1 /*
2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include "e_os.h" /* strcasecmp */
17 #include <string.h>
18 #include <openssl/crypto.h>
19 #include <openssl/core_dispatch.h>
20 #include <openssl/core_names.h>
21 #include <openssl/err.h>
22 #include <openssl/rsa.h>
23 #include <openssl/params.h>
24 #include <openssl/evp.h>
25 #include <openssl/proverr.h>
26 #include "internal/cryptlib.h"
27 #include "internal/nelem.h"
28 #include "internal/sizes.h"
29 #include "crypto/rsa.h"
30 #include "prov/providercommon.h"
31 #include "prov/implementations.h"
32 #include "prov/provider_ctx.h"
33 #include "prov/der_rsa.h"
34 #include "prov/securitycheck.h"
35
36 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
37
38 static OSSL_FUNC_signature_newctx_fn rsa_newctx;
39 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
40 static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
41 static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
42 static OSSL_FUNC_signature_sign_fn rsa_sign;
43 static OSSL_FUNC_signature_verify_fn rsa_verify;
44 static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;
45 static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;
46 static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_signverify_update;
47 static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
48 static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
49 static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
50 static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
51 static OSSL_FUNC_signature_freectx_fn rsa_freectx;
52 static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
53 static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
54 static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
55 static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;
56 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;
57 static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;
58 static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;
59 static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;
60 static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;
61
62 static OSSL_ITEM padding_item[] = {
63 { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },
64 { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE },
65 { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 },
66 { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS },
67 { 0, NULL }
68 };
69
70 /*
71 * What's passed as an actual key is defined by the KEYMGMT interface.
72 * We happen to know that our KEYMGMT simply passes RSA structures, so
73 * we use that here too.
74 */
75
76 typedef struct {
77 OSSL_LIB_CTX *libctx;
78 char *propq;
79 RSA *rsa;
80 int operation;
81
82 /*
83 * Flag to determine if the hash function can be changed (1) or not (0)
84 * Because it's dangerous to change during a DigestSign or DigestVerify
85 * operation, this flag is cleared by their Init function, and set again
86 * by their Final function.
87 */
88 unsigned int flag_allow_md : 1;
89 unsigned int mgf1_md_set : 1;
90
91 /* main digest */
92 EVP_MD *md;
93 EVP_MD_CTX *mdctx;
94 int mdnid;
95 char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
96
97 /* RSA padding mode */
98 int pad_mode;
99 /* message digest for MGF1 */
100 EVP_MD *mgf1_md;
101 int mgf1_mdnid;
102 char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
103 /* PSS salt length */
104 int saltlen;
105 /* Minimum salt length or -1 if no PSS parameter restriction */
106 int min_saltlen;
107
108 /* Temp buffer */
109 unsigned char *tbuf;
110
111 } PROV_RSA_CTX;
112
113 /* True if PSS parameters are restricted */
114 #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)
115
rsa_get_md_size(const PROV_RSA_CTX * prsactx)116 static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)
117 {
118 if (prsactx->md != NULL)
119 return EVP_MD_get_size(prsactx->md);
120 return 0;
121 }
122
rsa_check_padding(const PROV_RSA_CTX * prsactx,const char * mdname,const char * mgf1_mdname,int mdnid)123 static int rsa_check_padding(const PROV_RSA_CTX *prsactx,
124 const char *mdname, const char *mgf1_mdname,
125 int mdnid)
126 {
127 switch(prsactx->pad_mode) {
128 case RSA_NO_PADDING:
129 if (mdname != NULL || mdnid != NID_undef) {
130 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
131 return 0;
132 }
133 break;
134 case RSA_X931_PADDING:
135 if (RSA_X931_hash_id(mdnid) == -1) {
136 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);
137 return 0;
138 }
139 break;
140 case RSA_PKCS1_PSS_PADDING:
141 if (rsa_pss_restricted(prsactx))
142 if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname))
143 || (mgf1_mdname != NULL
144 && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) {
145 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
146 return 0;
147 }
148 break;
149 default:
150 break;
151 }
152
153 return 1;
154 }
155
rsa_check_parameters(PROV_RSA_CTX * prsactx,int min_saltlen)156 static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
157 {
158 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
159 int max_saltlen;
160
161 /* See if minimum salt length exceeds maximum possible */
162 max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md);
163 if ((RSA_bits(prsactx->rsa) & 0x7) == 1)
164 max_saltlen--;
165 if (min_saltlen < 0 || min_saltlen > max_saltlen) {
