1 | /* |
2 | * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include "internal/constant_time.h" |
11 | |
12 | #include <stdio.h> |
13 | #include "internal/cryptlib.h" |
14 | #include <openssl/asn1t.h> |
15 | #include <openssl/x509.h> |
16 | #include <openssl/rsa.h> |
17 | #include <openssl/bn.h> |
18 | #include <openssl/evp.h> |
19 | #include <openssl/x509v3.h> |
20 | #include <openssl/cms.h> |
21 | #include "crypto/evp.h" |
22 | #include "rsa_local.h" |
23 | |
24 | /* RSA pkey context structure */ |
25 | |
26 | typedef struct { |
27 | /* Key gen parameters */ |
28 | int nbits; |
29 | BIGNUM *pub_exp; |
30 | int primes; |
31 | /* Keygen callback info */ |
32 | int gentmp[2]; |
33 | /* RSA padding mode */ |
34 | int pad_mode; |
35 | /* message digest */ |
36 | const EVP_MD *md; |
37 | /* message digest for MGF1 */ |
38 | const EVP_MD *mgf1md; |
39 | /* PSS salt length */ |
40 | int saltlen; |
41 | /* Minimum salt length or -1 if no PSS parameter restriction */ |
42 | int min_saltlen; |
43 | /* Temp buffer */ |
44 | unsigned char *tbuf; |
45 | /* OAEP label */ |
46 | unsigned char *oaep_label; |
47 | size_t oaep_labellen; |
48 | } RSA_PKEY_CTX; |
49 | |
50 | /* True if PSS parameters are restricted */ |
51 | #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) |
52 | |
53 | static int pkey_rsa_init(EVP_PKEY_CTX *ctx) |
54 | { |
55 | RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx)); |
56 | |
57 | if (rctx == NULL) |
58 | return 0; |
59 | rctx->nbits = 2048; |
60 | rctx->primes = RSA_DEFAULT_PRIME_NUM; |
61 | if (pkey_ctx_is_pss(ctx)) |
62 | rctx->pad_mode = RSA_PKCS1_PSS_PADDING; |
63 | else |
64 | rctx->pad_mode = RSA_PKCS1_PADDING; |
65 | /* Maximum for sign, auto for verify */ |
66 | rctx->saltlen = RSA_PSS_SALTLEN_AUTO; |
67 | rctx->min_saltlen = -1; |
68 | ctx->data = rctx; |
69 | ctx->keygen_info = rctx->gentmp; |
70 | ctx->keygen_info_count = 2; |
71 | |
72 | return 1; |
73 | } |
74 | |
75 | static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) |
76 | { |
77 | RSA_PKEY_CTX *dctx, *sctx; |
78 | |
79 | if (!pkey_rsa_init(dst)) |
80 | return 0; |
81 | sctx = src->data; |
82 | dctx = dst->data; |
83 | dctx->nbits = sctx->nbits; |
84 | if (sctx->pub_exp) { |
85 | dctx->pub_exp = BN_dup(sctx->pub_exp); |
86 | if (!dctx->pub_exp) |
87 | return 0; |
88 | } |
89 | dctx->pad_mode = sctx->pad_mode; |
90 | dctx->md = sctx->md; |
91 | dctx->mgf1md = sctx->mgf1md; |
92 | dctx->saltlen = sctx->saltlen; |
93 | if (sctx->oaep_label) { |
94 | OPENSSL_free(dctx->oaep_label); |
95 | dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); |
96 | if (!dctx->oaep_label) |
97 | return 0; |
98 | dctx->oaep_labellen = sctx->oaep_labellen; |
99 | } |
100 | return 1; |
101 | } |
102 | |
103 | static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) |
104 | { |
105 | if (ctx->tbuf != NULL) |
106 | return 1; |
107 | if ((ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey))) == NULL) { |
108 | RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE); |
109 | return 0; |
110 | } |
111 | return 1; |
112 | } |
113 | |
114 | static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) |
115 | { |
116 | RSA_PKEY_CTX *rctx = ctx->data; |
117 | if (rctx) { |
118 | BN_free(rctx->pub_exp); |
119 | OPENSSL_free(rctx->tbuf); |
120 | OPENSSL_free(rctx->oaep_label); |
121 | OPENSSL_free(rctx); |
122 | } |
123 | } |
124 | |
125 | static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, |
126 | size_t *siglen, const unsigned char *tbs, |
127 | size_t tbslen) |
128 | { |
129 | int ret; |
130 | RSA_PKEY_CTX *rctx = ctx->data; |
131 | RSA *rsa = ctx->pkey->pkey.rsa; |
132 | |
133 | if (rctx->md) { |
134 | if (tbslen != (size_t)EVP_MD_size(rctx->md)) { |
