1 /* 2 * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <string.h> 17 #include <openssl/crypto.h> 18 #include <openssl/core_dispatch.h> 19 #include <openssl/core_names.h> 20 #include <openssl/err.h> 21 #include <openssl/obj_mac.h> 22 #include <openssl/rsa.h> 23 #include <openssl/params.h> 24 #include <openssl/evp.h> 25 #include <openssl/proverr.h> 26 #include "internal/cryptlib.h" 27 #include "internal/nelem.h" 28 #include "internal/sizes.h" 29 #include "crypto/rsa.h" 30 #include "prov/providercommon.h" 31 #include "prov/implementations.h" 32 #include "prov/provider_ctx.h" 33 #include "prov/der_rsa.h" 34 #include "prov/securitycheck.h" 35 36 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 37 38 static OSSL_FUNC_signature_newctx_fn rsa_newctx; 39 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; 40 static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; 41 static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; 42 static OSSL_FUNC_signature_sign_fn rsa_sign; 43 static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update; 44 static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final; 45 static OSSL_FUNC_signature_verify_fn rsa_verify; 46 static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover; 47 static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update; 48 static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final; 49 static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init; 50 static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update; 51 static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; 52 static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; 53 static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update; 54 static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; 55 static OSSL_FUNC_signature_freectx_fn rsa_freectx; 56 static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; 57 static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; 58 static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; 59 static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; 60 static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params; 61 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params; 62 static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params; 63 static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params; 64 static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params; 65 static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params; 66 static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; 67 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; 68 69 static OSSL_ITEM padding_item[] = { 70 { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 }, 71 { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE }, 72 { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 }, 73 { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS }, 74 { 0, NULL } 75 }; 76 77 /* 78 * What's passed as an actual key is defined by the KEYMGMT interface. 79 * We happen to know that our KEYMGMT simply passes RSA structures, so 80 * we use that here too. 81 */ 82 83 typedef struct { 84 OSSL_LIB_CTX *libctx; 85 char *propq; 86 RSA *rsa; 87 int operation; 88 89 /* 90 * Flag to determine if a full sigalg is run (1) or if a composable 91 * signature algorithm is run (0). 92 * 93 * When a full sigalg is run (1), this currently affects the following 94 * other flags, which are to remain untouched after their initialization: 95 * 96 * - flag_allow_md (initialized to 0) 97 */ 98 unsigned int flag_sigalg : 1; 99 /* 100 * Flag to determine if the hash function can be changed (1) or not (0) 101 * Because it's dangerous to change during a DigestSign or DigestVerify 102 * operation, this flag is cleared by their Init function, and set again 103 * by their Final function. 104 * Implementations of full sigalgs (such as RSA-SHA256) hard-code this 105 * flag to not allow changes (0). 106 */ 107 unsigned int flag_allow_md : 1; 108 unsigned int mgf1_md_set : 1; 109 /* 110 * Flags to say what are the possible next external calls in what 111 * consitutes the life cycle of an algorithm. The relevant calls are: 112 * - init 113 * - update 114 * - final 115 * - oneshot 116 * All other external calls are regarded as utilitarian and are allowed 117 * at any time (they may be affected by other flags, like flag_allow_md, 118 * though). 119 */ 120 unsigned int flag_allow_update : 1; 121 unsigned int flag_allow_final : 1; 122 unsigned int flag_allow_oneshot : 1; 123 124 /* main digest */ 125 EVP_MD *md; 126 EVP_MD_CTX *mdctx; 127 int mdnid; 128 char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ 129 130 /* RSA padding mode */ 131 int pad_mode; 132 /* message digest for MGF1 */ 133 EVP_MD *mgf1_md; 134 int mgf1_mdnid; 135 char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ 136 /* PSS salt length */ 137 int saltlen; 138 /* Minimum salt length or -1 if no PSS parameter restriction */ 139 int min_saltlen; 140 141 /* Signature, for verification */ 142 unsigned char *sig; 143 size_t siglen; 144 145 #ifdef FIPS_MODULE 146 /* 147 * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a 148 * message is not permitted. However, signing based on a digest is still 149 * permitted. 150 */ 151 int verify_message; 152 #endif 153 154 /* Temp buffer */ 155 unsigned char *tbuf; 156 157 OSSL_FIPS_IND_DECLARE 158 } PROV_RSA_CTX; 159 160 /* True if PSS parameters are restricted */ 161 #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) 162 163 static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx) 164 { 165 int md_size; 166 167 if (prsactx->md != NULL) { 168 md_size = EVP_MD_get_size(prsactx->md); 169 if (md_size <= 0) 170 return 0; 171 return md_size; 172 } 173 return 0; 174 } 175 176 static int rsa_check_padding(const PROV_RSA_CTX *prsactx, 177 const char *mdname, const char *mgf1_mdname, 178 int mdnid) 179 { 180 switch (prsactx->pad_mode) { 181 case RSA_NO_PADDING: 182 if (mdname != NULL || mdnid != NID_undef) { 183 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); 184 return 0; 185 } 186 break; 187 case RSA_X931_PADDING: 188 if (RSA_X931_hash_id(mdnid) == -1) { 189 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); 190 return 0; 191 } 192 break; 193 case RSA_PKCS1_PSS_PADDING: 194 if (rsa_pss_restricted(prsactx)) 195 if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname)) 196 || (mgf1_mdname != NULL 197 && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) { 198 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); 199 return 0; 200 } 201 break; 202 default: 203 break; 204 } 205 206 return 1; 207 } 208 209 static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) 210 { 211 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { 212 int max_saltlen; 213 214 /* See if minimum salt length exceeds maximum possible */ 215 max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md); 216 if ((RSA_bits(prsactx->rsa) & 0x7) == 1) 217 max_saltlen--; 218 if (min_saltlen < 0 || min_saltlen > max_saltlen) { 219 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 220 return 0; 221 } 222 prsactx->min_saltlen = min_saltlen; 223 } 224 return 1; 225 } 226 227 static void *rsa_newctx(void *provctx, const char *propq) 228 { 229 PROV_RSA_CTX *prsactx = NULL; 230 char *propq_copy = NULL; 231 232 if (!ossl_prov_is_running()) 233 return NULL; 234 235 if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL 236 || (propq != NULL 237 && (propq_copy = OPENSSL_strdup(propq)) == NULL)) { 238 OPENSSL_free(prsactx); 239 return NULL; 240 } 241 242 OSSL_FIPS_IND_INIT(prsactx) 243 prsactx->libctx = PROV_LIBCTX_OF(provctx); 244 prsactx->flag_allow_md = 1; 245 #ifdef FIPS_MODULE 246 prsactx->verify_message = 1; 247 #endif 248 prsactx->propq = propq_copy; 249 /* Maximum up to digest length for sign, auto for verify */ 250 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; 251 prsactx->min_saltlen = -1; 252 return prsactx; 253 } 254 255 static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) 256 { 257 int saltlen = ctx->saltlen; 258 int saltlenMax = -1; 259 260 /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection 261 * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the 262 * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of 263 * the hash function output block (in bytes)." 