/src/openssl36/providers/implementations/signature/rsa_sig.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | |
11 | | /* |
12 | | * RSA low level APIs are deprecated for public use, but still ok for |
13 | | * internal use. |
14 | | */ |
15 | | #include "internal/deprecated.h" |
16 | | |
17 | | #include <string.h> |
18 | | #include <openssl/crypto.h> |
19 | | #include <openssl/core_dispatch.h> |
20 | | #include <openssl/core_names.h> |
21 | | #include <openssl/err.h> |
22 | | #include <openssl/obj_mac.h> |
23 | | #include <openssl/rsa.h> |
24 | | #include <openssl/params.h> |
25 | | #include <openssl/evp.h> |
26 | | #include <openssl/proverr.h> |
27 | | #include "internal/cryptlib.h" |
28 | | #include "internal/nelem.h" |
29 | | #include "internal/sizes.h" |
30 | | #include "crypto/rsa.h" |
31 | | #include "prov/providercommon.h" |
32 | | #include "prov/implementations.h" |
33 | | #include "prov/provider_ctx.h" |
34 | | #include "prov/der_rsa.h" |
35 | | #include "prov/securitycheck.h" |
36 | | |
37 | 0 | #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 |
38 | | |
39 | | static OSSL_FUNC_signature_newctx_fn rsa_newctx; |
40 | | static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; |
41 | | static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; |
42 | | static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; |
43 | | static OSSL_FUNC_signature_sign_fn rsa_sign; |
44 | | static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update; |
45 | | static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final; |
46 | | static OSSL_FUNC_signature_verify_fn rsa_verify; |
47 | | static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover; |
48 | | static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update; |
49 | | static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final; |
50 | | static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init; |
51 | | static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update; |
52 | | static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; |
53 | | static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; |
54 | | static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update; |
55 | | static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; |
56 | | static OSSL_FUNC_signature_freectx_fn rsa_freectx; |
57 | | static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; |
58 | | static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; |
59 | | static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; |
60 | | static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; |
61 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params; |
62 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params; |
63 | | static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params; |
64 | | static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params; |
65 | | static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params; |
66 | | static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params; |
67 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; |
68 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; |
69 | | |
70 | | static OSSL_ITEM padding_item[] = { |
71 | | { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 }, |
72 | | { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE }, |
73 | | { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 }, |
74 | | { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS }, |
75 | | { 0, NULL } |
76 | | }; |
77 | | |
78 | | /* |
79 | | * What's passed as an actual key is defined by the KEYMGMT interface. |
80 | | * We happen to know that our KEYMGMT simply passes RSA structures, so |
81 | | * we use that here too. |
82 | | */ |
83 | | |
84 | | typedef struct { |
85 | | OSSL_LIB_CTX *libctx; |
86 | | char *propq; |
87 | | RSA *rsa; |
88 | | int operation; |
89 | | |
90 | | /* |
91 | | * Flag to determine if a full sigalg is run (1) or if a composable |
92 | | * signature algorithm is run (0). |
93 | | * |
94 | | * When a full sigalg is run (1), this currently affects the following |
95 | | * other flags, which are to remain untouched after their initialization: |
96 | | * |
97 | | * - flag_allow_md (initialized to 0) |
98 | | */ |
99 | | unsigned int flag_sigalg : 1; |
100 | | /* |
101 | | * Flag to determine if the hash function can be changed (1) or not (0) |
102 | | * Because it's dangerous to change during a DigestSign or DigestVerify |
103 | | * operation, this flag is cleared by their Init function, and set again |
104 | | * by their Final function. |
105 | | * Implementations of full sigalgs (such as RSA-SHA256) hard-code this |
106 | | * flag to not allow changes (0). |
107 | | */ |
108 | | unsigned int flag_allow_md : 1; |
109 | | unsigned int mgf1_md_set : 1; |
110 | | /* |
111 | | * Flags to say what are the possible next external calls in what |
112 | | * consitutes the life cycle of an algorithm. The relevant calls are: |
113 | | * - init |
114 | | * - update |
115 | | * - final |
116 | | * - oneshot |
117 | | * All other external calls are regarded as utilitarian and are allowed |
118 | | * at any time (they may be affected by other flags, like flag_allow_md, |
119 | | * though). |
120 | | */ |
121 | | unsigned int flag_allow_update : 1; |
122 | | unsigned int flag_allow_final : 1; |
123 | | unsigned int flag_allow_oneshot : 1; |
124 | | |
125 | | /* main digest */ |
126 | | EVP_MD *md; |
127 | | EVP_MD_CTX *mdctx; |
128 | | int mdnid; |
129 | | char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ |
130 | | |
131 | | /* RSA padding mode */ |
132 | | int pad_mode; |
133 | | /* message digest for MGF1 */ |
134 | | EVP_MD *mgf1_md; |
135 | | int mgf1_mdnid; |
136 | | char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ |
137 | | /* PSS salt length */ |
138 | | int saltlen; |
139 | | /* Minimum salt length or -1 if no PSS parameter restriction */ |
140 | | int min_saltlen; |
141 | | |
142 | | /* Signature, for verification */ |
143 | | unsigned char *sig; |
144 | | size_t siglen; |
145 | | |
146 | | #ifdef FIPS_MODULE |
147 | | /* |
148 | | * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a |
149 | | * message is not permitted. However, signing based on a digest is still |
150 | | * permitted. |
151 | | */ |
152 | | int verify_message; |
153 | | #endif |
154 | | |
155 | | /* Temp buffer */ |
156 | | unsigned char *tbuf; |
157 | | |
158 | | OSSL_FIPS_IND_DECLARE |
159 | | } PROV_RSA_CTX; |
160 | | |
161 | | /* True if PSS parameters are restricted */ |
162 | 67.5k | #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) |
163 | | |
164 | | static int rsa_get_md_size(const PROV_RSA_CTX *prsactx) |
165 | 21.6k | { |
166 | 21.6k | int md_size; |
167 | | |
168 | 21.6k | if (prsactx->md != NULL) { |
169 | 21.6k | md_size = EVP_MD_get_size(prsactx->md); |
170 | 21.6k | if (md_size <= 0) |
171 | 0 | return 0; |
172 | 21.6k | return md_size; |
173 | 21.6k | } |
174 | 0 | return 0; |
175 | 21.6k | } |
176 | | |
177 | | static int rsa_check_padding(const PROV_RSA_CTX *prsactx, |
178 | | const char *mdname, const char *mgf1_mdname, |
179 | | int mdnid) |
180 | 136k | { |
181 | 136k | switch (prsactx->pad_mode) { |
182 | 0 | case RSA_NO_PADDING: |
183 | 0 | if (mdname != NULL || mdnid != NID_undef) { |
184 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); |
185 | 0 | return 0; |
186 | 0 | } |
187 | 0 | break; |
188 | 0 | case RSA_X931_PADDING: |
189 | 0 | if (RSA_X931_hash_id(mdnid) == -1) { |
190 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); |
191 | 0 | return 0; |
192 | 0 | } |
193 | 0 | break; |
194 | 59.9k | case RSA_PKCS1_PSS_PADDING: |
195 | 59.9k | if (rsa_pss_restricted(prsactx)) |
196 | 1.52k | if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname)) |
197 | 1.49k | || (mgf1_mdname != NULL |
198 | 373 | && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) { |
199 | 35 | ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); |
200 | 35 | return 0; |
201 | 35 | } |
202 | 59.9k | break; |
203 | 76.1k | default: |
204 | 76.1k | break; |
205 | 136k | } |
206 | | |
207 | 136k | return 1; |
208 | 136k | } |
209 | | |
210 | | static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) |
211 | 442 | { |
212 | 442 | if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
213 | 442 | int max_saltlen; |
214 | | |
215 | | /* See if minimum salt length exceeds maximum possible */ |
216 | 442 | max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md); |
217 | 442 | if ((RSA_bits(prsactx->rsa) & 0x7) == 1) |
218 | 136 | max_saltlen--; |
219 | 442 | if (min_saltlen < 0 || min_saltlen > max_saltlen) { |
220 | 34 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
221 | 34 | return 0; |
222 | 34 | } |
223 | 408 | prsactx->min_saltlen = min_saltlen; |
224 | 408 | } |
225 | 408 | return 1; |
226 | 442 | } |
227 | | |
228 | | static void *rsa_newctx(void *provctx, const char *propq) |
229 | 76.9k | { |
230 | 76.9k | PROV_RSA_CTX *prsactx = NULL; |
231 | 76.9k | char *propq_copy = NULL; |
232 | | |
233 | 76.9k | if (!ossl_prov_is_running()) |
234 | 0 | return NULL; |
235 | | |
236 | 76.9k | if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL |
237 | 76.9k | || (propq != NULL |
238 | 0 | && (propq_copy = OPENSSL_strdup(propq)) == NULL)) { |
239 | 0 | OPENSSL_free(prsactx); |
240 | 0 | return NULL; |
241 | 0 | } |
242 | | |
243 | 76.9k | OSSL_FIPS_IND_INIT(prsactx) |
244 | 76.9k | prsactx->libctx = PROV_LIBCTX_OF(provctx); |
245 | 76.9k | prsactx->flag_allow_md = 1; |
246 | | #ifdef FIPS_MODULE |
247 | | prsactx->verify_message = 1; |
248 | | #endif |
249 | 76.9k | prsactx->propq = propq_copy; |
250 | | /* Maximum up to digest length for sign, auto for verify */ |
251 | 76.9k | prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
252 | 76.9k | prsactx->min_saltlen = -1; |
253 | 76.9k | return prsactx; |
254 | 76.9k | } |
255 | | |
256 | | static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) |
257 | 0 | { |
258 | 0 | int saltlen = ctx->saltlen; |
259 | 0 | int saltlenMax = -1; |
260 | | |
261 | | /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection |
262 | | * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the |
263 | | * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of |
264 | | * the hash function output block (in bytes)." |
265 | | * |
266 | | * Provide a way to use at most the digest length, so that the default does |
267 | | * not violate FIPS 186-4. */ |
268 | 0 | if (saltlen == RSA_PSS_SALTLEN_DIGEST) { |
269 | 0 | if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) { |
270 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
271 | 0 | return -1; |
272 | 0 | } |
273 | 0 | } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
274 | 0 | saltlen = RSA_PSS_SALTLEN_MAX; |
275 | 0 | if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) { |
276 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
277 | 0 | return -1; |
278 | 0 | } |
279 | 0 | } |
280 | 0 | if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { |
281 | 0 | int mdsize, rsasize; |
282 | |
|
283 | 0 | if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) { |
284 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
285 | 0 | return -1; |
286 | 0 | } |
287 | 0 | if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) { |
288 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); |
289 | 0 | return -1; |
290 | 0 | } |
291 | 0 | saltlen = rsasize - mdsize - 2; |
292 | 0 | if ((RSA_bits(ctx->rsa) & 0x7) == 1) |
293 | 0 | saltlen--; |
294 | 0 | if (saltlenMax >= 0 && saltlen > saltlenMax) |
295 | 0 | saltlen = saltlenMax; |
296 | 0 | } |
297 | 0 | if (saltlen < 0) { |
298 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
299 | 0 | return -1; |
300 | 0 | } else if (saltlen < ctx->min_saltlen) { |
301 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, |
302 | 0 | "minimum salt length: %d, actual salt length: %d", |
303 | 0 | ctx->min_saltlen, saltlen); |
304 | 0 | return -1; |
305 | 0 | } |
306 | 0 | return saltlen; |
307 | 0 | } |
308 | | |
309 | | static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, |
310 | | unsigned char *aid_buf, |
311 | | size_t buf_len, |
312 | | size_t *aid_len) |
313 | 0 | { |
314 | 0 | WPACKET pkt; |
315 | 0 | unsigned char *aid = NULL; |
316 | 0 | int saltlen; |
317 | 0 | RSA_PSS_PARAMS_30 pss_params; |
318 | 0 | int ret; |
319 | |
|
320 | 0 | if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { |
321 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB); |
322 | 0 | return NULL; |
323 | 0 | } |
324 | | |
325 | 0 | switch (ctx->pad_mode) { |
326 | 0 | case RSA_PKCS1_PADDING: |
327 | 0 | ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, |
328 | 0 | ctx->mdnid); |
329 | |
|
330 | 0 | if (ret > 0) { |
331 | 0 | break; |
332 | 0 | } else if (ret == 0) { |
333 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
334 | 0 | goto cleanup; |
335 | 0 | } |
336 | 0 | ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, |
337 | 0 | "Algorithm ID generation - md NID: %d", |
338 | 0 | ctx->mdnid); |
339 | 0 | goto cleanup; |
340 | 0 | case RSA_PKCS1_PSS_PADDING: |
341 | 0 | saltlen = rsa_pss_compute_saltlen(ctx); |
342 | 0 | if (saltlen < 0) |
343 | 0 | goto cleanup; |
344 | 0 | if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) |
345 | 0 | || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) |
346 | 0 | || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, |
347 | 0 | ctx->mgf1_mdnid) |
348 | 0 | || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) |
349 | 0 | || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, |
350 | 0 | RSA_FLAG_TYPE_RSASSAPSS, |
351 | 0 | &pss_params)) { |
352 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
353 | 0 | goto cleanup; |
354 | 0 | } |
355 | 0 | break; |
356 | 0 | default: |
357 | 0 | ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, |
358 | 0 | "Algorithm ID generation - pad mode: %d", |
359 | 0 | ctx->pad_mode); |
360 | 0 | goto cleanup; |
361 | 0 | } |
362 | 0 | if (WPACKET_finish(&pkt)) { |
363 | 0 | WPACKET_get_total_written(&pkt, aid_len); |
364 | 0 | aid = WPACKET_get_curr(&pkt); |
365 | 0 | } |
366 | 0 | cleanup: |
367 | 0 | WPACKET_cleanup(&pkt); |
368 | 0 | return aid; |
369 | 0 | } |
370 | | |
371 | | static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, |
372 | | const char *mdprops, const char *desc) |
373 | 39.8k | { |
374 | 39.8k | EVP_MD *md = NULL; |
375 | | |
376 | 39.8k | if (mdprops == NULL) |
377 | 39.8k | mdprops = ctx->propq; |
378 | | |
379 | 39.8k | if (mdname != NULL) { |
380 | 39.8k | int md_nid; |
381 | 39.8k | size_t mdname_len = strlen(mdname); |
382 | | |
383 | 39.8k | md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); |
384 | | |
385 | 39.8k | if (md == NULL) { |
386 | 92 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
387 | 92 | "%s could not be fetched", mdname); |
388 | 92 | goto err; |
389 | 92 | } |
390 | 39.7k | md_nid = ossl_digest_rsa_sign_get_md_nid(md); |
391 | 39.7k | if (md_nid == NID_undef) { |
392 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
393 | 0 | "digest=%s", mdname); |
394 | 0 | goto err; |
395 | 0 | } |
396 | | /* |
397 | | * XOF digests are not allowed except for RSA PSS. |
398 | | * We don't support XOF digests with RSA PSS (yet), so just fail. |
399 | | * When we do support them, uncomment the second clause. |
400 | | */ |
401 | 39.7k | if (EVP_MD_xof(md) |
402 | 39.7k | /* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) { |
403 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); |
404 | 0 | goto err; |
405 | 0 | } |
406 | | #ifdef FIPS_MODULE |
407 | | { |
408 | | int sha1_allowed |
409 | | = ((ctx->operation |
410 | | & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); |
411 | | |
412 | | if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), |
413 | | OSSL_FIPS_IND_SETTABLE1, |
414 | | ctx->libctx, |
415 | | md_nid, sha1_allowed, 1, desc, |
416 | | ossl_fips_config_signature_digest_check)) |
417 | | goto err; |
418 | | } |
419 | | #endif |
420 | | |
421 | 39.7k | if (!rsa_check_padding(ctx, mdname, NULL, md_nid)) |
422 | 23 | goto err; |
423 | 39.7k | if (mdname_len >= sizeof(ctx->mdname)) { |
424 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
425 | 0 | "%s exceeds name buffer length", mdname); |
426 | 0 | goto err; |
427 | 0 | } |
428 | | |
429 | 39.7k | if (!ctx->flag_allow_md) { |
430 | 0 | if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { |
431 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
432 | 0 | "digest %s != %s", mdname, ctx->mdname); |
433 | 0 | goto err; |
434 | 0 | } |
435 | 0 | EVP_MD_free(md); |
436 | 0 | return 1; |
437 | 0 | } |
438 | | |
439 | 39.7k | if (!ctx->mgf1_md_set) { |
440 | 39.5k | if (!EVP_MD_up_ref(md)) { |
441 | 0 | goto err; |
442 | 0 | } |
443 | 39.5k | EVP_MD_free(ctx->mgf1_md); |
444 | 39.5k | ctx->mgf1_md = md; |
445 | 39.5k | ctx->mgf1_mdnid = md_nid; |
446 | 39.5k | OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); |
447 | 39.5k | } |
448 | | |
449 | 39.7k | EVP_MD_CTX_free(ctx->mdctx); |
450 | 39.7k | EVP_MD_free(ctx->md); |
451 | | |
452 | 39.7k | ctx->mdctx = NULL; |
453 | 39.7k | ctx->md = md; |
454 | 39.7k | ctx->mdnid = md_nid; |
455 | 39.7k | OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); |
456 | 39.7k | } |
457 | | |
458 | 39.7k | return 1; |
459 | 115 | err: |
460 | 115 | EVP_MD_free(md); |
461 | 115 | return 0; |
462 | 39.8k | } |
463 | | |
464 | | static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, |
465 | | const char *mdprops) |
466 | 5.63k | { |
467 | 5.63k | size_t len; |
468 | 5.63k | EVP_MD *md = NULL; |
469 | 5.63k | int mdnid; |
470 | | |
471 | 5.63k | if (mdprops == NULL) |
472 | 5.63k | mdprops = ctx->propq; |
473 | | |
474 | 5.63k | if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { |
475 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
476 | 0 | "%s could not be fetched", mdname); |
477 | 0 | return 0; |
478 | 0 | } |
479 | | /* The default for mgf1 is SHA1 - so allow SHA1 */ |
480 | 5.63k | if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0 |
481 | 5.63k | || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { |
482 | 0 | if (mdnid <= 0) |
483 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
484 | 0 | "digest=%s", mdname); |
485 | 0 | EVP_MD_free(md); |
486 | 0 | return 0; |
487 | 0 | } |
488 | 5.63k | len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); |
489 | 5.63k | if (len >= sizeof(ctx->mgf1_mdname)) { |
490 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
491 | 0 | "%s exceeds name buffer length", mdname); |
492 | 0 | EVP_MD_free(md); |
493 | 0 | return 0; |
494 | 0 | } |
495 | | |
496 | 5.63k | EVP_MD_free(ctx->mgf1_md); |
497 | 5.63k | ctx->mgf1_md = md; |
498 | 5.63k | ctx->mgf1_mdnid = mdnid; |
499 | 5.63k | ctx->mgf1_md_set = 1; |
500 | 5.63k | return 1; |
501 | 5.63k | } |
502 | | |
503 | | static int |
504 | | rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa, |
505 | | OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, |
506 | | const OSSL_PARAM params[], int operation, |
507 | | const char *desc) |
508 | 39.8k | { |
509 | 39.8k | int protect; |
510 | | |
511 | 39.8k | if (!ossl_prov_is_running() || prsactx == NULL) |
512 | 0 | return 0; |
513 | | |
514 | 39.8k | if (vrsa == NULL && prsactx->rsa == NULL) { |
515 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); |
516 | 0 | return 0; |
517 | 0 | } |
518 | | |
519 | 39.8k | if (vrsa != NULL) { |
520 | 39.8k | if (!RSA_up_ref(vrsa)) |
521 | 0 | return 0; |
522 | 39.8k | RSA_free(prsactx->rsa); |
523 | 39.8k | prsactx->rsa = vrsa; |
524 | 39.8k | } |
525 | 39.8k | if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect)) |
526 | 0 | return 0; |
527 | | |
528 | 39.8k | prsactx->operation = operation; |
529 | 39.8k | prsactx->flag_allow_update = 1; |
530 | 39.8k | prsactx->flag_allow_final = 1; |
531 | 39.8k | prsactx->flag_allow_oneshot = 1; |
532 | | |
533 | | /* Maximize up to digest length for sign, auto for verify */ |
534 | 39.8k | prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
535 | 39.8k | prsactx->min_saltlen = -1; |
536 | | |
537 | 39.8k | switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { |
538 | 39.5k | case RSA_FLAG_TYPE_RSA: |
539 | 39.5k | prsactx->pad_mode = RSA_PKCS1_PADDING; |
540 | 39.5k | break; |
541 | 349 | case RSA_FLAG_TYPE_RSASSAPSS: |
542 | 349 | prsactx->pad_mode = RSA_PKCS1_PSS_PADDING; |
543 | | |
544 | 349 | { |
545 | 349 | const RSA_PSS_PARAMS_30 *pss = |
546 | 349 | ossl_rsa_get0_pss_params_30(prsactx->rsa); |
547 | | |
548 | 349 | if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { |
549 | 179 | int md_nid = ossl_rsa_pss_params_30_hashalg(pss); |
550 | 179 | int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); |
551 | 179 | int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss); |
552 | 179 | const char *mdname, *mgf1mdname; |
553 | 179 | size_t len; |
554 | | |
555 | 179 | mdname = ossl_rsa_oaeppss_nid2name(md_nid); |
556 | 179 | mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); |
557 | | |
558 | 179 | if (mdname == NULL) { |
559 | 1 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
560 | 1 | "PSS restrictions lack hash algorithm"); |
561 | 1 | return 0; |
562 | 1 | } |
563 | 178 | if (mgf1mdname == NULL) { |
564 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
565 | 0 | "PSS restrictions lack MGF1 hash algorithm"); |
566 | 0 | return 0; |
567 | 0 | } |
568 | | |
569 | 178 | len = OPENSSL_strlcpy(prsactx->mdname, mdname, |
570 | 178 | sizeof(prsactx->mdname)); |
571 | 178 | if (len >= sizeof(prsactx->mdname)) { |
572 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
573 | 0 | "hash algorithm name too long"); |
574 | 0 | return 0; |
575 | 0 | } |
576 | 178 | len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, |
577 | 178 | sizeof(prsactx->mgf1_mdname)); |
578 | 178 | if (len >= sizeof(prsactx->mgf1_mdname)) { |
579 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
580 | 0 | "MGF1 hash algorithm name too long"); |
581 | 0 | return 0; |
582 | 0 | } |
583 | 178 | prsactx->saltlen = min_saltlen; |
584 | | |
585 | | /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ |
586 | 178 | if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) |
587 | 178 | || !rsa_setup_md(prsactx, mdname, prsactx->propq, desc) |
588 | 178 | || !rsa_check_parameters(prsactx, min_saltlen)) |
589 | 17 | return 0; |
590 | 178 | } |
591 | 349 | } |
592 | | |
593 | 331 | break; |
594 | 331 | default: |
595 | 0 | ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
596 | 0 | return 0; |
597 | 39.8k | } |
598 | | |
599 | 39.8k | OSSL_FIPS_IND_SET_APPROVED(prsactx) |
600 | 39.8k | if (!set_ctx_params(prsactx, params)) |
601 | 0 | return 0; |
602 | | #ifdef FIPS_MODULE |
603 | | if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx), |
604 | | OSSL_FIPS_IND_SETTABLE0, prsactx->libctx, |
605 | | prsactx->rsa, desc, protect)) |
606 | | return 0; |
607 | | #endif |
608 | 39.8k | return 1; |
609 | 39.8k | } |
610 | | |
611 | | static int setup_tbuf(PROV_RSA_CTX *ctx) |
612 | 24.2k | { |
613 | 24.2k | if (ctx->tbuf != NULL) |
614 | 0 | return 1; |
615 | 24.2k | if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) |
616 | 28 | return 0; |
617 | 24.2k | return 1; |
618 | 24.2k | } |
619 | | |
620 | | static void clean_tbuf(PROV_RSA_CTX *ctx) |
621 | 115k | { |
622 | 115k | if (ctx->tbuf != NULL) |
623 | 25.4k | OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa)); |
624 | 115k | } |
625 | | |
626 | | static void free_tbuf(PROV_RSA_CTX *ctx) |
627 | 114k | { |
628 | 114k | clean_tbuf(ctx); |
629 | 114k | OPENSSL_free(ctx->tbuf); |
630 | 114k | ctx->tbuf = NULL; |
631 | 114k | } |
632 | | |
633 | | #ifdef FIPS_MODULE |
634 | | static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen) |
635 | | { |
636 | | int mdsize = rsa_get_md_size(ctx); |
637 | | /* |
638 | | * Perform the check if the salt length is compliant to FIPS 186-5. |
639 | | * |
640 | | * According to FIPS 186-5 5.4 (g), the salt length shall be between zero |
641 | | * and the output block length of the digest function (inclusive). |
642 | | */ |
643 | | int approved = (saltlen >= 0 && saltlen <= mdsize); |
644 | | |
645 | | if (!approved) { |
646 | | if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3, |
647 | | ctx->libctx, |
648 | | algoname, "PSS Salt Length", |
649 | | ossl_fips_config_rsa_pss_saltlen_check)) { |
650 | | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
651 | | return 0; |
652 | | } |
653 | | } |
654 | | |
655 | | return 1; |
656 | | } |
657 | | #endif |
658 | | |
659 | | static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[]) |
