zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactor OpenSSL 'RSA' EVP_SIGNATURE to also include RSA+hash composites

Browse Source 
(in the code, "sigalg" is used to refer to these composite algorithms,
which is a nod to libcrypto and libssl, where that term is commonly used
for composite algorithms)

To make this implementation possible, wrappers were added around the hash
function itself, allowing the use of existing hash implementations through
their respective OSSL_DISPATCH tables, but also retaining the dynamic fetch
of hash implementations when the digest_sign / digest_verify functionality
is used.  This wrapper allows implementing the RSA+hash composites through
simple initializer function and a custom OSSL_DISPATCH table for each.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23416)
This commit is contained in:
Richard Levitte 2024-07-06 16:26:39 +02:00
parent e675aabb87
commit 572a8371ab
10 changed files with 668 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
crypto/err/openssl.txt
View File

@ -1049,6 +1049,7 @@ PROV_R_FAILED_TO_GENERATE_KEY:121:failed to generate key
PROV_R_FAILED_TO_GET_PARAMETER:103:failed to get parameter
PROV_R_FAILED_TO_SET_PARAMETER:104:failed to set parameter
PROV_R_FAILED_TO_SIGN:175:failed to sign
PROV_R_FINAL_CALL_OUT_OF_ORDER:237:final call out of order
PROV_R_FIPS_MODULE_CONDITIONAL_ERROR:227:fips module conditional error
PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE:224:fips module entering error state
PROV_R_FIPS_MODULE_IN_ERROR_STATE:225:fips module in error state
@ -1056,6 +1057,7 @@ PROV_R_GENERATE_ERROR:191:generate error
PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\
illegal or unsupported padding mode
PROV_R_INDICATOR_INTEGRITY_FAILURE:210:indicator integrity failure
PROV_R_INIT_CALL_OUT_OF_ORDER:238:init call out of order
PROV_R_INSUFFICIENT_DRBG_STRENGTH:181:insufficient drbg strength
PROV_R_INVALID_AAD:108:invalid aad
PROV_R_INVALID_AEAD:231:invalid aead
@ -1118,6 +1120,7 @@ PROV_R_NOT_SUPPORTED:136:not supported
PROV_R_NOT_XOF_OR_INVALID_LENGTH:113:not xof or invalid length
PROV_R_NO_KEY_SET:114:no key set
PROV_R_NO_PARAMETERS_SET:177:no parameters set
PROV_R_ONESHOT_CALL_OUT_OF_ORDER:239:oneshot call out of order
PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:178:\
operation not supported for this keytype
PROV_R_OUTPUT_BUFFER_TOO_SMALL:106:output buffer too small
@ -1152,6 +1155,7 @@ PROV_R_UNSUPPORTED_CEK_ALG:145:unsupported cek alg
PROV_R_UNSUPPORTED_KEY_SIZE:153:unsupported key size
PROV_R_UNSUPPORTED_MAC_TYPE:137:unsupported mac type
PROV_R_UNSUPPORTED_NUMBER_OF_ROUNDS:152:unsupported number of rounds
PROV_R_UPDATE_CALL_OUT_OF_ORDER:240:update call out of order
PROV_R_URI_AUTHORITY_UNSUPPORTED:223:uri authority unsupported
PROV_R_VALUE_ERROR:138:value error
PROV_R_WRONG_FINAL_BLOCK_LENGTH:107:wrong final block length