135 | RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); |
136 | return -1; |
137 | } |
138 | |
139 | if (EVP_MD_type(rctx->md) == NID_mdc2) { |
140 | unsigned int sltmp; |
141 | if (rctx->pad_mode != RSA_PKCS1_PADDING) |
142 | return -1; |
143 | ret = RSA_sign_ASN1_OCTET_STRING(0, |
144 | tbs, tbslen, sig, &sltmp, rsa); |
145 | |
146 | if (ret <= 0) |
147 | return ret; |
148 | ret = sltmp; |
149 | } else if (rctx->pad_mode == RSA_X931_PADDING) { |
150 | if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { |
151 | RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); |
152 | return -1; |
153 | } |
154 | if (!setup_tbuf(rctx, ctx)) { |
155 | RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); |
156 | return -1; |
157 | } |
158 | memcpy(rctx->tbuf, tbs, tbslen); |
159 | rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); |
160 | ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, |
161 | sig, rsa, RSA_X931_PADDING); |
162 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { |
163 | unsigned int sltmp; |
164 | ret = RSA_sign(EVP_MD_type(rctx->md), |
165 | tbs, tbslen, sig, &sltmp, rsa); |
166 | if (ret <= 0) |
167 | return ret; |
168 | ret = sltmp; |
169 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
170 | if (!setup_tbuf(rctx, ctx)) |
171 | return -1; |
172 | if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, |
173 | rctx->tbuf, tbs, |
174 | rctx->md, rctx->mgf1md, |
175 | rctx->saltlen)) |
176 | return -1; |
177 | ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, |
178 | sig, rsa, RSA_NO_PADDING); |
179 | } else { |
180 | return -1; |
181 | } |
182 | } else { |
183 | ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, |
184 | rctx->pad_mode); |
185 | } |
186 | if (ret < 0) |
187 | return ret; |
188 | *siglen = ret; |
189 | return 1; |
190 | } |
191 | |
192 | static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, |
193 | unsigned char *rout, size_t *routlen, |
194 | const unsigned char *sig, size_t siglen) |
195 | { |
196 | int ret; |
197 | RSA_PKEY_CTX *rctx = ctx->data; |
198 | |
199 | if (rctx->md) { |
200 | if (rctx->pad_mode == RSA_X931_PADDING) { |
201 | if (!setup_tbuf(rctx, ctx)) |
202 | return -1; |
203 | ret = RSA_public_decrypt(siglen, sig, |
204 | rctx->tbuf, ctx->pkey->pkey.rsa, |
205 | RSA_X931_PADDING); |
206 | if (ret < 1) |
207 | return 0; |
208 | ret--; |
209 | if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) { |
210 | RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, |
211 | RSA_R_ALGORITHM_MISMATCH); |
212 | return 0; |
213 | } |
214 | if (ret != EVP_MD_size(rctx->md)) { |
215 | RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, |
216 | RSA_R_INVALID_DIGEST_LENGTH); |
217 | return 0; |
218 | } |
219 | if (rout) |
220 | memcpy(rout, rctx->tbuf, ret); |
221 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { |
222 | size_t sltmp; |
223 | ret = int_rsa_verify(EVP_MD_type(rctx->md), |
224 | NULL, 0, rout, &sltmp, |
225 | sig, siglen, ctx->pkey->pkey.rsa); |
226 | if (ret <= 0) |
227 | return 0; |
228 | ret = sltmp; |
229 | } else { |
230 | return -1; |
231 | } |
232 | } else { |
233 | ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, |
234 | rctx->pad_mode); |
235 | } |
236 | if (ret < 0) |
237 | return ret; |
238 | *routlen = ret; |
239 | return 1; |
240 | } |
241 | |
242 | static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, |
243 | const unsigned char *sig, size_t siglen, |
244 | const unsigned char *tbs, size_t tbslen) |
245 | { |
246 | RSA_PKEY_CTX *rctx = ctx->data; |
247 | RSA *rsa = ctx->pkey->pkey.rsa; |
248 | size_t rslen; |
249 | |
250 | if (rctx->md) { |
251 | if (rctx->pad_mode == RSA_PKCS1_PADDING) |
