1 files changed, 55 insertions, 1 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index c722188c43..d7ce931733 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ameth.c,v 1.58 2024/03/17 07:10:00 tb Exp $ */
+/* $OpenBSD: rsa_ameth.c,v 1.59 2024/08/28 07:15:04 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -845,6 +845,58 @@ rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
        return 1;
 }
+static int
+rsa_pss_signature_info(const X509_ALGOR *alg, int *out_md_nid,
+    int *out_pkey_nid, int *out_security_bits, uint32_t *out_flags)
+{
+        RSA_PSS_PARAMS *pss = NULL;
+        const ASN1_OBJECT *aobj;
+        const EVP_MD *md, *mgf1md;
+        int md_len, salt_len;
+        int md_nid = NID_undef, pkey_nid = NID_undef;
+        int security_bits = -1;
+        uint32_t flags = 0;
+        X509_ALGOR_get0(&aobj, NULL, NULL, alg);
+        if (OBJ_obj2nid(aobj) != EVP_PKEY_RSA_PSS)
+                goto err;
+        if ((pss = rsa_pss_decode(alg)) == NULL)
+                goto err;
+        if (!rsa_pss_get_param(pss, &md, &mgf1md, &salt_len))
+                goto err;
+        if ((md_nid = EVP_MD_type(md)) == NID_undef)
+                goto err;
+        if ((md_len = EVP_MD_size(md)) <= 0)
+                goto err;
+        /*
+         * RFC 8446, section 4.2.3 - restricts the digest algorithm:
+         * - it must be one of SHA256, SHA384, and SHA512;
+         * - the same digest must be used in the mask generation function;
+         * - the salt length must match the output length of the digest.
+         * XXX - consider separate flags for these checks.
+         */
+        if (md_nid == NID_sha256 || md_nid == NID_sha384 || md_nid == NID_sha512) {
+                if (md_nid == EVP_MD_type(mgf1md) && salt_len == md_len)
+                        flags |= X509_SIG_INFO_TLS;
+        }
+        security_bits = md_len * 4;
+        flags |= X509_SIG_INFO_VALID;
+        *out_md_nid = md_nid;
+        *out_pkey_nid = pkey_nid;
+        *out_security_bits = security_bits;
+        *out_flags = flags;
+ err:
+        RSA_PSS_PARAMS_free(pss);
+        return (flags & X509_SIG_INFO_VALID) != 0;
+}
 #ifndef OPENSSL_NO_CMS
 static int
 rsa_cms_verify(CMS_SignerInfo *si)
@@ -1216,6 +1268,8 @@ const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
        .pkey_bits = rsa_bits,
        .pkey_security_bits = rsa_security_bits,
+        .signature_info = rsa_pss_signature_info,
        .sig_print = rsa_sig_print,
        .pkey_free = rsa_free,

diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c index c722188c43..d7ce931733 100644 --- a/src/lib/libcrypto/rsa/rsa_ameth.c +++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_ameth.c,v 1.58 2024/03/17 07:10:00 tb Exp $ */	1	/* $OpenBSD: rsa_ameth.c,v 1.59 2024/08/28 07:15:04 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -845,6 +845,58 @@ rsa_pss_get_param(const RSA_PSS_PARAMS pss, const EVP_MD *pmd,
845	return 1;	845	return 1;
846	}	846	}
847		847
		848	static int
		849	rsa_pss_signature_info(const X509_ALGOR alg, int out_md_nid,
		850	int out_pkey_nid, int out_security_bits, uint32_t *out_flags)
		851	{
		852	RSA_PSS_PARAMS *pss = NULL;
		853	const ASN1_OBJECT *aobj;
		854	const EVP_MD md, mgf1md;
		855	int md_len, salt_len;
		856	int md_nid = NID_undef, pkey_nid = NID_undef;
		857	int security_bits = -1;
		858	uint32_t flags = 0;
		859
		860	X509_ALGOR_get0(&aobj, NULL, NULL, alg);
		861	if (OBJ_obj2nid(aobj) != EVP_PKEY_RSA_PSS)
		862	goto err;
		863
		864	if ((pss = rsa_pss_decode(alg)) == NULL)
		865	goto err;
		866	if (!rsa_pss_get_param(pss, &md, &mgf1md, &salt_len))
		867	goto err;
		868
		869	if ((md_nid = EVP_MD_type(md)) == NID_undef)
		870	goto err;
		871	if ((md_len = EVP_MD_size(md)) <= 0)
		872	goto err;
		873
		874	/*
		875	* RFC 8446, section 4.2.3 - restricts the digest algorithm:
		876	* - it must be one of SHA256, SHA384, and SHA512;
		877	* - the same digest must be used in the mask generation function;
		878	* - the salt length must match the output length of the digest.
		879	* XXX - consider separate flags for these checks.
		880	*/
		881	if (md_nid == NID_sha256 \|\| md_nid == NID_sha384 \|\| md_nid == NID_sha512) {
		882	if (md_nid == EVP_MD_type(mgf1md) && salt_len == md_len)
		883	flags \|= X509_SIG_INFO_TLS;
		884	}
		885
		886	security_bits = md_len * 4;
		887	flags \|= X509_SIG_INFO_VALID;
		888
		889	*out_md_nid = md_nid;
		890	*out_pkey_nid = pkey_nid;
		891	*out_security_bits = security_bits;
		892	*out_flags = flags;
		893
		894	err:
		895	RSA_PSS_PARAMS_free(pss);
		896
		897	return (flags & X509_SIG_INFO_VALID) != 0;
		898	}
		899
848	#ifndef OPENSSL_NO_CMS	900	#ifndef OPENSSL_NO_CMS
849	static int	901	static int
850	rsa_cms_verify(CMS_SignerInfo *si)	902	rsa_cms_verify(CMS_SignerInfo *si)
@@ -1216,6 +1268,8 @@ const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
1216	.pkey_bits = rsa_bits,	1268	.pkey_bits = rsa_bits,
1217	.pkey_security_bits = rsa_security_bits,	1269	.pkey_security_bits = rsa_security_bits,
1218		1270
		1271	.signature_info = rsa_pss_signature_info,
		1272
1219	.sig_print = rsa_sig_print,	1273	.sig_print = rsa_sig_print,
1220		1274
1221	.pkey_free = rsa_free,	1275	.pkey_free = rsa_free,