/src/openssl36/providers/implementations/signature/rsa_sig.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | /* clang-format off */ |
10 | | |
11 | | /* clang-format on */ |
12 | | |
13 | | /* |
14 | | * RSA low level APIs are deprecated for public use, but still ok for |
15 | | * internal use. |
16 | | */ |
17 | | #include "internal/deprecated.h" |
18 | | |
19 | | #include <string.h> |
20 | | #include <openssl/crypto.h> |
21 | | #include <openssl/core_dispatch.h> |
22 | | #include <openssl/core_names.h> |
23 | | #include <openssl/err.h> |
24 | | #include <openssl/obj_mac.h> |
25 | | #include <openssl/rsa.h> |
26 | | #include <openssl/params.h> |
27 | | #include <openssl/evp.h> |
28 | | #include <openssl/proverr.h> |
29 | | #include "internal/cryptlib.h" |
30 | | #include "internal/nelem.h" |
31 | | #include "internal/sizes.h" |
32 | | #include "crypto/rsa.h" |
33 | | #include "prov/providercommon.h" |
34 | | #include "prov/implementations.h" |
35 | | #include "prov/provider_ctx.h" |
36 | | #include "prov/der_rsa.h" |
37 | | #include "prov/securitycheck.h" |
38 | | |
39 | 0 | #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 |
40 | | |
41 | | static OSSL_FUNC_signature_newctx_fn rsa_newctx; |
42 | | static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; |
43 | | static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; |
44 | | static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; |
45 | | static OSSL_FUNC_signature_sign_fn rsa_sign; |
46 | | static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update; |
47 | | static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final; |
48 | | static OSSL_FUNC_signature_verify_fn rsa_verify; |
49 | | static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover; |
50 | | static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update; |
51 | | static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final; |
52 | | static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init; |
53 | | static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update; |
54 | | static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; |
55 | | static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; |
56 | | static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update; |
57 | | static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; |
58 | | static OSSL_FUNC_signature_freectx_fn rsa_freectx; |
59 | | static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; |
60 | | static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; |
61 | | static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; |
62 | | static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; |
63 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params; |
64 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params; |
65 | | static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params; |
66 | | static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params; |
67 | | static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params; |
68 | | static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params; |
69 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; |
70 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; |
71 | | |
72 | | static OSSL_ITEM padding_item[] = { |
73 | | { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 }, |
74 | | { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE }, |
75 | | { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 }, |
76 | | { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS }, |
77 | | { 0, NULL } |
78 | | }; |
79 | | |
80 | | /* |
81 | | * What's passed as an actual key is defined by the KEYMGMT interface. |
82 | | * We happen to know that our KEYMGMT simply passes RSA structures, so |
83 | | * we use that here too. |
84 | | */ |
85 | | |
86 | | typedef struct { |
87 | | OSSL_LIB_CTX *libctx; |
88 | | char *propq; |
89 | | RSA *rsa; |
90 | | int operation; |
91 | | |
92 | | /* |
93 | | * Flag to determine if a full sigalg is run (1) or if a composable |
94 | | * signature algorithm is run (0). |
95 | | * |
96 | | * When a full sigalg is run (1), this currently affects the following |
97 | | * other flags, which are to remain untouched after their initialization: |
98 | | * |
99 | | * - flag_allow_md (initialized to 0) |
100 | | */ |
101 | | unsigned int flag_sigalg : 1; |
102 | | /* |
103 | | * Flag to determine if the hash function can be changed (1) or not (0) |
104 | | * Because it's dangerous to change during a DigestSign or DigestVerify |
105 | | * operation, this flag is cleared by their Init function, and set again |
106 | | * by their Final function. |
107 | | * Implementations of full sigalgs (such as RSA-SHA256) hard-code this |
108 | | * flag to not allow changes (0). |
109 | | */ |
110 | | unsigned int flag_allow_md : 1; |
111 | | unsigned int mgf1_md_set : 1; |
112 | | /* |
113 | | * Flags to say what are the possible next external calls in what |
114 | | * constitutes the life cycle of an algorithm. The relevant calls are: |
115 | | * - init |
116 | | * - update |
117 | | * - final |
118 | | * - oneshot |
119 | | * All other external calls are regarded as utilitarian and are allowed |
120 | | * at any time (they may be affected by other flags, like flag_allow_md, |
121 | | * though). |
122 | | */ |
123 | | unsigned int flag_allow_update : 1; |
124 | | unsigned int flag_allow_final : 1; |
125 | | unsigned int flag_allow_oneshot : 1; |
126 | | |
127 | | /* main digest */ |
128 | | EVP_MD *md; |
129 | | EVP_MD_CTX *mdctx; |
130 | | int mdnid; |
131 | | char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ |
132 | | |
133 | | /* RSA padding mode */ |
134 | | int pad_mode; |
135 | | /* message digest for MGF1 */ |
136 | | EVP_MD *mgf1_md; |
137 | | int mgf1_mdnid; |
138 | | char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ |
139 | | /* PSS salt length */ |
140 | | int saltlen; |
141 | | /* Minimum salt length or -1 if no PSS parameter restriction */ |
142 | | int min_saltlen; |
143 | | |
144 | | /* Signature, for verification */ |
145 | | unsigned char *sig; |
146 | | size_t siglen; |
147 | | |
148 | | #ifdef FIPS_MODULE |
149 | | /* |
150 | | * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a |
151 | | * message is not permitted. However, signing based on a digest is still |
152 | | * permitted. |
153 | | */ |
154 | | int verify_message; |
155 | | #endif |
156 | | |
157 | | /* Temp buffer */ |
158 | | unsigned char *tbuf; |
159 | | |
160 | | OSSL_FIPS_IND_DECLARE |
161 | | } PROV_RSA_CTX; |
162 | | |
163 | | /* True if PSS parameters are restricted */ |
164 | 67.7k | #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) |
165 | | |
166 | | static int rsa_get_md_size(const PROV_RSA_CTX *prsactx) |
167 | 24.9k | { |
168 | 24.9k | int md_size; |
169 | | |
170 | 24.9k | if (prsactx->md != NULL) { |
171 | 24.9k | md_size = EVP_MD_get_size(prsactx->md); |
172 | 24.9k | if (md_size <= 0) |
173 | 0 | return 0; |
174 | 24.9k | return md_size; |
175 | 24.9k | } |
176 | 0 | return 0; |
177 | 24.9k | } |
178 | | |
179 | | static int rsa_check_padding(const PROV_RSA_CTX *prsactx, |
180 | | const char *mdname, const char *mgf1_mdname, |
181 | | int mdnid) |
182 | 129k | { |
183 | 129k | switch (prsactx->pad_mode) { |
184 | 0 | case RSA_NO_PADDING: |
185 | 0 | if (mdname != NULL || mdnid != NID_undef) { |
186 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); |
187 | 0 | return 0; |
188 | 0 | } |
189 | 0 | break; |
190 | 0 | case RSA_X931_PADDING: |
191 | 0 | if (RSA_X931_hash_id(mdnid) == -1) { |
192 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); |
193 | 0 | return 0; |
194 | 0 | } |
195 | 0 | break; |
196 | 57.8k | case RSA_PKCS1_PSS_PADDING: |
197 | 57.8k | if (rsa_pss_restricted(prsactx)) |
198 | 1.80k | if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname)) |
199 | 1.76k | || (mgf1_mdname != NULL |
200 | 439 | && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) { |
201 | 36 | ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); |
202 | 36 | return 0; |
203 | 36 | } |
204 | 57.8k | break; |
205 | 71.2k | default: |
206 | 71.2k | break; |
207 | 129k | } |
208 | | |
209 | 129k | return 1; |
210 | 129k | } |
211 | | |
212 | | static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) |
213 | 521 | { |
214 | 521 | if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
215 | 521 | int max_saltlen; |
216 | | |
217 | | /* See if minimum salt length exceeds maximum possible */ |
218 | 521 | max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md); |
219 | 521 | if ((RSA_bits(prsactx->rsa) & 0x7) == 1) |
220 | 133 | max_saltlen--; |
221 | 521 | if (min_saltlen < 0 || min_saltlen > max_saltlen) { |
222 | 39 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
223 | 39 | return 0; |
224 | 39 | } |
225 | 482 | prsactx->min_saltlen = min_saltlen; |
226 | 482 | } |
227 | 482 | return 1; |
228 | 521 | } |
229 | | |
230 | | static void *rsa_newctx(void *provctx, const char *propq) |
231 | 72.1k | { |
232 | 72.1k | PROV_RSA_CTX *prsactx = NULL; |
233 | 72.1k | char *propq_copy = NULL; |
234 | | |
235 | 72.1k | if (!ossl_prov_is_running()) |
236 | 0 | return NULL; |
237 | | |
238 | 72.1k | if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL |
239 | 72.1k | || (propq != NULL |
240 | 0 | && (propq_copy = OPENSSL_strdup(propq)) == NULL)) { |
241 | 0 | OPENSSL_free(prsactx); |
242 | 0 | return NULL; |
243 | 0 | } |
244 | | |
245 | 72.1k | OSSL_FIPS_IND_INIT(prsactx) |
246 | 72.1k | prsactx->libctx = PROV_LIBCTX_OF(provctx); |
247 | 72.1k | prsactx->flag_allow_md = 1; |
248 | | #ifdef FIPS_MODULE |
249 | | prsactx->verify_message = 1; |
250 | | #endif |
251 | 72.1k | prsactx->propq = propq_copy; |
252 | | /* Maximum up to digest length for sign, auto for verify */ |
253 | 72.1k | prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
254 | 72.1k | prsactx->min_saltlen = -1; |
255 | 72.1k | return prsactx; |
256 | 72.1k | } |
257 | | |
258 | | static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) |
259 | 0 | { |
260 | 0 | int saltlen = ctx->saltlen; |
261 | 0 | int saltlenMax = -1; |
262 | | |
263 | | /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection |
264 | | * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the |
265 | | * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of |
266 | | * the hash function output block (in bytes)." |
267 | | * |
268 | | * Provide a way to use at most the digest length, so that the default does |
269 | | * not violate FIPS 186-4. */ |
270 | 0 | if (saltlen == RSA_PSS_SALTLEN_DIGEST) { |
271 | 0 | if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) { |
272 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
273 | 0 | return -1; |
274 | 0 | } |
275 | 0 | } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
276 | 0 | saltlen = RSA_PSS_SALTLEN_MAX; |
277 | 0 | if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) { |
278 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
279 | 0 | return -1; |
280 | 0 | } |
281 | 0 | } |
282 | 0 | if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { |
283 | 0 | int mdsize, rsasize; |
284 | |
|
285 | 0 | if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) { |
286 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
287 | 0 | return -1; |
288 | 0 | } |
289 | 0 | if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) { |
290 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); |
291 | 0 | return -1; |
292 | 0 | } |
293 | 0 | saltlen = rsasize - mdsize - 2; |
294 | 0 | if ((RSA_bits(ctx->rsa) & 0x7) == 1) |
295 | 0 | saltlen--; |
296 | 0 | if (saltlenMax >= 0 && saltlen > saltlenMax) |
297 | 0 | saltlen = saltlenMax; |
298 | 0 | } |
299 | 0 | if (saltlen < 0) { |
300 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
301 | 0 | return -1; |
302 | 0 | } else if (saltlen < ctx->min_saltlen) { |
303 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, |
304 | 0 | "minimum salt length: %d, actual salt length: %d", |
305 | 0 | ctx->min_saltlen, saltlen); |
306 | 0 | return -1; |
307 | 0 | } |
308 | 0 | return saltlen; |
309 | 0 | } |
310 | | |
311 | | static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, |
312 | | unsigned char *aid_buf, |
313 | | size_t buf_len, |
314 | | size_t *aid_len) |
315 | 0 | { |
316 | 0 | WPACKET pkt; |
317 | 0 | unsigned char *aid = NULL; |
