]>
Commit | Line | Data |
---|---|---|
80f4fd18 | 1 | /* |
fecb3aae | 2 | * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. |
80f4fd18 SL |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
fba140c7 | 15 | #include "internal/nelem.h" |
80f4fd18 | 16 | |
80f4fd18 SL |
17 | #include <openssl/crypto.h> |
18 | #include <openssl/evp.h> | |
19 | #include <openssl/core_dispatch.h> | |
20 | #include <openssl/core_names.h> | |
21 | #include <openssl/rsa.h> | |
22 | #include <openssl/params.h> | |
23 | #include <openssl/err.h> | |
9d0dd1d5 | 24 | #include "crypto/rsa.h" |
2741128e | 25 | #include <openssl/proverr.h> |
f2a6f838 | 26 | #include "internal/nelem.h" |
80f4fd18 SL |
27 | #include "prov/provider_ctx.h" |
28 | #include "prov/implementations.h" | |
21e5be85 | 29 | #include "prov/securitycheck.h" |
80f4fd18 SL |
30 | |
31 | static OSSL_FUNC_kem_newctx_fn rsakem_newctx; | |
21e5be85 | 32 | static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init; |
80f4fd18 | 33 | static OSSL_FUNC_kem_encapsulate_fn rsakem_generate; |
21e5be85 | 34 | static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init; |
80f4fd18 SL |
35 | static OSSL_FUNC_kem_decapsulate_fn rsakem_recover; |
36 | static OSSL_FUNC_kem_freectx_fn rsakem_freectx; | |
37 | static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx; | |
38 | static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params; | |
39 | static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params; | |
40 | static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params; | |
41 | static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params; | |
42 | ||
43 | /* | |
44 | * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented | |
45 | * currently. | |
46 | */ | |
47 | #define KEM_OP_UNDEFINED -1 | |
48 | #define KEM_OP_RSASVE 0 | |
49 | ||
50 | /* | |
51 | * What's passed as an actual key is defined by the KEYMGMT interface. | |
52 | * We happen to know that our KEYMGMT simply passes RSA structures, so | |
53 | * we use that here too. | |
54 | */ | |
55 | typedef struct { | |
b4250010 | 56 | OSSL_LIB_CTX *libctx; |
80f4fd18 SL |
57 | RSA *rsa; |
58 | int op; | |
59 | } PROV_RSA_CTX; | |
60 | ||
61 | static const OSSL_ITEM rsakem_opname_id_map[] = { | |
62 | { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE }, | |
63 | }; | |
64 | ||
65 | static int name2id(const char *name, const OSSL_ITEM *map, size_t sz) | |
66 | { | |
67 | size_t i; | |
68 | ||
69 | if (name == NULL) | |
70 | return -1; | |
71 | ||
72 | for (i = 0; i < sz; ++i) { | |
fba140c7 | 73 | if (OPENSSL_strcasecmp(map[i].ptr, name) == 0) |
80f4fd18 SL |
74 | return map[i].id; |
75 | } | |
76 | return -1; | |
77 | } | |
78 | ||
79 | static int rsakem_opname2id(const char *name) | |
80 | { | |
81 | return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map)); | |
82 | } | |
83 | ||
84 | static void *rsakem_newctx(void *provctx) | |
85 | { | |
86 | PROV_RSA_CTX *prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX)); | |
87 | ||
88 | if (prsactx == NULL) | |
89 | return NULL; | |
a829b735 | 90 | prsactx->libctx = PROV_LIBCTX_OF(provctx); |
80f4fd18 SL |
91 | prsactx->op = KEM_OP_UNDEFINED; |
92 | ||
93 | return prsactx; | |
94 | } | |
95 | ||
96 | static void rsakem_freectx(void *vprsactx) | |
97 | { | |
98 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
99 | ||
100 | RSA_free(prsactx->rsa); | |
101 | OPENSSL_free(prsactx); | |
102 | } | |
103 | ||
104 | static void *rsakem_dupctx(void *vprsactx) | |
105 | { | |
106 | PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; | |
107 | PROV_RSA_CTX *dstctx; | |
108 | ||
109 | dstctx = OPENSSL_zalloc(sizeof(*srcctx)); | |
110 | if (dstctx == NULL) | |
111 | return NULL; | |
112 | ||
113 | *dstctx = *srcctx; | |
114 | if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) { | |
115 | OPENSSL_free(dstctx); | |
116 | return NULL; | |
117 | } | |
118 | return dstctx; | |
119 | } | |
120 | ||
5a084c5f P |
121 | static int rsakem_init(void *vprsactx, void *vrsa, |
122 | const OSSL_PARAM params[], int operation) | |
80f4fd18 SL |
123 | { |
124 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
125 | ||
0cfbc828 TM |
