/src/openssl36/providers/implementations/signature/rsa_sig.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2019-2026 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | /* clang-format off */ |
10 | | |
11 | | /* clang-format on */ |
12 | | |
13 | | /* |
14 | | * RSA low level APIs are deprecated for public use, but still ok for |
15 | | * internal use. |
16 | | */ |
17 | | #include "internal/deprecated.h" |
18 | | |
19 | | #include <string.h> |
20 | | #include <openssl/crypto.h> |
21 | | #include <openssl/core_dispatch.h> |
22 | | #include <openssl/core_names.h> |
23 | | #include <openssl/err.h> |
24 | | #include <openssl/obj_mac.h> |
25 | | #include <openssl/rsa.h> |
26 | | #include <openssl/params.h> |
27 | | #include <openssl/evp.h> |
28 | | #include <openssl/proverr.h> |
29 | | #include "internal/cryptlib.h" |
30 | | #include "internal/nelem.h" |
31 | | #include "internal/sizes.h" |
32 | | #include "crypto/rsa.h" |
33 | | #include "prov/providercommon.h" |
34 | | #include "prov/implementations.h" |
35 | | #include "prov/provider_ctx.h" |
36 | | #include "prov/der_rsa.h" |
37 | | #include "prov/securitycheck.h" |
38 | | |
39 | 0 | #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 |
40 | | |
41 | | static OSSL_FUNC_signature_newctx_fn rsa_newctx; |
42 | | static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; |
43 | | static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; |
44 | | static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; |
45 | | static OSSL_FUNC_signature_sign_fn rsa_sign; |
46 | | static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update; |
47 | | static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final; |
48 | | static OSSL_FUNC_signature_verify_fn rsa_verify; |
49 | | static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover; |
50 | | static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update; |
51 | | static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final; |
52 | | static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init; |
53 | | static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update; |
54 | | static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; |
55 | | static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; |
56 | | static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update; |
57 | | static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; |
58 | | static OSSL_FUNC_signature_freectx_fn rsa_freectx; |
59 | | static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; |
60 | | static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; |
61 | | static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; |
62 | | static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; |
63 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params; |
64 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params; |
65 | | static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params; |
66 | | static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params; |
67 | | static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params; |
68 | | static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params; |
69 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; |
70 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; |
71 | | |
72 | | static OSSL_ITEM padding_item[] = { |
73 | | { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 }, |
74 | | { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE }, |
75 | | { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 }, |
76 | | { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS }, |
77 | | { 0, NULL } |
78 | | }; |
79 | | |
80 | | /* |
81 | | * What's passed as an actual key is defined by the KEYMGMT interface. |
82 | | * We happen to know that our KEYMGMT simply passes RSA structures, so |
83 | | * we use that here too. |
84 | | */ |
85 | | |
86 | | typedef struct { |
87 | | OSSL_LIB_CTX *libctx; |
88 | | char *propq; |
89 | | RSA *rsa; |
90 | | int operation; |
91 | | |
92 | | /* |
93 | | * Flag to determine if a full sigalg is run (1) or if a composable |
94 | | * signature algorithm is run (0). |
95 | | * |
96 | | * When a full sigalg is run (1), this currently affects the following |
97 | | * other flags, which are to remain untouched after their initialization: |
98 | | * |
99 | | * - flag_allow_md (initialized to 0) |
100 | | */ |
101 | | unsigned int flag_sigalg : 1; |
102 | | /* |
103 | | * Flag to determine if the hash function can be changed (1) or not (0) |
104 | | * Because it's dangerous to change during a DigestSign or DigestVerify |
105 | | * operation, this flag is cleared by their Init function, and set again |
106 | | * by their Final function. |
107 | | * Implementations of full sigalgs (such as RSA-SHA256) hard-code this |
108 | | * flag to not allow changes (0). |
109 | | */ |
110 | | unsigned int flag_allow_md : 1; |
111 | | unsigned int mgf1_md_set : 1; |
112 | | /* |
113 | | * Flags to say what are the possible next external calls in what |
114 | | * constitutes the life cycle of an algorithm. The relevant calls are: |
115 | | * - init |
116 | | * - update |
117 | | * - final |
118 | | * - oneshot |
119 | | * All other external calls are regarded as utilitarian and are allowed |
120 | | * at any time (they may be affected by other flags, like flag_allow_md, |
121 | | * though). |
122 | | */ |
123 | | unsigned int flag_allow_update : 1; |
124 | | unsigned int flag_allow_final : 1; |
125 | | unsigned int flag_allow_oneshot : 1; |
126 | | |
127 | | /* main digest */ |
128 | | EVP_MD *md; |
129 | | EVP_MD_CTX *mdctx; |
130 | | int mdnid; |
131 | | char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ |
132 | | |
133 | | /* RSA padding mode */ |
134 | | int pad_mode; |
135 | | /* message digest for MGF1 */ |
136 | | EVP_MD *mgf1_md; |
137 | | int mgf1_mdnid; |
138 | | char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ |
139 | | /* PSS salt length */ |
140 | | int saltlen; |
141 | | /* Minimum salt length or -1 if no PSS parameter restriction */ |
142 | | int min_saltlen; |
143 | | |
144 | | /* Signature, for verification */ |
145 | | unsigned char *sig; |
146 | | size_t siglen; |
147 | | |
148 | | #ifdef FIPS_MODULE |
149 | | /* |
150 | | * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a |
151 | | * message is not permitted. However, signing based on a digest is still |
152 | | * permitted. |
153 | | */ |
154 | | int verify_message; |
155 | | #endif |
156 | | |
157 | | /* Temp buffer */ |
158 | | unsigned char *tbuf; |
159 | | |
160 | | OSSL_FIPS_IND_DECLARE |
161 | | } PROV_RSA_CTX; |
162 | | |
163 | | /* True if PSS parameters are restricted */ |
164 | 69.0k | #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) |
165 | | |
166 | | static int rsa_get_md_size(const PROV_RSA_CTX *prsactx) |
167 | 25.1k | { |
168 | 25.1k | int md_size; |
169 | | |
170 | 25.1k | if (prsactx->md != NULL) { |
171 | 25.1k | md_size = EVP_MD_get_size(prsactx->md); |
172 | 25.1k | if (md_size <= 0) |
173 | 0 | return 0; |
174 | 25.1k | return md_size; |
175 | 25.1k | } |
176 | 0 | return 0; |
177 | 25.1k | } |
178 | | |
179 | | static int rsa_check_padding(const PROV_RSA_CTX *prsactx, |
180 | | const char *mdname, const char *mgf1_mdname, |
181 | | int mdnid) |
182 | 128k | { |
183 | 128k | switch (prsactx->pad_mode) { |
184 | 0 | case RSA_NO_PADDING: |
185 | 0 | if (mdname != NULL || mdnid != NID_undef) { |
186 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); |
187 | 0 | return 0; |
188 | 0 | } |
189 | 0 | break; |
190 | 0 | case RSA_X931_PADDING: |
191 | 0 | if (RSA_X931_hash_id(mdnid) == -1) { |
192 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); |
193 | 0 | return 0; |
194 | 0 | } |
195 | 0 | break; |
196 | 59.2k | case RSA_PKCS1_PSS_PADDING: |
197 | 59.2k | if (rsa_pss_restricted(prsactx)) |
198 | 1.82k | if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname)) |
199 | 1.79k | || (mgf1_mdname != NULL |
200 | 445 | && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) { |
201 | 36 | ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); |
202 | 36 | return 0; |
203 | 36 | } |
204 | 59.2k | break; |
205 | 69.0k | default: |
206 | 69.0k | break; |
207 | 128k | } |
208 | | |
209 | 128k | return 1; |
210 | 128k | } |
211 | | |
212 | | static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) |
213 | 529 | { |
214 | 529 | if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
215 | 529 | int max_saltlen; |
216 | | |
217 | | /* See if minimum salt length exceeds maximum possible */ |
218 | 529 | max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md); |
219 | 529 | if ((RSA_bits(prsactx->rsa) & 0x7) == 1) |
220 | 161 | max_saltlen--; |
221 | 529 | if (min_saltlen < 0 || min_saltlen > max_saltlen) { |
222 | 42 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
223 | 42 | return 0; |
224 | 42 | } |
225 | 487 | prsactx->min_saltlen = min_saltlen; |
226 | 487 | } |
227 | 487 | return 1; |
228 | 529 | } |
229 | | |
230 | | static void *rsa_newctx(void *provctx, const char *propq) |
231 | 70.0k | { |
232 | 70.0k | PROV_RSA_CTX *prsactx = NULL; |
233 | 70.0k | char *propq_copy = NULL; |
234 | | |
235 | 70.0k | if (!ossl_prov_is_running()) |
236 | 0 | return NULL; |
237 | | |
238 | 70.0k | if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL |
239 | 70.0k | || (propq != NULL |
240 | 0 | && (propq_copy = OPENSSL_strdup(propq)) == NULL)) { |
241 | 0 | OPENSSL_free(prsactx); |
242 | 0 | return NULL; |
243 | 0 | } |
244 | | |
245 | 70.0k | OSSL_FIPS_IND_INIT(prsactx) |
246 | 70.0k | prsactx->libctx = PROV_LIBCTX_OF(provctx); |
247 | 70.0k | prsactx->flag_allow_md = 1; |
248 | | #ifdef FIPS_MODULE |
249 | | prsactx->verify_message = 1; |
250 | | #endif |
251 | 70.0k | prsactx->propq = propq_copy; |
252 | | /* Maximum up to digest length for sign, auto for verify */ |
253 | 70.0k | prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
254 | 70.0k | prsactx->min_saltlen = -1; |
255 | 70.0k | return prsactx; |
256 | 70.0k | } |
257 | | |
258 | | static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) |
259 | 0 | { |
260 | 0 | int saltlen = ctx->saltlen; |
261 | 0 | int saltlenMax = -1; |
262 | | |
263 | | /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection |
264 | | * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the |
265 | | * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of |
266 | | * the hash function output block (in bytes)." |
267 | | * |
268 | | * Provide a way to use at most the digest length, so that the default does |
269 | | * not violate FIPS 186-4. */ |
270 | 0 | if (saltlen == RSA_PSS_SALTLEN_DIGEST) { |
271 | 0 | if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) { |
272 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
273 | 0 | return -1; |
274 | 0 | } |
275 | 0 | } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
276 | 0 | saltlen = RSA_PSS_SALTLEN_MAX; |
277 | 0 | if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) { |
278 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
279 | 0 | return -1; |
280 | 0 | } |
281 | 0 | } |
282 | 0 | if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { |
283 | 0 | int mdsize, rsasize; |
284 | |
|
285 | 0 | if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) { |
286 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); |
287 | 0 | return -1; |
288 | 0 | } |
289 | 0 | if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) { |
290 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); |
291 | 0 | return -1; |
292 | 0 | } |
293 | 0 | saltlen = rsasize - mdsize - 2; |
294 | 0 | if ((RSA_bits(ctx->rsa) & 0x7) == 1) |
295 | 0 | saltlen--; |
296 | 0 | if (saltlenMax >= 0 && saltlen > saltlenMax) |
297 | 0 | saltlen = saltlenMax; |
298 | 0 | } |
299 | 0 | if (saltlen < 0) { |
300 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
301 | 0 | return -1; |
302 | 0 | } else if (saltlen < ctx->min_saltlen) { |
303 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, |
304 | 0 | "minimum salt length: %d, actual salt length: %d", |
305 | 0 | ctx->min_saltlen, saltlen); |
306 | 0 | return -1; |
307 | 0 | } |
308 | 0 | return saltlen; |
309 | 0 | } |
310 | | |
311 | | static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, |
312 | | unsigned char *aid_buf, |
313 | | size_t buf_len, |
314 | | size_t *aid_len) |
315 | 0 | { |
316 | 0 | WPACKET pkt; |
317 | 0 | unsigned char *aid = NULL; |
318 | 0 | int saltlen; |
319 | 0 | RSA_PSS_PARAMS_30 pss_params; |
320 | 0 | int ret; |
321 | |
|
