root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Exclude EVP_DigestSign and EVP_DigestVerify related APIs from the FIPS 

provider.

Revert changes to m_sigver.c related to #ifdef FIPS_MODULE and exclude
the file using build.info instead.

Also exclude these calls inside EVP_DigestUpdate() within the FIPS
provider since this API should only be used for self testing digests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25570)
This commit is contained in:
slontis 2024-09-30 11:20:08 +10:00 committed by Tomas Mraz
parent 349815b57f
commit ffa5465e54
3 changed files with 4 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
crypto/evp/build.info
View File

@ -1,7 +1,7 @@
LIBS=../../libcrypto LIBS=../../libcrypto
$COMMON=digest.c evp_enc.c evp_lib.c evp_fetch.c evp_utils.c \ $COMMON=digest.c evp_enc.c evp_lib.c evp_fetch.c evp_utils.c \
mac_lib.c mac_meth.c keymgmt_meth.c keymgmt_lib.c kdf_lib.c kdf_meth.c \ mac_lib.c mac_meth.c keymgmt_meth.c keymgmt_lib.c kdf_lib.c kdf_meth.c \
m_sigver.c pmeth_lib.c signature.c p_lib.c pmeth_gn.c exchange.c \ pmeth_lib.c signature.c p_lib.c pmeth_gn.c exchange.c \
evp_rand.c asymcipher.c kem.c dh_support.c ec_support.c pmeth_check.c evp_rand.c asymcipher.c kem.c dh_support.c ec_support.c pmeth_check.c
SOURCE[../../libcrypto]=$COMMON\ SOURCE[../../libcrypto]=$COMMON\
@ -16,7 +16,7 @@ SOURCE[../../libcrypto]=$COMMON\
e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
e_chacha20_poly1305.c \ e_chacha20_poly1305.c \
legacy_sha.c ctrl_params_translate.c \ legacy_sha.c ctrl_params_translate.c \
cmeth_lib.c cmeth_lib.c m_sigver.c
# Diverse type specific ctrl functions. They are kinda sorta legacy, kinda # Diverse type specific ctrl functions. They are kinda sorta legacy, kinda
# sorta not. # sorta not.

2
crypto/evp/digest.c
View File

@ -395,6 +395,7 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
if (ctx->pctx != NULL if (ctx->pctx != NULL
&& EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx->pctx) && EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx->pctx)
&& ctx->pctx->op.sig.algctx != NULL) { && ctx->pctx->op.sig.algctx != NULL) {
#ifndef FIPS_MODULE
/* /*
* Prior to OpenSSL 3.0 EVP_DigestSignUpdate() and * Prior to OpenSSL 3.0 EVP_DigestSignUpdate() and
* EVP_DigestVerifyUpdate() were just macros for EVP_DigestUpdate(). * EVP_DigestVerifyUpdate() were just macros for EVP_DigestUpdate().
@ -407,6 +408,7 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
return EVP_DigestSignUpdate(ctx, data, count); return EVP_DigestSignUpdate(ctx, data, count);
if (ctx->pctx->operation == EVP_PKEY_OP_VERIFYCTX) if (ctx->pctx->operation == EVP_PKEY_OP_VERIFYCTX)
return EVP_DigestVerifyUpdate(ctx, data, count); return EVP_DigestVerifyUpdate(ctx, data, count);
#endif
ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR); ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
return 0; return 0;
} }