40
doc/man7/EVP_SIGNATURE-RSA.pod
View File

@ -10,6 +10,43 @@ EVP_SIGNATURE-RSA
Support for computing RSA signatures.
See L<EVP_PKEY-RSA(7)> for information related to RSA keys.
=head2 Algorithm Names
In this list, names are grouped together to signify that they are the same
algorithm having multiple names. This also includes the OID in canonical
decimal form (which means that they are possible to fetch if the caller has a
mere OID which came out in this form after a call to L<OBJ_obj2txt(3)>).
=over 4
=item "RSA", "rsaEncryption", "1.2.840.113549.1.1.1"
The base signature algorithm, supported explicitly fetched with
L<EVP_PKEY_sign_init_ex2(3)>, and implicitly fetched (through
L<RSA keys|EVP_PKEY-RSA(7)>) with L<EVP_DigestSignInit(3)> and
L<EVP_DigestVerifyInit(3)>.
Can't be used with L<EVP_PKEY_sign_message_init(3)>
=item "RSA-RIPEMD160", "ripemd160WithRSA", "1.3.36.3.3.1.2"
=item "RSA-SHA2-256", "RSA-SHA256", "sha256WithRSAEncryption", "1.2.840.113549.1.1.11"
=item "RSA-SHA2-384", "RSA-SHA384", "sha384WithRSAEncryption", "1.2.840.113549.1.1.12"
=item "RSA-SHA2-512", "RSA-SHA512", "sha512WithRSAEncryption", "1.2.840.113549.1.1.13"
=item "RSA-SHA2-224", "RSA-SHA224", "sha224WithRSAEncryption", "1.2.840.113549.1.1.14"
=item "RSA-SHA2-512/224", "RSA-SHA512-224", "sha512-224WithRSAEncryption", "1.2.840.113549.1.1.15"
=item "RSA-SHA2-512/256", "RSA-SHA512-256", "sha512-256WithRSAEncryption", "1.2.840.113549.1.1.16"
=item "RSA-SHA3-224", "id-rsassa-pkcs1-v1_5-with-sha3-224", "2.16.840.1.101.3.4.3.13"
=item "RSA-SHA3-256", "id-rsassa-pkcs1-v1_5-with-sha3-256", "2.16.840.1.101.3.4.3.14"
=item "RSA-SHA3-384", "id-rsassa-pkcs1-v1_5-with-sha3-384", "2.16.840.1.101.3.4.3.15"
=item "RSA-SHA3-512", "id-rsassa-pkcs1-v1_5-with-sha3-512", "2.16.840.1.101.3.4.3.16"
=item "RSA-SM3", "sm3WithRSAEncryption", "1.2.156.10197.1.504"
PKCS#1 v1.5 RSA signature schemes with diverse message digest algorithm. They
are all supported explicitly fetched with L<EVP_PKEY_sign_init_ex2(3)> and
L<EVP_PKEY_sign_message_init(3)>.
=back
=head2 Signature Parameters
The following signature parameters can be set using EVP_PKEY_CTX_set_params().
@ -23,6 +60,9 @@ using EVP_PKEY_sign_init_ex() or EVP_PKEY_verify_init_ex().
=item "properties" (B<OSSL_SIGNATURE_PARAM_PROPERTIES>) <UTF8 string>
These are not supported with the RSA signature schemes that already include a
message digest algorithm, See L</Algorithm Names> above.
=item "key-check" (B<OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK>) <integer>
=item "digest-check" (B<OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK>) <integer>

4
include/openssl/proverr.h
View File

@ -45,12 +45,14 @@
# define PROV_R_FAILED_TO_GET_PARAMETER 103
# define PROV_R_FAILED_TO_SET_PARAMETER 104
# define PROV_R_FAILED_TO_SIGN 175
# define PROV_R_FINAL_CALL_OUT_OF_ORDER 237
# define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227
# define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224
# define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225
# define PROV_R_GENERATE_ERROR 191
# define PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 165
# define PROV_R_INDICATOR_INTEGRITY_FAILURE 210
# define PROV_R_INIT_CALL_OUT_OF_ORDER 238
# define PROV_R_INSUFFICIENT_DRBG_STRENGTH 181
# define PROV_R_INVALID_AAD 108
# define PROV_R_INVALID_AEAD 231
@ -113,6 +115,7 @@
# define PROV_R_NOT_XOF_OR_INVALID_LENGTH 113
# define PROV_R_NO_KEY_SET 114
# define PROV_R_NO_PARAMETERS_SET 177
# define PROV_R_ONESHOT_CALL_OUT_OF_ORDER 239
# define PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 178
# define PROV_R_OUTPUT_BUFFER_TOO_SMALL 106
# define PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS 228
@ -143,6 +146,7 @@
# define PROV_R_UNSUPPORTED_KEY_SIZE 153
# define PROV_R_UNSUPPORTED_MAC_TYPE 137
# define PROV_R_UNSUPPORTED_NUMBER_OF_ROUNDS 152
# define PROV_R_UPDATE_CALL_OUT_OF_ORDER 240
# define PROV_R_URI_AUTHORITY_UNSUPPORTED 223
# define PROV_R_VALUE_ERROR 138
# define PROV_R_WRONG_FINAL_BLOCK_LENGTH 107

8
providers/common/provider_err.c
View File

@ -55,6 +55,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
"failed to set parameter"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FINAL_CALL_OUT_OF_ORDER),
"final call out of order"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR),
"fips module conditional error"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
@ -66,6 +68,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
"illegal or unsupported padding mode"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INDICATOR_INTEGRITY_FAILURE),
"indicator integrity failure"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INIT_CALL_OUT_OF_ORDER),
"init call out of order"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INSUFFICIENT_DRBG_STRENGTH),
"insufficient drbg strength"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_AAD), "invalid aad"},
@ -154,6 +158,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
"not xof or invalid length"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_NO_KEY_SET), "no key set"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_NO_PARAMETERS_SET), "no parameters set"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ONESHOT_CALL_OUT_OF_ORDER),
"oneshot call out of order"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
"operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_OUTPUT_BUFFER_TOO_SMALL),
@ -209,6 +215,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
"unsupported mac type"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNSUPPORTED_NUMBER_OF_ROUNDS),
"unsupported number of rounds"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UPDATE_CALL_OUT_OF_ORDER),
"update call out of order"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_URI_AUTHORITY_UNSUPPORTED),
"uri authority unsupported"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_VALUE_ERROR), "value error"},