318 | 0 | int saltlen; |
319 | 0 | RSA_PSS_PARAMS_30 pss_params; |
320 | 0 | int ret; |
321 | |
|
322 | 0 | if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { |
323 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB); |
324 | 0 | return NULL; |
325 | 0 | } |
326 | | |
327 | 0 | switch (ctx->pad_mode) { |
328 | 0 | case RSA_PKCS1_PADDING: |
329 | 0 | ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, |
330 | 0 | ctx->mdnid); |
331 | |
|
332 | 0 | if (ret > 0) { |
333 | 0 | break; |
334 | 0 | } else if (ret == 0) { |
335 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
336 | 0 | goto cleanup; |
337 | 0 | } |
338 | 0 | ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, |
339 | 0 | "Algorithm ID generation - md NID: %d", |
340 | 0 | ctx->mdnid); |
341 | 0 | goto cleanup; |
342 | 0 | case RSA_PKCS1_PSS_PADDING: |
343 | 0 | saltlen = rsa_pss_compute_saltlen(ctx); |
344 | 0 | if (saltlen < 0) |
345 | 0 | goto cleanup; |
346 | 0 | if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) |
347 | 0 | || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) |
348 | 0 | || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, |
349 | 0 | ctx->mgf1_mdnid) |
350 | 0 | || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) |
351 | 0 | || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, |
352 | 0 | RSA_FLAG_TYPE_RSASSAPSS, |
353 | 0 | &pss_params)) { |
354 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
355 | 0 | goto cleanup; |
356 | 0 | } |
357 | 0 | break; |
358 | 0 | default: |
359 | 0 | ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, |
360 | 0 | "Algorithm ID generation - pad mode: %d", |
361 | 0 | ctx->pad_mode); |
362 | 0 | goto cleanup; |
363 | 0 | } |
364 | 0 | if (WPACKET_finish(&pkt)) { |
365 | 0 | WPACKET_get_total_written(&pkt, aid_len); |
366 | 0 | aid = WPACKET_get_curr(&pkt); |
367 | 0 | } |
368 | 0 | cleanup: |
369 | 0 | WPACKET_cleanup(&pkt); |
370 | 0 | return aid; |
371 | 0 | } |
372 | | |
373 | | static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, |
374 | | const char *mdprops, const char *desc) |
375 | 45.4k | { |
376 | 45.4k | EVP_MD *md = NULL; |
377 | | |
378 | 45.4k | if (mdprops == NULL) |
379 | 45.4k | mdprops = ctx->propq; |
380 | | |
381 | 45.4k | if (mdname != NULL) { |
382 | 45.4k | int md_nid; |
383 | 45.4k | size_t mdname_len = strlen(mdname); |
384 | | |
385 | 45.4k | md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); |
386 | | |
387 | 45.4k | if (md == NULL) { |
388 | 106 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
389 | 106 | "%s could not be fetched", mdname); |
390 | 106 | goto err; |
391 | 106 | } |
392 | 45.3k | md_nid = ossl_digest_rsa_sign_get_md_nid(md); |
393 | 45.3k | if (md_nid == NID_undef) { |
394 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
395 | 0 | "digest=%s", mdname); |
396 | 0 | goto err; |
397 | 0 | } |
398 | | /* |
399 | | * XOF digests are not allowed except for RSA PSS. |
400 | | * We don't support XOF digests with RSA PSS (yet), so just fail. |
401 | | * When we do support them, uncomment the second clause. |
402 | | */ |
403 | 45.3k | if (EVP_MD_xof(md) |
404 | 45.3k | /* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) { |
405 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); |
406 | 0 | goto err; |
407 | 0 | } |
408 | | #ifdef FIPS_MODULE |
409 | | { |
410 | | int sha1_allowed |
411 | | = ((ctx->operation |
412 | | & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) |
413 | | == 0); |
414 | | |
415 | | if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), |
416 | | OSSL_FIPS_IND_SETTABLE1, |
417 | | ctx->libctx, |
418 | | md_nid, sha1_allowed, 1, desc, |
419 | | ossl_fips_config_signature_digest_check)) |
420 | | goto err; |
421 | | } |
422 | | #endif |
423 | | |
424 | 45.3k | if (!rsa_check_padding(ctx, mdname, NULL, md_nid)) |
425 | 29 | goto err; |
426 | 45.3k | if (mdname_len >= sizeof(ctx->mdname)) { |
427 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
428 | 0 | "%s exceeds name buffer length", mdname); |
429 | 0 | goto err; |
430 | 0 | } |
431 | | |
432 | 45.3k | if (!ctx->flag_allow_md) { |
433 | 0 | if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { |
434 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
435 | 0 | "digest %s != %s", mdname, ctx->mdname); |
436 | 0 | goto err; |
437 | 0 | } |
438 | 0 | EVP_MD_free(md); |
439 | 0 | return 1; |
440 | 0 | } |
441 | | |
442 | 45.3k | if (!ctx->mgf1_md_set) { |
443 | 45.0k | if (!EVP_MD_up_ref(md)) { |
444 | 0 | goto err; |
445 | 0 | } |
446 | 45.0k | EVP_MD_free(ctx->mgf1_md); |
447 | 45.0k | ctx->mgf1_md = md; |
448 | 45.0k | ctx->mgf1_mdnid = md_nid; |
449 | 45.0k | OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); |
450 | 45.0k | } |
451 | | |
452 | 45.3k | EVP_MD_CTX_free(ctx->mdctx); |
453 | 45.3k | EVP_MD_free(ctx->md); |
454 | | |
455 | 45.3k | ctx->mdctx = NULL; |
456 | 45.3k | ctx->md = md; |
457 | 45.3k | ctx->mdnid = md_nid; |
458 | 45.3k | OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); |
459 | 45.3k | } |
460 | | |
461 | 45.3k | return 1; |
462 | 135 | err: |
463 | 135 | EVP_MD_free(md); |
464 | 135 | return 0; |
465 | 45.4k | } |
466 | | |
467 | | static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, |
468 | | const char *mdprops) |
469 | 5.74k | { |
470 | 5.74k | size_t len; |
471 | 5.74k | EVP_MD *md = NULL; |
472 | 5.74k | int mdnid; |
473 | | |
474 | 5.74k | if (mdprops == NULL) |
475 | 5.74k | mdprops = ctx->propq; |
476 | | |
477 | 5.74k | if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { |
478 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
479 | 0 | "%s could not be fetched", mdname); |
480 | 0 | return 0; |
481 | 0 | } |
482 | | /* The default for mgf1 is SHA1 - so allow SHA1 */ |
483 | 5.74k | if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0 |
484 | 5.74k | || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { |
485 | 0 | if (mdnid <= 0) |
486 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
487 | 0 | "digest=%s", mdname); |
488 | 0 | EVP_MD_free(md); |
489 | 0 | return 0; |
490 | 0 | } |
491 | 5.74k | len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); |
492 | 5.74k | if (len >= sizeof(ctx->mgf1_mdname)) { |
493 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
494 | 0 | "%s exceeds name buffer length", mdname); |
495 | 0 | EVP_MD_free(md); |
496 | 0 | return 0; |
497 | 0 | } |
498 | | |
499 | 5.74k | EVP_MD_free(ctx->mgf1_md); |
500 | 5.74k | ctx->mgf1_md = md; |
501 | 5.74k | ctx->mgf1_mdnid = mdnid; |
502 | 5.74k | ctx->mgf1_md_set = 1; |
503 | 5.74k | return 1; |
504 | 5.74k | } |
505 | | |
506 | | static int |
507 | | rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa, |
508 | | OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, |
509 | | const OSSL_PARAM params[], int operation, |
510 | | const char *desc) |
511 | 45.4k | { |
512 | 45.4k | int protect; |
513 | | |
514 | 45.4k | if (!ossl_prov_is_running() || prsactx == NULL) |
515 | 0 | return 0; |
516 | | |
517 | 45.4k | if (vrsa == NULL && prsactx->rsa == NULL) { |
518 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); |
519 | 0 | return 0; |
520 | 0 | } |
521 | | |
522 | 45.4k | if (vrsa != NULL) { |
523 | 45.4k | if (!RSA_up_ref(vrsa)) |
524 | 0 | return 0; |
525 | 45.4k | RSA_free(prsactx->rsa); |
526 | 45.4k | prsactx->rsa = vrsa; |
527 | 45.4k | } |
528 | 45.4k | if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect)) |
529 | 0 | return 0; |
530 | | |
531 | 45.4k | prsactx->operation = operation; |
532 | 45.4k | prsactx->flag_allow_update = 1; |
533 | 45.4k | prsactx->flag_allow_final = 1; |
534 | 45.4k | prsactx->flag_allow_oneshot = 1; |
535 | | |
536 | | /* Maximize up to digest length for sign, auto for verify */ |
537 | 45.4k | prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
538 | 45.4k | prsactx->min_saltlen = -1; |
539 | | |
540 | 45.4k | switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { |
541 | 45.0k | case RSA_FLAG_TYPE_RSA: |
542 | 45.0k | prsactx->pad_mode = RSA_PKCS1_PADDING; |
543 | 45.0k | break; |
544 | 433 | case RSA_FLAG_TYPE_RSASSAPSS: |
545 | 433 | prsactx->pad_mode = RSA_PKCS1_PSS_PADDING; |
546 | | |
547 | 433 | { |
548 | 433 | const RSA_PSS_PARAMS_30 *pss = ossl_rsa_get0_pss_params_30(prsactx->rsa); |
549 | | |
550 | 433 | if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { |
551 | 256 | int md_nid = ossl_rsa_pss_params_30_hashalg(pss); |
552 | 256 | int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); |
553 | 256 | int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss); |
554 | 256 | const char *mdname, *mgf1mdname; |
555 | 256 | size_t len; |
556 | | |
557 | 256 | mdname = ossl_rsa_oaeppss_nid2name(md_nid); |
558 | 256 | mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); |
559 | | |
560 | 256 | if (mdname == NULL) { |
561 | 1 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
562 | 1 | "PSS restrictions lack hash algorithm"); |
563 | 1 | return 0; |
564 | 1 | } |
565 | 255 | if (mgf1mdname == NULL) { |
566 | 1 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
567 | 1 | "PSS restrictions lack MGF1 hash algorithm"); |
568 | 1 | return 0; |
569 | 1 | } |
570 | | |
571 | 254 | len = OPENSSL_strlcpy(prsactx->mdname, mdname, |
572 | 254 | sizeof(prsactx->mdname)); |
573 | 254 | if (len >= sizeof(prsactx->mdname)) { |
574 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
575 | 0 | "hash algorithm name too long"); |
576 | 0 | return 0; |
577 | 0 | } |
578 | 254 | len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, |
579 | 254 | sizeof(prsactx->mgf1_mdname)); |
580 | 254 | if (len >= sizeof(prsactx->mgf1_mdname)) { |
581 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
582 | 0 | "MGF1 hash algorithm name too long"); |
583 | 0 | return 0; |
584 | 0 | } |
585 | 254 | prsactx->saltlen = min_saltlen; |
586 | | |
587 | | /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ |
588 | 254 | if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) |
589 | 254 | || !rsa_setup_md(prsactx, mdname, prsactx->propq, desc) |
590 | 254 | || !rsa_check_parameters(prsactx, min_saltlen)) |
591 | 32 | return 0; |
592 | 254 | } |
593 | 433 | } |
594 | | |
595 | 399 | break; |
596 | 399 | default: |
597 | 0 | ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
598 | 0 | return 0; |
599 | 45.4k | } |
600 | | |
601 | 45.4k | OSSL_FIPS_IND_SET_APPROVED(prsactx) |
602 | 45.4k | if (!set_ctx_params(prsactx, params)) |
603 | 0 | return 0; |
604 | | #ifdef FIPS_MODULE |
605 | | if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx), |
606 | | OSSL_FIPS_IND_SETTABLE0, prsactx->libctx, |
607 | | prsactx->rsa, desc, protect)) |
608 | | return 0; |
609 | | #endif |
610 | 45.4k | return 1; |
611 | 45.4k | } |
612 | | |
613 | | static int setup_tbuf(PROV_RSA_CTX *ctx) |
614 | 23.0k | { |
615 | 23.0k | if (ctx->tbuf != NULL) |
616 | 0 | return 1; |
617 | 23.0k | if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) |
618 | 24 | return 0; |
619 | 23.0k | return 1; |
620 | 23.0k | } |
621 | | |
622 | | static void clean_tbuf(PROV_RSA_CTX *ctx) |
623 | 108k | { |
624 | 108k | if (ctx->tbuf != NULL) |
625 | 24.4k | OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa)); |
626 | 108k | } |
627 | | |
628 | | static void free_tbuf(PROV_RSA_CTX *ctx) |
629 | 107k | { |
630 | 107k | clean_tbuf(ctx); |
631 | 107k | OPENSSL_free(ctx->tbuf); |
632 | 107k | ctx->tbuf = NULL; |
633 | 107k | } |
634 | | |
635 | | #ifdef FIPS_MODULE |
636 | | static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen) |
637 | | { |
638 | | int mdsize = rsa_get_md_size(ctx); |
639 | | /* |
640 | | * Perform the check if the salt length is compliant to FIPS 186-5. |
641 | | * |
642 | | * According to FIPS 186-5 5.4 (g), the salt length shall be between zero |
643 | | * and the output block length of the digest function (inclusive). |
644 | | */ |
645 | | int approved = (saltlen >= 0 && saltlen <= mdsize); |
646 | | |
647 | | if (!approved) { |
648 | | if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3, |
649 | | ctx->libctx, |
650 | | algoname, "PSS Salt Length", |
651 | | ossl_fips_config_rsa_pss_saltlen_check)) { |
652 | | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
653 | | return 0; |
654 | | } |
655 | | } |
656 | | |
657 | | return 1; |
658 | | } |
659 | | #endif |
660 | | |
661 | | static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[]) |
