1 /*
2 * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <string.h>
17 #include <openssl/crypto.h>
18 #include <openssl/core_dispatch.h>
19 #include <openssl/core_names.h>
20 #include <openssl/err.h>
21 #include <openssl/obj_mac.h>
22 #include <openssl/rsa.h>
23 #include <openssl/params.h>
24 #include <openssl/evp.h>
25 #include <openssl/proverr.h>
26 #include "internal/cryptlib.h"
27 #include "internal/nelem.h"
28 #include "internal/sizes.h"
29 #include "crypto/rsa.h"
30 #include "prov/providercommon.h"
31 #include "prov/implementations.h"
32 #include "prov/provider_ctx.h"
33 #include "prov/der_rsa.h"
34 #include "prov/securitycheck.h"
35
36 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
37
38 static OSSL_FUNC_signature_newctx_fn rsa_newctx;
39 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
40 static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
41 static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
42 static OSSL_FUNC_signature_sign_fn rsa_sign;
43 static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update;
44 static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final;
45 static OSSL_FUNC_signature_verify_fn rsa_verify;
46 static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;
47 static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update;
48 static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final;
49 static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;
50 static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update;
51 static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
52 static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
53 static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update;
54 static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
55 static OSSL_FUNC_signature_freectx_fn rsa_freectx;
56 static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
57 static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
58 static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
59 static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
60 static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;
61 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;
62 static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;
63 static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;
64 static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;
65 static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;
66 static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;
67 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;
68
69 static OSSL_ITEM padding_item[] = {
70 { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },
71 { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE },
72 { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 },
73 { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS },
74 { 0, NULL }
75 };
76
77 /*
78 * What's passed as an actual key is defined by the KEYMGMT interface.
79 * We happen to know that our KEYMGMT simply passes RSA structures, so
80 * we use that here too.
81 */
82
83 typedef struct {
84 OSSL_LIB_CTX *libctx;
85 char *propq;
86 RSA *rsa;
87 int operation;
88
89 /*
90 * Flag to determine if a full sigalg is run (1) or if a composable
91 * signature algorithm is run (0).
92 *
93 * When a full sigalg is run (1), this currently affects the following
94 * other flags, which are to remain untouched after their initialization:
95 *
96 * - flag_allow_md (initialized to 0)
97 */
98 unsigned int flag_sigalg : 1;
99 /*
100 * Flag to determine if the hash function can be changed (1) or not (0)
101 * Because it's dangerous to change during a DigestSign or DigestVerify
102 * operation, this flag is cleared by their Init function, and set again
103 * by their Final function.
104 * Implementations of full sigalgs (such as RSA-SHA256) hard-code this
105 * flag to not allow changes (0).
106 */
107 unsigned int flag_allow_md : 1;
108 unsigned int mgf1_md_set : 1;
109 /*
110 * Flags to say what are the possible next external calls in what
111 * consitutes the life cycle of an algorithm. The relevant calls are:
112 * - init
113 * - update
114 * - final
115 * - oneshot
116 * All other external calls are regarded as utilitarian and are allowed
117 * at any time (they may be affected by other flags, like flag_allow_md,
118 * though).
119 */
120 unsigned int flag_allow_update : 1;
121 unsigned int flag_allow_final : 1;
122 unsigned int flag_allow_oneshot : 1;
123
124 /* main digest */
125 EVP_MD *md;
126 EVP_MD_CTX *mdctx;
127 int mdnid;
128 char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
129
130 /* RSA padding mode */
131 int pad_mode;
132 /* message digest for MGF1 */
133 EVP_MD *mgf1_md;
134 int mgf1_mdnid;
135 char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
136 /* PSS salt length */
137 int saltlen;
138 /* Minimum salt length or -1 if no PSS parameter restriction */
139 int min_saltlen;
140
141 /* Signature, for verification */
142 unsigned char *sig;
143 size_t siglen;
144
145 #ifdef FIPS_MODULE
146 /*
147 * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a
148 * message is not permitted. However, signing based on a digest is still
149 * permitted.
150 */
151 int verify_message;
152 #endif
153
154 /* Temp buffer */
155 unsigned char *tbuf;
156
157 OSSL_FIPS_IND_DECLARE
158 } PROV_RSA_CTX;
159
160 /* True if PSS parameters are restricted */
161 #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)
162
rsa_get_md_size(const PROV_RSA_CTX * prsactx)163 static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)
164 {
165 int md_size;
166
167 if (prsactx->md != NULL) {
168 md_size = EVP_MD_get_size(prsactx->md);
169 if (md_size <= 0)
170 return 0;
171 return md_size;
172 }
173 return 0;
174 }
175
rsa_check_padding(const PROV_RSA_CTX * prsactx,const char * mdname,const char * mgf1_mdname,int mdnid)176 static int rsa_check_padding(const PROV_RSA_CTX *prsactx,
177 const char *mdname, const char *mgf1_mdname,
178 int mdnid)
179 {
180 switch (prsactx->pad_mode) {
181 case RSA_NO_PADDING:
182 if (mdname != NULL || mdnid != NID_undef) {
183 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
184 return 0;
185 }
186 break;
187 case RSA_X931_PADDING:
188 if (RSA_X931_hash_id(mdnid) == -1) {
189 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);
190 return 0;
191 }
192 break;
193 case RSA_PKCS1_PSS_PADDING:
194 if (rsa_pss_restricted(prsactx))
195 if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname))
196 || (mgf1_mdname != NULL
197 && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) {
198 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
199 return 0;
200 }
201 break;
202 default:
203 break;
204 }
205
206 return 1;
207 }
208
rsa_check_parameters(PROV_RSA_CTX * prsactx,int min_saltlen)209 static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
210 {
211 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
212 int max_saltlen;
213
214 /* See if minimum salt length exceeds maximum possible */
215 max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md);
216 if ((RSA_bits(prsactx->rsa) & 0x7) == 1)
217 max_saltlen--;
218 if (min_saltlen < 0 || min_saltlen > max_saltlen) {
219 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
220 return 0;
221 }
222 prsactx->min_saltlen = min_saltlen;
223 }
224 return 1;
225 }
226
rsa_newctx(void * provctx,const char * propq)227 static void *rsa_newctx(void *provctx, const char *propq)
228 {
229 PROV_RSA_CTX *prsactx = NULL;
230 char *propq_copy = NULL;
231
232 if (!ossl_prov_is_running())
233 return NULL;
234
235 if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL
236 || (propq != NULL
237 && (propq_copy = OPENSSL_strdup(propq)) == NULL)) {
238 OPENSSL_free(prsactx);
239 return NULL;
240 }
241
242 OSSL_FIPS_IND_INIT(prsactx)
243 prsactx->libctx = PROV_LIBCTX_OF(provctx);
244 prsactx->flag_allow_md = 1;
245 #ifdef FIPS_MODULE
246 prsactx->verify_message = 1;
247 #endif
248 prsactx->propq = propq_copy;
249 /* Maximum up to digest length for sign, auto for verify */
250 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
251 prsactx->min_saltlen = -1;
252 return prsactx;
253 }
254
rsa_pss_compute_saltlen(PROV_RSA_CTX * ctx)255 static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
256 {
257 int saltlen = ctx->saltlen;
258 int saltlenMax = -1;
259
260 /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
261 * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
262 * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
263 * the hash function output block (in bytes)."