2
providers/common/securitycheck.c
View File

@ -27,9 +27,11 @@ int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
switch (operation) {
case EVP_PKEY_OP_SIGN:
case EVP_PKEY_OP_SIGNMSG:
protect = 1;
/* fallthrough */
case EVP_PKEY_OP_VERIFY:
case EVP_PKEY_OP_VERIFYMSG:
break;
case EVP_PKEY_OP_ENCAPSULATE:
case EVP_PKEY_OP_ENCRYPT:

17
providers/defltprov.c
View File

@ -399,6 +399,23 @@ static const OSSL_ALGORITHM deflt_signature[] = {
{ PROV_NAMES_DSA, "provider=default", ossl_dsa_signature_functions },
#endif
{ PROV_NAMES_RSA, "provider=default", ossl_rsa_signature_functions },
#if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE)
{ PROV_NAMES_RSA_RIPEMD160, "provider=default", ossl_rsa_ripemd160_signature_functions },
#endif
{ PROV_NAMES_RSA_SHA1, "provider=default", ossl_rsa_sha1_signature_functions },
{ PROV_NAMES_RSA_SHA224, "provider=default", ossl_rsa_sha224_signature_functions },
{ PROV_NAMES_RSA_SHA256, "provider=default", ossl_rsa_sha256_signature_functions },
{ PROV_NAMES_RSA_SHA384, "provider=default", ossl_rsa_sha384_signature_functions },
{ PROV_NAMES_RSA_SHA512, "provider=default", ossl_rsa_sha512_signature_functions },
{ PROV_NAMES_RSA_SHA512_224, "provider=default", ossl_rsa_sha512_224_signature_functions },
{ PROV_NAMES_RSA_SHA512_256, "provider=default", ossl_rsa_sha512_256_signature_functions },
{ PROV_NAMES_RSA_SHA3_224, "provider=default", ossl_rsa_sha3_224_signature_functions },
{ PROV_NAMES_RSA_SHA3_256, "provider=default", ossl_rsa_sha3_256_signature_functions },
{ PROV_NAMES_RSA_SHA3_384, "provider=default", ossl_rsa_sha3_384_signature_functions },
{ PROV_NAMES_RSA_SHA3_512, "provider=default", ossl_rsa_sha3_512_signature_functions },
#ifndef OPENSSL_NO_SM3
{ PROV_NAMES_RSA_SM3, "provider=default", ossl_rsa_sm3_signature_functions },
#endif
#ifndef OPENSSL_NO_EC
# ifndef OPENSSL_NO_ECX
{ PROV_NAMES_ED25519, "provider=default", ossl_ed25519_signature_functions },

22
providers/fips/fipsprov.c
View File

@ -581,6 +581,28 @@ static const OSSL_ALGORITHM fips_signature[] = {
{ PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
{ PROV_NAMES_RSA_SHA1, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha1_signature_functions },
{ PROV_NAMES_RSA_SHA224, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha224_signature_functions },
{ PROV_NAMES_RSA_SHA256, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha256_signature_functions },
{ PROV_NAMES_RSA_SHA384, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha384_signature_functions },
{ PROV_NAMES_RSA_SHA512, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha512_signature_functions },
{ PROV_NAMES_RSA_SHA512_224, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha512_224_signature_functions },
{ PROV_NAMES_RSA_SHA512_256, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha512_256_signature_functions },
{ PROV_NAMES_RSA_SHA3_224, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha3_224_signature_functions },
{ PROV_NAMES_RSA_SHA3_256, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha3_256_signature_functions },
{ PROV_NAMES_RSA_SHA3_384, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha3_384_signature_functions },
{ PROV_NAMES_RSA_SHA3_512, FIPS_DEFAULT_PROPERTIES,
ossl_rsa_sha3_512_signature_functions },
#ifndef OPENSSL_NO_EC
# ifndef OPENSSL_NO_ECX
{ PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES,

20
providers/implementations/include/prov/implementations.h
View File

@ -328,6 +328,26 @@ extern const OSSL_DISPATCH ossl_kdf_scrypt_keyexch_functions[];
/* Signature */
extern const OSSL_DISPATCH ossl_dsa_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_signature_functions[];
#ifndef OPENSSL_NO_MD5
extern const OSSL_DISPATCH ossl_rsa_md5_signature_functions[];
#endif
#ifndef OPENSSL_NO_RMD160
extern const OSSL_DISPATCH ossl_rsa_ripemd160_signature_functions[];
#endif
extern const OSSL_DISPATCH ossl_rsa_sha1_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha224_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha256_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha384_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha512_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha512_224_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha512_256_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha3_224_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha3_256_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha3_384_signature_functions[];
extern const OSSL_DISPATCH ossl_rsa_sha3_512_signature_functions[];
#ifndef OPENSSL_NO_SM3
extern const OSSL_DISPATCH ossl_rsa_sm3_signature_functions[];
#endif
extern const OSSL_DISPATCH ossl_ed25519_signature_functions[];
extern const OSSL_DISPATCH ossl_ed448_signature_functions[];
extern const OSSL_DISPATCH ossl_ecdsa_signature_functions[];

