1 /*
2 * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "internal/constant_time.h"
11
12 #include <stdio.h>
13 #include "internal/cryptlib.h"
14 #include <openssl/asn1t.h>
15 #include <openssl/x509.h>
16 #include <openssl/rsa.h>
17 #include <openssl/bn.h>
18 #include <openssl/evp.h>
19 #include <openssl/x509v3.h>
20 #include <openssl/cms.h>
21 #include "crypto/evp.h"
22 #include "rsa_local.h"
23
24 /* RSA pkey context structure */
25
26 typedef struct {
27 /* Key gen parameters */
28 int nbits;
29 BIGNUM *pub_exp;
30 int primes;
31 /* Keygen callback info */
32 int gentmp[2];
33 /* RSA padding mode */
34 int pad_mode;
35 /* message digest */
36 const EVP_MD *md;
37 /* message digest for MGF1 */
38 const EVP_MD *mgf1md;
39 /* PSS salt length */
40 int saltlen;
41 /* Minimum salt length or -1 if no PSS parameter restriction */
42 int min_saltlen;
43 /* Temp buffer */
44 unsigned char *tbuf;
45 /* OAEP label */
46 unsigned char *oaep_label;
47 size_t oaep_labellen;
48 } RSA_PKEY_CTX;
49
50 /* True if PSS parameters are restricted */
51 #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
52
pkey_rsa_init(EVP_PKEY_CTX * ctx)53 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
54 {
55 RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx));
56
57 if (rctx == NULL)
58 return 0;
59 rctx->nbits = 2048;
60 rctx->primes = RSA_DEFAULT_PRIME_NUM;
61 if (pkey_ctx_is_pss(ctx))
62 rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
63 else
64 rctx->pad_mode = RSA_PKCS1_PADDING;
65 /* Maximum for sign, auto for verify */
66 rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
67 rctx->min_saltlen = -1;
68 ctx->data = rctx;
69 ctx->keygen_info = rctx->gentmp;
70 ctx->keygen_info_count = 2;
71
72 return 1;
73 }
74
pkey_rsa_copy(EVP_PKEY_CTX * dst,EVP_PKEY_CTX * src)75 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
76 {
77 RSA_PKEY_CTX *dctx, *sctx;
78
79 if (!pkey_rsa_init(dst))
80 return 0;
81 sctx = src->data;
82 dctx = dst->data;
83 dctx->nbits = sctx->nbits;
84 if (sctx->pub_exp) {
85 dctx->pub_exp = BN_dup(sctx->pub_exp);
86 if (!dctx->pub_exp)
87 return 0;
88 }
89 dctx->pad_mode = sctx->pad_mode;
90 dctx->md = sctx->md;
91 dctx->mgf1md = sctx->mgf1md;
92 if (sctx->oaep_label) {
93 OPENSSL_free(dctx->oaep_label);
94 dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
95 if (!dctx->oaep_label)
96 return 0;
97 dctx->oaep_labellen = sctx->oaep_labellen;
98 }
99 return 1;
100 }
101
setup_tbuf(RSA_PKEY_CTX * ctx,EVP_PKEY_CTX * pk)102 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
103 {
104 if (ctx->tbuf != NULL)
105 return 1;
106 if ((ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey))) == NULL) {
107 RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE);
108 return 0;
109 }
110 return 1;
111 }
112
pkey_rsa_cleanup(EVP_PKEY_CTX * ctx)113 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
114 {
115 RSA_PKEY_CTX *rctx = ctx->data;
116 if (rctx) {
117 BN_free(rctx->pub_exp);
118 OPENSSL_free(rctx->tbuf);
119 OPENSSL_free(rctx->oaep_label);
120 OPENSSL_free(rctx);
121 }
122 }
123
pkey_rsa_sign(EVP_PKEY_CTX * ctx,unsigned char * sig,size_t * siglen,const unsigned char * tbs,size_t tbslen)124 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
125 size_t *siglen, const unsigned char *tbs,
126 size_t tbslen)
127 {
128 int ret;
129 RSA_PKEY_CTX *rctx = ctx->data;
130 RSA *rsa = ctx->pkey->pkey.rsa;
131
132 if (rctx->md) {
133 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
134 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
135 return -1;
136 }
137
138 if (EVP_MD_type(rctx->md) == NID_mdc2) {
139 unsigned int sltmp;
140 if (rctx->pad_mode != RSA_PKCS1_PADDING)
141 return -1;
142 ret = RSA_sign_ASN1_OCTET_STRING(0,
143 tbs, tbslen, sig, &sltmp, rsa);
144
145 if (ret <= 0)
146 return ret;
147 ret = sltmp;
148 } else if (rctx->pad_mode == RSA_X931_PADDING) {
