]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
33388b44 | 2 | * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. |
0b6f3c66 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
0b6f3c66 DSH |
8 | */ |
9 | ||
c5f87134 P |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
706457b7 | 16 | #include "internal/constant_time.h" |
049e64cb | 17 | |
0b6f3c66 | 18 | #include <stdio.h> |
b39fc560 | 19 | #include "internal/cryptlib.h" |
0b6f3c66 DSH |
20 | #include <openssl/asn1t.h> |
21 | #include <openssl/x509.h> | |
22 | #include <openssl/rsa.h> | |
1e26a8ba | 23 | #include <openssl/bn.h> |
b2a97be7 | 24 | #include <openssl/evp.h> |
271fef0e | 25 | #include <openssl/x509v3.h> |
3c27208f | 26 | #include <openssl/cms.h> |
25f2138b | 27 | #include "crypto/evp.h" |
6f4b7663 | 28 | #include "crypto/rsa.h" |
706457b7 | 29 | #include "rsa_local.h" |
b2a97be7 | 30 | |
07e970c7 DSH |
31 | /* RSA pkey context structure */ |
32 | ||
0f113f3e MC |
33 | typedef struct { |
34 | /* Key gen parameters */ | |
35 | int nbits; | |
36 | BIGNUM *pub_exp; | |
665d899f | 37 | int primes; |
0f113f3e MC |
38 | /* Keygen callback info */ |
39 | int gentmp[2]; | |
40 | /* RSA padding mode */ | |
41 | int pad_mode; | |
42 | /* message digest */ | |
43 | const EVP_MD *md; | |
44 | /* message digest for MGF1 */ | |
45 | const EVP_MD *mgf1md; | |
46 | /* PSS salt length */ | |
47 | int saltlen; | |
cb49e749 DSH |
48 | /* Minimum salt length or -1 if no PSS parameter restriction */ |
49 | int min_saltlen; | |
0f113f3e MC |
50 | /* Temp buffer */ |
51 | unsigned char *tbuf; | |
52 | /* OAEP label */ | |
53 | unsigned char *oaep_label; | |
54 | size_t oaep_labellen; | |
55 | } RSA_PKEY_CTX; | |
07e970c7 | 56 | |
cb49e749 | 57 | /* True if PSS parameters are restricted */ |
bc1ea030 | 58 | #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) |
cb49e749 | 59 | |
07e970c7 | 60 | static int pkey_rsa_init(EVP_PKEY_CTX *ctx) |
0f113f3e | 61 | { |
52ad523c | 62 | RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx)); |
f291138b | 63 | |
90945fa3 | 64 | if (rctx == NULL) |
0f113f3e | 65 | return 0; |
70b0b977 | 66 | rctx->nbits = 2048; |
665d899f | 67 | rctx->primes = RSA_DEFAULT_PRIME_NUM; |
87ee7b22 | 68 | if (pkey_ctx_is_pss(ctx)) |
ad4b3d0a DSH |
69 | rctx->pad_mode = RSA_PKCS1_PSS_PADDING; |
70 | else | |
71 | rctx->pad_mode = RSA_PKCS1_PADDING; | |
137096a7 DSH |
72 | /* Maximum for sign, auto for verify */ |
73 | rctx->saltlen = RSA_PSS_SALTLEN_AUTO; | |
cb49e749 | 74 | rctx->min_saltlen = -1; |
0f113f3e MC |
75 | ctx->data = rctx; |
76 | ctx->keygen_info = rctx->gentmp; | |
77 | ctx->keygen_info_count = 2; | |
78 | ||
79 | return 1; | |
80 | } | |
b2a97be7 | 81 | |
9fdcc21f | 82 | static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) |
0f113f3e MC |
83 | { |
84 | RSA_PKEY_CTX *dctx, *sctx; | |
52ad523c | 85 | |
0f113f3e MC |
86 | if (!pkey_rsa_init(dst)) |
87 | return 0; | |
88 | sctx = src->data; | |
89 | dctx = dst->data; | |
90 | dctx->nbits = sctx->nbits; | |
91 | if (sctx->pub_exp) { | |
92 | dctx->pub_exp = BN_dup(sctx->pub_exp); | |
93 | if (!dctx->pub_exp) | |
94 | return 0; | |
95 | } | |
96 | dctx->pad_mode = sctx->pad_mode; | |
97 | dctx->md = sctx->md; | |
98 | dctx->mgf1md = sctx->mgf1md; | |
d7fcf1fe | 99 | dctx->saltlen = sctx->saltlen; |
0f113f3e | 100 | if (sctx->oaep_label) { |
b548a1f1 | 101 | OPENSSL_free(dctx->oaep_label); |
7644a9ae | 102 | dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); |
0f113f3e MC |
103 | if (!dctx->oaep_label) |
104 | return 0; | |
105 | dctx->oaep_labellen = sctx->oaep_labellen; | |
106 | } | |
107 | return 1; | |
108 | } | |
8bdcef40 | 109 | |
b2a97be7 | 110 | static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) |
0f113f3e | 111 | { |
52ad523c | 112 | if (ctx->tbuf != NULL) |
0f113f3e | 113 | return 1; |
