rsa_pmeth.c

Last change on this file was 108206, checked in by vboxsync, 3 months ago
openssl-3.3.2: Exported all files to OSE and removed .scm-settings bugref:10757
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 26.7 KB

Line
1	/*
2	* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	/*
11	* RSA low level APIs are deprecated for public use, but still ok for
12	* internal use.
13	*/
14	#include "internal/deprecated.h"
15
16	#include "internal/constant_time.h"
17
18	#include <stdio.h>
19	#include "internal/cryptlib.h"
20	#include <openssl/asn1t.h>
21	#include <openssl/x509.h>
22	#include <openssl/rsa.h>
23	#include <openssl/bn.h>
24	#include <openssl/evp.h>
25	#include <openssl/x509v3.h>
26	#include <openssl/cms.h>
27	#include "crypto/evp.h"
28	#include "crypto/rsa.h"
29	#include "rsa_local.h"
30
31	/* RSA pkey context structure */
32
33	typedef struct {
34	/* Key gen parameters */
35	int nbits;
36	BIGNUM *pub_exp;
37	int primes;
38	/* Keygen callback info */
39	int gentmp[2];
40	/* RSA padding mode */
41	int pad_mode;
42	/* message digest */
43	const EVP_MD *md;
44	/* message digest for MGF1 */
45	const EVP_MD *mgf1md;
46	/* PSS salt length */
47	int saltlen;
48	/* Minimum salt length or -1 if no PSS parameter restriction */
49	int min_saltlen;
50	/* Temp buffer */
51	unsigned char *tbuf;
52	/* OAEP label */
53	unsigned char *oaep_label;
54	size_t oaep_labellen;
55	/* if to use implicit rejection in PKCS#1 v1.5 decryption */
56	int implicit_rejection;
57	} RSA_PKEY_CTX;
58
59	/* True if PSS parameters are restricted */
60	#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
61
62	static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
63	{
64	RSA_PKEY_CTX rctx = OPENSSL_zalloc(sizeof(rctx));
65
66	if (rctx == NULL)
67	return 0;
68	rctx->nbits = 2048;
69	rctx->primes = RSA_DEFAULT_PRIME_NUM;
70	if (pkey_ctx_is_pss(ctx))
71	rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
72	else
73	rctx->pad_mode = RSA_PKCS1_PADDING;
74	/* Maximum for sign, auto for verify */
75	rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
76	rctx->min_saltlen = -1;
77	rctx->implicit_rejection = 1;
78	ctx->data = rctx;
79	ctx->keygen_info = rctx->gentmp;
80	ctx->keygen_info_count = 2;
81
82	return 1;
83	}
84
85	static int pkey_rsa_copy(EVP_PKEY_CTX dst, const EVP_PKEY_CTX src)
86	{
87	RSA_PKEY_CTX dctx, sctx;
88
89	if (!pkey_rsa_init(dst))
90	return 0;
91	sctx = src->data;
92	dctx = dst->data;
93	dctx->nbits = sctx->nbits;
94	if (sctx->pub_exp) {
95	dctx->pub_exp = BN_dup(sctx->pub_exp);
96	if (!dctx->pub_exp)
97	return 0;
98	}
99	dctx->pad_mode = sctx->pad_mode;
100	dctx->md = sctx->md;
101	dctx->mgf1md = sctx->mgf1md;
102	dctx->saltlen = sctx->saltlen;
103	dctx->implicit_rejection = sctx->implicit_rejection;
104	if (sctx->oaep_label) {
105	OPENSSL_free(dctx->oaep_label);
106	dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
107	if (!dctx->oaep_label)
108	return 0;
109	dctx->oaep_labellen = sctx->oaep_labellen;
110	}
111	return 1;
112	}
113
114	static int setup_tbuf(RSA_PKEY_CTX ctx, EVP_PKEY_CTX pk)
115	{
116	if (ctx->tbuf != NULL)
117	return 1;
118	if ((ctx->tbuf =
119	OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pk->pkey)))) == NULL)
120	return 0;
121	return 1;
122	}
123
124	static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
125	{
126	RSA_PKEY_CTX *rctx = ctx->data;
127	if (rctx) {
128	BN_free(rctx->pub_exp);
129	OPENSSL_free(rctx->tbuf);
130	OPENSSL_free(rctx->oaep_label);
131	OPENSSL_free(rctx);
132	}
133	}
134
135	static int pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig,
136	size_t siglen, const unsigned char tbs,
137	size_t tbslen)
138	{
139	int ret;
140	RSA_PKEY_CTX *rctx = ctx->data;
141	/*
142	* Discard const. Its marked as const because this may be a cached copy of
143	* the "real" key. These calls don't make any modifications that need to
144	* be reflected back in the "original" key.
