[thirdparty/openssl.git] / providers / implementations / signature / ecdsa.c

/*
 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * ECDSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <string.h> /* memcpy */
#include <openssl/crypto.h>
#include <openssl/core_numbers.h>
#include <openssl/core_names.h>
#include <openssl/dsa.h>
#include <openssl/params.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/cryptlib.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "crypto/ec.h"
#include "prov/der_ec.h"

static OSSL_OP_signature_newctx_fn ecdsa_newctx;
static OSSL_OP_signature_sign_init_fn ecdsa_signature_init;
static OSSL_OP_signature_verify_init_fn ecdsa_signature_init;
static OSSL_OP_signature_sign_fn ecdsa_sign;
static OSSL_OP_signature_verify_fn ecdsa_verify;
static OSSL_OP_signature_digest_sign_init_fn ecdsa_digest_signverify_init;
static OSSL_OP_signature_digest_sign_update_fn ecdsa_digest_signverify_update;
static OSSL_OP_signature_digest_sign_final_fn ecdsa_digest_sign_final;
static OSSL_OP_signature_digest_verify_init_fn ecdsa_digest_signverify_init;
static OSSL_OP_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
static OSSL_OP_signature_digest_verify_final_fn ecdsa_digest_verify_final;
static OSSL_OP_signature_freectx_fn ecdsa_freectx;
static OSSL_OP_signature_dupctx_fn ecdsa_dupctx;
static OSSL_OP_signature_get_ctx_params_fn ecdsa_get_ctx_params;
static OSSL_OP_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
static OSSL_OP_signature_set_ctx_params_fn ecdsa_set_ctx_params;
static OSSL_OP_signature_settable_ctx_params_fn ecdsa_settable_ctx_params;
static OSSL_OP_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params;
static OSSL_OP_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params;
static OSSL_OP_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params;
static OSSL_OP_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params;

/*
 * What's passed as an actual key is defined by the KEYMGMT interface.
 * We happen to know that our KEYMGMT simply passes DSA structures, so
 * we use that here too.
 */

typedef struct {
    OPENSSL_CTX *libctx;
    char *propq;
    EC_KEY *ec;
    char mdname[OSSL_MAX_NAME_SIZE];

    /* The Algorithm Identifier of the combined signature algorithm */
    unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
    unsigned char *aid;
    size_t  aid_len;
    size_t mdsize;

    EVP_MD *md;
    EVP_MD_CTX *mdctx;
    /*
     * Internally used to cache the results of calling the EC group
     * sign_setup() methods which are then passed to the sign operation.
     * This is used by CAVS failure tests to terminate a loop if the signature
     * is not valid.
     * This could of also been done with a simple flag.
     */
    BIGNUM *kinv;
    BIGNUM *r;
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
    /*
     * This indicates that KAT (CAVS) test is running. Externally an app will
     * override the random callback such that the generated private key and k
     * are known.
     * Normal operation will loop to choose a new k if the signature is not
     * valid - but for this mode of operation it forces a failure instead.
     */
    unsigned int kattest;
#endif
} PROV_ECDSA_CTX;

static void *ecdsa_newctx(void *provctx, const char *propq)
{
    PROV_ECDSA_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));

    if (ctx == NULL)
        return NULL;

    ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
    if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL) {
        OPENSSL_free(ctx);
        ctx = NULL;
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
    }
    return ctx;
}

static int ecdsa_signature_init(void *vctx, void *ec)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx == NULL || ec == NULL || !EC_KEY_up_ref(ec))
        return 0;
    EC_KEY_free(ctx->ec);
    ctx->ec = ec;
    return 1;
}

static int ecdsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
                      size_t sigsize, const unsigned char *tbs, size_t tbslen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    int ret;
    unsigned int sltmp;
    size_t ecsize = ECDSA_size(ctx->ec);

    if (sig == NULL) {
        *siglen = ecsize;
        return 1;
    }

#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
    if (ctx->kattest && !ECDSA_sign_setup(ctx->ec, NULL, &ctx->kinv, &ctx->r))
        return 0;
#endif

    if (sigsize < (size_t)ecsize)
        return 0;

    if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
        return 0;

    ret = ECDSA_sign_ex(0, tbs, tbslen, sig, &sltmp, ctx->kinv, ctx->r, ctx->ec);
    if (ret <= 0)
        return 0;

