]>
Commit | Line | Data |
---|---|---|
80f4fd18 | 1 | /* |
fecb3aae | 2 | * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. |
80f4fd18 SL |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
fba140c7 | 15 | #include "internal/nelem.h" |
80f4fd18 | 16 | |
80f4fd18 SL |
17 | #include <openssl/crypto.h> |
18 | #include <openssl/evp.h> | |
19 | #include <openssl/core_dispatch.h> | |
20 | #include <openssl/core_names.h> | |
21 | #include <openssl/rsa.h> | |
22 | #include <openssl/params.h> | |
23 | #include <openssl/err.h> | |
9d0dd1d5 | 24 | #include "crypto/rsa.h" |
2741128e | 25 | #include <openssl/proverr.h> |
80f4fd18 SL |
26 | #include "prov/provider_ctx.h" |
27 | #include "prov/implementations.h" | |
21e5be85 | 28 | #include "prov/securitycheck.h" |
80f4fd18 SL |
29 | |
30 | static OSSL_FUNC_kem_newctx_fn rsakem_newctx; | |
21e5be85 | 31 | static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init; |
80f4fd18 | 32 | static OSSL_FUNC_kem_encapsulate_fn rsakem_generate; |
21e5be85 | 33 | static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init; |
80f4fd18 SL |
34 | static OSSL_FUNC_kem_decapsulate_fn rsakem_recover; |
35 | static OSSL_FUNC_kem_freectx_fn rsakem_freectx; | |
36 | static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx; | |
37 | static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params; | |
38 | static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params; | |
39 | static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params; | |
40 | static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params; | |
41 | ||
42 | /* | |
43 | * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented | |
44 | * currently. | |
45 | */ | |
46 | #define KEM_OP_UNDEFINED -1 | |
47 | #define KEM_OP_RSASVE 0 | |
48 | ||
49 | /* | |
50 | * What's passed as an actual key is defined by the KEYMGMT interface. | |
51 | * We happen to know that our KEYMGMT simply passes RSA structures, so | |
52 | * we use that here too. | |
53 | */ | |
54 | typedef struct { | |
b4250010 | 55 | OSSL_LIB_CTX *libctx; |
80f4fd18 SL |
56 | RSA *rsa; |
57 | int op; | |
58 | } PROV_RSA_CTX; | |
59 | ||
60 | static const OSSL_ITEM rsakem_opname_id_map[] = { | |
61 | { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE }, | |
62 | }; | |
63 | ||
64 | static int name2id(const char *name, const OSSL_ITEM *map, size_t sz) | |
65 | { | |
66 | size_t i; | |
67 | ||
68 | if (name == NULL) | |
69 | return -1; | |
70 | ||
71 | for (i = 0; i < sz; ++i) { | |
fba140c7 | 72 | if (OPENSSL_strcasecmp(map[i].ptr, name) == 0) |
80f4fd18 SL |
73 | return map[i].id; |
74 | } | |
75 | return -1; | |
76 | } | |
77 | ||
78 | static int rsakem_opname2id(const char *name) | |
79 | { | |
80 | return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map)); | |
81 | } | |
82 | ||
83 | static void *rsakem_newctx(void *provctx) | |
84 | { | |
85 | PROV_RSA_CTX *prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX)); | |
86 | ||
87 | if (prsactx == NULL) | |
88 | return NULL; | |
a829b735 | 89 | prsactx->libctx = PROV_LIBCTX_OF(provctx); |
80f4fd18 SL |
90 | prsactx->op = KEM_OP_UNDEFINED; |
91 | ||
92 | return prsactx; | |
93 | } | |
94 | ||
95 | static void rsakem_freectx(void *vprsactx) | |
96 | { | |
97 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
98 | ||
99 | RSA_free(prsactx->rsa); | |
100 | OPENSSL_free(prsactx); | |
101 | } | |
102 | ||
103 | static void *rsakem_dupctx(void *vprsactx) | |
104 | { | |
105 | PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx; | |
106 | PROV_RSA_CTX *dstctx; | |
107 | ||
108 | dstctx = OPENSSL_zalloc(sizeof(*srcctx)); | |
109 | if (dstctx == NULL) | |
110 | return NULL; | |
111 | ||
112 | *dstctx = *srcctx; | |
113 | if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) { | |
114 | OPENSSL_free(dstctx); | |
115 | return NULL; | |
116 | } | |
117 | return dstctx; | |
118 | } | |
119 | ||
5a084c5f P |
120 | static int rsakem_init(void *vprsactx, void *vrsa, |
121 | const OSSL_PARAM params[], int operation) | |
80f4fd18 SL |
122 | { |
123 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
124 | ||
0cfbc828 TM |
125 | if (prsactx == NULL || vrsa == NULL) |
