1 /* 2 * Copyright 2019-2026 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <string.h> 17 #include <openssl/crypto.h> 18 #include <openssl/core_dispatch.h> 19 #include <openssl/core_names.h> 20 #include <openssl/err.h> 21 #include <openssl/obj_mac.h> 22 #include <openssl/rsa.h> 23 #include <openssl/params.h> 24 #include <openssl/evp.h> 25 #include <openssl/proverr.h> 26 #include "internal/cryptlib.h" 27 #include "internal/nelem.h" 28 #include "internal/sizes.h" 29 #include "crypto/rsa.h" 30 #include "prov/providercommon.h" 31 #include "prov/implementations.h" 32 #include "prov/provider_ctx.h" 33 #include "prov/der_rsa.h" 34 #include "prov/securitycheck.h" 35 36 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 37 38 static OSSL_FUNC_signature_newctx_fn rsa_newctx; 39 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; 40 static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; 41 static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; 42 static OSSL_FUNC_signature_sign_fn rsa_sign; 43 static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update; 44 static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final; 45 static OSSL_FUNC_signature_verify_fn rsa_verify; 46 static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover; 47 static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update; 48 static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final; 49 static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init; 50 static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update; 51 static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; 52 static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; 53 static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update; 54 static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; 55 static OSSL_FUNC_signature_freectx_fn rsa_freectx; 56 static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; 57 static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; 58 static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; 59 static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; 60 static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params; 61 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params; 62 static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params; 63 static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params; 64 static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params; 65 static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params; 66 static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; 67 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; 68 69 static OSSL_ITEM padding_item[] = { 70 { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 }, 71 { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE }, 72 { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 }, 73 { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS }, 74 { 0, NULL } 75 }; 76 77 /* 78 * What's passed as an actual key is defined by the KEYMGMT interface. 79 * We happen to know that our KEYMGMT simply passes RSA structures, so 80 * we use that here too. 81 */ 82 83 typedef struct { 84 OSSL_LIB_CTX *libctx; 85 char *propq; 86 RSA *rsa; 87 int operation; 88 89 /* 90 * Flag to determine if a full sigalg is run (1) or if a composable 91 * signature algorithm is run (0). 92 * 93 * When a full sigalg is run (1), this currently affects the following 94 * other flags, which are to remain untouched after their initialization: 95 * 96 * - flag_allow_md (initialized to 0) 97 */ 98 unsigned int flag_sigalg : 1; 99 /* 100 * Flag to determine if the hash function can be changed (1) or not (0) 101 * Because it's dangerous to change during a DigestSign or DigestVerify 102 * operation, this flag is cleared by their Init function, and set again 103 * by their Final function. 104 * Implementations of full sigalgs (such as RSA-SHA256) hard-code this 105 * flag to not allow changes (0). 106 */ 107 unsigned int flag_allow_md : 1; 108 unsigned int mgf1_md_set : 1; 109 /* 110 * Flags to say what are the possible next external calls in what 111 * constitutes the life cycle of an algorithm. The relevant calls are: 112 * - init 113 * - update 114 * - final 115 * - oneshot 116 * All other external calls are regarded as utilitarian and are allowed 117 * at any time (they may be affected by other flags, like flag_allow_md, 118 * though). 119 */ 120 unsigned int flag_allow_update : 1; 121 unsigned int flag_allow_final : 1; 122 unsigned int flag_allow_oneshot : 1; 123 124 /* main digest */ 125 EVP_MD *md; 126 EVP_MD_CTX *mdctx; 127 int mdnid; 128 char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ 129 130 /* RSA padding mode */ 131 int pad_mode; 132 /* message digest for MGF1 */ 133 EVP_MD *mgf1_md; 134 int mgf1_mdnid; 135 char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ 136 /* PSS salt length */ 137 int saltlen; 138 /* Minimum salt length or -1 if no PSS parameter restriction */ 139 int min_saltlen; 140 141 /* Signature, for verification */ 142 unsigned char *sig; 143 size_t siglen; 144 145 #ifdef FIPS_MODULE 146 /* 147 * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a 148 * message is not permitted. However, signing based on a digest is still 149 * permitted. 150 */ 151 int verify_message; 152 #endif 153 154 /* Temp buffer */ 155 unsigned char *tbuf; 156 157 OSSL_FIPS_IND_DECLARE 158 } PROV_RSA_CTX; 159 160 /* True if PSS parameters are restricted */ 161 #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) 162 163 static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx) 164 { 165 int md_size; 166 167 if (prsactx->md != NULL) { 168 md_size = EVP_MD_get_size(prsactx->md); 169 if (md_size <= 0) 170 return 0; 171 return md_size; 172 } 173 return 0; 174 } 175 176 static int rsa_check_padding(const PROV_RSA_CTX *prsactx, 177 const char *mdname, const char *mgf1_mdname, 178 int mdnid) 179 { 180 switch (prsactx->pad_mode) { 181 case RSA_NO_PADDING: 182 if (mdname != NULL || mdnid != NID_undef) { 183 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); 184 return 0; 185 } 186 break; 187 case RSA_X931_PADDING: 188 if (RSA_X931_hash_id(mdnid) == -1) { 189 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); 190 return 0; 191 } 192 break; 193 case RSA_PKCS1_PSS_PADDING: 194 if (rsa_pss_restricted(prsactx)) 195 if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname)) 196 || (mgf1_mdname != NULL 197 && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) { 198 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); 199 return 0; 200 } 201 break; 202 default: 203 break; 204 } 205 206 return 1; 207 } 208 209 static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) 210 { 211 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { 212 int max_saltlen; 213 214 /* See if minimum salt length exceeds maximum possible */ 215 max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md); 216 if ((RSA_bits(prsactx->rsa) & 0x7) == 1) 217 max_saltlen--; 218 if (min_saltlen < 0 || min_saltlen > max_saltlen) { 219 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 220 return 0; 221 } 222 prsactx->min_saltlen = min_saltlen; 223 } 224 return 1; 225 } 226 227 static void *rsa_newctx(void *provctx, const char *propq) 228 { 229 PROV_RSA_CTX *prsactx = NULL; 230 char *propq_copy = NULL; 231 232 if (!ossl_prov_is_running()) 233 return NULL; 234 235 if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL 236 || (propq != NULL 237 && (propq_copy = OPENSSL_strdup(propq)) == NULL)) { 238 OPENSSL_free(prsactx); 239 return NULL; 240 } 241 242 OSSL_FIPS_IND_INIT(prsactx) 243 prsactx->libctx = PROV_LIBCTX_OF(provctx); 244 prsactx->flag_allow_md = 1; 245 #ifdef FIPS_MODULE 246 prsactx->verify_message = 1; 247 #endif 248 prsactx->propq = propq_copy; 249 /* Maximum up to digest length for sign, auto for verify */ 250 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; 251 prsactx->min_saltlen = -1; 252 return prsactx; 253 } 254 255 static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) 256 { 257 int saltlen = ctx->saltlen; 258 int saltlenMax = -1; 259 260 /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection 261 * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the 262 * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of 263 * the hash function output block (in bytes)." 