166 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
167 return 0;
168 }
169 prsactx->min_saltlen = min_saltlen;
170 }
171 return 1;
172 }
173
rsa_newctx(void * provctx,const char * propq)174 static void *rsa_newctx(void *provctx, const char *propq)
175 {
176 PROV_RSA_CTX *prsactx = NULL;
177 char *propq_copy = NULL;
178
179 if (!ossl_prov_is_running())
180 return NULL;
181
182 if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL
183 || (propq != NULL
184 && (propq_copy = OPENSSL_strdup(propq)) == NULL)) {
185 OPENSSL_free(prsactx);
186 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
187 return NULL;
188 }
189
190 prsactx->libctx = PROV_LIBCTX_OF(provctx);
191 prsactx->flag_allow_md = 1;
192 prsactx->propq = propq_copy;
193 return prsactx;
194 }
195
rsa_pss_compute_saltlen(PROV_RSA_CTX * ctx)196 static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
197 {
198 int saltlen = ctx->saltlen;
199
200 if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
201 saltlen = EVP_MD_get_size(ctx->md);
202 } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) {
203 saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2;
204 if ((RSA_bits(ctx->rsa) & 0x7) == 1)
205 saltlen--;
206 }
207 if (saltlen < 0) {
208 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
209 return -1;
210 } else if (saltlen < ctx->min_saltlen) {
211 ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL,
212 "minimum salt length: %d, actual salt length: %d",
213 ctx->min_saltlen, saltlen);
214 return -1;
215 }
216 return saltlen;
217 }
218
rsa_generate_signature_aid(PROV_RSA_CTX * ctx,unsigned char * aid_buf,size_t buf_len,size_t * aid_len)219 static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx,
220 unsigned char *aid_buf,
221 size_t buf_len,
222 size_t *aid_len)
223 {
224 WPACKET pkt;
225 unsigned char *aid = NULL;
226 int saltlen;
227 RSA_PSS_PARAMS_30 pss_params;
228 int ret;
229
230 if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) {
231 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
232 return NULL;
233 }
234
235 switch(ctx->pad_mode) {
236 case RSA_PKCS1_PADDING:
237 ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1,
238 ctx->mdnid);
239
240 if (ret > 0) {
241 break;
242 } else if (ret == 0) {
243 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
244 goto cleanup;
245 }
246 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
247 "Algorithm ID generation - md NID: %d",
248 ctx->mdnid);
249 goto cleanup;
250 case RSA_PKCS1_PSS_PADDING:
251 saltlen = rsa_pss_compute_saltlen(ctx);
252 if (saltlen < 0)
253 goto cleanup;
254 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
255 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid)
256 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
257 ctx->mgf1_mdnid)
258 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
259 || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1,
260 RSA_FLAG_TYPE_RSASSAPSS,
261 &pss_params)) {
262 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
263 goto cleanup;
264 }
265 break;
266 default:
267 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
268 "Algorithm ID generation - pad mode: %d",
269 ctx->pad_mode);
270 goto cleanup;
271 }
272 if (WPACKET_finish(&pkt)) {
273 WPACKET_get_total_written(&pkt, aid_len);
274 aid = WPACKET_get_curr(&pkt);
275 }
276 cleanup:
277 WPACKET_cleanup(&pkt);
278 return aid;
279 }
280
rsa_setup_md(PROV_RSA_CTX * ctx,const char * mdname,const char * mdprops)281 static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
282 const char *mdprops)
283 {
284 if (mdprops == NULL)
285 mdprops = ctx->propq;
286
287 if (mdname != NULL) {
288 EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
289 int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
290 int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
291 sha1_allowed);
292 size_t mdname_len = strlen(mdname);
293
294 if (md == NULL
295 || md_nid <= 0
296 || !rsa_check_padding(ctx, mdname, NULL, md_nid)
297 || mdname_len >= sizeof(ctx->mdname)) {
298 if (md == NULL)
299 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
300 "%s could not be fetched", mdname);
301 if (md_nid <= 0)
302 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
303 "digest=%s", mdname);
304 if (mdname_len >= sizeof(ctx->mdname))
305 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
306 "%s exceeds name buffer length", mdname);
307 EVP_MD_free(md);
308 return 0;
309 }
310
311 if (!ctx->flag_allow_md) {
312 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
313 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
314 "digest %s != %s", mdname, ctx->mdname);
315 EVP_MD_free(md);
316 return 0;
317 }
318 EVP_MD_free(md);
319 return 1;
320 }
321
322 if (!ctx->mgf1_md_set) {
323 if (!EVP_MD_up_ref(md)) {
324 EVP_MD_free(md);
325 return 0;
326 }
327 EVP_MD_free(ctx->mgf1_md);
328 ctx->mgf1_md = md;
329 ctx->mgf1_mdnid = md_nid;
330 OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
331 }
332
333 EVP_MD_CTX_free(ctx->mdctx);
334 EVP_MD_free(ctx->md);
335
336 ctx->mdctx = NULL;
337 ctx->md = md;
338 ctx->mdnid = md_nid;
339 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
340 }
341
342 return 1;
343 }
344
rsa_setup_mgf1_md(PROV_RSA_CTX * ctx,const char * mdname,const char * mdprops)345 static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