    *siglen = sltmp;
    return 1;
}

static int ecdsa_verify(void *vctx, const unsigned char *sig, size_t siglen,
                        const unsigned char *tbs, size_t tbslen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
        return 0;

    return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
}

static int get_md_nid(const EVP_MD *md)
{
    /*
     * Because the ECDSA library deals with NIDs, we need to translate.
     * We do so using EVP_MD_is_a(), and therefore need a name to NID
     * map.
     */
    static const OSSL_ITEM name_to_nid[] = {
        { NID_sha1,   OSSL_DIGEST_NAME_SHA1   },
        { NID_sha224, OSSL_DIGEST_NAME_SHA2_224 },
        { NID_sha256, OSSL_DIGEST_NAME_SHA2_256 },
        { NID_sha384, OSSL_DIGEST_NAME_SHA2_384 },
        { NID_sha512, OSSL_DIGEST_NAME_SHA2_512 },
        { NID_sha3_224, OSSL_DIGEST_NAME_SHA3_224 },
        { NID_sha3_256, OSSL_DIGEST_NAME_SHA3_256 },
        { NID_sha3_384, OSSL_DIGEST_NAME_SHA3_384 },
        { NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 },
        /* TODO - Add SHAKE OIDS when they are standardized */

    };
    size_t i;
    int mdnid = NID_undef;

    if (md == NULL)
        goto end;

    for (i = 0; i < OSSL_NELEM(name_to_nid); i++) {
        if (EVP_MD_is_a(md, name_to_nid[i].ptr)) {
            mdnid = (int)name_to_nid[i].id;
            break;
        }
    }

    if (mdnid == NID_undef)
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);

 end:
    return mdnid;
}

static void free_md(PROV_ECDSA_CTX *ctx)
{
    OPENSSL_free(ctx->propq);
    EVP_MD_CTX_free(ctx->mdctx);
    EVP_MD_free(ctx->md);
    ctx->propq = NULL;
    ctx->mdctx = NULL;
    ctx->md = NULL;
    ctx->mdsize = 0;
}

static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
                                        void *ec)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    int md_nid = NID_undef;
    WPACKET pkt;

    free_md(ctx);

    if (!ecdsa_signature_init(vctx, ec))
        return 0;

    ctx->md = EVP_MD_fetch(ctx->libctx, mdname, ctx->propq);
    if ((md_nid = get_md_nid(ctx->md)) == NID_undef)
        goto error;

    ctx->mdsize = EVP_MD_size(ctx->md);
    ctx->mdctx = EVP_MD_CTX_new();
    if (ctx->mdctx == NULL)
        goto error;

    /*
     * TODO(3.0) Should we care about DER writing errors?
     * All it really means is that for some reason, there's no
     * AlgorithmIdentifier to be had, but the operation itself is
     * still valid, just as long as it's not used to construct
     * anything that needs an AlgorithmIdentifier.
     */
    ctx->aid_len = 0;
    if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
        && DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec, md_nid)
        && WPACKET_finish(&pkt)) {
        WPACKET_get_total_written(&pkt, &ctx->aid_len);
        ctx->aid = WPACKET_get_curr(&pkt);
    }
    WPACKET_cleanup(&pkt);

    if (!EVP_DigestInit_ex(ctx->mdctx, ctx->md, NULL))
        goto error;
    return 1;
error:
    free_md(ctx);
    return 0;
}

int ecdsa_digest_signverify_update(void *vctx, const unsigned char *data,
                                   size_t datalen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx == NULL || ctx->mdctx == NULL)
        return 0;

    return EVP_DigestUpdate(ctx->mdctx, data, datalen);
}

int ecdsa_digest_sign_final(void *vctx, unsigned char *sig, size_t *siglen,
                            size_t sigsize)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    unsigned char digest[EVP_MAX_MD_SIZE];
    unsigned int dlen = 0;

    if (ctx == NULL || ctx->mdctx == NULL)
        return 0;