264 * 265 * Provide a way to use at most the digest length, so that the default does 266 * not violate FIPS 186-4. */ 267 if (saltlen == RSA_PSS_SALTLEN_DIGEST) { 268 if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) { 269 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); 270 return -1; 271 } 272 } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { 273 saltlen = RSA_PSS_SALTLEN_MAX; 274 if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) { 275 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); 276 return -1; 277 } 278 } 279 if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { 280 int mdsize, rsasize; 281 282 if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) { 283 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); 284 return -1; 285 } 286 if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) { 287 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); 288 return -1; 289 } 290 saltlen = rsasize - mdsize - 2; 291 if ((RSA_bits(ctx->rsa) & 0x7) == 1) 292 saltlen--; 293 if (saltlenMax >= 0 && saltlen > saltlenMax) 294 saltlen = saltlenMax; 295 } 296 if (saltlen < 0) { 297 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 298 return -1; 299 } else if (saltlen < ctx->min_saltlen) { 300 ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, 301 "minimum salt length: %d, actual salt length: %d", 302 ctx->min_saltlen, saltlen); 303 return -1; 304 } 305 return saltlen; 306 } 307 308 static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, 309 unsigned char *aid_buf, 310 size_t buf_len, 311 size_t *aid_len) 312 { 313 WPACKET pkt; 314 unsigned char *aid = NULL; 315 int saltlen; 316 RSA_PSS_PARAMS_30 pss_params; 317 int ret; 318 319 if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { 320 ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB); 321 return NULL; 322 } 323 324 switch (ctx->pad_mode) { 325 case RSA_PKCS1_PADDING: 326 ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, 327 ctx->mdnid); 328 329 if (ret > 0) { 330 break; 331 } else if (ret == 0) { 332 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 333 goto cleanup; 334 } 335 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 336 "Algorithm ID generation - md NID: %d", 337 ctx->mdnid); 338 goto cleanup; 339 case RSA_PKCS1_PSS_PADDING: 340 saltlen = rsa_pss_compute_saltlen(ctx); 341 if (saltlen < 0) 342 goto cleanup; 343 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) 344 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) 345 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, 346 ctx->mgf1_mdnid) 347 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) 348 || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, 349 RSA_FLAG_TYPE_RSASSAPSS, 350 &pss_params)) { 351 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 352 goto cleanup; 353 } 354 break; 355 default: 356 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, 357 "Algorithm ID generation - pad mode: %d", 358 ctx->pad_mode); 359 goto cleanup; 360 } 361 if (WPACKET_finish(&pkt)) { 362 WPACKET_get_total_written(&pkt, aid_len); 363 aid = WPACKET_get_curr(&pkt); 364 } 365 cleanup: 366 WPACKET_cleanup(&pkt); 367 return aid; 368 } 369 370 static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, 371 const char *mdprops, const char *desc) 372 { 373 EVP_MD *md = NULL; 374 375 if (mdprops == NULL) 376 mdprops = ctx->propq; 377 378 if (mdname != NULL) { 379 int md_nid; 380 size_t mdname_len = strlen(mdname); 381 382 md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); 383 384 if (md == NULL) { 385 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 386 "%s could not be fetched", mdname); 387 goto err; 388 } 389 md_nid = ossl_digest_rsa_sign_get_md_nid(md); 390 if (md_nid == NID_undef) { 391 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 392 "digest=%s", mdname); 393 goto err; 394 } 395 /* 396 * XOF digests are not allowed except for RSA PSS. 397 * We don't support XOF digests with RSA PSS (yet), so just fail. 398 * When we do support them, uncomment the second clause. 399 */ 400 if (EVP_MD_xof(md) 401 /* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) { 402 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 403 goto err; 404 } 405 #ifdef FIPS_MODULE 406 { 407 int sha1_allowed 408 = ((ctx->operation 409 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) 410 == 0); 411 412 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), 413 OSSL_FIPS_IND_SETTABLE1, 414 ctx->libctx, 415 md_nid, sha1_allowed, 1, desc, 416 ossl_fips_config_signature_digest_check)) 417 goto err; 418 } 419 #endif 420 421 if (!rsa_check_padding(ctx, mdname, NULL, md_nid)) 422 goto err; 423 if (mdname_len >= sizeof(ctx->mdname)) { 424 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 425 "%s exceeds name buffer length", mdname); 426 goto err; 427 } 428 429 if (!ctx->flag_allow_md) { 430 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { 431 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 432 "digest %s != %s", mdname, ctx->mdname); 433 goto err; 434 } 435 EVP_MD_free(md); 436 return 1; 437 } 438 439 if (!ctx->mgf1_md_set) { 440 if (!EVP_MD_up_ref(md)) { 441 goto err; 442 } 443 EVP_MD_free(ctx->mgf1_md); 444 ctx->mgf1_md = md; 445 ctx->mgf1_mdnid = md_nid; 446 OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 447 } 448 449 EVP_MD_CTX_free(ctx->mdctx); 450 EVP_MD_free(ctx->md); 451 452 ctx->mdctx = NULL; 453 ctx->md = md; 454 ctx->mdnid = md_nid; 455 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); 456 } 457 458 return 1; 459 err: 460 EVP_MD_free(md); 461 return 0; 462 } 463 464 static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, 465 const char *mdprops) 466 { 467 size_t len; 468 EVP_MD *md = NULL; 469 int mdnid; 470 471 if (mdprops == NULL) 472 mdprops = ctx->propq; 473 474 if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { 475 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 476 "%s could not be fetched", mdname); 477 return 0; 478 } 479 /* The default for mgf1 is SHA1 - so allow SHA1 */ 480 if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0 481 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { 482 if (mdnid <= 0) 483 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, 484 "digest=%s", mdname); 485 EVP_MD_free(md); 486 return 0; 487 } 488 len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); 489 if (len >= sizeof(ctx->mgf1_mdname)) { 490 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 491 "%s exceeds name buffer length", mdname); 492 EVP_MD_free(md); 493 return 0; 494 } 495 496 EVP_MD_free(ctx->mgf1_md); 497 ctx->mgf1_md = md; 498 ctx->mgf1_mdnid = mdnid; 499 ctx->mgf1_md_set = 1; 500 return 1; 501 } 502 503 static int 504 rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa, 505 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, 506 const OSSL_PARAM params[], int operation, 507 const char *desc) 508 { 509 int protect; 510 511 if (!ossl_prov_is_running() || prsactx == NULL) 512 return 0; 513 514 if (vrsa == NULL && prsactx->rsa == NULL) { 515 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); 516 return 0; 517 } 518 519 if (vrsa != NULL) { 520 if (!RSA_up_ref(vrsa)) 521 return 0; 522 RSA_free(prsactx->rsa); 523 prsactx->rsa = vrsa; 524 } 525 if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect)) 526 return 0; 527 528 prsactx->operation = operation; 529 prsactx->flag_allow_update = 1; 530 prsactx->flag_allow_final = 1; 531 prsactx->flag_allow_oneshot = 1; 532 533 /* Maximize up to digest length for sign, auto for verify */ 534 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; 535 prsactx->min_saltlen = -1; 536 537 