1 /* $OpenBSD: rsa_pmeth.c,v 1.33 2021/12/04 16:08:32 tb Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2006. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #include <limits.h> 60 #include <stdio.h> 61 #include <string.h> 62 63 #include <openssl/opensslconf.h> 64 65 #include <openssl/asn1t.h> 66 #include <openssl/bn.h> 67 #include <openssl/err.h> 68 #include <openssl/evp.h> 69 #include <openssl/rsa.h> 70 #include <openssl/x509.h> 71 #include <openssl/x509v3.h> 72 73 #include "bn_lcl.h" 74 #include "evp_locl.h" 75 #include "rsa_locl.h" 76 77 /* RSA pkey context structure */ 78 79 typedef struct { 80 /* Key gen parameters */ 81 int nbits; 82 BIGNUM *pub_exp; 83 /* Keygen callback info */ 84 int gentmp[2]; 85 /* RSA padding mode */ 86 int pad_mode; 87 /* message digest */ 88 const EVP_MD *md; 89 /* message digest for MGF1 */ 90 const EVP_MD *mgf1md; 91 /* PSS salt length */ 92 int saltlen; 93 /* Minimum salt length or -1 if no PSS parameter restriction */ 94 int min_saltlen; 95 /* Temp buffer */ 96 unsigned char *tbuf; 97 /* OAEP label */ 98 unsigned char *oaep_label; 99 size_t oaep_labellen; 100 } RSA_PKEY_CTX; 101 102 /* True if PSS parameters are restricted */ 103 #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) 104 105 static int 106 pkey_rsa_init(EVP_PKEY_CTX *ctx) 107 { 108 RSA_PKEY_CTX *rctx; 109 110 if ((rctx = calloc(1, sizeof(RSA_PKEY_CTX))) == NULL) 111 return 0; 112 113 rctx->nbits = 2048; 114 115 if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) 116 rctx->pad_mode = RSA_PKCS1_PSS_PADDING; 117 else 118 rctx->pad_mode = RSA_PKCS1_PADDING; 119 120 /* Maximum for sign, auto for verify */ 121 rctx->saltlen = RSA_PSS_SALTLEN_AUTO; 122 rctx->min_saltlen = -1; 123 124 ctx->data = rctx; 125 ctx->keygen_info = rctx->gentmp; 126 ctx->keygen_info_count = 2; 127 128 return 1; 129 } 130 131 static int 132 pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 133 { 134 RSA_PKEY_CTX *dctx, *sctx; 135 136 if (!pkey_rsa_init(dst)) 137 return 0; 138 139 sctx = src->data; 140 dctx = dst->data; 141 dctx->nbits = sctx->nbits; 142 if (sctx->pub_exp != NULL) { 143 BN_free(dctx->pub_exp); 144 if ((dctx->pub_exp = BN_dup(sctx->pub_exp)) == NULL) 145 return 0; 146 } 147 dctx->pad_mode = sctx->pad_mode; 148 dctx->md = sctx->md; 149 dctx->mgf1md = sctx->mgf1md; 150 if (sctx->oaep_label != NULL) { 151 free(dctx->oaep_label); 152 if ((dctx->oaep_label = calloc(1, sctx->oaep_labellen)) == NULL) 153 return 0; 154 memcpy(dctx->oaep_label, sctx->oaep_label, sctx->oaep_labellen); 155 dctx->oaep_labellen = sctx->oaep_labellen; 156 } 157 158 return 1; 159 } 160 161 static int 162 setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) 163 { 164 if (ctx->tbuf != NULL) 165 return 1; 166 if ((ctx->tbuf = calloc(1, EVP_PKEY_size(pk->pkey))) == NULL) { 167 RSAerror(ERR_R_MALLOC_FAILURE); 168 return 0; 169 } 170 return 1; 171 } 172 173 static void 174 pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) 175 { 176 RSA_PKEY_CTX *rctx = ctx->data; 177 178 if (rctx) { 179 BN_free(rctx->pub_exp); 180 free(rctx->tbuf); 181 free(rctx->oaep_label); 182 free(rctx); 183 } 184 } 185 186 static int 187 pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 188 const unsigned char *tbs, size_t tbslen) 189 { 190 int ret; 191 RSA_PKEY_CTX *rctx = ctx->data; 192 RSA *rsa = ctx->pkey->pkey.rsa; 193 194 if (rctx->md) { 195 if (tbslen != (size_t)EVP_MD_size(rctx->md)) { 196 RSAerror(RSA_R_INVALID_DIGEST_LENGTH); 197 return -1; 