{
return ERR_pop_to_mark();
}
-#endif
+#endif /* FIPS_MODE */
/*
* Functions provided by the core. Blank line separates "families" of related
{ OSSL_FUNC_CORE_SET_ERROR_MARK, (void (*)(void))core_set_error_mark },
{ OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK,
(void (*)(void))core_clear_last_error_mark },
- { OSSL_FUNC_CORE_POP_ERROR_TO_MARK,
- (void (*)(void))core_pop_error_to_mark },
+ { OSSL_FUNC_CORE_POP_ERROR_TO_MARK, (void (*)(void))core_pop_error_to_mark },
{ OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))BIO_new_file },
{ OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))BIO_new_mem_buf },
{ OSSL_FUNC_BIO_READ_EX, (void (*)(void))BIO_read_ex },
{ OSSL_FUNC_BIO_FREE, (void (*)(void))BIO_free },
{ OSSL_FUNC_BIO_VPRINTF, (void (*)(void))BIO_vprintf },
+ { OSSL_FUNC_BIO_VSNPRINTF, (void (*)(void))BIO_vsnprintf },
{ OSSL_FUNC_SELF_TEST_CB, (void (*)(void))OSSL_SELF_TEST_get_callback },
#endif
{ OSSL_FUNC_CRYPTO_MALLOC, (void (*)(void))CRYPTO_malloc },
return r->iqmp;
}
-/* TODO(3.0): Temporary until we move PSS support into the FIPS module */
-#ifndef FIPS_MODE
const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r)
{
return r->pss;
}
-#endif
void RSA_clear_flags(RSA *r, int flags)
{
BIGNUM *dmp1;
BIGNUM *dmq1;
BIGNUM *iqmp;
- /* TODO(3.0): Support PSS in FIPS_MODE */
+ /* If a PSS only key this contains the parameter restrictions */
+ RSA_PSS_PARAMS *pss;
#ifndef FIPS_MODE
/* for multi-prime RSA, defined in RFC 8017 */
STACK_OF(RSA_PRIME_INFO) *prime_infos;
- /* If a PSS only key this contains the parameter restrictions */
- RSA_PSS_PARAMS *pss;
- /* be careful using this if the RSA structure is shared */
+ /* Be careful using this if the RSA structure is shared */
CRYPTO_EX_DATA ex_data;
#endif
CRYPTO_REF_COUNT references;
}
}
+#define MD_NID_CASE(name, sz) \
+ case NID_##name: \
+ return sz;
+
+static int digest_sz_from_nid(int nid)
+{
+ switch (nid) {
+#ifndef FIPS_MODE
+# ifndef OPENSSL_NO_MDC2
+ MD_NID_CASE(mdc2, MDC2_DIGEST_LENGTH)
+# endif
+# ifndef OPENSSL_NO_MD2
+ MD_NID_CASE(md2, MD2_DIGEST_LENGTH)
+# endif
+# ifndef OPENSSL_NO_MD4
+ MD_NID_CASE(md4, MD4_DIGEST_LENGTH)
+# endif
+# ifndef OPENSSL_NO_MD5
+ MD_NID_CASE(md5, MD5_DIGEST_LENGTH)
+# endif
+# ifndef OPENSSL_NO_RMD160
+ MD_NID_CASE(ripemd160, RIPEMD160_DIGEST_LENGTH)
+# endif
+#endif /* FIPS_MODE */
+ MD_NID_CASE(sha1, SHA_DIGEST_LENGTH)
+ MD_NID_CASE(sha224, SHA224_DIGEST_LENGTH)
+ MD_NID_CASE(sha256, SHA256_DIGEST_LENGTH)
+ MD_NID_CASE(sha384, SHA384_DIGEST_LENGTH)
+ MD_NID_CASE(sha512, SHA512_DIGEST_LENGTH)
+ MD_NID_CASE(sha512_224, SHA224_DIGEST_LENGTH)
+ MD_NID_CASE(sha512_256, SHA256_DIGEST_LENGTH)
+ MD_NID_CASE(sha3_224, SHA224_DIGEST_LENGTH)
+ MD_NID_CASE(sha3_256, SHA256_DIGEST_LENGTH)
+ MD_NID_CASE(sha3_384, SHA384_DIGEST_LENGTH)
+ MD_NID_CASE(sha3_512, SHA512_DIGEST_LENGTH)
+ default:
+ return 0;
+ }
+}
+
+
/* Size of an SSL signature: MD5+SHA1 */
#define SSL_SIG_LENGTH 36
unsigned char *tmps = NULL;
const unsigned char *encoded = NULL;
+#ifndef FIPS_MODE
if (rsa->meth->rsa_sign != NULL)
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
+#endif /* FIPS_MODE */
/* Compute the encoded digest. */
if (type == NID_md5_sha1) {
goto err;
decrypt_len = len;
+#ifndef FIPS_MODE
if (type == NID_md5_sha1) {
/*
* NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and
goto err;
}
}
- } else {
+ } else
+#endif /* FIPS_MODE */
+ {
/*
* If recovering the digest, extract a digest-sized output from the end
* of |decrypt_buf| for |encode_pkcs1|, then compare the decryption
* output as in a standard verification.