9767a3dc | 114 | if ((ctx->tbuf = OPENSSL_malloc(RSA_size(pk->pkey->pkey.rsa))) == NULL) { |
cdb10bae | 115 | RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE); |
0f113f3e | 116 | return 0; |
cdb10bae | 117 | } |
0f113f3e MC |
118 | return 1; |
119 | } | |
07e970c7 DSH |
120 | |
121 | static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) | |
0f113f3e MC |
122 | { |
123 | RSA_PKEY_CTX *rctx = ctx->data; | |
124 | if (rctx) { | |
23a1d5e9 | 125 | BN_free(rctx->pub_exp); |
b548a1f1 RS |
126 | OPENSSL_free(rctx->tbuf); |
127 | OPENSSL_free(rctx->oaep_label); | |
0f113f3e MC |
128 | OPENSSL_free(rctx); |
129 | } | |
130 | } | |
131 | ||
132 | static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, | |
133 | size_t *siglen, const unsigned char *tbs, | |
134 | size_t tbslen) | |
135 | { | |
136 | int ret; | |
137 | RSA_PKEY_CTX *rctx = ctx->data; | |
138 | RSA *rsa = ctx->pkey->pkey.rsa; | |
139 | ||
140 | if (rctx->md) { | |
141 | if (tbslen != (size_t)EVP_MD_size(rctx->md)) { | |
142 | RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); | |
143 | return -1; | |
144 | } | |
145 | ||
146 | if (EVP_MD_type(rctx->md) == NID_mdc2) { | |
147 | unsigned int sltmp; | |
148 | if (rctx->pad_mode != RSA_PKCS1_PADDING) | |
149 | return -1; | |
a773b52a | 150 | ret = RSA_sign_ASN1_OCTET_STRING(0, |
0f113f3e MC |
151 | tbs, tbslen, sig, &sltmp, rsa); |
152 | ||
153 | if (ret <= 0) | |
154 | return ret; | |
155 | ret = sltmp; | |
156 | } else if (rctx->pad_mode == RSA_X931_PADDING) { | |
9767a3dc | 157 | if ((size_t)RSA_size(rsa) < tbslen + 1) { |
34166d41 | 158 | RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); |
0f113f3e | 159 | return -1; |
34166d41 MC |
160 | } |
161 | if (!setup_tbuf(rctx, ctx)) { | |
162 | RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); | |
163 | return -1; | |
164 | } | |
0f113f3e MC |
165 | memcpy(rctx->tbuf, tbs, tbslen); |
166 | rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); | |
167 | ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, | |
168 | sig, rsa, RSA_X931_PADDING); | |
169 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | |
170 | unsigned int sltmp; | |
171 | ret = RSA_sign(EVP_MD_type(rctx->md), | |
172 | tbs, tbslen, sig, &sltmp, rsa); | |
173 | if (ret <= 0) | |
174 | return ret; | |
175 | ret = sltmp; | |
176 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { | |
177 | if (!setup_tbuf(rctx, ctx)) | |
178 | return -1; | |
179 | if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, | |
180 | rctx->tbuf, tbs, | |
181 | rctx->md, rctx->mgf1md, | |
182 | rctx->saltlen)) | |
183 | return -1; | |
184 | ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, | |
185 | sig, rsa, RSA_NO_PADDING); | |
90862ab4 | 186 | } else { |
0f113f3e | 187 | return -1; |
90862ab4 PY |
188 | } |
189 | } else { | |
0f113f3e MC |
190 | ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, |
191 | rctx->pad_mode); | |
90862ab4 | 192 | } |
0f113f3e MC |
193 | if (ret < 0) |
194 | return ret; | |
195 | *siglen = ret; | |
196 | return 1; | |
197 | } | |
07e970c7 DSH |
198 | |
199 | static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, | |
0f113f3e MC |
200 | unsigned char *rout, size_t *routlen, |
201 | const unsigned char *sig, size_t siglen) | |
202 | { | |
203 | int ret; | |
204 | RSA_PKEY_CTX *rctx = ctx->data; | |
205 | ||
206 | if (rctx->md) { | |
207 | if (rctx->pad_mode == RSA_X931_PADDING) { | |
208 | if (!setup_tbuf(rctx, ctx)) | |
209 | return -1; | |
210 | ret = RSA_public_decrypt(siglen, sig, | |
211 | rctx->tbuf, ctx->pkey->pkey.rsa, | |
212 | RSA_X931_PADDING); | |
213 | if (ret < 1) | |
214 | return 0; | |
215 | ret--; | |
216 | if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) { | |
217 | RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, | |
