]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/rsa/rsa_pmeth.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update copyright year
[thirdparty/openssl.git] / crypto / rsa / rsa_pmeth.c
CommitLineData
0f113f3e 1/*
33388b44 2 * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
0b6f3c66 3 *
2a7b6f39 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
0b6f3c66
DSH		 8 */
9
c5f87134
P		 10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
706457b7 16#include "internal/constant_time.h"
049e64cb 17
0b6f3c66 18#include <stdio.h>
b39fc560 19#include "internal/cryptlib.h"
0b6f3c66
DSH		 20#include <openssl/asn1t.h>
21#include <openssl/x509.h>
22#include <openssl/rsa.h>
1e26a8ba 23#include <openssl/bn.h>
b2a97be7 24#include <openssl/evp.h>
271fef0e 25#include <openssl/x509v3.h>
3c27208f 26#include <openssl/cms.h>
25f2138b 27#include "crypto/evp.h"
6f4b7663 28#include "crypto/rsa.h"
706457b7 29#include "rsa_local.h"
b2a97be7 30
07e970c7
DSH		 31/* RSA pkey context structure */
32
0f113f3e
MC		 33typedef struct {
34 /* Key gen parameters */
35 int nbits;
36 BIGNUM *pub_exp;
665d899f 37 int primes;
0f113f3e
MC		 38 /* Keygen callback info */
39 int gentmp[2];
40 /* RSA padding mode */
41 int pad_mode;
42 /* message digest */
43 const EVP_MD *md;
44 /* message digest for MGF1 */
45 const EVP_MD *mgf1md;
46 /* PSS salt length */
47 int saltlen;
cb49e749
DSH		 48 /* Minimum salt length or -1 if no PSS parameter restriction */
49 int min_saltlen;
0f113f3e
MC		 50 /* Temp buffer */
51 unsigned char *tbuf;
52 /* OAEP label */
53 unsigned char *oaep_label;
54 size_t oaep_labellen;
55} RSA_PKEY_CTX;
07e970c7 56
cb49e749 57/* True if PSS parameters are restricted */
bc1ea030 58#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
cb49e749 59
07e970c7 60static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
0f113f3e 61{
52ad523c 62 RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx));
f291138b 63
90945fa3 64 if (rctx == NULL)
0f113f3e 65 return 0;
70b0b977 66 rctx->nbits = 2048;
665d899f 67 rctx->primes = RSA_DEFAULT_PRIME_NUM;
87ee7b22 68 if (pkey_ctx_is_pss(ctx))
ad4b3d0a
DSH		 69 rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
70 else
71 rctx->pad_mode = RSA_PKCS1_PADDING;
137096a7
DSH		 72 /* Maximum for sign, auto for verify */
73 rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
cb49e749 74 rctx->min_saltlen = -1;
0f113f3e
MC		 75 ctx->data = rctx;
76 ctx->keygen_info = rctx->gentmp;
77 ctx->keygen_info_count = 2;
78
79 return 1;
80}
b2a97be7 81
9fdcc21f 82static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
0f113f3e
MC		 83{
84 RSA_PKEY_CTX *dctx, *sctx;
52ad523c 85
0f113f3e
MC		 86 if (!pkey_rsa_init(dst))
87 return 0;
88 sctx = src->data;
89 dctx = dst->data;
90 dctx->nbits = sctx->nbits;
91 if (sctx->pub_exp) {
92 dctx->pub_exp = BN_dup(sctx->pub_exp);
93 if (!dctx->pub_exp)
94 return 0;
95 }
96 dctx->pad_mode = sctx->pad_mode;
97 dctx->md = sctx->md;
98 dctx->mgf1md = sctx->mgf1md;
d7fcf1fe 99 dctx->saltlen = sctx->saltlen;
0f113f3e 100 if (sctx->oaep_label) {
b548a1f1 101 OPENSSL_free(dctx->oaep_label);
7644a9ae 102 dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
0f113f3e
MC		 103 if (!dctx->oaep_label)
104 return 0;
105 dctx->oaep_labellen = sctx->oaep_labellen;
106 }
107 return 1;
108}
8bdcef40 109
b2a97be7 110static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
0f113f3e 111{
52ad523c 112 if (ctx->tbuf != NULL)
0f113f3e 113 return 1;
9767a3dc 114 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(pk->pkey->pkey.rsa))) == NULL) {
cdb10bae 115 RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE);
0f113f3e 116 return 0;
cdb10bae 117 }
0f113f3e
MC		 118 return 1;
119}
07e970c7
DSH		 120
121static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
0f113f3e
MC		 122{
123 RSA_PKEY_CTX *rctx = ctx->data;
124 if (rctx) {
23a1d5e9 125 BN_free(rctx->pub_exp);
b548a1f1
RS		 126 OPENSSL_free(rctx->tbuf);
127 OPENSSL_free(rctx->oaep_label);
0f113f3e
MC		 128 OPENSSL_free(rctx);
129 }
130}
131
132static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
133 size_t *siglen, const unsigned char *tbs,
134 size_t tbslen)
135{
136 int ret;
137 RSA_PKEY_CTX *rctx = ctx->data;
138 RSA *rsa = ctx->pkey->pkey.rsa;
139
140 if (rctx->md) {
141 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
142 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
143 return -1;
144 }
145
146 if (EVP_MD_type(rctx->md) == NID_mdc2) {
147 unsigned int sltmp;
148 if (rctx->pad_mode != RSA_PKCS1_PADDING)
149 return -1;
a773b52a 150 ret = RSA_sign_ASN1_OCTET_STRING(0,
0f113f3e
MC		 151 tbs, tbslen, sig, &sltmp, rsa);
152
153 if (ret <= 0)
154 return ret;
155 ret = sltmp;
156 } else if (rctx->pad_mode == RSA_X931_PADDING) {
9767a3dc 157 if ((size_t)RSA_size(rsa) < tbslen + 1) {
34166d41 158 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL);
0f113f3e 159 return -1;
34166d41
MC		 160 }
161 if (!setup_tbuf(rctx, ctx)) {
162 RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE);
163 return -1;
164 }
0f113f3e
MC		 165 memcpy(rctx->tbuf, tbs, tbslen);
166 rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md));
167 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
168 sig, rsa, RSA_X931_PADDING);
169 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
170 unsigned int sltmp;
171 ret = RSA_sign(EVP_MD_type(rctx->md),
172 tbs, tbslen, sig, &sltmp, rsa);
173 if (ret <= 0)
174 return ret;
175 ret = sltmp;
176 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
177 if (!setup_tbuf(rctx, ctx))
178 return -1;
179 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
180 rctx->tbuf, tbs,
181 rctx->md, rctx->mgf1md,
182 rctx->saltlen))
183 return -1;
184 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
185 sig, rsa, RSA_NO_PADDING);
90862ab4 186 } else {
0f113f3e 187 return -1;
90862ab4
PY		 188 }
189 } else {
0f113f3e
MC		 190 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
191 rctx->pad_mode);
90862ab4 192 }
0f113f3e
MC		 193 if (ret < 0)
194 return ret;
195 *siglen = ret;
196 return 1;
197}
07e970c7
DSH		 198
199static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
0f113f3e
MC		 200 unsigned char *rout, size_t *routlen,
201 const unsigned char *sig, size_t siglen)
202{
203 int ret;
204 RSA_PKEY_CTX *rctx = ctx->data;
205
206 if (rctx->md) {
207 if (rctx->pad_mode == RSA_X931_PADDING) {
208 if (!setup_tbuf(rctx, ctx))
209 return -1;
210 ret = RSA_public_decrypt(siglen, sig,
211 rctx->tbuf, ctx->pkey->pkey.rsa,
212 RSA_X931_PADDING);
213 if (ret < 1)
214 return 0;
215 ret--;
216 if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
217 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
218 RSA_R_ALGORITHM_MISMATCH);
219 return 0;
220 }
221 if (ret != EVP_MD_size(rctx->md)) {
222 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
223 RSA_R_INVALID_DIGEST_LENGTH);
224 return 0;
225 }
226 if (rout)
227 memcpy(rout, rctx->tbuf, ret);
228 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
229 size_t sltmp;
230 ret = int_rsa_verify(EVP_MD_type(rctx->md),
231 NULL, 0, rout, &sltmp,
232 sig, siglen, ctx->pkey->pkey.rsa);
233 if (ret <= 0)
234 return 0;
235 ret = sltmp;
90862ab4 236 } else {
0f113f3e 237 return -1;
90862ab4
PY		 238 }
239 } else {
0f113f3e
MC		 240 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
241 rctx->pad_mode);
90862ab4 242 }
0f113f3e
MC		 243 if (ret < 0)
244 return ret;
245 *routlen = ret;
246 return 1;
247}
07e970c7 248
4f59b658 249static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
0f113f3e
MC		 250 const unsigned char *sig, size_t siglen,
251 const unsigned char *tbs, size_t tbslen)
252{
253 RSA_PKEY_CTX *rctx = ctx->data;
254 RSA *rsa = ctx->pkey->pkey.rsa;
255 size_t rslen;
52ad523c 256
0f113f3e
MC		 257 if (rctx->md) {
258 if (rctx->pad_mode == RSA_PKCS1_PADDING)
259 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
260 sig, siglen, rsa);
71bbc79b
DSH		 261 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
262 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
263 return -1;
264 }
0f113f3e
MC		 265 if (rctx->pad_mode == RSA_X931_PADDING) {
266 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
267 return 0;
268 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
269 int ret;
270 if (!setup_tbuf(rctx, ctx))
271 return -1;
272 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
273 rsa, RSA_NO_PADDING);
274 if (ret <= 0)
275 return 0;
276 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
277 rctx->md, rctx->mgf1md,
278 rctx->tbuf, rctx->saltlen);
279 if (ret <= 0)
280 return 0;
281 return 1;
90862ab4 282 } else {
0f113f3e 283 return -1;
90862ab4 284 }
0f113f3e
MC		 285 } else {
286 if (!setup_tbuf(rctx, ctx))
287 return -1;
288 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
289 rsa, rctx->pad_mode);
290 if (rslen == 0)
291 return 0;
292 }
293
294 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
295 return 0;
296
297 return 1;
298
299}
4f59b658 300
eaff5a14 301static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
0f113f3e
MC		 302 unsigned char *out, size_t *outlen,
303 const unsigned char *in, size_t inlen)
304{
305 int ret;
306 RSA_PKEY_CTX *rctx = ctx->data;
52ad523c 307
0f113f3e
MC		 308 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
309 int klen = RSA_size(ctx->pkey->pkey.rsa);
310 if (!setup_tbuf(rctx, ctx))
311 return -1;
312 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
313 in, inlen,
314 rctx->oaep_label,
315 rctx->oaep_labellen,
316 rctx->md, rctx->mgf1md))
317 return -1;
318 ret = RSA_public_encrypt(klen, rctx->tbuf, out,
319 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
90862ab4 320 } else {
0f113f3e
MC		 321 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
322 rctx->pad_mode);
90862ab4 323 }
0f113f3e
MC		 324 if (ret < 0)
325 return ret;
326 *outlen = ret;
327 return 1;
328}
8cd44e36 329
eaff5a14 330static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
0f113f3e
MC		 331 unsigned char *out, size_t *outlen,
332 const unsigned char *in, size_t inlen)
333{
334 int ret;
335 RSA_PKEY_CTX *rctx = ctx->data;
52ad523c 336
0f113f3e 337 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
0f113f3e
MC		 338 if (!setup_tbuf(rctx, ctx))
339 return -1;
340 ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
341 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
342 if (ret <= 0)
343 return ret;
237bc6c9
BE		 344 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
345 ret, ret,
0f113f3e
MC		 346 rctx->oaep_label,
347 rctx->oaep_labellen,
348 rctx->md, rctx->mgf1md);
90862ab4 349 } else {
0f113f3e
MC		 350 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
351 rctx->pad_mode);
90862ab4 352 }
049e64cb
BE		 353 *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
354 ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
355 return ret;
0f113f3e 356}
07e970c7 357
75d44c04 358static int check_padding_md(const EVP_MD *md, int padding)
0f113f3e 359{
7f572e95 360 int mdnid;
52ad523c 361
0f113f3e
MC		 362 if (!md)
363 return 1;
364
7f572e95
DSH		 365 mdnid = EVP_MD_type(md);
366
0f113f3e