662 | 0 | { |
663 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
664 | |
|
665 | | #ifdef FIPS_MODULE |
666 | | if (prsactx != NULL) |
667 | | prsactx->verify_message = 1; |
668 | | #endif |
669 | |
|
670 | 0 | return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
671 | 0 | EVP_PKEY_OP_SIGN, "RSA Sign Init"); |
672 | 0 | } |
673 | | |
674 | | /* |
675 | | * Sign tbs without digesting it first. This is suitable for "primitive" |
676 | | * signing and signing the digest of a message, i.e. should be used with |
677 | | * implementations of the keytype related algorithms. |
678 | | */ |
679 | | static int rsa_sign_directly(PROV_RSA_CTX *prsactx, |
680 | | unsigned char *sig, size_t *siglen, size_t sigsize, |
681 | | const unsigned char *tbs, size_t tbslen) |
682 | 8.38k | { |
683 | 8.38k | int ret; |
684 | 8.38k | size_t rsasize = RSA_size(prsactx->rsa); |
685 | 8.38k | size_t mdsize = rsa_get_md_size(prsactx); |
686 | | |
687 | 8.38k | if (!ossl_prov_is_running()) |
688 | 0 | return 0; |
689 | | |
690 | 8.38k | if (sig == NULL) { |
691 | 4.19k | *siglen = rsasize; |
692 | 4.19k | return 1; |
693 | 4.19k | } |
694 | | |
695 | 4.19k | if (sigsize < rsasize) { |
696 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, |
697 | 0 | "is %zu, should be at least %zu", sigsize, rsasize); |
698 | 0 | return 0; |
699 | 0 | } |
700 | | |
701 | 4.19k | if (mdsize != 0) { |
702 | 4.19k | if (tbslen != mdsize) { |
703 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); |
704 | 0 | return 0; |
705 | 0 | } |
706 | | |
707 | 4.19k | #ifndef FIPS_MODULE |
708 | 4.19k | if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) { |
709 | 0 | unsigned int sltmp; |
710 | |
|
711 | 0 | if (prsactx->pad_mode != RSA_PKCS1_PADDING) { |
712 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
713 | 0 | "only PKCS#1 padding supported with MDC2"); |
714 | 0 | return 0; |
715 | 0 | } |
716 | 0 | ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, (unsigned int)tbslen, sig, |
717 | 0 | &sltmp, prsactx->rsa); |
718 | |
|
719 | 0 | if (ret <= 0) { |
720 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
721 | 0 | return 0; |
722 | 0 | } |
723 | 0 | ret = sltmp; |
724 | 0 | goto end; |
725 | 0 | } |
726 | 4.19k | #endif |
727 | 4.19k | switch (prsactx->pad_mode) { |
728 | 0 | case RSA_X931_PADDING: |
729 | 0 | if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) { |
730 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL, |
731 | 0 | "RSA key size = %d, expected minimum = %d", |
732 | 0 | RSA_size(prsactx->rsa), tbslen + 1); |
733 | 0 | return 0; |
734 | 0 | } |
735 | 0 | if (!setup_tbuf(prsactx)) { |
736 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB); |
737 | 0 | return 0; |
738 | 0 | } |
739 | 0 | memcpy(prsactx->tbuf, tbs, tbslen); |
740 | 0 | prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid); |
741 | 0 | ret = RSA_private_encrypt((int)(tbslen + 1), prsactx->tbuf, |
742 | 0 | sig, prsactx->rsa, RSA_X931_PADDING); |
743 | 0 | clean_tbuf(prsactx); |
744 | 0 | break; |
745 | 3.10k | case RSA_PKCS1_PADDING: { |
746 | 3.10k | unsigned int sltmp; |
747 | | |
748 | 3.10k | ret = RSA_sign(prsactx->mdnid, tbs, (unsigned int)tbslen, |
749 | 3.10k | sig, &sltmp, prsactx->rsa); |
750 | 3.10k | if (ret <= 0) { |
751 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
752 | 0 | return 0; |
753 | 0 | } |
754 | 3.10k | ret = sltmp; |
755 | 3.10k | } break; |
756 | | |
757 | 1.08k | case RSA_PKCS1_PSS_PADDING: { |
758 | 1.08k | int saltlen; |
759 | | |
760 | | /* Check PSS restrictions */ |
761 | 1.08k | if (rsa_pss_restricted(prsactx)) { |
762 | 0 | switch (prsactx->saltlen) { |
763 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
764 | 0 | if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { |
765 | 0 | ERR_raise_data(ERR_LIB_PROV, |
766 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
767 | 0 | "minimum salt length set to %d, " |
768 | 0 | "but the digest only gives %d", |
769 | 0 | prsactx->min_saltlen, |
770 | 0 | EVP_MD_get_size(prsactx->md)); |
771 | 0 | return 0; |
772 | 0 | } |
773 | | /* FALLTHRU */ |
774 | 0 | default: |
775 | 0 | if (prsactx->saltlen >= 0 |
776 | 0 | && prsactx->saltlen < prsactx->min_saltlen) { |
777 | 0 | ERR_raise_data(ERR_LIB_PROV, |
778 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
779 | 0 | "minimum salt length set to %d, but the" |
780 | 0 | "actual salt length is only set to %d", |
781 | 0 | prsactx->min_saltlen, |
782 | 0 | prsactx->saltlen); |
783 | 0 | return 0; |
784 | 0 | } |
785 | 0 | break; |
786 | 0 | } |
787 | 0 | } |
788 | 1.08k | if (!setup_tbuf(prsactx)) |
789 | 0 | return 0; |
790 | 1.08k | saltlen = prsactx->saltlen; |
791 | 1.08k | if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa, |
792 | 1.08k | prsactx->tbuf, tbs, |
793 | 1.08k | prsactx->md, prsactx->mgf1_md, |
794 | 1.08k | &saltlen)) { |
795 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
796 | 0 | return 0; |
797 | 0 | } |
798 | | #ifdef FIPS_MODULE |
799 | | if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen)) |
800 | | return 0; |
801 | | #endif |
802 | 1.08k | ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf, |
803 | 1.08k | sig, prsactx->rsa, RSA_NO_PADDING); |
804 | 1.08k | clean_tbuf(prsactx); |
805 | 1.08k | } break; |
806 | | |
807 | 0 | default: |
808 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
809 | 0 | "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); |
810 | 0 | return 0; |
811 | 4.19k | } |
812 | 4.19k | } else { |
813 | 0 | ret = RSA_private_encrypt((int)tbslen, tbs, sig, prsactx->rsa, |
814 | 0 | prsactx->pad_mode); |
815 | 0 | } |
816 | | |
817 | 4.19k | #ifndef FIPS_MODULE |
818 | 4.19k | end: |
819 | 4.19k | #endif |
820 | 4.19k | if (ret <= 0) { |
821 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
822 | 0 | return 0; |
823 | 0 | } |
824 | | |
825 | 4.19k | *siglen = ret; |
826 | 4.19k | return 1; |
827 | 4.19k | } |
828 | | |
829 | | static int rsa_signverify_message_update(void *vprsactx, |
830 | | const unsigned char *data, |
831 | | size_t datalen) |
832 | 25.9k | { |
833 | 25.9k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
834 | | |
835 | 25.9k | if (prsactx == NULL || prsactx->mdctx == NULL) |
836 | 0 | return 0; |
837 | | |
838 | 25.9k | if (!prsactx->flag_allow_update) { |
839 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER); |
840 | 0 | return 0; |
841 | 0 | } |
842 | 25.9k | prsactx->flag_allow_oneshot = 0; |
843 | | |
844 | 25.9k | return EVP_DigestUpdate(prsactx->mdctx, data, datalen); |
845 | 25.9k | } |
846 | | |
847 | | static int rsa_sign_message_final(void *vprsactx, unsigned char *sig, |
848 | | size_t *siglen, size_t sigsize) |
849 | 8.38k | { |
850 | 8.38k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
851 | 8.38k | unsigned char digest[EVP_MAX_MD_SIZE]; |
852 | 8.38k | unsigned int dlen = 0; |
853 | | |
854 | 8.38k | if (!ossl_prov_is_running() || prsactx == NULL) |
855 | 0 | return 0; |
856 | 8.38k | if (prsactx->mdctx == NULL) |
857 | 0 | return 0; |
858 | 8.38k | if (!prsactx->flag_allow_final) { |
859 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); |
860 | 0 | return 0; |
861 | 0 | } |
862 | | |
863 | | /* |
864 | | * If sig is NULL then we're just finding out the sig size. Other fields |
865 | | * are ignored. Defer to rsa_sign. |
866 | | */ |
867 | 8.38k | if (sig != NULL) { |
868 | | /* |
869 | | * The digests used here are all known (see rsa_get_md_nid()), so they |
870 | | * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. |
871 | | */ |
872 | 4.19k | if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) |
873 | 0 | return 0; |
874 | | |
875 | 4.19k | prsactx->flag_allow_update = 0; |
876 | 4.19k | prsactx->flag_allow_oneshot = 0; |
877 | 4.19k | prsactx->flag_allow_final = 0; |
878 | 4.19k | } |
879 | | |
880 | 8.38k | return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen); |
881 | 8.38k | } |
882 | | |
883 | | /* |
884 | | * If signing a message, digest tbs and sign the result. |
885 | | * Otherwise, sign tbs directly. |
886 | | */ |
887 | | static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, |
888 | | size_t sigsize, const unsigned char *tbs, size_t tbslen) |
889 | 0 | { |
890 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
891 | |
|
892 | 0 | if (!ossl_prov_is_running() || prsactx == NULL) |
893 | 0 | return 0; |
894 | 0 | if (!prsactx->flag_allow_oneshot) { |
895 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); |
896 | 0 | return 0; |
897 | 0 | } |
898 | | |
899 | 0 | if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) { |
900 | | /* |
901 | | * If |sig| is NULL, the caller is only looking for the sig length. |
902 | | * DO NOT update the input in this case. |
903 | | */ |
904 | 0 | if (sig == NULL) |
905 | 0 | return rsa_sign_message_final(prsactx, sig, siglen, sigsize); |
906 | | |
907 | 0 | return rsa_signverify_message_update(prsactx, tbs, tbslen) |
908 | 0 | && rsa_sign_message_final(prsactx, sig, siglen, sigsize); |
909 | 0 | } |
910 | 0 | return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen); |
911 | 0 | } |
912 | | |
913 | | static int rsa_verify_recover_init(void *vprsactx, void *vrsa, |
914 | | const OSSL_PARAM params[]) |
915 | 0 | { |
916 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
917 | |
|
918 | | #ifdef FIPS_MODULE |
919 | | if (prsactx != NULL) |
920 | | prsactx->verify_message = 0; |
921 | | #endif |
922 | |
|
923 | 0 | return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
924 | 0 | EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init"); |
925 | 0 | } |
926 | | |
927 | | /* |
928 | | * There is no message variant of verify recover, so no need for |
929 | | * 'rsa_verify_recover_directly', just use this function, er, directly. |
930 | | */ |
931 | | static int rsa_verify_recover(void *vprsactx, |
932 | | unsigned char *rout, size_t *routlen, |
933 | | size_t routsize, |
934 | | const unsigned char *sig, size_t siglen) |
935 | 0 | { |
936 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
937 | 0 | int ret; |
938 | |
|
939 | 0 | if (!ossl_prov_is_running()) |
940 | 0 | return 0; |
941 | | |
942 | 0 | if (rout == NULL) { |
943 | 0 | *routlen = RSA_size(prsactx->rsa); |
944 | 0 | return 1; |
945 | 0 | } |
946 | | |
947 | 0 | if (prsactx->md != NULL) { |
948 | 0 | switch (prsactx->pad_mode) { |
949 | 0 | case RSA_X931_PADDING: |
950 | 0 | if (!setup_tbuf(prsactx)) |
951 | 0 | return 0; |
952 | 0 | ret = RSA_public_decrypt((int)siglen, sig, prsactx->tbuf, prsactx->rsa, |
953 | 0 | RSA_X931_PADDING); |
954 | 0 | if (ret <= 0) { |
955 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
956 | 0 | return 0; |
957 | 0 | } |
958 | 0 | ret--; |
959 | 0 | if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) { |
960 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH); |
961 | 0 | return 0; |
962 | 0 | } |
963 | 0 | if (ret != EVP_MD_get_size(prsactx->md)) { |
964 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, |
965 | 0 | "Should be %d, but got %d", |
966 | 0 | EVP_MD_get_size(prsactx->md), ret); |
967 | 0 | return 0; |
968 | 0 | } |
969 | | |
970 | 0 | *routlen = ret; |
971 | 0 | if (rout != prsactx->tbuf) { |
972 | 0 | if (routsize < (size_t)ret) { |
973 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, |
974 | 0 | "buffer size is %d, should be %d", |
975 | 0 | routsize, ret); |
976 | 0 | return 0; |
977 | 0 | } |
978 | 0 | memcpy(rout, prsactx->tbuf, ret); |
979 | 0 | } |
980 | 0 | break; |
981 | | |
982 | 0 | case RSA_PKCS1_PADDING: { |
983 | 0 | size_t sltmp; |
984 | |
|
985 | 0 | ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp, |
986 | 0 | sig, siglen, prsactx->rsa); |
987 | 0 | if (ret <= 0) { |
988 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
989 | 0 | return 0; |
990 | 0 | } |
991 | 0 | ret = (int)sltmp; |
992 | 0 | } break; |
993 | | |
994 | 0 | default: |
995 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
996 | 0 | "Only X.931 or PKCS#1 v1.5 padding allowed"); |
997 | 0 | return 0; |
998 | 0 | } |
999 | 0 | } else { |
1000 | 0 | ret = RSA_public_decrypt((int)siglen, sig, rout, prsactx->rsa, |
1001 | 0 | prsactx->pad_mode); |
1002 | 0 | if (ret <= 0) { |
1003 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1004 | 0 | return 0; |
1005 | 0 | } |
1006 | 0 | } |
1007 | 0 | *routlen = ret; |
1008 | 0 | return 1; |
1009 | 0 | } |
1010 | | |
