1 /*
2  * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * RSA low level APIs are deprecated for public use, but still ok for
12  * internal use.
13  */
14 #include "internal/deprecated.h"
15 
16 #include "internal/constant_time.h"
17 
18 #include <stdio.h>
19 #include "internal/cryptlib.h"
20 #include <openssl/asn1t.h>
21 #include <openssl/x509.h>
22 #include <openssl/rsa.h>
23 #include <openssl/bn.h>
24 #include <openssl/evp.h>
25 #include <openssl/x509v3.h>
26 #include <openssl/cms.h>
27 #include "crypto/evp.h"
28 #include "crypto/rsa.h"
29 #include "rsa_local.h"
30 
31 /* RSA pkey context structure */
32 
33 typedef struct {
34     /* Key gen parameters */
35     int nbits;
36     BIGNUM *pub_exp;
37     int primes;
38     /* Keygen callback info */
39     int gentmp[2];
40     /* RSA padding mode */
41     int pad_mode;
42     /* message digest */
43     const EVP_MD *md;
44     /* message digest for MGF1 */
45     const EVP_MD *mgf1md;
46     /* PSS salt length */
47     int saltlen;
48     /* Minimum salt length or -1 if no PSS parameter restriction */
49     int min_saltlen;
50     /* Temp buffer */
51     unsigned char *tbuf;
52     /* OAEP label */
53     unsigned char *oaep_label;
54     size_t oaep_labellen;
55     /* if to use implicit rejection in PKCS#1 v1.5 decryption */
56     int implicit_rejection;
57 } RSA_PKEY_CTX;
58 
59 /* True if PSS parameters are restricted */
60 #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
61 
pkey_rsa_init(EVP_PKEY_CTX * ctx)62 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
63 {
64     RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx));
65 
66     if (rctx == NULL)
67         return 0;
68     rctx->nbits = 2048;
69     rctx->primes = RSA_DEFAULT_PRIME_NUM;
70     if (pkey_ctx_is_pss(ctx))
71         rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
72     else
73         rctx->pad_mode = RSA_PKCS1_PADDING;
74     /* Maximum for sign, auto for verify */
75     rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
76     rctx->min_saltlen = -1;
77     rctx->implicit_rejection = 1;
78     ctx->data = rctx;
79     ctx->keygen_info = rctx->gentmp;
80     ctx->keygen_info_count = 2;
81 
82     return 1;
83 }
84 
pkey_rsa_copy(EVP_PKEY_CTX * dst,const EVP_PKEY_CTX * src)85 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
86 {
87     RSA_PKEY_CTX *dctx, *sctx;
88 
89     if (!pkey_rsa_init(dst))
90         return 0;
91     sctx = src->data;
92     dctx = dst->data;
93     dctx->nbits = sctx->nbits;
94     if (sctx->pub_exp) {
95         dctx->pub_exp = BN_dup(sctx->pub_exp);
96         if (!dctx->pub_exp)
97             return 0;
98     }
99     dctx->pad_mode = sctx->pad_mode;
100     dctx->md = sctx->md;
101     dctx->mgf1md = sctx->mgf1md;
102     dctx->saltlen = sctx->saltlen;
103     dctx->implicit_rejection = sctx->implicit_rejection;
104     if (sctx->oaep_label) {
105         OPENSSL_free(dctx->oaep_label);
106         dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
107         if (!dctx->oaep_label)
108             return 0;
109         dctx->oaep_labellen = sctx->oaep_labellen;
110     }
111     return 1;
112 }
113 
setup_tbuf(RSA_PKEY_CTX * ctx,EVP_PKEY_CTX * pk)114 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
115 {
116     if (ctx->tbuf != NULL)
117         return 1;
118     if ((ctx->tbuf =
119             OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pk->pkey)))) == NULL)
120         return 0;
121     return 1;
122 }
123 
pkey_rsa_cleanup(EVP_PKEY_CTX * ctx)124 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
125 {
126     RSA_PKEY_CTX *rctx = ctx->data;
127     if (rctx) {
128         BN_free(rctx->pub_exp);
129         OPENSSL_free(rctx->tbuf);
130         OPENSSL_free(rctx->oaep_label);
131         OPENSSL_free(rctx);
132     }
133 }
134 
pkey_rsa_sign(EVP_PKEY_CTX * ctx,unsigned char * sig,size_t * siglen,const unsigned char * tbs,size_t tbslen)135 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
136                          size_t *siglen, const unsigned char *tbs,
137                          size_t tbslen)
138 {
139     int ret;
140     RSA_PKEY_CTX *rctx = ctx->data;
141     /*
142      * Discard const. Its marked as const because this may be a cached copy of
143      * the "real" key. These calls don't make any modifications that need to
144      * be reflected back in the "original" key.
