1 /* 2 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <string.h> 17 #include <openssl/crypto.h> 18 #include <openssl/core_dispatch.h> 19 #include <openssl/core_names.h> 20 #include <openssl/err.h> 21 #include <openssl/rsa.h> 22 #include <openssl/params.h> 23 #include <openssl/evp.h> 24 #include <openssl/proverr.h> 25 #include "internal/cryptlib.h" 26 #include "internal/nelem.h" 27 #include "internal/sizes.h" 28 #include "crypto/rsa.h" 29 #include "prov/providercommon.h" 30 #include "prov/implementations.h" 31 #include "prov/provider_ctx.h" 32 #include "prov/der_rsa.h" 33 #include "prov/securitycheck.h" 34 35 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 36 37 static OSSL_FUNC_signature_newctx_fn rsa_newctx; 38 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; 39 static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; 40 static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; 41 static OSSL_FUNC_signature_sign_fn rsa_sign; 42 static OSSL_FUNC_signature_verify_fn rsa_verify; 43 static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover; 44 static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init; 45 static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_signverify_update; 46 static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; 47 static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; 48 static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; 49 static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; 50 static OSSL_FUNC_signature_freectx_fn rsa_freectx; 51 static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; 52 static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; 53 static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; 54 static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params; 55 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params; 56 static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params; 57 static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params; 58 static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params; 59 static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params; 60 61 static OSSL_ITEM padding_item[] = { 62 { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 }, 63 { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE }, 64 { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 }, 65 { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS }, 66 { 0, NULL } 67 }; 68 69 /* 70 * What's passed as an actual key is defined by the KEYMGMT interface. 71 * We happen to know that our KEYMGMT simply passes RSA structures, so 72 * we use that here too. 73 */ 74 75 typedef struct { 76 OSSL_LIB_CTX *libctx; 77 char *propq; 78 RSA *rsa; 79 int operation; 80 81 /* 82 * Flag to determine if the hash function can be changed (1) or not (0) 83 * Because it's dangerous to change during a DigestSign or DigestVerify 84 * operation, this flag is cleared by their Init function, and set again 85 * by their Final function. 86 */ 87 unsigned int flag_allow_md : 1; 88 unsigned int mgf1_md_set : 1; 89 90 /* main digest */ 91 EVP_MD *md; 92 EVP_MD_CTX *mdctx; 93 int mdnid; 94 char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ 95 96 /* RSA padding mode */ 97 int pad_mode; 98 /* message digest for MGF1 */ 99 EVP_MD *mgf1_md; 100 int mgf1_mdnid; 101 char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ 102 /* PSS salt length */ 103 int saltlen; 104 /* Minimum salt length or -1 if no PSS parameter restriction */ 105 int min_saltlen; 106 107 /* Temp buffer */ 108 unsigned char *tbuf; 109 110 } PROV_RSA_CTX; 111 112 /* True if PSS parameters are restricted */ 113 #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) 114 115 static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx) 116 { 117 if (prsactx->md != NULL) 118 return EVP_MD_get_size(prsactx->md); 119 return 0; 120 } 121 122 static int rsa_check_padding(const PROV_RSA_CTX *prsactx, 123 const char *mdname, const char *mgf1_mdname, 124 int mdnid) 125 { 126 switch(prsactx->pad_mode) { 127 case RSA_NO_PADDING: 128 if (mdname != NULL || mdnid != NID_undef) { 129 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); 130 return 0; 131 } 132 break; 133 case RSA_X931_PADDING: 134 if (RSA_X931_hash_id(mdnid) == -1) { 135 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); 136 return 0; 137 } 138 break; 139 case RSA_PKCS1_PSS_PADDING: 140 if (rsa_pss_restricted(prsactx)) 141 if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname)) 142 || (mgf1_mdname != NULL 143 && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) { 144 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); 145 return 0; 146 } 147 break; 148 default: 149 break; 150 } 151 152 return 1; 153 } 154 155 static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) 156 { 157 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { 158 int max_saltlen; 159 160 /* See if minimum salt length exceeds maximum possible */ 161 max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md); 162 if ((RSA_bits(prsactx->rsa) & 0x7) == 1) 163 max_saltlen--; 164 if (min_saltlen < 0 || min_saltlen > max_saltlen) { 165 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 166 return 0; 167 } 168 