660 | 0 | { |
661 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
662 | |
|
663 | | #ifdef FIPS_MODULE |
664 | | if (prsactx != NULL) |
665 | | prsactx->verify_message = 1; |
666 | | #endif |
667 | |
|
668 | 0 | return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
669 | 0 | EVP_PKEY_OP_SIGN, "RSA Sign Init"); |
670 | 0 | } |
671 | | |
672 | | /* |
673 | | * Sign tbs without digesting it first. This is suitable for "primitive" |
674 | | * signing and signing the digest of a message, i.e. should be used with |
675 | | * implementations of the keytype related algorithms. |
676 | | */ |
677 | | static int rsa_sign_directly(PROV_RSA_CTX *prsactx, |
678 | | unsigned char *sig, size_t *siglen, size_t sigsize, |
679 | | const unsigned char *tbs, size_t tbslen) |
680 | 7.72k | { |
681 | 7.72k | int ret; |
682 | 7.72k | size_t rsasize = RSA_size(prsactx->rsa); |
683 | 7.72k | size_t mdsize = rsa_get_md_size(prsactx); |
684 | | |
685 | 7.72k | if (!ossl_prov_is_running()) |
686 | 0 | return 0; |
687 | | |
688 | 7.72k | if (sig == NULL) { |
689 | 3.86k | *siglen = rsasize; |
690 | 3.86k | return 1; |
691 | 3.86k | } |
692 | | |
693 | 3.86k | if (sigsize < rsasize) { |
694 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, |
695 | 0 | "is %zu, should be at least %zu", sigsize, rsasize); |
696 | 0 | return 0; |
697 | 0 | } |
698 | | |
699 | 3.86k | if (mdsize != 0) { |
700 | 3.86k | if (tbslen != mdsize) { |
701 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); |
702 | 0 | return 0; |
703 | 0 | } |
704 | | |
705 | 3.86k | #ifndef FIPS_MODULE |
706 | 3.86k | if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) { |
707 | 0 | unsigned int sltmp; |
708 | |
|
709 | 0 | if (prsactx->pad_mode != RSA_PKCS1_PADDING) { |
710 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
711 | 0 | "only PKCS#1 padding supported with MDC2"); |
712 | 0 | return 0; |
713 | 0 | } |
714 | 0 | ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, (unsigned int)tbslen, sig, |
715 | 0 | &sltmp, prsactx->rsa); |
716 | |
|
717 | 0 | if (ret <= 0) { |
718 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
719 | 0 | return 0; |
720 | 0 | } |
721 | 0 | ret = sltmp; |
722 | 0 | goto end; |
723 | 0 | } |
724 | 3.86k | #endif |
725 | 3.86k | switch (prsactx->pad_mode) { |
726 | 0 | case RSA_X931_PADDING: |
727 | 0 | if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) { |
728 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL, |
729 | 0 | "RSA key size = %d, expected minimum = %d", |
730 | 0 | RSA_size(prsactx->rsa), tbslen + 1); |
731 | 0 | return 0; |
732 | 0 | } |
733 | 0 | if (!setup_tbuf(prsactx)) { |
734 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB); |
735 | 0 | return 0; |
736 | 0 | } |
737 | 0 | memcpy(prsactx->tbuf, tbs, tbslen); |
738 | 0 | prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid); |
739 | 0 | ret = RSA_private_encrypt((int)(tbslen + 1), prsactx->tbuf, |
740 | 0 | sig, prsactx->rsa, RSA_X931_PADDING); |
741 | 0 | clean_tbuf(prsactx); |
742 | 0 | break; |
743 | 2.95k | case RSA_PKCS1_PADDING: |
744 | 2.95k | { |
745 | 2.95k | unsigned int sltmp; |
746 | | |
747 | 2.95k | ret = RSA_sign(prsactx->mdnid, tbs, (unsigned int)tbslen, |
748 | 2.95k | sig, &sltmp, prsactx->rsa); |
749 | 2.95k | if (ret <= 0) { |
750 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
751 | 0 | return 0; |
752 | 0 | } |
753 | 2.95k | ret = sltmp; |
754 | 2.95k | } |
755 | 0 | break; |
756 | | |
757 | 907 | case RSA_PKCS1_PSS_PADDING: |
758 | 907 | { |
759 | 907 | int saltlen; |
760 | | |
761 | | /* Check PSS restrictions */ |
762 | 907 | if (rsa_pss_restricted(prsactx)) { |
763 | 0 | switch (prsactx->saltlen) { |
764 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
765 | 0 | if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { |
766 | 0 | ERR_raise_data(ERR_LIB_PROV, |
767 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
768 | 0 | "minimum salt length set to %d, " |
769 | 0 | "but the digest only gives %d", |
770 | 0 | prsactx->min_saltlen, |
771 | 0 | EVP_MD_get_size(prsactx->md)); |
772 | 0 | return 0; |
773 | 0 | } |
774 | | /* FALLTHRU */ |
775 | 0 | default: |
776 | 0 | if (prsactx->saltlen >= 0 |
777 | 0 | && prsactx->saltlen < prsactx->min_saltlen) { |
778 | 0 | ERR_raise_data(ERR_LIB_PROV, |
779 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
780 | 0 | "minimum salt length set to %d, but the" |
781 | 0 | "actual salt length is only set to %d", |
782 | 0 | prsactx->min_saltlen, |
783 | 0 | prsactx->saltlen); |
784 | 0 | return 0; |
785 | 0 | } |
786 | 0 | break; |
787 | 0 | } |
788 | 0 | } |
789 | 907 | if (!setup_tbuf(prsactx)) |
790 | 0 | return 0; |
791 | 907 | saltlen = prsactx->saltlen; |
792 | 907 | if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa, |
793 | 907 | prsactx->tbuf, tbs, |
794 | 907 | prsactx->md, prsactx->mgf1_md, |
795 | 907 | &saltlen)) { |
796 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
797 | 0 | return 0; |
798 | 0 | } |
799 | | #ifdef FIPS_MODULE |
800 | | if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen)) |
801 | | return 0; |
802 | | #endif |
803 | 907 | ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf, |
804 | 907 | sig, prsactx->rsa, RSA_NO_PADDING); |
805 | 907 | clean_tbuf(prsactx); |
806 | 907 | } |
807 | 0 | break; |
808 | | |
809 | 0 | default: |
810 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
811 | 0 | "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); |
812 | 0 | return 0; |
813 | 3.86k | } |
814 | 3.86k | } else { |
815 | 0 | ret = RSA_private_encrypt((int)tbslen, tbs, sig, prsactx->rsa, |
816 | 0 | prsactx->pad_mode); |
817 | 0 | } |
818 | | |
819 | 3.86k | #ifndef FIPS_MODULE |
820 | 3.86k | end: |
821 | 3.86k | #endif |
822 | 3.86k | if (ret <= 0) { |
823 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
824 | 0 | return 0; |
825 | 0 | } |
826 | | |
827 | 3.86k | *siglen = ret; |
828 | 3.86k | return 1; |
829 | 3.86k | } |
830 | | |
831 | | static int rsa_signverify_message_update(void *vprsactx, |
832 | | const unsigned char *data, |
833 | | size_t datalen) |
834 | 22.9k | { |
835 | 22.9k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
836 | | |
837 | 22.9k | if (prsactx == NULL || prsactx->mdctx == NULL) |
838 | 0 | return 0; |
839 | | |
840 | 22.9k | if (!prsactx->flag_allow_update) { |
841 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER); |
842 | 0 | return 0; |
843 | 0 | } |
844 | 22.9k | prsactx->flag_allow_oneshot = 0; |
845 | | |
846 | 22.9k | return EVP_DigestUpdate(prsactx->mdctx, data, datalen); |
847 | 22.9k | } |
848 | | |
849 | | static int rsa_sign_message_final(void *vprsactx, unsigned char *sig, |
850 | | size_t *siglen, size_t sigsize) |
851 | 7.72k | { |
852 | 7.72k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
853 | 7.72k | unsigned char digest[EVP_MAX_MD_SIZE]; |
854 | 7.72k | unsigned int dlen = 0; |
855 | | |
856 | 7.72k | if (!ossl_prov_is_running() || prsactx == NULL) |
857 | 0 | return 0; |
858 | 7.72k | if (prsactx->mdctx == NULL) |
859 | 0 | return 0; |
860 | 7.72k | if (!prsactx->flag_allow_final) { |
861 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); |
862 | 0 | return 0; |
863 | 0 | } |
864 | | |
865 | | /* |
866 | | * If sig is NULL then we're just finding out the sig size. Other fields |
867 | | * are ignored. Defer to rsa_sign. |
868 | | */ |
869 | 7.72k | if (sig != NULL) { |
870 | | /* |
871 | | * The digests used here are all known (see rsa_get_md_nid()), so they |
872 | | * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. |
873 | | */ |
874 | 3.86k | if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) |
875 | 0 | return 0; |
876 | | |
877 | 3.86k | prsactx->flag_allow_update = 0; |
878 | 3.86k | prsactx->flag_allow_oneshot = 0; |
879 | 3.86k | prsactx->flag_allow_final = 0; |
880 | 3.86k | } |
881 | | |
882 | 7.72k | return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen); |
883 | 7.72k | } |
884 | | |
885 | | /* |
886 | | * If signing a message, digest tbs and sign the result. |
887 | | * Otherwise, sign tbs directly. |
888 | | */ |
889 | | static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, |
890 | | size_t sigsize, const unsigned char *tbs, size_t tbslen) |
891 | 0 | { |
892 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
893 | |
|
894 | 0 | if (!ossl_prov_is_running() || prsactx == NULL) |
895 | 0 | return 0; |
896 | 0 | if (!prsactx->flag_allow_oneshot) { |
897 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); |
898 | 0 | return 0; |
899 | 0 | } |
900 | | |
901 | 0 | if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) { |
902 | | /* |
903 | | * If |sig| is NULL, the caller is only looking for the sig length. |
904 | | * DO NOT update the input in this case. |
905 | | */ |
906 | 0 | if (sig == NULL) |
907 | 0 | return rsa_sign_message_final(prsactx, sig, siglen, sigsize); |
908 | | |
909 | 0 | return rsa_signverify_message_update(prsactx, tbs, tbslen) |
910 | 0 | && rsa_sign_message_final(prsactx, sig, siglen, sigsize); |
911 | 0 | } |
912 | 0 | return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen); |
913 | 0 | } |
914 | | |
915 | | static int rsa_verify_recover_init(void *vprsactx, void *vrsa, |
916 | | const OSSL_PARAM params[]) |
917 | 0 | { |
918 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
919 | |
|
920 | | #ifdef FIPS_MODULE |
921 | | if (prsactx != NULL) |
922 | | prsactx->verify_message = 0; |
923 | | #endif |
924 | |
|
925 | 0 | return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
926 | 0 | EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init"); |
927 | 0 | } |
928 | | |
929 | | /* |
930 | | * There is no message variant of verify recover, so no need for |
931 | | * 'rsa_verify_recover_directly', just use this function, er, directly. |
932 | | */ |
933 | | static int rsa_verify_recover(void *vprsactx, |
934 | | unsigned char *rout, size_t *routlen, |
935 | | size_t routsize, |
936 | | const unsigned char *sig, size_t siglen) |
937 | 0 | { |
938 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
939 | 0 | int ret; |
940 | |
|
941 | 0 | if (!ossl_prov_is_running()) |
942 | 0 | return 0; |
943 | | |
944 | 0 | if (rout == NULL) { |
945 | 0 | *routlen = RSA_size(prsactx->rsa); |
946 | 0 | return 1; |
947 | 0 | } |
948 | | |
949 | 0 | if (prsactx->md != NULL) { |
950 | 0 | switch (prsactx->pad_mode) { |
951 | 0 | case RSA_X931_PADDING: |
952 | 0 | if (!setup_tbuf(prsactx)) |
953 | 0 | return 0; |
954 | 0 | ret = RSA_public_decrypt((int)siglen, sig, prsactx->tbuf, prsactx->rsa, |
955 | 0 | RSA_X931_PADDING); |
956 | 0 | if (ret <= 0) { |
957 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
958 | 0 | return 0; |
959 | 0 | } |
960 | 0 | ret--; |
961 | 0 | if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) { |
962 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH); |
963 | 0 | return 0; |
964 | 0 | } |
965 | 0 | if (ret != EVP_MD_get_size(prsactx->md)) { |
966 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, |
967 | 0 | "Should be %d, but got %d", |
968 | 0 | EVP_MD_get_size(prsactx->md), ret); |
969 | 0 | return 0; |
970 | 0 | } |
971 | | |
972 | 0 | *routlen = ret; |
973 | 0 | if (rout != prsactx->tbuf) { |
974 | 0 | if (routsize < (size_t)ret) { |
975 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, |
976 | 0 | "buffer size is %d, should be %d", |
977 | 0 | routsize, ret); |
978 | 0 | return 0; |
979 | 0 | } |
980 | 0 | memcpy(rout, prsactx->tbuf, ret); |
981 | 0 | } |
982 | 0 | break; |
983 | | |
984 | 0 | case RSA_PKCS1_PADDING: |
985 | 0 | { |
986 | 0 | size_t sltmp; |
987 | |
|
988 | 0 | ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp, |
989 | 0 | sig, siglen, prsactx->rsa); |
990 | 0 | if (ret <= 0) { |
991 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
992 | 0 | return 0; |
993 | 0 | } |
994 | 0 | ret = (int)sltmp; |
995 | 0 | } |
996 | 0 | break; |
997 | | |
998 | 0 | default: |
999 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
1000 | 0 | "Only X.931 or PKCS#1 v1.5 padding allowed"); |
1001 | 0 | return 0; |
1002 | 0 | } |
1003 | 0 | } else { |
1004 | 0 | ret = RSA_public_decrypt((int)siglen, sig, rout, prsactx->rsa, |
1005 | 0 | prsactx->pad_mode); |
1006 | 0 | if (ret <= 0) { |
1007 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1008 | 0 | return 0; |
1009 | 0 | } |
1010 | 0 | } |
