[thirdparty/openssl.git] / providers / implementations / signature / ecdsa.c

/*
 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * ECDSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <string.h> /* memcpy */
#include <openssl/crypto.h>
#include <openssl/core_numbers.h>
#include <openssl/core_names.h>
#include <openssl/dsa.h>
#include <openssl/params.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/cryptlib.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "crypto/ec.h"
#include "prov/der_ec.h"

static OSSL_OP_signature_newctx_fn ecdsa_newctx;
static OSSL_OP_signature_sign_init_fn ecdsa_signature_init;
static OSSL_OP_signature_verify_init_fn ecdsa_signature_init;
static OSSL_OP_signature_sign_fn ecdsa_sign;
static OSSL_OP_signature_verify_fn ecdsa_verify;
static OSSL_OP_signature_digest_sign_init_fn ecdsa_digest_signverify_init;
static OSSL_OP_signature_digest_sign_update_fn ecdsa_digest_signverify_update;
static OSSL_OP_signature_digest_sign_final_fn ecdsa_digest_sign_final;
static OSSL_OP_signature_digest_verify_init_fn ecdsa_digest_signverify_init;
static OSSL_OP_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
static OSSL_OP_signature_digest_verify_final_fn ecdsa_digest_verify_final;
static OSSL_OP_signature_freectx_fn ecdsa_freectx;
static OSSL_OP_signature_dupctx_fn ecdsa_dupctx;
static OSSL_OP_signature_get_ctx_params_fn ecdsa_get_ctx_params;
static OSSL_OP_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
static OSSL_OP_signature_set_ctx_params_fn ecdsa_set_ctx_params;
static OSSL_OP_signature_settable_ctx_params_fn ecdsa_settable_ctx_params;
static OSSL_OP_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params;
static OSSL_OP_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params;
static OSSL_OP_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params;
static OSSL_OP_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params;

/*
 * What's passed as an actual key is defined by the KEYMGMT interface.
 * We happen to know that our KEYMGMT simply passes DSA structures, so
 * we use that here too.
 */

typedef struct {
    OPENSSL_CTX *libctx;
    EC_KEY *ec;
    char mdname[OSSL_MAX_NAME_SIZE];

    /* The Algorithm Identifier of the combined signature algorithm */
    unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
    unsigned char *aid;
    size_t  aid_len;
    size_t mdsize;

    EVP_MD *md;
    EVP_MD_CTX *mdctx;
    /*
     * This indicates that KAT (CAVS) test is running. Externally an app will
     * override the random callback such that the generated private key and k
     * are known.
     * Normal operation will loop to choose a new k if the signature is not
     * valid - but for this mode of operation it forces a failure instead.
     */
    unsigned int kattest;
    /*
     * Internally used to cache the results of calling the EC group
     * sign_setup() methods which are then passed to the sign operation.
     * This is used by CAVS failure tests to terminate a loop if the signature
     * is not valid.
     * This could of also been done with a simple flag.
     */
    BIGNUM *kinv;
    BIGNUM *r;
} PROV_ECDSA_CTX;

static void *ecdsa_newctx(void *provctx)
{
    PROV_ECDSA_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));

    if (ctx == NULL)
        return NULL;

    ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
    return ctx;
}

static int ecdsa_signature_init(void *vctx, void *ec)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx == NULL || ec == NULL || !EC_KEY_up_ref(ec))
        return 0;
    EC_KEY_free(ctx->ec);
    ctx->ec = ec;
    return 1;
}

static int ecdsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
                      size_t sigsize, const unsigned char *tbs, size_t tbslen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    int ret;
    unsigned int sltmp;
    size_t ecsize = ECDSA_size(ctx->ec);

    if (sig == NULL) {
        *siglen = ecsize;
        return 1;
    }

    if (ctx->kattest && !ECDSA_sign_setup(ctx->ec, NULL, &ctx->kinv, &ctx->r))
        return 0;

    if (sigsize < (size_t)ecsize)
        return 0;

    if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
        return 0;

    ret = ECDSA_sign_ex(0, tbs, tbslen, sig, &sltmp, ctx->kinv, ctx->r, ctx->ec);
    if (ret <= 0)
        return 0;