149 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
150 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL);
151 return -1;
152 }
153 if (!setup_tbuf(rctx, ctx)) {
154 RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE);
155 return -1;
156 }
157 memcpy(rctx->tbuf, tbs, tbslen);
158 rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md));
159 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
160 sig, rsa, RSA_X931_PADDING);
161 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
162 unsigned int sltmp;
163 ret = RSA_sign(EVP_MD_type(rctx->md),
164 tbs, tbslen, sig, &sltmp, rsa);
165 if (ret <= 0)
166 return ret;
167 ret = sltmp;
168 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
169 if (!setup_tbuf(rctx, ctx))
170 return -1;
171 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
172 rctx->tbuf, tbs,
173 rctx->md, rctx->mgf1md,
174 rctx->saltlen))
175 return -1;
176 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
177 sig, rsa, RSA_NO_PADDING);
178 } else {
179 return -1;
180 }
181 } else {
182 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
183 rctx->pad_mode);
184 }
185 if (ret < 0)
186 return ret;
187 *siglen = ret;
188 return 1;
189 }
190
pkey_rsa_verifyrecover(EVP_PKEY_CTX * ctx,unsigned char * rout,size_t * routlen,const unsigned char * sig,size_t siglen)191 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
192 unsigned char *rout, size_t *routlen,
193 const unsigned char *sig, size_t siglen)
194 {
195 int ret;
196 RSA_PKEY_CTX *rctx = ctx->data;
197
198 if (rctx->md) {
199 if (rctx->pad_mode == RSA_X931_PADDING) {
200 if (!setup_tbuf(rctx, ctx))
201 return -1;
202 ret = RSA_public_decrypt(siglen, sig,
203 rctx->tbuf, ctx->pkey->pkey.rsa,
204 RSA_X931_PADDING);
205 if (ret < 1)
206 return 0;
207 ret--;
208 if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
209 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
210 RSA_R_ALGORITHM_MISMATCH);
211 return 0;
212 }
213 if (ret != EVP_MD_size(rctx->md)) {
214 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
215 RSA_R_INVALID_DIGEST_LENGTH);
216 return 0;
217 }
218 if (rout)
219 memcpy(rout, rctx->tbuf, ret);
220 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
221 size_t sltmp;
222 ret = int_rsa_verify(EVP_MD_type(rctx->md),
223 NULL, 0, rout, &sltmp,
224 sig, siglen, ctx->pkey->pkey.rsa);
225 if (ret <= 0)
226 return 0;
227 ret = sltmp;
228 } else {
229 return -1;
230 }
231 } else {
232 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
233 rctx->pad_mode);
234 }
235 if (ret < 0)
236 return ret;
237 *routlen = ret;
238 return 1;
239 }
240
pkey_rsa_verify(EVP_PKEY_CTX * ctx,const unsigned char * sig,size_t siglen,const unsigned char * tbs,size_t tbslen)241 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
242 const unsigned char *sig, size_t siglen,
243 const unsigned char *tbs, size_t tbslen)
244 {
245 RSA_PKEY_CTX *rctx = ctx->data;
246 RSA *rsa = ctx->pkey->pkey.rsa;
247 size_t rslen;
248
249 if (rctx->md) {
250 if (rctx->pad_mode == RSA_PKCS1_PADDING)
251 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
252 sig, siglen, rsa);
253 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
254 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
255 return -1;
256 }
257 if (rctx->pad_mode == RSA_X931_PADDING) {
258 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
259 return 0;
260 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
261 int ret;
262 if (!setup_tbuf(rctx, ctx))
263 return -1;
264 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
265 rsa, RSA_NO_PADDING);
266 if (ret <= 0)
267 return 0;
268 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
269 rctx->md, rctx->mgf1md,
270 rctx->tbuf, rctx->saltlen);
271 if (ret <= 0)
272 return 0;
273 return 1;
274 } else {
275 return -1;
276 }
277 } else {
278 if (!setup_tbuf(rctx, ctx))