    /*
     * If sig is NULL then we're just finding out the sig size. Other fields
     * are ignored. Defer to ecdsa_sign.
     */
    if (sig != NULL) {
        /*
         * TODO(3.0): There is the possibility that some externally provided
         * digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
         * but that problem is much larger than just in DSA.
         */
        if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
            return 0;
    }

    return ecdsa_sign(vctx, sig, siglen, sigsize, digest, (size_t)dlen);
}

int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
                              size_t siglen)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    unsigned char digest[EVP_MAX_MD_SIZE];
    unsigned int dlen = 0;

    if (ctx == NULL || ctx->mdctx == NULL)
        return 0;

    /*
     * TODO(3.0): There is the possibility that some externally provided
     * digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
     * but that problem is much larger than just in DSA.
     */
    if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
        return 0;

    return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
}

static void ecdsa_freectx(void *vctx)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    free_md(ctx);
    EC_KEY_free(ctx->ec);
    BN_clear_free(ctx->kinv);
    BN_clear_free(ctx->r);
    OPENSSL_free(ctx);
}

static void *ecdsa_dupctx(void *vctx)
{
    PROV_ECDSA_CTX *srcctx = (PROV_ECDSA_CTX *)vctx;
    PROV_ECDSA_CTX *dstctx;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;
    dstctx->ec = NULL;
    dstctx->md = NULL;
    dstctx->mdctx = NULL;

    if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
        goto err;
    /* Test KATS should not need to be supported */
    if (srcctx->kinv != NULL || srcctx->r != NULL)
        goto err;
    dstctx->ec = srcctx->ec;

    if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
        goto err;
    dstctx->md = srcctx->md;

    if (srcctx->mdctx != NULL) {
        dstctx->mdctx = EVP_MD_CTX_new();
        if (dstctx->mdctx == NULL
                || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
            goto err;
    }

    return dstctx;
 err:
    ecdsa_freectx(dstctx);
    return NULL;
}

static int ecdsa_get_ctx_params(void *vctx, OSSL_PARAM *params)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    OSSL_PARAM *p;

    if (ctx == NULL || params == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
    if (p != NULL && !OSSL_PARAM_set_octet_string(p, ctx->aid, ctx->aid_len))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->mdsize))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
    if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL
                                                    ? ctx->mdname
                                                    : EVP_MD_name(ctx->md)))
        return 0;

    return 1;
}

static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
    OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *ecdsa_gettable_ctx_params(void)
{
    return known_gettable_ctx_params;
}

static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    const OSSL_PARAM *p;
    char *mdname;

    if (ctx == NULL || params == NULL)
        return 0;

    if (ctx->md != NULL) {
        /*
         * You cannot set the digest name/size when doing a DigestSign or
         * DigestVerify.
         */
        return 1;
    }
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
    if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->kattest))
        return 0;
#endif

    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
    if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->mdsize))
        return 0;

    /*
     * We never actually use the mdname, but we do support getting it later.
     * This can be useful for applications that want to know the MD that they
     * previously set.
     */
    p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
    mdname = ctx->mdname;
    if (p != NULL
            && !OSSL_PARAM_get_utf8_string(p, &mdname, sizeof(ctx->mdname)))
        return 0;

    return 1;
}

static const OSSL_PARAM known_settable_ctx_params[] = {
    OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
    OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT, NULL),
    OSSL_PARAM_END
};

static const OSSL_PARAM *ecdsa_settable_ctx_params(void)
{
    /*
     * TODO(3.0): Should this function return a different set of settable ctx
     * params if the ctx is being used for a DigestSign/DigestVerify? In that
     * case it is not allowed to set the digest size/digest name because the
     * digest is explicitly set as part of the init.
     */
    return known_settable_ctx_params;
}

static int ecdsa_get_ctx_md_params(void *vctx, OSSL_PARAM *params)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->mdctx == NULL)
        return 0;

    return EVP_MD_CTX_get_params(ctx->mdctx, params);
}

static const OSSL_PARAM *ecdsa_gettable_ctx_md_params(void *vctx)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->md == NULL)
        return 0;