218 | RSA_R_ALGORITHM_MISMATCH); | |
219 | return 0; | |
220 | } | |
221 | if (ret != EVP_MD_size(rctx->md)) { | |
222 | RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, | |
223 | RSA_R_INVALID_DIGEST_LENGTH); | |
224 | return 0; | |
225 | } | |
226 | if (rout) | |
227 | memcpy(rout, rctx->tbuf, ret); | |
228 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | |
229 | size_t sltmp; | |
230 | ret = int_rsa_verify(EVP_MD_type(rctx->md), | |
231 | NULL, 0, rout, &sltmp, | |
232 | sig, siglen, ctx->pkey->pkey.rsa); | |
233 | if (ret <= 0) | |
234 | return 0; | |
235 | ret = sltmp; | |
90862ab4 | 236 | } else { |
0f113f3e | 237 | return -1; |
90862ab4 PY |
238 | } |
239 | } else { | |
0f113f3e MC |
240 | ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, |
241 | rctx->pad_mode); | |
90862ab4 | 242 | } |
0f113f3e MC |
243 | if (ret < 0) |
244 | return ret; | |
245 | *routlen = ret; | |
246 | return 1; | |
247 | } | |
07e970c7 | 248 | |
4f59b658 | 249 | static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
250 | const unsigned char *sig, size_t siglen, |
251 | const unsigned char *tbs, size_t tbslen) | |
252 | { | |
253 | RSA_PKEY_CTX *rctx = ctx->data; | |
254 | RSA *rsa = ctx->pkey->pkey.rsa; | |
255 | size_t rslen; | |
52ad523c | 256 | |
0f113f3e MC |
257 | if (rctx->md) { |
258 | if (rctx->pad_mode == RSA_PKCS1_PADDING) | |
259 | return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, | |
260 | sig, siglen, rsa); | |
71bbc79b DSH |
261 | if (tbslen != (size_t)EVP_MD_size(rctx->md)) { |
262 | RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); | |
263 | return -1; | |
264 | } | |
0f113f3e MC |
265 | if (rctx->pad_mode == RSA_X931_PADDING) { |
266 | if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) | |
267 | return 0; | |
268 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { | |
269 | int ret; | |
270 | if (!setup_tbuf(rctx, ctx)) | |
271 | return -1; | |
272 | ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, | |
273 | rsa, RSA_NO_PADDING); | |
274 | if (ret <= 0) | |
275 | return 0; | |
276 | ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, | |
277 | rctx->md, rctx->mgf1md, | |
278 | rctx->tbuf, rctx->saltlen); | |
279 | if (ret <= 0) | |
280 | return 0; | |
281 | return 1; | |
90862ab4 | 282 | } else { |
0f113f3e | 283 | return -1; |
90862ab4 | 284 | } |
0f113f3e MC |
285 | } else { |
286 | if (!setup_tbuf(rctx, ctx)) | |
287 | return -1; | |
288 | rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, | |
289 | rsa, rctx->pad_mode); | |
290 | if (rslen == 0) | |
291 | return 0; | |
292 | } | |
293 | ||
294 | if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) | |
295 | return 0; | |
296 | ||
297 | return 1; | |
298 | ||
299 | } | |
4f59b658 | 300 | |
eaff5a14 | 301 | static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
302 | unsigned char *out, size_t *outlen, |
303 | const unsigned char *in, size_t inlen) | |
304 | { | |
305 | int ret; | |
306 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 307 | |
0f113f3e MC |
308 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
309 | int klen = RSA_size(ctx->pkey->pkey.rsa); | |
310 | if (!setup_tbuf(rctx, ctx)) | |
311 | return -1; | |
312 | if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, | |
313 | in, inlen, | |
314 | rctx->oaep_label, | |
315 | rctx->oaep_labellen, | |
316 | rctx->md, rctx->mgf1md)) | |
317 | return -1; | |
318 | ret = RSA_public_encrypt(klen, rctx->tbuf, out, | |
319 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); | |
90862ab4 | 320 | } else { |
0f113f3e MC |
321 | ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, |
322 | rctx->pad_mode); | |
90862ab4 | 323 | } |
0f113f3e MC |
324 | if (ret < 0) |
325 | return ret; | |
326 | *outlen = ret; | |
327 | return 1; | |
328 | } | |