126 | if (prsactx == NULL || vrsa == NULL) |
127 | return 0; | |
128 | ||
6ce58488 | 129 | if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) |
0cfbc828 TM |
130 | return 0; |
131 | ||
132 | if (!RSA_up_ref(vrsa)) | |
80f4fd18 SL |
133 | return 0; |
134 | RSA_free(prsactx->rsa); | |
135 | prsactx->rsa = vrsa; | |
21e5be85 | 136 | |
5a084c5f | 137 | return rsakem_set_ctx_params(prsactx, params); |
80f4fd18 SL |
138 | } |
139 | ||
5a084c5f P |
140 | static int rsakem_encapsulate_init(void *vprsactx, void *vrsa, |
141 | const OSSL_PARAM params[]) | |
21e5be85 | 142 | { |
5a084c5f | 143 | return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE); |
21e5be85 SL |
144 | } |
145 | ||
5a084c5f P |
146 | static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, |
147 | const OSSL_PARAM params[]) | |
21e5be85 | 148 | { |
5a084c5f | 149 | return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE); |
21e5be85 SL |
150 | } |
151 | ||
80f4fd18 SL |
152 | static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) |
153 | { | |
154 | PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; | |
155 | ||
5a084c5f | 156 | return ctx != NULL; |
80f4fd18 SL |
157 | } |
158 | ||
159 | static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = { | |
160 | OSSL_PARAM_END | |
161 | }; | |
162 | ||
fb67126e TM |
163 | static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *vprsactx, |
164 | ossl_unused void *provctx) | |
80f4fd18 SL |
165 | { |
166 | return known_gettable_rsakem_ctx_params; | |
167 | } | |
168 | ||
169 | static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) | |
170 | { | |
171 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
172 | const OSSL_PARAM *p; | |
173 | int op; | |
174 | ||
5a084c5f | 175 | if (prsactx == NULL) |
80f4fd18 | 176 | return 0; |
5a084c5f P |
177 | if (params == NULL) |
178 | return 1; | |
179 | ||
80f4fd18 SL |
180 | |
181 | p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION); | |
182 | if (p != NULL) { | |
183 | if (p->data_type != OSSL_PARAM_UTF8_STRING) | |
184 | return 0; | |
185 | op = rsakem_opname2id(p->data); | |
186 | if (op < 0) | |
187 | return 0; | |
188 | prsactx->op = op; | |
189 | } | |
190 | return 1; | |
191 | } | |
192 | ||
193 | static const OSSL_PARAM known_settable_rsakem_ctx_params[] = { | |
194 | OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0), | |
195 | OSSL_PARAM_END | |
196 | }; | |
197 | ||
fb67126e TM |
198 | static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *vprsactx, |
199 | ossl_unused void *provctx) | |
80f4fd18 SL |
200 | { |
201 | return known_settable_rsakem_ctx_params; | |
202 | } | |
203 | ||
204 | /* | |
205 | * NIST.SP.800-56Br2 | |
206 | * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE). | |
207 | * | |
208 | * Generate a random in the range 1 < z < (n – 1) | |
209 | */ | |
210 | static int rsasve_gen_rand_bytes(RSA *rsa_pub, | |
211 | unsigned char *out, int outlen) | |
212 | { | |
213 | int ret = 0; | |
214 | BN_CTX *bnctx; | |
215 | BIGNUM *z, *nminus3; | |
216 | ||
23b2fc0b | 217 | bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub)); |
80f4fd18 SL |
218 | if (bnctx == NULL) |
219 | return 0; | |
220 | ||
221 | /* | |
222 | * Generate a random in the range 1 < z < (n – 1). | |
223 | * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max | |
224 | * We can achieve this by adding 2.. but then we need to subtract 3 from | |
225 | * the upper bound i.e: 2 + (0 <= r < (n - 3)) | |
226 | */ | |
227 | BN_CTX_start(bnctx); | |
228 | nminus3 = BN_CTX_get(bnctx); | |
229 | z = BN_CTX_get(bnctx); | |
230 | ret = (z != NULL | |
231 | && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL) | |
232 | && BN_sub_word(nminus3, 3) | |
965fa9c0 | 233 | && BN_priv_rand_range_ex(z, nminus3, 0, bnctx) |
80f4fd18 SL |
234 | && BN_add_word(z, 2) |
235 | && (BN_bn2binpad(z, out, outlen) == outlen)); | |
236 | BN_CTX_end(bnctx); | |
237 | BN_CTX_free(bnctx); | |
238 | return ret; | |
239 | } | |
240 | ||
241 | /* | |
242 | * NIST.SP.800-56Br2 | |
243 | * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE). | |
244 | */ | |
245 | static int rsasve_generate(PROV_RSA_CTX *prsactx, | |
246 | unsigned char *out, size_t *outlen, | |
