#include "prov/der_rsa.h"
static OSSL_OP_signature_newctx_fn rsa_newctx;
-static OSSL_OP_signature_sign_init_fn rsa_signature_init;
-static OSSL_OP_signature_verify_init_fn rsa_signature_init;
-static OSSL_OP_signature_verify_recover_init_fn rsa_signature_init;
+static OSSL_OP_signature_sign_init_fn rsa_sign_init;
+static OSSL_OP_signature_verify_init_fn rsa_verify_init;
+static OSSL_OP_signature_verify_recover_init_fn rsa_verify_recover_init;
static OSSL_OP_signature_sign_fn rsa_sign;
static OSSL_OP_signature_verify_fn rsa_verify;
static OSSL_OP_signature_verify_recover_fn rsa_verify_recover;
-static OSSL_OP_signature_digest_sign_init_fn rsa_digest_signverify_init;
+static OSSL_OP_signature_digest_sign_init_fn rsa_digest_sign_init;
static OSSL_OP_signature_digest_sign_update_fn rsa_digest_signverify_update;
static OSSL_OP_signature_digest_sign_final_fn rsa_digest_sign_final;
-static OSSL_OP_signature_digest_verify_init_fn rsa_digest_signverify_init;
+static OSSL_OP_signature_digest_verify_init_fn rsa_digest_verify_init;
static OSSL_OP_signature_digest_verify_update_fn rsa_digest_signverify_update;
static OSSL_OP_signature_digest_verify_final_fn rsa_digest_verify_final;
static OSSL_OP_signature_freectx_fn rsa_freectx;
typedef struct {
OPENSSL_CTX *libctx;
RSA *rsa;
+ int operation;
/*
* Flag to determine if the hash function can be changed (1) or not (0)
/* True if PSS parameters are restricted */
#define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)
-static int rsa_signature_init(void *vprsactx, void *vrsa)
+static int rsa_signature_init(void *vprsactx, void *vrsa, int operation)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
RSA_free(prsactx->rsa);
prsactx->rsa = vrsa;
+ prsactx->operation = operation;
if (RSA_get0_pss_params(prsactx->rsa) != NULL)
prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;
else
ctx->tbuf = NULL;
}
+static int rsa_sign_init(void *vprsactx, void *vrsa)
+{
+ return rsa_signature_init(vprsactx, vrsa, EVP_PKEY_OP_SIGN);
+}
+
static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
size_t sigsize, const unsigned char *tbs, size_t tbslen)
{
return 1;
}
+static int rsa_verify_recover_init(void *vprsactx, void *vrsa)
+{
+ return rsa_signature_init(vprsactx, vrsa, EVP_PKEY_OP_VERIFYRECOVER);
+}
+
static int rsa_verify_recover(void *vprsactx,
unsigned char *rout,
size_t *routlen,
return 1;
}
+static int rsa_verify_init(void *vprsactx, void *vrsa)
+{
+ return rsa_signature_init(vprsactx, vrsa, EVP_PKEY_OP_VERIFY);
+}
+
static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
const unsigned char *tbs, size_t tbslen)
{
int ret;
size_t mdsize;
- /* Check PSS restrictions */
- if (rsa_pss_restricted(prsactx)) {
- switch (prsactx->saltlen) {
- case RSA_PSS_SALTLEN_AUTO:
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PSS_SALTLEN);
- return 0;
- case RSA_PSS_SALTLEN_DIGEST:
- if (prsactx->min_saltlen > EVP_MD_size(prsactx->md)) {
- ERR_raise(ERR_LIB_PROV,
- PROV_R_PSS_SALTLEN_TOO_SMALL);
- return 0;
- }
- /* FALLTHRU */
- default:
- if (prsactx->saltlen >= 0
- && prsactx->saltlen < prsactx->min_saltlen) {
- ERR_raise(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL);
- return 0;
- }
- break;
- }
- }
-
/*
* We need to check this for the RSA_verify_PKCS1_PSS_mgf1()
* call
}
static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
- const char *props, void *vrsa)
+ const char *props, void *vrsa,
+ int operation)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
prsactx->flag_allow_md = 0;
- if (!rsa_signature_init(vprsactx, vrsa)
+ if (!rsa_signature_init(vprsactx, vrsa, operation)
|| !rsa_setup_md(prsactx, mdname, props))
return 0;
return 0;
}
-int rsa_digest_signverify_update(void *vprsactx, const unsigned char *data,
- size_t datalen)
+static int rsa_digest_signverify_update(void *vprsactx,
+ const unsigned char *data,
+ size_t datalen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
}
-int rsa_digest_sign_final(void *vprsactx, unsigned char *sig, size_t *siglen,
- size_t sigsize)
+static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
+ const char *props, void *vrsa)
+{
+ return rsa_digest_signverify_init(vprsactx, mdname, props, vrsa,
+ EVP_PKEY_OP_SIGN);
+}
+
+static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
+ size_t *siglen, size_t sigsize)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
unsigned char digest[EVP_MAX_MD_SIZE];
return rsa_sign(vprsactx, sig, siglen, sigsize, digest, (size_t)dlen);
}
+static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
+ const char *props, void *vrsa)
+{
+ return rsa_digest_signverify_init(vprsactx, mdname, props, vrsa,
+ EVP_PKEY_OP_VERIFY);
+}
int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
size_t siglen)
p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
if (p != NULL) {
int pad_mode = 0;
+ const char *err_extra_text = NULL;
switch (p->data_type) {
case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
* OAEP padding is for asymmetric cipher only so is not compatible
* with signature use.