8cd44e36 | 329 | |
eaff5a14 | 330 | static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
331 | unsigned char *out, size_t *outlen, |
332 | const unsigned char *in, size_t inlen) | |
333 | { | |
334 | int ret; | |
335 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 336 | |
0f113f3e | 337 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
0f113f3e MC |
338 | if (!setup_tbuf(rctx, ctx)) |
339 | return -1; | |
340 | ret = RSA_private_decrypt(inlen, in, rctx->tbuf, | |
341 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); | |
342 | if (ret <= 0) | |
343 | return ret; | |
237bc6c9 BE |
344 | ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, |
345 | ret, ret, | |
0f113f3e MC |
346 | rctx->oaep_label, |
347 | rctx->oaep_labellen, | |
348 | rctx->md, rctx->mgf1md); | |
90862ab4 | 349 | } else { |
0f113f3e MC |
350 | ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, |
351 | rctx->pad_mode); | |
90862ab4 | 352 | } |
049e64cb BE |
353 | *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); |
354 | ret = constant_time_select_int(constant_time_msb(ret), ret, 1); | |
355 | return ret; | |
0f113f3e | 356 | } |
07e970c7 | 357 | |
75d44c04 | 358 | static int check_padding_md(const EVP_MD *md, int padding) |
0f113f3e | 359 | { |
7f572e95 | 360 | int mdnid; |
52ad523c | 361 | |
0f113f3e MC |
362 | if (!md) |
363 | return 1; | |
364 | ||
7f572e95 DSH |
365 | mdnid = EVP_MD_type(md); |
366 | ||
0f113f3e MC |
367 | if (padding == RSA_NO_PADDING) { |
368 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); | |
369 | return 0; | |
370 | } | |
371 | ||
372 | if (padding == RSA_X931_PADDING) { | |
7f572e95 | 373 | if (RSA_X931_hash_id(mdnid) == -1) { |
0f113f3e MC |
374 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST); |
375 | return 0; | |
376 | } | |
7f572e95 DSH |
377 | } else { |
378 | switch(mdnid) { | |
379 | /* List of all supported RSA digests */ | |
380 | case NID_sha1: | |
381 | case NID_sha224: | |
382 | case NID_sha256: | |
383 | case NID_sha384: | |
384 | case NID_sha512: | |
385 | case NID_md5: | |
386 | case NID_md5_sha1: | |
387 | case NID_md2: | |
388 | case NID_md4: | |
389 | case NID_mdc2: | |
390 | case NID_ripemd160: | |
cfb5bc69 AP |
391 | case NID_sha3_224: |
392 | case NID_sha3_256: | |
393 | case NID_sha3_384: | |
394 | case NID_sha3_512: | |
7f572e95 DSH |
395 | return 1; |
396 | ||
397 | default: | |
398 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST); | |
399 | return 0; | |
400 | ||
401 | } | |
0f113f3e MC |
402 | } |
403 | ||
404 | return 1; | |
405 | } | |
b2a97be7 | 406 | |
4a3dc3c0 | 407 | static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) |
0f113f3e MC |
408 | { |
409 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 410 | |
0f113f3e MC |
411 | switch (type) { |
412 | case EVP_PKEY_CTRL_RSA_PADDING: | |
413 | if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) { | |
414 | if (!check_padding_md(rctx->md, p1)) | |
415 | return 0; | |
416 | if (p1 == RSA_PKCS1_PSS_PADDING) { | |
417 | if (!(ctx->operation & | |
418 | (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) | |
419 | goto bad_pad; | |
420 | if (!rctx->md) | |
421 | rctx->md = EVP_sha1(); | |
87ee7b22 | 422 | } else if (pkey_ctx_is_pss(ctx)) { |
a300c725 | 423 | goto bad_pad; |
0f113f3e MC |
424 | } |
425 | if (p1 == RSA_PKCS1_OAEP_PADDING) { | |
426 | if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) | |
427 | goto bad_pad; | |
428 | if (!rctx->md) | |
429 | rctx->md = EVP_sha1(); | |
430 | } | |
431 | rctx->pad_mode = p1; | |
432 | return 1; | |
433 | } | |
434 | bad_pad: | |
435 | RSAerr(RSA_F_PKEY_RSA_CTRL, | |
436 | RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); | |
437 | return -2; | |
438 | ||
439 | case EVP_PKEY_CTRL_GET_RSA_PADDING: | |
440 | *(int *)p2 = rctx->pad_mode; | |