1011 | | static int rsa_verify_init(void *vprsactx, void *vrsa, |
1012 | | const OSSL_PARAM params[]) |
1013 | 0 | { |
1014 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1015 | |
|
1016 | | #ifdef FIPS_MODULE |
1017 | | if (prsactx != NULL) |
1018 | | prsactx->verify_message = 0; |
1019 | | #endif |
1020 | |
|
1021 | 0 | return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
1022 | 0 | EVP_PKEY_OP_VERIFY, "RSA Verify Init"); |
1023 | 0 | } |
1024 | | |
1025 | | static int rsa_verify_directly(PROV_RSA_CTX *prsactx, |
1026 | | const unsigned char *sig, size_t siglen, |
1027 | | const unsigned char *tbs, size_t tbslen) |
1028 | 21.7k | { |
1029 | 21.7k | size_t rslen; |
1030 | | |
1031 | 21.7k | if (!ossl_prov_is_running()) |
1032 | 0 | return 0; |
1033 | 21.7k | if (prsactx->md != NULL) { |
1034 | 21.7k | switch (prsactx->pad_mode) { |
1035 | 5.18k | case RSA_PKCS1_PADDING: |
1036 | 5.18k | if (!RSA_verify(prsactx->mdnid, tbs, (unsigned int)tbslen, |
1037 | 5.18k | sig, (unsigned int)siglen, prsactx->rsa)) { |
1038 | 4.78k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1039 | 4.78k | return 0; |
1040 | 4.78k | } |
1041 | 404 | return 1; |
1042 | 0 | case RSA_X931_PADDING: |
1043 | 0 | if (!setup_tbuf(prsactx)) |
1044 | 0 | return 0; |
1045 | 0 | if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0, |
1046 | 0 | sig, siglen) |
1047 | 0 | <= 0) |
1048 | 0 | return 0; |
1049 | 0 | break; |
1050 | 16.5k | case RSA_PKCS1_PSS_PADDING: { |
1051 | 16.5k | int ret; |
1052 | 16.5k | int saltlen; |
1053 | 16.5k | size_t mdsize; |
1054 | | |
1055 | | /* |
1056 | | * We need to check this for the RSA_verify_PKCS1_PSS_mgf1() |
1057 | | * call |
1058 | | */ |
1059 | 16.5k | mdsize = rsa_get_md_size(prsactx); |
1060 | 16.5k | if (tbslen != mdsize) { |
1061 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, |
1062 | 0 | "Should be %d, but got %d", |
1063 | 0 | mdsize, tbslen); |
1064 | 0 | return 0; |
1065 | 0 | } |
1066 | | |
1067 | 16.5k | if (!setup_tbuf(prsactx)) |
1068 | 17 | return 0; |
1069 | 16.5k | ret = RSA_public_decrypt((int)siglen, sig, prsactx->tbuf, |
1070 | 16.5k | prsactx->rsa, RSA_NO_PADDING); |
1071 | 16.5k | if (ret <= 0) { |
1072 | 3.54k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1073 | 3.54k | return 0; |
1074 | 3.54k | } |
1075 | 13.0k | saltlen = prsactx->saltlen; |
1076 | 13.0k | ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs, |
1077 | 13.0k | prsactx->md, prsactx->mgf1_md, |
1078 | 13.0k | prsactx->tbuf, |
1079 | 13.0k | &saltlen); |
1080 | 13.0k | if (ret <= 0) { |
1081 | 13.0k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1082 | 13.0k | return 0; |
1083 | 13.0k | } |
1084 | | #ifdef FIPS_MODULE |
1085 | | if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen)) |
1086 | | return 0; |
1087 | | #endif |
1088 | 5 | return 1; |
1089 | 13.0k | } |
1090 | 0 | default: |
1091 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
1092 | 0 | "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); |
1093 | 0 | return 0; |
1094 | 21.7k | } |
1095 | 21.7k | } else { |
1096 | 0 | int ret; |
1097 | |
|
1098 | 0 | if (!setup_tbuf(prsactx)) |
1099 | 0 | return 0; |
1100 | 0 | ret = RSA_public_decrypt((int)siglen, sig, prsactx->tbuf, prsactx->rsa, |
1101 | 0 | prsactx->pad_mode); |
1102 | 0 | if (ret <= 0) { |
1103 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1104 | 0 | return 0; |
1105 | 0 | } |
1106 | 0 | rslen = (size_t)ret; |
1107 | 0 | } |
1108 | | |
1109 | 0 | if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) |
1110 | 0 | return 0; |
1111 | | |
1112 | 0 | return 1; |
1113 | 0 | } |
1114 | | |
1115 | | static int rsa_verify_set_sig(void *vprsactx, |
1116 | | const unsigned char *sig, size_t siglen) |
1117 | 21.7k | { |
1118 | 21.7k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1119 | 21.7k | OSSL_PARAM params[2]; |
1120 | | |
1121 | 21.7k | params[0] = OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, |
1122 | 21.7k | (unsigned char *)sig, siglen); |
1123 | 21.7k | params[1] = OSSL_PARAM_construct_end(); |
1124 | 21.7k | return rsa_sigalg_set_ctx_params(prsactx, params); |
1125 | 21.7k | } |
1126 | | |
1127 | | static int rsa_verify_message_final(void *vprsactx) |
1128 | 21.7k | { |
1129 | 21.7k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1130 | 21.7k | unsigned char digest[EVP_MAX_MD_SIZE]; |
1131 | 21.7k | unsigned int dlen = 0; |
1132 | | |
1133 | 21.7k | if (!ossl_prov_is_running() || prsactx == NULL) |
1134 | 0 | return 0; |
1135 | 21.7k | if (prsactx->mdctx == NULL) |
1136 | 0 | return 0; |
1137 | 21.7k | if (!prsactx->flag_allow_final) { |
1138 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); |
1139 | 0 | return 0; |
1140 | 0 | } |
1141 | | |
1142 | | /* |
1143 | | * The digests used here are all known (see rsa_get_md_nid()), so they |
1144 | | * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. |
1145 | | */ |
1146 | 21.7k | if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) |
1147 | 0 | return 0; |
1148 | | |
1149 | 21.7k | prsactx->flag_allow_update = 0; |
1150 | 21.7k | prsactx->flag_allow_final = 0; |
1151 | 21.7k | prsactx->flag_allow_oneshot = 0; |
1152 | | |
1153 | 21.7k | return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen, |
1154 | 21.7k | digest, dlen); |
1155 | 21.7k | } |
1156 | | |
1157 | | /* |
1158 | | * If verifying a message, digest tbs and verify the result. |
1159 | | * Otherwise, verify tbs directly. |
1160 | | */ |
1161 | | static int rsa_verify(void *vprsactx, |
1162 | | const unsigned char *sig, size_t siglen, |
1163 | | const unsigned char *tbs, size_t tbslen) |
1164 | 0 | { |
1165 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1166 | |
|
1167 | 0 | if (!ossl_prov_is_running() || prsactx == NULL) |
1168 | 0 | return 0; |
1169 | 0 | if (!prsactx->flag_allow_oneshot) { |
1170 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); |
1171 | 0 | return 0; |
1172 | 0 | } |
1173 | | |
1174 | 0 | if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) |
1175 | 0 | return rsa_verify_set_sig(prsactx, sig, siglen) |
1176 | 0 | && rsa_signverify_message_update(prsactx, tbs, tbslen) |
1177 | 0 | && rsa_verify_message_final(prsactx); |
1178 | 0 | return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen); |
1179 | 0 | } |
1180 | | |
1181 | | /* DigestSign/DigestVerify wrappers */ |
1182 | | |
1183 | | static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, |
1184 | | void *vrsa, const OSSL_PARAM params[], |
1185 | | int operation, const char *desc) |
1186 | 45.4k | { |
1187 | 45.4k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1188 | | |
1189 | | #ifdef FIPS_MODULE |
1190 | | if (prsactx != NULL) |
1191 | | prsactx->verify_message = 1; |
1192 | | #endif |
1193 | | |
1194 | 45.4k | if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
1195 | 45.4k | operation, desc)) |
1196 | 34 | return 0; |
1197 | | |
1198 | 45.4k | if (mdname != NULL |
1199 | | /* was rsa_setup_md already called in rsa_signverify_init()? */ |
1200 | 45.4k | && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0) |
1201 | 45.2k | && !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)) |
1202 | 135 | return 0; |
1203 | | |
1204 | 45.2k | prsactx->flag_allow_md = 0; |
1205 | | |
1206 | 45.2k | if (prsactx->mdctx == NULL) { |
1207 | 45.2k | prsactx->mdctx = EVP_MD_CTX_new(); |
1208 | 45.2k | if (prsactx->mdctx == NULL) |
1209 | 0 | goto error; |
1210 | 45.2k | } |
1211 | | |
1212 | 45.2k | if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) |
1213 | 0 | goto error; |
1214 | | |
1215 | 45.2k | return 1; |
1216 | | |
1217 | 0 | error: |
1218 | 0 | EVP_MD_CTX_free(prsactx->mdctx); |
1219 | 0 | prsactx->mdctx = NULL; |
1220 | 0 | return 0; |
1221 | 45.2k | } |
1222 | | |
1223 | | static int rsa_digest_sign_init(void *vprsactx, const char *mdname, |
1224 | | void *vrsa, const OSSL_PARAM params[]) |
1225 | 42.7k | { |
1226 | 42.7k | if (!ossl_prov_is_running()) |
1227 | 0 | return 0; |
1228 | 42.7k | return rsa_digest_signverify_init(vprsactx, mdname, vrsa, |
1229 | 42.7k | params, EVP_PKEY_OP_SIGNMSG, |
1230 | 42.7k | "RSA Digest Sign Init"); |
1231 | 42.7k | } |
1232 | | |
1233 | | static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data, |
1234 | | size_t datalen) |
1235 | 4.19k | { |
1236 | 4.19k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1237 | | |
1238 | 4.19k | if (prsactx == NULL) |
1239 | 0 | return 0; |
1240 | | /* Sigalg implementations shouldn't do digest_sign */ |
1241 | 4.19k | if (prsactx->flag_sigalg) |
1242 | 0 | return 0; |
1243 | | |
1244 | 4.19k | return rsa_signverify_message_update(prsactx, data, datalen); |
1245 | 4.19k | } |
1246 | | |
1247 | | static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig, |
1248 | | size_t *siglen, size_t sigsize) |
1249 | 8.38k | { |
1250 | 8.38k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1251 | 8.38k | int ok = 0; |
1252 | | |
1253 | 8.38k | if (prsactx == NULL) |
1254 | 0 | return 0; |
1255 | | /* Sigalg implementations shouldn't do digest_sign */ |
1256 | 8.38k | if (prsactx->flag_sigalg) |
1257 | 0 | return 0; |
1258 | | |
1259 | 8.38k | if (rsa_sign_message_final(prsactx, sig, siglen, sigsize)) |
1260 | 8.38k | ok = 1; |
1261 | | |
1262 | 8.38k | prsactx->flag_allow_md = 1; |
1263 | | |
1264 | 8.38k | return ok; |
1265 | 8.38k | } |
1266 | | |
1267 | | static int rsa_digest_verify_init(void *vprsactx, const char *mdname, |
1268 | | void *vrsa, const OSSL_PARAM params[]) |
1269 | 29.3k | { |
1270 | 29.3k | if (!ossl_prov_is_running()) |
1271 | 0 | return 0; |
1272 | 29.3k | return rsa_digest_signverify_init(vprsactx, mdname, vrsa, |
1273 | 29.3k | params, EVP_PKEY_OP_VERIFYMSG, |
1274 | 29.3k | "RSA Digest Verify Init"); |
1275 | 29.3k | } |
1276 | | |
1277 | | static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data, |
1278 | | size_t datalen) |
1279 | 21.7k | { |
1280 | 21.7k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1281 | | |
1282 | 21.7k | if (prsactx == NULL) |
1283 | 0 | return 0; |
1284 | | /* Sigalg implementations shouldn't do digest_sign */ |
1285 | 21.7k | if (prsactx->flag_sigalg) |
1286 | 0 | return 0; |
1287 | | |
1288 | 21.7k | return rsa_signverify_message_update(prsactx, data, datalen); |
1289 | 21.7k | } |
1290 | | |
1291 | | int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, |
1292 | | size_t siglen) |
1293 | 21.7k | { |
1294 | 21.7k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1295 | 21.7k | int ok = 0; |
1296 | | |
1297 | 21.7k | if (prsactx == NULL) |
1298 | 0 | return 0; |
1299 | | /* Sigalg implementations shouldn't do digest_verify */ |
1300 | 21.7k | if (prsactx->flag_sigalg) |
1301 | 0 | return 0; |
1302 | | |
1303 | 21.7k | if (rsa_verify_set_sig(prsactx, sig, siglen) |
1304 | 21.7k | && rsa_verify_message_final(vprsactx)) |
1305 | 409 | ok = 1; |
1306 | | |
1307 | 21.7k | prsactx->flag_allow_md = 1; |
1308 | | |
1309 | 21.7k | return ok; |
1310 | 21.7k | } |
1311 | | |
1312 | | static void rsa_freectx(void *vprsactx) |
1313 | 107k | { |
1314 | 107k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1315 | | |
1316 | 107k | if (prsactx == NULL) |
1317 | 0 | return; |
1318 | | |
1319 | 107k | EVP_MD_CTX_free(prsactx->mdctx); |
1320 | 107k | EVP_MD_free(prsactx->md); |
1321 | 107k | EVP_MD_free(prsactx->mgf1_md); |
1322 | 107k | OPENSSL_free(prsactx->sig); |
1323 | 107k | OPENSSL_free(prsactx->propq); |
1324 | 107k | free_tbuf(prsactx); |
1325 | 107k | RSA_free(prsactx->rsa); |
1326 | | |
1327 | 107k | OPENSSL_clear_free(prsactx, sizeof(*prsactx)); |
1328 | 107k | } |
1329 | | |
1330 | | static void *rsa_dupctx(void *vprsactx) |
1331 | 35.0k | { |
1332 | 35.0k | PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; |
1333 | 35.0k | PROV_RSA_CTX *dstctx; |
1334 | | |
1335 | 35.0k | if (!ossl_prov_is_running()) |
1336 | 0 | return NULL; |
1337 | | |
1338 | 35.0k | dstctx = OPENSSL_zalloc(sizeof(*srcctx)); |
1339 | 35.0k | if (dstctx == NULL) |
1340 | 0 | return NULL; |
1341 | | |
1342 | 35.0k | *dstctx = *srcctx; |
1343 | 35.0k | dstctx->rsa = NULL; |
1344 | 35.0k | dstctx->md = NULL; |
1345 | 35.0k | dstctx->mgf1_md = NULL; |
1346 | 35.0k | dstctx->mdctx = NULL; |
1347 | 35.0k | dstctx->tbuf = NULL; |
1348 | 35.0k | dstctx->propq = NULL; |
1349 | | |
1350 | 35.0k | if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa)) |
1351 | 0 | goto err; |
1352 | 35.0k | dstctx->rsa = srcctx->rsa; |
1353 | | |
