/src/openssl31/providers/implementations/signature/rsa_sig.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * RSA low level APIs are deprecated for public use, but still ok for |
12 | | * internal use. |
13 | | */ |
14 | | #include "internal/deprecated.h" |
15 | | |
16 | | #include <string.h> |
17 | | #include <openssl/crypto.h> |
18 | | #include <openssl/core_dispatch.h> |
19 | | #include <openssl/core_names.h> |
20 | | #include <openssl/err.h> |
21 | | #include <openssl/rsa.h> |
22 | | #include <openssl/params.h> |
23 | | #include <openssl/evp.h> |
24 | | #include <openssl/proverr.h> |
25 | | #include "internal/cryptlib.h" |
26 | | #include "internal/nelem.h" |
27 | | #include "internal/sizes.h" |
28 | | #include "crypto/rsa.h" |
29 | | #include "prov/providercommon.h" |
30 | | #include "prov/implementations.h" |
31 | | #include "prov/provider_ctx.h" |
32 | | #include "prov/der_rsa.h" |
33 | | #include "prov/securitycheck.h" |
34 | | |
35 | 0 | #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 |
36 | | |
37 | | static OSSL_FUNC_signature_newctx_fn rsa_newctx; |
38 | | static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; |
39 | | static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; |
40 | | static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; |
41 | | static OSSL_FUNC_signature_sign_fn rsa_sign; |
42 | | static OSSL_FUNC_signature_verify_fn rsa_verify; |
43 | | static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover; |
44 | | static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init; |
45 | | static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_signverify_update; |
46 | | static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; |
47 | | static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; |
48 | | static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; |
49 | | static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; |
50 | | static OSSL_FUNC_signature_freectx_fn rsa_freectx; |
51 | | static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; |
52 | | static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; |
53 | | static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; |
54 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params; |
55 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params; |
56 | | static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params; |
57 | | static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params; |
58 | | static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params; |
59 | | static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params; |
60 | | |
61 | | static OSSL_ITEM padding_item[] = { |
62 | | { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 }, |
63 | | { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE }, |
64 | | { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 }, |
65 | | { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS }, |
66 | | { 0, NULL } |
67 | | }; |
68 | | |
69 | | /* |
70 | | * What's passed as an actual key is defined by the KEYMGMT interface. |
71 | | * We happen to know that our KEYMGMT simply passes RSA structures, so |
72 | | * we use that here too. |
73 | | */ |
74 | | |
75 | | typedef struct { |
76 | | OSSL_LIB_CTX *libctx; |
77 | | char *propq; |
78 | | RSA *rsa; |
79 | | int operation; |
80 | | |
81 | | /* |
82 | | * Flag to determine if the hash function can be changed (1) or not (0) |
83 | | * Because it's dangerous to change during a DigestSign or DigestVerify |
84 | | * operation, this flag is cleared by their Init function, and set again |
85 | | * by their Final function. |
86 | | */ |
87 | | unsigned int flag_allow_md : 1; |
88 | | unsigned int mgf1_md_set : 1; |
89 | | |
90 | | /* main digest */ |
91 | | EVP_MD *md; |
92 | | EVP_MD_CTX *mdctx; |
93 | | int mdnid; |
94 | | char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ |
95 | | |
96 | | /* RSA padding mode */ |
97 | | int pad_mode; |
98 | | /* message digest for MGF1 */ |
99 | | EVP_MD *mgf1_md; |
100 | | int mgf1_mdnid; |
101 | | char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ |
102 | | /* PSS salt length */ |
103 | | int saltlen; |
104 | | /* Minimum salt length or -1 if no PSS parameter restriction */ |
105 | | int min_saltlen; |
106 | | |
107 | | /* Temp buffer */ |
108 | | unsigned char *tbuf; |
109 | | |
110 | | } PROV_RSA_CTX; |
111 | | |
112 | | /* True if PSS parameters are restricted */ |
113 | 39.5k | #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) |
114 | | |
115 | | static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx) |
116 | 10.5k | { |
117 | 10.5k | if (prsactx->md != NULL) |
118 | 10.5k | return EVP_MD_get_size(prsactx->md); |
119 | 0 | return 0; |
120 | 10.5k | } |
121 | | |
122 | | static int rsa_check_padding(const PROV_RSA_CTX *prsactx, |
123 | | const char *mdname, const char *mgf1_mdname, |
124 | | int mdnid) |
125 | 83.6k | { |
126 | 83.6k | switch(prsactx->pad_mode) { |
127 | 0 | case RSA_NO_PADDING: |
128 | 0 | if (mdname != NULL || mdnid != NID_undef) { |
129 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); |
130 | 0 | return 0; |
131 | 0 | } |
132 | 0 | break; |
133 | 0 | case RSA_X931_PADDING: |
134 | 0 | if (RSA_X931_hash_id(mdnid) == -1) { |
135 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); |
136 | 0 | return 0; |
137 | 0 | } |
138 | 0 | break; |
139 | 33.1k | case RSA_PKCS1_PSS_PADDING: |
140 | 33.1k | if (rsa_pss_restricted(prsactx)) |
141 | 1.39k | if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname)) |
142 | 1.39k | || (mgf1_mdname != NULL |
143 | 1.37k | && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) { |
144 | 22 | ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); |
145 | 22 | return 0; |
146 | 22 | } |
147 | 33.1k | break; |
148 | 50.4k | default: |
149 | 50.4k | break; |
150 | 83.6k | } |
151 | | |
152 | 83.6k | return 1; |
153 | 83.6k | } |
154 | | |
155 | | static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) |
156 | 385 | { |
157 | 385 | if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
158 | 385 | int max_saltlen; |
159 | | |
160 | | /* See if minimum salt length exceeds maximum possible */ |
161 | 385 | max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md); |
162 | 385 | if ((RSA_bits(prsactx->rsa) & 0x7) == 1) |
163 | 32 | max_saltlen--; |
164 | 385 | if (min_saltlen < 0 || min_saltlen > max_saltlen) { |
165 | 20 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
166 | 20 | return 0; |
167 | 20 | } |
168 | 365 | prsactx->min_saltlen = min_saltlen; |
169 | 365 | } |
170 | 365 | return 1; |
171 | 385 | } |
172 | | |
173 | | static void *rsa_newctx(void *provctx, const char *propq) |
174 | 50.9k | { |
175 | 50.9k | PROV_RSA_CTX *prsactx = NULL; |
176 | 50.9k | char *propq_copy = NULL; |
177 | | |
178 | 50.9k | if (!ossl_prov_is_running()) |
179 | 0 | return NULL; |
180 | | |
181 | 50.9k | if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL |
182 | 50.9k | || (propq != NULL |
