2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
60 #include <openssl/evp.h>
61 #include <openssl/rsa.h>
62 #include <openssl/err.h>
63 #include <openssl/sha.h>
67 /* FIPS versions of RSA_sign() and RSA_verify().
68 * These will only have to deal with SHA* signatures and by including
69 * pregenerated encodings all ASN1 dependencies can be avoided
72 /* Standard encodings including NULL parameter */
74 static const unsigned char sha1_bin[] = {
75 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
79 static const unsigned char sha224_bin[] = {
80 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
81 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
84 static const unsigned char sha256_bin[] = {
85 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
86 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
89 static const unsigned char sha384_bin[] = {
90 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
91 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
94 static const unsigned char sha512_bin[] = {
95 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
96 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
99 /* Alternate encodings with absent parameters. We don't generate signature
100 * using this format but do tolerate received signatures of this form.
103 static unsigned char sha1_nn_bin[] = {
104 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04,
108 static unsigned char sha224_nn_bin[] = {
109 0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
110 0x04, 0x02, 0x04, 0x04, 0x1c
113 static unsigned char sha256_nn_bin[] = {
114 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
115 0x04, 0x02, 0x01, 0x04, 0x20
118 static unsigned char sha384_nn_bin[] = {
119 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
120 0x04, 0x02, 0x02, 0x04, 0x30
123 static unsigned char sha512_nn_bin[] = {
124 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
125 0x04, 0x02, 0x03, 0x04, 0x40
129 static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len)
135 *len = sizeof(sha1_bin);
139 *len = sizeof(sha224_bin);
143 *len = sizeof(sha256_bin);
147 *len = sizeof(sha384_bin);
151 *len = sizeof(sha512_bin);
160 static const unsigned char *fips_digestinfo_nn_encoding(int nid, unsigned int *len)
166 *len = sizeof(sha1_nn_bin);
170 *len = sizeof(sha224_nn_bin);
171 return sha224_nn_bin;
174 *len = sizeof(sha256_nn_bin);
175 return sha256_nn_bin;
178 *len = sizeof(sha384_nn_bin);
179 return sha384_nn_bin;
182 *len = sizeof(sha512_nn_bin);
183 return sha512_nn_bin;
191 static int fips_rsa_sign(int type, const unsigned char *x, unsigned int y,
192 unsigned char *sigret, unsigned int *siglen, EVP_MD_SVCTX *sv)
196 const unsigned char *der;
198 int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK;
199 int rsa_pad_mode = 0;
201 /* Largest DigestInfo: 19 (max encoding) + max MD */
202 unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE];
203 unsigned char md[EVP_MAX_MD_SIZE + 1];
205 EVP_DigestFinal_ex(sv->mctx, md, &m_len);
207 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
209 ret = rsa->meth->rsa_sign(type, md, m_len,
210 sigret, siglen, rsa);
214 if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)
217 memcpy(tmpdinfo, md, m_len);
218 hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx));
221 RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
224 tmpdinfo[m_len] = (unsigned char)hash_id;
226 rsa_pad_mode = RSA_X931_PADDING;
228 else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)
231 der = fips_digestinfo_encoding(type, &dlen);
235 RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
238 memcpy(tmpdinfo, der, dlen);
239 memcpy(tmpdinfo + dlen, md, m_len);
242 rsa_pad_mode = RSA_PKCS1_PADDING;
245 else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)
250 sbuf = OPENSSL_malloc(RSA_size(rsa));
251 saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx);
252 if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
254 else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
258 RSAerr(RSA_F_FIPS_RSA_SIGN,ERR_R_MALLOC_FAILURE);
261 if (!RSA_padding_add_PKCS1_PSS(rsa, sbuf, md,
262 M_EVP_MD_CTX_md(sv->mctx), saltlen))
264 j=rsa->meth->rsa_priv_enc(i,sbuf,sigret,rsa,RSA_NO_PADDING);
271 OPENSSL_cleanse(md,m_len);
272 OPENSSL_cleanse(sbuf, i);
278 if (i > (j-RSA_PKCS1_PADDING_SIZE))
280 RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
283 /* NB: call underlying method directly to avoid FIPS blocking */
284 j=rsa->meth->rsa_priv_enc(i,tmpdinfo,sigret,rsa,rsa_pad_mode);
292 OPENSSL_cleanse(tmpdinfo,i);
293 OPENSSL_cleanse(md,m_len);
297 static int fips_rsa_verify(int dtype,
298 const unsigned char *x, unsigned int y,
299 unsigned char *sigbuf, unsigned int siglen, EVP_MD_SVCTX *sv)
302 unsigned int dlen, diglen;
303 int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK;
304 int rsa_pad_mode = 0;
306 const unsigned char *der;
307 unsigned char dig[EVP_MAX_MD_SIZE];
310 if (siglen != (unsigned int)RSA_size(sv->key))
312 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