346 const char *mdprops)
347 {
348 size_t len;
349 EVP_MD *md = NULL;
350 int mdnid;
351
352 if (mdprops == NULL)
353 mdprops = ctx->propq;
354
355 if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) {
356 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
357 "%s could not be fetched", mdname);
358 return 0;
359 }
360 /* The default for mgf1 is SHA1 - so allow SHA1 */
361 if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) <= 0
362 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
363 if (mdnid <= 0)
364 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
365 "digest=%s", mdname);
366 EVP_MD_free(md);
367 return 0;
368 }
369 len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
370 if (len >= sizeof(ctx->mgf1_mdname)) {
371 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
372 "%s exceeds name buffer length", mdname);
373 EVP_MD_free(md);
374 return 0;
375 }
376
377 EVP_MD_free(ctx->mgf1_md);
378 ctx->mgf1_md = md;
379 ctx->mgf1_mdnid = mdnid;
380 ctx->mgf1_md_set = 1;
381 return 1;
382 }
383
rsa_signverify_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[],int operation)384 static int rsa_signverify_init(void *vprsactx, void *vrsa,
385 const OSSL_PARAM params[], int operation)
386 {
387 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
388
389 if (!ossl_prov_is_running())
390 return 0;
391
392 if (prsactx == NULL || vrsa == NULL)
393 return 0;
394
395 if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
396 return 0;
397
398 if (!RSA_up_ref(vrsa))
399 return 0;
400 RSA_free(prsactx->rsa);
401 prsactx->rsa = vrsa;
402 prsactx->operation = operation;
403
404 if (!rsa_set_ctx_params(prsactx, params))
405 return 0;
406
407 /* Maximum for sign, auto for verify */
408 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
409 prsactx->min_saltlen = -1;
410
411 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
412 case RSA_FLAG_TYPE_RSA:
413 prsactx->pad_mode = RSA_PKCS1_PADDING;
414 break;
415 case RSA_FLAG_TYPE_RSASSAPSS:
416 prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;
417
418 {
419 const RSA_PSS_PARAMS_30 *pss =
420 ossl_rsa_get0_pss_params_30(prsactx->rsa);
421
422 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {
423 int md_nid = ossl_rsa_pss_params_30_hashalg(pss);
424 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
425 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss);
426 const char *mdname, *mgf1mdname;
427 size_t len;
428
429 mdname = ossl_rsa_oaeppss_nid2name(md_nid);
430 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid);
431
432 if (mdname == NULL) {
433 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
434 "PSS restrictions lack hash algorithm");
435 return 0;
436 }
437 if (mgf1mdname == NULL) {
438 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
439 "PSS restrictions lack MGF1 hash algorithm");
440 return 0;
441 }
442
443 len = OPENSSL_strlcpy(prsactx->mdname, mdname,
444 sizeof(prsactx->mdname));
445 if (len >= sizeof(prsactx->mdname)) {
446 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
447 "hash algorithm name too long");
448 return 0;
449 }
450 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,
451 sizeof(prsactx->mgf1_mdname));
452 if (len >= sizeof(prsactx->mgf1_mdname)) {
453 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
454 "MGF1 hash algorithm name too long");
455 return 0;
456 }
457 prsactx->saltlen = min_saltlen;
458
459 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */
460 return rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq)
461 && rsa_setup_md(prsactx, mdname, prsactx->propq)
462 && rsa_check_parameters(prsactx, min_saltlen);
463 }
464 }
465
466 break;
467 default:
468 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
469 return 0;
470 }
471
472 return 1;
473 }
474
setup_tbuf(PROV_RSA_CTX * ctx)475 static int setup_tbuf(PROV_RSA_CTX *ctx)
476 {
477 if (ctx->tbuf != NULL)
478 return 1;
479 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) {
480 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
481 return 0;
482 }
483 return 1;
484 }
485
clean_tbuf(PROV_RSA_CTX * ctx)486 static void clean_tbuf(PROV_RSA_CTX *ctx)
487 {
488 if (ctx->tbuf != NULL)
489 OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa));
490 }
491
free_tbuf(PROV_RSA_CTX * ctx)492 static void free_tbuf(PROV_RSA_CTX *ctx)
493 {
494 clean_tbuf(ctx);
495 OPENSSL_free(ctx->tbuf);
496 ctx->tbuf = NULL;
497 }
498
rsa_sign_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])499 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
500 {
501 if (!ossl_prov_is_running())
502 return 0;
503 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_SIGN);
504 }
505
rsa_sign(void * vprsactx,unsigned char * sig,size_t * siglen,size_t sigsize,const unsigned char * tbs,size_t tbslen)506 static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
507 size_t sigsize, const unsigned char *tbs, size_t tbslen)
508 {
509 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
510 int ret;
511 size_t rsasize = RSA_size(prsactx->rsa);
512 size_t mdsize = rsa_get_md_size(prsactx);
513
514 if (!ossl_prov_is_running())
515 return 0;
516
517 if (sig == NULL) {
518 *siglen = rsasize;
519 return 1;
520 }
521
522 if (sigsize < rsasize) {
523 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,