252 | return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, |
253 | sig, siglen, rsa); |
254 | if (tbslen != (size_t)EVP_MD_size(rctx->md)) { |
255 | RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); |
256 | return -1; |
257 | } |
258 | if (rctx->pad_mode == RSA_X931_PADDING) { |
259 | if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) |
260 | return 0; |
261 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { |
262 | int ret; |
263 | if (!setup_tbuf(rctx, ctx)) |
264 | return -1; |
265 | ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, |
266 | rsa, RSA_NO_PADDING); |
267 | if (ret <= 0) |
268 | return 0; |
269 | ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, |
270 | rctx->md, rctx->mgf1md, |
271 | rctx->tbuf, rctx->saltlen); |
272 | if (ret <= 0) |
273 | return 0; |
274 | return 1; |
275 | } else { |
276 | return -1; |
277 | } |
278 | } else { |
279 | if (!setup_tbuf(rctx, ctx)) |
280 | return -1; |
281 | rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, |
282 | rsa, rctx->pad_mode); |
283 | if (rslen == 0) |
284 | return 0; |
285 | } |
286 | |
287 | if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) |
288 | return 0; |
289 | |
290 | return 1; |
291 | |
292 | } |
293 | |
294 | static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, |
295 | unsigned char *out, size_t *outlen, |
296 | const unsigned char *in, size_t inlen) |
297 | { |
298 | int ret; |
299 | RSA_PKEY_CTX *rctx = ctx->data; |
300 | |
301 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
302 | int klen = RSA_size(ctx->pkey->pkey.rsa); |
303 | if (!setup_tbuf(rctx, ctx)) |
304 | return -1; |
305 | if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, |
306 | in, inlen, |
307 | rctx->oaep_label, |
308 | rctx->oaep_labellen, |
309 | rctx->md, rctx->mgf1md)) |
310 | return -1; |
311 | ret = RSA_public_encrypt(klen, rctx->tbuf, out, |
312 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); |
313 | } else { |
314 | ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, |
315 | rctx->pad_mode); |
316 | } |
317 | if (ret < 0) |
318 | return ret; |
319 | *outlen = ret; |
320 | return 1; |
321 | } |
322 | |
323 | static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, |
324 | unsigned char *out, size_t *outlen, |
325 | const unsigned char *in, size_t inlen) |
326 | { |
327 | int ret; |
328 | RSA_PKEY_CTX *rctx = ctx->data; |
329 | |
330 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
331 | if (!setup_tbuf(rctx, ctx)) |
332 | return -1; |
333 | ret = RSA_private_decrypt(inlen, in, rctx->tbuf, |
334 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); |
335 | if (ret <= 0) |
336 | return ret; |
337 | ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, |
338 | ret, ret, |
339 | rctx->oaep_label, |
340 | rctx->oaep_labellen, |
341 | rctx->md, rctx->mgf1md); |
342 | } else { |
343 | ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, |
344 | rctx->pad_mode); |
345 | } |
346 | *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); |
347 | ret = constant_time_select_int(constant_time_msb(ret), ret, 1); |
348 | return ret; |
349 | } |
350 | |
351 | static int check_padding_md(const EVP_MD *md, int padding) |
352 | { |
353 | int mdnid; |
354 | |
355 | if (!md) |
356 | return 1; |
357 | |
358 | mdnid = EVP_MD_type(md); |
359 | |
360 | if (padding == RSA_NO_PADDING) { |
361 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); |
362 | return 0; |
363 | } |
364 | |
365 | if (padding == RSA_X931_PADDING) { |
366 | if (RSA_X931_hash_id(mdnid) == -1) { |
367 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST); |
368 | return 0; |
369 | } |
370 | } else { |
371 | switch(mdnid) { |
372 | /* List of all supported RSA digests */ |
373 | case NID_sha1: |
374 | case NID_sha224: |
375 | case NID_sha256: |
376 | case NID_sha384: |
377 | case NID_sha512: |
378 | case NID_md5: |
379 | case NID_md5_sha1: |
380 | case NID_md2: |
381 | case NID_md4: |
382 | case NID_mdc2: |
383 | case NID_ripemd160: |
384 | case NID_sha3_224: |
385 | case NID_sha3_256: |
386 | case NID_sha3_384: |
387 | case NID_sha3_512: |
388 | return 1; |
389 | |
390 | default: |
391 | RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST); |
392 | return 0; |
393 | |
394 | } |
395 | } |
396 | |
397 | return 1; |
398 | } |
399 | |
400 | static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) |
401 | { |
402 | RSA_PKEY_CTX *rctx = ctx->data; |
403 | |
404 | switch (type) { |
405 | case EVP_PKEY_CTRL_RSA_PADDING: |
406 | if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) { |
407 | if (!check_padding_md(rctx->md, p1)) |
408 | return 0; |
409 | if (p1 == RSA_PKCS1_PSS_PADDING) { |
410 | if (!(ctx->operation & |
411 | (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) |
412 | goto bad_pad; |
413 | if (!rctx->md) |
414 | rctx->md = EVP_sha1(); |
415 | } else if (pkey_ctx_is_pss(ctx)) { |
416 | goto bad_pad; |
417 | } |
418 | if (p1 == RSA_PKCS1_OAEP_PADDING) { |
419 | if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) |
420 | goto bad_pad; |
421 | if (!rctx->md) |
422 | rctx->md = EVP_sha1(); |
423 | } |
424 | rctx->pad_mode = p1; |
425 | return 1; |
426 | } |
427 | bad_pad: |
428 | RSAerr(RSA_F_PKEY_RSA_CTRL, |
429 | RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
430 | return -2; |
431 | |
432 | case EVP_PKEY_CTRL_GET_RSA_PADDING: |
433 | *(int *)p2 = rctx->pad_mode; |
434 | return 1; |
435 | |
436 | case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: |
437 | case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: |
438 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { |
439 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); |
440 | return -2; |
441 | } |
442 | if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { |
443 | *(int *)p2 = rctx->saltlen; |
444 | } else { |
445 | if (p1 < RSA_PSS_SALTLEN_MAX) |
446 | return -2; |
447 | if (rsa_pss_restricted(rctx)) { |
448 | if (p1 == RSA_PSS_SALTLEN_AUTO |
449 | && ctx->operation == EVP_PKEY_OP_VERIFY) { |
450 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); |
451 | return -2; |
452 | } |
453 | if ((p1 == RSA_PSS_SALTLEN_DIGEST |
454 | && rctx->min_saltlen > EVP_MD_size(rctx->md)) |
455 | || (p1 >= 0 && p1 < rctx->min_saltlen)) { |
456 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL); |
457 | return 0; |
458 | } |
459 | } |
460 | rctx->saltlen = p1; |
461 | } |
462 | return 1; |
463 | |
464 | case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: |
465 | if (p1 < RSA_MIN_MODULUS_BITS) { |
466 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL); |
467 | return -2; |
468 | } |
469 | rctx->nbits = p1; |
470 | return 1; |
471 | |
472 | case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: |
473 | if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) { |
474 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE); |
475 | return -2; |
476 | } |
477 | BN_free(rctx->pub_exp); |
478 | rctx->pub_exp = p2; |
479 | return 1; |
480 | |
481 | case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES: |
482 | if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) { |
483 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID); |
484 | return -2; |
485 | } |
486 | rctx->primes = p1; |
487 | return 1; |
488 | |
489 | case EVP_PKEY_CTRL_RSA_OAEP_MD: |
490 | case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: |
