1 /* $OpenBSD: rsa_pmeth.c,v 1.16 2015/02/11 04:05:14 beck Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2006. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #include <limits.h> 60 #include <stdio.h> 61 #include <string.h> 62 63 #include <openssl/opensslconf.h> 64 65 #include <openssl/asn1t.h> 66 #include <openssl/bn.h> 67 #include <openssl/err.h> 68 #include <openssl/evp.h> 69 #include <openssl/rsa.h> 70 #include <openssl/x509.h> 71 72 #ifndef OPENSSL_NO_CMS 73 #include <openssl/cms.h> 74 #endif 75 76 #include "evp_locl.h" 77 #include "rsa_locl.h" 78 79 /* RSA pkey context structure */ 80 81 typedef struct { 82 /* Key gen parameters */ 83 int nbits; 84 BIGNUM *pub_exp; 85 /* Keygen callback info */ 86 int gentmp[2]; 87 /* RSA padding mode */ 88 int pad_mode; 89 /* message digest */ 90 const EVP_MD *md; 91 /* message digest for MGF1 */ 92 const EVP_MD *mgf1md; 93 /* PSS/OAEP salt length */ 94 int saltlen; 95 /* Temp buffer */ 96 unsigned char *tbuf; 97 } RSA_PKEY_CTX; 98 99 static int 100 pkey_rsa_init(EVP_PKEY_CTX *ctx) 101 { 102 RSA_PKEY_CTX *rctx; 103 104 rctx = malloc(sizeof(RSA_PKEY_CTX)); 105 if (!rctx) 106 return 0; 107 rctx->nbits = 2048; 108 rctx->pub_exp = NULL; 109 rctx->pad_mode = RSA_PKCS1_PADDING; 110 rctx->md = NULL; 111 rctx->mgf1md = NULL; 112 rctx->tbuf = NULL; 113 114 rctx->saltlen = -2; 115 116 ctx->data = rctx; 117 ctx->keygen_info = rctx->gentmp; 118 ctx->keygen_info_count = 2; 119 120 return 1; 121 } 122 123 static int 124 pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 125 { 126 RSA_PKEY_CTX *dctx, *sctx; 127 128 if (!pkey_rsa_init(dst)) 129 return 0; 130 sctx = src->data; 131 dctx = dst->data; 132 dctx->nbits = sctx->nbits; 133 if (sctx->pub_exp) { 134 dctx->pub_exp = BN_dup(sctx->pub_exp); 135 if (!dctx->pub_exp) 136 return 0; 137 } 138 dctx->pad_mode = sctx->pad_mode; 139 dctx->md = sctx->md; 140 return 1; 141 } 142 143 static int 144 setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) 145 { 146 if (ctx->tbuf) 147 return 1; 148 ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey)); 149 if (!ctx->tbuf) 150 return 0; 151 return 1; 152 } 153 154 static void 155 pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) 156 { 157 RSA_PKEY_CTX *rctx = ctx->data; 158 159 if (rctx) { 160 BN_free(rctx->pub_exp); 161 free(rctx->tbuf); 162 free(rctx); 163 } 164 } 165 166 static int 167 pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 168 const unsigned char *tbs, size_t tbslen) 169 { 170 int ret; 171 RSA_PKEY_CTX *rctx = ctx->data; 172 RSA *rsa = ctx->pkey->pkey.rsa; 173 174 if (rctx->md) { 175 if (tbslen != (size_t)EVP_MD_size(rctx->md)) { 176 RSAerr(RSA_F_PKEY_RSA_SIGN, 177 RSA_R_INVALID_DIGEST_LENGTH); 178 return -1; 179 } 180 181 if (rctx->pad_mode == RSA_X931_PADDING) { 182 if (!setup_tbuf(rctx, ctx)) 183 return -1; 184 memcpy(rctx->tbuf, tbs, tbslen); 185 rctx->tbuf[tbslen] = 186 RSA_X931_hash_id(EVP_MD_type(rctx->md)); 187 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig, 188 rsa, RSA_X931_PADDING); 189 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 190 unsigned int sltmp; 191 192 ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, 193 &sltmp, rsa); 194 if (ret <= 0) 195 return ret; 196 ret = sltmp; 197 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 198 if (!setup_tbuf(rctx, ctx)) 199 return -1; 200 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf, 201 