279 return -1;
280 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
281 rsa, rctx->pad_mode);
282 if (rslen == 0)
283 return 0;
284 }
285
286 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
287 return 0;
288
289 return 1;
290
291 }
292
pkey_rsa_encrypt(EVP_PKEY_CTX * ctx,unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen)293 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
294 unsigned char *out, size_t *outlen,
295 const unsigned char *in, size_t inlen)
296 {
297 int ret;
298 RSA_PKEY_CTX *rctx = ctx->data;
299
300 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
301 int klen = RSA_size(ctx->pkey->pkey.rsa);
302 if (!setup_tbuf(rctx, ctx))
303 return -1;
304 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
305 in, inlen,
306 rctx->oaep_label,
307 rctx->oaep_labellen,
308 rctx->md, rctx->mgf1md))
309 return -1;
310 ret = RSA_public_encrypt(klen, rctx->tbuf, out,
311 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
312 } else {
313 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
314 rctx->pad_mode);
315 }
316 if (ret < 0)
317 return ret;
318 *outlen = ret;
319 return 1;
320 }
321
pkey_rsa_decrypt(EVP_PKEY_CTX * ctx,unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen)322 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
323 unsigned char *out, size_t *outlen,
324 const unsigned char *in, size_t inlen)
325 {
326 int ret;
327 RSA_PKEY_CTX *rctx = ctx->data;
328
329 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
330 if (!setup_tbuf(rctx, ctx))
331 return -1;
332 ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
333 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
334 if (ret <= 0)
335 return ret;
336 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
337 ret, ret,
338 rctx->oaep_label,
339 rctx->oaep_labellen,
340 rctx->md, rctx->mgf1md);
341 } else {
342 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
343 rctx->pad_mode);
344 }
345 *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
346 ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
347 return ret;
348 }
349
check_padding_md(const EVP_MD * md,int padding)350 static int check_padding_md(const EVP_MD *md, int padding)
351 {
352 int mdnid;
353
354 if (!md)
355 return 1;
356
357 mdnid = EVP_MD_type(md);
358
359 if (padding == RSA_NO_PADDING) {
360 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
361 return 0;
362 }
363
364 if (padding == RSA_X931_PADDING) {
365 if (RSA_X931_hash_id(mdnid) == -1) {
366 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST);
367 return 0;
368 }
369 } else {
370 switch(mdnid) {
371 /* List of all supported RSA digests */
372 case NID_sha1:
373 case NID_sha224:
374 case NID_sha256:
375 case NID_sha384:
376 case NID_sha512:
377 case NID_md5:
378 case NID_md5_sha1:
379 case NID_md2:
380 case NID_md4:
381 case NID_mdc2:
382 case NID_ripemd160:
383 case NID_sha3_224:
384 case NID_sha3_256:
385 case NID_sha3_384:
386 case NID_sha3_512:
387 return 1;
388
389 default:
390 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST);
391 return 0;
392
393 }
394 }
395
396 return 1;
397 }
398
pkey_rsa_ctrl(EVP_PKEY_CTX * ctx,int type,int p1,void * p2)399 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
400 {
401 RSA_PKEY_CTX *rctx = ctx->data;
402
403 switch (type) {
404 case EVP_PKEY_CTRL_RSA_PADDING:
405 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
406 if (!check_padding_md(rctx->md, p1))
407 return 0;
408 if (p1 == RSA_PKCS1_PSS_PADDING) {
409 if (!(ctx->operation &
410 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
411 goto bad_pad;
412 if (!rctx->md)
413 rctx->md = EVP_sha1();
414 } else if (pkey_ctx_is_pss(ctx)) {
415 goto bad_pad;
416 }
417 if (p1 == RSA_PKCS1_OAEP_PADDING) {
418 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
419 goto bad_pad;
420 if (!rctx->md)
