2
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5
/* ====================================================================
6
* Copyright (c) 2007 The OpenSSL Project. All rights reserved.
8
* Redistribution and use in source and binary forms, with or without
9
* modification, are permitted provided that the following conditions
12
* 1. Redistributions of source code must retain the above copyright
13
* notice, this list of conditions and the following disclaimer.
15
* 2. Redistributions in binary form must reproduce the above copyright
16
* notice, this list of conditions and the following disclaimer in
17
* the documentation and/or other materials provided with the
20
* 3. All advertising materials mentioning features or use of this
21
* software must display the following acknowledgment:
22
* "This product includes software developed by the OpenSSL Project
23
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26
* endorse or promote products derived from this software without
27
* prior written permission. For written permission, please contact
28
* licensing@OpenSSL.org.
30
* 5. Products derived from this software may not be called "OpenSSL"
31
* nor may "OpenSSL" appear in their names without prior written
32
* permission of the OpenSSL Project.
34
* 6. Redistributions of any form whatsoever must retain the following
36
* "This product includes software developed by the OpenSSL Project
37
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50
* OF THE POSSIBILITY OF SUCH DAMAGE.
51
* ====================================================================
53
* This product includes cryptographic software written by Eric Young
54
* (eay@cryptsoft.com). This product includes software written by Tim
55
* Hudson (tjh@cryptsoft.com).
60
#include <openssl/evp.h>
61
#include <openssl/rsa.h>
62
#include <openssl/err.h>
63
#include <openssl/sha.h>
67
/* FIPS versions of RSA_sign() and RSA_verify().
68
* These will only have to deal with SHA* signatures and by including
69
* pregenerated encodings all ASN1 dependencies can be avoided
72
/* Standard encodings including NULL parameter */
74
static const unsigned char sha1_bin[] = {
75
0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
79
static const unsigned char sha224_bin[] = {
80
0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
81
0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
84
static const unsigned char sha256_bin[] = {
85
0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
86
0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
89
static const unsigned char sha384_bin[] = {
90
0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
91
0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
94
static const unsigned char sha512_bin[] = {
95
0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
96
0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
99
/* Alternate encodings with absent parameters. We don't generate signature
100
* using this format but do tolerate received signatures of this form.
103
static unsigned char sha1_nn_bin[] = {
104
0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04,
108
static unsigned char sha224_nn_bin[] = {
109
0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
110
0x04, 0x02, 0x04, 0x04, 0x1c
113
static unsigned char sha256_nn_bin[] = {
114
0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
115
0x04, 0x02, 0x01, 0x04, 0x20
118
static unsigned char sha384_nn_bin[] = {
119
0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
120
0x04, 0x02, 0x02, 0x04, 0x30
123
static unsigned char sha512_nn_bin[] = {
124
0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
125
0x04, 0x02, 0x03, 0x04, 0x40
129
static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len)
135
*len = sizeof(sha1_bin);
139
*len = sizeof(sha224_bin);
143
*len = sizeof(sha256_bin);
147
*len = sizeof(sha384_bin);
151
*len = sizeof(sha512_bin);
160
static const unsigned char *fips_digestinfo_nn_encoding(int nid, unsigned int *len)
166
*len = sizeof(sha1_nn_bin);
170
*len = sizeof(sha224_nn_bin);
171
return sha224_nn_bin;
174
*len = sizeof(sha256_nn_bin);
175
return sha256_nn_bin;
178
*len = sizeof(sha384_nn_bin);
179
return sha384_nn_bin;
182
*len = sizeof(sha512_nn_bin);
183
return sha512_nn_bin;
191
static int fips_rsa_sign(int type, const unsigned char *x, unsigned int y,
192
unsigned char *sigret, unsigned int *siglen, EVP_MD_SVCTX *sv)
196
const unsigned char *der;
198
int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK;
199
int rsa_pad_mode = 0;
201
/* Largest DigestInfo: 19 (max encoding) + max MD */
202
unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE];
203
unsigned char md[EVP_MAX_MD_SIZE + 1];
205
EVP_DigestFinal_ex(sv->mctx, md, &m_len);
207
if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
209
ret = rsa->meth->rsa_sign(type, md, m_len,
210
sigret, siglen, rsa);
214
if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)
217
memcpy(tmpdinfo, md, m_len);
218
hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx));
221
RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
224
tmpdinfo[m_len] = (unsigned char)hash_id;
226
rsa_pad_mode = RSA_X931_PADDING;
228
else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)
231
der = fips_digestinfo_encoding(type, &dlen);
235
RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
238
memcpy(tmpdinfo, der, dlen);
239
memcpy(tmpdinfo + dlen, md, m_len);
242
rsa_pad_mode = RSA_PKCS1_PADDING;
245
else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)
250
sbuf = OPENSSL_malloc(RSA_size(rsa));
251
saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx);
252
if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
254
else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
258
RSAerr(RSA_F_FIPS_RSA_SIGN,ERR_R_MALLOC_FAILURE);
261
if (!RSA_padding_add_PKCS1_PSS(rsa, sbuf, md,
262
M_EVP_MD_CTX_md(sv->mctx), saltlen))
264