MC		 367 if (padding == RSA_NO_PADDING) {
368 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
369 return 0;
370 }
371
372 if (padding == RSA_X931_PADDING) {
7f572e95 373 if (RSA_X931_hash_id(mdnid) == -1) {
0f113f3e
MC		 374 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST);
375 return 0;
376 }
7f572e95
DSH		 377 } else {
378 switch(mdnid) {
379 /* List of all supported RSA digests */
380 case NID_sha1:
381 case NID_sha224:
382 case NID_sha256:
383 case NID_sha384:
384 case NID_sha512:
385 case NID_md5:
386 case NID_md5_sha1:
387 case NID_md2:
388 case NID_md4:
389 case NID_mdc2:
390 case NID_ripemd160:
cfb5bc69
AP		 391 case NID_sha3_224:
392 case NID_sha3_256:
393 case NID_sha3_384:
394 case NID_sha3_512:
7f572e95
DSH		 395 return 1;
396
397 default:
398 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST);
399 return 0;
400
401 }
0f113f3e
MC		 402 }
403
404 return 1;
405}
b2a97be7 406
4a3dc3c0 407static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
0f113f3e
MC		 408{
409 RSA_PKEY_CTX *rctx = ctx->data;
52ad523c 410
0f113f3e
MC		 411 switch (type) {
412 case EVP_PKEY_CTRL_RSA_PADDING:
413 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
414 if (!check_padding_md(rctx->md, p1))
415 return 0;
416 if (p1 == RSA_PKCS1_PSS_PADDING) {
417 if (!(ctx->operation &
418 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
419 goto bad_pad;
420 if (!rctx->md)
421 rctx->md = EVP_sha1();
87ee7b22 422 } else if (pkey_ctx_is_pss(ctx)) {
a300c725 423 goto bad_pad;
0f113f3e
MC		 424 }
425 if (p1 == RSA_PKCS1_OAEP_PADDING) {
426 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
427 goto bad_pad;
428 if (!rctx->md)
429 rctx->md = EVP_sha1();
430 }
431 rctx->pad_mode = p1;
432 return 1;
433 }
434 bad_pad:
435 RSAerr(RSA_F_PKEY_RSA_CTRL,
436 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
437 return -2;
438
439 case EVP_PKEY_CTRL_GET_RSA_PADDING:
440 *(int *)p2 = rctx->pad_mode;
441 return 1;
442
443 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
444 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
445 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
446 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
447 return -2;
448 }
cb49e749 449 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
0f113f3e 450 *(int *)p2 = rctx->saltlen;
cb49e749 451 } else {
137096a7 452 if (p1 < RSA_PSS_SALTLEN_MAX)
0f113f3e 453 return -2;
79ebfc46 454 if (rsa_pss_restricted(rctx)) {
137096a7
DSH		 455 if (p1 == RSA_PSS_SALTLEN_AUTO
456 && ctx->operation == EVP_PKEY_OP_VERIFY) {
79ebfc46
DSH		 457 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
458 return -2;
459 }
137096a7
DSH		 460 if ((p1 == RSA_PSS_SALTLEN_DIGEST
461 && rctx->min_saltlen > EVP_MD_size(rctx->md))
79ebfc46
DSH		 462 || (p1 >= 0 && p1 < rctx->min_saltlen)) {
463 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL);
464 return 0;
465 }
cb49e749 466 }
0f113f3e
MC		 467 rctx->saltlen = p1;
468 }
469 return 1;
470
471 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
cac19d19 472 if (p1 < RSA_MIN_MODULUS_BITS) {
0f113f3e
MC		 473 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL);
474 return -2;
475 }
476 rctx->nbits = p1;
477 return 1;
478
479 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
464d59a5
RS		 480 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) {
481 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE);
0f113f3e 482 return -2;
464d59a5 483 }
0f113f3e
MC		 484 BN_free(rctx->pub_exp);
485 rctx->pub_exp = p2;
486 return 1;
487
665d899f
PY		 488 case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES:
489 if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) {
490 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID);
