]>
Commit | Line | Data |
---|---|---|
80f4fd18 SL |
1 | /* |
2 | * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
16 | #include "e_os.h" /* strcasecmp */ | |
17 | #include <openssl/crypto.h> | |
18 | #include <openssl/evp.h> | |
19 | #include <openssl/core_dispatch.h> | |
20 | #include <openssl/core_names.h> | |
21 | #include <openssl/rsa.h> | |
22 | #include <openssl/params.h> | |
23 | #include <openssl/err.h> | |
24 | #include <crypto/rsa.h> | |
25 | #include "prov/providercommonerr.h" | |
26 | #include "prov/provider_ctx.h" | |
27 | #include "prov/implementations.h" | |
21e5be85 | 28 | #include "prov/securitycheck.h" |
80f4fd18 SL |
29 | |
30 | static OSSL_FUNC_kem_newctx_fn rsakem_newctx; | |
21e5be85 | 31 | static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init; |
80f4fd18 | 32 | static OSSL_FUNC_kem_encapsulate_fn rsakem_generate; |
21e5be85 | 33 | static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init; |
80f4fd18 SL |
34 | static OSSL_FUNC_kem_decapsulate_fn rsakem_recover; |
35 | static OSSL_FUNC_kem_freectx_fn rsakem_freectx; | |
36 | static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx; | |
37 | static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params; | |
38 | static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params; | |
39 | static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params; | |
40 | static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params; | |
41 | ||
42 | /* | |
43 | * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented | |
44 | * currently. | |
45 | */ | |
46 | #define KEM_OP_UNDEFINED -1 | |
47 | #define KEM_OP_RSASVE 0 | |
48 | ||
49 | /* | |
50 | * What's passed as an actual key is defined by the KEYMGMT interface. | |
51 | * We happen to know that our KEYMGMT simply passes RSA structures, so | |
52 | * we use that here too. | |
53 | */ | |
54 | typedef struct { | |
55 | OPENSSL_CTX *libctx; | |
56 | RSA *rsa; | |
57 | int op; | |
58 | } PROV_RSA_CTX; | |
59 | ||
60 | static const OSSL_ITEM rsakem_opname_id_map[] = { | |
61 | { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE }, | |
62 | }; | |
63 | ||
64 | static int name2id(const char *name, const OSSL_ITEM *map, size_t sz) | |
65 | { | |
66 | size_t i; | |
67 | ||
68 | if (name == NULL) | |
69 | return -1; | |
70 | ||
71 | for (i = 0; i < sz; ++i) { | |
72 | if (strcasecmp(map[i].ptr, name) == 0) | |
73 | return map[i].id; | |
74 | } | |
75 | return -1; | |
76 | } | |
77 | ||
78 | static int rsakem_opname2id(const char *name) | |
79 | { | |
80 | return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map)); | |
81 | } | |
82 | ||
83 | static void *rsakem_newctx(void *provctx) | |
84 | { | |
85 | PROV_RSA_CTX *prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX)); | |
86 | ||
87 | if (prsactx == NULL) | |
88 | return NULL; | |
89 | prsactx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx); | |
90 | prsactx->op = KEM_OP_UNDEFINED; | |
91 | ||
92 | return prsactx; | |
93 | } | |
94 | ||
95 | static void rsakem_freectx(void *vprsactx) | |
96 | { | |
97 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
98 | ||
99 | RSA_free(prsactx->rsa); | |
100 | OPENSSL_free(prsactx); | |
101 | } | |
102 | ||
103 | static void *rsakem_dupctx(void *vprsactx) | |
104 | { | |
105 | PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; | |
106 | PROV_RSA_CTX *dstctx; | |
107 | ||
108 | dstctx = OPENSSL_zalloc(sizeof(*srcctx)); | |
109 | if (dstctx == NULL) | |
110 | return NULL; | |
111 | ||
112 | *dstctx = *srcctx; | |
113 | if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) { | |
114 | OPENSSL_free(dstctx); | |
115 | return NULL; | |
116 | } | |
117 | return dstctx; | |
118 | } | |
119 | ||
21e5be85 | 120 | static int rsakem_init(void *vprsactx, void *vrsa, int operation) |
80f4fd18 SL |
121 | { |
122 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
123 | ||
124 | if (prsactx == NULL || vrsa == NULL || !RSA_up_ref(vrsa)) | |