441 | return 1; | |
442 | ||
443 | case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: | |
444 | case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: | |
445 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { | |
446 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); | |
447 | return -2; | |
448 | } | |
cb49e749 | 449 | if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { |
0f113f3e | 450 | *(int *)p2 = rctx->saltlen; |
cb49e749 | 451 | } else { |
137096a7 | 452 | if (p1 < RSA_PSS_SALTLEN_MAX) |
0f113f3e | 453 | return -2; |
79ebfc46 | 454 | if (rsa_pss_restricted(rctx)) { |
137096a7 DSH |
455 | if (p1 == RSA_PSS_SALTLEN_AUTO |
456 | && ctx->operation == EVP_PKEY_OP_VERIFY) { | |
79ebfc46 DSH |
457 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); |
458 | return -2; | |
459 | } | |
137096a7 DSH |
460 | if ((p1 == RSA_PSS_SALTLEN_DIGEST |
461 | && rctx->min_saltlen > EVP_MD_size(rctx->md)) | |
79ebfc46 DSH |
462 | || (p1 >= 0 && p1 < rctx->min_saltlen)) { |
463 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL); | |
464 | return 0; | |
465 | } | |
cb49e749 | 466 | } |
0f113f3e MC |
467 | rctx->saltlen = p1; |
468 | } | |
469 | return 1; | |
470 | ||
471 | case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: | |
cac19d19 | 472 | if (p1 < RSA_MIN_MODULUS_BITS) { |
0f113f3e MC |
473 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL); |
474 | return -2; | |
475 | } | |
476 | rctx->nbits = p1; | |
477 | return 1; | |
478 | ||
479 | case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: | |
464d59a5 RS |
480 | if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) { |
481 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE); | |
0f113f3e | 482 | return -2; |
464d59a5 | 483 | } |
0f113f3e MC |
484 | BN_free(rctx->pub_exp); |
485 | rctx->pub_exp = p2; | |
486 | return 1; | |
487 | ||
665d899f PY |
488 | case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES: |
489 | if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) { | |
490 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID); | |
491 | return -2; | |
492 | } | |
493 | rctx->primes = p1; | |
494 | return 1; | |
495 | ||
0f113f3e MC |
496 | case EVP_PKEY_CTRL_RSA_OAEP_MD: |
497 | case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: | |
498 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
499 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); | |
500 | return -2; | |
501 | } | |
502 | if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) | |
503 | *(const EVP_MD **)p2 = rctx->md; | |
504 | else | |
505 | rctx->md = p2; | |
506 | return 1; | |
507 | ||
508 | case EVP_PKEY_CTRL_MD: | |
509 | if (!check_padding_md(p2, rctx->pad_mode)) | |
510 | return 0; | |
bc1ea030 | 511 | if (rsa_pss_restricted(rctx)) { |
cb49e749 DSH |
512 | if (EVP_MD_type(rctx->md) == EVP_MD_type(p2)) |
513 | return 1; | |
514 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED); | |
515 | return 0; | |
516 | } | |
0f113f3e MC |
517 | rctx->md = p2; |
518 | return 1; | |
519 | ||
520 | case EVP_PKEY_CTRL_GET_MD: | |
521 | *(const EVP_MD **)p2 = rctx->md; | |
522 | return 1; | |
523 | ||
524 | case EVP_PKEY_CTRL_RSA_MGF1_MD: | |
525 | case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: | |
526 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING | |
527 | && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
528 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); | |
529 | return -2; | |
530 | } | |
531 | if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { | |
532 | if (rctx->mgf1md) | |
533 | *(const EVP_MD **)p2 = rctx->mgf1md; | |
534 | else | |
535 | *(const EVP_MD **)p2 = rctx->md; | |
cb49e749 | 536 | } else { |
bc1ea030 | 537 | if (rsa_pss_restricted(rctx)) { |
8a3cde7d | 538 | if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2)) |