145	*/
146	RSA rsa = (RSA )EVP_PKEY_get0_RSA(ctx->pkey);
147
148	if (rctx->md) {
149	if (tbslen != (size_t)EVP_MD_get_size(rctx->md)) {
150	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
151	return -1;
152	}
153
154	if (EVP_MD_get_type(rctx->md) == NID_mdc2) {
155	unsigned int sltmp;
156	if (rctx->pad_mode != RSA_PKCS1_PADDING)
157	return -1;
158	ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, rsa);
159
160	if (ret <= 0)
161	return ret;
162	ret = sltmp;
163	} else if (rctx->pad_mode == RSA_X931_PADDING) {
164	if ((size_t)RSA_size(rsa) < tbslen + 1) {
165	ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
166	return -1;
167	}
168	if (!setup_tbuf(rctx, ctx)) {
169	ERR_raise(ERR_LIB_RSA, ERR_R_RSA_LIB);
170	return -1;
171	}
172	memcpy(rctx->tbuf, tbs, tbslen);
173	rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_get_type(rctx->md));
174	ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
175	sig, rsa, RSA_X931_PADDING);
176	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
177	unsigned int sltmp;
178	ret = RSA_sign(EVP_MD_get_type(rctx->md),
179	tbs, tbslen, sig, &sltmp, rsa);
180	if (ret <= 0)
181	return ret;
182	ret = sltmp;
183	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
184	if (!setup_tbuf(rctx, ctx))
185	return -1;
186	if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
187	rctx->tbuf, tbs,
188	rctx->md, rctx->mgf1md,
189	rctx->saltlen))
190	return -1;
191	ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
192	sig, rsa, RSA_NO_PADDING);
193	} else {
194	return -1;
195	}
196	} else {
197	ret = RSA_private_encrypt(tbslen, tbs, sig, rsa, rctx->pad_mode);
198	}
199	if (ret < 0)
200	return ret;
201	*siglen = ret;
202	return 1;
203	}
204
205	static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
206	unsigned char rout, size_t routlen,
207	const unsigned char *sig, size_t siglen)
208	{
209	int ret;
210	RSA_PKEY_CTX *rctx = ctx->data;
211	/*
212	* Discard const. Its marked as const because this may be a cached copy of
213	* the "real" key. These calls don't make any modifications that need to
214	* be reflected back in the "original" key.
215	*/
216	RSA rsa = (RSA )EVP_PKEY_get0_RSA(ctx->pkey);
217
218	if (rctx->md) {
219	if (rctx->pad_mode == RSA_X931_PADDING) {
220	if (!setup_tbuf(rctx, ctx))
221	return -1;
222	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
223	RSA_X931_PADDING);
224	if (ret < 1)
225	return 0;
226	ret--;
227	if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_get_type(rctx->md))) {
228	ERR_raise(ERR_LIB_RSA, RSA_R_ALGORITHM_MISMATCH);
229	return 0;
230	}
231	if (ret != EVP_MD_get_size(rctx->md)) {
232	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
233	return 0;
234	}
235	if (rout)
236	memcpy(rout, rctx->tbuf, ret);
237	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
238	size_t sltmp;
239	ret = ossl_rsa_verify(EVP_MD_get_type(rctx->md),
240	NULL, 0, rout, &sltmp,
241	sig, siglen, rsa);
242	if (ret <= 0)
243	return 0;
244	ret = sltmp;
245	} else {
246	return -1;
247	}
248	} else {
249	ret = RSA_public_decrypt(siglen, sig, rout, rsa, rctx->pad_mode);
250	}
251	if (ret < 0)
252	return ret;
253	*routlen = ret;
254	return 1;
255	}
256
257	static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
258	const unsigned char *sig, size_t siglen,
259	const unsigned char *tbs, size_t tbslen)
260	{
261	RSA_PKEY_CTX *rctx = ctx->data;
262	/*
263	* Discard const. Its marked as const because this may be a cached copy of
264	* the "real" key. These calls don't make any modifications that need to
265	* be reflected back in the "original" key.
