1 /*
2 * Copyright 2020-2026 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * ECDSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <string.h> /* memcpy */
17 #include <openssl/crypto.h>
18 #include <openssl/core_dispatch.h>
19 #include <openssl/core_names.h>
20 #include <openssl/dsa.h>
21 #include <openssl/params.h>
22 #include <openssl/evp.h>
23 #include <openssl/err.h>
24 #include <openssl/proverr.h>
25 #include "internal/nelem.h"
26 #include "internal/sizes.h"
27 #include "internal/cryptlib.h"
28 #include "internal/deterministic_nonce.h"
29 #include "prov/providercommon.h"
30 #include "prov/implementations.h"
31 #include "prov/provider_ctx.h"
32 #include "prov/securitycheck.h"
33 #include "prov/der_ec.h"
34 #include "crypto/ec.h"
35
36 static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
37 static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
38 static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
39 static OSSL_FUNC_signature_sign_fn ecdsa_sign;
40 static OSSL_FUNC_signature_sign_message_update_fn ecdsa_signverify_message_update;
41 static OSSL_FUNC_signature_sign_message_final_fn ecdsa_sign_message_final;
42 static OSSL_FUNC_signature_verify_fn ecdsa_verify;
43 static OSSL_FUNC_signature_verify_message_update_fn ecdsa_signverify_message_update;
44 static OSSL_FUNC_signature_verify_message_final_fn ecdsa_verify_message_final;
45 static OSSL_FUNC_signature_digest_sign_init_fn ecdsa_digest_sign_init;
46 static OSSL_FUNC_signature_digest_sign_update_fn ecdsa_digest_signverify_update;
47 static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
48 static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
49 static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
50 static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
51 static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
52 static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
53 static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types;
54 static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
55 static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
56 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_set_ctx_params;
57 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_settable_ctx_params;
58 static OSSL_FUNC_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params;
59 static OSSL_FUNC_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params;
60 static OSSL_FUNC_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params;
61 static OSSL_FUNC_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params;
62 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_sigalg_set_ctx_params;
63 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_sigalg_settable_ctx_params;
64
65 /*
66 * What's passed as an actual key is defined by the KEYMGMT interface.
67 * We happen to know that our KEYMGMT simply passes DSA structures, so
68 * we use that here too.
69 */
70
71 typedef struct {
72 OSSL_LIB_CTX *libctx;
73 char *propq;
74 EC_KEY *ec;
75 /* |operation| reuses EVP's operation bitfield */
76 int operation;
77
78 /*
79 * Flag to determine if a full sigalg is run (1) or if a composable
80 * signature algorithm is run (0).
81 *
82 * When a full sigalg is run (1), this currently affects the following
83 * other flags, which are to remain untouched after their initialization:
84 *
85 * - flag_allow_md (initialized to 0)
86 */
87 unsigned int flag_sigalg : 1;
88 /*
89 * Flag to determine if the hash function can be changed (1) or not (0)
90 * Because it's dangerous to change during a DigestSign or DigestVerify
91 * operation, this flag is cleared by their Init function, and set again
92 * by their Final function.
93 */
94 unsigned int flag_allow_md : 1;
95
96 /* The Algorithm Identifier of the combined signature algorithm */
97 unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
98 size_t aid_len;
99
100 /* main digest */
101 char mdname[OSSL_MAX_NAME_SIZE];
102 EVP_MD *md;
103 EVP_MD_CTX *mdctx;
104 size_t mdsize;
105
106 /* Signature, for verification */
107 unsigned char *sig;
108 size_t siglen;
109
110 /*
111 * Internally used to cache the results of calling the EC group
112 * sign_setup() methods which are then passed to the sign operation.
113 * This is used by CAVS failure tests to terminate a loop if the signature
114 * is not valid.
115 * This could of also been done with a simple flag.
116 */
117 BIGNUM *kinv;
118 BIGNUM *r;
119 #if !defined(OPENSSL_NO_ACVP_TESTS)
120 /*
121 * This indicates that KAT (CAVS) test is running. Externally an app will
122 * override the random callback such that the generated private key and k
123 * are known.
124 * Normal operation will loop to choose a new k if the signature is not
125 * valid - but for this mode of operation it forces a failure instead.
126 */
127 unsigned int kattest;
128 #endif
129 #ifdef FIPS_MODULE
130 /*
131 * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a
132 * message is not permitted. However, signing based on a digest is still
133 * permitted.
