xref: /freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c (revision 5ab1c5846ff41be24b1f6beb0317bf8258cd4409)
1 /*
2  * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <stdio.h>
11 #include "internal/cryptlib.h"
12 #include <openssl/asn1t.h>
13 #include <openssl/x509.h>
14 #include <openssl/bn.h>
15 #include <openssl/cms.h>
16 #include "internal/asn1_int.h"
17 #include "internal/evp_int.h"
18 #include "rsa_locl.h"
19 
20 #ifndef OPENSSL_NO_CMS
21 static int rsa_cms_sign(CMS_SignerInfo *si);
22 static int rsa_cms_verify(CMS_SignerInfo *si);
23 static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
24 static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
25 #endif
26 
27 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
28 
29 /* Set any parameters associated with pkey */
30 static int rsa_param_encode(const EVP_PKEY *pkey,
31                             ASN1_STRING **pstr, int *pstrtype)
32 {
33     const RSA *rsa = pkey->pkey.rsa;
34 
35     *pstr = NULL;
36     /* If RSA it's just NULL type */
37     if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
38         *pstrtype = V_ASN1_NULL;
39         return 1;
40     }
41     /* If no PSS parameters we omit parameters entirely */
42     if (rsa->pss == NULL) {
43         *pstrtype = V_ASN1_UNDEF;
44         return 1;
45     }
46     /* Encode PSS parameters */
47     if (ASN1_item_pack(rsa->pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL)
48         return 0;
49 
50     *pstrtype = V_ASN1_SEQUENCE;
51     return 1;
52 }
53 /* Decode any parameters and set them in RSA structure */
54 static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
55 {
56     const ASN1_OBJECT *algoid;
57     const void *algp;
58     int algptype;
59 
60     X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
61     if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
62         return 1;
63     if (algptype == V_ASN1_UNDEF)
64         return 1;
65     if (algptype != V_ASN1_SEQUENCE) {
66         RSAerr(RSA_F_RSA_PARAM_DECODE, RSA_R_INVALID_PSS_PARAMETERS);
67         return 0;
68     }
69     rsa->pss = rsa_pss_decode(alg);
70     if (rsa->pss == NULL)
71         return 0;
72     return 1;
73 }
74 
75 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
76 {
77     unsigned char *penc = NULL;
78     int penclen;
79     ASN1_STRING *str;
80     int strtype;
81 
82     if (!rsa_param_encode(pkey, &str, &strtype))
83         return 0;
84     penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
85     if (penclen <= 0)
86         return 0;
87     if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
88                                strtype, str, penc, penclen))
89         return 1;
90 
91     OPENSSL_free(penc);
92     return 0;
93 }
94 
95 static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
96 {
97     const unsigned char *p;
98     int pklen;
99     X509_ALGOR *alg;
100     RSA *rsa = NULL;
101 
102     if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
103         return 0;
104     if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) {
105         RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
106         return 0;
107     }
108     if (!rsa_param_decode(rsa, alg)) {
109         RSA_free(rsa);
110         return 0;
111     }
112     if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
113         RSA_free(rsa);
114         return 0;
115     }
116     return 1;
117 }
118 
119 static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
120 {
121     if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
122         || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
123         return 0;
124     return 1;
125 }
126 
127 static int old_rsa_priv_decode(EVP_PKEY *pkey,
128                                const unsigned char **pder, int derlen)
129 {
130     RSA *rsa;
131 
132     if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) {
133         RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
134         return 0;
135     }
136     EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
137     return 1;
138 }
139 
140 static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
141 {
142     return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
143 }
144 
145 static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
146 {
147     unsigned char *rk = NULL;
148     int rklen;
149     ASN1_STRING *str;
150     int strtype;
151 
152     if (!rsa_param_encode(pkey, &str, &strtype))
153         return 0;
154     rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
155 
156     if (rklen <= 0) {
157         RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
158         ASN1_STRING_free(str);
159         return 0;
160     }
161 
162     if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
163                          strtype, str, rk, rklen)) {
164         RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
165         ASN1_STRING_free(str);
166         return 0;
167     }
168 
169     return 1;
170 }
171 
172 static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
