1 /* 2 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <string.h> 17 #include <openssl/crypto.h> 18 #include <openssl/core_dispatch.h> 19 #include <openssl/core_names.h> 20 #include <openssl/err.h> 21 #include <openssl/rsa.h> 22 #include <openssl/params.h> 23 #include <openssl/evp.h> 24 #include <openssl/proverr.h> 25 #include "internal/cryptlib.h" 26 #include "internal/nelem.h" 27 #include "internal/sizes.h" 28 #include "crypto/rsa.h" 29 #include "prov/providercommon.h" 30 #include "prov/implementations.h" 31 #include "prov/provider_ctx.h" 32 #include "prov/der_rsa.h" 33 #include "prov/securitycheck.h" 34 35 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 36 37 static OSSL_FUNC_signature_newctx_fn rsa_newctx; 38 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; 39 static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; 40 static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; 41 static OSSL_FUNC_signature_sign_fn rsa_sign; 42 static OSSL_FUNC_signature_verify_fn rsa_verify; 43 static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover; 44 static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init; 45 static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_signverify_update; 46 static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; 47 static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; 48 static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; 49 static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; 50 static OSSL_FUNC_signature_freectx_fn rsa_freectx; 51 static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; 52 static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; 53 static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; 54 static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params; 55 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params; 56 static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params; 57 static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params; 58 static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params; 59 static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params; 60 61 static OSSL_ITEM padding_item[] = { 62 { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 }, 63 { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE }, 64 { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 }, 65 { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS }, 66 { 0, NULL } 67 }; 68 69 /* 70 * What's passed as an actual key is defined by the KEYMGMT interface. 71 * We happen to know that our KEYMGMT simply passes RSA structures, so 72 * we use that here too. 73 */ 74 75 typedef struct { 76 OSSL_LIB_CTX *libctx; 77 char *propq; 78 RSA *rsa; 79 int operation; 80 81 /* 82 * Flag to determine if the hash function can be changed (1) or not (0) 83 * Because it's dangerous to change during a DigestSign or DigestVerify 84 * operation, this flag is cleared by their Init function, and set again 85 * by their Final function. 86 */ 87 unsigned int flag_allow_md : 1; 88 unsigned int mgf1_md_set : 1; 89 90 /* main digest */ 91 EVP_MD *md; 92 EVP_MD_CTX *mdctx; 93 int mdnid; 94 char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ 95 96 /* RSA padding mode */ 97 int pad_mode; 98 /* message digest for MGF1 */ 99 EVP_MD *mgf1_md; 100 int mgf1_mdnid; 101 char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ 102 /* PSS salt length */ 103 int saltlen; 104 /* Minimum salt length or -1 if no PSS parameter restriction */ 105 int min_saltlen; 106 107 /* Temp buffer */ 108 unsigned char *tbuf; 109 110 } PROV_RSA_CTX; 111 112 /* True if PSS parameters are restricted */ 113 #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) 114 115 static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx) 116 { 117 if (prsactx->md != NULL) 118 return EVP_MD_get_size(prsactx->md); 119 return 0; 120 } 121 122 static int rsa_check_padding(const PROV_RSA_CTX *prsactx, 123 const char *mdname, const char *mgf1_mdname, 124 int mdnid) 125 { 126 switch(prsactx->pad_mode) { 127 case RSA_NO_PADDING: 128 if (mdname != NULL || mdnid != NID_undef) { 129 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); 130 return 0; 131 } 132 break; 133 case RSA_X931_PADDING: 134 if (RSA_X931_hash_id(mdnid) == -1) { 135 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); 136 return 0; 137 } 138 break; 139 case RSA_PKCS1_PSS_PADDING: 140 if (rsa_pss_restricted(prsactx)) 141 if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname)) 142 || (mgf1_mdname != NULL 143 && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) { 144 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); 145 return 0; 146 } 147 break; 148 default: 149 break; 150 } 151 152 return 1; 153 } 154 155 static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) 156 { 157 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { 158 int max_saltlen; 159 160 /* See if minimum salt length exceeds maximum possible */ 161 max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md); 162 if ((RSA_bits(prsactx->rsa) & 0x7) == 1) 163 max_saltlen--; 164 if (min_saltlen < 0 || min_saltlen > max_saltlen) { 165 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 166 return 0; 167 } 168 prsactx->min_saltlen = min_saltlen; 169 } 170 return 1; 171 } 172 173 static void *rsa_newctx(void *provctx, const char *propq) 174 { 175 PROV_RSA_CTX *prsactx = NULL; 176 char *propq_copy = NULL; 177 178 if (!ossl_prov_is_running()) 179 return NULL; 180 181 if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL 182 || (propq != NULL 183 && (propq_copy = OPENSSL_strdup(propq)) == NULL)) { 184 OPENSSL_free(prsactx); 185 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 186 return NULL; 187 } 188 189 prsactx->libctx = PROV_LIBCTX_OF(provctx); 190 prsactx->flag_allow_md = 1; 191 prsactx->propq = propq_copy; 192 /* Maximum for sign, auto for verify */ 193 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; 194 prsactx->min_saltlen = -1; 195 return prsactx; 196 } 197 198 static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) 199 { 200 int saltlen = ctx->saltlen; 201 202 if (saltlen == RSA_PSS_SALTLEN_DIGEST) { 203 saltlen = EVP_MD_get_size(ctx->md); 204 } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) { 205 saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2; 206 if ((RSA_bits(ctx->rsa) & 0x7) == 1) 207 saltlen--; 208 } 209 if (saltlen < 0) { 210 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 211 return -1; 212 } else if (saltlen < ctx->min_saltlen) { 213 ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, 214 "minimum salt length: %d, actual salt length: %d", 215 ctx->min_saltlen, saltlen); 216 return -1; 217 } 218 return saltlen; 219 } 220 221 static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, 222 unsigned char *aid_buf, 223 size_t buf_len, 224 size_t *aid_len) 225 { 226 WPACKET pkt; 227 unsigned char *aid = NULL; 228 int saltlen; 229 RSA_PSS_PARAMS_30 pss_params; 230 int ret; 231 232 if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { 233 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 234 return NULL; 235 } 236 237 switch(ctx->pad_mode) { 238 case RSA_PKCS1_PADDING: 239 ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, 240 ctx->mdnid); 241 242 if (ret > 0) { 243 break; 244 } else if (ret == 0) { 245 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 246 goto cleanup; 247 } 248 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 249 "Algorithm ID generation - md NID: %d", 250 ctx->mdnid); 251 goto cleanup; 252 case RSA_PKCS1_PSS_PADDING: 253 saltlen = rsa_pss_compute_saltlen(ctx); 254 if (saltlen < 0) 255 goto cleanup; 256 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) 257 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) 258 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, 259 ctx->mgf1_mdnid) 260 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) 261 || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, 262 RSA_FLAG_TYPE_RSASSAPSS, 263 &pss_params)) { 264 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 265 goto cleanup; 266 } 267 break; 268 default: 269 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 270 "Algorithm ID generation - pad mode: %d", 271 ctx->pad_mode); 272 goto cleanup; 273 } 274 if (WPACKET_finish(&pkt)) { 275 WPACKET_get_total_written(&pkt, aid_len); 276 aid = WPACKET_get_curr(&pkt); 277 } 278 cleanup: 279 WPACKET_cleanup(&pkt); 280 return aid; 281 } 282 283 static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, 284 const char *mdprops) 285 { 286 if (mdprops == NULL) 287 mdprops = ctx->propq; 288 289 if (mdname != NULL) { 290 EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); 291 int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); 292 int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 293 sha1_allowed); 294 size_t mdname_len = strlen(mdname); 295 296 if (md == NULL 297 || md_nid <= 0 298 || !rsa_check_padding(ctx, mdname, NULL, md_nid) 299 || mdname_len >= sizeof(ctx->mdname)) { 300 if (md == NULL) 301 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 302 "%s could not be fetched", mdname); 303 if (md_nid <= 0) 304 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 305 "digest=%s", mdname); 306 if (mdname_len >= sizeof(ctx->mdname)) 307 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 308 "%s exceeds name buffer length", mdname); 309 EVP_MD_free(md); 310 return 0; 311 } 312 313 if (!ctx->flag_allow_md) { 314 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { 315 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 316 "digest %s != %s", mdname, ctx->mdname); 317 EVP_MD_free(md); 318 return 0; 319 } 320 EVP_MD_free(md); 321 return 1; 322 } 323 324 if (!ctx->mgf1_md_set) { 325 if (!EVP_MD_up_ref(md)) { 326 EVP_MD_free(md); 327 return 0; 328 } 329 EVP_MD_free(ctx->mgf1_md); 330 ctx->mgf1_md = md; 331 ctx->mgf1_mdnid = md_nid; 332 OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 333 } 334 335 EVP_MD_CTX_free(ctx->mdctx); 336 EVP_MD_free(ctx->md); 337 338 ctx->mdctx = NULL; 339 ctx->md = md; 340 ctx->mdnid = md_nid; 341 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); 342 } 343 344 return 1; 345 } 346 347 static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, 348 const char *mdprops) 349 { 350 size_t len; 351 EVP_MD *md = NULL; 352 int mdnid; 353 354 if (mdprops == NULL) 355 mdprops = ctx->propq; 356 357 if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { 358 