]> git.ipfire.org Git - thirdparty/openssl.git/blame - providers/implementations/signature/rsa.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
prov: support params arguments to signature init calls
[thirdparty/openssl.git] / providers / implementations / signature / rsa.c
CommitLineData
6f4b7663 1/*
a28d06f3 2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
6f4b7663
RL		 3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
bbde8566 16#include "e_os.h" /* strcasecmp */
6f4b7663
RL		 17#include <string.h>
18#include <openssl/crypto.h>
23c48d94 19#include <openssl/core_dispatch.h>
6f4b7663
RL		 20#include <openssl/core_names.h>
21#include <openssl/err.h>
22#include <openssl/rsa.h>
23#include <openssl/params.h>
24#include <openssl/evp.h>
2741128e 25#include <openssl/proverr.h>
6f4b7663
RL		 26#include "internal/cryptlib.h"
27#include "internal/nelem.h"
28#include "internal/sizes.h"
29#include "crypto/rsa.h"
f590a5ea 30#include "prov/providercommon.h"
6f4b7663
RL		 31#include "prov/implementations.h"
32#include "prov/provider_ctx.h"
6f5837dc 33#include "prov/der_rsa.h"
7a810fac 34#include "prov/securitycheck.h"
3f699197
SL		 35
36#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
6f4b7663 37
363b1e5d
DMSP		 38static OSSL_FUNC_signature_newctx_fn rsa_newctx;
39static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
40static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
41static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
42static OSSL_FUNC_signature_sign_fn rsa_sign;
43static OSSL_FUNC_signature_verify_fn rsa_verify;
44static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;
45static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;
46static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_signverify_update;
47static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
48static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
49static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
50static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
51static OSSL_FUNC_signature_freectx_fn rsa_freectx;
52static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
53static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
54static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
55static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;
56static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;
57static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;
58static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;
59static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;
60static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;
6f4b7663
RL		 61
62static OSSL_ITEM padding_item[] = {
b8086652 63 { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },
b8086652
SL		 64 { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE },
65 { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 },
66 { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS },
6f4b7663
RL		 67 { 0, NULL }
68};
69
70/*
71 * What's passed as an actual key is defined by the KEYMGMT interface.
72 * We happen to know that our KEYMGMT simply passes RSA structures, so
73 * we use that here too.
74 */
75
76typedef struct {
b4250010 77 OSSL_LIB_CTX *libctx;
2c6094ba 78 char *propq;
6f4b7663 79 RSA *rsa;
0ec36bf1 80 int operation;
6f4b7663
RL		 81
82 /*
83 * Flag to determine if the hash function can be changed (1) or not (0)
84 * Because it's dangerous to change during a DigestSign or DigestVerify
85 * operation, this flag is cleared by their Init function, and set again
86 * by their Final function.
87 */
88 unsigned int flag_allow_md : 1;
bbde8566 89 unsigned int mgf1_md_set : 1;
6f4b7663
RL		 90
91 /* main digest */
92 EVP_MD *md;
93 EVP_MD_CTX *mdctx;
94 int mdnid;
95 char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
96
97 /* RSA padding mode */
98 int pad_mode;
99 /* message digest for MGF1 */
100 EVP_MD *mgf1_md;
bbde8566 101 int mgf1_mdnid;
6f4b7663
RL		 102 char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
103 /* PSS salt length */
104 int saltlen;
105 /* Minimum salt length or -1 if no PSS parameter restriction */
106 int min_saltlen;
107
108 /* Temp buffer */
109 unsigned char *tbuf;
110
111} PROV_RSA_CTX;
112
bbde8566
TM		 113/* True if PSS parameters are restricted */
114#define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)
115
6f4b7663
RL		 116static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)
117{
118 if (prsactx->md != NULL)
119 return EVP_MD_size(prsactx->md);
120 return 0;
121}
122
bbde8566
TM		 123static int rsa_check_padding(const PROV_RSA_CTX *prsactx,
124 const char *mdname, const char *mgf1_mdname,
125 int mdnid)
6f4b7663 126{
bbde8566
TM		 127 switch(prsactx->pad_mode) {
128 case RSA_NO_PADDING:
129 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
6f4b7663 130 return 0;
bbde8566
TM		 131 case RSA_X931_PADDING:
132 if (RSA_X931_hash_id(mdnid) == -1) {
133 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);
134 return 0;
135 }
136 break;
137 case RSA_PKCS1_PSS_PADDING:
138 if (rsa_pss_restricted(prsactx))
139 if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname))
140 || (mgf1_mdname != NULL
141 && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) {
142 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
143 return 0;
144 }
145 break;
146 default:
147 break;
6f4b7663
RL		 148 }
149
150 return 1;
151}
152