145      */
146     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
147     int md_size;
148 
149     if (rctx->md) {
150         md_size = EVP_MD_get_size(rctx->md);
151         if (md_size <= 0) {
152             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
153             return -1;
154         }
155 
156         if (tbslen != (size_t)md_size) {
157             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
158             return -1;
159         }
160 
161         if (EVP_MD_get_type(rctx->md) == NID_mdc2) {
162             unsigned int sltmp;
163             if (rctx->pad_mode != RSA_PKCS1_PADDING)
164                 return -1;
165             ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, rsa);
166 
167             if (ret <= 0)
168                 return ret;
169             ret = sltmp;
170         } else if (rctx->pad_mode == RSA_X931_PADDING) {
171             if ((size_t)RSA_size(rsa) < tbslen + 1) {
172                 ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
173                 return -1;
174             }
175             if (!setup_tbuf(rctx, ctx)) {
176                 ERR_raise(ERR_LIB_RSA, ERR_R_RSA_LIB);
177                 return -1;
178             }
179             memcpy(rctx->tbuf, tbs, tbslen);
180             rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_get_type(rctx->md));
181             ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
182                                       sig, rsa, RSA_X931_PADDING);
183         } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
184             unsigned int sltmp;
185             ret = RSA_sign(EVP_MD_get_type(rctx->md),
186                            tbs, tbslen, sig, &sltmp, rsa);
187             if (ret <= 0)
188                 return ret;
189             ret = sltmp;
190         } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
191             if (!setup_tbuf(rctx, ctx))
192                 return -1;
193             if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
194                                                 rctx->tbuf, tbs,
195                                                 rctx->md, rctx->mgf1md,
196                                                 rctx->saltlen))
197                 return -1;
198             ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
199                                       sig, rsa, RSA_NO_PADDING);
200         } else {
201             return -1;
202         }
203     } else {
204         ret = RSA_private_encrypt(tbslen, tbs, sig, rsa, rctx->pad_mode);
205     }
206     if (ret < 0)
207         return ret;
208     *siglen = ret;
209     return 1;
210 }
211 
pkey_rsa_verifyrecover(EVP_PKEY_CTX * ctx,unsigned char * rout,size_t * routlen,const unsigned char * sig,size_t siglen)212 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
213                                   unsigned char *rout, size_t *routlen,
214                                   const unsigned char *sig, size_t siglen)
215 {
216     int ret;
217     RSA_PKEY_CTX *rctx = ctx->data;
218     /*
219      * Discard const. Its marked as const because this may be a cached copy of
220      * the "real" key. These calls don't make any modifications that need to
221      * be reflected back in the "original" key.
222      */
223     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
224 
225     if (rctx->md) {
226         if (rctx->pad_mode == RSA_X931_PADDING) {
227             if (!setup_tbuf(rctx, ctx))
228                 return -1;
229             ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
230                                      RSA_X931_PADDING);
231             if (ret <= 0)
232                 return 0;
233             ret--;
234             if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_get_type(rctx->md))) {
235                 ERR_raise(ERR_LIB_RSA, RSA_R_ALGORITHM_MISMATCH);
236                 return 0;
237             }
238             if (ret != EVP_MD_get_size(rctx->md)) {
239                 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
240                 return 0;
241             }
242             if (rout)
243                 memcpy(rout, rctx->tbuf, ret);
244         } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
245             size_t sltmp;
246             ret = ossl_rsa_verify(EVP_MD_get_type(rctx->md),
247                                   NULL, 0, rout, &sltmp,
248                                   sig, siglen, rsa);
249             if (ret <= 0)
250                 return 0;
251             ret = sltmp;
252         } else {
253             return -1;
254         }
255     } else {
256         ret = RSA_public_decrypt(siglen, sig, rout, rsa, rctx->pad_mode);
257     }
258     if (ret <= 0)
259         return ret;
260     *routlen = ret;
261     return 1;
262 }
263 
pkey_rsa_verify(EVP_PKEY_CTX * ctx,const unsigned char * sig,size_t siglen,const unsigned char * tbs,size_t tbslen)264 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
265                            const unsigned char *sig, size_t siglen,
266                            const unsigned char *tbs, size_t tbslen)
267 {
268     RSA_PKEY_CTX *rctx = ctx->data;
269     /*
270      * Discard const. Its marked as const because this may be a cached copy of
271      * the "real" key. These calls don't make any modifications that need to
272      * be reflected back in the "original" key.
