diff options
Diffstat (limited to 'fips/rsa/fips_rsa_sign.c')
| -rw-r--r-- | fips/rsa/fips_rsa_sign.c | 554 |
1 files changed, 554 insertions, 0 deletions
diff --git a/fips/rsa/fips_rsa_sign.c b/fips/rsa/fips_rsa_sign.c new file mode 100644 index 000000000000..37364621d1ac --- /dev/null +++ b/fips/rsa/fips_rsa_sign.c @@ -0,0 +1,554 @@ +/* fips_rsa_sign.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 2007. + */ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include <string.h> +#include <openssl/evp.h> +#include <openssl/rsa.h> +#include <openssl/err.h> +#include <openssl/sha.h> + +#ifdef OPENSSL_FIPS + +/* FIPS versions of RSA_sign() and RSA_verify(). + * These will only have to deal with SHA* signatures and by including + * pregenerated encodings all ASN1 dependencies can be avoided + */ + +/* Standard encodings including NULL parameter */ + +static const unsigned char sha1_bin[] = { + 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, + 0x00, 0x04, 0x14 +}; + +static const unsigned char sha224_bin[] = { + 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c +}; + +static const unsigned char sha256_bin[] = { + 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 +}; + +static const unsigned char sha384_bin[] = { + 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30 +}; + +static const unsigned char sha512_bin[] = { + 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 +}; + +/* Alternate encodings with absent parameters. We don't generate signature + * using this format but do tolerate received signatures of this form. + */ + +static unsigned char sha1_nn_bin[] = { + 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, + 0x14 +}; + +static unsigned char sha224_nn_bin[] = { + 0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x04, 0x04, 0x1c +}; + +static unsigned char sha256_nn_bin[] = { + 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x01, 0x04, 0x20 +}; + +static unsigned char sha384_nn_bin[] = { + 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x02, 0x04, 0x30 +}; + +static unsigned char sha512_nn_bin[] = { + 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x03, 0x04, 0x40 +}; + + +static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len) + { + switch (nid) + { + + case NID_sha1: + *len = sizeof(sha1_bin); + return sha1_bin; + + case NID_sha224: + *len = sizeof(sha224_bin); + return sha224_bin; + + case NID_sha256: + *len = sizeof(sha256_bin); + return sha256_bin; + + case NID_sha384: + *len = sizeof(sha384_bin); + return sha384_bin; + + case NID_sha512: + *len = sizeof(sha512_bin); + return sha512_bin; + + default: + return NULL; + + } + } + +static const unsigned char *fips_digestinfo_nn_encoding(int nid, unsigned int *len) + { + switch (nid) + { + + case NID_sha1: + *len = sizeof(sha1_nn_bin); + return sha1_nn_bin; + + case NID_sha224: + *len = sizeof(sha224_nn_bin); + return sha224_nn_bin; + + case NID_sha256: + *len = sizeof(sha256_nn_bin); + return sha256_nn_bin; + + case NID_sha384: + *len = sizeof(sha384_nn_bin); + return sha384_nn_bin; + + case NID_sha512: + *len = sizeof(sha512_nn_bin); + return sha512_nn_bin; + + default: + return NULL; + + } + } + +static int fips_rsa_sign(int type, const unsigned char *x, unsigned int y, + unsigned char *sigret, unsigned int *siglen, EVP_MD_SVCTX *sv) + { + int i=0,j,ret=0; + unsigned int dlen; + const unsigned char *der; + unsigned int m_len; + int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK; + int rsa_pad_mode = 0; + RSA *rsa = sv->key; + /* Largest DigestInfo: 19 (max encoding) + max MD */ + unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE]; + unsigned char md[EVP_MAX_MD_SIZE + 1]; + + EVP_DigestFinal_ex(sv->mctx, md, &m_len); + + if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) + { + ret = rsa->meth->rsa_sign(type, md, m_len, + sigret, siglen, rsa); + goto done; + } + + if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931) + { + int