322 | 0 | if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { |
323 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB); |
324 | 0 | return NULL; |
325 | 0 | } |
326 | | |
327 | 0 | switch (ctx->pad_mode) { |
328 | 0 | case RSA_PKCS1_PADDING: |
329 | 0 | ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, |
330 | 0 | ctx->mdnid); |
331 | |
|
332 | 0 | if (ret > 0) { |
333 | 0 | break; |
334 | 0 | } else if (ret == 0) { |
335 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
336 | 0 | goto cleanup; |
337 | 0 | } |
338 | 0 | ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, |
339 | 0 | "Algorithm ID generation - md NID: %d", |
340 | 0 | ctx->mdnid); |
341 | 0 | goto cleanup; |
342 | 0 | case RSA_PKCS1_PSS_PADDING: |
343 | 0 | saltlen = rsa_pss_compute_saltlen(ctx); |
344 | 0 | if (saltlen < 0) |
345 | 0 | goto cleanup; |
346 | 0 | if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) |
347 | 0 | || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) |
348 | 0 | || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, |
349 | 0 | ctx->mgf1_mdnid) |
350 | 0 | || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) |
351 | 0 | || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, |
352 | 0 | RSA_FLAG_TYPE_RSASSAPSS, |
353 | 0 | &pss_params)) { |
354 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
355 | 0 | goto cleanup; |
356 | 0 | } |
357 | 0 | break; |
358 | 0 | default: |
359 | 0 | ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, |
360 | 0 | "Algorithm ID generation - pad mode: %d", |
361 | 0 | ctx->pad_mode); |
362 | 0 | goto cleanup; |
363 | 0 | } |
364 | 0 | if (WPACKET_finish(&pkt)) { |
365 | 0 | WPACKET_get_total_written(&pkt, aid_len); |
366 | 0 | aid = WPACKET_get_curr(&pkt); |
367 | 0 | } |
368 | 0 | cleanup: |
369 | 0 | WPACKET_cleanup(&pkt); |
370 | 0 | return aid; |
371 | 0 | } |
372 | | |
373 | | static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, |
374 | | const char *mdprops, const char *desc) |
375 | 44.5k | { |
376 | 44.5k | EVP_MD *md = NULL; |
377 | | |
378 | 44.5k | if (mdprops == NULL) |
379 | 44.5k | mdprops = ctx->propq; |
380 | | |
381 | 44.5k | if (mdname != NULL) { |
382 | 44.5k | int md_nid; |
383 | 44.5k | size_t mdname_len = strlen(mdname); |
384 | | |
385 | 44.5k | md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); |
386 | | |
387 | 44.5k | if (md == NULL) { |
388 | 94 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
389 | 94 | "%s could not be fetched", mdname); |
390 | 94 | goto err; |
391 | 94 | } |
392 | 44.4k | md_nid = ossl_digest_rsa_sign_get_md_nid(md); |
393 | 44.4k | if (md_nid == NID_undef) { |
394 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
395 | 0 | "digest=%s", mdname); |
396 | 0 | goto err; |
397 | 0 | } |
398 | | /* |
399 | | * XOF digests are not allowed except for RSA PSS. |
400 | | * We don't support XOF digests with RSA PSS (yet), so just fail. |
401 | | * When we do support them, uncomment the second clause. |
402 | | */ |
403 | 44.4k | if (EVP_MD_xof(md) |
404 | 44.4k | /* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) { |
405 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); |
406 | 0 | goto err; |
407 | 0 | } |
408 | | #ifdef FIPS_MODULE |
409 | | { |
410 | | int sha1_allowed |
411 | | = ((ctx->operation |
412 | | & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) |
413 | | == 0); |
414 | | |
415 | | if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), |
416 | | OSSL_FIPS_IND_SETTABLE1, |
417 | | ctx->libctx, |
418 | | md_nid, sha1_allowed, 1, desc, |
419 | | ossl_fips_config_signature_digest_check)) |
420 | | goto err; |
421 | | } |
422 | | #endif |
423 | | |
424 | 44.4k | if (!rsa_check_padding(ctx, mdname, NULL, md_nid)) |
425 | 27 | goto err; |
426 | 44.4k | if (mdname_len >= sizeof(ctx->mdname)) { |
427 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
428 | 0 | "%s exceeds name buffer length", mdname); |
429 | 0 | goto err; |
430 | 0 | } |
431 | | |
432 | 44.4k | if (!ctx->flag_allow_md) { |
433 | 0 | if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { |
434 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
435 | 0 | "digest %s != %s", mdname, ctx->mdname); |
436 | 0 | goto err; |
437 | 0 | } |
438 | 0 | EVP_MD_free(md); |
439 | 0 | return 1; |
440 | 0 | } |
441 | | |
442 | 44.4k | if (!ctx->mgf1_md_set) { |
443 | 44.1k | if (!EVP_MD_up_ref(md)) { |
444 | 0 | goto err; |
445 | 0 | } |
446 | 44.1k | EVP_MD_free(ctx->mgf1_md); |
447 | 44.1k | ctx->mgf1_md = md; |
448 | 44.1k | ctx->mgf1_mdnid = md_nid; |
449 | 44.1k | OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); |
450 | 44.1k | } |
451 | | |
452 | 44.4k | EVP_MD_CTX_free(ctx->mdctx); |
453 | 44.4k | EVP_MD_free(ctx->md); |
454 | | |
455 | 44.4k | ctx->mdctx = NULL; |
456 | 44.4k | ctx->md = md; |
457 | 44.4k | ctx->mdnid = md_nid; |
458 | 44.4k | OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); |
459 | 44.4k | } |
460 | | |
461 | 44.4k | return 1; |
462 | 121 | err: |
463 | 121 | EVP_MD_free(md); |
464 | 121 | return 0; |
465 | 44.5k | } |
466 | | |
467 | | static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, |
468 | | const char *mdprops) |
469 | 5.97k | { |
470 | 5.97k | size_t len; |
471 | 5.97k | EVP_MD *md = NULL; |
472 | 5.97k | int mdnid; |
473 | | |
474 | 5.97k | if (mdprops == NULL) |
475 | 5.97k | mdprops = ctx->propq; |
476 | | |
477 | 5.97k | if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { |
478 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
479 | 0 | "%s could not be fetched", mdname); |
480 | 0 | return 0; |
481 | 0 | } |
482 | | /* The default for mgf1 is SHA1 - so allow SHA1 */ |
483 | 5.97k | if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0 |
484 | 5.97k | || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { |
485 | 0 | if (mdnid <= 0) |
486 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |
487 | 0 | "digest=%s", mdname); |
488 | 0 | EVP_MD_free(md); |
489 | 0 | return 0; |
490 | 0 | } |
491 | 5.97k | len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); |
492 | 5.97k | if (len >= sizeof(ctx->mgf1_mdname)) { |
493 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
494 | 0 | "%s exceeds name buffer length", mdname); |
495 | 0 | EVP_MD_free(md); |
496 | 0 | return 0; |
497 | 0 | } |
498 | | |
499 | 5.97k | EVP_MD_free(ctx->mgf1_md); |
500 | 5.97k | ctx->mgf1_md = md; |
501 | 5.97k | ctx->mgf1_mdnid = mdnid; |
502 | 5.97k | ctx->mgf1_md_set = 1; |
503 | 5.97k | return 1; |
504 | 5.97k | } |
505 | | |
506 | | static int |
507 | | rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa, |
508 | | OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, |
509 | | const OSSL_PARAM params[], int operation, |
510 | | const char *desc) |
511 | 44.5k | { |
512 | 44.5k | int protect; |
513 | | |
514 | 44.5k | if (!ossl_prov_is_running() || prsactx == NULL) |
515 | 0 | return 0; |
516 | | |
517 | 44.5k | if (vrsa == NULL && prsactx->rsa == NULL) { |
518 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); |
519 | 0 | return 0; |
520 | 0 | } |
521 | | |
522 | 44.5k | if (vrsa != NULL) { |
523 | 44.5k | if (!RSA_up_ref(vrsa)) |
524 | 0 | return 0; |
525 | 44.5k | RSA_free(prsactx->rsa); |
526 | 44.5k | prsactx->rsa = vrsa; |
527 | 44.5k | } |
528 | 44.5k | if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect)) |
529 | 0 | return 0; |
530 | | |
531 | 44.5k | prsactx->operation = operation; |
532 | 44.5k | prsactx->flag_allow_update = 1; |
533 | 44.5k | prsactx->flag_allow_final = 1; |
534 | 44.5k | prsactx->flag_allow_oneshot = 1; |
535 | | |
536 | | /* Maximize up to digest length for sign, auto for verify */ |
537 | 44.5k | prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
538 | 44.5k | prsactx->min_saltlen = -1; |
539 | | |
540 | 44.5k | switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { |
541 | 44.0k | case RSA_FLAG_TYPE_RSA: |
542 | 44.0k | prsactx->pad_mode = RSA_PKCS1_PADDING; |
543 | 44.0k | break; |
544 | 456 | case RSA_FLAG_TYPE_RSASSAPSS: |
545 | 456 | prsactx->pad_mode = RSA_PKCS1_PSS_PADDING; |
546 | | |
547 | 456 | { |
548 | 456 | const RSA_PSS_PARAMS_30 *pss = ossl_rsa_get0_pss_params_30(prsactx->rsa); |
549 | | |
550 | 456 | if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { |
551 | 250 | int md_nid = ossl_rsa_pss_params_30_hashalg(pss); |
552 | 250 | int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); |
553 | 250 | int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss); |
554 | 250 | const char *mdname, *mgf1mdname; |
555 | 250 | size_t len; |
556 | | |
557 | 250 | mdname = ossl_rsa_oaeppss_nid2name(md_nid); |
558 | 250 | mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); |
559 | | |
560 | 250 | if (mdname == NULL) { |
561 | 1 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
562 | 1 | "PSS restrictions lack hash algorithm"); |
563 | 1 | return 0; |
564 | 1 | } |
565 | 249 | if (mgf1mdname == NULL) { |
566 | 1 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
567 | 1 | "PSS restrictions lack MGF1 hash algorithm"); |
568 | 1 | return 0; |
569 | 1 | } |
570 | | |
571 | 248 | len = OPENSSL_strlcpy(prsactx->mdname, mdname, |
572 | 248 | sizeof(prsactx->mdname)); |
573 | 248 | if (len >= sizeof(prsactx->mdname)) { |
574 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
575 | 0 | "hash algorithm name too long"); |
576 | 0 | return 0; |
577 | 0 | } |
578 | 248 | len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, |
579 | 248 | sizeof(prsactx->mgf1_mdname)); |
580 | 248 | if (len >= sizeof(prsactx->mgf1_mdname)) { |
581 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, |
582 | 0 | "MGF1 hash algorithm name too long"); |
583 | 0 | return 0; |
584 | 0 | } |
585 | 248 | prsactx->saltlen = min_saltlen; |
586 | | |
587 | | /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ |
588 | 248 | if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) |
589 | 248 | || !rsa_setup_md(prsactx, mdname, prsactx->propq, desc) |
590 | 248 | || !rsa_check_parameters(prsactx, min_saltlen)) |
591 | 25 | return 0; |
592 | 248 | } |
593 | 456 | } |
594 | | |
595 | 429 | break; |
596 | 429 | default: |
597 | 0 | ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
598 | 0 | return 0; |
599 | 44.5k | } |
600 | | |
601 | 44.4k | OSSL_FIPS_IND_SET_APPROVED(prsactx) |
602 | 44.4k | if (!set_ctx_params(prsactx, params)) |
603 | 0 | return 0; |
604 | | #ifdef FIPS_MODULE |
605 | | if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx), |
606 | | OSSL_FIPS_IND_SETTABLE0, prsactx->libctx, |
607 | | prsactx->rsa, desc, protect)) |
608 | | return 0; |
609 | | #endif |
610 | 44.4k | return 1; |
611 | 44.4k | } |
612 | | |
613 | | static int setup_tbuf(PROV_RSA_CTX *ctx) |
614 | 23.4k | { |
615 | 23.4k | if (ctx->tbuf != NULL) |
616 | 0 | return 1; |
617 | 23.4k | if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) |
618 | 25 | return 0; |
619 | 23.4k | return 1; |
620 | 23.4k | } |
621 | | |
622 | | static void clean_tbuf(PROV_RSA_CTX *ctx) |
623 | 106k | { |
624 | 106k | if (ctx->tbuf != NULL) |
625 | 24.7k | OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa)); |
626 | 106k | } |
627 | | |
628 | | static void free_tbuf(PROV_RSA_CTX *ctx) |
629 | 104k | { |
630 | 104k | clean_tbuf(ctx); |
631 | 104k | OPENSSL_free(ctx->tbuf); |
632 | 104k | ctx->tbuf = NULL; |
633 | 104k | } |
634 | | |
635 | | #ifdef FIPS_MODULE |
636 | | static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen) |
637 | | { |
638 | | int mdsize = rsa_get_md_size(ctx); |
639 | | /* |
640 | | * Perform the check if the salt length is compliant to FIPS 186-5. |
641 | | * |
642 | | * According to FIPS 186-5 5.4 (g), the salt length shall be between zero |
643 | | * and the output block length of the digest function (inclusive). |
644 | | */ |
645 | | int approved = (saltlen >= 0 && saltlen <= mdsize); |
646 | | |
647 | | if (!approved) { |
648 | | if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3, |
649 | | ctx->libctx, |
650 | | algoname, "PSS Salt Length", |
651 | | ossl_fips_config_rsa_pss_saltlen_check)) { |
652 | | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
653 | | return 0; |
654 | | } |
655 | | } |
656 | | |
657 | | return 1; |
658 | | } |
659 | | #endif |
660 | | |
661 | | static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[]) |
662 | 0 | { |
663 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
664 | |
|
665 | | #ifdef FIPS_MODULE |
666 | | if (prsactx != NULL) |
667 | | prsactx->verify_message = 1; |
668 | | #endif |
669 | |
|
670 | 0 | return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