    *siglen = sltmp;
    return 1;
}

static int ecdsa_verify(void *vctx, const unsigned char *sig, size_t siglen,
                        const unsigned char *tbs, size_t tbslen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
        return 0;

    return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
}

static int get_md_nid(const EVP_MD *md)
{
    /*
     * Because the ECDSA library deals with NIDs, we need to translate.
     * We do so using EVP_MD_is_a(), and therefore need a name to NID
     * map.
     */
    static const OSSL_ITEM name_to_nid[] = {
        { NID_sha1,   OSSL_DIGEST_NAME_SHA1   },
        { NID_sha224, OSSL_DIGEST_NAME_SHA2_224 },
        { NID_sha256, OSSL_DIGEST_NAME_SHA2_256 },
        { NID_sha384, OSSL_DIGEST_NAME_SHA2_384 },
        { NID_sha512, OSSL_DIGEST_NAME_SHA2_512 },
        { NID_sha3_224, OSSL_DIGEST_NAME_SHA3_224 },
        { NID_sha3_256, OSSL_DIGEST_NAME_SHA3_256 },
        { NID_sha3_384, OSSL_DIGEST_NAME_SHA3_384 },
        { NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 },
        /* TODO - Add SHAKE OIDS when they are standardized */

    };
    size_t i;
    int mdnid = NID_undef;

    if (md == NULL)
        goto end;

    for (i = 0; i < OSSL_NELEM(name_to_nid); i++) {
        if (EVP_MD_is_a(md, name_to_nid[i].ptr)) {
            mdnid = (int)name_to_nid[i].id;
            break;
        }
    }

    if (mdnid == NID_undef)
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);

 end:
    return mdnid;
}

static void free_md(PROV_ECDSA_CTX *ctx)
{
    EVP_MD_CTX_free(ctx->mdctx);
    EVP_MD_free(ctx->md);
    ctx->mdctx = NULL;
    ctx->md = NULL;
    ctx->mdsize = 0;
}

static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
                                        const char *props, void *ec)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    int md_nid = NID_undef;
    WPACKET pkt;

    free_md(ctx);

    if (!ecdsa_signature_init(vctx, ec))
        return 0;

    ctx->md = EVP_MD_fetch(ctx->libctx, mdname, props);
    if ((md_nid = get_md_nid(ctx->md)) == NID_undef)
        goto error;

    ctx->mdsize = EVP_MD_size(ctx->md);
    ctx->mdctx = EVP_MD_CTX_new();
    if (ctx->mdctx == NULL)
        goto error;

    /*
     * TODO(3.0) Should we care about DER writing errors?
     * All it really means is that for some reason, there's no
     * AlgorithmIdentifier to be had, but the operation itself is
     * still valid, just as long as it's not used to construct
     * anything that needs an AlgorithmIdentifier.
     */
    ctx->aid_len = 0;
    if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
        && DER_w_algorithmIdentifier_ECDSA_with(&pkt, -1, ctx->ec, md_nid)
        && WPACKET_finish(&pkt)) {
        WPACKET_get_total_written(&pkt, &ctx->aid_len);
        ctx->aid = WPACKET_get_curr(&pkt);
    }
    WPACKET_cleanup(&pkt);

    if (!EVP_DigestInit_ex(ctx->mdctx, ctx->md, NULL))
        goto error;
    return 1;
error:
    free_md(ctx);
    return 0;
}

int ecdsa_digest_signverify_update(void *vctx, const unsigned char *data,
                                   size_t datalen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx == NULL || ctx->mdctx == NULL)
        return 0;

    return EVP_DigestUpdate(ctx->mdctx, data, datalen);
}

int ecdsa_digest_sign_final(void *vctx, unsigned char *sig, size_t *siglen,
                            size_t sigsize)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    unsigned char digest[EVP_MAX_MD_SIZE];
    unsigned int dlen = 0;

    if (ctx == NULL || ctx->mdctx == NULL)
        return 0;