524 "is %zu, should be at least %zu", sigsize, rsasize);
525 return 0;
526 }
527
528 if (mdsize != 0) {
529 if (tbslen != mdsize) {
530 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
531 return 0;
532 }
533
534 #ifndef FIPS_MODULE
535 if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {
536 unsigned int sltmp;
537
538 if (prsactx->pad_mode != RSA_PKCS1_PADDING) {
539 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
540 "only PKCS#1 padding supported with MDC2");
541 return 0;
542 }
543 ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,
544 prsactx->rsa);
545
546 if (ret <= 0) {
547 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
548 return 0;
549 }
550 ret = sltmp;
551 goto end;
552 }
553 #endif
554 switch (prsactx->pad_mode) {
555 case RSA_X931_PADDING:
556 if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {
557 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,
558 "RSA key size = %d, expected minimum = %d",
559 RSA_size(prsactx->rsa), tbslen + 1);
560 return 0;
561 }
562 if (!setup_tbuf(prsactx)) {
563 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
564 return 0;
565 }
566 memcpy(prsactx->tbuf, tbs, tbslen);
567 prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);
568 ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,
569 sig, prsactx->rsa, RSA_X931_PADDING);
570 clean_tbuf(prsactx);
571 break;
572
573 case RSA_PKCS1_PADDING:
574 {
575 unsigned int sltmp;
576
577 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,
578 prsactx->rsa);
579 if (ret <= 0) {
580 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
581 return 0;
582 }
583 ret = sltmp;
584 }
585 break;
586
587 case RSA_PKCS1_PSS_PADDING:
588 /* Check PSS restrictions */
589 if (rsa_pss_restricted(prsactx)) {
590 switch (prsactx->saltlen) {
591 case RSA_PSS_SALTLEN_DIGEST:
592 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
593 ERR_raise_data(ERR_LIB_PROV,
594 PROV_R_PSS_SALTLEN_TOO_SMALL,
595 "minimum salt length set to %d, "
596 "but the digest only gives %d",
597 prsactx->min_saltlen,
598 EVP_MD_get_size(prsactx->md));
599 return 0;
600 }
601 /* FALLTHRU */
602 default:
603 if (prsactx->saltlen >= 0
604 && prsactx->saltlen < prsactx->min_saltlen) {
605 ERR_raise_data(ERR_LIB_PROV,
606 PROV_R_PSS_SALTLEN_TOO_SMALL,
607 "minimum salt length set to %d, but the"
608 "actual salt length is only set to %d",
609 prsactx->min_saltlen,
610 prsactx->saltlen);
611 return 0;
612 }
613 break;
614 }
615 }
616 if (!setup_tbuf(prsactx))
617 return 0;
618 if (!RSA_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
619 prsactx->tbuf, tbs,
620 prsactx->md, prsactx->mgf1_md,
621 prsactx->saltlen)) {
622 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
623 return 0;
624 }
625 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
626 sig, prsactx->rsa, RSA_NO_PADDING);
627 clean_tbuf(prsactx);
628 break;
629
630 default:
631 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
632 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
633 return 0;
634 }
635 } else {
636 ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,
637 prsactx->pad_mode);
638 }
639
640 #ifndef FIPS_MODULE
641 end:
642 #endif
643 if (ret <= 0) {
644 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
645 return 0;
646 }
647
648 *siglen = ret;
649 return 1;
650 }
651
rsa_verify_recover_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])652 static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
653 const OSSL_PARAM params[])
654 {
655 if (!ossl_prov_is_running())
656 return 0;
657 return rsa_signverify_init(vprsactx, vrsa, params,
658 EVP_PKEY_OP_VERIFYRECOVER);
659 }
660
rsa_verify_recover(void * vprsactx,unsigned char * rout,size_t * routlen,size_t routsize,const unsigned char * sig,size_t siglen)661 static int rsa_verify_recover(void *vprsactx,
662 unsigned char *rout,
663 size_t *routlen,
664 size_t routsize,
665 const unsigned char *sig,
666 size_t siglen)
667 {
668 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
669 int ret;
670
671 if (!ossl_prov_is_running())
672 return 0;
673
674 if (rout == NULL) {
675 *routlen = RSA_size(prsactx->rsa);
676 return 1;
677 }
678
679 if (prsactx->md != NULL) {
680 switch (prsactx->pad_mode) {
681 case RSA_X931_PADDING:
682 if (!setup_tbuf(prsactx))
683 return 0;
684 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
685 RSA_X931_PADDING);
686 if (ret < 1) {
687 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
688 return 0;
689 }
690 ret--;
691 if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {
692 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);
693 return 0;
694 }
695 if (ret != EVP_MD_get_size(prsactx->md)) {
696 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
697 "Should be %d, but got %d",
698 EVP_MD_get_size(prsactx->md), ret);
699 return 0;
700 }
701
702 *routlen = ret;
703 if (rout != prsactx->tbuf) {
704 if (routsize < (size_t)ret) {
705 ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
706 "buffer size is %d, should be %d",
707 routsize, ret);
708 return 0;
709 }
710 memcpy(rout, prsactx->tbuf, ret);
711 }
712 break;
713
714 case RSA_PKCS1_PADDING:
715 {
716 size_t sltmp;
717
718 ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,
719 sig, siglen, prsactx->rsa);
720 if (ret <= 0) {
721 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
722 return 0;
723 }
724 ret = sltmp;