671 | 0 | EVP_PKEY_OP_SIGN, "RSA Sign Init"); |
672 | 0 | } |
673 | | |
674 | | /* |
675 | | * Sign tbs without digesting it first. This is suitable for "primitive" |
676 | | * signing and signing the digest of a message, i.e. should be used with |
677 | | * implementations of the keytype related algorithms. |
678 | | */ |
679 | | static int rsa_sign_directly(PROV_RSA_CTX *prsactx, |
680 | | unsigned char *sig, size_t *siglen, size_t sigsize, |
681 | | const unsigned char *tbs, size_t tbslen) |
682 | 8.36k | { |
683 | 8.36k | int ret; |
684 | 8.36k | size_t rsasize = RSA_size(prsactx->rsa); |
685 | 8.36k | size_t mdsize = rsa_get_md_size(prsactx); |
686 | | |
687 | 8.36k | if (!ossl_prov_is_running()) |
688 | 0 | return 0; |
689 | | |
690 | 8.36k | if (sig == NULL) { |
691 | 4.18k | *siglen = rsasize; |
692 | 4.18k | return 1; |
693 | 4.18k | } |
694 | | |
695 | 4.18k | if (sigsize < rsasize) { |
696 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, |
697 | 0 | "is %zu, should be at least %zu", sigsize, rsasize); |
698 | 0 | return 0; |
699 | 0 | } |
700 | | |
701 | 4.18k | if (mdsize != 0) { |
702 | 4.18k | if (tbslen != mdsize) { |
703 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); |
704 | 0 | return 0; |
705 | 0 | } |
706 | | |
707 | 4.18k | #ifndef FIPS_MODULE |
708 | 4.18k | if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) { |
709 | 0 | unsigned int sltmp; |
710 | |
|
711 | 0 | if (prsactx->pad_mode != RSA_PKCS1_PADDING) { |
712 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
713 | 0 | "only PKCS#1 padding supported with MDC2"); |
714 | 0 | return 0; |
715 | 0 | } |
716 | 0 | ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, (unsigned int)tbslen, sig, |
717 | 0 | &sltmp, prsactx->rsa); |
718 | |
|
719 | 0 | if (ret <= 0) { |
720 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
721 | 0 | return 0; |
722 | 0 | } |
723 | 0 | ret = sltmp; |
724 | 0 | goto end; |
725 | 0 | } |
726 | 4.18k | #endif |
727 | 4.18k | switch (prsactx->pad_mode) { |
728 | 0 | case RSA_X931_PADDING: |
729 | 0 | if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) { |
730 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL, |
731 | 0 | "RSA key size = %d, expected minimum = %d", |
732 | 0 | RSA_size(prsactx->rsa), tbslen + 1); |
733 | 0 | return 0; |
734 | 0 | } |
735 | 0 | if (!setup_tbuf(prsactx)) { |
736 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB); |
737 | 0 | return 0; |
738 | 0 | } |
739 | 0 | memcpy(prsactx->tbuf, tbs, tbslen); |
740 | 0 | prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid); |
741 | 0 | ret = RSA_private_encrypt((int)(tbslen + 1), prsactx->tbuf, |
742 | 0 | sig, prsactx->rsa, RSA_X931_PADDING); |
743 | 0 | clean_tbuf(prsactx); |
744 | 0 | break; |
745 | 3.12k | case RSA_PKCS1_PADDING: { |
746 | 3.12k | unsigned int sltmp; |
747 | | |
748 | 3.12k | ret = RSA_sign(prsactx->mdnid, tbs, (unsigned int)tbslen, |
749 | 3.12k | sig, &sltmp, prsactx->rsa); |
750 | 3.12k | if (ret <= 0) { |
751 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
752 | 0 | return 0; |
753 | 0 | } |
754 | 3.12k | ret = sltmp; |
755 | 3.12k | } break; |
756 | | |
757 | 1.05k | case RSA_PKCS1_PSS_PADDING: { |
758 | 1.05k | int saltlen; |
759 | | |
760 | | /* Check PSS restrictions */ |
761 | 1.05k | if (rsa_pss_restricted(prsactx)) { |
762 | 0 | switch (prsactx->saltlen) { |
763 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
764 | 0 | if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { |
765 | 0 | ERR_raise_data(ERR_LIB_PROV, |
766 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
767 | 0 | "minimum salt length set to %d, " |
768 | 0 | "but the digest only gives %d", |
769 | 0 | prsactx->min_saltlen, |
770 | 0 | EVP_MD_get_size(prsactx->md)); |
771 | 0 | return 0; |
772 | 0 | } |
773 | | /* FALLTHRU */ |
774 | 0 | default: |
775 | 0 | if (prsactx->saltlen >= 0 |
776 | 0 | && prsactx->saltlen < prsactx->min_saltlen) { |
777 | 0 | ERR_raise_data(ERR_LIB_PROV, |
778 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
779 | 0 | "minimum salt length set to %d, but the" |
780 | 0 | "actual salt length is only set to %d", |
781 | 0 | prsactx->min_saltlen, |
782 | 0 | prsactx->saltlen); |
783 | 0 | return 0; |
784 | 0 | } |
785 | 0 | break; |
786 | 0 | } |
787 | 0 | } |
788 | 1.05k | if (!setup_tbuf(prsactx)) |
789 | 0 | return 0; |
790 | 1.05k | saltlen = prsactx->saltlen; |
791 | 1.05k | if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa, |
792 | 1.05k | prsactx->tbuf, tbs, |
793 | 1.05k | prsactx->md, prsactx->mgf1_md, |
794 | 1.05k | &saltlen)) { |
795 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
796 | 0 | return 0; |
797 | 0 | } |
798 | | #ifdef FIPS_MODULE |
799 | | if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen)) |
800 | | return 0; |
801 | | #endif |
802 | 1.05k | ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf, |
803 | 1.05k | sig, prsactx->rsa, RSA_NO_PADDING); |
804 | 1.05k | clean_tbuf(prsactx); |
805 | 1.05k | } break; |
806 | | |
807 | 0 | default: |
808 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
809 | 0 | "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); |
810 | 0 | return 0; |
811 | 4.18k | } |
812 | 4.18k | } else { |
813 | 0 | ret = RSA_private_encrypt((int)tbslen, tbs, sig, prsactx->rsa, |
814 | 0 | prsactx->pad_mode); |
815 | 0 | } |
816 | | |
817 | 4.18k | #ifndef FIPS_MODULE |
818 | 4.18k | end: |
819 | 4.18k | #endif |
820 | 4.18k | if (ret <= 0) { |
821 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
822 | 0 | return 0; |
823 | 0 | } |
824 | | |
825 | 4.18k | *siglen = ret; |
826 | 4.18k | return 1; |
827 | 4.18k | } |
828 | | |
829 | | static int rsa_signverify_message_update(void *vprsactx, |
830 | | const unsigned char *data, |
831 | | size_t datalen) |
832 | 25.6k | { |
833 | 25.6k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
834 | | |
835 | 25.6k | if (prsactx == NULL || prsactx->mdctx == NULL) |
836 | 0 | return 0; |
837 | | |
838 | 25.6k | if (!prsactx->flag_allow_update) { |
839 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER); |
840 | 0 | return 0; |
841 | 0 | } |
842 | 25.6k | prsactx->flag_allow_oneshot = 0; |
843 | | |
844 | 25.6k | return EVP_DigestUpdate(prsactx->mdctx, data, datalen); |
845 | 25.6k | } |
846 | | |
847 | | static int rsa_sign_message_final(void *vprsactx, unsigned char *sig, |
848 | | size_t *siglen, size_t sigsize) |
849 | 8.36k | { |
850 | 8.36k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
851 | 8.36k | unsigned char digest[EVP_MAX_MD_SIZE]; |
852 | 8.36k | unsigned int dlen = 0; |
853 | | |
854 | 8.36k | if (!ossl_prov_is_running() || prsactx == NULL) |
855 | 0 | return 0; |
856 | 8.36k | if (prsactx->mdctx == NULL) |
857 | 0 | return 0; |
858 | 8.36k | if (!prsactx->flag_allow_final) { |
859 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); |
860 | 0 | return 0; |
861 | 0 | } |
862 | | |
863 | | /* |
864 | | * If sig is NULL then we're just finding out the sig size. Other fields |
865 | | * are ignored. Defer to rsa_sign. |
866 | | */ |
867 | 8.36k | if (sig != NULL) { |
868 | | /* |
869 | | * The digests used here are all known (see rsa_get_md_nid()), so they |
870 | | * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. |
871 | | */ |
872 | 4.18k | if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) |
873 | 0 | return 0; |
874 | | |
875 | 4.18k | prsactx->flag_allow_update = 0; |
876 | 4.18k | prsactx->flag_allow_oneshot = 0; |
877 | 4.18k | prsactx->flag_allow_final = 0; |
878 | 4.18k | } |
879 | | |
880 | 8.36k | return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen); |
881 | 8.36k | } |
882 | | |
883 | | /* |
884 | | * If signing a message, digest tbs and sign the result. |
885 | | * Otherwise, sign tbs directly. |
886 | | */ |
887 | | static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, |
888 | | size_t sigsize, const unsigned char *tbs, size_t tbslen) |
889 | 0 | { |
890 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
891 | |
|
892 | 0 | if (!ossl_prov_is_running() || prsactx == NULL) |
893 | 0 | return 0; |
894 | 0 | if (!prsactx->flag_allow_oneshot) { |
895 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); |
896 | 0 | return 0; |
897 | 0 | } |
898 | | |
899 | 0 | if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) { |
900 | | /* |
901 | | * If |sig| is NULL, the caller is only looking for the sig length. |
902 | | * DO NOT update the input in this case. |
903 | | */ |
904 | 0 | if (sig == NULL) |
905 | 0 | return rsa_sign_message_final(prsactx, sig, siglen, sigsize); |
906 | | |
907 | 0 | return rsa_signverify_message_update(prsactx, tbs, tbslen) |
908 | 0 | && rsa_sign_message_final(prsactx, sig, siglen, sigsize); |
909 | 0 | } |
910 | 0 | return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen); |
911 | 0 | } |
912 | | |
913 | | static int rsa_verify_recover_init(void *vprsactx, void *vrsa, |
914 | | const OSSL_PARAM params[]) |
915 | 0 | { |
916 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
917 | |
|
918 | | #ifdef FIPS_MODULE |
919 | | if (prsactx != NULL) |
920 | | prsactx->verify_message = 0; |
921 | | #endif |
922 | |
|
923 | 0 | return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
924 | 0 | EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init"); |
925 | 0 | } |
926 | | |
927 | | /* |
928 | | * There is no message variant of verify recover, so no need for |
929 | | * 'rsa_verify_recover_directly', just use this function, er, directly. |
930 | | */ |
931 | | static int rsa_verify_recover(void *vprsactx, |
932 | | unsigned char *rout, size_t *routlen, |
933 | | size_t routsize, |
934 | | const unsigned char *sig, size_t siglen) |
935 | 0 | { |
936 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
937 | 0 | int ret; |
938 | |
|
939 | 0 | if (!ossl_prov_is_running()) |
940 | 0 | return 0; |
941 | | |
942 | 0 | if (rout == NULL) { |
943 | 0 | *routlen = RSA_size(prsactx->rsa); |
944 | 0 | return 1; |
945 | 0 | } |
946 | | |
947 | 0 | if (prsactx->md != NULL) { |
948 | 0 | switch (prsactx->pad_mode) { |
949 | 0 | case RSA_X931_PADDING: |
950 | 0 | if (!setup_tbuf(prsactx)) |
951 | 0 | return 0; |
952 | 0 | ret = RSA_public_decrypt((int)siglen, sig, prsactx->tbuf, prsactx->rsa, |
953 | 0 | RSA_X931_PADDING); |
954 | 0 | if (ret <= 0) { |
955 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
956 | 0 | return 0; |
957 | 0 | } |
958 | 0 | ret--; |
959 | 0 | if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) { |
960 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH); |
961 | 0 | return 0; |
962 | 0 | } |
963 | 0 | if (ret != EVP_MD_get_size(prsactx->md)) { |
964 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, |
965 | 0 | "Should be %d, but got %d", |
966 | 0 | EVP_MD_get_size(prsactx->md), ret); |
967 | 0 | return 0; |
968 | 0 | } |
969 | | |
970 | 0 | *routlen = ret; |
971 | 0 | if (rout != prsactx->tbuf) { |
972 | 0 | if (routsize < (size_t)ret) { |
973 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, |
974 | 0 | "buffer size is %d, should be %d", |
975 | 0 | routsize, ret); |
976 | 0 | return 0; |
977 | 0 | } |
978 | 0 | memcpy(rout, prsactx->tbuf, ret); |
979 | 0 | } |
980 | 0 | break; |
981 | | |
982 | 0 | case RSA_PKCS1_PADDING: { |
983 | 0 | size_t sltmp; |
984 | |
|
985 | 0 | ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp, |
986 | 0 | sig, siglen, prsactx->rsa); |
987 | 0 | if (ret <= 0) { |
988 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
989 | 0 | return 0; |
990 | 0 | } |
991 | 0 | ret = (int)sltmp; |
992 | 0 | } break; |
993 | | |
994 | 0 | default: |
995 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
996 | 0 | "Only X.931 or PKCS#1 v1.5 padding allowed"); |
997 | 0 | return 0; |
998 | 0 | } |
999 | 0 | } else { |
1000 | 0 | ret = RSA_public_decrypt((int)siglen, sig, rout, prsactx->rsa, |
1001 | 0 | prsactx->pad_mode); |
1002 | 0 | if (ret <= 0) { |
1003 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1004 | 0 | return 0; |
1005 | 0 | } |
1006 | 0 | } |
1007 | 0 | *routlen = ret; |
1008 | 0 | return 1; |
1009 | 0 | } |
1010 | | |
1011 | | static int rsa_verify_init(void *vprsactx, void *vrsa, |
1012 | | const OSSL_PARAM params[]) |
1013 | 0 | { |
1014 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1015 | |
|
1016 | | #ifdef FIPS_MODULE |
1017 | | if (prsactx != NULL) |
1018 | | prsactx->verify_message = 0; |
1019 | | #endif |
1020 | |
|
1021 | 0 | return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
1022 | 0 | EVP_PKEY_OP_VERIFY, "RSA Verify Init"); |
1023 | 0 | } |