183 | 50.9k | && (propq_copy = OPENSSL_strdup(propq)) == NULL)) { |
184 | 0 | OPENSSL_free(prsactx); |
185 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); |
186 | 0 | return NULL; |
187 | 0 | } |
188 | | |
189 | 50.9k | prsactx->libctx = PROV_LIBCTX_OF(provctx); |
190 | 50.9k | prsactx->flag_allow_md = 1; |
191 | 50.9k | prsactx->propq = propq_copy; |
192 | | /* Maximum up to digest length for sign, auto for verify */ |
193 | 50.9k | prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
194 | 50.9k | prsactx->min_saltlen = -1; |
195 | 50.9k | return prsactx; |
196 | 50.9k | } |
197 | | |
198 | | static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) |
199 | 0 | { |
200 | 0 | int saltlen = ctx->saltlen; |
201 | 0 | int saltlenMax = -1; |
202 | | |
203 | | /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection |
204 | | * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the |
205 | | * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of |
206 | | * the hash function output block (in bytes)." |
207 | | * |
208 | | * Provide a way to use at most the digest length, so that the default does |
209 | | * not violate FIPS 186-4. */ |
210 | 0 | if (saltlen == RSA_PSS_SALTLEN_DIGEST) { |
211 | 0 | if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) { |
212 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
213 | 0 | return -1; |
214 | 0 | } |
215 | 0 | } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
216 | 0 | saltlen = RSA_PSS_SALTLEN_MAX; |
217 | 0 | if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) { |
218 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
219 | 0 | return -1; |
220 | 0 | } |
221 | 0 | } |
222 | 0 | if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { |
223 | 0 | int mdsize, rsasize; |
224 | |
|
225 | 0 | if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) { |
226 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
227 | 0 | return -1; |
228 | 0 | } |
229 | 0 | if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) { |
230 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); |
231 | 0 | return -1; |
232 | 0 | } |
233 | 0 | saltlen = rsasize - mdsize - 2; |
234 | 0 | if ((RSA_bits(ctx->rsa) & 0x7) == 1) |
235 | 0 | saltlen--; |
236 | 0 | if (saltlenMax >= 0 && saltlen > saltlenMax) |
237 | 0 | saltlen = saltlenMax; |
238 | 0 | } |
239 | 0 | if (saltlen < 0) { |
240 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
241 | 0 | return -1; |
242 | 0 | } else if (saltlen < ctx->min_saltlen) { |
243 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, |
244 | 0 | "minimum salt length: %d, actual salt length: %d", |
245 | 0 | ctx->min_saltlen, saltlen); |
246 | 0 | return -1; |
247 | 0 | } |
248 | 0 | return saltlen; |
249 | 0 | } |
250 | | |
251 | | static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, |
252 | | unsigned char *aid_buf, |
253 | | size_t buf_len, |
254 | | size_t *aid_len) |
255 | 0 | { |
256 | 0 | WPACKET pkt; |
257 | 0 | unsigned char *aid = NULL; |
258 | 0 | int saltlen; |
259 | 0 | RSA_PSS_PARAMS_30 pss_params; |
260 | 0 | int ret; |
261 | |
|
262 | 0 | if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { |
263 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); |
264 | 0 | return NULL; |
265 | 0 | } |
266 | | |
267 | 0 | switch(ctx->pad_mode) { |
268 | 0 | case RSA_PKCS1_PADDING: |
269 | 0 | ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, |
270 | 0 | ctx->mdnid); |
271 | |
|
272 | 0 | if (ret > 0) { |
273 | 0 | break; |
274 | 0 | } else if (ret == 0) { |
275 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
276 | 0 | goto cleanup; |
277 | 0 | } |
278 | 0 | ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, |
279 | 0 | "Algorithm ID generation - md NID: %d", |
280 | 0 | ctx->mdnid); |
281 | 0 | goto cleanup; |
282 | 0 | case RSA_PKCS1_PSS_PADDING: |
283 | 0 | saltlen = rsa_pss_compute_saltlen(ctx); |
284 | 0 | if (saltlen < 0) |
285 | 0 | goto cleanup; |
286 | 0 | if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) |
287 | 0 | || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) |
288 | 0 | || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, |
289 | 0 | ctx->mgf1_mdnid) |
290 | 0 | || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) |
291 | 0 | || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, |
292 | 0 | RSA_FLAG_TYPE_RSASSAPSS, |
293 | 0 | &pss_params)) { |
294 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
295 | 0 | goto cleanup; |
296 | 0 | } |
297 | 0 | break; |
298 | 0 | default: |
299 | 0 | ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, |
300 | 0 | "Algorithm ID generation - pad mode: %d", |
301 | 0 | ctx->pad_mode); |
302 | 0 | goto cleanup; |
303 | 0 | } |
304 | 0 | if (WPACKET_finish(&pkt)) { |
305 | 0 | WPACKET_get_total_written(&pkt, aid_len); |
306 | 0 | aid = WPACKET_get_curr(&pkt); |
307 | 0 | } |
308 | 0 | cleanup: |
309 | 0 | WPACKET_cleanup(&pkt); |
310 | 0 | return aid; |
311 | 0 | } |
312 | | |
313 | | static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, |
314 | | const char *mdprops) |
315 | 35.4k | { |
316 | 35.4k | if (mdprops == NULL) |
317 | 35.4k | mdprops = ctx->propq; |
318 | | |
319 | 35.4k | if (mdname != NULL) { |
320 | 35.4k | EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); |
321 | 35.4k | int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); |
322 | 35.4k | int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, |
323 | 35.4k | sha1_allowed); |
324 | 35.4k | size_t mdname_len = strlen(mdname); |
325 | | |
326 | 35.4k | if (md == NULL |
327 | 35.4k | || md_nid <= 0 |
328 | 35.4k | || !rsa_check_padding(ctx, mdname, NULL, md_nid) |
329 | 35.4k | || mdname_len >= sizeof(ctx->mdname)) { |
330 | 57 | if (md == NULL) |
331 | 45 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
332 | 45 | "%s could not be fetched", mdname); |
333 | 57 | if (md_nid <= 0) |
334 | 45 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
335 | 45 | "digest=%s", mdname); |
336 | 57 | if (mdname_len >= sizeof(ctx->mdname)) |
337 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
338 | 0 | "%s exceeds name buffer length", mdname); |
339 | 57 | EVP_MD_free(md); |
340 | 57 | return 0; |
341 | 57 | } |
342 | | |
343 | 35.3k | if (!ctx->flag_allow_md) { |
344 | 0 | if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { |
345 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
346 | 0 | "digest %s != %s", mdname, ctx->mdname); |
347 | 0 | EVP_MD_free(md); |
348 | 0 | return 0; |
349 | 0 | } |
350 | 0 | EVP_MD_free(md); |
351 | 0 | return 1; |
352 | 0 | } |
353 | | |
354 | 35.3k | if (!ctx->mgf1_md_set) { |
355 | 35.0k | if (!EVP_MD_up_ref(md)) { |
356 | 0 | EVP_MD_free(md); |
357 | 0 | return 0; |
358 | 0 | } |
359 | 35.0k | EVP_MD_free(ctx->mgf1_md); |
360 | 35.0k | ctx->mgf1_md = md; |
361 | 35.0k | ctx->mgf1_mdnid = md_nid; |
362 | 35.0k | OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); |
363 | 35.0k | } |
364 | | |
365 | 35.3k | EVP_MD_CTX_free(ctx->mdctx); |
