[thirdparty/openssl.git] / providers / implementations / signature / ecdsa.c

/*
 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * ECDSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <string.h> /* memcpy */
#include <openssl/crypto.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/dsa.h>
#include <openssl/params.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/cryptlib.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/securitycheck.h"
#include "crypto/ec.h"
#include "prov/der_ec.h"

static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
static OSSL_FUNC_signature_sign_fn ecdsa_sign;
static OSSL_FUNC_signature_verify_fn ecdsa_verify;
static OSSL_FUNC_signature_digest_sign_init_fn ecdsa_digest_sign_init;
static OSSL_FUNC_signature_digest_sign_update_fn ecdsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_set_ctx_params;
static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_settable_ctx_params;
static OSSL_FUNC_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params;
static OSSL_FUNC_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params;
static OSSL_FUNC_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params;
static OSSL_FUNC_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params;

/*
 * What's passed as an actual key is defined by the KEYMGMT interface.
 * We happen to know that our KEYMGMT simply passes DSA structures, so
 * we use that here too.
 */

typedef struct {
    OPENSSL_CTX *libctx;
    char *propq;
    EC_KEY *ec;
    char mdname[OSSL_MAX_NAME_SIZE];

    /* The Algorithm Identifier of the combined signature algorithm */
    unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
    unsigned char *aid;
    size_t  aid_len;
    size_t mdsize;
    int operation;

    EVP_MD *md;
    EVP_MD_CTX *mdctx;
    /*
     * Internally used to cache the results of calling the EC group
     * sign_setup() methods which are then passed to the sign operation.
     * This is used by CAVS failure tests to terminate a loop if the signature
     * is not valid.
     * This could of also been done with a simple flag.
     */
    BIGNUM *kinv;
    BIGNUM *r;
#if !defined(OPENSSL_NO_ACVP_TESTS)
    /*
     * This indicates that KAT (CAVS) test is running. Externally an app will
     * override the random callback such that the generated private key and k
     * are known.
     * Normal operation will loop to choose a new k if the signature is not
     * valid - but for this mode of operation it forces a failure instead.
     */
    unsigned int kattest;
#endif
} PROV_ECDSA_CTX;

static void *ecdsa_newctx(void *provctx, const char *propq)
{
    PROV_ECDSA_CTX *ctx;

    if (!ossl_prov_is_running())
        return NULL;

    ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));
    if (ctx == NULL)
        return NULL;

    ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
    if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL) {
        OPENSSL_free(ctx);
        ctx = NULL;
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
    }
    return ctx;
}

static int ecdsa_signverify_init(void *vctx, void *ec, int operation)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (!ossl_prov_is_running()
            || ctx == NULL
            || ec == NULL
            || !EC_KEY_up_ref(ec))
        return 0;
    EC_KEY_free(ctx->ec);
    ctx->ec = ec;
    ctx->operation = operation;
    return ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
}

static int ecdsa_sign_init(void *vctx, void *ec)
{
    return ecdsa_signverify_init(vctx, ec, EVP_PKEY_OP_SIGN);
}

static int ecdsa_verify_init(void *vctx, void *ec)
{
    return ecdsa_signverify_init(vctx, ec, EVP_PKEY_OP_VERIFY);
}

static int ecdsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
                      size_t sigsize, const unsigned char *tbs, size_t tbslen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    int ret;
    unsigned int sltmp;
    size_t ecsize = ECDSA_size(ctx->ec);

    if (!ossl_prov_is_running())
        return 0;

    if (sig == NULL) {
        *siglen = ecsize;
        return 1;
    }

#if !defined(OPENSSL_NO_ACVP_TESTS)
    if (ctx->kattest && !ECDSA_sign_setup(ctx->ec, NULL, &ctx->kinv, &ctx->r))
        return 0;
#endif

    if (sigsize < (size_t)ecsize)
        return 0;

    if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
        return 0;

    ret = ECDSA_sign_ex(0, tbs, tbslen, sig, &sltmp, ctx->kinv, ctx->r, ctx->ec);
    if (ret <= 0)
        return 0;