1011 | 0 | *routlen = ret; |
1012 | 0 | return 1; |
1013 | 0 | } |
1014 | | |
1015 | | static int rsa_verify_init(void *vprsactx, void *vrsa, |
1016 | | const OSSL_PARAM params[]) |
1017 | 0 | { |
1018 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1019 | |
|
1020 | | #ifdef FIPS_MODULE |
1021 | | if (prsactx != NULL) |
1022 | | prsactx->verify_message = 0; |
1023 | | #endif |
1024 | |
|
1025 | 0 | return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
1026 | 0 | EVP_PKEY_OP_VERIFY, "RSA Verify Init"); |
1027 | 0 | } |
1028 | | |
1029 | | static int rsa_verify_directly(PROV_RSA_CTX *prsactx, |
1030 | | const unsigned char *sig, size_t siglen, |
1031 | | const unsigned char *tbs, size_t tbslen) |
1032 | 19.0k | { |
1033 | 19.0k | size_t rslen; |
1034 | | |
1035 | 19.0k | if (!ossl_prov_is_running()) |
1036 | 0 | return 0; |
1037 | 19.0k | if (prsactx->md != NULL) { |
1038 | 19.0k | switch (prsactx->pad_mode) { |
1039 | 5.13k | case RSA_PKCS1_PADDING: |
1040 | 5.13k | if (!RSA_verify(prsactx->mdnid, tbs, (unsigned int)tbslen, |
1041 | 5.13k | sig, (unsigned int)siglen, prsactx->rsa)) { |
1042 | 4.73k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1043 | 4.73k | return 0; |
1044 | 4.73k | } |
1045 | 406 | return 1; |
1046 | 0 | case RSA_X931_PADDING: |
1047 | 0 | if (!setup_tbuf(prsactx)) |
1048 | 0 | return 0; |
1049 | 0 | if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0, |
1050 | 0 | sig, siglen) <= 0) |
1051 | 0 | return 0; |
1052 | 0 | break; |
1053 | 13.9k | case RSA_PKCS1_PSS_PADDING: |
1054 | 13.9k | { |
1055 | 13.9k | int ret; |
1056 | 13.9k | int saltlen; |
1057 | 13.9k | size_t mdsize; |
1058 | | |
1059 | | /* |
1060 | | * We need to check this for the RSA_verify_PKCS1_PSS_mgf1() |
1061 | | * call |
1062 | | */ |
1063 | 13.9k | mdsize = rsa_get_md_size(prsactx); |
1064 | 13.9k | if (tbslen != mdsize) { |
1065 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, |
1066 | 0 | "Should be %d, but got %d", |
1067 | 0 | mdsize, tbslen); |
1068 | 0 | return 0; |
1069 | 0 | } |
1070 | | |
1071 | 13.9k | if (!setup_tbuf(prsactx)) |
1072 | 17 | return 0; |
1073 | 13.9k | ret = RSA_public_decrypt((int)siglen, sig, prsactx->tbuf, |
1074 | 13.9k | prsactx->rsa, RSA_NO_PADDING); |
1075 | 13.9k | if (ret <= 0) { |
1076 | 2.66k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1077 | 2.66k | return 0; |
1078 | 2.66k | } |
1079 | 11.2k | saltlen = prsactx->saltlen; |
1080 | 11.2k | ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs, |
1081 | 11.2k | prsactx->md, prsactx->mgf1_md, |
1082 | 11.2k | prsactx->tbuf, |
1083 | 11.2k | &saltlen); |
1084 | 11.2k | if (ret <= 0) { |
1085 | 11.2k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1086 | 11.2k | return 0; |
1087 | 11.2k | } |
1088 | | #ifdef FIPS_MODULE |
1089 | | if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen)) |
1090 | | return 0; |
1091 | | #endif |
1092 | 5 | return 1; |
1093 | 11.2k | } |
1094 | 0 | default: |
1095 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
1096 | 0 | "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); |
1097 | 0 | return 0; |
1098 | 19.0k | } |
1099 | 19.0k | } else { |
1100 | 0 | int ret; |
1101 | |
|
1102 | 0 | if (!setup_tbuf(prsactx)) |
1103 | 0 | return 0; |
1104 | 0 | ret = RSA_public_decrypt((int)siglen, sig, prsactx->tbuf, prsactx->rsa, |
1105 | 0 | prsactx->pad_mode); |
1106 | 0 | if (ret <= 0) { |
1107 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1108 | 0 | return 0; |
1109 | 0 | } |
1110 | 0 | rslen = (size_t)ret; |
1111 | 0 | } |
1112 | | |
1113 | 0 | if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) |
1114 | 0 | return 0; |
1115 | | |
1116 | 0 | return 1; |
1117 | 0 | } |
1118 | | |
1119 | | static int rsa_verify_set_sig(void *vprsactx, |
1120 | | const unsigned char *sig, size_t siglen) |
1121 | 19.0k | { |
1122 | 19.0k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1123 | 19.0k | OSSL_PARAM params[2]; |
1124 | | |
1125 | 19.0k | params[0] = |
1126 | 19.0k | OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, |
1127 | 19.0k | (unsigned char *)sig, siglen); |
1128 | 19.0k | params[1] = OSSL_PARAM_construct_end(); |
1129 | 19.0k | return rsa_sigalg_set_ctx_params(prsactx, params); |
1130 | 19.0k | } |
1131 | | |
1132 | | static int rsa_verify_message_final(void *vprsactx) |
1133 | 19.0k | { |
1134 | 19.0k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1135 | 19.0k | unsigned char digest[EVP_MAX_MD_SIZE]; |
1136 | 19.0k | unsigned int dlen = 0; |
1137 | | |
1138 | 19.0k | if (!ossl_prov_is_running() || prsactx == NULL) |
1139 | 0 | return 0; |
1140 | 19.0k | if (prsactx->mdctx == NULL) |
1141 | 0 | return 0; |
1142 | 19.0k | if (!prsactx->flag_allow_final) { |
1143 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); |
1144 | 0 | return 0; |
1145 | 0 | } |
1146 | | |
1147 | | /* |
1148 | | * The digests used here are all known (see rsa_get_md_nid()), so they |
1149 | | * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. |
1150 | | */ |
1151 | 19.0k | if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) |
1152 | 0 | return 0; |
1153 | | |
1154 | 19.0k | prsactx->flag_allow_update = 0; |
1155 | 19.0k | prsactx->flag_allow_final = 0; |
1156 | 19.0k | prsactx->flag_allow_oneshot = 0; |
1157 | | |
1158 | 19.0k | return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen, |
1159 | 19.0k | digest, dlen); |
1160 | 19.0k | } |
1161 | | |
1162 | | /* |
1163 | | * If verifying a message, digest tbs and verify the result. |
1164 | | * Otherwise, verify tbs directly. |
1165 | | */ |
1166 | | static int rsa_verify(void *vprsactx, |
1167 | | const unsigned char *sig, size_t siglen, |
1168 | | const unsigned char *tbs, size_t tbslen) |
1169 | 0 | { |
1170 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1171 | |
|
1172 | 0 | if (!ossl_prov_is_running() || prsactx == NULL) |
1173 | 0 | return 0; |
1174 | 0 | if (!prsactx->flag_allow_oneshot) { |
1175 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); |
1176 | 0 | return 0; |
1177 | 0 | } |
1178 | | |
1179 | 0 | if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) |
1180 | 0 | return rsa_verify_set_sig(prsactx, sig, siglen) |
1181 | 0 | && rsa_signverify_message_update(prsactx, tbs, tbslen) |
1182 | 0 | && rsa_verify_message_final(prsactx); |
1183 | 0 | return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen); |
1184 | 0 | } |
1185 | | |
1186 | | /* DigestSign/DigestVerify wrappers */ |
1187 | | |
1188 | | static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, |
1189 | | void *vrsa, const OSSL_PARAM params[], |
1190 | | int operation, const char *desc) |
1191 | 39.8k | { |
1192 | 39.8k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1193 | | |
1194 | | #ifdef FIPS_MODULE |
1195 | | if (prsactx != NULL) |
1196 | | prsactx->verify_message = 1; |
1197 | | #endif |
1198 | | |
1199 | 39.8k | if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
1200 | 39.8k | operation, desc)) |
1201 | 18 | return 0; |
1202 | | |
1203 | 39.8k | if (mdname != NULL |
1204 | | /* was rsa_setup_md already called in rsa_signverify_init()? */ |
1205 | 39.8k | && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0) |
1206 | 39.6k | && !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)) |
1207 | 115 | return 0; |
1208 | | |
1209 | 39.7k | prsactx->flag_allow_md = 0; |
1210 | | |
1211 | 39.7k | if (prsactx->mdctx == NULL) { |
1212 | 39.7k | prsactx->mdctx = EVP_MD_CTX_new(); |
1213 | 39.7k | if (prsactx->mdctx == NULL) |
1214 | 0 | goto error; |
1215 | 39.7k | } |
1216 | | |
1217 | 39.7k | if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) |
1218 | 0 | goto error; |
1219 | | |
1220 | 39.7k | return 1; |
1221 | | |
1222 | 0 | error: |
1223 | 0 | EVP_MD_CTX_free(prsactx->mdctx); |
1224 | 0 | prsactx->mdctx = NULL; |
1225 | 0 | return 0; |
1226 | 39.7k | } |
1227 | | |
1228 | | static int rsa_digest_sign_init(void *vprsactx, const char *mdname, |
1229 | | void *vrsa, const OSSL_PARAM params[]) |
1230 | 45.7k | { |
1231 | 45.7k | if (!ossl_prov_is_running()) |
1232 | 0 | return 0; |
1233 | 45.7k | return rsa_digest_signverify_init(vprsactx, mdname, vrsa, |
1234 | 45.7k | params, EVP_PKEY_OP_SIGNMSG, |
1235 | 45.7k | "RSA Digest Sign Init"); |
1236 | 45.7k | } |
1237 | | |
1238 | | static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data, |
1239 | | size_t datalen) |
1240 | 3.86k | { |
1241 | 3.86k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1242 | | |
1243 | 3.86k | if (prsactx == NULL) |
1244 | 0 | return 0; |
1245 | | /* Sigalg implementations shouldn't do digest_sign */ |
1246 | 3.86k | if (prsactx->flag_sigalg) |
1247 | 0 | return 0; |
1248 | | |
1249 | 3.86k | return rsa_signverify_message_update(prsactx, data, datalen); |
1250 | 3.86k | } |
1251 | | |
1252 | | static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig, |
1253 | | size_t *siglen, size_t sigsize) |
1254 | 7.72k | { |
1255 | 7.72k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1256 | 7.72k | int ok = 0; |
1257 | | |
1258 | 7.72k | if (prsactx == NULL) |
1259 | 0 | return 0; |
1260 | | /* Sigalg implementations shouldn't do digest_sign */ |
1261 | 7.72k | if (prsactx->flag_sigalg) |
1262 | 0 | return 0; |
1263 | | |
1264 | 7.72k | if (rsa_sign_message_final(prsactx, sig, siglen, sigsize)) |
1265 | 7.72k | ok = 1; |
1266 | | |
1267 | 7.72k | prsactx->flag_allow_md = 1; |
1268 | | |
1269 | 7.72k | return ok; |
1270 | 7.72k | } |
1271 | | |
1272 | | static int rsa_digest_verify_init(void *vprsactx, const char *mdname, |
1273 | | void *vrsa, const OSSL_PARAM params[]) |
1274 | 31.1k | { |
1275 | 31.1k | if (!ossl_prov_is_running()) |
1276 | 0 | return 0; |
1277 | 31.1k | return rsa_digest_signverify_init(vprsactx, mdname, vrsa, |
1278 | 31.1k | params, EVP_PKEY_OP_VERIFYMSG, |
1279 | 31.1k | "RSA Digest Verify Init"); |
1280 | 31.1k | } |
1281 | | |
1282 | | static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data, |
1283 | | size_t datalen) |
1284 | 19.0k | { |
1285 | 19.0k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1286 | | |
1287 | 19.0k | if (prsactx == NULL) |
1288 | 0 | return 0; |
1289 | | /* Sigalg implementations shouldn't do digest_sign */ |
1290 | 19.0k | if (prsactx->flag_sigalg) |
1291 | 0 | return 0; |
1292 | | |
1293 | 19.0k | return rsa_signverify_message_update(prsactx, data, datalen); |
1294 | 19.0k | } |
1295 | | |
1296 | | int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, |
1297 | | size_t siglen) |
1298 | 19.0k | { |
1299 | 19.0k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1300 | 19.0k | int ok = 0; |
1301 | | |
1302 | 19.0k | if (prsactx == NULL) |
1303 | 0 | return 0; |
1304 | | /* Sigalg implementations shouldn't do digest_verify */ |
1305 | 19.0k | if (prsactx->flag_sigalg) |
1306 | 0 | return 0; |
1307 | | |
1308 | 19.0k | if (rsa_verify_set_sig(prsactx, sig, siglen) |
1309 | 19.0k | && rsa_verify_message_final(vprsactx)) |
1310 | 411 | ok = 1; |
1311 | | |
1312 | 19.0k | prsactx->flag_allow_md = 1; |
1313 | | |
1314 | 19.0k | return ok; |
1315 | 19.0k | } |
1316 | | |
1317 | | static void rsa_freectx(void *vprsactx) |
1318 | 114k | { |
1319 | 114k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1320 | | |
1321 | 114k | if (prsactx == NULL) |
1322 | 0 | return; |
1323 | | |
1324 | 114k | EVP_MD_CTX_free(prsactx->mdctx); |
1325 | 114k | EVP_MD_free(prsactx->md); |
1326 | 114k | EVP_MD_free(prsactx->mgf1_md); |
1327 | 114k | OPENSSL_free(prsactx->sig); |
1328 | 114k | OPENSSL_free(prsactx->propq); |
1329 | 114k | free_tbuf(prsactx); |
1330 | 114k | RSA_free(prsactx->rsa); |
1331 | | |
1332 | 114k | OPENSSL_clear_free(prsactx, sizeof(*prsactx)); |
1333 | 114k | } |
1334 | | |
1335 | | static void *rsa_dupctx(void *vprsactx) |
1336 | 37.1k | { |
1337 | 37.1k | PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; |
1338 | 37.1k | PROV_RSA_CTX *dstctx; |
1339 | | |
1340 | 37.1k | if (!ossl_prov_is_running()) |
1341 | 0 | return NULL; |
1342 | | |
1343 | 37.1k | dstctx = OPENSSL_zalloc(sizeof(*srcctx)); |
1344 | 37.1k | if (dstctx == NULL) |
1345 | 0 | return NULL; |
1346 | | |
1347 | 37.1k | *dstctx = *srcctx; |
1348 | 37.1k | dstctx->rsa = NULL; |
1349 | 37.1k | dstctx->md = NULL; |
1350 | 37.1k | dstctx->mgf1_md = NULL; |
1351 | 37.1k | dstctx->mdctx = NULL; |
1352 | 37.1k | dstctx->tbuf = NULL; |
1353 | 37.1k | dstctx->propq = NULL; |
1354 | | |