cb49e749 DSH |
539 | return 1; |
540 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED); | |
541 | return 0; | |
542 | } | |
0f113f3e | 543 | rctx->mgf1md = p2; |
cb49e749 | 544 | } |
0f113f3e MC |
545 | return 1; |
546 | ||
547 | case EVP_PKEY_CTRL_RSA_OAEP_LABEL: | |
548 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
549 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); | |
550 | return -2; | |
551 | } | |
b548a1f1 | 552 | OPENSSL_free(rctx->oaep_label); |
0f113f3e MC |
553 | if (p2 && p1 > 0) { |
554 | rctx->oaep_label = p2; | |
555 | rctx->oaep_labellen = p1; | |
556 | } else { | |
557 | rctx->oaep_label = NULL; | |
558 | rctx->oaep_labellen = 0; | |
559 | } | |
560 | return 1; | |
561 | ||
562 | case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: | |
563 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
564 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); | |
565 | return -2; | |
566 | } | |
567 | *(unsigned char **)p2 = rctx->oaep_label; | |
568 | return rctx->oaep_labellen; | |
569 | ||
570 | case EVP_PKEY_CTRL_DIGESTINIT: | |
186e48cd DSH |
571 | case EVP_PKEY_CTRL_PKCS7_SIGN: |
572 | #ifndef OPENSSL_NO_CMS | |
573 | case EVP_PKEY_CTRL_CMS_SIGN: | |
574 | #endif | |
575 | return 1; | |
576 | ||
0f113f3e MC |
577 | case EVP_PKEY_CTRL_PKCS7_ENCRYPT: |
578 | case EVP_PKEY_CTRL_PKCS7_DECRYPT: | |
8931b30d | 579 | #ifndef OPENSSL_NO_CMS |
0f113f3e MC |
580 | case EVP_PKEY_CTRL_CMS_DECRYPT: |
581 | case EVP_PKEY_CTRL_CMS_ENCRYPT: | |
1bcbf658 | 582 | #endif |
186e48cd | 583 | if (!pkey_ctx_is_pss(ctx)) |
0f113f3e | 584 | return 1; |
1bcbf658 | 585 | /* fall through */ |
0f113f3e MC |
586 | case EVP_PKEY_CTRL_PEER_KEY: |
587 | RSAerr(RSA_F_PKEY_RSA_CTRL, | |
588 | RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); | |
589 | return -2; | |
590 | ||
591 | default: | |
592 | return -2; | |
399a6f0b | 593 | |
0f113f3e MC |
594 | } |
595 | } | |
4a3dc3c0 | 596 | |
4a3dc3c0 | 597 | static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
598 | const char *type, const char *value) |
599 | { | |
52ad523c | 600 | if (value == NULL) { |
0f113f3e MC |
601 | RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); |
602 | return 0; | |
603 | } | |
86885c28 | 604 | if (strcmp(type, "rsa_padding_mode") == 0) { |
0f113f3e | 605 | int pm; |
665d899f | 606 | |
90862ab4 | 607 | if (strcmp(value, "pkcs1") == 0) { |
0f113f3e | 608 | pm = RSA_PKCS1_PADDING; |
90862ab4 | 609 | } else if (strcmp(value, "sslv23") == 0) { |
0f113f3e | 610 | pm = RSA_SSLV23_PADDING; |
90862ab4 | 611 | } else if (strcmp(value, "none") == 0) { |
0f113f3e | 612 | pm = RSA_NO_PADDING; |
90862ab4 | 613 | } else if (strcmp(value, "oeap") == 0) { |
0f113f3e | 614 | pm = RSA_PKCS1_OAEP_PADDING; |
90862ab4 | 615 | } else if (strcmp(value, "oaep") == 0) { |
0f113f3e | 616 | pm = RSA_PKCS1_OAEP_PADDING; |
90862ab4 | 617 | } else if (strcmp(value, "x931") == 0) { |
0f113f3e | 618 | pm = RSA_X931_PADDING; |
90862ab4 | 619 | } else if (strcmp(value, "pss") == 0) { |
0f113f3e | 620 | pm = RSA_PKCS1_PSS_PADDING; |
90862ab4 | 621 | } else { |
0f113f3e MC |
622 | RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE); |
623 | return -2; | |
624 | } | |
625 | return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); | |
626 | } | |
627 | ||
86885c28 | 628 | if (strcmp(type, "rsa_pss_saltlen") == 0) { |
0f113f3e | 629 | int saltlen; |
665d899f | 630 | |
137096a7 DSH |
631 | if (!strcmp(value, "digest")) |
632 | saltlen = RSA_PSS_SALTLEN_DIGEST; | |
633 | else if (!strcmp(value, "max")) | |
634 | saltlen = RSA_PSS_SALTLEN_MAX; | |
635 | else if (!strcmp(value, "auto")) | |
636 | saltlen = RSA_PSS_SALTLEN_AUTO; | |
637 | else | |
638 | saltlen = atoi(value); | |
0f113f3e MC |
639 | return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); |
