2024-04-04 08:44:19 +00:00
|
|
|
From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001
|
|
|
|
From: rpm-build <rpm-build>
|
|
|
|
Date: Wed, 6 Mar 2024 19:17:16 +0100
|
|
|
|
Subject: [PATCH 28/49]
|
|
|
|
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
2022-07-22 16:01:52 +00:00
|
|
|
|
2024-04-04 08:44:19 +00:00
|
|
|
Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
|
|
|
Patch-id: 74
|
|
|
|
Patch-status: |
|
|
|
|
# [PATCH 29/46]
|
|
|
|
# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
|
|
|
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
2022-07-22 16:01:52 +00:00
|
|
|
---
|
2024-04-04 08:44:19 +00:00
|
|
|
crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++-----
|
|
|
|
providers/fips/self_test_kats.c | 43 +++++++++++++++-----------
|
|
|
|
2 files changed, 73 insertions(+), 24 deletions(-)
|
2022-07-22 16:01:52 +00:00
|
|
|
|
|
|
|
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
2024-04-04 08:44:19 +00:00
|
|
|
index fd3a4b79df..3e9f33c26c 100644
|
2022-07-22 16:01:52 +00:00
|
|
|
--- a/crypto/evp/m_sigver.c
|
|
|
|
+++ b/crypto/evp/m_sigver.c
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
2022-07-22 16:01:52 +00:00
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
2022-07-22 16:01:52 +00:00
|
|
|
reinit = 0;
|
|
|
|
if (e == NULL)
|
|
|
|
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
else
|
|
|
|
ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
}
|
|
|
|
if (ctx->pctx == NULL)
|
|
|
|
return 0;
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -136,8 +139,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
2022-07-22 16:01:52 +00:00
|
|
|
locpctx = ctx->pctx;
|
|
|
|
ERR_set_mark();
|
|
|
|
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
if (evp_pkey_ctx_is_legacy(locpctx))
|
|
|
|
goto legacy;
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
|
|
|
|
/* do not reinitialize if pkey is set or operation is different */
|
|
|
|
if (reinit
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -222,8 +227,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
2022-07-22 16:01:52 +00:00
|
|
|
signature =
|
|
|
|
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
|
|
|
|
supported_sig, locpctx->propquery);
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
if (signature == NULL)
|
|
|
|
goto legacy;
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (signature == NULL)
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -307,6 +314,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
2022-07-22 16:01:52 +00:00
|
|
|
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
|
|
|
|
if (ctx->fetched_digest != NULL) {
|
|
|
|
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
} else {
|
|
|
|
/* legacy engine support : remove the mark when this is deleted */
|
|
|
|
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -315,11 +323,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
2022-07-22 16:01:52 +00:00
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
}
|
|
|
|
(void)ERR_pop_to_mark();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
if (ctx->reqdigest != NULL
|
|
|
|
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
|
|
|
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -331,6 +341,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
2022-07-22 16:01:52 +00:00
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
|
|
|
|
if (ver) {
|
|
|
|
if (signature->digest_verify_init == NULL) {
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -363,6 +374,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
2022-07-22 16:01:52 +00:00
|
|
|
EVP_KEYMGMT_free(tmp_keymgmt);
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
legacy:
|
|
|
|
/*
|
|
|
|
* If we don't have the full support we need with provided methods,
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -434,6 +446,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
2022-07-22 16:01:52 +00:00
|
|
|
ctx->pctx->flag_call_digest_custom = 1;
|
|
|
|
|
|
|
|
ret = 1;
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
|
|
|
|
end:
|
|
|
|
#ifndef FIPS_MODULE
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -476,7 +489,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