198 } 199 200 if (rctx->pad_mode == RSA_X931_PADDING) { 201 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { 202 RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); 203 return -1; 204 } 205 if (!setup_tbuf(rctx, ctx)) { 206 RSAerror(ERR_R_MALLOC_FAILURE); 207 return -1; 208 } 209 memcpy(rctx->tbuf, tbs, tbslen); 210 rctx->tbuf[tbslen] = 211 RSA_X931_hash_id(EVP_MD_type(rctx->md)); 212 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig, 213 rsa, RSA_X931_PADDING); 214 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 215 unsigned int sltmp; 216 217 ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, 218 &sltmp, rsa); 219 if (ret <= 0) 220 return ret; 221 ret = sltmp; 222 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 223 if (!setup_tbuf(rctx, ctx)) 224 return -1; 225 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf, 226 tbs, rctx->md, rctx->mgf1md, rctx->saltlen)) 227 return -1; 228 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 229 sig, rsa, RSA_NO_PADDING); 230 } else { 231 return -1; 232 } 233 } else { 234 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, 235 rctx->pad_mode); 236 } 237 if (ret < 0) 238 return ret; 239 *siglen = ret; 240 return 1; 241 } 242 243 static int 244 pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen, 245 const unsigned char *sig, size_t siglen) 246 { 247 int ret; 248 RSA_PKEY_CTX *rctx = ctx->data; 249 250 if (rctx->md) { 251 if (rctx->pad_mode == RSA_X931_PADDING) { 252 if (!setup_tbuf(rctx, ctx)) 253 return -1; 254 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 255 ctx->pkey->pkey.rsa, RSA_X931_PADDING); 256 if (ret < 1) 257 return 0; 258 ret--; 259 if (rctx->tbuf[ret] != 260 RSA_X931_hash_id(EVP_MD_type(rctx->md))) { 261 RSAerror(RSA_R_ALGORITHM_MISMATCH); 262 return 0; 263 } 264 if (ret != EVP_MD_size(rctx->md)) { 265 RSAerror(RSA_R_INVALID_DIGEST_LENGTH); 266 return 0; 267 } 268 if (rout) 269 memcpy(rout, rctx->tbuf, ret); 270 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 271 size_t sltmp; 272 273 ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0, 274 rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa); 275 if (ret <= 0) 276 return 0; 277 ret = sltmp; 278 } else { 279 return -1; 280 } 281 } else { 282 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, 283 rctx->pad_mode); 284 } 285 if (ret < 0) 286 return ret; 287 *routlen = ret; 288 return 1; 289 } 290 291 static int 292 pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, 293 const unsigned char *tbs, size_t tbslen) 294 { 295 RSA_PKEY_CTX *rctx = ctx->data; 296 RSA *rsa = ctx->pkey->pkey.rsa; 297 size_t rslen; 298 299 if (rctx->md) { 300 if (rctx->pad_mode == RSA_PKCS1_PADDING) 301 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 302 sig, siglen, rsa); 303 if (tbslen != (size_t)EVP_MD_size(rctx->md)) { 304 RSAerror(RSA_R_INVALID_DIGEST_LENGTH); 305 return -1; 306 } 307 if (rctx->pad_mode == RSA_X931_PADDING) { 308 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, 309 siglen) <= 0) 310 return 0; 311 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 312 int ret; 313 314 if (!setup_tbuf(rctx, ctx)) 315 return -1; 316 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 317 rsa, RSA_NO_PADDING); 318 if (ret <= 0) 319 return 0; 320 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, 321 rctx->mgf1md, rctx->tbuf, rctx->saltlen); 322 if (ret <= 0) 323 return 0; 324 return 1; 325 } else { 326 return -1; 327 } 328 } else { 329 