    return EVP_MD_gettable_ctx_params(ctx->md);
}

static int ecdsa_set_ctx_md_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->mdctx == NULL)
        return 0;

    return EVP_MD_CTX_set_params(ctx->mdctx, params);
}

static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
{
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

    if (ctx->md == NULL)
        return 0;

    return EVP_MD_settable_ctx_params(ctx->md);
}

const OSSL_DISPATCH ecdsa_signature_functions[] = {
    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
    { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_signature_init },
    { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign },
    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_signature_init },
    { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
      (void (*)(void))ecdsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
      (void (*)(void))ecdsa_digest_signverify_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
      (void (*)(void))ecdsa_digest_sign_final },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
      (void (*)(void))ecdsa_digest_signverify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
      (void (*)(void))ecdsa_digest_signverify_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
      (void (*)(void))ecdsa_digest_verify_final },
    { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx },
    { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx },
    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))ecdsa_get_ctx_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
      (void (*)(void))ecdsa_gettable_ctx_params },
    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))ecdsa_set_ctx_params },
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
      (void (*)(void))ecdsa_settable_ctx_params },
    { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_get_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_gettable_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_set_ctx_md_params },
    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
      (void (*)(void))ecdsa_settable_ctx_md_params },
    { 0, NULL }
};
Commit	Line	Data
edd3b7a3 SL	1	/*
	2	* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/*
	11	* ECDSA low level APIs are deprecated for public use, but still ok for
	12	* internal use.
	13	*/
	14	#include "internal/deprecated.h"
	15
	16	#include <string.h> /* memcpy */
	17	#include <openssl/crypto.h>
	18	#include <openssl/core_numbers.h>
	19	#include <openssl/core_names.h>
	20	#include <openssl/dsa.h>
	21	#include <openssl/params.h>
	22	#include <openssl/evp.h>
	23	#include <openssl/err.h>
	24	#include "internal/nelem.h"
	25	#include "internal/sizes.h"
2d956b32	26	#include "internal/cryptlib.h"
edd3b7a3 SL	27	#include "prov/providercommonerr.h"
	28	#include "prov/implementations.h"
	29	#include "prov/provider_ctx.h"
	30	#include "crypto/ec.h"
2d956b32	31	#include "prov/der_ec.h"
edd3b7a3 SL	32
	33	static OSSL_OP_signature_newctx_fn ecdsa_newctx;
	34	static OSSL_OP_signature_sign_init_fn ecdsa_signature_init;
	35	static OSSL_OP_signature_verify_init_fn ecdsa_signature_init;
	36	static OSSL_OP_signature_sign_fn ecdsa_sign;
	37	static OSSL_OP_signature_verify_fn ecdsa_verify;
	38	static OSSL_OP_signature_digest_sign_init_fn ecdsa_digest_signverify_init;
	39	static OSSL_OP_signature_digest_sign_update_fn ecdsa_digest_signverify_update;
	40	static OSSL_OP_signature_digest_sign_final_fn ecdsa_digest_sign_final;
	41	static OSSL_OP_signature_digest_verify_init_fn ecdsa_digest_signverify_init;
	42	static OSSL_OP_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
	43	static OSSL_OP_signature_digest_verify_final_fn ecdsa_digest_verify_final;
	44	static OSSL_OP_signature_freectx_fn ecdsa_freectx;
	45	static OSSL_OP_signature_dupctx_fn ecdsa_dupctx;
	46	static OSSL_OP_signature_get_ctx_params_fn ecdsa_get_ctx_params;
	47	static OSSL_OP_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