    /*
     * If sig is NULL then we're just finding out the sig size. Other fields
     * are ignored. Defer to ecdsa_sign.
     */
    if (sig != NULL) {
        /*
         * TODO(3.0): There is the possibility that some externally provided
         * digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
         * but that problem is much larger than just in DSA.
         */
        if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
            return 0;
    }

    return ecdsa_sign(vctx, sig, siglen, sigsize, digest, (size_t)dlen);
}

int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
                              size_t siglen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    unsigned char digest[EVP_MAX_MD_SIZE];
    unsigned int dlen = 0;

    if (ctx == NULL || ctx->mdctx == NULL)
        return 0;

    /*
     * TODO(3.0): There is the possibility that some externally provided
     * digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
     * but that problem is much larger than just in DSA.
     */
    if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
        return 0;

    return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
}

static void ecdsa_freectx(void *vctx)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    free_md(ctx);
    EC_KEY_free(ctx->ec);
    BN_clear_free(ctx->kinv);
    BN_clear_free(ctx->r);
    OPENSSL_free(ctx);
}

static void *ecdsa_dupctx(void *vctx)
{
    PROV_ECDSA_CTX *srcctx = (PROV_ECDSA_CTX *)vctx;
    PROV_ECDSA_CTX *dstctx;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;
    dstctx->ec = NULL;
    dstctx->md = NULL;
    dstctx->mdctx = NULL;

    if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
        goto err;
    /* Test KATS should not need to be supported */
    if (srcctx->kinv != NULL || srcctx->r != NULL)
        goto err;
    dstctx->ec = srcctx->ec;

    if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
        goto err;
    dstctx->md = srcctx->md;

    if (srcctx->mdctx != NULL) {
        dstctx->mdctx = EVP_MD_CTX_new();
        if (dstctx->mdctx == NULL
                || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
            goto err;
    }

    return dstctx;
 err:
    ecdsa_freectx(dstctx);
    return NULL;
}

static int ecdsa_get_ctx_params(void *vctx, OSSL_PARAM *params)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    OSSL_PARAM *p;

    if (ctx == NULL || params == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
    if (p != NULL && !OSSL_PARAM_set_octet_string(p, ctx->aid, ctx->aid_len))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->mdsize))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
    if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL
                                                    ? ctx->mdname
                                                    : EVP_MD_name(ctx->md)))
        return 0;

    return 1;
}

static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
    OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *ecdsa_gettable_ctx_params(void)
{
    return known_gettable_ctx_params;
}

static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    const OSSL_PARAM *p;
    char *mdname;

    if (ctx == NULL || params == NULL)
        return 0;

    if (ctx->md != NULL) {
        /*
         * You cannot set the digest name/size when doing a DigestSign or
         * DigestVerify.
         */
        return 1;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
    if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->kattest))
        return 0;

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
    if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->mdsize))
        return 0;

    /*
     * We never actually use the mdname, but we do support getting it later.
     * This can be useful for applications that want to know the MD that they
     * previously set.
     */
    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
    mdname = ctx->mdname;
    if (p != NULL
            && !OSSL_PARAM_get_utf8_string(p, &mdname, sizeof(ctx->mdname)))
        return 0;

    return 1;
}

static const OSSL_PARAM known_settable_ctx_params[] = {
    OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT, NULL),
    OSSL_PARAM_END
};

static const OSSL_PARAM *ecdsa_settable_ctx_params(void)
{
    /*
     * TODO(3.0): Should this function return a different set of settable ctx
     * params if the ctx is being used for a DigestSign/DigestVerify? In that
     * case it is not allowed to set the digest size/digest name because the
     * digest is explicitly set as part of the init.
     */
    return known_settable_ctx_params;
}