if (!setup_tbuf(rctx, ctx)) 330 return -1; 331 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, 332 rctx->pad_mode); 333 if (rslen == 0) 334 return 0; 335 } 336 337 if (rslen != tbslen || timingsafe_bcmp(tbs, rctx->tbuf, rslen)) 338 return 0; 339 340 return 1; 341 } 342 343 static int 344 pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, 345 const unsigned char *in, size_t inlen) 346 { 347 RSA_PKEY_CTX *rctx = ctx->data; 348 int ret; 349 350 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 351 int klen = RSA_size(ctx->pkey->pkey.rsa); 352 if (!setup_tbuf(rctx, ctx)) 353 return -1; 354 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, 355 in, inlen, rctx->oaep_label, rctx->oaep_labellen, 356 rctx->md, rctx->mgf1md)) 357 return -1; 358 ret = RSA_public_encrypt(klen, rctx->tbuf, out, 359 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 360 } else { 361 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, 362 rctx->pad_mode); 363 } 364 if (ret < 0) 365 return ret; 366 *outlen = ret; 367 return 1; 368 } 369 370 static int 371 pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, 372 const unsigned char *in, size_t inlen) 373 { 374 int ret; 375 RSA_PKEY_CTX *rctx = ctx->data; 376 377 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 378 if (!setup_tbuf(rctx, ctx)) 379 return -1; 380 ret = RSA_private_decrypt(inlen, in, rctx->tbuf, 381 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 382 if (ret <= 0) 383 return ret; 384 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, 385 ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md, 386 rctx->mgf1md); 387 } else { 388 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, 389 rctx->pad_mode); 390 } 391 if (ret < 0) 392 return ret; 393 *outlen = ret; 394 return 1; 395 } 396 397 static int 398 check_padding_md(const EVP_MD *md, int padding) 399 { 400 if (md == NULL) 401 return 1; 402 403 if (padding == RSA_NO_PADDING) { 404 RSAerror(RSA_R_INVALID_PADDING_MODE); 405 return 0; 406 } 407 408 if (padding == RSA_X931_PADDING) { 409 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) { 410 RSAerror(RSA_R_INVALID_X931_DIGEST); 411 return 0; 412 } 413 } else { 414 /* List of all supported RSA digests. */ 415 switch(EVP_MD_type(md)) { 416 case NID_sha1: 417 case NID_sha224: 418 case NID_sha256: 419 case NID_sha384: 420 case NID_sha512: 421 case NID_md5: 422 case NID_md5_sha1: 423 case NID_md4: 424 case NID_ripemd160: 425 return 1; 426 427 default: 428 RSAerror(RSA_R_INVALID_DIGEST); 429 return 0; 430 } 431 } 432 433 return 1; 434 } 435 436 static int 437 pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 438 { 439 RSA_PKEY_CTX *rctx = ctx->data; 440 441 switch (type) { 442 case EVP_PKEY_CTRL_RSA_PADDING: 443 if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) { 444 if (!check_padding_md(rctx->md, p1)) 445 return 0; 446 if (p1 == RSA_PKCS1_PSS_PADDING) { 447 if (!(ctx->operation & 448 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) 449 goto bad_pad; 450 if (!rctx->md) 451 rctx->md = EVP_sha1(); 452 } else if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { 453 goto bad_pad; 454 } 455 if (p1 == RSA_PKCS1_OAEP_PADDING) { 456 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) 457 goto bad_pad; 458 if (!rctx->md) 459 rctx->md = EVP_sha1(); 460 } 461 rctx->pad_mode = p1; 462 return 1; 463 } 464 bad_pad: 465 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 466 return -2; 467 468 case EVP_PKEY_CTRL_GET_RSA_PADDING: 