1b077aed3SPierre Pronchery /* 2*e7be843bSPierre Pronchery * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. 3b077aed3SPierre Pronchery * 4b077aed3SPierre Pronchery * Licensed under the Apache License 2.0 (the "License"). You may not use 5b077aed3SPierre Pronchery * this file except in compliance with the License. You can obtain a copy 6b077aed3SPierre Pronchery * in the file LICENSE in the source distribution or at 7b077aed3SPierre Pronchery * https://www.openssl.org/source/license.html 8b077aed3SPierre Pronchery */ 9b077aed3SPierre Pronchery 10b077aed3SPierre Pronchery /* 11b077aed3SPierre Pronchery * RSA low level APIs are deprecated for public use, but still ok for 12b077aed3SPierre Pronchery * internal use. 13b077aed3SPierre Pronchery */ 14b077aed3SPierre Pronchery #include "internal/deprecated.h" 15b077aed3SPierre Pronchery 16b077aed3SPierre Pronchery #include <string.h> 17b077aed3SPierre Pronchery #include <openssl/crypto.h> 18b077aed3SPierre Pronchery #include <openssl/core_dispatch.h> 19b077aed3SPierre Pronchery #include <openssl/core_names.h> 20b077aed3SPierre Pronchery #include <openssl/err.h> 21*e7be843bSPierre Pronchery #include <openssl/obj_mac.h> 22b077aed3SPierre Pronchery #include <openssl/rsa.h> 23b077aed3SPierre Pronchery #include <openssl/params.h> 24b077aed3SPierre Pronchery #include <openssl/evp.h> 25b077aed3SPierre Pronchery #include <openssl/proverr.h> 26b077aed3SPierre Pronchery #include "internal/cryptlib.h" 27b077aed3SPierre Pronchery #include "internal/nelem.h" 28b077aed3SPierre Pronchery #include "internal/sizes.h" 29b077aed3SPierre Pronchery #include "crypto/rsa.h" 30b077aed3SPierre Pronchery #include "prov/providercommon.h" 31b077aed3SPierre Pronchery #include "prov/implementations.h" 32b077aed3SPierre Pronchery #include "prov/provider_ctx.h" 33b077aed3SPierre Pronchery #include "prov/der_rsa.h" 34b077aed3SPierre Pronchery #include "prov/securitycheck.h" 35b077aed3SPierre Pronchery 36b077aed3SPierre Pronchery 
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 37b077aed3SPierre Pronchery 38b077aed3SPierre Pronchery static OSSL_FUNC_signature_newctx_fn rsa_newctx; 39b077aed3SPierre Pronchery static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; 40b077aed3SPierre Pronchery static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; 41b077aed3SPierre Pronchery static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; 42b077aed3SPierre Pronchery static OSSL_FUNC_signature_sign_fn rsa_sign; 43*e7be843bSPierre Pronchery static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update; 44*e7be843bSPierre Pronchery static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final; 45b077aed3SPierre Pronchery static OSSL_FUNC_signature_verify_fn rsa_verify; 46b077aed3SPierre Pronchery static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover; 47*e7be843bSPierre Pronchery static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update; 48*e7be843bSPierre Pronchery static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final; 49b077aed3SPierre Pronchery static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init; 50*e7be843bSPierre Pronchery static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update; 51b077aed3SPierre Pronchery static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; 52b077aed3SPierre Pronchery static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; 53*e7be843bSPierre Pronchery static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update; 54b077aed3SPierre Pronchery static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; 55b077aed3SPierre Pronchery static OSSL_FUNC_signature_freectx_fn rsa_freectx; 56b077aed3SPierre Pronchery static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; 57*e7be843bSPierre Pronchery static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; 58b077aed3SPierre Pronchery 
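/* Context parameter getters/setters (composable algorithm and sigalg forms) */
static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;
static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;
static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;
static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;
static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;
static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;
static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;
static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;

/*
 * Table pairing each RSA_*_PADDING id with its OSSL_PKEY_RSA_PAD_MODE_* name.
 * The { 0, NULL } entry terminates the table.
 */
static OSSL_ITEM padding_item[] = {
    { RSA_PKCS1_PADDING,        OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },
    { RSA_NO_PADDING,           OSSL_PKEY_RSA_PAD_MODE_NONE },
    { RSA_X931_PADDING,         OSSL_PKEY_RSA_PAD_MODE_X931 },
    { RSA_PKCS1_PSS_PADDING,    OSSL_PKEY_RSA_PAD_MODE_PSS },
    { 0,                        NULL }
};

/*
 * What's passed as an actual key is defined by the KEYMGMT interface.
 * We happen to know that our KEYMGMT simply passes RSA structures, so
 * we use that here too.
 */

/*
 * Per-operation state of the RSA signature implementation: the key, the
 * selected digest and padding, the PSS parameters and the life-cycle flags.
 */
typedef struct {
    OSSL_LIB_CTX *libctx;
    char *propq;
    RSA *rsa;
    int operation;

    /*
     * Flag to determine if a full sigalg is run (1) or if a composable
     * signature algorithm is run (0).
     *
     * When a full sigalg is run (1), this currently affects the following
     * other flags, which are to remain untouched after their initialization:
     *
     * - flag_allow_md (initialized to 0)
     */
    unsigned int flag_sigalg : 1;
    /*
     * Flag to determine if the hash function can be changed (1) or not (0)
     * Because it's dangerous to change during a DigestSign or DigestVerify
     * operation, this flag is cleared by their Init function, and set again
     * by their Final function.
     * Implementations of full sigalgs (such as RSA-SHA256) hard-code this
     * flag to not allow changes (0).
     */
    unsigned int flag_allow_md : 1;
    /*
     * Set to 1 by rsa_setup_mgf1_md(). While it is 0, rsa_setup_md() also
     * installs the main digest as the MGF1 digest.
     */
    unsigned int mgf1_md_set : 1;
    /*
     * Flags to say what are the possible next external calls in what
     * constitutes the life cycle of an algorithm.  The relevant calls are:
     * - init
     * - update
     * - final
     * - oneshot
     * All other external calls are regarded as utilitarian and are allowed
     * at any time (they may be affected by other flags, like flag_allow_md,
     * though).
     */
    unsigned int flag_allow_update : 1;
    unsigned int flag_allow_final : 1;
    unsigned int flag_allow_oneshot : 1;

    /* main digest */
    EVP_MD *md;
    EVP_MD_CTX *mdctx;
    int mdnid;
    char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */

    /* RSA padding mode */
    int pad_mode;
    /* message digest for MGF1 */
    EVP_MD *mgf1_md;
    int mgf1_mdnid;
    char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
    /* PSS salt length */
    int saltlen;
    /* Minimum salt length or -1 if no PSS parameter restriction */
    int min_saltlen;

    /* Signature, for verification */
    unsigned char *sig;
    size_t siglen;

#ifdef FIPS_MODULE
    /*
     * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a
     * message is not permitted. However, signing based on a digest is still
     * permitted.
     */
    int verify_message;
#endif

    /* Temp buffer */
    unsigned char *tbuf;

    OSSL_FIPS_IND_DECLARE
} PROV_RSA_CTX;

/*
 * True if PSS parameters are restricted.
 * The argument is parenthesized so that any pointer expression can be passed.
 */
#define rsa_pss_restricted(prsactx) ((prsactx)->min_saltlen != -1)

/*
 * Return the output size of the context's main digest in bytes.
 * Returns 0 when no digest is set or when EVP_MD_get_size() reports a
 * non-positive size, so callers can treat 0 as "no usable digest".
 */
static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)
{
    int md_size;

    if (prsactx->md != NULL) {
        md_size = EVP_MD_get_size(prsactx->md);
        if (md_size <= 0)
            return 0;
        return md_size;
    }
    return 0;
}

/*
 * Check that a requested digest is compatible with the context's padding mode.
 *
 * mdname / mdnid describe the main digest being requested and mgf1_mdname the
 * MGF1 digest; a NULL name means "not being changed".
 *
 * Returns 1 if the combination is acceptable, 0 (with an error raised)
 * otherwise.
 */
static int rsa_check_padding(const PROV_RSA_CTX *prsactx,
                             const char *mdname, const char *mgf1_mdname,
                             int mdnid)
{
    switch (prsactx->pad_mode) {
    case RSA_NO_PADDING:
        /* Raw RSA takes no digest at all */
        if (mdname != NULL || mdnid != NID_undef) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
            return 0;
        }
        break;
    case RSA_X931_PADDING:
        /* Only digests that have an X9.31 hash id can be used */
        if (RSA_X931_hash_id(mdnid) == -1) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);
            return 0;
        }
        break;
    case RSA_PKCS1_PSS_PADDING:
        /*
         * With restricted PSS parameters the digests are pinned: a requested
         * name must match what is already installed in the context.
         */
        if (rsa_pss_restricted(prsactx))
            if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname))
                || (mgf1_mdname != NULL
                    && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) {
                ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
                return 0;
            }
        break;
    default:
        break;
    }

    return 1;
}

/*
 * For PSS padding, validate the minimum salt length against the key and
 * digest sizes and record it in the context. Storing a value other than -1
 * in min_saltlen is what makes rsa_pss_restricted() true from then on.
 * Other padding modes are accepted unchanged.
 *
 * Returns 1 on success, 0 (with an error raised) on failure.
 */
static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
{
    if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
        int mdsize, max_saltlen;

        /*
         * A non-positive digest size would inflate max_saltlen below and
         * weaken the bound, so reject it first; rsa_pss_compute_saltlen()
         * performs the same check.
         */
        if ((mdsize = EVP_MD_get_size(prsactx->md)) <= 0) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
            return 0;
        }

        /*
         * See if minimum salt length exceeds maximum possible.
         * NOTE(review): rsa_pss_compute_saltlen() derives the largest salt
         * as RSA_size - mdsize - 2; the bound here omits the 2. Confirm
         * that the looser bound is intended.
         */
        max_saltlen = RSA_size(prsactx->rsa) - mdsize;
        if ((RSA_bits(prsactx->rsa) & 0x7) == 1)
            max_saltlen--;
        if (min_saltlen < 0 || min_saltlen > max_saltlen) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
            return 0;
        }
        prsactx->min_saltlen = min_saltlen;
    }
    return 1;
}
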
static void *rsa_newctx(void *provctx, const char *propq) 228b077aed3SPierre Pronchery { 229b077aed3SPierre Pronchery PROV_RSA_CTX *prsactx = NULL; 230b077aed3SPierre Pronchery char *propq_copy = NULL; 231b077aed3SPierre Pronchery 232b077aed3SPierre Pronchery if (!ossl_prov_is_running()) 233b077aed3SPierre Pronchery return NULL; 234b077aed3SPierre Pronchery 235b077aed3SPierre Pronchery if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL 236b077aed3SPierre Pronchery || (propq != NULL 237b077aed3SPierre Pronchery && (propq_copy = OPENSSL_strdup(propq)) == NULL)) { 238b077aed3SPierre Pronchery OPENSSL_free(prsactx); 239b077aed3SPierre Pronchery return NULL; 240b077aed3SPierre Pronchery } 241b077aed3SPierre Pronchery 242*e7be843bSPierre Pronchery OSSL_FIPS_IND_INIT(prsactx) 243b077aed3SPierre Pronchery prsactx->libctx = PROV_LIBCTX_OF(provctx); 244b077aed3SPierre Pronchery prsactx->flag_allow_md = 1; 245*e7be843bSPierre Pronchery #ifdef FIPS_MODULE 246*e7be843bSPierre Pronchery prsactx->verify_message = 1; 247*e7be843bSPierre Pronchery #endif 248b077aed3SPierre Pronchery prsactx->propq = propq_copy; 249*e7be843bSPierre Pronchery /* Maximum up to digest length for sign, auto for verify */ 250*e7be843bSPierre Pronchery prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; 251b077aed3SPierre Pronchery prsactx->min_saltlen = -1; 252b077aed3SPierre Pronchery return prsactx; 253b077aed3SPierre Pronchery } 254b077aed3SPierre Pronchery 255b077aed3SPierre Pronchery static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) 256b077aed3SPierre Pronchery { 257b077aed3SPierre Pronchery int saltlen = ctx->saltlen; 258*e7be843bSPierre Pronchery int saltlenMax = -1; 259b077aed3SPierre Pronchery 260*e7be843bSPierre Pronchery /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection 261*e7be843bSPierre Pronchery * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the 262*e7be843bSPierre Pronchery * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen 
is the length of 263*e7be843bSPierre Pronchery * the hash function output block (in bytes)." 264*e7be843bSPierre Pronchery * 265*e7be843bSPierre Pronchery * Provide a way to use at most the digest length, so that the default does 266*e7be843bSPierre Pronchery * not violate FIPS 186-4. */ 267b077aed3SPierre Pronchery if (saltlen == RSA_PSS_SALTLEN_DIGEST) { 268*e7be843bSPierre Pronchery if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) { 269*e7be843bSPierre Pronchery ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); 270*e7be843bSPierre Pronchery return -1; 271*e7be843bSPierre Pronchery } 272*e7be843bSPierre Pronchery } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { 273*e7be843bSPierre Pronchery saltlen = RSA_PSS_SALTLEN_MAX; 274*e7be843bSPierre Pronchery if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) { 275*e7be843bSPierre Pronchery ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); 276*e7be843bSPierre Pronchery return -1; 277*e7be843bSPierre Pronchery } 278*e7be843bSPierre Pronchery } 279*e7be843bSPierre Pronchery if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { 280*e7be843bSPierre Pronchery int mdsize, rsasize; 281*e7be843bSPierre Pronchery 282*e7be843bSPierre Pronchery if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) { 283*e7be843bSPierre Pronchery ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); 284*e7be843bSPierre Pronchery return -1; 285*e7be843bSPierre Pronchery } 286*e7be843bSPierre Pronchery if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) { 287*e7be843bSPierre Pronchery ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); 288*e7be843bSPierre Pronchery return -1; 289*e7be843bSPierre Pronchery } 290*e7be843bSPierre Pronchery saltlen = rsasize - mdsize - 2; 291b077aed3SPierre Pronchery if ((RSA_bits(ctx->rsa) & 0x7) == 1) 292b077aed3SPierre Pronchery saltlen--; 293*e7be843bSPierre Pronchery if (saltlenMax >= 0 && saltlen > saltlenMax) 294*e7be843bSPierre Pronchery saltlen = saltlenMax; 295b077aed3SPierre Pronchery } 
296b077aed3SPierre Pronchery if (saltlen < 0) { 297b077aed3SPierre Pronchery ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 298b077aed3SPierre Pronchery return -1; 299b077aed3SPierre Pronchery } else if (saltlen < ctx->min_saltlen) { 300b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, 301b077aed3SPierre Pronchery "minimum salt length: %d, actual salt length: %d", 302b077aed3SPierre Pronchery ctx->min_saltlen, saltlen); 303b077aed3SPierre Pronchery return -1; 304b077aed3SPierre Pronchery } 305b077aed3SPierre Pronchery return saltlen; 306b077aed3SPierre Pronchery } 307b077aed3SPierre Pronchery 308b077aed3SPierre Pronchery static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, 309b077aed3SPierre Pronchery unsigned char *aid_buf, 310b077aed3SPierre Pronchery size_t buf_len, 311b077aed3SPierre Pronchery size_t *aid_len) 312b077aed3SPierre Pronchery { 313b077aed3SPierre Pronchery WPACKET pkt; 314b077aed3SPierre Pronchery unsigned char *aid = NULL; 315b077aed3SPierre Pronchery int saltlen; 316b077aed3SPierre Pronchery RSA_PSS_PARAMS_30 pss_params; 317b077aed3SPierre Pronchery int ret; 318b077aed3SPierre Pronchery 319b077aed3SPierre Pronchery if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { 320*e7be843bSPierre Pronchery ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB); 321b077aed3SPierre Pronchery return NULL; 322b077aed3SPierre Pronchery } 323b077aed3SPierre Pronchery 324b077aed3SPierre Pronchery switch (ctx->pad_mode) { 325b077aed3SPierre Pronchery case RSA_PKCS1_PADDING: 326b077aed3SPierre Pronchery ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, 327b077aed3SPierre Pronchery ctx->mdnid); 328b077aed3SPierre Pronchery 329b077aed3SPierre Pronchery if (ret > 0) { 330b077aed3SPierre Pronchery break; 331b077aed3SPierre Pronchery } else if (ret == 0) { 332b077aed3SPierre Pronchery ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 333b077aed3SPierre Pronchery goto cleanup; 334b077aed3SPierre Pronchery } 
335b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 336b077aed3SPierre Pronchery "Algorithm ID generation - md NID: %d", 337b077aed3SPierre Pronchery ctx->mdnid); 338b077aed3SPierre Pronchery goto cleanup; 339b077aed3SPierre Pronchery case RSA_PKCS1_PSS_PADDING: 340b077aed3SPierre Pronchery saltlen = rsa_pss_compute_saltlen(ctx); 341b077aed3SPierre Pronchery if (saltlen < 0) 342b077aed3SPierre Pronchery goto cleanup; 343b077aed3SPierre Pronchery if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) 344b077aed3SPierre Pronchery || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) 345b077aed3SPierre Pronchery || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, 346b077aed3SPierre Pronchery ctx->mgf1_mdnid) 347b077aed3SPierre Pronchery || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) 348b077aed3SPierre Pronchery || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, 349b077aed3SPierre Pronchery RSA_FLAG_TYPE_RSASSAPSS, 350b077aed3SPierre Pronchery &pss_params)) { 351b077aed3SPierre Pronchery ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 352b077aed3SPierre Pronchery goto cleanup; 353b077aed3SPierre Pronchery } 354b077aed3SPierre Pronchery break; 355b077aed3SPierre Pronchery default: 356b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 357b077aed3SPierre Pronchery "Algorithm ID generation - pad mode: %d", 358b077aed3SPierre Pronchery ctx->pad_mode); 359b077aed3SPierre Pronchery goto cleanup; 360b077aed3SPierre Pronchery } 361b077aed3SPierre Pronchery if (WPACKET_finish(&pkt)) { 362b077aed3SPierre Pronchery WPACKET_get_total_written(&pkt, aid_len); 363b077aed3SPierre Pronchery aid = WPACKET_get_curr(&pkt); 364b077aed3SPierre Pronchery } 365b077aed3SPierre Pronchery cleanup: 366b077aed3SPierre Pronchery WPACKET_cleanup(&pkt); 367b077aed3SPierre Pronchery return aid; 368b077aed3SPierre Pronchery } 369b077aed3SPierre Pronchery 370b077aed3SPierre Pronchery static int rsa_setup_md(PROV_RSA_CTX *ctx, 
const char *mdname, 371*e7be843bSPierre Pronchery const char *mdprops, const char *desc) 372b077aed3SPierre Pronchery { 373*e7be843bSPierre Pronchery EVP_MD *md = NULL; 374*e7be843bSPierre Pronchery 375b077aed3SPierre Pronchery if (mdprops == NULL) 376b077aed3SPierre Pronchery mdprops = ctx->propq; 377b077aed3SPierre Pronchery 378b077aed3SPierre Pronchery if (mdname != NULL) { 379*e7be843bSPierre Pronchery int md_nid; 380b077aed3SPierre Pronchery size_t mdname_len = strlen(mdname); 381b077aed3SPierre Pronchery 382*e7be843bSPierre Pronchery md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); 383*e7be843bSPierre Pronchery 384*e7be843bSPierre Pronchery if (md == NULL) { 385b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 386b077aed3SPierre Pronchery "%s could not be fetched", mdname); 387*e7be843bSPierre Pronchery goto err; 388*e7be843bSPierre Pronchery } 389*e7be843bSPierre Pronchery md_nid = ossl_digest_rsa_sign_get_md_nid(md); 390*e7be843bSPierre Pronchery if (md_nid == NID_undef) { 391b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 392b077aed3SPierre Pronchery "digest=%s", mdname); 393*e7be843bSPierre Pronchery goto err; 394*e7be843bSPierre Pronchery } 395*e7be843bSPierre Pronchery /* 396*e7be843bSPierre Pronchery * XOF digests are not allowed except for RSA PSS. 397*e7be843bSPierre Pronchery * We don't support XOF digests with RSA PSS (yet), so just fail. 398*e7be843bSPierre Pronchery * When we do support them, uncomment the second clause. 
399*e7be843bSPierre Pronchery */ 400*e7be843bSPierre Pronchery if (EVP_MD_xof(md) 401*e7be843bSPierre Pronchery /* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) { 402*e7be843bSPierre Pronchery ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 403*e7be843bSPierre Pronchery goto err; 404*e7be843bSPierre Pronchery } 405*e7be843bSPierre Pronchery #ifdef FIPS_MODULE 406*e7be843bSPierre Pronchery { 407*e7be843bSPierre Pronchery int sha1_allowed 408*e7be843bSPierre Pronchery = ((ctx->operation 409*e7be843bSPierre Pronchery & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); 410*e7be843bSPierre Pronchery 411*e7be843bSPierre Pronchery if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), 412*e7be843bSPierre Pronchery OSSL_FIPS_IND_SETTABLE1, 413*e7be843bSPierre Pronchery ctx->libctx, 414*e7be843bSPierre Pronchery md_nid, sha1_allowed, desc, 415*e7be843bSPierre Pronchery ossl_fips_config_signature_digest_check)) 416*e7be843bSPierre Pronchery goto err; 417*e7be843bSPierre Pronchery } 418*e7be843bSPierre Pronchery #endif 419*e7be843bSPierre Pronchery 420*e7be843bSPierre Pronchery if (!rsa_check_padding(ctx, mdname, NULL, md_nid)) 421*e7be843bSPierre Pronchery goto err; 422*e7be843bSPierre Pronchery if (mdname_len >= sizeof(ctx->mdname)) { 423b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 424b077aed3SPierre Pronchery "%s exceeds name buffer length", mdname); 425*e7be843bSPierre Pronchery goto err; 426b077aed3SPierre Pronchery } 427b077aed3SPierre Pronchery 428b077aed3SPierre Pronchery if (!ctx->flag_allow_md) { 429b077aed3SPierre Pronchery if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { 430b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 431b077aed3SPierre Pronchery "digest %s != %s", mdname, ctx->mdname); 432*e7be843bSPierre Pronchery goto err; 433b077aed3SPierre Pronchery } 434b077aed3SPierre Pronchery EVP_MD_free(md); 435b077aed3SPierre Pronchery return 1; 436b077aed3SPierre Pronchery 
} 437b077aed3SPierre Pronchery 438b077aed3SPierre Pronchery if (!ctx->mgf1_md_set) { 439b077aed3SPierre Pronchery if (!EVP_MD_up_ref(md)) { 440*e7be843bSPierre Pronchery goto err; 441b077aed3SPierre Pronchery } 442b077aed3SPierre Pronchery EVP_MD_free(ctx->mgf1_md); 443b077aed3SPierre Pronchery ctx->mgf1_md = md; 444b077aed3SPierre Pronchery ctx->mgf1_mdnid = md_nid; 445b077aed3SPierre Pronchery OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 446b077aed3SPierre Pronchery } 447b077aed3SPierre Pronchery 448b077aed3SPierre Pronchery EVP_MD_CTX_free(ctx->mdctx); 449b077aed3SPierre Pronchery EVP_MD_free(ctx->md); 450b077aed3SPierre Pronchery 451b077aed3SPierre Pronchery ctx->mdctx = NULL; 452b077aed3SPierre Pronchery ctx->md = md; 453b077aed3SPierre Pronchery ctx->mdnid = md_nid; 454b077aed3SPierre Pronchery OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); 455b077aed3SPierre Pronchery } 456b077aed3SPierre Pronchery 457b077aed3SPierre Pronchery return 1; 458*e7be843bSPierre Pronchery err: 459*e7be843bSPierre Pronchery EVP_MD_free(md); 460*e7be843bSPierre Pronchery return 0; 461b077aed3SPierre Pronchery } 462b077aed3SPierre Pronchery 463b077aed3SPierre Pronchery static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, 464b077aed3SPierre Pronchery const char *mdprops) 465b077aed3SPierre Pronchery { 466b077aed3SPierre Pronchery size_t len; 467b077aed3SPierre Pronchery EVP_MD *md = NULL; 468b077aed3SPierre Pronchery int mdnid; 469b077aed3SPierre Pronchery 470b077aed3SPierre Pronchery if (mdprops == NULL) 471b077aed3SPierre Pronchery mdprops = ctx->propq; 472b077aed3SPierre Pronchery 473b077aed3SPierre Pronchery if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { 474b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 475b077aed3SPierre Pronchery "%s could not be fetched", mdname); 476b077aed3SPierre Pronchery return 0; 477b077aed3SPierre Pronchery } 478b077aed3SPierre Pronchery /* The default for 
mgf1 is SHA1 - so allow SHA1 */ 479*e7be843bSPierre Pronchery if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0 480b077aed3SPierre Pronchery || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { 481b077aed3SPierre Pronchery if (mdnid <= 0) 482b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 483b077aed3SPierre Pronchery "digest=%s", mdname); 484b077aed3SPierre Pronchery EVP_MD_free(md); 485b077aed3SPierre Pronchery return 0; 486b077aed3SPierre Pronchery } 487b077aed3SPierre Pronchery len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 488b077aed3SPierre Pronchery if (len >= sizeof(ctx->mgf1_mdname)) { 489b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 490b077aed3SPierre Pronchery "%s exceeds name buffer length", mdname); 491b077aed3SPierre Pronchery EVP_MD_free(md); 492b077aed3SPierre Pronchery return 0; 493b077aed3SPierre Pronchery } 494b077aed3SPierre Pronchery 495b077aed3SPierre Pronchery EVP_MD_free(ctx->mgf1_md); 496b077aed3SPierre Pronchery ctx->mgf1_md = md; 497b077aed3SPierre Pronchery ctx->mgf1_mdnid = mdnid; 498b077aed3SPierre Pronchery ctx->mgf1_md_set = 1; 499b077aed3SPierre Pronchery return 1; 500b077aed3SPierre Pronchery } 501b077aed3SPierre Pronchery 502*e7be843bSPierre Pronchery static int 503*e7be843bSPierre Pronchery rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa, 504*e7be843bSPierre Pronchery OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, 505*e7be843bSPierre Pronchery const OSSL_PARAM params[], int operation, 506*e7be843bSPierre Pronchery const char *desc) 507b077aed3SPierre Pronchery { 508*e7be843bSPierre Pronchery int protect; 509b077aed3SPierre Pronchery 510b077aed3SPierre Pronchery if (!ossl_prov_is_running() || prsactx == NULL) 511b077aed3SPierre Pronchery return 0; 512b077aed3SPierre Pronchery 513b077aed3SPierre Pronchery if (vrsa == NULL && prsactx->rsa == NULL) { 514b077aed3SPierre Pronchery ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); 
515b077aed3SPierre Pronchery return 0; 516b077aed3SPierre Pronchery } 517b077aed3SPierre Pronchery 518b077aed3SPierre Pronchery if (vrsa != NULL) { 519b077aed3SPierre Pronchery if (!RSA_up_ref(vrsa)) 520b077aed3SPierre Pronchery return 0; 521b077aed3SPierre Pronchery RSA_free(prsactx->rsa); 522b077aed3SPierre Pronchery prsactx->rsa = vrsa; 523b077aed3SPierre Pronchery } 524*e7be843bSPierre Pronchery if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect)) 525*e7be843bSPierre Pronchery return 0; 526b077aed3SPierre Pronchery 527b077aed3SPierre Pronchery prsactx->operation = operation; 528*e7be843bSPierre Pronchery prsactx->flag_allow_update = 1; 529*e7be843bSPierre Pronchery prsactx->flag_allow_final = 1; 530*e7be843bSPierre Pronchery prsactx->flag_allow_oneshot = 1; 531b077aed3SPierre Pronchery 532*e7be843bSPierre Pronchery /* Maximize up to digest length for sign, auto for verify */ 533*e7be843bSPierre Pronchery prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; 534b077aed3SPierre Pronchery prsactx->min_saltlen = -1; 535b077aed3SPierre Pronchery 536b077aed3SPierre Pronchery switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { 537b077aed3SPierre Pronchery case RSA_FLAG_TYPE_RSA: 538b077aed3SPierre Pronchery prsactx->pad_mode = RSA_PKCS1_PADDING; 539b077aed3SPierre Pronchery break; 540b077aed3SPierre Pronchery case RSA_FLAG_TYPE_RSASSAPSS: 541b077aed3SPierre Pronchery prsactx->pad_mode = RSA_PKCS1_PSS_PADDING; 542b077aed3SPierre Pronchery 543b077aed3SPierre Pronchery { 544b077aed3SPierre Pronchery const RSA_PSS_PARAMS_30 *pss = 545b077aed3SPierre Pronchery ossl_rsa_get0_pss_params_30(prsactx->rsa); 546b077aed3SPierre Pronchery 547b077aed3SPierre Pronchery if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { 548b077aed3SPierre Pronchery int md_nid = ossl_rsa_pss_params_30_hashalg(pss); 549b077aed3SPierre Pronchery int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); 550b077aed3SPierre Pronchery int min_saltlen = 
ossl_rsa_pss_params_30_saltlen(pss); 551b077aed3SPierre Pronchery const char *mdname, *mgf1mdname; 552b077aed3SPierre Pronchery size_t len; 553b077aed3SPierre Pronchery 554b077aed3SPierre Pronchery mdname = ossl_rsa_oaeppss_nid2name(md_nid); 555b077aed3SPierre Pronchery mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); 556b077aed3SPierre Pronchery 557b077aed3SPierre Pronchery if (mdname == NULL) { 558b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 559b077aed3SPierre Pronchery "PSS restrictions lack hash algorithm"); 560b077aed3SPierre Pronchery return 0; 561b077aed3SPierre Pronchery } 562b077aed3SPierre Pronchery if (mgf1mdname == NULL) { 563b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 564b077aed3SPierre Pronchery "PSS restrictions lack MGF1 hash algorithm"); 565b077aed3SPierre Pronchery return 0; 566b077aed3SPierre Pronchery } 567b077aed3SPierre Pronchery 568b077aed3SPierre Pronchery len = OPENSSL_strlcpy(prsactx->mdname, mdname, 569b077aed3SPierre Pronchery sizeof(prsactx->mdname)); 570b077aed3SPierre Pronchery if (len >= sizeof(prsactx->mdname)) { 571b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 572b077aed3SPierre Pronchery "hash algorithm name too long"); 573b077aed3SPierre Pronchery return 0; 574b077aed3SPierre Pronchery } 575b077aed3SPierre Pronchery len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, 576b077aed3SPierre Pronchery sizeof(prsactx->mgf1_mdname)); 577b077aed3SPierre Pronchery if (len >= sizeof(prsactx->mgf1_mdname)) { 578b077aed3SPierre Pronchery ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 579b077aed3SPierre Pronchery "MGF1 hash algorithm name too long"); 580b077aed3SPierre Pronchery return 0; 581b077aed3SPierre Pronchery } 582b077aed3SPierre Pronchery prsactx->saltlen = min_saltlen; 583b077aed3SPierre Pronchery 584b077aed3SPierre Pronchery /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ 585b077aed3SPierre Pronchery 
if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) 586*e7be843bSPierre Pronchery || !rsa_setup_md(prsactx, mdname, prsactx->propq, desc) 587b077aed3SPierre Pronchery || !rsa_check_parameters(prsactx, min_saltlen)) 588b077aed3SPierre Pronchery return 0; 589b077aed3SPierre Pronchery } 590b077aed3SPierre Pronchery } 591b077aed3SPierre Pronchery 592b077aed3SPierre Pronchery break; 593b077aed3SPierre Pronchery default: 594b077aed3SPierre Pronchery ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 595b077aed3SPierre Pronchery return 0; 596b077aed3SPierre Pronchery } 597b077aed3SPierre Pronchery 598*e7be843bSPierre Pronchery OSSL_FIPS_IND_SET_APPROVED(prsactx) 599*e7be843bSPierre Pronchery if (!set_ctx_params(prsactx, params)) 600b077aed3SPierre Pronchery return 0; 601*e7be843bSPierre Pronchery #ifdef FIPS_MODULE 602*e7be843bSPierre Pronchery if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx), 603*e7be843bSPierre Pronchery OSSL_FIPS_IND_SETTABLE0, prsactx->libctx, 604*e7be843bSPierre Pronchery prsactx->rsa, desc, protect)) 605*e7be843bSPierre Pronchery return 0; 606*e7be843bSPierre Pronchery #endif 607b077aed3SPierre Pronchery return 1; 608b077aed3SPierre Pronchery } 609b077aed3SPierre Pronchery 610b077aed3SPierre Pronchery static int setup_tbuf(PROV_RSA_CTX *ctx) 611b077aed3SPierre Pronchery { 612b077aed3SPierre Pronchery if (ctx->tbuf != NULL) 613b077aed3SPierre Pronchery return 1; 614*e7be843bSPierre Pronchery if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) 615b077aed3SPierre Pronchery return 0; 616b077aed3SPierre Pronchery return 1; 617b077aed3SPierre Pronchery } 618b077aed3SPierre Pronchery 619b077aed3SPierre Pronchery static void clean_tbuf(PROV_RSA_CTX *ctx) 620b077aed3SPierre Pronchery { 621b077aed3SPierre Pronchery if (ctx->tbuf != NULL) 622b077aed3SPierre Pronchery OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa)); 623b077aed3SPierre Pronchery } 624b077aed3SPierre Pronchery 625b077aed3SPierre Pronchery static 
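void free_tbuf(PROV_RSA_CTX *ctx)
{
    /*
     * Wipe the scratch buffer before releasing it, then clear the pointer so
     * that a later setup_tbuf() allocates a fresh buffer instead of reusing
     * freed memory.
     */
    clean_tbuf(ctx);
    OPENSSL_free(ctx->tbuf);
    ctx->tbuf = NULL;
}

#ifdef FIPS_MODULE
/*
 * FIPS-only check of the PSS salt length against the digest size.
 *
 * Returns 1 when |saltlen| lies in [0, digest size], or when the FIPS
 * indicator hook accepts the unapproved value (presumably depending on the
 * module configuration; confirm against OSSL_FIPS_IND_ON_UNAPPROVED).
 * Returns 0 and raises PROV_R_INVALID_SALT_LENGTH otherwise.
 */
static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx,
                                        const char *algoname, int saltlen)
{
    int mdsize = rsa_get_md_size(ctx);
    /*
     * Perform the check if the salt length is compliant to FIPS 186-5.
     *
     * According to FIPS 186-5 5.4 (g), the salt length shall be between zero
     * and the output block length of the digest function (inclusive).
     */
    int approved = (saltlen >= 0 && saltlen <= mdsize);

    if (!approved) {
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,
                                         ctx->libctx,
                                         algoname, "PSS Salt Length",
                                         ossl_fips_config_rsa_pss_saltlen_check)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
            return 0;
        }
    }

    return 1;
}
#endif

/*
 * Start a sign operation on an already digested input
 * (EVP_PKEY_OP_SIGN).  In the FIPS module the context is additionally
 * marked with verify_message = 1 before the common initialisation runs.
 */
static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

#ifdef FIPS_MODULE
    if (prsactx != NULL)
        prsactx->verify_message = 1;
#endif

    return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                               EVP_PKEY_OP_SIGN, "RSA Sign Init");
}

/*
 * Sign tbs without digesting it first.  This is suitable for "primitive"
 * signing and signing the digest of a message, i.e. should be used with
 * implementations of the keytype related algorithms.
 *
 * prsactx  signature context; it is dereferenced without a NULL check, so
 *          callers must have validated it
 * sig      output buffer, or NULL to query the required size only
 * siglen   receives the signature length (or RSA_size() when sig is NULL)
 * sigsize  capacity of |sig|; must be at least RSA_size()
 * tbs      data to sign; when a digest is configured its length must equal
 *          the digest size
 *
 * Returns 1 on success, 0 on failure with an error raised.
 */
static int rsa_sign_directly(PROV_RSA_CTX *prsactx,
                             unsigned char *sig, size_t *siglen, size_t sigsize,
                             const unsigned char *tbs, size_t tbslen)
{
    int ret;
    size_t rsasize = RSA_size(prsactx->rsa);
    size_t mdsize = rsa_get_md_size(prsactx);

    if (!ossl_prov_is_running())
        return 0;

    /* Size query: nothing is signed and |tbs| is not read. */
    if (sig == NULL) {
        *siglen = rsasize;
        return 1;
    }

    /* Refuse to write a signature into a buffer smaller than the modulus. */
    if (sigsize < rsasize) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,
                       "is %zu, should be at least %zu", sigsize, rsasize);
        return 0;
    }

    if (mdsize != 0) {
        /*
         * With a digest configured the input must be exactly one digest
         * long; this also bounds the memcpy() into tbuf further down.
         */
        if (tbslen != mdsize) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
            return 0;
        }

#ifndef FIPS_MODULE
        if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {
            unsigned int sltmp;

            if (prsactx->pad_mode != RSA_PKCS1_PADDING) {
                ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
                               "only PKCS#1 padding supported with MDC2");
                return 0;
            }
            ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,
                                             prsactx->rsa);

            if (ret <= 0) {
                ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                return 0;
            }
            ret = sltmp;
            goto end;
        }
#endif
        switch (prsactx->pad_mode) {
        case RSA_X931_PADDING:
            /* One extra byte is needed for the trailing hash identifier. */
            if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {
                /* tbslen is a size_t, so it must be printed with %zu. */
                ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,
                               "RSA key size = %d, expected minimum = %zu",
                               RSA_size(prsactx->rsa), tbslen + 1);
                return 0;
            }
            if (!setup_tbuf(prsactx)) {
                ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB);
                return 0;
            }
            memcpy(prsactx->tbuf, tbs, tbslen);
            prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);
            ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,
                                      sig, prsactx->rsa, RSA_X931_PADDING);
            /* Do not leave the encoded input behind in the context. */
            clean_tbuf(prsactx);
            break;
        case RSA_PKCS1_PADDING:
            {
                unsigned int sltmp;

                ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,
                               prsactx->rsa);
                if (ret <= 0) {
                    ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                    return 0;
                }
                ret = sltmp;
            }
            break;

        case RSA_PKCS1_PSS_PADDING:
            {
                int saltlen;

                /*
                 * Check PSS restrictions: a restricted key must not be used
                 * with a salt shorter than its configured minimum.
                 */
                if (rsa_pss_restricted(prsactx)) {
                    switch (prsactx->saltlen) {
                    case RSA_PSS_SALTLEN_DIGEST:
                        if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
                            ERR_raise_data(ERR_LIB_PROV,
                                           PROV_R_PSS_SALTLEN_TOO_SMALL,
                                           "minimum salt length set to %d, "
                                           "but the digest only gives %d",
                                           prsactx->min_saltlen,
                                           EVP_MD_get_size(prsactx->md));
                            return 0;
                        }
                        /* FALLTHRU */
                    default:
                        /*
                         * Negative values are the symbolic salt length
                         * settings and are not compared here.
                         */
                        if (prsactx->saltlen >= 0
                            && prsactx->saltlen < prsactx->min_saltlen) {
                            ERR_raise_data(ERR_LIB_PROV,
                                           PROV_R_PSS_SALTLEN_TOO_SMALL,
                                           "minimum salt length set to %d, but the "
                                           "actual salt length is only set to %d",
                                           prsactx->min_saltlen,
                                           prsactx->saltlen);
                            return 0;
                        }
                        break;
                    }
                }
                if (!setup_tbuf(prsactx))
                    return 0;
                /*
                 * saltlen is passed by pointer; presumably the helper writes
                 * back the salt length it actually used, which the FIPS
                 * check below then inspects (confirm against its definition).
                 */
                saltlen = prsactx->saltlen;
                if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
                                                         prsactx->tbuf, tbs,
                                                         prsactx->md, prsactx->mgf1_md,
                                                         &saltlen)) {
                    ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                    return 0;
                }
#ifdef FIPS_MODULE
                if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen))
                    return 0;
#endif
                /* The block in tbuf is already PSS-encoded: no padding. */
                ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
                                          sig, prsactx->rsa, RSA_NO_PADDING);
                clean_tbuf(prsactx);
            }
            break;

        default:
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
                           "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
            return 0;
        }
    } else {
        /* No digest size known: apply the private key operation to tbs as is. */
        ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,
                                  prsactx->pad_mode);
    }

#ifndef FIPS_MODULE
 end:
#endif
    if (ret <= 0) {
        ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
        return 0;
    }

    *siglen = ret;
    return 1;
}

/*
 * Feed message data into the digest context shared by the sign-message and
 * verify-message flows.  Fails when no digest context exists or when an
 * update is not allowed in the current state; a successful call also rules
 * out a later one-shot call on the same context.
 */
static int rsa_signverify_message_update(void *vprsactx,
                                         const unsigned char *data,
                                         size_t datalen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx == NULL || prsactx->mdctx == NULL)
        return 0;

    if (!prsactx->flag_allow_update) {
        ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER);
        return 0;
    }
    prsactx->flag_allow_oneshot = 0;

    return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
}

/*
 * Finish a sign-message operation: finalise the digest and sign it.
 * With sig == NULL only the signature size is reported and the digest state
 * and the call-ordering flags are left untouched.
 */
static int rsa_sign_message_final(void *vprsactx, unsigned char *sig,
                                  size_t *siglen, size_t sigsize)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    unsigned char digest[EVP_MAX_MD_SIZE];
    unsigned int dlen = 0;

    if (!ossl_prov_is_running() || prsactx == NULL)
        return 0;
    if (prsactx->mdctx == NULL)
        return 0;
    if (!prsactx->flag_allow_final) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
        return 0;
    }

    /*
     * If sig is NULL then we're just finding out the sig size. Other fields
     * are ignored. Defer to rsa_sign.
     */
    if (sig != NULL) {
        /*
         * The digests used here are all known (see rsa_get_md_nid()), so they
         * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
         */
        if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
            return 0;

        /* The digest is consumed: no further call is valid on this state. */
        prsactx->flag_allow_update = 0;
        prsactx->flag_allow_oneshot = 0;
        prsactx->flag_allow_final = 0;
    }

    /*
     * In the size-query case |digest| is uninitialised and dlen is 0;
     * rsa_sign_directly() returns before reading it when sig is NULL.
     */
    return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen);
}

/*
 * If signing a message, digest tbs and sign the result.
 * Otherwise, sign tbs directly.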
*/
static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
                    size_t sigsize, const unsigned char *tbs, size_t tbslen)
{
    PROV_RSA_CTX *ctx = vprsactx;

    if (ctx == NULL || !ossl_prov_is_running())
        return 0;

    /* A one-shot call is refused once the streaming interface was used. */
    if (!ctx->flag_allow_oneshot) {
        ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);
        return 0;
    }

    /* Anything but the sign-message operation takes tbs as it is. */
    if (ctx->operation != EVP_PKEY_OP_SIGNMSG)
        return rsa_sign_directly(ctx, sig, siglen, sigsize, tbs, tbslen);

    /*
     * A NULL |sig| is only a request for the signature length, so the
     * input must NOT be fed into the digest in that case.
     */
    if (sig == NULL)
        return rsa_sign_message_final(ctx, sig, siglen, sigsize);

    if (!rsa_signverify_message_update(ctx, tbs, tbslen))
        return 0;
    return rsa_sign_message_final(ctx, sig, siglen, sigsize) ? 1 : 0;
}

/*
 * Start a verify-recover operation.  In the FIPS module the context is
 * first marked with verify_message = 0; everything else is left to the
 * common sign/verify initialisation.
 */
static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
                                   const OSSL_PARAM params[])
{
    PROV_RSA_CTX *ctx = vprsactx;

#ifdef FIPS_MODULE
    if (ctx != NULL)
        ctx->verify_message = 0;
#endif

    return rsa_signverify_init(ctx, vrsa, rsa_set_ctx_params, params,
                               EVP_PKEY_OP_VERIFYRECOVER,
                               "RSA VerifyRecover Init");
}

/*
 * There is no message variant of verify recover, so no need for
 * 'rsa_verify_recover_directly', just use this function, er, directly.
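*/
/*
 * Recover the signed data from |sig| with the public key.
 *
 * rout      output buffer, or NULL to query the size (RSA_size())
 * routlen   receives the number of recovered bytes
 * routsize  capacity of |rout|; only the X9.31 path checks it, see the
 *           review notes below
 *
 * Returns 1 on success, 0 on failure.
 */
static int rsa_verify_recover(void *vprsactx,
                              unsigned char *rout, size_t *routlen,
                              size_t routsize,
                              const unsigned char *sig, size_t siglen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    int ret;

    /* Reject a missing context as rsa_sign() and rsa_verify() do. */
    if (!ossl_prov_is_running() || prsactx == NULL)
        return 0;

    if (rout == NULL) {
        *routlen = RSA_size(prsactx->rsa);
        return 1;
    }

    if (prsactx->md != NULL) {
        switch (prsactx->pad_mode) {
        case RSA_X931_PADDING:
            if (!setup_tbuf(prsactx))
                return 0;
            ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
                                     RSA_X931_PADDING);
            if (ret < 1) {
                ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                return 0;
            }
            /* The last recovered byte is the hash identifier. */
            ret--;
            if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);
                return 0;
            }
            if (ret != EVP_MD_get_size(prsactx->md)) {
                ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
                               "Should be %d, but got %d",
                               EVP_MD_get_size(prsactx->md), ret);
                return 0;
            }

            *routlen = ret;
            /*
             * rsa_verify_directly() passes tbuf itself as |rout| (with
             * routsize 0); no copy and no size check is needed then.
             */
            if (rout != prsactx->tbuf) {
                if (routsize < (size_t)ret) {
                    /* routsize is a size_t, so it must be printed with %zu. */
                    ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
                                   "buffer size is %zu, should be %d",
                                   routsize, ret);
                    return 0;
                }
                memcpy(rout, prsactx->tbuf, ret);
            }
            break;

        case RSA_PKCS1_PADDING:
            {
                size_t sltmp;

                /*
                 * NOTE(review): routsize is not consulted on this path and
                 * the callee writes into |rout|; confirm that callers
                 * always supply a large enough buffer.
                 */
                ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,
                                      sig, siglen, prsactx->rsa);
                if (ret <= 0) {
                    ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                    return 0;
                }
                ret = sltmp;
            }
            break;

        default:
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
                           "Only X.931 or PKCS#1 v1.5 padding allowed");
            return 0;
        }
    } else {
        /*
         * NOTE(review): routsize is not consulted here either; the result
         * is written straight into |rout|.
         */
        ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,
                                 prsactx->pad_mode);
        if (ret < 0) {
            ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
            return 0;
        }
    }
    *routlen = ret;
    return 1;
}

/*
 * Start a verify operation on an already digested input
 * (EVP_PKEY_OP_VERIFY).  In the FIPS module the context is additionally
 * marked with verify_message = 0 before the common initialisation runs.
 */
static int rsa_verify_init(void *vprsactx, void *vrsa,
                           const OSSL_PARAM params[])
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

#ifdef FIPS_MODULE
    if (prsactx != NULL)
        prsactx->verify_message = 0;
#endif

    return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                               EVP_PKEY_OP_VERIFY, "RSA Verify Init");
}

/*
 * Verify |sig| against |tbs| without digesting |tbs| first.
 *
 * The context is dereferenced without a NULL check, so callers must have
 * validated it.  Returns 1 when the signature matches, 0 otherwise.
 */
static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
                               const unsigned char *sig, size_t siglen,
                               const unsigned char *tbs, size_t tbslen)
{
    size_t rslen;

    if (!ossl_prov_is_running())
        return 0;
    if (prsactx->md != NULL) {
        switch (prsactx->pad_mode) {
        case RSA_PKCS1_PADDING:
            if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,
                            prsactx->rsa)) {
                ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                return 0;
            }
            return 1;
        case RSA_X931_PADDING:
            if (!setup_tbuf(prsactx))
                return 0;
            /*
             * Recover into tbuf itself; the recovered bytes are compared
             * with tbs at the end of this function.
             */
            if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,
                                   sig, siglen) <= 0)
                return 0;
            break;
        case RSA_PKCS1_PSS_PADDING:
            {
                int ret;
                int saltlen;
                size_t mdsize;

                /*
                 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1()
                 * call
                 */
                mdsize = rsa_get_md_size(prsactx);
                if (tbslen != mdsize) {
                    /* Both values are size_t, so %zu is required. */
                    ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
                                   "Should be %zu, but got %zu",
                                   mdsize, tbslen);
                    return 0;
                }

                if (!setup_tbuf(prsactx))
                    return 0;
                ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,
                                         prsactx->rsa, RSA_NO_PADDING);
                if (ret <= 0) {
                    ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                    return 0;
                }
                /*
                 * saltlen is passed by pointer; presumably the helper
                 * writes back the salt length it found, which the FIPS
                 * check below then inspects (confirm against its definition).
                 */
                saltlen = prsactx->saltlen;
                ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
                                                     prsactx->md, prsactx->mgf1_md,
                                                     prsactx->tbuf,
                                                     &saltlen);
                if (ret <= 0) {
                    ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                    return 0;
                }
#ifdef FIPS_MODULE
                if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen))
                    return 0;
#endif
                return 1;
            }
        default:
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
                           "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
            return 0;
        }
    } else {
        int ret;

        if (!setup_tbuf(prsactx))
            return 0;
        ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
                                 prsactx->pad_mode);
        if (ret <= 0) {
            ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
            return 0;
        }
        rslen = (size_t)ret;
    }

    /*
     * Reached by the X9.31 and the no-digest paths only: the bytes
     * recovered with the public key must equal tbs exactly.
     */
    if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))
        return 0;

    return 1;
}

/*
 * Hand the signature to the context through the
 * OSSL_SIGNATURE_PARAM_SIGNATURE parameter.  The const qualifier is cast
 * away only because the parameter constructor takes a non-const pointer.
 */
static int rsa_verify_set_sig(void *vprsactx,
                              const unsigned char *sig, size_t siglen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    OSSL_PARAM params[2];

    params[0] =
        OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE,
                                          (unsigned char *)sig, siglen);
    params[1] = OSSL_PARAM_construct_end();
    return rsa_sigalg_set_ctx_params(prsactx, params);
}

/*
 * Finish a verify-message operation: finalise the digest and verify the
 * signature stored in the context against it.
 */
static int rsa_verify_message_final(void *vprsactx)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    unsigned char digest[EVP_MAX_MD_SIZE];
    unsigned int dlen = 0;

    if (!ossl_prov_is_running() || prsactx == NULL)
        return 0;
    if (prsactx->mdctx == NULL)
        return 0;
    if (!prsactx->flag_allow_final) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
        return 0;
    }

    /*
     * The digests used here are all known (see rsa_get_md_nid()), so they
     * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
     */
    if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
        return 0;

    /* The digest is consumed: no further call is valid on this state. */
    prsactx->flag_allow_update = 0;
    prsactx->flag_allow_final = 0;
    prsactx->flag_allow_oneshot = 0;

    return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen,
                               digest, dlen);
}

/*
 * If verifying a message, digest tbs and verify the result.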
1163*e7be843bSPierre Pronchery * Otherwise, verify tbs directly. 1164*e7be843bSPierre Pronchery */ 1165*e7be843bSPierre Pronchery static int rsa_verify(void *vprsactx, 1166*e7be843bSPierre Pronchery const unsigned char *sig, size_t siglen, 1167*e7be843bSPierre Pronchery const unsigned char *tbs, size_t tbslen) 1168b077aed3SPierre Pronchery { 1169b077aed3SPierre Pronchery PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1170b077aed3SPierre Pronchery 1171*e7be843bSPierre Pronchery if (!ossl_prov_is_running() || prsactx == NULL) 1172b077aed3SPierre Pronchery return 0; 1173*e7be843bSPierre Pronchery if (!prsactx->flag_allow_oneshot) { 1174*e7be843bSPierre Pronchery ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); 1175*e7be843bSPierre Pronchery return 0; 1176*e7be843bSPierre Pronchery } 1177b077aed3SPierre Pronchery 1178*e7be843bSPierre Pronchery if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) 1179*e7be843bSPierre Pronchery return rsa_verify_set_sig(prsactx, sig, siglen) 1180*e7be843bSPierre Pronchery && rsa_signverify_message_update(prsactx, tbs, tbslen) 1181*e7be843bSPierre Pronchery && rsa_verify_message_final(prsactx); 1182*e7be843bSPierre Pronchery return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen); 1183*e7be843bSPierre Pronchery } 1184*e7be843bSPierre Pronchery 1185*e7be843bSPierre Pronchery /* DigestSign/DigestVerify wrappers */ 1186*e7be843bSPierre Pronchery 1187*e7be843bSPierre Pronchery static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, 1188*e7be843bSPierre Pronchery void *vrsa, const OSSL_PARAM params[], 1189*e7be843bSPierre Pronchery int operation, const char *desc) 1190*e7be843bSPierre Pronchery { 1191*e7be843bSPierre Pronchery PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1192*e7be843bSPierre Pronchery 1193*e7be843bSPierre Pronchery #ifdef FIPS_MODULE 1194*e7be843bSPierre Pronchery if (prsactx != NULL) 1195*e7be843bSPierre Pronchery prsactx->verify_message = 1; 1196*e7be843bSPierre Pronchery #endif 
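/* rsa_digest_signverify_init(), continued: its signature and local declarations come before this point. */

    if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
                             operation, desc))
        return 0;

    if (mdname != NULL
        /* was rsa_setup_md already called in rsa_signverify_init()? */
        && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0)
        && !rsa_setup_md(prsactx, mdname, prsactx->propq, desc))
        return 0;

    prsactx->flag_allow_md = 0;

    if (prsactx->mdctx == NULL) {
        prsactx->mdctx = EVP_MD_CTX_new();
        if (prsactx->mdctx == NULL)
            goto error;
    }

    if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
        goto error;

    return 1;

 error:
    EVP_MD_CTX_free(prsactx->mdctx);
    prsactx->mdctx = NULL;
    return 0;
}

/*
 * DigestSign init entry point.  Refuses to run while the provider is not
 * running, otherwise defers to rsa_digest_signverify_init() with
 * EVP_PKEY_OP_SIGNMSG.
 *
 * Returns 1 on success, 0 on failure.
 */
static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
                                void *vrsa, const OSSL_PARAM params[])
{
    if (!ossl_prov_is_running())
        return 0;
    return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
                                      params, EVP_PKEY_OP_SIGNMSG,
                                      "RSA Digest Sign Init");
}

/*
 * DigestSign update: passes |datalen| bytes at |data| on to
 * rsa_signverify_message_update().
 *
 * Returns 0 for a NULL context or a context flagged as a sigalg
 * implementation, otherwise the result of the message update.
 */
static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data,
                                  size_t datalen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx == NULL)
        return 0;
    /* Sigalg implementations shouldn't do digest_sign */
    if (prsactx->flag_sigalg)
        return 0;

    return rsa_signverify_message_update(prsactx, data, datalen);
}

/*
 * DigestSign final: produces the signature through rsa_sign_message_final().
 *
 * |sig|, |siglen| and |sigsize| are handed to rsa_sign_message_final()
 * unchanged.  Returns 1 on success, 0 on failure.
 */
static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
                                 size_t *siglen, size_t sigsize)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    int ok = 0;

    if (prsactx == NULL)
        return 0;
    /* Sigalg implementations shouldn't do digest_sign */
    if (prsactx->flag_sigalg)
        return 0;

    if (rsa_sign_message_final(prsactx, sig, siglen, sigsize))
        ok = 1;

    /*
     * Re-open the digest setting whether or not signing succeeded; it was
     * closed by rsa_digest_signverify_init() for the duration of the
     * operation (see rsa_settable_ctx_params()).
     */
    prsactx->flag_allow_md = 1;

    return ok;
}

/*
 * DigestVerify init entry point.  Refuses to run while the provider is not
 * running, otherwise defers to rsa_digest_signverify_init() with
 * EVP_PKEY_OP_VERIFYMSG.
 *
 * Returns 1 on success, 0 on failure.
 */
static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
                                  void *vrsa, const OSSL_PARAM params[])
{
    if (!ossl_prov_is_running())
        return 0;
    return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
                                      params, EVP_PKEY_OP_VERIFYMSG,
                                      "RSA Digest Verify Init");
}

/*
 * DigestVerify update: passes |datalen| bytes at |data| on to
 * rsa_signverify_message_update().
 *
 * Returns 0 for a NULL context or a context flagged as a sigalg
 * implementation, otherwise the result of the message update.
 */
static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data,
                                    size_t datalen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx == NULL)
        return 0;
    /* Sigalg implementations shouldn't do digest_verify */
    if (prsactx->flag_sigalg)
        return 0;

    return rsa_signverify_message_update(prsactx, data, datalen);
}

/*
 * DigestVerify final: stores the candidate signature with
 * rsa_verify_set_sig() and checks it with rsa_verify_message_final().
 *
 * Returns 1 only when both steps succeed; every other outcome is 0, so a
 * caller must treat anything but 1 as "not verified".
 */
int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
                            size_t siglen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    int ok = 0;

    if (prsactx == NULL)
        return 0;
    /* Sigalg implementations shouldn't do digest_verify */
    if (prsactx->flag_sigalg)
        return 0;

    if (rsa_verify_set_sig(prsactx, sig, siglen)
        && rsa_verify_message_final(vprsactx))
        ok = 1;

    /* Re-open the digest setting whether or not verification succeeded. */
    prsactx->flag_allow_md = 1;

    return ok;
}

/*
 * Releases a signature context.  A NULL context is ignored.
 *
 * The digest context, both digest references, the stored signature, the
 * property query string, the temporary buffer and the RSA key reference
 * are released first; the structure itself goes through
 * OPENSSL_clear_free() so its contents are wiped before the memory is
 * returned.
 */
static void rsa_freectx(void *vprsactx)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx == NULL)
        return;

    EVP_MD_CTX_free(prsactx->mdctx);
    EVP_MD_free(prsactx->md);
    EVP_MD_free(prsactx->mgf1_md);
    OPENSSL_free(prsactx->sig);
    OPENSSL_free(prsactx->propq);
    free_tbuf(prsactx);
    RSA_free(prsactx->rsa);

    OPENSSL_clear_free(prsactx, sizeof(*prsactx));
}

/*
 * Duplicates a signature context.
 *
 * The key and the two digests are shared by reference count, the digest
 * context and the property query string are deep-copied, and the temporary
 * buffer is left unset in the copy.
 *
 * Returns the new context, or NULL when the provider is not running, the
 * source is NULL, or any allocation / reference / copy step fails.
 */
static void *rsa_dupctx(void *vprsactx)
{
    PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
    PROV_RSA_CTX *dstctx;

    /* A NULL source would be dereferenced by the struct copy below */
    if (!ossl_prov_is_running() || srcctx == NULL)
        return NULL;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    /*
     * The struct copy duplicates every pointer, so the owned members are
     * reset here and re-acquired one by one below.  That keeps the err
     * path safe: rsa_freectx() only ever sees members the copy really owns.
     *
     * NOTE(review): rsa_freectx() releases ->sig with OPENSSL_free(), but
     * ->sig is neither reset nor copied here, so after the struct copy both
     * contexts appear to hold the same buffer.  If ->sig can be non-NULL
     * when a context is duplicated, freeing both contexts (or taking the
     * err path below) would free it twice.  Confirm against the
     * PROV_RSA_CTX definition and give the copy its own buffer.
     */
    *dstctx = *srcctx;
    dstctx->rsa = NULL;
    dstctx->md = NULL;
    dstctx->mgf1_md = NULL;
    dstctx->mdctx = NULL;
    dstctx->tbuf = NULL;
    dstctx->propq = NULL;

    if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))
        goto err;
    dstctx->rsa = srcctx->rsa;

    if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
        goto err;
    dstctx->md = srcctx->md;

    if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))
        goto err;
    dstctx->mgf1_md = srcctx->mgf1_md;

    if (srcctx->mdctx != NULL) {
        dstctx->mdctx = EVP_MD_CTX_new();
        if (dstctx->mdctx == NULL
                || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
            goto err;
    }

    if (srcctx->propq != NULL) {
        dstctx->propq = OPENSSL_strdup(srcctx->propq);
        if (dstctx->propq == NULL)
            goto err;
    }

    return dstctx;
 err:
    rsa_freectx(dstctx);
    return NULL;
}

/*
 * Fills in the context parameters the caller asked for in |params|:
 * algorithm identifier, padding mode, digest name, MGF1 digest name and
 * PSS salt length, plus the FIPS-only entries.  Padding mode and salt
 * length are reported as an integer or as text, depending on the data type
 * of the request.
 *
 * Returns 1 on success, 0 on a NULL context or when any requested value
 * cannot be produced or stored.
 */
static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    OSSL_PARAM *p;

    if (prsactx == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
    if (p != NULL) {
        /* The Algorithm Identifier of the combined signature algorithm */
        unsigned char aid_buf[128];
        unsigned char *aid;
        size_t aid_len;

        aid = rsa_generate_signature_aid(prsactx, aid_buf,
                                         sizeof(aid_buf), &aid_len);
        if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len))
            return 0;
    }

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
    if (p != NULL) {
        switch (p->data_type) {
        case OSSL_PARAM_INTEGER:
            if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))
                return 0;
            break;
        case OSSL_PARAM_UTF8_STRING:
            {
                int i;
                const char *word = NULL;

                for (i = 0; padding_item[i].id != 0; i++) {
                    if (prsactx->pad_mode == (int)padding_item[i].id) {
                        word = padding_item[i].ptr;
                        break;
                    }
                }

                if (word != NULL) {
                    if (!OSSL_PARAM_set_utf8_string(p, word))
                        return 0;
                } else {
                    /*
                     * The stored padding mode has no name in padding_item.
                     * Fail the request instead of reporting success with
                     * the parameter left unset.
                     */
                    ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
                    return 0;
                }
            }
            break;
        default:
            return 0;
        }
    }

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
    if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
    if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
    if (p != NULL) {
        if (p->data_type == OSSL_PARAM_INTEGER) {
            if (!OSSL_PARAM_set_int(p, prsactx->saltlen))
                return 0;
        } else if (p->data_type == OSSL_PARAM_UTF8_STRING) {
            const char *value = NULL;

            /* The special salt lengths are reported by name ... */
            switch (prsactx->saltlen) {
            case RSA_PSS_SALTLEN_DIGEST:
                value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;
                break;
            case RSA_PSS_SALTLEN_MAX:
                value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;
                break;
            case RSA_PSS_SALTLEN_AUTO:
                value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
                break;
            case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
                value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;
                break;
            default:
                {
                    /*
                     * ... anything else is written as decimal text straight
                     * into the caller's buffer, bounded by its data_size.
                     */
                    int len = BIO_snprintf(p->data, p->data_size, "%d",
                                           prsactx->saltlen);

                    if (len <= 0)
                        return 0;
                    p->return_size = len;
                    break;
                }
            }
            if (value != NULL
                && !OSSL_PARAM_set_utf8_string(p, value))
                return 0;
        }
    }

#ifdef FIPS_MODULE
    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);
    if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message))
        return 0;
#endif

    if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params))
        return 0;
    return 1;
}

/* Parameters that rsa_get_ctx_params() can report. */
static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
#ifdef FIPS_MODULE
    OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),
#endif
    OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
    OSSL_PARAM_END
};

/* Returns the fixed table of gettable parameters; both arguments are unused. */
static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
                                                 ossl_unused void *provctx)
{
    return known_gettable_ctx_params;
}

#ifdef FIPS_MODULE
/*
 * Decides whether X9.31 padding may be used with the context's current
 * operation in the FIPS module.
 *
 * The choice counts as approved when the EVP_PKEY_OP_SIGN bit is not set
 * in ctx->operation.  Otherwise the FIPS indicator is consulted through
 * OSSL_FIPS_IND_ON_UNAPPROVED(); if that refuses, an error is raised and 0
 * is returned.  Returns 1 when the padding may be used.
 *
 * NOTE(review): only EVP_PKEY_OP_SIGN is tested, while the digest-sign
 * entry point in this file initialises with EVP_PKEY_OP_SIGNMSG and the
 * PSS check in rsa_set_ctx_params() lists the two bits separately.
 * Confirm whether message signing is meant to be covered by this
 * restriction as well.
 */
static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx)
{
    int approved = ((ctx->operation & EVP_PKEY_OP_SIGN) == 0);

    if (!approved) {
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
                                         ctx->libctx,
                                         "RSA Sign set ctx", "X931 Padding",
                                         ossl_fips_config_rsa_sign_x931_disallowed)) {
            ERR_raise(ERR_LIB_PROV,
                      PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
            return 0;
        }
    }
    return 1;
}
#endif

/*
 * Applies caller-supplied settings to the signature context: FIPS indicator
 * switches, digest (with optional properties), padding mode, PSS salt
 * length and MGF1 digest (with optional properties).
 *
 * Padding mode and salt length are validated on local copies and written
 * back to the context only after every check has passed.  The digests are
 * set up last.
 *
 * Returns 1 on success (including an empty |params|), 0 on a NULL context
 * or any rejected value.
 */
static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    const OSSL_PARAM *p;
    int pad_mode;
    int saltlen;
    char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL;
    char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL;
    char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;
    char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;

    if (prsactx == NULL)
        return 0;
    if (ossl_param_is_empty(params))
        return 1;

    if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
                                     OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK))
        return 0;

    if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params,
                                     OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK))
        return 0;

    if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, params,
                                     OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK))
        return 0;

    if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, params,
                                     OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK))
        return 0;

    /* Work on copies so a rejected request leaves the context unchanged */
    pad_mode = prsactx->pad_mode;
    saltlen = prsactx->saltlen;

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
    if (p != NULL) {
        const OSSL_PARAM *propsp =
            OSSL_PARAM_locate_const(params,
                                    OSSL_SIGNATURE_PARAM_PROPERTIES);

        /* Copy into the fixed-size local buffers; oversized input fails */
        pmdname = mdname;
        if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
            return 0;

        if (propsp != NULL) {
            pmdprops = mdprops;
            if (!OSSL_PARAM_get_utf8_string(propsp,
                                            &pmdprops, sizeof(mdprops)))
                return 0;
        }
    }

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
    if (p != NULL) {
        const char *err_extra_text = NULL;

        switch (p->data_type) {
        case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
            if (!OSSL_PARAM_get_int(p, &pad_mode))
                return 0;
            break;
        case OSSL_PARAM_UTF8_STRING:
            {
                int i;

                if (p->data == NULL)
                    return 0;

                /*
                 * NOTE(review): a name that matches no padding_item entry
                 * leaves pad_mode at the context's current value, so an
                 * unknown padding name is not rejected here; only the
                 * current mode is re-validated below.
                 */
                for (i = 0; padding_item[i].id != 0; i++) {
                    if (strcmp(p->data, padding_item[i].ptr) == 0) {
                        pad_mode = padding_item[i].id;
                        break;
                    }
                }
            }
            break;
        default:
            return 0;
        }

        switch (pad_mode) {
        case RSA_PKCS1_OAEP_PADDING:
            /*
             * OAEP padding is for asymmetric cipher only so is not compatible
             * with signature use.
             */
            err_extra_text = "OAEP padding not allowed for signing / verifying";
            goto bad_pad;
        case RSA_PKCS1_PSS_PADDING:
            if ((prsactx->operation
                 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG
                    | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {
                err_extra_text =
                    "PSS padding only allowed for sign and verify operations";
                goto bad_pad;
            }
            break;
        case RSA_PKCS1_PADDING:
            err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";
            goto cont;
        case RSA_NO_PADDING:
            err_extra_text = "No padding not allowed with RSA-PSS";
            goto cont;
        case RSA_X931_PADDING:
#ifdef FIPS_MODULE
            /* X9.31 only allows sizes of 1024 + 256 * s (bits) */
            if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) {
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
                return 0;
            }
            /* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */
            if (!rsa_x931_padding_allowed(prsactx))
                return 0;
#endif
            err_extra_text = "X.931 padding not allowed with RSA-PSS";
        cont:
            /* The non-PSS paddings are accepted for plain RSA keys only */
            if (RSA_test_flags(prsactx->rsa,
                               RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
                break;
            /* FALLTHRU */
        default:
        bad_pad:
            if (err_extra_text == NULL)
                ERR_raise(ERR_LIB_PROV,
                          PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
            else
                ERR_raise_data(ERR_LIB_PROV,
                               PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
                               err_extra_text);
            return 0;
        }
    }

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
    if (p != NULL) {
        if (pad_mode != RSA_PKCS1_PSS_PADDING) {
            ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
                           "PSS saltlen can only be specified if "
                           "PSS padding has been specified first");
            return 0;
        }

        switch (p->data_type) {
        case OSSL_PARAM_INTEGER: /* Support for legacy salt length number */
            if (!OSSL_PARAM_get_int(p, &saltlen))
                return 0;
            break;
        case OSSL_PARAM_UTF8_STRING:
            /* Same guard as for the pad mode string: strcmp() needs data */
            if (p->data == NULL)
                return 0;

            if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)
                saltlen = RSA_PSS_SALTLEN_DIGEST;
            else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)
                saltlen = RSA_PSS_SALTLEN_MAX;
            else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
                saltlen = RSA_PSS_SALTLEN_AUTO;
            else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
                saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
            else
                /*
                 * NOTE(review): atoi() reports no errors, so text that is
                 * not a number is taken as salt length 0 rather than being
                 * rejected.  A strtol()-based parse with end-pointer and
                 * range checks would make bad input fail closed.
                 */
                saltlen = atoi(p->data);
            break;
        default:
            return 0;
        }

        /*
         * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.
         * Contrary to what its name suggests, it's the currently lowest
         * saltlen number possible.
         */
        if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
            return 0;
        }

        if (rsa_pss_restricted(prsactx)) {
            switch (saltlen) {
            case RSA_PSS_SALTLEN_AUTO:
            case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
                /* Autodetection is accepted for verification only */
                if ((prsactx->operation
                     & (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {
                    ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
                                   "Cannot use autodetected salt length");
                    return 0;
                }
                break;
            case RSA_PSS_SALTLEN_DIGEST:
                if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
                    ERR_raise_data(ERR_LIB_PROV,
                                   PROV_R_PSS_SALTLEN_TOO_SMALL,
                                   "Should be more than %d, but would be "
                                   "set to match digest size (%d)",
                                   prsactx->min_saltlen,
                                   EVP_MD_get_size(prsactx->md));
                    return 0;
                }
                break;
            default:
                if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {
                    ERR_raise_data(ERR_LIB_PROV,
                                   PROV_R_PSS_SALTLEN_TOO_SMALL,
                                   "Should be more than %d, "
                                   "but would be set to %d",
                                   prsactx->min_saltlen, saltlen);
                    return 0;
                }
            }
        }
    }

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
    if (p != NULL) {
        const OSSL_PARAM *propsp =
            OSSL_PARAM_locate_const(params,
                                    OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);

        pmgf1mdname = mgf1mdname;
        if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname)))
            return 0;

        if (propsp != NULL) {
            pmgf1mdprops = mgf1mdprops;
            if (!OSSL_PARAM_get_utf8_string(propsp,
                                            &pmgf1mdprops, sizeof(mgf1mdprops)))
                return 0;
        }

        /* An MGF1 digest only has a meaning with PSS padding */
        if (pad_mode != RSA_PKCS1_PSS_PADDING) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);
            return 0;
        }
    }

    prsactx->saltlen = saltlen;
    prsactx->pad_mode = pad_mode;

    /*
     * PSS with no digest chosen anywhere falls back to
     * RSA_DEFAULT_DIGEST_NAME, which this file defines as SHA-1.  Callers
     * that need a stronger digest have to set OSSL_SIGNATURE_PARAM_DIGEST
     * explicitly.
     */
    if (prsactx->md == NULL && pmdname == NULL
        && pad_mode == RSA_PKCS1_PSS_PADDING)
        pmdname = RSA_DEFAULT_DIGEST_NAME;

    if (pmgf1mdname != NULL
        && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
        return 0;

    if (pmdname != NULL) {
        if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx"))
            return 0;
    } else {
        if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid))
            return 0;
    }
    return 1;
}

/* Settable parameters while the digest may still be chosen. */
static const OSSL_PARAM settable_ctx_params[] = {
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
    OSSL_PARAM_END
};

/* The same list without the digest name and its properties. */
static const OSSL_PARAM settable_ctx_params_no_digest[] = {
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
    OSSL_PARAM_END
};

/*
 * Reports which parameters may currently be set.  While flag_allow_md is
 * clear (between a digest sign/verify init and its final) the digest
 * entries are left out; a NULL context gets the full list.
 */
static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx,
                                                 ossl_unused void *provctx)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx != NULL && !prsactx->flag_allow_md)
        return settable_ctx_params_no_digest;
    return settable_ctx_params;
}

/*
 * Forwards a parameter query to the digest context.
 * Returns 0 when the context is NULL or has no digest context.
 */
static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    /* NULL guard added for consistency with the other entry points */
    if (prsactx == NULL || prsactx->mdctx == NULL)
        return 0;

    return EVP_MD_CTX_get_params(prsactx->mdctx, params);
}

/*
 * Returns the gettable digest-context parameters of the selected digest,
 * or NULL when the context is NULL or no digest is selected.
 */
static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx == NULL || prsactx->md == NULL)
        return NULL;

    return EVP_MD_gettable_ctx_params(prsactx->md);
}

/*
 * Forwards parameter settings to the digest context.
 * Returns 0 when the context is NULL or has no digest context.
 */
static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx == NULL || prsactx->mdctx == NULL)
        return 0;

    return EVP_MD_CTX_set_params(prsactx->mdctx, params);
}

/*
 * Returns the settable digest-context parameters of the selected digest,
 * or NULL when the context is NULL or no digest is selected.
 */
static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx == NULL || prsactx->md == NULL)
        return NULL;

    return EVP_MD_settable_ctx_params(prsactx->md);
}

/*
 * Dispatch table for the RSA signature implementation: maps each
 * OSSL_FUNC_SIGNATURE_* identifier to its function in this file.
 */
const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
    { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
    { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },
    { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },
    { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,
      (void (*)(void))rsa_verify_recover_init },
    { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,
      (void (*)(void))rsa_verify_recover },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
      (void (*)(void))rsa_digest_sign_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
      (void (*)(void))rsa_digest_sign_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
      (void (*)(void))rsa_digest_sign_final },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
      (void (*)(void))rsa_digest_verify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
      (void (*)(void))rsa_digest_verify_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
      (void (*)(void))rsa_digest_verify_final },
    { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },
    { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
      (void (*)(void))rsa_gettable_ctx_params },
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
      (void (*)(void))rsa_settable_ctx_params },
    { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
      (void (*)(void))rsa_get_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
      (void (*)(void))rsa_gettable_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
      (void (*)(void))rsa_set_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
      (void (*)(void))rsa_settable_ctx_md_params },
    OSSL_DISPATCH_END
};

/* ------------------------------------------------------------------ */

/*
 * So called sigalgs (composite RSA+hash) implemented below.  They
 * are pretty much hard coded, and rely on the hash implementation
 * being available as per what OPENSSL_NO_ macros allow.
 */

static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;
static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;

/*
 * rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(),
 * just doesn't allow fetching an MD from whatever the user chooses.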
1917*e7be843bSPierre Pronchery */ 1918*e7be843bSPierre Pronchery static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa, 1919*e7be843bSPierre Pronchery OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, 1920*e7be843bSPierre Pronchery const OSSL_PARAM params[], 1921*e7be843bSPierre Pronchery const char *mdname, 1922*e7be843bSPierre Pronchery int operation, int pad_mode, 1923*e7be843bSPierre Pronchery const char *desc) 1924*e7be843bSPierre Pronchery { 1925*e7be843bSPierre Pronchery PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1926*e7be843bSPierre Pronchery 1927*e7be843bSPierre Pronchery if (!ossl_prov_is_running()) 1928*e7be843bSPierre Pronchery return 0; 1929*e7be843bSPierre Pronchery 1930*e7be843bSPierre Pronchery if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation, 1931*e7be843bSPierre Pronchery desc)) 1932*e7be843bSPierre Pronchery return 0; 1933*e7be843bSPierre Pronchery 1934*e7be843bSPierre Pronchery /* PSS is currently not supported as a sigalg */ 1935*e7be843bSPierre Pronchery if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { 1936*e7be843bSPierre Pronchery ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 1937*e7be843bSPierre Pronchery return 0; 1938*e7be843bSPierre Pronchery } 1939*e7be843bSPierre Pronchery 1940*e7be843bSPierre Pronchery if (!rsa_setup_md(prsactx, mdname, NULL, desc)) 1941*e7be843bSPierre Pronchery return 0; 1942*e7be843bSPierre Pronchery 1943*e7be843bSPierre Pronchery prsactx->pad_mode = pad_mode; 1944*e7be843bSPierre Pronchery prsactx->flag_sigalg = 1; 1945*e7be843bSPierre Pronchery prsactx->flag_allow_md = 0; 1946*e7be843bSPierre Pronchery 1947*e7be843bSPierre Pronchery if (prsactx->mdctx == NULL) { 1948*e7be843bSPierre Pronchery prsactx->mdctx = EVP_MD_CTX_new(); 1949*e7be843bSPierre Pronchery if (prsactx->mdctx == NULL) 1950*e7be843bSPierre Pronchery goto error; 1951*e7be843bSPierre Pronchery } 1952*e7be843bSPierre Pronchery 1953*e7be843bSPierre Pronchery if 
(!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) 1954*e7be843bSPierre Pronchery goto error; 1955*e7be843bSPierre Pronchery 1956*e7be843bSPierre Pronchery return 1; 1957*e7be843bSPierre Pronchery 1958*e7be843bSPierre Pronchery error: 1959*e7be843bSPierre Pronchery EVP_MD_CTX_free(prsactx->mdctx); 1960*e7be843bSPierre Pronchery prsactx->mdctx = NULL; 1961*e7be843bSPierre Pronchery return 0; 1962*e7be843bSPierre Pronchery } 1963*e7be843bSPierre Pronchery 1964*e7be843bSPierre Pronchery static const char **rsa_sigalg_query_key_types(void) 1965*e7be843bSPierre Pronchery { 1966*e7be843bSPierre Pronchery static const char *keytypes[] = { "RSA", NULL }; 1967*e7be843bSPierre Pronchery 1968*e7be843bSPierre Pronchery return keytypes; 1969*e7be843bSPierre Pronchery } 1970*e7be843bSPierre Pronchery 1971*e7be843bSPierre Pronchery static const OSSL_PARAM settable_sigalg_ctx_params[] = { 1972*e7be843bSPierre Pronchery OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0), 1973*e7be843bSPierre Pronchery OSSL_PARAM_END 1974*e7be843bSPierre Pronchery }; 1975*e7be843bSPierre Pronchery 1976*e7be843bSPierre Pronchery static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx, 1977*e7be843bSPierre Pronchery ossl_unused void *provctx) 1978*e7be843bSPierre Pronchery { 1979*e7be843bSPierre Pronchery PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1980*e7be843bSPierre Pronchery 1981*e7be843bSPierre Pronchery if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG) 1982*e7be843bSPierre Pronchery return settable_sigalg_ctx_params; 1983*e7be843bSPierre Pronchery return NULL; 1984*e7be843bSPierre Pronchery } 1985*e7be843bSPierre Pronchery 1986*e7be843bSPierre Pronchery static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) 1987*e7be843bSPierre Pronchery { 1988*e7be843bSPierre Pronchery PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1989*e7be843bSPierre Pronchery const OSSL_PARAM *p; 1990*e7be843bSPierre Pronchery 
1991*e7be843bSPierre Pronchery if (prsactx == NULL) 1992*e7be843bSPierre Pronchery return 0; 1993*e7be843bSPierre Pronchery if (ossl_param_is_empty(params)) 1994*e7be843bSPierre Pronchery return 1; 1995*e7be843bSPierre Pronchery 1996*e7be843bSPierre Pronchery if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) { 1997*e7be843bSPierre Pronchery p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE); 1998*e7be843bSPierre Pronchery if (p != NULL) { 1999*e7be843bSPierre Pronchery OPENSSL_free(prsactx->sig); 2000*e7be843bSPierre Pronchery prsactx->sig = NULL; 2001*e7be843bSPierre Pronchery prsactx->siglen = 0; 2002*e7be843bSPierre Pronchery if (!OSSL_PARAM_get_octet_string(p, (void **)&prsactx->sig, 2003*e7be843bSPierre Pronchery 0, &prsactx->siglen)) 2004*e7be843bSPierre Pronchery return 0; 2005*e7be843bSPierre Pronchery } 2006*e7be843bSPierre Pronchery } 2007*e7be843bSPierre Pronchery return 1; 2008*e7be843bSPierre Pronchery } 2009*e7be843bSPierre Pronchery 2010*e7be843bSPierre Pronchery #define IMPL_RSA_SIGALG(md, MD) \ 2011*e7be843bSPierre Pronchery static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \ 2012*e7be843bSPierre Pronchery static OSSL_FUNC_signature_sign_message_init_fn \ 2013*e7be843bSPierre Pronchery rsa_##md##_sign_message_init; \ 2014*e7be843bSPierre Pronchery static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \ 2015*e7be843bSPierre Pronchery static OSSL_FUNC_signature_verify_message_init_fn \ 2016*e7be843bSPierre Pronchery rsa_##md##_verify_message_init; \ 2017*e7be843bSPierre Pronchery \ 2018*e7be843bSPierre Pronchery static int \ 2019*e7be843bSPierre Pronchery rsa_##md##_sign_init(void *vprsactx, void *vrsa, \ 2020*e7be843bSPierre Pronchery const OSSL_PARAM params[]) \ 2021*e7be843bSPierre Pronchery { \ 2022*e7be843bSPierre Pronchery static const char desc[] = "RSA Sigalg Sign Init"; \ 2023*e7be843bSPierre Pronchery \ 2024*e7be843bSPierre Pronchery return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 
2025*e7be843bSPierre Pronchery rsa_sigalg_set_ctx_params, \ 2026*e7be843bSPierre Pronchery params, #MD, \ 2027*e7be843bSPierre Pronchery EVP_PKEY_OP_SIGN, \ 2028*e7be843bSPierre Pronchery RSA_PKCS1_PADDING, \ 2029*e7be843bSPierre Pronchery desc); \ 2030*e7be843bSPierre Pronchery } \ 2031*e7be843bSPierre Pronchery \ 2032*e7be843bSPierre Pronchery static int \ 2033*e7be843bSPierre Pronchery rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \ 2034*e7be843bSPierre Pronchery const OSSL_PARAM params[]) \ 2035*e7be843bSPierre Pronchery { \ 2036*e7be843bSPierre Pronchery static const char desc[] = "RSA Sigalg Sign Message Init"; \ 2037*e7be843bSPierre Pronchery \ 2038*e7be843bSPierre Pronchery return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2039*e7be843bSPierre Pronchery rsa_sigalg_set_ctx_params, \ 2040*e7be843bSPierre Pronchery params, #MD, \ 2041*e7be843bSPierre Pronchery EVP_PKEY_OP_SIGNMSG, \ 2042*e7be843bSPierre Pronchery RSA_PKCS1_PADDING, \ 2043*e7be843bSPierre Pronchery desc); \ 2044*e7be843bSPierre Pronchery } \ 2045*e7be843bSPierre Pronchery \ 2046*e7be843bSPierre Pronchery static int \ 2047*e7be843bSPierre Pronchery rsa_##md##_verify_init(void *vprsactx, void *vrsa, \ 2048*e7be843bSPierre Pronchery const OSSL_PARAM params[]) \ 2049*e7be843bSPierre Pronchery { \ 2050*e7be843bSPierre Pronchery static const char desc[] = "RSA Sigalg Verify Init"; \ 2051*e7be843bSPierre Pronchery \ 2052*e7be843bSPierre Pronchery return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2053*e7be843bSPierre Pronchery rsa_sigalg_set_ctx_params, \ 2054*e7be843bSPierre Pronchery params, #MD, \ 2055*e7be843bSPierre Pronchery EVP_PKEY_OP_VERIFY, \ 2056*e7be843bSPierre Pronchery RSA_PKCS1_PADDING, \ 2057*e7be843bSPierre Pronchery desc); \ 2058*e7be843bSPierre Pronchery } \ 2059*e7be843bSPierre Pronchery \ 2060*e7be843bSPierre Pronchery static int \ 2061*e7be843bSPierre Pronchery rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \ 2062*e7be843bSPierre Pronchery const 
OSSL_PARAM params[]) \ 2063*e7be843bSPierre Pronchery { \ 2064*e7be843bSPierre Pronchery static const char desc[] = "RSA Sigalg Verify Recover Init"; \ 2065*e7be843bSPierre Pronchery \ 2066*e7be843bSPierre Pronchery return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2067*e7be843bSPierre Pronchery rsa_sigalg_set_ctx_params, \ 2068*e7be843bSPierre Pronchery params, #MD, \ 2069*e7be843bSPierre Pronchery EVP_PKEY_OP_VERIFYRECOVER, \ 2070*e7be843bSPierre Pronchery RSA_PKCS1_PADDING, \ 2071*e7be843bSPierre Pronchery desc); \ 2072*e7be843bSPierre Pronchery } \ 2073*e7be843bSPierre Pronchery \ 2074*e7be843bSPierre Pronchery static int \ 2075*e7be843bSPierre Pronchery rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \ 2076*e7be843bSPierre Pronchery const OSSL_PARAM params[]) \ 2077*e7be843bSPierre Pronchery { \ 2078*e7be843bSPierre Pronchery static const char desc[] = "RSA Sigalg Verify Message Init"; \ 2079*e7be843bSPierre Pronchery \ 2080*e7be843bSPierre Pronchery return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2081*e7be843bSPierre Pronchery rsa_sigalg_set_ctx_params, \ 2082*e7be843bSPierre Pronchery params, #MD, \ 2083*e7be843bSPierre Pronchery EVP_PKEY_OP_VERIFYMSG, \ 2084*e7be843bSPierre Pronchery RSA_PKCS1_PADDING, \ 2085*e7be843bSPierre Pronchery desc); \ 2086*e7be843bSPierre Pronchery } \ 2087*e7be843bSPierre Pronchery \ 2088*e7be843bSPierre Pronchery const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \ 2089*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \ 2090*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_SIGN_INIT, \ 2091*e7be843bSPierre Pronchery (void (*)(void))rsa_##md##_sign_init }, \ 2092*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \ 2093*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \ 2094*e7be843bSPierre Pronchery (void (*)(void))rsa_##md##_sign_message_init }, \ 2095*e7be843bSPierre Pronchery { 
OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \ 2096*e7be843bSPierre Pronchery (void (*)(void))rsa_signverify_message_update }, \ 2097*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \ 2098*e7be843bSPierre Pronchery (void (*)(void))rsa_sign_message_final }, \ 2099*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \ 2100*e7be843bSPierre Pronchery (void (*)(void))rsa_##md##_verify_init }, \ 2101*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_VERIFY, \ 2102*e7be843bSPierre Pronchery (void (*)(void))rsa_verify }, \ 2103*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \ 2104*e7be843bSPierre Pronchery (void (*)(void))rsa_##md##_verify_message_init }, \ 2105*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \ 2106*e7be843bSPierre Pronchery (void (*)(void))rsa_signverify_message_update }, \ 2107*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \ 2108*e7be843bSPierre Pronchery (void (*)(void))rsa_verify_message_final }, \ 2109*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \ 2110*e7be843bSPierre Pronchery (void (*)(void))rsa_##md##_verify_recover_init }, \ 2111*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \ 2112*e7be843bSPierre Pronchery (void (*)(void))rsa_verify_recover }, \ 2113*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \ 2114*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \ 2115*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \ 2116*e7be843bSPierre Pronchery (void (*)(void))rsa_sigalg_query_key_types }, \ 2117*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \ 2118*e7be843bSPierre Pronchery (void (*)(void))rsa_get_ctx_params }, \ 2119*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \ 2120*e7be843bSPierre Pronchery (void (*)(void))rsa_gettable_ctx_params }, \ 2121*e7be843bSPierre Pronchery { 
OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \ 2122*e7be843bSPierre Pronchery (void (*)(void))rsa_sigalg_set_ctx_params }, \ 2123*e7be843bSPierre Pronchery { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \ 2124*e7be843bSPierre Pronchery (void (*)(void))rsa_sigalg_settable_ctx_params }, \ 2125*e7be843bSPierre Pronchery OSSL_DISPATCH_END \ 2126*e7be843bSPierre Pronchery } 2127*e7be843bSPierre Pronchery 2128*e7be843bSPierre Pronchery #if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE) 2129*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(ripemd160, RIPEMD160); 2130*e7be843bSPierre Pronchery #endif 2131*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha1, SHA1); 2132*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha224, SHA2-224); 2133*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha256, SHA2-256); 2134*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha384, SHA2-384); 2135*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha512, SHA2-512); 2136*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha512_224, SHA2-512/224); 2137*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha512_256, SHA2-512/256); 2138*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha3_224, SHA3-224); 2139*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha3_256, SHA3-256); 2140*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha3_384, SHA3-384); 2141*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sha3_512, SHA3-512); 2142*e7be843bSPierre Pronchery #if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE) 2143*e7be843bSPierre Pronchery IMPL_RSA_SIGALG(sm3, SM3); 2144*e7be843bSPierre Pronchery #endif 2145