491 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { |
492 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); |
493 | return -2; |
494 | } |
495 | if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) |
496 | *(const EVP_MD **)p2 = rctx->md; |
497 | else |
498 | rctx->md = p2; |
499 | return 1; |
500 | |
501 | case EVP_PKEY_CTRL_MD: |
502 | if (!check_padding_md(p2, rctx->pad_mode)) |
503 | return 0; |
504 | if (rsa_pss_restricted(rctx)) { |
505 | if (EVP_MD_type(rctx->md) == EVP_MD_type(p2)) |
506 | return 1; |
507 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED); |
508 | return 0; |
509 | } |
510 | rctx->md = p2; |
511 | return 1; |
512 | |
513 | case EVP_PKEY_CTRL_GET_MD: |
514 | *(const EVP_MD **)p2 = rctx->md; |
515 | return 1; |
516 | |
517 | case EVP_PKEY_CTRL_RSA_MGF1_MD: |
518 | case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: |
519 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING |
520 | && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { |
521 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); |
522 | return -2; |
523 | } |
524 | if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { |
525 | if (rctx->mgf1md) |
526 | *(const EVP_MD **)p2 = rctx->mgf1md; |
527 | else |
528 | *(const EVP_MD **)p2 = rctx->md; |
529 | } else { |
530 | if (rsa_pss_restricted(rctx)) { |
531 | if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2)) |
532 | return 1; |
533 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED); |
534 | return 0; |
535 | } |
536 | rctx->mgf1md = p2; |
537 | } |
538 | return 1; |
539 | |
540 | case EVP_PKEY_CTRL_RSA_OAEP_LABEL: |
541 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { |
542 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); |
543 | return -2; |
544 | } |
545 | OPENSSL_free(rctx->oaep_label); |
546 | if (p2 && p1 > 0) { |
547 | rctx->oaep_label = p2; |
548 | rctx->oaep_labellen = p1; |
549 | } else { |
550 | rctx->oaep_label = NULL; |
551 | rctx->oaep_labellen = 0; |
552 | } |
553 | return 1; |
554 | |
555 | case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: |
556 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { |
557 | RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); |
558 | return -2; |
559 | } |
560 | *(unsigned char **)p2 = rctx->oaep_label; |
561 | return rctx->oaep_labellen; |
562 | |
563 | case EVP_PKEY_CTRL_DIGESTINIT: |
564 | case EVP_PKEY_CTRL_PKCS7_SIGN: |
565 | #ifndef OPENSSL_NO_CMS |
566 | case EVP_PKEY_CTRL_CMS_SIGN: |
567 | #endif |
568 | return 1; |
569 | |
570 | case EVP_PKEY_CTRL_PKCS7_ENCRYPT: |
571 | case EVP_PKEY_CTRL_PKCS7_DECRYPT: |
572 | #ifndef OPENSSL_NO_CMS |
573 | case EVP_PKEY_CTRL_CMS_DECRYPT: |
574 | case EVP_PKEY_CTRL_CMS_ENCRYPT: |
575 | #endif |
576 | if (!pkey_ctx_is_pss(ctx)) |
577 | return 1; |
578 | /* fall through */ |
579 | case EVP_PKEY_CTRL_PEER_KEY: |
580 | RSAerr(RSA_F_PKEY_RSA_CTRL, |
581 | RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
582 | return -2; |
583 | |
584 | default: |
585 | return -2; |
586 | |
587 | } |
588 | } |
589 | |
590 | static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, |
591 | const char *type, const char *value) |
592 | { |
593 | if (value == NULL) { |
594 | RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); |
595 | return 0; |
596 | } |
597 | if (strcmp(type, "rsa_padding_mode" ) == 0) { |
598 | int pm; |
599 | |
600 | if (strcmp(value, "pkcs1" ) == 0) { |
601 | pm = RSA_PKCS1_PADDING; |
602 | } else if (strcmp(value, "sslv23" ) == 0) { |
603 | pm = RSA_SSLV23_PADDING; |
604 | } else if (strcmp(value, "none" ) == 0) { |
605 | pm = RSA_NO_PADDING; |
606 | } else if (strcmp(value, "oeap" ) == 0) { |
607 | pm = RSA_PKCS1_OAEP_PADDING; |
608 | } else if (strcmp(value, "oaep" ) == 0) { |
609 | pm = RSA_PKCS1_OAEP_PADDING; |
610 | } else if (strcmp(value, "x931" ) == 0) { |
611 | pm = RSA_X931_PADDING; |
612 | } else if (strcmp(value, "pss" ) == 0) { |
613 | pm = RSA_PKCS1_PSS_PADDING; |
614 | } else { |
615 | RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE); |
616 | return -2; |
617 | } |
618 | return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); |
619 | } |
620 | |
621 | if (strcmp(type, "rsa_pss_saltlen" ) == 0) { |
622 | int saltlen; |
623 | |
624 | if (!strcmp(value, "digest" )) |
625 | saltlen = RSA_PSS_SALTLEN_DIGEST; |
626 | else if (!strcmp(value, "max" )) |
627 | saltlen = RSA_PSS_SALTLEN_MAX; |
628 | else if (!strcmp(value, "auto" )) |
629 | saltlen = RSA_PSS_SALTLEN_AUTO; |
630 | else |
631 | saltlen = atoi(value); |
632 | return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); |
633 | } |
634 | |
635 | if (strcmp(type, "rsa_keygen_bits" ) == 0) { |
636 | int nbits = atoi(value); |
637 | |
638 | return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); |
639 | } |
640 | |
641 | if (strcmp(type, "rsa_keygen_pubexp" ) == 0) { |
642 | int ret; |
643 | |
644 | BIGNUM *pubexp = NULL; |
645 | if (!BN_asc2bn(&pubexp, value)) |
646 | return 0; |
647 | ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); |
648 | if (ret <= 0) |
649 | BN_free(pubexp); |
650 | return ret; |
651 | } |
652 | |
653 | if (strcmp(type, "rsa_keygen_primes" ) == 0) { |
654 | int nprimes = atoi(value); |
655 | |
656 | return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes); |
657 | } |
658 | |
659 | if (strcmp(type, "rsa_mgf1_md" ) == 0) |
660 | return EVP_PKEY_CTX_md(ctx, |
661 | EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, |
662 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); |
663 | |
664 | if (pkey_ctx_is_pss(ctx)) { |
665 | |
666 | if (strcmp(type, "rsa_pss_keygen_mgf1_md" ) == 0) |
667 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, |
668 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); |
669 | |
670 | if (strcmp(type, "rsa_pss_keygen_md" ) == 0) |
671 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, |
672 | EVP_PKEY_CTRL_MD, value); |
673 | |
674 | if (strcmp(type, "rsa_pss_keygen_saltlen" ) == 0) { |
675 | int saltlen = atoi(value); |
676 | |
677 | return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); |
678 | } |
679 | } |
680 | |
681 | if (strcmp(type, "rsa_oaep_md" ) == 0) |
682 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, |
683 | EVP_PKEY_CTRL_RSA_OAEP_MD, value); |
684 | |
685 | if (strcmp(type, "rsa_oaep_label" ) == 0) { |
686 | unsigned char *lab; |
687 | long lablen; |
688 | int ret; |
689 | |
690 | lab = OPENSSL_hexstr2buf(value, &lablen); |
691 | if (!lab) |
692 | return 0; |
693 | ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); |
694 | if (ret <= 0) |
695 | OPENSSL_free(lab); |
696 | return ret; |
697 | } |
698 | |
699 | return -2; |
700 | } |
701 | |
702 | /* Set PSS parameters when generating a key, if necessary */ |
703 | static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) |
704 | { |
705 | RSA_PKEY_CTX *rctx = ctx->data; |
706 | |
707 | if (!pkey_ctx_is_pss(ctx)) |
708 | return 1; |
709 | /* If all parameters are default values don't set pss */ |
710 | if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2) |
711 | return 1; |
712 | rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md, |
713 | rctx->saltlen == -2 ? 0 : rctx->saltlen); |
714 | if (rsa->pss == NULL) |
715 | return 0; |
716 | return 1; |
717 | } |
718 | |
719 | static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) |
720 | { |
721 | RSA *rsa = NULL; |
