3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
6 /* ====================================================================
7 * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
61 #include <openssl/evp.h>
62 #include <openssl/rsa.h>
63 #include <openssl/err.h>
64 #include <openssl/sha.h>
69 * FIPS versions of RSA_sign() and RSA_verify(). These will only have to deal
70 * with SHA* signatures and by including pregenerated encodings all ASN1
71 * dependencies can be avoided
74 /* Standard encodings including NULL parameter */
76 static const unsigned char sha1_bin[] = {
77 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
81 static const unsigned char sha224_bin[] = {
82 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
83 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
86 static const unsigned char sha256_bin[] = {
87 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
88 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
91 static const unsigned char sha384_bin[] = {
92 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
93 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
96 static const unsigned char sha512_bin[] = {
97 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
98 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
102 * Alternate encodings with absent parameters. We don't generate signature
103 * using this format but do tolerate received signatures of this form.
106 static unsigned char sha1_nn_bin[] = {
107 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04,
111 static unsigned char sha224_nn_bin[] = {
112 0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
113 0x04, 0x02, 0x04, 0x04, 0x1c
116 static unsigned char sha256_nn_bin[] = {
117 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
118 0x04, 0x02, 0x01, 0x04, 0x20
121 static unsigned char sha384_nn_bin[] = {
122 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
123 0x04, 0x02, 0x02, 0x04, 0x30
126 static unsigned char sha512_nn_bin[] = {
127 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
128 0x04, 0x02, 0x03, 0x04, 0x40
131 static const unsigned char *fips_digestinfo_encoding(int nid,
137 *len = sizeof(sha1_bin);
141 *len = sizeof(sha224_bin);
145 *len = sizeof(sha256_bin);
149 *len = sizeof(sha384_bin);
153 *len = sizeof(sha512_bin);
162 static const unsigned char *fips_digestinfo_nn_encoding(int nid,
168 *len = sizeof(sha1_nn_bin);
172 *len = sizeof(sha224_nn_bin);
173 return sha224_nn_bin;
176 *len = sizeof(sha256_nn_bin);
177 return sha256_nn_bin;
180 *len = sizeof(sha384_nn_bin);
181 return sha384_nn_bin;
184 *len = sizeof(sha512_nn_bin);
185 return sha512_nn_bin;
193 static int fips_rsa_sign(int type, const unsigned char *x, unsigned int y,
194 unsigned char *sigret, unsigned int *siglen,
197 int i = 0, j, ret = 0;
199 const unsigned char *der;
201 int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK;
202 int rsa_pad_mode = 0;
204 /* Largest DigestInfo: 19 (max encoding) + max MD */
205 unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE];
206 unsigned char md[EVP_MAX_MD_SIZE + 1];
208 EVP_DigestFinal_ex(sv->mctx, md, &m_len);
210 if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
211 ret = rsa->meth->rsa_sign(type, md, m_len, sigret, siglen, rsa);
215 if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931) {
217 memcpy(tmpdinfo, md, m_len);
218 hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx));
220 RSAerr(RSA_F_FIPS_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
223 tmpdinfo[m_len] = (unsigned char)hash_id;
225 rsa_pad_mode = RSA_X931_PADDING;
226 } else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1) {
228 der = fips_digestinfo_encoding(type, &dlen);
231 RSAerr(RSA_F_FIPS_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
234 memcpy(tmpdinfo, der, dlen);
235 memcpy(tmpdinfo + dlen, md, m_len);
238 rsa_pad_mode = RSA_PKCS1_PADDING;
240 } else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS) {
244 sbuf = OPENSSL_malloc(RSA_size(rsa));
245 saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx);
246 if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
248 else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
251 RSAerr(RSA_F_FIPS_RSA_SIGN, ERR_R_MALLOC_FAILURE);
254 if (!RSA_padding_add_PKCS1_PSS(rsa, sbuf, md,
255 M_EVP_MD_CTX_md(sv->mctx), saltlen))
257 j = rsa->meth->rsa_priv_enc(i, sbuf, sigret, rsa, RSA_NO_PADDING);
263 OPENSSL_cleanse(md, m_len);
264 OPENSSL_cleanse(sbuf, i);
270 if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
271 RSAerr(RSA_F_FIPS_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
274 /* NB: call underlying method directly to avoid FIPS blocking */
275 j = rsa->meth->rsa_priv_enc(i, tmpdinfo, sigret, rsa, rsa_pad_mode);
282 OPENSSL_cleanse(tmpdinfo, i);
283 OPENSSL_cleanse(md, m_len);
287 static int fips_rsa_verify(int dtype,
288 const unsigned char *x, unsigned int y,
289 unsigned char *sigbuf, unsigned int siglen,
293 unsigned int dlen, diglen;
294 int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK;
295 int rsa_pad_mode = 0;