1354 | 35.0k | if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md)) |
1355 | 0 | goto err; |
1356 | 35.0k | dstctx->md = srcctx->md; |
1357 | | |
1358 | 35.0k | if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md)) |
1359 | 0 | goto err; |
1360 | 35.0k | dstctx->mgf1_md = srcctx->mgf1_md; |
1361 | | |
1362 | 35.0k | if (srcctx->mdctx != NULL) { |
1363 | 35.0k | dstctx->mdctx = EVP_MD_CTX_new(); |
1364 | 35.0k | if (dstctx->mdctx == NULL |
1365 | 35.0k | || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)) |
1366 | 0 | goto err; |
1367 | 35.0k | } |
1368 | | |
1369 | 35.0k | if (srcctx->propq != NULL) { |
1370 | 0 | dstctx->propq = OPENSSL_strdup(srcctx->propq); |
1371 | 0 | if (dstctx->propq == NULL) |
1372 | 0 | goto err; |
1373 | 0 | } |
1374 | | |
1375 | 35.0k | return dstctx; |
1376 | 0 | err: |
1377 | 0 | rsa_freectx(dstctx); |
1378 | 0 | return NULL; |
1379 | 35.0k | } |
1380 | | |
1381 | | /* clang-format off */ |
1382 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
1383 | | #ifndef rsa_get_ctx_params_list |
1384 | | static const OSSL_PARAM rsa_get_ctx_params_list[] = { |
1385 | | OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), |
1386 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1387 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL), |
1388 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), |
1389 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1390 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1391 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL), |
1392 | | # if defined(FIPS_MODULE) |
1393 | | OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL), |
1394 | | # endif |
1395 | | # if defined(FIPS_MODULE) |
1396 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR, NULL), |
1397 | | # endif |
1398 | | OSSL_PARAM_END |
1399 | | }; |
1400 | | #endif |
1401 | | |
1402 | | #ifndef rsa_get_ctx_params_st |
1403 | | struct rsa_get_ctx_params_st { |
1404 | | OSSL_PARAM *algid; |
1405 | | OSSL_PARAM *digest; |
1406 | | # if defined(FIPS_MODULE) |
1407 | | OSSL_PARAM *ind; |
1408 | | # endif |
1409 | | OSSL_PARAM *mgf1; |
1410 | | OSSL_PARAM *pad; |
1411 | | OSSL_PARAM *slen; |
1412 | | # if defined(FIPS_MODULE) |
1413 | | OSSL_PARAM *verify; |
1414 | | # endif |
1415 | | }; |
1416 | | #endif |
1417 | | |
1418 | | #ifndef rsa_get_ctx_params_decoder |
1419 | | static int rsa_get_ctx_params_decoder |
1420 | | (const OSSL_PARAM *p, struct rsa_get_ctx_params_st *r) |
1421 | 0 | { |
1422 | 0 | const char *s; |
1423 | |
|
1424 | 0 | memset(r, 0, sizeof(*r)); |
1425 | 0 | if (p != NULL) |
1426 | 0 | for (; (s = p->key) != NULL; p++) |
1427 | 0 | switch(s[0]) { |
1428 | 0 | default: |
1429 | 0 | break; |
1430 | 0 | case 'a': |
1431 | 0 | if (ossl_likely(strcmp("lgorithm-id", s + 1) == 0)) { |
1432 | | /* OSSL_SIGNATURE_PARAM_ALGORITHM_ID */ |
1433 | 0 | if (ossl_unlikely(r->algid != NULL)) { |
1434 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1435 | 0 | "param %s is repeated", s); |
1436 | 0 | return 0; |
1437 | 0 | } |
1438 | 0 | r->algid = (OSSL_PARAM *)p; |
1439 | 0 | } |
1440 | 0 | break; |
1441 | 0 | case 'd': |
1442 | 0 | if (ossl_likely(strcmp("igest", s + 1) == 0)) { |
1443 | | /* OSSL_SIGNATURE_PARAM_DIGEST */ |
1444 | 0 | if (ossl_unlikely(r->digest != NULL)) { |
1445 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1446 | 0 | "param %s is repeated", s); |
1447 | 0 | return 0; |
1448 | 0 | } |
1449 | 0 | r->digest = (OSSL_PARAM *)p; |
1450 | 0 | } |
1451 | 0 | break; |
1452 | 0 | case 'f': |
1453 | | # if defined(FIPS_MODULE) |
1454 | | if (ossl_likely(strcmp("ips-indicator", s + 1) == 0)) { |
1455 | | /* OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR */ |
1456 | | if (ossl_unlikely(r->ind != NULL)) { |
1457 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1458 | | "param %s is repeated", s); |
1459 | | return 0; |
1460 | | } |
1461 | | r->ind = (OSSL_PARAM *)p; |
1462 | | } |
1463 | | # endif |
1464 | 0 | break; |
1465 | 0 | case 'm': |
1466 | 0 | if (ossl_likely(strcmp("gf1-digest", s + 1) == 0)) { |
1467 | | /* OSSL_SIGNATURE_PARAM_MGF1_DIGEST */ |
1468 | 0 | if (ossl_unlikely(r->mgf1 != NULL)) { |
1469 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1470 | 0 | "param %s is repeated", s); |
1471 | 0 | return 0; |
1472 | 0 | } |
1473 | 0 | r->mgf1 = (OSSL_PARAM *)p; |
1474 | 0 | } |
1475 | 0 | break; |
1476 | 0 | case 'p': |
1477 | 0 | if (ossl_likely(strcmp("ad-mode", s + 1) == 0)) { |
1478 | | /* OSSL_SIGNATURE_PARAM_PAD_MODE */ |
1479 | 0 | if (ossl_unlikely(r->pad != NULL)) { |
1480 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1481 | 0 | "param %s is repeated", s); |
1482 | 0 | return 0; |
1483 | 0 | } |
1484 | 0 | r->pad = (OSSL_PARAM *)p; |
1485 | 0 | } |
1486 | 0 | break; |
1487 | 0 | case 's': |
1488 | 0 | if (ossl_likely(strcmp("altlen", s + 1) == 0)) { |
1489 | | /* OSSL_SIGNATURE_PARAM_PSS_SALTLEN */ |
1490 | 0 | if (ossl_unlikely(r->slen != NULL)) { |
1491 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1492 | 0 | "param %s is repeated", s); |
1493 | 0 | return 0; |
1494 | 0 | } |
1495 | 0 | r->slen = (OSSL_PARAM *)p; |
1496 | 0 | } |
1497 | 0 | break; |
1498 | 0 | case 'v': |
1499 | | # if defined(FIPS_MODULE) |
1500 | | if (ossl_likely(strcmp("erify-message", s + 1) == 0)) { |
1501 | | /* OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE */ |
1502 | | if (ossl_unlikely(r->verify != NULL)) { |
1503 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1504 | | "param %s is repeated", s); |
1505 | | return 0; |
1506 | | } |
1507 | | r->verify = (OSSL_PARAM *)p; |
1508 | | } |
1509 | | # endif |
1510 | 0 | break; |
1511 | 0 | } |
1512 | 0 | return 1; |
1513 | 0 | } |
1514 | | #endif |
1515 | | /* End of machine generated */ |
1516 | | /* clang-format on */ |
1517 | | |
1518 | | static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) |
1519 | 0 | { |
1520 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1521 | 0 | struct rsa_get_ctx_params_st p; |
1522 | |
|
1523 | 0 | if (prsactx == NULL || !rsa_get_ctx_params_decoder(params, &p)) |
1524 | 0 | return 0; |
1525 | | |
1526 | 0 | if (p.algid != NULL) { |
1527 | | /* The Algorithm Identifier of the combined signature algorithm */ |
1528 | 0 | unsigned char aid_buf[128]; |
1529 | 0 | unsigned char *aid; |
1530 | 0 | size_t aid_len; |
1531 | |
|
1532 | 0 | aid = rsa_generate_signature_aid(prsactx, aid_buf, |
1533 | 0 | sizeof(aid_buf), &aid_len); |
1534 | 0 | if (aid == NULL || !OSSL_PARAM_set_octet_string(p.algid, aid, aid_len)) |
1535 | 0 | return 0; |
1536 | 0 | } |
1537 | | |
1538 | 0 | if (p.pad != NULL) { |
1539 | 0 | if (p.pad->data_type != OSSL_PARAM_UTF8_STRING) { |
1540 | 0 | if (!OSSL_PARAM_set_int(p.pad, prsactx->pad_mode)) |
1541 | 0 | return 0; |
1542 | 0 | } else { |
1543 | 0 | int i; |
1544 | 0 | const char *word = NULL; |
1545 | |
|
1546 | 0 | for (i = 0; padding_item[i].id != 0; i++) { |
1547 | 0 | if (prsactx->pad_mode == (int)padding_item[i].id) { |
1548 | 0 | word = padding_item[i].ptr; |
1549 | 0 | break; |
1550 | 0 | } |
1551 | 0 | } |
1552 | |
|
1553 | 0 | if (word != NULL) { |
1554 | 0 | if (!OSSL_PARAM_set_utf8_string(p.pad, word)) |
1555 | 0 | return 0; |
1556 | 0 | } else { |
1557 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
1558 | 0 | } |
1559 | 0 | } |
1560 | 0 | } |
1561 | | |
1562 | 0 | if (p.digest != NULL && !OSSL_PARAM_set_utf8_string(p.digest, prsactx->mdname)) |
1563 | 0 | return 0; |
1564 | | |
1565 | 0 | if (p.mgf1 != NULL && !OSSL_PARAM_set_utf8_string(p.mgf1, prsactx->mgf1_mdname)) |
1566 | 0 | return 0; |
1567 | | |
1568 | 0 | if (p.slen != NULL) { |
1569 | 0 | if (p.slen->data_type != OSSL_PARAM_UTF8_STRING) { |
1570 | 0 | if (!OSSL_PARAM_set_int(p.slen, prsactx->saltlen)) |
1571 | 0 | return 0; |
1572 | 0 | } else { |
1573 | 0 | const char *value = NULL; |
1574 | |
|
1575 | 0 | switch (prsactx->saltlen) { |
1576 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
1577 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST; |
1578 | 0 | break; |
1579 | 0 | case RSA_PSS_SALTLEN_MAX: |
1580 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX; |
1581 | 0 | break; |
1582 | 0 | case RSA_PSS_SALTLEN_AUTO: |
1583 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; |
1584 | 0 | break; |
1585 | 0 | case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: |
1586 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX; |
1587 | 0 | break; |
1588 | 0 | default: { |
1589 | 0 | int len = BIO_snprintf(p.slen->data, p.slen->data_size, "%d", |
1590 | 0 | prsactx->saltlen); |
1591 | |
|
1592 | 0 | if (len <= 0) |
1593 | 0 | return 0; |
1594 | 0 | p.slen->return_size = len; |
1595 | 0 | break; |
1596 | 0 | } |
1597 | 0 | } |
1598 | 0 | if (value != NULL |
1599 | 0 | && !OSSL_PARAM_set_utf8_string(p.slen, value)) |
1600 | 0 | return 0; |
1601 | 0 | } |
1602 | 0 | } |
1603 | | |
1604 | | #ifdef FIPS_MODULE |
1605 | | if (p.verify != NULL && !OSSL_PARAM_set_uint(p.verify, prsactx->verify_message)) |
1606 | | return 0; |
1607 | | #endif |
1608 | | |
1609 | 0 | if (!OSSL_FIPS_IND_GET_CTX_FROM_PARAM(prsactx, p.ind)) |
1610 | 0 | return 0; |
1611 | 0 | return 1; |
1612 | 0 | } |
1613 | | |
1614 | | static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, |
1615 | | ossl_unused void *provctx) |
1616 | 0 | { |
1617 | 0 | return rsa_get_ctx_params_list; |
1618 | 0 | } |
1619 | | |
1620 | | #ifdef FIPS_MODULE |
1621 | | static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx) |
1622 | | { |
1623 | | if ((ctx->operation |
1624 | | & (EVP_PKEY_OP_SIGNMSG | EVP_PKEY_OP_SIGN)) |
1625 | | != 0) { |
1626 | | if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, |
1627 | | ctx->libctx, |
1628 | | "RSA Sign set ctx", "X931 Padding", |
1629 | | ossl_fips_config_rsa_sign_x931_disallowed)) { |
1630 | | ERR_raise(ERR_LIB_PROV, |
1631 | | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
1632 | | return 0; |
1633 | | } |
1634 | | } |
1635 | | return 1; |
1636 | | } |
1637 | | #endif |
1638 | | |
1639 | | /* clang-format off */ |
1640 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
1641 | | #ifndef rsa_set_ctx_params_list |
1642 | | static const OSSL_PARAM rsa_set_ctx_params_list[] = { |
1643 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), |
1644 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), |
1645 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1646 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL), |
1647 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1648 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), |
1649 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1650 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL), |
1651 | | # if defined(FIPS_MODULE) |
1652 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK, NULL), |
1653 | | # endif |
1654 | | # if defined(FIPS_MODULE) |
1655 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK, NULL), |
1656 | | # endif |
1657 | | # if defined(FIPS_MODULE) |
1658 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK, NULL), |
1659 | | # endif |
1660 | | # if defined(FIPS_MODULE) |
1661 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK, NULL), |
1662 | | # endif |
1663 | | OSSL_PARAM_END |
1664 | | }; |
1665 | | #endif |
1666 | | |
1667 | | #ifndef rsa_set_ctx_params_st |
1668 | | struct rsa_set_ctx_params_st { |
1669 | | OSSL_PARAM *digest; |
1670 | | # if defined(FIPS_MODULE) |
1671 | | OSSL_PARAM *ind_d; |
1672 | | # endif |
1673 | | # if defined(FIPS_MODULE) |
1674 | | OSSL_PARAM *ind_k; |
1675 | | # endif |
1676 | | # if defined(FIPS_MODULE) |
1677 | | OSSL_PARAM *ind_slen; |
1678 | | # endif |
1679 | | # if defined(FIPS_MODULE) |
1680 | | OSSL_PARAM *ind_xpad; |
1681 | | # endif |
1682 | | OSSL_PARAM *mgf1; |
1683 | | OSSL_PARAM *mgf1pq; |
1684 | | OSSL_PARAM *pad; |
1685 | | OSSL_PARAM *propq; |
1686 | | OSSL_PARAM *slen; |
1687 | | }; |
1688 | | #endif |
1689 | | |
1690 | | #ifndef rsa_set_ctx_params_decoder |
1691 | | static int rsa_set_ctx_params_decoder |
1692 | | (const OSSL_PARAM *p, struct rsa_set_ctx_params_st *r) |
1693 | 0 | { |
1694 | 0 | const char *s; |
1695 | |
|
1696 | 0 | memset(r, 0, sizeof(*r)); |
1697 | 0 | if (p != NULL) |
1698 | 0 | for (; (s = p->key) != NULL; p++) |
1699 | 0 | switch(s[0]) { |
1700 | 0 | default: |
1701 | 0 | break; |
1702 | 0 | case 'd': |
1703 | 0 | switch(s[1]) { |
1704 | 0 | default: |