264 *
265 * Provide a way to use at most the digest length, so that the default does
266 * not violate FIPS 186-4. */
267 if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
268 if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) {
269 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
270 return -1;
271 }
272 } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
273 saltlen = RSA_PSS_SALTLEN_MAX;
274 if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) {
275 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
276 return -1;
277 }
278 }
279 if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
280 int mdsize, rsasize;
281
282 if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) {
283 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
284 return -1;
285 }
286 if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) {
287 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
288 return -1;
289 }
290 saltlen = rsasize - mdsize - 2;
291 if ((RSA_bits(ctx->rsa) & 0x7) == 1)
292 saltlen--;
293 if (saltlenMax >= 0 && saltlen > saltlenMax)
294 saltlen = saltlenMax;
295 }
296 if (saltlen < 0) {
297 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
298 return -1;
299 } else if (saltlen < ctx->min_saltlen) {
300 ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL,
301 "minimum salt length: %d, actual salt length: %d",
302 ctx->min_saltlen, saltlen);
303 return -1;
304 }
305 return saltlen;
306 }
307
rsa_generate_signature_aid(PROV_RSA_CTX * ctx,unsigned char * aid_buf,size_t buf_len,size_t * aid_len)308 static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx,
309 unsigned char *aid_buf,
310 size_t buf_len,
311 size_t *aid_len)
312 {
313 WPACKET pkt;
314 unsigned char *aid = NULL;
315 int saltlen;
316 RSA_PSS_PARAMS_30 pss_params;
317 int ret;
318
319 if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) {
320 ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB);
321 return NULL;
322 }
323
324 switch (ctx->pad_mode) {
325 case RSA_PKCS1_PADDING:
326 ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1,
327 ctx->mdnid);
328
329 if (ret > 0) {
330 break;
331 } else if (ret == 0) {
332 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
333 goto cleanup;
334 }
335 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
336 "Algorithm ID generation - md NID: %d",
337 ctx->mdnid);
338 goto cleanup;
339 case RSA_PKCS1_PSS_PADDING:
340 saltlen = rsa_pss_compute_saltlen(ctx);
341 if (saltlen < 0)
342 goto cleanup;
343 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
344 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid)
345 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
346 ctx->mgf1_mdnid)
347 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
348 || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1,
349 RSA_FLAG_TYPE_RSASSAPSS,
350 &pss_params)) {
351 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
352 goto cleanup;
353 }
354 break;
355 default:
356 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
357 "Algorithm ID generation - pad mode: %d",
358 ctx->pad_mode);
359 goto cleanup;
360 }
361 if (WPACKET_finish(&pkt)) {
362 WPACKET_get_total_written(&pkt, aid_len);
363 aid = WPACKET_get_curr(&pkt);
364 }
365 cleanup:
366 WPACKET_cleanup(&pkt);
367 return aid;
368 }
369
rsa_setup_md(PROV_RSA_CTX * ctx,const char * mdname,const char * mdprops,const char * desc)370 static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
371 const char *mdprops, const char *desc)
372 {
373 EVP_MD *md = NULL;
374
375 if (mdprops == NULL)
376 mdprops = ctx->propq;
377
378 if (mdname != NULL) {
379 int md_nid;
380 size_t mdname_len = strlen(mdname);
381
382 md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
383
384 if (md == NULL) {
385 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
386 "%s could not be fetched", mdname);
387 goto err;
388 }
389 md_nid = ossl_digest_rsa_sign_get_md_nid(md);
390 if (md_nid == NID_undef) {
391 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
392 "digest=%s", mdname);
393 goto err;
394 }
395 /*
396 * XOF digests are not allowed except for RSA PSS.
397 * We don't support XOF digests with RSA PSS (yet), so just fail.
398 * When we do support them, uncomment the second clause.
399 */
400 if (EVP_MD_xof(md)
401 /* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) {
402 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
403 goto err;
404 }
405 #ifdef FIPS_MODULE
406 {
407 int sha1_allowed
408 = ((ctx->operation
409 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
410
411 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
412 OSSL_FIPS_IND_SETTABLE1,
413 ctx->libctx,
414 md_nid, sha1_allowed, desc,
415 ossl_fips_config_signature_digest_check))
416 goto err;
417 }
418 #endif
419
420 if (!rsa_check_padding(ctx, mdname, NULL, md_nid))
421 goto err;
422 if (mdname_len >= sizeof(ctx->mdname)) {
423 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
424 "%s exceeds name buffer length", mdname);
425 goto err;
426 }
427
428 if (!ctx->flag_allow_md) {
429 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
430 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
431 "digest %s != %s", mdname, ctx->mdname);
432 goto err;
433 }
434 EVP_MD_free(md);
435 return 1;
436 }
437
438 if (!ctx->mgf1_md_set) {
439 if (!EVP_MD_up_ref(md)) {
440 goto err;
441 }
442 EVP_MD_free(ctx->mgf1_md);
443 ctx->mgf1_md = md;
444 ctx->mgf1_mdnid = md_nid;
445 OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
446 }
447
448 EVP_MD_CTX_free(ctx->mdctx);
449 EVP_MD_free(ctx->md);
450
451 ctx->mdctx = NULL;
452 ctx->md = md;
453 ctx->mdnid = md_nid;
454 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
455 }
456
457 return 1;
458 err:
459 EVP_MD_free(md);
460 return 0;
461 }
462
rsa_setup_mgf1_md(PROV_RSA_CTX * ctx,const char * mdname,const char * mdprops)463 static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
464 const char *mdprops)
465 {
466 size_t len;
467 EVP_MD *md = NULL;
468 int mdnid;
469
470 if (mdprops == NULL)
471 mdprops = ctx->propq;
472
473 if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) {
474 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
475 "%s could not be fetched", mdname);
476 return 0;
477 }
478 /* The default for mgf1 is SHA1 - so allow SHA1 */
479 if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0
480 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
481 if (mdnid <= 0)
482 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
483 "digest=%s", mdname);
484 EVP_MD_free(md);
485 return 0;
486 }
487 len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
488 if (len >= sizeof(ctx->mgf1_mdname)) {
489 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
490 "%s exceeds name buffer length", mdname);
491 EVP_MD_free(md);
492 return 0;
493 }
494
495 EVP_MD_free(ctx->mgf1_md);
496 ctx->mgf1_md = md;
497 ctx->mgf1_mdnid = mdnid;
498 ctx->mgf1_md_set = 1;
499 return 1;
500 }
501
502 static int
rsa_signverify_init(PROV_RSA_CTX * prsactx,void * vrsa,OSSL_FUNC_signature_set_ctx_params_fn * set_ctx_params,const OSSL_PARAM params[],int operation,const char * desc)503 rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa,
504 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
505 const OSSL_PARAM params[], int operation,
506 const char *desc)
507 {
508 int protect;
509
510 if (!ossl_prov_is_running() || prsactx == NULL)
511 return 0;
512
513 if (vrsa == NULL && prsactx->rsa == NULL) {
514 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
515 return 0;
516 }
517
518 if (vrsa != NULL) {
519 if (!RSA_up_ref(vrsa))
520 return 0;
521 RSA_free(prsactx->rsa);
522 prsactx->rsa = vrsa;
523 }
524 if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect))
525 return 0;
526
527 prsactx->operation = operation;
528 prsactx->flag_allow_update = 1;
529 prsactx->flag_allow_final = 1;
530 prsactx->flag_allow_oneshot = 1;
531
532 /* Maximize up to digest length for sign, auto for verify */
533 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
534 prsactx->min_saltlen = -1;
535
536 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
537 case RSA_FLAG_TYPE_RSA:
538 prsactx->pad_mode = RSA_PKCS1_PADDING;
539 break;
540 case RSA_FLAG_TYPE_RSASSAPSS:
541 prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;
542
543 {
544 const RSA_PSS_PARAMS_30 *pss =
545 ossl_rsa_get0_pss_params_30(prsactx->rsa);
546
547 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {
548 int md_nid = ossl_rsa_pss_params_30_hashalg(pss);
549 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
550 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss);
551 const char *mdname, *mgf1mdname;
552 size_t len;
553
554 mdname = ossl_rsa_oaeppss_nid2name(md_nid);
555 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid);
556
557 if (mdname == NULL) {
558 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
559 "PSS restrictions lack hash algorithm");
560 return 0;
561 }
562 if (mgf1mdname == NULL) {
563 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
564 "PSS restrictions lack MGF1 hash algorithm");
565 return 0;
566 }
567
568 len = OPENSSL_strlcpy(prsactx->mdname, mdname,
569 sizeof(prsactx->mdname));
570 if (len >= sizeof(prsactx->mdname)) {
571 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
572 "hash algorithm name too long");
573 return 0;
574 }
575 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,
576 sizeof(prsactx->mgf1_mdname));
577 if (len >= sizeof(prsactx->mgf1_mdname)) {
578 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
579 "MGF1 hash algorithm name too long");
580 return 0;
581 }
582 prsactx->saltlen = min_saltlen;
583
584 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */
585 if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq)
586 || !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)
587 || !rsa_check_parameters(prsactx, min_saltlen))
588 return 0;
589 }
590 }
591
592 break;
593 default:
594 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
595 return 0;
596 }
597
598 OSSL_FIPS_IND_SET_APPROVED(prsactx)
599 if (!set_ctx_params(prsactx, params))
600 return 0;
601 #ifdef FIPS_MODULE
602 if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),
603 OSSL_FIPS_IND_SETTABLE0, prsactx->libctx,
604 prsactx->rsa, desc, protect))
605 return 0;
606 #endif
607 return 1;
608 }
609
setup_tbuf(PROV_RSA_CTX * ctx)610 static int setup_tbuf(PROV_RSA_CTX *ctx)
611 {
612 if (ctx->tbuf != NULL)
613 return 1;
614 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL)
615 return 0;
616 return 1;
617 }
618
clean_tbuf(PROV_RSA_CTX * ctx)619 static void clean_tbuf(PROV_RSA_CTX *ctx)
620 {
621 if (ctx->tbuf != NULL)
622 OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa));
623 }
624
free_tbuf(PROV_RSA_CTX * ctx)625 static void free_tbuf(PROV_RSA_CTX *ctx)
626 {
627 clean_tbuf(ctx);
628 OPENSSL_free(ctx->tbuf);
629 ctx->tbuf = NULL;
630 }
631
632 #ifdef FIPS_MODULE
rsa_pss_saltlen_check_passed(PROV_RSA_CTX * ctx,const char * algoname,int saltlen)633 static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen)
634 {
635 int mdsize = rsa_get_md_size(ctx);
636 /*
637 * Perform the check if the salt length is compliant to FIPS 186-5.
638 *
639 * According to FIPS 186-5 5.4 (g), the salt length shall be between zero
640 * and the output block length of the digest function (inclusive).
641 */
642 int approved = (saltlen >= 0 && saltlen <= mdsize);
643
644 if (!approved) {
645 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,
646 ctx->libctx,
647 algoname, "PSS Salt Length",
648 ossl_fips_config_rsa_pss_saltlen_check)) {
649 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
650 return 0;
651 }
652 }
653
654 return 1;
655 }
656 #endif
657
rsa_sign_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])658 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
659 {
660 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
661
662 #ifdef FIPS_MODULE
663 if (prsactx != NULL)
664 prsactx->verify_message = 1;
665 #endif
666
667 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
668 EVP_PKEY_OP_SIGN, "RSA Sign Init");
669 }
670
671 /*
672 * Sign tbs without digesting it first. This is suitable for "primitive"
673 * signing and signing the digest of a message, i.e. should be used with
674 * implementations of the keytype related algorithms.
675 */
rsa_sign_directly(PROV_RSA_CTX * prsactx,unsigned char * sig,size_t * siglen,size_t sigsize,const unsigned char * tbs,size_t tbslen)676 static int rsa_sign_directly(PROV_RSA_CTX *prsactx,
677 unsigned char *sig, size_t *siglen, size_t sigsize,
678 const unsigned char *tbs, size_t tbslen)
679 {
680 int ret;
681 size_t rsasize = RSA_size(prsactx->rsa);
682 size_t mdsize = rsa_get_md_size(prsactx);
683
684 if (!ossl_prov_is_running())
685 return 0;
686
687 if (sig == NULL) {
688 *siglen = rsasize;
689 return 1;
690 }
691
692 if (sigsize < rsasize) {
693 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,
694 "is %zu, should be at least %zu", sigsize, rsasize);
695 return 0;
696 }
697
698 if (mdsize != 0) {
699 if (tbslen != mdsize) {
700 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
701 return 0;
702 }
703
704 #ifndef FIPS_MODULE
705 if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {
706 unsigned int sltmp;
707
708 if (prsactx->pad_mode != RSA_PKCS1_PADDING) {
709 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
710 "only PKCS#1 padding supported with MDC2");
711 return 0;
712 }
713 ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,
714 prsactx->rsa);
715
716 if (ret <= 0) {
717 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
718 return 0;
719 }
720 ret = sltmp;
721 goto end;
722 }
723 #endif
724 switch (prsactx->pad_mode) {
725 case RSA_X931_PADDING:
726 if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {
727 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,
728 "RSA key size = %d, expected minimum = %d",
729 RSA_size(prsactx->rsa), tbslen + 1);
730 return 0;
731 }
732 if (!setup_tbuf(prsactx)) {
733 ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB);
734 return 0;
735 }
736 memcpy(prsactx->tbuf, tbs, tbslen);
737 prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);
738 ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,
739 sig, prsactx->rsa, RSA_X931_PADDING);
740 clean_tbuf(prsactx);
741 break;
742 case RSA_PKCS1_PADDING:
743 {
744 unsigned int sltmp;
745
746 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,
747 prsactx->rsa);
748 if (ret <= 0) {
749 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
750 return 0;
751 }
752 ret = sltmp;
753 }
754 break;
755
756 case RSA_PKCS1_PSS_PADDING:
757 {
758 int saltlen;
759
760 /* Check PSS restrictions */
761 if (rsa_pss_restricted(prsactx)) {
762 switch (prsactx->saltlen) {
763 case RSA_PSS_SALTLEN_DIGEST:
764 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
765 ERR_raise_data(ERR_LIB_PROV,
766 PROV_R_PSS_SALTLEN_TOO_SMALL,
767 "minimum salt length set to %d, "
768 "but the digest only gives %d",
769 prsactx->min_saltlen,
770 EVP_MD_get_size(prsactx->md));
771 return 0;
772 }
773 /* FALLTHRU */
774 default:
775 if (prsactx->saltlen >= 0
776 && prsactx->saltlen < prsactx->min_saltlen) {
777 ERR_raise_data(ERR_LIB_PROV,
778 PROV_R_PSS_SALTLEN_TOO_SMALL,
779 "minimum salt length set to %d, but the"
780 "actual salt length is only set to %d",
781 prsactx->min_saltlen,
782 prsactx->saltlen);
783 return 0;
784 }
785 break;
786 }
787 }
788 if (!setup_tbuf(prsactx))
789 return 0;
790 saltlen = prsactx->saltlen;
791 if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
792 prsactx->tbuf, tbs,
793 prsactx->md, prsactx->mgf1_md,
794 &saltlen)) {
795 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
796 return 0;
797 }
798 #ifdef FIPS_MODULE
799 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen))
800 return 0;
801 #endif
802 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
803 sig, prsactx->rsa, RSA_NO_PADDING);
804 clean_tbuf(prsactx);
805 }
806 break;
807
808 default:
809 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
810 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
811 return 0;
812 }
813 } else {
814 ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,
815 prsactx->pad_mode);
816 }
817
818 #ifndef FIPS_MODULE
819 end:
820 #endif
821 if (ret <= 0) {
822 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
823 return 0;
824 }
825
826 *siglen = ret;
827 return 1;
828 }
829
rsa_signverify_message_update(void * vprsactx,const unsigned char * data,size_t datalen)830 static int rsa_signverify_message_update(void *vprsactx,
831 const unsigned char *data,
832 size_t datalen)
833 {
834 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
835
836 if (prsactx == NULL || prsactx->mdctx == NULL)
837 return 0;
838
839 if (!prsactx->flag_allow_update) {
840 ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER);
841 return 0;
842 }
843 prsactx->flag_allow_oneshot = 0;
844
845 return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
846 }
847
rsa_sign_message_final(void * vprsactx,unsigned char * sig,size_t * siglen,size_t sigsize)848 static int rsa_sign_message_final(void *vprsactx, unsigned char *sig,
849 size_t *siglen, size_t sigsize)
850 {
851 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
852 unsigned char digest[EVP_MAX_MD_SIZE];
853 unsigned int dlen = 0;
854
855 if (!ossl_prov_is_running() || prsactx == NULL)
856 return 0;
857 if (prsactx->mdctx == NULL)
858 return 0;
859 if (!prsactx->flag_allow_final) {
860 ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
861 return 0;
862 }
863
864 /*
865 * If sig is NULL then we're just finding out the sig size. Other fields
866 * are ignored. Defer to rsa_sign.
