]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
33388b44 | 2 | * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. |
0b6f3c66 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
0b6f3c66 DSH |
8 | */ |
9 | ||
c5f87134 P |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
706457b7 | 16 | #include "internal/constant_time.h" |
049e64cb | 17 | |
0b6f3c66 | 18 | #include <stdio.h> |
b39fc560 | 19 | #include "internal/cryptlib.h" |
0b6f3c66 DSH |
20 | #include <openssl/asn1t.h> |
21 | #include <openssl/x509.h> | |
22 | #include <openssl/rsa.h> | |
1e26a8ba | 23 | #include <openssl/bn.h> |
b2a97be7 | 24 | #include <openssl/evp.h> |
271fef0e | 25 | #include <openssl/x509v3.h> |
3c27208f | 26 | #include <openssl/cms.h> |
25f2138b | 27 | #include "crypto/evp.h" |
6f4b7663 | 28 | #include "crypto/rsa.h" |
706457b7 | 29 | #include "rsa_local.h" |
b2a97be7 | 30 | |
07e970c7 DSH |
31 | /* RSA pkey context structure */ |
32 | ||
0f113f3e MC |
33 | typedef struct { |
34 | /* Key gen parameters */ | |
35 | int nbits; | |
36 | BIGNUM *pub_exp; | |
665d899f | 37 | int primes; |
0f113f3e MC |
38 | /* Keygen callback info */ |
39 | int gentmp[2]; | |
40 | /* RSA padding mode */ | |
41 | int pad_mode; | |
42 | /* message digest */ | |
43 | const EVP_MD *md; | |
44 | /* message digest for MGF1 */ | |
45 | const EVP_MD *mgf1md; | |
46 | /* PSS salt length */ | |
47 | int saltlen; | |
cb49e749 DSH |
48 | /* Minimum salt length or -1 if no PSS parameter restriction */ |
49 | int min_saltlen; | |
0f113f3e MC |
50 | /* Temp buffer */ |
51 | unsigned char *tbuf; | |
52 | /* OAEP label */ | |
53 | unsigned char *oaep_label; | |
54 | size_t oaep_labellen; | |
55 | } RSA_PKEY_CTX; | |
07e970c7 | 56 | |
cb49e749 | 57 | /* True if PSS parameters are restricted */ |
bc1ea030 | 58 | #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) |
cb49e749 | 59 | |
07e970c7 | 60 | static int pkey_rsa_init(EVP_PKEY_CTX *ctx) |
0f113f3e | 61 | { |
52ad523c | 62 | RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx)); |
f291138b | 63 | |
90945fa3 | 64 | if (rctx == NULL) |
0f113f3e | 65 | return 0; |
70b0b977 | 66 | rctx->nbits = 2048; |
665d899f | 67 | rctx->primes = RSA_DEFAULT_PRIME_NUM; |
87ee7b22 | 68 | if (pkey_ctx_is_pss(ctx)) |
ad4b3d0a DSH |
69 | rctx->pad_mode = RSA_PKCS1_PSS_PADDING; |
70 | else | |
71 | rctx->pad_mode = RSA_PKCS1_PADDING; | |
137096a7 DSH |
72 | /* Maximum for sign, auto for verify */ |
73 | rctx->saltlen = RSA_PSS_SALTLEN_AUTO; | |
cb49e749 | 74 | rctx->min_saltlen = -1; |
0f113f3e MC |
75 | ctx->data = rctx; |
76 | ctx->keygen_info = rctx->gentmp; | |
77 | ctx->keygen_info_count = 2; | |
78 | ||
79 | return 1; | |
80 | } | |
b2a97be7 | 81 | |
9fdcc21f | 82 | static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) |
0f113f3e MC |
83 | { |
84 | RSA_PKEY_CTX *dctx, *sctx; | |
52ad523c | 85 | |
0f113f3e MC |
86 | if (!pkey_rsa_init(dst)) |
87 | return 0; | |
88 | sctx = src->data; | |
89 | dctx = dst->data; | |
90 | dctx->nbits = sctx->nbits; | |
91 | if (sctx->pub_exp) { | |
92 | dctx->pub_exp = BN_dup(sctx->pub_exp); | |
93 | if (!dctx->pub_exp) | |
94 | return 0; | |
95 | } | |
96 | dctx->pad_mode = sctx->pad_mode; | |
97 | dctx->md = sctx->md; | |
98 | dctx->mgf1md = sctx->mgf1md; | |
d7fcf1fe | 99 | dctx->saltlen = sctx->saltlen; |
0f113f3e | 100 | if (sctx->oaep_label) { |
b548a1f1 | 101 | OPENSSL_free(dctx->oaep_label); |
7644a9ae | 102 | dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); |
0f113f3e MC |
103 | if (!dctx->oaep_label) |
104 | return 0; | |
105 | dctx->oaep_labellen = sctx->oaep_labellen; | |
106 | } | |
107 | return 1; | |
108 | } | |
8bdcef40 | 109 | |
b2a97be7 | 110 | static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) |
0f113f3e | 111 | { |
52ad523c | 112 | if (ctx->tbuf != NULL) |
0f113f3e | 113 | return 1; |