prsactx->min_saltlen = min_saltlen; 169 } 170 return 1; 171 } 172 173 static void *rsa_newctx(void *provctx, const char *propq) 174 { 175 PROV_RSA_CTX *prsactx = NULL; 176 char *propq_copy = NULL; 177 178 if (!ossl_prov_is_running()) 179 return NULL; 180 181 if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL 182 || (propq != NULL 183 && (propq_copy = OPENSSL_strdup(propq)) == NULL)) { 184 OPENSSL_free(prsactx); 185 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 186 return NULL; 187 } 188 189 prsactx->libctx = PROV_LIBCTX_OF(provctx); 190 prsactx->flag_allow_md = 1; 191 prsactx->propq = propq_copy; 192 /* Maximum for sign, auto for verify */ 193 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; 194 prsactx->min_saltlen = -1; 195 return prsactx; 196 } 197 198 static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) 199 { 200 int saltlen = ctx->saltlen; 201 202 if (saltlen == RSA_PSS_SALTLEN_DIGEST) { 203 saltlen = EVP_MD_get_size(ctx->md); 204 } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) { 205 saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2; 206 if ((RSA_bits(ctx->rsa) & 0x7) == 1) 207 saltlen--; 208 } 209 if (saltlen < 0) { 210 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 211 return -1; 212 } else if (saltlen < ctx->min_saltlen) { 213 ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, 214 "minimum salt length: %d, actual salt length: %d", 215 ctx->min_saltlen, saltlen); 216 return -1; 217 } 218 return saltlen; 219 } 220 221 static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, 222 unsigned char *aid_buf, 223 size_t buf_len, 224 size_t *aid_len) 225 { 226 WPACKET pkt; 227 unsigned char *aid = NULL; 228 int saltlen; 229 RSA_PSS_PARAMS_30 pss_params; 230 int ret; 231 232 if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { 233 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 234 return NULL; 235 } 236 237 switch(ctx->pad_mode) { 238 case RSA_PKCS1_PADDING: 239 ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, 240 ctx->mdnid); 241 242 if (ret > 0) { 243 break; 244 } else if (ret == 0) { 245 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 246 goto cleanup; 247 } 248 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 249 "Algorithm ID generation - md NID: %d", 250 ctx->mdnid); 251 goto cleanup; 252 case RSA_PKCS1_PSS_PADDING: 253 saltlen = rsa_pss_compute_saltlen(ctx); 254 if (saltlen < 0) 255 goto cleanup; 256 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) 257 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) 258 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, 259 ctx->mgf1_mdnid) 260 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) 261 || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, 262 RSA_FLAG_TYPE_RSASSAPSS, 263 &pss_params)) { 264 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 265 goto cleanup; 266 } 267 break; 268 default: 269 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 270 "Algorithm ID generation - pad mode: %d", 271 ctx->pad_mode); 272 goto cleanup; 273 } 274 if (WPACKET_finish(&pkt)) { 275 WPACKET_get_total_written(&pkt, aid_len); 276 aid = WPACKET_get_curr(&pkt); 277 } 278 cleanup: 279 WPACKET_cleanup(&pkt); 280 return aid; 281 } 282 283 static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, 284 const char *mdprops) 285 { 286 if (mdprops == NULL) 287 mdprops = ctx->propq; 288 289 if (mdname != NULL) { 290 EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); 291 int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); 292 int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 293 sha1_allowed); 294 size_t mdname_len = strlen(mdname); 295 296 if (md == NULL 297 || md_nid <= 0 298 || !rsa_check_padding(ctx, mdname, NULL, md_nid) 299 || mdname_len >= sizeof(ctx->mdname)) { 300 if (md == NULL) 301 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 302 "%s could not be fetched", mdname); 303 if (md_nid <= 0) 304 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 305 "digest=%s", mdname); 306 if (mdname_len >= sizeof(ctx->mdname)) 307 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 308 "%s exceeds name buffer length", mdname); 309 EVP_MD_free(md); 310 return 0; 311 } 312 313 if (!ctx->flag_allow_md) { 314 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { 315 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 316 "digest %s != %s", mdname, ctx->mdname); 317 EVP_MD_free(md); 318 return 0; 319 } 320 EVP_MD_free(md); 321 return 1; 322 } 323 324 if (!ctx->mgf1_md_set) { 325 if (!EVP_MD_up_ref(md)) { 326 EVP_MD_free(md); 327 return 0; 328 } 329 EVP_MD_free(ctx->mgf1_md); 330 ctx->mgf1_md = md; 331 ctx->mgf1_mdnid = md_nid; 332 OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 333 } 334 335 EVP_MD_CTX_free(ctx->mdctx); 336 EVP_MD_free(ctx->md); 337 338 ctx->mdctx = NULL; 339 ctx->md = md; 340 ctx->mdnid = md_nid; 341 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); 342 } 343 344 return 1; 345 } 346 347 static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, 348 const char *mdprops) 349 { 350 size_t len; 351 EVP_MD *md = NULL; 352 int mdnid; 353 354 if (mdprops == NULL) 355 mdprops = ctx->propq; 356 357 if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { 358 