2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/asn1t.h>
13 #include <openssl/x509.h>
14 #include <openssl/rsa.h>
15 #include <openssl/bn.h>
16 #include <openssl/evp.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/cms.h>
19 #include "internal/evp_int.h"
22 /* RSA pkey context structure */
25 /* Key gen parameters */
28 /* Keygen callback info */
30 /* RSA padding mode */
34 /* message digest for MGF1 */
41 unsigned char *oaep_label
;
45 static int pkey_rsa_init(EVP_PKEY_CTX
*ctx
)
48 rctx
= OPENSSL_zalloc(sizeof(*rctx
));
52 rctx
->pad_mode
= RSA_PKCS1_PADDING
;
55 ctx
->keygen_info
= rctx
->gentmp
;
56 ctx
->keygen_info_count
= 2;
61 static int pkey_rsa_copy(EVP_PKEY_CTX
*dst
, EVP_PKEY_CTX
*src
)
63 RSA_PKEY_CTX
*dctx
, *sctx
;
64 if (!pkey_rsa_init(dst
))
68 dctx
->nbits
= sctx
->nbits
;
70 dctx
->pub_exp
= BN_dup(sctx
->pub_exp
);
74 dctx
->pad_mode
= sctx
->pad_mode
;
76 dctx
->mgf1md
= sctx
->mgf1md
;
77 if (sctx
->oaep_label
) {
78 OPENSSL_free(dctx
->oaep_label
);
79 dctx
->oaep_label
= OPENSSL_memdup(sctx
->oaep_label
, sctx
->oaep_labellen
);
80 if (!dctx
->oaep_label
)
82 dctx
->oaep_labellen
= sctx
->oaep_labellen
;
87 static int setup_tbuf(RSA_PKEY_CTX
*ctx
, EVP_PKEY_CTX
*pk
)
91 ctx
->tbuf
= OPENSSL_malloc(EVP_PKEY_size(pk
->pkey
));
92 if (ctx
->tbuf
== NULL
)
97 static void pkey_rsa_cleanup(EVP_PKEY_CTX
*ctx
)
99 RSA_PKEY_CTX
*rctx
= ctx
->data
;
101 BN_free(rctx
->pub_exp
);
102 OPENSSL_free(rctx
->tbuf
);
103 OPENSSL_free(rctx
->oaep_label
);
108 static int pkey_rsa_sign(EVP_PKEY_CTX
*ctx
, unsigned char *sig
,
109 size_t *siglen
, const unsigned char *tbs
,
113 RSA_PKEY_CTX
*rctx
= ctx
->data
;
114 RSA
*rsa
= ctx
->pkey
->pkey
.rsa
;
117 if (tbslen
!= (size_t)EVP_MD_size(rctx
->md
)) {
118 RSAerr(RSA_F_PKEY_RSA_SIGN
, RSA_R_INVALID_DIGEST_LENGTH
);
122 if (EVP_MD_type(rctx
->md
) == NID_mdc2
) {
124 if (rctx
->pad_mode
!= RSA_PKCS1_PADDING
)
126 ret
= RSA_sign_ASN1_OCTET_STRING(0,
127 tbs
, tbslen
, sig
, &sltmp
, rsa
);
132 } else if (rctx
->pad_mode
== RSA_X931_PADDING
) {
133 if ((size_t)EVP_PKEY_size(ctx
->pkey
) < tbslen
+ 1) {
134 RSAerr(RSA_F_PKEY_RSA_SIGN
, RSA_R_KEY_SIZE_TOO_SMALL
);
137 if (!setup_tbuf(rctx
, ctx
)) {
138 RSAerr(RSA_F_PKEY_RSA_SIGN
, ERR_R_MALLOC_FAILURE
);
141 memcpy(rctx
->tbuf
, tbs
, tbslen
);
142 rctx
->tbuf
[tbslen
] = RSA_X931_hash_id(EVP_MD_type(rctx
->md
));
143 ret
= RSA_private_encrypt(tbslen
+ 1, rctx
->tbuf
,
144 sig
, rsa
, RSA_X931_PADDING
);
145 } else if (rctx
->pad_mode
== RSA_PKCS1_PADDING
) {
147 ret
= RSA_sign(EVP_MD_type(rctx
->md
),
148 tbs
, tbslen
, sig
, &sltmp
, rsa
);
152 } else if (rctx
->pad_mode
== RSA_PKCS1_PSS_PADDING
) {
153 if (!setup_tbuf(rctx
, ctx
))
155 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa
,
157 rctx
->md
, rctx
->mgf1md
,
160 ret
= RSA_private_encrypt(RSA_size(rsa
), rctx
->tbuf
,
161 sig
, rsa
, RSA_NO_PADDING
);
165 ret
= RSA_private_encrypt(tbslen
, tbs
, sig
, ctx
->pkey
->pkey
.rsa
,
173 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX
*ctx
,
174 unsigned char *rout
, size_t *routlen
,
175 const unsigned char *sig
, size_t siglen
)
178 RSA_PKEY_CTX
*rctx
= ctx
->data
;
181 if (rctx
->pad_mode
== RSA_X931_PADDING
) {
182 if (!setup_tbuf(rctx
, ctx
))
184 ret
= RSA_public_decrypt(siglen
, sig
,
185 rctx
->tbuf
, ctx
->pkey
->pkey
.rsa
,
190 if (rctx
->tbuf
[ret
] != RSA_X931_hash_id(EVP_MD_type(rctx
->md
))) {
191 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER
,
192 RSA_R_ALGORITHM_MISMATCH
);
195 if (ret
!= EVP_MD_size(rctx
->md
)) {
196 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER
,
197 RSA_R_INVALID_DIGEST_LENGTH
);
201 memcpy(rout
, rctx
->tbuf
, ret
);
202 } else if (rctx
->pad_mode
== RSA_PKCS1_PADDING
) {
204 ret
= int_rsa_verify(EVP_MD_type(rctx
->md
),
205 NULL
, 0, rout
, &sltmp
,
206 sig
, siglen
, ctx
->pkey
->pkey
.rsa
);
213 ret
= RSA_public_decrypt(siglen
, sig
, rout
, ctx
->pkey
->pkey
.rsa
,
221 static int pkey_rsa_verify(EVP_PKEY_CTX
*ctx
,
222 const unsigned char *sig
, size_t siglen
,
223 const unsigned char *tbs
, size_t tbslen
)
225 RSA_PKEY_CTX
*rctx
= ctx
->data
;
226 RSA
*rsa
= ctx
->pkey
->pkey
.rsa
;
229 if (rctx
->pad_mode
== RSA_PKCS1_PADDING
)
230 return RSA_verify(EVP_MD_type(rctx
->md
), tbs
, tbslen
,
232 if (rctx
->pad_mode
== RSA_X931_PADDING
) {
233 if (pkey_rsa_verifyrecover(ctx
, NULL
, &rslen
, sig
, siglen
) <= 0)
235 } else if (rctx
->pad_mode
== RSA_PKCS1_PSS_PADDING
) {
237 if (!setup_tbuf(rctx
, ctx
))
239 ret
= RSA_public_decrypt(siglen
, sig
, rctx
->tbuf
,
240 rsa
, RSA_NO_PADDING
);
243 ret
= RSA_verify_PKCS1_PSS_mgf1(rsa
, tbs
,
244 rctx
->md
, rctx
->mgf1md
,
245 rctx
->tbuf
, rctx
->saltlen
);
252 if (!setup_tbuf(rctx
, ctx
))
254 rslen
= RSA_public_decrypt(siglen
, sig
, rctx
->tbuf
,
255 rsa
, rctx
->pad_mode
);
260 if ((rslen
!= tbslen
) || memcmp(tbs
, rctx
->tbuf
, rslen
))
267 static int pkey_rsa_encrypt(EVP_PKEY_CTX
*ctx
,
268 unsigned char *out
, size_t *outlen
,
269 const unsigned char *in
, size_t inlen
)
272 RSA_PKEY_CTX
*rctx
= ctx
->data
;
273 if (rctx
->pad_mode
== RSA_PKCS1_OAEP_PADDING
) {
274 int klen
= RSA_size(ctx
->pkey
->pkey
.rsa
);
275 if (!setup_tbuf(rctx
, ctx
))
277 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx
->tbuf
, klen
,
281 rctx
->md
, rctx
->mgf1md
))
283 ret
= RSA_public_encrypt(klen
, rctx
->tbuf
, out
,
284 ctx
->pkey
->pkey
.rsa
, RSA_NO_PADDING
);
286 ret
= RSA_public_encrypt(inlen
, in
, out
, ctx
->pkey
->pkey
.rsa
,
294 static int pkey_rsa_decrypt(EVP_PKEY_CTX
*ctx
,
295 unsigned char *out
, size_t *outlen
,
296 const unsigned char *in
, size_t inlen
)
299 RSA_PKEY_CTX
*rctx
= ctx
->data
;
300 if (rctx
->pad_mode
== RSA_PKCS1_OAEP_PADDING
) {
302 if (!setup_tbuf(rctx
, ctx
))
304 ret
= RSA_private_decrypt(inlen
, in
, rctx
->tbuf
,
305 ctx
->pkey
->pkey
.rsa
, RSA_NO_PADDING
);
308 for (i
= 0; i
< ret
; i
++) {
312 ret
= RSA_padding_check_PKCS1_OAEP_mgf1(out
, ret
, rctx
->tbuf
+ i
,
316 rctx
->md
, rctx
->mgf1md
);
318 ret
= RSA_private_decrypt(inlen