273      */
274     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
275     size_t rslen;
276     int md_size;
277 
278     if (rctx->md) {
279         if (rctx->pad_mode == RSA_PKCS1_PADDING)
280             return RSA_verify(EVP_MD_get_type(rctx->md), tbs, tbslen,
281                               sig, siglen, rsa);
282         md_size = EVP_MD_get_size(rctx->md);
283         if (md_size <= 0) {
284             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
285             return -1;
286         }
287         if (tbslen != (size_t)md_size) {
288             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
289             return -1;
290         }
291         if (rctx->pad_mode == RSA_X931_PADDING) {
292             if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
293                 return 0;
294         } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
295             int ret;
296             if (!setup_tbuf(rctx, ctx))
297                 return -1;
298             ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
299                                      rsa, RSA_NO_PADDING);
300             if (ret <= 0)
301                 return 0;
302             ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
303                                             rctx->md, rctx->mgf1md,
304                                             rctx->tbuf, rctx->saltlen);
305             if (ret <= 0)
306                 return 0;
307             return 1;
308         } else {
309             return -1;
310         }
311     } else {
312         if (!setup_tbuf(rctx, ctx))
313             return -1;
314         rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
315                                    rsa, rctx->pad_mode);
316         if (rslen <= 0)
317             return 0;
318     }
319 
320     if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
321         return 0;
322 
323     return 1;
324 
325 }
326 
pkey_rsa_encrypt(EVP_PKEY_CTX * ctx,unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen)327 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
328                             unsigned char *out, size_t *outlen,
329                             const unsigned char *in, size_t inlen)
330 {
331     int ret;
332     RSA_PKEY_CTX *rctx = ctx->data;
333     /*
334      * Discard const. Its marked as const because this may be a cached copy of
335      * the "real" key. These calls don't make any modifications that need to
336      * be reflected back in the "original" key.
337      */
338     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
339 
340     if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
341         int klen = RSA_size(rsa);
342         if (!setup_tbuf(rctx, ctx))
343             return -1;
344         if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
345                                              in, inlen,
346                                              rctx->oaep_label,
347                                              rctx->oaep_labellen,
348                                              rctx->md, rctx->mgf1md))
349             return -1;
350         ret = RSA_public_encrypt(klen, rctx->tbuf, out, rsa, RSA_NO_PADDING);
351     } else {
352         ret = RSA_public_encrypt(inlen, in, out, rsa, rctx->pad_mode);
353     }
354     if (ret < 0)
355         return ret;
356     *outlen = ret;
357     return 1;
358 }
359 
pkey_rsa_decrypt(EVP_PKEY_CTX * ctx,unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen)360 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
361                             unsigned char *out, size_t *outlen,
362                             const unsigned char *in, size_t inlen)
363 {
364     int ret;
365     int pad_mode;
366     RSA_PKEY_CTX *rctx = ctx->data;
367     /*
368      * Discard const. Its marked as const because this may be a cached copy of
369      * the "real" key. These calls don't make any modifications that need to
370      * be reflected back in the "original" key.