264 * 265 * Provide a way to use at most the digest length, so that the default does 266 * not violate FIPS 186-4. */ 267 if (saltlen == RSA_PSS_SALTLEN_DIGEST) { 268 if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) { 269 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); 270 return -1; 271 } 272 } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { 273 saltlen = RSA_PSS_SALTLEN_MAX; 274 if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) { 275 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); 276 return -1; 277 } 278 } 279 if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { 280 int mdsize, rsasize; 281 282 if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) { 283 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); 284 return -1; 285 } 286 if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) { 287 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); 288 return -1; 289 } 290 saltlen = rsasize - mdsize - 2; 291 if ((RSA_bits(ctx->rsa) & 0x7) == 1) 292 saltlen--; 293 if (saltlenMax >= 0 && saltlen > saltlenMax) 294 saltlen = saltlenMax; 295 } 296 if (saltlen < 0) { 297 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 298 return -1; 299 } else if (saltlen < ctx->min_saltlen) { 300 ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, 301 "minimum salt length: %d, actual salt length: %d", 302 ctx->min_saltlen, saltlen); 303 return -1; 304 } 305 return saltlen; 306 } 307 308 static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, 309 unsigned char *aid_buf, 310 size_t buf_len, 311 size_t *aid_len) 312 { 313 WPACKET pkt; 314 unsigned char *aid = NULL; 315 int saltlen; 316 RSA_PSS_PARAMS_30 pss_params; 317 int ret; 318 319 if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { 320 ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB); 321 return NULL; 322 } 323 324 switch (ctx->pad_mode) { 325 case RSA_PKCS1_PADDING: 326 ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, 327 ctx->mdnid); 328 329 if (ret > 0) { 330 break; 331 } else if (ret == 0) { 332 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 333 goto cleanup; 334 } 335 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 336 "Algorithm ID generation - md NID: %d", 337 ctx->mdnid); 338 goto cleanup; 339 case RSA_PKCS1_PSS_PADDING: 340 saltlen = rsa_pss_compute_saltlen(ctx); 341 if (saltlen < 0) 342 goto cleanup; 343 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) 344 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) 345 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, 346 ctx->mgf1_mdnid) 347 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) 348 || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, 349 RSA_FLAG_TYPE_RSASSAPSS, 350 &pss_params)) { 351 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 352 goto cleanup; 353 } 354 break; 355 default: 356 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 357 "Algorithm ID generation - pad mode: %d", 358 ctx->pad_mode); 359 goto cleanup; 360 } 361 if (WPACKET_finish(&pkt)) { 362 WPACKET_get_total_written(&pkt, aid_len); 363 aid = WPACKET_get_curr(&pkt); 364 } 365 cleanup: 366 WPACKET_cleanup(&pkt); 367 return aid; 368 } 369 370 static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, 371 const char *mdprops, const char *desc) 372 { 373 EVP_MD *md = NULL; 374 375 if (mdprops == NULL) 376 mdprops = ctx->propq; 377 378 if (mdname != NULL) { 379 int md_nid; 380 size_t mdname_len = strlen(mdname); 381 382 md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); 383 384 if (md == NULL) { 385 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 386 "%s could not be fetched", mdname); 387 goto err; 388 } 389 md_nid = ossl_digest_rsa_sign_get_md_nid(md); 390 if (md_nid == NID_undef) { 391 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 392 "digest=%s", mdname); 393 goto err; 394 } 395 /* 396 * XOF digests are not allowed except for RSA PSS. 397 * We don't support XOF digests with RSA PSS (yet), so just fail. 398 * When we do support them, uncomment the second clause. 399 */ 400 if (EVP_MD_xof(md) 401 /* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) { 402 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 403 goto err; 404 } 405 #ifdef FIPS_MODULE 406 { 407 int sha1_allowed 408 = ((ctx->operation 409 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); 410 411 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), 412 OSSL_FIPS_IND_SETTABLE1, 413 ctx->libctx, 414 md_nid, sha1_allowed, desc, 415 ossl_fips_config_signature_digest_check)) 416 goto err; 417 } 418 #endif 419 420 if (!rsa_check_padding(ctx, mdname, NULL, md_nid)) 421 goto err; 422 if (mdname_len >= sizeof(ctx->mdname)) { 423 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 424 "%s exceeds name buffer length", mdname); 425 goto err; 426 } 427 428 if (!ctx->flag_allow_md) { 429 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { 430 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 431 "digest %s != %s", mdname, ctx->mdname); 432 goto err; 433 } 434 EVP_MD_free(md); 435 return 1; 436 } 437 438 if (!ctx->mgf1_md_set) { 439 if (!EVP_MD_up_ref(md)) { 440 goto err; 441 } 442 EVP_MD_free(ctx->mgf1_md); 443 ctx->mgf1_md = md; 444 ctx->mgf1_mdnid = md_nid; 445 OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 446 } 447 448 EVP_MD_CTX_free(ctx->mdctx); 449 EVP_MD_free(ctx->md); 450 451 ctx->mdctx = NULL; 452 ctx->md = md; 453 ctx->mdnid = md_nid; 454 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); 455 } 456 457 return 1; 458 err: 459 EVP_MD_free(md); 460 return 0; 461 } 462 463 static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, 464 const char *mdprops) 465 { 466 size_t len; 467 EVP_MD *md = NULL; 468 int mdnid; 469 470 if (mdprops == NULL) 471 mdprops = ctx->propq; 472 473 if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { 474 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 475 "%s could not be fetched", mdname); 476 return 0; 477 } 478 /* The default for mgf1 is SHA1 - so allow SHA1 */ 479 if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0 480 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { 481 if (mdnid <= 0) 482 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 483 "digest=%s", mdname); 484 EVP_MD_free(md); 485 return 0; 486 } 487 len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 488 if (len >= sizeof(ctx->mgf1_mdname)) { 489 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 490 "%s exceeds name buffer length", mdname); 491 EVP_MD_free(md); 492 return 0; 493 } 494 495 EVP_MD_free(ctx->mgf1_md); 496 ctx->mgf1_md = md; 497 ctx->mgf1_mdnid = mdnid; 498 ctx->mgf1_md_set = 1; 499 return 1; 500 } 501 502 static int 503 rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa, 504 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, 505 const OSSL_PARAM params[], int operation, 506 const char *desc) 507 { 508 int protect; 509 510 if (!ossl_prov_is_running() || prsactx == NULL) 511 return 0; 512 513 if (vrsa == NULL && prsactx->rsa == NULL) { 514 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); 515 return 0; 516 } 517 518 if (vrsa != NULL) { 519 if (!RSA_up_ref(vrsa)) 520 return 0; 521 RSA_free(prsactx->rsa); 522 prsactx->rsa = vrsa; 523 } 524 if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect)) 525 return 0; 526 527 prsactx->operation = operation; 528 prsactx->flag_allow_update = 1; 529 prsactx->flag_allow_final = 1; 530 prsactx->flag_allow_oneshot = 1; 531 532 /* Maximize up to digest length for sign, auto for verify */ 533 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; 534 prsactx->min_saltlen = -1; 535 536 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { 537 case RSA_FLAG_TYPE_RSA: 538 prsactx->pad_mode = RSA_PKCS1_PADDING; 539 break; 540 case RSA_FLAG_TYPE_RSASSAPSS: 541 prsactx->pad_mode = RSA_PKCS1_PSS_PADDING; 542 543 { 544 const RSA_PSS_PARAMS_30 *pss = 545 ossl_rsa_get0_pss_params_30(prsactx->rsa); 546 547 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { 548 int md_nid = ossl_rsa_pss_params_30_hashalg(pss); 549 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); 550 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss); 551 const char *mdname, *mgf1mdname; 552 size_t len; 553 554 mdname = ossl_rsa_oaeppss_nid2name(md_nid); 555 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); 556 557 if (mdname == NULL) { 558 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 559 "PSS restrictions lack hash algorithm"); 560 return 0; 561 } 562 if (mgf1mdname == NULL) { 563 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 564 "PSS restrictions lack MGF1 hash algorithm"); 565 return 0; 566 } 567 568 len = OPENSSL_strlcpy(prsactx->mdname, mdname, 569 sizeof(prsactx->mdname)); 570 if (len >= sizeof(prsactx->mdname)) { 571 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 572 "hash algorithm name too long"); 573 return 0; 574 } 575 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, 576 sizeof(prsactx->mgf1_mdname)); 577 if (len >= sizeof(prsactx->mgf1_mdname)) { 578 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 579 "MGF1 hash algorithm name too long"); 580 return 0; 581 } 582 prsactx->saltlen = min_saltlen; 583 584 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ 585 if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) 586 || !rsa_setup_md(prsactx, mdname, prsactx->propq, desc) 587 || !rsa_check_parameters(prsactx, min_saltlen)) 588 return 0; 589 } 590 } 591 592 break; 593 default: 594 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 595 return 0; 596 } 597 598 OSSL_FIPS_IND_SET_APPROVED(prsactx) 599 if (!set_ctx_params(prsactx, params)) 600 return 0; 601 #ifdef FIPS_MODULE 602 if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx), 603 OSSL_FIPS_IND_SETTABLE0, prsactx->libctx, 604 prsactx->rsa, desc, protect)) 605 return 0; 606 #endif 607 return 1; 608 } 609 610 static int setup_tbuf(PROV_RSA_CTX *ctx) 611 { 612 if (ctx->tbuf != NULL) 613 return 1; 614 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) 615 return 0; 616 return 1; 617 } 618 619 static void clean_tbuf(PROV_RSA_CTX *ctx) 620 { 621 if (ctx->tbuf != NULL) 622 OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa)); 623 } 624 625 static void free_tbuf(PROV_RSA_CTX *ctx) 626 { 627 clean_tbuf(ctx); 628 OPENSSL_free(ctx->tbuf); 629 ctx->tbuf = NULL; 630 } 631 632 #ifdef FIPS_MODULE 633 static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen) 634 { 635 int mdsize = rsa_get_md_size(ctx); 636 /* 637 * Perform the check if the salt length is compliant to FIPS 186-5. 638 * 639 * According to FIPS 186-5 5.4 (g), the salt length shall be between zero 640 * and the output block length of the digest function (inclusive). 641 */ 642 int approved = (saltlen >= 0 && saltlen <= mdsize); 643 644 if (!approved) { 645 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3, 646 ctx->libctx, 647 algoname, "PSS Salt Length", 648 ossl_fips_config_rsa_pss_saltlen_check)) { 649 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 650 return 0; 651 } 652 } 653 654 return 1; 655 } 656 #endif 657 658 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[]) 659 { 660 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 661 662 #ifdef FIPS_MODULE 663 if (prsactx != NULL) 664 prsactx->verify_message = 1; 665 #endif 666 667 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, 668 EVP_PKEY_OP_SIGN, "RSA Sign Init"); 669 } 670 671 /* 672 * Sign tbs without digesting it first. This is suitable for "primitive" 673 * signing and signing the digest of a message, i.e. should be used with 674 * implementations of the keytype related algorithms. 675 */ 676 static int rsa_sign_directly(PROV_RSA_CTX *prsactx, 677 unsigned char *sig, size_t *siglen, size_t sigsize, 678 const unsigned char *tbs, size_t tbslen) 679 { 680 int ret; 681 size_t rsasize = RSA_size(prsactx->rsa); 682 size_t mdsize = rsa_get_md_size(prsactx); 683 684 if (!ossl_prov_is_running()) 685 return 0; 686 687 if (sig == NULL) { 688 *siglen = rsasize; 689 return 1; 690 } 691 692 if (sigsize < rsasize) { 693 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, 694 "is %zu, should be at least %zu", sigsize, rsasize); 695 return 0; 696 } 697 698 if (mdsize != 0) { 699 if (tbslen != mdsize) { 700 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); 701 return 0; 702 } 703 704 #ifndef FIPS_MODULE 705 if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) { 706 unsigned int sltmp; 707 708 if (prsactx->pad_mode != RSA_PKCS1_PADDING) { 709 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 710 "only PKCS#1 padding supported with MDC2"); 711 return 0; 712 } 713 ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, 714 prsactx->rsa); 715 716 if (ret <= 0) { 717 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 718 return 0; 719 } 720 ret = sltmp; 721 goto end; 722 } 723 #endif 724 switch (prsactx->pad_mode) { 725 case RSA_X931_PADDING: 726 if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) { 727 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL, 728 "RSA key size = %d, expected minimum = %d", 729 RSA_size(prsactx->rsa), tbslen + 1); 730 return 0; 731 } 732 if (!setup_tbuf(prsactx)) { 733 ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB); 734 return 0; 735 } 736 memcpy(prsactx->tbuf, tbs, tbslen); 737 prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid); 738 ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf, 739 sig, prsactx->rsa, RSA_X931_PADDING); 740 clean_tbuf(prsactx); 741 break; 742 case RSA_PKCS1_PADDING: 743 { 744 unsigned int sltmp; 745 746 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp, 747 prsactx->rsa); 748 if (ret <= 0) { 749 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 750 return 0; 751 } 752 ret = sltmp; 753 } 754 break; 755 756 case RSA_PKCS1_PSS_PADDING: 757 { 758 int saltlen; 759 760 /* Check PSS restrictions */ 761 if (rsa_pss_restricted(prsactx)) { 762 switch (prsactx->saltlen) { 763 case RSA_PSS_SALTLEN_DIGEST: 764 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { 765 ERR_raise_data(ERR_LIB_PROV, 766 PROV_R_PSS_SALTLEN_TOO_SMALL, 767 "minimum salt length set to %d, " 768 "but the digest only gives %d", 769 prsactx->min_saltlen, 770 EVP_MD_get_size(prsactx->md)); 771 return 0; 772 } 773 /* FALLTHRU */ 774 default: 775 if (prsactx->saltlen >= 0 776 && prsactx->saltlen < prsactx->min_saltlen) { 777 ERR_raise_data(ERR_LIB_PROV, 778 PROV_R_PSS_SALTLEN_TOO_SMALL, 779 "minimum salt length set to %d, but the" 780 "actual salt length is only set to %d", 781 prsactx->min_saltlen, 782 prsactx->saltlen); 783 return 0; 784 } 785 break; 786 } 787 } 788 if (!setup_tbuf(prsactx)) 789 return 0; 790 saltlen = prsactx->saltlen; 791 if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa, 792 prsactx->tbuf, tbs, 793 prsactx->md, prsactx->mgf1_md, 794 &saltlen)) { 795 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 796 return 0; 797 } 798 #ifdef FIPS_MODULE 799 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen)) 800 return 0; 801 #endif 802 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf, 803 sig, prsactx->rsa, RSA_NO_PADDING); 804 clean_tbuf(prsactx); 805 } 806 break; 807 808 default: 809 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 810 "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); 811 return 0; 812 } 813 } else { 814 ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa, 815 prsactx->pad_mode); 816 } 817 818 #ifndef FIPS_MODULE 819 end: 820 #endif 821 if (ret <= 0) { 822 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 823 return 0; 824 } 825 826 *siglen = ret; 827 return 1; 828 } 829 830 static int rsa_signverify_message_update(void *vprsactx, 831 const unsigned char *data, 832 size_t datalen) 833 { 834 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 835 836 if (prsactx == NULL || prsactx->mdctx == NULL) 837 return 0; 838 839 if (!prsactx->flag_allow_update) { 840 ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER); 841 return 0; 842 } 843 prsactx->flag_allow_oneshot = 0; 844 845 return EVP_DigestUpdate(prsactx->mdctx, data, datalen); 846 } 847 848 static int rsa_sign_message_final(void *vprsactx, unsigned char *sig, 849 size_t *siglen, size_t sigsize) 850 { 851 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 852 unsigned char digest[EVP_MAX_MD_SIZE]; 853 unsigned int dlen = 0; 854 855 if (!ossl_prov_is_running() || prsactx == NULL) 856 return 0; 857 if (prsactx->mdctx == NULL) 858 return 0; 859 if (!prsactx->flag_allow_final) { 860 ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); 861 return 0; 862 } 863 864 /* 865 * If sig is NULL then we're just finding out the sig size. Other fields 866 * are ignored. Defer to rsa_sign. 867 */ 868 if (sig != NULL) { 869 /* 870 * The digests used here are all known (see rsa_get_md_nid()), so they 871 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. 872 */ 873 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) 874 return 0; 875 876 prsactx->flag_allow_update = 0; 877 prsactx->flag_allow_oneshot = 0; 878 prsactx->flag_allow_final = 0; 879 } 880 881 return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen); 882 } 883 884 /* 885 * If signing a message, digest tbs and sign the result. 886 * Otherwise, sign tbs directly. 887 */ 888 static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, 889 size_t sigsize, const unsigned char *tbs, size_t tbslen) 890 { 891 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 892 893 if (!ossl_prov_is_running() || prsactx == NULL) 894 return 0; 895 if (!prsactx->flag_allow_oneshot) { 896 ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); 897 return 0; 898 } 899 900 if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) { 901 /* 902 * If |sig| is NULL, the caller is only looking for the sig length. 903 * DO NOT update the input in this case. 904 */ 905 if (sig == NULL) 906 return rsa_sign_message_final(prsactx, sig, siglen, sigsize); 907 908 return rsa_signverify_message_update(prsactx, tbs, tbslen) 909 && rsa_sign_message_final(prsactx, sig, siglen, sigsize); 910 } 911 return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen); 912 } 913 914 static int rsa_verify_recover_init(void *vprsactx, void *vrsa, 915 const OSSL_PARAM params[]) 916 { 917 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 918 919 #ifdef FIPS_MODULE 920 if (prsactx != NULL) 921 prsactx->verify_message = 0; 922 #endif 923 924 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, 925 EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init"); 926 } 927 928 /* 929 * There is no message variant of verify recover, so no need for 930 * 'rsa_verify_recover_directly', just use this function, er, directly. 931 */ 932 static int rsa_verify_recover(void *vprsactx, 933 unsigned char *rout, size_t *routlen, 934 size_t routsize, 935 const unsigned char *sig, size_t siglen) 936 { 937 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 938 int ret; 939 940 if (!ossl_prov_is_running()) 941 return 0; 942 943 if (rout == NULL) { 944 *routlen = RSA_size(prsactx->rsa); 945 return 1; 946 } 947 948 if (prsactx->md != NULL) { 949 switch (prsactx->pad_mode) { 950 case RSA_X931_PADDING: 951 if (!setup_tbuf(prsactx)) 952 return 0; 953 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, 954 RSA_X931_PADDING); 955 if (ret < 1) { 956 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 957 return 0; 958 } 959 ret--; 960 if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) { 961 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH); 962 return 0; 963 } 964 if (ret != EVP_MD_get_size(prsactx->md)) { 965 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, 966 "Should be %d, but got %d", 967 EVP_MD_get_size(prsactx->md), ret); 968 return 0; 969 } 970 971 *routlen = ret; 972 if (rout != prsactx->tbuf) { 973 if (routsize < (size_t)ret) { 974 ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, 975 "buffer size is %d, should be %d", 976 routsize, ret); 977 return 0; 978 } 979 memcpy(rout, prsactx->tbuf, ret); 980 } 981 break; 982 983 case RSA_PKCS1_PADDING: 984 { 985 size_t sltmp; 986 987 ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp, 988 sig, siglen, prsactx->rsa); 989 if (ret <= 0) { 990 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 991 return 0; 992 } 993 ret = sltmp; 994 } 995 break; 996 997 default: 998 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 999 "Only X.931 or PKCS#1 v1.5 padding allowed"); 1000 return 0; 1001 } 1002 } else { 1003 ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa, 1004 prsactx->pad_mode); 1005 if (ret < 0) { 1006 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1007 return 0; 1008 } 1009 } 1010 *routlen = ret; 1011 return 1; 1012 } 1013 1014 static int rsa_verify_init(void *vprsactx, void *vrsa, 1015 const OSSL_PARAM params[]) 1016 { 1017 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1018 1019 #ifdef FIPS_MODULE 1020 if (prsactx != NULL) 1021 prsactx->verify_message = 0; 1022 #endif 1023 1024 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, 1025 EVP_PKEY_OP_VERIFY, "RSA Verify Init"); 1026 } 1027 1028 static int rsa_verify_directly(PROV_RSA_CTX *prsactx, 1029 const unsigned char *sig, size_t siglen, 1030 const unsigned char *tbs, size_t tbslen) 1031 { 1032 size_t rslen; 1033 1034 if (!ossl_prov_is_running()) 1035 return 0; 1036 if (prsactx->md != NULL) { 1037 switch (prsactx->pad_mode) { 1038 case RSA_PKCS1_PADDING: 1039 if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen, 1040 prsactx->rsa)) { 1041 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1042 return 0; 1043 } 1044 return 1; 1045 case RSA_X931_PADDING: 1046 if (!setup_tbuf(prsactx)) 1047 return 0; 1048 if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0, 1049 sig, siglen) <= 0) 1050 return 0; 1051 break; 1052 case RSA_PKCS1_PSS_PADDING: 1053 { 1054 int ret; 1055 int saltlen; 1056 size_t mdsize; 1057 1058 /* 1059 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1() 1060 * call 1061 */ 1062 mdsize = rsa_get_md_size(prsactx); 1063 if (tbslen != mdsize) { 1064 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, 1065 "Should be %d, but got %d", 1066 mdsize, tbslen); 1067 return 0; 1068 } 1069 1070 if (!setup_tbuf(prsactx)) 1071 return 0; 1072 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, 1073 prsactx->rsa, RSA_NO_PADDING); 1074 if (ret <= 0) { 1075 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1076 return 0; 1077 } 1078 saltlen = prsactx->saltlen; 1079 ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs, 1080 prsactx->md, prsactx->mgf1_md, 1081 prsactx->tbuf, 1082 &saltlen); 1083 if (ret <= 0) { 1084 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1085 return 0; 1086 } 1087 #ifdef FIPS_MODULE 1088 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen)) 1089 return 0; 1090 #endif 1091 return 1; 1092 } 1093 default: 1094 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 1095 "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); 1096 return 0; 1097 } 1098 } else { 1099 int ret; 1100 1101 if (!setup_tbuf(prsactx)) 1102 return 0; 1103 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, 1104 prsactx->pad_mode); 1105 if (ret <= 0) { 1106 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1107 return 0; 1108 } 1109 rslen = (size_t)ret; 1110 } 1111 1112 if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) 1113 return 0; 1114 1115 return 1; 1116 } 1117 1118 static int rsa_verify_set_sig(void *vprsactx, 1119 const unsigned char *sig, size_t siglen) 1120 { 1121 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1122 OSSL_PARAM params[2]; 1123 1124 params[0] = 1125 OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, 1126 (unsigned char *)sig, siglen); 1127 params[1] = OSSL_PARAM_construct_end(); 1128 return rsa_sigalg_set_ctx_params(prsactx, params); 1129 } 1130 1131 static int rsa_verify_message_final(void *vprsactx) 1132 { 1133 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1134 unsigned char digest[EVP_MAX_MD_SIZE]; 1135 unsigned int dlen = 0; 1136 1137 if (!ossl_prov_is_running() || prsactx == NULL) 1138 return 0; 1139 if (prsactx->mdctx == NULL) 1140 return 0; 1141 if (!prsactx->flag_allow_final) { 1142 ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); 1143 return 0; 1144 } 1145 1146 /* 1147 * The digests used here are all known (see rsa_get_md_nid()), so they 1148 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. 