366 | 35.3k | EVP_MD_free(ctx->md); |
367 | | |
368 | 35.3k | ctx->mdctx = NULL; |
369 | 35.3k | ctx->md = md; |
370 | 35.3k | ctx->mdnid = md_nid; |
371 | 35.3k | OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); |
372 | 35.3k | } |
373 | | |
374 | 35.3k | return 1; |
375 | 35.4k | } |
376 | | |
377 | | static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, |
378 | | const char *mdprops) |
379 | 4.32k | { |
380 | 4.32k | size_t len; |
381 | 4.32k | EVP_MD *md = NULL; |
382 | 4.32k | int mdnid; |
383 | | |
384 | 4.32k | if (mdprops == NULL) |
385 | 4.32k | mdprops = ctx->propq; |
386 | | |
387 | 4.32k | if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { |
388 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
389 | 0 | "%s could not be fetched", mdname); |
390 | 0 | return 0; |
391 | 0 | } |
392 | | /* The default for mgf1 is SHA1 - so allow SHA1 */ |
393 | 4.32k | if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) <= 0 |
394 | 4.32k | || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { |
395 | 0 | if (mdnid <= 0) |
396 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
397 | 0 | "digest=%s", mdname); |
398 | 0 | EVP_MD_free(md); |
399 | 0 | return 0; |
400 | 0 | } |
401 | 4.32k | len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); |
402 | 4.32k | if (len >= sizeof(ctx->mgf1_mdname)) { |
403 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
404 | 0 | "%s exceeds name buffer length", mdname); |
405 | 0 | EVP_MD_free(md); |
406 | 0 | return 0; |
407 | 0 | } |
408 | | |
409 | 4.32k | EVP_MD_free(ctx->mgf1_md); |
410 | 4.32k | ctx->mgf1_md = md; |
411 | 4.32k | ctx->mgf1_mdnid = mdnid; |
412 | 4.32k | ctx->mgf1_md_set = 1; |
413 | 4.32k | return 1; |
414 | 4.32k | } |
415 | | |
416 | | static int rsa_signverify_init(void *vprsactx, void *vrsa, |
417 | | const OSSL_PARAM params[], int operation) |
418 | 35.3k | { |
419 | 35.3k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
420 | | |
421 | 35.3k | if (!ossl_prov_is_running() || prsactx == NULL) |
422 | 0 | return 0; |
423 | | |
424 | 35.3k | if (vrsa == NULL && prsactx->rsa == NULL) { |
425 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); |
426 | 0 | return 0; |
427 | 0 | } |
428 | | |
429 | 35.3k | if (vrsa != NULL) { |
430 | 35.3k | if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) |
431 | 0 | return 0; |
432 | | |
433 | 35.3k | if (!RSA_up_ref(vrsa)) |
434 | 0 | return 0; |
435 | 35.3k | RSA_free(prsactx->rsa); |
436 | 35.3k | prsactx->rsa = vrsa; |
437 | 35.3k | } |
438 | | |
439 | 35.3k | prsactx->operation = operation; |
440 | | |
441 | | /* Maximize up to digest length for sign, auto for verify */ |
442 | 35.3k | prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
443 | 35.3k | prsactx->min_saltlen = -1; |
444 | | |
445 | 35.3k | switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { |
446 | 35.0k | case RSA_FLAG_TYPE_RSA: |
447 | 35.0k | prsactx->pad_mode = RSA_PKCS1_PADDING; |
448 | 35.0k | break; |
449 | 340 | case RSA_FLAG_TYPE_RSASSAPSS: |
450 | 340 | prsactx->pad_mode = RSA_PKCS1_PSS_PADDING; |
451 | | |
452 | 340 | { |
453 | 340 | const RSA_PSS_PARAMS_30 *pss = |
454 | 340 | ossl_rsa_get0_pss_params_30(prsactx->rsa); |
455 | | |
456 | 340 | if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { |
457 | 338 | int md_nid = ossl_rsa_pss_params_30_hashalg(pss); |
458 | 338 | int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); |
459 | 338 | int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss); |
460 | 338 | const char *mdname, *mgf1mdname; |
461 | 338 | size_t len; |
462 | | |
463 | 338 | mdname = ossl_rsa_oaeppss_nid2name(md_nid); |
464 | 338 | mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); |
465 | | |
466 | 338 | if (mdname == NULL) { |
467 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
468 | 0 | "PSS restrictions lack hash algorithm"); |
469 | 0 | return 0; |
470 | 0 | } |
471 | 338 | if (mgf1mdname == NULL) { |
472 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
473 | 0 | "PSS restrictions lack MGF1 hash algorithm"); |
474 | 0 | return 0; |
475 | 0 | } |
476 | | |
477 | 338 | len = OPENSSL_strlcpy(prsactx->mdname, mdname, |
478 | 338 | sizeof(prsactx->mdname)); |
479 | 338 | if (len >= sizeof(prsactx->mdname)) { |
480 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
481 | 0 | "hash algorithm name too long"); |
482 | 0 | return 0; |
483 | 0 | } |
484 | 338 | len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, |
485 | 338 | sizeof(prsactx->mgf1_mdname)); |
486 | 338 | if (len >= sizeof(prsactx->mgf1_mdname)) { |
487 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
488 | 0 | "MGF1 hash algorithm name too long"); |
489 | 0 | return 0; |
490 | 0 | } |
491 | 338 | prsactx->saltlen = min_saltlen; |
492 | | |
493 | | /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ |
494 | 338 | if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) |
495 | 338 | || !rsa_setup_md(prsactx, mdname, prsactx->propq) |
496 | 338 | || !rsa_check_parameters(prsactx, min_saltlen)) |
497 | 15 | return 0; |
498 | 338 | } |
499 | 340 | } |
500 | | |
501 | 325 | break; |
502 | 325 | default: |
503 | 0 | ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
504 | 0 | return 0; |
505 | 35.3k | } |
506 | | |
507 | 35.3k | if (!rsa_set_ctx_params(prsactx, params)) |
508 | 0 | return 0; |
509 | | |
510 | 35.3k | return 1; |
511 | 35.3k | } |
512 | | |
513 | | static int setup_tbuf(PROV_RSA_CTX *ctx) |
514 | 12.2k | { |
515 | 12.2k | if (ctx->tbuf != NULL) |
516 | 0 | return 1; |
517 | 12.2k | if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) { |
518 | 14 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); |
519 | 14 | return 0; |
520 | 14 | } |
521 | 12.2k | return 1; |
522 | 12.2k | } |
523 | | |
524 | | static void clean_tbuf(PROV_RSA_CTX *ctx) |
525 | 69.4k | { |
526 | 69.4k | if (ctx->tbuf != NULL) |
527 | 13.1k | OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa)); |
528 | 69.4k | } |
529 | | |
530 | | static void free_tbuf(PROV_RSA_CTX *ctx) |
531 | 68.5k | { |
532 | 68.5k | clean_tbuf(ctx); |
533 | 68.5k | OPENSSL_free(ctx->tbuf); |
534 | 68.5k | ctx->tbuf = NULL; |
535 | 68.5k | } |
536 | | |
537 | | static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[]) |
538 | 0 | { |
539 | 0 | if (!ossl_prov_is_running()) |
540 | 0 | return 0; |
541 | 0 | return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_SIGN); |
542 | 0 | } |
543 | | |
544 | | static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, |
545 | | size_t sigsize, const unsigned char *tbs, size_t tbslen) |
546 | 3.67k | { |
547 | 3.67k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
548 | 3.67k | int ret; |
549 | 3.67k | size_t rsasize = RSA_size(prsactx->rsa); |
550 | 3.67k | size_t mdsize = rsa_get_md_size(prsactx); |
551 | | |
552 | 3.67k | if (!ossl_prov_is_running()) |
553 | 0 | return 0; |
554 | | |
555 | 3.67k | if (sig == NULL) { |
556 | 1.83k | *siglen = rsasize; |
557 | 1.83k | return 1; |
