authorDr. Stephen Henson <steve@openssl.org>2007-07-15 16:10:46 +0000
committerDr. Stephen Henson <steve@openssl.org>2007-07-15 16:10:46 +0000
commit9593bc46bffa29f375702d0e71a51a4114daf8f6 (patch)
treef392665988bd71356a37fc16b84e17be7084f3ec
parent5c65d38219ee0b405b953c21785c4d4eb3685214 (diff)
Tolerate DigestInfo with absent parameters in FIPS mode.
-rw-r--r--CHANGES4
-rw-r--r--fips-1.0/rsa/fips_rsa_sign.c70
2 files changed, 72 insertions, 2 deletions
diff --git a/CHANGES b/CHANGES
index fafdfde578..9161182623 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
Changes between 0.9.8e and 0.9.8f-fips [xx XXX xxxx]
+ *) Tolerate DigestInfo structure with absent parameters in FIPS mode
+ (as required by several standards).
+ [Steve Henson]
+
*) Enhance mkfipsscr.pl to cope with different directory layouts. It now
relies on the filename and makes no assumptions about the pathname.
In the case of PSS it scans the file to determine the salt length.
diff --git a/fips-1.0/rsa/fips_rsa_sign.c b/fips-1.0/rsa/fips_rsa_sign.c
index a90da2ebcf..6415b5b48e 100644
--- a/fips-1.0/rsa/fips_rsa_sign.c
+++ b/fips-1.0/rsa/fips_rsa_sign.c
@@ -69,6 +69,8 @@
* pregenerated encodings all ASN1 dependencies can be avoided
*/
+/* Standard encodings including NULL parameter */
+
static const unsigned char sha1_bin[] = {
0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
0x00, 0x04, 0x14
@@ -94,6 +96,35 @@ static const unsigned char sha512_bin[] = {
0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
};
+/* Alternate encodings with absent parameters. We don't generate signature
+ * using this format but do tolerate received signatures of this form.
+ */
+
+static unsigned char sha1_nn_bin[] = {
+ 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04,
+ 0x14
+};
+
+static unsigned char sha224_nn_bin[] = {
+ 0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+ 0x04, 0x02, 0x04, 0x04, 0x1c
+};
+
+static unsigned char sha256_nn_bin[] = {
+ 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+ 0x04, 0x02, 0x01, 0x04, 0x20
+};
+
+static unsigned char sha384_nn_bin[] = {
+ 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+ 0x04, 0x02, 0x02, 0x04, 0x30
+};
+
+static unsigned char sha512_nn_bin[] = {
+ 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+ 0x04, 0x02, 0x03, 0x04, 0x40
+};
+
static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len)
{
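Review bot: The five `*_nn_bin` tables added in this hunk are declared `static unsigned char`, while the standard-encoding tables visible in the same file (`sha1_bin`, `sha512_bin`) are `static const unsigned char`. These are the reference templates that signature verification compares against, so they should be read-only too, e.g. `static const unsigned char sha1_nn_bin[] = {` and likewise for the other four. The accessor added later in this commit already returns `const unsigned char *`, so no caller needs to change. Without `const` the tables are typically placed in writable data, where a stray write elsewhere in the process could alter what verification accepts.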
@@ -126,6 +157,37 @@ static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len)
}
}
+static const unsigned char *fips_digestinfo_nn_encoding(int nid, unsigned int *len)
+ {
+ switch (nid)
+ {
+
+ case NID_sha1:
+ *len = sizeof(sha1_nn_bin);
+ return sha1_nn_bin;
+
+ case NID_sha224:
+ *len = sizeof(sha224_nn_bin);
+ return sha224_nn_bin;
+
+ case NID_sha256:
+ *len = sizeof(sha256_nn_bin);
+ return sha256_nn_bin;
+
+ case NID_sha384:
+ *len = sizeof(sha384_nn_bin);
+ return sha384_nn_bin;
+
+ case NID_sha512:
+ *len = sizeof(sha512_nn_bin);
+ return sha512_nn_bin;
+
+ default:
+ return NULL;
+
+ }
+ }
+
static int fips_rsa_sign(int type, const unsigned char *x, unsigned int y,
unsigned char *sigret, unsigned int *siglen, EVP_MD_SVCTX *sv)
{
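Review bot: The `default:` branch of `fips_digestinfo_nn_encoding` returns `NULL` without touching `*len`, and the caller added in the `fips_rsa_verify` hunk of this commit depends on that undocumented behaviour. There the result is assigned to `der` with no NULL test, and `memcmp(der, s, dlen)` is avoided only because `dlen` is unchanged and the length comparison short-circuits first. I would document it on the branch, e.g. `/* *len is left unchanged so the caller's length check still fails */`, and make the caller explicit with `if (der == NULL || (i != (int)(dlen + diglen)) || memcmp(der, s, dlen)`. Zeroing `*len` on failure would be the wrong fix, because a payload with no DigestInfo header could then pass the length test. `fips_rsa_verify` begins and ends outside the visible hunks, so an earlier check on `der` may exist that cannot be seen here.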
@@ -318,14 +380,18 @@ static int fips_rsa_verify(int dtype,
/* Compare, DigestInfo length, DigestInfo header and finally
* digest value itself
*/
+
+ /* If length mismatch try alternate encoding */
+ if (i != (int)(dlen + diglen))
+ der = fips_digestinfo_nn_encoding(dtype, &dlen);
+
if ((i != (int)(dlen + diglen)) || memcmp(der, s, dlen)
|| memcmp(s + dlen, dig, diglen))
{
RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
goto err;
}
- else
- ret = 1;
+ ret = 1;
}
else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)