Pairwise consistency tests should use Digest+Sign/Verify

Resolves: rhbz#2178034

0044-FIPS-140-3-keychecks.patch

@@ -185,3 +185,266 @@ diff -up openssl-3.0.1/crypto/rsa/rsa_gen.c.fips3 openssl-3.0.1/crypto/rsa/rsa_g
  
      return ret;
  }
+diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c
+--- openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise	2023-02-20 11:44:18.451884117 +0100
++++ openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c	2023-02-20 12:39:46.037063842 +0100
+@@ -982,8 +982,17 @@ struct ec_gen_ctx {
+     int selection;
+     int ecdh_mode;
+     EC_GROUP *gen_group;
++#ifdef FIPS_MODULE
++    void *ecdsa_sig_ctx;
++#endif
+ };
+ 
++#ifdef FIPS_MODULE
++void *ecdsa_newctx(void *provctx, const char *propq);
++void ecdsa_freectx(void *vctx);
++int do_ec_pct(void *, const char *, void *);
++#endif
++
+ static void *ec_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
+ {
+@@ -1002,6 +1011,10 @@ static void *ec_gen_init(void *provctx,
+         OPENSSL_free(gctx);
+         gctx = NULL;
+     }
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ }
+ 
+@@ -1272,6 +1285,12 @@ static void *ec_gen(void *genctx, OSSL_C
+ 
+     if (gctx->ecdh_mode != -1)
+         ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
++        && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
++        goto err;
++#endif
+ 
+     if (gctx->group_check != NULL)
+         ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
+@@ -1341,7 +1359,10 @@ static void ec_gen_cleanup(void *genctx)
+ 
+     if (gctx == NULL)
+         return;
+-
++#ifdef FIPS_MODULE
++    ecdsa_freectx(gctx->ecdsa_sig_ctx);
++    gctx->ecdsa_sig_ctx = NULL;
++#endif
+     EC_GROUP_free(gctx->gen_group);
+     BN_free(gctx->p);
+     BN_free(gctx->a);
+diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c
+--- openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise	2023-02-20 11:50:23.035194347 +0100
++++ openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c	2023-02-20 12:19:10.809768979 +0100
+@@ -32,7 +32,7 @@
+ #include "crypto/ec.h"
+ #include "prov/der_ec.h"
+ 
+-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
++OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
+ static OSSL_FUNC_signature_sign_fn ecdsa_sign;
+@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_f
+ static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
++OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
+ static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
+ static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
+@@ -104,7 +104,7 @@ typedef struct {
+ #endif
+ } PROV_ECDSA_CTX;
+ 
+-static void *ecdsa_newctx(void *provctx, const char *propq)
++void *ecdsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_ECDSA_CTX *ctx;
+ 
+@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx
+     return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
+ }
+ 
+-static void ecdsa_freectx(void *vctx)
++void ecdsa_freectx(void *vctx)
+ {
+     PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
+ 
+@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_
+     return EVP_MD_settable_ctx_params(ctx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_ec_pct(void *vctx, const char *mdname, void *ec)
++{
++    static const char data[32];
++    unsigned char sigbuf[256];
++    size_t siglen = sizeof(sigbuf);
++
++    if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        return 0;
++
++    return 1;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
+diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c
+--- openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise	2023-02-20 16:04:27.103364713 +0100
++++ openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c	2023-02-20 16:14:13.848119419 +0100
+@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     /* ACVP test parameters */
+     OSSL_PARAM *acvp_test_params;
++    void *prov_rsa_ctx;
+ #endif
+ };
+ 
+@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GE
+     return gctx->cb(params, gctx->cbarg);
+ }
+ 
++#ifdef FIPS_MODULE
++void *rsa_newctx(void *provctx, const char *propq);
++void rsa_freectx(void *vctx);
++int do_rsa_pct(void *, const char *, void *);
++#endif
++
+ static void *gen_init(void *provctx, int selection, int rsa_type,
+                       const OSSL_PARAM params[])
+ {
+@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int
+ 
+     if (!rsa_gen_set_params(gctx, params))
+         goto err;
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ 
+ err:
+@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_
+ 
+     rsa = rsa_tmp;
+     rsa_tmp = NULL;
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
++        goto err;
++#endif
+  err:
+     BN_GENCB_free(gencb);
+     RSA_free(rsa_tmp);
+@@ -645,6 +662,8 @@ static void rsa_gen_cleanup(void *genctx
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
+     gctx->acvp_test_params = NULL;
++    rsa_freectx(gctx->prov_rsa_ctx);
++    gctx->prov_rsa_ctx = NULL;
+ #endif
+     BN_clear_free(gctx->pub_exp);
+     OPENSSL_free(gctx);
+diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/rsa_sig.c
+--- openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise	2023-02-20 16:04:22.548327811 +0100
++++ openssl-3.0.7/providers/implementations/signature/rsa_sig.c	2023-02-20 16:17:50.064871695 +0100
+@@ -36,7 +36,7 @@
+ 
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+ 
+-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
++OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
+ static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
+@@ -49,7 +49,7 @@ static OSSL_FUNC_signature_digest_sign_f
+ static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
++OSSL_FUNC_signature_freectx_fn rsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
+ static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
+ static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
+@@ -172,7 +172,7 @@ static int rsa_check_parameters(PROV_RSA
+     return 1;
+ }
+ 
+-static void *rsa_newctx(void *provctx, const char *propq)
++void *rsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_RSA_CTX *prsactx = NULL;
+     char *propq_copy = NULL;
+@@ -990,7 +990,7 @@ int rsa_digest_verify_final(void *vprsac
+     return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
+ }
+ 
+-static void rsa_freectx(void *vprsactx)
++void rsa_freectx(void *vprsactx)
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+ 
+@@ -1504,6 +1504,35 @@ static const OSSL_PARAM *rsa_settable_ct
+     return EVP_MD_settable_ctx_params(prsactx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
++{
++    static const char data[32];
++    unsigned char sigbuf[256];
++    size_t siglen = sizeof(sigbuf);
++
++    if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
++        return 0;
++
++    if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (rsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
++        return 0;
++
++    if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
++        return 0;
++
++    if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        return 0;
++
++    return 1;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },

0049-Selectively-disallow-SHA1-signatures.patch

@@ -399,7 +399,7 @@ index 325e855333..bea397f0c1 100644
  #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
 +#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
  
- static OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ OSSL_FUNC_signature_newctx_fn rsa_newctx;
  static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
 @@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
  

openssl.spec

@@ -515,6 +515,8 @@ install -m644 %{SOURCE9} \
   Resolves: rhbz#2178137
 - Limit RSA_NO_PADDING for encryption and signature in FIPS mode
   Resolves: rhbz#2178029
+- Pairwise consistency tests should use Digest+Sign/Verify
+  Resolves: rhbz#2178034
 
 * Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
 - Fixes RNG slowdown in FIPS mode