bbde8566 153static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
2d553660
RL		 154{
155 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
156 int max_saltlen;
157
158 /* See if minimum salt length exceeds maximum possible */
6ce6ad39 159 max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_size(prsactx->md);
2d553660
RL		 160 if ((RSA_bits(prsactx->rsa) & 0x7) == 1)
161 max_saltlen--;
bbde8566 162 if (min_saltlen < 0 || min_saltlen > max_saltlen) {
2d553660
RL		 163 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
164 return 0;
165 }
bbde8566 166 prsactx->min_saltlen = min_saltlen;
2d553660
RL		 167 }
168 return 1;
169}
170
2c6094ba 171static void *rsa_newctx(void *provctx, const char *propq)
6f4b7663 172{
2d553660
RL		 173 PROV_RSA_CTX *prsactx = NULL;
174 char *propq_copy = NULL;
6f4b7663 175
f590a5ea
P		 176 if (!ossl_prov_is_running())
177 return NULL;
178
2d553660
RL		 179 if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL
180 || (propq != NULL
181 && (propq_copy = OPENSSL_strdup(propq)) == NULL)) {
182 OPENSSL_free(prsactx);
183 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
6f4b7663 184 return NULL;
2d553660 185 }
6f4b7663 186
a829b735 187 prsactx->libctx = PROV_LIBCTX_OF(provctx);
6f4b7663 188 prsactx->flag_allow_md = 1;
2d553660 189 prsactx->propq = propq_copy;
6f4b7663
RL		 190 return prsactx;
191}
192
bbde8566
TM		 193static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
194{
195 int saltlen = ctx->saltlen;
196
197 if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
198 saltlen = EVP_MD_size(ctx->md);
199 } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) {
200 saltlen = RSA_size(ctx->rsa) - EVP_MD_size(ctx->md) - 2;
201 if ((RSA_bits(ctx->rsa) & 0x7) == 1)
202 saltlen--;
203 }
204 if (saltlen < 0) {
205 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
206 return -1;
207 } else if (saltlen < ctx->min_saltlen) {
208 ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL,
209 "minimum salt length: %d, actual salt length: %d",
210 ctx->min_saltlen, saltlen);
211 return -1;
212 }
213 return saltlen;
214}
215
216static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx,
217 unsigned char *aid_buf,
218 size_t buf_len,
219 size_t *aid_len)
220{
221 WPACKET pkt;
222 unsigned char *aid = NULL;
223 int saltlen;
224 RSA_PSS_PARAMS_30 pss_params;
225
226 if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) {
227 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
228 return NULL;
229 }
230
231 switch(ctx->pad_mode) {
232 case RSA_PKCS1_PADDING:
233 if (!ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1,
234 ctx->mdnid)) {
235 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
236 goto cleanup;
237 }
238 break;
239 case RSA_PKCS1_PSS_PADDING:
240 saltlen = rsa_pss_compute_saltlen(ctx);
241 if (saltlen < 0)
242 goto cleanup;
243 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
244 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid)
245 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
246 ctx->mgf1_mdnid)
247 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
248 || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1,
249 RSA_FLAG_TYPE_RSASSAPSS,
250 &pss_params)) {
251 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
252 goto cleanup;
253 }
254 break;
255 default:
256 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
257 "Algorithm ID generation");
258 goto cleanup;
259 }
260 if (WPACKET_finish(&pkt)) {
261 WPACKET_get_total_written(&pkt, aid_len);
262 aid = WPACKET_get_curr(&pkt);
263 }
264 cleanup:
265 WPACKET_cleanup(&pkt);
266 return aid;
267}
6f4b7663 268
6f4b7663
RL		 269static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
270 const char *mdprops)
271{
2c6094ba
RL		 272 if (mdprops == NULL)
273 mdprops = ctx->propq;
274
6f4b7663 275 if (mdname != NULL) {
3f699197 276 EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
49ed5ba8 277 int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
7b676cc8 278 int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed);
2de64666 279 size_t mdname_len = strlen(mdname);
6f4b7663 280
6f5837dc
RL		 281 if (md == NULL
282 || md_nid == NID_undef
bbde8566 283 || !rsa_check_padding(ctx, mdname, NULL, md_nid)
2de64666 284 || mdname_len >= sizeof(ctx->mdname)) {
2d553660
RL		 285 if (md == NULL)
286 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
287 "%s could not be fetched", mdname);
288 if (md_nid == NID_undef)
289 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
290 "digest=%s", mdname);
2de64666
NT		 291 if (mdname_len >= sizeof(ctx->mdname))
292 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
293 "%s exceeds name buffer length", mdname);
6f4b7663
RL		 294 EVP_MD_free(md);
295 return 0;
296 }
297
bbde8566
TM		 298 if (!ctx->mgf1_md_set) {
299 if (!EVP_MD_up_ref(md)) {
300 EVP_MD_free(md);
301 return 0;
302 }
303 EVP_MD_free(ctx->mgf1_md);
304 ctx->mgf1_md = md;
305 ctx->mgf1_mdnid = md_nid;
306 OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
307 }
308
6f4b7663
RL		 309 EVP_MD_CTX_free(ctx->mdctx);
310 EVP_MD_free(ctx->md);
6f4b7663 311
6f5837dc 312 ctx->mdctx = NULL;
6f4b7663
RL		 313 ctx->md = md;
314 ctx->mdnid = md_nid;
315 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
6f4b7663
RL		 316 }
317
318 return 1;
319}
320
321static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
2c6094ba 322 const char *mdprops)
6f4b7663 323{
2de64666 324 size_t len;
3f699197 325 EVP_MD *md = NULL;