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 359 "%s could not be fetched", mdname); 360 return 0; 361 } 362 /* The default for mgf1 is SHA1 - so allow SHA1 */ 363 if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) <= 0 364 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { 365 if (mdnid <= 0) 366 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 367 "digest=%s", mdname); 368 EVP_MD_free(md); 369 return 0; 370 } 371 len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 372 if (len >= sizeof(ctx->mgf1_mdname)) { 373 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 374 "%s exceeds name buffer length", mdname); 375 EVP_MD_free(md); 376 return 0; 377 } 378 379 EVP_MD_free(ctx->mgf1_md); 380 ctx->mgf1_md = md; 381 ctx->mgf1_mdnid = mdnid; 382 ctx->mgf1_md_set = 1; 383 return 1; 384 } 385 386 static int rsa_signverify_init(void *vprsactx, void *vrsa, 387 const OSSL_PARAM params[], int operation) 388 { 389 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 390 391 if (!ossl_prov_is_running() || prsactx == NULL) 392 return 0; 393 394 if (vrsa == NULL && prsactx->rsa == NULL) { 395 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); 396 return 0; 397 } 398 399 if (vrsa != NULL) { 400 if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) 401 return 0; 402 403 if (!RSA_up_ref(vrsa)) 404 return 0; 405 RSA_free(prsactx->rsa); 406 prsactx->rsa = vrsa; 407 } 408 409 prsactx->operation = operation; 410 411 /* Maximum for sign, auto for verify */ 412 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; 413 prsactx->min_saltlen = -1; 414 415 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { 416 case RSA_FLAG_TYPE_RSA: 417 prsactx->pad_mode = RSA_PKCS1_PADDING; 418 break; 419 case RSA_FLAG_TYPE_RSASSAPSS: 420 prsactx->pad_mode = RSA_PKCS1_PSS_PADDING; 421 422 { 423 const RSA_PSS_PARAMS_30 *pss = 424 ossl_rsa_get0_pss_params_30(prsactx->rsa); 425 426 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { 427 int md_nid = ossl_rsa_pss_params_30_hashalg(pss); 428 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); 429 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss); 430 const char *mdname, *mgf1mdname; 431 size_t len; 432 433 mdname = ossl_rsa_oaeppss_nid2name(md_nid); 434 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); 435 436 if (mdname == NULL) { 437 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 438 "PSS restrictions lack hash algorithm"); 439 return 0; 440 } 441 if (mgf1mdname == NULL) { 442 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 443 "PSS restrictions lack MGF1 hash algorithm"); 444 return 0; 445 } 446 447 len = OPENSSL_strlcpy(prsactx->mdname, mdname, 448 sizeof(prsactx->mdname)); 449 if (len >= sizeof(prsactx->mdname)) { 450 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 451 "hash algorithm name too long"); 452 return 0; 453 } 454 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, 455 sizeof(prsactx->mgf1_mdname)); 456 if (len >= sizeof(prsactx->mgf1_mdname)) { 457 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 458 "MGF1 hash algorithm name too long"); 459 return 0; 460 } 461 prsactx->saltlen = min_saltlen; 462 463 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ 464 if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) 465 || !rsa_setup_md(prsactx, mdname, prsactx->propq) 466 || !rsa_check_parameters(prsactx, min_saltlen)) 467 return 0; 468 } 469 } 470 471 break; 472 default: 473 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 474 return 0; 475 } 476 477 if (!rsa_set_ctx_params(prsactx, params)) 478 return 0; 479 480 return 1; 481 } 482 483 static int setup_tbuf(PROV_RSA_CTX *ctx) 484 { 485 if (ctx->tbuf != NULL) 486 return 1; 487 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) { 488 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 489 return 0; 490 } 491 return 1; 492 } 493 494 static void clean_tbuf(PROV_RSA_CTX *ctx) 495 { 496 if (ctx->tbuf != NULL) 497 OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa)); 498 } 499 500 static void free_tbuf(PROV_RSA_CTX *ctx) 501 { 502 clean_tbuf(ctx); 503 OPENSSL_free(ctx->tbuf); 504 ctx->tbuf = NULL; 505 } 506 507 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[]) 508 { 509 if (!ossl_prov_is_running()) 510 return 0; 511 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_SIGN); 512 } 513 514 static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, 515 size_t sigsize, const unsigned char *tbs, size_t tbslen) 516 { 517 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 518 int ret; 519 size_t rsasize = RSA_size(prsactx->rsa); 520 size_t mdsize = rsa_get_md_size(prsactx); 521 522 if (!ossl_prov_is_running()) 523 return 0; 524 525 if (sig == NULL) { 526 *siglen = rsasize; 527 return 1; 528 } 529 530 if (sigsize < rsasize) { 531 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, 532 "is %zu, should be at least %zu", sigsize, rsasize); 533 return 0; 534 } 535 536 if (mdsize != 0) { 537 if (tbslen != mdsize) { 538 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); 539 return 0; 540 } 541 542 #ifndef FIPS_MODULE 543 if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) { 544 unsigned int sltmp; 545 546 if (prsactx->pad_mode != RSA_PKCS1_PADDING) { 547 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 