725 }
726 break;
727
728 default:
729 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
730 "Only X.931 or PKCS#1 v1.5 padding allowed");
731 return 0;
732 }
733 } else {
734 ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,
735 prsactx->pad_mode);
736 if (ret < 0) {
737 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
738 return 0;
739 }
740 }
741 *routlen = ret;
742 return 1;
743 }
744
rsa_verify_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])745 static int rsa_verify_init(void *vprsactx, void *vrsa,
746 const OSSL_PARAM params[])
747 {
748 if (!ossl_prov_is_running())
749 return 0;
750 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_VERIFY);
751 }
752
rsa_verify(void * vprsactx,const unsigned char * sig,size_t siglen,const unsigned char * tbs,size_t tbslen)753 static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
754 const unsigned char *tbs, size_t tbslen)
755 {
756 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
757 size_t rslen;
758
759 if (!ossl_prov_is_running())
760 return 0;
761 if (prsactx->md != NULL) {
762 switch (prsactx->pad_mode) {
763 case RSA_PKCS1_PADDING:
764 if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,
765 prsactx->rsa)) {
766 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
767 return 0;
768 }
769 return 1;
770 case RSA_X931_PADDING:
771 if (!setup_tbuf(prsactx))
772 return 0;
773 if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,
774 sig, siglen) <= 0)
775 return 0;
776 break;
777 case RSA_PKCS1_PSS_PADDING:
778 {
779 int ret;
780 size_t mdsize;
781
782 /*
783 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1()
784 * call
785 */
786 mdsize = rsa_get_md_size(prsactx);
787 if (tbslen != mdsize) {
788 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
789 "Should be %d, but got %d",
790 mdsize, tbslen);
791 return 0;
792 }
793
794 if (!setup_tbuf(prsactx))
795 return 0;
796 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,
797 prsactx->rsa, RSA_NO_PADDING);
798 if (ret <= 0) {
799 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
800 return 0;
801 }
802 ret = RSA_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
803 prsactx->md, prsactx->mgf1_md,
804 prsactx->tbuf,
805 prsactx->saltlen);
806 if (ret <= 0) {
807 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
808 return 0;
809 }
810 return 1;
811 }
812 default:
813 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
814 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
815 return 0;
816 }
817 } else {
818 if (!setup_tbuf(prsactx))
819 return 0;
820 rslen = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
821 prsactx->pad_mode);
822 if (rslen == 0) {
823 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
824 return 0;
825 }
826 }
827
828 if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))
829 return 0;
830
831 return 1;
832 }
833
rsa_digest_signverify_init(void * vprsactx,const char * mdname,void * vrsa,const OSSL_PARAM params[],int operation)834 static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
835 void *vrsa, const OSSL_PARAM params[],
836 int operation)
837 {
838 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
839
840 if (!ossl_prov_is_running())
841 return 0;
842
843 if (!rsa_signverify_init(vprsactx, vrsa, params, operation))
844 return 0;
845 if (mdname != NULL
846 /* was rsa_setup_md already called in rsa_signverify_init()? */
847 && (mdname[0] == '\0' || strcasecmp(prsactx->mdname, mdname) != 0)
848 && !rsa_setup_md(prsactx, mdname, prsactx->propq))
849 return 0;
850
851 prsactx->flag_allow_md = 0;
852 prsactx->mdctx = EVP_MD_CTX_new();
853 if (prsactx->mdctx == NULL) {
854 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
855 goto error;
856 }
857
858 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
859 goto error;
860
861 return 1;
862
863 error:
864 EVP_MD_CTX_free(prsactx->mdctx);
865 EVP_MD_free(prsactx->md);
866 prsactx->mdctx = NULL;
867 prsactx->md = NULL;
868 return 0;
869 }
870
rsa_digest_signverify_update(void * vprsactx,const unsigned char * data,size_t datalen)871 static int rsa_digest_signverify_update(void *vprsactx,
872 const unsigned char *data,
873 size_t datalen)
874 {
875 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
876
877 if (prsactx == NULL || prsactx->mdctx == NULL)
878 return 0;
879
880 return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
881 }
882
rsa_digest_sign_init(void * vprsactx,const char * mdname,void * vrsa,const OSSL_PARAM params[])883 static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
884 void *vrsa, const OSSL_PARAM params[])
885 {
886 if (!ossl_prov_is_running())
887 return 0;
888 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
889 params, EVP_PKEY_OP_SIGN);
890 }
891
rsa_digest_sign_final(void * vprsactx,unsigned char * sig,size_t * siglen,size_t sigsize)892 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
893 size_t *siglen, size_t sigsize)
894 {
895 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
896 unsigned char digest[EVP_MAX_MD_SIZE];
897 unsigned int dlen = 0;
898
899 if (!ossl_prov_is_running() || prsactx == NULL)
900 return 0;
901 prsactx->flag_allow_md = 1;
902 if (prsactx->mdctx == NULL)
903 return 0;
904 /*
905 * If sig is NULL then we're just finding out the sig size. Other fields
906 * are ignored. Defer to rsa_sign.