	48	static OSSL_OP_signature_set_ctx_params_fn ecdsa_set_ctx_params;
	49	static OSSL_OP_signature_settable_ctx_params_fn ecdsa_settable_ctx_params;
	50	static OSSL_OP_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params;
	51	static OSSL_OP_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params;
	52	static OSSL_OP_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params;
	53	static OSSL_OP_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params;
	54
	55	/*
	56	* What's passed as an actual key is defined by the KEYMGMT interface.
	57	* We happen to know that our KEYMGMT simply passes DSA structures, so
	58	* we use that here too.
	59	*/
	60
	61	typedef struct {
	62	OPENSSL_CTX *libctx;
2c6094ba	63	char *propq;
edd3b7a3 SL	64	EC_KEY *ec;
	65	char mdname[OSSL_MAX_NAME_SIZE];
	66
	67	/* The Algorithm Identifier of the combined signature algorithm */
2d956b32 RL	68	unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
2d956b32 RL	69	unsigned char *aid;
edd3b7a3 SL	70	size_t aid_len;
	71	size_t mdsize;
	72
	73	EVP_MD *md;
	74	EVP_MD_CTX *mdctx;
edd3b7a3 SL	75	/*
	76	* Internally used to cache the results of calling the EC group
	77	* sign_setup() methods which are then passed to the sign operation.
	78	* This is used by CAVS failure tests to terminate a loop if the signature
	79	* is not valid.
	80	* This could of also been done with a simple flag.
	81	*/
	82	BIGNUM *kinv;
	83	BIGNUM *r;
4f2271d5 SL	84	#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
	85	/*
	86	* This indicates that KAT (CAVS) test is running. Externally an app will
	87	* override the random callback such that the generated private key and k
	88	* are known.
	89	* Normal operation will loop to choose a new k if the signature is not
	90	* valid - but for this mode of operation it forces a failure instead.
	91	*/
	92	unsigned int kattest;
	93	#endif
edd3b7a3 SL	94	} PROV_ECDSA_CTX;
edd3b7a3 SL	95
2c6094ba	96	static void ecdsa_newctx(void provctx, const char *propq)
edd3b7a3 SL	97	{
	98	PROV_ECDSA_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));
	99
	100	if (ctx == NULL)
	101	return NULL;
	102
	103	ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
2c6094ba RL	104	if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL) {
	105	OPENSSL_free(ctx);
	106	ctx = NULL;
	107	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
	108	}
edd3b7a3 SL	109	return ctx;
	110	}
	111
	112	static int ecdsa_signature_init(void vctx, void ec)
	113	{
	114	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	115
	116	if (ctx == NULL \|\| ec == NULL \|\| !EC_KEY_up_ref(ec))
	117	return 0;
	118	EC_KEY_free(ctx->ec);
	119	ctx->ec = ec;
	120	return 1;
	121	}
	122
	123	static int ecdsa_sign(void vctx, unsigned char sig, size_t *siglen,
	124	size_t sigsize, const unsigned char *tbs, size_t tbslen)
	125	{
	126	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	127	int ret;
	128	unsigned int sltmp;
	129	size_t ecsize = ECDSA_size(ctx->ec);
	130
	131	if (sig == NULL) {
	132	*siglen = ecsize;
	133	return 1;
	134	}
	135
4f2271d5	136	#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
edd3b7a3 SL	137	if (ctx->kattest && !ECDSA_sign_setup(ctx->ec, NULL, &ctx->kinv, &ctx->r))
edd3b7a3 SL	138	return 0;
4f2271d5	139	#endif
edd3b7a3 SL	140
	141	if (sigsize < (size_t)ecsize)
	142	return 0;
	143
	144	if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
	145	return 0;
	146
	147	ret = ECDSA_sign_ex(0, tbs, tbslen, sig, &sltmp, ctx->kinv, ctx->r, ctx->ec);
	148	if (ret <= 0)
	149	return 0;
	150
	151	*siglen = sltmp;
	152	return 1;
	153	}
	154
	155	static int ecdsa_verify(void vctx, const unsigned char sig, size_t siglen,
	156	const unsigned char *tbs, size_t tbslen)
	157	{
	158	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	159
	160	if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
	161	return 0;
	162
	163	return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
	164	}
	165
	166	static int get_md_nid(const EVP_MD *md)
	167	{
	168	/*