548 "only PKCS#1 padding supported with MDC2"); 549 return 0; 550 } 551 ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, 552 prsactx->rsa); 553 554 if (ret <= 0) { 555 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 556 return 0; 557 } 558 ret = sltmp; 559 goto end; 560 } 561 #endif 562 switch (prsactx->pad_mode) { 563 case RSA_X931_PADDING: 564 if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) { 565 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL, 566 "RSA key size = %d, expected minimum = %d", 567 RSA_size(prsactx->rsa), tbslen + 1); 568 return 0; 569 } 570 if (!setup_tbuf(prsactx)) { 571 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 572 return 0; 573 } 574 memcpy(prsactx->tbuf, tbs, tbslen); 575 prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid); 576 ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf, 577 sig, prsactx->rsa, RSA_X931_PADDING); 578 clean_tbuf(prsactx); 579 break; 580 581 case RSA_PKCS1_PADDING: 582 { 583 unsigned int sltmp; 584 585 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp, 586 prsactx->rsa); 587 if (ret <= 0) { 588 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 589 return 0; 590 } 591 ret = sltmp; 592 } 593 break; 594 595 case RSA_PKCS1_PSS_PADDING: 596 /* Check PSS restrictions */ 597 if (rsa_pss_restricted(prsactx)) { 598 switch (prsactx->saltlen) { 599 case RSA_PSS_SALTLEN_DIGEST: 600 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { 601 ERR_raise_data(ERR_LIB_PROV, 602 PROV_R_PSS_SALTLEN_TOO_SMALL, 603 "minimum salt length set to %d, " 604 "but the digest only gives %d", 605 prsactx->min_saltlen, 606 EVP_MD_get_size(prsactx->md)); 607 return 0; 608 } 609 /* FALLTHRU */ 610 default: 611 if (prsactx->saltlen >= 0 612 && prsactx->saltlen < prsactx->min_saltlen) { 613 ERR_raise_data(ERR_LIB_PROV, 614 PROV_R_PSS_SALTLEN_TOO_SMALL, 615 "minimum salt length set to %d, but the" 616 "actual salt length is only set to %d", 617 prsactx->min_saltlen, 618 prsactx->saltlen); 619 return 0; 620 } 621 break; 622 } 623 } 624 if (!setup_tbuf(prsactx)) 625 return 0; 626 if (!RSA_padding_add_PKCS1_PSS_mgf1(prsactx->rsa, 627 prsactx->tbuf, tbs, 628 prsactx->md, prsactx->mgf1_md, 629 prsactx->saltlen)) { 630 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 631 return 0; 632 } 633 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf, 634 sig, prsactx->rsa, RSA_NO_PADDING); 635 clean_tbuf(prsactx); 636 break; 637 638 default: 639 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 640 "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); 641 return 0; 642 } 643 } else { 644 ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa, 645 prsactx->pad_mode); 646 } 647 648 #ifndef FIPS_MODULE 649 end: 650 #endif 651 if (ret <= 0) { 652 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 653 return 0; 654 } 655 656 *siglen = ret; 657 return 1; 658 } 659 660 static int rsa_verify_recover_init(void *vprsactx, void *vrsa, 661 const OSSL_PARAM params[]) 662 { 663 if (!ossl_prov_is_running()) 664 return 0; 665 return rsa_signverify_init(vprsactx, vrsa, params, 666 EVP_PKEY_OP_VERIFYRECOVER); 667 } 668 669 static int rsa_verify_recover(void *vprsactx, 670 unsigned char *rout, 671 size_t *routlen, 672 size_t routsize, 673 const unsigned char *sig, 674 size_t siglen) 675 { 676 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 677 int ret; 678 679 if (!ossl_prov_is_running()) 680 return 0; 681 682 if (rout == NULL) { 683 *routlen = RSA_size(prsactx->rsa); 684 return 1; 685 } 686 687 if (prsactx->md != NULL) { 688 switch (prsactx->pad_mode) { 689 case RSA_X931_PADDING: 690 if (!setup_tbuf(prsactx)) 691 return 0; 692 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, 693 RSA_X931_PADDING); 694 if (ret < 1) { 695 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 696 return 0; 697 } 698 ret--; 699 if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) { 700 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH); 701 return 0; 702 } 703 if (ret != EVP_MD_get_size(prsactx->md)) { 704 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, 705 "Should be %d, but got %d", 706 EVP_MD_get_size(prsactx->md), ret); 707 return 0; 708 } 709 710 *routlen = ret; 711 if (rout != prsactx->tbuf) { 712 if (routsize < (size_t)ret) { 713 ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, 714 "buffer size is %d, should be %d", 715 routsize, ret); 716 return 0; 717 } 718 memcpy(rout, prsactx->tbuf, ret); 719 } 720 break; 721 722 case RSA_PKCS1_PADDING: 723 { 724 size_t sltmp; 725 726 ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp, 727 sig, siglen, prsactx->rsa); 728 if (ret <= 0) { 729 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 730 return 0; 731 } 732 ret = sltmp; 733 } 734 break; 735 736 default: 737 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 738 "Only X.931 or PKCS#1 v1.5 padding allowed"); 739 return 0; 740 } 741 } else { 742 ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa, 743 prsactx->pad_mode); 744 if (ret < 0) { 745 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 746 return 0; 747 } 748 } 749 *routlen = ret; 750 return 1; 751 } 752 753 static int rsa_verify_init(void *vprsactx, void *vrsa, 754 const OSSL_PARAM params[]) 