This part fixes braces around if-else.
0f113f3e 1/*
90862ab4 2 * Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
448be743 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
b39fc560 11#include "internal/cryptlib.h"
12#include <openssl/asn1t.h>
13#include <openssl/x509.h>
1e26a8ba 14#include <openssl/bn.h>
3c27208f 15#include <openssl/cms.h>
5fe736e5 16#include "internal/asn1_int.h"
3aeb9348 17#include "internal/evp_int.h"
9862e9aa 18#include "rsa_locl.h"
448be743 19
e968561d 20#ifndef OPENSSL_NO_CMS
21static int rsa_cms_sign(CMS_SignerInfo *si);
22static int rsa_cms_verify(CMS_SignerInfo *si);
23static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
24static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
e968561d 25#endif
0574cadf 26
27static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
28
/*
 * Produce the AlgorithmIdentifier parameters that describe pkey.
 *
 * On return *pstr holds the packed parameters (or NULL) and *pstrtype the
 * ASN.1 type they are recorded under: V_ASN1_NULL for a plain RSA key,
 * V_ASN1_UNDEF for an RSA-PSS key without restrictions and V_ASN1_SEQUENCE
 * for RSA-PSS with packed RSA_PSS_PARAMS. Returns 1 on success and 0 if the
 * PSS parameters could not be packed. The caller owns *pstr.
 */
static int rsa_param_encode(const EVP_PKEY *pkey,
                            ASN1_STRING **pstr, int *pstrtype)
{
    RSA_PSS_PARAMS *pss = pkey->pkey.rsa->pss;
    int is_plain_rsa = pkey->ameth->pkey_id == EVP_PKEY_RSA;

    *pstr = NULL;
    if (is_plain_rsa) {
        /* rsaEncryption always carries an explicit NULL parameter */
        *pstrtype = V_ASN1_NULL;
        return 1;
    }
    if (pss == NULL) {
        /* RSA-PSS without restrictions: parameters are omitted entirely */
        *pstrtype = V_ASN1_UNDEF;
        return 1;
    }
    /* RSA-PSS with restrictions: pack the RSA_PSS_PARAMS SEQUENCE */
    if (ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL)
        return 0;
    *pstrtype = V_ASN1_SEQUENCE;
    return 1;
}
/*
 * Decode the AlgorithmIdentifier parameters of alg and record any RSA-PSS
 * restrictions on rsa. Plain rsaEncryption and absent parameters are
 * accepted as-is; anything other than a SEQUENCE is rejected.
 * Returns 1 on success, 0 on invalid parameters.
 */
static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
{
    const ASN1_OBJECT *oid = NULL;
    const void *pval = NULL;
    int ptype = V_ASN1_UNDEF;

    X509_ALGOR_get0(&oid, &ptype, &pval, alg);
    /* Plain rsaEncryption: nothing to record on the key */
    if (OBJ_obj2nid(oid) == EVP_PKEY_RSA)
        return 1;
    switch (ptype) {
    case V_ASN1_UNDEF:
        /* RSA-PSS without restrictions */
        return 1;
    case V_ASN1_SEQUENCE:
        rsa->pss = rsa_pss_decode(alg);
        return rsa->pss != NULL;
    default:
        RSAerr(RSA_F_RSA_PARAM_DECODE, RSA_R_INVALID_PSS_PARAMETERS);
        return 0;
    }
}
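/*
 * Encode pkey as a SubjectPublicKeyInfo into pk.
 *
 * Returns 1 on success. On failure returns 0 and releases both the DER
 * encoding and the parameter string, since X509_PUBKEY_set0_param only takes
 * ownership of them when it succeeds (this matches rsa_priv_encode).
 */
static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
    unsigned char *penc = NULL;
    int penclen;
    ASN1_STRING *str;
    int strtype;

    if (!rsa_param_encode(pkey, &str, &strtype))
        return 0;
    penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
    if (penclen <= 0) {
        /* str is NULL for plain RSA; for RSA-PSS it must not leak */
        ASN1_STRING_free(str);
        return 0;
    }
    if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
                               strtype, str, penc, penclen))
        return 1;

    OPENSSL_free(penc);
    ASN1_STRING_free(str);
    return 0;
}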
/*
 * Decode a SubjectPublicKeyInfo into an RSA key and attach it to pkey.
 * Any RSA-PSS restrictions in the AlgorithmIdentifier are recorded on the
 * key. Returns 1 on success, 0 on failure (pkey is left untouched).
 */
static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
{
    const unsigned char *der = NULL;
    int derlen = 0;
    X509_ALGOR *alg = NULL;
    RSA *rsa;

    if (!X509_PUBKEY_get0_param(NULL, &der, &derlen, &alg, pubkey))
        return 0;
    rsa = d2i_RSAPublicKey(NULL, &der, derlen);
    if (rsa == NULL) {
        RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
        return 0;
    }
    if (!rsa_param_decode(rsa, alg)) {
        RSA_free(rsa);
        return 0;
    }
    /* pkey takes ownership of rsa from here on */
    EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
    return 1;
}
/* Returns 1 when a and b share modulus and public exponent, 0 otherwise. */
static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
    const RSA *ra = a->pkey.rsa;
    const RSA *rb = b->pkey.rsa;

    if (BN_cmp(rb->n, ra->n) != 0)
        return 0;
    return BN_cmp(rb->e, ra->e) == 0;
}
/*
 * Decode a legacy (non-PKCS#8) RSAPrivateKey from *pder and attach it to
 * pkey. Returns 1 on success, 0 on decode failure.
 */
static int old_rsa_priv_decode(EVP_PKEY *pkey,
                               const unsigned char **pder, int derlen)
{
    RSA *rsa = d2i_RSAPrivateKey(NULL, pder, derlen);

    if (rsa == NULL) {
        RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
        return 0;
    }
    EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
    return 1;
}
/* Encode pkey as a legacy RSAPrivateKey; returns the i2d length or <= 0. */
static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
{
    const RSA *rsa = pkey->pkey.rsa;

    return i2d_RSAPrivateKey(rsa, pder);
}
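/*
 * Encode pkey as PKCS#8 PrivateKeyInfo into p8.
 *
 * Returns 1 on success, 0 on failure. PKCS8_pkey_set0 only takes ownership
 * of the parameter string and the DER buffer when it succeeds, so both are
 * released here on failure; the DER holds private key material and is
 * wiped rather than plainly freed.
 */
static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
{
    unsigned char *rk = NULL;
    int rklen;
    ASN1_STRING *str;
    int strtype;

    if (!rsa_param_encode(pkey, &str, &strtype))
        return 0;
    rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);

    if (rklen <= 0) {
        RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
        ASN1_STRING_free(str);
        return 0;
    }

    if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
                         strtype, str, rk, rklen)) {
        RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
        ASN1_STRING_free(str);
        /* rk is the private key DER: clear it before releasing */
        OPENSSL_clear_free(rk, rklen);
        return 0;
    }

    return 1;
}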
/*
 * Decode a PKCS#8 PrivateKeyInfo into an RSA key and attach it to pkey,
 * recording any RSA-PSS restrictions found in the AlgorithmIdentifier.
 * Returns 1 on success, 0 on failure (pkey is left untouched).
 */
static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
{
    const unsigned char *der = NULL;
    int derlen = 0;
    const X509_ALGOR *alg = NULL;
    RSA *rsa;

    if (!PKCS8_pkey_get0(NULL, &der, &derlen, &alg, p8))
        return 0;
    if ((rsa = d2i_RSAPrivateKey(NULL, &der, derlen)) == NULL) {
        RSAerr(RSA_F_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
        return 0;
    }
    if (!rsa_param_decode(rsa, alg)) {
        RSA_free(rsa);
        return 0;
    }
    EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
    return 1;
}
/* Size of the key in bytes (the RSA signature / ciphertext length). */
static int int_rsa_size(const EVP_PKEY *pkey)
{
    const RSA *rsa = pkey->pkey.rsa;

    return RSA_size(rsa);
}
/* Bit length of the modulus. */
static int rsa_bits(const EVP_PKEY *pkey)
{
    const BIGNUM *modulus = pkey->pkey.rsa->n;

    return BN_num_bits(modulus);
}
/* Security strength estimate of the key, delegated to RSA_security_bits. */
static int rsa_security_bits(const EVP_PKEY *pkey)
{
    const RSA *rsa = pkey->pkey.rsa;

    return RSA_security_bits(rsa);
}
/* Release the RSA key owned by pkey. */
static void int_rsa_free(EVP_PKEY *pkey)
{
    RSA *rsa = pkey->pkey.rsa;

    RSA_free(rsa);
}
/*
 * Unpack the digest AlgorithmIdentifier embedded in an MGF1 parameter.
 * Returns a newly allocated X509_ALGOR (caller frees), or NULL if alg is
 * not mgf1 or its parameter does not unpack.
 */
static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg)
{
    int nid = OBJ_obj2nid(alg->algorithm);

    if (nid != NID_mgf1)
        return NULL;
    return ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(X509_ALGOR),
                                     alg->parameter);
}
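/*
 * Print RSA-PSS parameters to bp. With pss_key set, pss holds the
 * restrictions of an RSA-PSS key (NULL meaning "none"); otherwise it holds
 * signature parameters and NULL means the encoding was invalid.
 * Returns 1 on success, 0 if any write to bp fails.
 */
static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss,
                               int indent)
{
    int rv = 0;
    X509_ALGOR *maskHash = NULL;

    if (!BIO_indent(bp, indent, 128))
        goto err;
    if (pss_key) {
        if (pss == NULL) {
            if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
                return 0;
            return 1;
        }
        if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
            return 0;
    } else if (pss == NULL) {
        if (BIO_puts(bp, "(INVALID PSS PARAMETERS)\n") <= 0)
            return 0;
        return 1;
    }
    if (BIO_puts(bp, "\n") <= 0)
        goto err;
    /* Key restrictions are nested one level under the heading */
    if (pss_key)
        indent += 2;
    if (!BIO_indent(bp, indent, 128))
        goto err;
    if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
        goto err;

    /* Absent fields print the ASN.1 DEFAULT values (sha1, mgf1/sha1, 20, 0xBC) */
    if (pss->hashAlgorithm) {
        if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
            goto err;
    } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
        goto err;
    }

    if (BIO_puts(bp, "\n") <= 0)
        goto err;

    if (!BIO_indent(bp, indent, 128))
        goto err;

    if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
        goto err;
    if (pss->maskGenAlgorithm) {
        if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
            goto err;
        if (BIO_puts(bp, " with ") <= 0)
            goto err;
        /* Fresh decode of the MGF1 digest; released at err on every path */
        maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
        if (maskHash != NULL) {
            if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
                goto err;
        } else if (BIO_puts(bp, "INVALID") <= 0) {
            goto err;
        }
    } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
        goto err;
    }
    /* Every write is checked: a failed newline fails the whole print */
    if (BIO_puts(bp, "\n") <= 0)
        goto err;

    if (!BIO_indent(bp, indent, 128))
        goto err;
    if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
        goto err;
    if (pss->saltLength) {
        if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
            goto err;
    } else if (BIO_puts(bp, "14 (default)") <= 0) {
        goto err;
    }
    if (BIO_puts(bp, "\n") <= 0)
        goto err;

    if (!BIO_indent(bp, indent, 128))
        goto err;
    if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
        goto err;
    if (pss->trailerField) {
        if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
            goto err;
    } else if (BIO_puts(bp, "BC (default)") <= 0) {
        goto err;
    }
    if (BIO_puts(bp, "\n") <= 0)
        goto err;

    rv = 1;

 err:
    X509_ALGOR_free(maskHash);
    return rv;
}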
/*
 * Print an RSA or RSA-PSS key to bp, indented by off. With priv set the
 * private components are printed as well; the heading reads "Private-Key"
 * only when a private exponent is actually present.
 * Returns 1 on success, 0 if any write fails.
 */
static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
{
    const RSA *x = pkey->pkey.rsa;
    const char *mod_label, *exp_label;
    int mod_len = x->n != NULL ? BN_num_bits(x->n) : 0;

    if (!BIO_indent(bp, off, 128))
        return 0;
    if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0)
        return 0;

    if (priv && x->d) {
        if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
            return 0;
        mod_label = "modulus:";
        exp_label = "publicExponent:";
    } else {
        if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
            return 0;
        mod_label = "Modulus:";
        exp_label = "Exponent:";
    }
    if (!ASN1_bn_print(bp, mod_label, x->n, NULL, off)
        || !ASN1_bn_print(bp, exp_label, x->e, NULL, off))
        return 0;

    if (priv) {
        /* Private and CRT components, in the order RSAPrivateKey lists them */
        const struct {
            const char *label;
            const BIGNUM *value;
        } parts[] = {
            { "privateExponent:", x->d },
            { "prime1:", x->p },
            { "prime2:", x->q },
            { "exponent1:", x->dmp1 },
            { "exponent2:", x->dmq1 },
            { "coefficient:", x->iqmp },
        };
        size_t i;

        for (i = 0; i < sizeof(parts) / sizeof(parts[0]); i++) {
            if (!ASN1_bn_print(bp, parts[i].label, parts[i].value, NULL, off))
                return 0;
        }
    }
    if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off))
        return 0;
    return 1;
}
/* Public key printer; ctx is unused. */
static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
                         ASN1_PCTX *ctx)
{
    const int want_private = 0;

    return pkey_rsa_print(bp, pkey, indent, want_private);
}
/* Private key printer; ctx is unused. */
static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
                          ASN1_PCTX *ctx)
{
    const int want_private = 1;

    return pkey_rsa_print(bp, pkey, indent, want_private);
}
/*
 * Unpack RSA_PSS_PARAMS from the parameters of alg. The MGF1 digest is
 * resolved eagerly into pss->maskHash so consumers need not decode it
 * again; a maskGenAlgorithm that fails to decode makes the whole decode
 * fail. Returns a new RSA_PSS_PARAMS (caller frees) or NULL.
 */
static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg)
{
    RSA_PSS_PARAMS *pss;

    pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS),
                                    alg->parameter);
    if (pss == NULL)
        return NULL;
    /* No explicit MGF: the default applies, nothing more to resolve */
    if (pss->maskGenAlgorithm == NULL)
        return pss;

    pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
    if (pss->maskHash != NULL)
        return pss;

    RSA_PSS_PARAMS_free(pss);
    return NULL;
}
/*
 * Print a signature AlgorithmIdentifier and, when sig is non-NULL, the
 * signature value. RSA-PSS parameters are decoded and printed in full;
 * pctx is unused. Returns 1 on success, 0 on write failure.
 */
static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
                         const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx)
{
    int is_pss = OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS;

    if (is_pss) {
        RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
        int printed = rsa_pss_param_print(bp, 0, pss, indent);

        RSA_PSS_PARAMS_free(pss);
        if (!printed)
            return 0;
    } else if (sig == NULL && BIO_puts(bp, "\n") <= 0) {
        return 0;
    }
    return sig != NULL ? X509_signature_dump(bp, sig, indent) : 1;
}
/*
 * ASN.1 method control hook for RSA and RSA-PSS keys.
 *
 * Return convention: 1 on success, 0 on failure, -2 when the operation is
 * not supported for this key (in particular every PKCS#7/CMS encryption
 * operation is refused for RSA-PSS keys). For the PKCS#7 sign/encrypt
 * cases the function only fixes up the AlgorithmIdentifier to
 * rsaEncryption with a NULL parameter; the CMS cases delegate to the
 * rsa_cms_* helpers, which return their own status.
 */
static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
{
    X509_ALGOR *alg = NULL;

    switch (op) {

    case ASN1_PKEY_CTRL_PKCS7_SIGN:
        /* arg1 == 0: signing; arg2 is a PKCS7_SIGNER_INFO */
        if (arg1 == 0)
            PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
        break;

    case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
        /* PSS keys are signature-only */
        if (pkey_is_pss(pkey))
            return -2;
        /* arg1 == 0: encrypting; arg2 is a PKCS7_RECIP_INFO */
        if (arg1 == 0)
            PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
        break;
#ifndef OPENSSL_NO_CMS
    case ASN1_PKEY_CTRL_CMS_SIGN:
        /* arg1 selects direction: 0 = sign, 1 = verify */
        if (arg1 == 0)
            return rsa_cms_sign(arg2);
        else if (arg1 == 1)
            return rsa_cms_verify(arg2);
        break;

    case ASN1_PKEY_CTRL_CMS_ENVELOPE:
        if (pkey_is_pss(pkey))
            return -2;
        /* arg1 selects direction: 0 = encrypt, 1 = decrypt */
        if (arg1 == 0)
            return rsa_cms_encrypt(arg2);
        else if (arg1 == 1)
            return rsa_cms_decrypt(arg2);
        break;

    case ASN1_PKEY_CTRL_CMS_RI_TYPE:
        if (pkey_is_pss(pkey))
            return -2;
        /* RSA keys use the key-transport RecipientInfo type */
        *(int *)arg2 = CMS_RECIPINFO_TRANS;
        return 1;
#endif

    case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
        *(int *)arg2 = NID_sha256;
        return 1;

    default:
        return -2;

    }

    /* Reached only from the PKCS#7 cases when arg1 == 0 */
    if (alg)
        X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);

    return 1;

}
/*
 * Allocate an AlgorithmIdentifier for md into *palg. SHA1 is the ASN.1
 * DEFAULT, so for SHA1 (or no digest) *palg is left untouched and the
 * field stays absent. Returns 1 on success, 0 on allocation failure.
 */
static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md)
{
    int is_default = md == NULL || EVP_MD_type(md) == NID_sha1;

    if (is_default)
        return 1;
    if ((*palg = X509_ALGOR_new()) == NULL)
        return 0;
    X509_ALGOR_set_md(*palg, md);
    return 1;
}
/*
 * Allocate an MGF1 AlgorithmIdentifier whose parameter is the
 * AlgorithmIdentifier of mgf1md, into *palg. For SHA1 (the DEFAULT) or no
 * digest, *palg is set to NULL and the field stays absent.
 * Returns 1 on success, 0 on failure (*palg is NULL then).
 */
static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md)
{
    X509_ALGOR *inner = NULL;
    ASN1_STRING *packed = NULL;
    int ok = 0;

    *palg = NULL;
    if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1)
        return 1;
    /* The digest AlgorithmIdentifier is DER-packed as the MGF1 parameter */
    if (!rsa_md_to_algor(&inner, mgf1md))
        goto done;
    if (ASN1_item_pack(inner, ASN1_ITEM_rptr(X509_ALGOR), &packed) == NULL)
        goto done;
    if ((*palg = X509_ALGOR_new()) == NULL)
        goto done;
    X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, packed);
    packed = NULL;              /* ownership moved into *palg */
    ok = 1;

 done:
    ASN1_STRING_free(packed);
    X509_ALGOR_free(inner);
    return ok;
}
/*
 * Resolve an AlgorithmIdentifier to its EVP_MD. An absent identifier
 * (NULL) means the ASN.1 DEFAULT, SHA1. Returns NULL and raises
 * RSA_R_UNKNOWN_DIGEST when the OID is not a known digest.
 */
static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg)
{
    const EVP_MD *md;

    if (alg == NULL)
        return EVP_sha1();
    if ((md = EVP_get_digestbyobj(alg->algorithm)) == NULL)
        RSAerr(RSA_F_RSA_ALGOR_TO_MD, RSA_R_UNKNOWN_DIGEST);
    return md;
}
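/*
 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
 * suitable for setting an AlgorithmIdentifier.
 *
 * Returns a freshly allocated RSA_PSS_PARAMS (caller frees) or NULL if the
 * context does not expose a digest, MGF1 digest and salt length, or if the
 * resolved salt length is negative.
 */
static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
{
    const EVP_MD *sigmd, *mgf1md;
    EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
    int saltlen;

    if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
        return NULL;
    if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
        return NULL;
    if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
        return NULL;
    if (saltlen == -1) {
        /* -1: salt length equals the digest length */
        saltlen = EVP_MD_size(sigmd);
    } else if (saltlen == -2) {
        /* -2: the largest salt the key size allows */
        saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
        if ((EVP_PKEY_bits(pk) & 0x7) == 1)
            saltlen--;
        /* A key too small for the digest must not yield a negative length */
        if (saltlen < 0)
            return NULL;
    }

    return rsa_pss_params_create(sigmd, mgf1md, saltlen);
}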
/*
 * Build RSA_PSS_PARAMS for the given signature digest, MGF1 digest (NULL
 * means "same as sigmd") and salt length. Fields equal to their ASN.1
 * DEFAULT (sha1, mgf1-sha1, salt 20) are left absent.
 * Returns a new RSA_PSS_PARAMS (caller frees) or NULL on failure.
 */
RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd,
                                      const EVP_MD *mgf1md, int saltlen)
{
    RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();

    if (pss == NULL)
        return NULL;
    if (saltlen != 20) {
        if ((pss->saltLength = ASN1_INTEGER_new()) == NULL
            || !ASN1_INTEGER_set(pss->saltLength, saltlen))
            goto err;
    }
    if (mgf1md == NULL)
        mgf1md = sigmd;
    /* maskHash mirrors the MGF1 digest so readers need not unpack it */
    if (rsa_md_to_algor(&pss->hashAlgorithm, sigmd)
        && rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)
        && rsa_md_to_algor(&pss->maskHash, mgf1md))
        return pss;

 err:
    RSA_PSS_PARAMS_free(pss);
    return NULL;
}
/*
 * DER-encode the PSS parameters of pkctx into a new ASN1_STRING suitable
 * as an AlgorithmIdentifier parameter. Returns NULL on failure.
 */
static ASN1_STRING *rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx)
{
    ASN1_STRING *encoded = NULL;
    RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx);

    if (pss != NULL) {
        encoded = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL);
        RSA_PSS_PARAMS_free(pss);
    }
    return encoded;
}
/*
 * Configure a verification context from a PSS AlgorithmIdentifier.
 *
 * With pkey non-NULL, ctx is initialised for DigestVerify and pkctx is
 * obtained from it. With pkey NULL, pkctx must already be set up and its
 * signature digest must match the one in sigalg. Either way the padding
 * mode, salt length and MGF1 digest are applied to pkctx.
 * Returns 1 on success, -1 on any failure.
 */
static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
                          X509_ALGOR *sigalg, EVP_PKEY *pkey)
{
    int rv = -1;
    int saltlen;
    const EVP_MD *mgf1md = NULL, *md = NULL;
    RSA_PSS_PARAMS *pss;

    if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
        RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
        return -1;
    }
    /* rsa_pss_get_param rejects a NULL (undecodable) pss */
    pss = rsa_pss_decode(sigalg);
    if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
        RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_INVALID_PSS_PARAMETERS);
        goto err;
    }

    if (pkey != NULL) {
        if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
            goto err;
    } else {
        const EVP_MD *ctxmd;

        if (EVP_PKEY_CTX_get_signature_md(pkctx, &ctxmd) <= 0)
            goto err;
        if (EVP_MD_type(md) != EVP_MD_type(ctxmd)) {
            RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_DIGEST_DOES_NOT_MATCH);
            goto err;
        }
    }

    /* Apply the decoded parameters; stop at the first ctrl that fails */
    if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) > 0
        && EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) > 0
        && EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) > 0)
        rv = 1;

 err:
    RSA_PSS_PARAMS_free(pss);
    return rv;
}
/*
 * Extract digest, MGF1 digest and salt length from decoded PSS parameters.
 * Absent fields resolve to their DEFAULTs (SHA1 / salt 20). Rejects a NULL
 * pss, unknown digests, a negative salt length and any trailer field other
 * than 1 (0xBC). Returns 1 on success, 0 on failure.
 */
int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
                      const EVP_MD **pmgf1md, int *psaltlen)
{
    if (pss == NULL)
        return 0;
    if ((*pmd = rsa_algor_to_md(pss->hashAlgorithm)) == NULL)
        return 0;
    if ((*pmgf1md = rsa_algor_to_md(pss->maskHash)) == NULL)
        return 0;

    if (pss->saltLength == NULL) {
        *psaltlen = 20;
    } else {
        *psaltlen = ASN1_INTEGER_get(pss->saltLength);
        /* ASN1_INTEGER_get also returns -1 for values it cannot represent */
        if (*psaltlen < 0) {
            RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_SALT_LENGTH);
            return 0;
        }
    }

    /*
     * low-level routines support only trailer field 0xbc (value 1) and
     * PKCS#1 says we should reject any other value anyway.
     */
    if (pss->trailerField != NULL && ASN1_INTEGER_get(pss->trailerField) != 1) {
        RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_TRAILER);
        return 0;
    }

    return 1;
}
e968561d 686#ifndef OPENSSL_NO_CMS
/*
 * Check the signature algorithm of a CMS SignerInfo against the key and
 * prepare its context. RSA-PSS signatures are passed to rsa_pss_to_ctx
 * (1 or -1); PSS keys accept nothing else. Plain rsaEncryption, or a
 * signature OID whose public key algorithm is rsaEncryption, yields 1;
 * anything else 0.
 */
static int rsa_cms_verify(CMS_SignerInfo *si)
{
    int nid, pkey_nid;
    X509_ALGOR *alg;
    EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);

    CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
    nid = OBJ_obj2nid(alg->algorithm);
    if (nid == EVP_PKEY_RSA_PSS)
        return rsa_pss_to_ctx(NULL, pkctx, alg, NULL);
    /* Only PSS allowed for PSS keys */
    if (pkey_ctx_is_pss(pkctx)) {
        RSAerr(RSA_F_RSA_CMS_VERIFY, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
        return 0;
    }
    if (nid == NID_rsaEncryption)
        return 1;
    /* Workaround for some implementation that use a signature OID */
    return OBJ_find_sigid_algs(nid, NULL, &pkey_nid)
        && pkey_nid == NID_rsaEncryption;
}
e968561d 711#endif
/*
 * Customised RSA item verification routine. This is called when a signature
 * is encountered requiring special handling. We currently only handle PSS.
 *
 * Returns 2 when ctx has been initialised and the generic verification
 * should carry on, -1 on any error.
 */
static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
                           X509_ALGOR *sigalg, ASN1_BIT_STRING *sig,
                           EVP_PKEY *pkey)
{
    int configured;

    if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
        RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
        return -1;
    }
    configured = rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0;
    return configured ? 2 : -1;
}
e968561d 734#ifndef OPENSSL_NO_CMS
/*
 * Set the signature AlgorithmIdentifier of a CMS SignerInfo from the
 * padding mode of its context: rsaEncryption with NULL parameters for
 * PKCS#1 v1.5, RSA-PSS with encoded parameters for PSS. Any other padding
 * mode is unsupported. Returns 1 on success, 0 on failure.
 */
static int rsa_cms_sign(CMS_SignerInfo *si)
{
    int pad_mode = RSA_PKCS1_PADDING;
    X509_ALGOR *alg;
    EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
    ASN1_STRING *os;

    CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
    /* Without a context the PKCS#1 v1.5 default stands */
    if (pkctx != NULL && EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
        return 0;

    switch (pad_mode) {
    case RSA_PKCS1_PADDING:
        X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
        return 1;
    case RSA_PKCS1_PSS_PADDING:
        os = rsa_ctx_to_pss_string(pkctx);
        if (os == NULL)
            return 0;
        X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
        return 1;
    default:
        /* We don't support it */
        return 0;
    }
}
e968561d 760#endif
/*
 * Item-signing hook. For PSS padding the encoded PSS parameters are
 * installed into alg1 (and a copy into alg2 when given) and 3 is returned
 * to tell the caller the AlgorithmIdentifiers are set. For any other
 * padding mode 2 is returned so the caller fills them in itself.
 * Returns 0 on failure.
 */
static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
                         X509_ALGOR *alg1, X509_ALGOR *alg2,
                         ASN1_BIT_STRING *sig)
{
    int pad_mode;
    EVP_PKEY_CTX *pkctx = EVP_MD_CTX_pkey_ctx(ctx);
    ASN1_STRING *params, *params_copy;

    if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
        return 0;
    if (pad_mode != RSA_PKCS1_PSS_PADDING)
        return 2;

    if ((params = rsa_ctx_to_pss_string(pkctx)) == NULL)
        return 0;
    /* Duplicate parameters if we have to */
    if (alg2 != NULL) {
        if ((params_copy = ASN1_STRING_dup(params)) == NULL) {
            ASN1_STRING_free(params);
            return 0;
        }
        X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
                        V_ASN1_SEQUENCE, params_copy);
    }
    X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
                    V_ASN1_SEQUENCE, params);
    return 3;
}
/*
 * Fill in X509_SIG_INFO for an RSA-PSS signature: digest NID, security
 * bits (half the digest bits, i.e. EVP_MD_size * 4) and the TLS flag when
 * the parameters match what TLS 1.3 requires. Returns 1 on success, 0 if
 * sigalg is not RSA-PSS or its parameters are invalid.
 */
static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
                            const ASN1_STRING *sig)
{
    int rv = 0;
    int mdnid, saltlen, tls_digest;
    uint32_t flags = 0;
    const EVP_MD *mgf1md = NULL, *md = NULL;
    RSA_PSS_PARAMS *pss;

    if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
        return 0;
    pss = rsa_pss_decode(sigalg);
    if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen))
        goto err;
    mdnid = EVP_MD_type(md);
    /*
     * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must
     * match and salt length must equal digest size
     */
    tls_digest = mdnid == NID_sha256 || mdnid == NID_sha384
        || mdnid == NID_sha512;
    if (tls_digest && EVP_MD_type(mgf1md) == mdnid
        && saltlen == EVP_MD_size(md))
        flags = X509_SIG_INFO_TLS;
    X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4,
                      flags);
    rv = 1;

 err:
    RSA_PSS_PARAMS_free(pss);
    return rv;
}
e968561d 830#ifndef OPENSSL_NO_CMS
/*
 * Unpack RSA_OAEP_PARAMS from the parameters of alg and resolve the MGF1
 * digest into oaep->maskHash. A maskGenFunc that fails to decode makes the
 * whole decode fail. Returns a new RSA_OAEP_PARAMS (caller frees) or NULL.
 */
static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg)
{
    RSA_OAEP_PARAMS *oaep;

    oaep = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_OAEP_PARAMS),
                                     alg->parameter);
    /* Undecodable, or no explicit MGF (default applies): nothing to resolve */
    if (oaep == NULL || oaep->maskGenFunc == NULL)
        return oaep;

    oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
    if (oaep->maskHash == NULL) {
        RSA_OAEP_PARAMS_free(oaep);
        return NULL;
    }
    return oaep;
}
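/*
 * Configure the recipient's EVP_PKEY_CTX from the key encryption
 * AlgorithmIdentifier of a CMS KeyTransRecipientInfo. Plain rsaEncryption
 * needs no setup; RSAES-OAEP parameters (digest, MGF1 digest and optional
 * pSpecified label) are decoded and applied.
 *
 * Returns 1 on success, 0 if the RecipientInfo has no context, -1 on any
 * other error. The decoded parameters come from the peer and are treated
 * as untrusted.
 */
static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
{
    EVP_PKEY_CTX *pkctx;
    X509_ALGOR *cmsalg;
    int nid;
    int rv = -1;
    unsigned char *label = NULL;
    int labellen = 0;
    const EVP_MD *mgf1md = NULL, *md = NULL;
    RSA_OAEP_PARAMS *oaep;

    pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
    if (pkctx == NULL)
        return 0;
    if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
        return -1;
    nid = OBJ_obj2nid(cmsalg->algorithm);
    if (nid == NID_rsaEncryption)
        return 1;
    if (nid != NID_rsaesOaep) {
        RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
        return -1;
    }
    /* Decode OAEP parameters */
    oaep = rsa_oaep_decode(cmsalg);

    if (oaep == NULL) {
        RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_OAEP_PARAMETERS);
        goto err;
    }

    mgf1md = rsa_algor_to_md(oaep->maskHash);
    if (mgf1md == NULL)
        goto err;
    md = rsa_algor_to_md(oaep->hashFunc);
    if (md == NULL)
        goto err;

    if (oaep->pSourceFunc != NULL) {
        X509_ALGOR *plab = oaep->pSourceFunc;

        if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
            RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
            goto err;
        }
        /*
         * AlgorithmIdentifier parameters are OPTIONAL, so a pSpecified with
         * no value decodes with parameter == NULL; reject it instead of
         * dereferencing it.
         */
        if (plab->parameter == NULL
            || plab->parameter->type != V_ASN1_OCTET_STRING) {
            RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
            goto err;
        }

        label = plab->parameter->value.octet_string->data;
        /* Stop label being freed when OAEP parameters are freed */
        plab->parameter->value.octet_string->data = NULL;
        labellen = plab->parameter->value.octet_string->length;
    }

    if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
        goto err;
    if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
        goto err;
    if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
        goto err;
    if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
        goto err;
    /* The context owns label from here on; the cleanup below must not */
    label = NULL;
    /* Carry on */
    rv = 1;

 err:
    RSA_OAEP_PARAMS_free(oaep);
    /* Non-NULL only when the label was detached but never handed over */
    OPENSSL_free(label);
    return rv;
}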
/*
 * Set the key encryption AlgorithmIdentifier of a CMS KeyTransRecipientInfo
 * from the context's padding mode: rsaEncryption with NULL parameters for
 * PKCS#1 v1.5, or RSAES-OAEP with encoded RSA_OAEP_PARAMS (digest, MGF1
 * digest and pSpecified label when one is set). Other padding modes are
 * unsupported. Returns 1 on success, 0 on failure.
 */
static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
{
    const EVP_MD *md, *mgf1md;
    RSA_OAEP_PARAMS *oaep = NULL;
    ASN1_STRING *os = NULL;
    X509_ALGOR *alg;
    EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
    int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
    unsigned char *label;

    CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg);
    if (pkctx != NULL && EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
        return 0;
    if (pad_mode == RSA_PKCS1_PADDING) {
        X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
        return 1;
    }
    /* Not supported */
    if (pad_mode != RSA_PKCS1_OAEP_PADDING)
        return 0;

    /* Nothing allocated yet, so these failures can return directly */
    if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0
        || EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
        return 0;
    /* label stays owned by the context; it is only copied below */
    labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
    if (labellen < 0)
        return 0;
    if ((oaep = RSA_OAEP_PARAMS_new()) == NULL)
        return 0;

    if (!rsa_md_to_algor(&oaep->hashFunc, md)
        || !rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
        goto err;
    if (labellen > 0) {
        ASN1_OCTET_STRING *los;

        if ((oaep->pSourceFunc = X509_ALGOR_new()) == NULL)
            goto err;
        if ((los = ASN1_OCTET_STRING_new()) == NULL)
            goto err;
        if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
            ASN1_OCTET_STRING_free(los);
            goto err;
        }
        X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
                        V_ASN1_OCTET_STRING, los);
    }
    /* Pack the OAEP parameters as the AlgorithmIdentifier SEQUENCE */
    if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os))
        goto err;
    X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
    os = NULL;                  /* ownership moved into alg */
    rv = 1;

 err:
    RSA_OAEP_PARAMS_free(oaep);
    ASN1_STRING_free(os);
    return rv;
}
e968561d 985#endif
/*
 * ASN.1 method table for plain RSA keys (rsaEncryption). The second entry
 * registers EVP_PKEY_RSA2 as an alias that resolves to the first.
 */
const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = {
    {
     EVP_PKEY_RSA,              /* method id */
     EVP_PKEY_RSA,              /* base key type */
     ASN1_PKEY_SIGPARAM_NULL,   /* signature AlgorithmIdentifier gets NULL params */

     "RSA",                     /* PEM type tag */
     "OpenSSL RSA method",

     rsa_pub_decode,            /* SubjectPublicKeyInfo decode/encode/cmp/print */
     rsa_pub_encode,
     rsa_pub_cmp,
     rsa_pub_print,

     rsa_priv_decode,           /* PKCS#8 decode/encode/print */
     rsa_priv_encode,
     rsa_priv_print,

     int_rsa_size,              /* size in bytes, modulus bits, security bits */
     rsa_bits,
     rsa_security_bits,

     0, 0, 0, 0, 0, 0,          /* six unused handler slots (RSA has no domain parameters) */

     rsa_sig_print,
     int_rsa_free,
     rsa_pkey_ctrl,
     old_rsa_priv_decode,       /* legacy non-PKCS#8 RSAPrivateKey */
     old_rsa_priv_encode,
     rsa_item_verify,           /* PSS-aware item sign/verify hooks */
     rsa_item_sign,
     rsa_sig_info_set
    },

    {
     EVP_PKEY_RSA2,
     EVP_PKEY_RSA,
     ASN1_PKEY_ALIAS}
};
/*
 * ASN.1 method table for RSA-PSS keys. It shares the encode/decode/print
 * handlers with plain RSA (those handlers branch on pkey_is_pss) but has
 * no legacy private key format; trailing slots are left zero-initialised,
 * so rsa_sig_info_set is not installed for this key type here.
 */
const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
     EVP_PKEY_RSA_PSS,          /* method id */
     EVP_PKEY_RSA_PSS,          /* base key type */
     ASN1_PKEY_SIGPARAM_NULL,

     "RSA-PSS",                 /* PEM type tag */
     "OpenSSL RSA-PSS method",

     rsa_pub_decode,
     rsa_pub_encode,
     rsa_pub_cmp,
     rsa_pub_print,

     rsa_priv_decode,
     rsa_priv_encode,
     rsa_priv_print,

     int_rsa_size,
     rsa_bits,
     rsa_security_bits,

     0, 0, 0, 0, 0, 0,          /* six unused handler slots (no domain parameters) */

     rsa_sig_print,
     int_rsa_free,
     rsa_pkey_ctrl,
     0, 0,                      /* no legacy private key decode/encode */
     rsa_item_verify,
     rsa_item_sign,
};