558 | 1.83k | } |
559 | | |
560 | 1.83k | if (sigsize < rsasize) { |
561 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, |
562 | 0 | "is %zu, should be at least %zu", sigsize, rsasize); |
563 | 0 | return 0; |
564 | 0 | } |
565 | | |
566 | 1.83k | if (mdsize != 0) { |
567 | 1.83k | if (tbslen != mdsize) { |
568 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); |
569 | 0 | return 0; |
570 | 0 | } |
571 | | |
572 | 1.83k | #ifndef FIPS_MODULE |
573 | 1.83k | if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) { |
574 | 0 | unsigned int sltmp; |
575 | |
|
576 | 0 | if (prsactx->pad_mode != RSA_PKCS1_PADDING) { |
577 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
578 | 0 | "only PKCS#1 padding supported with MDC2"); |
579 | 0 | return 0; |
580 | 0 | } |
581 | 0 | ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, |
582 | 0 | prsactx->rsa); |
583 | |
|
584 | 0 | if (ret <= 0) { |
585 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
586 | 0 | return 0; |
587 | 0 | } |
588 | 0 | ret = sltmp; |
589 | 0 | goto end; |
590 | 0 | } |
591 | 1.83k | #endif |
592 | 1.83k | switch (prsactx->pad_mode) { |
593 | 0 | case RSA_X931_PADDING: |
594 | 0 | if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) { |
595 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL, |
596 | 0 | "RSA key size = %d, expected minimum = %d", |
597 | 0 | RSA_size(prsactx->rsa), tbslen + 1); |
598 | 0 | return 0; |
599 | 0 | } |
600 | 0 | if (!setup_tbuf(prsactx)) { |
601 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); |
602 | 0 | return 0; |
603 | 0 | } |
604 | 0 | memcpy(prsactx->tbuf, tbs, tbslen); |
605 | 0 | prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid); |
606 | 0 | ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf, |
607 | 0 | sig, prsactx->rsa, RSA_X931_PADDING); |
608 | 0 | clean_tbuf(prsactx); |
609 | 0 | break; |
610 | | |
611 | 1.47k | case RSA_PKCS1_PADDING: |
612 | 1.47k | { |
613 | 1.47k | unsigned int sltmp; |
614 | | |
615 | 1.47k | ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp, |
616 | 1.47k | prsactx->rsa); |
617 | 1.47k | if (ret <= 0) { |
618 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
619 | 0 | return 0; |
620 | 0 | } |
621 | 1.47k | ret = sltmp; |
622 | 1.47k | } |
623 | 0 | break; |
624 | | |
625 | 361 | case RSA_PKCS1_PSS_PADDING: |
626 | | /* Check PSS restrictions */ |
627 | 361 | if (rsa_pss_restricted(prsactx)) { |
628 | 0 | switch (prsactx->saltlen) { |
629 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
630 | 0 | if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { |
631 | 0 | ERR_raise_data(ERR_LIB_PROV, |
632 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
633 | 0 | "minimum salt length set to %d, " |
634 | 0 | "but the digest only gives %d", |
635 | 0 | prsactx->min_saltlen, |
636 | 0 | EVP_MD_get_size(prsactx->md)); |
637 | 0 | return 0; |
638 | 0 | } |
639 | | /* FALLTHRU */ |
640 | 0 | default: |
641 | 0 | if (prsactx->saltlen >= 0 |
642 | 0 | && prsactx->saltlen < prsactx->min_saltlen) { |
643 | 0 | ERR_raise_data(ERR_LIB_PROV, |
644 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
645 | 0 | "minimum salt length set to %d, but the" |
646 | 0 | "actual salt length is only set to %d", |
647 | 0 | prsactx->min_saltlen, |
648 | 0 | prsactx->saltlen); |
649 | 0 | return 0; |
650 | 0 | } |
651 | 0 | break; |
652 | 0 | } |
653 | 0 | } |
654 | 361 | if (!setup_tbuf(prsactx)) |
655 | 0 | return 0; |
656 | 361 | if (!RSA_padding_add_PKCS1_PSS_mgf1(prsactx->rsa, |
657 | 361 | prsactx->tbuf, tbs, |
658 | 361 | prsactx->md, prsactx->mgf1_md, |
659 | 361 | prsactx->saltlen)) { |
660 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
661 | 0 | return 0; |
662 | 0 | } |
663 | 361 | ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf, |
664 | 361 | sig, prsactx->rsa, RSA_NO_PADDING); |
665 | 361 | clean_tbuf(prsactx); |
666 | 361 | break; |
667 | | |
668 | 0 | default: |
669 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
670 | 0 | "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); |
671 | 0 | return 0; |
672 | 1.83k | } |
673 | 1.83k | } else { |
674 | 0 | ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa, |
675 | 0 | prsactx->pad_mode); |
676 | 0 | } |
677 | | |
678 | 1.83k | #ifndef FIPS_MODULE |
679 | 1.83k | end: |
680 | 1.83k | #endif |
681 | 1.83k | if (ret <= 0) { |
682 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
683 | 0 | return 0; |
684 | 0 | } |
685 | | |
686 | 1.83k | *siglen = ret; |
687 | 1.83k | return 1; |
688 | 1.83k | } |
689 | | |
690 | | static int rsa_verify_recover_init(void *vprsactx, void *vrsa, |
691 | | const OSSL_PARAM params[]) |
692 | 0 | { |
693 | 0 | if (!ossl_prov_is_running()) |
694 | 0 | return 0; |
695 | 0 | return rsa_signverify_init(vprsactx, vrsa, params, |
696 | 0 | EVP_PKEY_OP_VERIFYRECOVER); |
697 | 0 | } |
698 | | |
699 | | static int rsa_verify_recover(void *vprsactx, |
700 | | unsigned char *rout, |
701 | | size_t *routlen, |
702 | | size_t routsize, |
703 | | const unsigned char *sig, |
704 | | size_t siglen) |
705 | 0 | { |
706 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
707 | 0 | int ret; |
708 | |
|
709 | 0 | if (!ossl_prov_is_running()) |
710 | 0 | return 0; |
711 | | |
712 | 0 | if (rout == NULL) { |
713 | 0 | *routlen = RSA_size(prsactx->rsa); |
714 | 0 | return 1; |
715 | 0 | } |
716 | | |
717 | 0 | if (prsactx->md != NULL) { |
718 | 0 | switch (prsactx->pad_mode) { |
719 | 0 | case RSA_X931_PADDING: |
720 | 0 | if (!setup_tbuf(prsactx)) |
721 | 0 | return 0; |
722 | 0 | ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, |
723 | 0 | RSA_X931_PADDING); |
724 | 0 | if (ret < 1) { |
725 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
726 | 0 | return 0; |
727 | 0 | } |
728 | 0 | ret--; |
729 | 0 | if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) { |
730 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH); |
731 | 0 | return 0; |
732 | 0 | } |
733 | 0 | if (ret != EVP_MD_get_size(prsactx->md)) { |
734 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, |
735 | 0 | "Should be %d, but got %d", |
736 | 0 | EVP_MD_get_size(prsactx->md), ret); |
737 | 0 | return 0; |
738 | 0 | } |
739 | | |
740 | 0 | *routlen = ret; |
741 | 0 | if (rout != prsactx->tbuf) { |
742 | 0 | if (routsize < (size_t)ret) { |
743 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, |
744 | 0 | "buffer size is %d, should be %d", |
745 | 0 | routsize, ret); |
746 | 0 | return 0; |
747 | 0 | } |
748 | 0 | memcpy(rout, prsactx->tbuf, ret); |
749 | 0 | } |
750 | 0 | break; |
751 | | |
752 | 0 | case RSA_PKCS1_PADDING: |
753 | 0 | { |
754 | 0 | size_t sltmp; |
755 | |
|
756 | 0 | ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp, |
757 | 0 | sig, siglen, prsactx->rsa); |
758 | 0 | if (ret <= 0) { |
759 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
760 | 0 | return 0; |
761 | 0 | } |
762 | 0 | ret = sltmp; |
763 | 0 | } |
764 | 0 | break; |
765 | | |
766 | 0 | default: |