tbs, rctx->md, rctx->mgf1md, rctx->saltlen)) 202 return -1; 203 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 204 sig, rsa, RSA_NO_PADDING); 205 } else 206 return -1; 207 } else 208 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, 209 rctx->pad_mode); 210 if (ret < 0) 211 return ret; 212 *siglen = ret; 213 return 1; 214 } 215 216 static int 217 pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen, 218 const unsigned char *sig, size_t siglen) 219 { 220 int ret; 221 RSA_PKEY_CTX *rctx = ctx->data; 222 223 if (rctx->md) { 224 if (rctx->pad_mode == RSA_X931_PADDING) { 225 if (!setup_tbuf(rctx, ctx)) 226 return -1; 227 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 228 ctx->pkey->pkey.rsa, RSA_X931_PADDING); 229 if (ret < 1) 230 return 0; 231 ret--; 232 if (rctx->tbuf[ret] != 233 RSA_X931_hash_id(EVP_MD_type(rctx->md))) { 234 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 235 RSA_R_ALGORITHM_MISMATCH); 236 return 0; 237 } 238 if (ret != EVP_MD_size(rctx->md)) { 239 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 240 RSA_R_INVALID_DIGEST_LENGTH); 241 return 0; 242 } 243 if (rout) 244 memcpy(rout, rctx->tbuf, ret); 245 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 246 size_t sltmp; 247 248 ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0, 249 rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa); 250 if (ret <= 0) 251 return 0; 252 ret = sltmp; 253 } else 254 return -1; 255 } else 256 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, 257 rctx->pad_mode); 258 if (ret < 0) 259 return ret; 260 *routlen = ret; 261 return 1; 262 } 263 264 static int 265 pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, 266 const unsigned char *tbs, size_t tbslen) 267 { 268 RSA_PKEY_CTX *rctx = ctx->data; 269 RSA *rsa = ctx->pkey->pkey.rsa; 270 size_t rslen; 271 272 if (rctx->md) { 273 if (rctx->pad_mode == RSA_PKCS1_PADDING) 274 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 275 sig, siglen, rsa); 276 if (rctx->pad_mode == RSA_X931_PADDING) { 277 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, 278 siglen) <= 0) 279 return 0; 280 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 281 int ret; 282 283 if (!setup_tbuf(rctx, ctx)) 284 return -1; 285 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 286 rsa, RSA_NO_PADDING); 287 if (ret <= 0) 288 return 0; 289 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, 290 rctx->mgf1md, rctx->tbuf, rctx->saltlen); 291 if (ret <= 0) 292 return 0; 293 return 1; 294 } else 295 return -1; 296 } else { 297 if (!setup_tbuf(rctx, ctx)) 298 return -1; 299 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, 300 rctx->pad_mode); 301 if (rslen == 0) 302 return 0; 303 } 304 305 if (rslen != tbslen || memcmp(tbs, rctx->tbuf, rslen)) 306 return 0; 307 308 return 1; 309 } 310 311 static int 312 pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, 313 const unsigned char *in, size_t inlen) 314 { 315 int ret; 316 RSA_PKEY_CTX *rctx = ctx->data; 317 318 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, 319 rctx->pad_mode); 320 if (ret < 0) 321 return ret; 322 *outlen = ret; 323 return 1; 324 } 325 326 static int 327 pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, 328 const unsigned char *in, size_t inlen) 329 { 330 int ret; 331 RSA_PKEY_CTX *rctx = ctx->data; 332 333 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, 334 rctx->pad_mode); 335 if (ret < 0) 336 