60
crypto/evp/m_sigver.c
View File

@ -16,13 +16,11 @@
#include "internal/numbers.h" /* includes SIZE_MAX */ #include "internal/numbers.h" /* includes SIZE_MAX */
#include "evp_local.h" #include "evp_local.h"
#ifndef FIPS_MODULE
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
{ {
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
return 0; return 0;
} }
#endif
/* /*
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use * If we get the "NULL" md then the name comes back as "UNDEF". We want to use
@ -58,10 +56,8 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
reinit = 0; reinit = 0;
if (e == NULL) if (e == NULL)
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
#ifndef FIPS_MODULE
else else
ctx->pctx = EVP_PKEY_CTX_new(pkey, e); ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
#endif
} }
if (ctx->pctx == NULL) if (ctx->pctx == NULL)
return 0; return 0;
@ -243,11 +239,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
if (ctx->fetched_digest != NULL) { if (ctx->fetched_digest != NULL) {
ctx->digest = ctx->reqdigest = ctx->fetched_digest; ctx->digest = ctx->reqdigest = ctx->fetched_digest;
} else { } else {
#ifdef FIPS_MODULE
(void)ERR_clear_last_mark();
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err;
#else
/* legacy engine support : remove the mark when this is deleted */ /* legacy engine support : remove the mark when this is deleted */
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
if (ctx->digest == NULL) { if (ctx->digest == NULL) {
@ -255,7 +246,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err; goto err;
} }
#endif
} }
(void)ERR_pop_to_mark(); (void)ERR_pop_to_mark();
} }
@ -301,9 +291,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
EVP_KEYMGMT_free(tmp_keymgmt); EVP_KEYMGMT_free(tmp_keymgmt);
tmp_keymgmt = NULL; tmp_keymgmt = NULL;
#ifdef FIPS_MODULE
return 0;
#else
if (type == NULL && mdname != NULL) if (type == NULL && mdname != NULL)
type = evp_get_digestbyname_ex(locpctx->libctx, mdname); type = evp_get_digestbyname_ex(locpctx->libctx, mdname);
@ -366,12 +353,9 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ctx->pctx->flag_call_digest_custom = 1; ctx->pctx->flag_call_digest_custom = 1;
ret = 1; ret = 1;
#endif
end: end:
#ifndef FIPS_MODULE
if (ret > 0) if (ret > 0)
ret = evp_pkey_ctx_use_cached_data(locpctx); ret = evp_pkey_ctx_use_cached_data(locpctx);
#endif
EVP_KEYMGMT_free(tmp_keymgmt); EVP_KEYMGMT_free(tmp_keymgmt);
return ret > 0 ? 1 : 0; return ret > 0 ? 1 : 0;
@ -386,14 +370,12 @@ int EVP_DigestSignInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
params); params);
} }
#ifndef FIPS_MODULE
int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey) const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey)
{ {
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 0, return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 0,
NULL); NULL);
} }
#endif
int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const char *mdname, OSSL_LIB_CTX *libctx, const char *mdname, OSSL_LIB_CTX *libctx,
@ -404,14 +386,12 @@ int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
params); params);
} }
#ifndef FIPS_MODULE
int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey) const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey)
{ {
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
NULL); NULL);
} }
#endif /* FIPS_MODULE */
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
{ {
@ -437,10 +417,6 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
data, dsize); data, dsize);
legacy: legacy:
#ifdef FIPS_MODULE
ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
return 0;
#else
if (pctx != NULL) { if (pctx != NULL) {
/* do_sigver_init() checked that |digest_custom| is non-NULL */ /* do_sigver_init() checked that |digest_custom| is non-NULL */
if (pctx->flag_call_digest_custom if (pctx->flag_call_digest_custom
@ -450,7 +426,6 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
} }
return EVP_DigestUpdate(ctx, data, dsize); return EVP_DigestUpdate(ctx, data, dsize);
#endif
} }
int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
@ -477,10 +452,6 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
data, dsize); data, dsize);
legacy: legacy:
#ifdef FIPS_MODULE
ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
return 0;
#else
if (pctx != NULL) { if (pctx != NULL) {
/* do_sigver_init() checked that |digest_custom| is non-NULL */ /* do_sigver_init() checked that |digest_custom| is non-NULL */