867 */
868 if (sig != NULL) {
869 /*
870 * The digests used here are all known (see rsa_get_md_nid()), so they
871 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
872 */
873 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
874 return 0;
875
876 prsactx->flag_allow_update = 0;
877 prsactx->flag_allow_oneshot = 0;
878 prsactx->flag_allow_final = 0;
879 }
880
881 return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen);
882 }
883
884 /*
885 * If signing a message, digest tbs and sign the result.
886 * Otherwise, sign tbs directly.
887 */
rsa_sign(void * vprsactx,unsigned char * sig,size_t * siglen,size_t sigsize,const unsigned char * tbs,size_t tbslen)888 static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
889 size_t sigsize, const unsigned char *tbs, size_t tbslen)
890 {
891 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
892
893 if (!ossl_prov_is_running() || prsactx == NULL)
894 return 0;
895 if (!prsactx->flag_allow_oneshot) {
896 ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);
897 return 0;
898 }
899
900 if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) {
901 /*
902 * If |sig| is NULL, the caller is only looking for the sig length.
903 * DO NOT update the input in this case.
904 */
905 if (sig == NULL)
906 return rsa_sign_message_final(prsactx, sig, siglen, sigsize);
907
908 return rsa_signverify_message_update(prsactx, tbs, tbslen)
909 && rsa_sign_message_final(prsactx, sig, siglen, sigsize);
910 }
911 return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen);
912 }
913
rsa_verify_recover_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])914 static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
915 const OSSL_PARAM params[])
916 {
917 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
918
919 #ifdef FIPS_MODULE
920 if (prsactx != NULL)
921 prsactx->verify_message = 0;
922 #endif
923
924 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
925 EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init");
926 }
927
928 /*
929 * There is no message variant of verify recover, so no need for
930 * 'rsa_verify_recover_directly', just use this function, er, directly.
931 */
rsa_verify_recover(void * vprsactx,unsigned char * rout,size_t * routlen,size_t routsize,const unsigned char * sig,size_t siglen)932 static int rsa_verify_recover(void *vprsactx,
933 unsigned char *rout, size_t *routlen,
934 size_t routsize,
935 const unsigned char *sig, size_t siglen)
936 {
937 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
938 int ret;
939
940 if (!ossl_prov_is_running())
941 return 0;
942
943 if (rout == NULL) {
944 *routlen = RSA_size(prsactx->rsa);
945 return 1;
946 }
947
948 if (prsactx->md != NULL) {
949 switch (prsactx->pad_mode) {
950 case RSA_X931_PADDING:
951 if (!setup_tbuf(prsactx))
952 return 0;
953 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
954 RSA_X931_PADDING);
955 if (ret < 1) {
956 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
957 return 0;
958 }
959 ret--;
960 if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {
961 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);
962 return 0;
963 }
964 if (ret != EVP_MD_get_size(prsactx->md)) {
965 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
966 "Should be %d, but got %d",
967 EVP_MD_get_size(prsactx->md), ret);
968 return 0;
969 }
970
971 *routlen = ret;
972 if (rout != prsactx->tbuf) {
973 if (routsize < (size_t)ret) {
974 ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
975 "buffer size is %d, should be %d",
976 routsize, ret);
977 return 0;
978 }
979 memcpy(rout, prsactx->tbuf, ret);
980 }
981 break;
982
983 case RSA_PKCS1_PADDING:
984 {
985 size_t sltmp;
986
987 ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,
988 sig, siglen, prsactx->rsa);
989 if (ret <= 0) {
990 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
991 return 0;
992 }
993 ret = sltmp;
994 }
995 break;
996
997 default:
998 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
999 "Only X.931 or PKCS#1 v1.5 padding allowed");
1000 return 0;
1001 }
1002 } else {
1003 ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,
1004 prsactx->pad_mode);
1005 if (ret < 0) {
1006 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1007 return 0;
1008 }
1009 }
1010 *routlen = ret;
1011 return 1;
1012 }
1013
rsa_verify_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])1014 static int rsa_verify_init(void *vprsactx, void *vrsa,
1015 const OSSL_PARAM params[])
1016 {
1017 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1018
1019 #ifdef FIPS_MODULE
1020 if (prsactx != NULL)
1021 prsactx->verify_message = 0;
1022 #endif
1023
1024 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
1025 EVP_PKEY_OP_VERIFY, "RSA Verify Init");
1026 }
1027
rsa_verify_directly(PROV_RSA_CTX * prsactx,const unsigned char * sig,size_t siglen,const unsigned char * tbs,size_t tbslen)1028 static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
1029 const unsigned char *sig, size_t siglen,
1030 const unsigned char *tbs, size_t tbslen)
1031 {
1032 size_t rslen;
1033
1034 if (!ossl_prov_is_running())
1035 return 0;
1036 if (prsactx->md != NULL) {
1037 switch (prsactx->pad_mode) {
1038 case RSA_PKCS1_PADDING:
1039 if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,
1040 prsactx->rsa)) {
1041 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1042 return 0;
1043 }
1044 return 1;
1045 case RSA_X931_PADDING:
1046 if (!setup_tbuf(prsactx))
1047 return 0;
1048 if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,
1049 sig, siglen) <= 0)
1050 return 0;
1051 break;
1052 case RSA_PKCS1_PSS_PADDING:
1053 {
1054 int ret;
1055 int saltlen;
1056 size_t mdsize;
1057
1058 /*
1059 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1()
1060 * call
1061 */
1062 mdsize = rsa_get_md_size(prsactx);
1063 if (tbslen != mdsize) {
1064 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
1065 "Should be %d, but got %d",
1066 mdsize, tbslen);
1067 return 0;
1068 }
1069
1070 if (!setup_tbuf(prsactx))
1071 return 0;
1072 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,
1073 prsactx->rsa, RSA_NO_PADDING);
1074 if (ret <= 0) {
1075 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1076 return 0;
1077 }
1078 saltlen = prsactx->saltlen;
1079 ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
1080 prsactx->md, prsactx->mgf1_md,
1081 prsactx->tbuf,
1082 &saltlen);
1083 if (ret <= 0) {
1084 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1085 return 0;
1086 }
1087 #ifdef FIPS_MODULE
1088 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen))
1089 return 0;
1090 #endif
1091 return 1;
1092 }
1093 default:
1094 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
1095 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
1096 return 0;
1097 }
1098 } else {
1099 int ret;
1100
1101 if (!setup_tbuf(prsactx))
1102 return 0;
1103 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
1104 prsactx->pad_mode);
1105 if (ret <= 0) {
1106 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1107 return 0;
1108 }
1109 rslen = (size_t)ret;
1110 }
1111
1112 if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))
1113 return 0;
1114
1115 return 1;
1116 }
1117
rsa_verify_set_sig(void * vprsactx,const unsigned char * sig,size_t siglen)1118 static int rsa_verify_set_sig(void *vprsactx,
1119 const unsigned char *sig, size_t siglen)
1120 {
1121 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1122 OSSL_PARAM params[2];
1123
1124 params[0] =
1125 OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE,
1126 (unsigned char *)sig, siglen);
1127 params[1] = OSSL_PARAM_construct_end();
1128 return rsa_sigalg_set_ctx_params(prsactx, params);
1129 }
1130
rsa_verify_message_final(void * vprsactx)1131 static int rsa_verify_message_final(void *vprsactx)
1132 {
1133 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1134 unsigned char digest[EVP_MAX_MD_SIZE];
1135 unsigned int dlen = 0;
1136
1137 if (!ossl_prov_is_running() || prsactx == NULL)
1138 return 0;
1139 if (prsactx->mdctx == NULL)
1140 return 0;
1141 if (!prsactx->flag_allow_final) {
1142 ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
1143 return 0;
1144 }
1145
1146 /*
1147 * The digests used here are all known (see rsa_get_md_nid()), so they
1148 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
1149 */
1150 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
1151 return 0;
1152
1153 prsactx->flag_allow_update = 0;
1154 prsactx->flag_allow_final = 0;
1155 prsactx->flag_allow_oneshot = 0;
1156
1157 return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen,
1158 digest, dlen);
1159 }
1160
1161 /*
1162 * If verifying a message, digest tbs and verify the result.