9767a3dc | 114 | if ((ctx->tbuf = OPENSSL_malloc(RSA_size(pk->pkey->pkey.rsa))) == NULL) { |
cdb10bae | 115 | RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE); |
0f113f3e | 116 | return 0; |
cdb10bae | 117 | } |
0f113f3e MC |
118 | return 1; |
119 | } | |
07e970c7 DSH |
120 | |
121 | static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) | |
0f113f3e MC |
122 | { |
123 | RSA_PKEY_CTX *rctx = ctx->data; | |
124 | if (rctx) { | |
23a1d5e9 | 125 | BN_free(rctx->pub_exp); |
b548a1f1 RS |
126 | OPENSSL_free(rctx->tbuf); |
127 | OPENSSL_free(rctx->oaep_label); | |
0f113f3e MC |
128 | OPENSSL_free(rctx); |
129 | } | |
130 | } | |
131 | ||
132 | static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, | |
133 | size_t *siglen, const unsigned char *tbs, | |
134 | size_t tbslen) | |
135 | { | |
136 | int ret; | |
137 | RSA_PKEY_CTX *rctx = ctx->data; | |
138 | RSA *rsa = ctx->pkey->pkey.rsa; | |
139 | ||
140 | if (rctx->md) { | |
141 | if (tbslen != (size_t)EVP_MD_size(rctx->md)) { | |
142 | RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); | |
143 | return -1; | |
144 | } | |
145 | ||
146 | if (EVP_MD_type(rctx->md) == NID_mdc2) { | |
147 | unsigned int sltmp; | |
148 | if (rctx->pad_mode != RSA_PKCS1_PADDING) | |
149 | return -1; | |
a773b52a | 150 | ret = RSA_sign_ASN1_OCTET_STRING(0, |
0f113f3e MC |
151 | tbs, tbslen, sig, &sltmp, rsa); |
152 | ||
153 | if (ret <= 0) | |
154 | return ret; | |
155 | ret = sltmp; | |
156 | } else if (rctx->pad_mode == RSA_X931_PADDING) { | |
9767a3dc | 157 | if ((size_t)RSA_size(rsa) < tbslen + 1) { |
34166d41 | 158 | RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); |
0f113f3e | 159 | return -1; |
34166d41 MC |
160 | } |
161 | if (!setup_tbuf(rctx, ctx)) { | |
162 | RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); | |
163 | return -1; | |
164 | } | |
0f113f3e MC |
165 | memcpy(rctx->tbuf, tbs, tbslen); |
166 | rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); | |
167 | ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, | |
168 | sig, rsa, RSA_X931_PADDING); | |
169 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | |
170 | unsigned int sltmp; | |
171 | ret = RSA_sign(EVP_MD_type(rctx->md), | |
172 | tbs, tbslen, sig, &sltmp, rsa); | |
173 | if (ret <= 0) | |
174 | return ret; | |
175 | ret = sltmp; | |
176 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { | |
177 | if (!setup_tbuf(rctx, ctx)) | |
178 | return -1; | |
179 | if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, | |
180 | rctx->tbuf, tbs, | |
181 | rctx->md, rctx->mgf1md, | |
182 | rctx->saltlen)) | |
183 | return -1; | |
184 | ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, | |
185 | sig, rsa, RSA_NO_PADDING); | |
90862ab4 | 186 | } else { |
0f113f3e | 187 | return -1; |
90862ab4 PY |
188 | } |
189 | } else { | |
0f113f3e MC |
190 | ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, |
191 | rctx->pad_mode); | |
90862ab4 | 192 | } |
0f113f3e MC |
193 | if (ret < 0) |
194 | return ret; | |
195 | *siglen = ret; | |
196 | return 1; | |
197 | } | |
07e970c7 DSH |
198 | |
199 | static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, | |
0f113f3e MC |
200 | unsigned char *rout, size_t *routlen, |
201 | const unsigned char *sig, size_t siglen) | |
202 | { | |
203 | int ret; | |
204 | RSA_PKEY_CTX *rctx = ctx->data; | |
205 | ||
206 | if (rctx->md) { | |
207 | if (rctx->pad_mode == RSA_X931_PADDING) { | |
208 | if (!setup_tbuf(rctx, ctx)) | |
209 | return -1; | |
210 | ret = RSA_public_decrypt(siglen, sig, | |
211 | rctx->tbuf, ctx->pkey->pkey.rsa, | |
212 | RSA_X931_PADDING); | |
213 | if (ret < 1) | |
214 | return 0; | |
215 | ret--; | |
216 | if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) { | |
217 | RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, | |
218 | RSA_R_ALGORITHM_MISMATCH); | |
219 | return 0; | |
220 | } | |
221 | if (ret != EVP_MD_size(rctx->md)) { | |
222 | RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, | |
223 | RSA_R_INVALID_DIGEST_LENGTH); | |
224 | return 0; | |
225 | } | |
226 | if (rout) | |
227 | memcpy(rout, rctx->tbuf, ret); | |
228 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | |
229 | size_t sltmp; | |
230 | ret = int_rsa_verify(EVP_MD_type(rctx->md), | |
231 | NULL, 0, rout, &sltmp, | |
232 | sig, siglen, ctx->pkey->pkey.rsa); | |
233 | if (ret <= 0) | |
234 | return 0; | |
235 | ret = sltmp; | |
90862ab4 | 236 | } else { |
0f113f3e | 237 | return -1; |
90862ab4 PY |
238 | } |
239 | } else { | |
0f113f3e MC |
240 | ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, |
241 | rctx->pad_mode); | |
90862ab4 | 242 | } |
0f113f3e MC |
243 | if (ret < 0) |
244 | return ret; | |
245 | *routlen = ret; | |
246 | return 1; | |
247 | } | |
07e970c7 | 248 | |
4f59b658 | 249 | static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
250 | const unsigned char *sig, size_t siglen, |
251 | const unsigned char *tbs, size_t tbslen) | |
252 | { | |
253 | RSA_PKEY_CTX *rctx = ctx->data; | |
254 | RSA *rsa = ctx->pkey->pkey.rsa; | |
255 | size_t rslen; | |
52ad523c | 256 | |
0f113f3e MC |
257 | if (rctx->md) { |
258 | if (rctx->pad_mode == RSA_PKCS1_PADDING) | |
259 | return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, | |
260 | sig, siglen, rsa); | |
71bbc79b DSH |
261 | if (tbslen != (size_t)EVP_MD_size(rctx->md)) { |
262 | RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); | |
263 | return -1; | |
264 | } | |
0f113f3e MC |
265 | if (rctx->pad_mode == RSA_X931_PADDING) { |
266 | if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) | |
267 | return 0; | |
268 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { | |
269 | int ret; | |
270 | if (!setup_tbuf(rctx, ctx)) | |
271 | return -1; | |
272 | ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, | |
273 | rsa, RSA_NO_PADDING); | |
274 | if (ret <= 0) | |
275 | return 0; | |
276 | ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, | |
277 | rctx->md, rctx->mgf1md, | |
278 | rctx->tbuf, rctx->saltlen); | |
279 | if (ret <= 0) | |
280 | return 0; | |
281 | return 1; | |
90862ab4 | 282 | } else { |
0f113f3e | 283 | return -1; |
90862ab4 | 284 | } |
0f113f3e MC |
285 | } else { |
286 | if (!setup_tbuf(rctx, ctx)) | |
287 | return -1; | |
288 | rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, | |
289 | rsa, rctx->pad_mode); | |
290 | if (rslen == 0) | |
291 | return 0; | |
292 | } | |
293 | ||
294 | if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) | |
295 | return 0; | |
296 | ||
297 | return 1; | |
298 | ||
299 | } | |
4f59b658 | 300 | |
eaff5a14 | 301 | static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
302 | unsigned char *out, size_t *outlen, |
303 | const unsigned char *in, size_t inlen) | |
304 | { | |
305 | int ret; | |
306 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 307 | |
0f113f3e MC |
308 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
309 | int klen = RSA_size(ctx->pkey->pkey.rsa); | |
310 | if (!setup_tbuf(rctx, ctx)) | |
311 | return -1; | |
312 | if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, | |
313 | in, inlen, | |
314 | rctx->oaep_label, | |
315 | rctx->oaep_labellen, | |
316 | rctx->md, rctx->mgf1md)) | |
317 | return -1; | |
318 | ret = RSA_public_encrypt(klen, rctx->tbuf, out, | |
319 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); | |
90862ab4 | 320 | } else { |
0f113f3e MC |
321 | ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, |
322 | rctx->pad_mode); | |
90862ab4 | 323 | } |
0f113f3e MC |
324 | if (ret < 0) |
325 | return ret; | |
326 | *outlen = ret; | |
327 | return 1; | |
328 | } | |
8cd44e36 | 329 | |
eaff5a14 | 330 | static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
331 | unsigned char *out, size_t *outlen, |
332 | const unsigned char *in, size_t inlen) | |
333 | { | |
334 | int ret; | |
335 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 336 | |
0f113f3e | 337 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
0f113f3e MC |
338 | if (!setup_tbuf(rctx, ctx)) |
339 | return -1; | |
340 | ret = RSA_private_decrypt(inlen, in, rctx->tbuf, | |
341 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); | |
342 | if (ret <= 0) | |
343 | return ret; | |
237bc6c9 BE |
344 | ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, |
345 | ret, ret, | |
0f113f3e MC |
346 | rctx->oaep_label, |
347 | rctx->oaep_labellen, | |
348 | rctx->md, rctx->mgf1md); | |
90862ab4 | 349 | } else { |
0f113f3e MC |
350 | ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, |
351 | rctx->pad_mode); | |
90862ab4 | 352 | } |
049e64cb BE |
353 | *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); |
354 | ret = constant_time_select_int(constant_time_msb(ret), ret, 1); | |
355 | return ret; | |
0f113f3e | 356 | } |
07e970c7 | 357 | |
75d44c04 | 358 | static int check_padding_md(const EVP_MD *md, int padding) |
0f113f3e | 359 | { |
7f572e95 | 360 | int mdnid; |
52ad523c | 361 | |
0f113f3e MC |
362 | if (!md) |
363 | return 1; | |
364 | ||
7f572e95 DSH |
365 | mdnid = EVP_MD_type(md); |
366 | ||
0f113f3e MC |
367 | if (padding == RSA_NO_PADDING) { |
368 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); | |
369 | return 0; | |
370 | } | |
371 | ||
372 | if (padding == RSA_X931_PADDING) { | |
7f572e95 | 373 | if (RSA_X931_hash_id(mdnid) == -1) { |
0f113f3e MC |
374 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST); |
375 | return 0; | |
376 | } | |
7f572e95 DSH |
377 | } else { |
378 | switch(mdnid) { | |
379 | /* List of all supported RSA digests */ | |
380 | case NID_sha1: | |
381 | case NID_sha224: | |
382 | case NID_sha256: | |
383 | case NID_sha384: | |
384 | case NID_sha512: | |
45c236ad SL |
385 | case NID_sha512_224: |
386 | case NID_sha512_256: | |
7f572e95 DSH |
387 | case NID_md5: |
388 | case NID_md5_sha1: | |
389 | case NID_md2: | |
390 | case NID_md4: | |
391 | case NID_mdc2: | |
392 | case NID_ripemd160: | |
cfb5bc69 AP |
393 | case NID_sha3_224: |
394 | case NID_sha3_256: | |
395 | case NID_sha3_384: | |
396 | case NID_sha3_512: | |
7f572e95 DSH |
397 | return 1; |
398 | ||
399 | default: | |
400 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST); | |
401 | return 0; | |
402 | ||
403 | } | |
0f113f3e MC |
404 | } |
405 | ||
406 | return 1; | |
407 | } | |
b2a97be7 | 408 | |
4a3dc3c0 | 409 | static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) |
0f113f3e MC |
410 | { |
411 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 412 | |
0f113f3e MC |
413 | switch (type) { |
414 | case EVP_PKEY_CTRL_RSA_PADDING: | |
415 | if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) { | |
416 | if (!check_padding_md(rctx->md, p1)) | |
417 | return 0; | |
418 | if (p1 == RSA_PKCS1_PSS_PADDING) { | |
419 | if (!(ctx->operation & | |
420 | (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) | |
421 | goto bad_pad; | |
422 | if (!rctx->md) | |
423 | rctx->md = EVP_sha1(); | |
87ee7b22 | 424 | } else if (pkey_ctx_is_pss(ctx)) { |
a300c725 | 425 | goto bad_pad; |
0f113f3e MC |
426 | } |
427 | if (p1 == RSA_PKCS1_OAEP_PADDING) { | |
428 | if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) | |
429 | goto bad_pad; | |
430 | if (!rctx->md) | |
431 | rctx->md = EVP_sha1(); | |
432 | } | |
433 | rctx->pad_mode = p1; | |
434 | return 1; | |
435 | } | |
436 | bad_pad: | |
437 | RSAerr(RSA_F_PKEY_RSA_CTRL, | |
438 | RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); | |
439 | return -2; | |
440 | ||
441 | case EVP_PKEY_CTRL_GET_RSA_PADDING: | |
442 | *(int *)p2 = rctx->pad_mode; | |
443 | return 1; | |
444 | ||
445 | case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: | |
446 | case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: | |
447 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { | |
448 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); | |
449 | return -2; | |
450 | } | |
cb49e749 | 451 | if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { |
0f113f3e | 452 | *(int *)p2 = rctx->saltlen; |
cb49e749 | 453 | } else { |
137096a7 | 454 | if (p1 < RSA_PSS_SALTLEN_MAX) |
0f113f3e | 455 | return -2; |
79ebfc46 | 456 | if (rsa_pss_restricted(rctx)) { |
137096a7 DSH |
457 | if (p1 == RSA_PSS_SALTLEN_AUTO |
458 | && ctx->operation == EVP_PKEY_OP_VERIFY) { | |
79ebfc46 DSH |
459 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); |
460 | return -2; | |
461 | } | |
137096a7 DSH |
462 | if ((p1 == RSA_PSS_SALTLEN_DIGEST |
463 | && rctx->min_saltlen > EVP_MD_size(rctx->md)) | |
79ebfc46 DSH |
464 | || (p1 >= 0 && p1 < rctx->min_saltlen)) { |
465 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL); | |
466 | return 0; | |
467 | } | |
cb49e749 | 468 | } |
0f113f3e MC |
469 | rctx->saltlen = p1; |
470 | } | |
471 | return 1; | |
472 | ||
473 | case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: | |
cac19d19 | 474 | if (p1 < RSA_MIN_MODULUS_BITS) { |
0f113f3e MC |
475 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL); |
476 | return -2; | |
477 | } | |
478 | rctx->nbits = p1; | |
479 | return 1; | |
480 | ||
481 | case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: | |
464d59a5 RS |
482 | if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) { |
483 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE); | |
0f113f3e | 484 | return -2; |
464d59a5 | 485 | } |
0f113f3e MC |
486 | BN_free(rctx->pub_exp); |
487 | rctx->pub_exp = p2; | |
488 | return 1; | |
489 | ||
665d899f PY |
490 | case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES: |
491 | if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) { | |
492 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID); | |
493 | return -2; | |
494 | } | |
495 | rctx->primes = p1; | |
496 | return 1; | |
497 | ||
0f113f3e MC |
498 | case EVP_PKEY_CTRL_RSA_OAEP_MD: |
499 | case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: | |
500 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
501 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); | |
502 | return -2; | |
503 | } | |
504 | if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) | |
505 | *(const EVP_MD **)p2 = rctx->md; | |
506 | else | |
507 | rctx->md = p2; | |
508 | return 1; | |
509 | ||
510 | case EVP_PKEY_CTRL_MD: | |
511 | if (!check_padding_md(p2, rctx->pad_mode)) | |
512 | return 0; | |
bc1ea030 | 513 | if (rsa_pss_restricted(rctx)) { |
cb49e749 DSH |
514 | if (EVP_MD_type(rctx->md) == EVP_MD_type(p2)) |
515 | return 1; | |
516 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED); | |
517 | return 0; | |
518 | } | |
0f113f3e MC |
519 | rctx->md = p2; |
520 | return 1; | |
521 | ||
522 | case EVP_PKEY_CTRL_GET_MD: | |
523 | *(const EVP_MD **)p2 = rctx->md; | |
524 | return 1; | |
525 | ||
526 | case EVP_PKEY_CTRL_RSA_MGF1_MD: | |
527 | case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: | |
528 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING | |
529 | && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
530 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); | |
531 | return -2; | |
532 | } | |
533 | if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { | |
534 | if (rctx->mgf1md) | |
535 | *(const EVP_MD **)p2 = rctx->mgf1md; | |
536 | else | |
537 | *(const EVP_MD **)p2 = rctx->md; | |
cb49e749 | 538 | } else { |
bc1ea030 | 539 | if (rsa_pss_restricted(rctx)) { |