j=rsa->meth->rsa_priv_enc(i,sbuf,sigret,rsa,RSA_NO_PADDING);
271
OPENSSL_cleanse(md,m_len);
272
OPENSSL_cleanse(sbuf, i);
278
if (i > (j-RSA_PKCS1_PADDING_SIZE))
280
RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
283
/* NB: call underlying method directly to avoid FIPS blocking */
284
j=rsa->meth->rsa_priv_enc(i,tmpdinfo,sigret,rsa,rsa_pad_mode);
292
OPENSSL_cleanse(tmpdinfo,i);
293
OPENSSL_cleanse(md,m_len);
297
static int fips_rsa_verify(int dtype,
298
const unsigned char *x, unsigned int y,
299
unsigned char *sigbuf, unsigned int siglen, EVP_MD_SVCTX *sv)
302
unsigned int dlen, diglen;
303
int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK;
304
int rsa_pad_mode = 0;
306
const unsigned char *der;
307
unsigned char dig[EVP_MAX_MD_SIZE];
310
if (siglen != (unsigned int)RSA_size(sv->key))
312
RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
316
EVP_DigestFinal_ex(sv->mctx, dig, &diglen);
318
if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
320
return rsa->meth->rsa_verify(dtype, dig, diglen,
321
sigbuf, siglen, rsa);
325
s= OPENSSL_malloc((unsigned int)siglen);
328
RSAerr(RSA_F_FIPS_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
331
if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)
332
rsa_pad_mode = RSA_X931_PADDING;
333
else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)
334
rsa_pad_mode = RSA_PKCS1_PADDING;
335
else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)
336
rsa_pad_mode = RSA_NO_PADDING;
338
/* NB: call underlying method directly to avoid FIPS blocking */
339
i=rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s, rsa, rsa_pad_mode);
341
if (i <= 0) goto err;
343
if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)
346
if (i != (int)(diglen + 1))
348
RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
351
hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx));
354
RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE);
357
if (s[diglen] != (unsigned char)hash_id)
359
RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
362
if (memcmp(s, dig, diglen))
364
RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
369
else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)
372
der = fips_digestinfo_encoding(dtype, &dlen);
376
RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE);
380
/* Compare, DigestInfo length, DigestInfo header and finally
381
* digest value itself
384
/* If length mismatch try alternate encoding */
385
if (i != (int)(dlen + diglen))
386
der = fips_digestinfo_nn_encoding(dtype, &dlen);
388
if ((i != (int)(dlen + diglen)) || memcmp(der, s, dlen)
389
|| memcmp(s + dlen, dig, diglen))
391
RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
397
else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)
400
saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx);
401
if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
403
else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
405
ret = RSA_verify_PKCS1_PSS(rsa, dig, M_EVP_MD_CTX_md(sv->mctx),
413
OPENSSL_cleanse(s, siglen);
419
#define EVP_PKEY_RSA_fips_method \
420
(evp_sign_method *)fips_rsa_sign, \
421
(evp_verify_method *)fips_rsa_verify, \
422
{EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
424
static int init(EVP_MD_CTX *ctx)
425
{ return SHA1_Init(ctx->md_data); }
427
static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
428
{ return SHA1_Update(ctx->md_data,data,count); }
430
static int final(EVP_MD_CTX *ctx,unsigned char *md)
431
{ return SHA1_Final(md,ctx->md_data); }
433
static const EVP_MD sha1_md=
436
NID_sha1WithRSAEncryption,
438
EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
444
EVP_PKEY_RSA_fips_method,
446
sizeof(EVP_MD *)+sizeof(SHA_CTX),
449
const EVP_MD *EVP_sha1(void)
454
static int init224(EVP_MD_CTX *ctx)
455
{ return SHA224_Init(ctx->md_data); }
456
static int init256(EVP_MD_CTX *ctx)
457
{ return SHA256_Init(ctx->md_data); }
459
* Even though there're separate SHA224_[Update|Final], we call
460
* SHA256 functions even in SHA224 context. This is what happens
461
* there anyway, so we can spare few CPU cycles:-)
463
static int update256(EVP_MD_CTX *ctx,const void *data,size_t count)
464
{ return SHA256_Update(ctx->md_data,data,count); }
465
static int final256(EVP_MD_CTX *ctx,unsigned char *md)
466
{ return SHA256_Final(md,ctx->md_data); }
468
static const EVP_MD sha224_md=
471
NID_sha224WithRSAEncryption,
472
SHA224_DIGEST_LENGTH,
473
EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
479
EVP_PKEY_RSA_fips_method,
481
sizeof(EVP_MD *)+sizeof(SHA256_CTX),
484
const EVP_MD *EVP_sha224(void)
485
{ return(&sha224_md); }
487
static const EVP_MD sha256_md=
490
NID_sha256WithRSAEncryption,
491
SHA256_DIGEST_LENGTH,
492
EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
498
EVP_PKEY_RSA_fips_method,
500
sizeof(EVP_MD *)+sizeof(SHA256_CTX),
503
const EVP_MD *EVP_sha256(void)
504
{ return(&sha256_md); }
506
static int init384(EVP_MD_CTX *ctx)
507
{ return SHA384_Init(ctx->md_data); }
508
static int init512(EVP_MD_CTX *ctx)
509
{ return SHA512_Init(ctx->md_data); }
510
/* See comment in SHA224/256 section */
511
static int update512(EVP_MD_CTX *ctx,const void *data,size_t count)
512
{ return SHA512_Update(ctx->md_data,data,count); }
513
static int final512(EVP_MD_CTX *ctx,unsigned char *md)
514
{ return SHA512_Final(md,ctx->md_data); }
516
static const EVP_MD sha384_md=
519
NID_sha384WithRSAEncryption,
520
SHA384_DIGEST_LENGTH,
521
EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
527
EVP_PKEY_RSA_fips_method,
529
sizeof(EVP_MD *)+sizeof(SHA512_CTX),
532
const EVP_MD *EVP_sha384(void)
533
{ return(&sha384_md); }
535
static const EVP_MD sha512_md=
538
NID_sha512WithRSAEncryption,
539
SHA512_DIGEST_LENGTH,
540
EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
546
EVP_PKEY_RSA_fips_method,
548
sizeof(EVP_MD *)+sizeof(SHA512_CTX),
551
const EVP_MD *EVP_sha512(void)
552
{ return(&sha512_md); }