1163 * Otherwise, verify tbs directly.
1164 */
rsa_verify(void * vprsactx,const unsigned char * sig,size_t siglen,const unsigned char * tbs,size_t tbslen)1165 static int rsa_verify(void *vprsactx,
1166 const unsigned char *sig, size_t siglen,
1167 const unsigned char *tbs, size_t tbslen)
1168 {
1169 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1170
1171 if (!ossl_prov_is_running() || prsactx == NULL)
1172 return 0;
1173 if (!prsactx->flag_allow_oneshot) {
1174 ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);
1175 return 0;
1176 }
1177
1178 if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG)
1179 return rsa_verify_set_sig(prsactx, sig, siglen)
1180 && rsa_signverify_message_update(prsactx, tbs, tbslen)
1181 && rsa_verify_message_final(prsactx);
1182 return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen);
1183 }
1184
1185 /* DigestSign/DigestVerify wrappers */
1186
rsa_digest_signverify_init(void * vprsactx,const char * mdname,void * vrsa,const OSSL_PARAM params[],int operation,const char * desc)1187 static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
1188 void *vrsa, const OSSL_PARAM params[],
1189 int operation, const char *desc)
1190 {
1191 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1192
1193 #ifdef FIPS_MODULE
1194 if (prsactx != NULL)
1195 prsactx->verify_message = 1;
1196 #endif
1197
1198 if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
1199 operation, desc))
1200 return 0;
1201
1202 if (mdname != NULL
1203 /* was rsa_setup_md already called in rsa_signverify_init()? */
1204 && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0)
1205 && !rsa_setup_md(prsactx, mdname, prsactx->propq, desc))
1206 return 0;
1207
1208 prsactx->flag_allow_md = 0;
1209
1210 if (prsactx->mdctx == NULL) {
1211 prsactx->mdctx = EVP_MD_CTX_new();
1212 if (prsactx->mdctx == NULL)
1213 goto error;
1214 }
1215
1216 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
1217 goto error;
1218
1219 return 1;
1220
1221 error:
1222 EVP_MD_CTX_free(prsactx->mdctx);
1223 prsactx->mdctx = NULL;
1224 return 0;
1225 }
1226
rsa_digest_sign_init(void * vprsactx,const char * mdname,void * vrsa,const OSSL_PARAM params[])1227 static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
1228 void *vrsa, const OSSL_PARAM params[])
1229 {
1230 if (!ossl_prov_is_running())
1231 return 0;
1232 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
1233 params, EVP_PKEY_OP_SIGNMSG,
1234 "RSA Digest Sign Init");
1235 }
1236
rsa_digest_sign_update(void * vprsactx,const unsigned char * data,size_t datalen)1237 static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data,
1238 size_t datalen)
1239 {
1240 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1241
1242 if (prsactx == NULL)
1243 return 0;
1244 /* Sigalg implementations shouldn't do digest_sign */
1245 if (prsactx->flag_sigalg)
1246 return 0;
1247
1248 return rsa_signverify_message_update(prsactx, data, datalen);
1249 }
1250
rsa_digest_sign_final(void * vprsactx,unsigned char * sig,size_t * siglen,size_t sigsize)1251 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
1252 size_t *siglen, size_t sigsize)
1253 {
1254 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1255 int ok = 0;
1256
1257 if (prsactx == NULL)
1258 return 0;
1259 /* Sigalg implementations shouldn't do digest_sign */
1260 if (prsactx->flag_sigalg)
1261 return 0;
1262
1263 if (rsa_sign_message_final(prsactx, sig, siglen, sigsize))
1264 ok = 1;
1265
1266 prsactx->flag_allow_md = 1;
1267
1268 return ok;
1269 }
1270
rsa_digest_verify_init(void * vprsactx,const char * mdname,void * vrsa,const OSSL_PARAM params[])1271 static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
1272 void *vrsa, const OSSL_PARAM params[])
1273 {
1274 if (!ossl_prov_is_running())
1275 return 0;
1276 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
1277 params, EVP_PKEY_OP_VERIFYMSG,
1278 "RSA Digest Verify Init");
1279 }
1280
rsa_digest_verify_update(void * vprsactx,const unsigned char * data,size_t datalen)1281 static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data,
1282 size_t datalen)
1283 {
1284 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1285
1286 if (prsactx == NULL)
1287 return 0;
1288 /* Sigalg implementations shouldn't do digest_sign */
1289 if (prsactx->flag_sigalg)
1290 return 0;
1291
1292 return rsa_signverify_message_update(prsactx, data, datalen);
1293 }
1294
rsa_digest_verify_final(void * vprsactx,const unsigned char * sig,size_t siglen)1295 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
1296 size_t siglen)
1297 {
1298 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1299 int ok = 0;
1300
1301 if (prsactx == NULL)
1302 return 0;
1303 /* Sigalg implementations shouldn't do digest_verify */
1304 if (prsactx->flag_sigalg)
1305 return 0;
1306
1307 if (rsa_verify_set_sig(prsactx, sig, siglen)
1308 && rsa_verify_message_final(vprsactx))
1309 ok = 1;
1310
1311 prsactx->flag_allow_md = 1;
1312
1313 return ok;
1314 }
1315
rsa_freectx(void * vprsactx)1316 static void rsa_freectx(void *vprsactx)
1317 {
1318 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1319
1320 if (prsactx == NULL)
1321 return;
1322
1323 EVP_MD_CTX_free(prsactx->mdctx);
1324 EVP_MD_free(prsactx->md);
1325 EVP_MD_free(prsactx->mgf1_md);
1326 OPENSSL_free(prsactx->sig);
1327 OPENSSL_free(prsactx->propq);
1328 free_tbuf(prsactx);
1329 RSA_free(prsactx->rsa);
1330
1331 OPENSSL_clear_free(prsactx, sizeof(*prsactx));
1332 }
1333
rsa_dupctx(void * vprsactx)1334 static void *rsa_dupctx(void *vprsactx)
1335 {
1336 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
1337 PROV_RSA_CTX *dstctx;
1338
1339 if (!ossl_prov_is_running())
1340 return NULL;
1341
1342 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
1343 if (dstctx == NULL)
1344 return NULL;
1345
1346 *dstctx = *srcctx;
1347 dstctx->rsa = NULL;
1348 dstctx->md = NULL;
1349 dstctx->mgf1_md = NULL;
1350 dstctx->mdctx = NULL;
1351 dstctx->tbuf = NULL;
1352 dstctx->propq = NULL;
1353
1354 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))
1355 goto err;
1356 dstctx->rsa = srcctx->rsa;
1357
1358 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
1359 goto err;
1360 dstctx->md = srcctx->md;
1361
1362 if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))
1363 goto err;
1364 dstctx->mgf1_md = srcctx->mgf1_md;
1365
1366 if (srcctx->mdctx != NULL) {
1367 dstctx->mdctx = EVP_MD_CTX_new();
1368 if (dstctx->mdctx == NULL
1369 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
1370 goto err;
1371 }
1372
1373 if (srcctx->propq != NULL) {
1374 dstctx->propq = OPENSSL_strdup(srcctx->propq);
1375 if (dstctx->propq == NULL)
1376 goto err;
1377 }
1378
1379 return dstctx;
1380 err:
1381 rsa_freectx(dstctx);
1382 return NULL;
1383 }
1384
rsa_get_ctx_params(void * vprsactx,OSSL_PARAM * params)1385 static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