    *siglen = sltmp;
    return 1;
}

static int ecdsa_verify(void *vctx, const unsigned char *sig, size_t siglen,
                        const unsigned char *tbs, size_t tbslen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (!ossl_prov_is_running() || (ctx->mdsize != 0 && tbslen != ctx->mdsize))
        return 0;

    return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
}

static void free_md(PROV_ECDSA_CTX *ctx)
{
    OPENSSL_free(ctx->propq);
    EVP_MD_CTX_free(ctx->mdctx);
    EVP_MD_free(ctx->md);
    ctx->propq = NULL;
    ctx->mdctx = NULL;
    ctx->md = NULL;
    ctx->mdsize = 0;
}

static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
                                        void *ec, int operation)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    int md_nid = NID_undef;
    WPACKET pkt;
    int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);

    if (!ossl_prov_is_running())
        return 0;

    free_md(ctx);

    if (!ecdsa_signverify_init(vctx, ec, operation))
        return 0;

    ctx->md = EVP_MD_fetch(ctx->libctx, mdname, ctx->propq);
    md_nid = digest_get_approved_nid_with_sha1(ctx->md, sha1_allowed);
    if (md_nid == NID_undef)
        goto error;

    ctx->mdsize = EVP_MD_size(ctx->md);
    ctx->mdctx = EVP_MD_CTX_new();
    if (ctx->mdctx == NULL)
        goto error;

    /*
     * TODO(3.0) Should we care about DER writing errors?
     * All it really means is that for some reason, there's no
     * AlgorithmIdentifier to be had, but the operation itself is
     * still valid, just as long as it's not used to construct
     * anything that needs an AlgorithmIdentifier.
     */
    ctx->aid_len = 0;
    if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
        && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec,
                                                        md_nid)
        && WPACKET_finish(&pkt)) {
        WPACKET_get_total_written(&pkt, &ctx->aid_len);
        ctx->aid = WPACKET_get_curr(&pkt);
    }
    WPACKET_cleanup(&pkt);

    if (!EVP_DigestInit_ex(ctx->mdctx, ctx->md, NULL))
        goto error;
    return 1;
error:
    free_md(ctx);
    return 0;
}

static int ecdsa_digest_sign_init(void *vctx, const char *mdname, void *ec)
{
    return ecdsa_digest_signverify_init(vctx, mdname, ec, EVP_PKEY_OP_SIGN);
}

static int ecdsa_digest_verify_init(void *vctx, const char *mdname, void *ec)
{
    return ecdsa_digest_signverify_init(vctx, mdname, ec, EVP_PKEY_OP_VERIFY);
}

int ecdsa_digest_signverify_update(void *vctx, const unsigned char *data,
                                   size_t datalen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx == NULL || ctx->mdctx == NULL)
        return 0;

    return EVP_DigestUpdate(ctx->mdctx, data, datalen);
}

int ecdsa_digest_sign_final(void *vctx, unsigned char *sig, size_t *siglen,
                            size_t sigsize)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    unsigned char digest[EVP_MAX_MD_SIZE];
    unsigned int dlen = 0;

    if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL)
        return 0;

    /*
     * If sig is NULL then we're just finding out the sig size. Other fields
     * are ignored. Defer to ecdsa_sign.
     */
    if (sig != NULL) {
        /*
         * TODO(3.0): There is the possibility that some externally provided
         * digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
         * but that problem is much larger than just in DSA.
         */
        if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
            return 0;
    }

    return ecdsa_sign(vctx, sig, siglen, sigsize, digest, (size_t)dlen);
}

int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
                              size_t siglen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    unsigned char digest[EVP_MAX_MD_SIZE];
    unsigned int dlen = 0;

    if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL)
        return 0;