*/
if (rm != NULL) {
- const EVP_MD *md = EVP_get_digestbynid(type);
- if (md == NULL) {
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_UNKNOWN_ALGORITHM_TYPE);
- goto err;
- }
+ len = digest_sz_from_nid(type);
- len = EVP_MD_size(md);
if (len <= 0)
goto err;
m_len = (unsigned int)len;
# define OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK 9
OSSL_CORE_MAKE_FUNC(int, core_clear_last_error_mark,
(const OSSL_PROVIDER *prov))
-# define OSSL_FUNC_CORE_POP_ERROR_TO_MARK 10
+# define OSSL_FUNC_CORE_POP_ERROR_TO_MARK 10
OSSL_CORE_MAKE_FUNC(int, core_pop_error_to_mark, (const OSSL_PROVIDER *prov))
/* Memory allocation, freeing, clearing. */
#define OSSL_FUNC_BIO_READ_EX 42
#define OSSL_FUNC_BIO_FREE 43
#define OSSL_FUNC_BIO_VPRINTF 44
+#define OSSL_FUNC_BIO_VSNPRINTF 45
OSSL_CORE_MAKE_FUNC(BIO *, BIO_new_file, (const char *filename, const char *mode))
OSSL_CORE_MAKE_FUNC(BIO *, BIO_new_membuf, (const void *buf, int len))
OSSL_CORE_MAKE_FUNC(int, BIO_free, (BIO *bio))
OSSL_CORE_MAKE_FUNC(int, BIO_vprintf, (BIO *bio, const char *format,
va_list args))
+OSSL_CORE_MAKE_FUNC(int, BIO_vsnprintf,
+ (char *buf, size_t n, const char *fmt, va_list args))
#define OSSL_FUNC_SELF_TEST_CB 100
OSSL_CORE_MAKE_FUNC(void, self_test_cb, (OPENSSL_CTX *ctx, OSSL_CALLBACK **cb,
static OSSL_CRYPTO_secure_free_fn *c_CRYPTO_secure_free;
static OSSL_CRYPTO_secure_clear_free_fn *c_CRYPTO_secure_clear_free;
static OSSL_CRYPTO_secure_allocated_fn *c_CRYPTO_secure_allocated;
+static OSSL_BIO_vsnprintf_fn *c_BIO_vsnprintf;
typedef struct fips_global_st {
const OSSL_PROVIDER *prov;
#ifndef OPENSSL_NO_DSA
{ "DSA:dsaEncryption", "provider=fips,fips=yes", dsa_signature_functions },
#endif
+ { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_signature_functions },
{ NULL, NULL, NULL }
};
case OSSL_FUNC_BIO_FREE:
selftest_params.bio_free_cb = OSSL_get_BIO_free(in);
break;
+ case OSSL_FUNC_BIO_VSNPRINTF:
+ c_BIO_vsnprintf = OSSL_get_BIO_vsnprintf(in);
+ break;
case OSSL_FUNC_SELF_TEST_CB: {
stcbfn = OSSL_get_self_test_cb(in);
break;
{
return c_CRYPTO_secure_allocated(ptr);
}
+
+int BIO_snprintf(char *buf, size_t n, const char *format, ...)
+{
+ va_list args;
+ int ret;
+
+ va_start(args, format);
+ ret = c_BIO_vsnprintf(buf, n, format, args);
+ va_end(args);
+ return ret;
+}
# switch each to the Legacy provider when needed.
$DSA_GOAL=../../libimplementations.a
-$RSA_GOAL=../../libimplementations.a
$EC_GOAL=../../libimplementations.a
IF[{- !$disabled{dsa} -}]
SOURCE[$EC_GOAL]=eddsa.c
ENDIF
-SOURCE[$RSA_GOAL]=rsa.c
-
-
+SOURCE[../../libfips.a]=rsa.c
+SOURCE[../../libnonfips.a]=rsa.c
goto end;
}
#endif
-
switch (prsactx->pad_mode) {
case RSA_X931_PADDING:
if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {
projects / oweals / openssl.git / commitdiff