bbde8566 326 int mdnid;
2de64666 327
2c6094ba
RL		 328 if (mdprops == NULL)
329 mdprops = ctx->propq;
330
3f699197 331 if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) {
2d553660
RL		 332 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
333 "%s could not be fetched", mdname);
6f4b7663 334 return 0;
2d553660 335 }
49ed5ba8 336 /* The default for mgf1 is SHA1 - so allow SHA1 */
7b676cc8 337 if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef
bbde8566
TM		 338 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
339 if (mdnid == NID_undef)
340 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
341 "digest=%s", mdname);
3f699197
SL		 342 EVP_MD_free(md);
343 return 0;
344 }
2de64666
NT		 345 len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
346 if (len >= sizeof(ctx->mgf1_mdname)) {
347 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
348 "%s exceeds name buffer length", mdname);
bbde8566 349 EVP_MD_free(md);
2de64666
NT		 350 return 0;
351 }
6f4b7663 352
bbde8566
TM		 353 EVP_MD_free(ctx->mgf1_md);
354 ctx->mgf1_md = md;
355 ctx->mgf1_mdnid = mdnid;
356 ctx->mgf1_md_set = 1;
6f4b7663
RL		 357 return 1;
358}
359
556b8937
P		 360static int rsa_signverify_init(void *vprsactx, void *vrsa,
361 const OSSL_PARAM params[], int operation)
2d553660
RL		 362{
363 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
364
f590a5ea
P		 365 if (!ossl_prov_is_running())
366 return 0;
367
2d553660
RL		 368 if (prsactx == NULL || vrsa == NULL || !RSA_up_ref(vrsa))
369 return 0;
370
371 RSA_free(prsactx->rsa);
372 prsactx->rsa = vrsa;
373 prsactx->operation = operation;
374
556b8937
P		 375 if (!rsa_set_ctx_params(prsactx, params))
376 return 0;
377
23b2fc0b 378 if (!ossl_rsa_check_key(vrsa, operation == EVP_PKEY_OP_SIGN)) {
3f699197
SL		 379 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
380 return 0;
381 }
382
2d553660
RL		 383 /* Maximum for sign, auto for verify */
384 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
385 prsactx->min_saltlen = -1;
386
387 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
388 case RSA_FLAG_TYPE_RSA:
389 prsactx->pad_mode = RSA_PKCS1_PADDING;
390 break;
391 case RSA_FLAG_TYPE_RSASSAPSS:
392 prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;
393
394 {
395 const RSA_PSS_PARAMS_30 *pss =
23b2fc0b 396 ossl_rsa_get0_pss_params_30(prsactx->rsa);
2d553660 397
23b2fc0b
P		 398 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {
399 int md_nid = ossl_rsa_pss_params_30_hashalg(pss);
400 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
401 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss);
2d553660 402 const char *mdname, *mgf1mdname;
2de64666 403 size_t len;
2d553660 404
23b2fc0b
P		 405 mdname = ossl_rsa_oaeppss_nid2name(md_nid);
406 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid);
2d553660
RL		 407
408 if (mdname == NULL) {
409 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
410 "PSS restrictions lack hash algorithm");
411 return 0;
412 }
413 if (mgf1mdname == NULL) {
414 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
415 "PSS restrictions lack MGF1 hash algorithm");
416 return 0;
417 }
418
2de64666
NT		 419 len = OPENSSL_strlcpy(prsactx->mdname, mdname,
420 sizeof(prsactx->mdname));
421 if (len >= sizeof(prsactx->mdname)) {
422 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
423 "hash algorithm name too long");
424 return 0;
425 }
426 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,
427 sizeof(prsactx->mgf1_mdname));
428 if (len >= sizeof(prsactx->mgf1_mdname)) {
429 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
430 "MGF1 hash algorithm name too long");
431 return 0;
432 }
2d553660
RL		 433 prsactx->saltlen = min_saltlen;
434
bbde8566
TM		 435 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */
436 return rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq)
437 && rsa_setup_md(prsactx, mdname, prsactx->propq)
438 && rsa_check_parameters(prsactx, min_saltlen);
2d553660
RL		 439 }
440 }
441
442 break;
443 default:
444 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
445 return 0;
446 }
447
448 return 1;
449}
450
6f4b7663
RL		 451static int setup_tbuf(PROV_RSA_CTX *ctx)
452{
453 if (ctx->tbuf != NULL)
454 return 1;
455 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) {
456 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
457 return 0;
458 }
459 return 1;
460}
461
462static void clean_tbuf(PROV_RSA_CTX *ctx)
463{
464 if (ctx->tbuf != NULL)
465 OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa));
466}
467
468static void free_tbuf(PROV_RSA_CTX *ctx)
469{
2d553660
RL		 470 clean_tbuf(ctx);
471 OPENSSL_free(ctx->tbuf);
6f4b7663
RL		 472 ctx->tbuf = NULL;
473}
474
556b8937 475static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
0ec36bf1 476{
f590a5ea
P		 477 if (!ossl_prov_is_running())
478 return 0;
556b8937 479 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_SIGN);
0ec36bf1
RL		 480}
481
6f4b7663
RL		 482static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
483 size_t sigsize, const unsigned char *tbs, size_t tbslen)
484{
485 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
486 int ret;
487 size_t rsasize = RSA_size(prsactx->rsa);
488 size_t mdsize = rsa_get_md_size(prsactx);
489
f590a5ea
P		 490 if (!ossl_prov_is_running())
491 return 0;
492
6f4b7663
RL		 493 if (sig == NULL) {
494 *siglen = rsasize;
495 return 1;
496 }
497
2d553660
RL		 498 if (sigsize < rsasize) {