    /*
     * TODO(3.0): There is the possibility that some externally provided
     * digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
     * but that problem is much larger than just in DSA.
     */
    if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
        return 0;

    return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
}

static void ecdsa_freectx(void *vctx)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    free_md(ctx);
    EC_KEY_free(ctx->ec);
    BN_clear_free(ctx->kinv);
    BN_clear_free(ctx->r);
    OPENSSL_free(ctx);
}

static void *ecdsa_dupctx(void *vctx)
{
    PROV_ECDSA_CTX *srcctx = (PROV_ECDSA_CTX *)vctx;
    PROV_ECDSA_CTX *dstctx;

    if (!ossl_prov_is_running())
        return NULL;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;
    dstctx->ec = NULL;
    dstctx->md = NULL;
    dstctx->mdctx = NULL;

    if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
        goto err;
    /* Test KATS should not need to be supported */
    if (srcctx->kinv != NULL || srcctx->r != NULL)
        goto err;
    dstctx->ec = srcctx->ec;

    if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
        goto err;
    dstctx->md = srcctx->md;

    if (srcctx->mdctx != NULL) {
        dstctx->mdctx = EVP_MD_CTX_new();
        if (dstctx->mdctx == NULL
                || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
            goto err;
    }

    return dstctx;
 err:
    ecdsa_freectx(dstctx);
    return NULL;
}

static int ecdsa_get_ctx_params(void *vctx, OSSL_PARAM *params)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    OSSL_PARAM *p;

    if (ctx == NULL || params == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
    if (p != NULL && !OSSL_PARAM_set_octet_string(p, ctx->aid, ctx->aid_len))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->mdsize))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
    if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL
                                                    ? ctx->mdname
                                                    : EVP_MD_name(ctx->md)))
        return 0;

    return 1;
}

static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
    OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *ecdsa_gettable_ctx_params(ossl_unused void *provctx)
{
    return known_gettable_ctx_params;
}

static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    const OSSL_PARAM *p;
    char *mdname;

    if (ctx == NULL || params == NULL)
        return 0;

    if (ctx->md != NULL) {
        /*
         * You cannot set the digest name/size when doing a DigestSign or
         * DigestVerify.
         */
        return 1;
    }
#if !defined(OPENSSL_NO_ACVP_TESTS)
    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
    if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->kattest))
        return 0;
#endif

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
    if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->mdsize))
        return 0;

    /*
     * We never actually use the mdname, but we do support getting it later.
     * This can be useful for applications that want to know the MD that they
     * previously set.
     */
    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
    mdname = ctx->mdname;
    if (p != NULL
            && !OSSL_PARAM_get_utf8_string(p, &mdname, sizeof(ctx->mdname)))
        return 0;

    return 1;
}

static const OSSL_PARAM known_settable_ctx_params[] = {
    OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT, NULL),
    OSSL_PARAM_END
};

static const OSSL_PARAM *ecdsa_settable_ctx_params(ossl_unused void *provctx)
{
    /*
     * TODO(3.0): Should this function return a different set of settable ctx
     * params if the ctx is being used for a DigestSign/DigestVerify? In that
     * case it is not allowed to set the digest size/digest name because the
     * digest is explicitly set as part of the init.
     */
    return known_settable_ctx_params;
}

static int ecdsa_get_ctx_md_params(void *vctx, OSSL_PARAM *params)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->mdctx == NULL)
        return 0;

    return EVP_MD_CTX_get_params(ctx->mdctx, params);
}

static const OSSL_PARAM *ecdsa_gettable_ctx_md_params(void *vctx)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->md == NULL)
        return 0;

    return EVP_MD_gettable_ctx_params(ctx->md);
}

static int ecdsa_set_ctx_md_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->mdctx == NULL)
        return 0;

    return EVP_MD_CTX_set_params(ctx->mdctx, params);
}

static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->md == NULL)
        return 0;