8a3cde7d | 540 | if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2)) |
cb49e749 DSH |
541 | return 1; |
542 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED); | |
543 | return 0; | |
544 | } | |
0f113f3e | 545 | rctx->mgf1md = p2; |
cb49e749 | 546 | } |
0f113f3e MC |
547 | return 1; |
548 | ||
549 | case EVP_PKEY_CTRL_RSA_OAEP_LABEL: | |
550 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
551 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); | |
552 | return -2; | |
553 | } | |
b548a1f1 | 554 | OPENSSL_free(rctx->oaep_label); |
0f113f3e MC |
555 | if (p2 && p1 > 0) { |
556 | rctx->oaep_label = p2; | |
557 | rctx->oaep_labellen = p1; | |
558 | } else { | |
559 | rctx->oaep_label = NULL; | |
560 | rctx->oaep_labellen = 0; | |
561 | } | |
562 | return 1; | |
563 | ||
564 | case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: | |
565 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
566 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); | |
567 | return -2; | |
568 | } | |
569 | *(unsigned char **)p2 = rctx->oaep_label; | |
570 | return rctx->oaep_labellen; | |
571 | ||
572 | case EVP_PKEY_CTRL_DIGESTINIT: | |
186e48cd DSH |
573 | case EVP_PKEY_CTRL_PKCS7_SIGN: |
574 | #ifndef OPENSSL_NO_CMS | |
575 | case EVP_PKEY_CTRL_CMS_SIGN: | |
576 | #endif | |
577 | return 1; | |
578 | ||
0f113f3e MC |
579 | case EVP_PKEY_CTRL_PKCS7_ENCRYPT: |
580 | case EVP_PKEY_CTRL_PKCS7_DECRYPT: | |
8931b30d | 581 | #ifndef OPENSSL_NO_CMS |
0f113f3e MC |
582 | case EVP_PKEY_CTRL_CMS_DECRYPT: |
583 | case EVP_PKEY_CTRL_CMS_ENCRYPT: | |
1bcbf658 | 584 | #endif |
186e48cd | 585 | if (!pkey_ctx_is_pss(ctx)) |
0f113f3e | 586 | return 1; |
1bcbf658 | 587 | /* fall through */ |
0f113f3e MC |
588 | case EVP_PKEY_CTRL_PEER_KEY: |
589 | RSAerr(RSA_F_PKEY_RSA_CTRL, | |
590 | RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); | |
591 | return -2; | |
592 | ||
593 | default: | |
594 | return -2; | |
399a6f0b | 595 | |
0f113f3e MC |
596 | } |
597 | } | |
4a3dc3c0 | 598 | |
4a3dc3c0 | 599 | static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
600 | const char *type, const char *value) |
601 | { | |
52ad523c | 602 | if (value == NULL) { |
0f113f3e MC |
603 | RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); |
604 | return 0; | |
605 | } | |
86885c28 | 606 | if (strcmp(type, "rsa_padding_mode") == 0) { |
0f113f3e | 607 | int pm; |
665d899f | 608 | |
90862ab4 | 609 | if (strcmp(value, "pkcs1") == 0) { |
0f113f3e | 610 | pm = RSA_PKCS1_PADDING; |
90862ab4 | 611 | } else if (strcmp(value, "sslv23") == 0) { |
0f113f3e | 612 | pm = RSA_SSLV23_PADDING; |
90862ab4 | 613 | } else if (strcmp(value, "none") == 0) { |
0f113f3e | 614 | pm = RSA_NO_PADDING; |
90862ab4 | 615 | } else if (strcmp(value, "oeap") == 0) { |
0f113f3e | 616 | pm = RSA_PKCS1_OAEP_PADDING; |
90862ab4 | 617 | } else if (strcmp(value, "oaep") == 0) { |
0f113f3e | 618 | pm = RSA_PKCS1_OAEP_PADDING; |
90862ab4 | 619 | } else if (strcmp(value, "x931") == 0) { |
0f113f3e | 620 | pm = RSA_X931_PADDING; |
90862ab4 | 621 | } else if (strcmp(value, "pss") == 0) { |
0f113f3e | 622 | pm = RSA_PKCS1_PSS_PADDING; |
90862ab4 | 623 | } else { |
0f113f3e MC |
624 | RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE); |
625 | return -2; | |
626 | } | |
627 | return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); | |
628 | } | |
629 | ||
86885c28 | 630 | if (strcmp(type, "rsa_pss_saltlen") == 0) { |
0f113f3e | 631 | int saltlen; |
665d899f | 632 | |
137096a7 DSH |
633 | if (!strcmp(value, "digest")) |
634 | saltlen = RSA_PSS_SALTLEN_DIGEST; | |
635 | else if (!strcmp(value, "max")) | |
636 | saltlen = RSA_PSS_SALTLEN_MAX; | |
637 | else if (!strcmp(value, "auto")) | |
638 | saltlen = RSA_PSS_SALTLEN_AUTO; | |
639 | else | |
640 | saltlen = atoi(value); | |
0f113f3e MC |
641 | return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); |