266	*/
267	RSA rsa = (RSA )EVP_PKEY_get0_RSA(ctx->pkey);
268	size_t rslen;
269
270	if (rctx->md) {
271	if (rctx->pad_mode == RSA_PKCS1_PADDING)
272	return RSA_verify(EVP_MD_get_type(rctx->md), tbs, tbslen,
273	sig, siglen, rsa);
274	if (tbslen != (size_t)EVP_MD_get_size(rctx->md)) {
275	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
276	return -1;
277	}
278	if (rctx->pad_mode == RSA_X931_PADDING) {
279	if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
280	return 0;
281	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
282	int ret;
283	if (!setup_tbuf(rctx, ctx))
284	return -1;
285	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
286	rsa, RSA_NO_PADDING);
287	if (ret <= 0)
288	return 0;
289	ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
290	rctx->md, rctx->mgf1md,
291	rctx->tbuf, rctx->saltlen);
292	if (ret <= 0)
293	return 0;
294	return 1;
295	} else {
296	return -1;
297	}
298	} else {
299	if (!setup_tbuf(rctx, ctx))
300	return -1;
301	rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
302	rsa, rctx->pad_mode);
303	if (rslen == 0)
304	return 0;
305	}
306
307	if ((rslen != tbslen) \|\| memcmp(tbs, rctx->tbuf, rslen))
308	return 0;
309
310	return 1;
311
312	}
313
314	static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
315	unsigned char out, size_t outlen,
316	const unsigned char *in, size_t inlen)
317	{
318	int ret;
319	RSA_PKEY_CTX *rctx = ctx->data;
320	/*
321	* Discard const. Its marked as const because this may be a cached copy of
322	* the "real" key. These calls don't make any modifications that need to
323	* be reflected back in the "original" key.
324	*/
325	RSA rsa = (RSA )EVP_PKEY_get0_RSA(ctx->pkey);
326
327	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
328	int klen = RSA_size(rsa);
329	if (!setup_tbuf(rctx, ctx))
330	return -1;
331	if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
332	in, inlen,
333	rctx->oaep_label,
334	rctx->oaep_labellen,
335	rctx->md, rctx->mgf1md))
336	return -1;
337	ret = RSA_public_encrypt(klen, rctx->tbuf, out, rsa, RSA_NO_PADDING);
338	} else {
339	ret = RSA_public_encrypt(inlen, in, out, rsa, rctx->pad_mode);
340	}
341	if (ret < 0)
342	return ret;
343	*outlen = ret;
344	return 1;
345	}
346
347	static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
348	unsigned char out, size_t outlen,
349	const unsigned char *in, size_t inlen)
350	{
351	int ret;
352	int pad_mode;
353	RSA_PKEY_CTX *rctx = ctx->data;
354	/*
355	* Discard const. Its marked as const because this may be a cached copy of
356	* the "real" key. These calls don't make any modifications that need to
357	* be reflected back in the "original" key.