1355 | 37.1k | if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa)) |
1356 | 0 | goto err; |
1357 | 37.1k | dstctx->rsa = srcctx->rsa; |
1358 | | |
1359 | 37.1k | if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md)) |
1360 | 0 | goto err; |
1361 | 37.1k | dstctx->md = srcctx->md; |
1362 | | |
1363 | 37.1k | if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md)) |
1364 | 0 | goto err; |
1365 | 37.1k | dstctx->mgf1_md = srcctx->mgf1_md; |
1366 | | |
1367 | 37.1k | if (srcctx->mdctx != NULL) { |
1368 | 37.1k | dstctx->mdctx = EVP_MD_CTX_new(); |
1369 | 37.1k | if (dstctx->mdctx == NULL |
1370 | 37.1k | || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)) |
1371 | 0 | goto err; |
1372 | 37.1k | } |
1373 | | |
1374 | 37.1k | if (srcctx->propq != NULL) { |
1375 | 0 | dstctx->propq = OPENSSL_strdup(srcctx->propq); |
1376 | 0 | if (dstctx->propq == NULL) |
1377 | 0 | goto err; |
1378 | 0 | } |
1379 | | |
1380 | 37.1k | return dstctx; |
1381 | 0 | err: |
1382 | 0 | rsa_freectx(dstctx); |
1383 | 0 | return NULL; |
1384 | 37.1k | } |
1385 | | |
1386 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
1387 | | #ifndef rsa_get_ctx_params_list |
1388 | | static const OSSL_PARAM rsa_get_ctx_params_list[] = { |
1389 | | OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), |
1390 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1391 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL), |
1392 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), |
1393 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1394 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1395 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL), |
1396 | | # if defined(FIPS_MODULE) |
1397 | | OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL), |
1398 | | # endif |
1399 | | # if defined(FIPS_MODULE) |
1400 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR, NULL), |
1401 | | # endif |
1402 | | OSSL_PARAM_END |
1403 | | }; |
1404 | | #endif |
1405 | | |
1406 | | #ifndef rsa_get_ctx_params_st |
1407 | | struct rsa_get_ctx_params_st { |
1408 | | OSSL_PARAM *algid; |
1409 | | OSSL_PARAM *digest; |
1410 | | # if defined(FIPS_MODULE) |
1411 | | OSSL_PARAM *ind; |
1412 | | # endif |
1413 | | OSSL_PARAM *mgf1; |
1414 | | OSSL_PARAM *pad; |
1415 | | OSSL_PARAM *slen; |
1416 | | # if defined(FIPS_MODULE) |
1417 | | OSSL_PARAM *verify; |
1418 | | # endif |
1419 | | }; |
1420 | | #endif |
1421 | | |
1422 | | #ifndef rsa_get_ctx_params_decoder |
1423 | | static int rsa_get_ctx_params_decoder |
1424 | | (const OSSL_PARAM *p, struct rsa_get_ctx_params_st *r) |
1425 | 0 | { |
1426 | 0 | const char *s; |
1427 | |
|
1428 | 0 | memset(r, 0, sizeof(*r)); |
1429 | 0 | if (p != NULL) |
1430 | 0 | for (; (s = p->key) != NULL; p++) |
1431 | 0 | switch(s[0]) { |
1432 | 0 | default: |
1433 | 0 | break; |
1434 | 0 | case 'a': |
1435 | 0 | if (ossl_likely(strcmp("lgorithm-id", s + 1) == 0)) { |
1436 | | /* OSSL_SIGNATURE_PARAM_ALGORITHM_ID */ |
1437 | 0 | if (ossl_unlikely(r->algid != NULL)) { |
1438 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1439 | 0 | "param %s is repeated", s); |
1440 | 0 | return 0; |
1441 | 0 | } |
1442 | 0 | r->algid = (OSSL_PARAM *)p; |
1443 | 0 | } |
1444 | 0 | break; |
1445 | 0 | case 'd': |
1446 | 0 | if (ossl_likely(strcmp("igest", s + 1) == 0)) { |
1447 | | /* OSSL_SIGNATURE_PARAM_DIGEST */ |
1448 | 0 | if (ossl_unlikely(r->digest != NULL)) { |
1449 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1450 | 0 | "param %s is repeated", s); |
1451 | 0 | return 0; |
1452 | 0 | } |
1453 | 0 | r->digest = (OSSL_PARAM *)p; |
1454 | 0 | } |
1455 | 0 | break; |
1456 | 0 | case 'f': |
1457 | | # if defined(FIPS_MODULE) |
1458 | | if (ossl_likely(strcmp("ips-indicator", s + 1) == 0)) { |
1459 | | /* OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR */ |
1460 | | if (ossl_unlikely(r->ind != NULL)) { |
1461 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1462 | | "param %s is repeated", s); |
1463 | | return 0; |
1464 | | } |
1465 | | r->ind = (OSSL_PARAM *)p; |
1466 | | } |
1467 | | # endif |
1468 | 0 | break; |
1469 | 0 | case 'm': |
1470 | 0 | if (ossl_likely(strcmp("gf1-digest", s + 1) == 0)) { |
1471 | | /* OSSL_SIGNATURE_PARAM_MGF1_DIGEST */ |
1472 | 0 | if (ossl_unlikely(r->mgf1 != NULL)) { |
1473 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1474 | 0 | "param %s is repeated", s); |
1475 | 0 | return 0; |
1476 | 0 | } |
1477 | 0 | r->mgf1 = (OSSL_PARAM *)p; |
1478 | 0 | } |
1479 | 0 | break; |
1480 | 0 | case 'p': |
1481 | 0 | if (ossl_likely(strcmp("ad-mode", s + 1) == 0)) { |
1482 | | /* OSSL_SIGNATURE_PARAM_PAD_MODE */ |
1483 | 0 | if (ossl_unlikely(r->pad != NULL)) { |
1484 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1485 | 0 | "param %s is repeated", s); |
1486 | 0 | return 0; |
1487 | 0 | } |
1488 | 0 | r->pad = (OSSL_PARAM *)p; |
1489 | 0 | } |
1490 | 0 | break; |
1491 | 0 | case 's': |
1492 | 0 | if (ossl_likely(strcmp("altlen", s + 1) == 0)) { |
1493 | | /* OSSL_SIGNATURE_PARAM_PSS_SALTLEN */ |
1494 | 0 | if (ossl_unlikely(r->slen != NULL)) { |
1495 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1496 | 0 | "param %s is repeated", s); |
1497 | 0 | return 0; |
1498 | 0 | } |
1499 | 0 | r->slen = (OSSL_PARAM *)p; |
1500 | 0 | } |
1501 | 0 | break; |
1502 | 0 | case 'v': |
1503 | | # if defined(FIPS_MODULE) |
1504 | | if (ossl_likely(strcmp("erify-message", s + 1) == 0)) { |
1505 | | /* OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE */ |
1506 | | if (ossl_unlikely(r->verify != NULL)) { |
1507 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1508 | | "param %s is repeated", s); |
1509 | | return 0; |
1510 | | } |
1511 | | r->verify = (OSSL_PARAM *)p; |
1512 | | } |
1513 | | # endif |
1514 | 0 | break; |
1515 | 0 | } |
1516 | 0 | return 1; |
1517 | 0 | } |
1518 | | #endif |
1519 | | /* End of machine generated */ |
1520 | | |
1521 | | static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) |
1522 | 0 | { |
1523 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1524 | 0 | struct rsa_get_ctx_params_st p; |
1525 | |
|
1526 | 0 | if (prsactx == NULL || !rsa_get_ctx_params_decoder(params, &p)) |
1527 | 0 | return 0; |
1528 | | |
1529 | 0 | if (p.algid != NULL) { |
1530 | | /* The Algorithm Identifier of the combined signature algorithm */ |
1531 | 0 | unsigned char aid_buf[128]; |
1532 | 0 | unsigned char *aid; |
1533 | 0 | size_t aid_len; |
1534 | |
|
1535 | 0 | aid = rsa_generate_signature_aid(prsactx, aid_buf, |
1536 | 0 | sizeof(aid_buf), &aid_len); |
1537 | 0 | if (aid == NULL || !OSSL_PARAM_set_octet_string(p.algid, aid, aid_len)) |
1538 | 0 | return 0; |
1539 | 0 | } |
1540 | | |
1541 | 0 | if (p.pad != NULL) { |
1542 | 0 | if (p.pad->data_type != OSSL_PARAM_UTF8_STRING) { |
1543 | 0 | if (!OSSL_PARAM_set_int(p.pad, prsactx->pad_mode)) |
1544 | 0 | return 0; |
1545 | 0 | } else { |
1546 | 0 | int i; |
1547 | 0 | const char *word = NULL; |
1548 | |
|
1549 | 0 | for (i = 0; padding_item[i].id != 0; i++) { |
1550 | 0 | if (prsactx->pad_mode == (int)padding_item[i].id) { |
1551 | 0 | word = padding_item[i].ptr; |
1552 | 0 | break; |
1553 | 0 | } |
1554 | 0 | } |
1555 | |
|
1556 | 0 | if (word != NULL) { |
1557 | 0 | if (!OSSL_PARAM_set_utf8_string(p.pad, word)) |
1558 | 0 | return 0; |
1559 | 0 | } else { |
1560 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
1561 | 0 | } |
1562 | 0 | } |
1563 | 0 | } |
1564 | | |
1565 | 0 | if (p.digest != NULL && !OSSL_PARAM_set_utf8_string(p.digest, prsactx->mdname)) |
1566 | 0 | return 0; |
1567 | | |
1568 | 0 | if (p.mgf1 != NULL && !OSSL_PARAM_set_utf8_string(p.mgf1, prsactx->mgf1_mdname)) |
1569 | 0 | return 0; |
1570 | | |
1571 | 0 | if (p.slen != NULL) { |
1572 | 0 | if (p.slen->data_type != OSSL_PARAM_UTF8_STRING) { |
1573 | 0 | if (!OSSL_PARAM_set_int(p.slen, prsactx->saltlen)) |
1574 | 0 | return 0; |
1575 | 0 | } else { |
1576 | 0 | const char *value = NULL; |
1577 | |
|
1578 | 0 | switch (prsactx->saltlen) { |
1579 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
1580 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST; |
1581 | 0 | break; |
1582 | 0 | case RSA_PSS_SALTLEN_MAX: |
1583 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX; |
1584 | 0 | break; |
1585 | 0 | case RSA_PSS_SALTLEN_AUTO: |
1586 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; |
1587 | 0 | break; |
1588 | 0 | case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: |
1589 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX; |
1590 | 0 | break; |
1591 | 0 | default: |
1592 | 0 | { |
1593 | 0 | int len = BIO_snprintf(p.slen->data, p.slen->data_size, "%d", |
1594 | 0 | prsactx->saltlen); |
1595 | |
|
1596 | 0 | if (len <= 0) |
1597 | 0 | return 0; |
1598 | 0 | p.slen->return_size = len; |
1599 | 0 | break; |
1600 | 0 | } |
1601 | 0 | } |
1602 | 0 | if (value != NULL |
1603 | 0 | && !OSSL_PARAM_set_utf8_string(p.slen, value)) |
1604 | 0 | return 0; |
1605 | 0 | } |
1606 | 0 | } |
1607 | | |
1608 | | #ifdef FIPS_MODULE |
1609 | | if (p.verify != NULL && !OSSL_PARAM_set_uint(p.verify, prsactx->verify_message)) |
1610 | | return 0; |
1611 | | #endif |
1612 | | |
1613 | 0 | if (!OSSL_FIPS_IND_GET_CTX_FROM_PARAM(prsactx, p.ind)) |
1614 | 0 | return 0; |
1615 | 0 | return 1; |
1616 | 0 | } |
1617 | | |
1618 | | static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, |
1619 | | ossl_unused void *provctx) |
1620 | 0 | { |
1621 | 0 | return rsa_get_ctx_params_list; |
1622 | 0 | } |
1623 | | |
1624 | | #ifdef FIPS_MODULE |
1625 | | static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx) |
1626 | | { |
1627 | | if ((ctx->operation |
1628 | | & (EVP_PKEY_OP_SIGNMSG | EVP_PKEY_OP_SIGN)) != 0) { |
1629 | | if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, |
1630 | | ctx->libctx, |
1631 | | "RSA Sign set ctx", "X931 Padding", |
1632 | | ossl_fips_config_rsa_sign_x931_disallowed)) { |
1633 | | ERR_raise(ERR_LIB_PROV, |
1634 | | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
1635 | | return 0; |
1636 | | } |
1637 | | } |
1638 | | return 1; |
1639 | | } |
1640 | | #endif |
1641 | | |
1642 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
1643 | | #ifndef rsa_set_ctx_params_list |
1644 | | static const OSSL_PARAM rsa_set_ctx_params_list[] = { |
1645 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), |
1646 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), |
1647 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1648 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL), |
1649 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1650 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), |
1651 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1652 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL), |
1653 | | # if defined(FIPS_MODULE) |
1654 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK, NULL), |
1655 | | # endif |
1656 | | # if defined(FIPS_MODULE) |
1657 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK, NULL), |
1658 | | # endif |
1659 | | # if defined(FIPS_MODULE) |
1660 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK, NULL), |
1661 | | # endif |
1662 | | # if defined(FIPS_MODULE) |
1663 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK, NULL), |
1664 | | # endif |
1665 | | OSSL_PARAM_END |
1666 | | }; |
1667 | | #endif |
1668 | | |
1669 | | #ifndef rsa_set_ctx_params_st |
1670 | | struct rsa_set_ctx_params_st { |
1671 | | OSSL_PARAM *digest; |
1672 | | # if defined(FIPS_MODULE) |
1673 | | OSSL_PARAM *ind_d; |
1674 | | # endif |
1675 | | # if defined(FIPS_MODULE) |
1676 | | OSSL_PARAM *ind_k; |
1677 | | # endif |
1678 | | # if defined(FIPS_MODULE) |
1679 | | OSSL_PARAM *ind_slen; |
1680 | | # endif |
1681 | | # if defined(FIPS_MODULE) |
1682 | | OSSL_PARAM *ind_xpad; |
1683 | | # endif |
1684 | | OSSL_PARAM *mgf1; |
1685 | | OSSL_PARAM *mgf1pq; |
1686 | | OSSL_PARAM *pad; |
1687 | | OSSL_PARAM *propq; |
1688 | | OSSL_PARAM *slen; |
1689 | | }; |
1690 | | #endif |
1691 | | |
1692 | | #ifndef rsa_set_ctx_params_decoder |
1693 | | static int rsa_set_ctx_params_decoder |
1694 | | (const OSSL_PARAM *p, struct rsa_set_ctx_params_st *r) |
1695 | 0 | { |
1696 | 0 | const char *s; |
1697 | |
|
1698 | 0 | memset(r, 0, sizeof(*r)); |
1699 | 0 | if (p != NULL) |
1700 | 0 | for (; (s = p->key) != NULL; p++) |
1701 | 0 | switch(s[0]) { |
1702 | 0 | default: |
1703 | 0 | break; |