499 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,
500 "is %zu, should be at least %zu", sigsize, rsasize);
6f4b7663 501 return 0;
2d553660 502 }
6f4b7663
RL		 503
504 if (mdsize != 0) {
505 if (tbslen != mdsize) {
506 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
507 return 0;
508 }
509
f844f9eb 510#ifndef FIPS_MODULE
6f4b7663
RL		 511 if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {
512 unsigned int sltmp;
513
514 if (prsactx->pad_mode != RSA_PKCS1_PADDING) {
515 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
516 "only PKCS#1 padding supported with MDC2");
517 return 0;
518 }
519 ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,
520 prsactx->rsa);
521
522 if (ret <= 0) {
c5689319 523 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 524 return 0;
525 }
526 ret = sltmp;
527 goto end;
528 }
1b6ea308 529#endif
6f4b7663
RL		 530 switch (prsactx->pad_mode) {
531 case RSA_X931_PADDING:
532 if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {
2d553660
RL		 533 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,
534 "RSA key size = %d, expected minimum = %d",
535 RSA_size(prsactx->rsa), tbslen + 1);
6f4b7663
RL		 536 return 0;
537 }
538 if (!setup_tbuf(prsactx)) {
539 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
540 return 0;
541 }
542 memcpy(prsactx->tbuf, tbs, tbslen);
543 prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);
544 ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,
545 sig, prsactx->rsa, RSA_X931_PADDING);
546 clean_tbuf(prsactx);
547 break;
548
549 case RSA_PKCS1_PADDING:
550 {
551 unsigned int sltmp;
552
553 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,
554 prsactx->rsa);
555 if (ret <= 0) {
c5689319 556 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 557 return 0;
558 }
559 ret = sltmp;
560 }
561 break;
562
563 case RSA_PKCS1_PSS_PADDING:
564 /* Check PSS restrictions */
565 if (rsa_pss_restricted(prsactx)) {
566 switch (prsactx->saltlen) {
567 case RSA_PSS_SALTLEN_DIGEST:
568 if (prsactx->min_saltlen > EVP_MD_size(prsactx->md)) {
2d553660
RL		 569 ERR_raise_data(ERR_LIB_PROV,
570 PROV_R_PSS_SALTLEN_TOO_SMALL,
571 "minimum salt length set to %d, "
572 "but the digest only gives %d",
573 prsactx->min_saltlen,
574 EVP_MD_size(prsactx->md));
6f4b7663
RL		 575 return 0;
576 }
577 /* FALLTHRU */
578 default:
579 if (prsactx->saltlen >= 0
580 && prsactx->saltlen < prsactx->min_saltlen) {
2d553660
RL		 581 ERR_raise_data(ERR_LIB_PROV,
582 PROV_R_PSS_SALTLEN_TOO_SMALL,
583 "minimum salt length set to %d, but the"
584 "actual salt length is only set to %d",
585 prsactx->min_saltlen,
586 prsactx->saltlen);
6f4b7663
RL		 587 return 0;
588 }
589 break;
590 }
591 }
592 if (!setup_tbuf(prsactx))
593 return 0;
594 if (!RSA_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
595 prsactx->tbuf, tbs,
596 prsactx->md, prsactx->mgf1_md,
597 prsactx->saltlen)) {
c5689319 598 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 599 return 0;
600 }
601 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
602 sig, prsactx->rsa, RSA_NO_PADDING);
603 clean_tbuf(prsactx);
604 break;
605
606 default:
607 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
608 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
609 return 0;
610 }
611 } else {
612 ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,
613 prsactx->pad_mode);
614 }
615
f844f9eb 616#ifndef FIPS_MODULE
6f4b7663
RL		 617 end:
618#endif
619 if (ret <= 0) {
c5689319 620 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 621 return 0;
622 }
623
624 *siglen = ret;
625 return 1;
626}
627
556b8937
P		 628static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
629 const OSSL_PARAM params[])
0ec36bf1 630{
f590a5ea
P		 631 if (!ossl_prov_is_running())
632 return 0;
556b8937
P		 633 return rsa_signverify_init(vprsactx, vrsa, params,
634 EVP_PKEY_OP_VERIFYRECOVER);
0ec36bf1
RL		 635}
636
6f4b7663
RL		 637static int rsa_verify_recover(void *vprsactx,
638 unsigned char *rout,
639 size_t *routlen,
640 size_t routsize,
641 const unsigned char *sig,
642 size_t siglen)
643{
644 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
645 int ret;
646
f590a5ea
P		 647 if (!ossl_prov_is_running())
648 return 0;
649
6f4b7663
RL		 650 if (rout == NULL) {
651 *routlen = RSA_size(prsactx->rsa);
652 return 1;
653 }
654
655 if (prsactx->md != NULL) {
656 switch (prsactx->pad_mode) {
657 case RSA_X931_PADDING:
658 if (!setup_tbuf(prsactx))
659 return 0;
660 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
661 RSA_X931_PADDING);
662 if (ret < 1) {
c5689319 663 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 664 return 0;
665 }
666 ret--;
667 if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {
668 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);
669 return 0;
670 }
671 if (ret != EVP_MD_size(prsactx->md)) {
672 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
673 "Should be %d, but got %d",
674 EVP_MD_size(prsactx->md), ret);
675 return 0;
676 }
677
678 *routlen = ret;
4f2271d5
SL		 679 if (rout != prsactx->tbuf) {
680 if (routsize < (size_t)ret) {
681 ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
682 "buffer size is %d, should be %d",
683 routsize, ret);
684 return 0;
685 }
686 memcpy(rout, prsactx->tbuf, ret);
6f4b7663 687 }
6f4b7663
RL		 688 break;
689
690 case RSA_PKCS1_PADDING:
691 {
692 size_t sltmp;
693
694 ret = int_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,