    return EVP_MD_settable_ctx_params(ctx->md);
}

const OSSL_DISPATCH ecossl_dsa_signature_functions[] = {
    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
    { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
    { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign },
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_verify_init },
    { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
      (void (*)(void))ecdsa_digest_sign_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
      (void (*)(void))ecdsa_digest_signverify_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
      (void (*)(void))ecdsa_digest_sign_final },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
      (void (*)(void))ecdsa_digest_verify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
      (void (*)(void))ecdsa_digest_signverify_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
      (void (*)(void))ecdsa_digest_verify_final },
    { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx },
    { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx },
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))ecdsa_get_ctx_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
      (void (*)(void))ecdsa_gettable_ctx_params },
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))ecdsa_set_ctx_params },
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
      (void (*)(void))ecdsa_settable_ctx_params },
    { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_get_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_gettable_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_set_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_settable_ctx_md_params },
    { 0, NULL }
};
Commit	Line	Data
edd3b7a3 SL	1	/*
	2	* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/*
	11	* ECDSA low level APIs are deprecated for public use, but still ok for
	12	* internal use.
	13	*/
	14	#include "internal/deprecated.h"
	15
	16	#include <string.h> /* memcpy */
	17	#include <openssl/crypto.h>
23c48d94	18	#include <openssl/core_dispatch.h>
edd3b7a3 SL	19	#include <openssl/core_names.h>
	20	#include <openssl/dsa.h>
	21	#include <openssl/params.h>
	22	#include <openssl/evp.h>
	23	#include <openssl/err.h>
	24	#include "internal/nelem.h"
	25	#include "internal/sizes.h"
2d956b32	26	#include "internal/cryptlib.h"
f590a5ea	27	#include "prov/providercommon.h"
edd3b7a3 SL	28	#include "prov/providercommonerr.h"
	29	#include "prov/implementations.h"
	30	#include "prov/provider_ctx.h"
7a810fac	31	#include "prov/securitycheck.h"
edd3b7a3	32	#include "crypto/ec.h"
2d956b32	33	#include "prov/der_ec.h"
edd3b7a3	34
363b1e5d	35	static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
0645110e SL	36	static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
0645110e SL	37	static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
363b1e5d DMSP	38	static OSSL_FUNC_signature_sign_fn ecdsa_sign;
363b1e5d DMSP	39	static OSSL_FUNC_signature_verify_fn ecdsa_verify;
0645110e	40	static OSSL_FUNC_signature_digest_sign_init_fn ecdsa_digest_sign_init;
363b1e5d DMSP	41	static OSSL_FUNC_signature_digest_sign_update_fn ecdsa_digest_signverify_update;
363b1e5d DMSP	42	static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
0645110e	43	static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
363b1e5d DMSP	44	static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
	45	static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
	46	static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
	47	static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
	48	static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
	49	static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
	50	static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_set_ctx_params;
	51	static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_settable_ctx_params;
	52	static OSSL_FUNC_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params;
	53	static OSSL_FUNC_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params;