134 */
135 int verify_message;
136 #endif
137 /* If this is set then the generated k is not random */
138 unsigned int nonce_type;
139 OSSL_FIPS_IND_DECLARE
140 } PROV_ECDSA_CTX;
141
ecdsa_newctx(void * provctx,const char * propq)142 static void *ecdsa_newctx(void *provctx, const char *propq)
143 {
144 PROV_ECDSA_CTX *ctx;
145
146 if (!ossl_prov_is_running())
147 return NULL;
148
149 ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));
150 if (ctx == NULL)
151 return NULL;
152
153 OSSL_FIPS_IND_INIT(ctx)
154 ctx->flag_allow_md = 1;
155 #ifdef FIPS_MODULE
156 ctx->verify_message = 1;
157 #endif
158 ctx->libctx = PROV_LIBCTX_OF(provctx);
159 if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL) {
160 OPENSSL_free(ctx);
161 ctx = NULL;
162 }
163 return ctx;
164 }
165
ecdsa_setup_md(PROV_ECDSA_CTX * ctx,const char * mdname,const char * mdprops,const char * desc)166 static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
167 const char *mdname, const char *mdprops,
168 const char *desc)
169 {
170 EVP_MD *md = NULL;
171 size_t mdname_len;
172 int md_nid, md_size;
173 WPACKET pkt;
174 unsigned char *aid = NULL;
175
176 if (mdname == NULL)
177 return 1;
178
179 mdname_len = strlen(mdname);
180 if (mdname_len >= sizeof(ctx->mdname)) {
181 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
182 "%s exceeds name buffer length", mdname);
183 return 0;
184 }
185 if (mdprops == NULL)
186 mdprops = ctx->propq;
187 md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
188 if (md == NULL) {
189 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
190 "%s could not be fetched", mdname);
191 return 0;
192 }
193 md_size = EVP_MD_get_size(md);
194 if (md_size <= 0) {
195 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
196 "%s has invalid md size %d", mdname, md_size);
197 goto err;
198 }
199 md_nid = ossl_digest_get_approved_nid(md);
200 #ifdef FIPS_MODULE
201 if (md_nid == NID_undef) {
202 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
203 "digest=%s", mdname);
204 goto err;
205 }
206 #endif
207 /* XOF digests don't work */
208 if (EVP_MD_xof(md)) {
209 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
210 goto err;
211 }
212
213 #ifdef FIPS_MODULE
214 {
215 int sha1_allowed
216 = ((ctx->operation
217 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG))
218 == 0);
219
220 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
221 OSSL_FIPS_IND_SETTABLE1,
222 ctx->libctx,
223 md_nid, sha1_allowed, 0, desc,
224 ossl_fips_config_signature_digest_check))
225 goto err;
226 }
227 #endif
228
229 if (!ctx->flag_allow_md) {
230 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
231 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
232 "digest %s != %s", mdname, ctx->mdname);
233 goto err;
234 }
235 EVP_MD_free(md);
236 return 1;
237 }
238
239 EVP_MD_CTX_free(ctx->mdctx);
240 EVP_MD_free(ctx->md);
241
242 ctx->aid_len = 0;
243 #ifndef FIPS_MODULE
244 if (md_nid != NID_undef) {
245 #else
246 {
247 #endif
248 if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
249 && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec,
250 md_nid)
251 && WPACKET_finish(&pkt)) {
252 WPACKET_get_total_written(&pkt, &ctx->aid_len);
253 aid = WPACKET_get_curr(&pkt);
254 }
255 WPACKET_cleanup(&pkt);
256 if (aid != NULL && ctx->aid_len != 0)
257 memmove(ctx->aid_buf, aid, ctx->aid_len);
258 }
259
260 ctx->mdctx = NULL;
261 ctx->md = md;
262 ctx->mdsize = (size_t)md_size;
263 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
264
265 return 1;
266 err:
267 EVP_MD_free(md);
268 return 0;
269 }
270
271 static int
272 ecdsa_signverify_init(PROV_ECDSA_CTX *ctx, void *ec,
273 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
274 const OSSL_PARAM params[], int operation,
275 const char *desc)
276 {
277 if (!ossl_prov_is_running()
278 || ctx == NULL)
279 return 0;
280
281 if (ec == NULL && ctx->ec == NULL) {
282 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
283 return 0;
284 }
285
286 if (ec != NULL) {
287 if (!EC_KEY_up_ref(ec))
288 return 0;
289 EC_KEY_free(ctx->ec);
290 ctx->ec = ec;
291 }
292
293 ctx->operation = operation;
294
295 OSSL_FIPS_IND_SET_APPROVED(ctx)
296 if (!set_ctx_params(ctx, params))
297 return 0;
298 #ifdef FIPS_MODULE
299 if (!ossl_fips_ind_ec_key_check(OSSL_FIPS_IND_GET(ctx),
300 OSSL_FIPS_IND_SETTABLE0, ctx->libctx,
301 EC_KEY_get0_group(ctx->ec), desc,
302 (operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) != 0))
303 return 0;
304 #endif
305 return 1;
306 }
307
308 static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[])
309 {
310 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
311
312 #ifdef FIPS_MODULE
313 ctx->verify_message = 1;
314 #endif
315 return ecdsa_signverify_init(ctx, ec, ecdsa_set_ctx_params, params,
316 EVP_PKEY_OP_SIGN, "ECDSA Sign Init");
317 }
318
319 /*
320 * Sign tbs without digesting it first. This is suitable for "primitive"
321 * signing and signing the digest of a message.