695 sig, siglen, prsactx->rsa);
696 if (ret <= 0) {
c5689319 697 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 698 return 0;
699 }
700 ret = sltmp;
701 }
702 break;
703
704 default:
705 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
706 "Only X.931 or PKCS#1 v1.5 padding allowed");
707 return 0;
708 }
709 } else {
710 ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,
711 prsactx->pad_mode);
712 if (ret < 0) {
c5689319 713 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 714 return 0;
715 }
716 }
717 *routlen = ret;
718 return 1;
719}
720
556b8937
P		 721static int rsa_verify_init(void *vprsactx, void *vrsa,
722 const OSSL_PARAM params[])
0ec36bf1 723{
f590a5ea
P		 724 if (!ossl_prov_is_running())
725 return 0;
556b8937 726 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_VERIFY);
0ec36bf1
RL		 727}
728
6f4b7663
RL		 729static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
730 const unsigned char *tbs, size_t tbslen)
731{
732 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
733 size_t rslen;
734
f590a5ea
P		 735 if (!ossl_prov_is_running())
736 return 0;
6f4b7663
RL		 737 if (prsactx->md != NULL) {
738 switch (prsactx->pad_mode) {
739 case RSA_PKCS1_PADDING:
740 if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,
741 prsactx->rsa)) {
c5689319 742 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 743 return 0;
744 }
745 return 1;
746 case RSA_X931_PADDING:
4f2271d5
SL		 747 if (!setup_tbuf(prsactx))
748 return 0;
749 if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,
750 sig, siglen) <= 0)
6f4b7663
RL		 751 return 0;
752 break;
753 case RSA_PKCS1_PSS_PADDING:
754 {
755 int ret;
756 size_t mdsize;
757
6f4b7663
RL		 758 /*
759 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1()
760 * call
761 */
762 mdsize = rsa_get_md_size(prsactx);
763 if (tbslen != mdsize) {
764 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
765 "Should be %d, but got %d",
766 mdsize, tbslen);
767 return 0;
768 }
769
770 if (!setup_tbuf(prsactx))
771 return 0;
772 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,
773 prsactx->rsa, RSA_NO_PADDING);
774 if (ret <= 0) {
c5689319 775 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 776 return 0;
777 }
778 ret = RSA_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
779 prsactx->md, prsactx->mgf1_md,
780 prsactx->tbuf,
781 prsactx->saltlen);
782 if (ret <= 0) {
c5689319 783 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 784 return 0;
785 }
786 return 1;
787 }
788 default:
789 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
790 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
791 return 0;
792 }
793 } else {
794 if (!setup_tbuf(prsactx))
795 return 0;
796 rslen = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
797 prsactx->pad_mode);
798 if (rslen == 0) {
c5689319 799 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 800 return 0;
801 }
802 }
803
804 if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))
805 return 0;
806
807 return 1;
808}
809
810static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
556b8937
P		 811 void *vrsa, const OSSL_PARAM params[],
812 int operation)
6f4b7663
RL		 813{
814 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
815
f590a5ea
P		 816 if (!ossl_prov_is_running())
817 return 0;
818
db1319b7
SL		 819 if (prsactx != NULL)
820 prsactx->flag_allow_md = 0;
556b8937 821 if (!rsa_signverify_init(vprsactx, vrsa, params, operation))
bbde8566
TM		 822 return 0;
823 if (mdname != NULL
824 /* was rsa_setup_md already called in rsa_signverify_init()? */
825 && (mdname[0] == '\0' || strcasecmp(prsactx->mdname, mdname) != 0)
826 && !rsa_setup_md(prsactx, mdname, prsactx->propq))
6f4b7663
RL		 827 return 0;
828
829 prsactx->mdctx = EVP_MD_CTX_new();
2d553660
RL		 830 if (prsactx->mdctx == NULL) {
831 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
6f4b7663 832 goto error;
2d553660 833 }
6f4b7663 834
556b8937 835 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
6f4b7663
RL		 836 goto error;
837
838 return 1;
839
840 error:
841 EVP_MD_CTX_free(prsactx->mdctx);
842 EVP_MD_free(prsactx->md);
843 prsactx->mdctx = NULL;
844 prsactx->md = NULL;
845 return 0;
846}
847
0ec36bf1
RL		 848static int rsa_digest_signverify_update(void *vprsactx,
849 const unsigned char *data,
850 size_t datalen)
6f4b7663
RL		 851{
852 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
853
854 if (prsactx == NULL || prsactx->mdctx == NULL)
855 return 0;
856
857 return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
858}
859
0ec36bf1 860static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
556b8937 861 void *vrsa, const OSSL_PARAM params[])
0ec36bf1 862{
f590a5ea
P		 863 if (!ossl_prov_is_running())
864 return 0;
2d553660 865 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
556b8937 866 params, EVP_PKEY_OP_SIGN);
0ec36bf1
RL		 867}
868
869static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
870 size_t *siglen, size_t sigsize)
6f4b7663
RL		 871{
872 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
873 unsigned char digest[EVP_MAX_MD_SIZE];
874 unsigned int dlen = 0;
875
f590a5ea 876 if (!ossl_prov_is_running() || prsactx == NULL)
51bba73e 877 return 0;
6f4b7663 878 prsactx->flag_allow_md = 1;
51bba73e 879 if (prsactx->mdctx == NULL)
6f4b7663 880 return 0;
6f4b7663
RL		 881 /*
882 * If sig is NULL then we're just finding out the sig size. Other fields
883 * are ignored. Defer to rsa_sign.
