/[smecontribs]/rpms/openssl3/contribs10/0088-signature-Add-indicator-for-PSS-salt-length.patch
ViewVC logotype

Annotation of /rpms/openssl3/contribs10/0088-signature-Add-indicator-for-PSS-salt-length.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:48 2024 UTC (10 months ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
2     From: Clemens Lang <cllang@redhat.com>
3     Date: Thu, 17 Nov 2022 19:33:02 +0100
4     Subject: [PATCH 1/3] signature: Add indicator for PSS salt length
5     MIME-Version: 1.0
6     Content-Type: text/plain; charset=UTF-8
7     Content-Transfer-Encoding: 8bit
8    
9     FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
10     5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
11     salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of
12     the hash function output block (in bytes)."
13    
14     It is not exactly clear from this text whether hLen refers to the
15     message digest or the hash function used for the mask generation
16     function MGF1. PKCS#1 v2.1 suggests it is the former:
17    
18     | Typical salt lengths in octets are hLen (the length of the output of
19     | the hash function Hash) and 0. In both cases the security of
20     | RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
21     | Bellare and Rogaway [4] give a tight lower bound for the security of
22     | the original RSA-PSS scheme, which corresponds roughly to the former
23     | case, while Coron [12] gives a lower bound for the related Full Domain
24     | Hashing scheme, which corresponds roughly to the latter case. In [13]
25     | Coron provides a general treatment with various salt lengths ranging
26     | from 0 to hLen; see [27] for discussion. See also [31], which adapts
27     | the security proofs in [4][13] to address the differences between the
28     | original and the present version of RSA-PSS as listed in Note 1 above.
29    
30     Since OpenSSL defaults to creating signatures with the maximum salt
31     length, blocking the use of longer salts would probably lead to
32     significant problems in practice. Instead, introduce an explicit
33     indicator that can be obtained from the EVP_PKEY_CTX object using
34     EVP_PKEY_CTX_get_params() with the
35     OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR
36     parameter.
37    
38     Signed-off-by: Clemens Lang <cllang@redhat.com>
39     ---
40     include/openssl/core_names.h | 1 +
41     include/openssl/evp.h | 4 ++++
42     providers/implementations/signature/rsa_sig.c | 18 ++++++++++++++++++
43     3 files changed, 23 insertions(+)
44    
45     diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
46     index 94fab83193..69c59f0b46 100644
47     --- a/include/openssl/core_names.h
48     +++ b/include/openssl/core_names.h
49     @@ -453,6 +453,7 @@ extern "C" {
50     #define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \
51     OSSL_PKEY_PARAM_MGF1_PROPERTIES
52     #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE
53     +#define OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
54    
55     /* Asym cipher parameters */
56     #define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST
57     diff --git a/include/openssl/evp.h b/include/openssl/evp.h
58     index a5e78efd6e..f239200465 100644
59     --- a/include/openssl/evp.h
60     +++ b/include/openssl/evp.h
61     @@ -797,6 +797,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
62     __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
63     int *outl);
64    
65     +# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
66     +# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
67     +# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
68     +
69     __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
70     EVP_PKEY *pkey);
71     __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
72     diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
73     index 49e7f9158a..0c45008a00 100644
74     --- a/providers/implementations/signature/rsa_sig.c
75     +++ b/providers/implementations/signature/rsa_sig.c
76     @@ -1127,6 +1127,21 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
77     }
78     }
79    
80     +#ifdef FIPS_MODULE
81     + p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR);
82     + if (p != NULL) {
83     + int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED;
84     + if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
85     + if (prsactx->md == NULL) {
86     + fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
87     + } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
88     + fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
89     + }
90     + }
91     + return OSSL_PARAM_set_int(p, fips_indicator);
92     + }
93     +#endif
94     +
95     return 1;
96     }
97    
98     @@ -1136,6 +1151,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
99     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
100     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
101     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
102     +#ifdef FIPS_MODULE
103     + OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL),
104     +#endif
105     OSSL_PARAM_END
106     };
107    
108     --
109     2.38.1
110    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed