rsa_pmeth.c source code [ClickHouse/contrib/openssl/crypto/rsa/rsa_pmeth.c]

1	/*
2	* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include "internal/constant_time.h"
11
12	#include <stdio.h>
13	#include "internal/cryptlib.h"
14	#include <openssl/asn1t.h>
15	#include <openssl/x509.h>
16	#include <openssl/rsa.h>
17	#include <openssl/bn.h>
18	#include <openssl/evp.h>
19	#include <openssl/x509v3.h>
20	#include <openssl/cms.h>
21	#include "crypto/evp.h"
22	#include "rsa_local.h"
23
24	/ RSA pkey context structure /
25
26	typedef struct {
27	/ Key gen parameters /
28	int nbits;
29	BIGNUM *pub_exp;
30	int primes;
31	/ Keygen callback info /
32	int gentmp[`2`];
33	/ RSA padding mode /
34	int pad_mode;
35	/ message digest /
36	const EVP_MD *md;
37	/ message digest for MGF1 /
38	const EVP_MD *mgf1md;
39	/ PSS salt length /
40	int saltlen;
41	/ Minimum salt length or -1 if no PSS parameter restriction /
42	int min_saltlen;
43	/ Temp buffer /
44	unsigned char *tbuf;
45	/ OAEP label /
46	unsigned char *oaep_label;
47	size_t oaep_labellen;
48	} RSA_PKEY_CTX;
49
50	/ True if PSS parameters are restricted /
51	#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
52
53	static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
54	{
55	RSA_PKEY_CTX rctx = OPENSSL_zalloc(sizeof(rctx));
56
57	if (rctx == NULL)
58	return `0`;
59	rctx->nbits = `2048`;
60	rctx->primes = RSA_DEFAULT_PRIME_NUM;
61	if (pkey_ctx_is_pss(ctx))
62	rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
63	else
64	rctx->pad_mode = RSA_PKCS1_PADDING;
65	/ Maximum for sign, auto for verify /
66	rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
67	rctx->min_saltlen = -`1`;
68	ctx->data = rctx;
69	ctx->keygen_info = rctx->gentmp;
70	ctx->keygen_info_count = `2`;
71
72	return `1`;
73	}
74
75	static int pkey_rsa_copy(EVP_PKEY_CTX dst, const* EVP_PKEY_CTX *src)
76	{
77	RSA_PKEY_CTX dctx, sctx;
78
79	if (!pkey_rsa_init(dst))
80	return `0`;
81	sctx = src->data;
82	dctx = dst->data;
83	dctx->nbits = sctx->nbits;
84	if (sctx->pub_exp) {
85	dctx->pub_exp = BN_dup(sctx->pub_exp);
86	if (!dctx->pub_exp)
87	return `0`;
88	}
89	dctx->pad_mode = sctx->pad_mode;
90	dctx->md = sctx->md;
91	dctx->mgf1md = sctx->mgf1md;
92	dctx->saltlen = sctx->saltlen;
93	if (sctx->oaep_label) {
94	OPENSSL_free(dctx->oaep_label);
95	dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
96	if (!dctx->oaep_label)
97	return `0`;
98	dctx->oaep_labellen = sctx->oaep_labellen;
99	}
100	return `1`;
101	}
102
103	static int setup_tbuf(RSA_PKEY_CTX ctx, EVP_PKEY_CTX pk)
104	{
105	if (ctx->tbuf != NULL)
106	return `1`;
107	if ((ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey))) == NULL) {
108	RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE);
109	return `0`;
110	}
111	return `1`;
112	}
113
114	static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
115	{
116	RSA_PKEY_CTX *rctx = ctx->data;
117	if (rctx) {
118	BN_free(rctx->pub_exp);
119	OPENSSL_free(rctx->tbuf);
120	OPENSSL_free(rctx->oaep_label);
121	OPENSSL_free(rctx);
122	}
123	}
124
125	static int pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned* char *sig,
126	size_t siglen, const* unsigned char *tbs,
127	size_t tbslen)
128	{
129	int ret;
130	RSA_PKEY_CTX *rctx = ctx->data;
131	RSA *rsa = ctx->pkey->pkey.rsa;
132
133	if (rctx->md) {
134	if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
135	RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
136	return -`1`;
137	}
138
139	if (EVP_MD_type(rctx->md) == NID_mdc2) {
140	unsigned int sltmp;
141	if (rctx->pad_mode != RSA_PKCS1_PADDING)
142	return -`1`;
143	ret = RSA_sign_ASN1_OCTET_STRING(`0`,
144	tbs, tbslen, sig, &sltmp, rsa);
145
146	if (ret <= `0`)
147	return ret;
148	ret = sltmp;
149	} else if (rctx->pad_mode == RSA_X931_PADDING) {
150	if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + `1`) {