322 */
323 static int ecdsa_sign_directly(void *vctx,
324 unsigned char *sig, size_t *siglen, size_t sigsize,
325 const unsigned char *tbs, size_t tbslen)
326 {
327 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
328 int ret;
329 unsigned int sltmp;
330 size_t ecsize = ECDSA_size(ctx->ec);
331
332 if (!ossl_prov_is_running())
333 return 0;
334
335 if (sig == NULL) {
336 *siglen = ecsize;
337 return 1;
338 }
339
340 #if !defined(OPENSSL_NO_ACVP_TESTS)
341 if (ctx->kattest && !ECDSA_sign_setup(ctx->ec, NULL, &ctx->kinv, &ctx->r))
342 return 0;
343 #endif
344
345 if (sigsize < (size_t)ecsize)
346 return 0;
347
348 if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
349 return 0;
350
351 if (ctx->nonce_type != 0) {
352 const char *mdname = NULL;
353
354 if (ctx->mdname[0] != '\0')
355 mdname = ctx->mdname;
356 ret = ossl_ecdsa_deterministic_sign(tbs, tbslen, sig, &sltmp,
357 ctx->ec, ctx->nonce_type,
358 mdname,
359 ctx->libctx, ctx->propq);
360 } else {
361 ret = ECDSA_sign_ex(0, tbs, tbslen, sig, &sltmp, ctx->kinv, ctx->r,
362 ctx->ec);
363 }
364 if (ret <= 0)
365 return 0;
366
367 *siglen = sltmp;
368 return 1;
369 }
370
371 static int ecdsa_signverify_message_update(void *vctx,
372 const unsigned char *data,
373 size_t datalen)
374 {
375 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
376
377 if (ctx == NULL)
378 return 0;
379
380 return EVP_DigestUpdate(ctx->mdctx, data, datalen);
381 }
382
383 static int ecdsa_sign_message_final(void *vctx, unsigned char *sig,
384 size_t *siglen, size_t sigsize)
385 {
386 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
387 unsigned char digest[EVP_MAX_MD_SIZE];
388 unsigned int dlen = 0;
389
390 if (!ossl_prov_is_running() || ctx == NULL)
391 return 0;
392 if (ctx->mdctx == NULL)
393 return 0;
394 /*
395 * If sig is NULL then we're just finding out the sig size. Other fields
396 * are ignored. Defer to ecdsa_sign.
397 */
398 if (sig != NULL
399 && !EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
400 return 0;
401 return ecdsa_sign_directly(vctx, sig, siglen, sigsize, digest, dlen);
402 }
403
404 /*
405 * If signing a message, digest tbs and sign the result.
406 * Otherwise, sign tbs directly.
407 */
408 static int ecdsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
409 size_t sigsize, const unsigned char *tbs, size_t tbslen)
410 {
411 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
412
413 if (ctx->operation == EVP_PKEY_OP_SIGNMSG) {
414 /*
415 * If |sig| is NULL, the caller is only looking for the sig length.
416 * DO NOT update the input in this case.
