diff options
| author | Matt Caswell <matt@openssl.org> | 2020-01-17 15:47:18 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2020-02-13 15:14:30 +0100 |
| commit | afb638f137958205b6b089da8967f4775b4c9bb6 (patch) | |
| tree | b11c87c306131476dfad7eb0444d291e42713893 /providers | |
| parent | Add assembly config targets for UEFI build (diff) | |
| download | openssl-afb638f137958205b6b089da8967f4775b4c9bb6.tar.xz openssl-afb638f137958205b6b089da8967f4775b4c9bb6.zip | |
Make the RSA ASYM_CIPHER implementation available inside the FIPS module
RSA ASYM_CIPHER was already available within the default provider. We
now make it also available from inside the FIPS module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10881)
Diffstat (limited to '')
| -rw-r--r-- | providers/fips/fipsprov.c | 8 | ||||
| -rw-r--r-- | providers/implementations/asymciphers/build.info | 6 | ||||
| -rw-r--r-- | providers/implementations/asymciphers/rsa_enc.c | 12 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/rsa_kmgmt.c | 14 |
4 files changed, 35 insertions, 5 deletions
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index acc7edfa0d..596ece5235 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -805,6 +805,11 @@ static const OSSL_ALGORITHM fips_signature[] = { { NULL, NULL, NULL } }; +static const OSSL_ALGORITHM fips_asym_cipher[] = { + { "RSA:rsaEncryption", "fips=yes", rsa_asym_cipher_functions }, + { NULL, NULL, NULL } +}; + static const OSSL_ALGORITHM fips_keymgmt[] = { #ifndef OPENSSL_NO_DH { "DH:dhKeyAgreement", "fips=yes", dh_keymgmt_functions }, @@ -812,6 +817,7 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { #ifndef OPENSSL_NO_DSA { "DSA", "fips=yes", dsa_keymgmt_functions }, #endif + { "RSA:rsaEncryption", "default=yes", rsa_keymgmt_functions }, { NULL, NULL, NULL } }; @@ -836,6 +842,8 @@ static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov, return fips_keyexch; case OSSL_OP_SIGNATURE: return fips_signature; + case OSSL_OP_ASYM_CIPHER: + return fips_asym_cipher; } return NULL; } diff --git a/providers/implementations/asymciphers/build.info b/providers/implementations/asymciphers/build.info index aa050803d4..b4033d8a7d 100644 --- a/providers/implementations/asymciphers/build.info +++ b/providers/implementations/asymciphers/build.info @@ -1,4 +1,6 @@ -LIBS=../../../libcrypto -SOURCE[../../../libcrypto]=rsa_enc.c +# We make separate GOAL variables for each algorithm, to make it easy to +# switch each to the Legacy provider when needed. +$RSA_GOAL=../../libimplementations.a +SOURCE[$RSA_GOAL]=rsa_enc.c diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c index c72571d6bb..2cce8474cd 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -118,6 +118,11 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, PROVerr(0, ERR_R_MALLOC_FAILURE); return 0; } + if (prsactx->oaep_md == NULL) { + prsactx->oaep_md = EVP_MD_fetch(prsactx->libctx, "SHA-1", NULL); + PROVerr(0, ERR_R_INTERNAL_ERROR); + return 0; + } ret = RSA_padding_add_PKCS1_OAEP_mgf1(tbuf, rsasize, in, inlen, prsactx->oaep_label, prsactx->oaep_labellen, @@ -194,6 +199,13 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, return 0; } if (prsactx->pad_mode == RSA_PKCS1_OAEP_PADDING) { + if (prsactx->oaep_md == NULL) { + prsactx->oaep_md = EVP_MD_fetch(prsactx->libctx, "SHA-1", NULL); + if (prsactx->oaep_md == NULL) { + PROVerr(0, ERR_R_INTERNAL_ERROR); + return 0; + } + } ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, outsize, tbuf, len, len, prsactx->oaep_label, diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index 6ab695ea7b..f43520f857 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -18,6 +18,7 @@ #include "internal/param_build.h" #include "prov/implementations.h" #include "prov/providercommon.h" +#include "prov/provider_ctx.h" #include "crypto/rsa.h" static OSSL_OP_keymgmt_new_fn rsa_newdata; @@ -170,7 +171,9 @@ static int key_to_params(RSA *rsa, OSSL_PARAM_BLD *tmpl) static void *rsa_newdata(void *provctx) { - return RSA_new(); + OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx); + + return rsa_new_with_ctx(libctx); } static void rsa_freedata(void *keydata) @@ -321,7 +324,7 @@ static int rsa_get_params(void *key, OSSL_PARAM params[]) && !OSSL_PARAM_set_int(p, RSA_size(rsa))) return 0; -# if 0 /* PSS support pending */ +# if 0 /* TODO(3.0): PSS support pending */ if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MANDATORY_DIGEST)) != NULL && RSA_get0_pss_params(rsa) != NULL) { @@ -338,9 +341,14 @@ static int rsa_get_params(void *key, OSSL_PARAM params[]) } #endif if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL - && RSA_get0_pss_params(rsa) == NULL) +/* TODO(3.0): PSS support pending */ +#if 0 + && RSA_get0_pss_params(rsa) == NULL +#endif + ) { if (!OSSL_PARAM_set_utf8_string(p, RSA_DEFAULT_MD)) return 0; + } return 1; } |