]> git.ipfire.org Git - thirdparty/openssl.git/blob - fips/rsa/fips_rsa_sign.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Redirect FIPS memory allocation to FIPS_malloc() routine, remove
[thirdparty/openssl.git] / fips / rsa / fips_rsa_sign.c
1 /* fips_rsa_sign.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2007.
4 */
5 /* ====================================================================
6 * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59 #define OPENSSL_FIPSAPI
60
61 #include <string.h>
62 #include <openssl/evp.h>
63 #include <openssl/rsa.h>
64 #include <openssl/err.h>
65 #include <openssl/sha.h>
66 #include <openssl/fips.h>
67
68 #ifdef OPENSSL_FIPS
69
70 /* FIPS versions of RSA_sign() and RSA_verify().
71 * These will only have to deal with SHA* signatures and by including
72 * pregenerated encodings all ASN1 dependencies can be avoided
73 */
74
75 /* Standard encodings including NULL parameter */
76
77 static const unsigned char sha1_bin[] = {
78 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
79 0x00, 0x04, 0x14
80 };
81
82 static const unsigned char sha224_bin[] = {
83 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
84 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
85 };
86
87 static const unsigned char sha256_bin[] = {
88 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
89 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
90 };
91
92 static const unsigned char sha384_bin[] = {
93 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
94 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
95 };
96
97 static const unsigned char sha512_bin[] = {
98 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
99 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
100 };
101
102 /* Alternate encodings with absent parameters. We don't generate signature
103 * using this format but do tolerate received signatures of this form.
104 */
105
106 static unsigned char sha1_nn_bin[] = {
107 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04,
108 0x14
109 };
110
111 static unsigned char sha224_nn_bin[] = {
112 0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
113 0x04, 0x02, 0x04, 0x04, 0x1c
114 };
115
116 static unsigned char sha256_nn_bin[] = {
117 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
118 0x04, 0x02, 0x01, 0x04, 0x20
119 };
120
121 static unsigned char sha384_nn_bin[] = {
122 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
123 0x04, 0x02, 0x02, 0x04, 0x30
124 };
125
126 static unsigned char sha512_nn_bin[] = {
127 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
128 0x04, 0x02, 0x03, 0x04, 0x40
129 };
130
131
132 static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len)
133 {
134 switch (nid)
135 {
136
137 case NID_sha1:
138 *len = sizeof(sha1_bin);
139 return sha1_bin;
140
141 case NID_sha224:
142 *len = sizeof(sha224_bin);
143 return sha224_bin;
144
145 case NID_sha256:
146 *len = sizeof(sha256_bin);
147 return sha256_bin;
148
149 case NID_sha384:
150 *len = sizeof(sha384_bin);
151 return sha384_bin;
152
153 case NID_sha512:
154 *len = sizeof(sha512_bin);
155 return sha512_bin;
156
157 default:
158 return NULL;
159
160 }
161 }
162
163 static const unsigned char *fips_digestinfo_nn_encoding(int nid, unsigned int *len)
164 {
165 switch (nid)
166 {
167
168 case NID_sha1:
169 *len = sizeof(sha1_nn_bin);
170 return sha1_nn_bin;
171
172 case NID_sha224:
173 *len = sizeof(sha224_nn_bin);
174 return sha224_nn_bin;
175
176 case NID_sha256:
177 *len = sizeof(sha256_nn_bin);
178 return sha256_nn_bin;
179
180 case NID_sha384:
181 *len = sizeof(sha384_nn_bin);
182 return sha384_nn_bin;
183
184 case NID_sha512:
185 *len = sizeof(sha512_nn_bin);
186 return sha512_nn_bin;
187
188 default:
189 return NULL;
190
191 }
192 }
193
194
195 int FIPS_rsa_sign_ctx(RSA *rsa, EVP_MD_CTX *ctx,
196 int rsa_pad_mode, int saltlen, const EVP_MD *mgf1Hash,
197 unsigned char *sigret, unsigned int *siglen)
198 {
199 int i=0,j,ret=0;
200 unsigned int dlen;
201 const unsigned char *der;
202 unsigned int m_len;
203 const EVP_MD *mhash;
204 int md_type;
205 /* Largest DigestInfo: 19 (max encoding) + max MD */
206 unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE];
207 unsigned char md[EVP_MAX_MD_SIZE + 1];
208
209 EVP_DigestFinal_ex(ctx, md, &m_len);
210
211 mhash = M_EVP_MD_CTX_md(ctx);
212 md_type = M_EVP_MD_type(mhash);
213
214 if (rsa_pad_mode == RSA_X931_PADDING)
