2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * ECDSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
16 #include <string.h> /* memcpy */
17 #include <openssl/crypto.h>
18 #include <openssl/core_dispatch.h>
19 #include <openssl/core_names.h>
20 #include <openssl/dsa.h>
21 #include <openssl/params.h>
22 #include <openssl/evp.h>
23 #include <openssl/err.h>
24 #include <openssl/proverr.h>
25 #include "internal/nelem.h"
26 #include "internal/sizes.h"
27 #include "internal/cryptlib.h"
28 #include "prov/providercommon.h"
29 #include "prov/implementations.h"
30 #include "prov/provider_ctx.h"
31 #include "prov/securitycheck.h"
32 #include "crypto/ec.h"
33 #include "prov/der_ec.h"
35 static OSSL_FUNC_signature_newctx_fn ecdsa_newctx
;
36 static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init
;
37 static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init
;
38 static OSSL_FUNC_signature_sign_fn ecdsa_sign
;
39 static OSSL_FUNC_signature_verify_fn ecdsa_verify
;
40 static OSSL_FUNC_signature_digest_sign_init_fn ecdsa_digest_sign_init
;
41 static OSSL_FUNC_signature_digest_sign_update_fn ecdsa_digest_signverify_update
;
42 static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final
;
43 static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init
;
44 static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update
;
45 static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final
;
46 static OSSL_FUNC_signature_freectx_fn ecdsa_freectx
;
47 static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx
;
48 static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params
;
49 static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params
;
50 static OSSL_FUNC_signature_set_ctx_params_fn ecdsa_set_ctx_params
;
51 static OSSL_FUNC_signature_settable_ctx_params_fn ecdsa_settable_ctx_params
;
52 static OSSL_FUNC_signature_get_ctx_md_params_fn ecdsa_get_ctx_md_params
;
53 static OSSL_FUNC_signature_gettable_ctx_md_params_fn ecdsa_gettable_ctx_md_params
;
54 static OSSL_FUNC_signature_set_ctx_md_params_fn ecdsa_set_ctx_md_params
;
55 static OSSL_FUNC_signature_settable_ctx_md_params_fn ecdsa_settable_ctx_md_params
;
58 * What's passed as an actual key is defined by the KEYMGMT interface.
59 * We happen to know that our KEYMGMT simply passes DSA structures, so
60 * we use that here too.
67 char mdname
[OSSL_MAX_NAME_SIZE
];
70 * Flag to determine if the hash function can be changed (1) or not (0)
71 * Because it's dangerous to change during a DigestSign or DigestVerify
72 * operation, this flag is cleared by their Init function, and set again
73 * by their Final function.
75 unsigned int flag_allow_md
: 1;
77 /* The Algorithm Identifier of the combined signature algorithm */
78 unsigned char aid_buf
[OSSL_MAX_ALGORITHM_ID_SIZE
];
87 * Internally used to cache the results of calling the EC group
88 * sign_setup() methods which are then passed to the sign operation.
89 * This is used by CAVS failure tests to terminate a loop if the signature
91 * This could of also been done with a simple flag.
95 #if !defined(OPENSSL_NO_ACVP_TESTS)
97 * This indicates that KAT (CAVS) test is running. Externally an app will
98 * override the random callback such that the generated private key and k
100 * Normal operation will loop to choose a new k if the signature is not
101 * valid - but for this mode of operation it forces a failure instead.