1024 | | |
1025 | | static int rsa_verify_directly(PROV_RSA_CTX *prsactx, |
1026 | | const unsigned char *sig, size_t siglen, |
1027 | | const unsigned char *tbs, size_t tbslen) |
1028 | 21.4k | { |
1029 | 21.4k | size_t rslen; |
1030 | | |
1031 | 21.4k | if (!ossl_prov_is_running()) |
1032 | 0 | return 0; |
1033 | 21.4k | if (prsactx->md != NULL) { |
1034 | 21.4k | switch (prsactx->pad_mode) { |
1035 | 4.64k | case RSA_PKCS1_PADDING: |
1036 | 4.64k | if (!RSA_verify(prsactx->mdnid, tbs, (unsigned int)tbslen, |
1037 | 4.64k | sig, (unsigned int)siglen, prsactx->rsa)) { |
1038 | 4.25k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1039 | 4.25k | return 0; |
1040 | 4.25k | } |
1041 | 391 | return 1; |
1042 | 0 | case RSA_X931_PADDING: |
1043 | 0 | if (!setup_tbuf(prsactx)) |
1044 | 0 | return 0; |
1045 | 0 | if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0, |
1046 | 0 | sig, siglen) |
1047 | 0 | <= 0) |
1048 | 0 | return 0; |
1049 | 0 | break; |
1050 | 16.8k | case RSA_PKCS1_PSS_PADDING: { |
1051 | 16.8k | int ret; |
1052 | 16.8k | int saltlen; |
1053 | 16.8k | size_t mdsize; |
1054 | | |
1055 | | /* |
1056 | | * We need to check this for the RSA_verify_PKCS1_PSS_mgf1() |
1057 | | * call |
1058 | | */ |
1059 | 16.8k | mdsize = rsa_get_md_size(prsactx); |
1060 | 16.8k | if (tbslen != mdsize) { |
1061 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, |
1062 | 0 | "Should be %d, but got %d", |
1063 | 0 | mdsize, tbslen); |
1064 | 0 | return 0; |
1065 | 0 | } |
1066 | | |
1067 | 16.8k | if (!setup_tbuf(prsactx)) |
1068 | 18 | return 0; |
1069 | 16.8k | ret = RSA_public_decrypt((int)siglen, sig, prsactx->tbuf, |
1070 | 16.8k | prsactx->rsa, RSA_NO_PADDING); |
1071 | 16.8k | if (ret <= 0) { |
1072 | 3.67k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1073 | 3.67k | return 0; |
1074 | 3.67k | } |
1075 | 13.1k | saltlen = prsactx->saltlen; |
1076 | 13.1k | ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs, |
1077 | 13.1k | prsactx->md, prsactx->mgf1_md, |
1078 | 13.1k | prsactx->tbuf, |
1079 | 13.1k | &saltlen); |
1080 | 13.1k | if (ret <= 0) { |
1081 | 13.1k | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1082 | 13.1k | return 0; |
1083 | 13.1k | } |
1084 | | #ifdef FIPS_MODULE |
1085 | | if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen)) |
1086 | | return 0; |
1087 | | #endif |
1088 | 5 | return 1; |
1089 | 13.1k | } |
1090 | 0 | default: |
1091 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, |
1092 | 0 | "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); |
1093 | 0 | return 0; |
1094 | 21.4k | } |
1095 | 21.4k | } else { |
1096 | 0 | int ret; |
1097 | |
|
1098 | 0 | if (!setup_tbuf(prsactx)) |
1099 | 0 | return 0; |
1100 | 0 | ret = RSA_public_decrypt((int)siglen, sig, prsactx->tbuf, prsactx->rsa, |
1101 | 0 | prsactx->pad_mode); |
1102 | 0 | if (ret <= 0) { |
1103 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); |
1104 | 0 | return 0; |
1105 | 0 | } |
1106 | 0 | rslen = (size_t)ret; |
1107 | 0 | } |
1108 | | |
1109 | 0 | if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) |
1110 | 0 | return 0; |
1111 | | |
1112 | 0 | return 1; |
1113 | 0 | } |
1114 | | |
1115 | | static int rsa_verify_set_sig(void *vprsactx, |
1116 | | const unsigned char *sig, size_t siglen) |
1117 | 21.4k | { |
1118 | 21.4k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1119 | 21.4k | OSSL_PARAM params[2]; |
1120 | | |
1121 | 21.4k | params[0] = OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, |
1122 | 21.4k | (unsigned char *)sig, siglen); |
1123 | 21.4k | params[1] = OSSL_PARAM_construct_end(); |
1124 | 21.4k | return rsa_sigalg_set_ctx_params(prsactx, params); |
1125 | 21.4k | } |
1126 | | |
1127 | | static int rsa_verify_message_final(void *vprsactx) |
1128 | 21.4k | { |
1129 | 21.4k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1130 | 21.4k | unsigned char digest[EVP_MAX_MD_SIZE]; |
1131 | 21.4k | unsigned int dlen = 0; |
1132 | | |
1133 | 21.4k | if (!ossl_prov_is_running() || prsactx == NULL) |
1134 | 0 | return 0; |
1135 | 21.4k | if (prsactx->mdctx == NULL) |
1136 | 0 | return 0; |
1137 | 21.4k | if (!prsactx->flag_allow_final) { |
1138 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); |
1139 | 0 | return 0; |
1140 | 0 | } |
1141 | | |
1142 | | /* |
1143 | | * The digests used here are all known (see rsa_get_md_nid()), so they |
1144 | | * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. |
1145 | | */ |
1146 | 21.4k | if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) |
1147 | 0 | return 0; |
1148 | | |
1149 | 21.4k | prsactx->flag_allow_update = 0; |
1150 | 21.4k | prsactx->flag_allow_final = 0; |
1151 | 21.4k | prsactx->flag_allow_oneshot = 0; |
1152 | | |
1153 | 21.4k | return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen, |
1154 | 21.4k | digest, dlen); |
1155 | 21.4k | } |
1156 | | |
1157 | | /* |
1158 | | * If verifying a message, digest tbs and verify the result. |
1159 | | * Otherwise, verify tbs directly. |
1160 | | */ |
1161 | | static int rsa_verify(void *vprsactx, |
1162 | | const unsigned char *sig, size_t siglen, |
1163 | | const unsigned char *tbs, size_t tbslen) |
1164 | 0 | { |
1165 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1166 | |
|
1167 | 0 | if (!ossl_prov_is_running() || prsactx == NULL) |
1168 | 0 | return 0; |
1169 | 0 | if (!prsactx->flag_allow_oneshot) { |
1170 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); |
1171 | 0 | return 0; |
1172 | 0 | } |
1173 | | |
1174 | 0 | if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) |
1175 | 0 | return rsa_verify_set_sig(prsactx, sig, siglen) |
1176 | 0 | && rsa_signverify_message_update(prsactx, tbs, tbslen) |
1177 | 0 | && rsa_verify_message_final(prsactx); |
1178 | 0 | return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen); |
1179 | 0 | } |
1180 | | |
1181 | | /* DigestSign/DigestVerify wrappers */ |
1182 | | |
1183 | | static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, |
1184 | | void *vrsa, const OSSL_PARAM params[], |
1185 | | int operation, const char *desc) |
1186 | 44.5k | { |
1187 | 44.5k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1188 | | |
1189 | | #ifdef FIPS_MODULE |
1190 | | if (prsactx != NULL) |
1191 | | prsactx->verify_message = 1; |
1192 | | #endif |
1193 | | |
1194 | 44.5k | if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, |
1195 | 44.5k | operation, desc)) |
1196 | 27 | return 0; |
1197 | | |
1198 | 44.4k | if (mdname != NULL |
1199 | | /* was rsa_setup_md already called in rsa_signverify_init()? */ |
1200 | 44.4k | && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0) |
1201 | 44.2k | && !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)) |
1202 | 121 | return 0; |
1203 | | |
1204 | 44.3k | prsactx->flag_allow_md = 0; |
1205 | | |
1206 | 44.3k | if (prsactx->mdctx == NULL) { |
1207 | 44.3k | prsactx->mdctx = EVP_MD_CTX_new(); |
1208 | 44.3k | if (prsactx->mdctx == NULL) |
1209 | 0 | goto error; |
1210 | 44.3k | } |
1211 | | |
1212 | 44.3k | if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) |
1213 | 0 | goto error; |
1214 | | |
1215 | 44.3k | return 1; |
1216 | | |
1217 | 0 | error: |
1218 | 0 | EVP_MD_CTX_free(prsactx->mdctx); |
1219 | 0 | prsactx->mdctx = NULL; |
1220 | 0 | return 0; |
1221 | 44.3k | } |
1222 | | |
1223 | | static int rsa_digest_sign_init(void *vprsactx, const char *mdname, |
1224 | | void *vrsa, const OSSL_PARAM params[]) |
1225 | 40.9k | { |
1226 | 40.9k | if (!ossl_prov_is_running()) |
1227 | 0 | return 0; |
1228 | 40.9k | return rsa_digest_signverify_init(vprsactx, mdname, vrsa, |
1229 | 40.9k | params, EVP_PKEY_OP_SIGNMSG, |
1230 | 40.9k | "RSA Digest Sign Init"); |
1231 | 40.9k | } |
1232 | | |
1233 | | static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data, |
1234 | | size_t datalen) |
1235 | 4.18k | { |
1236 | 4.18k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1237 | | |
1238 | 4.18k | if (prsactx == NULL) |
1239 | 0 | return 0; |
1240 | | /* Sigalg implementations shouldn't do digest_sign */ |
1241 | 4.18k | if (prsactx->flag_sigalg) |
1242 | 0 | return 0; |
1243 | | |
1244 | 4.18k | return rsa_signverify_message_update(prsactx, data, datalen); |
1245 | 4.18k | } |
1246 | | |
1247 | | static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig, |
1248 | | size_t *siglen, size_t sigsize) |
1249 | 8.36k | { |
1250 | 8.36k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1251 | 8.36k | int ok = 0; |
1252 | | |
1253 | 8.36k | if (prsactx == NULL) |
1254 | 0 | return 0; |
1255 | | /* Sigalg implementations shouldn't do digest_sign */ |
1256 | 8.36k | if (prsactx->flag_sigalg) |
1257 | 0 | return 0; |
1258 | | |
1259 | 8.36k | if (rsa_sign_message_final(prsactx, sig, siglen, sigsize)) |
1260 | 8.36k | ok = 1; |
1261 | | |
1262 | 8.36k | prsactx->flag_allow_md = 1; |
1263 | | |
1264 | 8.36k | return ok; |
1265 | 8.36k | } |
1266 | | |
1267 | | static int rsa_digest_verify_init(void *vprsactx, const char *mdname, |
1268 | | void *vrsa, const OSSL_PARAM params[]) |
1269 | 29.0k | { |
1270 | 29.0k | if (!ossl_prov_is_running()) |
1271 | 0 | return 0; |
1272 | 29.0k | return rsa_digest_signverify_init(vprsactx, mdname, vrsa, |
1273 | 29.0k | params, EVP_PKEY_OP_VERIFYMSG, |
1274 | 29.0k | "RSA Digest Verify Init"); |
1275 | 29.0k | } |
1276 | | |
1277 | | static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data, |
1278 | | size_t datalen) |
1279 | 21.4k | { |
1280 | 21.4k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1281 | | |
1282 | 21.4k | if (prsactx == NULL) |
1283 | 0 | return 0; |
1284 | | /* Sigalg implementations shouldn't do digest_sign */ |
1285 | 21.4k | if (prsactx->flag_sigalg) |
1286 | 0 | return 0; |
1287 | | |
1288 | 21.4k | return rsa_signverify_message_update(prsactx, data, datalen); |
1289 | 21.4k | } |
1290 | | |
1291 | | int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, |
1292 | | size_t siglen) |
1293 | 21.4k | { |
1294 | 21.4k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1295 | 21.4k | int ok = 0; |
1296 | | |
1297 | 21.4k | if (prsactx == NULL) |
1298 | 0 | return 0; |
1299 | | /* Sigalg implementations shouldn't do digest_verify */ |
1300 | 21.4k | if (prsactx->flag_sigalg) |
1301 | 0 | return 0; |
1302 | | |
1303 | 21.4k | if (rsa_verify_set_sig(prsactx, sig, siglen) |
1304 | 21.4k | && rsa_verify_message_final(vprsactx)) |
1305 | 396 | ok = 1; |
1306 | | |
1307 | 21.4k | prsactx->flag_allow_md = 1; |
1308 | | |
1309 | 21.4k | return ok; |
1310 | 21.4k | } |
1311 | | |
1312 | | static void rsa_freectx(void *vprsactx) |
1313 | 104k | { |
1314 | 104k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1315 | | |
1316 | 104k | if (prsactx == NULL) |
1317 | 0 | return; |
1318 | | |
1319 | 104k | EVP_MD_CTX_free(prsactx->mdctx); |
1320 | 104k | EVP_MD_free(prsactx->md); |
1321 | 104k | EVP_MD_free(prsactx->mgf1_md); |
1322 | 104k | OPENSSL_free(prsactx->sig); |
1323 | 104k | OPENSSL_free(prsactx->propq); |
1324 | 104k | free_tbuf(prsactx); |
1325 | 104k | RSA_free(prsactx->rsa); |
1326 | | |
1327 | 104k | OPENSSL_clear_free(prsactx, sizeof(*prsactx)); |
1328 | 104k | } |
1329 | | |
1330 | | static void *rsa_dupctx(void *vprsactx) |
1331 | 25.6k | { |
1332 | 25.6k | PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; |
1333 | 25.6k | PROV_RSA_CTX *dstctx; |
1334 | | |
1335 | 25.6k | if (!ossl_prov_is_running()) |
1336 | 0 | return NULL; |
1337 | | |
1338 | 25.6k | dstctx = OPENSSL_zalloc(sizeof(*srcctx)); |
1339 | 25.6k | if (dstctx == NULL) |
1340 | 0 | return NULL; |
1341 | | |
1342 | 25.6k | *dstctx = *srcctx; |
1343 | 25.6k | dstctx->rsa = NULL; |
1344 | 25.6k | dstctx->md = NULL; |
1345 | 25.6k | dstctx->mgf1_md = NULL; |
1346 | 25.6k | dstctx->mdctx = NULL; |
1347 | 25.6k | dstctx->tbuf = NULL; |
1348 | 25.6k | dstctx->propq = NULL; |
1349 | 25.6k | dstctx->sig = NULL; |
1350 | | |
1351 | 25.6k | if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa)) |
1352 | 0 | goto err; |
1353 | 25.6k | dstctx->rsa = srcctx->rsa; |
1354 | | |
1355 | 25.6k | if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md)) |
1356 | 0 | goto err; |
1357 | 25.6k | dstctx->md = srcctx->md; |
1358 | | |
1359 | 25.6k | if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md)) |
1360 | 0 | goto err; |
1361 | 25.6k | dstctx->mgf1_md = srcctx->mgf1_md; |
1362 | | |
1363 | 25.6k | if (srcctx->mdctx != NULL) { |
1364 | 25.6k | dstctx->mdctx = EVP_MD_CTX_new(); |
1365 | 25.6k | if (dstctx->mdctx == NULL |
1366 | 25.6k | || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)) |
1367 | 0 | goto err; |