421 rctx->md = EVP_sha1();
422 }
423 rctx->pad_mode = p1;
424 return 1;
425 }
426 bad_pad:
427 RSAerr(RSA_F_PKEY_RSA_CTRL,
428 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
429 return -2;
430
431 case EVP_PKEY_CTRL_GET_RSA_PADDING:
432 *(int *)p2 = rctx->pad_mode;
433 return 1;
434
435 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
436 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
437 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
438 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
439 return -2;
440 }
441 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
442 *(int *)p2 = rctx->saltlen;
443 } else {
444 if (p1 < RSA_PSS_SALTLEN_MAX)
445 return -2;
446 if (rsa_pss_restricted(rctx)) {
447 if (p1 == RSA_PSS_SALTLEN_AUTO
448 && ctx->operation == EVP_PKEY_OP_VERIFY) {
449 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
450 return -2;
451 }
452 if ((p1 == RSA_PSS_SALTLEN_DIGEST
453 && rctx->min_saltlen > EVP_MD_size(rctx->md))
454 || (p1 >= 0 && p1 < rctx->min_saltlen)) {
455 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL);
456 return 0;
457 }
458 }
459 rctx->saltlen = p1;
460 }
461 return 1;
462
463 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
464 if (p1 < RSA_MIN_MODULUS_BITS) {
465 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL);
466 return -2;
467 }
468 rctx->nbits = p1;
469 return 1;
470
471 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
472 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) {
473 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE);
474 return -2;
475 }
476 BN_free(rctx->pub_exp);
477 rctx->pub_exp = p2;
478 return 1;
479
480 case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES:
481 if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) {
482 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID);
483 return -2;
484 }
485 rctx->primes = p1;
486 return 1;
487
488 case EVP_PKEY_CTRL_RSA_OAEP_MD:
489 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
490 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
491 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
492 return -2;
493 }
494 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
495 *(const EVP_MD **)p2 = rctx->md;
496 else
497 rctx->md = p2;
498 return 1;
499
500 case EVP_PKEY_CTRL_MD:
501 if (!check_padding_md(p2, rctx->pad_mode))
502 return 0;
503 if (rsa_pss_restricted(rctx)) {
504 if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
505 return 1;
506 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED);
507 return 0;
508 }
509 rctx->md = p2;
510 return 1;
511
512 case EVP_PKEY_CTRL_GET_MD:
513 *(const EVP_MD **)p2 = rctx->md;
514 return 1;
515
516 case EVP_PKEY_CTRL_RSA_MGF1_MD:
517 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
518 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
519 && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
520 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
521 return -2;
522 }
523 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
524 if (rctx->mgf1md)
525 *(const EVP_MD **)p2 = rctx->mgf1md;
526 else
527 *(const EVP_MD **)p2 = rctx->md;
528 } else {
529 if (rsa_pss_restricted(rctx)) {
530 if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
531 return 1;
532 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED);
533 return 0;
534 }
535 rctx->mgf1md = p2;
536 }
537 return 1;
538
539 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
540 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
541 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
542 return -2;
543 }
544 OPENSSL_free(rctx->oaep_label);
545 if (p2 && p1 > 0) {
546 rctx->oaep_label = p2;
547 rctx->oaep_labellen = p1;
548 } else {
549 rctx->oaep_label = NULL;
550 rctx->oaep_labellen = 0;
551 }
552 return 1;
553
554 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
