]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
049e64cb | 2 | * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. |
0b6f3c66 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
0b6f3c66 DSH |
8 | */ |
9 | ||
049e64cb BE |
10 | #include "internal/constant_time_locl.h" |
11 | ||
0b6f3c66 | 12 | #include <stdio.h> |
b39fc560 | 13 | #include "internal/cryptlib.h" |
0b6f3c66 DSH |
14 | #include <openssl/asn1t.h> |
15 | #include <openssl/x509.h> | |
16 | #include <openssl/rsa.h> | |
1e26a8ba | 17 | #include <openssl/bn.h> |
b2a97be7 | 18 | #include <openssl/evp.h> |
271fef0e | 19 | #include <openssl/x509v3.h> |
3c27208f | 20 | #include <openssl/cms.h> |
27af42f9 | 21 | #include "internal/evp_int.h" |
777c47ac | 22 | #include "rsa_locl.h" |
b2a97be7 | 23 | |
07e970c7 DSH |
24 | /* RSA pkey context structure */ |
25 | ||
0f113f3e MC |
26 | typedef struct { |
27 | /* Key gen parameters */ | |
28 | int nbits; | |
29 | BIGNUM *pub_exp; | |
665d899f | 30 | int primes; |
0f113f3e MC |
31 | /* Keygen callback info */ |
32 | int gentmp[2]; | |
33 | /* RSA padding mode */ | |
34 | int pad_mode; | |
35 | /* message digest */ | |
36 | const EVP_MD *md; | |
37 | /* message digest for MGF1 */ | |
38 | const EVP_MD *mgf1md; | |
39 | /* PSS salt length */ | |
40 | int saltlen; | |
cb49e749 DSH |
41 | /* Minimum salt length or -1 if no PSS parameter restriction */ |
42 | int min_saltlen; | |
0f113f3e MC |
43 | /* Temp buffer */ |
44 | unsigned char *tbuf; | |
45 | /* OAEP label */ | |
46 | unsigned char *oaep_label; | |
47 | size_t oaep_labellen; | |
48 | } RSA_PKEY_CTX; | |
07e970c7 | 49 | |
cb49e749 | 50 | /* True if PSS parameters are restricted */ |
bc1ea030 | 51 | #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) |
cb49e749 | 52 | |
07e970c7 | 53 | static int pkey_rsa_init(EVP_PKEY_CTX *ctx) |
0f113f3e | 54 | { |
52ad523c | 55 | RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx)); |
f291138b | 56 | |
90945fa3 | 57 | if (rctx == NULL) |
0f113f3e | 58 | return 0; |
70b0b977 | 59 | rctx->nbits = 2048; |
665d899f | 60 | rctx->primes = RSA_DEFAULT_PRIME_NUM; |
87ee7b22 | 61 | if (pkey_ctx_is_pss(ctx)) |
ad4b3d0a DSH |
62 | rctx->pad_mode = RSA_PKCS1_PSS_PADDING; |
63 | else | |
64 | rctx->pad_mode = RSA_PKCS1_PADDING; | |
137096a7 DSH |
65 | /* Maximum for sign, auto for verify */ |
66 | rctx->saltlen = RSA_PSS_SALTLEN_AUTO; | |
cb49e749 | 67 | rctx->min_saltlen = -1; |
0f113f3e MC |
68 | ctx->data = rctx; |
69 | ctx->keygen_info = rctx->gentmp; | |
70 | ctx->keygen_info_count = 2; | |
71 | ||
72 | return 1; | |
73 | } | |
b2a97be7 | 74 | |
9fdcc21f | 75 | static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) |
0f113f3e MC |
76 | { |
77 | RSA_PKEY_CTX *dctx, *sctx; | |
52ad523c | 78 | |
0f113f3e MC |
79 | if (!pkey_rsa_init(dst)) |
80 | return 0; | |
81 | sctx = src->data; | |
82 | dctx = dst->data; | |
83 | dctx->nbits = sctx->nbits; | |
84 | if (sctx->pub_exp) { | |
85 | dctx->pub_exp = BN_dup(sctx->pub_exp); | |
86 | if (!dctx->pub_exp) | |
87 | return 0; | |
88 | } | |
89 | dctx->pad_mode = sctx->pad_mode; | |
90 | dctx->md = sctx->md; | |
91 | dctx->mgf1md = sctx->mgf1md; | |
d7fcf1fe | 92 | dctx->saltlen = sctx->saltlen; |
0f113f3e | 93 | if (sctx->oaep_label) { |
b548a1f1 | 94 | OPENSSL_free(dctx->oaep_label); |
7644a9ae | 95 | dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); |
0f113f3e MC |
96 | if (!dctx->oaep_label) |
97 | return 0; | |
98 | dctx->oaep_labellen = sctx->oaep_labellen; | |
99 | } | |
100 | return 1; | |
101 | } | |
8bdcef40 | 102 | |
b2a97be7 | 103 | static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) |
0f113f3e | 104 | { |
52ad523c | 105 | if (ctx->tbuf != NULL) |
0f113f3e | 106 | return 1; |
cdb10bae RS |
107 | if ((ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey))) == NULL) { |
108 | RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE); | |
0f113f3e | 109 | return 0; |
cdb10bae | 110 | } |
0f113f3e MC |
111 | return 1; |
112 | } | |
07e970c7 DSH |
113 | |
114 | static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) | |
0f113f3e MC |
115 | { |
116 | RSA_PKEY_CTX *rctx = ctx->data; | |
117 | if (rctx) { | |
23a1d5e9 | 118 | BN_free(rctx->pub_exp); |
b548a1f1 RS |
119 | OPENSSL_free(rctx->tbuf); |
120 | OPENSSL_free(rctx->oaep_label); | |
0f113f3e MC |
121 | OPENSSL_free(rctx); |
122 | } | |
123 | } | |
124 | ||
125 | static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, | |
126 | size_t *siglen, const unsigned char *tbs, | |
127 | size_t tbslen) | |
128 | { | |
129 | int ret; | |
130 | RSA_PKEY_CTX *rctx = ctx->data; | |
131 | RSA *rsa = ctx->pkey->pkey.rsa; | |
132 | ||
133 | if (rctx->md) { | |
134 | if (tbslen != (size_t)EVP_MD_size(rctx->md)) { | |
135 | RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); | |
136 | return -1; | |
137 | } | |
138 | ||
139 | if (EVP_MD_type(rctx->md) == NID_mdc2) { | |
140 | unsigned int sltmp; | |
141 | if (rctx->pad_mode != RSA_PKCS1_PADDING) | |
142 | return -1; | |
a773b52a | 143 | ret = RSA_sign_ASN1_OCTET_STRING(0, |
0f113f3e MC |
144 | tbs, tbslen, sig, &sltmp, rsa); |
145 | ||
146 | if (ret <= 0) | |
147 | return ret; | |
148 | ret = sltmp; | |
149 | } else if (rctx->pad_mode == RSA_X931_PADDING) { | |
34166d41 MC |
150 | if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { |
151 | RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); | |
0f113f3e | 152 | return -1; |
34166d41 MC |
153 | } |
154 | if (!setup_tbuf(rctx, ctx)) { | |
155 | RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); | |
156 | return -1; | |
157 | } | |
0f113f3e MC |
158 | memcpy(rctx->tbuf, tbs, tbslen); |
159 | rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); | |
160 | ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, | |
161 | sig, rsa, RSA_X931_PADDING); | |
162 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | |
163 | unsigned int sltmp; | |
164 | ret = RSA_sign(EVP_MD_type(rctx->md), | |
165 | tbs, tbslen, sig, &sltmp, rsa); | |
166 | if (ret <= 0) | |
167 | return ret; | |
168 | ret = sltmp; | |
169 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { | |
170 | if (!setup_tbuf(rctx, ctx)) | |
171 | return -1; | |
172 | if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, | |
173 | rctx->tbuf, tbs, | |
174 | rctx->md, rctx->mgf1md, | |
175 | rctx->saltlen)) | |
176 | return -1; | |
177 | ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, | |
178 | sig, rsa, RSA_NO_PADDING); | |
90862ab4 | 179 | } else { |
0f113f3e | 180 | return -1; |
90862ab4 PY |
181 | } |
182 | } else { | |
0f113f3e MC |
183 | ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, |
184 | rctx->pad_mode); | |
90862ab4 | 185 | } |
0f113f3e MC |
186 | if (ret < 0) |
187 | return ret; | |
188 | *siglen = ret; | |
189 | return 1; | |
190 | } | |
07e970c7 DSH |
191 | |
192 | static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, | |
0f113f3e MC |
193 | unsigned char *rout, size_t *routlen, |
194 | const unsigned char *sig, size_t siglen) | |
195 | { | |
196 | int ret; | |
197 | RSA_PKEY_CTX *rctx = ctx->data; | |
198 | ||
199 | if (rctx->md) { | |
200 | if (rctx->pad_mode == RSA_X931_PADDING) { | |
201 | if (!setup_tbuf(rctx, ctx)) | |
202 | return -1; | |
203 | ret = RSA_public_decrypt(siglen, sig, | |
204 | rctx->tbuf, ctx->pkey->pkey.rsa, | |
205 | RSA_X931_PADDING); | |
206 | if (ret < 1) | |
207 | return 0; | |
208 | ret--; | |
209 | if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) { | |
210 | RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, | |
211 | RSA_R_ALGORITHM_MISMATCH); | |
212 | return 0; | |
213 | } | |
214 | if (ret != EVP_MD_size(rctx->md)) { | |
215 | RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, | |
216 | RSA_R_INVALID_DIGEST_LENGTH); | |
217 | return 0; | |
218 | } | |
219 | if (rout) | |
220 | memcpy(rout, rctx->tbuf, ret); | |
221 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | |
222 | size_t sltmp; | |
223 | ret = int_rsa_verify(EVP_MD_type(rctx->md), | |
224 | NULL, 0, rout, &sltmp, | |
225 | sig, siglen, ctx->pkey->pkey.rsa); | |
226 | if (ret <= 0) | |
227 | return 0; | |
228 | ret = sltmp; | |
90862ab4 | 229 | } else { |
0f113f3e | 230 | return -1; |
90862ab4 PY |
231 | } |
232 | } else { | |
0f113f3e MC |
233 | ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, |
234 | rctx->pad_mode); | |
90862ab4 | 235 | } |
0f113f3e MC |
236 | if (ret < 0) |
237 | return ret; | |
238 | *routlen = ret; | |
239 | return 1; | |
240 | } | |
07e970c7 | 241 | |
4f59b658 | 242 | static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
243 | const unsigned char *sig, size_t siglen, |
244 | const unsigned char *tbs, size_t tbslen) | |
245 | { | |
246 | RSA_PKEY_CTX *rctx = ctx->data; | |
247 | RSA *rsa = ctx->pkey->pkey.rsa; | |
248 | size_t rslen; | |
52ad523c | 249 | |
0f113f3e MC |
250 | if (rctx->md) { |
251 | if (rctx->pad_mode == RSA_PKCS1_PADDING) | |
252 | return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, | |
253 | sig, siglen, rsa); | |
71bbc79b DSH |
254 | if (tbslen != (size_t)EVP_MD_size(rctx->md)) { |
255 | RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); | |
256 | return -1; | |
257 | } | |
0f113f3e MC |
258 | if (rctx->pad_mode == RSA_X931_PADDING) { |
259 | if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) | |
260 | return 0; | |
261 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { | |
262 | int ret; | |
263 | if (!setup_tbuf(rctx, ctx)) | |
264 | return -1; | |
265 | ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, | |
266 | rsa, RSA_NO_PADDING); | |
267 | if (ret <= 0) | |
268 | return 0; | |
269 | ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, | |
270 | rctx->md, rctx->mgf1md, | |
271 | rctx->tbuf, rctx->saltlen); | |
272 | if (ret <= 0) | |
273 | return 0; | |
274 | return 1; | |
90862ab4 | 275 | } else { |
0f113f3e | 276 | return -1; |
90862ab4 | 277 | } |
0f113f3e MC |
278 | } else { |
279 | if (!setup_tbuf(rctx, ctx)) | |
280 | return -1; | |
281 | rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, | |
282 | rsa, rctx->pad_mode); | |
283 | if (rslen == 0) | |
284 | return 0; | |
285 | } | |
286 | ||
287 | if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) | |
288 | return 0; | |
289 | ||
290 | return 1; | |
291 | ||
292 | } | |
4f59b658 | 293 | |
eaff5a14 | 294 | static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
295 | unsigned char *out, size_t *outlen, |
296 | const unsigned char *in, size_t inlen) | |
297 | { | |
298 | int ret; | |
299 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 300 | |
0f113f3e MC |
301 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
302 | int klen = RSA_size(ctx->pkey->pkey.rsa); | |
303 | if (!setup_tbuf(rctx, ctx)) | |
304 | return -1; | |
305 | if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, | |
306 | in, inlen, | |
307 | rctx->oaep_label, | |
308 | rctx->oaep_labellen, | |
309 | rctx->md, rctx->mgf1md)) | |
310 | return -1; | |
311 | ret = RSA_public_encrypt(klen, rctx->tbuf, out, | |
312 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); | |
90862ab4 | 313 | } else { |
0f113f3e MC |
314 | ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, |
315 | rctx->pad_mode); | |
90862ab4 | 316 | } |
0f113f3e MC |
317 | if (ret < 0) |
318 | return ret; | |
319 | *outlen = ret; | |
320 | return 1; | |
321 | } | |
8cd44e36 | 322 | |
eaff5a14 | 323 | static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
324 | unsigned char *out, size_t *outlen, |
325 | const unsigned char *in, size_t inlen) | |
326 | { | |
327 | int ret; | |
328 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 329 | |
0f113f3e | 330 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
0f113f3e MC |
331 | if (!setup_tbuf(rctx, ctx)) |
332 | return -1; | |
333 | ret = RSA_private_decrypt(inlen, in, rctx->tbuf, | |
334 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); | |
335 | if (ret <= 0) | |
336 | return ret; | |
237bc6c9 BE |
337 | ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, |
338 | ret, ret, | |
0f113f3e MC |
339 | rctx->oaep_label, |
340 | rctx->oaep_labellen, | |
341 | rctx->md, rctx->mgf1md); | |
90862ab4 | 342 | } else { |
0f113f3e MC |
343 | ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, |
344 | rctx->pad_mode); | |
90862ab4 | 345 | } |
049e64cb BE |
346 | *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); |
347 | ret = constant_time_select_int(constant_time_msb(ret), ret, 1); | |
348 | return ret; | |
0f113f3e | 349 | } |
07e970c7 | 350 | |
75d44c04 | 351 | static int check_padding_md(const EVP_MD *md, int padding) |
0f113f3e | 352 | { |
7f572e95 | 353 | int mdnid; |
52ad523c | 354 | |
0f113f3e MC |
355 | if (!md) |
356 | return 1; | |
357 | ||
7f572e95 DSH |
358 | mdnid = EVP_MD_type(md); |
359 | ||
0f113f3e MC |
360 | if (padding == RSA_NO_PADDING) { |
361 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); | |
362 | return 0; | |
363 | } | |
364 | ||
365 | if (padding == RSA_X931_PADDING) { | |
7f572e95 | 366 | if (RSA_X931_hash_id(mdnid) == -1) { |
0f113f3e MC |
367 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST); |
368 | return 0; | |
369 | } | |
7f572e95 DSH |
370 | } else { |
371 | switch(mdnid) { | |
372 | /* List of all supported RSA digests */ | |
373 | case NID_sha1: | |
374 | case NID_sha224: | |
375 | case NID_sha256: | |
376 | case NID_sha384: | |
377 | case NID_sha512: | |
378 | case NID_md5: | |
379 | case NID_md5_sha1: | |
380 | case NID_md2: | |
381 | case NID_md4: | |
382 | case NID_mdc2: | |
383 | case NID_ripemd160: | |
cfb5bc69 AP |
384 | case NID_sha3_224: |
385 | case NID_sha3_256: | |
386 | case NID_sha3_384: | |
387 | case NID_sha3_512: | |
7f572e95 DSH |
388 | return 1; |
389 | ||
390 | default: | |
391 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST); | |
392 | return 0; | |
393 | ||
394 | } | |
0f113f3e MC |
395 | } |
396 | ||
397 | return 1; | |
398 | } | |
b2a97be7 | 399 | |
4a3dc3c0 | 400 | static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) |
0f113f3e MC |
401 | { |
402 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 403 | |
0f113f3e MC |
404 | switch (type) { |
405 | case EVP_PKEY_CTRL_RSA_PADDING: | |
406 | if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) { | |
407 | if (!check_padding_md(rctx->md, p1)) | |
408 | return 0; | |
409 | if (p1 == RSA_PKCS1_PSS_PADDING) { | |
410 | if (!(ctx->operation & | |
411 | (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) | |
412 | goto bad_pad; | |
413 | if (!rctx->md) | |
414 | rctx->md = EVP_sha1(); | |
87ee7b22 | 415 | } else if (pkey_ctx_is_pss(ctx)) { |
a300c725 | 416 | goto bad_pad; |
0f113f3e MC |
417 | } |
418 | if (p1 == RSA_PKCS1_OAEP_PADDING) { | |
419 | if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) | |
420 | goto bad_pad; | |
421 | if (!rctx->md) | |
422 | rctx->md = EVP_sha1(); | |
423 | } | |
424 | rctx->pad_mode = p1; | |
425 | return 1; | |
426 | } | |
427 | bad_pad: | |
428 | RSAerr(RSA_F_PKEY_RSA_CTRL, | |
429 | RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); | |
430 | return -2; | |
431 | ||
432 | case EVP_PKEY_CTRL_GET_RSA_PADDING: | |
433 | *(int *)p2 = rctx->pad_mode; | |
434 | return 1; | |
435 | ||
436 | case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: | |
437 | case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: | |
438 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { | |
439 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); | |
440 | return -2; | |
441 | } | |
cb49e749 | 442 | if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { |
0f113f3e | 443 | *(int *)p2 = rctx->saltlen; |
cb49e749 | 444 | } else { |
137096a7 | 445 | if (p1 < RSA_PSS_SALTLEN_MAX) |
0f113f3e | 446 | return -2; |
79ebfc46 | 447 | if (rsa_pss_restricted(rctx)) { |
137096a7 DSH |
448 | if (p1 == RSA_PSS_SALTLEN_AUTO |
449 | && ctx->operation == EVP_PKEY_OP_VERIFY) { | |
79ebfc46 DSH |
450 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); |
451 | return -2; | |
452 | } | |
137096a7 DSH |
453 | if ((p1 == RSA_PSS_SALTLEN_DIGEST |
454 | && rctx->min_saltlen > EVP_MD_size(rctx->md)) | |
79ebfc46 DSH |
455 | || (p1 >= 0 && p1 < rctx->min_saltlen)) { |
456 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL); | |
457 | return 0; | |
458 | } | |
cb49e749 | 459 | } |
0f113f3e MC |
460 | rctx->saltlen = p1; |
461 | } | |
462 | return 1; | |
463 | ||
464 | case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: | |
cac19d19 | 465 | if (p1 < RSA_MIN_MODULUS_BITS) { |
0f113f3e MC |
466 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL); |
467 | return -2; | |
468 | } | |
469 | rctx->nbits = p1; | |
470 | return 1; | |
471 | ||
472 | case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: | |
464d59a5 RS |
473 | if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) { |
474 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE); | |
0f113f3e | 475 | return -2; |
464d59a5 | 476 | } |
0f113f3e MC |
477 | BN_free(rctx->pub_exp); |
478 | rctx->pub_exp = p2; | |
479 | return 1; | |
480 | ||
665d899f PY |
481 | case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES: |
482 | if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) { | |
483 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID); | |
484 | return -2; | |
485 | } | |
486 | rctx->primes = p1; | |
487 | return 1; | |
488 | ||
0f113f3e MC |
489 | case EVP_PKEY_CTRL_RSA_OAEP_MD: |
490 | case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: | |
491 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
492 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); | |
493 | return -2; | |
494 | } | |
495 | if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) | |
496 | *(const EVP_MD **)p2 = rctx->md; | |
497 | else | |
498 | rctx->md = p2; | |
499 | return 1; | |
500 | ||
501 | case EVP_PKEY_CTRL_MD: | |
502 | if (!check_padding_md(p2, rctx->pad_mode)) | |
503 | return 0; | |
bc1ea030 | 504 | if (rsa_pss_restricted(rctx)) { |
cb49e749 DSH |
505 | if (EVP_MD_type(rctx->md) == EVP_MD_type(p2)) |
506 | return 1; | |
507 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED); | |
508 | return 0; | |
509 | } | |
0f113f3e MC |
510 | rctx->md = p2; |
511 | return 1; | |
512 | ||
513 | case EVP_PKEY_CTRL_GET_MD: | |
514 | *(const EVP_MD **)p2 = rctx->md; | |
515 | return 1; | |
516 | ||
517 | case EVP_PKEY_CTRL_RSA_MGF1_MD: | |
518 | case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: | |
519 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING | |
520 | && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
521 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); | |
522 | return -2; | |
523 | } | |
524 | if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { | |
525 | if (rctx->mgf1md) | |
526 | *(const EVP_MD **)p2 = rctx->mgf1md; | |
527 | else | |
528 | *(const EVP_MD **)p2 = rctx->md; | |
cb49e749 | 529 | } else { |
bc1ea030 | 530 | if (rsa_pss_restricted(rctx)) { |
8a3cde7d | 531 | if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2)) |
cb49e749 DSH |
532 | return 1; |
533 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED); | |
534 | return 0; | |
535 | } | |
0f113f3e | 536 | rctx->mgf1md = p2; |
cb49e749 | 537 | } |
0f113f3e MC |
538 | return 1; |
539 | ||
540 | case EVP_PKEY_CTRL_RSA_OAEP_LABEL: | |
541 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
542 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); | |
543 | return -2; | |
544 | } | |
b548a1f1 | 545 | OPENSSL_free(rctx->oaep_label); |
0f113f3e MC |
546 | if (p2 && p1 > 0) { |
547 | rctx->oaep_label = p2; | |
548 | rctx->oaep_labellen = p1; | |
549 | } else { | |
550 | rctx->oaep_label = NULL; | |
551 | rctx->oaep_labellen = 0; | |
552 | } | |
553 | return 1; | |
554 | ||
555 | case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: | |
556 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
557 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); | |
558 | return -2; | |
559 | } | |
560 | *(unsigned char **)p2 = rctx->oaep_label; | |
561 | return rctx->oaep_labellen; | |
562 | ||
563 | case EVP_PKEY_CTRL_DIGESTINIT: | |
186e48cd DSH |
564 | case EVP_PKEY_CTRL_PKCS7_SIGN: |
565 | #ifndef OPENSSL_NO_CMS | |
566 | case EVP_PKEY_CTRL_CMS_SIGN: | |
567 | #endif | |
568 | return 1; | |
569 | ||
0f113f3e MC |
570 | case EVP_PKEY_CTRL_PKCS7_ENCRYPT: |
571 | case EVP_PKEY_CTRL_PKCS7_DECRYPT: | |
8931b30d | 572 | #ifndef OPENSSL_NO_CMS |
0f113f3e MC |
573 | case EVP_PKEY_CTRL_CMS_DECRYPT: |
574 | case EVP_PKEY_CTRL_CMS_ENCRYPT: | |
1bcbf658 | 575 | #endif |
186e48cd | 576 | if (!pkey_ctx_is_pss(ctx)) |
0f113f3e | 577 | return 1; |
1bcbf658 | 578 | /* fall through */ |
0f113f3e MC |
579 | case EVP_PKEY_CTRL_PEER_KEY: |
580 | RSAerr(RSA_F_PKEY_RSA_CTRL, | |
581 | RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); | |
582 | return -2; | |
583 | ||
584 | default: | |
585 | return -2; | |
399a6f0b | 586 | |
0f113f3e MC |
587 | } |
588 | } | |
4a3dc3c0 | 589 | |
4a3dc3c0 | 590 | static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
591 | const char *type, const char *value) |
592 | { | |
52ad523c | 593 | if (value == NULL) { |
0f113f3e MC |
594 | RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); |
595 | return 0; | |
596 | } | |
86885c28 | 597 | if (strcmp(type, "rsa_padding_mode") == 0) { |
0f113f3e | 598 | int pm; |
665d899f | 599 | |
90862ab4 | 600 | if (strcmp(value, "pkcs1") == 0) { |
0f113f3e | 601 | pm = RSA_PKCS1_PADDING; |
90862ab4 | 602 | } else if (strcmp(value, "sslv23") == 0) { |
0f113f3e | 603 | pm = RSA_SSLV23_PADDING; |
90862ab4 | 604 | } else if (strcmp(value, "none") == 0) { |
0f113f3e | 605 | pm = RSA_NO_PADDING; |
90862ab4 | 606 | } else if (strcmp(value, "oeap") == 0) { |
0f113f3e | 607 | pm = RSA_PKCS1_OAEP_PADDING; |
90862ab4 | 608 | } else if (strcmp(value, "oaep") == 0) { |
0f113f3e | 609 | pm = RSA_PKCS1_OAEP_PADDING; |
90862ab4 | 610 | } else if (strcmp(value, "x931") == 0) { |
0f113f3e | 611 | pm = RSA_X931_PADDING; |
90862ab4 | 612 | } else if (strcmp(value, "pss") == 0) { |
0f113f3e | 613 | pm = RSA_PKCS1_PSS_PADDING; |
90862ab4 | 614 | } else { |
0f113f3e MC |
615 | RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE); |
616 | return -2; | |
617 | } | |
618 | return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); | |
619 | } | |
620 | ||
86885c28 | 621 | if (strcmp(type, "rsa_pss_saltlen") == 0) { |
0f113f3e | 622 | int saltlen; |
665d899f | 623 | |
137096a7 DSH |
624 | if (!strcmp(value, "digest")) |
625 | saltlen = RSA_PSS_SALTLEN_DIGEST; | |
626 | else if (!strcmp(value, "max")) | |
627 | saltlen = RSA_PSS_SALTLEN_MAX; | |