767 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
768 | 0 | "Only X.931 or PKCS#1 v1.5 padding allowed"); |
769 | 0 | return 0; |
770 | 0 | } |
771 | 0 | } else { |
772 | 0 | ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa, |
773 | 0 | prsactx->pad_mode); |
774 | 0 | if (ret < 0) { |
775 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
776 | 0 | return 0; |
777 | 0 | } |
778 | 0 | } |
779 | 0 | *routlen = ret; |
780 | 0 | return 1; |
781 | 0 | } |
782 | | |
783 | | static int rsa_verify_init(void *vprsactx, void *vrsa, |
784 | | const OSSL_PARAM params[]) |
785 | 0 | { |
786 | 0 | if (!ossl_prov_is_running()) |
787 | 0 | return 0; |
788 | 0 | return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_VERIFY); |
789 | 0 | } |
790 | | |
791 | | static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, |
792 | | const unsigned char *tbs, size_t tbslen) |
793 | 9.10k | { |
794 | 9.10k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
795 | 9.10k | size_t rslen; |
796 | | |
797 | 9.10k | if (!ossl_prov_is_running()) |
798 | 0 | return 0; |
799 | 9.10k | if (prsactx->md != NULL) { |
800 | 9.10k | switch (prsactx->pad_mode) { |
801 | 2.27k | case RSA_PKCS1_PADDING: |
802 | 2.27k | if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen, |
803 | 2.27k | prsactx->rsa)) { |
804 | 2.01k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
805 | 2.01k | return 0; |
806 | 2.01k | } |
807 | 257 | return 1; |
808 | 0 | case RSA_X931_PADDING: |
809 | 0 | if (!setup_tbuf(prsactx)) |
810 | 0 | return 0; |
811 | 0 | if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0, |
812 | 0 | sig, siglen) <= 0) |
813 | 0 | return 0; |
814 | 0 | break; |
815 | 6.83k | case RSA_PKCS1_PSS_PADDING: |
816 | 6.83k | { |
817 | 6.83k | int ret; |
818 | 6.83k | size_t mdsize; |
819 | | |
820 | | /* |
821 | | * We need to check this for the RSA_verify_PKCS1_PSS_mgf1() |
822 | | * call |
823 | | */ |
824 | 6.83k | mdsize = rsa_get_md_size(prsactx); |
825 | 6.83k | if (tbslen != mdsize) { |
826 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, |
827 | 0 | "Should be %d, but got %d", |
828 | 0 | mdsize, tbslen); |
829 | 0 | return 0; |
830 | 0 | } |
831 | | |
832 | 6.83k | if (!setup_tbuf(prsactx)) |
833 | 10 | return 0; |
834 | 6.82k | ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, |
835 | 6.82k | prsactx->rsa, RSA_NO_PADDING); |
836 | 6.82k | if (ret <= 0) { |
837 | 1.29k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
838 | 1.29k | return 0; |
839 | 1.29k | } |
840 | 5.52k | ret = RSA_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs, |
841 | 5.52k | prsactx->md, prsactx->mgf1_md, |
842 | 5.52k | prsactx->tbuf, |
843 | 5.52k | prsactx->saltlen); |
844 | 5.52k | if (ret <= 0) { |
845 | 5.52k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
846 | 5.52k | return 0; |
847 | 5.52k | } |
848 | 7 | return 1; |
849 | 5.52k | } |
850 | 0 | default: |
851 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
852 | 0 | "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); |
853 | 0 | return 0; |
854 | 9.10k | } |
855 | 9.10k | } else { |
856 | 0 | int ret; |
857 | |
|
858 | 0 | if (!setup_tbuf(prsactx)) |
859 | 0 | return 0; |
860 | 0 | ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, |
861 | 0 | prsactx->pad_mode); |
862 | 0 | if (ret <= 0) { |
863 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
864 | 0 | return 0; |
865 | 0 | } |
866 | 0 | rslen = (size_t)ret; |
867 | 0 | } |
868 | | |
869 | 0 | if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) |
870 | 0 | return 0; |
871 | | |
872 | 0 | return 1; |
873 | 0 | } |
874 | | |
875 | | static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, |
876 | | void *vrsa, const OSSL_PARAM params[], |
877 | | int operation) |
878 | 35.3k | { |
879 | 35.3k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
880 | | |
881 | 35.3k | if (!ossl_prov_is_running()) |
882 | 0 | return 0; |
883 | | |
884 | 35.3k | if (!rsa_signverify_init(vprsactx, vrsa, params, operation)) |
885 | 15 | return 0; |
886 | | |
887 | 35.3k | if (mdname != NULL |
888 | | /* was rsa_setup_md already called in rsa_signverify_init()? */ |
889 | 35.3k | && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0) |
890 | 35.3k | && !rsa_setup_md(prsactx, mdname, prsactx->propq)) |
891 | 57 | return 0; |
892 | | |
893 | 35.3k | prsactx->flag_allow_md = 0; |
894 | | |
895 | 35.3k | if (prsactx->mdctx == NULL) { |
896 | 35.3k | prsactx->mdctx = EVP_MD_CTX_new(); |
897 | 35.3k | if (prsactx->mdctx == NULL) |
898 | 0 | goto error; |
899 | 35.3k | } |
900 | | |
901 | 35.3k | if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) |
902 | 0 | goto error; |
903 | | |
904 | 35.3k | return 1; |
905 | | |
906 | 0 | error: |
907 | 0 | EVP_MD_CTX_free(prsactx->mdctx); |
908 | 0 | prsactx->mdctx = NULL; |
909 | 0 | return 0; |
910 | 35.3k | } |
911 | | |
912 | | static int rsa_digest_signverify_update(void *vprsactx, |
913 | | const unsigned char *data, |
914 | | size_t datalen) |
915 | 10.9k | { |
916 | 10.9k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
917 | | |
918 | 10.9k | if (prsactx == NULL || prsactx->mdctx == NULL) |
919 | 0 | return 0; |
920 | | |
921 | 10.9k | return EVP_DigestUpdate(prsactx->mdctx, data, datalen); |
922 | 10.9k | } |
923 | | |
924 | | static int rsa_digest_sign_init(void *vprsactx, const char *mdname, |
925 | | void *vrsa, const OSSL_PARAM params[]) |
926 | 36.5k | { |
927 | 36.5k | if (!ossl_prov_is_running()) |
928 | 0 | return 0; |
929 | 36.5k | return rsa_digest_signverify_init(vprsactx, mdname, vrsa, |
930 | 36.5k | params, EVP_PKEY_OP_SIGN); |
931 | 36.5k | } |
932 | | |
933 | | static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig, |
934 | | size_t *siglen, size_t sigsize) |
935 | 3.67k | { |
936 | 3.67k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
937 | 3.67k | unsigned char digest[EVP_MAX_MD_SIZE]; |
938 | 3.67k | unsigned int dlen = 0; |
939 | | |
940 | 3.67k | if (!ossl_prov_is_running() || prsactx == NULL) |
941 | 0 | return 0; |
942 | 3.67k | prsactx->flag_allow_md = 1; |
943 | 3.67k | if (prsactx->mdctx == NULL) |
944 | 0 | return 0; |
945 | | /* |
946 | | * If sig is NULL then we're just finding out the sig size. Other fields |
947 | | * are ignored. Defer to rsa_sign. |
948 | | */ |
949 | 3.67k | if (sig != NULL) { |
950 | | /* |
951 | | * The digests used here are all known (see rsa_get_md_nid()), so they |
952 | | * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. |
953 | | */ |
954 | 1.83k | if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) |
955 | 0 | return 0; |
956 | 1.83k | } |
957 | | |
958 | 3.67k | return rsa_sign(vprsactx, sig, siglen, sigsize, digest, (size_t)dlen); |
959 | 3.67k | } |
960 | | |
961 | | static int rsa_digest_verify_init(void *vprsactx, const char *mdname, |
962 | | void *vrsa, const OSSL_PARAM params[]) |
963 | 14.3k | { |
964 | 14.3k | if (!ossl_prov_is_running()) |
965 | 0 | return 0; |
966 | 14.3k | return rsa_digest_signverify_init(vprsactx, mdname, vrsa, |