469 *(int *)p2 = rctx->pad_mode; 470 return 1; 471 472 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 473 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 474 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { 475 RSAerror(RSA_R_INVALID_PSS_SALTLEN); 476 return -2; 477 } 478 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { 479 *(int *)p2 = rctx->saltlen; 480 } else { 481 if (p1 < RSA_PSS_SALTLEN_MAX) 482 return -2; 483 if (rsa_pss_restricted(rctx)) { 484 if (p1 == RSA_PSS_SALTLEN_AUTO && 485 ctx->operation == EVP_PKEY_OP_VERIFY) { 486 RSAerror(RSA_R_INVALID_PSS_SALTLEN); 487 return -2; 488 } 489 if ((p1 == RSA_PSS_SALTLEN_DIGEST && 490 rctx->min_saltlen > EVP_MD_size(rctx->md)) || 491 (p1 >= 0 && p1 < rctx->min_saltlen)) { 492 RSAerror(RSA_R_PSS_SALTLEN_TOO_SMALL); 493 return 0; 494 } 495 } 496 rctx->saltlen = p1; 497 } 498 return 1; 499 500 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 501 if (p1 < RSA_MIN_MODULUS_BITS) { 502 RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); 503 return -2; 504 } 505 rctx->nbits = p1; 506 return 1; 507 508 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 509 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || 510 BN_is_one((BIGNUM *)p2)) { 511 RSAerror(RSA_R_BAD_E_VALUE); 512 return -2; 513 } 514 BN_free(rctx->pub_exp); 515 rctx->pub_exp = p2; 516 return 1; 517 518 case EVP_PKEY_CTRL_RSA_OAEP_MD: 519 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: 520 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 521 RSAerror(RSA_R_INVALID_PADDING_MODE); 522 return -2; 523 } 524 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) 525 *(const EVP_MD **)p2 = rctx->md; 526 else 527 rctx->md = p2; 528 return 1; 529 530 case EVP_PKEY_CTRL_MD: 531 if (!check_padding_md(p2, rctx->pad_mode)) 532 return 0; 533 if (rsa_pss_restricted(rctx)) { 534 if (EVP_MD_type(rctx->md) == EVP_MD_type(p2)) 535 return 1; 536 RSAerror(RSA_R_DIGEST_NOT_ALLOWED); 537 return 0; 538 } 539 rctx->md = p2; 540 return 1; 541 542 case EVP_PKEY_CTRL_GET_MD: 543 *(const EVP_MD **)p2 = rctx->md; 544 return 1; 545 546 case EVP_PKEY_CTRL_RSA_MGF1_MD: 547 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 548 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING && 549 rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 550 RSAerror(RSA_R_INVALID_MGF1_MD); 551 return -2; 552 } 553 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { 554 if (rctx->mgf1md) 555 *(const EVP_MD **)p2 = rctx->mgf1md; 556 else 557 *(const EVP_MD **)p2 = rctx->md; 558 } else { 559 if (rsa_pss_restricted(rctx)) { 560 if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2)) 561 return 1; 562 RSAerror(RSA_R_MGF1_DIGEST_NOT_ALLOWED); 563 return 0; 564 } 565 rctx->mgf1md = p2; 566 } 567 return 1; 568 569 case EVP_PKEY_CTRL_RSA_OAEP_LABEL: 570 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 571 RSAerror(RSA_R_INVALID_PADDING_MODE); 572 return -2; 573 } 574 free(rctx->oaep_label); 575 if (p2 != NULL && p1 > 0) { 576 rctx->oaep_label = p2; 577 rctx->oaep_labellen = p1; 578 } else { 579 rctx->oaep_label = NULL; 580 rctx->oaep_labellen = 0; 581 } 582 return 1; 583 584 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: 585 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 586 RSAerror(RSA_R_INVALID_PADDING_MODE); 587 return -2; 588 } 589 *(unsigned char **)p2 = rctx->oaep_label; 590 return rctx->oaep_labellen; 591 592 case EVP_PKEY_CTRL_DIGESTINIT: 593 case