1368 | 25.6k | } |
1369 | | |
1370 | 25.6k | if (srcctx->propq != NULL) { |
1371 | 0 | dstctx->propq = OPENSSL_strdup(srcctx->propq); |
1372 | 0 | if (dstctx->propq == NULL) |
1373 | 0 | goto err; |
1374 | 0 | } |
1375 | | |
1376 | 25.6k | if (srcctx->sig != NULL) { |
1377 | 0 | dstctx->sig = OPENSSL_memdup(srcctx->sig, srcctx->siglen); |
1378 | 0 | if (dstctx->sig == NULL) |
1379 | 0 | goto err; |
1380 | 0 | } |
1381 | | |
1382 | 25.6k | return dstctx; |
1383 | 0 | err: |
1384 | 0 | rsa_freectx(dstctx); |
1385 | 0 | return NULL; |
1386 | 25.6k | } |
1387 | | |
1388 | | /* clang-format off */ |
1389 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
1390 | | #ifndef rsa_get_ctx_params_list |
1391 | | static const OSSL_PARAM rsa_get_ctx_params_list[] = { |
1392 | | OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), |
1393 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1394 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL), |
1395 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), |
1396 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1397 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1398 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL), |
1399 | | # if defined(FIPS_MODULE) |
1400 | | OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL), |
1401 | | # endif |
1402 | | # if defined(FIPS_MODULE) |
1403 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR, NULL), |
1404 | | # endif |
1405 | | OSSL_PARAM_END |
1406 | | }; |
1407 | | #endif |
1408 | | |
1409 | | #ifndef rsa_get_ctx_params_st |
1410 | | struct rsa_get_ctx_params_st { |
1411 | | OSSL_PARAM *algid; |
1412 | | OSSL_PARAM *digest; |
1413 | | # if defined(FIPS_MODULE) |
1414 | | OSSL_PARAM *ind; |
1415 | | # endif |
1416 | | OSSL_PARAM *mgf1; |
1417 | | OSSL_PARAM *pad; |
1418 | | OSSL_PARAM *slen; |
1419 | | # if defined(FIPS_MODULE) |
1420 | | OSSL_PARAM *verify; |
1421 | | # endif |
1422 | | }; |
1423 | | #endif |
1424 | | |
1425 | | #ifndef rsa_get_ctx_params_decoder |
1426 | | static int rsa_get_ctx_params_decoder |
1427 | | (const OSSL_PARAM *p, struct rsa_get_ctx_params_st *r) |
1428 | 0 | { |
1429 | 0 | const char *s; |
1430 | |
|
1431 | 0 | memset(r, 0, sizeof(*r)); |
1432 | 0 | if (p != NULL) |
1433 | 0 | for (; (s = p->key) != NULL; p++) |
1434 | 0 | switch(s[0]) { |
1435 | 0 | default: |
1436 | 0 | break; |
1437 | 0 | case 'a': |
1438 | 0 | if (ossl_likely(strcmp("lgorithm-id", s + 1) == 0)) { |
1439 | | /* OSSL_SIGNATURE_PARAM_ALGORITHM_ID */ |
1440 | 0 | if (ossl_unlikely(r->algid != NULL)) { |
1441 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1442 | 0 | "param %s is repeated", s); |
1443 | 0 | return 0; |
1444 | 0 | } |
1445 | 0 | r->algid = (OSSL_PARAM *)p; |
1446 | 0 | } |
1447 | 0 | break; |
1448 | 0 | case 'd': |
1449 | 0 | if (ossl_likely(strcmp("igest", s + 1) == 0)) { |
1450 | | /* OSSL_SIGNATURE_PARAM_DIGEST */ |
1451 | 0 | if (ossl_unlikely(r->digest != NULL)) { |
1452 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1453 | 0 | "param %s is repeated", s); |
1454 | 0 | return 0; |
1455 | 0 | } |
1456 | 0 | r->digest = (OSSL_PARAM *)p; |
1457 | 0 | } |
1458 | 0 | break; |
1459 | 0 | case 'f': |
1460 | | # if defined(FIPS_MODULE) |
1461 | | if (ossl_likely(strcmp("ips-indicator", s + 1) == 0)) { |
1462 | | /* OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR */ |
1463 | | if (ossl_unlikely(r->ind != NULL)) { |
1464 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1465 | | "param %s is repeated", s); |
1466 | | return 0; |
1467 | | } |
1468 | | r->ind = (OSSL_PARAM *)p; |
1469 | | } |
1470 | | # endif |
1471 | 0 | break; |
1472 | 0 | case 'm': |
1473 | 0 | if (ossl_likely(strcmp("gf1-digest", s + 1) == 0)) { |
1474 | | /* OSSL_SIGNATURE_PARAM_MGF1_DIGEST */ |
1475 | 0 | if (ossl_unlikely(r->mgf1 != NULL)) { |
1476 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1477 | 0 | "param %s is repeated", s); |
1478 | 0 | return 0; |
1479 | 0 | } |
1480 | 0 | r->mgf1 = (OSSL_PARAM *)p; |
1481 | 0 | } |
1482 | 0 | break; |
1483 | 0 | case 'p': |
1484 | 0 | if (ossl_likely(strcmp("ad-mode", s + 1) == 0)) { |
1485 | | /* OSSL_SIGNATURE_PARAM_PAD_MODE */ |
1486 | 0 | if (ossl_unlikely(r->pad != NULL)) { |
1487 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1488 | 0 | "param %s is repeated", s); |
1489 | 0 | return 0; |
1490 | 0 | } |
1491 | 0 | r->pad = (OSSL_PARAM *)p; |
1492 | 0 | } |
1493 | 0 | break; |
1494 | 0 | case 's': |
1495 | 0 | if (ossl_likely(strcmp("altlen", s + 1) == 0)) { |
1496 | | /* OSSL_SIGNATURE_PARAM_PSS_SALTLEN */ |
1497 | 0 | if (ossl_unlikely(r->slen != NULL)) { |
1498 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1499 | 0 | "param %s is repeated", s); |
1500 | 0 | return 0; |
1501 | 0 | } |
1502 | 0 | r->slen = (OSSL_PARAM *)p; |
1503 | 0 | } |
1504 | 0 | break; |
1505 | 0 | case 'v': |
1506 | | # if defined(FIPS_MODULE) |
1507 | | if (ossl_likely(strcmp("erify-message", s + 1) == 0)) { |
1508 | | /* OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE */ |
1509 | | if (ossl_unlikely(r->verify != NULL)) { |
1510 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1511 | | "param %s is repeated", s); |
1512 | | return 0; |
1513 | | } |
1514 | | r->verify = (OSSL_PARAM *)p; |
1515 | | } |
1516 | | # endif |
1517 | 0 | break; |
1518 | 0 | } |
1519 | 0 | return 1; |
1520 | 0 | } |
1521 | | #endif |
1522 | | /* End of machine generated */ |
1523 | | /* clang-format on */ |
1524 | | |
1525 | | static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) |
1526 | 0 | { |
1527 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
1528 | 0 | struct rsa_get_ctx_params_st p; |
1529 | |
|
1530 | 0 | if (prsactx == NULL || !rsa_get_ctx_params_decoder(params, &p)) |
1531 | 0 | return 0; |
1532 | | |
1533 | 0 | if (p.algid != NULL) { |
1534 | | /* The Algorithm Identifier of the combined signature algorithm */ |
1535 | 0 | unsigned char aid_buf[128]; |
1536 | 0 | unsigned char *aid; |
1537 | 0 | size_t aid_len; |
1538 | |
|
1539 | 0 | aid = rsa_generate_signature_aid(prsactx, aid_buf, |
1540 | 0 | sizeof(aid_buf), &aid_len); |
1541 | 0 | if (aid == NULL || !OSSL_PARAM_set_octet_string(p.algid, aid, aid_len)) |
1542 | 0 | return 0; |
1543 | 0 | } |
1544 | | |
1545 | 0 | if (p.pad != NULL) { |
1546 | 0 | if (p.pad->data_type != OSSL_PARAM_UTF8_STRING) { |
1547 | 0 | if (!OSSL_PARAM_set_int(p.pad, prsactx->pad_mode)) |
1548 | 0 | return 0; |
1549 | 0 | } else { |
1550 | 0 | int i; |
1551 | 0 | const char *word = NULL; |
1552 | |
|
1553 | 0 | for (i = 0; padding_item[i].id != 0; i++) { |
1554 | 0 | if (prsactx->pad_mode == (int)padding_item[i].id) { |
1555 | 0 | word = padding_item[i].ptr; |
1556 | 0 | break; |
1557 | 0 | } |
1558 | 0 | } |
1559 | |
|
1560 | 0 | if (word != NULL) { |
1561 | 0 | if (!OSSL_PARAM_set_utf8_string(p.pad, word)) |
1562 | 0 | return 0; |
1563 | 0 | } else { |
1564 | 0 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); |
1565 | 0 | } |
1566 | 0 | } |
1567 | 0 | } |
1568 | | |
1569 | 0 | if (p.digest != NULL && !OSSL_PARAM_set_utf8_string(p.digest, prsactx->mdname)) |
1570 | 0 | return 0; |
1571 | | |
1572 | 0 | if (p.mgf1 != NULL && !OSSL_PARAM_set_utf8_string(p.mgf1, prsactx->mgf1_mdname)) |
1573 | 0 | return 0; |
1574 | | |
1575 | 0 | if (p.slen != NULL) { |
1576 | 0 | if (p.slen->data_type != OSSL_PARAM_UTF8_STRING) { |
1577 | 0 | if (!OSSL_PARAM_set_int(p.slen, prsactx->saltlen)) |
1578 | 0 | return 0; |
1579 | 0 | } else { |
1580 | 0 | const char *value = NULL; |
1581 | |
|
1582 | 0 | switch (prsactx->saltlen) { |
1583 | 0 | case RSA_PSS_SALTLEN_DIGEST: |
1584 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST; |
1585 | 0 | break; |
1586 | 0 | case RSA_PSS_SALTLEN_MAX: |
1587 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX; |
1588 | 0 | break; |
1589 | 0 | case RSA_PSS_SALTLEN_AUTO: |
1590 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; |
1591 | 0 | break; |
1592 | 0 | case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: |
1593 | 0 | value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX; |
1594 | 0 | break; |
1595 | 0 | default: { |
1596 | 0 | int len = BIO_snprintf(p.slen->data, p.slen->data_size, "%d", |
1597 | 0 | prsactx->saltlen); |
1598 | |
|
1599 | 0 | if (len <= 0) |
1600 | 0 | return 0; |
1601 | 0 | p.slen->return_size = len; |
1602 | 0 | break; |
1603 | 0 | } |
1604 | 0 | } |
1605 | 0 | if (value != NULL |
1606 | 0 | && !OSSL_PARAM_set_utf8_string(p.slen, value)) |
1607 | 0 | return 0; |
1608 | 0 | } |
1609 | 0 | } |
1610 | | |
1611 | | #ifdef FIPS_MODULE |
1612 | | if (p.verify != NULL && !OSSL_PARAM_set_uint(p.verify, prsactx->verify_message)) |
1613 | | return 0; |
1614 | | #endif |
1615 | | |
1616 | 0 | if (!OSSL_FIPS_IND_GET_CTX_FROM_PARAM(prsactx, p.ind)) |
1617 | 0 | return 0; |
1618 | 0 | return 1; |
1619 | 0 | } |
1620 | | |
1621 | | static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, |
1622 | | ossl_unused void *provctx) |
1623 | 0 | { |
1624 | 0 | return rsa_get_ctx_params_list; |
1625 | 0 | } |
1626 | | |
1627 | | #ifdef FIPS_MODULE |
1628 | | static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx) |
1629 | | { |
1630 | | if ((ctx->operation |
1631 | | & (EVP_PKEY_OP_SIGNMSG | EVP_PKEY_OP_SIGN)) |
1632 | | != 0) { |
1633 | | if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, |
1634 | | ctx->libctx, |
1635 | | "RSA Sign set ctx", "X931 Padding", |
1636 | | ossl_fips_config_rsa_sign_x931_disallowed)) { |
1637 | | ERR_raise(ERR_LIB_PROV, |
1638 | | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
1639 | | return 0; |
1640 | | } |
1641 | | } |
1642 | | return 1; |
1643 | | } |
1644 | | #endif |
1645 | | |
1646 | | /* clang-format off */ |
1647 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
1648 | | #ifndef rsa_set_ctx_params_list |
1649 | | static const OSSL_PARAM rsa_set_ctx_params_list[] = { |
1650 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), |
1651 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), |
1652 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1653 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL), |
1654 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1655 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), |
1656 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1657 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL), |
1658 | | # if defined(FIPS_MODULE) |
1659 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK, NULL), |
1660 | | # endif |
1661 | | # if defined(FIPS_MODULE) |
1662 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK, NULL), |
1663 | | # endif |
1664 | | # if defined(FIPS_MODULE) |
1665 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK, NULL), |
1666 | | # endif |
1667 | | # if defined(FIPS_MODULE) |
1668 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK, NULL), |
1669 | | # endif |
1670 | | OSSL_PARAM_END |
1671 | | }; |
1672 | | #endif |
1673 | | |
1674 | | #ifndef rsa_set_ctx_params_st |
1675 | | struct rsa_set_ctx_params_st { |
1676 | | OSSL_PARAM *digest; |
1677 | | # if defined(FIPS_MODULE) |
1678 | | OSSL_PARAM *ind_d; |
1679 | | # endif |
1680 | | # if defined(FIPS_MODULE) |
1681 | | OSSL_PARAM *ind_k; |
1682 | | # endif |
1683 | | # if defined(FIPS_MODULE) |
1684 | | OSSL_PARAM *ind_slen; |
1685 | | # endif |
1686 | | # if defined(FIPS_MODULE) |
1687 | | OSSL_PARAM *ind_xpad; |
1688 | | # endif |
1689 | | OSSL_PARAM *mgf1; |
1690 | | OSSL_PARAM *mgf1pq; |
1691 | | OSSL_PARAM *pad; |
1692 | | OSSL_PARAM *propq; |
1693 | | OSSL_PARAM *slen; |
1694 | | }; |
1695 | | #endif |
1696 | | |
1697 | | #ifndef rsa_set_ctx_params_decoder |
1698 | | static int rsa_set_ctx_params_decoder |
1699 | | (const OSSL_PARAM *p, struct rsa_set_ctx_params_st *r) |
1700 | 0 | { |
1701 | 0 | const char *s; |
1702 | |
|
1703 | 0 | memset(r, 0, sizeof(*r)); |
1704 | 0 | if (p != NULL) |
1705 | 0 | for (; (s = p->key) != NULL; p++) |
1706 | 0 | switch(s[0]) { |
1707 | 0 | default: |
1708 | 0 | break; |
1709 | 0 | case 'd': |
1710 | 0 | switch(s[1]) { |
1711 | 0 | default: |
1712 | 0 | break; |
1713 | 0 | case 'i': |
1714 | 0 | switch(s[2]) { |
1715 | 0 | default: |
1716 | 0 | break; |
1717 | 0 | case 'g': |
1718 | 0 | switch(s[3]) { |
1719 | 0 | default: |
1720 | 0 | break; |
1721 | 0 | case 'e': |
1722 | 0 | switch(s[4]) { |
1723 | 0 | default: |
1724 | 0 | break; |
1725 | 0 | case 's': |
1726 | 0 | switch(s[5]) { |
1727 | 0 | default: |
1728 | 0 | break; |
1729 | 0 | case 't': |
1730 | 0 | switch(s[6]) { |
1731 | 0 | default: |
1732 | 0 | break; |
1733 | 0 | case '-': |