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { 538 case RSA_FLAG_TYPE_RSA: 539 prsactx->pad_mode = RSA_PKCS1_PADDING; 540 break; 541 case RSA_FLAG_TYPE_RSASSAPSS: 542 prsactx->pad_mode = RSA_PKCS1_PSS_PADDING; 543 544 { 545 const RSA_PSS_PARAMS_30 *pss = ossl_rsa_get0_pss_params_30(prsactx->rsa); 546 547 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { 548 int md_nid = ossl_rsa_pss_params_30_hashalg(pss); 549 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); 550 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss); 551 const char *mdname, *mgf1mdname; 552 size_t len; 553 554 mdname = ossl_rsa_oaeppss_nid2name(md_nid); 555 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); 556 557 if (mdname == NULL) { 558 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 559 "PSS restrictions lack hash algorithm"); 560 return 0; 561 } 562 if (mgf1mdname == NULL) { 563 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 564 "PSS restrictions lack MGF1 hash algorithm"); 565 return 0; 566 } 567 568 len = OPENSSL_strlcpy(prsactx->mdname, mdname, 569 sizeof(prsactx->mdname)); 570 if (len >= sizeof(prsactx->mdname)) { 571 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 572 "hash algorithm name too long"); 573 return 0; 574 } 575 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, 576 sizeof(prsactx->mgf1_mdname)); 577 if (len >= sizeof(prsactx->mgf1_mdname)) { 578 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, 579 "MGF1 hash algorithm name too long"); 580 return 0; 581 } 582 prsactx->saltlen = min_saltlen; 583 584 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ 585 if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) 586 || !rsa_setup_md(prsactx, mdname, prsactx->propq, desc) 587 || !rsa_check_parameters(prsactx, min_saltlen)) 588 return 0; 589 } 590 } 591 592 break; 593 default: 594 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 595 return 0; 596 } 597 598 OSSL_FIPS_IND_SET_APPROVED(prsactx) 599 if (!set_ctx_params(prsactx, params)) 600 return 0; 601 #ifdef FIPS_MODULE 602 if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx), 603 OSSL_FIPS_IND_SETTABLE0, prsactx->libctx, 604 prsactx->rsa, desc, protect)) 605 return 0; 606 #endif 607 return 1; 608 } 609 610 static int setup_tbuf(PROV_RSA_CTX *ctx) 611 { 612 if (ctx->tbuf != NULL) 613 return 1; 614 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) 615 return 0; 616 return 1; 617 } 618 619 static void clean_tbuf(PROV_RSA_CTX *ctx) 620 { 621 if (ctx->tbuf != NULL) 622 OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa)); 623 } 624 625 static void free_tbuf(PROV_RSA_CTX *ctx) 626 { 627 clean_tbuf(ctx); 628 OPENSSL_free(ctx->tbuf); 629 ctx->tbuf = NULL; 630 } 631 632 #ifdef FIPS_MODULE 633 static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen) 634 { 635 int mdsize = rsa_get_md_size(ctx); 636 /* 637 * Perform the check if the salt length is compliant to FIPS 186-5. 638 * 639 * According to FIPS 186-5 5.4 (g), the salt length shall be between zero 640 * and the output block length of the digest function (inclusive). 641 */ 642 int approved = (saltlen >= 0 && saltlen <= mdsize); 643 644 if (!approved) { 645 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3, 646 ctx->libctx, 647 algoname, "PSS Salt Length", 648 ossl_fips_config_rsa_pss_saltlen_check)) { 649 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 650 return 0; 651 } 652 } 653 654 return 1; 655 } 656 #endif 657 658 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[]) 659 { 660 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 661 662 #ifdef FIPS_MODULE 663 if (prsactx != NULL) 664 prsactx->verify_message = 1; 665 #endif 666 667 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, 668 EVP_PKEY_OP_SIGN, "RSA Sign Init"); 669 } 670 671 /* 672 * Sign tbs without digesting it first. This is suitable for "primitive" 673 * signing and signing the digest of a message, i.e. should be used with 674 * implementations of the keytype related algorithms. 675 */ 676 static int rsa_sign_directly(PROV_RSA_CTX *prsactx, 677 unsigned char *sig, size_t *siglen, size_t sigsize, 678 const unsigned char *tbs, size_t tbslen) 679 { 680 int ret; 681 size_t rsasize = RSA_size(prsactx->rsa); 682 size_t mdsize = rsa_get_md_size(prsactx); 683 684 if (!ossl_prov_is_running()) 685 return 0; 686 687 if (sig == NULL) { 688 *siglen = rsasize; 689 return 1; 690 } 691 692 if (sigsize < rsasize) { 693 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE, 694 "is %zu, should be at least %zu", sigsize, rsasize); 695 return 0; 696 } 697 698 if (mdsize != 0) { 699 if (tbslen != mdsize) { 700 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); 701 return 0; 702 } 703 704 #ifndef FIPS_MODULE 705 if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) { 706 unsigned int sltmp; 707 708 if (prsactx->pad_mode != RSA_PKCS1_PADDING) { 709 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 710 "only PKCS#1 padding supported with MDC2"); 711 return 0; 712 } 713 ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, 714 prsactx->rsa); 715 716 if (ret <= 0) { 717 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 718 return 0; 719 } 720 ret = sltmp; 721 goto end; 722 } 723 #endif 724 switch (prsactx->pad_mode) { 725 case RSA_X931_PADDING: 726 if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) { 727 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL, 728 "RSA key size = %d, expected minimum = %d", 729 RSA_size(prsactx->rsa), tbslen + 1); 730 return 0; 731 } 732 if (!setup_tbuf(prsactx)) { 733 ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB); 734 return 0; 735 } 736 memcpy(prsactx->tbuf, tbs, tbslen); 737 prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid); 738 ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf, 739 sig, prsactx->rsa, RSA_X931_PADDING); 740 clean_tbuf(prsactx); 741 break; 742 case RSA_PKCS1_PADDING: { 743 unsigned int sltmp; 744 745 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp, 746 prsactx->rsa); 747 if (ret <= 0) { 748 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 749 return 0; 750 } 751 ret = sltmp; 752 } break; 753 754 case RSA_PKCS1_PSS_PADDING: { 755 int saltlen; 756 757 /* Check PSS restrictions */ 758 if (rsa_pss_restricted(prsactx)) { 759 switch (prsactx->saltlen) { 760 case RSA_PSS_SALTLEN_DIGEST: 761 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { 762 ERR_raise_data(ERR_LIB_PROV, 763 PROV_R_PSS_SALTLEN_TOO_SMALL, 764 "minimum salt length set to %d, " 765 "but the digest only gives %d", 766 prsactx->min_saltlen, 767 EVP_MD_get_size(prsactx->md)); 768 return 0; 769 } 770 /* FALLTHRU */ 771 default: 772 if (prsactx->saltlen >= 0 773 && prsactx->saltlen < prsactx->min_saltlen) { 774 ERR_raise_data(ERR_LIB_PROV, 775 PROV_R_PSS_SALTLEN_TOO_SMALL, 776 "minimum salt length set to %d, but the" 777 "actual salt length is only set to %d", 778 prsactx->min_saltlen, 779 prsactx->saltlen); 780 return 0; 781 } 782 break; 783 } 784 } 785 if (!setup_tbuf(prsactx)) 786 return 0; 787 saltlen = prsactx->saltlen; 788 if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa, 789 prsactx->tbuf, tbs, 790 prsactx->md, prsactx->mgf1_md, 791 &saltlen)) { 792 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 793 return 0; 794 } 795 #ifdef FIPS_MODULE 796 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen)) 797 return 0; 798 #endif 799 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf, 800 sig, prsactx->rsa, RSA_NO_PADDING); 801 clean_tbuf(prsactx); 802 } break; 803 804 default: 805 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 806 "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); 807 return 0; 808 } 809 } else { 810 ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa, 811 prsactx->pad_mode); 812 } 813 814 #ifndef FIPS_MODULE 815 end: 816 #endif 817 if (ret <= 0) { 818 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 819 return 0; 820 } 821 822 *siglen = ret; 823 return 1; 824 } 825 826 static int rsa_signverify_message_update(void *vprsactx, 827 const unsigned char *data, 828 size_t datalen) 829 { 830 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 831 832 if (prsactx == NULL || prsactx->mdctx == NULL) 833 return 0; 834 835 if (!prsactx->flag_allow_update) { 836 ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER); 837 return 0; 838 } 839 prsactx->flag_allow_oneshot = 0; 840 841 return EVP_DigestUpdate(prsactx->mdctx, data, datalen); 842 } 843 844 static int rsa_sign_message_final(void *vprsactx, unsigned char *sig, 845 size_t *siglen, size_t sigsize) 846 { 847 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 848 unsigned char digest[EVP_MAX_MD_SIZE]; 849 unsigned int dlen = 0; 850 851 if (!ossl_prov_is_running() || prsactx == NULL) 852 return 0; 853 if (prsactx->mdctx == NULL) 854 return 0; 855 if (!prsactx->flag_allow_final) { 856 ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); 857 return 0; 858 } 859 860 /* 861 * If sig is NULL then we're just finding out the sig size. Other fields 862 * are ignored. Defer to rsa_sign. 863 */ 864 if (sig != NULL) { 865 /* 866 * The digests used here are all known (see rsa_get_md_nid()), so they 867 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. 868 */ 869 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) 870 return 0; 871 872 prsactx->flag_allow_update = 0; 873 prsactx->flag_allow_oneshot = 0; 874 prsactx->flag_allow_final = 0; 875 } 876 877 return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen); 878 } 879 880 /* 881 * If signing a message, digest tbs and sign the result. 882 * Otherwise, sign tbs directly. 883 */ 884 static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, 885 size_t sigsize, const unsigned char *tbs, size_t tbslen) 886 { 887 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 888 889 if (!ossl_prov_is_running() || prsactx == NULL) 890 return 0; 891 if (!prsactx->flag_allow_oneshot) { 892 ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); 893 return 0; 894 } 895 896 if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) { 897 /* 898 * If |sig| is NULL, the caller is only looking for the sig length. 899 * DO NOT update the input in this case. 900 */ 901 if (sig == NULL) 902 return rsa_sign_message_final(prsactx, sig, siglen, sigsize); 903 904 return rsa_signverify_message_update(prsactx, tbs, tbslen) 905 && rsa_sign_message_final(prsactx, sig, siglen, sigsize); 906 } 907 return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen); 908 } 909 910 static int rsa_verify_recover_init(void *vprsactx, void *vrsa, 911 const OSSL_PARAM params[]) 912 { 913 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 914 915 #ifdef FIPS_MODULE 916 if (prsactx != NULL) 917 prsactx->verify_message = 0; 918 #endif 919 920 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, 921 EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init"); 922 } 923 924 /* 925 * There is no message variant of verify recover, so no need for 926 * 'rsa_verify_recover_directly', just use this function, er, directly. 927 */ 928 static int rsa_verify_recover(void *vprsactx, 929 unsigned char *rout, size_t *routlen, 930 size_t routsize, 931 const unsigned char *sig, size_t siglen) 932 { 933 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 934 int ret; 935 936 if (!ossl_prov_is_running()) 937 return 0; 938 939 if (rout == NULL) { 940 *routlen = RSA_size(prsactx->rsa); 941 return 1; 942 } 943 944 if (prsactx->md != NULL) { 945 switch (prsactx->pad_mode) { 946 case RSA_X931_PADDING: 947 if (!setup_tbuf(prsactx)) 948 return 0; 949 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, 950 RSA_X931_PADDING); 951 if (ret <= 0) { 952 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 953 return 0; 954 } 955 ret--; 956 if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) { 957 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH); 958 return 0; 959 } 960 if (ret != EVP_MD_get_size(prsactx->md)) { 961 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, 962 "Should be %d, but got %d", 963 EVP_MD_get_size(prsactx->md), ret); 964 return 0; 965 } 966 967 *routlen = ret; 968 if (rout != prsactx->tbuf) { 969 if (routsize < (size_t)ret) { 970 ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, 971 "buffer size is %d, should be %d", 972 routsize, ret); 973 return 0; 974 } 975 memcpy(rout, prsactx->tbuf, ret); 976 } 977 break; 978 979 case RSA_PKCS1_PADDING: { 980 size_t sltmp; 981 982 ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp, 983 sig, siglen, prsactx->rsa); 984 if (ret <= 0) { 985 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 986 return 0; 987 } 988 ret = sltmp; 989 } break; 990 991 default: 992 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 993 "Only X.931 or PKCS#1 v1.5 padding allowed"); 994 return 0; 995 } 996 } else { 997 ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa, 998 prsactx->pad_mode); 999 if (ret <= 0) { 1000 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1001 return 0; 1002 } 1003 } 1004 *routlen = ret; 1005 return 1; 1006 } 1007 1008 static int rsa_verify_init(void *vprsactx, void *vrsa, 1009 const OSSL_PARAM params[]) 1010 { 1011 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1012 1013 #ifdef FIPS_MODULE 1014 if (prsactx != NULL) 1015 prsactx->verify_message = 0; 1016 #endif 1017 1018 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, 1019 EVP_PKEY_OP_VERIFY, "RSA Verify Init"); 1020 } 1021 1022 static int rsa_verify_directly(PROV_RSA_CTX *prsactx, 1023 const unsigned char *sig, size_t siglen, 1024 const unsigned char *tbs, size_t tbslen) 1025 { 1026 size_t rslen; 1027 1028 if (!ossl_prov_is_running()) 1029 return 0; 1030 if (prsactx->md != NULL) { 1031 switch (prsactx->pad_mode) { 1032 case RSA_PKCS1_PADDING: 1033 if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen, 1034 prsactx->rsa)) { 1035 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1036 return 0; 1037 } 1038 return 1; 1039 case RSA_X931_PADDING: 1040 if (!setup_tbuf(prsactx)) 1041 return 0; 1042 if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0, 1043 sig, siglen) 1044 <= 0) 1045 return 0; 1046 break; 1047 case RSA_PKCS1_PSS_PADDING: { 1048 int ret; 1049 int saltlen; 1050 size_t mdsize; 1051 1052 /* 1053 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1() 1054 * call 1055 */ 1056 mdsize = rsa_get_md_size(prsactx); 1057 if (tbslen != mdsize) { 1058 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH, 1059 "Should be %d, but got %d", 1060 mdsize, tbslen); 1061 return 0; 1062 } 1063 1064 if (!setup_tbuf(prsactx)) 1065 return 0; 1066 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, 1067 prsactx->rsa, RSA_NO_PADDING); 1068 if (ret <= 0) { 1069 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1070 return 0; 1071 } 1072 saltlen = prsactx->saltlen; 1073 ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs, 1074 prsactx->md, prsactx->mgf1_md, 1075 prsactx->tbuf, 1076 &saltlen); 1077 if (ret <= 0) { 1078 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1079 return 0; 1080 } 1081 #ifdef FIPS_MODULE 1082 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen)) 1083 return 0; 1084 #endif 1085 return 1; 1086 } 1087 default: 1088 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE, 1089 "Only X.931, PKCS#1 v1.5 or PSS padding allowed"); 1090 return 0; 1091 } 1092 } else { 1093 int ret; 1094 1095 if (!setup_tbuf(prsactx)) 1096 return 0; 1097 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, 1098 prsactx->pad_mode); 1099 if (ret <= 0) { 1100 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); 1101 return 0; 1102 } 1103 rslen = (size_t)ret; 1104 } 1105 1106 if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) 1107 return 0; 1108 1109 return 1; 1110 } 1111 1112 static int rsa_verify_set_sig(void *vprsactx, 1113 const unsigned char *sig, size_t siglen) 1114 { 1115 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1116 OSSL_PARAM params[2]; 1117 1118 params[0] = OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, 1119 (unsigned char *)sig, siglen); 1120 params[1] = OSSL_PARAM_construct_end(); 1121 return rsa_sigalg_set_ctx_params(prsactx, params); 1122 } 1123 1124 static int rsa_verify_message_final(void *vprsactx) 1125 { 1126 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1127 unsigned char digest[EVP_MAX_MD_SIZE]; 1128 unsigned int dlen = 0; 1129 1130 if (!ossl_prov_is_running() || prsactx == NULL) 1131 return 0; 1132 if (prsactx->mdctx == NULL) 1133 return 0; 1134 if (!prsactx->flag_allow_final) { 1135 ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER); 1136 return 0; 1137 } 1138 1139 /* 1140 * The digests used here are all known (see rsa_get_md_nid()), so they 1141 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE. 1142 */ 1143 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen)) 1144 return 0; 1145 1146 prsactx->flag_allow_update = 0; 1147 prsactx->flag_allow_final = 0; 1148 prsactx->flag_allow_oneshot = 0; 1149 1150 return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen, 1151 digest, dlen); 1152 } 1153 1154 /* 1155 * If verifying a message, digest tbs and verify the result. 