	54	static OSSL_FUNC_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params;
	55	static OSSL_FUNC_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params;
edd3b7a3 SL	56
	57	/*
	58	* What's passed as an actual key is defined by the KEYMGMT interface.
	59	* We happen to know that our KEYMGMT simply passes DSA structures, so
	60	* we use that here too.
	61	*/
	62
	63	typedef struct {
	64	OPENSSL_CTX *libctx;
2c6094ba	65	char *propq;
edd3b7a3 SL	66	EC_KEY *ec;
	67	char mdname[OSSL_MAX_NAME_SIZE];
	68
	69	/* The Algorithm Identifier of the combined signature algorithm */
2d956b32 RL	70	unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
2d956b32 RL	71	unsigned char *aid;
edd3b7a3 SL	72	size_t aid_len;
edd3b7a3 SL	73	size_t mdsize;
0645110e	74	int operation;
edd3b7a3 SL	75
	76	EVP_MD *md;
	77	EVP_MD_CTX *mdctx;
edd3b7a3 SL	78	/*
	79	* Internally used to cache the results of calling the EC group
	80	* sign_setup() methods which are then passed to the sign operation.
	81	* This is used by CAVS failure tests to terminate a loop if the signature
	82	* is not valid.
	83	* This could of also been done with a simple flag.
	84	*/
	85	BIGNUM *kinv;
	86	BIGNUM *r;
49ed5ba8	87	#if !defined(OPENSSL_NO_ACVP_TESTS)
4f2271d5 SL	88	/*
	89	* This indicates that KAT (CAVS) test is running. Externally an app will
	90	* override the random callback such that the generated private key and k
	91	* are known.
	92	* Normal operation will loop to choose a new k if the signature is not
	93	* valid - but for this mode of operation it forces a failure instead.
	94	*/
	95	unsigned int kattest;
	96	#endif
edd3b7a3 SL	97	} PROV_ECDSA_CTX;
edd3b7a3 SL	98
2c6094ba	99	static void ecdsa_newctx(void provctx, const char *propq)
edd3b7a3	100	{
f590a5ea	101	PROV_ECDSA_CTX *ctx;
edd3b7a3	102
f590a5ea P	103	if (!ossl_prov_is_running())
	104	return NULL;
	105
	106	ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));
edd3b7a3 SL	107	if (ctx == NULL)
	108	return NULL;
	109
	110	ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
2c6094ba RL	111	if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL) {
	112	OPENSSL_free(ctx);
	113	ctx = NULL;
	114	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
	115	}
edd3b7a3 SL	116	return ctx;
	117	}
	118
0645110e	119	static int ecdsa_signverify_init(void vctx, void ec, int operation)
edd3b7a3 SL	120	{
	121	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	122
f590a5ea P	123	if (!ossl_prov_is_running()
	124	\|\| ctx == NULL
	125	\|\| ec == NULL
	126	\|\| !EC_KEY_up_ref(ec))
edd3b7a3 SL	127	return 0;
	128	EC_KEY_free(ctx->ec);
	129	ctx->ec = ec;
0645110e	130	ctx->operation = operation;
49ed5ba8	131	return ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
0645110e SL	132	}
	133
	134	static int ecdsa_sign_init(void vctx, void ec)
	135	{
	136	return ecdsa_signverify_init(vctx, ec, EVP_PKEY_OP_SIGN);
	137	}
	138
	139	static int ecdsa_verify_init(void vctx, void ec)
	140	{
	141	return ecdsa_signverify_init(vctx, ec, EVP_PKEY_OP_VERIFY);
edd3b7a3 SL	142	}
	143
	144	static int ecdsa_sign(void vctx, unsigned char sig, size_t *siglen,
	145	size_t sigsize, const unsigned char *tbs, size_t tbslen)
	146	{
	147	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	148	int ret;
	149	unsigned int sltmp;
	150	size_t ecsize = ECDSA_size(ctx->ec);
	151
f590a5ea P	152	if (!ossl_prov_is_running())
	153	return 0;
	154
edd3b7a3 SL	155	if (sig == NULL) {
	156	*siglen = ecsize;
	157	return 1;
	158	}
	159
49ed5ba8	160	#if !defined(OPENSSL_NO_ACVP_TESTS)
edd3b7a3 SL	161	if (ctx->kattest && !ECDSA_sign_setup(ctx->ec, NULL, &ctx->kinv, &ctx->r))
edd3b7a3 SL	162	return 0;
4f2271d5	163	#endif
edd3b7a3 SL	164
	165	if (sigsize < (size_t)ecsize)
	166	return 0;
	167
	168	if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
	169	return 0;
	170
	171	ret = ECDSA_sign_ex(0, tbs, tbslen, sig, &sltmp, ctx->kinv, ctx->r, ctx->ec);
	172	if (ret <= 0)
	173	return 0;
	174
	175	*siglen = sltmp;
	176	return 1;
	177	}
	178
	179	static int ecdsa_verify(void vctx, const unsigned char sig, size_t siglen,
	180	const unsigned char *tbs, size_t tbslen)