151	RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL);
152	return -`1`;
153	}
154	if (!setup_tbuf(rctx, ctx)) {
155	RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE);
156	return -`1`;
157	}
158	memcpy(rctx->tbuf, tbs, tbslen);
159	rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md));
160	ret = RSA_private_encrypt(tbslen + `1`, rctx->tbuf,
161	sig, rsa, RSA_X931_PADDING);
162	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
163	unsigned int sltmp;
164	ret = RSA_sign(EVP_MD_type(rctx->md),
165	tbs, tbslen, sig, &sltmp, rsa);
166	if (ret <= `0`)
167	return ret;
168	ret = sltmp;
169	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
170	if (!setup_tbuf(rctx, ctx))
171	return -`1`;
172	if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
173	rctx->tbuf, tbs,
174	rctx->md, rctx->mgf1md,
175	rctx->saltlen))
176	return -`1`;
177	ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
178	sig, rsa, RSA_NO_PADDING);
179	} else {
180	return -`1`;
181	}
182	} else {
183	ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
184	rctx->pad_mode);
185	}
186	if (ret < `0`)
187	return ret;
188	*siglen = ret;
189	return `1`;
190	}
191
192	static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
193	unsigned char rout, size_t routlen,
194	const unsigned char *sig, size_t siglen)
195	{
196	int ret;
197	RSA_PKEY_CTX *rctx = ctx->data;
198
199	if (rctx->md) {
200	if (rctx->pad_mode == RSA_X931_PADDING) {
201	if (!setup_tbuf(rctx, ctx))
202	return -`1`;
203	ret = RSA_public_decrypt(siglen, sig,
204	rctx->tbuf, ctx->pkey->pkey.rsa,
205	RSA_X931_PADDING);
206	if (ret < `1`)
207	return `0`;
208	ret--;
209	if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
210	RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
211	RSA_R_ALGORITHM_MISMATCH);
212	return `0`;
213	}
214	if (ret != EVP_MD_size(rctx->md)) {
215	RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
216	RSA_R_INVALID_DIGEST_LENGTH);
217	return `0`;
218	}
219	if (rout)
220	memcpy(rout, rctx->tbuf, ret);
221	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
222	size_t sltmp;
223	ret = int_rsa_verify(EVP_MD_type(rctx->md),
224	NULL, `0`, rout, &sltmp,
225	sig, siglen, ctx->pkey->pkey.rsa);
226	if (ret <= `0`)
227	return `0`;
228	ret = sltmp;
229	} else {
230	return -`1`;
231	}
232	} else {
233	ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
234	rctx->pad_mode);
235	}
236	if (ret < `0`)
237	return ret;
238	*routlen = ret;
239	return `1`;
240	}
241
242	static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
243	const unsigned char *sig, size_t siglen,
244	const unsigned char *tbs, size_t tbslen)
245	{
246	RSA_PKEY_CTX *rctx = ctx->data;
247	RSA *rsa = ctx->pkey->pkey.rsa;
248	size_t rslen;
249
250	if (rctx->md) {
251	if (rctx->pad_mode == RSA_PKCS1_PADDING)
252	return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
253	sig, siglen, rsa);
254	if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
255	RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
256	return -`1`;
257	}
258	if (rctx->pad_mode == RSA_X931_PADDING) {
259	if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= `0`)
260	return `0`;
261	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
262	int ret;
263	if (!setup_tbuf(rctx, ctx))
264	return -`1`;
265	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
266	rsa, RSA_NO_PADDING);
267	if (ret <= `0`)
268	return `0`;
269	ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
270	rctx->md, rctx->mgf1md,
271	rctx->tbuf, rctx->saltlen);
272	if (ret <= `0`)
273	return `0`;
274	return `1`;
275	} else {
276	return -`1`;
277	}
278	} else {
279	if (!setup_tbuf(rctx, ctx))
280	return -`1`;
281	rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
282	rsa, rctx->pad_mode);
283	if (rslen == `0`)
284	return `0`;
285	}
286