1156 * Otherwise, verify tbs directly. 1157 */ 1158 static int rsa_verify(void *vprsactx, 1159 const unsigned char *sig, size_t siglen, 1160 const unsigned char *tbs, size_t tbslen) 1161 { 1162 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1163 1164 if (!ossl_prov_is_running() || prsactx == NULL) 1165 return 0; 1166 if (!prsactx->flag_allow_oneshot) { 1167 ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER); 1168 return 0; 1169 } 1170 1171 if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) 1172 return rsa_verify_set_sig(prsactx, sig, siglen) 1173 && rsa_signverify_message_update(prsactx, tbs, tbslen) 1174 && rsa_verify_message_final(prsactx); 1175 return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen); 1176 } 1177 1178 /* DigestSign/DigestVerify wrappers */ 1179 1180 static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, 1181 void *vrsa, const OSSL_PARAM params[], 1182 int operation, const char *desc) 1183 { 1184 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1185 1186 #ifdef FIPS_MODULE 1187 if (prsactx != NULL) 1188 prsactx->verify_message = 1; 1189 #endif 1190 1191 if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params, 1192 operation, desc)) 1193 return 0; 1194 1195 if (mdname != NULL 1196 /* was rsa_setup_md already called in rsa_signverify_init()? */ 1197 && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0) 1198 && !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)) 1199 return 0; 1200 1201 prsactx->flag_allow_md = 0; 1202 1203 if (prsactx->mdctx == NULL) { 1204 prsactx->mdctx = EVP_MD_CTX_new(); 1205 if (prsactx->mdctx == NULL) 1206 goto error; 1207 } 1208 1209 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) 1210 goto error; 1211 1212 return 1; 1213 1214 error: 1215 EVP_MD_CTX_free(prsactx->mdctx); 1216 prsactx->mdctx = NULL; 1217 return 0; 1218 } 1219 1220 static int rsa_digest_sign_init(void *vprsactx, const char *mdname, 1221 void *vrsa, const OSSL_PARAM params[]) 1222 { 1223 if (!ossl_prov_is_running()) 1224 return 0; 1225 return rsa_digest_signverify_init(vprsactx, mdname, vrsa, 1226 params, EVP_PKEY_OP_SIGNMSG, 1227 "RSA Digest Sign Init"); 1228 } 1229 1230 static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data, 1231 size_t datalen) 1232 { 1233 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1234 1235 if (prsactx == NULL) 1236 return 0; 1237 /* Sigalg implementations shouldn't do digest_sign */ 1238 if (prsactx->flag_sigalg) 1239 return 0; 1240 1241 return rsa_signverify_message_update(prsactx, data, datalen); 1242 } 1243 1244 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig, 1245 size_t *siglen, size_t sigsize) 1246 { 1247 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1248 int ok = 0; 1249 1250 if (prsactx == NULL) 1251 return 0; 1252 /* Sigalg implementations shouldn't do digest_sign */ 1253 if (prsactx->flag_sigalg) 1254 return 0; 1255 1256 if (rsa_sign_message_final(prsactx, sig, siglen, sigsize)) 1257 ok = 1; 1258 1259 prsactx->flag_allow_md = 1; 1260 1261 return ok; 1262 } 1263 1264 static int rsa_digest_verify_init(void *vprsactx, const char *mdname, 1265 void *vrsa, const OSSL_PARAM params[]) 1266 { 1267 if (!ossl_prov_is_running()) 1268 return 0; 1269 return rsa_digest_signverify_init(vprsactx, mdname, vrsa, 1270 params, EVP_PKEY_OP_VERIFYMSG, 1271 "RSA Digest Verify Init"); 1272 } 1273 1274 static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data, 1275 size_t datalen) 1276 { 1277 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1278 1279 if (prsactx == NULL) 1280 return 0; 1281 /* Sigalg implementations shouldn't do digest_sign */ 1282 if (prsactx->flag_sigalg) 1283 return 0; 1284 1285 return rsa_signverify_message_update(prsactx, data, datalen); 1286 } 1287 1288 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, 1289 size_t siglen) 1290 { 1291 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1292 int ok = 0; 1293 1294 if (prsactx == NULL) 1295 return 0; 1296 /* Sigalg implementations shouldn't do digest_verify */ 1297 if (prsactx->flag_sigalg) 1298 return 0; 1299 1300 if (rsa_verify_set_sig(prsactx, sig, siglen) 1301 && rsa_verify_message_final(vprsactx)) 1302 ok = 1; 1303 1304 prsactx->flag_allow_md = 1; 1305 1306 return ok; 1307 } 1308 1309 static void rsa_freectx(void *vprsactx) 1310 { 1311 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1312 1313 if (prsactx == NULL) 1314 return; 1315 1316 EVP_MD_CTX_free(prsactx->mdctx); 1317 EVP_MD_free(prsactx->md); 1318 EVP_MD_free(prsactx->mgf1_md); 1319 OPENSSL_free(prsactx->sig); 1320 OPENSSL_free(prsactx->propq); 1321 free_tbuf(prsactx); 1322 RSA_free(prsactx->rsa); 1323 1324 OPENSSL_clear_free(prsactx, sizeof(*prsactx)); 1325 } 1326 1327 static void *rsa_dupctx(void *vprsactx) 1328 { 1329 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; 1330 PROV_RSA_CTX *dstctx; 1331 1332 if (!ossl_prov_is_running()) 1333 return NULL; 1334 1335 dstctx = OPENSSL_zalloc(sizeof(*srcctx)); 1336 if (dstctx == NULL) 1337 return NULL; 1338 1339 *dstctx = *srcctx; 1340 dstctx->rsa = NULL; 1341 dstctx->md = NULL; 1342 dstctx->mgf1_md = NULL; 1343 dstctx->mdctx = NULL; 1344 dstctx->tbuf = NULL; 1345 dstctx->propq = NULL; 1346 dstctx->sig = NULL; 1347 1348 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa)) 1349 goto err; 1350 dstctx->rsa = srcctx->rsa; 1351 1352 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md)) 1353 goto err; 1354 dstctx->md = srcctx->md; 1355 1356 if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md)) 1357 goto err; 1358 dstctx->mgf1_md = srcctx->mgf1_md; 1359 1360 if (srcctx->mdctx != NULL) { 1361 dstctx->mdctx = EVP_MD_CTX_new(); 1362 if (dstctx->mdctx == NULL 1363 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx)) 1364 goto err; 1365 } 1366 1367 if (srcctx->propq != NULL) { 1368 dstctx->propq = OPENSSL_strdup(srcctx->propq); 1369 if (dstctx->propq == NULL) 1370 goto err; 1371 } 1372 1373 if (srcctx->sig != NULL) { 1374 dstctx->sig = OPENSSL_memdup(srcctx->sig, srcctx->siglen); 1375 if (dstctx->sig == NULL) 1376 goto err; 1377 } 1378 1379 return dstctx; 1380 err: 1381 rsa_freectx(dstctx); 1382 return NULL; 1383 } 1384 1385 static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) 1386 { 1387 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1388 OSSL_PARAM *p; 1389 1390 if (prsactx == NULL) 1391 return 0; 1392 1393 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID); 1394 if (p != NULL) { 1395 /* The Algorithm Identifier of the combined signature algorithm */ 1396 unsigned char aid_buf[128]; 1397 unsigned char *aid; 1398 size_t aid_len; 1399 1400 aid = rsa_generate_signature_aid(prsactx, aid_buf, 1401 sizeof(aid_buf), &aid_len); 1402 if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len)) 1403 return 0; 1404 } 1405 1406 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE); 1407 if (p != NULL) 1408 switch (p->data_type) { 1409 case OSSL_PARAM_INTEGER: 1410 