642 | } | |
643 | ||
86885c28 | 644 | if (strcmp(type, "rsa_keygen_bits") == 0) { |
665d899f PY |
645 | int nbits = atoi(value); |
646 | ||
0f113f3e MC |
647 | return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); |
648 | } | |
649 | ||
86885c28 | 650 | if (strcmp(type, "rsa_keygen_pubexp") == 0) { |
0f113f3e | 651 | int ret; |
665d899f | 652 | |
0f113f3e MC |
653 | BIGNUM *pubexp = NULL; |
654 | if (!BN_asc2bn(&pubexp, value)) | |
655 | return 0; | |
3786d748 | 656 | ret = EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, pubexp); |
657 | BN_free(pubexp); | |
0f113f3e MC |
658 | return ret; |
659 | } | |
660 | ||
665d899f PY |
661 | if (strcmp(type, "rsa_keygen_primes") == 0) { |
662 | int nprimes = atoi(value); | |
663 | ||
664 | return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes); | |
665 | } | |
666 | ||
410877ba DSH |
667 | if (strcmp(type, "rsa_mgf1_md") == 0) |
668 | return EVP_PKEY_CTX_md(ctx, | |
669 | EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, | |
670 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); | |
0f113f3e | 671 | |
87ee7b22 | 672 | if (pkey_ctx_is_pss(ctx)) { |
e64b2b5c DSH |
673 | |
674 | if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0) | |
675 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, | |
676 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); | |
677 | ||
678 | if (strcmp(type, "rsa_pss_keygen_md") == 0) | |
679 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, | |
680 | EVP_PKEY_CTRL_MD, value); | |
681 | ||
682 | if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) { | |
c82bafc5 DSH |
683 | int saltlen = atoi(value); |
684 | ||
e64b2b5c | 685 | return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); |
0f113f3e | 686 | } |
0f113f3e | 687 | } |
410877ba DSH |
688 | |
689 | if (strcmp(type, "rsa_oaep_md") == 0) | |
690 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, | |
691 | EVP_PKEY_CTRL_RSA_OAEP_MD, value); | |
692 | ||
86885c28 | 693 | if (strcmp(type, "rsa_oaep_label") == 0) { |
0f113f3e MC |
694 | unsigned char *lab; |
695 | long lablen; | |
696 | int ret; | |
665d899f | 697 | |
14f051a0 | 698 | lab = OPENSSL_hexstr2buf(value, &lablen); |
0f113f3e MC |
699 | if (!lab) |
700 | return 0; | |
701 | ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); | |
702 | if (ret <= 0) | |
703 | OPENSSL_free(lab); | |
704 | return ret; | |
705 | } | |
706 | ||
707 | return -2; | |
708 | } | |
4a3dc3c0 | 709 | |
e64b2b5c DSH |
710 | /* Set PSS parameters when generating a key, if necessary */ |
711 | static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) | |
712 | { | |
713 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 714 | |
87ee7b22 | 715 | if (!pkey_ctx_is_pss(ctx)) |
e64b2b5c | 716 | return 1; |
87ee7b22 | 717 | /* If all parameters are default values don't set pss */ |
e64b2b5c DSH |
718 | if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2) |
719 | return 1; | |
720 | rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md, | |
721 | rctx->saltlen == -2 ? 0 : rctx->saltlen); | |
722 | if (rsa->pss == NULL) | |
723 | return 0; | |
724 | return 1; | |
725 | } | |
726 | ||
f5cda4cb | 727 | static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) |
0f113f3e MC |
728 | { |
729 | RSA *rsa = NULL; | |
730 | RSA_PKEY_CTX *rctx = ctx->data; | |
731 | BN_GENCB *pcb; | |
732 | int ret; | |
52ad523c | 733 | |
90945fa3 | 734 | if (rctx->pub_exp == NULL) { |
0f113f3e | 735 | rctx->pub_exp = BN_new(); |
90945fa3 | 736 | if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4)) |
0f113f3e MC |
737 | return 0; |
738 | } | |
739 | rsa = RSA_new(); | |
90945fa3 | 740 | if (rsa == NULL) |
0f113f3e MC |
741 | return 0; |
742 | if (ctx->pkey_gencb) { | |
743 | pcb = BN_GENCB_new(); | |
90945fa3 | 744 | if (pcb == NULL) { |