417 */
418 if (sig == NULL)
419 return ecdsa_sign_message_final(ctx, sig, siglen, sigsize);
420
421 if (ecdsa_signverify_message_update(ctx, tbs, tbslen) <= 0)
422 return 0;
423 return ecdsa_sign_message_final(ctx, sig, siglen, sigsize);
424 }
425 return ecdsa_sign_directly(ctx, sig, siglen, sigsize, tbs, tbslen);
426 }
427
428 static int ecdsa_verify_init(void *vctx, void *ec, const OSSL_PARAM params[])
429 {
430 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
431
432 #ifdef FIPS_MODULE
433 ctx->verify_message = 0;
434 #endif
435 return ecdsa_signverify_init(ctx, ec, ecdsa_set_ctx_params, params,
436 EVP_PKEY_OP_VERIFY, "ECDSA Verify Init");
437 }
438
439 static int ecdsa_verify_directly(void *vctx,
440 const unsigned char *sig, size_t siglen,
441 const unsigned char *tbs, size_t tbslen)
442 {
443 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
444
445 if (!ossl_prov_is_running() || (ctx->mdsize != 0 && tbslen != ctx->mdsize))
446 return 0;
447
448 return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
449 }
450
451 static int ecdsa_verify_set_sig(void *vctx,
452 const unsigned char *sig, size_t siglen)
453 {
454 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
455 OSSL_PARAM params[2];
456
457 params[0] = OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE,
458 (unsigned char *)sig, siglen);
459 params[1] = OSSL_PARAM_construct_end();
460 return ecdsa_sigalg_set_ctx_params(ctx, params);
461 }
462
463 static int ecdsa_verify_message_final(void *vctx)
464 {
465 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
466 unsigned char digest[EVP_MAX_MD_SIZE];
467 unsigned int dlen = 0;
468
469 if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL)
470 return 0;
471
472 /*
473 * The digests used here are all known (see ecdsa_get_md_nid()), so they
474 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
475 */
476 if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
477 return 0;
478
479 return ecdsa_verify_directly(vctx, ctx->sig, ctx->siglen,
480 digest, dlen);
481 }
482
483 /*
484 * If verifying a message, digest tbs and verify the result.
485 * Otherwise, verify tbs directly.
486 */
487 static int ecdsa_verify(void *vctx,
488 const unsigned char *sig, size_t siglen,
489 const unsigned char *tbs, size_t tbslen)
490 {
491 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
492
493 if (ctx->operation == EVP_PKEY_OP_VERIFYMSG) {
494 if (ecdsa_verify_set_sig(ctx, sig, siglen) <= 0)
495 return 0;
496 if (ecdsa_signverify_message_update(ctx, tbs, tbslen) <= 0)
497 return 0;
498 return ecdsa_verify_message_final(ctx);
499 }
500 return ecdsa_verify_directly(ctx, sig, siglen, tbs, tbslen);
501 }
502
503 /* DigestSign/DigestVerify wrappers */
504
505 static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
506 void *ec, const OSSL_PARAM params[],
507 int operation, const char *desc)
508 {
509 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
510
511 if (!ossl_prov_is_running())
512 return 0;
513
514 #ifdef FIPS_MODULE
515 ctx->verify_message = 1;
516 #endif
517 if (!ecdsa_signverify_init(vctx, ec, ecdsa_set_ctx_params, params,
518 operation, desc))
519 return 0;
520
521 if (mdname != NULL
522 /* was ecdsa_setup_md already called in ecdsa_signverify_init()? */
523 && (mdname[0] == '\0' || OPENSSL_strcasecmp(ctx->mdname, mdname) != 0)
524 && !ecdsa_setup_md(ctx, mdname, NULL, desc))
525 return 0;
526
527 ctx->flag_allow_md = 0;
528
529 if (ctx->mdctx == NULL) {
530 ctx->mdctx = EVP_MD_CTX_new();
531 if (ctx->mdctx == NULL)
532 goto error;
533 }
534
535 if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params))
536 goto error;
537 return 1;
538 error:
539 EVP_MD_CTX_free(ctx->mdctx);
540 ctx->mdctx = NULL;
541 return 0;
542 }
543
544 static int ecdsa_digest_sign_init(void *vctx, const char *mdname, void *ec,
545 const OSSL_PARAM params[])
546 {
547 return ecdsa_digest_signverify_init(vctx, mdname, ec, params,
548 EVP_PKEY_OP_SIGNMSG,
549 "ECDSA Digest Sign Init");
550 }
551
552 static int ecdsa_digest_signverify_update(void *vctx, const unsigned char *data,
553 size_t datalen)
554 {
555 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
556
557 if (ctx == NULL || ctx->mdctx == NULL)
558 return 0;
559 /* Sigalg implementations shouldn't do digest_sign */
560 if (ctx->flag_sigalg)
561 return 0;
562
563 return ecdsa_signverify_message_update(vctx, data, datalen);
564 }
565
566 int ecdsa_digest_sign_final(void *vctx, unsigned char *sig, size_t *siglen,
567 size_t sigsize)
568 {
569 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