if (!OSSL_PARAM_set_int(p, prsactx->pad_mode)) 1411 return 0; 1412 break; 1413 case OSSL_PARAM_UTF8_STRING: { 1414 int i; 1415 const char *word = NULL; 1416 1417 for (i = 0; padding_item[i].id != 0; i++) { 1418 if (prsactx->pad_mode == (int)padding_item[i].id) { 1419 word = padding_item[i].ptr; 1420 break; 1421 } 1422 } 1423 1424 if (word != NULL) { 1425 if (!OSSL_PARAM_set_utf8_string(p, word)) 1426 return 0; 1427 } else { 1428 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 1429 } 1430 } break; 1431 default: 1432 return 0; 1433 } 1434 1435 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST); 1436 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname)) 1437 return 0; 1438 1439 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); 1440 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname)) 1441 return 0; 1442 1443 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); 1444 if (p != NULL) { 1445 if (p->data_type == OSSL_PARAM_INTEGER) { 1446 if (!OSSL_PARAM_set_int(p, prsactx->saltlen)) 1447 return 0; 1448 } else if (p->data_type == OSSL_PARAM_UTF8_STRING) { 1449 const char *value = NULL; 1450 1451 switch (prsactx->saltlen) { 1452 case RSA_PSS_SALTLEN_DIGEST: 1453 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST; 1454 break; 1455 case RSA_PSS_SALTLEN_MAX: 1456 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX; 1457 break; 1458 case RSA_PSS_SALTLEN_AUTO: 1459 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; 1460 break; 1461 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: 1462 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX; 1463 break; 1464 default: { 1465 int len = BIO_snprintf(p->data, p->data_size, "%d", 1466 prsactx->saltlen); 1467 1468 if (len <= 0) 1469 return 0; 1470 p->return_size = len; 1471 break; 1472 } 1473 } 1474 if (value != NULL 1475 && !OSSL_PARAM_set_utf8_string(p, value)) 1476 return 0; 1477 } 1478 } 1479 1480 #ifdef FIPS_MODULE 1481 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE); 1482 if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message)) 1483 return 0; 1484 #endif 1485 1486 if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params)) 1487 return 0; 1488 return 1; 1489 } 1490 1491 static const OSSL_PARAM known_gettable_ctx_params[] = { 1492 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), 1493 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1494 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 1495 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1496 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1497 #ifdef FIPS_MODULE 1498 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL), 1499 #endif 1500 OSSL_FIPS_IND_GETTABLE_CTX_PARAM() 1501 OSSL_PARAM_END 1502 }; 1503 1504 static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, 1505 ossl_unused void *provctx) 1506 { 1507 return known_gettable_ctx_params; 1508 } 1509 1510 #ifdef FIPS_MODULE 1511 static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx) 1512 { 1513 if ((ctx->operation 1514 & (EVP_PKEY_OP_SIGNMSG | EVP_PKEY_OP_SIGN)) 1515 != 0) { 1516 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, 1517 ctx->libctx, 1518 "RSA Sign set ctx", "X931 Padding", 1519 ossl_fips_config_rsa_sign_x931_disallowed)) { 1520 ERR_raise(ERR_LIB_PROV, 1521 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 1522 return 0; 1523 } 1524 } 1525 return 1; 1526 } 1527 #endif 1528 1529 static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) 1530 { 1531 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1532 const OSSL_PARAM *p; 1533 int pad_mode; 1534 int saltlen; 1535 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; 1536 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; 1537 char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; 1538 char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL; 1539 1540 if (prsactx == NULL) 1541 return 0; 1542 if (ossl_param_is_empty(params)) 1543 return 1; 1544 1545 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params, 1546 OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)) 1547 return 0; 1548 1549 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params, 1550 OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)) 1551 return 0; 1552 1553 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, params, 1554 OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)) 1555 return 0; 1556 1557 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, params, 1558 OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)) 1559 return 0; 1560 1561 pad_mode = prsactx->pad_mode; 1562 saltlen = prsactx->saltlen; 1563 1564 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); 1565 if (p != NULL) { 1566 const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params, 1567 OSSL_SIGNATURE_PARAM_PROPERTIES); 1568 1569 pmdname = mdname; 1570 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname))) 1571 return 0; 1572 1573 if (propsp != NULL) { 1574 pmdprops = mdprops; 1575 if (!OSSL_PARAM_get_utf8_string(propsp, 1576 &pmdprops, sizeof(mdprops))) 1577 return 0; 1578 } 1579 } 1580 1581 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE); 1582 if (p != NULL) { 1583 const char *err_extra_text = NULL; 1584 1585 switch (p->data_type) { 1586 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ 1587 if (!OSSL_PARAM_get_int(p, &pad_mode)) 1588 return 0; 1589 break; 1590 case OSSL_PARAM_UTF8_STRING: { 1591 int i; 1592 1593 if (p->data == NULL) 1594 return 0; 1595 1596 for (i = 0; padding_item[i].id != 0; i++) { 1597 if (strcmp(p->data, padding_item[i].ptr) == 0) { 1598 pad_mode = padding_item[i].id; 1599 break; 1600 } 1601 } 1602 } break; 1603 default: 1604 return 0; 1605 } 1606 1607 switch (pad_mode) { 1608 case RSA_PKCS1_OAEP_PADDING: 1609 /* 1610 * OAEP padding is for asymmetric cipher only so is not compatible 1611 * with signature use. 1612 */ 1613 err_extra_text = "OAEP padding not allowed for signing / verifying"; 1614 goto bad_pad; 1615 case RSA_PKCS1_PSS_PADDING: 1616 if ((prsactx->operation 1617 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG 1618 | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) 1619 == 0) { 1620 err_extra_text = "PSS padding only allowed for sign and verify operations"; 1621 goto bad_pad; 1622 } 1623 break; 1624 case RSA_PKCS1_PADDING: 1625 err_extra_text = "PKCS#1 padding not allowed with RSA-PSS"; 1626 goto cont; 1627 case RSA_NO_PADDING: 1628 err_extra_text = "No padding not allowed with RSA-PSS"; 1629 goto cont; 1630 case RSA_X931_PADDING: 1631 #ifdef FIPS_MODULE 1632 /* X9.31 only allows sizes of 1024 + 256 * s (bits) */ 1633 if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) { 1634 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 1635 return 0; 1636 } 1637 /* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */ 1638 if (!rsa_x931_padding_allowed(prsactx)) 1639 return 0; 1640 #endif 1641 err_extra_text = "X.931 padding not allowed with RSA-PSS"; 1642 cont: 1643 if (RSA_test_flags(prsactx->rsa, 1644 RSA_FLAG_TYPE_MASK) 1645 == RSA_FLAG_TYPE_RSA) 1646 break; 1647 /* FALLTHRU */ 1648 default: 1649 bad_pad: 1650 if (err_extra_text == NULL) 1651 ERR_raise(ERR_LIB_PROV, 1652 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 1653 else 1654 ERR_raise_data(ERR_LIB_PROV, 1655 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE, 1656 err_extra_text); 1657 return 0; 1658 } 1659 } 1660 1661 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); 1662 if (p != NULL) { 1663 if (pad_mode != RSA_PKCS1_PSS_PADDING) { 1664 ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED, 1665 "PSS saltlen can only be specified if " 1666 "PSS padding has been specified first"); 1667 return 0; 1668 } 1669 1670 switch (p->data_type) { 1671 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */ 1672 if (!OSSL_PARAM_get_int(p, &saltlen)) 1673 return 0; 1674 break; 1675 case OSSL_PARAM_UTF8_STRING: 1676 if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0) 1677 saltlen = RSA_PSS_SALTLEN_DIGEST; 1678 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0) 1679 saltlen = RSA_PSS_SALTLEN_MAX; 1680 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) 1681 saltlen = RSA_PSS_SALTLEN_AUTO; 1682 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0) 1683 saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; 1684 else 1685 saltlen = atoi(p->data); 1686 break; 1687 default: 1688 return 0; 1689 } 1690 1691 /* 1692 * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check. 