, in
, out
, ctx
->pkey
->pkey
.rsa
,
326 static int check_padding_md(const EVP_MD
*md
, int padding
)
332 mdnid
= EVP_MD_type(md
);
334 if (padding
== RSA_NO_PADDING
) {
335 RSAerr(RSA_F_CHECK_PADDING_MD
, RSA_R_INVALID_PADDING_MODE
);
339 if (padding
== RSA_X931_PADDING
) {
340 if (RSA_X931_hash_id(mdnid
) == -1) {
341 RSAerr(RSA_F_CHECK_PADDING_MD
, RSA_R_INVALID_X931_DIGEST
);
346 /* List of all supported RSA digests */
361 RSAerr(RSA_F_CHECK_PADDING_MD
, RSA_R_INVALID_DIGEST
);
370 static int pkey_rsa_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
372 RSA_PKEY_CTX
*rctx
= ctx
->data
;
374 case EVP_PKEY_CTRL_RSA_PADDING
:
375 if ((p1
>= RSA_PKCS1_PADDING
) && (p1
<= RSA_PKCS1_PSS_PADDING
)) {
376 if (!check_padding_md(rctx
->md
, p1
))
378 if (p1
== RSA_PKCS1_PSS_PADDING
) {
379 if (!(ctx
->operation
&
380 (EVP_PKEY_OP_SIGN
| EVP_PKEY_OP_VERIFY
)))
383 rctx
->md
= EVP_sha1();
385 if (p1
== RSA_PKCS1_OAEP_PADDING
) {
386 if (!(ctx
->operation
& EVP_PKEY_OP_TYPE_CRYPT
))
389 rctx
->md
= EVP_sha1();
395 RSAerr(RSA_F_PKEY_RSA_CTRL
,
396 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE
);
399 case EVP_PKEY_CTRL_GET_RSA_PADDING
:
400 *(int *)p2
= rctx
->pad_mode
;
403 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN
:
404 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN
:
405 if (rctx
->pad_mode
!= RSA_PKCS1_PSS_PADDING
) {
406 RSAerr(RSA_F_PKEY_RSA_CTRL
, RSA_R_INVALID_PSS_SALTLEN
);
409 if (type
== EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN
)
410 *(int *)p2
= rctx
->saltlen
;
418 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS
:
420 RSAerr(RSA_F_PKEY_RSA_CTRL
, RSA_R_KEY_SIZE_TOO_SMALL
);
426 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP
:
429 BN_free(rctx
->pub_exp
);
433 case EVP_PKEY_CTRL_RSA_OAEP_MD
:
434 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD
:
435 if (rctx
->pad_mode
!= RSA_PKCS1_OAEP_PADDING
) {
436 RSAerr(RSA_F_PKEY_RSA_CTRL
, RSA_R_INVALID_PADDING_MODE
);
439 if (type
== EVP_PKEY_CTRL_GET_RSA_OAEP_MD
)
440 *(const EVP_MD
**)p2
= rctx
->md
;
445 case EVP_PKEY_CTRL_MD
:
446 if (!check_padding_md(p2
, rctx
->pad_mode
))
451 case EVP_PKEY_CTRL_GET_MD
:
452 *(const EVP_MD
**)p2
= rctx
->md
;
455 case EVP_PKEY_CTRL_RSA_MGF1_MD
:
456 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD
:
457 if (rctx
->pad_mode
!= RSA_PKCS1_PSS_PADDING
458 && rctx
->pad_mode
!= RSA_PKCS1_OAEP_PADDING
) {
459 RSAerr(RSA_F_PKEY_RSA_CTRL
, RSA_R_INVALID_MGF1_MD
);
462 if (type
== EVP_PKEY_CTRL_GET_RSA_MGF1_MD
) {
464 *(const EVP_MD
**)p2
= rctx
->mgf1md
;
466 *(const EVP_MD
**)p2
= rctx
->md
;
471 case EVP_PKEY_CTRL_RSA_OAEP_LABEL
:
472 if (rctx
->pad_mode
!= RSA_PKCS1_OAEP_PADDING
) {
473 RSAerr(RSA_F_PKEY_RSA_CTRL
, RSA_R_INVALID_PADDING_MODE
);
476 OPENSSL_free(rctx
->oaep_label
);
478 rctx
->oaep_label
= p2
;
479 rctx
->oaep_labellen
= p1
;
481 rctx
->oaep_label
= NULL
;
482 rctx
->oaep_labellen
= 0;
486 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL
:
487 if (rctx
->pad_mode