358	*/
359	RSA rsa = (RSA )EVP_PKEY_get0_RSA(ctx->pkey);
360
361	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
362	if (!setup_tbuf(rctx, ctx))
363	return -1;
364	ret = RSA_private_decrypt(inlen, in, rctx->tbuf, rsa, RSA_NO_PADDING);
365	if (ret <= 0)
366	return ret;
367	ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
368	ret, ret,
369	rctx->oaep_label,
370	rctx->oaep_labellen,
371	rctx->md, rctx->mgf1md);
372	} else {
373	if (rctx->pad_mode == RSA_PKCS1_PADDING &&
374	rctx->implicit_rejection == 0)
375	pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
376	else
377	pad_mode = rctx->pad_mode;
378	ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode);
379	}
380	outlen = constant_time_select_s(constant_time_msb_s(ret), outlen, ret);
381	ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
382	return ret;
383	}
384
385	static int check_padding_md(const EVP_MD *md, int padding)
386	{
387	int mdnid;
388
389	if (!md)
390	return 1;
391
392	mdnid = EVP_MD_get_type(md);
393
394	if (padding == RSA_NO_PADDING) {
395	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
396	return 0;
397	}
398
399	if (padding == RSA_X931_PADDING) {
400	if (RSA_X931_hash_id(mdnid) == -1) {
401	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_X931_DIGEST);
402	return 0;
403	}
404	} else {
405	switch (mdnid) {
406	/* List of all supported RSA digests */
407	case NID_sha1:
408	case NID_sha224:
409	case NID_sha256:
410	case NID_sha384:
411	case NID_sha512:
412	case NID_sha512_224:
413	case NID_sha512_256:
414	case NID_md5:
415	case NID_md5_sha1:
416	case NID_md2:
417	case NID_md4:
418	case NID_mdc2:
419	case NID_ripemd160:
420	case NID_sha3_224:
421	case NID_sha3_256:
422	case NID_sha3_384:
423	case NID_sha3_512:
424	return 1;
425
426	default:
427	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST);
428	return 0;
429
430	}
431	}
432
433	return 1;
434	}
435
436	static int pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
437	{
438	RSA_PKEY_CTX *rctx = ctx->data;
439
440	switch (type) {
441	case EVP_PKEY_CTRL_RSA_PADDING:
442	if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
443	if (!check_padding_md(rctx->md, p1))
444	return 0;
445	if (p1 == RSA_PKCS1_PSS_PADDING) {
446	if (!(ctx->operation &
447	(EVP_PKEY_OP_SIGN \| EVP_PKEY_OP_VERIFY)))
448	goto bad_pad;
449	if (!rctx->md)
450	rctx->md = EVP_sha1();
451	} else if (pkey_ctx_is_pss(ctx)) {
452	goto bad_pad;
453	}
454	if (p1 == RSA_PKCS1_OAEP_PADDING) {
455	if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
456	goto bad_pad;
457	if (!rctx->md)
458	rctx->md = EVP_sha1();
459	}
460	rctx->pad_mode = p1;
461	return 1;
462	}
463	bad_pad:
464	ERR_raise(ERR_LIB_RSA, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
465	return -2;
466
467	case EVP_PKEY_CTRL_GET_RSA_PADDING:
468	(int )p2 = rctx->pad_mode;
469	return 1;
470
471	case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
472	case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
473	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
474	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN);
475	return -2;
476	}
477	if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
478	(int )p2 = rctx->saltlen;
479	} else {
480	if (p1 < RSA_PSS_SALTLEN_MAX)
481	return -2;
482	if (rsa_pss_restricted(rctx)) {
483	if (p1 == RSA_PSS_SALTLEN_AUTO
484	&& ctx->operation == EVP_PKEY_OP_VERIFY) {
485	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN);
486	return -2;
487	}
488	if ((p1 == RSA_PSS_SALTLEN_DIGEST
489	&& rctx->min_saltlen > EVP_MD_get_size(rctx->md))
490	\|\| (p1 >= 0 && p1 < rctx->min_saltlen)) {
491	ERR_raise(ERR_LIB_RSA, RSA_R_PSS_SALTLEN_TOO_SMALL);