1693 * Contrary to what it's name suggests, it's the currently lowest 1694 * saltlen number possible. 1695 */ 1696 if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { 1697 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); 1698 return 0; 1699 } 1700 1701 if (rsa_pss_restricted(prsactx)) { 1702 switch (saltlen) { 1703 case RSA_PSS_SALTLEN_AUTO: 1704 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: 1705 if ((prsactx->operation 1706 & (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) 1707 == 0) { 1708 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, 1709 "Cannot use autodetected salt length"); 1710 return 0; 1711 } 1712 break; 1713 case RSA_PSS_SALTLEN_DIGEST: 1714 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) { 1715 ERR_raise_data(ERR_LIB_PROV, 1716 PROV_R_PSS_SALTLEN_TOO_SMALL, 1717 "Should be more than %d, but would be " 1718 "set to match digest size (%d)", 1719 prsactx->min_saltlen, 1720 EVP_MD_get_size(prsactx->md)); 1721 return 0; 1722 } 1723 break; 1724 default: 1725 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) { 1726 ERR_raise_data(ERR_LIB_PROV, 1727 PROV_R_PSS_SALTLEN_TOO_SMALL, 1728 "Should be more than %d, " 1729 "but would be set to %d", 1730 prsactx->min_saltlen, saltlen); 1731 return 0; 1732 } 1733 } 1734 } 1735 } 1736 1737 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); 1738 if (p != NULL) { 1739 const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params, 1740 OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES); 1741 1742 pmgf1mdname = mgf1mdname; 1743 if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname))) 1744 return 0; 1745 1746 if (propsp != NULL) { 1747 pmgf1mdprops = mgf1mdprops; 1748 if (!OSSL_PARAM_get_utf8_string(propsp, 1749 &pmgf1mdprops, sizeof(mgf1mdprops))) 1750 return 0; 1751 } 1752 1753 if (pad_mode != RSA_PKCS1_PSS_PADDING) { 1754 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD); 1755 return 0; 1756 } 1757 } 1758 1759 prsactx->saltlen = saltlen; 1760 prsactx->pad_mode = pad_mode; 1761 1762 if (prsactx->md == NULL && pmdname == NULL 1763 && pad_mode == RSA_PKCS1_PSS_PADDING) 1764 pmdname = RSA_DEFAULT_DIGEST_NAME; 1765 1766 if (pmgf1mdname != NULL 1767 && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) 1768 return 0; 1769 1770 if (pmdname != NULL) { 1771 if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx")) 1772 return 0; 1773 } else { 1774 if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid)) 1775 return 0; 1776 } 1777 return 1; 1778 } 1779 1780 static const OSSL_PARAM settable_ctx_params[] = { 1781 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), 1782 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), 1783 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1784 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1785 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), 1786 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1787 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) 1788 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) 1789 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK) 1790 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) 1791 OSSL_PARAM_END 1792 }; 1793 1794 static const OSSL_PARAM settable_ctx_params_no_digest[] = { 1795 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0), 1796 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), 1797 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0), 1798 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 1799 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) 1800 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) 1801 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK) 1802 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) 1803 OSSL_PARAM_END 1804 }; 1805 1806 static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx, 1807 ossl_unused void *provctx) 1808 { 1809 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1810 1811 if (prsactx != NULL && !prsactx->flag_allow_md) 1812 return settable_ctx_params_no_digest; 1813 return settable_ctx_params; 1814 } 1815 1816 static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params) 1817 { 1818 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1819 1820 if (prsactx->mdctx == NULL) 1821 return 0; 1822 1823 return EVP_MD_CTX_get_params(prsactx->mdctx, params); 1824 } 1825 1826 static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx) 1827 { 1828 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1829 1830 if (prsactx->md == NULL) 1831 return 0; 1832 1833 return EVP_MD_gettable_ctx_params(prsactx->md); 1834 } 1835 1836 static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[]) 1837 { 1838 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1839 1840 if (prsactx->mdctx == NULL) 1841 return 0; 1842 1843 return EVP_MD_CTX_set_params(prsactx->mdctx, params); 1844 } 1845 1846 static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) 1847 { 1848 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1849 1850 if (prsactx->md == NULL) 1851 return 0; 1852 1853 return EVP_MD_settable_ctx_params(prsactx->md); 1854 } 1855 1856 const OSSL_DISPATCH ossl_rsa_signature_functions[] = { 1857 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, 1858 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, 1859 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, 1860 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init }, 1861 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify }, 1862 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, 1863 (void (*)(void))rsa_verify_recover_init }, 1864 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, 1865 (void (*)(void))rsa_verify_recover }, 1866 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, 1867 (void (*)(void))rsa_digest_sign_init }, 1868 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, 1869 (void (*)(void))rsa_digest_sign_update }, 1870 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, 1871 (void (*)(void))rsa_digest_sign_final }, 1872 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, 1873 (void (*)(void))rsa_digest_verify_init }, 1874 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, 1875 (void (*)(void))rsa_digest_verify_update }, 1876 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, 1877 (void (*)(void))rsa_digest_verify_final }, 1878 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, 1879 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, 1880 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params }, 1881 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, 1882 (void (*)(void))rsa_gettable_ctx_params }, 1883 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params }, 1884 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, 1885 (void (*)(void))rsa_settable_ctx_params }, 1886 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, 1887 (void (*)(void))rsa_get_ctx_md_params }, 1888 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, 1889 (void (*)(void))rsa_gettable_ctx_md_params }, 1890 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, 1891 (void (*)(void))rsa_set_ctx_md_params }, 1892 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, 1893 (void (*)(void))rsa_settable_ctx_md_params }, 1894 OSSL_DISPATCH_END 1895 }; 1896 1897 /* ------------------------------------------------------------------ */ 1898 1899 /* 1900 * So called sigalgs (composite RSA+hash) implemented below. They 1901 * are pretty much hard coded, and rely on the hash implementation 1902 * being available as per what OPENSSL_NO_ macros allow. 