Skip to content

Commit

Permalink
fips: Return the signature length
Browse files Browse the repository at this point in the history 
We need to pass the siglen from the fips wrapper for ECDSA signatures
to work

The OpenSSL d2i_* functions do not care about trailing data, but
rust-asn1 does not allow any trailing data so we need to pass the
signature length from the FIPS submodule to the ecc code and resize
the vector.
  • Loading branch information
@Jakuje
Jakuje committed Feb 26, 2024
1 parent 247dc11 commit ddc90dc
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 4 deletions.
10 changes: 7 additions & 3 deletions src/fips.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -746,18 +746,22 @@ impl ProviderSignatureCtx {
}
}

pub fn digest_sign_final(&mut self, signature: &mut [u8]) -> KResult<()> {
pub fn digest_sign_final(&mut self, signature: &mut [u8]) -> KResult<usize> {
unsafe {
match (*self.vtable).digest_sign_final {
Some(f) => {
let mut siglen = 0usize;
let siglen_ptr: *mut usize = &mut siglen;
res_to_err!(f(
let res = f(
self.ctx,
signature.as_mut_ptr() as *mut c_uchar,
siglen_ptr,
signature.len()
))
);
if res != 1 {
return err_rv!(CKR_DEVICE_ERROR);
}
Ok(siglen)
}
None => err_rv!(CKR_DEVICE_ERROR),
}
Expand Down
9 changes: 8 additions & 1 deletion src/ossl/rsa.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -818,7 +818,14 @@ impl Sign for RsaPKCSOperation {

#[cfg(feature = "fips")]
{
self.sigctx.as_mut().unwrap().digest_sign_final(signature)
match self.sigctx.as_mut().unwrap().digest_sign_final(signature) {
Ok(siglen) => if siglen != signature.len() {
err_rv!(CKR_DEVICE_ERROR)
} else {
Ok(())
},
Err(_) => return err_rv!(CKR_DEVICE_ERROR),
}
}
#[cfg(not(feature = "fips"))]
unsafe {
Expand Down

0 comments on commit ddc90dc

Please sign in to comment.