16
providers/implementations/include/prov/names.h
View File

@ -338,6 +338,22 @@
#define PROV_NAMES_DSA "DSA:dsaEncryption:1.2.840.10040.4.1"
#define PROV_DESCS_DSA "OpenSSL DSA implementation"
#define PROV_NAMES_RSA "RSA:rsaEncryption:1.2.840.113549.1.1.1"
#define PROV_NAMES_RSA_MD2 "RSA-MD2:md2WithRSAEncryption:1.2.840.113549.1.1.2"
#define PROV_NAMES_RSA_MD4 "RSA-MD4:md4WithEncryption:1.2.840.113549.1.1.3"
#define PROV_NAMES_RSA_MD5 "RSA-MD5:md5WithRSAEncryption:1.2.840.113549.1.1.4"
#define PROV_NAMES_RSA_RIPEMD160 "RSA-RIPEMD160:ripemd160WithRSA:1.3.36.3.3.1.2"
#define PROV_NAMES_RSA_SHA1 "RSA-SHA1:RSA-SHA-1:sha1WithRSAEncryption:1.2.840.113549.1.1.5"
#define PROV_NAMES_RSA_SHA256 "RSA-SHA2-256:RSA-SHA256:sha256WithRSAEncryption:1.2.840.113549.1.1.11"
#define PROV_NAMES_RSA_SHA384 "RSA-SHA2-384:RSA-SHA384:sha384WithRSAEncryption:1.2.840.113549.1.1.12"
#define PROV_NAMES_RSA_SHA512 "RSA-SHA2-512:RSA-SHA512:sha512WithRSAEncryption:1.2.840.113549.1.1.13"
#define PROV_NAMES_RSA_SHA224 "RSA-SHA2-224:RSA-SHA224:sha224WithRSAEncryption:1.2.840.113549.1.1.14"
#define PROV_NAMES_RSA_SHA512_224 "RSA-SHA2-512/224:RSA-SHA512-224:sha512-224WithRSAEncryption:1.2.840.113549.1.1.15"
#define PROV_NAMES_RSA_SHA512_256 "RSA-SHA2-512/256:RSA-SHA512-256:sha512-256WithRSAEncryption:1.2.840.113549.1.1.16"
#define PROV_NAMES_RSA_SM3 "RSA-SM3:sm3WithRSAEncryption:1.2.156.10197.1.504"
#define PROV_NAMES_RSA_SHA3_224 "RSA-SHA3-224:id-rsassa-pkcs1-v1_5-with-sha3-224:2.16.840.1.101.3.4.3.13"
#define PROV_NAMES_RSA_SHA3_256 "RSA-SHA3-256:id-rsassa-pkcs1-v1_5-with-sha3-256:2.16.840.1.101.3.4.3.14"
#define PROV_NAMES_RSA_SHA3_384 "RSA-SHA3-384:id-rsassa-pkcs1-v1_5-with-sha3-384:2.16.840.1.101.3.4.3.15"
#define PROV_NAMES_RSA_SHA3_512 "RSA-SHA3-512:id-rsassa-pkcs1-v1_5-with-sha3-512:2.16.840.1.101.3.4.3.16"
#define PROV_DESCS_RSA "OpenSSL RSA implementation"
#define PROV_NAMES_RSA_PSS "RSA-PSS:RSASSA-PSS:1.2.840.113549.1.1.10"
#define PROV_DESCS_RSA_PSS "OpenSSL RSA-PSS implementation"