247 | unsigned char *secret, size_t *secretlen) | |
248 | { | |
249 | int ret; | |
250 | size_t nlen; | |
251 | ||
252 | /* Step (1): nlen = Ceil(len(n)/8) */ | |
253 | nlen = RSA_size(prsactx->rsa); | |
254 | ||
255 | if (out == NULL) { | |
256 | if (nlen == 0) { | |
257 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); | |
258 | return 0; | |
259 | } | |
260 | if (outlen == NULL && secretlen == NULL) | |
261 | return 0; | |
262 | if (outlen != NULL) | |
263 | *outlen = nlen; | |
264 | if (secretlen != NULL) | |
265 | *secretlen = nlen; | |
266 | return 1; | |
267 | } | |
268 | /* | |
269 | * Step (2): Generate a random byte string z of nlen bytes where | |
270 | * 1 < z < n - 1 | |
271 | */ | |
272 | if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen)) | |
273 | return 0; | |
274 | ||
275 | /* Step(3): out = RSAEP((n,e), z) */ | |
276 | ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING); | |
277 | if (ret) { | |
278 | ret = 1; | |
279 | if (outlen != NULL) | |
280 | *outlen = nlen; | |
281 | if (secretlen != NULL) | |
282 | *secretlen = nlen; | |
283 | } else { | |
284 | OPENSSL_cleanse(secret, nlen); | |
285 | } | |
286 | return ret; | |
287 | } | |
288 | ||
289 | /* | |
290 | * NIST.SP.800-56Br2 | |
291 | * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER). | |
292 | */ | |
293 | static int rsasve_recover(PROV_RSA_CTX *prsactx, | |
294 | unsigned char *out, size_t *outlen, | |
295 | const unsigned char *in, size_t inlen) | |
296 | { | |
297 | size_t nlen; | |
298 | ||
299 | /* Step (1): get the byte length of n */ | |
300 | nlen = RSA_size(prsactx->rsa); | |
301 | ||
302 | if (out == NULL) { | |
303 | if (nlen == 0) { | |
304 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); | |
305 | return 0; | |
306 | } | |
307 | *outlen = nlen; | |
308 | return 1; | |
309 | } | |
310 | ||
311 | /* Step (2): check the input ciphertext 'inlen' matches the nlen */ | |
312 | if (inlen != nlen) { | |
313 | ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); | |
314 | return 0; | |
315 | } | |
316 | /* Step (3): out = RSADP((n,d), in) */ | |
317 | return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0); | |
318 | } | |
319 | ||
320 | static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen, | |
321 | unsigned char *secret, size_t *secretlen) | |
322 | { | |
323 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
324 | ||
325 | switch (prsactx->op) { | |
326 | case KEM_OP_RSASVE: | |
327 | return rsasve_generate(prsactx, out, outlen, secret, secretlen); | |
328 | default: | |
329 | return -2; | |
330 | } | |
331 | } | |
332 | ||
333 | static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen, | |
334 | const unsigned char *in, size_t inlen) | |
335 | { | |
336 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
337 | ||
338 | switch (prsactx->op) { | |
339 | case KEM_OP_RSASVE: | |
340 | return rsasve_recover(prsactx, out, outlen, in, inlen); | |
341 | default: | |
342 | return -2; | |
343 | } | |
344 | } | |
345 | ||
1be63951 | 346 | const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = { |
80f4fd18 SL |
347 | { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx }, |
348 | { OSSL_FUNC_KEM_ENCAPSULATE_INIT, | |
21e5be85 | 349 | (void (*)(void))rsakem_encapsulate_init }, |
80f4fd18 SL |
350 | { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate }, |
351 | { OSSL_FUNC_KEM_DECAPSULATE_INIT, | |
21e5be85 | 352 | (void (*)(void))rsakem_decapsulate_init }, |
80f4fd18 SL |
353 | { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover }, |
354 | { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx }, | |
355 | { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx }, | |
356 | { OSSL_FUNC_KEM_GET_CTX_PARAMS, | |
357 | (void (*)(void))rsakem_get_ctx_params }, | |
358 | { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS, | |
359 | (void (*)(void))rsakem_gettable_ctx_params }, | |
360 | { OSSL_FUNC_KEM_SET_CTX_PARAMS, | |
361 | (void (*)(void))rsakem_set_ctx_params }, | |
362 | { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS, | |
363 | (void (*)(void))rsakem_settable_ctx_params }, | |
1e6bd31e | 364 | OSSL_DISPATCH_END |
80f4fd18 | 365 | }; |