1705 | 0 | break; |
1706 | 0 | case 'i': |
1707 | 0 | switch(s[2]) { |
1708 | 0 | default: |
1709 | 0 | break; |
1710 | 0 | case 'g': |
1711 | 0 | switch(s[3]) { |
1712 | 0 | default: |
1713 | 0 | break; |
1714 | 0 | case 'e': |
1715 | 0 | switch(s[4]) { |
1716 | 0 | default: |
1717 | 0 | break; |
1718 | 0 | case 's': |
1719 | 0 | switch(s[5]) { |
1720 | 0 | default: |
1721 | 0 | break; |
1722 | 0 | case 't': |
1723 | 0 | switch(s[6]) { |
1724 | 0 | default: |
1725 | 0 | break; |
1726 | 0 | case '-': |
1727 | | # if defined(FIPS_MODULE) |
1728 | | if (ossl_likely(strcmp("check", s + 7) == 0)) { |
1729 | | /* OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK */ |
1730 | | if (ossl_unlikely(r->ind_d != NULL)) { |
1731 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1732 | | "param %s is repeated", s); |
1733 | | return 0; |
1734 | | } |
1735 | | r->ind_d = (OSSL_PARAM *)p; |
1736 | | } |
1737 | | # endif |
1738 | 0 | break; |
1739 | 0 | case '\0': |
1740 | 0 | if (ossl_unlikely(r->digest != NULL)) { |
1741 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1742 | 0 | "param %s is repeated", s); |
1743 | 0 | return 0; |
1744 | 0 | } |
1745 | 0 | r->digest = (OSSL_PARAM *)p; |
1746 | 0 | } |
1747 | 0 | } |
1748 | 0 | } |
1749 | 0 | } |
1750 | 0 | } |
1751 | 0 | } |
1752 | 0 | break; |
1753 | 0 | case 'k': |
1754 | | # if defined(FIPS_MODULE) |
1755 | | if (ossl_likely(strcmp("ey-check", s + 1) == 0)) { |
1756 | | /* OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK */ |
1757 | | if (ossl_unlikely(r->ind_k != NULL)) { |
1758 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1759 | | "param %s is repeated", s); |
1760 | | return 0; |
1761 | | } |
1762 | | r->ind_k = (OSSL_PARAM *)p; |
1763 | | } |
1764 | | # endif |
1765 | 0 | break; |
1766 | 0 | case 'm': |
1767 | 0 | switch(s[1]) { |
1768 | 0 | default: |
1769 | 0 | break; |
1770 | 0 | case 'g': |
1771 | 0 | switch(s[2]) { |
1772 | 0 | default: |
1773 | 0 | break; |
1774 | 0 | case 'f': |
1775 | 0 | switch(s[3]) { |
1776 | 0 | default: |
1777 | 0 | break; |
1778 | 0 | case '1': |
1779 | 0 | switch(s[4]) { |
1780 | 0 | default: |
1781 | 0 | break; |
1782 | 0 | case '-': |
1783 | 0 | switch(s[5]) { |
1784 | 0 | default: |
1785 | 0 | break; |
1786 | 0 | case 'd': |
1787 | 0 | if (ossl_likely(strcmp("igest", s + 6) == 0)) { |
1788 | | /* OSSL_SIGNATURE_PARAM_MGF1_DIGEST */ |
1789 | 0 | if (ossl_unlikely(r->mgf1 != NULL)) { |
1790 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1791 | 0 | "param %s is repeated", s); |
1792 | 0 | return 0; |
1793 | 0 | } |
1794 | 0 | r->mgf1 = (OSSL_PARAM *)p; |
1795 | 0 | } |
1796 | 0 | break; |
1797 | 0 | case 'p': |
1798 | 0 | if (ossl_likely(strcmp("roperties", s + 6) == 0)) { |
1799 | | /* OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES */ |
1800 | 0 | if (ossl_unlikely(r->mgf1pq != NULL)) { |
1801 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1802 | 0 | "param %s is repeated", s); |
1803 | 0 | return 0; |
1804 | 0 | } |
1805 | 0 | r->mgf1pq = (OSSL_PARAM *)p; |
1806 | 0 | } |
1807 | 0 | } |
1808 | 0 | } |
1809 | 0 | } |
1810 | 0 | } |
1811 | 0 | } |
1812 | 0 | break; |
1813 | 0 | case 'p': |
1814 | 0 | switch(s[1]) { |
1815 | 0 | default: |
1816 | 0 | break; |
1817 | 0 | case 'a': |
1818 | 0 | if (ossl_likely(strcmp("d-mode", s + 2) == 0)) { |
1819 | | /* OSSL_SIGNATURE_PARAM_PAD_MODE */ |
1820 | 0 | if (ossl_unlikely(r->pad != NULL)) { |
1821 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1822 | 0 | "param %s is repeated", s); |
1823 | 0 | return 0; |
1824 | 0 | } |
1825 | 0 | r->pad = (OSSL_PARAM *)p; |
1826 | 0 | } |
1827 | 0 | break; |
1828 | 0 | case 'r': |
1829 | 0 | if (ossl_likely(strcmp("operties", s + 2) == 0)) { |
1830 | | /* OSSL_SIGNATURE_PARAM_PROPERTIES */ |
1831 | 0 | if (ossl_unlikely(r->propq != NULL)) { |
1832 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1833 | 0 | "param %s is repeated", s); |
1834 | 0 | return 0; |
1835 | 0 | } |
1836 | 0 | r->propq = (OSSL_PARAM *)p; |
1837 | 0 | } |
1838 | 0 | } |
1839 | 0 | break; |
1840 | 0 | case 'r': |
1841 | | # if defined(FIPS_MODULE) |
1842 | | if (ossl_likely(strcmp("sa-pss-saltlen-check", s + 1) == 0)) { |
1843 | | /* OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK */ |
1844 | | if (ossl_unlikely(r->ind_slen != NULL)) { |
1845 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1846 | | "param %s is repeated", s); |
1847 | | return 0; |
1848 | | } |
1849 | | r->ind_slen = (OSSL_PARAM *)p; |
1850 | | } |
1851 | | # endif |
1852 | 0 | break; |
1853 | 0 | case 's': |
1854 | 0 | switch(s[1]) { |
1855 | 0 | default: |
1856 | 0 | break; |
1857 | 0 | case 'a': |
1858 | 0 | if (ossl_likely(strcmp("ltlen", s + 2) == 0)) { |
1859 | | /* OSSL_SIGNATURE_PARAM_PSS_SALTLEN */ |
1860 | 0 | if (ossl_unlikely(r->slen != NULL)) { |
1861 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1862 | 0 | "param %s is repeated", s); |
1863 | 0 | return 0; |
1864 | 0 | } |
1865 | 0 | r->slen = (OSSL_PARAM *)p; |
1866 | 0 | } |
1867 | 0 | break; |
1868 | 0 | case 'i': |
1869 | | # if defined(FIPS_MODULE) |
1870 | | if (ossl_likely(strcmp("gn-x931-pad-check", s + 2) == 0)) { |
1871 | | /* OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK */ |
1872 | | if (ossl_unlikely(r->ind_xpad != NULL)) { |
1873 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1874 | | "param %s is repeated", s); |
1875 | | return 0; |
1876 | | } |
1877 | | r->ind_xpad = (OSSL_PARAM *)p; |
1878 | | } |
1879 | | # endif |
1880 | 0 | break; |
1881 | 0 | } |
1882 | 0 | break; |
1883 | 0 | } |
1884 | 0 | return 1; |
1885 | 0 | } |
1886 | | #endif |
1887 | | /* End of machine generated */ |
1888 | | /* clang-format on */ |
1889 | | |
1890 | | #define rsa_set_ctx_params_no_digest_st rsa_set_ctx_params_st |
1891 | | |
1892 | | /* clang-format off */ |
1893 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
1894 | | #ifndef rsa_set_ctx_params_no_digest_list |
1895 | | static const OSSL_PARAM rsa_set_ctx_params_no_digest_list[] = { |
1896 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1897 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL), |
1898 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1899 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), |
1900 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1901 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL), |
1902 | | # if defined(FIPS_MODULE) |
1903 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK, NULL), |
1904 | | # endif |
1905 | | # if defined(FIPS_MODULE) |
1906 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK, NULL), |
1907 | | # endif |
1908 | | # if defined(FIPS_MODULE) |
1909 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK, NULL), |
1910 | | # endif |
1911 | | # if defined(FIPS_MODULE) |
1912 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK, NULL), |
1913 | | # endif |
1914 | | OSSL_PARAM_END |
1915 | | }; |
1916 | | #endif |
1917 | | |
1918 | | #ifndef rsa_set_ctx_params_no_digest_st |
1919 | | struct rsa_set_ctx_params_no_digest_st { |
1920 | | # if defined(FIPS_MODULE) |
1921 | | OSSL_PARAM *ind_d; |
1922 | | # endif |
1923 | | # if defined(FIPS_MODULE) |
1924 | | OSSL_PARAM *ind_k; |
1925 | | # endif |
1926 | | # if defined(FIPS_MODULE) |
1927 | | OSSL_PARAM *ind_slen; |
1928 | | # endif |
1929 | | # if defined(FIPS_MODULE) |
1930 | | OSSL_PARAM *ind_xpad; |
1931 | | # endif |
1932 | | OSSL_PARAM *mgf1; |
1933 | | OSSL_PARAM *mgf1pq; |
1934 | | OSSL_PARAM *pad; |
1935 | | OSSL_PARAM *slen; |
1936 | | }; |
1937 | | #endif |
1938 | | |
1939 | | #ifndef rsa_set_ctx_params_no_digest_decoder |
1940 | | static int rsa_set_ctx_params_no_digest_decoder |
1941 | | (const OSSL_PARAM *p, struct rsa_set_ctx_params_no_digest_st *r) |
1942 | 19.2k | { |
1943 | 19.2k | const char *s; |
1944 | | |
1945 | 19.2k | memset(r, 0, sizeof(*r)); |
1946 | 19.2k | if (p != NULL) |
1947 | 38.4k | for (; (s = p->key) != NULL; p++) |
1948 | 19.2k | switch(s[0]) { |
1949 | 0 | default: |
1950 | 0 | break; |
1951 | 0 | case 'd': |
1952 | | # if defined(FIPS_MODULE) |
1953 | | if (ossl_likely(strcmp("igest-check", s + 1) == 0)) { |
1954 | | /* OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK */ |
1955 | | if (ossl_unlikely(r->ind_d != NULL)) { |
1956 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1957 | | "param %s is repeated", s); |
1958 | | return 0; |
1959 | | } |
1960 | | r->ind_d = (OSSL_PARAM *)p; |
1961 | | } |
1962 | | # endif |
1963 | 0 | break; |
1964 | 0 | case 'k': |
1965 | | # if defined(FIPS_MODULE) |
1966 | | if (ossl_likely(strcmp("ey-check", s + 1) == 0)) { |
1967 | | /* OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK */ |
1968 | | if (ossl_unlikely(r->ind_k != NULL)) { |
1969 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1970 | | "param %s is repeated", s); |
1971 | | return 0; |
1972 | | } |
1973 | | r->ind_k = (OSSL_PARAM *)p; |
1974 | | } |
1975 | | # endif |
1976 | 0 | break; |
1977 | 1.59k | case 'm': |
1978 | 1.59k | switch(s[1]) { |
1979 | 0 | default: |
1980 | 0 | break; |
1981 | 1.59k | case 'g': |
1982 | 1.59k | switch(s[2]) { |
1983 | 0 | default: |
1984 | 0 | break; |
1985 | 1.59k | case 'f': |
1986 | 1.59k | switch(s[3]) { |
1987 | 0 | default: |
1988 | 0 | break; |
1989 | 1.59k | case '1': |
1990 | 1.59k | switch(s[4]) { |
1991 | 0 | default: |
1992 | 0 | break; |
1993 | 1.59k | case '-': |
1994 | 1.59k | switch(s[5]) { |
1995 | 0 | default: |
1996 | 0 | break; |
1997 | 1.59k | case 'd': |
1998 | 1.59k | if (ossl_likely(strcmp("igest", s + 6) == 0)) { |
1999 | | /* OSSL_SIGNATURE_PARAM_MGF1_DIGEST */ |
2000 | 1.59k | if (ossl_unlikely(r->mgf1 != NULL)) { |
2001 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2002 | 0 | "param %s is repeated", s); |
2003 | 0 | return 0; |
2004 | 0 | } |
2005 | 1.59k | r->mgf1 = (OSSL_PARAM *)p; |
2006 | 1.59k | } |
2007 | 1.59k | break; |
2008 | 1.59k | case 'p': |
2009 | 0 | if (ossl_likely(strcmp("roperties", s + 6) == 0)) { |
2010 | | /* OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES */ |
2011 | 0 | if (ossl_unlikely(r->mgf1pq != NULL)) { |
2012 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2013 | 0 | "param %s is repeated", s); |
2014 | 0 | return 0; |
2015 | 0 | } |
2016 | 0 | r->mgf1pq = (OSSL_PARAM *)p; |
2017 | 0 | } |
2018 | 1.59k | } |
2019 | 1.59k | } |
2020 | 1.59k | } |
2021 | 1.59k | } |
2022 | 1.59k | } |
2023 | 1.59k | break; |
2024 | 8.81k | case 'p': |
2025 | 8.81k | if (ossl_likely(strcmp("ad-mode", s + 1) == 0)) { |
2026 | | /* OSSL_SIGNATURE_PARAM_PAD_MODE */ |
2027 | 8.81k | if (ossl_unlikely(r->pad != NULL)) { |
2028 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2029 | 0 | "param %s is repeated", s); |
2030 | 0 | return 0; |
2031 | 0 | } |
2032 | 8.81k | r->pad = (OSSL_PARAM *)p; |
2033 | 8.81k | } |
2034 | 8.81k | break; |
2035 | 8.81k | case 'r': |
2036 | | # if defined(FIPS_MODULE) |
2037 | | if (ossl_likely(strcmp("sa-pss-saltlen-check", s + 1) == 0)) { |
2038 | | /* OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK */ |
2039 | | if (ossl_unlikely(r->ind_slen != NULL)) { |
2040 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2041 | | "param %s is repeated", s); |
2042 | | return 0; |
2043 | | } |
2044 | | r->ind_slen = (OSSL_PARAM *)p; |
2045 | | } |
2046 | | # endif |
2047 | 0 | break; |
2048 | 8.81k | case 's': |
2049 | 8.81k | switch(s[1]) { |
2050 | 0 | default: |
2051 | 0 | break; |
2052 | 8.81k | case 'a': |
2053 | 8.81k | if (ossl_likely(strcmp("ltlen", s + 2) == 0)) { |
2054 | | /* OSSL_SIGNATURE_PARAM_PSS_SALTLEN */ |
2055 | 8.81k | if (ossl_unlikely(r->slen != NULL)) { |
2056 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2057 | 0 | "param %s is repeated", s); |
2058 | 0 | return 0; |
2059 | 0 | } |
2060 | 8.81k | r->slen = (OSSL_PARAM *)p; |
2061 | 8.81k | } |
2062 | 8.81k | break; |
2063 | 8.81k | case 'i': |
2064 | | # if defined(FIPS_MODULE) |
2065 | | if (ossl_likely(strcmp("gn-x931-pad-check", s + 2) == 0)) { |
2066 | | /* OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK */ |
2067 | | if (ossl_unlikely(r->ind_xpad != NULL)) { |
2068 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2069 | | "param %s is repeated", s); |
2070 | | return 0; |
2071 | | } |
2072 | | r->ind_xpad = (OSSL_PARAM *)p; |
2073 | | } |
2074 | | # endif |
2075 | 0 | break; |
2076 | 8.81k | } |
2077 | 8.81k | break; |
2078 | 19.2k | } |