907 */
908 if (sig != NULL) {
909 /*
910 * The digests used here are all known (see rsa_get_md_nid()), so they
911 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
912 */
913 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
914 return 0;
915 }
916
917 return rsa_sign(vprsactx, sig, siglen, sigsize, digest, (size_t)dlen);
918 }
919
rsa_digest_verify_init(void * vprsactx,const char * mdname,void * vrsa,const OSSL_PARAM params[])920 static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
921 void *vrsa, const OSSL_PARAM params[])
922 {
923 if (!ossl_prov_is_running())
924 return 0;
925 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
926 params, EVP_PKEY_OP_VERIFY);
927 }
928
rsa_digest_verify_final(void * vprsactx,const unsigned char * sig,size_t siglen)929 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
930 size_t siglen)
931 {
932 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
933 unsigned char digest[EVP_MAX_MD_SIZE];
934 unsigned int dlen = 0;
935
936 if (!ossl_prov_is_running())
937 return 0;
938
939 if (prsactx == NULL)
940 return 0;
941 prsactx->flag_allow_md = 1;
942 if (prsactx->mdctx == NULL)
943 return 0;
944
945 /*
946 * The digests used here are all known (see rsa_get_md_nid()), so they
947 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
948 */
949 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
950 return 0;
951
952 return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
953 }
954
rsa_freectx(void * vprsactx)955 static void rsa_freectx(void *vprsactx)
956 {
957 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
958
959 if (prsactx == NULL)
960 return;
961
962 EVP_MD_CTX_free(prsactx->mdctx);
963 EVP_MD_free(prsactx->md);
964 EVP_MD_free(prsactx->mgf1_md);
965 OPENSSL_free(prsactx->propq);
966 free_tbuf(prsactx);
967 RSA_free(prsactx->rsa);
968
969 OPENSSL_clear_free(prsactx, sizeof(*prsactx));
970 }
971
rsa_dupctx(void * vprsactx)972 static void *rsa_dupctx(void *vprsactx)
973 {
974 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
975 PROV_RSA_CTX *dstctx;
976
977 if (!ossl_prov_is_running())
978 return NULL;
979
980 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
981 if (dstctx == NULL) {
982 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
983 return NULL;
984 }
985
986 *dstctx = *srcctx;
987 dstctx->rsa = NULL;
988 dstctx->md = NULL;
989 dstctx->mdctx = NULL;
990 dstctx->tbuf = NULL;
991 dstctx->propq = NULL;
992
993 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))
994 goto err;
995 dstctx->rsa = srcctx->rsa;
996
997 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
998 goto err;
999 dstctx->md = srcctx->md;
1000
1001 if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))
1002 goto err;
1003 dstctx->mgf1_md = srcctx->mgf1_md;
1004
1005 if (srcctx->mdctx != NULL) {
1006 dstctx->mdctx = EVP_MD_CTX_new();
1007 if (dstctx->mdctx == NULL
1008 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
1009 goto err;
1010 }
1011
1012 if (srcctx->propq != NULL) {
1013 dstctx->propq = OPENSSL_strdup(srcctx->propq);
1014 if (dstctx->propq == NULL)
1015 goto err;
1016 }
1017
1018 return dstctx;
1019 err:
1020 rsa_freectx(dstctx);
1021 return NULL;
1022 }
1023
rsa_get_ctx_params(void * vprsactx,OSSL_PARAM * params)1024 static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
1025 {
1026 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1027 OSSL_PARAM *p;
1028
1029 if (prsactx == NULL)
1030 return 0;
1031
1032 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
1033 if (p != NULL) {
1034 /* The Algorithm Identifier of the combined signature algorithm */
1035 unsigned char aid_buf[128];
1036 unsigned char *aid;
1037 size_t aid_len;
1038
1039 aid = rsa_generate_signature_aid(prsactx, aid_buf,
1040 sizeof(aid_buf), &aid_len);
1041 if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len))
1042 return 0;
1043 }
1044
1045 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1046 if (p != NULL)
1047 switch (p->data_type) {
1048 case OSSL_PARAM_INTEGER:
1049 if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))
1050 return 0;
1051 break;
1052 case OSSL_PARAM_UTF8_STRING:
1053 {
1054 int i;
1055 const char *word = NULL;
1056
1057 for (i = 0; padding_item[i].id != 0; i++) {
1058 if (prsactx->pad_mode == (int)padding_item[i].id) {
1059 word = padding_item[i].ptr;
1060 break;
1061 }
1062 }
1063
1064 if (word != NULL) {
1065 if (!OSSL_PARAM_set_utf8_string(p, word))
1066 return 0;
1067 } else {
1068 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
1069 }
1070 }
1071 break;
1072 default:
1073 return 0;
1074 }
1075
1076 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
1077 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))
1078 return 0;
1079
1080 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1081 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))
1082 return 0;
1083
1084 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1085 if (p != NULL) {
1086 if (p->data_type == OSSL_PARAM_INTEGER) {
1087 if (!OSSL_PARAM_set_int(p, prsactx->saltlen))
1088 return 0;
1089 } else if (p->data_type == OSSL_PARAM_UTF8_STRING) {
1090 const char *value = NULL;
1091
1092 switch (prsactx->saltlen) {
1093 case RSA_PSS_SALTLEN_DIGEST:
1094 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;