640 | } | |
641 | ||
86885c28 | 642 | if (strcmp(type, "rsa_keygen_bits") == 0) { |
665d899f PY |
643 | int nbits = atoi(value); |
644 | ||
0f113f3e MC |
645 | return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); |
646 | } | |
647 | ||
86885c28 | 648 | if (strcmp(type, "rsa_keygen_pubexp") == 0) { |
0f113f3e | 649 | int ret; |
665d899f | 650 | |
0f113f3e MC |
651 | BIGNUM *pubexp = NULL; |
652 | if (!BN_asc2bn(&pubexp, value)) | |
653 | return 0; | |
654 | ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); | |
655 | if (ret <= 0) | |
656 | BN_free(pubexp); | |
657 | return ret; | |
658 | } | |
659 | ||
665d899f PY |
660 | if (strcmp(type, "rsa_keygen_primes") == 0) { |
661 | int nprimes = atoi(value); | |
662 | ||
663 | return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes); | |
664 | } | |
665 | ||
410877ba DSH |
666 | if (strcmp(type, "rsa_mgf1_md") == 0) |
667 | return EVP_PKEY_CTX_md(ctx, | |
668 | EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, | |
669 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); | |
0f113f3e | 670 | |
87ee7b22 | 671 | if (pkey_ctx_is_pss(ctx)) { |
e64b2b5c DSH |
672 | |
673 | if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0) | |
674 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, | |
675 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); | |
676 | ||
677 | if (strcmp(type, "rsa_pss_keygen_md") == 0) | |
678 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, | |
679 | EVP_PKEY_CTRL_MD, value); | |
680 | ||
681 | if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) { | |
c82bafc5 DSH |
682 | int saltlen = atoi(value); |
683 | ||
e64b2b5c | 684 | return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); |
0f113f3e | 685 | } |
0f113f3e | 686 | } |
410877ba DSH |
687 | |
688 | if (strcmp(type, "rsa_oaep_md") == 0) | |
689 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, | |
690 | EVP_PKEY_CTRL_RSA_OAEP_MD, value); | |
691 | ||
86885c28 | 692 | if (strcmp(type, "rsa_oaep_label") == 0) { |
0f113f3e MC |
693 | unsigned char *lab; |
694 | long lablen; | |
695 | int ret; | |
665d899f | 696 | |
14f051a0 | 697 | lab = OPENSSL_hexstr2buf(value, &lablen); |
0f113f3e MC |
698 | if (!lab) |
699 | return 0; | |
700 | ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); | |
701 | if (ret <= 0) | |
702 | OPENSSL_free(lab); | |
703 | return ret; | |
704 | } | |
705 | ||
706 | return -2; | |
707 | } | |
4a3dc3c0 | 708 | |
e64b2b5c DSH |
709 | /* Set PSS parameters when generating a key, if necessary */ |
710 | static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) | |
711 | { | |
712 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 713 | |
87ee7b22 | 714 | if (!pkey_ctx_is_pss(ctx)) |
e64b2b5c | 715 | return 1; |
87ee7b22 | 716 | /* If all parameters are default values don't set pss */ |
e64b2b5c DSH |
717 | if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2) |
718 | return 1; | |
719 | rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md, | |
720 | rctx->saltlen == -2 ? 0 : rctx->saltlen); | |
721 | if (rsa->pss == NULL) | |
722 | return 0; | |
723 | return 1; | |
724 | } | |
725 | ||
f5cda4cb | 726 | static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) |
0f113f3e MC |
727 | { |
728 | RSA *rsa = NULL; | |
729 | RSA_PKEY_CTX *rctx = ctx->data; | |
730 | BN_GENCB *pcb; | |
731 | int ret; | |
52ad523c | 732 | |
90945fa3 | 733 | if (rctx->pub_exp == NULL) { |
0f113f3e | 734 | rctx->pub_exp = BN_new(); |
90945fa3 | 735 | if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4)) |
0f113f3e MC |
736 | return 0; |
737 | } | |
738 | rsa = RSA_new(); | |
90945fa3 | 739 | if (rsa == NULL) |
0f113f3e MC |
740 | return 0; |
741 | if (ctx->pkey_gencb) { | |
742 | pcb = BN_GENCB_new(); | |
90945fa3 | 743 | if (pcb == NULL) { |