610
providers/implementations/signature/rsa_sig.c
View File

@ -18,6 +18,7 @@
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/rsa.h>
#include <openssl/params.h>
#include <openssl/evp.h>
@ -40,16 +41,21 @@ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
static OSSL_FUNC_signature_sign_fn rsa_sign;
static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update;
static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final;
static OSSL_FUNC_signature_verify_fn rsa_verify;
static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;
static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update;
static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final;
static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;
static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update;
static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update;
static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
static OSSL_FUNC_signature_freectx_fn rsa_freectx;
static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;
@ -58,6 +64,8 @@ static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;
static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;
static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;
static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;
static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;
static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;
static OSSL_ITEM padding_item[] = {
{ RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },
@ -79,14 +87,40 @@ typedef struct {
RSA *rsa;
int operation;
/*
* Flag to determine if a full sigalg is run (1) or if a composable
* signature algorithm is run (0).
*
* When a full sigalg is run (1), this currently affects the following
* other flags, which are to remain untouched after their initialization:
*
* - flag_allow_md (initialized to 0)
*/
unsigned int flag_sigalg : 1;
/*
* Flag to determine if the hash function can be changed (1) or not (0)
* Because it's dangerous to change during a DigestSign or DigestVerify
* operation, this flag is cleared by their Init function, and set again
* by their Final function.
* Implementations of full sigalgs (such as RSA-SHA256) hard-code this
* flag to not allow changes (0).
*/
unsigned int flag_allow_md : 1;
unsigned int mgf1_md_set : 1;
/*
* Flags to say what are the possible next external calls in what
* consitutes the life cycle of an algorithm. The relevant calls are:
* - init
* - update
* - final
* - oneshot
* All other external calls are regarded as utilitarian and are allowed
* at any time (they may be affected by other flags, like flag_allow_md,
* though).
*/
unsigned int flag_allow_update : 1;
unsigned int flag_allow_final : 1;
unsigned int flag_allow_oneshot : 1;
/* main digest */
EVP_MD *md;
@ -105,10 +139,14 @@ typedef struct {
/* Minimum salt length or -1 if no PSS parameter restriction */
int min_saltlen;
/* Signature, for verification */
unsigned char *sig;
size_t siglen;
/* Temp buffer */
unsigned char *tbuf;
OSSL_FIPS_IND_DECLARE
OSSL_FIPS_IND_DECLARE
} PROV_RSA_CTX;
/* True if PSS parameters are restricted */
@ -355,7 +393,9 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
}
#ifdef FIPS_MODULE
{
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
int sha1_allowed
= ((ctx->operation
& (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
@ -369,8 +409,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
if (!rsa_check_padding(ctx, mdname, NULL, md_nid))
goto err;
if (mdname_len >= sizeof(ctx->mdname)) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
"%s exceeds name buffer length", mdname);
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
"%s exceeds name buffer length", mdname);
goto err;
}
@ -448,9 +488,11 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
return 1;
}
static int rsa_signverify_init(void *vprsactx, void *vrsa,
const OSSL_PARAM params[], int operation,
const char *desc)
static int
rsa_signverify_init(void *vprsactx, void *vrsa,
OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
const OSSL_PARAM params[], int operation,
const char *desc)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int protect;
@ -473,6 +515,9 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
return 0;
prsactx->operation = operation;
prsactx->flag_allow_update = 1;
prsactx->flag_allow_final = 1;
prsactx->flag_allow_oneshot = 1;
/* Maximize up to digest length for sign, auto for verify */
prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
@ -541,7 +586,7 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
}
OSSL_FIPS_IND_SET_APPROVED(prsactx)
if (!rsa_set_ctx_params(prsactx, params))
if (!set_ctx_params(prsactx, params))
return 0;
#ifdef FIPS_MODULE
if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),
@ -604,12 +649,17 @@ static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
{
if (!ossl_prov_is_running())
return 0;
return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_SIGN,
"RSA Sign Init");
return rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
EVP_PKEY_OP_SIGN, "RSA Sign Init");
}
static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
size_t sigsize, const unsigned char *tbs, size_t tbslen)
/*
* Sign tbs without digesting it first. This is suitable for "primitive"
* signing and signing the digest of a message, i.e. should be used with
* implementations of the keytype related algorithms.
*/
static int rsa_sign_directly(void *vprsactx, unsigned char *sig, size_t *siglen,
size_t sigsize, const unsigned char *tbs, size_t tbslen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
@ -762,21 +812,107 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
return 1;
}
static int rsa_signverify_message_update(void *vprsactx,
const unsigned char *data,