755 { 756 if (!ossl_prov_is_running()) 757 return 0; 758 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_VERIFY); 759 } 760 761 static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, 762 const unsigned char *tbs, size_t tbslen) 763 { 764 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 765 size_t rslen; 766 767 if (!ossl_prov_is_running()) 768 return 0; 769 if (prsactx->md != NULL) { 770 switch (prsactx->pad_mode) { 771 case RSA_PKCS1_PADDING: 772 if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen, 773 prsactx->rsa)) { 774 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 775 return 0; 776 } 777 return 1; 778 case RSA_X931_PADDING: 779 if (!setup_tbuf(prsactx)) 780 return 0; 781 if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0, 782 sig, siglen) <= 0) 783 return 0; 784 break; 785 case RSA_PKCS1_PSS_PADDING: 786 { 787 int ret; 788 size_t mdsize; 789 790 /* 791 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1() 792 * call 793 */ 794 mdsize = rsa_get_md_size(prsactx); 795 if (tbslen != mdsize) { 796 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, 797 "Should be %d, but got %d", 798 mdsize, tbslen); 799 return 0; 800 } 801 802 if (!setup_tbuf(prsactx)) 803 return 0; 804 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, 805 prsactx->rsa, RSA_NO_PADDING); 806 if (ret <= 0) { 807 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 808 return 0; 809 } 810 ret = RSA_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs, 811 prsactx->md, prsactx->mgf1_md, 812 prsactx->tbuf, 813 prsactx->saltlen); 814 if (ret <= 0) { 815 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 816 return 0; 817 } 818 return 1; 819 } 820 default: 821 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 822 "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); 823 return 0; 824 } 825 } else { 826 int ret; 827 828 if (!setup_tbuf(prsactx)) 829 return 0; 830 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, 831 prsactx->pad_mode); 832 if (ret <= 0) { 833 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 834 return 0; 835 } 836 rslen = (size_t)ret; 837 } 838 839 if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) 840 return 0; 841 842 return 1; 843 } 844 845 static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, 846 void *vrsa, const OSSL_PARAM params[], 847 int operation) 848 { 849 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 850 851 if (!ossl_prov_is_running()) 852 return 0; 853 854 if (!rsa_signverify_init(vprsactx, vrsa, params, operation)) 855 return 0; 856 857 if (mdname != NULL 858 /* was rsa_setup_md already called in rsa_signverify_init()? */ 859 && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0) 860 && !rsa_setup_md(prsactx, mdname, prsactx->propq)) 861 return 0; 862 863 prsactx->flag_allow_md = 0; 864 865 if (prsactx->mdctx == NULL) { 866 prsactx->mdctx = EVP_MD_CTX_new(); 867 if (prsactx->mdctx == NULL) 868 goto error; 869 } 870 871 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) 872 goto error; 873 874 return 1; 875 876 error: 877 EVP_MD_CTX_free(prsactx->mdctx); 878 prsactx->mdctx = NULL; 879 return 0; 880 } 881 882 static int rsa_digest_signverify_update(void *vprsactx, 883 const unsigned char *data, 884 size_t datalen) 885 { 886 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 887 888 if (prsactx == NULL || prsactx->mdctx == NULL) 889 return 0; 890 891 return EVP_DigestUpdate(prsactx->mdctx, data, datalen); 892 } 893 894 static int rsa_digest_sign_init(void *vprsactx, const char *mdname, 895 void *vrsa, const OSSL_PARAM params[]) 896 { 897 if (!ossl_prov_is_running()) 898 return 0; 899 return rsa_digest_signverify_init(vprsactx, mdname, vrsa, 900 params, EVP_PKEY_OP_SIGN); 901 } 902 903 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig, 904 size_t *siglen, size_t sigsize) 905 { 906 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 907 unsigned char digest[EVP_MAX_MD_SIZE]; 908 unsigned int dlen = 0; 909 910 if (!ossl_prov_is_running() || prsactx == NULL) 911 return 0; 912 prsactx->flag_allow_md = 1; 913 if (prsactx->mdctx == NULL) 914 return 0; 915 /* 916 * If sig is NULL then we're just finding out the sig size. Other fields 917 * are ignored. Defer to rsa_sign. 918 */ 919 if (sig != NULL) { 920 /* 921 * The digests used here are all known (see rsa_get_md_nid()), so they 922 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. 923 */ 924 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) 925 return 0; 926 } 927 928 return rsa_sign(vprsactx, sig, siglen, sigsize, digest, (size_t)dlen); 929 } 930 931 static int rsa_digest_verify_init(void *vprsactx, const char *mdname, 932 void *vrsa, const OSSL_PARAM params[]) 933 { 934 if (!ossl_prov_is_running()) 935 return 0; 936 return rsa_digest_signverify_init(vprsactx, mdname, vrsa, 937 params, EVP_PKEY_OP_VERIFY); 938 } 939 940 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, 941 size_t siglen) 942 { 943 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 944 unsigned char digest[EVP_MAX_MD_SIZE]; 945 unsigned int dlen = 0; 946 947 if (!ossl_prov_is_running()) 948 return 0; 949 950 if (prsactx == NULL) 951 return 0; 952 prsactx->flag_allow_md = 1; 953 if (prsactx->mdctx == NULL) 954 return 0; 955 956 /* 957 * The digests used here are all known (see rsa_get_md_nid()), so they 958 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. 