1149 */ 1150 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) 1151 return 0; 1152 1153 prsactx->flag_allow_update = 0; 1154 prsactx->flag_allow_final = 0; 1155 prsactx->flag_allow_oneshot = 0; 1156 1157 return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen, 1158 digest, dlen); 1159 } 1160 1161 /* 1162 * If verifying a message, digest tbs and verify the result. 1163 * Otherwise, verify tbs directly. 1164 */ 1165 static int rsa_verify(void *vprsactx, 1166 const unsigned char *sig, size_t siglen, 1167 const unsigned char *tbs, size_t tbslen) 1168 { 1169 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1170 1171 if (!ossl_prov_is_running() || prsactx == NULL) 1172 return 0; 1173 if (!prsactx->flag_allow_oneshot) { 1174 ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); 1175 return 0; 1176 } 1177 1178 if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) 1179 return rsa_verify_set_sig(prsactx, sig, siglen) 1180 && rsa_signverify_message_update(prsactx, tbs, tbslen) 1181 && rsa_verify_message_final(prsactx); 1182 return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen); 1183 } 1184 1185 /* DigestSign/DigestVerify wrappers */ 1186 1187 static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, 1188 void *vrsa, const OSSL_PARAM params[], 1189 int operation, const char *desc) 1190 { 1191 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1192 1193 #ifdef FIPS_MODULE 1194 if (prsactx != NULL) 1195 prsactx->verify_message = 1; 1196 #endif 1197 1198 if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, 1199 operation, desc)) 1200 return 0; 1201 1202 if (mdname != NULL 1203 /* was rsa_setup_md already called in rsa_signverify_init()? */ 1204 && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0) 1205 && !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)) 1206 return 0; 1207 1208 prsactx->flag_allow_md = 0; 1209 1210 if (prsactx->mdctx == NULL) { 1211 prsactx->mdctx = EVP_MD_CTX_new(); 1212 if (prsactx->mdctx == NULL) 1213 goto error; 1214 } 1215 1216 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) 1217 goto error; 1218 1219 return 1; 1220 1221 error: 1222 EVP_MD_CTX_free(prsactx->mdctx); 1223 prsactx->mdctx = NULL; 1224 return 0; 1225 } 1226 1227 static int rsa_digest_sign_init(void *vprsactx, const char *mdname, 1228 void *vrsa, const OSSL_PARAM params[]) 1229 { 1230 if (!ossl_prov_is_running()) 1231 return 0; 1232 return rsa_digest_signverify_init(vprsactx, mdname, vrsa, 1233 params, EVP_PKEY_OP_SIGNMSG, 1234 "RSA Digest Sign Init"); 1235 } 1236 1237 static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data, 1238 size_t datalen) 1239 { 1240 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1241 1242 if (prsactx == NULL) 1243 return 0; 1244 /* Sigalg implementations shouldn't do digest_sign */ 1245 if (prsactx->flag_sigalg) 1246 return 0; 1247 1248 return rsa_signverify_message_update(prsactx, data, datalen); 1249 } 1250 1251 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig, 1252 size_t *siglen, size_t sigsize) 1253 { 1254 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1255 int ok = 0; 1256 1257 if (prsactx == NULL) 1258 return 0; 1259 /* Sigalg implementations shouldn't do digest_sign */ 1260 if (prsactx->flag_sigalg) 1261 return 0; 1262 1263 if (rsa_sign_message_final(prsactx, sig, siglen, sigsize)) 1264 ok = 1; 1265 1266 prsactx->flag_allow_md = 1; 1267 1268 return ok; 1269 } 1270 1271 static int rsa_digest_verify_init(void *vprsactx, const char *mdname, 1272 void *vrsa, const OSSL_PARAM params[]) 1273 { 1274 if (!ossl_prov_is_running()) 1275 return 0; 1276 return rsa_digest_signverify_init(vprsactx, mdname, vrsa, 1277 params, EVP_PKEY_OP_VERIFYMSG, 1278 "RSA Digest Verify Init"); 1279 } 1280 1281 static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data, 1282 size_t datalen) 1283 { 1284 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1285 1286 if (prsactx == NULL) 1287 return 0; 1288 /* Sigalg implementations shouldn't do digest_sign */ 1289 if (prsactx->flag_sigalg) 1290 return 0; 1291 1292 return rsa_signverify_message_update(prsactx, data, datalen); 1293 } 1294 1295 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, 1296 size_t siglen) 1297 { 1298 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1299 int ok = 0; 1300 1301 if (prsactx == NULL) 1302 return 0; 1303 /* Sigalg implementations shouldn't do digest_verify */ 1304 if (prsactx->flag_sigalg) 1305 return 0; 1306 1307 if (rsa_verify_set_sig(prsactx, sig, siglen) 1308 && rsa_verify_message_final(vprsactx)) 1309 ok = 1; 1310 1311 prsactx->flag_allow_md = 1; 1312 1313 return ok; 1314 } 1315 1316 static void rsa_freectx(void *vprsactx) 1317 { 1318 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1319 1320 if (prsactx == NULL) 1321 return; 1322 1323 EVP_MD_CTX_free(prsactx->mdctx); 1324 EVP_MD_free(prsactx->md); 1325 EVP_MD_free(prsactx->mgf1_md); 1326 OPENSSL_free(prsactx->sig); 1327 OPENSSL_free(prsactx->propq); 1328 free_tbuf(prsactx); 1329 RSA_free(prsactx->rsa); 1330 1331 OPENSSL_clear_free(prsactx, sizeof(*prsactx)); 1332 } 1333 1334 static void *rsa_dupctx(void *vprsactx) 1335 { 1336 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; 1337 PROV_RSA_CTX *dstctx; 1338 1339 if (!ossl_prov_is_running()) 1340 return NULL; 1341 1342 dstctx = OPENSSL_zalloc(sizeof(*srcctx)); 1343 if (dstctx == NULL) 1344 return NULL; 1345 1346 *dstctx = *srcctx; 1347 dstctx->rsa = NULL; 1348 dstctx->md = NULL; 1349 dstctx->mgf1_md = NULL; 1350 dstctx->mdctx = NULL; 1351 dstctx->tbuf = NULL; 1352 dstctx->propq = NULL; 1353 1354 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa)) 1355 goto err; 1356 dstctx->rsa = srcctx->rsa; 1357 1358 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md)) 1359 goto err; 1360 dstctx->md = srcctx->md; 1361 1362 if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md)) 1363 goto err; 1364 dstctx->mgf1_md = srcctx->mgf1_md; 1365 1366 if (srcctx->mdctx != NULL) { 1367 dstctx->mdctx = EVP_MD_CTX_new(); 1368 if (dstctx->mdctx == NULL 1369 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)) 1370 goto err; 1371 } 1372 1373 if (srcctx->propq != NULL) { 1374 dstctx->propq = OPENSSL_strdup(srcctx->propq); 1375 if (dstctx->propq == NULL) 1376 goto err; 1377 } 1378 1379 return dstctx; 1380 err: 1381 rsa_freectx(dstctx); 1382 return NULL; 1383 } 1384 1385 static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) 1386 { 1387 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1388 OSSL_PARAM *p; 1389 1390 if (prsactx == NULL) 1391 return 0; 1392 1393 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID); 1394 if (p != NULL) { 1395 /* The Algorithm Identifier of the combined signature algorithm */ 1396 unsigned char aid_buf[128]; 1397 unsigned char *aid; 1398 size_t aid_len; 1399 1400 aid = rsa_generate_signature_aid(prsactx, aid_buf, 1401 sizeof(aid_buf), &aid_len); 1402 if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len)) 1403 return 0; 1404 } 1405 1406 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE); 1407 if (p != NULL) 1408 switch (p->data_type) { 1409 case OSSL_PARAM_INTEGER: 1410 if (!OSSL_PARAM_set_int(p, prsactx->pad_mode)) 