173 {
174     const unsigned char *p;
175     RSA *rsa;
176     int pklen;
177     const X509_ALGOR *alg;
178 
179     if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8))
180         return 0;
181     rsa = d2i_RSAPrivateKey(NULL, &p, pklen);
182     if (rsa == NULL) {
183         RSAerr(RSA_F_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
184         return 0;
185     }
186     if (!rsa_param_decode(rsa, alg)) {
187         RSA_free(rsa);
188         return 0;
189     }
190     EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
191     return 1;
192 }
193 
194 static int int_rsa_size(const EVP_PKEY *pkey)
195 {
196     return RSA_size(pkey->pkey.rsa);
197 }
198 
199 static int rsa_bits(const EVP_PKEY *pkey)
200 {
201     return BN_num_bits(pkey->pkey.rsa->n);
202 }
203 
204 static int rsa_security_bits(const EVP_PKEY *pkey)
205 {
206     return RSA_security_bits(pkey->pkey.rsa);
207 }
208 
209 static void int_rsa_free(EVP_PKEY *pkey)
210 {
211     RSA_free(pkey->pkey.rsa);
212 }
213 
214 static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg)
215 {
216     if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
217         return NULL;
218     return ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(X509_ALGOR),
219                                      alg->parameter);
220 }
221 
222 static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss,
223                                int indent)
224 {
225     int rv = 0;
226     X509_ALGOR *maskHash = NULL;
227 
228     if (!BIO_indent(bp, indent, 128))
229         goto err;
230     if (pss_key) {
231         if (pss == NULL) {
232             if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
233                 return 0;
234             return 1;
235         } else {
236             if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
237                 return 0;
238         }
239     } else if (pss == NULL) {
240         if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0)
241             return 0;
242         return 1;
243     }
244     if (BIO_puts(bp, "\n") <= 0)
245         goto err;
246     if (pss_key)
247         indent += 2;
248     if (!BIO_indent(bp, indent, 128))
249         goto err;
250     if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
251         goto err;
252 
253     if (pss->hashAlgorithm) {
254         if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
255             goto err;
256     } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
257         goto err;
258     }
259 
260     if (BIO_puts(bp, "\n") <= 0)
261         goto err;
262 
263     if (!BIO_indent(bp, indent, 128))
264         goto err;
265 
266     if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
267         goto err;
268     if (pss->maskGenAlgorithm) {
269         if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
270             goto err;
271         if (BIO_puts(bp, " with ") <= 0)
272             goto err;
273         maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
274         if (maskHash != NULL) {
275             if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
276                 goto err;
277         } else if (BIO_puts(bp, "INVALID") <= 0) {
278             goto err;
279         }
280     } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
281         goto err;
282     }
283     BIO_puts(bp, "\n");
284 
285     if (!BIO_indent(bp, indent, 128))
286         goto err;
287     if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
288         goto err;
289     if (pss->saltLength) {
290         if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
291             goto err;
292     } else if (BIO_puts(bp, "14 (default)") <= 0) {
293         goto err;
294     }
295     BIO_puts(bp, "\n");
296 
297     if (!BIO_indent(bp, indent, 128))
298         goto err;
299     if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
300         goto err;
301     if (pss->trailerField) {
302         if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
303             goto err;
304     } else if (BIO_puts(bp, "BC (default)") <= 0) {
305         goto err;
306     }
307     BIO_puts(bp, "\n");
308 
309     rv = 1;
310 
311  err:
312     X509_ALGOR_free(maskHash);
313     return rv;
314 
315 }
316 
317 static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
318 {
319     const RSA *x = pkey->pkey.rsa;
320     char *str;
321     const char *s;
322     int ret = 0, mod_len = 0, ex_primes;
323 
324     if (x->n != NULL)
325         mod_len = BN_num_bits(x->n);
326     ex_primes = sk_RSA_PRIME_INFO_num(x->prime_infos);
327 
328     if (!BIO_indent(bp, off, 128))
329         goto err;
330 
331     if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ?  "RSA-PSS" : "RSA") <= 0)
332         goto err;
333 
334     if (priv && x->d) {
335         if (BIO_printf(bp, "Private-Key: (%d bit, %d primes)\n",
336                        mod_len, ex_primes <= 0 ? 2 : ex_primes + 2) <= 0)
337             goto err;
338         str = "modulus:";