884 */
885 if (sig != NULL) {
886 /*
3f699197
SL		 887 * The digests used here are all known (see rsa_get_md_nid()), so they
888 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
6f4b7663
RL		 889 */
890 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
891 return 0;
892 }
893
894 return rsa_sign(vprsactx, sig, siglen, sigsize, digest, (size_t)dlen);
895}
896
0ec36bf1 897static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
556b8937 898 void *vrsa, const OSSL_PARAM params[])
0ec36bf1 899{
f590a5ea
P		 900 if (!ossl_prov_is_running())
901 return 0;
2d553660 902 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
556b8937 903 params, EVP_PKEY_OP_VERIFY);
0ec36bf1 904}
6f4b7663
RL		 905
906int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
907 size_t siglen)
908{
909 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
910 unsigned char digest[EVP_MAX_MD_SIZE];
911 unsigned int dlen = 0;
912
f590a5ea
P		 913 if (!ossl_prov_is_running())
914 return 0;
915
db1319b7
SL		 916 if (prsactx == NULL)
917 return 0;
6f4b7663 918 prsactx->flag_allow_md = 1;
db1319b7 919 if (prsactx->mdctx == NULL)
6f4b7663
RL		 920 return 0;
921
922 /*
3f699197
SL		 923 * The digests used here are all known (see rsa_get_md_nid()), so they
924 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
6f4b7663
RL		 925 */
926 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
927 return 0;
928
929 return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
930}
931
932static void rsa_freectx(void *vprsactx)
933{
934 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
935
936 if (prsactx == NULL)
937 return;
938
6f4b7663
RL		 939 EVP_MD_CTX_free(prsactx->mdctx);
940 EVP_MD_free(prsactx->md);
941 EVP_MD_free(prsactx->mgf1_md);
2c6094ba 942 OPENSSL_free(prsactx->propq);
6f4b7663 943 free_tbuf(prsactx);
fdf6118b 944 RSA_free(prsactx->rsa);
6f4b7663 945
26c5ea8f 946 OPENSSL_clear_free(prsactx, sizeof(*prsactx));
6f4b7663
RL		 947}
948
949static void *rsa_dupctx(void *vprsactx)
950{
951 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
952 PROV_RSA_CTX *dstctx;
953
f590a5ea
P		 954 if (!ossl_prov_is_running())
955 return NULL;
956
6f4b7663 957 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
2d553660
RL		 958 if (dstctx == NULL) {
959 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
6f4b7663 960 return NULL;
2d553660 961 }
6f4b7663
RL		 962
963 *dstctx = *srcctx;
964 dstctx->rsa = NULL;
965 dstctx->md = NULL;
966 dstctx->mdctx = NULL;
967 dstctx->tbuf = NULL;
c2386b81 968 dstctx->propq = NULL;
6f4b7663
RL		 969
970 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))
971 goto err;
972 dstctx->rsa = srcctx->rsa;
973
974 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
975 goto err;
976 dstctx->md = srcctx->md;
977
978 if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))
979 goto err;
980 dstctx->mgf1_md = srcctx->mgf1_md;
981
982 if (srcctx->mdctx != NULL) {
983 dstctx->mdctx = EVP_MD_CTX_new();
984 if (dstctx->mdctx == NULL
985 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
986 goto err;
987 }
988
c2386b81
SL		 989 if (srcctx->propq != NULL) {
990 dstctx->propq = OPENSSL_strdup(srcctx->propq);
991 if (dstctx->propq == NULL)
992 goto err;
993 }
994
6f4b7663
RL		 995 return dstctx;
996 err:
997 rsa_freectx(dstctx);
998 return NULL;
999}
1000
1001static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
1002{
1003 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1004 OSSL_PARAM *p;
1005
556b8937 1006 if (prsactx == NULL)
6f4b7663
RL		 1007 return 0;
1008
1009 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
bbde8566
TM		 1010 if (p != NULL) {
1011 /* The Algorithm Identifier of the combined signature algorithm */
1012 unsigned char aid_buf[128];
1013 unsigned char *aid;
1014 size_t aid_len;
1015
1016 aid = rsa_generate_signature_aid(prsactx, aid_buf,
1017 sizeof(aid_buf), &aid_len);
1018 if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len))
1019 return 0;
1020 }
6f4b7663
RL		 1021
1022 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1023 if (p != NULL)
1024 switch (p->data_type) {
1025 case OSSL_PARAM_INTEGER:
1026 if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))
1027 return 0;
1028 break;
1029 case OSSL_PARAM_UTF8_STRING:
1030 {
1031 int i;
1032 const char *word = NULL;
1033
1034 for (i = 0; padding_item[i].id != 0; i++) {
1035 if (prsactx->pad_mode == (int)padding_item[i].id) {
1036 word = padding_item[i].ptr;
1037 break;
1038 }
1039 }
1040
1041 if (word != NULL) {
1042 if (!OSSL_PARAM_set_utf8_string(p, word))
1043 return 0;
1044 } else {
1045 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
1046 }
1047 }
1048 break;
1049 default:
1050 return 0;
1051 }
1052
1053 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
1054 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))
1055 return 0;
1056
1057 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1058 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))
1059 return 0;
1060
1061 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1062 if (p != NULL) {
1063 if (p->data_type == OSSL_PARAM_INTEGER) {
1064 if (!OSSL_PARAM_set_int(p, prsactx->saltlen))
1065 return 0;
1066 } else if (p->data_type == OSSL_PARAM_UTF8_STRING) {
b8086652
SL		 1067 const char *value = NULL;
1068
6f4b7663
RL		 1069 switch (prsactx->saltlen) {
1070 case RSA_PSS_SALTLEN_DIGEST:
b8086652 1071 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;
6f4b7663
RL		 1072 break;
1073 case RSA_PSS_SALTLEN_MAX:
b8086652 1074 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;
6f4b7663
RL		 1075 break;
1076 case RSA_PSS_SALTLEN_AUTO:
b8086652 1077 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
6f4b7663
RL		 1078 break;
1079 default:
b8086652
SL		 1080 {
1081 int len = BIO_snprintf(p->data, p->data_size, "%d",
1082 prsactx->saltlen);
1083
1084 if (len <= 0)
1085 return 0;
1086 p->return_size = len;
1087 break;
1088 }
6f4b7663 1089 }
b8086652
SL		 1090 if (value != NULL
1091 && !OSSL_PARAM_set_utf8_string(p, value))
1092 return 0;
6f4b7663
RL		 1093 }
1094 }
1095
1096 return 1;
1097}
1098
1099static const OSSL_PARAM known_gettable_ctx_params[] = {
1100 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
1101 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1102 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1103 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1104 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1105 OSSL_PARAM_END
1106};
1107
fb67126e
TM		 1108static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
1109 ossl_unused void *provctx)
6f4b7663
RL		 1110{
1111 return known_gettable_ctx_params;
1112}
1113
1114static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
1115{
1116 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1117 const OSSL_PARAM *p;
93e43f4c
BK		 1118 int pad_mode;
1119 int saltlen;
bbde8566
TM		 1120 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL;
1121 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL;
1122 char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;
1123 char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;
6f4b7663 1124
556b8937 1125 if (prsactx == NULL)
6f4b7663 1126 return 0;
556b8937
P		 1127 if (params == NULL)
1128 return 1;
1129
93e43f4c
BK		 1130 pad_mode = prsactx->pad_mode;
1131 saltlen = prsactx->saltlen;
6f4b7663
RL		 1132
1133 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
1134 /* Not allowed during certain operations */
1135 if (p != NULL && !prsactx->flag_allow_md)
1136 return 0;
1137 if (p != NULL) {
6f4b7663
RL		 1138 const OSSL_PARAM *propsp =
1139 OSSL_PARAM_locate_const(params,
1140 OSSL_SIGNATURE_PARAM_PROPERTIES);
1141
bbde8566 1142 pmdname = mdname;
6f4b7663
RL		 1143 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
1144 return 0;
2c6094ba 1145
bbde8566
TM		 1146 if (propsp != NULL) {
1147 pmdprops = mdprops;
1148 if (!OSSL_PARAM_get_utf8_string(propsp,
1149 &pmdprops, sizeof(mdprops)))
1150 return 0;
6f4b7663 1151 }
6f4b7663
RL		 1152 }
1153
1154 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1155 if (p != NULL) {
0ec36bf1 1156 const char *err_extra_text = NULL;
6f4b7663
RL		 1157
1158 switch (p->data_type) {
1159 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1160 if (!OSSL_PARAM_get_int(p, &pad_mode))
1161 return 0;
1162 break;
1163 case OSSL_PARAM_UTF8_STRING:
1164 {
1165 int i;
1166
1167 if (p->data == NULL)
1168 return 0;
1169
1170 for (i = 0; padding_item[i].id != 0; i++) {
1171 if (strcmp(p->data, padding_item[i].ptr) == 0) {
1172 pad_mode = padding_item[i].id;
1173 break;
1174 }
1175 }
1176 }
1177 break;
1178 default:
1179 return 0;
1180 }
1181
1182 switch (pad_mode) {
1183 case RSA_PKCS1_OAEP_PADDING:
1184 /*
1185 * OAEP padding is for asymmetric cipher only so is not compatible
1186 * with signature use.
1187 */
0ec36bf1
RL		 1188 err_extra_text = "OAEP padding not allowed for signing / verifying";
1189 goto bad_pad;
6f4b7663 1190 case RSA_PKCS1_PSS_PADDING:
0ec36bf1
RL		 1191 if ((prsactx->operation
1192 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) == 0) {
1193 err_extra_text =
1194 "PSS padding only allowed for sign and verify operations";
1195 goto bad_pad;
1196 }
0ec36bf1 1197 break;
6f4b7663 1198 case RSA_PKCS1_PADDING:
0ec36bf1
RL		 1199 err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";
1200 goto cont;
6f4b7663 1201 case RSA_NO_PADDING:
0ec36bf1
RL		 1202 err_extra_text = "No padding not allowed with RSA-PSS";
1203 goto cont;
6f4b7663 1204 case RSA_X931_PADDING:
0ec36bf1 1205 err_extra_text = "X.931 padding not allowed with RSA-PSS";
6f4b7663 1206 cont:
2d553660
RL		 1207 if (RSA_test_flags(prsactx->rsa,
1208 RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
0ec36bf1
RL		 1209 break;
1210 /* FALLTHRU */
6f4b7663 1211 default:
0ec36bf1
RL		 1212 bad_pad:
1213 if (err_extra_text == NULL)
1214 ERR_raise(ERR_LIB_PROV,
1215 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
1216 else
1217 ERR_raise_data(ERR_LIB_PROV,
1218 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
1219 err_extra_text);
6f4b7663
RL		 1220 return 0;
1221 }
6f4b7663
RL		 1222 }
1223
1224 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1225 if (p != NULL) {
bbde8566 1226 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
6f4b7663
RL		 1227 ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
1228 "PSS saltlen can only be specified if "
1229 "PSS padding has been specified first");
1230 return 0;
1231 }
1232
1233 switch (p->data_type) {
1234 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1235 if (!OSSL_PARAM_get_int(p, &saltlen))
1236 return 0;
1237 break;
1238 case OSSL_PARAM_UTF8_STRING:
b8086652 1239 if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)
6f4b7663 1240 saltlen = RSA_PSS_SALTLEN_DIGEST;
b8086652 1241 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)
6f4b7663 1242 saltlen = RSA_PSS_SALTLEN_MAX;
b8086652 1243 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
6f4b7663
RL		 1244 saltlen = RSA_PSS_SALTLEN_AUTO;
1245 else
1246 saltlen = atoi(p->data);
1247 break;
1248 default:
1249 return 0;
1250 }
1251
1252 /*
1253 * RSA_PSS_SALTLEN_MAX seems curiously named in this check.
1254 * Contrary to what it's name suggests, it's the currently
1255 * lowest saltlen number possible.