287	if ((rslen != tbslen) \|\| memcmp(tbs, rctx->tbuf, rslen))
288	return `0`;
289
290	return `1`;
291
292	}
293
294	static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
295	unsigned char out, size_t outlen,
296	const unsigned char *in, size_t inlen)
297	{
298	int ret;
299	RSA_PKEY_CTX *rctx = ctx->data;
300
301	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
302	int klen = RSA_size(ctx->pkey->pkey.rsa);
303	if (!setup_tbuf(rctx, ctx))
304	return -`1`;
305	if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
306	in, inlen,
307	rctx->oaep_label,
308	rctx->oaep_labellen,
309	rctx->md, rctx->mgf1md))
310	return -`1`;
311	ret = RSA_public_encrypt(klen, rctx->tbuf, out,
312	ctx->pkey->pkey.rsa, RSA_NO_PADDING);
313	} else {
314	ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
315	rctx->pad_mode);
316	}
317	if (ret < `0`)
318	return ret;
319	*outlen = ret;
320	return `1`;
321	}
322
323	static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
324	unsigned char out, size_t outlen,
325	const unsigned char *in, size_t inlen)
326	{
327	int ret;
328	RSA_PKEY_CTX *rctx = ctx->data;
329
330	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
331	if (!setup_tbuf(rctx, ctx))
332	return -`1`;
333	ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
334	ctx->pkey->pkey.rsa, RSA_NO_PADDING);
335	if (ret <= `0`)
336	return ret;
337	ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
338	ret, ret,
339	rctx->oaep_label,
340	rctx->oaep_labellen,
341	rctx->md, rctx->mgf1md);
342	} else {
343	ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
344	rctx->pad_mode);
345	}
346	outlen = constant_time_select_s(constant_time_msb_s(ret), outlen, ret);
347	ret = constant_time_select_int(constant_time_msb(ret), ret, `1`);
348	return ret;
349	}
350
351	static int check_padding_md(const EVP_MD md, int* padding)
352	{
353	int mdnid;
354
355	if (!md)
356	return `1`;
357
358	mdnid = EVP_MD_type(md);
359
360	if (padding == RSA_NO_PADDING) {
361	RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
362	return `0`;
363	}
364
365	if (padding == RSA_X931_PADDING) {
366	if (RSA_X931_hash_id(mdnid) == -`1`) {
367	RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST);
368	return `0`;
369	}
370	} else {
371	switch(mdnid) {
372	/ List of all supported RSA digests /
373	case NID_sha1:
374	case NID_sha224:
375	case NID_sha256:
376	case NID_sha384:
377	case NID_sha512:
378	case NID_md5:
379	case NID_md5_sha1:
380	case NID_md2:
381	case NID_md4:
382	case NID_mdc2:
383	case NID_ripemd160:
384	case NID_sha3_224:
385	case NID_sha3_256:
386	case NID_sha3_384:
387	case NID_sha3_512:
388	return `1`;
389
390	default:
391	RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST);
392	return `0`;
393
394	}
395	}
396
397	return `1`;
398	}
399
400	static int pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int* type, int p1, void *p2)
401	{
402	RSA_PKEY_CTX *rctx = ctx->data;
403
404	switch (type) {
405	case EVP_PKEY_CTRL_RSA_PADDING:
406	if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
407	if (!check_padding_md(rctx->md, p1))
408	return `0`;
409	if (p1 == RSA_PKCS1_PSS_PADDING) {
410	if (!(ctx->operation &
411	(EVP_PKEY_OP_SIGN \| EVP_PKEY_OP_VERIFY)))
412	goto bad_pad;
413	if (!rctx->md)
414	rctx->md = EVP_sha1();
415	} else if (pkey_ctx_is_pss(ctx)) {
416	goto bad_pad;
417	}
418	if (p1 == RSA_PKCS1_OAEP_PADDING) {
419	if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
420	goto bad_pad;
421	if (!rctx->md)
422	rctx->md = EVP_sha1();
423	}
424	rctx->pad_mode = p1;
425	return `1`;
426	}
427	bad_pad:
428	RSAerr(RSA_F_PKEY_RSA_CTRL,
429	RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
430	return -`2`;
431
432	case EVP_PKEY_CTRL_GET_RSA_PADDING:
433	(int* *)p2 = rctx->pad_mode;
434	return `1`;
435
436	case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