371      */
372     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
373 
374     if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
375         if (!setup_tbuf(rctx, ctx))
376             return -1;
377         ret = RSA_private_decrypt(inlen, in, rctx->tbuf, rsa, RSA_NO_PADDING);
378         if (ret <= 0)
379             return ret;
380         ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
381                                                 ret, ret,
382                                                 rctx->oaep_label,
383                                                 rctx->oaep_labellen,
384                                                 rctx->md, rctx->mgf1md);
385     } else {
386         if (rctx->pad_mode == RSA_PKCS1_PADDING &&
387               rctx->implicit_rejection == 0)
388             pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
389         else
390             pad_mode = rctx->pad_mode;
391         ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode);
392     }
393     *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
394     ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
395     return ret;
396 }
397 
check_padding_md(const EVP_MD * md,int padding)398 static int check_padding_md(const EVP_MD *md, int padding)
399 {
400     int mdnid;
401 
402     if (!md)
403         return 1;
404 
405     mdnid = EVP_MD_get_type(md);
406 
407     if (padding == RSA_NO_PADDING) {
408         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
409         return 0;
410     }
411 
412     if (padding == RSA_X931_PADDING) {
413         if (RSA_X931_hash_id(mdnid) == -1) {
414             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_X931_DIGEST);
415             return 0;
416         }
417     } else {
418         switch (mdnid) {
419         /* List of all supported RSA digests */
420         case NID_sha1:
421         case NID_sha224:
422         case NID_sha256:
423         case NID_sha384:
424         case NID_sha512:
425         case NID_sha512_224:
426         case NID_sha512_256:
427         case NID_md5:
428         case NID_md5_sha1:
429         case NID_md2:
430         case NID_md4:
431         case NID_mdc2:
432         case NID_ripemd160:
433         case NID_sha3_224:
434         case NID_sha3_256:
435         case NID_sha3_384:
436         case NID_sha3_512:
437             return 1;
438 
439         default:
440             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST);
441             return 0;
442 
443         }
444     }
445 
446     return 1;
447 }
448 
pkey_rsa_ctrl(EVP_PKEY_CTX * ctx,int type,int p1,void * p2)449 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
450 {
451     RSA_PKEY_CTX *rctx = ctx->data;
452     int md_size;
453 
454     switch (type) {
455     case EVP_PKEY_CTRL_RSA_PADDING:
456         if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
457             if (!check_padding_md(rctx->md, p1))
458                 return 0;
459             if (p1 == RSA_PKCS1_PSS_PADDING) {
460                 if (!(ctx->operation &
461                       (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
462                     goto bad_pad;
463                 if (!rctx->md)
464                     rctx->md = EVP_sha1();
465             } else if (pkey_ctx_is_pss(ctx)) {
466                 goto bad_pad;
467             }
468             if (p1 == RSA_PKCS1_OAEP_PADDING) {
469                 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
470                     goto bad_pad;
471                 if (!rctx->md)
472                     rctx->md = EVP_sha1();
473             }
474             rctx->pad_mode = p1;
475             return 1;
476         }
477  bad_pad:
478         ERR_raise(ERR_LIB_RSA, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
479         return -2;
480 
481     case EVP_PKEY_CTRL_GET_RSA_PADDING:
482         *(int *)p2 = rctx->pad_mode;
483         return 1;
484 
485     case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
486     case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
487         if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
488             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN);
489             return -2;
490         }
491         if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
492             *(int *)p2 = rctx->saltlen;
493         } else {
494             if (p1 < RSA_PSS_SALTLEN_MAX)
495                 return -2;
496             if (rsa_pss_restricted(rctx)) {
497                 if (p1 == RSA_PSS_SALTLEN_AUTO
498                     && ctx->operation == EVP_PKEY_OP_VERIFY) {
499                     ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN);
500                     return -2;
501                 }