2079 | 19.2k | return 1; |
2080 | 19.2k | } |
2081 | | #endif |
2082 | | /* End of machine generated */ |
2083 | | /* clang-format on */ |
2084 | | |
2085 | | static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) |
2086 | 44.8k | { |
2087 | 44.8k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2088 | 44.8k | struct rsa_set_ctx_params_st p; |
2089 | 44.8k | int pad_mode; |
2090 | 44.8k | int saltlen; |
2091 | 44.8k | char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; |
2092 | 44.8k | char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; |
2093 | 44.8k | char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; |
2094 | 44.8k | char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL; |
2095 | | |
2096 | 44.8k | if (prsactx == NULL) |
2097 | 0 | return 0; |
2098 | | /* The processing code below doesn't handle no parameters properly */ |
2099 | 44.8k | if (ossl_param_is_empty(params)) |
2100 | 25.6k | return 1; |
2101 | | |
2102 | 19.2k | if (prsactx->flag_allow_md) { |
2103 | 0 | if (!rsa_set_ctx_params_decoder(params, &p)) |
2104 | 0 | return 0; |
2105 | 19.2k | } else { |
2106 | 19.2k | if (!rsa_set_ctx_params_no_digest_decoder(params, &p)) |
2107 | 0 | return 0; |
2108 | 19.2k | } |
2109 | | |
2110 | 19.2k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, |
2111 | 19.2k | p.ind_k)) |
2112 | 0 | return 0; |
2113 | | |
2114 | 19.2k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, |
2115 | 19.2k | p.ind_d)) |
2116 | 0 | return 0; |
2117 | | |
2118 | 19.2k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, |
2119 | 19.2k | p.ind_xpad)) |
2120 | 0 | return 0; |
2121 | | |
2122 | 19.2k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, |
2123 | 19.2k | p.ind_slen)) |
2124 | 0 | return 0; |
2125 | | |
2126 | 19.2k | pad_mode = prsactx->pad_mode; |
2127 | 19.2k | saltlen = prsactx->saltlen; |
2128 | | |
2129 | 19.2k | if (p.digest != NULL) { |
2130 | 0 | pmdname = mdname; |
2131 | 0 | if (!OSSL_PARAM_get_utf8_string(p.digest, &pmdname, sizeof(mdname))) |
2132 | 0 | return 0; |
2133 | | |
2134 | 0 | if (p.propq != NULL) { |
2135 | 0 | pmdprops = mdprops; |
2136 | 0 | if (!OSSL_PARAM_get_utf8_string(p.propq, |
2137 | 0 | &pmdprops, sizeof(mdprops))) |
2138 | 0 | return 0; |
2139 | 0 | } |
2140 | 0 | } |
2141 | | |
2142 | 19.2k | if (p.pad != NULL) { |
2143 | 8.81k | const char *err_extra_text = NULL; |
2144 | | |
2145 | 8.81k | if (p.pad->data_type != OSSL_PARAM_UTF8_STRING) { |
2146 | | /* Support for legacy pad mode number */ |
2147 | 8.81k | if (!OSSL_PARAM_get_int(p.pad, &pad_mode)) |
2148 | 0 | return 0; |
2149 | 8.81k | } else { |
2150 | 0 | int i; |
2151 | |
|
2152 | 0 | if (p.pad->data == NULL) |
2153 | 0 | return 0; |
2154 | | |
2155 | 0 | for (i = 0; padding_item[i].id != 0; i++) { |
2156 | 0 | if (strcmp(p.pad->data, padding_item[i].ptr) == 0) { |
2157 | 0 | pad_mode = padding_item[i].id; |
2158 | 0 | break; |
2159 | 0 | } |
2160 | 0 | } |
2161 | 0 | } |
2162 | | |
2163 | 8.81k | switch (pad_mode) { |
2164 | 0 | case RSA_PKCS1_OAEP_PADDING: |
2165 | | /* |
2166 | | * OAEP padding is for asymmetric cipher only so is not compatible |
2167 | | * with signature use. |
2168 | | */ |
2169 | 0 | err_extra_text = "OAEP padding not allowed for signing / verifying"; |
2170 | 0 | goto bad_pad; |
2171 | 8.81k | case RSA_PKCS1_PSS_PADDING: |
2172 | 8.81k | if ((prsactx->operation |
2173 | 8.81k | & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG |
2174 | 8.81k | | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) |
2175 | 8.81k | == 0) { |
2176 | 0 | err_extra_text = "PSS padding only allowed for sign and verify operations"; |
2177 | 0 | goto bad_pad; |
2178 | 0 | } |
2179 | 8.81k | break; |
2180 | 8.81k | case RSA_PKCS1_PADDING: |
2181 | 0 | err_extra_text = "PKCS#1 padding not allowed with RSA-PSS"; |
2182 | 0 | goto cont; |
2183 | 0 | case RSA_NO_PADDING: |
2184 | 0 | err_extra_text = "No padding not allowed with RSA-PSS"; |
2185 | 0 | goto cont; |
2186 | 0 | case RSA_X931_PADDING: |
2187 | | #ifdef FIPS_MODULE |
2188 | | /* X9.31 only allows sizes of 1024 + 256 * s (bits) */ |
2189 | | if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) { |
2190 | | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); |
2191 | | return 0; |
2192 | | } |
2193 | | /* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */ |
2194 | | if (!rsa_x931_padding_allowed(prsactx)) |
2195 | | return 0; |
2196 | | #endif |
2197 | 0 | err_extra_text = "X.931 padding not allowed with RSA-PSS"; |
2198 | 0 | cont: |
2199 | 0 | if (RSA_test_flags(prsactx->rsa, |
2200 | 0 | RSA_FLAG_TYPE_MASK) |
2201 | 0 | == RSA_FLAG_TYPE_RSA) |
2202 | 0 | break; |
2203 | | /* FALLTHRU */ |
2204 | 0 | default: |
2205 | 0 | bad_pad: |
2206 | 0 | if (err_extra_text == NULL) |
2207 | 0 | ERR_raise(ERR_LIB_PROV, |
2208 | 0 | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
2209 | 0 | else |
2210 | 0 | ERR_raise_data(ERR_LIB_PROV, |
2211 | 0 | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE, |
2212 | 0 | err_extra_text); |
2213 | 0 | return 0; |
2214 | 8.81k | } |
2215 | 8.81k | } |
2216 | | |
2217 | 19.2k | if (p.slen != NULL) { |
2218 | 8.81k | if (pad_mode != RSA_PKCS1_PSS_PADDING) { |
2219 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED, |
2220 | 0 | "PSS saltlen can only be specified if " |
2221 | 0 | "PSS padding has been specified first"); |
2222 | 0 | return 0; |
2223 | 0 | } |
2224 | | |
2225 | 8.81k | if (p.slen->data_type != OSSL_PARAM_UTF8_STRING) { |
2226 | | /* Support for legacy pad mode number */ |
2227 | 0 | if (!OSSL_PARAM_get_int(p.slen, &saltlen)) |
2228 | 0 | return 0; |
2229 | 8.81k | } else { |
2230 | 8.81k | if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0) |
2231 | 7.21k | saltlen = RSA_PSS_SALTLEN_DIGEST; |
2232 | 1.59k | else if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0) |
2233 | 0 | saltlen = RSA_PSS_SALTLEN_MAX; |
2234 | 1.59k | else if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) |
2235 | 0 | saltlen = RSA_PSS_SALTLEN_AUTO; |
2236 | 1.59k | else if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0) |
2237 | 0 | saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
2238 | 1.59k | else |
2239 | 1.59k | saltlen = atoi(p.slen->data); |
2240 | 8.81k | } |
2241 | | |
2242 | | /* |
2243 | | * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check. |
2244 | | * Contrary to what it's name suggests, it's the currently lowest |
2245 | | * saltlen number possible. |
2246 | | */ |
2247 | 8.81k | if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
2248 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
2249 | 0 | return 0; |
2250 | 0 | } |
2251 | | |
2252 | 8.81k | if (rsa_pss_restricted(prsactx)) { |
2253 | 88 | switch (saltlen) { |
2254 | 0 | case RSA_PSS_SALTLEN_AUTO: |
2255 | 0 | case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: |
2256 | 0 | if ((prsactx->operation |
2257 | 0 | & (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) |
2258 | 0 | == 0) { |
2259 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, |
2260 | 0 | "Cannot use autodetected salt length"); |
2261 | 0 | return 0; |
2262 | 0 | } |
2263 | 0 | break; |
2264 | 7 | case RSA_PSS_SALTLEN_DIGEST: |
2265 | 7 | if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { |
2266 | 1 | ERR_raise_data(ERR_LIB_PROV, |
2267 | 1 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
2268 | 1 | "Should be more than %d, but would be " |
2269 | 1 | "set to match digest size (%d)", |
2270 | 1 | prsactx->min_saltlen, |
2271 | 1 | EVP_MD_get_size(prsactx->md)); |
2272 | 1 | return 0; |
2273 | 1 | } |
2274 | 6 | break; |
2275 | 81 | default: |
2276 | 81 | if (saltlen >= 0 && saltlen < prsactx->min_saltlen) { |
2277 | 0 | ERR_raise_data(ERR_LIB_PROV, |
2278 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
2279 | 0 | "Should be more than %d, " |
2280 | 0 | "but would be set to %d", |
2281 | 0 | prsactx->min_saltlen, saltlen); |
2282 | 0 | return 0; |
2283 | 0 | } |
2284 | 88 | } |
2285 | 88 | } |
2286 | 8.81k | } |
2287 | | |
2288 | 19.2k | if (p.mgf1 != NULL) { |
2289 | 1.59k | pmgf1mdname = mgf1mdname; |
2290 | 1.59k | if (!OSSL_PARAM_get_utf8_string(p.mgf1, &pmgf1mdname, sizeof(mgf1mdname))) |
2291 | 0 | return 0; |
2292 | | |
2293 | 1.59k | if (p.mgf1pq != NULL) { |
2294 | 0 | pmgf1mdprops = mgf1mdprops; |
2295 | 0 | if (!OSSL_PARAM_get_utf8_string(p.mgf1pq, |
2296 | 0 | &pmgf1mdprops, sizeof(mgf1mdprops))) |
2297 | 0 | return 0; |
2298 | 0 | } |
2299 | | |
2300 | 1.59k | if (pad_mode != RSA_PKCS1_PSS_PADDING) { |
2301 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD); |
2302 | 0 | return 0; |
2303 | 0 | } |
2304 | 1.59k | } |
2305 | | |
2306 | 19.2k | prsactx->saltlen = saltlen; |
2307 | 19.2k | prsactx->pad_mode = pad_mode; |
2308 | | |
2309 | 19.2k | if (prsactx->md == NULL && pmdname == NULL |
2310 | 0 | && pad_mode == RSA_PKCS1_PSS_PADDING) |
2311 | 0 | pmdname = RSA_DEFAULT_DIGEST_NAME; |
2312 | | |
2313 | 19.2k | if (pmgf1mdname != NULL |
2314 | 1.59k | && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) |
2315 | 0 | return 0; |
2316 | | |
2317 | 19.2k | if (pmdname != NULL) { |
2318 | 0 | if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx")) |
2319 | 0 | return 0; |
2320 | 19.2k | } else { |
2321 | 19.2k | if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid)) |
2322 | 0 | return 0; |
2323 | 19.2k | } |
2324 | 19.2k | return 1; |
2325 | 19.2k | } |
2326 | | |
2327 | | static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx, |
2328 | | ossl_unused void *provctx) |
2329 | 51.4k | { |
2330 | 51.4k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2331 | | |
2332 | 51.4k | if (prsactx != NULL && !prsactx->flag_allow_md) |
2333 | 51.4k | return rsa_set_ctx_params_no_digest_list; |
2334 | 11 | return rsa_set_ctx_params_list; |
2335 | 51.4k | } |
2336 | | |
2337 | | static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params) |
2338 | 0 | { |
2339 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2340 | |
|
2341 | 0 | if (prsactx->mdctx == NULL) |
2342 | 0 | return 0; |
2343 | | |
2344 | 0 | return EVP_MD_CTX_get_params(prsactx->mdctx, params); |
2345 | 0 | } |
2346 | | |
2347 | | static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx) |
2348 | 0 | { |
2349 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2350 | |
|
2351 | 0 | if (prsactx->md == NULL) |
2352 | 0 | return 0; |
2353 | | |
2354 | 0 | return EVP_MD_gettable_ctx_params(prsactx->md); |
2355 | 0 | } |
2356 | | |
2357 | | static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[]) |
2358 | 0 | { |
2359 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2360 | |
|
2361 | 0 | if (prsactx->mdctx == NULL) |
2362 | 0 | return 0; |
2363 | | |
2364 | 0 | return EVP_MD_CTX_set_params(prsactx->mdctx, params); |
2365 | 0 | } |
2366 | | |
2367 | | static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) |
2368 | 0 | { |
2369 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2370 | |
|
2371 | 0 | if (prsactx->md == NULL) |
2372 | 0 | return 0; |
2373 | | |
2374 | 0 | return EVP_MD_settable_ctx_params(prsactx->md); |
2375 | 0 | } |
2376 | | |
2377 | | const OSSL_DISPATCH ossl_rsa_signature_functions[] = { |
2378 | | { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, |
2379 | | { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, |
2380 | | { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, |
2381 | | { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init }, |
2382 | | { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify }, |
2383 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, |
2384 | | (void (*)(void))rsa_verify_recover_init }, |
2385 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, |
2386 | | (void (*)(void))rsa_verify_recover }, |
2387 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, |
2388 | | (void (*)(void))rsa_digest_sign_init }, |
2389 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, |
2390 | | (void (*)(void))rsa_digest_sign_update }, |
2391 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, |
2392 | | (void (*)(void))rsa_digest_sign_final }, |
2393 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, |
2394 | | (void (*)(void))rsa_digest_verify_init }, |
2395 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, |
2396 | | (void (*)(void))rsa_digest_verify_update }, |
2397 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, |