1386 {
1387 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1388 OSSL_PARAM *p;
1389
1390 if (prsactx == NULL)
1391 return 0;
1392
1393 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
1394 if (p != NULL) {
1395 /* The Algorithm Identifier of the combined signature algorithm */
1396 unsigned char aid_buf[128];
1397 unsigned char *aid;
1398 size_t aid_len;
1399
1400 aid = rsa_generate_signature_aid(prsactx, aid_buf,
1401 sizeof(aid_buf), &aid_len);
1402 if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len))
1403 return 0;
1404 }
1405
1406 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1407 if (p != NULL)
1408 switch (p->data_type) {
1409 case OSSL_PARAM_INTEGER:
1410 if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))
1411 return 0;
1412 break;
1413 case OSSL_PARAM_UTF8_STRING:
1414 {
1415 int i;
1416 const char *word = NULL;
1417
1418 for (i = 0; padding_item[i].id != 0; i++) {
1419 if (prsactx->pad_mode == (int)padding_item[i].id) {
1420 word = padding_item[i].ptr;
1421 break;
1422 }
1423 }
1424
1425 if (word != NULL) {
1426 if (!OSSL_PARAM_set_utf8_string(p, word))
1427 return 0;
1428 } else {
1429 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
1430 }
1431 }
1432 break;
1433 default:
1434 return 0;
1435 }
1436
1437 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
1438 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))
1439 return 0;
1440
1441 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1442 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))
1443 return 0;
1444
1445 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1446 if (p != NULL) {
1447 if (p->data_type == OSSL_PARAM_INTEGER) {
1448 if (!OSSL_PARAM_set_int(p, prsactx->saltlen))
1449 return 0;
1450 } else if (p->data_type == OSSL_PARAM_UTF8_STRING) {
1451 const char *value = NULL;
1452
1453 switch (prsactx->saltlen) {
1454 case RSA_PSS_SALTLEN_DIGEST:
1455 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;
1456 break;
1457 case RSA_PSS_SALTLEN_MAX:
1458 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;
1459 break;
1460 case RSA_PSS_SALTLEN_AUTO:
1461 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
1462 break;
1463 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
1464 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;
1465 break;
1466 default:
1467 {
1468 int len = BIO_snprintf(p->data, p->data_size, "%d",
1469 prsactx->saltlen);
1470
1471 if (len <= 0)
1472 return 0;
1473 p->return_size = len;
1474 break;
1475 }
1476 }
1477 if (value != NULL
1478 && !OSSL_PARAM_set_utf8_string(p, value))
1479 return 0;
1480 }
1481 }
1482
1483 #ifdef FIPS_MODULE
1484 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);
1485 if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message))
1486 return 0;
1487 #endif
1488
1489 if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params))
1490 return 0;
1491 return 1;
1492 }
1493
1494 static const OSSL_PARAM known_gettable_ctx_params[] = {
1495 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
1496 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1497 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1498 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1499 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1500 #ifdef FIPS_MODULE
1501 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),
1502 #endif
1503 OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
1504 OSSL_PARAM_END
1505 };
1506
rsa_gettable_ctx_params(ossl_unused void * vprsactx,ossl_unused void * provctx)1507 static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
1508 ossl_unused void *provctx)
1509 {
1510 return known_gettable_ctx_params;
1511 }
1512
1513 #ifdef FIPS_MODULE
rsa_x931_padding_allowed(PROV_RSA_CTX * ctx)1514 static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx)
1515 {
1516 int approved = ((ctx->operation & EVP_PKEY_OP_SIGN) == 0);
1517
1518 if (!approved) {
1519 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
1520 ctx->libctx,
1521 "RSA Sign set ctx", "X931 Padding",
1522 ossl_fips_config_rsa_sign_x931_disallowed)) {
1523 ERR_raise(ERR_LIB_PROV,
1524 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
1525 return 0;
1526 }
1527 }
1528 return 1;
1529 }
1530 #endif
1531
rsa_set_ctx_params(void * vprsactx,const OSSL_PARAM params[])1532 static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
1533 {
1534 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1535 const OSSL_PARAM *p;
1536 int pad_mode;
1537 int saltlen;
1538 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL;
1539 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL;
1540 char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;
1541 char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;
1542
1543 if (prsactx == NULL)
1544 return 0;
1545 if (ossl_param_is_empty(params))
1546 return 1;
1547
1548 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
1549 OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK))
1550 return 0;
1551
1552 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params,
1553 OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK))
1554 return 0;
1555
1556 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, params,
1557 OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK))
1558 return 0;
1559
1560 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, params,
1561 OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK))
1562 return 0;
1563
1564 pad_mode = prsactx->pad_mode;
1565 saltlen = prsactx->saltlen;
1566
1567 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
1568 if (p != NULL) {
1569 const OSSL_PARAM *propsp =
1570 OSSL_PARAM_locate_const(params,
1571 OSSL_SIGNATURE_PARAM_PROPERTIES);
1572
1573 pmdname = mdname;
1574 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
1575 return 0;
1576
1577 if (propsp != NULL) {
1578 pmdprops = mdprops;
1579 if (!OSSL_PARAM_get_utf8_string(propsp,
1580 &pmdprops, sizeof(mdprops)))
1581 return 0;
1582 }
1583 }
1584
1585 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1586 if (p != NULL) {
1587 const char *err_extra_text = NULL;
1588
1589 switch (p->data_type) {
1590 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1591 if (!OSSL_PARAM_get_int(p, &pad_mode))
1592 return 0;
1593 break;
1594 case OSSL_PARAM_UTF8_STRING:
1595 {
1596 int i;
1597
1598 if (p->data == NULL)
1599 return 0;
1600
1601 for (i = 0; padding_item[i].id != 0; i++) {
1602 if (strcmp(p->data, padding_item[i].ptr) == 0) {
1603 pad_mode = padding_item[i].id;
1604 break;
1605 }
1606 }
1607 }
1608 break;
1609 default:
1610 return 0;
1611 }
1612
1613 switch (pad_mode) {
1614 case RSA_PKCS1_OAEP_PADDING:
1615 /*
1616 * OAEP padding is for asymmetric cipher only so is not compatible
1617 * with signature use.