502                 md_size = EVP_MD_get_size(rctx->md);
503                 if (md_size <= 0) {
504                     ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
505                     return -2;
506                 }
507                 if ((p1 == RSA_PSS_SALTLEN_DIGEST
508                      && rctx->min_saltlen > md_size)
509                     || (p1 >= 0 && p1 < rctx->min_saltlen)) {
510                     ERR_raise(ERR_LIB_RSA, RSA_R_PSS_SALTLEN_TOO_SMALL);
511                     return 0;
512                 }
513             }
514             rctx->saltlen = p1;
515         }
516         return 1;
517 
518     case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
519         if (p1 < RSA_MIN_MODULUS_BITS) {
520             ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
521             return -2;
522         }
523         rctx->nbits = p1;
524         return 1;
525 
526     case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
527         if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) {
528             ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
529             return -2;
530         }
531         BN_free(rctx->pub_exp);
532         rctx->pub_exp = p2;
533         return 1;
534 
535     case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES:
536         if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) {
537             ERR_raise(ERR_LIB_RSA, RSA_R_KEY_PRIME_NUM_INVALID);
538             return -2;
539         }
540         rctx->primes = p1;
541         return 1;
542 
543     case EVP_PKEY_CTRL_RSA_OAEP_MD:
544     case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
545         if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
546             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
547             return -2;
548         }
549         if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
550             *(const EVP_MD **)p2 = rctx->md;
551         else
552             rctx->md = p2;
553         return 1;
554 
555     case EVP_PKEY_CTRL_MD:
556         if (!check_padding_md(p2, rctx->pad_mode))
557             return 0;
558         if (rsa_pss_restricted(rctx)) {
559             if (EVP_MD_get_type(rctx->md) == EVP_MD_get_type(p2))
560                 return 1;
561             ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
562             return 0;
563         }
564         rctx->md = p2;
565         return 1;
566 
567     case EVP_PKEY_CTRL_GET_MD:
568         *(const EVP_MD **)p2 = rctx->md;
569         return 1;
570 
571     case EVP_PKEY_CTRL_RSA_MGF1_MD:
572     case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
573         if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
574             && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
575             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MGF1_MD);
576             return -2;
577         }
578         if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
579             if (rctx->mgf1md)
580                 *(const EVP_MD **)p2 = rctx->mgf1md;
581             else
582                 *(const EVP_MD **)p2 = rctx->md;
583         } else {
584             if (rsa_pss_restricted(rctx)) {
585                 if (EVP_MD_get_type(rctx->mgf1md) == EVP_MD_get_type(p2))
586                     return 1;
587                 ERR_raise(ERR_LIB_RSA, RSA_R_MGF1_DIGEST_NOT_ALLOWED);
588                 return 0;
589             }
590             rctx->mgf1md = p2;
591         }
592         return 1;
593 
594     case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
595         if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
596             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
597             return -2;
598         }
599         OPENSSL_free(rctx->oaep_label);
600         if (p2 && p1 > 0) {
601             rctx->oaep_label = p2;
602             rctx->oaep_labellen = p1;
603         } else {
604             rctx->oaep_label = NULL;
605             rctx->oaep_labellen = 0;
606         }
607         return 1;
608 
609     case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
610         if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
611             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
612             return -2;
613         }
614         if (p2 == NULL) {
615             ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
616             return 0;
617         }
618         *(unsigned char **)p2 = rctx->oaep_label;
619         return rctx->oaep_labellen;
620 
621     case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION:
622         if (rctx->pad_mode != RSA_PKCS1_PADDING) {
623             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
624             return -2;