339         s = "publicExponent:";
340     } else {
341         if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
342             goto err;
343         str = "Modulus:";
344         s = "Exponent:";
345     }
346     if (!ASN1_bn_print(bp, str, x->n, NULL, off))
347         goto err;
348     if (!ASN1_bn_print(bp, s, x->e, NULL, off))
349         goto err;
350     if (priv) {
351         int i;
352 
353         if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off))
354             goto err;
355         if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off))
356             goto err;
357         if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off))
358             goto err;
359         if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off))
360             goto err;
361         if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off))
362             goto err;
363         if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off))
364             goto err;
365         for (i = 0; i < sk_RSA_PRIME_INFO_num(x->prime_infos); i++) {
366             /* print multi-prime info */
367             BIGNUM *bn = NULL;
368             RSA_PRIME_INFO *pinfo;
369             int j;
370 
371             pinfo = sk_RSA_PRIME_INFO_value(x->prime_infos, i);
372             for (j = 0; j < 3; j++) {
373                 if (!BIO_indent(bp, off, 128))
374                     goto err;
375                 switch (j) {
376                 case 0:
377                     if (BIO_printf(bp, "prime%d:", i + 3) <= 0)
378                         goto err;
379                     bn = pinfo->r;
380                     break;
381                 case 1:
382                     if (BIO_printf(bp, "exponent%d:", i + 3) <= 0)
383                         goto err;
384                     bn = pinfo->d;
385                     break;
386                 case 2:
387                     if (BIO_printf(bp, "coefficient%d:", i + 3) <= 0)
388                         goto err;
389                     bn = pinfo->t;
390                     break;
391                 default:
392                     break;
393                 }
394                 if (!ASN1_bn_print(bp, "", bn, NULL, off))
395                     goto err;
396             }
397         }
398     }
399     if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off))
400         goto err;
401     ret = 1;
402  err:
403     return ret;
404 }
405 
406 static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
407                          ASN1_PCTX *ctx)
408 {
409     return pkey_rsa_print(bp, pkey, indent, 0);
410 }
411 
412 static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
413                           ASN1_PCTX *ctx)
414 {
415     return pkey_rsa_print(bp, pkey, indent, 1);
416 }
417 
418 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg)
419 {
420     RSA_PSS_PARAMS *pss;
421 
422     pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS),
423                                     alg->parameter);
424 
425     if (pss == NULL)
426         return NULL;
427 
428     if (pss->maskGenAlgorithm != NULL) {
429         pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
430         if (pss->maskHash == NULL) {
431             RSA_PSS_PARAMS_free(pss);
432             return NULL;
433         }
434     }
435 
436     return pss;
437 }
438 
439 static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
440                          const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx)
441 {
442     if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) {
443         int rv;
444         RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
445 
446         rv = rsa_pss_param_print(bp, 0, pss, indent);
447         RSA_PSS_PARAMS_free(pss);
448         if (!rv)
449             return 0;
450     } else if (!sig && BIO_puts(bp, "\n") <= 0) {
451         return 0;
452     }
453     if (sig)
454         return X509_signature_dump(bp, sig, indent);
455     return 1;
456 }
457 
458 static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
459 {
460     X509_ALGOR *alg = NULL;
461     const EVP_MD *md;
462     const EVP_MD *mgf1md;
463     int min_saltlen;
464 
465     switch (op) {
466 
467     case ASN1_PKEY_CTRL_PKCS7_SIGN:
468         if (arg1 == 0)
469             PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
470         break;
471 
472     case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
473         if (pkey_is_pss(pkey))
474             return -2;
475         if (arg1 == 0)
476             PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
477         break;
478 #ifndef OPENSSL_NO_CMS
479     case ASN1_PKEY_CTRL_CMS_SIGN:
480         if (arg1 == 0)
481             return rsa_cms_sign(arg2);
482         else if (arg1 == 1)
483             return rsa_cms_verify(arg2);
484         break;
485 
486     case ASN1_PKEY_CTRL_CMS_ENVELOPE:
487         if (pkey_is_pss(pkey))
488             return -2;
489         if (arg1 == 0)
490             return rsa_cms_encrypt(arg2);
491         else if (arg1 == 1)