967 | 14.3k | params, EVP_PKEY_OP_VERIFY); |
968 | 14.3k | } |
969 | | |
970 | | int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, |
971 | | size_t siglen) |
972 | 9.10k | { |
973 | 9.10k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
974 | 9.10k | unsigned char digest[EVP_MAX_MD_SIZE]; |
975 | 9.10k | unsigned int dlen = 0; |
976 | | |
977 | 9.10k | if (!ossl_prov_is_running()) |
978 | 0 | return 0; |
979 | | |
980 | 9.10k | if (prsactx == NULL) |
981 | 0 | return 0; |
982 | 9.10k | prsactx->flag_allow_md = 1; |
983 | 9.10k | if (prsactx->mdctx == NULL) |
984 | 0 | return 0; |
985 | | |
986 | | /* |
987 | | * The digests used here are all known (see rsa_get_md_nid()), so they |
988 | | * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. |
989 | | */ |
990 | 9.10k | if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) |
991 | 0 | return 0; |
992 | | |
993 | 9.10k | return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); |
994 | 9.10k | } |
995 | | |
996 | | static void rsa_freectx(void *vprsactx) |
997 | 68.5k | { |
998 | 68.5k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
999 | | |
1000 | 68.5k | if (prsactx == NULL) |
1001 | 0 | return; |
1002 | | |
1003 | 68.5k | EVP_MD_CTX_free(prsactx->mdctx); |
1004 | 68.5k | EVP_MD_free(prsactx->md); |
1005 | 68.5k | EVP_MD_free(prsactx->mgf1_md); |
1006 | 68.5k | OPENSSL_free(prsactx->propq); |
1007 | 68.5k | free_tbuf(prsactx); |
1008 | 68.5k | RSA_free(prsactx->rsa); |
1009 | | |
1010 | 68.5k | OPENSSL_clear_free(prsactx, sizeof(*prsactx)); |
1011 | 68.5k | } |
1012 | | |
1013 | | static void *rsa_dupctx(void *vprsactx) |
1014 | 17.5k | { |
1015 | 17.5k | PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; |
1016 | 17.5k | PROV_RSA_CTX *dstctx; |
1017 | | |
1018 | 17.5k | if (!ossl_prov_is_running()) |
1019 | 0 | return NULL; |
1020 | | |
1021 | 17.5k | dstctx = OPENSSL_zalloc(sizeof(*srcctx)); |
1022 | 17.5k | if (dstctx == NULL) { |
1023 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); |
1024 | 0 | return NULL; |
1025 | 0 | } |
1026 | | |
1027 | 17.5k | *dstctx = *srcctx; |
1028 | 17.5k | dstctx->rsa = NULL; |
1029 | 17.5k | dstctx->md = NULL; |
1030 | 17.5k | dstctx->mgf1_md = NULL; |
1031 | 17.5k | dstctx->mdctx = NULL; |
1032 | 17.5k | dstctx->tbuf = NULL; |
1033 | 17.5k | dstctx->propq = NULL; |
1034 | | |
1035 | 17.5k | if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa)) |
1036 | 0 | goto err; |
1037 | 17.5k | dstctx->rsa = srcctx->rsa; |
1038 | | |
1039 | 17.5k | if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md)) |
1040 | 0 | goto err; |
1041 | 17.5k | dstctx->md = srcctx->md; |
1042 | | |
1043 | 17.5k | if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md)) |
1044 | 0 | goto err; |
1045 | 17.5k | dstctx->mgf1_md = srcctx->mgf1_md; |
1046 | | |
1047 | 17.5k | if (srcctx->mdctx != NULL) { |
1048 | 17.5k | dstctx->mdctx = EVP_MD_CTX_new(); |
1049 | 17.5k | if (dstctx->mdctx == NULL |
1050 | 17.5k | || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)) |
1051 | 0 | goto err; |
1052 | 17.5k | } |
1053 | | |
1054 | 17.5k | if (srcctx->propq != NULL) { |
1055 | 0 | dstctx->propq = OPENSSL_strdup(srcctx->propq); |
1056 | 0 | if (dstctx->propq == NULL) |
1057 | 0 | goto err; |
1058 | 0 | } |
1059 | | |
1060 | 17.5k | return dstctx; |
1061 | 0 | err: |
1062 | 0 | rsa_freectx(dstctx); |
1063 | 0 | return NULL; |
1064 | 17.5k | } |
1065 | | |
1066 | | static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) |
1067 | 0 | { |
1068 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1069 | 0 | OSSL_PARAM *p; |
1070 | |
|
1071 | 0 | if (prsactx == NULL) |
1072 | 0 | return 0; |
1073 | | |
1074 | 0 | p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID); |
1075 | 0 | if (p != NULL) { |
1076 | | /* The Algorithm Identifier of the combined signature algorithm */ |
1077 | 0 | unsigned char aid_buf[128]; |
1078 | 0 | unsigned char *aid; |
1079 | 0 | size_t aid_len; |
1080 | |
|
1081 | 0 | aid = rsa_generate_signature_aid(prsactx, aid_buf, |
1082 | 0 | sizeof(aid_buf), &aid_len); |
1083 | 0 | if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len)) |
1084 | 0 | return 0; |
1085 | 0 | } |
1086 | | |
1087 | 0 | p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE); |
1088 | 0 | if (p != NULL) |
1089 | 0 | switch (p->data_type) { |
1090 | 0 | case OSSL_PARAM_INTEGER: |
1091 | 0 | if (!OSSL_PARAM_set_int(p, prsactx->pad_mode)) |
1092 | 0 | return 0; |
1093 | 0 | break; |
1094 | 0 | case OSSL_PARAM_UTF8_STRING: |
1095 | 0 | { |
1096 | 0 | int i; |
1097 | 0 | const char *word = NULL; |
1098 | |
|
1099 | 0 | for (i = 0; padding_item[i].id != 0; i++) { |
1100 | 0 | if (prsactx->pad_mode == (int)padding_item[i].id) { |
1101 | 0 | word = padding_item[i].ptr; |
1102 | 0 | break; |
1103 | 0 | } |
1104 | 0 | } |
1105 | |
|
1106 | 0 | if (word != NULL) { |
1107 | 0 | if (!OSSL_PARAM_set_utf8_string(p, word)) |
1108 | 0 | return 0; |
1109 | 0 | } else { |
1110 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
1111 | 0 | } |
1112 | 0 | } |
1113 | 0 | break; |
1114 | 0 | default: |
1115 | 0 | return 0; |
1116 | 0 | } |
1117 | | |
1118 | 0 | p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST); |
1119 | 0 | if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname)) |
1120 | 0 | return 0; |
1121 | | |
1122 | 0 | p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); |
1123 | 0 | if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname)) |
1124 | 0 | return 0; |
1125 | | |
1126 | 0 | p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); |
1127 | 0 | if (p != NULL) { |
1128 | 0 | if (p->data_type == OSSL_PARAM_INTEGER) { |
1129 | 0 | if (!OSSL_PARAM_set_int(p, prsactx->saltlen)) |
1130 | 0 | return 0; |
1131 | 0 | } else if (p->data_type == OSSL_PARAM_UTF8_STRING) { |
1132 | 0 | const char *value = NULL; |
1133 | |
|
1134 | 0 | switch (prsactx->saltlen) { |
1135 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
1136 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST; |
1137 | 0 | break; |
1138 | 0 | case RSA_PSS_SALTLEN_MAX: |
1139 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX; |
1140 | 0 | break; |
1141 | 0 | case RSA_PSS_SALTLEN_AUTO: |
1142 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; |
1143 | 0 | break; |
1144 | 0 | case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: |
1145 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX; |
1146 | 0 | break; |
1147 | 0 | default: |
1148 | 0 | { |
1149 | 0 | int len = BIO_snprintf(p->data, p->data_size, "%d", |
1150 | 0 | prsactx->saltlen); |
1151 | |
|
1152 | 0 | if (len <= 0) |
1153 | 0 | return 0; |
1154 | 0 | p->return_size = len; |
1155 | 0 | break; |
1156 | 0 | } |
1157 | 0 | } |
1158 | 0 | if (value != NULL |
1159 | 0 | && !OSSL_PARAM_set_utf8_string(p, value)) |
1160 | 0 | return 0; |
1161 | 0 | } |
1162 | 0 | } |
1163 | | |
1164 | 0 | return 1; |
1165 | 0 | } |
1166 | | |
1167 | | static const OSSL_PARAM known_gettable_ctx_params[] = { |