103 unsigned int kattest
;
107 static void *ecdsa_newctx(void *provctx
, const char *propq
)
111 if (!ossl_prov_is_running())
114 ctx
= OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX
));
118 ctx
->flag_allow_md
= 1;
119 ctx
->libctx
= PROV_LIBCTX_OF(provctx
);
120 if (propq
!= NULL
&& (ctx
->propq
= OPENSSL_strdup(propq
)) == NULL
) {
123 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
128 static int ecdsa_signverify_init(void *vctx
, void *ec
, int operation
)
130 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
132 if (!ossl_prov_is_running()
135 || !EC_KEY_up_ref(ec
))
137 EC_KEY_free(ctx
->ec
);
139 ctx
->operation
= operation
;
140 return ossl_ec_check_key(ec
, operation
== EVP_PKEY_OP_SIGN
);
143 static int ecdsa_sign_init(void *vctx
, void *ec
)
145 return ecdsa_signverify_init(vctx
, ec
, EVP_PKEY_OP_SIGN
);
148 static int ecdsa_verify_init(void *vctx
, void *ec
)
150 return ecdsa_signverify_init(vctx
, ec
, EVP_PKEY_OP_VERIFY
);
153 static int ecdsa_sign(void *vctx
, unsigned char *sig
, size_t *siglen
,
154 size_t sigsize
, const unsigned char *tbs
, size_t tbslen
)
156 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
159 size_t ecsize
= ECDSA_size(ctx
->ec
);
161 if (!ossl_prov_is_running())
169 #if !defined(OPENSSL_NO_ACVP_TESTS)
170 if (ctx
->kattest
&& !ECDSA_sign_setup(ctx
->ec
, NULL
, &ctx
->kinv
, &ctx
->r
))
174 if (sigsize
< (size_t)ecsize
)
177 if (ctx
->mdsize
!= 0 && tbslen
!= ctx
->mdsize
)
180 ret
= ECDSA_sign_ex(0, tbs
, tbslen
, sig
, &sltmp
, ctx
->kinv
, ctx
->r
, ctx
->ec
);
188 static int ecdsa_verify(void *vctx
, const unsigned char *sig
, size_t siglen
,
189 const unsigned char *tbs
, size_t tbslen
)
191 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
193 if (!ossl_prov_is_running() || (ctx
->mdsize
!= 0 && tbslen
!= ctx
->mdsize
))
196 return ECDSA_verify(0, tbs
, tbslen
, sig
, siglen
, ctx
->ec
);
199 static int ecdsa_setup_md(PROV_ECDSA_CTX
*ctx
, const char *mdname
,
204 int md_nid
, sha1_allowed
;
210 mdname_len
= strlen(mdname
);
211 if (mdname_len
>= sizeof(ctx
->mdname
)) {
212 ERR_raise_data(ERR_LIB_PROV
, PROV_R_INVALID_DIGEST
,
213 "%s exceeds name buffer length", mdname
);
217 mdprops
= ctx
->propq
;
218 md
= EVP_MD_fetch(ctx
->libctx
, mdname
, mdprops
);
220 ERR_raise_data(ERR_LIB_PROV
, PROV_R_INVALID_DIGEST
,
221 "%s could not be fetched", mdname
);
224 sha1_allowed
= (ctx
->operation
!= EVP_PKEY_OP_SIGN
);
225 md_nid
= ossl_digest_get_approved_nid_with_sha1(md
, sha1_allowed
);
226 if (md_nid
== NID_undef
) {
227 ERR_raise_data(ERR_LIB_PROV
, PROV_R_DIGEST_NOT_ALLOWED
,
228 "digest=%s", mdname
);
233 EVP_MD_CTX_free(ctx
->mdctx
);
234 EVP_MD_free(ctx
->md
);
237 if (WPACKET_init_der(&pkt
, ctx
->aid_buf
, sizeof(ctx
->aid_buf
))
238 && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt
, -1, ctx
->ec
,
240 && WPACKET_finish(&pkt
)) {
241 WPACKET_get_total_written(&pkt
, &ctx
->aid_len
);
242 ctx
->aid
= WPACKET_get_curr(&pkt
);
244 WPACKET_cleanup(&pkt
);
247 ctx
->mdsize
= EVP_MD_size(ctx
->md
);
248 OPENSSL_strlcpy(ctx
->mdname
, mdname
, sizeof(ctx
->mdname
));
253 static int ecdsa_digest_signverify_init(void *vctx
, const char *mdname
,
254 void *ec
, int operation
)
256 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
258 if (!ossl_prov_is_running())
261 ctx
->flag_allow_md
= 0;
262 if (!ecdsa_signverify_init(vctx
, ec
, operation
)
263 || !ecdsa_setup_md(ctx
, mdname
, NULL
))
266 ctx
->mdctx
= EVP_MD_CTX_new();
267 if (ctx
->mdctx
== NULL
)
270 if (!EVP_DigestInit_ex(ctx
->mdctx
, ctx
->md
, NULL
))
274 EVP_MD_CTX_free(ctx
->mdctx
);
275 EVP_MD_free(ctx
->md
);
281 static int ecdsa_digest_sign_init(void *vctx
, const char *mdname
, void *ec
)
283 return ecdsa_digest_signverify_init(vctx
, mdname
, ec
, EVP_PKEY_OP_SIGN
);
286 static int ecdsa_digest_verify_init(void *vctx
, const char *mdname
, void *ec
)
288 return ecdsa_digest_signverify_init(vctx
, mdname
, ec
, EVP_PKEY_OP_VERIFY
);
291 int ecdsa_digest_signverify_update(void *vctx
, const unsigned char *data
,
294 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
296 if (ctx
== NULL
|| ctx
->mdctx
== NULL
)
299 return EVP_DigestUpdate(ctx
->mdctx
, data
, datalen
);
302 int ecdsa_digest_sign_final(void *vctx
, unsigned char *sig
, size_t *siglen
,
305 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
306 unsigned char digest
[EVP_MAX_MD_SIZE
];
307 unsigned int dlen
= 0;
309 if (!ossl_prov_is_running() || ctx
== NULL
|| ctx
->mdctx
== NULL
)
313 * If sig is NULL then we're just finding out the sig size. Other fields
314 * are ignored. Defer to ecdsa_sign.