492             return rsa_cms_decrypt(arg2);
493         break;
494 
495     case ASN1_PKEY_CTRL_CMS_RI_TYPE:
496         if (pkey_is_pss(pkey))
497             return -2;
498         *(int *)arg2 = CMS_RECIPINFO_TRANS;
499         return 1;
500 #endif
501 
502     case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
503         if (pkey->pkey.rsa->pss != NULL) {
504             if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
505                                    &min_saltlen)) {
506                 RSAerr(0, ERR_R_INTERNAL_ERROR);
507                 return 0;
508             }
509             *(int *)arg2 = EVP_MD_type(md);
510             /* Return of 2 indicates this MD is mandatory */
511             return 2;
512         }
513         *(int *)arg2 = NID_sha256;
514         return 1;
515 
516     default:
517         return -2;
518 
519     }
520 
521     if (alg)
522         X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
523 
524     return 1;
525 
526 }
527 
528 /* allocate and set algorithm ID from EVP_MD, default SHA1 */
529 static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md)
530 {
531     if (md == NULL || EVP_MD_type(md) == NID_sha1)
532         return 1;
533     *palg = X509_ALGOR_new();
534     if (*palg == NULL)
535         return 0;
536     X509_ALGOR_set_md(*palg, md);
537     return 1;
538 }
539 
540 /* Allocate and set MGF1 algorithm ID from EVP_MD */
541 static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md)
542 {
543     X509_ALGOR *algtmp = NULL;
544     ASN1_STRING *stmp = NULL;
545 
546     *palg = NULL;
547     if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1)
548         return 1;
549     /* need to embed algorithm ID inside another */
550     if (!rsa_md_to_algor(&algtmp, mgf1md))
551         goto err;
552     if (ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp) == NULL)
553          goto err;
554     *palg = X509_ALGOR_new();
555     if (*palg == NULL)
556         goto err;
557     X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
558     stmp = NULL;
559  err:
560     ASN1_STRING_free(stmp);
561     X509_ALGOR_free(algtmp);
562     if (*palg)
563         return 1;
564     return 0;
565 }
566 
567 /* convert algorithm ID to EVP_MD, default SHA1 */
568 static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg)
569 {
570     const EVP_MD *md;
571 
572     if (!alg)
573         return EVP_sha1();
574     md = EVP_get_digestbyobj(alg->algorithm);
575     if (md == NULL)
576         RSAerr(RSA_F_RSA_ALGOR_TO_MD, RSA_R_UNKNOWN_DIGEST);
577     return md;
578 }
579 
580 /*
581  * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
582  * suitable for setting an AlgorithmIdentifier.
583  */
584 
585 static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
586 {
587     const EVP_MD *sigmd, *mgf1md;
588     EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
589     int saltlen;
590 
591     if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
592         return NULL;
593     if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
594         return NULL;
595     if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
596         return NULL;
597     if (saltlen == -1) {
598         saltlen = EVP_MD_size(sigmd);
599     } else if (saltlen == -2 || saltlen == -3) {
600         saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
601         if ((EVP_PKEY_bits(pk) & 0x7) == 1)
602             saltlen--;
603         if (saltlen < 0)
604             return NULL;
605     }
606 
607     return rsa_pss_params_create(sigmd, mgf1md, saltlen);
608 }
609 
610 RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd,
611                                       const EVP_MD *mgf1md, int saltlen)
612 {
613     RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();
614 
615     if (pss == NULL)
616         goto err;
617     if (saltlen != 20) {
618         pss->saltLength = ASN1_INTEGER_new();
619         if (pss->saltLength == NULL)
620             goto err;
621         if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
622             goto err;
623     }
624     if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd))
625         goto err;
626     if (mgf1md == NULL)
627         mgf1md = sigmd;
628     if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
629         goto err;
630     if (!rsa_md_to_algor(&pss->maskHash, mgf1md))
631         goto err;
632     return pss;
633  err:
634     RSA_PSS_PARAMS_free(pss);
635     return NULL;
636 }
637 
638 static ASN1_STRING *rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx)
639 {
640     RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx);
641     ASN1_STRING *os;
642 
643     if (pss == NULL)
644         return NULL;
645 
646     os = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL);
647     RSA_PSS_PARAMS_free(pss);
648     return os;
649 }
650 
651 /*
652  * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
653  * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
654  * passed to pkctx instead.