	181	{
	182	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	183
f590a5ea	184	if (!ossl_prov_is_running() \|\| (ctx->mdsize != 0 && tbslen != ctx->mdsize))
edd3b7a3 SL	185	return 0;
	186
	187	return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
	188	}
	189
edd3b7a3 SL	190	static void free_md(PROV_ECDSA_CTX *ctx)
edd3b7a3 SL	191	{
4f2271d5	192	OPENSSL_free(ctx->propq);
edd3b7a3 SL	193	EVP_MD_CTX_free(ctx->mdctx);
edd3b7a3 SL	194	EVP_MD_free(ctx->md);
4f2271d5	195	ctx->propq = NULL;
edd3b7a3 SL	196	ctx->mdctx = NULL;
	197	ctx->md = NULL;
	198	ctx->mdsize = 0;
	199	}
	200
	201	static int ecdsa_digest_signverify_init(void vctx, const char mdname,
0645110e	202	void *ec, int operation)
edd3b7a3 SL	203	{
edd3b7a3 SL	204	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
2d956b32 RL	205	int md_nid = NID_undef;
2d956b32 RL	206	WPACKET pkt;
49ed5ba8	207	int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
edd3b7a3	208
f590a5ea P	209	if (!ossl_prov_is_running())
	210	return 0;
	211
edd3b7a3 SL	212	free_md(ctx);
edd3b7a3 SL	213
0645110e	214	if (!ecdsa_signverify_init(vctx, ec, operation))
edd3b7a3 SL	215	return 0;
edd3b7a3 SL	216
2c6094ba	217	ctx->md = EVP_MD_fetch(ctx->libctx, mdname, ctx->propq);
49ed5ba8	218	md_nid = digest_get_approved_nid_with_sha1(ctx->md, sha1_allowed);
0645110e	219	if (md_nid == NID_undef)
edd3b7a3 SL	220	goto error;
	221
	222	ctx->mdsize = EVP_MD_size(ctx->md);
	223	ctx->mdctx = EVP_MD_CTX_new();
	224	if (ctx->mdctx == NULL)
	225	goto error;
	226
2d956b32 RL	227	/*
	228	* TODO(3.0) Should we care about DER writing errors?
	229	* All it really means is that for some reason, there's no
	230	* AlgorithmIdentifier to be had, but the operation itself is
	231	* still valid, just as long as it's not used to construct
	232	* anything that needs an AlgorithmIdentifier.
	233	*/
	234	ctx->aid_len = 0;
	235	if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
a55b00bd P	236	&& ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec,
a55b00bd P	237	md_nid)
2d956b32 RL	238	&& WPACKET_finish(&pkt)) {
	239	WPACKET_get_total_written(&pkt, &ctx->aid_len);
	240	ctx->aid = WPACKET_get_curr(&pkt);
	241	}
	242	WPACKET_cleanup(&pkt);
edd3b7a3 SL	243
	244	if (!EVP_DigestInit_ex(ctx->mdctx, ctx->md, NULL))
	245	goto error;
	246	return 1;
	247	error:
	248	free_md(ctx);
	249	return 0;
	250	}
	251
0645110e SL	252	static int ecdsa_digest_sign_init(void vctx, const char mdname, void *ec)
	253	{
	254	return ecdsa_digest_signverify_init(vctx, mdname, ec, EVP_PKEY_OP_SIGN);
	255	}
	256
	257	static int ecdsa_digest_verify_init(void vctx, const char mdname, void *ec)
	258	{
	259	return ecdsa_digest_signverify_init(vctx, mdname, ec, EVP_PKEY_OP_VERIFY);
	260	}
	261
edd3b7a3 SL	262	int ecdsa_digest_signverify_update(void vctx, const unsigned char data,
	263	size_t datalen)
	264	{
	265	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	266
	267	if (ctx == NULL \|\| ctx->mdctx == NULL)
	268	return 0;
	269
	270	return EVP_DigestUpdate(ctx->mdctx, data, datalen);
	271	}
	272
	273	int ecdsa_digest_sign_final(void vctx, unsigned char sig, size_t *siglen,
	274	size_t sigsize)
	275	{
	276	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	277	unsigned char digest[EVP_MAX_MD_SIZE];
	278	unsigned int dlen = 0;
	279
f590a5ea	280	if (!ossl_prov_is_running() \|\| ctx == NULL \|\| ctx->mdctx == NULL)
edd3b7a3 SL	281	return 0;
	282
	283	/*
	284	* If sig is NULL then we're just finding out the sig size. Other fields
	285	* are ignored. Defer to ecdsa_sign.
	286	*/
	287	if (sig != NULL) {
	288	/*
	289	* TODO(3.0): There is the possibility that some externally provided
	290	* digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
	291	* but that problem is much larger than just in DSA.
	292	*/
	293	if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
	294	return 0;
	295	}
	296
	297	return ecdsa_sign(vctx, sig, siglen, sigsize, digest, (size_t)dlen);
	298	}
	299
	300	int ecdsa_digest_verify_final(void vctx, const unsigned char sig,
	301	size_t siglen)
	302	{