492	return 0;
493	}
494	}
495	rctx->saltlen = p1;
496	}
497	return 1;
498
499	case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
500	if (p1 < RSA_MIN_MODULUS_BITS) {
501	ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
502	return -2;
503	}
504	rctx->nbits = p1;
505	return 1;
506
507	case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
508	if (p2 == NULL \|\| !BN_is_odd((BIGNUM )p2) \|\| BN_is_one((BIGNUM )p2)) {
509	ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
510	return -2;
511	}
512	BN_free(rctx->pub_exp);
513	rctx->pub_exp = p2;
514	return 1;
515
516	case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES:
517	if (p1 < RSA_DEFAULT_PRIME_NUM \|\| p1 > RSA_MAX_PRIME_NUM) {
518	ERR_raise(ERR_LIB_RSA, RSA_R_KEY_PRIME_NUM_INVALID);
519	return -2;
520	}
521	rctx->primes = p1;
522	return 1;
523
524	case EVP_PKEY_CTRL_RSA_OAEP_MD:
525	case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
526	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
527	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
528	return -2;
529	}
530	if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
531	(const EVP_MD *)p2 = rctx->md;
532	else
533	rctx->md = p2;
534	return 1;
535
536	case EVP_PKEY_CTRL_MD:
537	if (!check_padding_md(p2, rctx->pad_mode))
538	return 0;
539	if (rsa_pss_restricted(rctx)) {
540	if (EVP_MD_get_type(rctx->md) == EVP_MD_get_type(p2))
541	return 1;
542	ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
543	return 0;
544	}
545	rctx->md = p2;
546	return 1;
547
548	case EVP_PKEY_CTRL_GET_MD:
549	(const EVP_MD *)p2 = rctx->md;
550	return 1;
551
552	case EVP_PKEY_CTRL_RSA_MGF1_MD:
553	case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
554	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
555	&& rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
556	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MGF1_MD);
557	return -2;
558	}
559	if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
560	if (rctx->mgf1md)
561	(const EVP_MD *)p2 = rctx->mgf1md;
562	else
563	(const EVP_MD *)p2 = rctx->md;
564	} else {
565	if (rsa_pss_restricted(rctx)) {
566	if (EVP_MD_get_type(rctx->mgf1md) == EVP_MD_get_type(p2))
567	return 1;
568	ERR_raise(ERR_LIB_RSA, RSA_R_MGF1_DIGEST_NOT_ALLOWED);
569	return 0;
570	}
571	rctx->mgf1md = p2;
572	}
573	return 1;
574
575	case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
576	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
577	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
578	return -2;
579	}
580	OPENSSL_free(rctx->oaep_label);
581	if (p2 && p1 > 0) {
582	rctx->oaep_label = p2;
583	rctx->oaep_labellen = p1;
584	} else {
585	rctx->oaep_label = NULL;
586	rctx->oaep_labellen = 0;
587	}
588	return 1;
589
590	case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
591	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
592	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
593	return -2;
594	}
595	if (p2 == NULL) {
596	ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
597	return 0;
598	}
599	(unsigned char *)p2 = rctx->oaep_label;
600	return rctx->oaep_labellen;
601
602	case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION:
603	if (rctx->pad_mode != RSA_PKCS1_PADDING) {
604	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
605	return -2;
606	}
607	rctx->implicit_rejection = p1;
608	return 1;
609
610	case EVP_PKEY_CTRL_DIGESTINIT:
611	case EVP_PKEY_CTRL_PKCS7_SIGN:
612	#ifndef OPENSSL_NO_CMS
613	case EVP_PKEY_CTRL_CMS_SIGN:
614	#endif
615	return 1;
616
617	case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
618	case EVP_PKEY_CTRL_PKCS7_DECRYPT:
619	#ifndef OPENSSL_NO_CMS
620	case EVP_PKEY_CTRL_CMS_DECRYPT:
621	case EVP_PKEY_CTRL_CMS_ENCRYPT:
622	#endif
623	if (!pkey_ctx_is_pss(ctx))
624	return 1;
625	/* fall through */
626	case EVP_PKEY_CTRL_PEER_KEY:
627	ERR_raise(ERR_LIB_RSA, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
628	return -2;
629
630	default:
631	return -2;
632
633	}
634	}
635
636	static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
637	const char type, const char value)
638	{
639	if (value == NULL) {
640	ERR_raise(ERR_LIB_RSA, RSA_R_VALUE_MISSING);
641	return 0;
642	}
643	if (strcmp(type, "rsa_padding_mode") == 0) {
644	int pm;
645
646	if (strcmp(value, "pkcs1") == 0) {
647	pm = RSA_PKCS1_PADDING;
648	} else if (strcmp(value, "none") == 0) {
649	pm = RSA_NO_PADDING;
650	} else if (strcmp(value, "oeap") == 0) {
651	pm = RSA_PKCS1_OAEP_PADDING;
652	} else if (strcmp(value, "oaep") == 0) {
653	pm = RSA_PKCS1_OAEP_PADDING;
654	} else if (strcmp(value, "x931") == 0) {
655	pm = RSA_X931_PADDING;
656	} else if (strcmp(value, "pss") == 0) {
657	pm = RSA_PKCS1_PSS_PADDING;
658	} else {
659	ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
660	return -2;
661	}
662	return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
663	}
664
665	if (strcmp(type, "rsa_pss_saltlen") == 0) {
666	int saltlen;
667
668	if (!strcmp(value, "digest"))
669	saltlen = RSA_PSS_SALTLEN_DIGEST;
670	else if (!strcmp(value, "max"))
671	saltlen = RSA_PSS_SALTLEN_MAX;
672	else if (!strcmp(value, "auto"))
673	saltlen = RSA_PSS_SALTLEN_AUTO;
674	else
675	saltlen = atoi(value);
676	return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
677	}
678
679	if (strcmp(type, "rsa_keygen_bits") == 0) {
680	int nbits = atoi(value);
681
682	return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
683	}
684
685	if (strcmp(type, "rsa_keygen_pubexp") == 0) {
686	int ret;
687
688	BIGNUM *pubexp = NULL;
689	if (!BN_asc2bn(&pubexp, value))
690	return 0;
691	ret = EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, pubexp);
692	BN_free(pubexp);
693	return ret;
694	}
695
696	if (strcmp(type, "rsa_keygen_primes") == 0) {
697	int nprimes = atoi(value);
698
699	return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes);
700	}
701
702	if (strcmp(type, "rsa_mgf1_md") == 0)
703	return EVP_PKEY_CTX_md(ctx,
704	EVP_PKEY_OP_TYPE_SIG \| EVP_PKEY_OP_TYPE_CRYPT,
705	EVP_PKEY_CTRL_RSA_MGF1_MD, value);
706
707	if (pkey_ctx_is_pss(ctx)) {
708
709	if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
710	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
711	EVP_PKEY_CTRL_RSA_MGF1_MD, value);
712
713	if (strcmp(type, "rsa_pss_keygen_md") == 0)
714	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
715	EVP_PKEY_CTRL_MD, value);
716
717	if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
718	int saltlen = atoi(value);
719
720	return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
721	}
722	}
723
724	if (strcmp(type, "rsa_oaep_md") == 0)
725	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
726	EVP_PKEY_CTRL_RSA_OAEP_MD, value);
727
728	if (strcmp(type, "rsa_oaep_label") == 0) {
729	unsigned char *lab;
730	long lablen;
731	int ret;
732
733	lab = OPENSSL_hexstr2buf(value, &lablen);
734	if (!lab)
735	return 0;
736	ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
737	if (ret <= 0)
738	OPENSSL_free(lab);
739	return ret;
740	}
741
742	return -2;
743	}
744
745	/* Set PSS parameters when generating a key, if necessary */
746	static int rsa_set_pss_param(RSA rsa, EVP_PKEY_CTX ctx)
747	{
748	RSA_PKEY_CTX *rctx = ctx->data;
749
750	if (!pkey_ctx_is_pss(ctx))
751	return 1;
752	/* If all parameters are default values don't set pss */