317 && !EVP_DigestFinal_ex(ctx
->mdctx
, digest
, &dlen
))
319 ctx
->flag_allow_md
= 1;
320 return ecdsa_sign(vctx
, sig
, siglen
, sigsize
, digest
, (size_t)dlen
);
323 int ecdsa_digest_verify_final(void *vctx
, const unsigned char *sig
,
326 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
327 unsigned char digest
[EVP_MAX_MD_SIZE
];
328 unsigned int dlen
= 0;
330 if (!ossl_prov_is_running() || ctx
== NULL
|| ctx
->mdctx
== NULL
)
333 if (!EVP_DigestFinal_ex(ctx
->mdctx
, digest
, &dlen
))
335 ctx
->flag_allow_md
= 1;
336 return ecdsa_verify(ctx
, sig
, siglen
, digest
, (size_t)dlen
);
339 static void ecdsa_freectx(void *vctx
)
341 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
343 OPENSSL_free(ctx
->propq
);
344 EVP_MD_CTX_free(ctx
->mdctx
);
345 EVP_MD_free(ctx
->md
);
350 EC_KEY_free(ctx
->ec
);
351 BN_clear_free(ctx
->kinv
);
352 BN_clear_free(ctx
->r
);
356 static void *ecdsa_dupctx(void *vctx
)
358 PROV_ECDSA_CTX
*srcctx
= (PROV_ECDSA_CTX
*)vctx
;
359 PROV_ECDSA_CTX
*dstctx
;
361 if (!ossl_prov_is_running())
364 dstctx
= OPENSSL_zalloc(sizeof(*srcctx
));
371 dstctx
->mdctx
= NULL
;
372 dstctx
->propq
= NULL
;
374 if (srcctx
->ec
!= NULL
&& !EC_KEY_up_ref(srcctx
->ec
))
376 /* Test KATS should not need to be supported */
377 if (srcctx
->kinv
!= NULL
|| srcctx
->r
!= NULL
)
379 dstctx
->ec
= srcctx
->ec
;
381 if (srcctx
->md
!= NULL
&& !EVP_MD_up_ref(srcctx
->md
))
383 dstctx
->md
= srcctx
->md
;
385 if (srcctx
->mdctx
!= NULL
) {
386 dstctx
->mdctx
= EVP_MD_CTX_new();
387 if (dstctx
->mdctx
== NULL
388 || !EVP_MD_CTX_copy_ex(dstctx
->mdctx
, srcctx
->mdctx
))
392 if (srcctx
->propq
!= NULL
) {
393 dstctx
->propq
= OPENSSL_strdup(srcctx
->propq
);
394 if (dstctx
->propq
== NULL
)
400 ecdsa_freectx(dstctx
);
404 static int ecdsa_get_ctx_params(void *vctx
, OSSL_PARAM
*params
)
406 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
409 if (ctx
== NULL
|| params
== NULL
)
412 p
= OSSL_PARAM_locate(params
, OSSL_SIGNATURE_PARAM_ALGORITHM_ID
);
413 if (p
!= NULL
&& !OSSL_PARAM_set_octet_string(p
, ctx
->aid
, ctx
->aid_len
))
416 p
= OSSL_PARAM_locate(params
, OSSL_SIGNATURE_PARAM_DIGEST_SIZE
);
417 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, ctx
->mdsize
))
420 p
= OSSL_PARAM_locate(params
, OSSL_SIGNATURE_PARAM_DIGEST
);
421 if (p
!= NULL
&& !OSSL_PARAM_set_utf8_string(p
, ctx
->md
== NULL
423 : EVP_MD_name(ctx
->md
)))
429 static const OSSL_PARAM known_gettable_ctx_params
[] = {
430 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID
, NULL
, 0),
431 OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE
, NULL
),
432 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST
, NULL
, 0),
436 static const OSSL_PARAM
*ecdsa_gettable_ctx_params(ossl_unused
void *vctx
,
437 ossl_unused
void *provctx
)
439 return known_gettable_ctx_params
;
442 static int ecdsa_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
444 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
447 if (ctx
== NULL
|| params
== NULL
)
450 #if !defined(OPENSSL_NO_ACVP_TESTS)
451 p
= OSSL_PARAM_locate_const(params
, OSSL_SIGNATURE_PARAM_KAT
);
452 if (p
!= NULL
&& !OSSL_PARAM_get_uint(p
, &ctx
->kattest
))
456 p
= OSSL_PARAM_locate_const(params
, OSSL_SIGNATURE_PARAM_DIGEST
);
457 /* Not allowed during certain operations */
458 if (p
!= NULL
&& !ctx
->flag_allow_md
)
461 char mdname
[OSSL_MAX_NAME_SIZE
] = "", *pmdname
= mdname
;
462 char mdprops
[OSSL_MAX_PROPQUERY_SIZE
] = "", *pmdprops
= mdprops
;
463 const OSSL_PARAM
*propsp
=
464 OSSL_PARAM_locate_const(params
,
465 OSSL_SIGNATURE_PARAM_PROPERTIES
);
467 if (!OSSL_PARAM_get_utf8_string(p
, &pmdname
, sizeof(mdname
)))
470 && !OSSL_PARAM_get_utf8_string(propsp
, &pmdprops
, sizeof(mdprops
)))
472 if (!ecdsa_setup_md(ctx
, mdname
, mdprops
))
476 p