0f113f3e MC |
745 | RSA_free(rsa); |
746 | return 0; | |
747 | } | |
748 | evp_pkey_set_cb_translate(pcb, ctx); | |
90862ab4 | 749 | } else { |
0f113f3e | 750 | pcb = NULL; |
90862ab4 | 751 | } |
665d899f PY |
752 | ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes, |
753 | rctx->pub_exp, pcb); | |
0f113f3e | 754 | BN_GENCB_free(pcb); |
e64b2b5c DSH |
755 | if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { |
756 | RSA_free(rsa); | |
757 | return 0; | |
758 | } | |
0f113f3e | 759 | if (ret > 0) |
faa02fe2 | 760 | EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); |
0f113f3e MC |
761 | else |
762 | RSA_free(rsa); | |
763 | return ret; | |
764 | } | |
765 | ||
19bd1fa1 | 766 | static const EVP_PKEY_METHOD rsa_pkey_meth = { |
0f113f3e MC |
767 | EVP_PKEY_RSA, |
768 | EVP_PKEY_FLAG_AUTOARGLEN, | |
769 | pkey_rsa_init, | |
770 | pkey_rsa_copy, | |
771 | pkey_rsa_cleanup, | |
772 | ||
773 | 0, 0, | |
774 | ||
775 | 0, | |
776 | pkey_rsa_keygen, | |
777 | ||
778 | 0, | |
779 | pkey_rsa_sign, | |
780 | ||
781 | 0, | |
782 | pkey_rsa_verify, | |
783 | ||
784 | 0, | |
785 | pkey_rsa_verifyrecover, | |
786 | ||
787 | 0, 0, 0, 0, | |
788 | ||
789 | 0, | |
790 | pkey_rsa_encrypt, | |
791 | ||
792 | 0, | |
793 | pkey_rsa_decrypt, | |
794 | ||
795 | 0, 0, | |
796 | ||
797 | pkey_rsa_ctrl, | |
798 | pkey_rsa_ctrl_str | |
799 | }; | |
6577e008 | 800 | |
19bd1fa1 PS |
801 | const EVP_PKEY_METHOD *rsa_pkey_method(void) |
802 | { | |
803 | return &rsa_pkey_meth; | |
804 | } | |
805 | ||
59029ca1 DSH |
806 | /* |
807 | * Called for PSS sign or verify initialisation: checks PSS parameter | |
808 | * sanity and sets any restrictions on key usage. | |
809 | */ | |
810 | ||
811 | static int pkey_pss_init(EVP_PKEY_CTX *ctx) | |
812 | { | |
813 | RSA *rsa; | |
814 | RSA_PKEY_CTX *rctx = ctx->data; | |
815 | const EVP_MD *md; | |
816 | const EVP_MD *mgf1md; | |
79ebfc46 | 817 | int min_saltlen, max_saltlen; |
52ad523c | 818 | |
59029ca1 DSH |
819 | /* Should never happen */ |
820 | if (!pkey_ctx_is_pss(ctx)) | |
821 | return 0; | |
822 | rsa = ctx->pkey->pkey.rsa; | |
823 | /* If no restrictions just return */ | |
824 | if (rsa->pss == NULL) | |
825 | return 1; | |
826 | /* Get and check parameters */ | |
827 | if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) | |
828 | return 0; | |
829 | ||
46f4e1be | 830 | /* See if minimum salt length exceeds maximum possible */ |
79ebfc46 DSH |
831 | max_saltlen = RSA_size(rsa) - EVP_MD_size(md); |
832 | if ((RSA_bits(rsa) & 0x7) == 1) | |
833 | max_saltlen--; | |
834 | if (min_saltlen > max_saltlen) { | |
835 | RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH); | |
836 | return 0; | |
837 | } | |
838 | ||
59029ca1 DSH |
839 | rctx->min_saltlen = min_saltlen; |
840 | ||
841 | /* | |
842 | * Set PSS restrictions as defaults: we can then block any attempt to | |
843 | * use invalid values in pkey_rsa_ctrl | |
844 | */ | |
845 | ||
846 | rctx->md = md; | |
847 | rctx->mgf1md = mgf1md; | |
848 | rctx->saltlen = min_saltlen; | |
849 | ||
850 | return 1; | |
851 | } | |
852 | ||
19bd1fa1 | 853 | static const EVP_PKEY_METHOD rsa_pss_pkey_meth = { |
6577e008 DSH |
854 | EVP_PKEY_RSA_PSS, |
855 | EVP_PKEY_FLAG_AUTOARGLEN, | |
856 | pkey_rsa_init, | |
857 | pkey_rsa_copy, | |
858 | pkey_rsa_cleanup, | |
859 | ||
860 | 0, 0, | |
861 | ||
862 | 0, | |
863 | pkey_rsa_keygen, | |
864 | ||
59029ca1 | 865 | pkey_pss_init, |
6577e008 DSH |
866 | pkey_rsa_sign, |
867 | ||
59029ca1 | 868 | pkey_pss_init, |
6577e008 DSH |
869 | pkey_rsa_verify, |
870 | ||
871 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | |
872 | ||
873 | pkey_rsa_ctrl, | |
874 | pkey_rsa_ctrl_str | |
875 | }; | |
19bd1fa1 PS |
876 | |
877 | const EVP_PKEY_METHOD *rsa_pss_pkey_method(void) | |
878 | { | |
879 | return &rsa_pss_pkey_meth; | |
880 | } |