491 return -2;
492 }
493 rctx->primes = p1;
494 return 1;
495
0f113f3e
MC		 496 case EVP_PKEY_CTRL_RSA_OAEP_MD:
497 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
498 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
499 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
500 return -2;
501 }
502 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
503 *(const EVP_MD **)p2 = rctx->md;
504 else
505 rctx->md = p2;
506 return 1;
507
508 case EVP_PKEY_CTRL_MD:
509 if (!check_padding_md(p2, rctx->pad_mode))
510 return 0;
bc1ea030 511 if (rsa_pss_restricted(rctx)) {
cb49e749
DSH		 512 if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
513 return 1;
514 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED);
515 return 0;
516 }
0f113f3e
MC		 517 rctx->md = p2;
518 return 1;
519
520 case EVP_PKEY_CTRL_GET_MD:
521 *(const EVP_MD **)p2 = rctx->md;
522 return 1;
523
524 case EVP_PKEY_CTRL_RSA_MGF1_MD:
525 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
526 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
527 && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
528 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
529 return -2;
530 }
531 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
532 if (rctx->mgf1md)
533 *(const EVP_MD **)p2 = rctx->mgf1md;
534 else
535 *(const EVP_MD **)p2 = rctx->md;
cb49e749 536 } else {
bc1ea030 537 if (rsa_pss_restricted(rctx)) {
8a3cde7d 538 if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
cb49e749
DSH		 539 return 1;
540 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED);
541 return 0;
542 }
0f113f3e 543 rctx->mgf1md = p2;
cb49e749 544 }
0f113f3e
MC		 545 return 1;
546
547 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
548 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
549 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
550 return -2;
551 }
b548a1f1 552 OPENSSL_free(rctx->oaep_label);
0f113f3e
MC		 553 if (p2 && p1 > 0) {
554 rctx->oaep_label = p2;
555 rctx->oaep_labellen = p1;
556 } else {
557 rctx->oaep_label = NULL;
558 rctx->oaep_labellen = 0;
559 }
560 return 1;
561
562 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
563 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
564 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
565 return -2;
566 }
567 *(unsigned char **)p2 = rctx->oaep_label;
568 return rctx->oaep_labellen;
569
570 case EVP_PKEY_CTRL_DIGESTINIT:
186e48cd
DSH		 571 case EVP_PKEY_CTRL_PKCS7_SIGN:
572#ifndef OPENSSL_NO_CMS
573 case EVP_PKEY_CTRL_CMS_SIGN:
574#endif
575 return 1;
576
0f113f3e
MC		 577 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
578 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
8931b30d 579#ifndef OPENSSL_NO_CMS
0f113f3e
MC		 580 case EVP_PKEY_CTRL_CMS_DECRYPT:
581 case EVP_PKEY_CTRL_CMS_ENCRYPT:
1bcbf658 582#endif
186e48cd 583 if (!pkey_ctx_is_pss(ctx))
0f113f3e 584 return 1;
1bcbf658 585 /* fall through */
0f113f3e
MC		 586 case EVP_PKEY_CTRL_PEER_KEY:
587 RSAerr(RSA_F_PKEY_RSA_CTRL,
588 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
589 return -2;
590
591 default:
592 return -2;
399a6f0b 593
0f113f3e
MC		 594 }
595}
4a3dc3c0 596
4a3dc3c0 597static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
0f113f3e
MC		 598 const char *type, const char *value)
599{
52ad523c 600 if (value == NULL) {
0f113f3e
MC		 601 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
602 return 0;
603 }
86885c28 604 if (strcmp(type, "rsa_padding_mode") == 0) {
0f113f3e 605 int pm;
665d899f 606
90862ab4 607 if (strcmp(value, "pkcs1") == 0) {
0f113f3e 608 pm = RSA_PKCS1_PADDING;
90862ab4 609 } else if (strcmp(value, "sslv23") == 0) {
0f113f3e 610 pm = RSA_SSLV23_PADDING;