1411 return 0; 1412 break; 1413 case OSSL_PARAM_UTF8_STRING: 1414 { 1415 int i; 1416 const char *word = NULL; 1417 1418 for (i = 0; padding_item[i].id != 0; i++) { 1419 if (prsactx->pad_mode == (int)padding_item[i].id) { 1420 word = padding_item[i].ptr; 1421 break; 1422 } 1423 } 1424 1425 if (word != NULL) { 1426 if (!OSSL_PARAM_set_utf8_string(p, word)) 1427 return 0; 1428 } else { 1429 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 1430 } 1431 } 1432 break; 1433 default: 1434 return 0; 1435 } 1436 1437 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST); 1438 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname)) 1439 return 0; 1440 1441 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); 1442 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname)) 1443 return 0; 1444 1445 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); 1446 if (p != NULL) { 1447 if (p->data_type == OSSL_PARAM_INTEGER) { 1448 if (!OSSL_PARAM_set_int(p, prsactx->saltlen)) 1449 return 0; 1450 } else if (p->data_type == OSSL_PARAM_UTF8_STRING) { 1451 const char *value = NULL; 1452 1453 switch (prsactx->saltlen) { 1454 case RSA_PSS_SALTLEN_DIGEST: 1455 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST; 1456 break; 1457 case RSA_PSS_SALTLEN_MAX: 1458 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX; 1459 break; 1460 case RSA_PSS_SALTLEN_AUTO: 1461 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; 1462 break; 1463 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: 1464 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX; 1465 break; 1466 default: 1467 { 1468 int len = BIO_snprintf(p->data, p->data_size, "%d", 1469 prsactx->saltlen); 1470 1471 if (len <= 0) 1472 return 0; 1473 p->return_size = len; 1474 break; 1475 } 1476 } 1477 if (value != NULL 1478 && !OSSL_PARAM_set_utf8_string(p, value)) 1479 return 0; 1480 } 1481 } 1482 1483 #ifdef FIPS_MODULE 1484 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE); 1485 if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message)) 1486 return 0; 1487 #endif 1488 1489 if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params)) 1490 return 0; 1491 return 1; 1492 } 1493 1494 static const OSSL_PARAM known_gettable_ctx_params[] = { 1495 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), 1496 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1497 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 1498 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1499 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1500 #ifdef FIPS_MODULE 1501 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL), 1502 #endif 1503 OSSL_FIPS_IND_GETTABLE_CTX_PARAM() 1504 OSSL_PARAM_END 1505 }; 1506 1507 static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, 1508 ossl_unused void *provctx) 1509 { 1510 return known_gettable_ctx_params; 1511 } 1512 1513 #ifdef FIPS_MODULE 1514 static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx) 1515 { 1516 int approved = ((ctx->operation & EVP_PKEY_OP_SIGN) == 0); 1517 1518 if (!approved) { 1519 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, 1520 ctx->libctx, 1521 "RSA Sign set ctx", "X931 Padding", 1522 ossl_fips_config_rsa_sign_x931_disallowed)) { 1523 ERR_raise(ERR_LIB_PROV, 1524 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 1525 return 0; 1526 } 1527 } 1528 return 1; 1529 } 1530 #endif 1531 1532 static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) 1533 { 1534 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1535 const OSSL_PARAM *p; 1536 int pad_mode; 1537 int saltlen; 1538 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; 1539 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; 1540 char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; 1541 char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL; 1542 1543 if (prsactx == NULL) 1544 return 0; 1545 if (ossl_param_is_empty(params)) 1546 return 1; 1547 1548 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params, 1549 OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)) 1550 return 0; 1551 1552 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params, 1553 OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)) 1554 return 0; 1555 1556 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, params, 1557 OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)) 1558 return 0; 1559 1560 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, params, 1561 OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)) 1562 return 0; 1563 1564 pad_mode = prsactx->pad_mode; 1565 saltlen = prsactx->saltlen; 1566 1567 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); 1568 if (p != NULL) { 1569 const OSSL_PARAM *propsp = 1570 OSSL_PARAM_locate_const(params, 1571 OSSL_SIGNATURE_PARAM_PROPERTIES); 1572 1573 pmdname = mdname; 1574 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname))) 1575 return 0; 1576 1577 if (propsp != NULL) { 1578 pmdprops = mdprops; 1579 if (!OSSL_PARAM_get_utf8_string(propsp, 1580 &pmdprops, sizeof(mdprops))) 1581 return 0; 1582 } 1583 } 1584 1585 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE); 1586 if (p != NULL) { 1587 const char *err_extra_text = NULL; 1588 1589 switch (p->data_type) { 1590 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ 1591 if (!OSSL_PARAM_get_int(p, &pad_mode)) 1592 return 0; 1593 break; 1594 case OSSL_PARAM_UTF8_STRING: 1595 { 1596 int i; 1597 1598 if (p->data == NULL) 1599 return 0; 1600 1601 for (i = 0; padding_item[i].id != 0; i++) { 1602 if (strcmp(p->data, padding_item[i].ptr) == 0) { 1603 pad_mode = padding_item[i].id; 1604 break; 1605 } 1606 } 1607 } 1608 break; 1609 default: 1610 return 0; 1611 } 1612 1613 switch (pad_mode) { 1614 case RSA_PKCS1_OAEP_PADDING: 1615 /* 1616 * OAEP padding is for asymmetric cipher only so is not compatible 1617 * with signature use. 1618 */ 1619 err_extra_text = "OAEP padding not allowed for signing / verifying"; 1620 goto bad_pad; 1621 case RSA_PKCS1_PSS_PADDING: 1622 if ((prsactx->operation 1623 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG 1624 | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) { 1625 err_extra_text = 1626 "PSS padding only allowed for sign and verify operations"; 1627 goto bad_pad; 1628 } 1629 break; 1630 case RSA_PKCS1_PADDING: 1631 err_extra_text = "PKCS#1 padding not allowed with RSA-PSS"; 1632 goto cont; 1633 case RSA_NO_PADDING: 1634 err_extra_text = "No padding not allowed with RSA-PSS"; 1635 goto cont; 1636 case RSA_X931_PADDING: 1637 #ifdef FIPS_MODULE 1638 /* X9.31 only allows sizes of 1024 + 256 * s (bits) */ 1639 if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) { 1640 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 1641 return 0; 1642 } 1643 /* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */ 1644 if (!rsa_x931_padding_allowed(prsactx)) 1645 return 0; 1646 #endif 1647 err_extra_text = "X.931 padding not allowed with RSA-PSS"; 1648 cont: 1649 if (RSA_test_flags(prsactx->rsa, 1650 RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) 1651 break; 1652 /* FALLTHRU */ 1653 default: 1654 bad_pad: 1655 if (err_extra_text == NULL) 1656 ERR_raise(ERR_LIB_PROV, 1657 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 1658 else 1659 ERR_raise_data(ERR_LIB_PROV, 1660 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE, 1661 err_extra_text); 1662 return 0; 1663 } 1664 } 1665 1666 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); 1667 if (p != NULL) { 1668 if (pad_mode != RSA_PKCS1_PSS_PADDING) { 1669 ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED, 1670 "PSS saltlen can only be specified if " 1671 "PSS padding has been specified first"); 1672 return 0; 1673 } 1674 1675 switch (p->data_type) { 1676 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ 1677 if (!OSSL_PARAM_get_int(p, &saltlen)) 1678 return 0; 1679 break; 1680 case OSSL_PARAM_UTF8_STRING: 1681 if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0) 1682 saltlen = RSA_PSS_SALTLEN_DIGEST; 1683 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0) 1684 saltlen = RSA_PSS_SALTLEN_MAX; 1685 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) 1686 saltlen = RSA_PSS_SALTLEN_AUTO; 1687 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0) 1688 saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; 1689 else 1690 saltlen = atoi(p->data); 1691 break; 1692 default: 1693 return 0; 1694 } 1695 1696 /* 1697 * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check. 