1168 | | OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), |
1169 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1170 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), |
1171 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1172 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1173 | | OSSL_PARAM_END |
1174 | | }; |
1175 | | |
1176 | | static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, |
1177 | | ossl_unused void *provctx) |
1178 | 0 | { |
1179 | 0 | return known_gettable_ctx_params; |
1180 | 0 | } |
1181 | | |
1182 | | static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) |
1183 | 37.7k | { |
1184 | 37.7k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1185 | 37.7k | const OSSL_PARAM *p; |
1186 | 37.7k | int pad_mode; |
1187 | 37.7k | int saltlen; |
1188 | 37.7k | char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; |
1189 | 37.7k | char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; |
1190 | 37.7k | char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; |
1191 | 37.7k | char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL; |
1192 | | |
1193 | 37.7k | if (prsactx == NULL) |
1194 | 0 | return 0; |
1195 | 37.7k | if (params == NULL) |
1196 | 23.6k | return 1; |
1197 | | |
1198 | 14.0k | pad_mode = prsactx->pad_mode; |
1199 | 14.0k | saltlen = prsactx->saltlen; |
1200 | | |
1201 | 14.0k | p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); |
1202 | 14.0k | if (p != NULL) { |
1203 | 0 | const OSSL_PARAM *propsp = |
1204 | 0 | OSSL_PARAM_locate_const(params, |
1205 | 0 | OSSL_SIGNATURE_PARAM_PROPERTIES); |
1206 | |
|
1207 | 0 | pmdname = mdname; |
1208 | 0 | if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname))) |
1209 | 0 | return 0; |
1210 | | |
1211 | 0 | if (propsp != NULL) { |
1212 | 0 | pmdprops = mdprops; |
1213 | 0 | if (!OSSL_PARAM_get_utf8_string(propsp, |
1214 | 0 | &pmdprops, sizeof(mdprops))) |
1215 | 0 | return 0; |
1216 | 0 | } |
1217 | 0 | } |
1218 | | |
1219 | 14.0k | p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE); |
1220 | 14.0k | if (p != NULL) { |
1221 | 6.04k | const char *err_extra_text = NULL; |
1222 | | |
1223 | 6.04k | switch (p->data_type) { |
1224 | 6.04k | case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ |
1225 | 6.04k | if (!OSSL_PARAM_get_int(p, &pad_mode)) |
1226 | 0 | return 0; |
1227 | 6.04k | break; |
1228 | 6.04k | case OSSL_PARAM_UTF8_STRING: |
1229 | 0 | { |
1230 | 0 | int i; |
1231 | |
|
1232 | 0 | if (p->data == NULL) |
1233 | 0 | return 0; |
1234 | | |
1235 | 0 | for (i = 0; padding_item[i].id != 0; i++) { |
1236 | 0 | if (strcmp(p->data, padding_item[i].ptr) == 0) { |
1237 | 0 | pad_mode = padding_item[i].id; |
1238 | 0 | break; |
1239 | 0 | } |
1240 | 0 | } |
1241 | 0 | } |
1242 | 0 | break; |
1243 | 0 | default: |
1244 | 0 | return 0; |
1245 | 6.04k | } |
1246 | | |
1247 | 6.04k | switch (pad_mode) { |
1248 | 0 | case RSA_PKCS1_OAEP_PADDING: |
1249 | | /* |
1250 | | * OAEP padding is for asymmetric cipher only so is not compatible |
1251 | | * with signature use. |
1252 | | */ |
1253 | 0 | err_extra_text = "OAEP padding not allowed for signing / verifying"; |
1254 | 0 | goto bad_pad; |
1255 | 6.04k | case RSA_PKCS1_PSS_PADDING: |
1256 | 6.04k | if ((prsactx->operation |
1257 | 6.04k | & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) == 0) { |
1258 | 0 | err_extra_text = |
1259 | 0 | "PSS padding only allowed for sign and verify operations"; |
1260 | 0 | goto bad_pad; |
1261 | 0 | } |
1262 | 6.04k | break; |
1263 | 6.04k | case RSA_PKCS1_PADDING: |
1264 | 0 | err_extra_text = "PKCS#1 padding not allowed with RSA-PSS"; |
1265 | 0 | goto cont; |
1266 | 0 | case RSA_NO_PADDING: |
1267 | 0 | err_extra_text = "No padding not allowed with RSA-PSS"; |
1268 | 0 | goto cont; |
1269 | 0 | case RSA_X931_PADDING: |
1270 | 0 | err_extra_text = "X.931 padding not allowed with RSA-PSS"; |
1271 | 0 | cont: |
1272 | 0 | if (RSA_test_flags(prsactx->rsa, |
1273 | 0 | RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) |
1274 | 0 | break; |
1275 | | /* FALLTHRU */ |
1276 | 0 | default: |
1277 | 0 | bad_pad: |
1278 | 0 | if (err_extra_text == NULL) |
1279 | 0 | ERR_raise(ERR_LIB_PROV, |
1280 | 0 | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
1281 | 0 | else |
1282 | 0 | ERR_raise_data(ERR_LIB_PROV, |
1283 | 0 | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE, |
1284 | 0 | err_extra_text); |
1285 | 0 | return 0; |
1286 | 6.04k | } |
1287 | 6.04k | } |
1288 | | |
1289 | 14.0k | p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); |
1290 | 14.0k | if (p != NULL) { |
1291 | 6.04k | if (pad_mode != RSA_PKCS1_PSS_PADDING) { |
1292 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED, |
1293 | 0 | "PSS saltlen can only be specified if " |
1294 | 0 | "PSS padding has been specified first"); |
1295 | 0 | return 0; |
1296 | 0 | } |
1297 | | |
1298 | 6.04k | switch (p->data_type) { |
1299 | 0 | case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ |
1300 | 0 | if (!OSSL_PARAM_get_int(p, &saltlen)) |
1301 | 0 | return 0; |
1302 | 0 | break; |
1303 | 6.04k | case OSSL_PARAM_UTF8_STRING: |
1304 | 6.04k | if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0) |
1305 | 4.06k | saltlen = RSA_PSS_SALTLEN_DIGEST; |
1306 | 1.98k | else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0) |
1307 | 0 | saltlen = RSA_PSS_SALTLEN_MAX; |
1308 | 1.98k | else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) |
1309 | 0 | saltlen = RSA_PSS_SALTLEN_AUTO; |
1310 | 1.98k | else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0) |
1311 | 0 | saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
1312 | 1.98k | else |
1313 | 1.98k | saltlen = atoi(p->data); |
1314 | 6.04k | break; |
1315 | 0 | default: |
1316 | 0 | return 0; |
1317 | 6.04k | } |
1318 | | |
1319 | | /* |
1320 | | * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check. |
1321 | | * Contrary to what it's name suggests, it's the currently lowest |
1322 | | * saltlen number possible. |
1323 | | */ |
1324 | 6.04k | if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
1325 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
1326 | 0 | return 0; |
1327 | 0 | } |
1328 | | |
1329 | 6.04k | if (rsa_pss_restricted(prsactx)) { |
1330 | 40 | switch (saltlen) { |
1331 | 0 | case RSA_PSS_SALTLEN_AUTO: |
1332 | 0 | case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: |
1333 | 0 | if (prsactx->operation == EVP_PKEY_OP_VERIFY) { |
1334 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, |
1335 | 0 | "Cannot use autodetected salt length"); |
1336 | 0 | return 0; |
1337 | 0 | } |
1338 | 0 | break; |
1339 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
1340 | 0 | if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { |
1341 | 0 | ERR_raise_data(ERR_LIB_PROV, |
1342 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
1343 | 0 | "Should be more than %d, but would be " |
1344 | 0 | "set to match digest size (%d)", |
1345 | 0 | prsactx->min_saltlen, |
1346 | 0 | EVP_MD_get_size(prsactx->md)); |