1734 | | # if defined(FIPS_MODULE) |
1735 | | if (ossl_likely(strcmp("check", s + 7) == 0)) { |
1736 | | /* OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK */ |
1737 | | if (ossl_unlikely(r->ind_d != NULL)) { |
1738 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1739 | | "param %s is repeated", s); |
1740 | | return 0; |
1741 | | } |
1742 | | r->ind_d = (OSSL_PARAM *)p; |
1743 | | } |
1744 | | # endif |
1745 | 0 | break; |
1746 | 0 | case '\0': |
1747 | 0 | if (ossl_unlikely(r->digest != NULL)) { |
1748 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1749 | 0 | "param %s is repeated", s); |
1750 | 0 | return 0; |
1751 | 0 | } |
1752 | 0 | r->digest = (OSSL_PARAM *)p; |
1753 | 0 | } |
1754 | 0 | } |
1755 | 0 | } |
1756 | 0 | } |
1757 | 0 | } |
1758 | 0 | } |
1759 | 0 | break; |
1760 | 0 | case 'k': |
1761 | | # if defined(FIPS_MODULE) |
1762 | | if (ossl_likely(strcmp("ey-check", s + 1) == 0)) { |
1763 | | /* OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK */ |
1764 | | if (ossl_unlikely(r->ind_k != NULL)) { |
1765 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1766 | | "param %s is repeated", s); |
1767 | | return 0; |
1768 | | } |
1769 | | r->ind_k = (OSSL_PARAM *)p; |
1770 | | } |
1771 | | # endif |
1772 | 0 | break; |
1773 | 0 | case 'm': |
1774 | 0 | switch(s[1]) { |
1775 | 0 | default: |
1776 | 0 | break; |
1777 | 0 | case 'g': |
1778 | 0 | switch(s[2]) { |
1779 | 0 | default: |
1780 | 0 | break; |
1781 | 0 | case 'f': |
1782 | 0 | switch(s[3]) { |
1783 | 0 | default: |
1784 | 0 | break; |
1785 | 0 | case '1': |
1786 | 0 | switch(s[4]) { |
1787 | 0 | default: |
1788 | 0 | break; |
1789 | 0 | case '-': |
1790 | 0 | switch(s[5]) { |
1791 | 0 | default: |
1792 | 0 | break; |
1793 | 0 | case 'd': |
1794 | 0 | if (ossl_likely(strcmp("igest", s + 6) == 0)) { |
1795 | | /* OSSL_SIGNATURE_PARAM_MGF1_DIGEST */ |
1796 | 0 | if (ossl_unlikely(r->mgf1 != NULL)) { |
1797 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1798 | 0 | "param %s is repeated", s); |
1799 | 0 | return 0; |
1800 | 0 | } |
1801 | 0 | r->mgf1 = (OSSL_PARAM *)p; |
1802 | 0 | } |
1803 | 0 | break; |
1804 | 0 | case 'p': |
1805 | 0 | if (ossl_likely(strcmp("roperties", s + 6) == 0)) { |
1806 | | /* OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES */ |
1807 | 0 | if (ossl_unlikely(r->mgf1pq != NULL)) { |
1808 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1809 | 0 | "param %s is repeated", s); |
1810 | 0 | return 0; |
1811 | 0 | } |
1812 | 0 | r->mgf1pq = (OSSL_PARAM *)p; |
1813 | 0 | } |
1814 | 0 | } |
1815 | 0 | } |
1816 | 0 | } |
1817 | 0 | } |
1818 | 0 | } |
1819 | 0 | break; |
1820 | 0 | case 'p': |
1821 | 0 | switch(s[1]) { |
1822 | 0 | default: |
1823 | 0 | break; |
1824 | 0 | case 'a': |
1825 | 0 | if (ossl_likely(strcmp("d-mode", s + 2) == 0)) { |
1826 | | /* OSSL_SIGNATURE_PARAM_PAD_MODE */ |
1827 | 0 | if (ossl_unlikely(r->pad != NULL)) { |
1828 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1829 | 0 | "param %s is repeated", s); |
1830 | 0 | return 0; |
1831 | 0 | } |
1832 | 0 | r->pad = (OSSL_PARAM *)p; |
1833 | 0 | } |
1834 | 0 | break; |
1835 | 0 | case 'r': |
1836 | 0 | if (ossl_likely(strcmp("operties", s + 2) == 0)) { |
1837 | | /* OSSL_SIGNATURE_PARAM_PROPERTIES */ |
1838 | 0 | if (ossl_unlikely(r->propq != NULL)) { |
1839 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1840 | 0 | "param %s is repeated", s); |
1841 | 0 | return 0; |
1842 | 0 | } |
1843 | 0 | r->propq = (OSSL_PARAM *)p; |
1844 | 0 | } |
1845 | 0 | } |
1846 | 0 | break; |
1847 | 0 | case 'r': |
1848 | | # if defined(FIPS_MODULE) |
1849 | | if (ossl_likely(strcmp("sa-pss-saltlen-check", s + 1) == 0)) { |
1850 | | /* OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK */ |
1851 | | if (ossl_unlikely(r->ind_slen != NULL)) { |
1852 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1853 | | "param %s is repeated", s); |
1854 | | return 0; |
1855 | | } |
1856 | | r->ind_slen = (OSSL_PARAM *)p; |
1857 | | } |
1858 | | # endif |
1859 | 0 | break; |
1860 | 0 | case 's': |
1861 | 0 | switch(s[1]) { |
1862 | 0 | default: |
1863 | 0 | break; |
1864 | 0 | case 'a': |
1865 | 0 | if (ossl_likely(strcmp("ltlen", s + 2) == 0)) { |
1866 | | /* OSSL_SIGNATURE_PARAM_PSS_SALTLEN */ |
1867 | 0 | if (ossl_unlikely(r->slen != NULL)) { |
1868 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1869 | 0 | "param %s is repeated", s); |
1870 | 0 | return 0; |
1871 | 0 | } |
1872 | 0 | r->slen = (OSSL_PARAM *)p; |
1873 | 0 | } |
1874 | 0 | break; |
1875 | 0 | case 'i': |
1876 | | # if defined(FIPS_MODULE) |
1877 | | if (ossl_likely(strcmp("gn-x931-pad-check", s + 2) == 0)) { |
1878 | | /* OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK */ |
1879 | | if (ossl_unlikely(r->ind_xpad != NULL)) { |
1880 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1881 | | "param %s is repeated", s); |
1882 | | return 0; |
1883 | | } |
1884 | | r->ind_xpad = (OSSL_PARAM *)p; |
1885 | | } |
1886 | | # endif |
1887 | 0 | break; |
1888 | 0 | } |
1889 | 0 | break; |
1890 | 0 | } |
1891 | 0 | return 1; |
1892 | 0 | } |
1893 | | #endif |
1894 | | /* End of machine generated */ |
1895 | | /* clang-format on */ |
1896 | | |
1897 | | #define rsa_set_ctx_params_no_digest_st rsa_set_ctx_params_st |
1898 | | |
1899 | | /* clang-format off */ |
1900 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
1901 | | #ifndef rsa_set_ctx_params_no_digest_list |
1902 | | static const OSSL_PARAM rsa_set_ctx_params_no_digest_list[] = { |
1903 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), |
1904 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL), |
1905 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), |
1906 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), |
1907 | | OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), |
1908 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL), |
1909 | | # if defined(FIPS_MODULE) |
1910 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK, NULL), |
1911 | | # endif |
1912 | | # if defined(FIPS_MODULE) |
1913 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK, NULL), |
1914 | | # endif |
1915 | | # if defined(FIPS_MODULE) |
1916 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK, NULL), |
1917 | | # endif |
1918 | | # if defined(FIPS_MODULE) |
1919 | | OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK, NULL), |
1920 | | # endif |
1921 | | OSSL_PARAM_END |
1922 | | }; |
1923 | | #endif |
1924 | | |
1925 | | #ifndef rsa_set_ctx_params_no_digest_st |
1926 | | struct rsa_set_ctx_params_no_digest_st { |
1927 | | # if defined(FIPS_MODULE) |
1928 | | OSSL_PARAM *ind_d; |
1929 | | # endif |
1930 | | # if defined(FIPS_MODULE) |
1931 | | OSSL_PARAM *ind_k; |
1932 | | # endif |
1933 | | # if defined(FIPS_MODULE) |
1934 | | OSSL_PARAM *ind_slen; |
1935 | | # endif |
1936 | | # if defined(FIPS_MODULE) |
1937 | | OSSL_PARAM *ind_xpad; |
1938 | | # endif |
1939 | | OSSL_PARAM *mgf1; |
1940 | | OSSL_PARAM *mgf1pq; |
1941 | | OSSL_PARAM *pad; |
1942 | | OSSL_PARAM *slen; |
1943 | | }; |
1944 | | #endif |
1945 | | |
1946 | | #ifndef rsa_set_ctx_params_no_digest_decoder |
1947 | | static int rsa_set_ctx_params_no_digest_decoder |
1948 | | (const OSSL_PARAM *p, struct rsa_set_ctx_params_no_digest_st *r) |
1949 | 19.1k | { |
1950 | 19.1k | const char *s; |
1951 | | |
1952 | 19.1k | memset(r, 0, sizeof(*r)); |
1953 | 19.1k | if (p != NULL) |
1954 | 38.3k | for (; (s = p->key) != NULL; p++) |
1955 | 19.1k | switch(s[0]) { |
1956 | 0 | default: |
1957 | 0 | break; |
1958 | 0 | case 'd': |
1959 | | # if defined(FIPS_MODULE) |
1960 | | if (ossl_likely(strcmp("igest-check", s + 1) == 0)) { |
1961 | | /* OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK */ |
1962 | | if (ossl_unlikely(r->ind_d != NULL)) { |
1963 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1964 | | "param %s is repeated", s); |
1965 | | return 0; |
1966 | | } |
1967 | | r->ind_d = (OSSL_PARAM *)p; |
1968 | | } |
1969 | | # endif |
1970 | 0 | break; |
1971 | 0 | case 'k': |
1972 | | # if defined(FIPS_MODULE) |
1973 | | if (ossl_likely(strcmp("ey-check", s + 1) == 0)) { |
1974 | | /* OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK */ |
1975 | | if (ossl_unlikely(r->ind_k != NULL)) { |
1976 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
1977 | | "param %s is repeated", s); |
1978 | | return 0; |
1979 | | } |
1980 | | r->ind_k = (OSSL_PARAM *)p; |
1981 | | } |
1982 | | # endif |
1983 | 0 | break; |
1984 | 1.75k | case 'm': |
1985 | 1.75k | switch(s[1]) { |
1986 | 0 | default: |
1987 | 0 | break; |
1988 | 1.75k | case 'g': |
1989 | 1.75k | switch(s[2]) { |
1990 | 0 | default: |
1991 | 0 | break; |
1992 | 1.75k | case 'f': |
1993 | 1.75k | switch(s[3]) { |
1994 | 0 | default: |
1995 | 0 | break; |
1996 | 1.75k | case '1': |
1997 | 1.75k | switch(s[4]) { |
1998 | 0 | default: |
1999 | 0 | break; |
2000 | 1.75k | case '-': |
2001 | 1.75k | switch(s[5]) { |
2002 | 0 | default: |
2003 | 0 | break; |
2004 | 1.75k | case 'd': |
2005 | 1.75k | if (ossl_likely(strcmp("igest", s + 6) == 0)) { |
2006 | | /* OSSL_SIGNATURE_PARAM_MGF1_DIGEST */ |
2007 | 1.75k | if (ossl_unlikely(r->mgf1 != NULL)) { |
2008 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2009 | 0 | "param %s is repeated", s); |
2010 | 0 | return 0; |
2011 | 0 | } |
2012 | 1.75k | r->mgf1 = (OSSL_PARAM *)p; |
2013 | 1.75k | } |
2014 | 1.75k | break; |
2015 | 1.75k | case 'p': |
2016 | 0 | if (ossl_likely(strcmp("roperties", s + 6) == 0)) { |
2017 | | /* OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES */ |
2018 | 0 | if (ossl_unlikely(r->mgf1pq != NULL)) { |
2019 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2020 | 0 | "param %s is repeated", s); |
2021 | 0 | return 0; |
2022 | 0 | } |
2023 | 0 | r->mgf1pq = (OSSL_PARAM *)p; |
2024 | 0 | } |
2025 | 1.75k | } |
2026 | 1.75k | } |
2027 | 1.75k | } |
2028 | 1.75k | } |
2029 | 1.75k | } |
2030 | 1.75k | break; |
2031 | 8.70k | case 'p': |
2032 | 8.70k | if (ossl_likely(strcmp("ad-mode", s + 1) == 0)) { |
2033 | | /* OSSL_SIGNATURE_PARAM_PAD_MODE */ |
2034 | 8.70k | if (ossl_unlikely(r->pad != NULL)) { |
2035 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2036 | 0 | "param %s is repeated", s); |
2037 | 0 | return 0; |
2038 | 0 | } |
2039 | 8.70k | r->pad = (OSSL_PARAM *)p; |
2040 | 8.70k | } |
2041 | 8.70k | break; |
2042 | 8.70k | case 'r': |
2043 | | # if defined(FIPS_MODULE) |
2044 | | if (ossl_likely(strcmp("sa-pss-saltlen-check", s + 1) == 0)) { |
2045 | | /* OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK */ |
2046 | | if (ossl_unlikely(r->ind_slen != NULL)) { |
2047 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2048 | | "param %s is repeated", s); |
2049 | | return 0; |
2050 | | } |
2051 | | r->ind_slen = (OSSL_PARAM *)p; |
2052 | | } |
2053 | | # endif |
2054 | 0 | break; |
2055 | 8.70k | case 's': |
2056 | 8.70k | switch(s[1]) { |
2057 | 0 | default: |
2058 | 0 | break; |
2059 | 8.70k | case 'a': |
2060 | 8.70k | if (ossl_likely(strcmp("ltlen", s + 2) == 0)) { |
2061 | | /* OSSL_SIGNATURE_PARAM_PSS_SALTLEN */ |
2062 | 8.70k | if (ossl_unlikely(r->slen != NULL)) { |
2063 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2064 | 0 | "param %s is repeated", s); |
2065 | 0 | return 0; |
2066 | 0 | } |
2067 | 8.70k | r->slen = (OSSL_PARAM *)p; |
2068 | 8.70k | } |
2069 | 8.70k | break; |
2070 | 8.70k | case 'i': |
2071 | | # if defined(FIPS_MODULE) |
2072 | | if (ossl_likely(strcmp("gn-x931-pad-check", s + 2) == 0)) { |
2073 | | /* OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK */ |
2074 | | if (ossl_unlikely(r->ind_xpad != NULL)) { |
2075 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2076 | | "param %s is repeated", s); |
2077 | | return 0; |
2078 | | } |
2079 | | r->ind_xpad = (OSSL_PARAM *)p; |
2080 | | } |
2081 | | # endif |
2082 | 0 | break; |
2083 | 8.70k | } |
2084 | 8.70k | break; |
2085 | 19.1k | } |
2086 | 19.1k | return 1; |
2087 | 19.1k | } |
2088 | | #endif |
2089 | | /* End of machine generated */ |
2090 | | /* clang-format on */ |
2091 | | |
2092 | | static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) |
2093 | 43.6k | { |
2094 | 43.6k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2095 | 43.6k | struct rsa_set_ctx_params_st p; |
2096 | 43.6k | int pad_mode; |
2097 | 43.6k | int saltlen; |
2098 | 43.6k | char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; |
2099 | 43.6k | char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; |
2100 | 43.6k | char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; |