570 int ok = 0;
571
572 if (ctx == NULL)
573 return 0;
574 /* Sigalg implementations shouldn't do digest_sign */
575 if (ctx->flag_sigalg)
576 return 0;
577
578 ok = ecdsa_sign_message_final(ctx, sig, siglen, sigsize);
579
580 ctx->flag_allow_md = 1;
581
582 return ok;
583 }
584
585 static int ecdsa_digest_verify_init(void *vctx, const char *mdname, void *ec,
586 const OSSL_PARAM params[])
587 {
588 return ecdsa_digest_signverify_init(vctx, mdname, ec, params,
589 EVP_PKEY_OP_VERIFYMSG,
590 "ECDSA Digest Verify Init");
591 }
592
593 int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
594 size_t siglen)
595 {
596 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
597 int ok = 0;
598
599 if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL)
600 return 0;
601
602 /* Sigalg implementations shouldn't do digest_verify */
603 if (ctx->flag_sigalg)
604 return 0;
605
606 if (ecdsa_verify_set_sig(ctx, sig, siglen))
607 ok = ecdsa_verify_message_final(ctx);
608
609 ctx->flag_allow_md = 1;
610
611 return ok;
612 }
613
614 static void ecdsa_freectx(void *vctx)
615 {
616 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
617
618 EVP_MD_CTX_free(ctx->mdctx);
619 EVP_MD_free(ctx->md);
620 OPENSSL_free(ctx->propq);
621 OPENSSL_free(ctx->sig);
622 EC_KEY_free(ctx->ec);
623 BN_clear_free(ctx->kinv);
624 BN_clear_free(ctx->r);
625 OPENSSL_free(ctx);
626 }
627
628 static void *ecdsa_dupctx(void *vctx)
629 {
630 PROV_ECDSA_CTX *srcctx = (PROV_ECDSA_CTX *)vctx;
631 PROV_ECDSA_CTX *dstctx;
632
633 /* Test KATS should not need to be supported */
634 if (!ossl_prov_is_running()
635 || srcctx->kinv != NULL
636 || srcctx->r != NULL
637 || (dstctx = OPENSSL_memdup(srcctx, sizeof(*srcctx))) == NULL)
638 return NULL;
639
640 dstctx->ec = NULL;
641 dstctx->propq = NULL;
642 dstctx->md = NULL;
643 dstctx->mdctx = NULL;
644 dstctx->sig = NULL;
645
646 if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
647 goto err;
648 dstctx->ec = srcctx->ec;
649
650 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
651 goto err;
652 dstctx->md = srcctx->md;
653
654 if (srcctx->mdctx != NULL
655 && ((dstctx->mdctx = EVP_MD_CTX_new()) == NULL
656 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)))
657 goto err;
658 if (srcctx->propq != NULL
659 && (dstctx->propq = OPENSSL_strdup(srcctx->propq)) == NULL)
660 goto err;
661 if (srcctx->sig != NULL
662 && (dstctx->sig = OPENSSL_memdup(srcctx->sig, srcctx->siglen)) == NULL)
663 goto err;
664
665 return dstctx;
666 err:
667 ecdsa_freectx(dstctx);
668 return NULL;
669 }
670
671 static int ecdsa_get_ctx_params(void *vctx, OSSL_PARAM *params)
672 {
673 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
674 OSSL_PARAM *p;
675
676 if (ctx == NULL)
677 return 0;
678
679 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
680 if (p != NULL && !OSSL_PARAM_set_octet_string(p, ctx->aid_len == 0 ? NULL : ctx->aid_buf, ctx->aid_len))
681 return 0;
682
683 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
684 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->mdsize))
685 return 0;
686
687 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
688 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL ? ctx->mdname : EVP_MD_get0_name(ctx->md)))
689 return 0;
690
691 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_NONCE_TYPE);
692 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->nonce_type))
693 return 0;
694
695 #ifdef FIPS_MODULE
696 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);
697 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->verify_message))
698 return 0;
699 #endif
700
701 if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))
702 return 0;
703 return 1;
704 }
705
706 static const OSSL_PARAM known_gettable_ctx_params[] = {
707 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
708 OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
709 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
710 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_NONCE_TYPE, NULL),
711 #ifdef FIPS_MODULE
712 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),
713 #endif
714 OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
715 OSSL_PARAM_END
716 };
717
718 static const OSSL_PARAM *ecdsa_gettable_ctx_params(ossl_unused void *vctx,
719 ossl_unused void *provctx)
720 {
721 return known_gettable_ctx_params;
722 }
723
724 /**
725 * @brief Set up common params for ecdsa_set_ctx_params and
726 * ecdsa_sigalg_set_ctx_params. The caller is responsible for checking |vctx| is
727 * not NULL and |params| is not empty.