0f113f3e MC |
744 | RSA_free(rsa); |
745 | return 0; | |
746 | } | |
747 | evp_pkey_set_cb_translate(pcb, ctx); | |
90862ab4 | 748 | } else { |
0f113f3e | 749 | pcb = NULL; |
90862ab4 | 750 | } |
665d899f PY |
751 | ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes, |
752 | rctx->pub_exp, pcb); | |
0f113f3e | 753 | BN_GENCB_free(pcb); |
e64b2b5c DSH |
754 | if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { |
755 | RSA_free(rsa); | |
756 | return 0; | |
757 | } | |
0f113f3e | 758 | if (ret > 0) |
faa02fe2 | 759 | EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); |
0f113f3e MC |
760 | else |
761 | RSA_free(rsa); | |
762 | return ret; | |
763 | } | |
764 | ||
19bd1fa1 | 765 | static const EVP_PKEY_METHOD rsa_pkey_meth = { |
0f113f3e MC |
766 | EVP_PKEY_RSA, |
767 | EVP_PKEY_FLAG_AUTOARGLEN, | |
768 | pkey_rsa_init, | |
769 | pkey_rsa_copy, | |
770 | pkey_rsa_cleanup, | |
771 | ||
772 | 0, 0, | |
773 | ||
774 | 0, | |
775 | pkey_rsa_keygen, | |
776 | ||
777 | 0, | |
778 | pkey_rsa_sign, | |
779 | ||
780 | 0, | |
781 | pkey_rsa_verify, | |
782 | ||
783 | 0, | |
784 | pkey_rsa_verifyrecover, | |
785 | ||
786 | 0, 0, 0, 0, | |
787 | ||
788 | 0, | |
789 | pkey_rsa_encrypt, | |
790 | ||
791 | 0, | |
792 | pkey_rsa_decrypt, | |
793 | ||
794 | 0, 0, | |
795 | ||
796 | pkey_rsa_ctrl, | |
797 | pkey_rsa_ctrl_str | |
798 | }; | |
6577e008 | 799 | |
19bd1fa1 PS |
800 | const EVP_PKEY_METHOD *rsa_pkey_method(void) |
801 | { | |
802 | return &rsa_pkey_meth; | |
803 | } | |
804 | ||
59029ca1 DSH |
805 | /* |
806 | * Called for PSS sign or verify initialisation: checks PSS parameter | |
807 | * sanity and sets any restrictions on key usage. | |
808 | */ | |
809 | ||
810 | static int pkey_pss_init(EVP_PKEY_CTX *ctx) | |
811 | { | |
812 | RSA *rsa; | |
813 | RSA_PKEY_CTX *rctx = ctx->data; | |
814 | const EVP_MD *md; | |
815 | const EVP_MD *mgf1md; | |
79ebfc46 | 816 | int min_saltlen, max_saltlen; |
52ad523c | 817 | |
59029ca1 DSH |
818 | /* Should never happen */ |
819 | if (!pkey_ctx_is_pss(ctx)) | |
820 | return 0; | |
821 | rsa = ctx->pkey->pkey.rsa; | |
822 | /* If no restrictions just return */ | |
823 | if (rsa->pss == NULL) | |
824 | return 1; | |
825 | /* Get and check parameters */ | |
826 | if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) | |
827 | return 0; | |
828 | ||
46f4e1be | 829 | /* See if minimum salt length exceeds maximum possible */ |
79ebfc46 DSH |
830 | max_saltlen = RSA_size(rsa) - EVP_MD_size(md); |
831 | if ((RSA_bits(rsa) & 0x7) == 1) | |
832 | max_saltlen--; | |
833 | if (min_saltlen > max_saltlen) { | |
834 | RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH); | |
835 | return 0; | |
836 | } | |
837 | ||
59029ca1 DSH |
838 | rctx->min_saltlen = min_saltlen; |
839 | ||
840 | /* | |
841 | * Set PSS restrictions as defaults: we can then block any attempt to | |
842 | * use invalid values in pkey_rsa_ctrl | |
843 | */ | |
844 | ||
845 | rctx->md = md; | |
846 | rctx->mgf1md = mgf1md; | |
847 | rctx->saltlen = min_saltlen; | |
848 | ||
849 | return 1; | |
850 | } | |
851 | ||
19bd1fa1 | 852 | static const EVP_PKEY_METHOD rsa_pss_pkey_meth = { |
6577e008 DSH |
853 | EVP_PKEY_RSA_PSS, |
854 | EVP_PKEY_FLAG_AUTOARGLEN, | |
855 | pkey_rsa_init, | |
856 | pkey_rsa_copy, | |
857 | pkey_rsa_cleanup, | |
858 | ||
859 | 0, 0, | |
860 | ||
861 | 0, | |
862 | pkey_rsa_keygen, | |
863 | ||
59029ca1 | 864 | pkey_pss_init, |
6577e008 DSH |
865 | pkey_rsa_sign, |
866 | ||
59029ca1 | 867 | pkey_pss_init, |
6577e008 DSH |
868 | pkey_rsa_verify, |
869 | ||
870 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | |
871 | ||
872 | pkey_rsa_ctrl, | |
873 | pkey_rsa_ctrl_str | |
874 | }; | |
19bd1fa1 PS |
875 | |
876 | const EVP_PKEY_METHOD *rsa_pss_pkey_method(void) | |
877 | { | |
878 | return &rsa_pss_pkey_meth; | |
879 | } |