555 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
556 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
557 return -2;
558 }
559 *(unsigned char **)p2 = rctx->oaep_label;
560 return rctx->oaep_labellen;
561
562 case EVP_PKEY_CTRL_DIGESTINIT:
563 case EVP_PKEY_CTRL_PKCS7_SIGN:
564 #ifndef OPENSSL_NO_CMS
565 case EVP_PKEY_CTRL_CMS_SIGN:
566 #endif
567 return 1;
568
569 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
570 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
571 #ifndef OPENSSL_NO_CMS
572 case EVP_PKEY_CTRL_CMS_DECRYPT:
573 case EVP_PKEY_CTRL_CMS_ENCRYPT:
574 #endif
575 if (!pkey_ctx_is_pss(ctx))
576 return 1;
577 /* fall through */
578 case EVP_PKEY_CTRL_PEER_KEY:
579 RSAerr(RSA_F_PKEY_RSA_CTRL,
580 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
581 return -2;
582
583 default:
584 return -2;
585
586 }
587 }
588
pkey_rsa_ctrl_str(EVP_PKEY_CTX * ctx,const char * type,const char * value)589 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
590 const char *type, const char *value)
591 {
592 if (value == NULL) {
593 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
594 return 0;
595 }
596 if (strcmp(type, "rsa_padding_mode") == 0) {
597 int pm;
598
599 if (strcmp(value, "pkcs1") == 0) {
600 pm = RSA_PKCS1_PADDING;
601 } else if (strcmp(value, "sslv23") == 0) {
602 pm = RSA_SSLV23_PADDING;
603 } else if (strcmp(value, "none") == 0) {
604 pm = RSA_NO_PADDING;
605 } else if (strcmp(value, "oeap") == 0) {
606 pm = RSA_PKCS1_OAEP_PADDING;
607 } else if (strcmp(value, "oaep") == 0) {
608 pm = RSA_PKCS1_OAEP_PADDING;
609 } else if (strcmp(value, "x931") == 0) {
610 pm = RSA_X931_PADDING;
611 } else if (strcmp(value, "pss") == 0) {
612 pm = RSA_PKCS1_PSS_PADDING;
613 } else {
614 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE);
615 return -2;
616 }
617 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
618 }
619
620 if (strcmp(type, "rsa_pss_saltlen") == 0) {
621 int saltlen;
622
623 if (!strcmp(value, "digest"))
624 saltlen = RSA_PSS_SALTLEN_DIGEST;
625 else if (!strcmp(value, "max"))
626 saltlen = RSA_PSS_SALTLEN_MAX;
627 else if (!strcmp(value, "auto"))
628 saltlen = RSA_PSS_SALTLEN_AUTO;
629 else
630 saltlen = atoi(value);
631 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
632 }
633
634 if (strcmp(type, "rsa_keygen_bits") == 0) {
635 int nbits = atoi(value);
636
637 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
638 }
639
640 if (strcmp(type, "rsa_keygen_pubexp") == 0) {
641 int ret;
642
643 BIGNUM *pubexp = NULL;
644 if (!BN_asc2bn(&pubexp, value))
645 return 0;
646 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
647 if (ret <= 0)
648 BN_free(pubexp);
649 return ret;
650 }
651
652 if (strcmp(type, "rsa_keygen_primes") == 0) {
653 int nprimes = atoi(value);
654
655 return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes);
656 }
657
658 if (strcmp(type, "rsa_mgf1_md") == 0)
659 return EVP_PKEY_CTX_md(ctx,
660 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
661 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
662
663 if (pkey_ctx_is_pss(ctx)) {
664
665 if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
666 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
667 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
668
669 if (strcmp(type, "rsa_pss_keygen_md") == 0)
670 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
671 EVP_PKEY_CTRL_MD, value);
672
673 if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
674 int saltlen = atoi(value);
675
676 return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
677 }
678 }
679
680 if (strcmp(type, "rsa_oaep_md") == 0)
681 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
682 EVP_PKEY_CTRL_RSA_OAEP_MD, value);
683
684 if (strcmp(type, "rsa_oaep_label") == 0) {
685 unsigned char *lab;
686 long lablen;
687 int ret;
688