size_t datalen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
if (prsactx == NULL || prsactx->mdctx == NULL)
return 0;
if (!prsactx->flag_allow_update) {
ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER);
return 0;
}
prsactx->flag_allow_oneshot = 0;
return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
}
static int rsa_sign_message_final(void *vprsactx, unsigned char *sig,
size_t *siglen, size_t sigsize)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
if (!ossl_prov_is_running() || prsactx == NULL)
return 0;
if (prsactx->mdctx == NULL)
return 0;
if (!prsactx->flag_allow_final) {
ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
return 0;
}
/*
* If sig is NULL then we're just finding out the sig size. Other fields
* are ignored. Defer to rsa_sign.
*/
if (sig != NULL) {
/*
* The digests used here are all known (see rsa_get_md_nid()), so they
* should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
*/
if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
return 0;
prsactx->flag_allow_update = 0;
prsactx->flag_allow_oneshot = 0;
prsactx->flag_allow_final = 0;
}
return rsa_sign_directly(vprsactx, sig, siglen, sigsize, digest, dlen);
}
/*
* If signing a message, digest tbs and sign the result.
* Otherwise, sign tbs directly.
*/
static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
size_t sigsize, const unsigned char *tbs, size_t tbslen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
if (!ossl_prov_is_running() || prsactx == NULL)
return 0;
if (!prsactx->flag_allow_oneshot) {
ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);
return 0;
}
if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) {
/*
* If |sig| is NULL, the caller is only looking for the sig length.
* DO NOT update the input in this case.
*/
if (sig == NULL)
return rsa_sign_message_final(prsactx, sig, siglen, sigsize);
return rsa_signverify_message_update(prsactx, tbs, tbslen)
&& rsa_sign_message_final(prsactx, sig, siglen, sigsize);
}
return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen);
}
static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
const OSSL_PARAM params[])
{
if (!ossl_prov_is_running())
return 0;
return rsa_signverify_init(vprsactx, vrsa, params,
return rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init");
}
/*
* There is no message variant of verify recover, so no need for
* 'rsa_verify_recover_directly', just use this function, er, directly.
*/
static int rsa_verify_recover(void *vprsactx,
unsigned char *rout,
size_t *routlen,
unsigned char *rout, size_t *routlen,
size_t routsize,
const unsigned char *sig,
size_t siglen)
const unsigned char *sig, size_t siglen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
@ -860,12 +996,13 @@ static int rsa_verify_init(void *vprsactx, void *vrsa,
{
if (!ossl_prov_is_running())
return 0;
return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_VERIFY,
"RSA Verify Init");
return rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
EVP_PKEY_OP_VERIFY, "RSA Verify Init");
}
static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
const unsigned char *tbs, size_t tbslen)
static int rsa_verify_directly(void *vprsactx,
const unsigned char *sig, size_t siglen,
const unsigned char *tbs, size_t tbslen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
size_t rslen;
@ -954,6 +1091,75 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
return 1;
}
static int rsa_verify_set_sig(void *vprsactx,
const unsigned char *sig, size_t siglen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
OSSL_PARAM params[2];
params[0] =
OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE,
(unsigned char *)sig, siglen);
params[1] = OSSL_PARAM_construct_end();
return rsa_sigalg_set_ctx_params(prsactx, params);
}
static int rsa_verify_message_final(void *vprsactx)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
if (!ossl_prov_is_running() || prsactx == NULL)
return 0;
if (prsactx->mdctx == NULL)
return 0;
if (!prsactx->flag_allow_final) {
ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
return 0;
}
/*
* The digests used here are all known (see rsa_get_md_nid()), so they
* should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
*/
if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
return 0;
prsactx->flag_allow_update = 0;
prsactx->flag_allow_final = 0;
prsactx->flag_allow_oneshot = 0;
return rsa_verify_directly(vprsactx, prsactx->sig, prsactx->siglen,
digest, dlen);
}
/*
* If verifying a message, digest tbs and verify the result.
* Otherwise, verify tbs directly.
*/
static int rsa_verify(void *vprsactx,
const unsigned char *sig, size_t siglen,
const unsigned char *tbs, size_t tbslen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
if (!ossl_prov_is_running() || prsactx == NULL)
return 0;
if (!prsactx->flag_allow_oneshot) {
ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);
return 0;
}
if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG)
return rsa_verify_set_sig(prsactx, sig, siglen)
&& rsa_signverify_message_update(prsactx, tbs, tbslen)
&& rsa_verify_message_final(prsactx);
return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen);
}
/* DigestSign/DigestVerify wrappers */
static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
void *vrsa, const OSSL_PARAM params[],
int operation, const char *desc)
@ -963,7 +1169,8 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
if (!ossl_prov_is_running())
return 0;
if (!rsa_signverify_init(vprsactx, vrsa, params, operation, desc))
if (!rsa_signverify_init(vprsactx, vrsa, rsa_set_ctx_params, params,
operation, desc))
return 0;
if (mdname != NULL
@ -991,54 +1198,48 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
return 0;
}
static int rsa_digest_signverify_update(void *vprsactx,
const unsigned char *data,
size_t datalen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