1704 | 0 | case 'd': |
1705 | 0 | switch(s[1]) { |
1706 | 0 | default: |
1707 | 0 | break; |
1708 | 0 | case 'i': |
1709 | 0 | switch(s[2]) { |
1710 | 0 | default: |
1711 | 0 | break; |
1712 | 0 | case 'g': |
1713 | 0 | switch(s[3]) { |
1714 | 0 | default: |
1715 | 0 | break; |
1716 | 0 | case 'e': |
1717 | 0 | switch(s[4]) { |
1718 | 0 | default: |
1719 | 0 | break; |
1720 | 0 | case 's': |
1721 | 0 | switch(s[5]) { |
1722 | 0 | default: |
1723 | 0 | break; |
1724 | 0 | case 't': |
1725 | 0 | switch(s[6]) { |
1726 | 0 | default: |
1727 | 0 | break; |
1728 | 0 | case '-': |
1729 | | # if defined(FIPS_MODULE) |
1730 | | if (ossl_likely(strcmp("check", s + 7) == 0)) { |
1731 | | /* OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK */ |
1732 | | if (ossl_unlikely(r->ind_d != NULL)) { |
1733 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1734 | | "param %s is repeated", s); |
1735 | | return 0; |
1736 | | } |
1737 | | r->ind_d = (OSSL_PARAM *)p; |
1738 | | } |
1739 | | # endif |
1740 | 0 | break; |
1741 | 0 | case '\0': |
1742 | 0 | if (ossl_unlikely(r->digest != NULL)) { |
1743 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1744 | 0 | "param %s is repeated", s); |
1745 | 0 | return 0; |
1746 | 0 | } |
1747 | 0 | r->digest = (OSSL_PARAM *)p; |
1748 | 0 | } |
1749 | 0 | } |
1750 | 0 | } |
1751 | 0 | } |
1752 | 0 | } |
1753 | 0 | } |
1754 | 0 | break; |
1755 | 0 | case 'k': |
1756 | | # if defined(FIPS_MODULE) |
1757 | | if (ossl_likely(strcmp("ey-check", s + 1) == 0)) { |
1758 | | /* OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK */ |
1759 | | if (ossl_unlikely(r->ind_k != NULL)) { |
1760 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1761 | | "param %s is repeated", s); |
1762 | | return 0; |
1763 | | } |
1764 | | r->ind_k = (OSSL_PARAM *)p; |
1765 | | } |
1766 | | # endif |
1767 | 0 | break; |
1768 | 0 | case 'm': |
1769 | 0 | switch(s[1]) { |
1770 | 0 | default: |
1771 | 0 | break; |
1772 | 0 | case 'g': |
1773 | 0 | switch(s[2]) { |
1774 | 0 | default: |
1775 | 0 | break; |
1776 | 0 | case 'f': |
1777 | 0 | switch(s[3]) { |
1778 | 0 | default: |
1779 | 0 | break; |
1780 | 0 | case '1': |
1781 | 0 | switch(s[4]) { |
1782 | 0 | default: |
1783 | 0 | break; |
1784 | 0 | case '-': |
1785 | 0 | switch(s[5]) { |
1786 | 0 | default: |
1787 | 0 | break; |
1788 | 0 | case 'd': |
1789 | 0 | if (ossl_likely(strcmp("igest", s + 6) == 0)) { |
1790 | | /* OSSL_SIGNATURE_PARAM_MGF1_DIGEST */ |
1791 | 0 | if (ossl_unlikely(r->mgf1 != NULL)) { |
1792 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1793 | 0 | "param %s is repeated", s); |
1794 | 0 | return 0; |
1795 | 0 | } |
1796 | 0 | r->mgf1 = (OSSL_PARAM *)p; |
1797 | 0 | } |
1798 | 0 | break; |
1799 | 0 | case 'p': |
1800 | 0 | if (ossl_likely(strcmp("roperties", s + 6) == 0)) { |
1801 | | /* OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES */ |
1802 | 0 | if (ossl_unlikely(r->mgf1pq != NULL)) { |
1803 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1804 | 0 | "param %s is repeated", s); |
1805 | 0 | return 0; |
1806 | 0 | } |
1807 | 0 | r->mgf1pq = (OSSL_PARAM *)p; |
1808 | 0 | } |
1809 | 0 | } |
1810 | 0 | } |
1811 | 0 | } |
1812 | 0 | } |
1813 | 0 | } |
1814 | 0 | break; |
1815 | 0 | case 'p': |
1816 | 0 | switch(s[1]) { |
1817 | 0 | default: |
1818 | 0 | break; |
1819 | 0 | case 'a': |
1820 | 0 | if (ossl_likely(strcmp("d-mode", s + 2) == 0)) { |
1821 | | /* OSSL_SIGNATURE_PARAM_PAD_MODE */ |
1822 | 0 | if (ossl_unlikely(r->pad != NULL)) { |
1823 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1824 | 0 | "param %s is repeated", s); |
1825 | 0 | return 0; |
1826 | 0 | } |
1827 | 0 | r->pad = (OSSL_PARAM *)p; |
1828 | 0 | } |
1829 | 0 | break; |
1830 | 0 | case 'r': |
1831 | 0 | if (ossl_likely(strcmp("operties", s + 2) == 0)) { |
1832 | | /* OSSL_SIGNATURE_PARAM_PROPERTIES */ |
1833 | 0 | if (ossl_unlikely(r->propq != NULL)) { |
1834 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1835 | 0 | "param %s is repeated", s); |
1836 | 0 | return 0; |
1837 | 0 | } |
1838 | 0 | r->propq = (OSSL_PARAM *)p; |
1839 | 0 | } |
1840 | 0 | } |
1841 | 0 | break; |
1842 | 0 | case 'r': |
1843 | | # if defined(FIPS_MODULE) |
1844 | | if (ossl_likely(strcmp("sa-pss-saltlen-check", s + 1) == 0)) { |
1845 | | /* OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK */ |
1846 | | if (ossl_unlikely(r->ind_slen != NULL)) { |
1847 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1848 | | "param %s is repeated", s); |
1849 | | return 0; |
1850 | | } |
1851 | | r->ind_slen = (OSSL_PARAM *)p; |
1852 | | } |
1853 | | # endif |
1854 | 0 | break; |
1855 | 0 | case 's': |
1856 | 0 | switch(s[1]) { |
1857 | 0 | default: |
1858 | 0 | break; |
1859 | 0 | case 'a': |
1860 | 0 | if (ossl_likely(strcmp("ltlen", s + 2) == 0)) { |
1861 | | /* OSSL_SIGNATURE_PARAM_PSS_SALTLEN */ |
1862 | 0 | if (ossl_unlikely(r->slen != NULL)) { |
1863 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1864 | 0 | "param %s is repeated", s); |
1865 | 0 | return 0; |
1866 | 0 | } |
1867 | 0 | r->slen = (OSSL_PARAM *)p; |
1868 | 0 | } |
1869 | 0 | break; |
1870 | 0 | case 'i': |
1871 | | # if defined(FIPS_MODULE) |
1872 | | if (ossl_likely(strcmp("gn-x931-pad-check", s + 2) == 0)) { |
1873 | | /* OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK */ |
1874 | | if (ossl_unlikely(r->ind_xpad != NULL)) { |
1875 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1876 | | "param %s is repeated", s); |
1877 | | return 0; |
1878 | | } |
1879 | | r->ind_xpad = (OSSL_PARAM *)p; |
1880 | | } |
1881 | | # endif |
1882 | 0 | break; |
1883 | 0 | } |
1884 | 0 | break; |
1885 | 0 | } |
1886 | 0 | return 1; |
1887 | 0 | } |
1888 | | #endif |
1889 | | /* End of machine generated */ |
1890 | | |
1891 | | #define rsa_set_ctx_params_no_digest_st rsa_set_ctx_params_st |
1892 | | |
1893 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
1894 | | #ifndef rsa_set_ctx_params_no_digest_list |
1895 | | static const OSSL_PARAM rsa_set_ctx_params_no_digest_list[] = { |
1896 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1897 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL), |
1898 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1899 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), |
1900 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1901 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL), |
1902 | | # if defined(FIPS_MODULE) |
1903 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK, NULL), |
1904 | | # endif |
1905 | | # if defined(FIPS_MODULE) |
1906 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK, NULL), |
1907 | | # endif |
1908 | | # if defined(FIPS_MODULE) |
1909 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK, NULL), |
1910 | | # endif |
1911 | | # if defined(FIPS_MODULE) |
1912 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK, NULL), |
1913 | | # endif |
1914 | | OSSL_PARAM_END |
1915 | | }; |
1916 | | #endif |
1917 | | |
1918 | | #ifndef rsa_set_ctx_params_no_digest_st |
1919 | | struct rsa_set_ctx_params_no_digest_st { |
1920 | | # if defined(FIPS_MODULE) |
1921 | | OSSL_PARAM *ind_d; |
1922 | | # endif |
1923 | | # if defined(FIPS_MODULE) |
1924 | | OSSL_PARAM *ind_k; |
1925 | | # endif |
1926 | | # if defined(FIPS_MODULE) |
1927 | | OSSL_PARAM *ind_slen; |
1928 | | # endif |
1929 | | # if defined(FIPS_MODULE) |
1930 | | OSSL_PARAM *ind_xpad; |
1931 | | # endif |
1932 | | OSSL_PARAM *mgf1; |
1933 | | OSSL_PARAM *mgf1pq; |
1934 | | OSSL_PARAM *pad; |
1935 | | OSSL_PARAM *slen; |
1936 | | }; |
1937 | | #endif |
1938 | | |
1939 | | #ifndef rsa_set_ctx_params_no_digest_decoder |
1940 | | static int rsa_set_ctx_params_no_digest_decoder |
1941 | | (const OSSL_PARAM *p, struct rsa_set_ctx_params_no_digest_st *r) |
1942 | 14.5k | { |
1943 | 14.5k | const char *s; |
1944 | | |
1945 | 14.5k | memset(r, 0, sizeof(*r)); |
1946 | 14.5k | if (p != NULL) |
1947 | 29.0k | for (; (s = p->key) != NULL; p++) |
1948 | 14.5k | switch(s[0]) { |
1949 | 0 | default: |
1950 | 0 | break; |
1951 | 0 | case 'd': |
1952 | | # if defined(FIPS_MODULE) |
1953 | | if (ossl_likely(strcmp("igest-check", s + 1) == 0)) { |
1954 | | /* OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK */ |
1955 | | if (ossl_unlikely(r->ind_d != NULL)) { |
1956 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1957 | | "param %s is repeated", s); |
1958 | | return 0; |
1959 | | } |
1960 | | r->ind_d = (OSSL_PARAM *)p; |
1961 | | } |
1962 | | # endif |
1963 | 0 | break; |
1964 | 0 | case 'k': |
1965 | | # if defined(FIPS_MODULE) |
1966 | | if (ossl_likely(strcmp("ey-check", s + 1) == 0)) { |
1967 | | /* OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK */ |
1968 | | if (ossl_unlikely(r->ind_k != NULL)) { |
1969 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1970 | | "param %s is repeated", s); |
1971 | | return 0; |
1972 | | } |
1973 | | r->ind_k = (OSSL_PARAM *)p; |
1974 | | } |
1975 | | # endif |
1976 | 0 | break; |
1977 | 1.19k | case 'm': |
1978 | 1.19k | switch(s[1]) { |
1979 | 0 | default: |
1980 | 0 | break; |
1981 | 1.19k | case 'g': |
1982 | 1.19k | switch(s[2]) { |
1983 | 0 | default: |
1984 | 0 | break; |
1985 | 1.19k | case 'f': |
1986 | 1.19k | switch(s[3]) { |
1987 | 0 | default: |
1988 | 0 | break; |
1989 | 1.19k | case '1': |
1990 | 1.19k | switch(s[4]) { |
1991 | 0 | default: |
1992 | 0 | break; |
1993 | 1.19k | case '-': |
1994 | 1.19k | switch(s[5]) { |
1995 | 0 | default: |
1996 | 0 | break; |
1997 | 1.19k | case 'd': |
1998 | 1.19k | if (ossl_likely(strcmp("igest", s + 6) == 0)) { |
1999 | | /* OSSL_SIGNATURE_PARAM_MGF1_DIGEST */ |
2000 | 1.19k | if (ossl_unlikely(r->mgf1 != NULL)) { |
2001 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2002 | 0 | "param %s is repeated", s); |
2003 | 0 | return 0; |
2004 | 0 | } |
2005 | 1.19k | r->mgf1 = (OSSL_PARAM *)p; |
2006 | 1.19k | } |
2007 | 1.19k | break; |
2008 | 1.19k | case 'p': |
2009 | 0 | if (ossl_likely(strcmp("roperties", s + 6) == 0)) { |
2010 | | /* OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES */ |
2011 | 0 | if (ossl_unlikely(r->mgf1pq != NULL)) { |
2012 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2013 | 0 | "param %s is repeated", s); |
2014 | 0 | return 0; |
2015 | 0 | } |
2016 | 0 | r->mgf1pq = (OSSL_PARAM *)p; |
2017 | 0 | } |
2018 | 1.19k | } |
2019 | 1.19k | } |
2020 | 1.19k | } |
2021 | 1.19k | } |
2022 | 1.19k | } |
2023 | 1.19k | break; |
2024 | 6.65k | case 'p': |
2025 | 6.65k | if (ossl_likely(strcmp("ad-mode", s + 1) == 0)) { |
2026 | | /* OSSL_SIGNATURE_PARAM_PAD_MODE */ |
2027 | 6.65k | if (ossl_unlikely(r->pad != NULL)) { |
2028 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2029 | 0 | "param %s is repeated", s); |
2030 | 0 | return 0; |
2031 | 0 | } |
2032 | 6.65k | r->pad = (OSSL_PARAM *)p; |
2033 | 6.65k | } |
2034 | 6.65k | break; |
2035 | 6.65k | case 'r': |
2036 | | # if defined(FIPS_MODULE) |
2037 | | if (ossl_likely(strcmp("sa-pss-saltlen-check", s + 1) == 0)) { |
2038 | | /* OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK */ |
2039 | | if (ossl_unlikely(r->ind_slen != NULL)) { |
2040 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2041 | | "param %s is repeated", s); |
2042 | | return 0; |
2043 | | } |
2044 | | r->ind_slen = (OSSL_PARAM *)p; |
2045 | | } |
2046 | | # endif |
2047 | 0 | break; |
2048 | 6.65k | case 's': |
2049 | 6.65k | switch(s[1]) { |
2050 | 0 | default: |
2051 | 0 | break; |
2052 | 6.65k | case 'a': |
2053 | 6.65k | if (ossl_likely(strcmp("ltlen", s + 2) == 0)) { |
2054 | | /* OSSL_SIGNATURE_PARAM_PSS_SALTLEN */ |
2055 | 6.65k | if (ossl_unlikely(r->slen != NULL)) { |
2056 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2057 | 0 | "param %s is repeated", s); |
2058 | 0 | return 0; |
2059 | 0 | } |
2060 | 6.65k | r->slen = (OSSL_PARAM *)p; |
2061 | 6.65k | } |
2062 | 6.65k | break; |
2063 | 6.65k | case 'i': |
2064 | | # if defined(FIPS_MODULE) |
2065 | | if (ossl_likely(strcmp("gn-x931-pad-check", s + 2) == 0)) { |
2066 | | /* OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK */ |
2067 | | if (ossl_unlikely(r->ind_xpad != NULL)) { |
2068 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2069 | | "param %s is repeated", s); |
2070 | | return 0; |
2071 | | } |
2072 | | r->ind_xpad = (OSSL_PARAM *)p; |
2073 | | } |
2074 | | # endif |
2075 | 0 | break; |
2076 | 6.65k | } |