	303	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	304	unsigned char digest[EVP_MAX_MD_SIZE];
	305	unsigned int dlen = 0;
	306
f590a5ea	307	if (!ossl_prov_is_running() \|\| ctx == NULL \|\| ctx->mdctx == NULL)
edd3b7a3 SL	308	return 0;
	309
	310	/*
	311	* TODO(3.0): There is the possibility that some externally provided
	312	* digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
	313	* but that problem is much larger than just in DSA.
	314	*/
	315	if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
	316	return 0;
	317
	318	return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
	319	}
	320
	321	static void ecdsa_freectx(void *vctx)
	322	{
	323	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	324
	325	free_md(ctx);
	326	EC_KEY_free(ctx->ec);
	327	BN_clear_free(ctx->kinv);
	328	BN_clear_free(ctx->r);
	329	OPENSSL_free(ctx);
	330	}
	331
	332	static void ecdsa_dupctx(void vctx)
	333	{
	334	PROV_ECDSA_CTX srcctx = (PROV_ECDSA_CTX )vctx;
	335	PROV_ECDSA_CTX *dstctx;
	336
f590a5ea P	337	if (!ossl_prov_is_running())
	338	return NULL;
	339
edd3b7a3 SL	340	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
	341	if (dstctx == NULL)
	342	return NULL;
	343
	344	dstctx = srcctx;
	345	dstctx->ec = NULL;
	346	dstctx->md = NULL;
	347	dstctx->mdctx = NULL;
	348
	349	if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
	350	goto err;
	351	/* Test KATS should not need to be supported */
	352	if (srcctx->kinv != NULL \|\| srcctx->r != NULL)
	353	goto err;
	354	dstctx->ec = srcctx->ec;
	355
	356	if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
	357	goto err;
	358	dstctx->md = srcctx->md;
	359
	360	if (srcctx->mdctx != NULL) {
	361	dstctx->mdctx = EVP_MD_CTX_new();
	362	if (dstctx->mdctx == NULL
	363	\|\| !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
	364	goto err;
	365	}
	366
	367	return dstctx;
	368	err:
	369	ecdsa_freectx(dstctx);
	370	return NULL;
	371	}
	372
	373	static int ecdsa_get_ctx_params(void vctx, OSSL_PARAM params)
	374	{
	375	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	376	OSSL_PARAM *p;
	377
	378	if (ctx == NULL \|\| params == NULL)
	379	return 0;
	380
	381	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
	382	if (p != NULL && !OSSL_PARAM_set_octet_string(p, ctx->aid, ctx->aid_len))
	383	return 0;
	384
	385	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
	386	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->mdsize))
	387	return 0;
	388
	389	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
	390	if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL
	391	? ctx->mdname
	392	: EVP_MD_name(ctx->md)))
	393	return 0;
	394
	395	return 1;
	396	}
	397
	398	static const OSSL_PARAM known_gettable_ctx_params[] = {
	399	OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
	400	OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
	401	OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
	402	OSSL_PARAM_END
	403	};
404
1017ab21	405	static const OSSL_PARAM ecdsa_gettable_ctx_params(ossl_unused void provctx)
edd3b7a3 SL	406	{
	407	return known_gettable_ctx_params;
	408	}
	409
	410	static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
	411	{
	412	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	413	const OSSL_PARAM *p;
	414	char *mdname;
	415
	416	if (ctx == NULL \|\| params == NULL)
	417	return 0;
	418
	419	if (ctx->md != NULL) {
	420	/*
	421	* You cannot set the digest name/size when doing a DigestSign or
	422	* DigestVerify.
	423	*/
	424	return 1;
	425	}
49ed5ba8	426	#if !defined(OPENSSL_NO_ACVP_TESTS)
edd3b7a3 SL	427	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
	428	if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->kattest))
	429	return 0;
4f2271d5	430	#endif
edd3b7a3 SL	431
	432	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
	433	if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->mdsize))
	434	return 0;
	435
	436	/*
	437	* We never actually use the mdname, but we do support getting it later.
	438	* This can be useful for applications that want to know the MD that they
	439	* previously set.
	440	*/
	441	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