628 | else if (!strcmp(value, "auto")) | |
629 | saltlen = RSA_PSS_SALTLEN_AUTO; | |
630 | else | |
631 | saltlen = atoi(value); | |
0f113f3e MC |
632 | return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); |
633 | } | |
634 | ||
86885c28 | 635 | if (strcmp(type, "rsa_keygen_bits") == 0) { |
665d899f PY |
636 | int nbits = atoi(value); |
637 | ||
0f113f3e MC |
638 | return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); |
639 | } | |
640 | ||
86885c28 | 641 | if (strcmp(type, "rsa_keygen_pubexp") == 0) { |
0f113f3e | 642 | int ret; |
665d899f | 643 | |
0f113f3e MC |
644 | BIGNUM *pubexp = NULL; |
645 | if (!BN_asc2bn(&pubexp, value)) | |
646 | return 0; | |
647 | ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); | |
648 | if (ret <= 0) | |
649 | BN_free(pubexp); | |
650 | return ret; | |
651 | } | |
652 | ||
665d899f PY |
653 | if (strcmp(type, "rsa_keygen_primes") == 0) { |
654 | int nprimes = atoi(value); | |
655 | ||
656 | return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes); | |
657 | } | |
658 | ||
410877ba DSH |
659 | if (strcmp(type, "rsa_mgf1_md") == 0) |
660 | return EVP_PKEY_CTX_md(ctx, | |
661 | EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, | |
662 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); | |
0f113f3e | 663 | |
87ee7b22 | 664 | if (pkey_ctx_is_pss(ctx)) { |
e64b2b5c DSH |
665 | |
666 | if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0) | |
667 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, | |
668 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); | |
669 | ||
670 | if (strcmp(type, "rsa_pss_keygen_md") == 0) | |
671 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, | |
672 | EVP_PKEY_CTRL_MD, value); | |
673 | ||
674 | if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) { | |
c82bafc5 DSH |
675 | int saltlen = atoi(value); |
676 | ||
e64b2b5c | 677 | return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); |
0f113f3e | 678 | } |
0f113f3e | 679 | } |
410877ba DSH |
680 | |
681 | if (strcmp(type, "rsa_oaep_md") == 0) | |
682 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, | |
683 | EVP_PKEY_CTRL_RSA_OAEP_MD, value); | |
684 | ||
86885c28 | 685 | if (strcmp(type, "rsa_oaep_label") == 0) { |
0f113f3e MC |
686 | unsigned char *lab; |
687 | long lablen; | |
688 | int ret; | |
665d899f | 689 | |
14f051a0 | 690 | lab = OPENSSL_hexstr2buf(value, &lablen); |
0f113f3e MC |
691 | if (!lab) |
692 | return 0; | |
693 | ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); | |
694 | if (ret <= 0) | |
695 | OPENSSL_free(lab); | |
696 | return ret; | |
697 | } | |
698 | ||
699 | return -2; | |
700 | } | |
4a3dc3c0 | 701 | |
e64b2b5c DSH |
702 | /* Set PSS parameters when generating a key, if necessary */ |
703 | static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) | |
704 | { | |
705 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 706 | |
87ee7b22 | 707 | if (!pkey_ctx_is_pss(ctx)) |
e64b2b5c | 708 | return 1; |
87ee7b22 | 709 | /* If all parameters are default values don't set pss */ |
e64b2b5c DSH |
710 | if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2) |
711 | return 1; | |
712 | rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md, | |
713 | rctx->saltlen == -2 ? 0 : rctx->saltlen); | |
714 | if (rsa->pss == NULL) | |
715 | return 0; | |
716 | return 1; | |
717 | } | |
718 | ||
f5cda4cb | 719 | static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) |
0f113f3e MC |
720 | { |
721 | RSA *rsa = NULL; | |
722 | RSA_PKEY_CTX *rctx = ctx->data; | |
723 | BN_GENCB *pcb; | |
724 | int ret; | |
52ad523c | 725 | |
90945fa3 | 726 | if (rctx->pub_exp == NULL) { |
0f113f3e | 727 | rctx->pub_exp = BN_new(); |
90945fa3 | 728 | if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4)) |