	169	* Because the ECDSA library deals with NIDs, we need to translate.
	170	* We do so using EVP_MD_is_a(), and therefore need a name to NID
	171	* map.
	172	*/
	173	static const OSSL_ITEM name_to_nid[] = {
	174	{ NID_sha1, OSSL_DIGEST_NAME_SHA1 },
	175	{ NID_sha224, OSSL_DIGEST_NAME_SHA2_224 },
	176	{ NID_sha256, OSSL_DIGEST_NAME_SHA2_256 },
	177	{ NID_sha384, OSSL_DIGEST_NAME_SHA2_384 },
	178	{ NID_sha512, OSSL_DIGEST_NAME_SHA2_512 },
	179	{ NID_sha3_224, OSSL_DIGEST_NAME_SHA3_224 },
	180	{ NID_sha3_256, OSSL_DIGEST_NAME_SHA3_256 },
	181	{ NID_sha3_384, OSSL_DIGEST_NAME_SHA3_384 },
	182	{ NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 },
	183	/* TODO - Add SHAKE OIDS when they are standardized */
	184
	185	};
	186	size_t i;
	187	int mdnid = NID_undef;
	188
	189	if (md == NULL)
	190	goto end;
	191
	192	for (i = 0; i < OSSL_NELEM(name_to_nid); i++) {
	193	if (EVP_MD_is_a(md, name_to_nid[i].ptr)) {
	194	mdnid = (int)name_to_nid[i].id;
	195	break;
	196	}
	197	}
	198
	199	if (mdnid == NID_undef)
	200	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
	201
	202	end:
	203	return mdnid;
204	}
205
206	static void free_md(PROV_ECDSA_CTX *ctx)
207	{
4f2271d5	208	OPENSSL_free(ctx->propq);
edd3b7a3 SL	209	EVP_MD_CTX_free(ctx->mdctx);
edd3b7a3 SL	210	EVP_MD_free(ctx->md);
4f2271d5	211	ctx->propq = NULL;
edd3b7a3 SL	212	ctx->mdctx = NULL;
	213	ctx->md = NULL;
	214	ctx->mdsize = 0;
	215	}
	216
	217	static int ecdsa_digest_signverify_init(void vctx, const char mdname,
2c6094ba	218	void *ec)
edd3b7a3 SL	219	{
edd3b7a3 SL	220	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
2d956b32 RL	221	int md_nid = NID_undef;
2d956b32 RL	222	WPACKET pkt;
edd3b7a3 SL	223
	224	free_md(ctx);
	225
	226	if (!ecdsa_signature_init(vctx, ec))
	227	return 0;
	228
2c6094ba	229	ctx->md = EVP_MD_fetch(ctx->libctx, mdname, ctx->propq);
2d956b32	230	if ((md_nid = get_md_nid(ctx->md)) == NID_undef)
edd3b7a3 SL	231	goto error;
	232
	233	ctx->mdsize = EVP_MD_size(ctx->md);
	234	ctx->mdctx = EVP_MD_CTX_new();
	235	if (ctx->mdctx == NULL)
	236	goto error;
	237
2d956b32 RL	238	/*
	239	* TODO(3.0) Should we care about DER writing errors?
	240	* All it really means is that for some reason, there's no
	241	* AlgorithmIdentifier to be had, but the operation itself is
	242	* still valid, just as long as it's not used to construct
	243	* anything that needs an AlgorithmIdentifier.
	244	*/
	245	ctx->aid_len = 0;
	246	if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
a30027b6	247	&& DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec, md_nid)
2d956b32 RL	248	&& WPACKET_finish(&pkt)) {
	249	WPACKET_get_total_written(&pkt, &ctx->aid_len);
	250	ctx->aid = WPACKET_get_curr(&pkt);
	251	}
	252	WPACKET_cleanup(&pkt);
edd3b7a3 SL	253
	254	if (!EVP_DigestInit_ex(ctx->mdctx, ctx->md, NULL))
	255	goto error;
	256	return 1;
	257	error:
	258	free_md(ctx);
	259	return 0;
	260	}
	261
	262	int ecdsa_digest_signverify_update(void vctx, const unsigned char data,
	263	size_t datalen)
	264	{
	265	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	266
	267	if (ctx == NULL \|\| ctx->mdctx == NULL)
	268	return 0;
	269
	270	return EVP_DigestUpdate(ctx->mdctx, data, datalen);
	271	}
	272
	273	int ecdsa_digest_sign_final(void vctx, unsigned char sig, size_t *siglen,
	274	size_t sigsize)
	275	{
	276	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	277	unsigned char digest[EVP_MAX_MD_SIZE];
	278	unsigned int dlen = 0;
	279
	280	if (ctx == NULL \|\| ctx->mdctx == NULL)
	281	return 0;
	282
	283	/*
	284	* If sig is NULL then we're just finding out the sig size. Other fields
	285	* are ignored. Defer to ecdsa_sign.
	286	*/
	287	if (sig != NULL) {
	288	/*
	289	* TODO(3.0): There is the possibility that some externally provided
	290	* digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
	291	* but that problem is much larger than just in DSA.
	292	*/
	293	if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
	294	return 0;
	295	}
	296