2398 | | (void (*)(void))rsa_digest_verify_final }, |
2399 | | { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, |
2400 | | { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, |
2401 | | { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params }, |
2402 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, |
2403 | | (void (*)(void))rsa_gettable_ctx_params }, |
2404 | | { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params }, |
2405 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, |
2406 | | (void (*)(void))rsa_settable_ctx_params }, |
2407 | | { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, |
2408 | | (void (*)(void))rsa_get_ctx_md_params }, |
2409 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, |
2410 | | (void (*)(void))rsa_gettable_ctx_md_params }, |
2411 | | { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, |
2412 | | (void (*)(void))rsa_set_ctx_md_params }, |
2413 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, |
2414 | | (void (*)(void))rsa_settable_ctx_md_params }, |
2415 | | OSSL_DISPATCH_END |
2416 | | }; |
2417 | | |
2418 | | /* ------------------------------------------------------------------ */ |
2419 | | |
2420 | | /* |
2421 | | * So called sigalgs (composite RSA+hash) implemented below. They |
2422 | | * are pretty much hard coded, and rely on the hash implementation |
2423 | | * being available as per what OPENSSL_NO_ macros allow. |
2424 | | */ |
2425 | | |
2426 | | static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; |
2427 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; |
2428 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; |
2429 | | |
2430 | | /* |
2431 | | * rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(), |
2432 | | * just doesn't allow fetching an MD from whatever the user chooses. |
2433 | | */ |
2434 | | static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa, |
2435 | | OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, |
2436 | | const OSSL_PARAM params[], |
2437 | | const char *mdname, |
2438 | | int operation, int pad_mode, |
2439 | | const char *desc) |
2440 | 0 | { |
2441 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2442 | |
|
2443 | 0 | if (!ossl_prov_is_running()) |
2444 | 0 | return 0; |
2445 | | |
2446 | 0 | if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation, |
2447 | 0 | desc)) |
2448 | 0 | return 0; |
2449 | | |
2450 | | /* PSS is currently not supported as a sigalg */ |
2451 | 0 | if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
2452 | 0 | ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
2453 | 0 | return 0; |
2454 | 0 | } |
2455 | | |
2456 | 0 | if (!rsa_setup_md(prsactx, mdname, NULL, desc)) |
2457 | 0 | return 0; |
2458 | | |
2459 | 0 | prsactx->pad_mode = pad_mode; |
2460 | 0 | prsactx->flag_sigalg = 1; |
2461 | 0 | prsactx->flag_allow_md = 0; |
2462 | |
|
2463 | 0 | if (prsactx->mdctx == NULL) { |
2464 | 0 | prsactx->mdctx = EVP_MD_CTX_new(); |
2465 | 0 | if (prsactx->mdctx == NULL) |
2466 | 0 | goto error; |
2467 | 0 | } |
2468 | | |
2469 | 0 | if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) |
2470 | 0 | goto error; |
2471 | | |
2472 | 0 | return 1; |
2473 | | |
2474 | 0 | error: |
2475 | 0 | EVP_MD_CTX_free(prsactx->mdctx); |
2476 | 0 | prsactx->mdctx = NULL; |
2477 | 0 | return 0; |
2478 | 0 | } |
2479 | | |
2480 | | static const char **rsa_sigalg_query_key_types(void) |
2481 | 0 | { |
2482 | 0 | static const char *keytypes[] = { "RSA", NULL }; |
2483 | |
|
2484 | 0 | return keytypes; |
2485 | 0 | } |
2486 | | |
2487 | | /* clang-format off */ |
2488 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
2489 | | #ifndef rsa_sigalg_set_ctx_params_list |
2490 | | static const OSSL_PARAM rsa_sigalg_set_ctx_params_list[] = { |
2491 | | OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0), |
2492 | | OSSL_PARAM_END |
2493 | | }; |
2494 | | #endif |
2495 | | |
2496 | | #ifndef rsa_sigalg_set_ctx_params_st |
2497 | | struct rsa_sigalg_set_ctx_params_st { |
2498 | | OSSL_PARAM *sig; |
2499 | | }; |
2500 | | #endif |
2501 | | |
2502 | | #ifndef rsa_sigalg_set_ctx_params_decoder |
2503 | | static int rsa_sigalg_set_ctx_params_decoder |
2504 | | (const OSSL_PARAM *p, struct rsa_sigalg_set_ctx_params_st *r) |
2505 | 10.7k | { |
2506 | 10.7k | const char *s; |
2507 | | |
2508 | 10.7k | memset(r, 0, sizeof(*r)); |
2509 | 10.7k | if (p != NULL) |
2510 | 21.5k | for (; (s = p->key) != NULL; p++) |
2511 | 10.7k | if (ossl_likely(strcmp("signature", s + 0) == 0)) { |
2512 | | /* OSSL_SIGNATURE_PARAM_SIGNATURE */ |
2513 | 10.7k | if (ossl_unlikely(r->sig != NULL)) { |
2514 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2515 | 0 | "param %s is repeated", s); |
2516 | 0 | return 0; |
2517 | 0 | } |
2518 | 10.7k | r->sig = (OSSL_PARAM *)p; |
2519 | 10.7k | } |
2520 | 10.7k | return 1; |
2521 | 10.7k | } |
2522 | | #endif |
2523 | | /* End of machine generated */ |
2524 | | /* clang-format on */ |
2525 | | |
2526 | | static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx, |
2527 | | ossl_unused void *provctx) |
2528 | 4 | { |
2529 | 4 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2530 | | |
2531 | 4 | if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG) |
2532 | 0 | return rsa_sigalg_set_ctx_params_list; |
2533 | 4 | return NULL; |
2534 | 4 | } |
2535 | | |
2536 | | static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) |
2537 | 10.7k | { |
2538 | 10.7k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2539 | 10.7k | struct rsa_sigalg_set_ctx_params_st p; |
2540 | | |
2541 | 10.7k | if (prsactx == NULL || !rsa_sigalg_set_ctx_params_decoder(params, &p)) |
2542 | 0 | return 0; |
2543 | | |
2544 | 10.7k | if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) { |
2545 | 10.7k | if (p.sig != NULL) { |
2546 | 10.7k | OPENSSL_free(prsactx->sig); |
2547 | 10.7k | prsactx->sig = NULL; |
2548 | 10.7k | prsactx->siglen = 0; |
2549 | 10.7k | if (!OSSL_PARAM_get_octet_string(p.sig, (void **)&prsactx->sig, |
2550 | 10.7k | 0, &prsactx->siglen)) |
2551 | 0 | return 0; |
2552 | 10.7k | } |
2553 | 10.7k | } |
2554 | 10.7k | return 1; |
2555 | 10.7k | } |
2556 | | |
2557 | | #define IMPL_RSA_SIGALG(md, MD) \ |
2558 | | static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \ |
2559 | | static OSSL_FUNC_signature_sign_message_init_fn \ |
2560 | | rsa_##md##_sign_message_init; \ |
2561 | | static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \ |
2562 | | static OSSL_FUNC_signature_verify_message_init_fn \ |
2563 | | rsa_##md##_verify_message_init; \ |
2564 | | \ |
2565 | | static int \ |
2566 | | rsa_##md##_sign_init(void *vprsactx, void *vrsa, \ |
2567 | | const OSSL_PARAM params[]) \ |
2568 | 0 | { \ |
2569 | 0 | static const char desc[] = "RSA Sigalg Sign Init"; \ |
2570 | 0 | \ |
2571 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2572 | 0 | rsa_sigalg_set_ctx_params, \ |
2573 | 0 | params, MD, \ |
2574 | 0 | EVP_PKEY_OP_SIGN, \ |
2575 | 0 | RSA_PKCS1_PADDING, \ |
2576 | 0 | desc); \ |
2577 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_sign_init |
2578 | | \ |
2579 | | static int \ |
2580 | | rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \ |
2581 | | const OSSL_PARAM params[]) \ |
2582 | 0 | { \ |
2583 | 0 | static const char desc[] = "RSA Sigalg Sign Message Init"; \ |
2584 | 0 | \ |
2585 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2586 | 0 | rsa_sigalg_set_ctx_params, \ |
2587 | 0 | params, MD, \ |
2588 | 0 | EVP_PKEY_OP_SIGNMSG, \ |
2589 | 0 | RSA_PKCS1_PADDING, \ |
2590 | 0 | desc); \ |
2591 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_sign_message_init |
2592 | | \ |
2593 | | static int \ |
2594 | | rsa_##md##_verify_init(void *vprsactx, void *vrsa, \ |
2595 | | const OSSL_PARAM params[]) \ |
2596 | 0 | { \ |
2597 | 0 | static const char desc[] = "RSA Sigalg Verify Init"; \ |
2598 | 0 | \ |
2599 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2600 | 0 | rsa_sigalg_set_ctx_params, \ |
2601 | 0 | params, MD, \ |
2602 | 0 | EVP_PKEY_OP_VERIFY, \ |
2603 | 0 | RSA_PKCS1_PADDING, \ |
2604 | 0 | desc); \ |
2605 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_verify_init |
2606 | | \ |
2607 | | static int \ |
2608 | | rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \ |
2609 | | const OSSL_PARAM params[]) \ |
2610 | 0 | { \ |
2611 | 0 | static const char desc[] = "RSA Sigalg Verify Recover Init"; \ |
2612 | 0 | \ |
2613 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2614 | 0 | rsa_sigalg_set_ctx_params, \ |
2615 | 0 | params, MD, \ |
2616 | 0 | EVP_PKEY_OP_VERIFYRECOVER, \ |
2617 | 0 | RSA_PKCS1_PADDING, \ |
2618 | 0 | desc); \ |
2619 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_verify_recover_init |
2620 | | \ |
2621 | | static int \ |
2622 | | rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \ |
2623 | | const OSSL_PARAM params[]) \ |
2624 | 0 | { \ |
2625 | 0 | static const char desc[] = "RSA Sigalg Verify Message Init"; \ |
2626 | 0 | \ |
2627 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2628 | 0 | rsa_sigalg_set_ctx_params, \ |
2629 | 0 | params, MD, \ |
2630 | 0 | EVP_PKEY_OP_VERIFYMSG, \ |
2631 | 0 | RSA_PKCS1_PADDING, \ |
2632 | 0 | desc); \ |
2633 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_verify_message_init |
2634 | | \ |
2635 | | const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \ |
2636 | | { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \ |
2637 | | { OSSL_FUNC_SIGNATURE_SIGN_INIT, \ |
2638 | | (void (*)(void))rsa_##md##_sign_init }, \ |
2639 | | { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \ |
2640 | | { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \ |
2641 | | (void (*)(void))rsa_##md##_sign_message_init }, \ |
2642 | | { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \ |
2643 | | (void (*)(void))rsa_signverify_message_update }, \ |
2644 | | { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \ |
2645 | | (void (*)(void))rsa_sign_message_final }, \ |
2646 | | { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \ |
2647 | | (void (*)(void))rsa_##md##_verify_init }, \ |
2648 | | { OSSL_FUNC_SIGNATURE_VERIFY, \ |
2649 | | (void (*)(void))rsa_verify }, \ |
2650 | | { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \ |
2651 | | (void (*)(void))rsa_##md##_verify_message_init }, \ |
2652 | | { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \ |
2653 | | (void (*)(void))rsa_signverify_message_update }, \ |
2654 | | { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \ |
2655 | | (void (*)(void))rsa_verify_message_final }, \ |
2656 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \ |
2657 | | (void (*)(void))rsa_##md##_verify_recover_init }, \ |
2658 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \ |
2659 | | (void (*)(void))rsa_verify_recover }, \ |
2660 | | { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \ |
2661 | | { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \ |
2662 | | { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \ |
2663 | | (void (*)(void))rsa_sigalg_query_key_types }, \ |
2664 | | { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \ |
2665 | | (void (*)(void))rsa_get_ctx_params }, \ |
2666 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \ |
2667 | | (void (*)(void))rsa_gettable_ctx_params }, \ |
2668 | | { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \ |
2669 | | (void (*)(void))rsa_sigalg_set_ctx_params }, \ |
2670 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \ |
2671 | | (void (*)(void))rsa_sigalg_settable_ctx_params }, \ |
2672 | | OSSL_DISPATCH_END \ |
2673 | | } |
2674 | | |
2675 | | #if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE) |
2676 | | IMPL_RSA_SIGALG(ripemd160, "RIPEMD160"); |
2677 | | #endif |
2678 | | IMPL_RSA_SIGALG(sha1, "SHA1"); |
2679 | | IMPL_RSA_SIGALG(sha224, "SHA2-224"); |
2680 | | IMPL_RSA_SIGALG(sha256, "SHA2-256"); |
2681 | | IMPL_RSA_SIGALG(sha384, "SHA2-384"); |
2682 | | IMPL_RSA_SIGALG(sha512, "SHA2-512"); |
2683 | | IMPL_RSA_SIGALG(sha512_224, "SHA2-512/224"); |
2684 | | IMPL_RSA_SIGALG(sha512_256, "SHA2-512/256"); |
2685 | | IMPL_RSA_SIGALG(sha3_224, "SHA3-224"); |
2686 | | IMPL_RSA_SIGALG(sha3_256, "SHA3-256"); |
2687 | | IMPL_RSA_SIGALG(sha3_384, "SHA3-384"); |
2688 | | IMPL_RSA_SIGALG(sha3_512, "SHA3-512"); |
2689 | | #if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE) |
2690 | | IMPL_RSA_SIGALG(sm3, "SM3"); |
2691 | | #endif |