1698 * Contrary to what it's name suggests, it's the currently lowest 1699 * saltlen number possible. 1700 */ 1701 if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { 1702 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 1703 return 0; 1704 } 1705 1706 if (rsa_pss_restricted(prsactx)) { 1707 switch (saltlen) { 1708 case RSA_PSS_SALTLEN_AUTO: 1709 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: 1710 if ((prsactx->operation 1711 & (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) { 1712 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, 1713 "Cannot use autodetected salt length"); 1714 return 0; 1715 } 1716 break; 1717 case RSA_PSS_SALTLEN_DIGEST: 1718 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { 1719 ERR_raise_data(ERR_LIB_PROV, 1720 PROV_R_PSS_SALTLEN_TOO_SMALL, 1721 "Should be more than %d, but would be " 1722 "set to match digest size (%d)", 1723 prsactx->min_saltlen, 1724 EVP_MD_get_size(prsactx->md)); 1725 return 0; 1726 } 1727 break; 1728 default: 1729 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) { 1730 ERR_raise_data(ERR_LIB_PROV, 1731 PROV_R_PSS_SALTLEN_TOO_SMALL, 1732 "Should be more than %d, " 1733 "but would be set to %d", 1734 prsactx->min_saltlen, saltlen); 1735 return 0; 1736 } 1737 } 1738 } 1739 } 1740 1741 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); 1742 if (p != NULL) { 1743 const OSSL_PARAM *propsp = 1744 OSSL_PARAM_locate_const(params, 1745 OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES); 1746 1747 pmgf1mdname = mgf1mdname; 1748 if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname))) 1749 return 0; 1750 1751 if (propsp != NULL) { 1752 pmgf1mdprops = mgf1mdprops; 1753 if (!OSSL_PARAM_get_utf8_string(propsp, 1754 &pmgf1mdprops, sizeof(mgf1mdprops))) 1755 return 0; 1756 } 1757 1758 if (pad_mode != RSA_PKCS1_PSS_PADDING) { 1759 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD); 1760 return 0; 1761 } 1762 } 1763 1764 prsactx->saltlen = saltlen; 1765 prsactx->pad_mode = pad_mode; 1766 1767 if (prsactx->md == NULL && pmdname == NULL 1768 && pad_mode == RSA_PKCS1_PSS_PADDING) 1769 pmdname = RSA_DEFAULT_DIGEST_NAME; 1770 1771 if (pmgf1mdname != NULL 1772 && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) 1773 return 0; 1774 1775 if (pmdname != NULL) { 1776 if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx")) 1777 return 0; 1778 } else { 1779 if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid)) 1780 return 0; 1781 } 1782 return 1; 1783 } 1784 1785 static const OSSL_PARAM settable_ctx_params[] = { 1786 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 1787 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), 1788 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1789 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1790 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), 1791 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1792 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) 1793 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) 1794 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK) 1795 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) 1796 OSSL_PARAM_END 1797 }; 1798 1799 static const OSSL_PARAM settable_ctx_params_no_digest[] = { 1800 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1801 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1802 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), 1803 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1804 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) 1805 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) 1806 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK) 1807 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) 1808 OSSL_PARAM_END 1809 }; 1810 1811 static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx, 1812 ossl_unused void *provctx) 1813 { 1814 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1815 1816 if (prsactx != NULL && !prsactx->flag_allow_md) 1817 return settable_ctx_params_no_digest; 1818 return settable_ctx_params; 1819 } 1820 1821 static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params) 1822 { 1823 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1824 1825 if (prsactx->mdctx == NULL) 1826 return 0; 1827 1828 return EVP_MD_CTX_get_params(prsactx->mdctx, params); 1829 } 1830 1831 static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx) 1832 { 1833 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1834 1835 if (prsactx->md == NULL) 1836 return 0; 1837 1838 return EVP_MD_gettable_ctx_params(prsactx->md); 1839 } 1840 1841 static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[]) 1842 { 1843 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1844 1845 if (prsactx->mdctx == NULL) 1846 return 0; 1847 1848 return EVP_MD_CTX_set_params(prsactx->mdctx, params); 1849 } 1850 1851 static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) 1852 { 1853 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1854 1855 if (prsactx->md == NULL) 1856 return 0; 1857 1858 return EVP_MD_settable_ctx_params(prsactx->md); 1859 } 1860 1861 const OSSL_DISPATCH ossl_rsa_signature_functions[] = { 1862 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, 1863 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, 1864 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, 1865 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init }, 1866 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify }, 1867 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, 1868 (void (*)(void))rsa_verify_recover_init }, 1869 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, 1870 (void (*)(void))rsa_verify_recover }, 1871 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, 1872 (void (*)(void))rsa_digest_sign_init }, 1873 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, 1874 (void (*)(void))rsa_digest_sign_update }, 1875 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, 1876 (void (*)(void))rsa_digest_sign_final }, 1877 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, 1878 (void (*)(void))rsa_digest_verify_init }, 1879 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, 1880 (void (*)(void))rsa_digest_verify_update }, 1881 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, 1882 (void (*)(void))rsa_digest_verify_final }, 1883 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, 1884 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, 1885 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params }, 1886 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, 1887 (void (*)(void))rsa_gettable_ctx_params }, 1888 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params }, 1889 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, 1890 (void (*)(void))rsa_settable_ctx_params }, 1891 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, 1892 (void (*)(void))rsa_get_ctx_md_params }, 1893 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, 1894 (void (*)(void))rsa_gettable_ctx_md_params }, 1895 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, 1896 (void (*)(void))rsa_set_ctx_md_params }, 1897 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, 1898 (void (*)(void))rsa_settable_ctx_md_params }, 1899 OSSL_DISPATCH_END 1900 }; 1901 1902 /* ------------------------------------------------------------------ */ 1903 1904 /* 1905 * So called sigalgs (composite RSA+hash) implemented below. They 1906 * are pretty much hard coded, and rely on the hash implementation 1907 * being available as per what OPENSSL_NO_ macros allow. 