1095 break;
1096 case RSA_PSS_SALTLEN_MAX:
1097 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;
1098 break;
1099 case RSA_PSS_SALTLEN_AUTO:
1100 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
1101 break;
1102 default:
1103 {
1104 int len = BIO_snprintf(p->data, p->data_size, "%d",
1105 prsactx->saltlen);
1106
1107 if (len <= 0)
1108 return 0;
1109 p->return_size = len;
1110 break;
1111 }
1112 }
1113 if (value != NULL
1114 && !OSSL_PARAM_set_utf8_string(p, value))
1115 return 0;
1116 }
1117 }
1118
1119 return 1;
1120 }
1121
1122 static const OSSL_PARAM known_gettable_ctx_params[] = {
1123 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
1124 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1125 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1126 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1127 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1128 OSSL_PARAM_END
1129 };
1130
rsa_gettable_ctx_params(ossl_unused void * vprsactx,ossl_unused void * provctx)1131 static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
1132 ossl_unused void *provctx)
1133 {
1134 return known_gettable_ctx_params;
1135 }
1136
rsa_set_ctx_params(void * vprsactx,const OSSL_PARAM params[])1137 static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
1138 {
1139 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1140 const OSSL_PARAM *p;
1141 int pad_mode;
1142 int saltlen;
1143 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL;
1144 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL;
1145 char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;
1146 char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;
1147
1148 if (prsactx == NULL)
1149 return 0;
1150 if (params == NULL)
1151 return 1;
1152
1153 pad_mode = prsactx->pad_mode;
1154 saltlen = prsactx->saltlen;
1155
1156 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
1157 if (p != NULL) {
1158 const OSSL_PARAM *propsp =
1159 OSSL_PARAM_locate_const(params,
1160 OSSL_SIGNATURE_PARAM_PROPERTIES);
1161
1162 pmdname = mdname;
1163 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
1164 return 0;
1165
1166 if (propsp != NULL) {
1167 pmdprops = mdprops;
1168 if (!OSSL_PARAM_get_utf8_string(propsp,
1169 &pmdprops, sizeof(mdprops)))
1170 return 0;
1171 }
1172 }
1173
1174 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1175 if (p != NULL) {
1176 const char *err_extra_text = NULL;
1177
1178 switch (p->data_type) {
1179 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1180 if (!OSSL_PARAM_get_int(p, &pad_mode))
1181 return 0;
1182 break;
1183 case OSSL_PARAM_UTF8_STRING:
1184 {
1185 int i;
1186
1187 if (p->data == NULL)
1188 return 0;
1189
1190 for (i = 0; padding_item[i].id != 0; i++) {
1191 if (strcmp(p->data, padding_item[i].ptr) == 0) {
1192 pad_mode = padding_item[i].id;
1193 break;
1194 }
1195 }
1196 }
1197 break;
1198 default:
1199 return 0;
1200 }
1201
1202 switch (pad_mode) {
1203 case RSA_PKCS1_OAEP_PADDING:
1204 /*
1205 * OAEP padding is for asymmetric cipher only so is not compatible
1206 * with signature use.
1207 */
1208 err_extra_text = "OAEP padding not allowed for signing / verifying";
1209 goto bad_pad;
1210 case RSA_PKCS1_PSS_PADDING:
1211 if ((prsactx->operation
1212 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) == 0) {
1213 err_extra_text =
1214 "PSS padding only allowed for sign and verify operations";
1215 goto bad_pad;
1216 }
1217 break;
1218 case RSA_PKCS1_PADDING:
1219 err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";
1220 goto cont;
1221 case RSA_NO_PADDING:
1222 err_extra_text = "No padding not allowed with RSA-PSS";
1223 goto cont;
1224 case RSA_X931_PADDING:
1225 err_extra_text = "X.931 padding not allowed with RSA-PSS";
1226 cont:
1227 if (RSA_test_flags(prsactx->rsa,
1228 RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
1229 break;
1230 /* FALLTHRU */
1231 default:
1232 bad_pad:
1233 if (err_extra_text == NULL)
1234 ERR_raise(ERR_LIB_PROV,
1235 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
1236 else
1237 ERR_raise_data(ERR_LIB_PROV,
1238 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
1239 err_extra_text);
1240 return 0;
1241 }
1242 }
1243
1244 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1245 if (p != NULL) {
1246 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
1247 ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
1248 "PSS saltlen can only be specified if "
1249 "PSS padding has been specified first");
1250 return 0;
1251 }
1252
1253 switch (p->data_type) {
1254 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1255 if (!OSSL_PARAM_get_int(p, &saltlen))
1256 return 0;
1257 break;
1258 case OSSL_PARAM_UTF8_STRING:
1259 if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)
1260 saltlen = RSA_PSS_SALTLEN_DIGEST;
1261 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)
1262 saltlen = RSA_PSS_SALTLEN_MAX;
1263 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
1264 saltlen = RSA_PSS_SALTLEN_AUTO;
1265 else
1266 saltlen = atoi(p->data);
1267 break;
1268 default:
1269 return 0;
1270 }
1271
1272 /*
1273 * RSA_PSS_SALTLEN_MAX seems curiously named in this check.
1274 * Contrary to what it's name suggests, it's the currently
1275 * lowest saltlen number possible.