EVP_PKEY_CTRL_PKCS7_SIGN: 594 #ifndef OPENSSL_NO_CMS 595 case EVP_PKEY_CTRL_CMS_SIGN: 596 #endif 597 return 1; 598 599 case EVP_PKEY_CTRL_PKCS7_ENCRYPT: 600 case EVP_PKEY_CTRL_PKCS7_DECRYPT: 601 #ifndef OPENSSL_NO_CMS 602 case EVP_PKEY_CTRL_CMS_DECRYPT: 603 case EVP_PKEY_CTRL_CMS_ENCRYPT: 604 #endif 605 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) 606 return 1; 607 608 /* fall through */ 609 case EVP_PKEY_CTRL_PEER_KEY: 610 RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 611 return -2; 612 613 default: 614 return -2; 615 616 } 617 } 618 619 static int 620 pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) 621 { 622 if (!value) { 623 RSAerror(RSA_R_VALUE_MISSING); 624 return 0; 625 } 626 if (!strcmp(type, "rsa_padding_mode")) { 627 int pm; 628 if (!strcmp(value, "pkcs1")) 629 pm = RSA_PKCS1_PADDING; 630 else if (!strcmp(value, "none")) 631 pm = RSA_NO_PADDING; 632 else if (!strcmp(value, "oeap")) 633 pm = RSA_PKCS1_OAEP_PADDING; 634 else if (!strcmp(value, "oaep")) 635 pm = RSA_PKCS1_OAEP_PADDING; 636 else if (!strcmp(value, "x931")) 637 pm = RSA_X931_PADDING; 638 else if (!strcmp(value, "pss")) 639 pm = RSA_PKCS1_PSS_PADDING; 640 else { 641 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 642 return -2; 643 } 644 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); 645 } 646 647 if (strcmp(type, "rsa_pss_saltlen") == 0) { 648 int saltlen; 649 650 if (!strcmp(value, "digest")) 651 saltlen = RSA_PSS_SALTLEN_DIGEST; 652 else if (!strcmp(value, "max")) 653 saltlen = RSA_PSS_SALTLEN_MAX; 654 else if (!strcmp(value, "auto")) 655 saltlen = RSA_PSS_SALTLEN_AUTO; 656 else 657 saltlen = atoi(value); 658 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); 659 } 660 661 if (strcmp(type, "rsa_keygen_bits") == 0) { 662 int nbits = atoi(value); 663 664 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); 665 } 666 667 if (strcmp(type, "rsa_keygen_pubexp") == 0) { 668 BIGNUM *pubexp = NULL; 669 int ret; 670 671 if (!BN_asc2bn(&pubexp, value)) 672 return 0; 673 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); 674 if (ret <= 0) 675 BN_free(pubexp); 676 return ret; 677 } 678 679 if (strcmp(type, "rsa_mgf1_md") == 0) 680 return EVP_PKEY_CTX_md(ctx, 681 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 682 EVP_PKEY_CTRL_RSA_MGF1_MD, value); 683 684 if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { 685 if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0) 686 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, 687 EVP_PKEY_CTRL_RSA_MGF1_MD, value); 688 689 if (strcmp(type, "rsa_pss_keygen_md") == 0) 690 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, 691 EVP_PKEY_CTRL_MD, value); 692 693 if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) { 694 int saltlen = atoi(value); 695 696 return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); 697 } 698 } 699 700 if (strcmp(type, "rsa_oaep_md") == 0) 701 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, 702 EVP_PKEY_CTRL_RSA_OAEP_MD, value); 703 704 if (strcmp(type, "rsa_oaep_label") == 0) { 705 unsigned char *lab; 706 long lablen; 707 int ret; 708 709 if ((lab = string_to_hex(value, &lablen)) == NULL) 710 return 0; 711 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); 712 if (ret <= 0) 713 free(lab); 714 715 return ret; 716 } 717 718 return -2; 719 } 720 721 /* Set PSS parameters when generating a key, if necessary. */ 722 static int 723 rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) 724 { 725 RSA_PKEY_CTX *rctx = ctx->data; 726 727 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) 728 return 1; 729 730 /* If all parameters are default values then do not set PSS. */ 731 if (rctx->md == NULL && rctx->mgf1md == NULL && 732 rctx->saltlen == RSA_PSS_SALTLEN_AUTO) 733 return 1; 734 735 rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md, 736 rctx->saltlen == RSA_PSS_SALTLEN_AUTO ? 