if (prsactx == NULL || prsactx->mdctx == NULL)
return 0;
return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
}
static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
void *vrsa, const OSSL_PARAM params[])
{
if (!ossl_prov_is_running())
return 0;
return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
params, EVP_PKEY_OP_SIGN,
params, EVP_PKEY_OP_SIGNMSG,
"RSA Digest Sign Init");
}
static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data,
size_t datalen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
if (prsactx == NULL)
return 0;
/* Sigalg implementations shouldn't do digest_sign */
if (prsactx->flag_sigalg)
return 0;
return rsa_signverify_message_update(vprsactx, data, datalen);
}
static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
size_t *siglen, size_t sigsize)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
int ok = 0;
if (!ossl_prov_is_running() || prsactx == NULL)
if (prsactx == NULL)
return 0;
/* Sigalg implementations shouldn't do digest_sign */
if (prsactx->flag_sigalg)
return 0;
if (rsa_sign_message_final(prsactx, sig, siglen, sigsize))
ok = 1;
prsactx->flag_allow_md = 1;
if (prsactx->mdctx == NULL)
return 0;
/*
* If sig is NULL then we're just finding out the sig size. Other fields
* are ignored. Defer to rsa_sign.
*/
if (sig != NULL) {
/*
* The digests used here are all known (see rsa_get_md_nid()), so they
* should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
*/
if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
return 0;
}
return rsa_sign(vprsactx, sig, siglen, sigsize, digest, (size_t)dlen);
return ok;
}
static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
@ -1047,34 +1248,43 @@ static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
if (!ossl_prov_is_running())
return 0;
return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
params, EVP_PKEY_OP_VERIFY,
params, EVP_PKEY_OP_VERIFYMSG,
"RSA Digest Verify Init");
}
static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data,
size_t datalen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
if (prsactx == NULL)
return 0;
/* Sigalg implementations shouldn't do digest_sign */
if (prsactx->flag_sigalg)
return 0;
return rsa_signverify_message_update(vprsactx, data, datalen);
}
int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
size_t siglen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
if (!ossl_prov_is_running())
return 0;
int ok = 0;
if (prsactx == NULL)
return 0;
/* Sigalg implementations shouldn't do digest_verify */
if (prsactx->flag_sigalg)
return 0;
if (rsa_verify_set_sig(prsactx, sig, siglen)
&& rsa_verify_message_final(vprsactx))
ok = 1;
prsactx->flag_allow_md = 1;
if (prsactx->mdctx == NULL)
return 0;
/*
* The digests used here are all known (see rsa_get_md_nid()), so they
* should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
*/
if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
return 0;
return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
return ok;
}
static void rsa_freectx(void *vprsactx)
@ -1087,6 +1297,7 @@ static void rsa_freectx(void *vprsactx)
EVP_MD_CTX_free(prsactx->mdctx);
EVP_MD_free(prsactx->md);
EVP_MD_free(prsactx->mgf1_md);
OPENSSL_free(prsactx->sig);
OPENSSL_free(prsactx->propq);
free_tbuf(prsactx);
RSA_free(prsactx->rsa);
@ -1373,7 +1584,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
goto bad_pad;
case RSA_PKCS1_PSS_PADDING:
if ((prsactx->operation
& (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) == 0) {
& (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG
| EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {
err_extra_text =
"PSS padding only allowed for sign and verify operations";
goto bad_pad;
@ -1459,7 +1671,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
switch (saltlen) {
case RSA_PSS_SALTLEN_AUTO:
case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
if ((prsactx->operation
& (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
"Cannot use autodetected salt length");
return 0;
@ -1622,13 +1835,13 @@ const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
(void (*)(void))rsa_digest_sign_init },
{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
(void (*)(void))rsa_digest_signverify_update },
(void (*)(void))rsa_digest_sign_update },
{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
(void (*)(void))rsa_digest_sign_final },
{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
(void (*)(void))rsa_digest_verify_init },
{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
(void (*)(void))rsa_digest_signverify_update },
(void (*)(void))rsa_digest_verify_update },
{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
(void (*)(void))rsa_digest_verify_final },
{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },
@ -1649,3 +1862,250 @@ const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
(void (*)(void))rsa_settable_ctx_md_params },
OSSL_DISPATCH_END
};
/* ------------------------------------------------------------------ */
/*
* So called sigalgs (composite RSA+hash) implemented below. They
* are pretty much hard coded, and rely on the hash implementation
* being available as per what OPENSSL_NO_ macros allow.
*/
static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;
static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;
/*
* rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(),
* just doesn't allow fetching an MD from whatever the user chooses.
*/
static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa,
OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
const OSSL_PARAM params[],
const char *mdname,
int operation, int pad_mode,
const char *desc)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
if (!ossl_prov_is_running())
return 0;
if (!rsa_signverify_init(vprsactx, vrsa, set_ctx_params, params, operation,
desc))
return 0;
/* PSS is currently not supported as a sigalg */
if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return 0;
}
if (!rsa_setup_md(prsactx, mdname, NULL, desc))
return 0;
prsactx->pad_mode = pad_mode;
prsactx->flag_sigalg = 1;
prsactx->flag_allow_md = 0;
if (prsactx->mdctx == NULL) {
prsactx->mdctx = EVP_MD_CTX_new();
if (prsactx->mdctx == NULL)
goto error;
}
if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
goto error;
return 1;
error:
EVP_MD_CTX_free(prsactx->mdctx);
prsactx->mdctx = NULL;
return 0;
}
static const char **rsa_sigalg_query_key_types(void)
{
static const char *keytypes[] = { "RSA", NULL };
return keytypes;
}
static const OSSL_PARAM settable_sigalg_ctx_params[] = {
OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),
OSSL_PARAM_END
};
static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx,
ossl_unused void *provctx)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG)
return settable_sigalg_ctx_params;
return NULL;
}
static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
const OSSL_PARAM *p;
if (prsactx == NULL)
return 0;
if (params == NULL)
return 1;
if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) {
p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);
if (p != NULL) {
OPENSSL_free(prsactx->sig);
prsactx->sig = NULL;
prsactx->siglen = 0;
if (!OSSL_PARAM_get_octet_string(p, (void **)&prsactx->sig,
0, &prsactx->siglen))
return 0;
}
return 1;
}
/* Wrong operation */
return 0;
}
#define IMPL_RSA_SIGALG(md, MD) \
static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \
static OSSL_FUNC_signature_sign_message_init_fn \
rsa_##md##_sign_message_init; \
static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \
static OSSL_FUNC_signature_verify_message_init_fn \
rsa_##md##_verify_message_init; \
\
static int \
rsa_##md##_sign_init(void *vprsactx, void *vrsa, \
const OSSL_PARAM params[]) \
{ \
static const char desc[] = "RSA Sigalg Sign Init"; \
\
return rsa_sigalg_signverify_init(vprsactx, vrsa, \
rsa_sigalg_set_ctx_params, \
params, #MD, \
EVP_PKEY_OP_SIGN, \
RSA_PKCS1_PADDING, \
desc); \
} \
\
static int \
rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \
const OSSL_PARAM params[]) \
{ \
static const char desc[] = "RSA Sigalg Sign Message Init"; \
\
return rsa_sigalg_signverify_init(vprsactx, vrsa, \
rsa_sigalg_set_ctx_params, \
params, #MD, \
EVP_PKEY_OP_SIGNMSG, \
RSA_PKCS1_PADDING, \
desc); \
} \
\
static int \
rsa_##md##_verify_init(void *vprsactx, void *vrsa, \
const OSSL_PARAM params[]) \
{ \
static const char desc[] = "RSA Sigalg Verify Init"; \
\
return rsa_sigalg_signverify_init(vprsactx, vrsa, \
rsa_sigalg_set_ctx_params, \
params, #MD, \
EVP_PKEY_OP_VERIFY, \
RSA_PKCS1_PADDING, \
desc); \
} \
\
static int \
rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \
const OSSL_PARAM params[]) \
{ \
static const char desc[] = "RSA Sigalg Verify Recover Init"; \
\
return rsa_sigalg_signverify_init(vprsactx, vrsa, \
rsa_sigalg_set_ctx_params, \
params, #MD, \
EVP_PKEY_OP_VERIFYRECOVER, \
RSA_PKCS1_PADDING, \
desc); \
} \
\
static int \
rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \
const OSSL_PARAM params[]) \
{ \
static const char desc[] = "RSA Sigalg Verify Message Init"; \
\
return rsa_sigalg_signverify_init(vprsactx, vrsa, \
rsa_sigalg_set_ctx_params, \
params, #MD, \
EVP_PKEY_OP_VERIFYMSG, \
RSA_PKCS1_PADDING, \
desc); \
} \
\
const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, \
(void (*)(void))rsa_##md##_sign_init }, \
{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \
{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \
(void (*)(void))rsa_##md##_sign_message_init }, \
{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \
(void (*)(void))rsa_signverify_message_update }, \
{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \
(void (*)(void))rsa_sign_message_final }, \
{ OSSL_FUNC_SIGNATURE_VERIFY_INIT, \
(void (*)(void))rsa_##md##_verify_init }, \
{ OSSL_FUNC_SIGNATURE_VERIFY, \
(void (*)(void))rsa_verify }, \
{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \
(void (*)(void))rsa_##md##_verify_message_init }, \
{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \
(void (*)(void))rsa_signverify_message_update }, \
{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \
(void (*)(void))rsa_verify_message_final }, \
{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \
(void (*)(void))rsa_##md##_verify_recover_init }, \
{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \
(void (*)(void))rsa_verify_recover }, \
{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \
{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \
{ OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \
(void (*)(void))rsa_sigalg_query_key_types }, \
{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \
(void (*)(void))rsa_get_ctx_params }, \
{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \
(void (*)(void))rsa_gettable_ctx_params }, \
{ OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \
(void (*)(void))rsa_sigalg_set_ctx_params }, \
{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \
(void (*)(void))rsa_sigalg_settable_ctx_params }, \
OSSL_DISPATCH_END \
}
#if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE)
IMPL_RSA_SIGALG(ripemd160, RIPEMD160);
#endif
IMPL_RSA_SIGALG(sha1, SHA1);
IMPL_RSA_SIGALG(sha224, SHA2-224);
IMPL_RSA_SIGALG(sha256, SHA2-256);
IMPL_RSA_SIGALG(sha384, SHA2-384);
IMPL_RSA_SIGALG(sha512, SHA2-512);
IMPL_RSA_SIGALG(sha512_224, SHA2-512/224);
IMPL_RSA_SIGALG(sha512_256, SHA2-512/256);
IMPL_RSA_SIGALG(sha3_224, SHA3-224);
IMPL_RSA_SIGALG(sha3_256, SHA3-256);
IMPL_RSA_SIGALG(sha3_384, SHA3-384);
IMPL_RSA_SIGALG(sha3_512, SHA3-512);
#if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE)
IMPL_RSA_SIGALG(sm3, SM3);
#endif