return ret; 337 *outlen = ret; 338 return 1; 339 } 340 341 static int 342 check_padding_md(const EVP_MD *md, int padding) 343 { 344 if (!md) 345 return 1; 346 347 if (padding == RSA_NO_PADDING) { 348 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); 349 return 0; 350 } 351 352 if (padding == RSA_X931_PADDING) { 353 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) { 354 RSAerr(RSA_F_CHECK_PADDING_MD, 355 RSA_R_INVALID_X931_DIGEST); 356 return 0; 357 } 358 return 1; 359 } 360 361 return 1; 362 } 363 364 static int 365 pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 366 { 367 RSA_PKEY_CTX *rctx = ctx->data; 368 369 switch (type) { 370 case EVP_PKEY_CTRL_RSA_PADDING: 371 if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) { 372 if (!check_padding_md(rctx->md, p1)) 373 return 0; 374 if (p1 == RSA_PKCS1_PSS_PADDING) { 375 if (!(ctx->operation & 376 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) 377 goto bad_pad; 378 if (!rctx->md) 379 rctx->md = EVP_sha1(); 380 } 381 if (p1 == RSA_PKCS1_OAEP_PADDING) { 382 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) 383 goto bad_pad; 384 if (!rctx->md) 385 rctx->md = EVP_sha1(); 386 } 387 rctx->pad_mode = p1; 388 return 1; 389 } 390 bad_pad: 391 RSAerr(RSA_F_PKEY_RSA_CTRL, 392 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 393 return -2; 394 395 case EVP_PKEY_CTRL_GET_RSA_PADDING: 396 *(int *)p2 = rctx->pad_mode; 397 return 1; 398 399 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 400 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 401 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { 402 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 403 return -2; 404 } 405 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) 406 *(int *)p2 = rctx->saltlen; 407 else { 408 if (p1 < -2) 409 return -2; 410 rctx->saltlen = p1; 411 } 412 return 1; 413 414 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 415 if (p1 < 256) { 416 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS); 417 return -2; 418 } 419 rctx->nbits = p1; 420 return 1; 421 422 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 423 if (!p2) 424 return -2; 425 rctx->pub_exp = p2; 426 return 1; 427 428 case EVP_PKEY_CTRL_MD: 429 if (!check_padding_md(p2, rctx->pad_mode)) 430 return 0; 431 rctx->md = p2; 432 return 1; 433 434 case EVP_PKEY_CTRL_RSA_MGF1_MD: 435 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 436 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { 437 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); 438 return -2; 439 } 440 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { 441 if (rctx->mgf1md) 442 *(const EVP_MD **)p2 = rctx->mgf1md; 443 else 444 *(const EVP_MD **)p2 = rctx->md; 445 } else 446 rctx->mgf1md = p2; 447 return 1; 448 449 case EVP_PKEY_CTRL_DIGESTINIT: 450 case EVP_PKEY_CTRL_PKCS7_ENCRYPT: 451 case EVP_PKEY_CTRL_PKCS7_DECRYPT: 452 case EVP_PKEY_CTRL_PKCS7_SIGN: 453 return 1; 454 #ifndef OPENSSL_NO_CMS 455 case EVP_PKEY_CTRL_CMS_DECRYPT: 456 { 457 X509_ALGOR *alg = NULL; 458 ASN1_OBJECT *encalg = NULL; 459 460 if (p2) 461 CMS_RecipientInfo_ktri_get0_algs(p2, NULL, 462 NULL, &alg); 463 if (alg) 464 X509_ALGOR_get0(&encalg, NULL, NULL, alg); 465 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep) 466 rctx->pad_mode = RSA_PKCS1_OAEP_PADDING; 467 } 468 /* FALLTHROUGH */ 469 470 case EVP_PKEY_CTRL_CMS_ENCRYPT: 471 case EVP_PKEY_CTRL_CMS_SIGN: 472 