1618 */
1619 err_extra_text = "OAEP padding not allowed for signing / verifying";
1620 goto bad_pad;
1621 case RSA_PKCS1_PSS_PADDING:
1622 if ((prsactx->operation
1623 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG
1624 | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {
1625 err_extra_text =
1626 "PSS padding only allowed for sign and verify operations";
1627 goto bad_pad;
1628 }
1629 break;
1630 case RSA_PKCS1_PADDING:
1631 err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";
1632 goto cont;
1633 case RSA_NO_PADDING:
1634 err_extra_text = "No padding not allowed with RSA-PSS";
1635 goto cont;
1636 case RSA_X931_PADDING:
1637 #ifdef FIPS_MODULE
1638 /* X9.31 only allows sizes of 1024 + 256 * s (bits) */
1639 if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) {
1640 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
1641 return 0;
1642 }
1643 /* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */
1644 if (!rsa_x931_padding_allowed(prsactx))
1645 return 0;
1646 #endif
1647 err_extra_text = "X.931 padding not allowed with RSA-PSS";
1648 cont:
1649 if (RSA_test_flags(prsactx->rsa,
1650 RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
1651 break;
1652 /* FALLTHRU */
1653 default:
1654 bad_pad:
1655 if (err_extra_text == NULL)
1656 ERR_raise(ERR_LIB_PROV,
1657 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
1658 else
1659 ERR_raise_data(ERR_LIB_PROV,
1660 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
1661 err_extra_text);
1662 return 0;
1663 }
1664 }
1665
1666 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1667 if (p != NULL) {
1668 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
1669 ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
1670 "PSS saltlen can only be specified if "
1671 "PSS padding has been specified first");
1672 return 0;
1673 }
1674
1675 switch (p->data_type) {
1676 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1677 if (!OSSL_PARAM_get_int(p, &saltlen))
1678 return 0;
1679 break;
1680 case OSSL_PARAM_UTF8_STRING:
1681 if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)
1682 saltlen = RSA_PSS_SALTLEN_DIGEST;
1683 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)
1684 saltlen = RSA_PSS_SALTLEN_MAX;
1685 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
1686 saltlen = RSA_PSS_SALTLEN_AUTO;
1687 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
1688 saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
1689 else
1690 saltlen = atoi(p->data);
1691 break;
1692 default:
1693 return 0;
1694 }
1695
1696 /*
1697 * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.
1698 * Contrary to what it's name suggests, it's the currently lowest
1699 * saltlen number possible.
1700 */
1701 if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
1702 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
1703 return 0;
1704 }
1705
1706 if (rsa_pss_restricted(prsactx)) {
1707 switch (saltlen) {
1708 case RSA_PSS_SALTLEN_AUTO:
1709 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
1710 if ((prsactx->operation
1711 & (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {
1712 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
1713 "Cannot use autodetected salt length");
1714 return 0;
1715 }
1716 break;
1717 case RSA_PSS_SALTLEN_DIGEST:
1718 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
1719 ERR_raise_data(ERR_LIB_PROV,
1720 PROV_R_PSS_SALTLEN_TOO_SMALL,
1721 "Should be more than %d, but would be "
1722 "set to match digest size (%d)",
1723 prsactx->min_saltlen,
1724 EVP_MD_get_size(prsactx->md));
1725 return 0;
1726 }
1727 break;
1728 default:
1729 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {
1730 ERR_raise_data(ERR_LIB_PROV,
1731 PROV_R_PSS_SALTLEN_TOO_SMALL,
1732 "Should be more than %d, "
1733 "but would be set to %d",
1734 prsactx->min_saltlen, saltlen);
1735 return 0;
1736 }
1737 }
1738 }
1739 }
1740
1741 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1742 if (p != NULL) {
1743 const OSSL_PARAM *propsp =
1744 OSSL_PARAM_locate_const(params,
1745 OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);
1746
1747 pmgf1mdname = mgf1mdname;
1748 if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname)))
1749 return 0;
1750
1751 if (propsp != NULL) {
1752 pmgf1mdprops = mgf1mdprops;
1753 if (!OSSL_PARAM_get_utf8_string(propsp,
1754 &pmgf1mdprops, sizeof(mgf1mdprops)))
1755 return 0;
1756 }
1757
1758 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
1759 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);
1760 return 0;
1761 }
1762 }
1763
1764 prsactx->saltlen = saltlen;
1765 prsactx->pad_mode = pad_mode;
1766
1767 if (prsactx->md == NULL && pmdname == NULL
1768 && pad_mode == RSA_PKCS1_PSS_PADDING)
1769 pmdname = RSA_DEFAULT_DIGEST_NAME;
1770
1771 if (pmgf1mdname != NULL
1772 && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
1773 return 0;
1774
1775 if (pmdname != NULL) {
1776 if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx"))
1777 return 0;
1778 } else {
1779 if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid))
1780 return 0;
1781 }
1782 return 1;
1783 }
1784
1785 static const OSSL_PARAM settable_ctx_params[] = {
1786 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1787 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
1788 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1789 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1790 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1791 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1792 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
1793 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
1794 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
1795 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
1796 OSSL_PARAM_END
1797 };
1798
1799 static const OSSL_PARAM settable_ctx_params_no_digest[] = {
1800 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1801 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1802 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1803 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1804 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
1805 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
1806 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
1807 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
1808 OSSL_PARAM_END
1809 };
1810
rsa_settable_ctx_params(void * vprsactx,ossl_unused void * provctx)1811 static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx,
1812 ossl_unused void *provctx)
1813 {
1814 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1815
1816 if (prsactx != NULL && !prsactx->flag_allow_md)
1817 return settable_ctx_params_no_digest;
1818 return settable_ctx_params;
1819 }
1820
rsa_get_ctx_md_params(void * vprsactx,OSSL_PARAM * params)1821 static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)
1822 {
1823 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1824
1825 if (prsactx->mdctx == NULL)
1826 return 0;
1827
1828 return EVP_MD_CTX_get_params(prsactx->mdctx, params);
1829 }
1830
rsa_gettable_ctx_md_params(void * vprsactx)1831 static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)
1832 {
1833 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1834
1835 if (prsactx->md == NULL)
1836 return 0;
1837
1838 return EVP_MD_gettable_ctx_params(prsactx->md);
1839 }
1840
rsa_set_ctx_md_params(void * vprsactx,const OSSL_PARAM params[])1841 static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])
1842 {
1843 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1844
1845 if (prsactx->mdctx == NULL)
1846 return 0;
1847
1848 return EVP_MD_CTX_set_params(prsactx->mdctx, params);
1849 }
1850
rsa_settable_ctx_md_params(void * vprsactx)1851 static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
1852 {
1853 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1854
1855 if (prsactx->md == NULL)
1856 return 0;
1857
1858 return EVP_MD_settable_ctx_params(prsactx->md);
1859 }
1860
1861 const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
1862 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
1863 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
1864 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },
1865 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },
1866 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },
1867 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,
1868 (void (*)(void))rsa_verify_recover_init },
1869 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,
1870 (void (*)(void))rsa_verify_recover },
1871 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
1872 (void (*)(void))rsa_digest_sign_init },
1873 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
1874 (void (*)(void))rsa_digest_sign_update },
1875 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
1876 (void (*)(void))rsa_digest_sign_final },
1877 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
1878 (void (*)(void))rsa_digest_verify_init },
1879 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
1880 (void (*)(void))rsa_digest_verify_update },
1881 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
1882 (void (*)(void))rsa_digest_verify_final },
1883 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },
1884 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },
1885 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },
1886 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
1887 (void (*)(void))rsa_gettable_ctx_params },
1888 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },
1889 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
1890 (void (*)(void))rsa_settable_ctx_params },
1891 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
1892 (void (*)(void))rsa_get_ctx_md_params },
1893 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
1894 (void (*)(void))rsa_gettable_ctx_md_params },
1895 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
1896 (void (*)(void))rsa_set_ctx_md_params },
1897 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
1898 (void (*)(void))rsa_settable_ctx_md_params },
1899 OSSL_DISPATCH_END
1900 };
1901
1902 /* ------------------------------------------------------------------ */
1903
1904 /*
1905 * So called sigalgs (composite RSA+hash) implemented below. They
1906 * are pretty much hard coded, and rely on the hash implementation
1907 * being available as per what OPENSSL_NO_ macros allow.
1908 */
1909
1910 static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
1911 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;
1912 static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;
1913
1914 /*
1915 * rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(),
1916 * just doesn't allow fetching an MD from whatever the user chooses.