728 */
729 static int ecdsa_common_set_ctx_params(void *vctx, const OSSL_PARAM params[])
730 {
731 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
732 const OSSL_PARAM *p;
733
734 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params,
735 OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK))
736 return 0;
737 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE1, params,
738 OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK))
739 return 0;
740
741 #if !defined(OPENSSL_NO_ACVP_TESTS)
742 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
743 if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->kattest))
744 return 0;
745 #endif
746
747 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_NONCE_TYPE);
748 if (p != NULL
749 && !OSSL_PARAM_get_uint(p, &ctx->nonce_type))
750 return 0;
751 return 1;
752 }
753
754 #define ECDSA_COMMON_SETTABLE_CTX_PARAMS \
755 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT, NULL), \
756 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_NONCE_TYPE, NULL), \
757 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) \
758 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) \
759 OSSL_PARAM_END
760
761 static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
762 {
763 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
764 const OSSL_PARAM *p;
765 size_t mdsize = 0;
766 int ret;
767
768 if (ctx == NULL)
769 return 0;
770 if (ossl_param_is_empty(params))
771 return 1;
772
773 if ((ret = ecdsa_common_set_ctx_params(ctx, params)) <= 0)
774 return ret;
775
776 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
777 if (p != NULL) {
778 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname;
779 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops;
780 const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params,
781 OSSL_SIGNATURE_PARAM_PROPERTIES);
782
783 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
784 return 0;
785 if (propsp != NULL
786 && !OSSL_PARAM_get_utf8_string(propsp, &pmdprops, sizeof(mdprops)))
787 return 0;
788 if (!ecdsa_setup_md(ctx, mdname, mdprops, "ECDSA Set Ctx"))
789 return 0;
790 }
791
792 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
793 if (p != NULL) {
794 if (!OSSL_PARAM_get_size_t(p, &mdsize)
795 || (!ctx->flag_allow_md && mdsize != ctx->mdsize))
796 return 0;
797 ctx->mdsize = mdsize;
798 }
799 return 1;
800 }
801
802 static const OSSL_PARAM settable_ctx_params[] = {
803 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
804 OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
805 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
806 ECDSA_COMMON_SETTABLE_CTX_PARAMS
807 };
808
809 static const OSSL_PARAM *ecdsa_settable_ctx_params(void *vctx,
810 ossl_unused void *provctx)
811 {
812 return settable_ctx_params;
813 }
814
815 static int ecdsa_get_ctx_md_params(void *vctx, OSSL_PARAM *params)
816 {
817 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
818
819 if (ctx->mdctx == NULL)
820 return 0;
821
822 return EVP_MD_CTX_get_params(ctx->mdctx, params);
823 }
824
825 static const OSSL_PARAM *ecdsa_gettable_ctx_md_params(void *vctx)
826 {
827 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
828
829 if (ctx->md == NULL)
830 return 0;
831
832 return EVP_MD_gettable_ctx_params(ctx->md);
833 }
834
835 static int ecdsa_set_ctx_md_params(void *vctx, const OSSL_PARAM params[])
836 {
837 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
838
839 if (ctx->mdctx == NULL)
840 return 0;
841
842 return EVP_MD_CTX_set_params(ctx->mdctx, params);
843 }
844
845 static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
846 {
847 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
848
849 if (ctx->md == NULL)
850 return 0;
851
852 return EVP_MD_settable_ctx_params(ctx->md);
853 }
854
855 const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
856 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
857 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
858 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign },
859 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_verify_init },
860 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify },
861 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
862 (void (*)(void))ecdsa_digest_sign_init },
863 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
864 (void (*)(void))ecdsa_digest_signverify_update },
865 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
866 (void (*)(void))ecdsa_digest_sign_final },
867 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
868 (void (*)(void))ecdsa_digest_verify_init },
869 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
870 (void (*)(void))ecdsa_digest_signverify_update },
871 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
872 (void (*)(void))ecdsa_digest_verify_final },
873 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx },
874 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx },
875 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))ecdsa_get_ctx_params },
876 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
877 (void (*)(void))ecdsa_gettable_ctx_params },
878 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))ecdsa_set_ctx_params },
879 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
880 (void (*)(void))ecdsa_settable_ctx_params },
881 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
882 (void (*)(void))ecdsa_get_ctx_md_params },
883 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
884 (void (*)(void))ecdsa_gettable_ctx_md_params },
885 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
886 (void (*)(void))ecdsa_set_ctx_md_params },
887 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
888 (void (*)(void))ecdsa_settable_ctx_md_params },
889 OSSL_DISPATCH_END
890 };
891
892 /* ------------------------------------------------------------------ */
893
894 /*
895 * So called sigalgs (composite ECDSA+hash) implemented below. They
896 * are pretty much hard coded.
897 */
898
899 static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types;
900 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_sigalg_settable_ctx_params;
901 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_sigalg_set_ctx_params;
902
903 /*
904 * ecdsa_sigalg_signverify_init() is almost like ecdsa_digest_signverify_init(),
905 * just doesn't allow fetching an MD from whatever the user chooses.
906 */
907 static int ecdsa_sigalg_signverify_init(void *vctx, void *vec,
908 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
909 const OSSL_PARAM params[],
910 const char *mdname,
911 int operation, const char *desc)
912 {
913 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
914
915 if (!ossl_prov_is_running())
916 return 0;
917
918 if (!ecdsa_signverify_init(vctx, vec, set_ctx_params, params, operation,
919 desc))
920 return 0;
921
922 if (!ecdsa_setup_md(ctx, mdname, NULL, desc))
923 return 0;
924
925 ctx->flag_sigalg = 1;
926 ctx->flag_allow_md = 0;
927
928 if (ctx->mdctx == NULL) {
929 ctx->mdctx = EVP_MD_CTX_new();
930 if (ctx->mdctx == NULL)
931 goto error;
932 }
933
934 if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params))
935 goto error;
936
937 return 1;
938
939 error:
940 EVP_MD_CTX_free(ctx->mdctx);
941 ctx->mdctx = NULL;
942 return 0;
943 }
944
945 static const char **ecdsa_sigalg_query_key_types(void)
946 {
947 static const char *keytypes[] = { "EC", NULL };
948
949 return keytypes;
950 }
951
952 static const OSSL_PARAM settable_sigalg_ctx_params[] = {
953 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),
954 ECDSA_COMMON_SETTABLE_CTX_PARAMS
955 };
956
957 static const OSSL_PARAM *ecdsa_sigalg_settable_ctx_params(void *vctx,
958 ossl_unused void *provctx)
959 {
960 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
961
962 if (ctx != NULL && ctx->operation == EVP_PKEY_OP_VERIFYMSG)
963 return settable_sigalg_ctx_params;
964 return NULL;
965 }
966
967 static int ecdsa_sigalg_set_ctx_params(void *vctx, const OSSL_PARAM params[])
968 {
969 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
970 const OSSL_PARAM *p;
971 int ret;
972
973 if (ctx == NULL)
974 return 0;
975 if (ossl_param_is_empty(params))
976 return 1;
977
978 if ((ret = ecdsa_common_set_ctx_params(ctx, params)) <= 0)
979 return ret;
980
981 if (ctx->operation == EVP_PKEY_OP_VERIFYMSG) {
982 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);
983 if (p != NULL) {
984 OPENSSL_free(ctx->sig);
985 ctx->sig = NULL;
986 ctx->siglen = 0;
987 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->sig,
988 0, &ctx->siglen))
989 return 0;
990 /* The signature must not be empty */
991 if (ctx->siglen == 0) {
992 OPENSSL_free(ctx->sig);
993 ctx->sig = NULL;
994 return 0;
995 }
996 }
997 }
998 return 1;
999 }
1000
1001 #define IMPL_ECDSA_SIGALG(md, MD) \
1002 static OSSL_FUNC_signature_sign_init_fn ecdsa_##md##_sign_init; \
1003 static OSSL_FUNC_signature_sign_message_init_fn \
1004 ecdsa_##md##_sign_message_init; \
1005 static OSSL_FUNC_signature_verify_init_fn ecdsa_##md##_verify_init; \
1006 static OSSL_FUNC_signature_verify_message_init_fn \
1007 ecdsa_##md##_verify_message_init; \
1008 \
1009 static int \
1010 ecdsa_##md##_sign_init(void *vctx, void *vec, \
1011 const OSSL_PARAM params[]) \
1012 { \
1013 static const char desc[] = "ECDSA-" #MD " Sign Init"; \
1014 \
1015 return ecdsa_sigalg_signverify_init(vctx, vec, \
1016 ecdsa_sigalg_set_ctx_params, \
1017 params, #MD, \
1018 EVP_PKEY_OP_SIGN, \