return 1; 473 #endif 474 case EVP_PKEY_CTRL_PEER_KEY: 475 RSAerr(RSA_F_PKEY_RSA_CTRL, 476 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 477 return -2; 478 479 default: 480 return -2; 481 } 482 } 483 484 static int 485 pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) 486 { 487 long lval; 488 char *ep; 489 490 if (!value) { 491 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); 492 return 0; 493 } 494 if (!strcmp(type, "rsa_padding_mode")) { 495 int pm; 496 if (!strcmp(value, "pkcs1")) 497 pm = RSA_PKCS1_PADDING; 498 else if (!strcmp(value, "sslv23")) 499 pm = RSA_SSLV23_PADDING; 500 else if (!strcmp(value, "none")) 501 pm = RSA_NO_PADDING; 502 else if (!strcmp(value, "oeap")) 503 pm = RSA_PKCS1_OAEP_PADDING; 504 else if (!strcmp(value, "oaep")) 505 pm = RSA_PKCS1_OAEP_PADDING; 506 else if (!strcmp(value, "x931")) 507 pm = RSA_X931_PADDING; 508 else if (!strcmp(value, "pss")) 509 pm = RSA_PKCS1_PSS_PADDING; 510 else { 511 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, 512 RSA_R_UNKNOWN_PADDING_TYPE); 513 return -2; 514 } 515 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); 516 } 517 518 if (!strcmp(type, "rsa_pss_saltlen")) { 519 int saltlen; 520 521 errno = 0; 522 lval = strtol(value, &ep, 10); 523 if (value[0] == '\0' || *ep != '\0') 524 goto not_a_number; 525 if ((errno == ERANGE && 526 (lval == LONG_MAX || lval == LONG_MIN)) || 527 (lval > INT_MAX || lval < INT_MIN)) 528 goto out_of_range; 529 saltlen = lval; 530 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); 531 } 532 533 if (!strcmp(type, "rsa_keygen_bits")) { 534 int nbits; 535 536 errno = 0; 537 lval = strtol(value, &ep, 10); 538 if (value[0] == '\0' || *ep != '\0') 539 goto not_a_number; 540 if ((errno == ERANGE && 541 (lval == LONG_MAX || lval == LONG_MIN)) || 542 (lval > INT_MAX || lval < INT_MIN)) 543 goto out_of_range; 544 nbits = lval; 545 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); 546 } 547 548 if (!strcmp(type, "rsa_keygen_pubexp")) { 549 int ret; 550 BIGNUM *pubexp = NULL; 551 552 if (!BN_asc2bn(&pubexp, value)) 553 return 0; 554 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); 555 if (ret <= 0) 556 BN_free(pubexp); 557 return ret; 558 } 559 560 not_a_number: 561 out_of_range: 562 return -2; 563 } 564 565 static int 566 pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 567 { 568 RSA *rsa = NULL; 569 RSA_PKEY_CTX *rctx = ctx->data; 570 BN_GENCB *pcb, cb; 571 int ret; 572 573 if (!rctx->pub_exp) { 574 rctx->pub_exp = BN_new(); 575 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) 576 return 0; 577 } 578 rsa = RSA_new(); 579 if (!rsa) 580 return 0; 581 if (ctx->pkey_gencb) { 582 pcb = &cb; 583 evp_pkey_set_cb_translate(pcb, ctx); 584 } else 585 pcb = NULL; 586 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb); 587 if (ret > 0) 588 EVP_PKEY_assign_RSA(pkey, rsa); 589 else 590 RSA_free(rsa); 591 return ret; 592 } 593 594 const EVP_PKEY_METHOD rsa_pkey_meth = { 595 .pkey_id = EVP_PKEY_RSA, 596 .flags = EVP_PKEY_FLAG_AUTOARGLEN, 597 598 .init = pkey_rsa_init, 599 .copy = pkey_rsa_copy, 600 .cleanup = pkey_rsa_cleanup, 601 602 .keygen = pkey_rsa_keygen, 603 604 .sign = pkey_rsa_sign, 605 606 .verify = pkey_rsa_verify, 607 608 .verify_recover = pkey_rsa_verifyrecover, 609 610 .encrypt = pkey_rsa_encrypt, 611 612 .decrypt = pkey_rsa_decrypt, 613 614 .ctrl = pkey_rsa_ctrl, 615 .ctrl_str = pkey_rsa_ctrl_str 616 }; 617