753	if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2)
754	return 1;
755	rsa->pss = ossl_rsa_pss_params_create(rctx->md, rctx->mgf1md,
756	rctx->saltlen == -2
757	? 0 : rctx->saltlen);
758	if (rsa->pss == NULL)
759	return 0;
760	return 1;
761	}
762
763	static int pkey_rsa_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
764	{
765	RSA *rsa = NULL;
766	RSA_PKEY_CTX *rctx = ctx->data;
767	BN_GENCB *pcb;
768	int ret;
769
770	if (rctx->pub_exp == NULL) {
771	rctx->pub_exp = BN_new();
772	if (rctx->pub_exp == NULL \|\| !BN_set_word(rctx->pub_exp, RSA_F4))
773	return 0;
774	}
775	rsa = RSA_new();
776	if (rsa == NULL)
777	return 0;
778	if (ctx->pkey_gencb) {
779	pcb = BN_GENCB_new();
780	if (pcb == NULL) {
781	RSA_free(rsa);
782	return 0;
783	}
784	evp_pkey_set_cb_translate(pcb, ctx);
785	} else {
786	pcb = NULL;
787	}
788	ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes,
789	rctx->pub_exp, pcb);
790	BN_GENCB_free(pcb);
791	if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
792	RSA_free(rsa);
793	return 0;
794	}
795	if (ret > 0)
796	EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
797	else
798	RSA_free(rsa);
799	return ret;
800	}
801
802	static const EVP_PKEY_METHOD rsa_pkey_meth = {
803	EVP_PKEY_RSA,
804	EVP_PKEY_FLAG_AUTOARGLEN,
805	pkey_rsa_init,
806	pkey_rsa_copy,
807	pkey_rsa_cleanup,
808
809	0, 0,
810
811	0,
812	pkey_rsa_keygen,
813
814	0,
815	pkey_rsa_sign,
816
817	0,
818	pkey_rsa_verify,
819
820	0,
821	pkey_rsa_verifyrecover,
822
823	0, 0, 0, 0,
824
825	0,
826	pkey_rsa_encrypt,
827
828	0,
829	pkey_rsa_decrypt,
830
831	0, 0,
832
833	pkey_rsa_ctrl,
834	pkey_rsa_ctrl_str
835	};
836
837	const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void)
838	{
839	return &rsa_pkey_meth;
840	}
841
842	/*
843	* Called for PSS sign or verify initialisation: checks PSS parameter
844	* sanity and sets any restrictions on key usage.
845	*/
846
847	static int pkey_pss_init(EVP_PKEY_CTX *ctx)
848	{
849	const RSA *rsa;
850	RSA_PKEY_CTX *rctx = ctx->data;
851	const EVP_MD *md;
852	const EVP_MD *mgf1md;
853	int min_saltlen, max_saltlen;
854
855	/* Should never happen */
856	if (!pkey_ctx_is_pss(ctx))
857	return 0;
858	rsa = EVP_PKEY_get0_RSA(ctx->pkey);
859	/* If no restrictions just return */
860	if (rsa->pss == NULL)
861	return 1;
862	/* Get and check parameters */
863	if (!ossl_rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
864	return 0;
865
866	/* See if minimum salt length exceeds maximum possible */
867	max_saltlen = RSA_size(rsa) - EVP_MD_get_size(md);
868	if ((RSA_bits(rsa) & 0x7) == 1)
869	max_saltlen--;
870	if (min_saltlen > max_saltlen) {
871	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
872	return 0;
873	}
874
875	rctx->min_saltlen = min_saltlen;
876
877	/*
878	* Set PSS restrictions as defaults: we can then block any attempt to
879	* use invalid values in pkey_rsa_ctrl
880	*/
881
882	rctx->md = md;
883	rctx->mgf1md = mgf1md;
884	rctx->saltlen = min_saltlen;
885
886	return 1;
887	}
888
889	static const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
890	EVP_PKEY_RSA_PSS,
891	EVP_PKEY_FLAG_AUTOARGLEN,
892	pkey_rsa_init,
893	pkey_rsa_copy,
894	pkey_rsa_cleanup,
895
896	0, 0,
897
898	0,
899	pkey_rsa_keygen,
900
901	pkey_pss_init,
902	pkey_rsa_sign,
903
904	pkey_pss_init,
905	pkey_rsa_verify,
906
907	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
908
909	pkey_rsa_ctrl,
910	pkey_rsa_ctrl_str
911	};
912
913	const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void)
914	{
915	return &rsa_pss_pkey_meth;
916	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.3.2/crypto/rsa/rsa_pmeth.c

Download in other formats: