1 /* 2 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * ECDSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <string.h> /* memcpy */ 17 #include <openssl/crypto.h> 18 #include <openssl/core_dispatch.h> 19 #include <openssl/core_names.h> 20 #include <openssl/dsa.h> 21 #include <openssl/params.h> 22 #include <openssl/evp.h> 23 #include <openssl/err.h> 24 #include <openssl/proverr.h> 25 #include "internal/nelem.h" 26 #include "internal/sizes.h" 27 #include "internal/cryptlib.h" 28 #include "internal/deterministic_nonce.h" 29 #include "prov/providercommon.h" 30 #include "prov/implementations.h" 31 #include "prov/provider_ctx.h" 32 #include "prov/securitycheck.h" 33 #include "prov/der_ec.h" 34 #include "crypto/ec.h" 35 36 static OSSL_FUNC_signature_newctx_fn ecdsa_newctx; 37 static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; 38 static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; 39 static OSSL_FUNC_signature_sign_fn ecdsa_sign; 40 static OSSL_FUNC_signature_sign_message_update_fn ecdsa_signverify_message_update; 41 static OSSL_FUNC_signature_sign_message_final_fn ecdsa_sign_message_final; 42 static OSSL_FUNC_signature_verify_fn ecdsa_verify; 43 static OSSL_FUNC_signature_verify_message_update_fn ecdsa_signverify_message_update; 44 static OSSL_FUNC_signature_verify_message_final_fn ecdsa_verify_message_final; 45 static OSSL_FUNC_signature_digest_sign_init_fn ecdsa_digest_sign_init; 46 static OSSL_FUNC_signature_digest_sign_update_fn ecdsa_digest_signverify_update; 47 static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; 48 static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; 49 static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; 50 static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; 51 static OSSL_FUNC_signature_freectx_fn ecdsa_freectx; 52 static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx; 53 static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types; 54 static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; 55 static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; 56 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_set_ctx_params; 57 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_settable_ctx_params; 58 static OSSL_FUNC_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params; 59 static OSSL_FUNC_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params; 60 static OSSL_FUNC_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params; 61 static OSSL_FUNC_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params; 62 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_sigalg_set_ctx_params; 63 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_sigalg_settable_ctx_params; 64 65 /* 66 * What's passed as an actual key is defined by the KEYMGMT interface. 67 * We happen to know that our KEYMGMT simply passes DSA structures, so 68 * we use that here too. 69 */ 70 71 typedef struct { 72 OSSL_LIB_CTX *libctx; 73 char *propq; 74 EC_KEY *ec; 75 /* |operation| reuses EVP's operation bitfield */ 76 int operation; 77 78 /* 79 * Flag to determine if a full sigalg is run (1) or if a composable 80 * signature algorithm is run (0). 81 * 82 * When a full sigalg is run (1), this currently affects the following 83 * other flags, which are to remain untouched after their initialization: 84 * 85 * - flag_allow_md (initialized to 0) 86 */ 87 unsigned int flag_sigalg : 1; 88 /* 89 * Flag to determine if the hash function can be changed (1) or not (0) 90 * Because it's dangerous to change during a DigestSign or DigestVerify 91 * operation, this flag is cleared by their Init function, and set again 92 * by their Final function. 93 */ 94 unsigned int flag_allow_md : 1; 95 96 /* The Algorithm Identifier of the combined signature algorithm */ 97 unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE]; 98 size_t aid_len; 99 100 /* main digest */ 101 char mdname[OSSL_MAX_NAME_SIZE]; 102 EVP_MD *md; 103 EVP_MD_CTX *mdctx; 104 size_t mdsize; 105 106 /* Signature, for verification */ 107 unsigned char *sig; 108 size_t siglen; 109 110 /* 111 * Internally used to cache the results of calling the EC group 112 * sign_setup() methods which are then passed to the sign operation. 113 * This is used by CAVS failure tests to terminate a loop if the signature 114 * is not valid. 115 * This could of also been done with a simple flag. 116 */ 117 BIGNUM *kinv; 118 BIGNUM *r; 119 #if !defined(OPENSSL_NO_ACVP_TESTS) 120 /* 121 * This indicates that KAT (CAVS) test is running. Externally an app will 122 * override the random callback such that the generated private key and k 123 * are known. 124 * Normal operation will loop to choose a new k if the signature is not 125 * valid - but for this mode of operation it forces a failure instead. 126 */ 127 unsigned int kattest; 128 #endif 129 #ifdef FIPS_MODULE 130 /* 131 * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a 132 * message is not permitted. However, signing based on a digest is still 133 * permitted. 134 */ 135 int verify_message; 136 #endif 137 /* If this is set then the generated k is not random */ 138 unsigned int nonce_type; 139 OSSL_FIPS_IND_DECLARE 140 } PROV_ECDSA_CTX; 141 142 static void *ecdsa_newctx(void *provctx, const char *propq) 143 { 144 PROV_ECDSA_CTX *ctx; 145 146 if (!ossl_prov_is_running()) 147 return NULL; 148 149 ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX)); 150 if (ctx == NULL) 151 return NULL; 152 153 OSSL_FIPS_IND_INIT(ctx) 154 ctx->flag_allow_md = 1; 155 #ifdef FIPS_MODULE 156 ctx->verify_message = 1; 157 #endif 158 ctx->libctx = PROV_LIBCTX_OF(provctx); 159 if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL) { 160 OPENSSL_free(ctx); 161 ctx = NULL; 162 } 163 return ctx; 164 } 165 166 static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, 167 const char *mdname, const char *mdprops, 168 const char *desc) 169 { 170 EVP_MD *md = NULL; 171 size_t mdname_len; 172 int md_nid, md_size; 173 WPACKET pkt; 174 unsigned char *aid = NULL; 175 176 if (mdname == NULL) 177 return 1; 178 179 mdname_len = strlen(mdname); 180 if (mdname_len >= sizeof(ctx->mdname)) { 181 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 182 "%s exceeds name buffer length", mdname); 183 return 0; 184 } 185 if (mdprops == NULL) 186 mdprops = ctx->propq; 187 md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); 188 if (md == NULL) { 189 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 190 "%s could not be fetched", mdname); 191 return 0; 192 } 193 md_size = EVP_MD_get_size(md); 194 if (md_size <= 0) { 195 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 196 "%s has invalid md size %d", mdname, md_size); 197 goto err; 198 } 199 md_nid = ossl_digest_get_approved_nid(md); 200 #ifdef FIPS_MODULE 201 if (md_nid == NID_undef) { 202 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 203 "digest=%s", mdname); 204 goto err; 205 } 206 #endif 207 /* XOF digests don't work */ 208 if (EVP_MD_xof(md)) { 209 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 210 goto err; 211 } 212 213 #ifdef FIPS_MODULE 214 { 215 int sha1_allowed 216 = ((ctx->operation 217 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); 218 219 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), 220 OSSL_FIPS_IND_SETTABLE1, 221 ctx->libctx, 222 md_nid, sha1_allowed, desc, 223 ossl_fips_config_signature_digest_check)) 224 goto err; 225 } 226 #endif 227 228 if (!ctx->flag_allow_md) { 229 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { 230 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 231 "digest %s != %s", mdname, ctx->mdname); 232 goto err; 233 } 234 EVP_MD_free(md); 235 return 1; 236 } 237 238 EVP_MD_CTX_free(ctx->mdctx); 239 EVP_MD_free(ctx->md); 240 241 ctx->aid_len = 0; 242 #ifndef FIPS_MODULE 243 if (md_nid != NID_undef) { 244 #else 245 { 246 #endif 247 if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf)) 248 && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec, 249 md_nid) 250 && WPACKET_finish(&pkt)) { 251 WPACKET_get_total_written(&pkt, &ctx->aid_len); 252 aid = WPACKET_get_curr(&pkt); 253 } 254 WPACKET_cleanup(&pkt); 255 if (aid != NULL && ctx->aid_len != 0) 256 memmove(ctx->aid_buf, aid, ctx->aid_len); 257 } 258 259 ctx->mdctx = NULL; 260 ctx->md = md; 261 ctx->mdsize = (size_t)md_size; 262 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); 263 264 return 1; 265 err: 266 EVP_MD_free(md); 267 return 0; 268 } 269 270 static int 271 ecdsa_signverify_init(PROV_ECDSA_CTX *ctx, void *ec, 272 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, 273 const OSSL_PARAM params[], int operation, 274 const char *desc) 275 { 276 if (!ossl_prov_is_running() 277 || ctx == NULL) 278 return 0; 279 280 if (ec == NULL && ctx->ec == NULL) { 281 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); 282 return 0; 283 } 284 285 if (ec != NULL) { 286 if (!EC_KEY_up_ref(ec)) 287 return 0; 288 EC_KEY_free(ctx->ec); 289 ctx->ec = ec; 290 } 291 292 ctx->operation = operation; 293 294 OSSL_FIPS_IND_SET_APPROVED(ctx) 295 if (!set_ctx_params(ctx, params)) 296 return 0; 297 #ifdef FIPS_MODULE 298 if (!ossl_fips_ind_ec_key_check(OSSL_FIPS_IND_GET(ctx), 299 OSSL_FIPS_IND_SETTABLE0, ctx->libctx, 300 EC_KEY_get0_group(ctx->ec), desc, 301 (operation & (EVP_PKEY_OP_SIGN 302 | EVP_PKEY_OP_SIGNMSG)) != 0)) 303 return 0; 304 #endif 305 return 1; 306 } 307 308 static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[]) 309 { 310 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 311 312 #ifdef FIPS_MODULE 313 ctx->verify_message = 1; 314 #endif 315 return ecdsa_signverify_init(ctx, ec, ecdsa_set_ctx_params, params, 316 EVP_PKEY_OP_SIGN, "ECDSA Sign Init"); 317 } 318 319 /* 320 * Sign tbs without digesting it first. This is suitable for "primitive" 321 * signing and signing the digest of a message. 322 */ 323 static int ecdsa_sign_directly(void *vctx, 324 unsigned char *sig, size_t *siglen, size_t sigsize, 325 const unsigned char *tbs, size_t tbslen) 326 { 327 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 328 int ret; 329 unsigned int sltmp; 330 size_t ecsize = ECDSA_size(ctx->ec); 331 332 if (!ossl_prov_is_running()) 333 return 0; 334 335 if (sig == NULL) { 336 *siglen = ecsize; 337 return 1; 338 } 339 340 #if !defined(OPENSSL_NO_ACVP_TESTS) 341 if (ctx->kattest && !ECDSA_sign_setup(ctx->ec, NULL, &ctx->kinv, &ctx->r)) 342 return 0; 343 #endif 344 345 if (sigsize < (size_t)ecsize) 346 return 0; 347 348 if (ctx->mdsize != 0 && tbslen != ctx->mdsize) 349 return 0; 350 351 if (ctx->nonce_type != 0) { 352 const char *mdname = NULL; 353 354 if (ctx->mdname[0] != '\0') 355 mdname = ctx->mdname; 356 ret = ossl_ecdsa_deterministic_sign(tbs, tbslen, sig, &sltmp, 357 ctx->ec, ctx->nonce_type, 358 mdname, 359 ctx->libctx, ctx->propq); 360 } else { 361 ret = ECDSA_sign_ex(0, tbs, tbslen, sig, &sltmp, ctx->kinv, ctx->r, 362 ctx->ec); 363 } 364 if (ret <= 0) 365 return 0; 366 367 *siglen = sltmp; 368 return 1; 369 } 370 371 static int ecdsa_signverify_message_update(void *vctx, 372 const unsigned char *data, 373 size_t datalen) 374 { 375 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 376 377 if (ctx == NULL) 378 return 0; 379 380 return EVP_DigestUpdate(ctx->mdctx, data, datalen); 381 } 382 383 static int ecdsa_sign_message_final(void *vctx, unsigned char *sig, 384 size_t *siglen, size_t sigsize) 385 { 386 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 387 unsigned char digest[EVP_MAX_MD_SIZE]; 388 unsigned int dlen = 0; 389 390 if (!ossl_prov_is_running() || ctx == NULL) 391 return 0; 392 if (ctx->mdctx == NULL) 393 return 0; 394 /* 395 * If sig is NULL then we're just finding out the sig size. Other fields 396 * are ignored. Defer to ecdsa_sign. 397 */ 398 if (sig != NULL 399 && !EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen)) 400 return 0; 401 return ecdsa_sign_directly(vctx, sig, siglen, sigsize, digest, dlen); 402 } 403 404 /* 405 * If signing a message, digest tbs and sign the result. 406 * Otherwise, sign tbs directly. 407 */ 408 static int ecdsa_sign(void *vctx, unsigned char *sig, size_t *siglen, 409 size_t sigsize, const unsigned char *tbs, size_t tbslen) 410 { 411 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 412 413 if (ctx->operation == EVP_PKEY_OP_SIGNMSG) { 414 /* 415 * If |sig| is NULL, the caller is only looking for the sig length. 416 * DO NOT update the input in this case. 417 */ 418 if (sig == NULL) 419 return ecdsa_sign_message_final(ctx, sig, siglen, sigsize); 420 421 if (ecdsa_signverify_message_update(ctx, tbs, tbslen) <= 0) 422 return 0; 423 return ecdsa_sign_message_final(ctx, sig, siglen, sigsize); 424 } 425 return ecdsa_sign_directly(ctx, sig, siglen, sigsize, tbs, tbslen); 426 } 427 428 static int ecdsa_verify_init(void *vctx, void *ec, const OSSL_PARAM params[]) 429 { 430 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 431 432 #ifdef FIPS_MODULE 433 ctx->verify_message = 0; 434 #endif 435 return ecdsa_signverify_init(ctx, ec, ecdsa_set_ctx_params, params, 436 EVP_PKEY_OP_VERIFY, "ECDSA Verify Init"); 437 } 438 439 static int ecdsa_verify_directly(void *vctx, 440 const unsigned char *sig, size_t siglen, 441 const unsigned char *tbs, size_t tbslen) 442 { 443 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 444 445 if (!ossl_prov_is_running() || (ctx->mdsize != 0 && tbslen != ctx->mdsize)) 446 return 0; 447 448 return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec); 449 } 450 451 static int ecdsa_verify_set_sig(void *vctx, 452 const unsigned char *sig, size_t siglen) 453 { 454 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 455 OSSL_PARAM params[2]; 456 457 params[0] = 458 OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, 459 (unsigned char *)sig, siglen); 460 params[1] = OSSL_PARAM_construct_end(); 461 return ecdsa_sigalg_set_ctx_params(ctx, params); 462 } 463 464 static int ecdsa_verify_message_final(void *vctx) 465 { 466 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 467 unsigned char digest[EVP_MAX_MD_SIZE]; 468 unsigned int dlen = 0; 469 470 if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL) 471 return 0; 472 473 /* 474 * The digests used here are all known (see ecdsa_get_md_nid()), so they 475 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. 476 */ 477 if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen)) 478 return 0; 479 480 return ecdsa_verify_directly(vctx, ctx->sig, ctx->siglen, 481 digest, dlen); 482 } 483 484 /* 485 * If verifying a message, digest tbs and verify the result. 486 * Otherwise, verify tbs directly. 487 */ 488 static int ecdsa_verify(void *vctx, 489 const unsigned char *sig, size_t siglen, 490 const unsigned char *tbs, size_t tbslen) 491 { 492 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 493 494 if (ctx->operation == EVP_PKEY_OP_VERIFYMSG) { 495 if (ecdsa_verify_set_sig(ctx, sig, siglen) <= 0) 496 return 0; 497 if (ecdsa_signverify_message_update(ctx, tbs, tbslen) <= 0) 498 return 0; 499 return ecdsa_verify_message_final(ctx); 500 } 501 return ecdsa_verify_directly(ctx, sig, siglen, tbs, tbslen); 502 } 503 504 /* DigestSign/DigestVerify wrappers */ 505 506 static int ecdsa_digest_signverify_init(void *vctx, const char *mdname, 507 void *ec, const OSSL_PARAM params[], 508 int operation, const char *desc) 509 { 510 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 511 512 if (!ossl_prov_is_running()) 513 return 0; 514 515 #ifdef FIPS_MODULE 516 ctx->verify_message = 1; 517 #endif 518 if (!ecdsa_signverify_init(vctx, ec, ecdsa_set_ctx_params, params, 519 operation, desc)) 520 return 0; 521 522 if (mdname != NULL 523 /* was ecdsa_setup_md already called in ecdsa_signverify_init()? */ 524 && (mdname[0] == '\0' || OPENSSL_strcasecmp(ctx->mdname, mdname) != 0) 525 && !ecdsa_setup_md(ctx, mdname, NULL, desc)) 526 return 0; 527 528 ctx->flag_allow_md = 0; 529 530 if (ctx->mdctx == NULL) { 531 ctx->mdctx = EVP_MD_CTX_new(); 532 if (ctx->mdctx == NULL) 533 goto error; 534 } 535 536 if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params)) 537 goto error; 538 return 1; 539 error: 540 EVP_MD_CTX_free(ctx->mdctx); 541 ctx->mdctx = NULL; 542 return 0; 543 } 544 545 static int ecdsa_digest_sign_init(void *vctx, const char *mdname, void *ec, 546 const OSSL_PARAM params[]) 547 { 548 return ecdsa_digest_signverify_init(vctx, mdname, ec, params, 549 EVP_PKEY_OP_SIGNMSG, 550 "ECDSA Digest Sign Init"); 551 } 552 553 static int ecdsa_digest_signverify_update(void *vctx, const unsigned char *data, 554 size_t datalen) 555 { 556 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 557 558 if (ctx == NULL || ctx->mdctx == NULL) 559 return 0; 560 /* Sigalg implementations shouldn't do digest_sign */ 561 if (ctx->flag_sigalg) 562 return 0; 563 564 return ecdsa_signverify_message_update(vctx, data, datalen); 565 } 566 567 int ecdsa_digest_sign_final(void *vctx, unsigned char *sig, size_t *siglen, 568 size_t sigsize) 569 { 570 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 571 int ok = 0; 572 573 if (ctx == NULL) 574 return 0; 575 /* Sigalg implementations shouldn't do digest_sign */ 576 if (ctx->flag_sigalg) 577 return 0; 578 579 ok = ecdsa_sign_message_final(ctx, sig, siglen, sigsize); 580 581 ctx->flag_allow_md = 1; 582 583 return ok; 584 } 585 586 static int ecdsa_digest_verify_init(void *vctx, const char *mdname, void *ec, 587 const OSSL_PARAM params[]) 588 { 589 return ecdsa_digest_signverify_init(vctx, mdname, ec, params, 590 EVP_PKEY_OP_VERIFYMSG, 591 "ECDSA Digest Verify Init"); 592 } 593 594 int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, 595 size_t siglen) 596 { 597 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 598 int ok = 0; 599 600 if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL) 601 return 0; 602 603 /* Sigalg implementations shouldn't do digest_verify */ 604 if (ctx->flag_sigalg) 605 return 0; 606 607 if (ecdsa_verify_set_sig(ctx, sig, siglen)) 608 ok = ecdsa_verify_message_final(ctx); 609 610 ctx->flag_allow_md = 1; 611 612 return ok; 613 } 614 615 static void ecdsa_freectx(void *vctx) 616 { 617 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 618 619 EVP_MD_CTX_free(ctx->mdctx); 620 EVP_MD_free(ctx->md); 621 OPENSSL_free(ctx->propq); 622 OPENSSL_free(ctx->sig); 623 EC_KEY_free(ctx->ec); 624 BN_clear_free(ctx->kinv); 625 BN_clear_free(ctx->r); 626 OPENSSL_free(ctx); 627 } 628 629 static void *ecdsa_dupctx(void *vctx) 630 { 631 PROV_ECDSA_CTX *srcctx = (PROV_ECDSA_CTX *)vctx; 632 PROV_ECDSA_CTX *dstctx; 633 634 if (!ossl_prov_is_running()) 635 return NULL; 636 637 dstctx = OPENSSL_zalloc(sizeof(*srcctx)); 638 if (dstctx == NULL) 639 return NULL; 640 641 *dstctx = *srcctx; 642 dstctx->ec = NULL; 643 dstctx->propq = NULL; 644 645 if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec)) 646 goto err; 647 /* Test KATS should not need to be supported */ 648 if (srcctx->kinv != NULL || srcctx->r != NULL) 649 goto err; 650 dstctx->ec = srcctx->ec; 651 652 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md)) 653 goto err; 654 dstctx->md = srcctx->md; 655 656 if (srcctx->mdctx != NULL) { 657 dstctx->mdctx = EVP_MD_CTX_new(); 658 if (dstctx->mdctx == NULL 659 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)) 660 goto err; 661 } 662 663 if (srcctx->propq != NULL) { 664 dstctx->propq = OPENSSL_strdup(srcctx->propq); 665 if (dstctx->propq == NULL) 666 goto err; 667 } 668 669 return dstctx; 670 err: 671 ecdsa_freectx(dstctx); 672 return NULL; 673 } 674 675 static int ecdsa_get_ctx_params(void *vctx, OSSL_PARAM *params) 676 { 677 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 678 OSSL_PARAM *p; 679 680 if (ctx == NULL) 681 return 0; 682 683 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID); 684 if (p != NULL && !OSSL_PARAM_set_octet_string(p, 685 ctx->aid_len == 0 ? NULL : ctx->aid_buf, 686 ctx->aid_len)) 687 return 0; 688 689 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE); 690 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->mdsize)) 691 return 0; 692 693 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST); 694 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL 695 ? ctx->mdname 696 : EVP_MD_get0_name(ctx->md))) 697 return 0; 698 699 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_NONCE_TYPE); 700 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->nonce_type)) 701 return 0; 702 703 #ifdef FIPS_MODULE 704 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE); 705 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->verify_message)) 706 return 0; 707 #endif 708 709 if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params)) 710 return 0; 711 return 1; 712 } 713 714 static const OSSL_PARAM known_gettable_ctx_params[] = { 715 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), 716 OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL), 717 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 718 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_NONCE_TYPE, NULL), 719 #ifdef FIPS_MODULE 720 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL), 721 #endif 722 OSSL_FIPS_IND_GETTABLE_CTX_PARAM() 723 OSSL_PARAM_END 724 }; 725 726 static const OSSL_PARAM *ecdsa_gettable_ctx_params(ossl_unused void *vctx, 727 ossl_unused void *provctx) 728 { 729 return known_gettable_ctx_params; 730 } 731 732 /** 733 * @brief Set up common params for ecdsa_set_ctx_params and 734 * ecdsa_sigalg_set_ctx_params. The caller is responsible for checking |vctx| is 735 * not NULL and |params| is not empty. 736 */ 737 static int ecdsa_common_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 738 { 739 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 740 const OSSL_PARAM *p; 741 742 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params, 743 OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)) 744 return 0; 745 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE1, params, 746 OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)) 747 return 0; 748 749 #if !defined(OPENSSL_NO_ACVP_TESTS) 750 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT); 751 if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->kattest)) 752 return 0; 753 #endif 754 755 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_NONCE_TYPE); 756 if (p != NULL 757 && !OSSL_PARAM_get_uint(p, &ctx->nonce_type)) 758 return 0; 759 return 1; 760 } 761 762 #define ECDSA_COMMON_SETTABLE_CTX_PARAMS \ 763 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT, NULL), \ 764 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_NONCE_TYPE, NULL), \ 765 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) \ 766 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) \ 767 OSSL_PARAM_END 768 769 static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 770 { 771 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 772 const OSSL_PARAM *p; 773 size_t mdsize = 0; 774 int ret; 775 776 if (ctx == NULL) 777 return 0; 778 if (ossl_param_is_empty(params)) 779 return 1; 780 781 if ((ret = ecdsa_common_set_ctx_params(ctx, params)) <= 0) 782 return ret; 783 784 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); 785 if (p != NULL) { 786 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname; 787 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops; 788 const OSSL_PARAM *propsp = 789 OSSL_PARAM_locate_const(params, 790 OSSL_SIGNATURE_PARAM_PROPERTIES); 791 792 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname))) 793 return 0; 794 if (propsp != NULL 795 && !OSSL_PARAM_get_utf8_string(propsp, &pmdprops, sizeof(mdprops))) 796 return 0; 797 if (!ecdsa_setup_md(ctx, mdname, mdprops, "ECDSA Set Ctx")) 798 return 0; 799 } 800 801 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE); 802 if (p != NULL) { 803 if (!OSSL_PARAM_get_size_t(p, &mdsize) 804 || (!ctx->flag_allow_md && mdsize != ctx->mdsize)) 805 return 0; 806 ctx->mdsize = mdsize; 807 } 808 return 1; 809 } 810 811 static const OSSL_PARAM settable_ctx_params[] = { 812 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 813 OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL), 814 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), 815 ECDSA_COMMON_SETTABLE_CTX_PARAMS 816 }; 817 818 static const OSSL_PARAM *ecdsa_settable_ctx_params(void *vctx, 819 ossl_unused void *provctx) 820 { 821 return settable_ctx_params; 822 } 823 824 static int ecdsa_get_ctx_md_params(void *vctx, OSSL_PARAM *params) 825 { 826 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 827 828 if (ctx->mdctx == NULL) 829 return 0; 830 831 return EVP_MD_CTX_get_params(ctx->mdctx, params); 832 } 833 834 static const OSSL_PARAM *ecdsa_gettable_ctx_md_params(void *vctx) 835 { 836 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 837 838 if (ctx->md == NULL) 839 return 0; 840 841 return EVP_MD_gettable_ctx_params(ctx->md); 842 } 843 844 static int ecdsa_set_ctx_md_params(void *vctx, const OSSL_PARAM params[]) 845 { 846 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 847 848 if (ctx->mdctx == NULL) 849 return 0; 850 851 return EVP_MD_CTX_set_params(ctx->mdctx, params); 852 } 853 854 static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) 855 { 856 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 857 858 if (ctx->md == NULL) 859 return 0; 860 861 return EVP_MD_settable_ctx_params(ctx->md); 862 } 863 864 const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { 865 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, 866 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, 867 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign }, 868 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_verify_init }, 869 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify }, 870 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, 871 (void (*)(void))ecdsa_digest_sign_init }, 872 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, 873 (void (*)(void))ecdsa_digest_signverify_update }, 874 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, 875 (void (*)(void))ecdsa_digest_sign_final }, 876 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, 877 (void (*)(void))ecdsa_digest_verify_init }, 878 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, 879 (void (*)(void))ecdsa_digest_signverify_update }, 880 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, 881 (void (*)(void))ecdsa_digest_verify_final }, 882 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx }, 883 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx }, 884 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))ecdsa_get_ctx_params }, 885 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, 886 (void (*)(void))ecdsa_gettable_ctx_params }, 887 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))ecdsa_set_ctx_params }, 888 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, 889 (void (*)(void))ecdsa_settable_ctx_params }, 890 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, 891 (void (*)(void))ecdsa_get_ctx_md_params }, 892 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, 893 (void (*)(void))ecdsa_gettable_ctx_md_params }, 894 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, 895 (void (*)(void))ecdsa_set_ctx_md_params }, 896 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, 897 (void (*)(void))ecdsa_settable_ctx_md_params }, 898 OSSL_DISPATCH_END 899 }; 900 901 /* ------------------------------------------------------------------ */ 902 903 /* 904 * So called sigalgs (composite ECDSA+hash) implemented below. They 905 * are pretty much hard coded. 906 */ 907 908 static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types; 909 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_sigalg_settable_ctx_params; 910 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_sigalg_set_ctx_params; 911 912 /* 913 * ecdsa_sigalg_signverify_init() is almost like ecdsa_digest_signverify_init(), 914 * just doesn't allow fetching an MD from whatever the user chooses. 915 */ 916 static int ecdsa_sigalg_signverify_init(void *vctx, void *vec, 917 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, 918 const OSSL_PARAM params[], 919 const char *mdname, 920 int operation, const char *desc) 921 { 922 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 923 924 if (!ossl_prov_is_running()) 925 return 0; 926 927 if (!ecdsa_signverify_init(vctx, vec, set_ctx_params, params, operation, 928 desc)) 929 return 0; 930 931 if (!ecdsa_setup_md(ctx, mdname, NULL, desc)) 932 return 0; 933 934 ctx->flag_sigalg = 1; 935 ctx->flag_allow_md = 0; 936 937 if (ctx->mdctx == NULL) { 938 ctx->mdctx = EVP_MD_CTX_new(); 939 if (ctx->mdctx == NULL) 940 goto error; 941 } 942 943 if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params)) 944 goto error; 945 946 return 1; 947 948 error: 949 EVP_MD_CTX_free(ctx->mdctx); 950 ctx->mdctx = NULL; 951 return 0; 952 } 953 954 static const char **ecdsa_sigalg_query_key_types(void) 955 { 956 static const char *keytypes[] = { "EC", NULL }; 957 958 return keytypes; 959 } 960 961 static const OSSL_PARAM settable_sigalg_ctx_params[] = { 962 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0), 963 ECDSA_COMMON_SETTABLE_CTX_PARAMS 964 }; 965 966 static const OSSL_PARAM *ecdsa_sigalg_settable_ctx_params(void *vctx, 967 ossl_unused void *provctx) 968 { 969 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 970 971 if (ctx != NULL && ctx->operation == EVP_PKEY_OP_VERIFYMSG) 972 return settable_sigalg_ctx_params; 973 return NULL; 974 } 975 976 static int ecdsa_sigalg_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 977 { 978 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; 979 const OSSL_PARAM *p; 980 int ret; 981 982 if (ctx == NULL) 983 return 0; 984 if (ossl_param_is_empty(params)) 985 return 1; 986 987 if ((ret = ecdsa_common_set_ctx_params(ctx, params)) <= 0) 988 return ret; 989 990 if (ctx->operation == EVP_PKEY_OP_VERIFYMSG) { 991 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE); 992 if (p != NULL) { 993 OPENSSL_free(ctx->sig); 994 ctx->sig = NULL; 995 ctx->siglen = 0; 996 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->sig, 997 0, &ctx->siglen)) 998 return 0; 999 } 1000 } 1001 return 1; 1002 } 1003 1004 #define IMPL_ECDSA_SIGALG(md, MD) \ 1005 static OSSL_FUNC_signature_sign_init_fn ecdsa_##md##_sign_init; \ 1006 static OSSL_FUNC_signature_sign_message_init_fn \ 1007 ecdsa_##md##_sign_message_init; \ 1008 static OSSL_FUNC_signature_verify_init_fn ecdsa_##md##_verify_init; \ 1009 static OSSL_FUNC_signature_verify_message_init_fn \ 1010 ecdsa_##md##_verify_message_init; \ 1011 \ 1012 static int \ 1013 ecdsa_##md##_sign_init(void *vctx, void *vec, \ 1014 const OSSL_PARAM params[]) \ 1015 { \ 1016 static const char desc[] = "ECDSA-" #MD " Sign Init"; \ 1017 \ 1018 return ecdsa_sigalg_signverify_init(vctx, vec, \ 1019 ecdsa_sigalg_set_ctx_params, \ 1020 params, #MD, \ 1021 EVP_PKEY_OP_SIGN, \ 1022 desc); \ 1023 } \ 1024 \ 1025 static int \ 1026 ecdsa_##md##_sign_message_init(void *vctx, void *vec, \ 1027 const OSSL_PARAM params[]) \ 1028 { \ 1029 static const char desc[] = "ECDSA-" #MD " Sign Message Init"; \ 1030 \ 1031 return ecdsa_sigalg_signverify_init(vctx, vec, \ 1032 ecdsa_sigalg_set_ctx_params, \ 1033 params, #MD, \ 1034 EVP_PKEY_OP_SIGNMSG, \ 1035 desc); \ 1036 } \ 1037 \ 1038 static int \ 1039 ecdsa_##md##_verify_init(void *vctx, void *vec, \ 1040 const OSSL_PARAM params[]) \ 1041 { \ 1042 static const char desc[] = "ECDSA-" #MD " Verify Init"; \ 1043 \ 1044 return ecdsa_sigalg_signverify_init(vctx, vec, \ 1045 ecdsa_sigalg_set_ctx_params, \ 1046 params, #MD, \ 1047 EVP_PKEY_OP_VERIFY, \ 1048 desc); \ 1049 } \ 1050 \ 1051 static int \ 1052 ecdsa_##md##_verify_message_init(void *vctx, void *vec, \ 1053 const OSSL_PARAM params[]) \ 1054 { \ 1055 static const char desc[] = "ECDSA-" #MD " Verify Message Init"; \ 1056 \ 1057 return ecdsa_sigalg_signverify_init(vctx, vec, \ 1058 ecdsa_sigalg_set_ctx_params, \ 1059 params, #MD, \ 1060 EVP_PKEY_OP_VERIFYMSG, \ 1061 desc); \ 1062 } \ 1063 \ 1064 const OSSL_DISPATCH ossl_ecdsa_##md##_signature_functions[] = { \ 1065 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, \ 1066 { OSSL_FUNC_SIGNATURE_SIGN_INIT, \ 1067 (void (*)(void))ecdsa_##md##_sign_init }, \ 1068 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign }, \ 1069 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \ 1070 (void (*)(void))ecdsa_##md##_sign_message_init }, \ 1071 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \ 1072 (void (*)(void))ecdsa_signverify_message_update }, \ 1073 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \ 1074 (void (*)(void))ecdsa_sign_message_final }, \ 1075 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \ 1076 (void (*)(void))ecdsa_##md##_verify_init }, \ 1077 { OSSL_FUNC_SIGNATURE_VERIFY, \ 1078 (void (*)(void))ecdsa_verify }, \ 1079 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \ 1080 (void (*)(void))ecdsa_##md##_verify_message_init }, \ 1081 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \ 1082 (void (*)(void))ecdsa_signverify_message_update }, \ 1083 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \ 1084 (void (*)(void))ecdsa_verify_message_final }, \ 1085 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx }, \ 1086 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx }, \ 1087 { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \ 1088 (void (*)(void))ecdsa_sigalg_query_key_types }, \ 1089 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \ 1090 (void (*)(void))ecdsa_get_ctx_params }, \ 1091 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \ 1092 (void (*)(void))ecdsa_gettable_ctx_params }, \ 1093 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \ 1094 (void (*)(void))ecdsa_sigalg_set_ctx_params }, \ 1095 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \ 1096 (void (*)(void))ecdsa_sigalg_settable_ctx_params }, \ 1097 OSSL_DISPATCH_END \ 1098 } 1099 1100 IMPL_ECDSA_SIGALG(sha1, SHA1); 1101 IMPL_ECDSA_SIGALG(sha224, SHA2-224); 1102 IMPL_ECDSA_SIGALG(sha256, SHA2-256); 1103 IMPL_ECDSA_SIGALG(sha384, SHA2-384); 1104 IMPL_ECDSA_SIGALG(sha512, SHA2-512); 1105 IMPL_ECDSA_SIGALG(sha3_224, SHA3-224); 1106 IMPL_ECDSA_SIGALG(sha3_256, SHA3-256); 1107 IMPL_ECDSA_SIGALG(sha3_384, SHA3-384); 1108 IMPL_ECDSA_SIGALG(sha3_512, SHA3-512); 1109