static int ecdsa_get_ctx_md_params(void *vctx, OSSL_PARAM *params)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->mdctx == NULL)
        return 0;

    return EVP_MD_CTX_get_params(ctx->mdctx, params);
}

static const OSSL_PARAM *ecdsa_gettable_ctx_md_params(void *vctx)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->md == NULL)
        return 0;

    return EVP_MD_gettable_ctx_params(ctx->md);
}

static int ecdsa_set_ctx_md_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->mdctx == NULL)
        return 0;

    return EVP_MD_CTX_set_params(ctx->mdctx, params);
}

static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->md == NULL)
        return 0;

    return EVP_MD_settable_ctx_params(ctx->md);
}

const OSSL_DISPATCH ecdsa_signature_functions[] = {
    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
    { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_signature_init },
    { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign },
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_signature_init },
    { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
      (void (*)(void))ecdsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
      (void (*)(void))ecdsa_digest_signverify_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
      (void (*)(void))ecdsa_digest_sign_final },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
      (void (*)(void))ecdsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
      (void (*)(void))ecdsa_digest_signverify_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
      (void (*)(void))ecdsa_digest_verify_final },
    { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx },
    { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx },
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))ecdsa_get_ctx_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
      (void (*)(void))ecdsa_gettable_ctx_params },
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))ecdsa_set_ctx_params },
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
      (void (*)(void))ecdsa_settable_ctx_params },
    { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_get_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_gettable_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_set_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_settable_ctx_md_params },
    { 0, NULL }
};
Commit	Line	Data
edd3b7a3 SL	1	/*
	2	* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/*
	11	* ECDSA low level APIs are deprecated for public use, but still ok for
	12	* internal use.
	13	*/
	14	#include "internal/deprecated.h"
	15
	16	#include <string.h> /* memcpy */
	17	#include <openssl/crypto.h>
	18	#include <openssl/core_numbers.h>
	19	#include <openssl/core_names.h>
	20	#include <openssl/dsa.h>
	21	#include <openssl/params.h>
	22	#include <openssl/evp.h>
	23	#include <openssl/err.h>
	24	#include "internal/nelem.h"
	25	#include "internal/sizes.h"
2d956b32	26	#include "internal/cryptlib.h"
edd3b7a3 SL	27	#include "prov/providercommonerr.h"
	28	#include "prov/implementations.h"
	29	#include "prov/provider_ctx.h"
	30	#include "crypto/ec.h"
2d956b32	31	#include "prov/der_ec.h"
edd3b7a3 SL	32
	33	static OSSL_OP_signature_newctx_fn ecdsa_newctx;
	34	static OSSL_OP_signature_sign_init_fn ecdsa_signature_init;
	35	static OSSL_OP_signature_verify_init_fn ecdsa_signature_init;
	36	static OSSL_OP_signature_sign_fn ecdsa_sign;
	37	static OSSL_OP_signature_verify_fn ecdsa_verify;
	38	static OSSL_OP_signature_digest_sign_init_fn ecdsa_digest_signverify_init;
	39	static OSSL_OP_signature_digest_sign_update_fn ecdsa_digest_signverify_update;
	40	static OSSL_OP_signature_digest_sign_final_fn ecdsa_digest_sign_final;
	41	static OSSL_OP_signature_digest_verify_init_fn ecdsa_digest_signverify_init;
	42	static OSSL_OP_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