	297	return ecdsa_sign(vctx, sig, siglen, sigsize, digest, (size_t)dlen);
	298	}
	299
	300	int ecdsa_digest_verify_final(void vctx, const unsigned char sig,
	301	size_t siglen)
	302	{
	303	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	304	unsigned char digest[EVP_MAX_MD_SIZE];
	305	unsigned int dlen = 0;
	306
	307	if (ctx == NULL \|\| ctx->mdctx == NULL)
	308	return 0;
	309
	310	/*
	311	* TODO(3.0): There is the possibility that some externally provided
	312	* digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
	313	* but that problem is much larger than just in DSA.
	314	*/
	315	if (!EVP_DigestFinal_ex(ctx->mdctx, digest, &dlen))
	316	return 0;
317
318	return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
319	}
320
321	static void ecdsa_freectx(void *vctx)
322	{
323	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
324
325	free_md(ctx);
326	EC_KEY_free(ctx->ec);
327	BN_clear_free(ctx->kinv);
328	BN_clear_free(ctx->r);
329	OPENSSL_free(ctx);
330	}
331
332	static void ecdsa_dupctx(void vctx)
333	{
334	PROV_ECDSA_CTX srcctx = (PROV_ECDSA_CTX )vctx;
335	PROV_ECDSA_CTX *dstctx;
336
337	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
338	if (dstctx == NULL)
339	return NULL;
340
341	dstctx = srcctx;
342	dstctx->ec = NULL;
343	dstctx->md = NULL;
344	dstctx->mdctx = NULL;
345
346	if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
347	goto err;
348	/* Test KATS should not need to be supported */
349	if (srcctx->kinv != NULL \|\| srcctx->r != NULL)
350	goto err;
351	dstctx->ec = srcctx->ec;
352
353	if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
354	goto err;
355	dstctx->md = srcctx->md;
356
357	if (srcctx->mdctx != NULL) {
358	dstctx->mdctx = EVP_MD_CTX_new();
359	if (dstctx->mdctx == NULL
360	\|\| !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
361	goto err;
362	}
363
364	return dstctx;
365	err:
366	ecdsa_freectx(dstctx);
367	return NULL;
368	}
369
370	static int ecdsa_get_ctx_params(void vctx, OSSL_PARAM params)
371	{
372	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
373	OSSL_PARAM *p;
374
375	if (ctx == NULL \|\| params == NULL)
376	return 0;
377
378	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
379	if (p != NULL && !OSSL_PARAM_set_octet_string(p, ctx->aid, ctx->aid_len))
380	return 0;
381
382	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
383	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->mdsize))
384	return 0;
385
386	p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
387	if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ctx->md == NULL
388	? ctx->mdname
389	: EVP_MD_name(ctx->md)))
390	return 0;
391
392	return 1;
393	}
394
395	static const OSSL_PARAM known_gettable_ctx_params[] = {
396	OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
397	OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
398	OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
399	OSSL_PARAM_END
400	};
401
402	static const OSSL_PARAM *ecdsa_gettable_ctx_params(void)
403	{
404	return known_gettable_ctx_params;
405	}
406
407	static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
408	{
409	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
410	const OSSL_PARAM *p;
411	char *mdname;
412
413	if (ctx == NULL \|\| params == NULL)
414	return 0;
415
416	if (ctx->md != NULL) {
417	/*
418	* You cannot set the digest name/size when doing a DigestSign or
419	* DigestVerify.
420	*/
421	return 1;
422	}
4f2271d5	423	#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
edd3b7a3 SL	424	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
	425	if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->kattest))
	426	return 0;
4f2271d5	427	#endif
edd3b7a3 SL	428
	429	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
	430	if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->mdsize))
	431	return 0;
	432
	433	/*
	434	* We never actually use the mdname, but we do support getting it later.
	435	* This can be useful for applications that want to know the MD that they
	436	* previously set.
