|
|
+ int r = 0;
|
|
+#ifndef FIPS_MODULE
|
|
+ int sctx = 0;
|
|
+ EVP_PKEY_CTX *dctx;
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
|
|
|
+#ifndef FIPS_MODULE
|
|
if (pctx == NULL
|
|
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
|
|
|| pctx->op.sig.algctx == NULL
|
|
|| pctx->op.sig.signature == NULL)
|
|
goto legacy;
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
|
|
return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
|
|
sigret, siglen,
|
|
sigret == NULL ? 0 : *siglen);
|
|
+#ifndef FIPS_MODULE
|
|
dctx = EVP_PKEY_CTX_dup(pctx);
|
|
if (dctx == NULL)
|
|
return 0;
|
|
@@ -579,8 +597,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
|
|
sigret, siglen,
|
|
*siglen);
|
|
EVP_PKEY_CTX_free(dctx);
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
return r;
|
|
|
|
+#ifndef FIPS_MODULE
|
|
legacy:
|
|
if (pctx == NULL || pctx->pmeth == NULL) {
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
|
@@ -652,6 +672,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
|
|
}
|
|
}
|
|
return 1;
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
}
|
|
|
|
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
|
@@ -682,21 +703,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi
|
|
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
|
size_t siglen)
|
|
{
|
|
- unsigned char md[EVP_MAX_MD_SIZE];
|
|
int r = 0;
|
|
+#ifndef FIPS_MODULE
|
|
+ unsigned char md[EVP_MAX_MD_SIZE];
|
|
unsigned int mdlen = 0;
|
|
int vctx = 0;
|
|
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
|
|
+ EVP_PKEY_CTX *dctx;
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
|
|
|
+#ifndef FIPS_MODULE
|
|
if (pctx == NULL
|
|
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
|
|
|| pctx->op.sig.algctx == NULL
|
|
|| pctx->op.sig.signature == NULL)
|
|
goto legacy;
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
|
|
return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
|
|
sig, siglen);
|
|
+#ifndef FIPS_MODULE
|
|
dctx = EVP_PKEY_CTX_dup(pctx);
|
|
if (dctx == NULL)
|
|
return 0;
|
|
@@ -704,8 +731,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
|
|
r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx,
|
|
sig, siglen);
|
|
EVP_PKEY_CTX_free(dctx);
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
return r;
|
|
|
|
+#ifndef FIPS_MODULE
|
|
legacy:
|
|
if (pctx == NULL || pctx->pmeth == NULL) {
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
|
@@ -745,6 +774,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
|
|
if (vctx || !r)
|
|
return r;
|
|
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
}
|
|
|
|
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
|
@@ -770,4 +800,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co
|
|
return -1;
|
|
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
|
|
}
|
|
-#endif /* FIPS_MODULE */
|
|
diff -rupN --no-dereference openssl-3.0.9/providers/fips/self_test_kats.c openssl-3.0.9-new/providers/fips/self_test_kats.c
|
|
--- openssl-3.0.9/providers/fips/self_test_kats.c 2023-05-31 14:33:17.985112480 +0200
|
|
+++ openssl-3.0.9-new/providers/fips/self_test_kats.c 2023-05-31 14:33:17.991112477 +0200
|
|
@@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_S
|
|
int ret = 0;
|
|
OSSL_PARAM *params = NULL, *params_sig = NULL;
|
|
OSSL_PARAM_BLD *bld = NULL;
|
|
+ EVP_MD *md = NULL;
|
|
+ EVP_MD_CTX *ctx = NULL;
|
|
EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
|
|
EVP_PKEY *pkey = NULL;
|
|
- unsigned char sig[256];
|
|
BN_CTX *bnctx = NULL;
|
|
BIGNUM *K = NULL;
|
|
+ const char *msg = "Hello World!";
|
|
+ unsigned char sig[256];
|
|
size_t siglen = sizeof(sig);
|
|
static const unsigned char dgst[] = {
|
|
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
|
@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_S
|
|
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
|
|
goto err;
|
|
|
|
- /* Create a EVP_PKEY_CTX to use for the signing operation */
|
|
- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
|
|
- if (sctx == NULL
|
|
- || EVP_PKEY_sign_init(sctx) <= 0)
|
|
- goto err;
|
|
-
|
|
- /* set signature parameters */
|
|
- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
|
|
- t->mdalgorithm,
|
|
- strlen(t->mdalgorithm) + 1))
|
|
- goto err;
|
|
+ /* Create a EVP_MD_CTX to use for the signature operation, assign signature
|
|
+ * parameters and sign */
|
|
params_sig = OSSL_PARAM_BLD_to_param(bld);
|
|
- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
|
+ md = EVP_MD_fetch(libctx, "SHA256", NULL);
|
|
+ ctx = EVP_MD_CTX_new();
|
|
+ if (md == NULL || ctx == NULL)
|
|
+ goto err;
|
|
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
|
+ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
|
|
+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
|
|
+ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
|
|
+ || EVP_MD_CTX_reset(ctx) <= 0)
|
|
goto err;
|
|
|
|
- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
|
|
- || EVP_PKEY_verify_init(sctx) <= 0
|
|
+ /* sctx is not freed automatically inside the FIPS module */
|
|
+ EVP_PKEY_CTX_free(sctx);
|
|
+ sctx = NULL;
|
|
+
|
|
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
|
+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
|
|
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
|
goto err;
|
|
|
|
@@ -518,14 +524,17 @@ static int self_test_sign(const ST_KAT_S
|
|
goto err;
|
|
|
|
OSSL_SELF_TEST_oncorrupt_byte(st, sig);
|
|
- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
|
|
+ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
|
|
goto err;
|
|
ret = 1;
|
|
err:
|
|
BN_CTX_free(bnctx);
|
|
EVP_PKEY_free(pkey);
|
|
- EVP_PKEY_CTX_free(kctx);
|
|
+ EVP_MD_free(md);
|
|
+ EVP_MD_CTX_free(ctx);
|
|
+ /* sctx is not freed automatically inside the FIPS module */
|
|
EVP_PKEY_CTX_free(sctx);
|
|
+ EVP_PKEY_CTX_free(kctx);
|
|
OSSL_PARAM_free(params);
|
|
OSSL_PARAM_free(params_sig);
|
|
OSSL_PARAM_BLD_free(bld);
|