1019 desc); \
1020 } \
1021 \
1022 static int \
1023 ecdsa_##md##_sign_message_init(void *vctx, void *vec, \
1024 const OSSL_PARAM params[]) \
1025 { \
1026 static const char desc[] = "ECDSA-" #MD " Sign Message Init"; \
1027 \
1028 return ecdsa_sigalg_signverify_init(vctx, vec, \
1029 ecdsa_sigalg_set_ctx_params, \
1030 params, #MD, \
1031 EVP_PKEY_OP_SIGNMSG, \
1032 desc); \
1033 } \
1034 \
1035 static int \
1036 ecdsa_##md##_verify_init(void *vctx, void *vec, \
1037 const OSSL_PARAM params[]) \
1038 { \
1039 static const char desc[] = "ECDSA-" #MD " Verify Init"; \
1040 \
1041 return ecdsa_sigalg_signverify_init(vctx, vec, \
1042 ecdsa_sigalg_set_ctx_params, \
1043 params, #MD, \
1044 EVP_PKEY_OP_VERIFY, \
1045 desc); \
1046 } \
1047 \
1048 static int \
1049 ecdsa_##md##_verify_message_init(void *vctx, void *vec, \
1050 const OSSL_PARAM params[]) \
1051 { \
1052 static const char desc[] = "ECDSA-" #MD " Verify Message Init"; \
1053 \
1054 return ecdsa_sigalg_signverify_init(vctx, vec, \
1055 ecdsa_sigalg_set_ctx_params, \
1056 params, #MD, \
1057 EVP_PKEY_OP_VERIFYMSG, \
1058 desc); \
1059 } \
1060 \
1061 const OSSL_DISPATCH ossl_ecdsa_##md##_signature_functions[] = { \
1062 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, \
1063 { OSSL_FUNC_SIGNATURE_SIGN_INIT, \
1064 (void (*)(void))ecdsa_##md##_sign_init }, \
1065 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign }, \
1066 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \
1067 (void (*)(void))ecdsa_##md##_sign_message_init }, \
1068 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \
1069 (void (*)(void))ecdsa_signverify_message_update }, \
1070 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \
1071 (void (*)(void))ecdsa_sign_message_final }, \
1072 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \
1073 (void (*)(void))ecdsa_##md##_verify_init }, \
1074 { OSSL_FUNC_SIGNATURE_VERIFY, \
1075 (void (*)(void))ecdsa_verify }, \
1076 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \
1077 (void (*)(void))ecdsa_##md##_verify_message_init }, \
1078 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \
1079 (void (*)(void))ecdsa_signverify_message_update }, \
1080 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \
1081 (void (*)(void))ecdsa_verify_message_final }, \
1082 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx }, \
1083 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx }, \
1084 { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \
1085 (void (*)(void))ecdsa_sigalg_query_key_types }, \
1086 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \
1087 (void (*)(void))ecdsa_get_ctx_params }, \
1088 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \
1089 (void (*)(void))ecdsa_gettable_ctx_params }, \
1090 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \
1091 (void (*)(void))ecdsa_sigalg_set_ctx_params }, \
1092 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \
1093 (void (*)(void))ecdsa_sigalg_settable_ctx_params }, \
1094 OSSL_DISPATCH_END \
1095 }
1096
1097 /* clang-format off */
1098 IMPL_ECDSA_SIGALG(sha1, SHA1);
1099 IMPL_ECDSA_SIGALG(sha224, SHA2-224);
1100 IMPL_ECDSA_SIGALG(sha256, SHA2-256);
1101 IMPL_ECDSA_SIGALG(sha384, SHA2-384);
1102 IMPL_ECDSA_SIGALG(sha512, SHA2-512);
1103 IMPL_ECDSA_SIGALG(sha3_224, SHA3-224);
1104 IMPL_ECDSA_SIGALG(sha3_256, SHA3-256);
1105 IMPL_ECDSA_SIGALG(sha3_384, SHA3-384);
1106 IMPL_ECDSA_SIGALG(sha3_512, SHA3-512);
1107 /* clang-format on */
1108