2101 | 43.6k | char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL; |
2102 | | |
2103 | 43.6k | if (prsactx == NULL) |
2104 | 0 | return 0; |
2105 | | /* The processing code below doesn't handle no parameters properly */ |
2106 | 43.6k | if (ossl_param_is_empty(params)) |
2107 | 24.4k | return 1; |
2108 | | |
2109 | 19.1k | if (prsactx->flag_allow_md) { |
2110 | 0 | if (!rsa_set_ctx_params_decoder(params, &p)) |
2111 | 0 | return 0; |
2112 | 19.1k | } else { |
2113 | 19.1k | if (!rsa_set_ctx_params_no_digest_decoder(params, &p)) |
2114 | 0 | return 0; |
2115 | 19.1k | } |
2116 | | |
2117 | 19.1k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, |
2118 | 19.1k | p.ind_k)) |
2119 | 0 | return 0; |
2120 | | |
2121 | 19.1k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, |
2122 | 19.1k | p.ind_d)) |
2123 | 0 | return 0; |
2124 | | |
2125 | 19.1k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, |
2126 | 19.1k | p.ind_xpad)) |
2127 | 0 | return 0; |
2128 | | |
2129 | 19.1k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, |
2130 | 19.1k | p.ind_slen)) |
2131 | 0 | return 0; |
2132 | | |
2133 | 19.1k | pad_mode = prsactx->pad_mode; |
2134 | 19.1k | saltlen = prsactx->saltlen; |
2135 | | |
2136 | 19.1k | if (p.digest != NULL) { |
2137 | 0 | pmdname = mdname; |
2138 | 0 | if (!OSSL_PARAM_get_utf8_string(p.digest, &pmdname, sizeof(mdname))) |
2139 | 0 | return 0; |
2140 | | |
2141 | 0 | if (p.propq != NULL) { |
2142 | 0 | pmdprops = mdprops; |
2143 | 0 | if (!OSSL_PARAM_get_utf8_string(p.propq, |
2144 | 0 | &pmdprops, sizeof(mdprops))) |
2145 | 0 | return 0; |
2146 | 0 | } |
2147 | 0 | } |
2148 | | |
2149 | 19.1k | if (p.pad != NULL) { |
2150 | 8.70k | const char *err_extra_text = NULL; |
2151 | | |
2152 | 8.70k | if (p.pad->data_type != OSSL_PARAM_UTF8_STRING) { |
2153 | | /* Support for legacy pad mode number */ |
2154 | 8.70k | if (!OSSL_PARAM_get_int(p.pad, &pad_mode)) |
2155 | 0 | return 0; |
2156 | 8.70k | } else { |
2157 | 0 | int i; |
2158 | |
|
2159 | 0 | if (p.pad->data == NULL) |
2160 | 0 | return 0; |
2161 | | |
2162 | 0 | for (i = 0; padding_item[i].id != 0; i++) { |
2163 | 0 | if (strcmp(p.pad->data, padding_item[i].ptr) == 0) { |
2164 | 0 | pad_mode = padding_item[i].id; |
2165 | 0 | break; |
2166 | 0 | } |
2167 | 0 | } |
2168 | 0 | } |
2169 | | |
2170 | 8.70k | switch (pad_mode) { |
2171 | 0 | case RSA_PKCS1_OAEP_PADDING: |
2172 | | /* |
2173 | | * OAEP padding is for asymmetric cipher only so is not compatible |
2174 | | * with signature use. |
2175 | | */ |
2176 | 0 | err_extra_text = "OAEP padding not allowed for signing / verifying"; |
2177 | 0 | goto bad_pad; |
2178 | 8.70k | case RSA_PKCS1_PSS_PADDING: |
2179 | 8.70k | if ((prsactx->operation |
2180 | 8.70k | & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG |
2181 | 8.70k | | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) |
2182 | 8.70k | == 0) { |
2183 | 0 | err_extra_text = "PSS padding only allowed for sign and verify operations"; |
2184 | 0 | goto bad_pad; |
2185 | 0 | } |
2186 | 8.70k | break; |
2187 | 8.70k | case RSA_PKCS1_PADDING: |
2188 | 0 | err_extra_text = "PKCS#1 padding not allowed with RSA-PSS"; |
2189 | 0 | goto cont; |
2190 | 0 | case RSA_NO_PADDING: |
2191 | 0 | err_extra_text = "No padding not allowed with RSA-PSS"; |
2192 | 0 | goto cont; |
2193 | 0 | case RSA_X931_PADDING: |
2194 | | #ifdef FIPS_MODULE |
2195 | | /* X9.31 only allows sizes of 1024 + 256 * s (bits) */ |
2196 | | if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) { |
2197 | | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); |
2198 | | return 0; |
2199 | | } |
2200 | | /* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */ |
2201 | | if (!rsa_x931_padding_allowed(prsactx)) |
2202 | | return 0; |
2203 | | #endif |
2204 | 0 | err_extra_text = "X.931 padding not allowed with RSA-PSS"; |
2205 | 0 | cont: |
2206 | 0 | if (RSA_test_flags(prsactx->rsa, |
2207 | 0 | RSA_FLAG_TYPE_MASK) |
2208 | 0 | == RSA_FLAG_TYPE_RSA) |
2209 | 0 | break; |
2210 | | /* FALLTHRU */ |
2211 | 0 | default: |
2212 | 0 | bad_pad: |
2213 | 0 | if (err_extra_text == NULL) |
2214 | 0 | ERR_raise(ERR_LIB_PROV, |
2215 | 0 | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
2216 | 0 | else |
2217 | 0 | ERR_raise_data(ERR_LIB_PROV, |
2218 | 0 | PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE, |
2219 | 0 | err_extra_text); |
2220 | 0 | return 0; |
2221 | 8.70k | } |
2222 | 8.70k | } |
2223 | | |
2224 | 19.1k | if (p.slen != NULL) { |
2225 | 8.70k | if (pad_mode != RSA_PKCS1_PSS_PADDING) { |
2226 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED, |
2227 | 0 | "PSS saltlen can only be specified if " |
2228 | 0 | "PSS padding has been specified first"); |
2229 | 0 | return 0; |
2230 | 0 | } |
2231 | | |
2232 | 8.70k | if (p.slen->data_type != OSSL_PARAM_UTF8_STRING) { |
2233 | | /* Support for legacy pad mode number */ |
2234 | 0 | if (!OSSL_PARAM_get_int(p.slen, &saltlen)) |
2235 | 0 | return 0; |
2236 | 8.70k | } else { |
2237 | 8.70k | if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0) |
2238 | 6.94k | saltlen = RSA_PSS_SALTLEN_DIGEST; |
2239 | 1.75k | else if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0) |
2240 | 0 | saltlen = RSA_PSS_SALTLEN_MAX; |
2241 | 1.75k | else if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) |
2242 | 0 | saltlen = RSA_PSS_SALTLEN_AUTO; |
2243 | 1.75k | else if (strcmp(p.slen->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0) |
2244 | 0 | saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; |
2245 | 1.75k | else |
2246 | 1.75k | saltlen = atoi(p.slen->data); |
2247 | 8.70k | } |
2248 | | |
2249 | | /* |
2250 | | * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check. |
2251 | | * Contrary to what it's name suggests, it's the currently lowest |
2252 | | * saltlen number possible. |
2253 | | */ |
2254 | 8.70k | if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { |
2255 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); |
2256 | 0 | return 0; |
2257 | 0 | } |
2258 | | |
2259 | 8.70k | if (rsa_pss_restricted(prsactx)) { |
2260 | 62 | switch (saltlen) { |
2261 | 0 | case RSA_PSS_SALTLEN_AUTO: |
2262 | 0 | case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: |
2263 | 0 | if ((prsactx->operation |
2264 | 0 | & (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) |
2265 | 0 | == 0) { |
2266 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, |
2267 | 0 | "Cannot use autodetected salt length"); |
2268 | 0 | return 0; |
2269 | 0 | } |
2270 | 0 | break; |
2271 | 6 | case RSA_PSS_SALTLEN_DIGEST: |
2272 | 6 | if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { |
2273 | 1 | ERR_raise_data(ERR_LIB_PROV, |
2274 | 1 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
2275 | 1 | "Should be more than %d, but would be " |
2276 | 1 | "set to match digest size (%d)", |
2277 | 1 | prsactx->min_saltlen, |
2278 | 1 | EVP_MD_get_size(prsactx->md)); |
2279 | 1 | return 0; |
2280 | 1 | } |
2281 | 5 | break; |
2282 | 56 | default: |
2283 | 56 | if (saltlen >= 0 && saltlen < prsactx->min_saltlen) { |
2284 | 0 | ERR_raise_data(ERR_LIB_PROV, |
2285 | 0 | PROV_R_PSS_SALTLEN_TOO_SMALL, |
2286 | 0 | "Should be more than %d, " |
2287 | 0 | "but would be set to %d", |
2288 | 0 | prsactx->min_saltlen, saltlen); |
2289 | 0 | return 0; |
2290 | 0 | } |
2291 | 62 | } |
2292 | 62 | } |
2293 | 8.70k | } |
2294 | | |
2295 | 19.1k | if (p.mgf1 != NULL) { |
2296 | 1.75k | pmgf1mdname = mgf1mdname; |
2297 | 1.75k | if (!OSSL_PARAM_get_utf8_string(p.mgf1, &pmgf1mdname, sizeof(mgf1mdname))) |
2298 | 0 | return 0; |
2299 | | |
2300 | 1.75k | if (p.mgf1pq != NULL) { |
2301 | 0 | pmgf1mdprops = mgf1mdprops; |
2302 | 0 | if (!OSSL_PARAM_get_utf8_string(p.mgf1pq, |
2303 | 0 | &pmgf1mdprops, sizeof(mgf1mdprops))) |
2304 | 0 | return 0; |
2305 | 0 | } |
2306 | | |
2307 | 1.75k | if (pad_mode != RSA_PKCS1_PSS_PADDING) { |
2308 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD); |
2309 | 0 | return 0; |
2310 | 0 | } |
2311 | 1.75k | } |
2312 | | |
2313 | 19.1k | prsactx->saltlen = saltlen; |
2314 | 19.1k | prsactx->pad_mode = pad_mode; |
2315 | | |
2316 | 19.1k | if (prsactx->md == NULL && pmdname == NULL |
2317 | 0 | && pad_mode == RSA_PKCS1_PSS_PADDING) |
2318 | 0 | pmdname = RSA_DEFAULT_DIGEST_NAME; |
2319 | | |
2320 | 19.1k | if (pmgf1mdname != NULL |
2321 | 1.75k | && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) |
2322 | 0 | return 0; |
2323 | | |
2324 | 19.1k | if (pmdname != NULL) { |
2325 | 0 | if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx")) |
2326 | 0 | return 0; |
2327 | 19.1k | } else { |
2328 | 19.1k | if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid)) |
2329 | 0 | return 0; |
2330 | 19.1k | } |
2331 | 19.1k | return 1; |
2332 | 19.1k | } |
2333 | | |
2334 | | static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx, |
2335 | | ossl_unused void *provctx) |
2336 | 52.4k | { |
2337 | 52.4k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2338 | | |
2339 | 52.4k | if (prsactx != NULL && !prsactx->flag_allow_md) |
2340 | 52.4k | return rsa_set_ctx_params_no_digest_list; |
2341 | 12 | return rsa_set_ctx_params_list; |
2342 | 52.4k | } |
2343 | | |
2344 | | static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params) |
2345 | 0 | { |
2346 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2347 | |
|
2348 | 0 | if (prsactx->mdctx == NULL) |
2349 | 0 | return 0; |
2350 | | |
2351 | 0 | return EVP_MD_CTX_get_params(prsactx->mdctx, params); |
2352 | 0 | } |
2353 | | |
2354 | | static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx) |
2355 | 0 | { |
2356 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2357 | |
|
2358 | 0 | if (prsactx->md == NULL) |
2359 | 0 | return 0; |
2360 | | |
2361 | 0 | return EVP_MD_gettable_ctx_params(prsactx->md); |
2362 | 0 | } |
2363 | | |
2364 | | static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[]) |
2365 | 0 | { |
2366 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2367 | |
|
2368 | 0 | if (prsactx->mdctx == NULL) |
2369 | 0 | return 0; |
2370 | | |
2371 | 0 | return EVP_MD_CTX_set_params(prsactx->mdctx, params); |
2372 | 0 | } |
2373 | | |
2374 | | static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) |
2375 | 0 | { |
2376 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2377 | |
|
2378 | 0 | if (prsactx->md == NULL) |
2379 | 0 | return 0; |
2380 | | |
2381 | 0 | return EVP_MD_settable_ctx_params(prsactx->md); |
2382 | 0 | } |
2383 | | |
2384 | | const OSSL_DISPATCH ossl_rsa_signature_functions[] = { |
2385 | | { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, |
2386 | | { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, |
2387 | | { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, |
2388 | | { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init }, |
2389 | | { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify }, |
2390 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, |
2391 | | (void (*)(void))rsa_verify_recover_init }, |
2392 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, |
2393 | | (void (*)(void))rsa_verify_recover }, |
2394 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, |
2395 | | (void (*)(void))rsa_digest_sign_init }, |
2396 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, |
2397 | | (void (*)(void))rsa_digest_sign_update }, |
2398 | | { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, |
2399 | | (void (*)(void))rsa_digest_sign_final }, |
2400 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, |
2401 | | (void (*)(void))rsa_digest_verify_init }, |
2402 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, |
2403 | | (void (*)(void))rsa_digest_verify_update }, |
2404 | | { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, |
2405 | | (void (*)(void))rsa_digest_verify_final }, |
2406 | | { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, |
2407 | | { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, |
2408 | | { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params }, |
2409 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, |
2410 | | (void (*)(void))rsa_gettable_ctx_params }, |
2411 | | { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params }, |
2412 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, |
2413 | | (void (*)(void))rsa_settable_ctx_params }, |
2414 | | { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, |
2415 | | (void (*)(void))rsa_get_ctx_md_params }, |
2416 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, |
2417 | | (void (*)(void))rsa_gettable_ctx_md_params }, |