	442	mdname = ctx->mdname;
	443	if (p != NULL
	444	&& !OSSL_PARAM_get_utf8_string(p, &mdname, sizeof(ctx->mdname)))
	445	return 0;
	446
	447	return 1;
	448	}
	449
	450	static const OSSL_PARAM known_settable_ctx_params[] = {
	451	OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
	452	OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
	453	OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT, NULL),
	454	OSSL_PARAM_END
	455	};
	456
1017ab21	457	static const OSSL_PARAM ecdsa_settable_ctx_params(ossl_unused void provctx)
edd3b7a3 SL	458	{
	459	/*
	460	* TODO(3.0): Should this function return a different set of settable ctx
	461	* params if the ctx is being used for a DigestSign/DigestVerify? In that
	462	* case it is not allowed to set the digest size/digest name because the
	463	* digest is explicitly set as part of the init.
	464	*/
	465	return known_settable_ctx_params;
	466	}
	467
	468	static int ecdsa_get_ctx_md_params(void vctx, OSSL_PARAM params)
	469	{
	470	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	471
	472	if (ctx->mdctx == NULL)
	473	return 0;
	474
	475	return EVP_MD_CTX_get_params(ctx->mdctx, params);
	476	}
	477
	478	static const OSSL_PARAM ecdsa_gettable_ctx_md_params(void vctx)
	479	{
	480	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	481
	482	if (ctx->md == NULL)
	483	return 0;
	484
	485	return EVP_MD_gettable_ctx_params(ctx->md);
	486	}
	487
	488	static int ecdsa_set_ctx_md_params(void *vctx, const OSSL_PARAM params[])
	489	{
	490	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	491
	492	if (ctx->mdctx == NULL)
	493	return 0;
	494
	495	return EVP_MD_CTX_set_params(ctx->mdctx, params);
	496	}
	497
	498	static const OSSL_PARAM ecdsa_settable_ctx_md_params(void vctx)
	499	{
	500	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	501
	502	if (ctx->md == NULL)
	503	return 0;
	504
	505	return EVP_MD_settable_ctx_params(ctx->md);
	506	}
	507
1be63951	508	const OSSL_DISPATCH ecossl_dsa_signature_functions[] = {
edd3b7a3	509	{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
0645110e	510	{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
edd3b7a3	511	{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign },
0645110e	512	{ OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_verify_init },
edd3b7a3 SL	513	{ OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify },
edd3b7a3 SL	514	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
0645110e	515	(void (*)(void))ecdsa_digest_sign_init },
edd3b7a3 SL	516	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
	517	(void (*)(void))ecdsa_digest_signverify_update },
	518	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
	519	(void (*)(void))ecdsa_digest_sign_final },
	520	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
0645110e	521	(void (*)(void))ecdsa_digest_verify_init },
edd3b7a3 SL	522	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
	523	(void (*)(void))ecdsa_digest_signverify_update },
	524	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
	525	(void (*)(void))ecdsa_digest_verify_final },
	526	{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx },
	527	{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx },
	528	{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))ecdsa_get_ctx_params },
	529	{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
	530	(void (*)(void))ecdsa_gettable_ctx_params },
	531	{ OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))ecdsa_set_ctx_params },
	532	{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
	533	(void (*)(void))ecdsa_settable_ctx_params },
	534	{ OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
	535	(void (*)(void))ecdsa_get_ctx_md_params },
	536	{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
	537	(void (*)(void))ecdsa_gettable_ctx_md_params },
	538	{ OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
	539	(void (*)(void))ecdsa_set_ctx_md_params },
	540	{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
	541	(void (*)(void))ecdsa_settable_ctx_md_params },
	542	{ 0, NULL }
	543	};