	43	static OSSL_OP_signature_digest_verify_final_fn ecdsa_digest_verify_final;
	44	static OSSL_OP_signature_freectx_fn ecdsa_freectx;
	45	static OSSL_OP_signature_dupctx_fn ecdsa_dupctx;
	46	static OSSL_OP_signature_get_ctx_params_fn ecdsa_get_ctx_params;
	47	static OSSL_OP_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
	48	static OSSL_OP_signature_set_ctx_params_fn ecdsa_set_ctx_params;
	49	static OSSL_OP_signature_settable_ctx_params_fn ecdsa_settable_ctx_params;
	50	static OSSL_OP_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params;
	51	static OSSL_OP_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params;
	52	static OSSL_OP_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params;
	53	static OSSL_OP_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params;
	54
	55	/*
	56	* What's passed as an actual key is defined by the KEYMGMT interface.
	57	* We happen to know that our KEYMGMT simply passes DSA structures, so
	58	* we use that here too.
	59	*/
	60
	61	typedef struct {
	62	OPENSSL_CTX *libctx;
	63	EC_KEY *ec;
	64	char mdname[OSSL_MAX_NAME_SIZE];
	65
	66	/* The Algorithm Identifier of the combined signature algorithm */
2d956b32 RL	67	unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
2d956b32 RL	68	unsigned char *aid;
edd3b7a3 SL	69	size_t aid_len;
	70	size_t mdsize;
	71
	72	EVP_MD *md;
	73	EVP_MD_CTX *mdctx;
	74	/*
	75	* This indicates that KAT (CAVS) test is running. Externally an app will
	76	* override the random callback such that the generated private key and k
	77	* are known.
	78	* Normal operation will loop to choose a new k if the signature is not
	79	* valid - but for this mode of operation it forces a failure instead.
	80	*/
	81	unsigned int kattest;
	82	/*
	83	* Internally used to cache the results of calling the EC group
	84	* sign_setup() methods which are then passed to the sign operation.
	85	* This is used by CAVS failure tests to terminate a loop if the signature
	86	* is not valid.
	87	* This could of also been done with a simple flag.
	88	*/
	89	BIGNUM *kinv;
	90	BIGNUM *r;
	91	} PROV_ECDSA_CTX;
	92
	93	static void ecdsa_newctx(void provctx)
	94	{
	95	PROV_ECDSA_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));
	96
	97	if (ctx == NULL)
	98	return NULL;
	99
	100	ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
	101	return ctx;
	102	}
	103
	104	static int ecdsa_signature_init(void vctx, void ec)
	105	{
	106	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	107
	108	if (ctx == NULL \|\| ec == NULL \|\| !EC_KEY_up_ref(ec))
	109	return 0;
	110	EC_KEY_free(ctx->ec);
	111	ctx->ec = ec;
	112	return 1;
	113	}
	114
	115	static int ecdsa_sign(void vctx, unsigned char sig, size_t *siglen,
	116	size_t sigsize, const unsigned char *tbs, size_t tbslen)
	117	{
	118	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	119	int ret;
	120	unsigned int sltmp;
	121	size_t ecsize = ECDSA_size(ctx->ec);
	122
	123	if (sig == NULL) {
	124	*siglen = ecsize;
	125	return 1;
	126	}
	127
	128	if (ctx->kattest && !ECDSA_sign_setup(ctx->ec, NULL, &ctx->kinv, &ctx->r))
	129	return 0;
	130
	131	if (sigsize < (size_t)ecsize)
	132	return 0;
133
134	if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
135	return 0;
136
137	ret = ECDSA_sign_ex(0, tbs, tbslen, sig, &sltmp, ctx->kinv, ctx->r, ctx->ec);
138	if (ret <= 0)
139	return 0;
140
141	*siglen = sltmp;
142	return 1;
143	}
144
145	static int ecdsa_verify(void vctx, const unsigned char sig, size_t siglen,
146	const unsigned char *tbs, size_t tbslen)
147	{
148	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
149
150	if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
151	return 0;
152
153	return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
154	}
155
156	static int get_md_nid(const EVP_MD *md)
157	{
158	/*