2418 | | { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, |
2419 | | (void (*)(void))rsa_set_ctx_md_params }, |
2420 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, |
2421 | | (void (*)(void))rsa_settable_ctx_md_params }, |
2422 | | OSSL_DISPATCH_END |
2423 | | }; |
2424 | | |
2425 | | /* ------------------------------------------------------------------ */ |
2426 | | |
2427 | | /* |
2428 | | * So called sigalgs (composite RSA+hash) implemented below. They |
2429 | | * are pretty much hard coded, and rely on the hash implementation |
2430 | | * being available as per what OPENSSL_NO_ macros allow. |
2431 | | */ |
2432 | | |
2433 | | static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; |
2434 | | static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; |
2435 | | static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; |
2436 | | |
2437 | | /* |
2438 | | * rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(), |
2439 | | * just doesn't allow fetching an MD from whatever the user chooses. |
2440 | | */ |
2441 | | static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa, |
2442 | | OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, |
2443 | | const OSSL_PARAM params[], |
2444 | | const char *mdname, |
2445 | | int operation, int pad_mode, |
2446 | | const char *desc) |
2447 | 0 | { |
2448 | 0 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2449 | |
|
2450 | 0 | if (!ossl_prov_is_running()) |
2451 | 0 | return 0; |
2452 | | |
2453 | 0 | if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation, |
2454 | 0 | desc)) |
2455 | 0 | return 0; |
2456 | | |
2457 | | /* PSS is currently not supported as a sigalg */ |
2458 | 0 | if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
2459 | 0 | ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
2460 | 0 | return 0; |
2461 | 0 | } |
2462 | | |
2463 | 0 | if (!rsa_setup_md(prsactx, mdname, NULL, desc)) |
2464 | 0 | return 0; |
2465 | | |
2466 | 0 | prsactx->pad_mode = pad_mode; |
2467 | 0 | prsactx->flag_sigalg = 1; |
2468 | 0 | prsactx->flag_allow_md = 0; |
2469 | |
|
2470 | 0 | if (prsactx->mdctx == NULL) { |
2471 | 0 | prsactx->mdctx = EVP_MD_CTX_new(); |
2472 | 0 | if (prsactx->mdctx == NULL) |
2473 | 0 | goto error; |
2474 | 0 | } |
2475 | | |
2476 | 0 | if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) |
2477 | 0 | goto error; |
2478 | | |
2479 | 0 | return 1; |
2480 | | |
2481 | 0 | error: |
2482 | 0 | EVP_MD_CTX_free(prsactx->mdctx); |
2483 | 0 | prsactx->mdctx = NULL; |
2484 | 0 | return 0; |
2485 | 0 | } |
2486 | | |
2487 | | static const char **rsa_sigalg_query_key_types(void) |
2488 | 0 | { |
2489 | 0 | static const char *keytypes[] = { "RSA", NULL }; |
2490 | |
|
2491 | 0 | return keytypes; |
2492 | 0 | } |
2493 | | |
2494 | | /* clang-format off */ |
2495 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
2496 | | #ifndef rsa_sigalg_set_ctx_params_list |
2497 | | static const OSSL_PARAM rsa_sigalg_set_ctx_params_list[] = { |
2498 | | OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0), |
2499 | | OSSL_PARAM_END |
2500 | | }; |
2501 | | #endif |
2502 | | |
2503 | | #ifndef rsa_sigalg_set_ctx_params_st |
2504 | | struct rsa_sigalg_set_ctx_params_st { |
2505 | | OSSL_PARAM *sig; |
2506 | | }; |
2507 | | #endif |
2508 | | |
2509 | | #ifndef rsa_sigalg_set_ctx_params_decoder |
2510 | | static int rsa_sigalg_set_ctx_params_decoder |
2511 | | (const OSSL_PARAM *p, struct rsa_sigalg_set_ctx_params_st *r) |
2512 | 10.3k | { |
2513 | 10.3k | const char *s; |
2514 | | |
2515 | 10.3k | memset(r, 0, sizeof(*r)); |
2516 | 10.3k | if (p != NULL) |
2517 | 20.6k | for (; (s = p->key) != NULL; p++) |
2518 | 10.3k | if (ossl_likely(strcmp("signature", s + 0) == 0)) { |
2519 | | /* OSSL_SIGNATURE_PARAM_SIGNATURE */ |
2520 | 10.3k | if (ossl_unlikely(r->sig != NULL)) { |
2521 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
2522 | 0 | "param %s is repeated", s); |
2523 | 0 | return 0; |
2524 | 0 | } |
2525 | 10.3k | r->sig = (OSSL_PARAM *)p; |
2526 | 10.3k | } |
2527 | 10.3k | return 1; |
2528 | 10.3k | } |
2529 | | #endif |
2530 | | /* End of machine generated */ |
2531 | | /* clang-format on */ |
2532 | | |
2533 | | static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx, |
2534 | | ossl_unused void *provctx) |
2535 | 4 | { |
2536 | 4 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2537 | | |
2538 | 4 | if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG) |
2539 | 0 | return rsa_sigalg_set_ctx_params_list; |
2540 | 4 | return NULL; |
2541 | 4 | } |
2542 | | |
2543 | | static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) |
2544 | 10.3k | { |
2545 | 10.3k | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; |
2546 | 10.3k | struct rsa_sigalg_set_ctx_params_st p; |
2547 | | |
2548 | 10.3k | if (prsactx == NULL || !rsa_sigalg_set_ctx_params_decoder(params, &p)) |
2549 | 0 | return 0; |
2550 | | |
2551 | 10.3k | if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) { |
2552 | 10.3k | if (p.sig != NULL) { |
2553 | 10.3k | OPENSSL_free(prsactx->sig); |
2554 | 10.3k | prsactx->sig = NULL; |
2555 | 10.3k | prsactx->siglen = 0; |
2556 | 10.3k | if (!OSSL_PARAM_get_octet_string(p.sig, (void **)&prsactx->sig, |
2557 | 10.3k | 0, &prsactx->siglen)) |
2558 | 0 | return 0; |
2559 | 10.3k | } |
2560 | 10.3k | } |
2561 | 10.3k | return 1; |
2562 | 10.3k | } |
2563 | | |
2564 | | #define IMPL_RSA_SIGALG(md, MD) \ |
2565 | | static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \ |
2566 | | static OSSL_FUNC_signature_sign_message_init_fn \ |
2567 | | rsa_##md##_sign_message_init; \ |
2568 | | static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \ |
2569 | | static OSSL_FUNC_signature_verify_message_init_fn \ |
2570 | | rsa_##md##_verify_message_init; \ |
2571 | | \ |
2572 | | static int \ |
2573 | | rsa_##md##_sign_init(void *vprsactx, void *vrsa, \ |
2574 | | const OSSL_PARAM params[]) \ |
2575 | 0 | { \ |
2576 | 0 | static const char desc[] = "RSA Sigalg Sign Init"; \ |
2577 | 0 | \ |
2578 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2579 | 0 | rsa_sigalg_set_ctx_params, \ |
2580 | 0 | params, MD, \ |
2581 | 0 | EVP_PKEY_OP_SIGN, \ |
2582 | 0 | RSA_PKCS1_PADDING, \ |
2583 | 0 | desc); \ |
2584 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_sign_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_sign_init |
2585 | | \ |
2586 | | static int \ |
2587 | | rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \ |
2588 | | const OSSL_PARAM params[]) \ |
2589 | 0 | { \ |
2590 | 0 | static const char desc[] = "RSA Sigalg Sign Message Init"; \ |
2591 | 0 | \ |
2592 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2593 | 0 | rsa_sigalg_set_ctx_params, \ |
2594 | 0 | params, MD, \ |
2595 | 0 | EVP_PKEY_OP_SIGNMSG, \ |
2596 | 0 | RSA_PKCS1_PADDING, \ |
2597 | 0 | desc); \ |
2598 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_sign_message_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_sign_message_init |
2599 | | \ |
2600 | | static int \ |
2601 | | rsa_##md##_verify_init(void *vprsactx, void *vrsa, \ |
2602 | | const OSSL_PARAM params[]) \ |
2603 | 0 | { \ |
2604 | 0 | static const char desc[] = "RSA Sigalg Verify Init"; \ |
2605 | 0 | \ |
2606 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2607 | 0 | rsa_sigalg_set_ctx_params, \ |
2608 | 0 | params, MD, \ |
2609 | 0 | EVP_PKEY_OP_VERIFY, \ |
2610 | 0 | RSA_PKCS1_PADDING, \ |
2611 | 0 | desc); \ |
2612 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_verify_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_verify_init |
2613 | | \ |
2614 | | static int \ |
2615 | | rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \ |
2616 | | const OSSL_PARAM params[]) \ |
2617 | 0 | { \ |
2618 | 0 | static const char desc[] = "RSA Sigalg Verify Recover Init"; \ |
2619 | 0 | \ |
2620 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2621 | 0 | rsa_sigalg_set_ctx_params, \ |
2622 | 0 | params, MD, \ |
2623 | 0 | EVP_PKEY_OP_VERIFYRECOVER, \ |
2624 | 0 | RSA_PKCS1_PADDING, \ |
2625 | 0 | desc); \ |
2626 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_verify_recover_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_verify_recover_init |
2627 | | \ |
2628 | | static int \ |
2629 | | rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \ |
2630 | | const OSSL_PARAM params[]) \ |
2631 | 0 | { \ |
2632 | 0 | static const char desc[] = "RSA Sigalg Verify Message Init"; \ |
2633 | 0 | \ |
2634 | 0 | return rsa_sigalg_signverify_init(vprsactx, vrsa, \ |
2635 | 0 | rsa_sigalg_set_ctx_params, \ |
2636 | 0 | params, MD, \ |
2637 | 0 | EVP_PKEY_OP_VERIFYMSG, \ |
2638 | 0 | RSA_PKCS1_PADDING, \ |
2639 | 0 | desc); \ |
2640 | 0 | } \ Unexecuted instantiation: rsa_sig.c:rsa_ripemd160_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha1_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha224_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha256_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha384_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_224_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha512_256_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_224_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_256_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_384_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sha3_512_verify_message_init Unexecuted instantiation: rsa_sig.c:rsa_sm3_verify_message_init |
2641 | | \ |
2642 | | const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \ |
2643 | | { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \ |
2644 | | { OSSL_FUNC_SIGNATURE_SIGN_INIT, \ |
2645 | | (void (*)(void))rsa_##md##_sign_init }, \ |
2646 | | { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \ |
2647 | | { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \ |
2648 | | (void (*)(void))rsa_##md##_sign_message_init }, \ |
2649 | | { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \ |
2650 | | (void (*)(void))rsa_signverify_message_update }, \ |
2651 | | { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \ |
2652 | | (void (*)(void))rsa_sign_message_final }, \ |
2653 | | { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \ |
2654 | | (void (*)(void))rsa_##md##_verify_init }, \ |
2655 | | { OSSL_FUNC_SIGNATURE_VERIFY, \ |
2656 | | (void (*)(void))rsa_verify }, \ |
2657 | | { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \ |
2658 | | (void (*)(void))rsa_##md##_verify_message_init }, \ |
2659 | | { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \ |
2660 | | (void (*)(void))rsa_signverify_message_update }, \ |
2661 | | { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \ |
2662 | | (void (*)(void))rsa_verify_message_final }, \ |
2663 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \ |
2664 | | (void (*)(void))rsa_##md##_verify_recover_init }, \ |
2665 | | { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \ |
2666 | | (void (*)(void))rsa_verify_recover }, \ |
2667 | | { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \ |
2668 | | { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \ |
2669 | | { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \ |
2670 | | (void (*)(void))rsa_sigalg_query_key_types }, \ |
2671 | | { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \ |
2672 | | (void (*)(void))rsa_get_ctx_params }, \ |
2673 | | { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \ |
2674 | | (void (*)(void))rsa_gettable_ctx_params }, \ |
2675 | | { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \ |
2676 | | (void (*)(void))rsa_sigalg_set_ctx_params }, \ |
2677 | | { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \ |
2678 | | (void (*)(void))rsa_sigalg_settable_ctx_params }, \ |
2679 | | OSSL_DISPATCH_END \ |
2680 | | } |
2681 | | |
2682 | | #if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE) |
2683 | | IMPL_RSA_SIGALG(ripemd160, "RIPEMD160"); |
2684 | | #endif |
2685 | | IMPL_RSA_SIGALG(sha1, "SHA1"); |
2686 | | IMPL_RSA_SIGALG(sha224, "SHA2-224"); |
2687 | | IMPL_RSA_SIGALG(sha256, "SHA2-256"); |
2688 | | IMPL_RSA_SIGALG(sha384, "SHA2-384"); |
2689 | | IMPL_RSA_SIGALG(sha512, "SHA2-512"); |
2690 | | IMPL_RSA_SIGALG(sha512_224, "SHA2-512/224"); |
2691 | | IMPL_RSA_SIGALG(sha512_256, "SHA2-512/256"); |
2692 | | IMPL_RSA_SIGALG(sha3_224, "SHA3-224"); |
2693 | | IMPL_RSA_SIGALG(sha3_256, "SHA3-256"); |
2694 | | IMPL_RSA_SIGALG(sha3_384, "SHA3-384"); |
2695 | | IMPL_RSA_SIGALG(sha3_512, "SHA3-512"); |
2696 | | #if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE) |
2697 | | IMPL_RSA_SIGALG(sm3, "SM3"); |
2698 | | #endif |