437	case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
438	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
439	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
440	return -`2`;
441	}
442	if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
443	(int* *)p2 = rctx->saltlen;
444	} else {
445	if (p1 < RSA_PSS_SALTLEN_MAX)
446	return -`2`;
447	if (rsa_pss_restricted(rctx)) {
448	if (p1 == RSA_PSS_SALTLEN_AUTO
449	&& ctx->operation == EVP_PKEY_OP_VERIFY) {
450	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
451	return -`2`;
452	}
453	if ((p1 == RSA_PSS_SALTLEN_DIGEST
454	&& rctx->min_saltlen > EVP_MD_size(rctx->md))
455	\|\| (p1 >= `0` && p1 < rctx->min_saltlen)) {
456	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL);
457	return `0`;
458	}
459	}
460	rctx->saltlen = p1;
461	}
462	return `1`;
463
464	case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
465	if (p1 < RSA_MIN_MODULUS_BITS) {
466	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL);
467	return -`2`;
468	}
469	rctx->nbits = p1;
470	return `1`;
471
472	case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
473	if (p2 == NULL \|\| !BN_is_odd((BIGNUM )p2) \|\| BN_is_one((BIGNUM )p2)) {
474	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE);
475	return -`2`;
476	}
477	BN_free(rctx->pub_exp);
478	rctx->pub_exp = p2;
479	return `1`;
480
481	case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES:
482	if (p1 < RSA_DEFAULT_PRIME_NUM \|\| p1 > RSA_MAX_PRIME_NUM) {
483	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID);
484	return -`2`;
485	}
486	rctx->primes = p1;
487	return `1`;
488
489	case EVP_PKEY_CTRL_RSA_OAEP_MD:
490	case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
491	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
492	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
493	return -`2`;
494	}
495	if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
496	(const* EVP_MD **)p2 = rctx->md;
497	else
498	rctx->md = p2;
499	return `1`;
500
501	case EVP_PKEY_CTRL_MD:
502	if (!check_padding_md(p2, rctx->pad_mode))
503	return `0`;
504	if (rsa_pss_restricted(rctx)) {
505	if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
506	return `1`;
507	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED);
508	return `0`;
509	}
510	rctx->md = p2;
511	return `1`;
512
513	case EVP_PKEY_CTRL_GET_MD:
514	(const* EVP_MD **)p2 = rctx->md;
515	return `1`;
516
517	case EVP_PKEY_CTRL_RSA_MGF1_MD:
518	case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
519	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
520	&& rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
521	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
522	return -`2`;
523	}
524	if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
525	if (rctx->mgf1md)
526	(const* EVP_MD **)p2 = rctx->mgf1md;
527	else
528	(const* EVP_MD **)p2 = rctx->md;
529	} else {
530	if (rsa_pss_restricted(rctx)) {
531	if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
532	return `1`;
533	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED);
534	return `0`;
535	}
536	rctx->mgf1md = p2;
537	}
538	return `1`;
539
540	case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
541	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
542	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
543	return -`2`;
544	}
545	OPENSSL_free(rctx->oaep_label);
546	if (p2 && p1 > `0`) {
547	rctx->oaep_label = p2;
548	rctx->oaep_labellen = p1;
549	} else {
550	rctx->oaep_label = NULL;
551	rctx->oaep_labellen = `0`;
552	}
553	return `1`;
554
555	case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
556	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
557	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
558	return -`2`;
559	}
560	(unsigned* char **)p2 = rctx->oaep_label;
561	return rctx->oaep_labellen;
562
563	case EVP_PKEY_CTRL_DIGESTINIT:
564	case EVP_PKEY_CTRL_PKCS7_SIGN:
565	#ifndef OPENSSL_NO_CMS
566	case EVP_PKEY_CTRL_CMS_SIGN:
567	#endif
568	return `1`;
569
570	case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
571	case EVP_PKEY_CTRL_PKCS7_DECRYPT:
572	#ifndef OPENSSL_NO_CMS
573	case EVP_PKEY_CTRL_CMS_DECRYPT:
574	case EVP_PKEY_CTRL_CMS_ENCRYPT:
575	#endif
576	if (!pkey_ctx_is_pss(ctx))
577	return `1`;
578	/ fall through /
579	case EVP_PKEY_CTRL_PEER_KEY:
580	RSAerr(RSA_F_PKEY_RSA_CTRL,
581	RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
582	return -`2`;
583
584	default:
585	return -`2`;
586
587	}
588	}
589
590	static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
591	const char type, const* char *value)
592	{
593	if (value == NULL) {
594	RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
595	return `0`;
596	}
597	if (strcmp(type, "rsa_padding_mode") == `0`) {
598	int pm;
599
600	if (strcmp(value, "pkcs1") == `0`) {
601	pm = RSA_PKCS1_PADDING;
602	} else if (strcmp(value, "sslv23") == `0`) {
603	pm = RSA_SSLV23_PADDING;
604	} else if (strcmp(value, "none") == `0`) {
605	pm = RSA_NO_PADDING;
606	} else if (strcmp(value, "oeap") == `0`) {
607	pm = RSA_PKCS1_OAEP_PADDING;
608	} else if (strcmp(value, "oaep") == `0`) {
609	pm = RSA_PKCS1_OAEP_PADDING;
610	} else if (strcmp(value, "x931") == `0`) {
611	pm = RSA_X931_PADDING;
612	} else if (strcmp(value, "pss") == `0`) {
613	pm = RSA_PKCS1_PSS_PADDING;
614	} else {
615	RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE);
616	return -`2`;
617	}
618	return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
619	}
620
621	if (strcmp(type, "rsa_pss_saltlen") == `0`) {
622	int saltlen;
623
624	if (!strcmp(value, "digest"))
625	saltlen = RSA_PSS_SALTLEN_DIGEST;
626	else if (!strcmp(value, "max"))
627	saltlen = RSA_PSS_SALTLEN_MAX;
628	else if (!strcmp(value, "auto"))
629	saltlen = RSA_PSS_SALTLEN_AUTO;
630	else
631	saltlen = atoi(value);
632	return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
633	}
634
635	if (strcmp(type, "rsa_keygen_bits") == `0`) {
636	int nbits = atoi(value);
637
638	return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
639	}
640
641	if (strcmp(type, "rsa_keygen_pubexp") == `0`) {
642	int ret;
643
644	BIGNUM *pubexp = NULL;
645	if (!BN_asc2bn(&pubexp, value))
646	return `0`;
647	ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
648	if (ret <= `0`)
649	BN_free(pubexp);
650	return ret;
651	}
652
653	if (strcmp(type, "rsa_keygen_primes") == `0`) {
654	int nprimes = atoi(value);
655
656	return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes);
657	}
658
659	if (strcmp(type, "rsa_mgf1_md") == `0`)
660	return EVP_PKEY_CTX_md(ctx,
661	EVP_PKEY_OP_TYPE_SIG \| EVP_PKEY_OP_TYPE_CRYPT,
662	EVP_PKEY_CTRL_RSA_MGF1_MD, value);
663
664	if (pkey_ctx_is_pss(ctx)) {
665
666	if (strcmp(type, "rsa_pss_keygen_mgf1_md") == `0`)
667	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
668	EVP_PKEY_CTRL_RSA_MGF1_MD, value);
669
670	if (strcmp(type, "rsa_pss_keygen_md") == `0`)
671	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
672	EVP_PKEY_CTRL_MD, value);
673
674	if (strcmp(type, "rsa_pss_keygen_saltlen") == `0`) {
675	int saltlen = atoi(value);
676
677	return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
678	}
679	}
680
681	if (strcmp(type, "rsa_oaep_md") == `0`)
682	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
683	EVP_PKEY_CTRL_RSA_OAEP_MD, value);
684
685	if (strcmp(type, "rsa_oaep_label") == `0`) {
686	unsigned char *lab;
687	long lablen;
688	int ret;
689
690	lab = OPENSSL_hexstr2buf(value, &lablen);
691	if (!lab)
692	return `0`;
693	ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
694	if (ret <= `0`)
695	OPENSSL_free(lab);
696	return ret;
697	}
698
699	return -`2`;
700	}
701
702	/ Set PSS parameters when generating a key, if necessary /