689 lab = OPENSSL_hexstr2buf(value, &lablen);
690 if (!lab)
691 return 0;
692 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
693 if (ret <= 0)
694 OPENSSL_free(lab);
695 return ret;
696 }
697
698 return -2;
699 }
700
701 /* Set PSS parameters when generating a key, if necessary */
rsa_set_pss_param(RSA * rsa,EVP_PKEY_CTX * ctx)702 static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
703 {
704 RSA_PKEY_CTX *rctx = ctx->data;
705
706 if (!pkey_ctx_is_pss(ctx))
707 return 1;
708 /* If all parameters are default values don't set pss */
709 if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2)
710 return 1;
711 rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
712 rctx->saltlen == -2 ? 0 : rctx->saltlen);
713 if (rsa->pss == NULL)
714 return 0;
715 return 1;
716 }
717
pkey_rsa_keygen(EVP_PKEY_CTX * ctx,EVP_PKEY * pkey)718 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
719 {
720 RSA *rsa = NULL;
721 RSA_PKEY_CTX *rctx = ctx->data;
722 BN_GENCB *pcb;
723 int ret;
724
725 if (rctx->pub_exp == NULL) {
726 rctx->pub_exp = BN_new();
727 if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4))
728 return 0;
729 }
730 rsa = RSA_new();
731 if (rsa == NULL)
732 return 0;
733 if (ctx->pkey_gencb) {
734 pcb = BN_GENCB_new();
735 if (pcb == NULL) {
736 RSA_free(rsa);
737 return 0;
738 }
739 evp_pkey_set_cb_translate(pcb, ctx);
740 } else {
741 pcb = NULL;
742 }
743 ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes,
744 rctx->pub_exp, pcb);
745 BN_GENCB_free(pcb);
746 if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
747 RSA_free(rsa);
748 return 0;
749 }
750 if (ret > 0)
751 EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
752 else
753 RSA_free(rsa);
754 return ret;
755 }
756
757 const EVP_PKEY_METHOD rsa_pkey_meth = {
758 EVP_PKEY_RSA,
759 EVP_PKEY_FLAG_AUTOARGLEN,
760 pkey_rsa_init,
761 pkey_rsa_copy,
762 pkey_rsa_cleanup,
763
764 0, 0,
765
766 0,
767 pkey_rsa_keygen,
768
769 0,
770 pkey_rsa_sign,
771
772 0,
773 pkey_rsa_verify,
774
775 0,
776 pkey_rsa_verifyrecover,
777
778 0, 0, 0, 0,
779
780 0,
781 pkey_rsa_encrypt,
782
783 0,
784 pkey_rsa_decrypt,
785
786 0, 0,
787
788 pkey_rsa_ctrl,
789 pkey_rsa_ctrl_str
790 };
791
792 /*
793 * Called for PSS sign or verify initialisation: checks PSS parameter
794 * sanity and sets any restrictions on key usage.
795 */
796
pkey_pss_init(EVP_PKEY_CTX * ctx)797 static int pkey_pss_init(EVP_PKEY_CTX *ctx)
798 {
799 RSA *rsa;
800 RSA_PKEY_CTX *rctx = ctx->data;
801 const EVP_MD *md;
802 const EVP_MD *mgf1md;
803 int min_saltlen, max_saltlen;
804
805 /* Should never happen */
806 if (!pkey_ctx_is_pss(ctx))
807 return 0;
808 rsa = ctx->pkey->pkey.rsa;
809 /* If no restrictions just return */
810 if (rsa->pss == NULL)
811 return 1;
812 /* Get and check parameters */
813 if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
814 return 0;
815
816 /* See if minimum salt length exceeds maximum possible */
817 max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
818 if ((RSA_bits(rsa) & 0x7) == 1)
819 max_saltlen--;
820 if (min_saltlen > max_saltlen) {
821 RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH);
822 return 0;
823 }
824
825 rctx->min_saltlen = min_saltlen;
826
827 /*
828 * Set PSS restrictions as defaults: we can then block any attempt to
829 * use invalid values in pkey_rsa_ctrl
830 */
831
832 rctx->md = md;
833 rctx->mgf1md = mgf1md;
834 rctx->saltlen = min_saltlen;
835
836 return 1;
837 }
838
839 const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
840 EVP_PKEY_RSA_PSS,
841 EVP_PKEY_FLAG_AUTOARGLEN,
842 pkey_rsa_init,
843 pkey_rsa_copy,
844 pkey_rsa_cleanup,
845
846 0, 0,
847
848 0,
849 pkey_rsa_keygen,
850
851 pkey_pss_init,
852 pkey_rsa_sign,
853
854 pkey_pss_init,
855 pkey_rsa_verify,
856
857 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
858
859 pkey_rsa_ctrl,
860 pkey_rsa_ctrl_str
861 };
862