159	* Because the ECDSA library deals with NIDs, we need to translate.
160	* We do so using EVP_MD_is_a(), and therefore need a name to NID
161	* map.
162	*/
163	static const OSSL_ITEM name_to_nid[] = {
164	{ NID_sha1, OSSL_DIGEST_NAME_SHA1 },
165	{ NID_sha224, OSSL_DIGEST_NAME_SHA2_224 },
166	{ NID_sha256, OSSL_DIGEST_NAME_SHA2_256 },
167	{ NID_sha384, OSSL_DIGEST_NAME_SHA2_384 },
168	{ NID_sha512, OSSL_DIGEST_NAME_SHA2_512 },
169	{ NID_sha3_224, OSSL_DIGEST_NAME_SHA3_224 },
170	{ NID_sha3_256, OSSL_DIGEST_NAME_SHA3_256 },
171	{ NID_sha3_384, OSSL_DIGEST_NAME_SHA3_384 },
172	{ NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 },
173	/* TODO - Add SHAKE OIDS when they are standardized */
174
175	};
176	size_t i;
177	int mdnid = NID_undef;
178
179	if (md == NULL)
180	goto end;
181
182	for (i = 0; i < OSSL_NELEM(name_to_nid); i++) {
183	if (EVP_MD_is_a(md, name_to_nid[i].ptr)) {
184	mdnid = (int)name_to_nid[i].id;
185	break;
186	}
187	}
188
189	if (mdnid == NID_undef)
190	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
191
192	end:
193	return mdnid;
194	}
195
196	static void free_md(PROV_ECDSA_CTX *ctx)
197	{
198	EVP_MD_CTX_free(ctx->mdctx);
199	EVP_MD_free(ctx->md);
200	ctx->mdctx = NULL;
201	ctx->md = NULL;
202	ctx->mdsize = 0;
203	}
204
205	static int ecdsa_digest_signverify_init(void vctx, const char mdname,
206	const char props, void ec)
207	{
208	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
2d956b32 RL	209	int md_nid = NID_undef;
2d956b32 RL	210	WPACKET pkt;
edd3b7a3 SL	211
	212	free_md(ctx);
	213
	214	if (!ecdsa_signature_init(vctx, ec))
	215	return 0;
	216
	217	ctx->md = EVP_MD_fetch(ctx->libctx, mdname, props);
2d956b32	218	if ((md_nid = get_md_nid(ctx->md)) == NID_undef)
edd3b7a3 SL	219	goto error;
	220
	221	ctx->mdsize = EVP_MD_size(ctx->md);
	222	ctx->mdctx = EVP_MD_CTX_new();
	223	if (ctx->mdctx == NULL)
	224	goto error;
	225
2d956b32 RL	226	/*
	227	* TODO(3.0) Should we care about DER writing errors?
	228	* All it really means is that for some reason, there's no
	229	* AlgorithmIdentifier to be had, but the operation itself is
	230	* still valid, just as long as it's not used to construct
	231	* anything that needs an AlgorithmIdentifier.
	232	*/
	233	ctx->aid_len = 0;
	234	if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
	235	&& DER_w_algorithmIdentifier_ECDSA_with(&pkt, -1, ctx->ec, md_nid)
	236	&& WPACKET_finish(&pkt)) {
	237	WPACKET_get_total_written(&pkt, &ctx->aid_len);
	238	ctx->aid = WPACKET_get_curr(&pkt);
	239	}
	240	WPACKET_cleanup(&pkt);
edd3b7a3 SL	241
	242	if (!EVP_DigestInit_ex(ctx->mdctx, ctx->md, NULL))
	243	goto error;
	244	return 1;
	245	error:
	246	free_md(ctx);
	247	return 0;
	248	}
	249
	250	int ecdsa_digest_signverify_update(void vctx, const unsigned char data,
	251	size_t datalen)
	252	{
	253	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	254
	255	if (ctx == NULL \|\| ctx->mdctx == NULL)
	256	return 0;
	257
	258	return EVP_DigestUpdate(ctx->mdctx, data, datalen);
	259	}
	260
	261	int ecdsa_digest_sign_final(void vctx, unsigned char sig, size_t *siglen,
	262	size_t sigsize)
	263	{
	264	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	265	unsigned char digest[EVP_MAX_MD_SIZE];
	266	unsigned int dlen = 0;
	267
	268	if (ctx == NULL \|\| ctx->mdctx == NULL)
	269	return 0;
	270
	271	/*
	272	* If sig is NULL then we're just finding out the sig size. Other fields
	273	* are ignored. Defer to ecdsa_sign.
	274	*/
	275	if (sig != NULL) {
	276	/*
	277	* TODO(3.0): There is the possibility that some externally provided
	278	* digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
	279	* but that problem is much larger than just in DSA.
	280	*/
	281	if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
	282	return 0;
	283	}
	284
	285	return ecdsa_sign(vctx, sig, siglen, sigsize, digest, (size_t)dlen);
	286	}
	287
	288	int ecdsa_digest_verify_final(void vctx, const unsigned char sig,
	289	size_t siglen)
	290	{
	291	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	292	unsigned char digest[EVP_MAX_MD_SIZE];
	293	unsigned int dlen = 0;
	294
	295	if (ctx == NULL \|\| ctx->mdctx == NULL)
	296	return 0;
	297
	298	/*
	299	* TODO(3.0): There is the possibility that some externally provided
	300	* digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
	301	* but that problem is much larger than just in DSA.
	302	*/
	303	if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
	304	return 0;
305
306	return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
307	}
308
309	static void ecdsa_freectx(void *vctx)
310	{
311	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
312
313	free_md(ctx);
314	EC_KEY_free(ctx->ec);
315	BN_clear_free(ctx->kinv);
316	BN_clear_free(ctx->r);
317	OPENSSL_free(ctx);
318	}
319
320	static void ecdsa_dupctx(void vctx)
321	{
322	PROV_ECDSA_CTX srcctx = (PROV_ECDSA_CTX )vctx;
323	PROV_ECDSA_CTX *dstctx;
324
325	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
326	if (dstctx == NULL)
327	return NULL;
328
329	dstctx = srcctx;
330	dstctx->ec = NULL;
331	dstctx->md = NULL;
332	dstctx->mdctx = NULL;
333
334	if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
335	goto err;
336	/* Test KATS should not need to be supported */
337	if (srcctx->kinv != NULL \|\| srcctx->r != NULL)
338	goto err;
339	dstctx->ec = srcctx->ec;
340
341	if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
342	goto err;
343	dstctx->md = srcctx->md;
344
345	if (srcctx->mdctx != NULL) {
346	dstctx->mdctx = EVP_MD_CTX_new();
347	if (dstctx->mdctx == NULL
348	\|\| !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
349	goto err;
350	}
351
352	return dstctx;
353	err:
354	ecdsa_freectx(dstctx);
355	return NULL;
356	}
357
358	static int ecdsa_get_ctx_params(void vctx, OSSL_PARAM params)
359	{
360	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
361	OSSL_PARAM *p;
362
363	if (ctx == NULL \|\| params == NULL)
364	return 0;
365
366	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
367	if (p != NULL && !OSSL_PARAM_set_octet_string(p, ctx->aid, ctx->aid_len))
368	return 0;
369
370	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
371	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->mdsize))
372	return 0;
373
374	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
375	if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL
376	? ctx->mdname
377	: EVP_MD_name(ctx->md)))
378	return 0;
379
380	return 1;
381	}
382
383	static const OSSL_PARAM known_gettable_ctx_params[] = {
384	OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
385	OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
386	OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
387	OSSL_PARAM_END
388	};
389
390	static const OSSL_PARAM *ecdsa_gettable_ctx_params(void)
391	{
392	return known_gettable_ctx_params;
393	}
394
395	static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
396	{
397	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
398	const OSSL_PARAM *p;
399	char *mdname;
400
401	if (ctx == NULL \|\| params == NULL)
402	return 0;
403
404	if (ctx->md != NULL) {
405	/*
406	* You cannot set the digest name/size when doing a DigestSign or
407	* DigestVerify.
408	*/
409	return 1;
410	}
411
412	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
413	if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->kattest))
414	return 0;
415
416	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
417	if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->mdsize))
418	return 0;
419
420	/*
421	* We never actually use the mdname, but we do support getting it later.
422	* This can be useful for applications that want to know the MD that they
423	* previously set.
424	*/
425	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
426	mdname = ctx->mdname;
427	if (p != NULL
428	&& !OSSL_PARAM_get_utf8_string(p, &mdname, sizeof(ctx->mdname)))
429	return 0;
430
431	return 1;
432	}
433
434	static const OSSL_PARAM known_settable_ctx_params[] = {
435	OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
436	OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
437	OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT, NULL),
438	OSSL_PARAM_END
439	};
440
441	static const OSSL_PARAM *ecdsa_settable_ctx_params(void)
442	{
443	/*
444	* TODO(3.0): Should this function return a different set of settable ctx
445	* params if the ctx is being used for a DigestSign/DigestVerify? In that
446	* case it is not allowed to set the digest size/digest name because the
447	* digest is explicitly set as part of the init.
448	*/
449	return known_settable_ctx_params;
450	}
451
452	static int ecdsa_get_ctx_md_params(void vctx, OSSL_PARAM params)
453	{
454	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
455
456	if (ctx->mdctx == NULL)
457	return 0;
458
459	return EVP_MD_CTX_get_params(ctx->mdctx, params);
460	}
461
462	static const OSSL_PARAM ecdsa_gettable_ctx_md_params(void vctx)
463	{
464	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
465
466	if (ctx->md == NULL)
467	return 0;
468
469	return EVP_MD_gettable_ctx_params(ctx->md);
470	}
471
472	static int ecdsa_set_ctx_md_params(void *vctx, const OSSL_PARAM params[])
473	{
474	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
475
476	if (ctx->mdctx == NULL)
477	return 0;
478
479	return EVP_MD_CTX_set_params(ctx->mdctx, params);
480	}
481
482	static const OSSL_PARAM ecdsa_settable_ctx_md_params(void vctx)
483	{
484	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
485
486	if (ctx->md == NULL)
487	return 0;
488
489	return EVP_MD_settable_ctx_params(ctx->md);
490	}
491
492	const OSSL_DISPATCH ecdsa_signature_functions[] = {
493	{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
494	{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_signature_init },
495	{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign },
496	{ OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_signature_init },
497	{ OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify },
498	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
499	(void (*)(void))ecdsa_digest_signverify_init },
500	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
501	(void (*)(void))ecdsa_digest_signverify_update },
502	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
503	(void (*)(void))ecdsa_digest_sign_final },
504	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
505	(void (*)(void))ecdsa_digest_signverify_init },
506	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
507	(void (*)(void))ecdsa_digest_signverify_update },
508	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
509	(void (*)(void))ecdsa_digest_verify_final },
510	{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx },
511	{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx },
512	{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))ecdsa_get_ctx_params },
513	{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
514	(void (*)(void))ecdsa_gettable_ctx_params },
515	{ OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))ecdsa_set_ctx_params },
516	{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
517	(void (*)(void))ecdsa_settable_ctx_params },
518	{ OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
519	(void (*)(void))ecdsa_get_ctx_md_params },
520	{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
521	(void (*)(void))ecdsa_gettable_ctx_md_params },
522	{ OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
523	(void (*)(void))ecdsa_set_ctx_md_params },
524	{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
525	(void (*)(void))ecdsa_settable_ctx_md_params },
526	{ 0, NULL }
527	};