722 | RSA_PKEY_CTX *rctx = ctx->data; |
723 | BN_GENCB *pcb; |
724 | int ret; |
725 | |
726 | if (rctx->pub_exp == NULL) { |
727 | rctx->pub_exp = BN_new(); |
728 | if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4)) |
729 | return 0; |
730 | } |
731 | rsa = RSA_new(); |
732 | if (rsa == NULL) |
733 | return 0; |
734 | if (ctx->pkey_gencb) { |
735 | pcb = BN_GENCB_new(); |
736 | if (pcb == NULL) { |
737 | RSA_free(rsa); |
738 | return 0; |
739 | } |
740 | evp_pkey_set_cb_translate(pcb, ctx); |
741 | } else { |
742 | pcb = NULL; |
743 | } |
744 | ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes, |
745 | rctx->pub_exp, pcb); |
746 | BN_GENCB_free(pcb); |
747 | if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { |
748 | RSA_free(rsa); |
749 | return 0; |
750 | } |
751 | if (ret > 0) |
752 | EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); |
753 | else |
754 | RSA_free(rsa); |
755 | return ret; |
756 | } |
757 | |
758 | static const EVP_PKEY_METHOD rsa_pkey_meth = { |
759 | EVP_PKEY_RSA, |
760 | EVP_PKEY_FLAG_AUTOARGLEN, |
761 | pkey_rsa_init, |
762 | pkey_rsa_copy, |
763 | pkey_rsa_cleanup, |
764 | |
765 | 0, 0, |
766 | |
767 | 0, |
768 | pkey_rsa_keygen, |
769 | |
770 | 0, |
771 | pkey_rsa_sign, |
772 | |
773 | 0, |
774 | pkey_rsa_verify, |
775 | |
776 | 0, |
777 | pkey_rsa_verifyrecover, |
778 | |
779 | 0, 0, 0, 0, |
780 | |
781 | 0, |
782 | pkey_rsa_encrypt, |
783 | |
784 | 0, |
785 | pkey_rsa_decrypt, |
786 | |
787 | 0, 0, |
788 | |
789 | pkey_rsa_ctrl, |
790 | pkey_rsa_ctrl_str |
791 | }; |
792 | |
793 | const EVP_PKEY_METHOD *rsa_pkey_method(void) |
794 | { |
795 | return &rsa_pkey_meth; |
796 | } |
797 | |
798 | /* |
799 | * Called for PSS sign or verify initialisation: checks PSS parameter |
800 | * sanity and sets any restrictions on key usage. |
801 | */ |
802 | |
803 | static int pkey_pss_init(EVP_PKEY_CTX *ctx) |
804 | { |
805 | RSA *rsa; |
806 | RSA_PKEY_CTX *rctx = ctx->data; |
807 | const EVP_MD *md; |
808 | const EVP_MD *mgf1md; |
809 | int min_saltlen, max_saltlen; |
810 | |
811 | /* Should never happen */ |
812 | if (!pkey_ctx_is_pss(ctx)) |
813 | return 0; |
814 | rsa = ctx->pkey->pkey.rsa; |
815 | /* If no restrictions just return */ |
816 | if (rsa->pss == NULL) |
817 | return 1; |
818 | /* Get and check parameters */ |
819 | if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) |
820 | return 0; |
821 | |
822 | /* See if minimum salt length exceeds maximum possible */ |
823 | max_saltlen = RSA_size(rsa) - EVP_MD_size(md); |
824 | if ((RSA_bits(rsa) & 0x7) == 1) |
825 | max_saltlen--; |
826 | if (min_saltlen > max_saltlen) { |
827 | RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH); |
828 | return 0; |
829 | } |
830 | |
831 | rctx->min_saltlen = min_saltlen; |
832 | |
833 | /* |
834 | * Set PSS restrictions as defaults: we can then block any attempt to |
835 | * use invalid values in pkey_rsa_ctrl |
836 | */ |
837 | |
838 | rctx->md = md; |
839 | rctx->mgf1md = mgf1md; |
840 | rctx->saltlen = min_saltlen; |
841 | |
842 | return 1; |
843 | } |
844 | |
845 | static const EVP_PKEY_METHOD rsa_pss_pkey_meth = { |
846 | EVP_PKEY_RSA_PSS, |
847 | EVP_PKEY_FLAG_AUTOARGLEN, |
848 | pkey_rsa_init, |
849 | pkey_rsa_copy, |
850 | pkey_rsa_cleanup, |
851 | |
852 | 0, 0, |
853 | |
854 | 0, |
855 | pkey_rsa_keygen, |
856 | |
857 | pkey_pss_init, |
858 | pkey_rsa_sign, |
859 | |
860 | pkey_pss_init, |
861 | pkey_rsa_verify, |
862 | |
863 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
864 | |
865 | pkey_rsa_ctrl, |
866 | pkey_rsa_ctrl_str |
867 | }; |
868 | |
869 | const EVP_PKEY_METHOD *rsa_pss_pkey_method(void) |
870 | { |
871 | return &rsa_pss_pkey_meth; |
872 | } |
873 | |