1908 */ 1909 1910 static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; 1911 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; 1912 static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; 1913 1914 /* 1915 * rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(), 1916 * just doesn't allow fetching an MD from whatever the user chooses. 1917 */ 1918 static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa, 1919 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, 1920 const OSSL_PARAM params[], 1921 const char *mdname, 1922 int operation, int pad_mode, 1923 const char *desc) 1924 { 1925 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1926 1927 if (!ossl_prov_is_running()) 1928 return 0; 1929 1930 if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation, 1931 desc)) 1932 return 0; 1933 1934 /* PSS is currently not supported as a sigalg */ 1935 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { 1936 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 1937 return 0; 1938 } 1939 1940 if (!rsa_setup_md(prsactx, mdname, NULL, desc)) 1941 return 0; 1942 1943 prsactx->pad_mode = pad_mode; 1944 prsactx->flag_sigalg = 1; 1945 prsactx->flag_allow_md = 0; 1946 1947 if (prsactx->mdctx == NULL) { 1948 prsactx->mdctx = EVP_MD_CTX_new(); 1949 if (prsactx->mdctx == NULL) 1950 goto error; 1951 } 1952 1953 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) 1954 goto error; 1955 1956 return 1; 1957 1958 error: 1959 EVP_MD_CTX_free(prsactx->mdctx); 1960 prsactx->mdctx = NULL; 1961 return 0; 1962 } 1963 1964 static const char **rsa_sigalg_query_key_types(void) 1965 { 1966 static const char *keytypes[] = { "RSA", NULL }; 1967 1968 return keytypes; 1969 } 1970 1971 static const OSSL_PARAM settable_sigalg_ctx_params[] = { 1972 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0), 1973 OSSL_PARAM_END 1974 }; 1975 1976 static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx, 1977 ossl_unused void *provctx) 1978 { 1979 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1980 1981 if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG) 1982 return settable_sigalg_ctx_params; 1983 return NULL; 1984 } 1985 1986 static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) 1987 { 1988 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1989 const OSSL_PARAM *p; 1990 1991 if (prsactx == NULL) 1992 return 0; 1993 if (ossl_param_is_empty(params)) 1994 return 1; 1995 1996 if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) { 1997 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE); 1998 if (p != NULL) { 1999 OPENSSL_free(prsactx->sig); 2000 prsactx->sig = NULL; 2001 prsactx->siglen = 0; 2002 if (!OSSL_PARAM_get_octet_string(p, (void **)&prsactx->sig, 2003 0, &prsactx->siglen)) 2004 return 0; 2005 } 2006 } 2007 return 1; 2008 } 2009 2010 #define IMPL_RSA_SIGALG(md, MD) \ 2011 static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \ 2012 static OSSL_FUNC_signature_sign_message_init_fn \ 2013 rsa_##md##_sign_message_init; \ 2014 static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \ 2015 static OSSL_FUNC_signature_verify_message_init_fn \ 2016 rsa_##md##_verify_message_init; \ 2017 \ 2018 static int \ 2019 rsa_##md##_sign_init(void *vprsactx, void *vrsa, \ 2020 const OSSL_PARAM params[]) \ 2021 { \ 2022 static const char desc[] = "RSA Sigalg Sign Init"; \ 2023 \ 2024 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2025 rsa_sigalg_set_ctx_params, \ 2026 params, #MD, \ 2027 EVP_PKEY_OP_SIGN, \ 2028 RSA_PKCS1_PADDING, \ 2029 desc); \ 2030 } \ 2031 \ 2032 static int \ 2033 rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \ 2034 const OSSL_PARAM params[]) \ 2035 { \ 2036 static const char desc[] = "RSA Sigalg Sign Message Init"; \ 2037 \ 2038 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2039 rsa_sigalg_set_ctx_params, \ 2040 params, #MD, \ 2041 EVP_PKEY_OP_SIGNMSG, \ 2042 RSA_PKCS1_PADDING, \ 2043 desc); \ 2044 } \ 2045 \ 2046 static int \ 2047 rsa_##md##_verify_init(void *vprsactx, void *vrsa, \ 2048 const OSSL_PARAM params[]) \ 2049 { \ 2050 static const char desc[] = "RSA Sigalg Verify Init"; \ 2051 \ 2052 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2053 rsa_sigalg_set_ctx_params, \ 2054 params, #MD, \ 2055 EVP_PKEY_OP_VERIFY, \ 2056 RSA_PKCS1_PADDING, \ 2057 desc); \ 2058 } \ 2059 \ 2060 static int \ 2061 rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \ 2062 const OSSL_PARAM params[]) \ 2063 { \ 2064 static const char desc[] = "RSA Sigalg Verify Recover Init"; \ 2065 \ 2066 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2067 rsa_sigalg_set_ctx_params, \ 2068 params, #MD, \ 2069 EVP_PKEY_OP_VERIFYRECOVER, \ 2070 RSA_PKCS1_PADDING, \ 2071 desc); \ 2072 } \ 2073 \ 2074 static int \ 2075 rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \ 2076 const OSSL_PARAM params[]) \ 2077 { \ 2078 static const char desc[] = "RSA Sigalg Verify Message Init"; \ 2079 \ 2080 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2081 rsa_sigalg_set_ctx_params, \ 2082 params, #MD, \ 2083 EVP_PKEY_OP_VERIFYMSG, \ 2084 RSA_PKCS1_PADDING, \ 2085 desc); \ 2086 } \ 2087 \ 2088 const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \ 2089 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \ 2090 { OSSL_FUNC_SIGNATURE_SIGN_INIT, \ 2091 (void (*)(void))rsa_##md##_sign_init }, \ 2092 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \ 2093 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \ 2094 (void (*)(void))rsa_##md##_sign_message_init }, \ 2095 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \ 2096 (void (*)(void))rsa_signverify_message_update }, \ 2097 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \ 2098 (void (*)(void))rsa_sign_message_final }, \ 2099 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \ 2100 (void (*)(void))rsa_##md##_verify_init }, \ 2101 { OSSL_FUNC_SIGNATURE_VERIFY, \ 2102 (void (*)(void))rsa_verify }, \ 2103 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \ 2104 (void (*)(void))rsa_##md##_verify_message_init }, \ 2105 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \ 2106 (void (*)(void))rsa_signverify_message_update }, \ 2107 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \ 2108 (void (*)(void))rsa_verify_message_final }, \ 2109 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \ 2110 (void (*)(void))rsa_##md##_verify_recover_init }, \ 2111 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \ 2112 (void (*)(void))rsa_verify_recover }, \ 2113 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \ 2114 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \ 2115 { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \ 2116 (void (*)(void))rsa_sigalg_query_key_types }, \ 2117 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \ 2118 (void (*)(void))rsa_get_ctx_params }, \ 2119 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \ 2120 (void (*)(void))rsa_gettable_ctx_params }, \ 2121 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \ 2122 (void (*)(void))rsa_sigalg_set_ctx_params }, \ 2123 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \ 2124 (void (*)(void))rsa_sigalg_settable_ctx_params }, \ 2125 OSSL_DISPATCH_END \ 2126 } 2127 2128 #if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE) 2129 IMPL_RSA_SIGALG(ripemd160, RIPEMD160); 2130 #endif 2131 IMPL_RSA_SIGALG(sha1, SHA1); 2132 IMPL_RSA_SIGALG(sha224, SHA2-224); 2133 IMPL_RSA_SIGALG(sha256, SHA2-256); 2134 IMPL_RSA_SIGALG(sha384, SHA2-384); 2135 IMPL_RSA_SIGALG(sha512, SHA2-512); 2136 IMPL_RSA_SIGALG(sha512_224, SHA2-512/224); 2137 IMPL_RSA_SIGALG(sha512_256, SHA2-512/256); 2138 IMPL_RSA_SIGALG(sha3_224, SHA3-224); 2139 IMPL_RSA_SIGALG(sha3_256, SHA3-256); 2140 IMPL_RSA_SIGALG(sha3_384, SHA3-384); 2141 IMPL_RSA_SIGALG(sha3_512, SHA3-512); 2142 #if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE) 2143 IMPL_RSA_SIGALG(sm3, SM3); 2144 #endif 2145