126 | return 0; | |
127 | ||
6ce58488 | 128 | if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) |
0cfbc828 TM |
129 | return 0; |
130 | ||
131 | if (!RSA_up_ref(vrsa)) | |
80f4fd18 SL |
132 | return 0; |
133 | RSA_free(prsactx->rsa); | |
134 | prsactx->rsa = vrsa; | |
21e5be85 | 135 | |
5a084c5f | 136 | return rsakem_set_ctx_params(prsactx, params); |
80f4fd18 SL |
137 | } |
138 | ||
5a084c5f P |
139 | static int rsakem_encapsulate_init(void *vprsactx, void *vrsa, |
140 | const OSSL_PARAM params[]) | |
21e5be85 | 141 | { |
5a084c5f | 142 | return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE); |
21e5be85 SL |
143 | } |
144 | ||
5a084c5f P |
145 | static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, |
146 | const OSSL_PARAM params[]) | |
21e5be85 | 147 | { |
5a084c5f | 148 | return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE); |
21e5be85 SL |
149 | } |
150 | ||
80f4fd18 SL |
151 | static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) |
152 | { | |
153 | PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; | |
154 | ||
5a084c5f | 155 | return ctx != NULL; |
80f4fd18 SL |
156 | } |
157 | ||
158 | static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = { | |
159 | OSSL_PARAM_END | |
160 | }; | |
161 | ||
fb67126e TM |
162 | static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *vprsactx, |
163 | ossl_unused void *provctx) | |
80f4fd18 SL |
164 | { |
165 | return known_gettable_rsakem_ctx_params; | |
166 | } | |
167 | ||
168 | static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) | |
169 | { | |
170 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
171 | const OSSL_PARAM *p; | |
172 | int op; | |
173 | ||
5a084c5f | 174 | if (prsactx == NULL) |
80f4fd18 | 175 | return 0; |
5a084c5f P |
176 | if (params == NULL) |
177 | return 1; | |
178 | ||
80f4fd18 SL |
179 | |
180 | p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION); | |
181 | if (p != NULL) { | |
182 | if (p->data_type != OSSL_PARAM_UTF8_STRING) | |
183 | return 0; | |
184 | op = rsakem_opname2id(p->data); | |
185 | if (op < 0) | |
186 | return 0; | |
187 | prsactx->op = op; | |
188 | } | |
189 | return 1; | |
190 | } | |
191 | ||
192 | static const OSSL_PARAM known_settable_rsakem_ctx_params[] = { | |
193 | OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0), | |
194 | OSSL_PARAM_END | |
195 | }; | |
196 | ||
fb67126e TM |
197 | static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *vprsactx, |
198 | ossl_unused void *provctx) | |
80f4fd18 SL |
199 | { |
200 | return known_settable_rsakem_ctx_params; | |
201 | } | |
202 | ||
203 | /* | |
204 | * NIST.SP.800-56Br2 | |
205 | * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE). | |
206 | * | |
207 | * Generate a random in the range 1 < z < (n – 1) | |
208 | */ | |
209 | static int rsasve_gen_rand_bytes(RSA *rsa_pub, | |
210 | unsigned char *out, int outlen) | |
211 | { | |
212 | int ret = 0; | |
213 | BN_CTX *bnctx; | |
214 | BIGNUM *z, *nminus3; | |
215 | ||
23b2fc0b | 216 | bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub)); |
80f4fd18 SL |
217 | if (bnctx == NULL) |
218 | return 0; | |
219 | ||
220 | /* | |
221 | * Generate a random in the range 1 < z < (n – 1). | |
222 | * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max | |
223 | * We can achieve this by adding 2.. but then we need to subtract 3 from | |
224 | * the upper bound i.e: 2 + (0 <= r < (n - 3)) | |
225 | */ | |
226 | BN_CTX_start(bnctx); | |
227 | nminus3 = BN_CTX_get(bnctx); | |
228 | z = BN_CTX_get(bnctx); | |
229 | ret = (z != NULL | |
230 | && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL) | |
231 | && BN_sub_word(nminus3, 3) | |
965fa9c0 | 232 | && BN_priv_rand_range_ex(z, nminus3, 0, bnctx) |
80f4fd18 SL |
233 | && BN_add_word(z, 2) |
234 | && (BN_bn2binpad(z, out, outlen) == outlen)); | |
235 | BN_CTX_end(bnctx); | |
236 | BN_CTX_free(bnctx); | |
237 | return ret; | |
238 | } | |
239 | ||
240 | /* | |
241 | * NIST.SP.800-56Br2 | |
242 | * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE). | |
243 | */ | |
244 | static int rsasve_generate(PROV_RSA_CTX *prsactx, | |
245 | unsigned char *out, size_t *outlen, | |