625         }
626         rctx->implicit_rejection = p1;
627         return 1;
628 
629     case EVP_PKEY_CTRL_DIGESTINIT:
630     case EVP_PKEY_CTRL_PKCS7_SIGN:
631 #ifndef OPENSSL_NO_CMS
632     case EVP_PKEY_CTRL_CMS_SIGN:
633 #endif
634     return 1;
635 
636     case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
637     case EVP_PKEY_CTRL_PKCS7_DECRYPT:
638 #ifndef OPENSSL_NO_CMS
639     case EVP_PKEY_CTRL_CMS_DECRYPT:
640     case EVP_PKEY_CTRL_CMS_ENCRYPT:
641 #endif
642     if (!pkey_ctx_is_pss(ctx))
643         return 1;
644     /* fall through */
645     case EVP_PKEY_CTRL_PEER_KEY:
646         ERR_raise(ERR_LIB_RSA, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
647         return -2;
648 
649     default:
650         return -2;
651 
652     }
653 }
654 
pkey_rsa_ctrl_str(EVP_PKEY_CTX * ctx,const char * type,const char * value)655 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
656                              const char *type, const char *value)
657 {
658     if (value == NULL) {
659         ERR_raise(ERR_LIB_RSA, RSA_R_VALUE_MISSING);
660         return 0;
661     }
662     if (strcmp(type, "rsa_padding_mode") == 0) {
663         int pm;
664 
665         if (strcmp(value, "pkcs1") == 0) {
666             pm = RSA_PKCS1_PADDING;
667         } else if (strcmp(value, "none") == 0) {
668             pm = RSA_NO_PADDING;
669         } else if (strcmp(value, "oeap") == 0) {
670             pm = RSA_PKCS1_OAEP_PADDING;
671         } else if (strcmp(value, "oaep") == 0) {
672             pm = RSA_PKCS1_OAEP_PADDING;
673         } else if (strcmp(value, "x931") == 0) {
674             pm = RSA_X931_PADDING;
675         } else if (strcmp(value, "pss") == 0) {
676             pm = RSA_PKCS1_PSS_PADDING;
677         } else {
678             ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
679             return -2;
680         }
681         return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
682     }
683 
684     if (strcmp(type, "rsa_pss_saltlen") == 0) {
685         int saltlen;
686 
687         if (!strcmp(value, "digest"))
688             saltlen = RSA_PSS_SALTLEN_DIGEST;
689         else if (!strcmp(value, "max"))
690             saltlen = RSA_PSS_SALTLEN_MAX;
691         else if (!strcmp(value, "auto"))
692             saltlen = RSA_PSS_SALTLEN_AUTO;
693         else
694             saltlen = atoi(value);
695         return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
696     }
697 
698     if (strcmp(type, "rsa_keygen_bits") == 0) {
699         int nbits = atoi(value);
700 
701         return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
702     }
703 
704     if (strcmp(type, "rsa_keygen_pubexp") == 0) {
705         int ret;
706 
707         BIGNUM *pubexp = NULL;
708         if (!BN_asc2bn(&pubexp, value))
709             return 0;
710         ret = EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, pubexp);
711         BN_free(pubexp);
712         return ret;
713     }
714 
715     if (strcmp(type, "rsa_keygen_primes") == 0) {
716         int nprimes = atoi(value);
717 
718         return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes);
719     }
720 
721     if (strcmp(type, "rsa_mgf1_md") == 0)
722         return EVP_PKEY_CTX_md(ctx,
723                                EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
724                                EVP_PKEY_CTRL_RSA_MGF1_MD, value);
725 
726     if (pkey_ctx_is_pss(ctx)) {
727 
728         if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
729             return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
730                                    EVP_PKEY_CTRL_RSA_MGF1_MD, value);
731 
732         if (strcmp(type, "rsa_pss_keygen_md") == 0)
733             return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
734                                    EVP_PKEY_CTRL_MD, value);
735 
736         if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
737             int saltlen = atoi(value);
738 
739             return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
740         }
741     }
742 
743     if (strcmp(type, "rsa_oaep_md") == 0)
744         return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
745                                EVP_PKEY_CTRL_RSA_OAEP_MD, value);
746 
747     if (strcmp(type, "rsa_oaep_label") == 0) {
748         unsigned char *lab;
749         long lablen;
750         int ret;
751 
752         lab = OPENSSL_hexstr2buf(value, &lablen);
753         if (!lab)
754             return 0;
755         ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
756         if (ret <= 0)
757             OPENSSL_free(lab);
758         return ret;
759     }
760 
761     return -2;
762 }
763 
764 /* Set PSS parameters when generating a key, if necessary */