90862ab4 611 } else if (strcmp(value, "none") == 0) {
0f113f3e 612 pm = RSA_NO_PADDING;
90862ab4 613 } else if (strcmp(value, "oeap") == 0) {
0f113f3e 614 pm = RSA_PKCS1_OAEP_PADDING;
90862ab4 615 } else if (strcmp(value, "oaep") == 0) {
0f113f3e 616 pm = RSA_PKCS1_OAEP_PADDING;
90862ab4 617 } else if (strcmp(value, "x931") == 0) {
0f113f3e 618 pm = RSA_X931_PADDING;
90862ab4 619 } else if (strcmp(value, "pss") == 0) {
0f113f3e 620 pm = RSA_PKCS1_PSS_PADDING;
90862ab4 621 } else {
0f113f3e
MC		 622 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE);
623 return -2;
624 }
625 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
626 }
627
86885c28 628 if (strcmp(type, "rsa_pss_saltlen") == 0) {
0f113f3e 629 int saltlen;
665d899f 630
137096a7
DSH		 631 if (!strcmp(value, "digest"))
632 saltlen = RSA_PSS_SALTLEN_DIGEST;
633 else if (!strcmp(value, "max"))
634 saltlen = RSA_PSS_SALTLEN_MAX;
635 else if (!strcmp(value, "auto"))
636 saltlen = RSA_PSS_SALTLEN_AUTO;
637 else
638 saltlen = atoi(value);
0f113f3e
MC		 639 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
640 }
641
86885c28 642 if (strcmp(type, "rsa_keygen_bits") == 0) {
665d899f
PY		 643 int nbits = atoi(value);
644
0f113f3e
MC		 645 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
646 }
647
86885c28 648 if (strcmp(type, "rsa_keygen_pubexp") == 0) {
0f113f3e 649 int ret;
665d899f 650
0f113f3e
MC		 651 BIGNUM *pubexp = NULL;
652 if (!BN_asc2bn(&pubexp, value))
653 return 0;
654 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
655 if (ret <= 0)
656 BN_free(pubexp);
657 return ret;
658 }
659
665d899f
PY		 660 if (strcmp(type, "rsa_keygen_primes") == 0) {
661 int nprimes = atoi(value);
662
663 return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes);
664 }
665
410877ba
DSH		 666 if (strcmp(type, "rsa_mgf1_md") == 0)
667 return EVP_PKEY_CTX_md(ctx,
668 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
669 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
0f113f3e 670
87ee7b22 671 if (pkey_ctx_is_pss(ctx)) {
e64b2b5c
DSH		 672
673 if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
674 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
675 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
676
677 if (strcmp(type, "rsa_pss_keygen_md") == 0)
678 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
679 EVP_PKEY_CTRL_MD, value);
680
681 if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
c82bafc5
DSH		 682 int saltlen = atoi(value);
683
e64b2b5c 684 return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
0f113f3e 685 }
0f113f3e 686 }
410877ba
DSH		 687
688 if (strcmp(type, "rsa_oaep_md") == 0)
689 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
690 EVP_PKEY_CTRL_RSA_OAEP_MD, value);
691
86885c28 692 if (strcmp(type, "rsa_oaep_label") == 0) {
0f113f3e
MC		 693 unsigned char *lab;
694 long lablen;
695 int ret;
665d899f 696
14f051a0 697 lab = OPENSSL_hexstr2buf(value, &lablen);
0f113f3e
MC		 698 if (!lab)
699 return 0;
700 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
701 if (ret <= 0)
702 OPENSSL_free(lab);
703 return ret;
704 }
705
706 return -2;
707}
4a3dc3c0 708
e64b2b5c
DSH		 709/* Set PSS parameters when generating a key, if necessary */
710static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
711{
712 RSA_PKEY_CTX *rctx = ctx->data;
52ad523c 713
87ee7b22 714 if (!pkey_ctx_is_pss(ctx))
e64b2b5c 715 return 1;
87ee7b22 716 /* If all parameters are default values don't set pss */
e64b2b5c
DSH		 717 if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2)
718 return 1;
719 rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
720 rctx->saltlen == -2 ? 0 : rctx->saltlen);
721 if (rsa->pss == NULL)