1276 */
1277 if (saltlen < RSA_PSS_SALTLEN_MAX) {
1278 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
1279 return 0;
1280 }
1281
1282 if (rsa_pss_restricted(prsactx)) {
1283 switch (saltlen) {
1284 case RSA_PSS_SALTLEN_AUTO:
1285 if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
1286 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
1287 "Cannot use autodetected salt length");
1288 return 0;
1289 }
1290 break;
1291 case RSA_PSS_SALTLEN_DIGEST:
1292 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
1293 ERR_raise_data(ERR_LIB_PROV,
1294 PROV_R_PSS_SALTLEN_TOO_SMALL,
1295 "Should be more than %d, but would be "
1296 "set to match digest size (%d)",
1297 prsactx->min_saltlen,
1298 EVP_MD_get_size(prsactx->md));
1299 return 0;
1300 }
1301 break;
1302 default:
1303 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {
1304 ERR_raise_data(ERR_LIB_PROV,
1305 PROV_R_PSS_SALTLEN_TOO_SMALL,
1306 "Should be more than %d, "
1307 "but would be set to %d",
1308 prsactx->min_saltlen, saltlen);
1309 return 0;
1310 }
1311 }
1312 }
1313 }
1314
1315 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1316 if (p != NULL) {
1317 const OSSL_PARAM *propsp =
1318 OSSL_PARAM_locate_const(params,
1319 OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);
1320
1321 pmgf1mdname = mgf1mdname;
1322 if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname)))
1323 return 0;
1324
1325 if (propsp != NULL) {
1326 pmgf1mdprops = mgf1mdprops;
1327 if (!OSSL_PARAM_get_utf8_string(propsp,
1328 &pmgf1mdprops, sizeof(mgf1mdprops)))
1329 return 0;
1330 }
1331
1332 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
1333 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);
1334 return 0;
1335 }
1336 }
1337
1338 prsactx->saltlen = saltlen;
1339 prsactx->pad_mode = pad_mode;
1340
1341 if (prsactx->md == NULL && pmdname == NULL
1342 && pad_mode == RSA_PKCS1_PSS_PADDING)
1343 pmdname = RSA_DEFAULT_DIGEST_NAME;
1344
1345 if (pmgf1mdname != NULL
1346 && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
1347 return 0;
1348
1349 if (pmdname != NULL) {
1350 if (!rsa_setup_md(prsactx, pmdname, pmdprops))
1351 return 0;
1352 } else {
1353 if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid))
1354 return 0;
1355 }
1356 return 1;
1357 }
1358
1359 static const OSSL_PARAM settable_ctx_params[] = {
1360 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1361 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
1362 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1363 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1364 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1365 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1366 OSSL_PARAM_END
1367 };
1368
1369 static const OSSL_PARAM settable_ctx_params_no_digest[] = {
1370 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1371 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1372 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1373 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1374 OSSL_PARAM_END
1375 };
1376
rsa_settable_ctx_params(void * vprsactx,ossl_unused void * provctx)1377 static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx,
1378 ossl_unused void *provctx)
1379 {
1380 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1381
1382 if (prsactx != NULL && !prsactx->flag_allow_md)
1383 return settable_ctx_params_no_digest;
1384 return settable_ctx_params;
1385 }
1386
rsa_get_ctx_md_params(void * vprsactx,OSSL_PARAM * params)1387 static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)
1388 {
1389 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1390
1391 if (prsactx->mdctx == NULL)
1392 return 0;
1393
1394 return EVP_MD_CTX_get_params(prsactx->mdctx, params);
1395 }
1396
rsa_gettable_ctx_md_params(void * vprsactx)1397 static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)
1398 {
1399 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1400
1401 if (prsactx->md == NULL)
1402 return 0;
1403
1404 return EVP_MD_gettable_ctx_params(prsactx->md);
1405 }
1406
rsa_set_ctx_md_params(void * vprsactx,const OSSL_PARAM params[])1407 static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])
1408 {
1409 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1410
1411 if (prsactx->mdctx == NULL)
1412 return 0;
1413
1414 return EVP_MD_CTX_set_params(prsactx->mdctx, params);
1415 }
1416
rsa_settable_ctx_md_params(void * vprsactx)1417 static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
1418 {
1419 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1420
1421 if (prsactx->md == NULL)
1422 return 0;
1423
1424 return EVP_MD_settable_ctx_params(prsactx->md);
1425 }
1426
1427 const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
1428 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
1429 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
1430 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },
1431 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },
1432 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },
1433 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,
1434 (void (*)(void))rsa_verify_recover_init },
1435 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,
1436 (void (*)(void))rsa_verify_recover },
1437 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
1438 (void (*)(void))rsa_digest_sign_init },
1439 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
1440 (void (*)(void))rsa_digest_signverify_update },
1441 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
1442 (void (*)(void))rsa_digest_sign_final },
1443 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
1444 (void (*)(void))rsa_digest_verify_init },
1445 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
1446 (void (*)(void))rsa_digest_signverify_update },
1447 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
1448 (void (*)(void))rsa_digest_verify_final },
1449 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },
1450 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },
1451 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },
1452 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
1453 (void (*)(void))rsa_gettable_ctx_params },
1454 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },
1455 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
1456 (void (*)(void))rsa_settable_ctx_params },
1457 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
1458 (void (*)(void))rsa_get_ctx_md_params },
1459 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
1460 (void (*)(void))rsa_gettable_ctx_md_params },
1461 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
1462 (void (*)(void))rsa_set_ctx_md_params },
1463 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
1464 (void (*)(void))rsa_settable_ctx_md_params },
1465 { 0, NULL }
1466 };
1467