0f113f3e MC |
729 | return 0; |
730 | } | |
731 | rsa = RSA_new(); | |
90945fa3 | 732 | if (rsa == NULL) |
0f113f3e MC |
733 | return 0; |
734 | if (ctx->pkey_gencb) { | |
735 | pcb = BN_GENCB_new(); | |
90945fa3 | 736 | if (pcb == NULL) { |
0f113f3e MC |
737 | RSA_free(rsa); |
738 | return 0; | |
739 | } | |
740 | evp_pkey_set_cb_translate(pcb, ctx); | |
90862ab4 | 741 | } else { |
0f113f3e | 742 | pcb = NULL; |
90862ab4 | 743 | } |
665d899f PY |
744 | ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes, |
745 | rctx->pub_exp, pcb); | |
0f113f3e | 746 | BN_GENCB_free(pcb); |
e64b2b5c DSH |
747 | if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { |
748 | RSA_free(rsa); | |
749 | return 0; | |
750 | } | |
0f113f3e | 751 | if (ret > 0) |
faa02fe2 | 752 | EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); |
0f113f3e MC |
753 | else |
754 | RSA_free(rsa); | |
755 | return ret; | |
756 | } | |
757 | ||
758 | const EVP_PKEY_METHOD rsa_pkey_meth = { | |
759 | EVP_PKEY_RSA, | |
760 | EVP_PKEY_FLAG_AUTOARGLEN, | |
761 | pkey_rsa_init, | |
762 | pkey_rsa_copy, | |
763 | pkey_rsa_cleanup, | |
764 | ||
765 | 0, 0, | |
766 | ||
767 | 0, | |
768 | pkey_rsa_keygen, | |
769 | ||
770 | 0, | |
771 | pkey_rsa_sign, | |
772 | ||
773 | 0, | |
774 | pkey_rsa_verify, | |
775 | ||
776 | 0, | |
777 | pkey_rsa_verifyrecover, | |
778 | ||
779 | 0, 0, 0, 0, | |
780 | ||
781 | 0, | |
782 | pkey_rsa_encrypt, | |
783 | ||
784 | 0, | |
785 | pkey_rsa_decrypt, | |
786 | ||
787 | 0, 0, | |
788 | ||
789 | pkey_rsa_ctrl, | |
790 | pkey_rsa_ctrl_str | |
791 | }; | |
6577e008 | 792 | |
59029ca1 DSH |
793 | /* |
794 | * Called for PSS sign or verify initialisation: checks PSS parameter | |
795 | * sanity and sets any restrictions on key usage. | |
796 | */ | |
797 | ||
798 | static int pkey_pss_init(EVP_PKEY_CTX *ctx) | |
799 | { | |
800 | RSA *rsa; | |
801 | RSA_PKEY_CTX *rctx = ctx->data; | |
802 | const EVP_MD *md; | |
803 | const EVP_MD *mgf1md; | |
79ebfc46 | 804 | int min_saltlen, max_saltlen; |
52ad523c | 805 | |
59029ca1 DSH |
806 | /* Should never happen */ |
807 | if (!pkey_ctx_is_pss(ctx)) | |
808 | return 0; | |
809 | rsa = ctx->pkey->pkey.rsa; | |
810 | /* If no restrictions just return */ | |
811 | if (rsa->pss == NULL) | |
812 | return 1; | |
813 | /* Get and check parameters */ | |
814 | if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) | |
815 | return 0; | |
816 | ||
46f4e1be | 817 | /* See if minimum salt length exceeds maximum possible */ |
79ebfc46 DSH |
818 | max_saltlen = RSA_size(rsa) - EVP_MD_size(md); |
819 | if ((RSA_bits(rsa) & 0x7) == 1) | |
820 | max_saltlen--; | |
821 | if (min_saltlen > max_saltlen) { | |
822 | RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH); | |
823 | return 0; | |
824 | } | |
825 | ||
59029ca1 DSH |
826 | rctx->min_saltlen = min_saltlen; |
827 | ||
828 | /* | |
829 | * Set PSS restrictions as defaults: we can then block any attempt to | |
830 | * use invalid values in pkey_rsa_ctrl | |
831 | */ | |
832 | ||
833 | rctx->md = md; | |
834 | rctx->mgf1md = mgf1md; | |
835 | rctx->saltlen = min_saltlen; | |
836 | ||
837 | return 1; | |
838 | } | |
839 | ||
6577e008 DSH |
840 | const EVP_PKEY_METHOD rsa_pss_pkey_meth = { |
841 | EVP_PKEY_RSA_PSS, | |
842 | EVP_PKEY_FLAG_AUTOARGLEN, | |
843 | pkey_rsa_init, | |
844 | pkey_rsa_copy, | |
845 | pkey_rsa_cleanup, | |
846 | ||
847 | 0, 0, | |
848 | ||
849 | 0, | |
850 | pkey_rsa_keygen, | |
851 | ||
59029ca1 | 852 | pkey_pss_init, |
6577e008 DSH |
853 | pkey_rsa_sign, |
854 | ||
59029ca1 | 855 | pkey_pss_init, |
6577e008 DSH |
856 | pkey_rsa_verify, |
857 | ||
858 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | |
859 | ||
860 | pkey_rsa_ctrl, | |
861 | pkey_rsa_ctrl_str | |
862 | }; |