125 | return 0; | |
126 | RSA_free(prsactx->rsa); | |
127 | prsactx->rsa = vrsa; | |
21e5be85 | 128 | |
23b2fc0b | 129 | if (!ossl_rsa_check_key(vrsa, operation == EVP_PKEY_OP_ENCAPSULATE)) { |
21e5be85 SL |
130 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); |
131 | return 0; | |
132 | } | |
80f4fd18 SL |
133 | return 1; |
134 | } | |
135 | ||
21e5be85 SL |
136 | static int rsakem_encapsulate_init(void *vprsactx, void *vrsa) |
137 | { | |
138 | return rsakem_init(vprsactx, vrsa, EVP_PKEY_OP_ENCAPSULATE); | |
139 | } | |
140 | ||
141 | static int rsakem_decapsulate_init(void *vprsactx, void *vrsa) | |
142 | { | |
143 | return rsakem_init(vprsactx, vrsa, EVP_PKEY_OP_DECAPSULATE); | |
144 | } | |
145 | ||
80f4fd18 SL |
146 | static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) |
147 | { | |
148 | PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; | |
149 | ||
150 | if (ctx == NULL || params == NULL) | |
151 | return 0; | |
152 | return 1; | |
153 | } | |
154 | ||
155 | static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = { | |
156 | OSSL_PARAM_END | |
157 | }; | |
158 | ||
159 | static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *provctx) | |
160 | { | |
161 | return known_gettable_rsakem_ctx_params; | |
162 | } | |
163 | ||
164 | static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) | |
165 | { | |
166 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
167 | const OSSL_PARAM *p; | |
168 | int op; | |
169 | ||
170 | if (prsactx == NULL || params == NULL) | |
171 | return 0; | |
172 | ||
173 | p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION); | |
174 | if (p != NULL) { | |
175 | if (p->data_type != OSSL_PARAM_UTF8_STRING) | |
176 | return 0; | |
177 | op = rsakem_opname2id(p->data); | |
178 | if (op < 0) | |
179 | return 0; | |
180 | prsactx->op = op; | |
181 | } | |
182 | return 1; | |
183 | } | |
184 | ||
185 | static const OSSL_PARAM known_settable_rsakem_ctx_params[] = { | |
186 | OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0), | |
187 | OSSL_PARAM_END | |
188 | }; | |
189 | ||
190 | static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *provctx) | |
191 | { | |
192 | return known_settable_rsakem_ctx_params; | |
193 | } | |
194 | ||
195 | /* | |
196 | * NIST.SP.800-56Br2 | |
197 | * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE). | |
198 | * | |
199 | * Generate a random in the range 1 < z < (n – 1) | |
200 | */ | |
201 | static int rsasve_gen_rand_bytes(RSA *rsa_pub, | |
202 | unsigned char *out, int outlen) | |
203 | { | |
204 | int ret = 0; | |
205 | BN_CTX *bnctx; | |
206 | BIGNUM *z, *nminus3; | |
207 | ||
23b2fc0b | 208 | bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub)); |
80f4fd18 SL |
209 | if (bnctx == NULL) |
210 | return 0; | |
211 | ||
212 | /* | |
213 | * Generate a random in the range 1 < z < (n – 1). | |
214 | * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max | |
215 | * We can achieve this by adding 2.. but then we need to subtract 3 from | |
216 | * the upper bound i.e: 2 + (0 <= r < (n - 3)) | |
217 | */ | |
218 | BN_CTX_start(bnctx); | |
219 | nminus3 = BN_CTX_get(bnctx); | |
220 | z = BN_CTX_get(bnctx); | |
221 | ret = (z != NULL | |
222 | && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL) | |
223 | && BN_sub_word(nminus3, 3) | |
224 | && BN_priv_rand_range_ex(z, nminus3, bnctx) | |
225 | && BN_add_word(z, 2) | |
226 | && (BN_bn2binpad(z, out, outlen) == outlen)); | |
227 | BN_CTX_end(bnctx); | |
228 | BN_CTX_free(bnctx); | |
229 | return ret; | |
230 | } | |
231 | ||
232 | /* | |
233 | * NIST.SP.800-56Br2 | |
234 | * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE). | |
235 | */ | |
236 | static int rsasve_generate(PROV_RSA_CTX *prsactx, | |
237 | unsigned char *out, size_t *outlen, | |
238 | unsigned char *secret, size_t *secretlen) | |
239 | { | |
240 | int ret; | |
241 | size_t nlen; | |
242 | ||
243 | /* Step (1): nlen = Ceil(len(n)/8) */ | |
244 | nlen = RSA_size(prsactx->rsa); | |