2077 | 6.65k | break; |
2078 | 14.5k | } |
2079 | 14.5k | return 1; |
2080 | 14.5k | } |
2081 | | #endif |
2082 | | /* End of machine generated */ |
2083 | | |
2084 | | static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) |
2085 | 36.1k | { |
2086 | 36.1k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2087 | 36.1k | struct rsa_set_ctx_params_st p; |
2088 | 36.1k | int pad_mode; |
2089 | 36.1k | int saltlen; |
2090 | 36.1k | char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; |
2091 | 36.1k | char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; |
2092 | 36.1k | char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; |
2093 | 36.1k | char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL; |
2094 | | |
2095 | 36.1k | if (prsactx == NULL) |
2096 | 0 | return 0; |
2097 | | /* The processing code below doesn't handle no parameters properly */ |
2098 | 36.1k | if (ossl_param_is_empty(params)) |
2099 | 21.6k | return 1; |
2100 | | |
2101 | 14.5k | if (prsactx->flag_allow_md) { |
2102 | 0 | if (!rsa_set_ctx_params_decoder(params, &p)) |
2103 | 0 | return 0; |
2104 | 14.5k | } else { |
2105 | 14.5k | if (!rsa_set_ctx_params_no_digest_decoder(params, &p)) |
2106 | 0 | return 0; |
2107 | 14.5k | } |
2108 | | |
2109 | 14.5k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, |
2110 | 14.5k | p.ind_k)) |
2111 | 0 | return 0; |
2112 | | |
2113 | 14.5k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, |
2114 | 14.5k | p.ind_d)) |
2115 | 0 | return 0; |
2116 | | |
2117 | 14.5k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, |
2118 | 14.5k | p.ind_xpad)) |
2119 | 0 | return 0; |
2120 | | |
2121 | 14.5k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, |
2122 | 14.5k | p.ind_slen)) |
2123 | 0 | return 0; |
2124 | | |
2125 | 14.5k | pad_mode = prsactx->pad_mode; |
2126 | 14.5k | saltlen = prsactx->saltlen; |
2127 | | |
2128 | 14.5k | if (p.digest != NULL) { |
2129 | 0 | pmdname = mdname; |
2130 | 0 | if (!OSSL_PARAM_get_utf8_string(p.digest, &pmdname, sizeof(mdname))) |
2131 | 0 | return 0; |
2132 | | |
2133 | 0 | if (p.propq != NULL) { |
2134 | 0 | pmdprops = mdprops; |
2135 | 0 | if (!OSSL_PARAM_get_utf8_string(p.propq, |
2136 | 0 | &pmdprops, sizeof(mdprops))) |
2137 | 0 | return 0; |
2138 | 0 | } |
2139 | 0 | } |
2140 | | |
2141 | 14.5k | if (p.pad != NULL) { |
2142 | 6.65k | const char *err_extra_text = NULL; |
2143 | | |
2144 | 6.65k | if (p.pad->data_type != OSSL_PARAM_UTF8_STRING) { |
2145 | | /* Support for legacy pad mode number */ |
2146 | 6.65k | if (!OSSL_PARAM_get_int(p.pad, &pad_mode)) |
2147 | 0 | return 0; |
2148 | 6.65k | } else { |
2149 | 0 | int i; |
2150 | |
|
2151 | 0 | if (p.pad->data == NULL) |
2152 | 0 | return 0; |
2153 | | |
2154 | 0 | for (i = 0; padding_item[i].id != 0; i++) { |
2155 | 0 | if (strcmp(p.pad->data, padding_item[i].ptr) == 0) { |
2156 | 0 | pad_mode = padding_item[i].id; |
2157 | 0 | break; |
2158 | 0 | } |
2159 | 0 | } |
2160 | 0 | } |
2161 | | |
2162 | 6.65k | switch (pad_mode) { |
2163 | 0 | case RSA_PKCS1_OAEP_PADDING: |
2164 | | /* |
2165 | | * OAEP padding is for asymmetric cipher only so is not compatible |
2166 | | * with signature use. |
2167 | | */ |
2168 | 0 | err_extra_text = "OAEP padding not allowed for signing / verifying"; |
2169 | 0 | goto bad_pad; |
2170 | 6.65k | case RSA_PKCS1_PSS_PADDING: |
2171 | 6.65k | if ((prsactx->operation |
2172 | 6.65k | & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG |
2173 | 6.65k | | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) { |
2174 | 0 | err_extra_text = |
2175 | 0 | "PSS padding only allowed for sign and verify operations"; |
2176 | 0 | goto bad_pad; |
2177 | 0 | } |
2178 | 6.65k | break; |
2179 | 6.65k | case RSA_PKCS1_PADDING: |
2180 | 0 | err_extra_text = "PKCS#1 padding not allowed with RSA-PSS"; |
2181 | 0 | goto cont; |
2182 | 0 | case RSA_NO_PADDING: |
2183 | 0 | err_extra_text = "No padding not allowed with RSA-PSS"; |
2184 | 0 | goto cont; |
2185 | 0 | case RSA_X931_PADDING: |
2186 | | #ifdef FIPS_MODULE |
2187 | | /* X9.31 only allows sizes of 1024 + 256 * s (bits) */ |
2188 | | if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) { |
2189 | | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); |
2190 | | return 0; |
2191 | | } |
2192 | | /* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */ |
2193 | | if (!rsa_x931_padding_allowed(prsactx)) |
2194 | | return 0; |
2195 | | #endif |
2196 | 0 | err_extra_text = "X.931 padding not allowed with RSA-PSS"; |
2197 | 0 | cont: |
2198 | 0 | if (RSA_test_flags(prsactx->rsa, |
2199 | 0 | RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) |
2200 | 0 | break; |
2201 | | /* FALLTHRU */ |
2202 | 0 | default: |
2203 | 0 | bad_pad: |
2204 | 0 | if (err_extra_text == NULL) |
2205 | 0 | ERR_raise(ERR_LIB_PROV, |
2206 | 0 | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
2207 | 0 | else |
2208 | 0 | ERR_raise_data(ERR_LIB_PROV, |
2209 | 0 | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE, |
2210 | 0 | err_extra_text); |
2211 | 0 | return 0; |
2212 | 6.65k | } |
2213 | 6.65k | } |
2214 | | |
2215 | 14.5k | if (p.slen != NULL) { |
2216 | 6.65k | if (pad_mode != RSA_PKCS1_PSS_PADDING) { |
2217 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED, |
2218 | 0 | "PSS saltlen can only be specified if " |
2219 | 0 | "PSS padding has been specified first"); |
2220 | 0 | return 0; |
2221 | 0 | } |
2222 | | |
2223 | 6.65k | if (p.slen->data_type != OSSL_PARAM_UTF8_STRING) { |
2224 | | /* Support for legacy pad mode number */ |
2225 | 0 | if (!OSSL_PARAM_get_int(p.slen, &saltlen)) |
2226 | 0 | return 0; |
2227 | 6.65k | } else { |
2228 | 6.65k | if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0) |
2229 | 5.45k | saltlen = RSA_PSS_SALTLEN_DIGEST; |
2230 | 1.19k | else if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0) |
2231 | 0 | saltlen = RSA_PSS_SALTLEN_MAX; |
2232 | 1.19k | else if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) |
2233 | 0 | saltlen = RSA_PSS_SALTLEN_AUTO; |
2234 | 1.19k | else if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0) |
2235 | 0 | saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
2236 | 1.19k | else |
2237 | 1.19k | saltlen = atoi(p.slen->data); |
2238 | 6.65k | } |
2239 | | |
2240 | | /* |
2241 | | * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check. |
2242 | | * Contrary to what it's name suggests, it's the currently lowest |
2243 | | * saltlen number possible. |
2244 | | */ |
2245 | 6.65k | if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
2246 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
2247 | 0 | return 0; |
2248 | 0 | } |
2249 | | |
2250 | 6.65k | if (rsa_pss_restricted(prsactx)) { |
2251 | 25 | switch (saltlen) { |
2252 | 0 | case RSA_PSS_SALTLEN_AUTO: |
2253 | 0 | case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: |
2254 | 0 | if ((prsactx->operation |
2255 | 0 | & (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) { |
2256 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, |
2257 | 0 | "Cannot use autodetected salt length"); |
2258 | 0 | return 0; |
2259 | 0 | } |
2260 | 0 | break; |
2261 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
2262 | 0 | if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { |
2263 | 0 | ERR_raise_data(ERR_LIB_PROV, |
2264 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
2265 | 0 | "Should be more than %d, but would be " |
2266 | 0 | "set to match digest size (%d)", |
2267 | 0 | prsactx->min_saltlen, |
2268 | 0 | EVP_MD_get_size(prsactx->md)); |
2269 | 0 | return 0; |
2270 | 0 | } |
2271 | 0 | break; |
2272 | 25 | default: |
2273 | 25 | if (saltlen >= 0 && saltlen < prsactx->min_saltlen) { |
2274 | 0 | ERR_raise_data(ERR_LIB_PROV, |
2275 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
2276 | 0 | "Should be more than %d, " |
2277 | 0 | "but would be set to %d", |
2278 | 0 | prsactx->min_saltlen, saltlen); |
2279 | 0 | return 0; |
2280 | 0 | } |
2281 | 25 | } |
2282 | 25 | } |
2283 | 6.65k | } |
2284 | | |
2285 | 14.5k | if (p.mgf1 != NULL) { |
2286 | 1.19k | pmgf1mdname = mgf1mdname; |
2287 | 1.19k | if (!OSSL_PARAM_get_utf8_string(p.mgf1, &pmgf1mdname, sizeof(mgf1mdname))) |
2288 | 0 | return 0; |
2289 | | |
2290 | 1.19k | if (p.mgf1pq != NULL) { |
2291 | 0 | pmgf1mdprops = mgf1mdprops; |
2292 | 0 | if (!OSSL_PARAM_get_utf8_string(p.mgf1pq, |
2293 | 0 | &pmgf1mdprops, sizeof(mgf1mdprops))) |
2294 | 0 | return 0; |
2295 | 0 | } |
2296 | | |
2297 | 1.19k | if (pad_mode != RSA_PKCS1_PSS_PADDING) { |
2298 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD); |
2299 | 0 | return 0; |
2300 | 0 | } |
2301 | 1.19k | } |
2302 | | |
2303 | 14.5k | prsactx->saltlen = saltlen; |
2304 | 14.5k | prsactx->pad_mode = pad_mode; |
2305 | | |
2306 | 14.5k | if (prsactx->md == NULL && pmdname == NULL |
2307 | 0 | && pad_mode == RSA_PKCS1_PSS_PADDING) |
2308 | 0 | pmdname = RSA_DEFAULT_DIGEST_NAME; |
2309 | | |
2310 | 14.5k | if (pmgf1mdname != NULL |
2311 | 1.19k | && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) |
2312 | 0 | return 0; |
2313 | | |
2314 | 14.5k | if (pmdname != NULL) { |
2315 | 0 | if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx")) |
2316 | 0 | return 0; |
2317 | 14.5k | } else { |
2318 | 14.5k | if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid)) |
2319 | 0 | return 0; |
2320 | 14.5k | } |
2321 | 14.5k | return 1; |
2322 | 14.5k | } |
2323 | | |
2324 | | static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx, |
2325 | | ossl_unused void *provctx) |
2326 | 53.7k | { |
2327 | 53.7k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2328 | | |
2329 | 53.7k | if (prsactx != NULL && !prsactx->flag_allow_md) |
2330 | 53.7k | return rsa_set_ctx_params_no_digest_list; |
2331 | 11 | return rsa_set_ctx_params_list; |
2332 | 53.7k | } |
2333 | | |
2334 | | static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params) |
2335 | 0 | { |
2336 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2337 | |
|
2338 | 0 | if (prsactx->mdctx == NULL) |
2339 | 0 | return 0; |
2340 | | |
2341 | 0 | return EVP_MD_CTX_get_params(prsactx->mdctx, params); |
2342 | 0 | } |
2343 | | |
2344 | | static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx) |
2345 | 0 | { |
2346 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2347 | |
|
2348 | 0 | if (prsactx->md == NULL) |
2349 | 0 | return 0; |
2350 | | |
2351 | 0 | return EVP_MD_gettable_ctx_params(prsactx->md); |
2352 | 0 | } |
2353 | | |
2354 | | static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[]) |
2355 | 0 | { |
2356 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2357 | |
|
2358 | 0 | if (prsactx->mdctx == NULL) |
2359 | 0 | return 0; |
2360 | | |
2361 | 0 | return EVP_MD_CTX_set_params(prsactx->mdctx, params); |
2362 | 0 | } |
2363 | | |
2364 | | static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) |
2365 | 0 | { |
2366 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2367 | |
|
2368 | 0 | if (prsactx->md == NULL) |
2369 | 0 | return 0; |
2370 | | |
2371 | 0 | return EVP_MD_settable_ctx_params(prsactx->md); |
2372 | 0 | } |
2373 | | |
2374 | | const OSSL_DISPATCH ossl_rsa_signature_functions[] = { |
2375 | | { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, |
2376 | | { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, |
2377 | | { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, |
2378 | | { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init }, |
2379 | | { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify }, |
2380 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, |
2381 | | (void (*)(void))rsa_verify_recover_init }, |
2382 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, |
2383 | | (void (*)(void))rsa_verify_recover }, |
2384 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, |
2385 | | (void (*)(void))rsa_digest_sign_init }, |
2386 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, |
2387 | | (void (*)(void))rsa_digest_sign_update }, |
2388 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, |
2389 | | (void (*)(void))rsa_digest_sign_final }, |
2390 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, |
2391 | | (void (*)(void))rsa_digest_verify_init }, |
2392 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, |
2393 | | (void (*)(void))rsa_digest_verify_update }, |
2394 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, |