rsa_set_pss_param(RSA * rsa,EVP_PKEY_CTX * ctx)765 static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
766 {
767     RSA_PKEY_CTX *rctx = ctx->data;
768 
769     if (!pkey_ctx_is_pss(ctx))
770         return 1;
771     /* If all parameters are default values don't set pss */
772     if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2)
773         return 1;
774     rsa->pss = ossl_rsa_pss_params_create(rctx->md, rctx->mgf1md,
775                                           rctx->saltlen == -2
776                                           ? 0 : rctx->saltlen);
777     if (rsa->pss == NULL)
778         return 0;
779     return 1;
780 }
781 
pkey_rsa_keygen(EVP_PKEY_CTX * ctx,EVP_PKEY * pkey)782 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
783 {
784     RSA *rsa = NULL;
785     RSA_PKEY_CTX *rctx = ctx->data;
786     BN_GENCB *pcb;
787     int ret;
788 
789     if (rctx->pub_exp == NULL) {
790         rctx->pub_exp = BN_new();
791         if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4))
792             return 0;
793     }
794     rsa = RSA_new();
795     if (rsa == NULL)
796         return 0;
797     if (ctx->pkey_gencb) {
798         pcb = BN_GENCB_new();
799         if (pcb == NULL) {
800             RSA_free(rsa);
801             return 0;
802         }
803         evp_pkey_set_cb_translate(pcb, ctx);
804     } else {
805         pcb = NULL;
806     }
807     ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes,
808                                        rctx->pub_exp, pcb);
809     BN_GENCB_free(pcb);
810     if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
811         RSA_free(rsa);
812         return 0;
813     }
814     if (ret > 0)
815         EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
816     else
817         RSA_free(rsa);
818     return ret;
819 }
820 
821 static const EVP_PKEY_METHOD rsa_pkey_meth = {
822     EVP_PKEY_RSA,
823     EVP_PKEY_FLAG_AUTOARGLEN,
824     pkey_rsa_init,
825     pkey_rsa_copy,
826     pkey_rsa_cleanup,
827 
828     0, 0,
829 
830     0,
831     pkey_rsa_keygen,
832 
833     0,
834     pkey_rsa_sign,
835 
836     0,
837     pkey_rsa_verify,
838 
839     0,
840     pkey_rsa_verifyrecover,
841 
842     0, 0, 0, 0,
843 
844     0,
845     pkey_rsa_encrypt,
846 
847     0,
848     pkey_rsa_decrypt,
849 
850     0, 0,
851 
852     pkey_rsa_ctrl,
853     pkey_rsa_ctrl_str
854 };
855 
ossl_rsa_pkey_method(void)856 const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void)
857 {
858     return &rsa_pkey_meth;
859 }
860 
861 /*
862  * Called for PSS sign or verify initialisation: checks PSS parameter
863  * sanity and sets any restrictions on key usage.
864  */
865 
pkey_pss_init(EVP_PKEY_CTX * ctx)866 static int pkey_pss_init(EVP_PKEY_CTX *ctx)
867 {
868     const RSA *rsa;
869     RSA_PKEY_CTX *rctx = ctx->data;
870     const EVP_MD *md;
871     const EVP_MD *mgf1md;
872     int min_saltlen, max_saltlen, md_size;
873 
874     /* Should never happen */
875     if (!pkey_ctx_is_pss(ctx))
876         return 0;
877     rsa = EVP_PKEY_get0_RSA(ctx->pkey);
878     /* If no restrictions just return */
879     if (rsa->pss == NULL)
880         return 1;
881     /* Get and check parameters */
882     if (!ossl_rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
883         return 0;
884 
885     /* See if minimum salt length exceeds maximum possible */
886     md_size = EVP_MD_get_size(md);
887     if (md_size <= 0) {
888         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
889         return 0;
890     }
891     max_saltlen = RSA_size(rsa) - md_size;
892     if ((RSA_bits(rsa) & 0x7) == 1)
893         max_saltlen--;
894     if (min_saltlen > max_saltlen) {
895         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
896         return 0;
897     }
898 
899     rctx->min_saltlen = min_saltlen;
900 
901     /*
902      * Set PSS restrictions as defaults: we can then block any attempt to
903      * use invalid values in pkey_rsa_ctrl
904      */
905 
906     rctx->md = md;
907     rctx->mgf1md = mgf1md;
908     rctx->saltlen = min_saltlen;
909 
910     return 1;
911 }
912 
913 static const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
914     EVP_PKEY_RSA_PSS,
915     EVP_PKEY_FLAG_AUTOARGLEN,
916     pkey_rsa_init,
917     pkey_rsa_copy,
918     pkey_rsa_cleanup,
919 
920     0, 0,
921 
922     0,
923     pkey_rsa_keygen,
924 
925     pkey_pss_init,
926     pkey_rsa_sign,
927 
928     pkey_pss_init,
929     pkey_rsa_verify,
930 
931     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
932 
933     pkey_rsa_ctrl,
934     pkey_rsa_ctrl_str
935 };
936 
ossl_rsa_pss_pkey_method(void)937 const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void)
938 {
939     return &rsa_pss_pkey_meth;
940 }
941