= OSSL_PARAM_locate_const(params
, OSSL_SIGNATURE_PARAM_DIGEST_SIZE
);
478 && (!ctx
->flag_allow_md
479 || !OSSL_PARAM_get_size_t(p
, &ctx
->mdsize
)))
485 static const OSSL_PARAM settable_ctx_params
[] = {
486 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST
, NULL
, 0),
487 OSSL_PARAM_size_t(OSSL_SIGNATURE_PARAM_DIGEST_SIZE
, NULL
),
488 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES
, NULL
, 0),
489 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT
, NULL
),
493 static const OSSL_PARAM settable_ctx_params_no_digest
[] = {
494 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_KAT
, NULL
),
498 static const OSSL_PARAM
*ecdsa_settable_ctx_params(void *vctx
,
499 ossl_unused
void *provctx
)
501 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
503 if (ctx
!= NULL
&& !ctx
->flag_allow_md
)
504 return settable_ctx_params_no_digest
;
505 return settable_ctx_params
;
508 static int ecdsa_get_ctx_md_params(void *vctx
, OSSL_PARAM
*params
)
510 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
512 if (ctx
->mdctx
== NULL
)
515 return EVP_MD_CTX_get_params(ctx
->mdctx
, params
);
518 static const OSSL_PARAM
*ecdsa_gettable_ctx_md_params(void *vctx
)
520 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
525 return EVP_MD_gettable_ctx_params(ctx
->md
);
528 static int ecdsa_set_ctx_md_params(void *vctx
, const OSSL_PARAM params
[])
530 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
532 if (ctx
->mdctx
== NULL
)
535 return EVP_MD_CTX_set_params(ctx
->mdctx
, params
);
538 static const OSSL_PARAM
*ecdsa_settable_ctx_md_params(void *vctx
)
540 PROV_ECDSA_CTX
*ctx
= (PROV_ECDSA_CTX
*)vctx
;
545 return EVP_MD_settable_ctx_params(ctx
->md
);
548 const OSSL_DISPATCH ossl_ecdsa_signature_functions
[] = {
549 { OSSL_FUNC_SIGNATURE_NEWCTX
, (void (*)(void))ecdsa_newctx
},
550 { OSSL_FUNC_SIGNATURE_SIGN_INIT
, (void (*)(void))ecdsa_sign_init
},
551 { OSSL_FUNC_SIGNATURE_SIGN
, (void (*)(void))ecdsa_sign
},
552 { OSSL_FUNC_SIGNATURE_VERIFY_INIT
, (void (*)(void))ecdsa_verify_init
},
553 { OSSL_FUNC_SIGNATURE_VERIFY
, (void (*)(void))ecdsa_verify
},
554 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT
,
555 (void (*)(void))ecdsa_digest_sign_init
},
556 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE
,
557 (void (*)(void))ecdsa_digest_signverify_update
},
558 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL
,
559 (void (*)(void))ecdsa_digest_sign_final
},
560 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT
,
561 (void (*)(void))ecdsa_digest_verify_init
},
562 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE
,
563 (void (*)(void))ecdsa_digest_signverify_update
},
564 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL
,
565 (void (*)(void))ecdsa_digest_verify_final
},
566 { OSSL_FUNC_SIGNATURE_FREECTX
, (void (*)(void))ecdsa_freectx
},
567 { OSSL_FUNC_SIGNATURE_DUPCTX
, (void (*)(void))ecdsa_dupctx
},
568 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS
, (void (*)(void))ecdsa_get_ctx_params
},
569 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS
,
570 (void (*)(void))ecdsa_gettable_ctx_params
},
571 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS
, (void (*)(void))ecdsa_set_ctx_params
},
572 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS
,
573 (void (*)(void))ecdsa_settable_ctx_params
},
574 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS
,
575 (void (*)(void))ecdsa_get_ctx_md_params
},
576 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS
,
577 (void (*)(void))ecdsa_gettable_ctx_md_params
},
578 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS
,
579 (void (*)(void))ecdsa_set_ctx_md_params
},
580 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS
,
581 (void (*)(void))ecdsa_settable_ctx_md_params
},