297 const unsigned char *der;
298 unsigned char dig[EVP_MAX_MD_SIZE];
301 if (siglen != (unsigned int)RSA_size(sv->key)) {
302 RSAerr(RSA_F_FIPS_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
306 EVP_DigestFinal_ex(sv->mctx, dig, &diglen);
308 if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
309 return rsa->meth->rsa_verify(dtype, dig, diglen, sigbuf, siglen, rsa);
312 s = OPENSSL_malloc((unsigned int)siglen);
314 RSAerr(RSA_F_FIPS_RSA_VERIFY, ERR_R_MALLOC_FAILURE);
317 if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)
318 rsa_pad_mode = RSA_X931_PADDING;
319 else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)
320 rsa_pad_mode = RSA_PKCS1_PADDING;
321 else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)
322 rsa_pad_mode = RSA_NO_PADDING;
324 /* NB: call underlying method directly to avoid FIPS blocking */
325 i = rsa->meth->rsa_pub_dec((int)siglen, sigbuf, s, rsa, rsa_pad_mode);
330 if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931) {
332 if (i != (int)(diglen + 1)) {
333 RSAerr(RSA_F_FIPS_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
336 hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx));
338 RSAerr(RSA_F_FIPS_RSA_VERIFY, RSA_R_UNKNOWN_ALGORITHM_TYPE);
341 if (s[diglen] != (unsigned char)hash_id) {
342 RSAerr(RSA_F_FIPS_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
345 if (memcmp(s, dig, diglen)) {
346 RSAerr(RSA_F_FIPS_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
350 } else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1) {
352 der = fips_digestinfo_encoding(dtype, &dlen);
355 RSAerr(RSA_F_FIPS_RSA_VERIFY, RSA_R_UNKNOWN_ALGORITHM_TYPE);
360 * Compare, DigestInfo length, DigestInfo header and finally digest
364 /* If length mismatch try alternate encoding */
365 if (i != (int)(dlen + diglen))
366 der = fips_digestinfo_nn_encoding(dtype, &dlen);
368 if ((i != (int)(dlen + diglen)) || memcmp(der, s, dlen)
369 || memcmp(s + dlen, dig, diglen)) {
370 RSAerr(RSA_F_FIPS_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
375 } else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS) {
377 saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx);
378 if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
380 else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
382 ret = RSA_verify_PKCS1_PSS(rsa, dig, M_EVP_MD_CTX_md(sv->mctx),
389 OPENSSL_cleanse(s, siglen);
395 # define EVP_PKEY_RSA_fips_method \
396 (evp_sign_method *)fips_rsa_sign, \
397 (evp_verify_method *)fips_rsa_verify, \
398 {EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
400 static int init(EVP_MD_CTX *ctx)
402 return SHA1_Init(ctx->md_data);
405 static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
407 return SHA1_Update(ctx->md_data, data, count);
410 static int final(EVP_MD_CTX *ctx, unsigned char *md)
412 return SHA1_Final(md, ctx->md_data);
415 static const EVP_MD sha1_md = {
417 NID_sha1WithRSAEncryption,
419 EVP_MD_FLAG_FIPS | EVP_MD_FLAG_SVCTX,
425 EVP_PKEY_RSA_fips_method,
427 sizeof(EVP_MD *) + sizeof(SHA_CTX),
430 const EVP_MD *EVP_sha1(void)
435 static int init224(EVP_MD_CTX *ctx)
437 return SHA224_Init(ctx->md_data);
440 static int init256(EVP_MD_CTX *ctx)
442 return SHA256_Init(ctx->md_data);
446 * Even though there're separate SHA224_[Update|Final], we call
447 * SHA256 functions even in SHA224 context. This is what happens
448 * there anyway, so we can spare few CPU cycles:-)
450 static int update256(EVP_MD_CTX *ctx, const void *data, size_t count)
452 return SHA256_Update(ctx->md_data, data, count);
455 static int final256(EVP_MD_CTX *ctx, unsigned char *md)
457 return SHA256_Final(md, ctx->md_data);
460 static const EVP_MD sha224_md = {
462 NID_sha224WithRSAEncryption,
463 SHA224_DIGEST_LENGTH,
464 EVP_MD_FLAG_FIPS | EVP_MD_FLAG_SVCTX,
470 EVP_PKEY_RSA_fips_method,
472 sizeof(EVP_MD *) + sizeof(SHA256_CTX),
475 const EVP_MD *EVP_sha224(void)
480 static const EVP_MD sha256_md = {
482 NID_sha256WithRSAEncryption,
483 SHA256_DIGEST_LENGTH,
484 EVP_MD_FLAG_FIPS | EVP_MD_FLAG_SVCTX,
490 EVP_PKEY_RSA_fips_method,
492 sizeof(EVP_MD *) + sizeof(SHA256_CTX),
495 const EVP_MD *EVP_sha256(void)
500 static int init384(EVP_MD_CTX *ctx)
502 return SHA384_Init(ctx->md_data);
505 static int init512(EVP_MD_CTX *ctx)
507 return SHA512_Init(ctx->md_data);
510 /* See comment in SHA224/256 section */
511 static int update512(EVP_MD_CTX *ctx, const void *data, size_t count)
513 return SHA512_Update(ctx->md_data, data, count);
516 static int final512(EVP_MD_CTX *ctx, unsigned char *md)
518 return SHA512_Final(md, ctx->md_data);
521 static const EVP_MD sha384_md = {
523 NID_sha384WithRSAEncryption,
524 SHA384_DIGEST_LENGTH,
525 EVP_MD_FLAG_FIPS | EVP_MD_FLAG_SVCTX,
531 EVP_PKEY_RSA_fips_method,
533 sizeof(EVP_MD *) + sizeof(SHA512_CTX),
536 const EVP_MD *EVP_sha384(void)
541 static const EVP_MD sha512_md = {
543 NID_sha512WithRSAEncryption,
544 SHA512_DIGEST_LENGTH,
545 EVP_MD_FLAG_FIPS | EVP_MD_FLAG_SVCTX,
551 EVP_PKEY_RSA_fips_method,
553 sizeof(EVP_MD *) + sizeof(SHA512_CTX),
556 const EVP_MD *EVP_sha512(void)