655  */
656 
657 static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
658                           X509_ALGOR *sigalg, EVP_PKEY *pkey)
659 {
660     int rv = -1;
661     int saltlen;
662     const EVP_MD *mgf1md = NULL, *md = NULL;
663     RSA_PSS_PARAMS *pss;
664 
665     /* Sanity check: make sure it is PSS */
666     if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
667         RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
668         return -1;
669     }
670     /* Decode PSS parameters */
671     pss = rsa_pss_decode(sigalg);
672 
673     if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
674         RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_INVALID_PSS_PARAMETERS);
675         goto err;
676     }
677 
678     /* We have all parameters now set up context */
679     if (pkey) {
680         if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
681             goto err;
682     } else {
683         const EVP_MD *checkmd;
684         if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0)
685             goto err;
686         if (EVP_MD_type(md) != EVP_MD_type(checkmd)) {
687             RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_DIGEST_DOES_NOT_MATCH);
688             goto err;
689         }
690     }
691 
692     if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
693         goto err;
694 
695     if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
696         goto err;
697 
698     if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
699         goto err;
700     /* Carry on */
701     rv = 1;
702 
703  err:
704     RSA_PSS_PARAMS_free(pss);
705     return rv;
706 }
707 
708 int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
709                       const EVP_MD **pmgf1md, int *psaltlen)
710 {
711     if (pss == NULL)
712         return 0;
713     *pmd = rsa_algor_to_md(pss->hashAlgorithm);
714     if (*pmd == NULL)
715         return 0;
716     *pmgf1md = rsa_algor_to_md(pss->maskHash);
717     if (*pmgf1md == NULL)
718         return 0;
719     if (pss->saltLength) {
720         *psaltlen = ASN1_INTEGER_get(pss->saltLength);
721         if (*psaltlen < 0) {
722             RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_SALT_LENGTH);
723             return 0;
724         }
725     } else {
726         *psaltlen = 20;
727     }
728 
729     /*
730      * low-level routines support only trailer field 0xbc (value 1) and
731      * PKCS#1 says we should reject any other value anyway.
732      */
733     if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
734         RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_TRAILER);
735         return 0;
736     }
737 
738     return 1;
739 }
740 
741 #ifndef OPENSSL_NO_CMS
742 static int rsa_cms_verify(CMS_SignerInfo *si)
743 {
744     int nid, nid2;
745     X509_ALGOR *alg;
746     EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
747 
748     CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
749     nid = OBJ_obj2nid(alg->algorithm);
750     if (nid == EVP_PKEY_RSA_PSS)
751         return rsa_pss_to_ctx(NULL, pkctx, alg, NULL);
752     /* Only PSS allowed for PSS keys */
753     if (pkey_ctx_is_pss(pkctx)) {
754         RSAerr(RSA_F_RSA_CMS_VERIFY, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
755         return 0;
756     }
757     if (nid == NID_rsaEncryption)
758         return 1;
759     /* Workaround for some implementation that use a signature OID */
760     if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
761         if (nid2 == NID_rsaEncryption)
762             return 1;
763     }
764     return 0;
765 }
766 #endif
767 
768 /*
769  * Customised RSA item verification routine. This is called when a signature
770  * is encountered requiring special handling. We currently only handle PSS.