246 | unsigned char *secret, size_t *secretlen) | |
247 | { | |
248 | int ret; | |
249 | size_t nlen; | |
250 | ||
251 | /* Step (1): nlen = Ceil(len(n)/8) */ | |
252 | nlen = RSA_size(prsactx->rsa); | |
253 | ||
254 | if (out == NULL) { | |
255 | if (nlen == 0) { | |
256 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); | |
257 | return 0; | |
258 | } | |
259 | if (outlen == NULL && secretlen == NULL) | |
260 | return 0; | |
261 | if (outlen != NULL) | |
262 | *outlen = nlen; | |
263 | if (secretlen != NULL) | |
264 | *secretlen = nlen; | |
265 | return 1; | |
266 | } | |
267 | /* | |
268 | * Step (2): Generate a random byte string z of nlen bytes where | |
269 | * 1 < z < n - 1 | |
270 | */ | |
271 | if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen)) | |
272 | return 0; | |
273 | ||
274 | /* Step(3): out = RSAEP((n,e), z) */ | |
275 | ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING); | |
276 | if (ret) { | |
277 | ret = 1; | |
278 | if (outlen != NULL) | |
279 | *outlen = nlen; | |
280 | if (secretlen != NULL) | |
281 | *secretlen = nlen; | |
282 | } else { | |
283 | OPENSSL_cleanse(secret, nlen); | |
284 | } | |
285 | return ret; | |
286 | } | |
287 | ||
288 | /* | |
289 | * NIST.SP.800-56Br2 | |
290 | * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER). | |
291 | */ | |
292 | static int rsasve_recover(PROV_RSA_CTX *prsactx, | |
293 | unsigned char *out, size_t *outlen, | |
294 | const unsigned char *in, size_t inlen) | |
295 | { | |
296 | size_t nlen; | |
297 | ||
298 | /* Step (1): get the byte length of n */ | |
299 | nlen = RSA_size(prsactx->rsa); | |
300 | ||
301 | if (out == NULL) { | |
302 | if (nlen == 0) { | |
303 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); | |
304 | return 0; | |
305 | } | |
306 | *outlen = nlen; | |
307 | return 1; | |
308 | } | |
309 | ||
310 | /* Step (2): check the input ciphertext 'inlen' matches the nlen */ | |
311 | if (inlen != nlen) { | |
312 | ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); | |
313 | return 0; | |
314 | } | |
315 | /* Step (3): out = RSADP((n,d), in) */ | |
316 | return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0); | |
317 | } | |
318 | ||
319 | static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen, | |
320 | unsigned char *secret, size_t *secretlen) | |
321 | { | |
322 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
323 | ||
324 | switch (prsactx->op) { | |
325 | case KEM_OP_RSASVE: | |
326 | return rsasve_generate(prsactx, out, outlen, secret, secretlen); | |
327 | default: | |
328 | return -2; | |
329 | } | |
330 | } | |
331 | ||
332 | static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen, | |
333 | const unsigned char *in, size_t inlen) | |
334 | { | |
335 | PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; | |
336 | ||
337 | switch (prsactx->op) { | |
338 | case KEM_OP_RSASVE: | |
339 | return rsasve_recover(prsactx, out, outlen, in, inlen); | |
340 | default: | |
341 | return -2; | |
342 | } | |
343 | } | |
344 | ||
1be63951 | 345 | const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = { |
80f4fd18 SL |
346 | { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx }, |
347 | { OSSL_FUNC_KEM_ENCAPSULATE_INIT, | |
21e5be85 | 348 | (void (*)(void))rsakem_encapsulate_init }, |
80f4fd18 SL |
349 | { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate }, |
350 | { OSSL_FUNC_KEM_DECAPSULATE_INIT, | |
21e5be85 | 351 | (void (*)(void))rsakem_decapsulate_init }, |
80f4fd18 SL |
352 | { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover }, |
353 | { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx }, | |
354 | { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx }, | |
355 | { OSSL_FUNC_KEM_GET_CTX_PARAMS, | |
356 | (void (*)(void))rsakem_get_ctx_params }, | |
357 | { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS, | |
358 | (void (*)(void))rsakem_gettable_ctx_params }, | |
359 | { OSSL_FUNC_KEM_SET_CTX_PARAMS, | |
360 | (void (*)(void))rsakem_set_ctx_params }, | |
361 | { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS, | |
362 | (void (*)(void))rsakem_settable_ctx_params }, | |
363 | { 0, NULL } | |
364 | }; |