0 : rctx->saltlen); 737 if (rsa->pss == NULL) 738 return 0; 739 740 return 1; 741 } 742 743 static int 744 pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 745 { 746 RSA *rsa = NULL; 747 RSA_PKEY_CTX *rctx = ctx->data; 748 BN_GENCB *pcb, cb; 749 int ret; 750 751 if (rctx->pub_exp == NULL) { 752 if ((rctx->pub_exp = BN_new()) == NULL) 753 return 0; 754 if (!BN_set_word(rctx->pub_exp, RSA_F4)) 755 return 0; 756 } 757 if ((rsa = RSA_new()) == NULL) 758 return 0; 759 if (ctx->pkey_gencb != NULL) { 760 pcb = &cb; 761 evp_pkey_set_cb_translate(pcb, ctx); 762 } else { 763 pcb = NULL; 764 } 765 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb); 766 if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { 767 RSA_free(rsa); 768 return 0; 769 } 770 if (ret > 0) 771 EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); 772 else 773 RSA_free(rsa); 774 return ret; 775 } 776 777 const EVP_PKEY_METHOD rsa_pkey_meth = { 778 .pkey_id = EVP_PKEY_RSA, 779 .flags = EVP_PKEY_FLAG_AUTOARGLEN, 780 781 .init = pkey_rsa_init, 782 .copy = pkey_rsa_copy, 783 .cleanup = pkey_rsa_cleanup, 784 785 .keygen = pkey_rsa_keygen, 786 787 .sign = pkey_rsa_sign, 788 789 .verify = pkey_rsa_verify, 790 791 .verify_recover = pkey_rsa_verifyrecover, 792 793 .encrypt = pkey_rsa_encrypt, 794 795 .decrypt = pkey_rsa_decrypt, 796 797 .ctrl = pkey_rsa_ctrl, 798 .ctrl_str = pkey_rsa_ctrl_str 799 }; 800 801 /* 802 * Called for PSS sign or verify initialisation: checks PSS parameter 803 * sanity and sets any restrictions on key usage. 804 */ 805 806 static int 807 pkey_pss_init(EVP_PKEY_CTX *ctx) 808 { 809 RSA *rsa; 810 RSA_PKEY_CTX *rctx = ctx->data; 811 const EVP_MD *md; 812 const EVP_MD *mgf1md; 813 int min_saltlen, max_saltlen; 814 815 /* Should never happen */ 816 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) 817 return 0; 818 rsa = ctx->pkey->pkey.rsa; 819 820 /* If no restrictions just return */ 821 if (rsa->pss == NULL) 822 return 1; 823 824 /* Get and check parameters */ 825 if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) 826 return 0; 827 828 /* See if minimum salt length exceeds maximum possible */ 829 max_saltlen = RSA_size(rsa) - EVP_MD_size(md); 830 if ((RSA_bits(rsa) & 0x7) == 1) 831 max_saltlen--; 832 if (min_saltlen > max_saltlen) { 833 RSAerror(RSA_R_INVALID_SALT_LENGTH); 834 return 0; 835 } 836 rctx->min_saltlen = min_saltlen; 837 838 /* 839 * Set PSS restrictions as defaults: we can then block any attempt to 840 * use invalid values in pkey_rsa_ctrl 841 */ 842 843 rctx->md = md; 844 rctx->mgf1md = mgf1md; 845 rctx->saltlen = min_saltlen; 846 847 return 1; 848 } 849 850 const EVP_PKEY_METHOD rsa_pss_pkey_meth = { 851 .pkey_id = EVP_PKEY_RSA_PSS, 852 .flags = EVP_PKEY_FLAG_AUTOARGLEN, 853 854 .init = pkey_rsa_init, 855 .copy = pkey_rsa_copy, 856 .cleanup = pkey_rsa_cleanup, 857 858 .keygen = pkey_rsa_keygen, 859 860 .sign_init = pkey_pss_init, 861 .sign = pkey_rsa_sign, 862 863 .verify_init = pkey_pss_init, 864 .verify = pkey_rsa_verify, 865 866 .ctrl = pkey_rsa_ctrl, 867 .ctrl_str = pkey_rsa_ctrl_str 868 }; 869 870