2022-07-22 16:01:52 +00:00
|
|
|
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
|
|
|
|
NULL);
|
|
|
|
}
|
|
|
|
-#endif /* FIPS_MDOE */
|
|
|
|
|
|
|
|
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
|
|
|
{
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -548,24 +560,31 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
2022-07-22 16:01:52 +00:00
|
|
|
return EVP_DigestUpdate(ctx, data, dsize);
|
|
|
|
}
|
|
|
|
|
|
|
|
-#ifndef FIPS_MODULE
|
|
|
|
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
|
|
|
size_t *siglen)
|
|
|
|
{
|
|
|
|
- int sctx = 0, r = 0;
|
2024-04-04 08:44:19 +00:00
|
|
|
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
|
2022-07-22 16:01:52 +00:00
|
|
|
+ int r = 0;
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
+ int sctx = 0;
|
2024-04-04 08:44:19 +00:00
|
|
|
+ EVP_PKEY_CTX *dctx = NULL;
|
2022-07-22 16:01:52 +00:00
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
2024-04-04 08:44:19 +00:00
|
|
|
+
|
|
|
|
|
|
|
|
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
|
|
|
|
return 0;
|
|
|
|
}
|
2022-07-22 16:01:52 +00:00
|
|
|
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
if (pctx == NULL
|
|
|
|
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
|
|
|
|
|| pctx->op.sig.algctx == NULL
|
|
|
|
|| pctx->op.sig.signature == NULL)
|
|
|
|
goto legacy;
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
|
|
|
|
+#ifndef FIPS_MODULE
|
2024-04-04 08:44:19 +00:00
|
|
|
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
|
|
|
/* try dup */
|
|
|
|
dctx = EVP_PKEY_CTX_dup(pctx);
|
|
|
|
@@ -580,7 +599,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
|
|
|
else
|
|
|
|
EVP_PKEY_CTX_free(dctx);
|
2022-07-22 16:01:52 +00:00
|
|
|
return r;
|
2024-04-04 08:44:19 +00:00
|
|
|
+#else
|
|
|
|
+ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
|
|
|
|
+ sigret, siglen,
|
|
|
|
+ sigret == NULL ? 0 : *siglen);
|
|
|
|
+ return r;
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
2022-07-22 16:01:52 +00:00
|
|
|
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
legacy:
|
|
|
|
if (pctx == NULL || pctx->pmeth == NULL) {
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -653,6 +679,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
2022-07-22 16:01:52 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
}
|
|
|
|
|
|
|
|
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -691,23 +718,30 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
2022-07-22 16:01:52 +00:00
|
|
|
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
|
|
|
size_t siglen)
|
|
|
|
{
|
|
|
|
- unsigned char md[EVP_MAX_MD_SIZE];
|
|
|
|
int r = 0;
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
+ unsigned char md[EVP_MAX_MD_SIZE];
|
|
|
|
unsigned int mdlen = 0;
|
|
|
|
int vctx = 0;
|
2024-04-04 08:44:19 +00:00
|
|
|
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
|
|
|
|
+ EVP_PKEY_CTX *dctx = NULL;
|
2022-07-22 16:01:52 +00:00
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
2024-04-04 08:44:19 +00:00
|
|
|
+
|
|
|
|
|
|
|
|
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
|
|
|
|
return 0;
|
|
|
|
}
|
2022-07-22 16:01:52 +00:00
|
|
|
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
if (pctx == NULL
|
|
|
|
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
|
|
|
|
|| pctx->op.sig.algctx == NULL
|
|
|
|
|| pctx->op.sig.signature == NULL)
|
|
|
|
goto legacy;
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
|
|
|
|
+#ifndef FIPS_MODULE
|
2024-04-04 08:44:19 +00:00
|
|
|
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
|
|
|
/* try dup */
|
|
|
|
dctx = EVP_PKEY_CTX_dup(pctx);
|
|
|
|
@@ -721,7 +755,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
|
|
|
else
|
|
|
|
EVP_PKEY_CTX_free(dctx);
|
2022-07-22 16:01:52 +00:00
|
|
|
return r;
|
2024-04-04 08:44:19 +00:00
|
|
|
+#else
|
|
|
|
+ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
|
|
|
|
+ sig, siglen);
|
|
|
|
+ return r;
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
2022-07-22 16:01:52 +00:00
|
|
|
|
|
|
|
+#ifndef FIPS_MODULE
|
|
|
|
legacy:
|
|
|
|