959 */ 960 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) 961 return 0; 962 963 return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); 964 } 965 966 static void rsa_freectx(void *vprsactx) 967 { 968 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 969 970 if (prsactx == NULL) 971 return; 972 973 EVP_MD_CTX_free(prsactx->mdctx); 974 EVP_MD_free(prsactx->md); 975 EVP_MD_free(prsactx->mgf1_md); 976 OPENSSL_free(prsactx->propq); 977 free_tbuf(prsactx); 978 RSA_free(prsactx->rsa); 979 980 OPENSSL_clear_free(prsactx, sizeof(*prsactx)); 981 } 982 983 static void *rsa_dupctx(void *vprsactx) 984 { 985 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; 986 PROV_RSA_CTX *dstctx; 987 988 if (!ossl_prov_is_running()) 989 return NULL; 990 991 dstctx = OPENSSL_zalloc(sizeof(*srcctx)); 992 if (dstctx == NULL) { 993 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 994 return NULL; 995 } 996 997 *dstctx = *srcctx; 998 dstctx->rsa = NULL; 999 dstctx->md = NULL; 1000 dstctx->mgf1_md = NULL; 1001 dstctx->mdctx = NULL; 1002 dstctx->tbuf = NULL; 1003 dstctx->propq = NULL; 1004 1005 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa)) 1006 goto err; 1007 dstctx->rsa = srcctx->rsa; 1008 1009 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md)) 1010 goto err; 1011 dstctx->md = srcctx->md; 1012 1013 if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md)) 1014 goto err; 1015 dstctx->mgf1_md = srcctx->mgf1_md; 1016 1017 if (srcctx->mdctx != NULL) { 1018 dstctx->mdctx = EVP_MD_CTX_new(); 1019 if (dstctx->mdctx == NULL 1020 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)) 1021 goto err; 1022 } 1023 1024 if (srcctx->propq != NULL) { 1025 dstctx->propq = OPENSSL_strdup(srcctx->propq); 1026 if (dstctx->propq == NULL) 1027 goto err; 1028 } 1029 1030 return dstctx; 1031 err: 1032 rsa_freectx(dstctx); 1033 return NULL; 1034 } 1035 1036 static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) 1037 { 1038 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1039 OSSL_PARAM *p; 1040 1041 if (prsactx == NULL) 1042 return 0; 1043 1044 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID); 1045 if (p != NULL) { 1046 /* The Algorithm Identifier of the combined signature algorithm */ 1047 unsigned char aid_buf[128]; 1048 unsigned char *aid; 1049 size_t aid_len; 1050 1051 aid = rsa_generate_signature_aid(prsactx, aid_buf, 1052 sizeof(aid_buf), &aid_len); 1053 if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len)) 1054 return 0; 1055 } 1056 1057 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE); 1058 if (p != NULL) 1059 switch (p->data_type) { 1060 case OSSL_PARAM_INTEGER: 1061 if (!OSSL_PARAM_set_int(p, prsactx->pad_mode)) 1062 return 0; 1063 break; 1064 case OSSL_PARAM_UTF8_STRING: 1065 { 1066 int i; 1067 const char *word = NULL; 1068 1069 for (i = 0; padding_item[i].id != 0; i++) { 1070 if (prsactx->pad_mode == (int)padding_item[i].id) { 1071 word = padding_item[i].ptr; 1072 break; 1073 } 1074 } 1075 1076 if (word != NULL) { 1077 if (!OSSL_PARAM_set_utf8_string(p, word)) 1078 return 0; 1079 } else { 1080 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 1081 } 1082 } 1083 break; 1084 default: 1085 return 0; 1086 } 1087 1088 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST); 1089 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname)) 1090 return 0; 1091 1092 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); 1093 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname)) 1094 return 0; 1095 1096 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); 1097 if (p != NULL) { 1098 if (p->data_type == OSSL_PARAM_INTEGER) { 1099 if (!OSSL_PARAM_set_int(p, prsactx->saltlen)) 1100 return 0; 1101 } else if (p->data_type == OSSL_PARAM_UTF8_STRING) { 1102 const char *value = NULL; 1103 1104 switch (prsactx->saltlen) { 1105 case RSA_PSS_SALTLEN_DIGEST: 1106 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST; 1107 break; 1108 case RSA_PSS_SALTLEN_MAX: 1109 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX; 1110 break; 1111 case RSA_PSS_SALTLEN_AUTO: 1112 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; 1113 break; 1114 default: 1115 { 1116 int len = BIO_snprintf(p->data, p->data_size, "%d", 1117 prsactx->saltlen); 1118 1119 if (len <= 0) 1120 return 0; 1121 p->return_size = len; 1122 break; 1123 } 1124 } 1125 if (value != NULL 1126 && !OSSL_PARAM_set_utf8_string(p, value)) 1127 return 0; 1128 } 1129 } 1130 1131 return 1; 1132 } 1133 1134 static const OSSL_PARAM known_gettable_ctx_params[] = { 1135 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), 1136 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1137 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 1138 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1139 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1140 OSSL_PARAM_END 1141 }; 1142 1143 static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, 1144 ossl_unused void *provctx) 1145 { 1146 return known_gettable_ctx_params; 1147 } 1148 1149 static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) 1150 { 1151 