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 359 "%s could not be fetched", mdname); 360 return 0; 361 } 362 /* The default for mgf1 is SHA1 - so allow SHA1 */ 363 if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) <= 0 364 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { 365 if (mdnid <= 0) 366 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 367 "digest=%s", mdname); 368 EVP_MD_free(md); 369 return 0; 370 } 371 len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 372 if (len >= sizeof(ctx->mgf1_mdname)) { 373 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 374 "%s exceeds name buffer length", mdname); 375 EVP_MD_free(md); 376 return 0; 377 } 378 379 EVP_MD_free(ctx->mgf1_md); 380 ctx->mgf1_md = md; 381 ctx->mgf1_mdnid = mdnid; 382 ctx->mgf1_md_set = 1; 383 return 1; 384 } 385 386 static int rsa_signverify_init(void *vprsactx, void *vrsa, 387 const OSSL_PARAM params[], int operation) 388 { 389 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 390 391 if (!ossl_prov_is_running() || prsactx == NULL) 392 return 0; 393 394 if (vrsa == NULL && prsactx->rsa == NULL) { 395 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); 396 return 0; 397 } 398 399 if (vrsa != NULL) { 400 if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) 401 return 0; 402 403 if (!RSA_up_ref(vrsa)) 404 return 0; 405 RSA_free(prsactx->rsa); 406 prsactx->rsa = vrsa; 407 } 408 409 prsactx->operation = operation; 410 411 /* Maximum for sign, auto for verify */ 412 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; 413 prsactx->min_saltlen = -1; 414 415 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { 416 case RSA_FLAG_TYPE_RSA: 417 prsactx->pad_mode = RSA_PKCS1_PADDING; 418 break; 419 case RSA_FLAG_TYPE_RSASSAPSS: 420 prsactx->pad_mode = RSA_PKCS1_PSS_PADDING; 421 422 { 423 const RSA_PSS_PARAMS_30 *pss = 424 ossl_rsa_get0_pss_params_30(prsactx->rsa); 425 426 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { 427 int md_nid = ossl_rsa_pss_params_30_hashalg(pss); 428 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); 429 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss); 430 const char *mdname, *mgf1mdname; 431 size_t len; 432 433 mdname = ossl_rsa_oaeppss_nid2name(md_nid); 434 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); 435 436 if (mdname == NULL) { 437 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 438 "PSS restrictions lack hash algorithm"); 439 return 0; 440 } 441 if (mgf1mdname == NULL) { 442 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 443 "PSS restrictions lack MGF1 hash algorithm"); 444 return 0; 445 } 446 447 len = OPENSSL_strlcpy(prsactx->mdname, mdname, 448 sizeof(prsactx->mdname)); 449 if (len >= sizeof(prsactx->mdname)) { 450 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 451 "hash algorithm name too long"); 452 return 0; 453 } 454 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, 455 sizeof(prsactx->mgf1_mdname)); 456 if (len >= sizeof(prsactx->mgf1_mdname)) { 457 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 458 "MGF1 hash algorithm name too long"); 459 return 0; 460 } 461 prsactx->saltlen = min_saltlen; 462 463 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ 464 if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) 465 || !rsa_setup_md(prsactx, mdname, prsactx->propq) 466 || !rsa_check_parameters(prsactx, min_saltlen)) 467 return 0; 468 } 469 } 470 471 break; 472 default: 473 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 474 return 0; 475 } 476 477 if (!rsa_set_ctx_params(prsactx, params)) 478 return 0; 479 480 return 1; 481 } 482 483 static int setup_tbuf(PROV_RSA_CTX *ctx) 484 { 485 if (ctx->tbuf != NULL) 486 return 1; 487 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) { 488 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 489 return 0; 490 } 491 return 1; 492 } 493 494 static void clean_tbuf(PROV_RSA_CTX *ctx) 495 { 496 if (ctx->tbuf != NULL) 497 OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa)); 498 } 499 500 static void free_tbuf(PROV_RSA_CTX *ctx) 501 { 502 clean_tbuf(ctx); 503 OPENSSL_free(ctx->tbuf); 504 ctx->tbuf = NULL; 505 } 506 507 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[]) 508 { 509 if (!ossl_prov_is_running()) 510 return 0; 511 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_SIGN); 512 } 513 514 static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, 515 size_t sigsize, const unsigned char *tbs, size_t tbslen) 516 { 517 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 518 int ret; 519 size_t rsasize = RSA_size(prsactx->rsa); 520 size_t mdsize = rsa_get_md_size(prsactx); 521 522 if (!ossl_prov_is_running()) 523 return 0; 524 525 if (sig == NULL) { 526 *siglen = rsasize; 527 return 1; 528 } 529 530 if (sigsize < rsasize) { 531 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, 532 "is %zu, should be at least %zu", sigsize, rsasize); 533 return 0; 534 } 535 536 if (mdsize != 0) { 537 if (tbslen != mdsize) { 538 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); 539 return 0; 540 } 541 542 #ifndef FIPS_MODULE 543 if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) { 544 unsigned int sltmp; 545 546 if (prsactx->pad_mode != RSA_PKCS1_PADDING) { 547 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 548 "only PKCS#1 padding supported with MDC2"); 549 return 0; 550 } 551 ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, 552 prsactx->rsa); 553 554 if (ret <= 0) { 555 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 556 return 0; 557 } 558 ret = sltmp; 559 goto end; 560 } 561 #endif 562 switch (prsactx->pad_mode) { 563 case RSA_X931_PADDING: 564 if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) { 565 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL, 566 "RSA key size = %d, expected minimum = %d", 567 RSA_size(prsactx->rsa), tbslen + 1); 568 return 0; 569 } 570 if (!setup_tbuf(prsactx)) { 571 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 572 return 0; 573 } 574 memcpy(prsactx->tbuf, tbs, tbslen); 575 prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid); 576 ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf, 577 sig, prsactx->rsa, RSA_X931_PADDING); 578 clean_tbuf(prsactx); 579 break; 580 581 case RSA_PKCS1_PADDING: 582 { 583 unsigned int sltmp; 584 585 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp, 586 prsactx->rsa); 587 if (ret <= 0) { 588 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 589 return 0; 590 } 591 ret = sltmp; 592 } 593 break; 594 595 case RSA_PKCS1_PSS_PADDING: 596 /* Check PSS restrictions */ 597 if (rsa_pss_restricted(prsactx)) { 598 switch (prsactx->saltlen) { 599 case RSA_PSS_SALTLEN_DIGEST: 600 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { 601 ERR_raise_data(ERR_LIB_PROV, 602 PROV_R_PSS_SALTLEN_TOO_SMALL, 603 "minimum salt length set to %d, " 604 "but the digest only gives %d", 605 prsactx->min_saltlen, 606 EVP_MD_get_size(prsactx->md)); 607 return 0; 608 } 609 /* FALLTHRU */ 610 default: 611 if (prsactx->saltlen >= 0 612 && prsactx->saltlen < prsactx->min_saltlen) { 613 ERR_raise_data(ERR_LIB_PROV, 614 PROV_R_PSS_SALTLEN_TOO_SMALL, 615 "minimum salt length set to %d, but the" 616 "actual salt length is only set to %d", 617 prsactx->min_saltlen, 618 prsactx->saltlen); 619 return 0; 620 } 621 break; 622 } 623 } 624 if (!setup_tbuf(prsactx)) 625 return 0; 626 if (!RSA_padding_add_PKCS1_PSS_mgf1(prsactx->rsa, 627 prsactx->tbuf, tbs, 628 prsactx->md, prsactx->mgf1_md, 629 prsactx->saltlen)) { 630 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 631 return 0; 632 } 633 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf, 634 sig, prsactx->rsa, RSA_NO_PADDING); 635 clean_tbuf(prsactx); 636 break; 637 638 default: 639 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 640 "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); 641 return 0; 642 } 643 } else { 644 ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa, 645 prsactx->pad_mode); 646 } 647 648 #ifndef FIPS_MODULE 649 end: 650 #endif 651 if (ret <= 0) { 652 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 653 return 0; 654 } 655 656 *siglen = ret; 657 return 1; 658 } 659 660 static int rsa_verify_recover_init(void *vprsactx, void *vrsa, 661 const OSSL_PARAM params[]) 662 { 663 if (!ossl_prov_is_running()) 664 return 0; 665 return rsa_signverify_init(vprsactx, vrsa, params, 666 EVP_PKEY_OP_VERIFYRECOVER); 667 } 668 669 static int rsa_verify_recover(void *vprsactx, 670 unsigned char *rout, 671 size_t *routlen, 672 size_t routsize, 673 const unsigned char *sig, 674 size_t siglen) 675 { 676 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 677 int ret; 678 679 if (!ossl_prov_is_running()) 680 return 0; 681 682 if (rout == NULL) { 683 *routlen = RSA_size(prsactx->rsa); 684 return 1; 685 } 686 687 if (prsactx->md != NULL) { 688 switch (prsactx->pad_mode) { 689 case RSA_X931_PADDING: 690 if (!setup_tbuf(prsactx)) 691 return 0; 692 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, 693 RSA_X931_PADDING); 694 if (ret < 1) { 695 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 696 return 0; 697 } 698 ret--; 699 if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) { 700 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH); 701 return 0; 702 } 703 if (ret != EVP_MD_get_size(prsactx->md)) { 704 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, 705 "Should be %d, but got %d", 706 EVP_MD_get_size(prsactx->md), ret); 707 return 0; 708 } 709 710 *routlen = ret; 711 if (rout != prsactx->tbuf) { 712 if (routsize < (size_t)ret) { 713 ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, 714 "buffer size is %d, should be %d", 715 routsize, ret); 716 return 0; 717 } 718 memcpy(rout, prsactx->tbuf, ret); 719 } 720 break; 721 722 case RSA_PKCS1_PADDING: 723 { 724 size_t sltmp; 725 726 ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp, 727 sig, siglen, prsactx->rsa); 728 if (ret <= 0) { 729 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 730 return 0; 731 } 732 ret = sltmp; 733 } 734 break; 735 736 default: 737 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 738 "Only X.931 or PKCS#1 v1.5 padding allowed"); 739 return 0; 740 } 741 } else { 742 ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa, 743 prsactx->pad_mode); 744 if (ret < 0) { 745 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 746 return 0; 747 } 748 } 749 *routlen = ret; 750 return 1; 751 } 752 753 static int rsa_verify_init(void *vprsactx, void *vrsa, 754 const OSSL_PARAM params[]) 755 { 756 if (!ossl_prov_is_running()) 757 return 0; 758 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_VERIFY); 759 } 760 761 static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, 762 const unsigned char *tbs, size_t tbslen) 763 { 764 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 765 size_t rslen; 766 767 if (!ossl_prov_is_running()) 768 return 0; 769 if (prsactx->md != NULL) { 770 switch (prsactx->pad_mode) { 771 case RSA_PKCS1_PADDING: 772 if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen, 773 prsactx->rsa)) { 774 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 775 return 0; 776 } 777 return 1; 778 case RSA_X931_PADDING: 779 if (!setup_tbuf(prsactx)) 780 return 0; 781 if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0, 782 sig, siglen) <= 0) 783 return 0; 784 break; 785 case RSA_PKCS1_PSS_PADDING: 786 { 787 int ret; 788 size_t mdsize; 789 790 /* 791 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1() 792 * call 793 */ 794 mdsize = rsa_get_md_size(prsactx); 795 if (tbslen != mdsize) { 796 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, 797 "Should be %d, but got %d", 798 mdsize, tbslen); 799 return 0; 800 } 801 802 if (!setup_tbuf(prsactx)) 803 return 0; 804 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, 805 prsactx->rsa, RSA_NO_PADDING); 806 if (ret <= 0) { 807 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 808 return 0; 809 } 810 ret = RSA_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs, 811 prsactx->md, prsactx->mgf1_md, 812 prsactx->tbuf, 813 prsactx->saltlen); 814 if (ret <= 0) { 815 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 816 return 0; 817 } 818 return 1; 819 } 820 default: 821 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 822 "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); 823 return 0; 824 } 825 } else { 826 int ret; 827 828 if (!setup_tbuf(prsactx)) 829 return 0; 830 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, 831 prsactx->pad_mode); 832 if (ret <= 0) { 833 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 834 return 0; 835 } 836 rslen = (size_t)ret; 837 } 838 839 if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) 840 return 0; 841 842 return 1; 843 } 844 845 static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, 846 void *vrsa, const OSSL_PARAM params[], 847 int operation) 848 { 849 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 850 851 if (!ossl_prov_is_running()) 852 return 0; 853 854 if (!rsa_signverify_init(vprsactx, vrsa, params, operation)) 855 return 0; 856 857 if (mdname != NULL 858 /* was rsa_setup_md already called in rsa_signverify_init()? */ 859 && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0) 860 && !rsa_setup_md(prsactx, mdname, prsactx->propq)) 861 return 0; 862 863 prsactx->flag_allow_md = 0; 864 865 if (prsactx->mdctx == NULL) { 866 prsactx->mdctx = EVP_MD_CTX_new(); 867 if (prsactx->mdctx == NULL) 868 goto error; 869 } 870 871 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) 872 goto error; 873 874 return 1; 875 876 error: 877 EVP_MD_CTX_free(prsactx->mdctx); 878 prsactx->mdctx = NULL; 879 return 0; 880 } 881 882 static int rsa_digest_signverify_update(void *vprsactx, 883 const unsigned char *data, 884 size_t datalen) 885 { 886 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 887 888 if (prsactx == NULL || prsactx->mdctx == NULL) 889 return 0; 890 891 return EVP_DigestUpdate(prsactx->mdctx, data, datalen); 892 } 893 894 static int rsa_digest_sign_init(void *vprsactx, const char *mdname, 895 void *vrsa, const OSSL_PARAM params[]) 896 { 897 if (!ossl_prov_is_running()) 898 return 0; 899 return rsa_digest_signverify_init(vprsactx, mdname, vrsa, 900 params, EVP_PKEY_OP_SIGN); 901 } 902 903 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig, 904 size_t *siglen, size_t sigsize) 905 { 906 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 907 unsigned char digest[EVP_MAX_MD_SIZE]; 908 unsigned int dlen = 0; 909 910 if (!ossl_prov_is_running() || prsactx == NULL) 911 return 0; 912 prsactx->flag_allow_md = 1; 913 if (prsactx->mdctx == NULL) 914 return 0; 915 /* 916 * If sig is NULL then we're just finding out the sig size. Other fields 917 * are ignored. Defer to rsa_sign. 918 */ 919 if (sig != NULL) { 920 /* 921 * The digests used here are all known (see rsa_get_md_nid()), so they 922 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. 923 */ 924 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) 925 return 0; 926 } 927 928 return rsa_sign(vprsactx, sig, siglen, sigsize, digest, (size_t)dlen); 929 } 930 931 static int rsa_digest_verify_init(void *vprsactx, const char *mdname, 932 void *vrsa, const OSSL_PARAM params[]) 933 { 934 if (!ossl_prov_is_running()) 935 return 0; 936 return rsa_digest_signverify_init(vprsactx, mdname, vrsa, 937 params, EVP_PKEY_OP_VERIFY); 938 } 939 940 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, 941 size_t siglen) 942 { 943 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 944 unsigned char digest[EVP_MAX_MD_SIZE]; 945 unsigned int dlen = 0; 946 947 if (!ossl_prov_is_running()) 948 return 0; 949 950 if (prsactx == NULL) 951 return 0; 952 prsactx->flag_allow_md = 1; 953 if (prsactx->mdctx == NULL) 954 return 0; 955 956 /* 957 * The digests used here are all known (see rsa_get_md_nid()), so they 958 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. 959 */ 960 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) 961 return 0; 962 963 return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); 964 } 965 966 static void rsa_freectx(void *vprsactx) 967 { 968 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 969 970 if (prsactx == NULL) 971 return; 972 973 EVP_MD_CTX_free(prsactx->mdctx); 974 EVP_MD_free(prsactx->md); 975 EVP_MD_free(prsactx->mgf1_md); 976 OPENSSL_free(prsactx->propq); 977 free_tbuf(prsactx); 978 RSA_free(prsactx->rsa); 979 980 OPENSSL_clear_free(prsactx, sizeof(*prsactx)); 981 } 982 983 static void *rsa_dupctx(void *vprsactx) 984 { 985 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; 986 PROV_RSA_CTX *dstctx; 987 988 if (!ossl_prov_is_running()) 989 return NULL; 990 991 dstctx = OPENSSL_zalloc(sizeof(*srcctx)); 992 if (dstctx == NULL) { 993 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 994 return NULL; 995 } 996 997 *dstctx = *srcctx; 998 dstctx->rsa = NULL; 999 dstctx->md = NULL; 1000 dstctx->mdctx = NULL; 1001 dstctx->tbuf = NULL; 1002 dstctx->propq = NULL; 1003 1004 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa)) 1005 goto err; 1006 dstctx->rsa = srcctx->rsa; 1007 1008 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md)) 1009 goto err; 1010 dstctx->md = srcctx->md; 1011 1012 if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md)) 1013 goto err; 1014 dstctx->mgf1_md = srcctx->mgf1_md; 1015 1016 if (srcctx->mdctx != NULL) { 1017 dstctx->mdctx = EVP_MD_CTX_new(); 1018 if (dstctx->mdctx == NULL 1019 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)) 1020 goto err; 1021 } 1022 1023 if (srcctx->propq != NULL) { 1024 dstctx->propq = OPENSSL_strdup(srcctx->propq); 1025 if (dstctx->propq == NULL) 1026 goto err; 1027 } 1028 1029 return dstctx; 1030 err: 1031 rsa_freectx(dstctx); 1032 return NULL; 1033 } 1034 1035 static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) 1036 { 1037 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1038 OSSL_PARAM *p; 1039 1040 if (prsactx == NULL) 1041 return 0; 1042 1043 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID); 1044 if (p != NULL) { 1045 /* The Algorithm Identifier of the combined signature algorithm */ 1046 unsigned char aid_buf[128]; 1047 unsigned char *aid; 1048 size_t aid_len; 1049 1050 aid = rsa_generate_signature_aid(prsactx, aid_buf, 1051 sizeof(aid_buf), &aid_len); 1052 if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len)) 1053 return 0; 1054 } 1055 1056 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE); 1057 if (p != NULL) 1058 switch (p->data_type) { 1059 case OSSL_PARAM_INTEGER: 1060 if (!OSSL_PARAM_set_int(p, prsactx->pad_mode)) 1061 return 0; 1062 break; 1063 case OSSL_PARAM_UTF8_STRING: 1064 { 1065 int i; 1066 const char *word = NULL; 1067 1068 for (i = 0; padding_item[i].id != 0; i++) { 1069 if (prsactx->pad_mode == (int)padding_item[i].id) { 1070 word = padding_item[i].ptr; 1071 break; 1072 } 1073 } 1074 1075 if (word != NULL) { 1076 if (!OSSL_PARAM_set_utf8_string(p, word)) 1077 return 0; 1078 } else { 1079 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 1080 } 1081 } 1082 break; 1083 default: 1084 return 0; 1085 } 1086 1087 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST); 1088 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname)) 1089 return 0; 1090 1091 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); 1092 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname)) 1093 return 0; 1094 1095 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); 1096 if (p != NULL) { 1097 if (p->data_type == OSSL_PARAM_INTEGER) { 1098 if (!OSSL_PARAM_set_int(p, prsactx->saltlen)) 1099 return 0; 1100 } else if (p->data_type == OSSL_PARAM_UTF8_STRING) { 1101 const char *value = NULL; 1102 1103 switch (prsactx->saltlen) { 1104 case RSA_PSS_SALTLEN_DIGEST: 1105 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST; 1106 break; 1107 case RSA_PSS_SALTLEN_MAX: 1108 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX; 1109 break; 1110 case RSA_PSS_SALTLEN_AUTO: 1111 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; 1112 break; 1113 default: 1114 { 1115 int len = BIO_snprintf(p->data, p->data_size, "%d", 1116 prsactx->saltlen); 1117 1118 if (len <= 0) 1119 return 0; 1120 p->return_size = len; 1121 break; 1122 } 1123 } 1124 if (value != NULL 1125 && !OSSL_PARAM_set_utf8_string(p, value)) 1126 return 0; 1127 } 1128 } 1129 1130 return 1; 1131 } 1132 1133 static const OSSL_PARAM known_gettable_ctx_params[] = { 1134 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), 1135 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1136 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 1137 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1138 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1139 OSSL_PARAM_END 1140 }; 1141 1142 static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, 1143 ossl_unused void *provctx) 1144 { 1145 return known_gettable_ctx_params; 1146 } 1147 1148 static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) 1149 { 1150 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1151 const OSSL_PARAM *p; 1152 int pad_mode; 1153 int saltlen; 1154 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; 1155 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; 1156 char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; 1157 char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL; 1158 1159 if (prsactx == NULL) 1160 return 0; 1161 if (params == NULL) 1162 return 1; 1163 1164 pad_mode = prsactx->pad_mode; 1165 saltlen = prsactx->saltlen; 1166 1167 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); 1168 if (p != NULL) { 1169 const OSSL_PARAM *propsp = 1170 OSSL_PARAM_locate_const(params, 1171 OSSL_SIGNATURE_PARAM_PROPERTIES); 1172 1173 pmdname = mdname; 1174 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname))) 1175 return 0; 1176 1177 if (propsp != NULL) { 1178 pmdprops = mdprops; 1179 if (!OSSL_PARAM_get_utf8_string(propsp, 1180 &pmdprops, sizeof(mdprops))) 1181 return 0; 1182 } 1183 } 1184 1185 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE); 1186 if (p != NULL) { 1187 const char *err_extra_text = NULL; 1188 1189 switch (p->data_type) { 1190 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ 1191 if (!OSSL_PARAM_get_int(p, &pad_mode)) 1192 return 0; 1193 break; 1194 case OSSL_PARAM_UTF8_STRING: 1195 { 1196 int i; 1197 1198 if (p->data == NULL) 1199 return 0; 1200 1201 for (i = 0; padding_item[i].id != 0; i++) { 1202 if (strcmp(p->data, padding_item[i].ptr) == 0) { 1203 pad_mode = padding_item[i].id; 1204 break; 1205 } 1206 } 1207 } 1208 break; 1209 default: 1210 return 0; 1211 } 1212 1213 switch (pad_mode) { 1214 case RSA_PKCS1_OAEP_PADDING: 1215 /* 1216 * OAEP padding is for asymmetric cipher only so is not compatible 1217 * with signature use. 1218 */ 1219 err_extra_text = "OAEP padding not allowed for signing / verifying"; 1220 goto bad_pad; 1221 case RSA_PKCS1_PSS_PADDING: 1222 if ((prsactx->operation 1223 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) == 0) { 1224 err_extra_text = 1225 "PSS padding only allowed for sign and verify operations"; 1226 goto bad_pad; 1227 } 1228 break; 1229 case RSA_PKCS1_PADDING: 1230 err_extra_text = "PKCS#1 padding not allowed with RSA-PSS"; 1231 goto cont; 1232 case RSA_NO_PADDING: 1233 err_extra_text = "No padding not allowed with RSA-PSS"; 1234 goto cont; 1235 case RSA_X931_PADDING: 1236 err_extra_text = "X.931 padding not allowed with RSA-PSS"; 1237 cont: 1238 if (RSA_test_flags(prsactx->rsa, 1239 RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) 1240 break; 1241 /* FALLTHRU */ 1242 default: 1243 bad_pad: 1244 if (err_extra_text == NULL) 1245 ERR_raise(ERR_LIB_PROV, 1246 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 1247 else 1248 ERR_raise_data(ERR_LIB_PROV, 1249 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE, 1250 err_extra_text); 1251 return 0; 1252 } 1253 } 1254 1255 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); 1256 if (p != NULL) { 1257 if (pad_mode != RSA_PKCS1_PSS_PADDING) { 1258 ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED, 1259 "PSS saltlen can only be specified if " 1260 "PSS padding has been specified first"); 1261 return 0; 1262 } 1263 1264 switch (p->data_type) { 1265 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ 1266 if (!OSSL_PARAM_get_int(p, &saltlen)) 1267 return 0; 1268 break; 1269 case OSSL_PARAM_UTF8_STRING: 1270 if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0) 1271 saltlen = RSA_PSS_SALTLEN_DIGEST; 1272 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0) 1273 saltlen = RSA_PSS_SALTLEN_MAX; 1274 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) 1275 saltlen = RSA_PSS_SALTLEN_AUTO; 1276 else 1277 saltlen = atoi(p->data); 1278 break; 1279 default: 1280 return 0; 1281 } 1282 1283 /* 1284 * RSA_PSS_SALTLEN_MAX seems curiously named in this check. 1285 * Contrary to what it's name suggests, it's the currently 1286 * lowest saltlen number possible. 1287 */ 1288 if (saltlen < RSA_PSS_SALTLEN_MAX) { 1289 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 1290 return 0; 1291 } 1292 1293 if (rsa_pss_restricted(prsactx)) { 1294 switch (saltlen) { 1295 case RSA_PSS_SALTLEN_AUTO: 1296 if (prsactx->operation == EVP_PKEY_OP_VERIFY) { 1297 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, 1298 "Cannot use autodetected salt length"); 1299 return 0; 1300 } 1301 break; 1302 case RSA_PSS_SALTLEN_DIGEST: 1303 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { 1304 ERR_raise_data(ERR_LIB_PROV, 1305 PROV_R_PSS_SALTLEN_TOO_SMALL, 1306 "Should be more than %d, but would be " 1307 "set to match digest size (%d)", 1308 prsactx->min_saltlen, 1309 EVP_MD_get_size(prsactx->md)); 1310 return 0; 1311 } 1312 break; 1313 default: 1314 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) { 1315 ERR_raise_data(ERR_LIB_PROV, 1316 PROV_R_PSS_SALTLEN_TOO_SMALL, 1317 "Should be more than %d, " 1318 "but would be set to %d", 1319 prsactx->min_saltlen, saltlen); 1320 return 0; 1321 } 1322 } 1323 } 1324 } 1325 1326 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); 1327 if (p != NULL) { 1328 const OSSL_PARAM *propsp = 1329 OSSL_PARAM_locate_const(params, 1330 OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES); 1331 1332 pmgf1mdname = mgf1mdname; 1333 if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname))) 1334 return 0; 1335 1336 if (propsp != NULL) { 1337 pmgf1mdprops = mgf1mdprops; 1338 if (!OSSL_PARAM_get_utf8_string(propsp, 1339 &pmgf1mdprops, sizeof(mgf1mdprops))) 1340 return 0; 1341 } 1342 1343 if (pad_mode != RSA_PKCS1_PSS_PADDING) { 1344 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD); 1345 return 0; 1346 } 1347 } 1348 1349 prsactx->saltlen = saltlen; 1350 prsactx->pad_mode = pad_mode; 1351 1352 if (prsactx->md == NULL && pmdname == NULL 1353 && pad_mode == RSA_PKCS1_PSS_PADDING) 1354 pmdname = RSA_DEFAULT_DIGEST_NAME; 1355 1356 if (pmgf1mdname != NULL 1357 && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) 1358 return 0; 1359 1360 if (pmdname != NULL) { 1361 if (!rsa_setup_md(prsactx, pmdname, pmdprops)) 1362 return 0; 1363 } else { 1364 if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid)) 1365 return 0; 1366 } 1367 return 1; 1368 } 1369 1370 static const OSSL_PARAM settable_ctx_params[] = { 1371 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 1372 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), 1373 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1374 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1375 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), 1376 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1377 OSSL_PARAM_END 1378 }; 1379 1380 static const OSSL_PARAM settable_ctx_params_no_digest[] = { 1381 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1382 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1383 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), 1384 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1385 OSSL_PARAM_END 1386 }; 1387 1388 static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx, 1389 ossl_unused void *provctx) 1390 { 1391 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1392 1393 if (prsactx != NULL && !prsactx->flag_allow_md) 1394 return settable_ctx_params_no_digest; 1395 return settable_ctx_params; 1396 } 1397 1398 static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params) 1399 { 1400 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1401 1402 if (prsactx->mdctx == NULL) 1403 return 0; 1404 1405 return EVP_MD_CTX_get_params(prsactx->mdctx, params); 1406 } 1407 1408 static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx) 1409 { 1410 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1411 1412 if (prsactx->md == NULL) 1413 return 0; 1414 1415 return EVP_MD_gettable_ctx_params(prsactx->md); 1416 } 1417 1418 static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[]) 1419 { 1420 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1421 1422 if (prsactx->mdctx == NULL) 1423 return 0; 1424 1425 return EVP_MD_CTX_set_params(prsactx->mdctx, params); 1426 } 1427 1428 static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) 1429 { 1430 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1431 1432 if (prsactx->md == NULL) 1433 return 0; 1434 1435 return EVP_MD_settable_ctx_params(prsactx->md); 1436 } 1437 1438 const OSSL_DISPATCH ossl_rsa_signature_functions[] = { 1439 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, 1440 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, 1441 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, 1442 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init }, 1443 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify }, 1444 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, 1445 (void (*)(void))rsa_verify_recover_init }, 1446 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, 1447 (void (*)(void))rsa_verify_recover }, 1448 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, 1449 (void (*)(void))rsa_digest_sign_init }, 1450 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, 1451 (void (*)(void))rsa_digest_signverify_update }, 1452 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, 1453 (void (*)(void))rsa_digest_sign_final }, 1454 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, 1455 (void (*)(void))rsa_digest_verify_init }, 1456 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, 1457 (void (*)(void))rsa_digest_signverify_update }, 1458 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, 1459 (void (*)(void))rsa_digest_verify_final }, 1460 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, 1461 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, 1462 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params }, 1463 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, 1464 (void (*)(void))rsa_gettable_ctx_params }, 1465 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params }, 1466 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, 1467 (void (*)(void))rsa_settable_ctx_params }, 1468 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, 1469 (void (*)(void))rsa_get_ctx_md_params }, 1470 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, 1471 (void (*)(void))rsa_gettable_ctx_md_params }, 1472 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, 1473 (void (*)(void))rsa_set_ctx_md_params }, 1474 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, 1475 (void (*)(void))rsa_settable_ctx_md_params }, 1476 { 0, NULL } 1477 }; 1478