1256 */
1257 if (saltlen < RSA_PSS_SALTLEN_MAX) {
f5f29796 1258 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
6f4b7663
RL		 1259 return 0;
1260 }
1261
0ec36bf1 1262 if (rsa_pss_restricted(prsactx)) {
6ce6ad39 1263 switch (saltlen) {
0ec36bf1
RL		 1264 case RSA_PSS_SALTLEN_AUTO:
1265 if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
f5f29796
TM		 1266 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
1267 "Cannot use autodetected salt length");
0ec36bf1
RL		 1268 return 0;
1269 }
1270 break;
1271 case RSA_PSS_SALTLEN_DIGEST:
1272 if (prsactx->min_saltlen > EVP_MD_size(prsactx->md)) {
1273 ERR_raise_data(ERR_LIB_PROV,
1274 PROV_R_PSS_SALTLEN_TOO_SMALL,
1275 "Should be more than %d, but would be "
1276 "set to match digest size (%d)",
1277 prsactx->min_saltlen,
1278 EVP_MD_size(prsactx->md));
1279 return 0;
1280 }
6ce6ad39 1281 break;
0ec36bf1
RL		 1282 default:
1283 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {
1284 ERR_raise_data(ERR_LIB_PROV,
1285 PROV_R_PSS_SALTLEN_TOO_SMALL,
1286 "Should be more than %d, "
1287 "but would be set to %d",
1288 prsactx->min_saltlen, saltlen);
1289 return 0;
1290 }
1291 }
1292 }
6f4b7663
RL		 1293 }
1294
1295 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1296 if (p != NULL) {
6f4b7663
RL		 1297 const OSSL_PARAM *propsp =
1298 OSSL_PARAM_locate_const(params,
1299 OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);
1300
bbde8566
TM		 1301 pmgf1mdname = mgf1mdname;
1302 if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname)))
6f4b7663 1303 return 0;
2c6094ba 1304
bbde8566
TM		 1305 if (propsp != NULL) {
1306 pmgf1mdprops = mgf1mdprops;
1307 if (!OSSL_PARAM_get_utf8_string(propsp,
1308 &pmgf1mdprops, sizeof(mgf1mdprops)))
1309 return 0;
1310 }
6f4b7663 1311
bbde8566 1312 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
6f4b7663
RL		 1313 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);
1314 return 0;
1315 }
bbde8566 1316 }
6f4b7663 1317
bbde8566
TM		 1318 prsactx->saltlen = saltlen;
1319 prsactx->pad_mode = pad_mode;
1320
1321 if (prsactx->md == NULL && pmdname == NULL
1322 && pad_mode == RSA_PKCS1_PSS_PADDING)
1323 pmdname = RSA_DEFAULT_DIGEST_NAME;
6f4b7663 1324
bbde8566
TM		 1325 if (pmgf1mdname != NULL
1326 && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
1327 return 0;
1328
1329 if (pmdname != NULL) {
1330 if (!rsa_setup_md(prsactx, pmdname, pmdprops))
1331 return 0;
1332 } else {
1333 if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid))
6f4b7663
RL		 1334 return 0;
1335 }
6f4b7663
RL		 1336 return 1;
1337}
1338
fb67126e 1339static const OSSL_PARAM settable_ctx_params[] = {
6f4b7663
RL		 1340 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1341 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
fb67126e 1342 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
6f4b7663
RL		 1343 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1344 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1345 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1346 OSSL_PARAM_END
1347};
1348
fb67126e
TM		 1349static const OSSL_PARAM settable_ctx_params_no_digest[] = {
1350 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1351 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1352 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1353 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1354 OSSL_PARAM_END
1355};
1356
1357static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx,
1358 ossl_unused void *provctx)
6f4b7663 1359{
fb67126e
TM		 1360 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1361
1362 if (prsactx != NULL && !prsactx->flag_allow_md)
1363 return settable_ctx_params_no_digest;
1364 return settable_ctx_params;
6f4b7663
RL		 1365}
1366
1367static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)
1368{
1369 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1370
1371 if (prsactx->mdctx == NULL)
1372 return 0;
1373
1374 return EVP_MD_CTX_get_params(prsactx->mdctx, params);
1375}
1376
1377static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)
1378{
1379 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1380
1381 if (prsactx->md == NULL)
1382 return 0;
1383
1384 return EVP_MD_gettable_ctx_params(prsactx->md);
1385}
1386
1387static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])
1388{
1389 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1390
1391 if (prsactx->mdctx == NULL)
1392 return 0;
1393
1394 return EVP_MD_CTX_set_params(prsactx->mdctx, params);
1395}
1396
1397static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
1398{
1399 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1400
1401 if (prsactx->md == NULL)
1402 return 0;
1403
1404 return EVP_MD_settable_ctx_params(prsactx->md);
1405}
1406
1be63951 1407const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
6f4b7663 1408 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
0ec36bf1 1409 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
6f4b7663 1410 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },
0ec36bf1 1411 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },
6f4b7663 1412 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },
0ec36bf1
RL		 1413 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,
1414 (void (*)(void))rsa_verify_recover_init },
1415 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,
1416 (void (*)(void))rsa_verify_recover },
6f4b7663 1417 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
0ec36bf1 1418 (void (*)(void))rsa_digest_sign_init },
6f4b7663
RL		 1419 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
1420 (void (*)(void))rsa_digest_signverify_update },
1421 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
1422 (void (*)(void))rsa_digest_sign_final },
1423 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
0ec36bf1 1424 (void (*)(void))rsa_digest_verify_init },
6f4b7663
RL		 1425 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
1426 (void (*)(void))rsa_digest_signverify_update },
1427 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
1428 (void (*)(void))rsa_digest_verify_final },
1429 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },
1430 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },
1431 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },
1432 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
1433 (void (*)(void))rsa_gettable_ctx_params },
1434 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },
1435 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
1436 (void (*)(void))rsa_settable_ctx_params },
1437 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
1438 (void (*)(void))rsa_get_ctx_md_params },
1439 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
1440 (void (*)(void))rsa_gettable_ctx_md_params },
1441 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
1442 (void (*)(void))rsa_set_ctx_md_params },
1443 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
1444 (void (*)(void))rsa_settable_ctx_md_params },
1445 { 0, NULL }
1446};
A mirror of the official openssl repository