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1152 const OSSL_PARAM *p; 1153 int pad_mode; 1154 int saltlen; 1155 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; 1156 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; 1157 char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; 1158 char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL; 1159 1160 if (prsactx == NULL) 1161 return 0; 1162 if (params == NULL) 1163 return 1; 1164 1165 pad_mode = prsactx->pad_mode; 1166 saltlen = prsactx->saltlen; 1167 1168 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); 1169 if (p != NULL) { 1170 const OSSL_PARAM *propsp = 1171 OSSL_PARAM_locate_const(params, 1172 OSSL_SIGNATURE_PARAM_PROPERTIES); 1173 1174 pmdname = mdname; 1175 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname))) 1176 return 0; 1177 1178 if (propsp != NULL) { 1179 pmdprops = mdprops; 1180 if (!OSSL_PARAM_get_utf8_string(propsp, 1181 &pmdprops, sizeof(mdprops))) 1182 return 0; 1183 } 1184 } 1185 1186 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE); 1187 if (p != NULL) { 1188 const char *err_extra_text = NULL; 1189 1190 switch (p->data_type) { 1191 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ 1192 if (!OSSL_PARAM_get_int(p, &pad_mode)) 1193 return 0; 1194 break; 1195 case OSSL_PARAM_UTF8_STRING: 1196 { 1197 int i; 1198 1199 if (p->data == NULL) 1200 return 0; 1201 1202 for (i = 0; padding_item[i].id != 0; i++) { 1203 if (strcmp(p->data, padding_item[i].ptr) == 0) { 1204 pad_mode = padding_item[i].id; 1205 break; 1206 } 1207 } 1208 } 1209 break; 1210 default: 1211 return 0; 1212 } 1213 1214 switch (pad_mode) { 1215 case RSA_PKCS1_OAEP_PADDING: 1216 /* 1217 * OAEP padding is for asymmetric cipher only so is not compatible 1218 * with signature use. 1219 */ 1220 err_extra_text = "OAEP padding not allowed for signing / verifying"; 1221 goto bad_pad; 1222 case RSA_PKCS1_PSS_PADDING: 1223 if ((prsactx->operation 1224 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) == 0) { 1225 err_extra_text = 1226 "PSS padding only allowed for sign and verify operations"; 1227 goto bad_pad; 1228 } 1229 break; 1230 case RSA_PKCS1_PADDING: 1231 err_extra_text = "PKCS#1 padding not allowed with RSA-PSS"; 1232 goto cont; 1233 case RSA_NO_PADDING: 1234 err_extra_text = "No padding not allowed with RSA-PSS"; 1235 goto cont; 1236 case RSA_X931_PADDING: 1237 err_extra_text = "X.931 padding not allowed with RSA-PSS"; 1238 cont: 1239 if (RSA_test_flags(prsactx->rsa, 1240 RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) 1241 break; 1242 /* FALLTHRU */ 1243 default: 1244 bad_pad: 1245 if (err_extra_text == NULL) 1246 ERR_raise(ERR_LIB_PROV, 1247 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 1248 else 1249 ERR_raise_data(ERR_LIB_PROV, 1250 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE, 1251 err_extra_text); 1252 return 0; 1253 } 1254 } 1255 1256 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); 1257 if (p != NULL) { 1258 if (pad_mode != RSA_PKCS1_PSS_PADDING) { 1259 ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED, 1260 "PSS saltlen can only be specified if " 1261 "PSS padding has been specified first"); 1262 return 0; 1263 } 1264 1265 switch (p->data_type) { 1266 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ 1267 if (!OSSL_PARAM_get_int(p, &saltlen)) 1268 return 0; 1269 break; 1270 case OSSL_PARAM_UTF8_STRING: 1271 if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0) 1272 saltlen = RSA_PSS_SALTLEN_DIGEST; 1273 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0) 1274 saltlen = RSA_PSS_SALTLEN_MAX; 1275 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) 1276 saltlen = RSA_PSS_SALTLEN_AUTO; 1277 else 1278 saltlen = atoi(p->data); 1279 break; 1280 default: 1281 return 0; 1282 } 1283 1284 /* 1285 * RSA_PSS_SALTLEN_MAX seems curiously named in this check. 1286 * Contrary to what it's name suggests, it's the currently 1287 * lowest saltlen number possible. 1288 */ 1289 if (saltlen < RSA_PSS_SALTLEN_MAX) { 1290 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 1291 return 0; 1292 } 1293 1294 if (rsa_pss_restricted(prsactx)) { 1295 switch (saltlen) { 1296 case RSA_PSS_SALTLEN_AUTO: 1297 if (prsactx->operation == EVP_PKEY_OP_VERIFY) { 1298 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, 1299 "Cannot use autodetected salt length"); 1300 return 0; 1301 } 1302 break; 1303 case RSA_PSS_SALTLEN_DIGEST: 1304 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { 1305 ERR_raise_data(ERR_LIB_PROV, 1306 PROV_R_PSS_SALTLEN_TOO_SMALL, 1307 "Should be more than %d, but would be " 1308 "set to match digest size (%d)", 1309 prsactx->min_saltlen, 1310 EVP_MD_get_size(prsactx->md)); 1311 return 0; 1312 } 1313 break; 1314 default: 1315 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) { 1316 ERR_raise_data(ERR_LIB_PROV, 1317 PROV_R_PSS_SALTLEN_TOO_SMALL, 1318 "Should be more than %d, " 1319 "but would be set to %d", 1320 prsactx->min_saltlen, saltlen); 1321 return 0; 1322 } 1323 } 1324 } 1325 } 1326 1327 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); 1328 if (p != NULL) { 1329 const OSSL_PARAM *propsp = 1330 OSSL_PARAM_locate_const(params, 1331 OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES); 1332 1333 pmgf1mdname = mgf1mdname; 1334 if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname))) 1335 return 0; 1336 1337 if (propsp != NULL) { 1338 pmgf1mdprops = mgf1mdprops; 1339 if (!OSSL_PARAM_get_utf8_string(propsp, 1340 &pmgf1mdprops, sizeof(mgf1mdprops))) 1341 return 0; 1342 } 1343 1344 if (pad_mode != RSA_PKCS1_PSS_PADDING) { 1345 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD); 1346 return 0; 1347 } 1348 } 1349 1350 prsactx->saltlen = saltlen; 1351 prsactx->pad_mode = pad_mode; 1352 1353 if (prsactx->md == NULL && pmdname == NULL 1354 && pad_mode == RSA_PKCS1_PSS_PADDING) 1355 pmdname = RSA_DEFAULT_DIGEST_NAME; 1356 1357 if (pmgf1mdname != NULL 1358 && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) 1359 return 0; 1360 1361 if (pmdname != NULL) { 1362 if (!rsa_setup_md(prsactx, pmdname, pmdprops)) 1363 return 0; 1364 } else { 1365 if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid)) 1366 return 0; 1367 } 1368 return 1; 1369 } 1370 1371 static const OSSL_PARAM settable_ctx_params[] = { 1372 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 1373 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), 1374 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1375 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1376 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), 1377 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1378 OSSL_PARAM_END 1379 }; 1380 1381 static const OSSL_PARAM settable_ctx_params_no_digest[] = { 1382 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1383 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1384 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), 1385 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1386 OSSL_PARAM_END 1387 }; 1388 1389 static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx, 1390 ossl_unused void *provctx) 1391 { 1392 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1393 1394 if (prsactx != NULL && !prsactx->flag_allow_md) 1395 return settable_ctx_params_no_digest; 1396 return settable_ctx_params; 1397 } 1398 1399 static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params) 1400 { 1401 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1402 1403 if (prsactx->mdctx == NULL) 1404 return 0; 1405 1406 return EVP_MD_CTX_get_params(prsactx->mdctx, params); 1407 } 1408 1409 static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx) 1410 { 1411 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1412 1413 if (prsactx->md == NULL) 1414 return 0; 1415 1416 return EVP_MD_gettable_ctx_params(prsactx->md); 1417 } 1418 1419 static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[]) 1420 { 1421 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1422 1423 if (prsactx->mdctx == NULL) 1424 return 0; 1425 1426 return EVP_MD_CTX_set_params(prsactx->mdctx, params); 1427 } 1428 1429 static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) 1430 { 1431 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1432 1433 if (prsactx->md == NULL) 1434 return 0; 1435 1436 return EVP_MD_settable_ctx_params(prsactx->md); 1437 } 1438 1439 const OSSL_DISPATCH ossl_rsa_signature_functions[] = { 1440 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, 1441 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, 1442 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, 1443 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init }, 1444 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify }, 1445 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, 1446 (void (*)(void))rsa_verify_recover_init }, 1447 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, 1448 (void (*)(void))rsa_verify_recover }, 1449 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, 1450 (void (*)(void))rsa_digest_sign_init }, 1451 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, 1452 (void (*)(void))rsa_digest_signverify_update }, 1453 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, 1454 (void (*)(void))rsa_digest_sign_final }, 1455 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, 1456 (void (*)(void))rsa_digest_verify_init }, 1457 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, 1458 (void (*)(void))rsa_digest_signverify_update }, 1459 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, 1460 (void (*)(void))rsa_digest_verify_final }, 1461 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, 1462 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, 1463 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params }, 1464 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, 1465 (void (*)(void))rsa_gettable_ctx_params }, 1466 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params }, 1467 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, 1468 (void (*)(void))rsa_settable_ctx_params }, 1469 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, 1470 (void (*)(void))rsa_get_ctx_md_params }, 1471 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, 1472 (void (*)(void))rsa_gettable_ctx_md_params }, 1473 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, 1474 (void (*)(void))rsa_set_ctx_md_params }, 1475 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, 1476 (void (*)(void))rsa_settable_ctx_md_params }, 1477 { 0, NULL } 1478 }; 1479