!= RSA_PKCS1_OAEP_PADDING
) {
488 RSAerr(RSA_F_PKEY_RSA_CTRL
, RSA_R_INVALID_PADDING_MODE
);
491 *(unsigned char **)p2
= rctx
->oaep_label
;
492 return rctx
->oaep_labellen
;
494 case EVP_PKEY_CTRL_DIGESTINIT
:
495 case EVP_PKEY_CTRL_PKCS7_ENCRYPT
:
496 case EVP_PKEY_CTRL_PKCS7_DECRYPT
:
497 case EVP_PKEY_CTRL_PKCS7_SIGN
:
499 #ifndef OPENSSL_NO_CMS
500 case EVP_PKEY_CTRL_CMS_DECRYPT
:
501 case EVP_PKEY_CTRL_CMS_ENCRYPT
:
502 case EVP_PKEY_CTRL_CMS_SIGN
:
505 case EVP_PKEY_CTRL_PEER_KEY
:
506 RSAerr(RSA_F_PKEY_RSA_CTRL
,
507 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
);
516 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX
*ctx
,
517 const char *type
, const char *value
)
520 RSAerr(RSA_F_PKEY_RSA_CTRL_STR
, RSA_R_VALUE_MISSING
);
523 if (strcmp(type
, "rsa_padding_mode") == 0) {
525 if (strcmp(value
, "pkcs1") == 0)
526 pm
= RSA_PKCS1_PADDING
;
527 else if (strcmp(value
, "sslv23") == 0)
528 pm
= RSA_SSLV23_PADDING
;
529 else if (strcmp(value
, "none") == 0)
531 else if (strcmp(value
, "oeap") == 0)
532 pm
= RSA_PKCS1_OAEP_PADDING
;
533 else if (strcmp(value
, "oaep") == 0)
534 pm
= RSA_PKCS1_OAEP_PADDING
;
535 else if (strcmp(value
, "x931") == 0)
536 pm
= RSA_X931_PADDING
;
537 else if (strcmp(value
, "pss") == 0)
538 pm
= RSA_PKCS1_PSS_PADDING
;
540 RSAerr(RSA_F_PKEY_RSA_CTRL_STR
, RSA_R_UNKNOWN_PADDING_TYPE
);
543 return EVP_PKEY_CTX_set_rsa_padding(ctx
, pm
);
546 if (strcmp(type
, "rsa_pss_saltlen") == 0) {
548 saltlen
= atoi(value
);
549 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx
, saltlen
);
552 if (strcmp(type
, "rsa_keygen_bits") == 0) {
555 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx
, nbits
);
558 if (strcmp(type
, "rsa_keygen_pubexp") == 0) {
560 BIGNUM
*pubexp
= NULL
;
561 if (!BN_asc2bn(&pubexp
, value
))
563 ret
= EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx
, pubexp
);
569 if (strcmp(type
, "rsa_mgf1_md") == 0) {
571 if ((md
= EVP_get_digestbyname(value
)) == NULL
) {
572 RSAerr(RSA_F_PKEY_RSA_CTRL_STR
, RSA_R_INVALID_DIGEST
);
575 return EVP_PKEY_CTX_set_rsa_mgf1_md(ctx
, md
);
578 if (strcmp(type
, "rsa_oaep_md") == 0) {
580 if ((md
= EVP_get_digestbyname(value
)) == NULL
) {
581 RSAerr(RSA_F_PKEY_RSA_CTRL_STR
, RSA_R_INVALID_DIGEST
);
584 return EVP_PKEY_CTX_set_rsa_oaep_md(ctx
, md
);
586 if (strcmp(type
, "rsa_oaep_label") == 0) {
590 lab
= OPENSSL_hexstr2buf(value
, &lablen
);
593 ret
= EVP_PKEY_CTX_set0_rsa_oaep_label(ctx
, lab
, lablen
);
602 static int pkey_rsa_keygen(EVP_PKEY_CTX
*ctx
, EVP_PKEY
*pkey
)
605 RSA_PKEY_CTX
*rctx
= ctx
->data
;
608 if (rctx
->pub_exp
== NULL
) {
609 rctx
->pub_exp
= BN_new();
610 if (rctx
->pub_exp
== NULL
|| !BN_set_word(rctx
->pub_exp
, RSA_F4
))
616 if (ctx
->pkey_gencb
) {
617 pcb
= BN_GENCB_new();
622 evp_pkey_set_cb_translate(pcb
, ctx
);
625 ret
= RSA_generate_key_ex(rsa
, rctx
->nbits
, rctx
->pub_exp
, pcb
);
628 EVP_PKEY_assign_RSA(pkey
, rsa
);
634 const EVP_PKEY_METHOD rsa_pkey_meth
= {
636 EVP_PKEY_FLAG_AUTOARGLEN
,
653 pkey_rsa_verifyrecover
,