1917 */
rsa_sigalg_signverify_init(void * vprsactx,void * vrsa,OSSL_FUNC_signature_set_ctx_params_fn * set_ctx_params,const OSSL_PARAM params[],const char * mdname,int operation,int pad_mode,const char * desc)1918 static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa,
1919 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
1920 const OSSL_PARAM params[],
1921 const char *mdname,
1922 int operation, int pad_mode,
1923 const char *desc)
1924 {
1925 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1926
1927 if (!ossl_prov_is_running())
1928 return 0;
1929
1930 if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation,
1931 desc))
1932 return 0;
1933
1934 /* PSS is currently not supported as a sigalg */
1935 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
1936 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
1937 return 0;
1938 }
1939
1940 if (!rsa_setup_md(prsactx, mdname, NULL, desc))
1941 return 0;
1942
1943 prsactx->pad_mode = pad_mode;
1944 prsactx->flag_sigalg = 1;
1945 prsactx->flag_allow_md = 0;
1946
1947 if (prsactx->mdctx == NULL) {
1948 prsactx->mdctx = EVP_MD_CTX_new();
1949 if (prsactx->mdctx == NULL)
1950 goto error;
1951 }
1952
1953 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
1954 goto error;
1955
1956 return 1;
1957
1958 error:
1959 EVP_MD_CTX_free(prsactx->mdctx);
1960 prsactx->mdctx = NULL;
1961 return 0;
1962 }
1963
rsa_sigalg_query_key_types(void)1964 static const char **rsa_sigalg_query_key_types(void)
1965 {
1966 static const char *keytypes[] = { "RSA", NULL };
1967
1968 return keytypes;
1969 }
1970
1971 static const OSSL_PARAM settable_sigalg_ctx_params[] = {
1972 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),
1973 OSSL_PARAM_END
1974 };
1975
rsa_sigalg_settable_ctx_params(void * vprsactx,ossl_unused void * provctx)1976 static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx,
1977 ossl_unused void *provctx)
1978 {
1979 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1980
1981 if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG)
1982 return settable_sigalg_ctx_params;
1983 return NULL;
1984 }
1985
rsa_sigalg_set_ctx_params(void * vprsactx,const OSSL_PARAM params[])1986 static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
1987 {
1988 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1989 const OSSL_PARAM *p;
1990
1991 if (prsactx == NULL)
1992 return 0;
1993 if (ossl_param_is_empty(params))
1994 return 1;
1995
1996 if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) {
1997 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);
1998 if (p != NULL) {
1999 OPENSSL_free(prsactx->sig);
2000 prsactx->sig = NULL;
2001 prsactx->siglen = 0;
2002 if (!OSSL_PARAM_get_octet_string(p, (void **)&prsactx->sig,
2003 0, &prsactx->siglen))
2004 return 0;
2005 }
2006 }
2007 return 1;
2008 }
2009
2010 #define IMPL_RSA_SIGALG(md, MD) \
2011 static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \
2012 static OSSL_FUNC_signature_sign_message_init_fn \
2013 rsa_##md##_sign_message_init; \
2014 static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \
2015 static OSSL_FUNC_signature_verify_message_init_fn \
2016 rsa_##md##_verify_message_init; \
2017 \
2018 static int \
2019 rsa_##md##_sign_init(void *vprsactx, void *vrsa, \
2020 const OSSL_PARAM params[]) \
2021 { \
2022 static const char desc[] = "RSA Sigalg Sign Init"; \
2023 \
2024 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2025 rsa_sigalg_set_ctx_params, \
2026 params, #MD, \
2027 EVP_PKEY_OP_SIGN, \
2028 RSA_PKCS1_PADDING, \
2029 desc); \
2030 } \
2031 \
2032 static int \
2033 rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \
2034 const OSSL_PARAM params[]) \
2035 { \
2036 static const char desc[] = "RSA Sigalg Sign Message Init"; \
2037 \
2038 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2039 rsa_sigalg_set_ctx_params, \
2040 params, #MD, \
2041 EVP_PKEY_OP_SIGNMSG, \
2042 RSA_PKCS1_PADDING, \
2043 desc); \
2044 } \
2045 \
2046 static int \
2047 rsa_##md##_verify_init(void *vprsactx, void *vrsa, \
2048 const OSSL_PARAM params[]) \
2049 { \
2050 static const char desc[] = "RSA Sigalg Verify Init"; \
2051 \
2052 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2053 rsa_sigalg_set_ctx_params, \
2054 params, #MD, \
2055 EVP_PKEY_OP_VERIFY, \
2056 RSA_PKCS1_PADDING, \
2057 desc); \
2058 } \
2059 \
2060 static int \
2061 rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \
2062 const OSSL_PARAM params[]) \
2063 { \
2064 static const char desc[] = "RSA Sigalg Verify Recover Init"; \
2065 \
2066 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2067 rsa_sigalg_set_ctx_params, \
2068 params, #MD, \
2069 EVP_PKEY_OP_VERIFYRECOVER, \
2070 RSA_PKCS1_PADDING, \
2071 desc); \
2072 } \
2073 \
2074 static int \
2075 rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \
2076 const OSSL_PARAM params[]) \
2077 { \
2078 static const char desc[] = "RSA Sigalg Verify Message Init"; \
2079 \
2080 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2081 rsa_sigalg_set_ctx_params, \
2082 params, #MD, \
2083 EVP_PKEY_OP_VERIFYMSG, \
2084 RSA_PKCS1_PADDING, \
2085 desc); \
2086 } \
2087 \
2088 const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \
2089 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \
2090 { OSSL_FUNC_SIGNATURE_SIGN_INIT, \
2091 (void (*)(void))rsa_##md##_sign_init }, \
2092 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \
2093 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \
2094 (void (*)(void))rsa_##md##_sign_message_init }, \
2095 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \
2096 (void (*)(void))rsa_signverify_message_update }, \
2097 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \
2098 (void (*)(void))rsa_sign_message_final }, \
2099 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \
2100 (void (*)(void))rsa_##md##_verify_init }, \
2101 { OSSL_FUNC_SIGNATURE_VERIFY, \
2102 (void (*)(void))rsa_verify }, \
2103 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \
2104 (void (*)(void))rsa_##md##_verify_message_init }, \
2105 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \
2106 (void (*)(void))rsa_signverify_message_update }, \
2107 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \
2108 (void (*)(void))rsa_verify_message_final }, \
2109 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \
2110 (void (*)(void))rsa_##md##_verify_recover_init }, \
2111 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \
2112 (void (*)(void))rsa_verify_recover }, \
2113 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \
2114 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \
2115 { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \
2116 (void (*)(void))rsa_sigalg_query_key_types }, \
2117 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \
2118 (void (*)(void))rsa_get_ctx_params }, \
2119 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \
2120 (void (*)(void))rsa_gettable_ctx_params }, \
2121 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \
2122 (void (*)(void))rsa_sigalg_set_ctx_params }, \
2123 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \
2124 (void (*)(void))rsa_sigalg_settable_ctx_params }, \
2125 OSSL_DISPATCH_END \
2126 }
2127
2128 #if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE)
2129 IMPL_RSA_SIGALG(ripemd160, RIPEMD160);
2130 #endif
2131 IMPL_RSA_SIGALG(sha1, SHA1);
2132 IMPL_RSA_SIGALG(sha224, SHA2-224);
2133 IMPL_RSA_SIGALG(sha256, SHA2-256);
2134 IMPL_RSA_SIGALG(sha384, SHA2-384);
2135 IMPL_RSA_SIGALG(sha512, SHA2-512);
2136 IMPL_RSA_SIGALG(sha512_224, SHA2-512/224);
2137 IMPL_RSA_SIGALG(sha512_256, SHA2-512/256);
2138 IMPL_RSA_SIGALG(sha3_224, SHA3-224);
2139 IMPL_RSA_SIGALG(sha3_256, SHA3-256);
2140 IMPL_RSA_SIGALG(sha3_384, SHA3-384);
2141 IMPL_RSA_SIGALG(sha3_512, SHA3-512);
2142 #if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE)
2143 IMPL_RSA_SIGALG(sm3, SM3);
2144 #endif
2145