1347 | 0 | return 0; |
1348 | 0 | } |
1349 | 0 | break; |
1350 | 40 | default: |
1351 | 40 | if (saltlen >= 0 && saltlen < prsactx->min_saltlen) { |
1352 | 0 | ERR_raise_data(ERR_LIB_PROV, |
1353 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
1354 | 0 | "Should be more than %d, " |
1355 | 0 | "but would be set to %d", |
1356 | 0 | prsactx->min_saltlen, saltlen); |
1357 | 0 | return 0; |
1358 | 0 | } |
1359 | 40 | } |
1360 | 40 | } |
1361 | 6.04k | } |
1362 | | |
1363 | 14.0k | p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); |
1364 | 14.0k | if (p != NULL) { |
1365 | 1.98k | const OSSL_PARAM *propsp = |
1366 | 1.98k | OSSL_PARAM_locate_const(params, |
1367 | 1.98k | OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES); |
1368 | | |
1369 | 1.98k | pmgf1mdname = mgf1mdname; |
1370 | 1.98k | if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname))) |
1371 | 0 | return 0; |
1372 | | |
1373 | 1.98k | if (propsp != NULL) { |
1374 | 0 | pmgf1mdprops = mgf1mdprops; |
1375 | 0 | if (!OSSL_PARAM_get_utf8_string(propsp, |
1376 | 0 | &pmgf1mdprops, sizeof(mgf1mdprops))) |
1377 | 0 | return 0; |
1378 | 0 | } |
1379 | | |
1380 | 1.98k | if (pad_mode != RSA_PKCS1_PSS_PADDING) { |
1381 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD); |
1382 | 0 | return 0; |
1383 | 0 | } |
1384 | 1.98k | } |
1385 | | |
1386 | 14.0k | prsactx->saltlen = saltlen; |
1387 | 14.0k | prsactx->pad_mode = pad_mode; |
1388 | | |
1389 | 14.0k | if (prsactx->md == NULL && pmdname == NULL |
1390 | 14.0k | && pad_mode == RSA_PKCS1_PSS_PADDING) |
1391 | 0 | pmdname = RSA_DEFAULT_DIGEST_NAME; |
1392 | | |
1393 | 14.0k | if (pmgf1mdname != NULL |
1394 | 14.0k | && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) |
1395 | 0 | return 0; |
1396 | | |
1397 | 14.0k | if (pmdname != NULL) { |
1398 | 0 | if (!rsa_setup_md(prsactx, pmdname, pmdprops)) |
1399 | 0 | return 0; |
1400 | 14.0k | } else { |
1401 | 14.0k | if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid)) |
1402 | 0 | return 0; |
1403 | 14.0k | } |
1404 | 14.0k | return 1; |
1405 | 14.0k | } |
1406 | | |
1407 | | static const OSSL_PARAM settable_ctx_params[] = { |
1408 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), |
1409 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), |
1410 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1411 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1412 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), |
1413 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1414 | | OSSL_PARAM_END |
1415 | | }; |
1416 | | |
1417 | | static const OSSL_PARAM settable_ctx_params_no_digest[] = { |
1418 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1419 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1420 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), |
1421 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1422 | | OSSL_PARAM_END |
1423 | | }; |
1424 | | |
1425 | | static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx, |
1426 | | ossl_unused void *provctx) |
1427 | 28.4k | { |
1428 | 28.4k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1429 | | |
1430 | 28.4k | if (prsactx != NULL && !prsactx->flag_allow_md) |
1431 | 28.4k | return settable_ctx_params_no_digest; |
1432 | 1 | return settable_ctx_params; |
1433 | 28.4k | } |
1434 | | |
1435 | | static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params) |
1436 | 0 | { |
1437 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1438 | |
|
1439 | 0 | if (prsactx->mdctx == NULL) |
1440 | 0 | return 0; |
1441 | | |
1442 | 0 | return EVP_MD_CTX_get_params(prsactx->mdctx, params); |
1443 | 0 | } |
1444 | | |
1445 | | static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx) |
1446 | 0 | { |
1447 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1448 | |
|
1449 | 0 | if (prsactx->md == NULL) |
1450 | 0 | return 0; |
1451 | | |
1452 | 0 | return EVP_MD_gettable_ctx_params(prsactx->md); |
1453 | 0 | } |
1454 | | |
1455 | | static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[]) |
1456 | 0 | { |
1457 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1458 | |
|
1459 | 0 | if (prsactx->mdctx == NULL) |
1460 | 0 | return 0; |
1461 | | |
1462 | 0 | return EVP_MD_CTX_set_params(prsactx->mdctx, params); |
1463 | 0 | } |
1464 | | |
1465 | | static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) |
1466 | 0 | { |
1467 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1468 | |
|
1469 | 0 | if (prsactx->md == NULL) |
1470 | 0 | return 0; |
1471 | | |
1472 | 0 | return EVP_MD_settable_ctx_params(prsactx->md); |
1473 | 0 | } |
1474 | | |
1475 | | const OSSL_DISPATCH ossl_rsa_signature_functions[] = { |
1476 | | { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, |
1477 | | { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, |
1478 | | { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, |
1479 | | { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init }, |
1480 | | { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify }, |
1481 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, |
1482 | | (void (*)(void))rsa_verify_recover_init }, |
1483 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, |
1484 | | (void (*)(void))rsa_verify_recover }, |
1485 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, |
1486 | | (void (*)(void))rsa_digest_sign_init }, |
1487 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, |
1488 | | (void (*)(void))rsa_digest_signverify_update }, |
1489 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, |
1490 | | (void (*)(void))rsa_digest_sign_final }, |
1491 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, |
1492 | | (void (*)(void))rsa_digest_verify_init }, |
1493 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, |
1494 | | (void (*)(void))rsa_digest_signverify_update }, |
1495 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, |
1496 | | (void (*)(void))rsa_digest_verify_final }, |
1497 | | { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, |
1498 | | { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, |
1499 | | { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params }, |
1500 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, |
1501 | | (void (*)(void))rsa_gettable_ctx_params }, |
1502 | | { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params }, |
1503 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, |
1504 | | (void (*)(void))rsa_settable_ctx_params }, |
1505 | | { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, |
1506 | | (void (*)(void))rsa_get_ctx_md_params }, |
1507 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, |
1508 | | (void (*)(void))rsa_gettable_ctx_md_params }, |
1509 | | { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, |
1510 | | (void (*)(void))rsa_set_ctx_md_params }, |
1511 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, |
1512 | | (void (*)(void))rsa_settable_ctx_md_params }, |
1513 | | { 0, NULL } |
1514 | | }; |