316 EVP_DigestFinal_ex(sv->mctx, dig, &diglen);
318 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
320 return rsa->meth->rsa_verify(dtype, dig, diglen,
321 sigbuf, siglen, rsa);
325 s= OPENSSL_malloc((unsigned int)siglen);
328 RSAerr(RSA_F_FIPS_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
331 if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)
332 rsa_pad_mode = RSA_X931_PADDING;
333 else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)
334 rsa_pad_mode = RSA_PKCS1_PADDING;
335 else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)
336 rsa_pad_mode = RSA_NO_PADDING;
338 /* NB: call underlying method directly to avoid FIPS blocking */
339 i=rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s, rsa, rsa_pad_mode);
341 if (i <= 0) goto err;
343 if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931)
346 if (i != (int)(diglen + 1))
348 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
351 hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx));
354 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE);
357 if (s[diglen] != (unsigned char)hash_id)
359 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
362 if (memcmp(s, dig, diglen))
364 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
369 else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1)
372 der = fips_digestinfo_encoding(dtype, &dlen);
376 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE);
380 /* Compare, DigestInfo length, DigestInfo header and finally
381 * digest value itself
384 /* If length mismatch try alternate encoding */
385 if (i != (int)(dlen + diglen))
386 der = fips_digestinfo_nn_encoding(dtype, &dlen);
388 if ((i != (int)(dlen + diglen)) || memcmp(der, s, dlen)
389 || memcmp(s + dlen, dig, diglen))
391 RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
397 else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS)
400 saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx);
401 if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
403 else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
405 ret = RSA_verify_PKCS1_PSS(rsa, dig, M_EVP_MD_CTX_md(sv->mctx),
413 OPENSSL_cleanse(s, siglen);
419 #define EVP_PKEY_RSA_fips_method \
420 (evp_sign_method *)fips_rsa_sign, \
421 (evp_verify_method *)fips_rsa_verify, \
422 {EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
424 static int init(EVP_MD_CTX *ctx)
425 { return SHA1_Init(ctx->md_data); }
427 static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
428 { return SHA1_Update(ctx->md_data,data,count); }
430 static int final(EVP_MD_CTX *ctx,unsigned char *md)
431 { return SHA1_Final(md,ctx->md_data); }
433 static const EVP_MD sha1_md=
436 NID_sha1WithRSAEncryption,
438 EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
444 EVP_PKEY_RSA_fips_method,
446 sizeof(EVP_MD *)+sizeof(SHA_CTX),
449 const EVP_MD *EVP_sha1(void)
454 static int init224(EVP_MD_CTX *ctx)
455 { return SHA224_Init(ctx->md_data); }
456 static int init256(EVP_MD_CTX *ctx)
457 { return SHA256_Init(ctx->md_data); }
459 * Even though there're separate SHA224_[Update|Final], we call
460 * SHA256 functions even in SHA224 context. This is what happens
461 * there anyway, so we can spare few CPU cycles:-)
463 static int update256(EVP_MD_CTX *ctx,const void *data,size_t count)
464 { return SHA256_Update(ctx->md_data,data,count); }
465 static int final256(EVP_MD_CTX *ctx,unsigned char *md)
466 { return SHA256_Final(md,ctx->md_data); }
468 static const EVP_MD sha224_md=
471 NID_sha224WithRSAEncryption,
472 SHA224_DIGEST_LENGTH,
473 EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
479 EVP_PKEY_RSA_fips_method,
481 sizeof(EVP_MD *)+sizeof(SHA256_CTX),
484 const EVP_MD *EVP_sha224(void)
485 { return(&sha224_md); }
487 static const EVP_MD sha256_md=
490 NID_sha256WithRSAEncryption,
491 SHA256_DIGEST_LENGTH,
492 EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
498 EVP_PKEY_RSA_fips_method,
500 sizeof(EVP_MD *)+sizeof(SHA256_CTX),
503 const EVP_MD *EVP_sha256(void)
504 { return(&sha256_md); }
506 static int init384(EVP_MD_CTX *ctx)
507 { return SHA384_Init(ctx->md_data); }
508 static int init512(EVP_MD_CTX *ctx)
509 { return SHA512_Init(ctx->md_data); }
510 /* See comment in SHA224/256 section */
511 static int update512(EVP_MD_CTX *ctx,const void *data,size_t count)
512 { return SHA512_Update(ctx->md_data,data,count); }
513 static int final512(EVP_MD_CTX *ctx,unsigned char *md)
514 { return SHA512_Final(md,ctx->md_data); }
516 static const EVP_MD sha384_md=
519 NID_sha384WithRSAEncryption,
520 SHA384_DIGEST_LENGTH,
521 EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
527 EVP_PKEY_RSA_fips_method,
529 sizeof(EVP_MD *)+sizeof(SHA512_CTX),
532 const EVP_MD *EVP_sha384(void)
533 { return(&sha384_md); }
535 static const EVP_MD sha512_md=
538 NID_sha512WithRSAEncryption,
539 SHA512_DIGEST_LENGTH,
540 EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX,
546 EVP_PKEY_RSA_fips_method,
548 sizeof(EVP_MD *)+sizeof(SHA512_CTX),
551 const EVP_MD *EVP_sha512(void)
552 { return(&sha512_md); }