1903 */ 1904 1905 static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; 1906 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params; 1907 static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params; 1908 1909 /* 1910 * rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(), 1911 * just doesn't allow fetching an MD from whatever the user chooses. 1912 */ 1913 static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa, 1914 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params, 1915 const OSSL_PARAM params[], 1916 const char *mdname, 1917 int operation, int pad_mode, 1918 const char *desc) 1919 { 1920 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1921 1922 if (!ossl_prov_is_running()) 1923 return 0; 1924 1925 if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation, 1926 desc)) 1927 return 0; 1928 1929 /* PSS is currently not supported as a sigalg */ 1930 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { 1931 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 1932 return 0; 1933 } 1934 1935 if (!rsa_setup_md(prsactx, mdname, NULL, desc)) 1936 return 0; 1937 1938 prsactx->pad_mode = pad_mode; 1939 prsactx->flag_sigalg = 1; 1940 prsactx->flag_allow_md = 0; 1941 1942 if (prsactx->mdctx == NULL) { 1943 prsactx->mdctx = EVP_MD_CTX_new(); 1944 if (prsactx->mdctx == NULL) 1945 goto error; 1946 } 1947 1948 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) 1949 goto error; 1950 1951 return 1; 1952 1953 error: 1954 EVP_MD_CTX_free(prsactx->mdctx); 1955 prsactx->mdctx = NULL; 1956 return 0; 1957 } 1958 1959 static const char **rsa_sigalg_query_key_types(void) 1960 { 1961 static const char *keytypes[] = { "RSA", NULL }; 1962 1963 return keytypes; 1964 } 1965 1966 static const OSSL_PARAM settable_sigalg_ctx_params[] = { 1967 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0), 1968 OSSL_PARAM_END 1969 }; 1970 1971 static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx, 1972 ossl_unused void *provctx) 1973 { 1974 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1975 1976 if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG) 1977 return settable_sigalg_ctx_params; 1978 return NULL; 1979 } 1980 1981 static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) 1982 { 1983 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; 1984 const OSSL_PARAM *p; 1985 1986 if (prsactx == NULL) 1987 return 0; 1988 if (ossl_param_is_empty(params)) 1989 return 1; 1990 1991 if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) { 1992 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE); 1993 if (p != NULL) { 1994 OPENSSL_free(prsactx->sig); 1995 prsactx->sig = NULL; 1996 prsactx->siglen = 0; 1997 if (!OSSL_PARAM_get_octet_string(p, (void **)&prsactx->sig, 1998 0, &prsactx->siglen)) 1999 return 0; 2000 } 2001 } 2002 return 1; 2003 } 2004 2005 #define IMPL_RSA_SIGALG(md, MD) \ 2006 static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \ 2007 static OSSL_FUNC_signature_sign_message_init_fn \ 2008 rsa_##md##_sign_message_init; \ 2009 static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \ 2010 static OSSL_FUNC_signature_verify_message_init_fn \ 2011 rsa_##md##_verify_message_init; \ 2012 \ 2013 static int \ 2014 rsa_##md##_sign_init(void *vprsactx, void *vrsa, \ 2015 const OSSL_PARAM params[]) \ 2016 { \ 2017 static const char desc[] = "RSA Sigalg Sign Init"; \ 2018 \ 2019 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2020 rsa_sigalg_set_ctx_params, \ 2021 params, #MD, \ 2022 EVP_PKEY_OP_SIGN, \ 2023 RSA_PKCS1_PADDING, \ 2024 desc); \ 2025 } \ 2026 \ 2027 static int \ 2028 rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \ 2029 const OSSL_PARAM params[]) \ 2030 { \ 2031 static const char desc[] = "RSA Sigalg Sign Message Init"; \ 2032 \ 2033 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2034 rsa_sigalg_set_ctx_params, \ 2035 params, #MD, \ 2036 EVP_PKEY_OP_SIGNMSG, \ 2037 RSA_PKCS1_PADDING, \ 2038 desc); \ 2039 } \ 2040 \ 2041 static int \ 2042 rsa_##md##_verify_init(void *vprsactx, void *vrsa, \ 2043 const OSSL_PARAM params[]) \ 2044 { \ 2045 static const char desc[] = "RSA Sigalg Verify Init"; \ 2046 \ 2047 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2048 rsa_sigalg_set_ctx_params, \ 2049 params, #MD, \ 2050 EVP_PKEY_OP_VERIFY, \ 2051 RSA_PKCS1_PADDING, \ 2052 desc); \ 2053 } \ 2054 \ 2055 static int \ 2056 rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \ 2057 const OSSL_PARAM params[]) \ 2058 { \ 2059 static const char desc[] = "RSA Sigalg Verify Recover Init"; \ 2060 \ 2061 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2062 rsa_sigalg_set_ctx_params, \ 2063 params, #MD, \ 2064 EVP_PKEY_OP_VERIFYRECOVER, \ 2065 RSA_PKCS1_PADDING, \ 2066 desc); \ 2067 } \ 2068 \ 2069 static int \ 2070 rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \ 2071 const OSSL_PARAM params[]) \ 2072 { \ 2073 static const char desc[] = "RSA Sigalg Verify Message Init"; \ 2074 \ 2075 return rsa_sigalg_signverify_init(vprsactx, vrsa, \ 2076 rsa_sigalg_set_ctx_params, \ 2077 params, #MD, \ 2078 EVP_PKEY_OP_VERIFYMSG, \ 2079 RSA_PKCS1_PADDING, \ 2080 desc); \ 2081 } \ 2082 \ 2083 const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \ 2084 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \ 2085 { OSSL_FUNC_SIGNATURE_SIGN_INIT, \ 2086 (void (*)(void))rsa_##md##_sign_init }, \ 2087 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \ 2088 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \ 2089 (void (*)(void))rsa_##md##_sign_message_init }, \ 2090 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \ 2091 (void (*)(void))rsa_signverify_message_update }, \ 2092 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \ 2093 (void (*)(void))rsa_sign_message_final }, \ 2094 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \ 2095 (void (*)(void))rsa_##md##_verify_init }, \ 2096 { OSSL_FUNC_SIGNATURE_VERIFY, \ 2097 (void (*)(void))rsa_verify }, \ 2098 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \ 2099 (void (*)(void))rsa_##md##_verify_message_init }, \ 2100 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \ 2101 (void (*)(void))rsa_signverify_message_update }, \ 2102 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \ 2103 (void (*)(void))rsa_verify_message_final }, \ 2104 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \ 2105 (void (*)(void))rsa_##md##_verify_recover_init }, \ 2106 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \ 2107 (void (*)(void))rsa_verify_recover }, \ 2108 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \ 2109 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \ 2110 { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \ 2111 (void (*)(void))rsa_sigalg_query_key_types }, \ 2112 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \ 2113 (void (*)(void))rsa_get_ctx_params }, \ 2114 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \ 2115 (void (*)(void))rsa_gettable_ctx_params }, \ 2116 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \ 2117 (void (*)(void))rsa_sigalg_set_ctx_params }, \ 2118 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \ 2119 (void (*)(void))rsa_sigalg_settable_ctx_params }, \ 2120 OSSL_DISPATCH_END \ 2121 } 2122 2123 /* clang-format off */ 2124 #if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE) 2125 IMPL_RSA_SIGALG(ripemd160, RIPEMD160); 2126 #endif 2127 IMPL_RSA_SIGALG(sha1, SHA1); 2128 IMPL_RSA_SIGALG(sha224, SHA2-224); 2129 IMPL_RSA_SIGALG(sha256, SHA2-256); 2130 IMPL_RSA_SIGALG(sha384, SHA2-384); 2131 IMPL_RSA_SIGALG(sha512, SHA2-512); 2132 IMPL_RSA_SIGALG(sha512_224, SHA2-512/224); 2133 IMPL_RSA_SIGALG(sha512_256, SHA2-512/256); 2134 IMPL_RSA_SIGALG(sha3_224, SHA3-224); 2135 IMPL_RSA_SIGALG(sha3_256, SHA3-256); 2136 IMPL_RSA_SIGALG(sha3_384, SHA3-384); 2137 IMPL_RSA_SIGALG(sha3_512, SHA3-512); 2138 #if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE) 2139 IMPL_RSA_SIGALG(sm3, SM3); 2140 #endif 2141 /* clang-format on */ 2142