215 {
216 int hash_id;
217 memcpy(tmpdinfo, md, m_len);
218 hash_id = RSA_X931_hash_id(md_type);
219 if (hash_id == -1)
220 {
221 RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
222 return 0;
223 }
224 tmpdinfo[m_len] = (unsigned char)hash_id;
225 i = m_len + 1;
226 }
227 else if (rsa_pad_mode == RSA_PKCS1_PADDING)
228 {
229
230 der = fips_digestinfo_encoding(md_type, &dlen);
231
232 if (!der)
233 {
234 RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
235 return 0;
236 }
237 memcpy(tmpdinfo, der, dlen);
238 memcpy(tmpdinfo + dlen, md, m_len);
239
240 i = dlen + m_len;
241
242 }
243 else if (rsa_pad_mode == RSA_PKCS1_PSS_PADDING)
244 {
245 unsigned char *sbuf;
246 i = RSA_size(rsa);
247 sbuf = OPENSSL_malloc(RSA_size(rsa));
248 if (!sbuf)
249 {
250 RSAerr(RSA_F_FIPS_RSA_SIGN,ERR_R_MALLOC_FAILURE);
251 goto psserr;
252 }
253 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, sbuf, md, mhash,
254 mgf1Hash, saltlen))
255 goto psserr;
256 j=rsa->meth->rsa_priv_enc(i,sbuf,sigret,rsa,RSA_NO_PADDING);
257 if (j > 0)
258 {
259 ret=1;
260 *siglen=j;
261 }
262 psserr:
263 OPENSSL_cleanse(md,m_len);
264 OPENSSL_cleanse(sbuf, i);
265 OPENSSL_free(sbuf);
266 return ret;
267 }
268
269 j=RSA_size(rsa);
270 if (i > (j-RSA_PKCS1_PADDING_SIZE))
271 {
272 RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
273 goto done;
274 }
275 /* NB: call underlying method directly to avoid FIPS blocking */
276 j=rsa->meth->rsa_priv_enc(i,tmpdinfo,sigret,rsa,rsa_pad_mode);
277 if (j > 0)
278 {
279 ret=1;
280 *siglen=j;
281 }
282
283 done:
284 OPENSSL_cleanse(tmpdinfo,i);
285 OPENSSL_cleanse(md,m_len);
286 return ret;
287 }
288
289 int FIPS_rsa_verify_ctx(RSA *rsa, EVP_MD_CTX *ctx,
290 int rsa_pad_mode, int saltlen, const EVP_MD *mgf1Hash,
291 unsigned char *sigbuf, unsigned int siglen)
292 {
293 int i,ret=0;
294 unsigned int dlen, diglen;
295 unsigned char *s;
296 const unsigned char *der;
297 unsigned char dig[EVP_MAX_MD_SIZE];
298 const EVP_MD *mhash;
299 int md_type;
300 int rsa_dec_pad_mode;
301
302 if (siglen != (unsigned int)RSA_size(rsa))
303 {
304 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
305 return(0);
306 }
307
308 mhash = M_EVP_MD_CTX_md(ctx);
309 md_type = M_EVP_MD_type(mhash);
310
311 EVP_DigestFinal_ex(ctx, dig, &diglen);
312
313 s= OPENSSL_malloc((unsigned int)siglen);
314 if (s == NULL)
315 {
316 RSAerr(RSA_F_FIPS_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
317 goto err;
318 }
319
320 if (rsa_pad_mode == RSA_PKCS1_PSS_PADDING)
321 rsa_dec_pad_mode = RSA_NO_PADDING;
322 else
323 rsa_dec_pad_mode = rsa_pad_mode;
324
325 /* NB: call underlying method directly to avoid FIPS blocking */
326 i=rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s, rsa, rsa_dec_pad_mode);
327
328 if (i <= 0) goto err;
329
330 if (rsa_pad_mode == RSA_X931_PADDING)
331 {
332 int hash_id;
333 if (i != (int)(diglen + 1))
334 {
335 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
336 goto err;
337 }
338 hash_id = RSA_X931_hash_id(md_type);
339 if (hash_id == -1)
340 {
341 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE);
342 goto err;
343 }
344 if (s[diglen] != (unsigned char)hash_id)
345 {
346 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
347 goto err;
348 }
349 if (memcmp(s, dig, diglen))
350 {
351 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
352 goto err;
353 }
354 ret = 1;
355 }
356 else if (rsa_pad_mode == RSA_PKCS1_PADDING)
357 {
358
359 der = fips_digestinfo_encoding(md_type, &dlen);
360
361 if (!der)
362 {
363 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE);
364 return(0);
365 }
366
367 /* Compare, DigestInfo length, DigestInfo header and finally
368 * digest value itself
369 */
370
371 /* If length mismatch try alternate encoding */
372 if (i != (int)(dlen + diglen))
373 der = fips_digestinfo_nn_encoding(md_type, &dlen);
374
375 if ((i != (int)(dlen + diglen)) || memcmp(der, s, dlen)
376 || memcmp(s + dlen, dig, diglen))
377 {
378 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
379 goto err;
380 }
381 ret = 1;
382
383 }
384 else if (rsa_pad_mode == RSA_PKCS1_PSS_PADDING)
385 {
386 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, dig, mhash, mgf1Hash,
387 s, saltlen);
388 if (ret < 0)
389 ret = 0;
390 }
391 err:
392 if (s != NULL)
393 {
394 OPENSSL_cleanse(s, siglen);
395 OPENSSL_free(s);
396 }
397 return(ret);
398 }
399
400 #endif
A mirror of the official openssl repository