*/
- ERR_raise_data(ERR_LIB_PROV,
- PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
- "OAEP padding not allowed for signing / verifying");
- return 0;
+ err_extra_text = "OAEP padding not allowed for signing / verifying";
+ goto bad_pad;
case RSA_PKCS1_PSS_PADDING:
- if (prsactx->mdname[0] == '\0')
- rsa_setup_md(prsactx, "SHA1", "");
- goto cont;
+ if ((prsactx->operation
+ & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) == 0) {
+ err_extra_text =
+ "PSS padding only allowed for sign and verify operations";
+ goto bad_pad;
+ }
+ if (prsactx->md == NULL
+ && !rsa_setup_md(prsactx, OSSL_DIGEST_NAME_SHA1, NULL)) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+ "%s could not be fetched",
+ OSSL_DIGEST_NAME_SHA1);
+ return 0;
+ }
+ break;
case RSA_PKCS1_PADDING:
+ err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";
+ goto cont;
case RSA_SSLV23_PADDING:
+ err_extra_text = "SSLv3 padding not allowed with RSA-PSS";
+ goto cont;
case RSA_NO_PADDING:
+ err_extra_text = "No padding not allowed with RSA-PSS";
+ goto cont;
case RSA_X931_PADDING:
- if (RSA_get0_pss_params(prsactx->rsa) != NULL) {
- ERR_raise_data(ERR_LIB_PROV,
- PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
- "X.931 padding not allowed with RSA-PSS");
- return 0;
- }
+ err_extra_text = "X.931 padding not allowed with RSA-PSS";
cont:
- if (!rsa_check_padding(prsactx->mdnid, pad_mode))
- return 0;
- break;
+ if (RSA_get0_pss_params(prsactx->rsa) == NULL)
+ break;
+ /* FALLTHRU */
default:
+ bad_pad:
+ if (err_extra_text == NULL)
+ ERR_raise(ERR_LIB_PROV,
+ PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+ else
+ ERR_raise_data(ERR_LIB_PROV,
+ PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
+ err_extra_text);
return 0;
}
+ if (!rsa_check_padding(prsactx->mdnid, pad_mode))
+ return 0;
prsactx->pad_mode = pad_mode;
}
return 0;
}
+ if (rsa_pss_restricted(prsactx)) {
+ switch (prsactx->saltlen) {
+ case RSA_PSS_SALTLEN_AUTO:
+ if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PSS_SALTLEN);
+ return 0;
+ }
+ break;
+ case RSA_PSS_SALTLEN_DIGEST:
+ if (prsactx->min_saltlen > EVP_MD_size(prsactx->md)) {
+ ERR_raise_data(ERR_LIB_PROV,
+ PROV_R_PSS_SALTLEN_TOO_SMALL,
+ "Should be more than %d, but would be "
+ "set to match digest size (%d)",
+ prsactx->min_saltlen,
+ EVP_MD_size(prsactx->md));
+ return 0;
+ }
+ /* FALLTHRU */
+ default:
+ if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {
+ ERR_raise_data(ERR_LIB_PROV,
+ PROV_R_PSS_SALTLEN_TOO_SMALL,
+ "Should be more than %d, "
+ "but would be set to %d",
+ prsactx->min_saltlen, saltlen);
+ return 0;
+ }
+ }
+ }
+
prsactx->saltlen = saltlen;
}
return 0;
}
- /* TODO(3.0) PSS check needs more work */
if (rsa_pss_restricted(prsactx)) {
- /* TODO(3.0) figure out what to do for prsactx->md == NULL */
+ /* TODO(3.0) figure out what to do for prsactx->mgf1_md == NULL */
if (prsactx->mgf1_md == NULL
|| EVP_MD_is_a(prsactx->mgf1_md, mdname))
return 1;
const OSSL_DISPATCH rsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
- { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_signature_init },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },
- { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_signature_init },
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },
{ OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },
- { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, (void (*)(void))rsa_signature_init },
- { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, (void (*)(void))rsa_verify_recover },
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,
+ (void (*)(void))rsa_verify_recover_init },
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,
+ (void (*)(void))rsa_verify_recover },
{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
- (void (*)(void))rsa_digest_signverify_init },
+ (void (*)(void))rsa_digest_sign_init },
{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
(void (*)(void))rsa_digest_signverify_update },
{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
(void (*)(void))rsa_digest_sign_final },
{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
- (void (*)(void))rsa_digest_signverify_init },
+ (void (*)(void))rsa_digest_verify_init },
{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
(void (*)(void))rsa_digest_signverify_update },
{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,