hash_id; + memcpy(tmpdinfo, md, m_len); + hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx)); + if (hash_id == -1) + { + RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE); + return 0; + } + tmpdinfo[m_len] = (unsigned char)hash_id; + i = m_len + 1; + rsa_pad_mode = RSA_X931_PADDING; + } + else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1) + { + + der = fips_digestinfo_encoding(type, &dlen); + + if (!der) + { + RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE); + return 0; + } + memcpy(tmpdinfo, der, dlen); + memcpy(tmpdinfo + dlen, md, m_len); + + i = dlen + m_len; + rsa_pad_mode = RSA_PKCS1_PADDING; + + } + else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS) + { + unsigned char *sbuf; + int saltlen; + i = RSA_size(rsa); + sbuf = OPENSSL_malloc(RSA_size(rsa)); + saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx); + if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN) + saltlen = -1; + else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC) + saltlen = -2; + if (!sbuf) + { + RSAerr(RSA_F_FIPS_RSA_SIGN,ERR_R_MALLOC_FAILURE); + goto psserr; + } + if (!RSA_padding_add_PKCS1_PSS(rsa, sbuf, md, + M_EVP_MD_CTX_md(sv->mctx), saltlen)) + goto psserr; + j=rsa->meth->rsa_priv_enc(i,sbuf,sigret,rsa,RSA_NO_PADDING); + if (j > 0) + { + ret=1; + *siglen=j; + } + psserr: + OPENSSL_cleanse(md,m_len); + OPENSSL_cleanse(sbuf, i); + OPENSSL_free(sbuf); + return ret; + } + + j=RSA_size(rsa); + if (i > (j-RSA_PKCS1_PADDING_SIZE)) + { + RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); + goto done; + } + /* NB: call underlying method directly to avoid FIPS blocking */ + j=rsa->meth->rsa_priv_enc(i,tmpdinfo,sigret,rsa,rsa_pad_mode); + if (j > 0) + { + ret=1; + *siglen=j; + } + + done: + OPENSSL_cleanse(tmpdinfo,i); + OPENSSL_cleanse(md,m_len); + return ret; + } + +static int fips_rsa_verify(int dtype, + const unsigned char *x, unsigned int y, + unsigned char *sigbuf, unsigned int siglen, EVP_MD_SVCTX *sv) + { + int i,ret=0; + unsigned int dlen, diglen; + int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK; + int rsa_pad_mode = 0; + unsigned char *s; + const unsigned char *der; + unsigned char dig[EVP_MAX_MD_SIZE]; + RSA *rsa = sv->key; + + if (siglen != (unsigned int)RSA_size(sv->key)) + { + RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); + return(0); + } + + EVP_DigestFinal_ex(sv->mctx, dig, &diglen); + + if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) + { + return rsa->meth->rsa_verify(dtype, dig, diglen, + sigbuf, siglen, rsa); + } + + + s= OPENSSL_malloc((unsigned int)siglen); + if (s == NULL) + { + RSAerr(RSA_F_FIPS_RSA_VERIFY,ERR_R_MALLOC_FAILURE); + goto err; + } + if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931) + rsa_pad_mode = RSA_X931_PADDING; + else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1) + rsa_pad_mode = RSA_PKCS1_PADDING; + else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS) + rsa_pad_mode = RSA_NO_PADDING; + + /* NB: call underlying method directly to avoid FIPS blocking */ + i=rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s, rsa, rsa_pad_mode); + + if (i <= 0) goto err; + + if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931) + { + int hash_id; + if (i != (int)(diglen + 1)) + { + RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx)); + if (hash_id == -1) + { + RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE); + goto err; + } + if (s[diglen] != (unsigned char)hash_id) + { + RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + if (memcmp(s, dig, diglen)) + { + RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + ret = 1; + } + else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1) + { + + der = fips_digestinfo_encoding(dtype, &dlen); + + if (!der) + { + RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE); + return(0); + } + + /* Compare, DigestInfo length, DigestInfo header and finally + * digest value itself + */ + + /* If length mismatch try alternate encoding */ + if (i != (int)(dlen + diglen)) + der = fips_digestinfo_nn_encoding(dtype, &dlen); + + if ((i != (int)(dlen + diglen)) || memcmp(der, s, dlen) + || memcmp(s + dlen, dig, diglen)) + { + RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + ret = 1; + + } + else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS) + { + int saltlen; + saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx); + if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN) + saltlen = -1; + else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC) + saltlen = -2; + ret = RSA_verify_PKCS1_PSS(rsa, dig, M_EVP_MD_CTX_md(sv->mctx), + s, saltlen); + if (ret < 0) + ret = 0; + } +err: + if (s != NULL) + { + OPENSSL_cleanse(s, siglen); + OPENSSL_free(s); + } + return(ret); + } + +#define EVP_PKEY_RSA_fips_method \ + (evp_sign_method *)fips_rsa_sign, \ + (evp_verify_method *)fips_rsa_verify, \ + {EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0} + +static int init(EVP_MD_CTX *ctx) + { return SHA1_Init(ctx->md_data); } + +static int update(EVP_MD_CTX *ctx,const void *data,size_t count) + { return SHA1_Update(ctx->md_data,data,count); } + +static int final(EVP_MD_CTX *ctx,unsigned char *md) + { return SHA1_Final(md,ctx->md_data); } + +static const EVP_MD sha1_md= + { + NID_sha1, + NID_sha1WithRSAEncryption, + SHA_DIGEST_LENGTH, + EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, + init, + update, + final, + NULL, + NULL, + EVP_PKEY_RSA_fips_method, + SHA_CBLOCK, + sizeof(EVP_MD *)+sizeof(SHA_CTX), + }; + +const EVP_MD *EVP_sha1(void) + { + return(&sha1_md); + } + +static int init224(EVP_MD_CTX *ctx) + { return SHA224_Init(ctx->md_data); } +static int init256(EVP_MD_CTX *ctx) + { return SHA256_Init(ctx->md_data); } +/* + * Even though there're separate SHA224_[Update|Final], we call + * SHA256 functions even in SHA224 context. This is what happens + * there anyway, so we can spare few CPU cycles:-) + */ +static int update256(EVP_MD_CTX *ctx,const void *data,size_t count) + { return SHA256_Update(ctx->md_data,data,count); } +static int final256(EVP_MD_CTX *ctx,unsigned char *md) + { return SHA256_Final(md,ctx->md_data); } + +static const EVP_MD sha224_md= + { + NID_sha224, + NID_sha224WithRSAEncryption, + SHA224_DIGEST_LENGTH, + EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, + init224, + update256, + final256, + NULL, + NULL, + EVP_PKEY_RSA_fips_method, + SHA256_CBLOCK, + sizeof(EVP_MD *)+sizeof(SHA256_CTX), + }; + +const EVP_MD *EVP_sha224(void) + { return(&sha224_md); } + +static const EVP_MD sha256_md= + { + NID_sha256, + NID_sha256WithRSAEncryption, + SHA256_DIGEST_LENGTH, + EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, + init256, + update256, + final256, + NULL, + NULL, + EVP_PKEY_RSA_fips_method, + SHA256_CBLOCK, + sizeof(EVP_MD *)+sizeof(SHA256_CTX), + }; + +const EVP_MD *EVP_sha256(void) + { return(&sha256_md); } + +static int init384(EVP_MD_CTX *ctx) + { return SHA384_Init(ctx->md_data); } +static int init512(EVP_MD_CTX *ctx) + { return SHA512_Init(ctx->md_data); } +/* See comment in SHA224/256 section */ +static int update512(EVP_MD_CTX *ctx,const void *data,size_t count) + { return SHA512_Update(ctx->md_data,data,count); } +static int final512(EVP_MD_CTX *ctx,unsigned char *md) + { return SHA512_Final(md,ctx->md_data); } + +static const EVP_MD sha384_md= + { + NID_sha384, + NID_sha384WithRSAEncryption, + SHA384_DIGEST_LENGTH, + EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, + init384, + update512, + final512, + NULL, + NULL, + EVP_PKEY_RSA_fips_method, + SHA512_CBLOCK, + sizeof(EVP_MD *)+sizeof(SHA512_CTX), + }; + +const EVP_MD *EVP_sha384(void) + { return(&sha384_md); } + +static const EVP_MD sha512_md= + { + NID_sha512, + NID_sha512WithRSAEncryption, + SHA512_DIGEST_LENGTH, + EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, + init512, + update512, + final512, + NULL, + NULL, + EVP_PKEY_RSA_fips_method, + SHA512_CBLOCK, + sizeof(EVP_MD *)+sizeof(SHA512_CTX), + }; + +const EVP_MD *EVP_sha512(void) + { return(&sha512_md); } + +#endif |