245 | ||
246 | if (out == NULL) { | |
247 | if (nlen == 0) { | |
248 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); | |
249 | return 0; | |
250 | } | |
251 | if (outlen == NULL && secretlen == NULL) | |
252 | return 0; | |
253 | if (outlen != NULL) | |
254 | *outlen = nlen; | |
255 | if (secretlen != NULL) | |
256 | *secretlen = nlen; | |
257 | return 1; | |
258 | } | |
259 | /* | |
260 | * Step (2): Generate a random byte string z of nlen bytes where | |
261 | * 1 < z < n - 1 | |
262 | */ | |
263 | if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen)) | |
264 | return 0; | |
265 | ||
266 | /* Step(3): out = RSAEP((n,e), z) */ | |
267 | ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING); | |
268 | if (ret) { | |
269 | ret = 1; | |
270 | if (outlen != NULL) | |
271 | *outlen = nlen; | |
272 | if (secretlen != NULL) | |
273 | *secretlen = nlen; | |
274 | } else { | |
275 | OPENSSL_cleanse(secret, nlen); | |
276 | } | |
277 | return ret; | |
278 | } | |
279 | ||
280 | /* | |
281 | * NIST.SP.800-56Br2 | |
282 | * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER). | |
283 | */ | |
284 | static int rsasve_recover(PROV_RSA_CTX *prsactx, | |
285 | unsigned char *out, size_t *outlen, | |
286 | const unsigned char *in, size_t inlen) | |
287 | { | |
288 | size_t nlen; | |
289 | ||
290 | /* Step (1): get the byte length of n */ | |
291 | nlen = RSA_size(prsactx->rsa); | |
292 | ||
293 | if (out == NULL) { | |
294 | if (nlen == 0) { | |
295 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); | |
296 | return 0; | |
297 | } | |
298 | *outlen = nlen; | |
299 | return 1; | |
300 | } | |
301 | ||
302 | /* Step (2): check the input ciphertext 'inlen' matches the nlen */ | |
303 | if (inlen != nlen) { | |
304 | ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); | |
305 | return 0; | |
306 | } | |
307 | /* Step (3): out = RSADP((n,d), in) */ | |
308 | return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0); | |
309 | } | |
310 | ||
311 | static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen, | |
312 | unsigned char *secret, size_t *secretlen) | |
313 | { | |
314 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
315 | ||
316 | switch (prsactx->op) { | |
317 | case KEM_OP_RSASVE: | |
318 | return rsasve_generate(prsactx, out, outlen, secret, secretlen); | |
319 | default: | |
320 | return -2; | |
321 | } | |
322 | } | |
323 | ||
324 | static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen, | |
325 | const unsigned char *in, size_t inlen) | |
326 | { | |
327 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
328 | ||
329 | switch (prsactx->op) { | |
330 | case KEM_OP_RSASVE: | |
331 | return rsasve_recover(prsactx, out, outlen, in, inlen); | |
332 | default: | |
333 | return -2; | |
334 | } | |
335 | } | |
336 | ||
1be63951 | 337 | const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = { |
80f4fd18 SL |
338 | { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx }, |
339 | { OSSL_FUNC_KEM_ENCAPSULATE_INIT, | |
21e5be85 | 340 | (void (*)(void))rsakem_encapsulate_init }, |
80f4fd18 SL |
341 | { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate }, |
342 | { OSSL_FUNC_KEM_DECAPSULATE_INIT, | |
21e5be85 | 343 | (void (*)(void))rsakem_decapsulate_init }, |
80f4fd18 SL |
344 | { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover }, |
345 | { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx }, | |
346 | { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx }, | |
347 | { OSSL_FUNC_KEM_GET_CTX_PARAMS, | |
348 | (void (*)(void))rsakem_get_ctx_params }, | |
349 | { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS, | |
350 | (void (*)(void))rsakem_gettable_ctx_params }, | |
351 | { OSSL_FUNC_KEM_SET_CTX_PARAMS, | |
352 | (void (*)(void))rsakem_set_ctx_params }, | |
353 | { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS, | |
354 | (void (*)(void))rsakem_settable_ctx_params }, | |
355 | { 0, NULL } | |
356 | }; |