if (pctx == NULL || pctx->pmeth == NULL) {
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -762,6 +802,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
2022-07-22 16:01:52 +00:00
|
|
|
if (vctx || !r)
|
|
|
|
return r;
|
|
|
|
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
|
|
|
|
+#endif /* !defined(FIPS_MODULE) */
|
|
|
|
}
|
|
|
|
|
|
|
|
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -794,4 +835,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
2022-07-22 16:01:52 +00:00
|
|
|
return -1;
|
|
|
|
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
|
|
|
|
}
|
|
|
|
-#endif /* FIPS_MODULE */
|
|
|
|
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
|
2024-04-04 08:44:19 +00:00
|
|
|
index 4ea10670c0..5eb27c8ed2 100644
|
2022-07-22 16:01:52 +00:00
|
|
|
--- a/providers/fips/self_test_kats.c
|
|
|
|
+++ b/providers/fips/self_test_kats.c
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
2022-07-22 16:01:52 +00:00
|
|
|
int ret = 0;
|
|
|
|
OSSL_PARAM *params = NULL, *params_sig = NULL;
|
|
|
|
OSSL_PARAM_BLD *bld = NULL;
|
|
|
|
+ EVP_MD *md = NULL;
|
|
|
|
+ EVP_MD_CTX *ctx = NULL;
|
|
|
|
EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
|
|
|
|
EVP_PKEY *pkey = NULL;
|
|
|
|
- unsigned char sig[256];
|
|
|
|
BN_CTX *bnctx = NULL;
|
|
|
|
+ const char *msg = "Hello World!";
|
|
|
|
+ unsigned char sig[256];
|
|
|
|
size_t siglen = sizeof(sig);
|
|
|
|
static const unsigned char dgst[] = {
|
|
|
|
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
2022-07-22 16:01:52 +00:00
|
|
|
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
- /* Create a EVP_PKEY_CTX to use for the signing operation */
|
|
|
|
- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
|
|
|
|
- if (sctx == NULL
|
|
|
|
- || EVP_PKEY_sign_init(sctx) <= 0)
|
|
|
|
- goto err;
|
|
|
|
-
|
|
|
|
- /* set signature parameters */
|
|
|
|
- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
|
|
|
|
- t->mdalgorithm,
|
|
|
|
- strlen(t->mdalgorithm) + 1))
|
|
|
|
- goto err;
|
|
|
|
+ /* Create a EVP_MD_CTX to use for the signature operation, assign signature
|
|
|
|
+ * parameters and sign */
|
|
|
|
params_sig = OSSL_PARAM_BLD_to_param(bld);
|
|
|
|
- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
|
|
|
+ md = EVP_MD_fetch(libctx, "SHA256", NULL);
|
|
|
|
+ ctx = EVP_MD_CTX_new();
|
|
|
|
+ if (md == NULL || ctx == NULL)
|
|
|
|
+ goto err;
|
|
|
|
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
|
|
|
+ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
|
|
|
|
+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
|
|
|
|
+ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
|
|
|
|
+ || EVP_MD_CTX_reset(ctx) <= 0)
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
|
|
|
|
- || EVP_PKEY_verify_init(sctx) <= 0
|
2022-08-03 16:04:36 +00:00
|
|
|
+ /* sctx is not freed automatically inside the FIPS module */
|
|
|
|
+ EVP_PKEY_CTX_free(sctx);
|
|
|
|
+ sctx = NULL;
|
|
|
|
+
|
2022-07-22 16:01:52 +00:00
|
|
|
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
|
|
|
+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
|
|
|
|
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
|
|
|
goto err;
|
|
|
|
|
2024-04-04 08:44:19 +00:00
|
|
|
@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
2022-07-22 16:01:52 +00:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
OSSL_SELF_TEST_oncorrupt_byte(st, sig);
|
|
|
|
- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
|
|
|
|
+ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
|
|
|
|
goto err;
|
|
|
|
ret = 1;
|
|
|
|
err:
|
|
|
|
BN_CTX_free(bnctx);
|
|
|
|
EVP_PKEY_free(pkey);
|
2022-08-03 16:04:36 +00:00
|
|
|
- EVP_PKEY_CTX_free(kctx);
|
2022-07-22 16:01:52 +00:00
|
|
|
+ EVP_MD_free(md);
|
|
|
|
+ EVP_MD_CTX_free(ctx);
|
2022-08-03 16:04:36 +00:00
|
|
|
+ /* sctx is not freed automatically inside the FIPS module */
|
|
|
|
EVP_PKEY_CTX_free(sctx);
|
|
|
|
+ EVP_PKEY_CTX_free(kctx);
|
2022-07-22 16:01:52 +00:00
|
|
|
OSSL_PARAM_free(params);
|
|
|
|
OSSL_PARAM_free(params_sig);
|
|
|
|
OSSL_PARAM_BLD_free(bld);
|
|
|
|
--
|
2024-04-04 08:44:19 +00:00
|
|
|
2.44.0
|
2022-07-22 16:01:52 +00:00
|
|
|
|