if (pctx->flag_call_digest_custom if (pctx->flag_call_digest_custom
@ -490,15 +461,12 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
} }
return EVP_DigestUpdate(ctx, data, dsize); return EVP_DigestUpdate(ctx, data, dsize);
#endif
} }
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
size_t *siglen) size_t *siglen)
{ {
#ifndef FIPS_MODULE
int sctx = 0; int sctx = 0;
#endif
int r = 0; int r = 0;
EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
@ -513,14 +481,12 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|| pctx->op.sig.signature == NULL) || pctx->op.sig.signature == NULL)
goto legacy; goto legacy;
#ifndef FIPS_MODULE
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */ /* try dup */
dctx = EVP_PKEY_CTX_dup(pctx); dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx != NULL) if (dctx != NULL)
pctx = dctx; pctx = dctx;
} }
#endif
r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
sigret, siglen, sigret, siglen,
sigret == NULL ? 0 : *siglen); sigret == NULL ? 0 : *siglen);
@ -531,10 +497,6 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
return r; return r;
legacy: legacy:
#ifdef FIPS_MODULE
ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
return 0;
#else
if (pctx == NULL || pctx->pmeth == NULL) { if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
return 0; return 0;
@ -606,7 +568,6 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
} }
} }
return 1; return 1;
#endif
} }
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
@ -631,11 +592,6 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
sigret == NULL ? 0 : *siglen, sigret == NULL ? 0 : *siglen,
tbs, tbslen); tbs, tbslen);
} }
#ifdef FIPS_MODULE
}
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
#else
} else { } else {
/* legacy */ /* legacy */
if (ctx->pctx->pmeth != NULL && ctx->pctx->pmeth->digestsign != NULL) if (ctx->pctx->pmeth != NULL && ctx->pctx->pmeth->digestsign != NULL)
@ -645,17 +601,14 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
if (sigret != NULL && EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0) if (sigret != NULL && EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0)
return 0; return 0;
return EVP_DigestSignFinal(ctx, sigret, siglen); return EVP_DigestSignFinal(ctx, sigret, siglen);
#endif
} }
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
size_t siglen) size_t siglen)
{ {
#ifndef FIPS_MODULE
int vctx = 0; int vctx = 0;
unsigned int mdlen = 0; unsigned int mdlen = 0;
unsigned char md[EVP_MAX_MD_SIZE]; unsigned char md[EVP_MAX_MD_SIZE];
#endif
int r = 0; int r = 0;
EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
@ -670,14 +623,12 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|| pctx->op.sig.signature == NULL) || pctx->op.sig.signature == NULL)
goto legacy; goto legacy;
#ifndef FIPS_MODULE
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */ /* try dup */
dctx = EVP_PKEY_CTX_dup(pctx); dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx != NULL) if (dctx != NULL)
pctx = dctx; pctx = dctx;
} }
#endif
r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
sig, siglen); sig, siglen);
if (dctx == NULL) if (dctx == NULL)
@ -687,10 +638,6 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
return r; return r;
legacy: legacy:
#ifdef FIPS_MODULE
ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
return 0;
#else
if (pctx == NULL || pctx->pmeth == NULL) { if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
return 0; return 0;
@ -730,7 +677,6 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
if (vctx || !r) if (vctx || !r)
return r; return r;
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
#endif
} }
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
@ -753,11 +699,6 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
sigret, siglen, sigret, siglen,
tbs, tbslen); tbs, tbslen);
} }
#ifdef FIPS_MODULE
}
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
#else
} else { } else {
/* legacy */ /* legacy */
if (ctx->pctx->pmeth != NULL && ctx->pctx->pmeth->digestverify != NULL) if (ctx->pctx->pmeth != NULL && ctx->pctx->pmeth->digestverify != NULL)
@ -766,5 +707,4 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0) if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0)
return -1; return -1;
return EVP_DigestVerifyFinal(ctx, sigret, siglen); return EVP_DigestVerifyFinal(ctx, sigret, siglen);
#endif
} }