722 return 0;
723 return 1;
724}
725
f5cda4cb 726static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
0f113f3e
MC		 727{
728 RSA *rsa = NULL;
729 RSA_PKEY_CTX *rctx = ctx->data;
730 BN_GENCB *pcb;
731 int ret;
52ad523c 732
90945fa3 733 if (rctx->pub_exp == NULL) {
0f113f3e 734 rctx->pub_exp = BN_new();
90945fa3 735 if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4))
0f113f3e
MC		 736 return 0;
737 }
738 rsa = RSA_new();
90945fa3 739 if (rsa == NULL)
0f113f3e
MC		 740 return 0;
741 if (ctx->pkey_gencb) {
742 pcb = BN_GENCB_new();
90945fa3 743 if (pcb == NULL) {
0f113f3e
MC		 744 RSA_free(rsa);
745 return 0;
746 }
747 evp_pkey_set_cb_translate(pcb, ctx);
90862ab4 748 } else {
0f113f3e 749 pcb = NULL;
90862ab4 750 }
665d899f
PY		 751 ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes,
752 rctx->pub_exp, pcb);
0f113f3e 753 BN_GENCB_free(pcb);
e64b2b5c
DSH		 754 if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
755 RSA_free(rsa);
756 return 0;
757 }
0f113f3e 758 if (ret > 0)
faa02fe2 759 EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
0f113f3e
MC		 760 else
761 RSA_free(rsa);
762 return ret;
763}
764
19bd1fa1 765static const EVP_PKEY_METHOD rsa_pkey_meth = {
0f113f3e
MC		 766 EVP_PKEY_RSA,
767 EVP_PKEY_FLAG_AUTOARGLEN,
768 pkey_rsa_init,
769 pkey_rsa_copy,
770 pkey_rsa_cleanup,
771
772 0, 0,
773
774 0,
775 pkey_rsa_keygen,
776
777 0,
778 pkey_rsa_sign,
779
780 0,
781 pkey_rsa_verify,
782
783 0,
784 pkey_rsa_verifyrecover,
785
786 0, 0, 0, 0,
787
788 0,
789 pkey_rsa_encrypt,
790
791 0,
792 pkey_rsa_decrypt,
793
794 0, 0,
795
796 pkey_rsa_ctrl,
797 pkey_rsa_ctrl_str
798};
6577e008 799
19bd1fa1
PS		 800const EVP_PKEY_METHOD *rsa_pkey_method(void)
801{
802 return &rsa_pkey_meth;
803}
804
59029ca1
DSH		 805/*
806 * Called for PSS sign or verify initialisation: checks PSS parameter
807 * sanity and sets any restrictions on key usage.
808 */
809
810static int pkey_pss_init(EVP_PKEY_CTX *ctx)
811{
812 RSA *rsa;
813 RSA_PKEY_CTX *rctx = ctx->data;
814 const EVP_MD *md;
815 const EVP_MD *mgf1md;
79ebfc46 816 int min_saltlen, max_saltlen;
52ad523c 817
59029ca1
DSH		 818 /* Should never happen */
819 if (!pkey_ctx_is_pss(ctx))
820 return 0;
821 rsa = ctx->pkey->pkey.rsa;
822 /* If no restrictions just return */
823 if (rsa->pss == NULL)
824 return 1;
825 /* Get and check parameters */
826 if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
827 return 0;
828
46f4e1be 829 /* See if minimum salt length exceeds maximum possible */
79ebfc46
DSH		 830 max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
831 if ((RSA_bits(rsa) & 0x7) == 1)
832 max_saltlen--;
833 if (min_saltlen > max_saltlen) {
834 RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH);
835 return 0;
836 }
837
59029ca1
DSH		 838 rctx->min_saltlen = min_saltlen;
839
840 /*
841 * Set PSS restrictions as defaults: we can then block any attempt to
842 * use invalid values in pkey_rsa_ctrl
843 */
844
845 rctx->md = md;
846 rctx->mgf1md = mgf1md;
847 rctx->saltlen = min_saltlen;
848
849 return 1;
850}
851
19bd1fa1 852static const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
6577e008
DSH		 853 EVP_PKEY_RSA_PSS,
854 EVP_PKEY_FLAG_AUTOARGLEN,
855 pkey_rsa_init,
856 pkey_rsa_copy,
857 pkey_rsa_cleanup,
858
859 0, 0,
860
861 0,
862 pkey_rsa_keygen,
863
59029ca1 864 pkey_pss_init,
6577e008
DSH		 865 pkey_rsa_sign,
866
59029ca1 867 pkey_pss_init,
6577e008
DSH		 868 pkey_rsa_verify,
869
870 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
871
872 pkey_rsa_ctrl,
873 pkey_rsa_ctrl_str
874};
19bd1fa1
PS		 875
876const EVP_PKEY_METHOD *rsa_pss_pkey_method(void)
877{
878 return &rsa_pss_pkey_meth;
879}
A mirror of the official openssl repository