	437	*/
	438	p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
	439	mdname = ctx->mdname;
	440	if (p != NULL
	441	&& !OSSL_PARAM_get_utf8_string(p, &mdname, sizeof(ctx->mdname)))
	442	return 0;
	443
	444	return 1;
	445	}
	446
	447	static const OSSL_PARAM known_settable_ctx_params[] = {
	448	OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE, NULL),
	449	OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
	450	OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT, NULL),
	451	OSSL_PARAM_END
	452	};
	453
	454	static const OSSL_PARAM *ecdsa_settable_ctx_params(void)
	455	{
	456	/*
	457	* TODO(3.0): Should this function return a different set of settable ctx
	458	* params if the ctx is being used for a DigestSign/DigestVerify? In that
	459	* case it is not allowed to set the digest size/digest name because the
	460	* digest is explicitly set as part of the init.
	461	*/
	462	return known_settable_ctx_params;
	463	}
	464
	465	static int ecdsa_get_ctx_md_params(void vctx, OSSL_PARAM params)
	466	{
	467	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	468
	469	if (ctx->mdctx == NULL)
	470	return 0;
	471
	472	return EVP_MD_CTX_get_params(ctx->mdctx, params);
	473	}
	474
	475	static const OSSL_PARAM ecdsa_gettable_ctx_md_params(void vctx)
	476	{
	477	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	478
	479	if (ctx->md == NULL)
	480	return 0;
	481
	482	return EVP_MD_gettable_ctx_params(ctx->md);
	483	}
	484
	485	static int ecdsa_set_ctx_md_params(void *vctx, const OSSL_PARAM params[])
	486	{
	487	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
	488
	489	if (ctx->mdctx == NULL)
	490	return 0;
	491
492	return EVP_MD_CTX_set_params(ctx->mdctx, params);
493	}
494
495	static const OSSL_PARAM ecdsa_settable_ctx_md_params(void vctx)
496	{
497	PROV_ECDSA_CTX ctx = (PROV_ECDSA_CTX )vctx;
498
499	if (ctx->md == NULL)
500	return 0;
501
502	return EVP_MD_settable_ctx_params(ctx->md);
503	}
504
505	const OSSL_DISPATCH ecdsa_signature_functions[] = {
506	{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
507	{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_signature_init },
508	{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign },
509	{ OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_signature_init },
510	{ OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify },
511	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
512	(void (*)(void))ecdsa_digest_signverify_init },
513	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
514	(void (*)(void))ecdsa_digest_signverify_update },
515	{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
516	(void (*)(void))ecdsa_digest_sign_final },
517	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
518	(void (*)(void))ecdsa_digest_signverify_init },
519	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
520	(void (*)(void))ecdsa_digest_signverify_update },
521	{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
522	(void (*)(void))ecdsa_digest_verify_final },
523	{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ecdsa_freectx },
524	{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ecdsa_dupctx },
525	{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))ecdsa_get_ctx_params },
526	{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
527	(void (*)(void))ecdsa_gettable_ctx_params },
528	{ OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))ecdsa_set_ctx_params },
529	{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
530	(void (*)(void))ecdsa_settable_ctx_params },
531	{ OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
532	(void (*)(void))ecdsa_get_ctx_md_params },
533	{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
534	(void (*)(void))ecdsa_gettable_ctx_md_params },
535	{ OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
536	(void (*)(void))ecdsa_set_ctx_md_params },
537	{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
538	(void (*)(void))ecdsa_settable_ctx_md_params },
539	{ 0, NULL }
540	};