From 4f6f77f7e4c2c6b91a9ff6752ed9afd453f2d819 Mon Sep 17 00:00:00 2001 From: Shubham Mittal Date: Wed, 21 Aug 2024 17:40:36 -0700 Subject: [PATCH] moved default RSA_METHOD declaration and used macro to prevent FIPS integrity failure --- crypto/fipsmodule/rsa/internal.h | 4 ---- crypto/fipsmodule/rsa/rsa_impl.c | 7 ++----- include/openssl/rsa.h | 4 ++++ 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/crypto/fipsmodule/rsa/internal.h b/crypto/fipsmodule/rsa/internal.h index dae9e3aec5b..69e7acfe6b5 100644 --- a/crypto/fipsmodule/rsa/internal.h +++ b/crypto/fipsmodule/rsa/internal.h @@ -171,10 +171,6 @@ struct rsa_st { // Default implementations of RSA operations. -// RSA_get_default_method returns a zero initialized |RSA_METHOD| object. The -// wrapper functions will select the appropriate |rsa_default_*| implementation. -const RSA_METHOD *RSA_get_default_method(void); - size_t rsa_default_size(const RSA *rsa); int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, diff --git a/crypto/fipsmodule/rsa/rsa_impl.c b/crypto/fipsmodule/rsa/rsa_impl.c index d9e9b0f2fdd..86c4ae8fa2d 100644 --- a/crypto/fipsmodule/rsa/rsa_impl.c +++ b/crypto/fipsmodule/rsa/rsa_impl.c @@ -1277,12 +1277,9 @@ int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) { return ret; } -static RSA_METHOD default_rsa_meth; - -const RSA_METHOD *RSA_get_default_method(void) { +DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_get_default_method) { // All of the methods are NULL to make it easier for the compiler/linker to // drop unused functions. The wrapper functions will select the appropriate // |rsa_default_*| implementation. - OPENSSL_memset(&default_rsa_meth, 0, sizeof(RSA_METHOD)); - return &default_rsa_meth; + OPENSSL_memset(out, 0, sizeof(RSA_METHOD)); } diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index bcfe822a77a..c24b9408139 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -217,6 +217,10 @@ OPENSSL_EXPORT int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, // RSA_METHOD functions +// RSA_get_default_method returns a zero initialized |RSA_METHOD| object. The +// wrapper functions will select the appropriate |rsa_default_*| implementation. +OPENSSL_EXPORT const RSA_METHOD *RSA_get_default_method(void); + // RSA_meth_new returns a zero-initialized |RSA_METHOD| object. It sets // |flags| on the object. The |name| parameter is currently ignored and // part of the function signature for OpenSSL compatibility.