703	static int rsa_set_pss_param(RSA rsa, EVP_PKEY_CTX ctx)
704	{
705	RSA_PKEY_CTX *rctx = ctx->data;
706
707	if (!pkey_ctx_is_pss(ctx))
708	return `1`;
709	/ If all parameters are default values don't set pss /
710	if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -`2`)
711	return `1`;
712	rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
713	rctx->saltlen == -`2` ? `0` : rctx->saltlen);
714	if (rsa->pss == NULL)
715	return `0`;
716	return `1`;
717	}
718
719	static int pkey_rsa_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
720	{
721	RSA *rsa = NULL;
722	RSA_PKEY_CTX *rctx = ctx->data;
723	BN_GENCB *pcb;
724	int ret;
725
726	if (rctx->pub_exp == NULL) {
727	rctx->pub_exp = BN_new();
728	if (rctx->pub_exp == NULL \|\| !BN_set_word(rctx->pub_exp, RSA_F4))
729	return `0`;
730	}
731	rsa = RSA_new();
732	if (rsa == NULL)
733	return `0`;
734	if (ctx->pkey_gencb) {
735	pcb = BN_GENCB_new();
736	if (pcb == NULL) {
737	RSA_free(rsa);
738	return `0`;
739	}
740	evp_pkey_set_cb_translate(pcb, ctx);
741	} else {
742	pcb = NULL;
743	}
744	ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes,
745	rctx->pub_exp, pcb);
746	BN_GENCB_free(pcb);
747	if (ret > `0` && !rsa_set_pss_param(rsa, ctx)) {
748	RSA_free(rsa);
749	return `0`;
750	}
751	if (ret > `0`)
752	EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
753	else
754	RSA_free(rsa);
755	return ret;
756	}
757
758	static const EVP_PKEY_METHOD rsa_pkey_meth = {
759	EVP_PKEY_RSA,
760	EVP_PKEY_FLAG_AUTOARGLEN,
761	pkey_rsa_init,
762	pkey_rsa_copy,
763	pkey_rsa_cleanup,
764
765	`0`, `0`,
766
767	`0`,
768	pkey_rsa_keygen,
769
770	`0`,
771	pkey_rsa_sign,
772
773	`0`,
774	pkey_rsa_verify,
775
776	`0`,
777	pkey_rsa_verifyrecover,
778
779	`0`, `0`, `0`, `0`,
780
781	`0`,
782	pkey_rsa_encrypt,
783
784	`0`,
785	pkey_rsa_decrypt,
786
787	`0`, `0`,
788
789	pkey_rsa_ctrl,
790	pkey_rsa_ctrl_str
791	};
792
793	const EVP_PKEY_METHOD rsa_pkey_method(void*)
794	{
795	return &rsa_pkey_meth;
796	}
797
798	/*
799	* Called for PSS sign or verify initialisation: checks PSS parameter
800	* sanity and sets any restrictions on key usage.
801	*/
802
803	static int pkey_pss_init(EVP_PKEY_CTX *ctx)
804	{
805	RSA *rsa;
806	RSA_PKEY_CTX *rctx = ctx->data;
807	const EVP_MD *md;
808	const EVP_MD *mgf1md;
809	int min_saltlen, max_saltlen;
810
811	/ Should never happen /
812	if (!pkey_ctx_is_pss(ctx))
813	return `0`;
814	rsa = ctx->pkey->pkey.rsa;
815	/ If no restrictions just return /
816	if (rsa->pss == NULL)
817	return `1`;
818	/ Get and check parameters /
819	if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
820	return `0`;
821
822	/ See if minimum salt length exceeds maximum possible /
823	max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
824	if ((RSA_bits(rsa) & `0x7`) == `1`)
825	max_saltlen--;
826	if (min_saltlen > max_saltlen) {
827	RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH);
828	return `0`;
829	}
830
831	rctx->min_saltlen = min_saltlen;
832
833	/*
834	* Set PSS restrictions as defaults: we can then block any attempt to
835	* use invalid values in pkey_rsa_ctrl
836	*/
837
838	rctx->md = md;
839	rctx->mgf1md = mgf1md;
840	rctx->saltlen = min_saltlen;
841
842	return `1`;
843	}
844
845	static const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
846	EVP_PKEY_RSA_PSS,
847	EVP_PKEY_FLAG_AUTOARGLEN,
848	pkey_rsa_init,
849	pkey_rsa_copy,
850	pkey_rsa_cleanup,
851
852	`0`, `0`,
853
854	`0`,
855	pkey_rsa_keygen,
856
857	pkey_pss_init,
858	pkey_rsa_sign,
859
860	pkey_pss_init,
861	pkey_rsa_verify,
862
863	`0`, `0`, `0`, `0`, `0`, `0`, `0`, `0`, `0`, `0`, `0`, `0`,
864
865	pkey_rsa_ctrl,
866	pkey_rsa_ctrl_str
867	};
868
869	const EVP_PKEY_METHOD rsa_pss_pkey_method(void*)
870	{
871	return &rsa_pss_pkey_meth;
872	}
873

Browse the source code of ClickHouse/contrib/openssl/crypto/rsa/rsa_pmeth.c