2395 | | (void (*)(void))rsa_digest_verify_final }, |
2396 | | { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, |
2397 | | { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, |
2398 | | { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params }, |
2399 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, |
2400 | | (void (*)(void))rsa_gettable_ctx_params }, |
2401 | | { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params }, |
2402 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, |
2403 | | (void (*)(void))rsa_settable_ctx_params }, |
2404 | | { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, |
2405 | | (void (*)(void))rsa_get_ctx_md_params }, |
2406 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, |
2407 | | (void (*)(void))rsa_gettable_ctx_md_params }, |
2408 | | { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, |
2409 | | (void (*)(void))rsa_set_ctx_md_params }, |
2410 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, |
2411 | | (void (*)(void))rsa_settable_ctx_md_params }, |
2412 | | OSSL_DISPATCH_END |
2413 | | }; |
2414 | | |
2415 | | /* ------------------------------------------------------------------ */ |
2416 | | |
2417 | | /* |
2418 | | * So called sigalgs (composite RSA+hash) implemented below. They |
2419 | | * are pretty much hard coded, and rely on the hash implementation |
2420 | | * being available as per what OPENSSL_NO_ macros allow. |
2421 | | */ |
2422 | | |
2423 | | static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; |
2424 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; |
2425 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; |
2426 | | |
2427 | | /* |
2428 | | * rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(), |
2429 | | * just doesn't allow fetching an MD from whatever the user chooses. |
2430 | | */ |
2431 | | static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa, |
2432 | | OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, |
2433 | | const OSSL_PARAM params[], |
2434 | | const char *mdname, |
2435 | | int operation, int pad_mode, |
2436 | | const char *desc) |
2437 | 0 | { |
2438 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2439 | |
|
2440 | 0 | if (!ossl_prov_is_running()) |
2441 | 0 | return 0; |
2442 | | |
2443 | 0 | if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation, |
2444 | 0 | desc)) |
2445 | 0 | return 0; |
2446 | | |
2447 | | /* PSS is currently not supported as a sigalg */ |
2448 | 0 | if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
2449 | 0 | ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
2450 | 0 | return 0; |
2451 | 0 | } |
2452 | | |
2453 | 0 | if (!rsa_setup_md(prsactx, mdname, NULL, desc)) |
2454 | 0 | return 0; |
2455 | | |
2456 | 0 | prsactx->pad_mode = pad_mode; |
2457 | 0 | prsactx->flag_sigalg = 1; |
2458 | 0 | prsactx->flag_allow_md = 0; |
2459 | |
|
2460 | 0 | if (prsactx->mdctx == NULL) { |
2461 | 0 | prsactx->mdctx = EVP_MD_CTX_new(); |
2462 | 0 | if (prsactx->mdctx == NULL) |
2463 | 0 | goto error; |
2464 | 0 | } |
2465 | | |
2466 | 0 | if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) |
2467 | 0 | goto error; |
2468 | | |
2469 | 0 | return 1; |
2470 | | |
2471 | 0 | error: |
2472 | 0 | EVP_MD_CTX_free(prsactx->mdctx); |
2473 | 0 | prsactx->mdctx = NULL; |
2474 | 0 | return 0; |
2475 | 0 | } |
2476 | | |
2477 | | static const char **rsa_sigalg_query_key_types(void) |
2478 | 0 | { |
2479 | 0 | static const char *keytypes[] = { "RSA", NULL }; |
2480 | |
|
2481 | 0 | return keytypes; |
2482 | 0 | } |
2483 | | |
2484 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
2485 | | #ifndef rsa_sigalg_set_ctx_params_list |
2486 | | static const OSSL_PARAM rsa_sigalg_set_ctx_params_list[] = { |
2487 | | OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0), |
2488 | | OSSL_PARAM_END |
2489 | | }; |
2490 | | #endif |
2491 | | |
2492 | | #ifndef rsa_sigalg_set_ctx_params_st |
2493 | | struct rsa_sigalg_set_ctx_params_st { |
2494 | | OSSL_PARAM *sig; |
2495 | | }; |
2496 | | #endif |
2497 | | |
2498 | | #ifndef rsa_sigalg_set_ctx_params_decoder |
2499 | | static int rsa_sigalg_set_ctx_params_decoder |
2500 | | (const OSSL_PARAM *p, struct rsa_sigalg_set_ctx_params_st *r) |
2501 | 8.75k | { |
2502 | 8.75k | const char *s; |
2503 | | |
2504 | 8.75k | memset(r, 0, sizeof(*r)); |
2505 | 8.75k | if (p != NULL) |
2506 | 17.5k | for (; (s = p->key) != NULL; p++) |
2507 | 8.75k | if (ossl_likely(strcmp("signature", s + 0) == 0)) { |
2508 | | /* OSSL_SIGNATURE_PARAM_SIGNATURE */ |
2509 | 8.75k | if (ossl_unlikely(r->sig != NULL)) { |
2510 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2511 | 0 | "param %s is repeated", s); |
2512 | 0 | return 0; |
2513 | 0 | } |
2514 | 8.75k | r->sig = (OSSL_PARAM *)p; |
2515 | 8.75k | } |
2516 | 8.75k | return 1; |
2517 | 8.75k | } |
2518 | | #endif |
2519 | | /* End of machine generated */ |
2520 | | |
2521 | | static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx, |
2522 | | ossl_unused void *provctx) |
2523 | 4 | { |
2524 | 4 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2525 | | |
2526 | 4 | if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG) |
2527 | 0 | return rsa_sigalg_set_ctx_params_list; |
2528 | 4 | return NULL; |
2529 | 4 | } |
2530 | | |
2531 | | static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) |
2532 | 8.75k | { |
2533 | 8.75k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2534 | 8.75k | struct rsa_sigalg_set_ctx_params_st p; |
2535 | | |
2536 | 8.75k | if (prsactx == NULL || !rsa_sigalg_set_ctx_params_decoder(params, &p)) |
2537 | 0 | return 0; |
2538 | | |
2539 | 8.75k | if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) { |
2540 | 8.75k | if (p.sig != NULL) { |
2541 | 8.75k | OPENSSL_free(prsactx->sig); |
2542 | 8.75k | prsactx->sig = NULL; |
2543 | 8.75k | prsactx->siglen = 0; |
2544 | 8.75k | if (!OSSL_PARAM_get_octet_string(p.sig, (void **)&prsactx->sig, |
2545 | 8.75k | 0, &prsactx->siglen)) |
2546 | 0 | return 0; |
2547 | 8.75k | } |
2548 | 8.75k | } |
2549 | 8.75k | return 1; |
2550 | 8.75k | } |
2551 | | |
2552 | | #define IMPL_RSA_SIGALG(md, MD) \ |
2553 | | static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \ |
2554 | | static OSSL_FUNC_signature_sign_message_init_fn \ |
2555 | | rsa_##md##_sign_message_init; \ |
2556 | | static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \ |
2557 | | static OSSL_FUNC_signature_verify_message_init_fn \ |
2558 | | rsa_##md##_verify_message_init; \ |
2559 | | \ |
2560 | | static int \ |
2561 | | rsa_##md##_sign_init(void *vprsactx, void *vrsa, \ |
2562 | | const OSSL_PARAM params[]) \ |
2563 | 0 | { \ |
2564 | 0 | static const char desc[] = "RSA Sigalg Sign Init"; \ |
2565 | 0 | \ |
2566 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2567 | 0 | rsa_sigalg_set_ctx_params, \ |
2568 | 0 | params, MD, \ |
2569 | 0 | EVP_PKEY_OP_SIGN, \ |
2570 | 0 | RSA_PKCS1_PADDING, \ |
2571 | 0 | desc); \ |
2572 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_sign_init |
2573 | | \ |
2574 | | static int \ |
2575 | | rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \ |
2576 | | const OSSL_PARAM params[]) \ |
2577 | 0 | { \ |
2578 | 0 | static const char desc[] = "RSA Sigalg Sign Message Init"; \ |
2579 | 0 | \ |
2580 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2581 | 0 | rsa_sigalg_set_ctx_params, \ |
2582 | 0 | params, MD, \ |
2583 | 0 | EVP_PKEY_OP_SIGNMSG, \ |
2584 | 0 | RSA_PKCS1_PADDING, \ |
2585 | 0 | desc); \ |
2586 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_sign_message_init |
2587 | | \ |
2588 | | static int \ |
2589 | | rsa_##md##_verify_init(void *vprsactx, void *vrsa, \ |
2590 | | const OSSL_PARAM params[]) \ |
2591 | 0 | { \ |
2592 | 0 | static const char desc[] = "RSA Sigalg Verify Init"; \ |
2593 | 0 | \ |
2594 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2595 | 0 | rsa_sigalg_set_ctx_params, \ |
2596 | 0 | params, MD, \ |
2597 | 0 | EVP_PKEY_OP_VERIFY, \ |
2598 | 0 | RSA_PKCS1_PADDING, \ |
2599 | 0 | desc); \ |
2600 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_verify_init |
2601 | | \ |
2602 | | static int \ |
2603 | | rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \ |
2604 | | const OSSL_PARAM params[]) \ |
2605 | 0 | { \ |
2606 | 0 | static const char desc[] = "RSA Sigalg Verify Recover Init"; \ |
2607 | 0 | \ |
2608 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2609 | 0 | rsa_sigalg_set_ctx_params, \ |
2610 | 0 | params, MD, \ |
2611 | 0 | EVP_PKEY_OP_VERIFYRECOVER, \ |
2612 | 0 | RSA_PKCS1_PADDING, \ |
2613 | 0 | desc); \ |
2614 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_verify_recover_init |
2615 | | \ |
2616 | | static int \ |
2617 | | rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \ |
2618 | | const OSSL_PARAM params[]) \ |
2619 | 0 | { \ |
2620 | 0 | static const char desc[] = "RSA Sigalg Verify Message Init"; \ |
2621 | 0 | \ |
2622 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2623 | 0 | rsa_sigalg_set_ctx_params, \ |
2624 | 0 | params, MD, \ |
2625 | 0 | EVP_PKEY_OP_VERIFYMSG, \ |
2626 | 0 | RSA_PKCS1_PADDING, \ |
2627 | 0 | desc); \ |
2628 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_verify_message_init |
2629 | | \ |
2630 | | const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \ |
2631 | | { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \ |
2632 | | { OSSL_FUNC_SIGNATURE_SIGN_INIT, \ |
2633 | | (void (*)(void))rsa_##md##_sign_init }, \ |
2634 | | { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \ |
2635 | | { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \ |
2636 | | (void (*)(void))rsa_##md##_sign_message_init }, \ |
2637 | | { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \ |
2638 | | (void (*)(void))rsa_signverify_message_update }, \ |
2639 | | { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \ |
2640 | | (void (*)(void))rsa_sign_message_final }, \ |
2641 | | { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \ |
2642 | | (void (*)(void))rsa_##md##_verify_init }, \ |
2643 | | { OSSL_FUNC_SIGNATURE_VERIFY, \ |
2644 | | (void (*)(void))rsa_verify }, \ |
2645 | | { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \ |
2646 | | (void (*)(void))rsa_##md##_verify_message_init }, \ |
2647 | | { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \ |
2648 | | (void (*)(void))rsa_signverify_message_update }, \ |
2649 | | { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \ |
2650 | | (void (*)(void))rsa_verify_message_final }, \ |
2651 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \ |
2652 | | (void (*)(void))rsa_##md##_verify_recover_init }, \ |
2653 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \ |
2654 | | (void (*)(void))rsa_verify_recover }, \ |
2655 | | { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \ |
2656 | | { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \ |
2657 | | { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \ |
2658 | | (void (*)(void))rsa_sigalg_query_key_types }, \ |
2659 | | { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \ |
2660 | | (void (*)(void))rsa_get_ctx_params }, \ |
2661 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \ |
2662 | | (void (*)(void))rsa_gettable_ctx_params }, \ |
2663 | | { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \ |
2664 | | (void (*)(void))rsa_sigalg_set_ctx_params }, \ |
2665 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \ |
2666 | | (void (*)(void))rsa_sigalg_settable_ctx_params }, \ |
2667 | | OSSL_DISPATCH_END \ |
2668 | | } |
2669 | | |
2670 | | #if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE) |
2671 | | IMPL_RSA_SIGALG(ripemd160, "RIPEMD160"); |
2672 | | #endif |
2673 | | IMPL_RSA_SIGALG(sha1, "SHA1"); |
2674 | | IMPL_RSA_SIGALG(sha224, "SHA2-224"); |
2675 | | IMPL_RSA_SIGALG(sha256, "SHA2-256"); |
2676 | | IMPL_RSA_SIGALG(sha384, "SHA2-384"); |
2677 | | IMPL_RSA_SIGALG(sha512, "SHA2-512"); |
2678 | | IMPL_RSA_SIGALG(sha512_224, "SHA2-512/224"); |
2679 | | IMPL_RSA_SIGALG(sha512_256, "SHA2-512/256"); |
2680 | | IMPL_RSA_SIGALG(sha3_224, "SHA3-224"); |
2681 | | IMPL_RSA_SIGALG(sha3_256, "SHA3-256"); |
2682 | | IMPL_RSA_SIGALG(sha3_384, "SHA3-384"); |
2683 | | IMPL_RSA_SIGALG(sha3_512, "SHA3-512"); |
2684 | | #if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE) |
2685 | | IMPL_RSA_SIGALG(sm3, "SM3"); |
2686 | | #endif |