From 7467c87c6e88acca887bac0bf85ec0dc76fa522d Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 8 Aug 2019 09:13:51 +0100 Subject: Ensure RSA PSS correctly returns the right default digest A default digest of SHA256 was being returned for RSA PSS even if the PSS parameters indicated a different digest must be used. We change this so that the correct default digest is returned and additionally mark this as mandatory for PSS. This bug had an impact on sig alg selection in libssl. Due to this issue an incorrect sig alg might be selected in the event that a server is configured with an RSA-PSS cert with parameter restrictions. Fixes #9545 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9553) (cherry picked from commit 9bcc9f973b2a216461dd6f140e47ef647eb733b4) --- crypto/rsa/rsa_ameth.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'crypto') diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index ab5f61518b..9dcb85d837 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -458,6 +458,9 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { X509_ALGOR *alg = NULL; + const EVP_MD *md; + const EVP_MD *mgf1md; + int min_saltlen; switch (op) { @@ -497,6 +500,16 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: + if (pkey->pkey.rsa->pss != NULL) { + if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, + &min_saltlen)) { + RSAerr(0, ERR_R_INTERNAL_ERROR); + return 0; + } + *(int *)arg2 = EVP_MD_type(md); + /* Return of 2 indicates this MD is mandatory */ + return 2; + } *(int *)arg2 = NID_sha256; return 1; -- cgit v1.2.3