771  */
772 
773 static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
774                            X509_ALGOR *sigalg, ASN1_BIT_STRING *sig,
775                            EVP_PKEY *pkey)
776 {
777     /* Sanity check: make sure it is PSS */
778     if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
779         RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
780         return -1;
781     }
782     if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
783         /* Carry on */
784         return 2;
785     }
786     return -1;
787 }
788 
789 #ifndef OPENSSL_NO_CMS
790 static int rsa_cms_sign(CMS_SignerInfo *si)
791 {
792     int pad_mode = RSA_PKCS1_PADDING;
793     X509_ALGOR *alg;
794     EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
795     ASN1_STRING *os = NULL;
796 
797     CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
798     if (pkctx) {
799         if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
800             return 0;
801     }
802     if (pad_mode == RSA_PKCS1_PADDING) {
803         X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
804         return 1;
805     }
806     /* We don't support it */
807     if (pad_mode != RSA_PKCS1_PSS_PADDING)
808         return 0;
809     os = rsa_ctx_to_pss_string(pkctx);
810     if (!os)
811         return 0;
812     X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
813     return 1;
814 }
815 #endif
816 
817 static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
818                          X509_ALGOR *alg1, X509_ALGOR *alg2,
819                          ASN1_BIT_STRING *sig)
820 {
821     int pad_mode;
822     EVP_PKEY_CTX *pkctx = EVP_MD_CTX_pkey_ctx(ctx);
823 
824     if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
825         return 0;
826     if (pad_mode == RSA_PKCS1_PADDING)
827         return 2;
828     if (pad_mode == RSA_PKCS1_PSS_PADDING) {
829         ASN1_STRING *os1 = NULL;
830         os1 = rsa_ctx_to_pss_string(pkctx);
831         if (!os1)
832             return 0;
833         /* Duplicate parameters if we have to */
834         if (alg2) {
835             ASN1_STRING *os2 = ASN1_STRING_dup(os1);
836             if (!os2) {
837                 ASN1_STRING_free(os1);
838                 return 0;
839             }
840             X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
841                             V_ASN1_SEQUENCE, os2);
842         }
843         X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
844                         V_ASN1_SEQUENCE, os1);
845         return 3;
846     }
847     return 2;
848 }
849 
850 static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
851                             const ASN1_STRING *sig)
852 {
853     int rv = 0;
854     int mdnid, saltlen;
855     uint32_t flags;
856     const EVP_MD *mgf1md = NULL, *md = NULL;
857     RSA_PSS_PARAMS *pss;
858 
859     /* Sanity check: make sure it is PSS */
860     if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
861         return 0;
862     /* Decode PSS parameters */
863     pss = rsa_pss_decode(sigalg);
864     if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen))
865         goto err;
866     mdnid = EVP_MD_type(md);
867     /*
868      * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must
869      * match and salt length must equal digest size
870      */
871     if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512)
872             && mdnid == EVP_MD_type(mgf1md) && saltlen == EVP_MD_size(md))
873         flags = X509_SIG_INFO_TLS;
874     else
875         flags = 0;
876     /* Note: security bits half number of digest bits */
877     X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4,
878                       flags);
879     rv = 1;
880     err:
881     RSA_PSS_PARAMS_free(pss);
882     return rv;
883 }
884 
885 #ifndef OPENSSL_NO_CMS
886 static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg)
887 {
888     RSA_OAEP_PARAMS *oaep;
889 
890     oaep = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_OAEP_PARAMS),
891                                      alg->parameter);
892 
893     if (oaep == NULL)
894         return NULL;
895 
896     if (oaep->maskGenFunc != NULL) {
897         oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
898         if (oaep->maskHash == NULL) {
899             RSA_OAEP_PARAMS_free(oaep);
900             return NULL;
901         }
902     }
903     return oaep;
904 }
905 
906 static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
907 {
908     EVP_PKEY_CTX *pkctx;
909     X509_ALGOR *cmsalg;
910     int nid;
911     int rv = -1;
912     unsigned char *label = NULL;
913     int labellen = 0;
914     const EVP_MD *mgf1md = NULL, *md = NULL;
915     RSA_OAEP_PARAMS *oaep;
916 
917     pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
918     if (pkctx == NULL)
919         return 0;
920     if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
921         return -1;
922     nid = OBJ_obj2nid(cmsalg->algorithm);
923     if (nid == NID_rsaEncryption)
924         return 1;
925     if (nid != NID_rsaesOaep) {
926         RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
927         return -1;
928     }
929     /* Decode OAEP parameters */
930     oaep = rsa_oaep_decode(cmsalg);
931 
932     if (oaep == NULL) {
933         RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_OAEP_PARAMETERS);
934         goto err;
935     }
936 
937     mgf1md = rsa_algor_to_md(oaep->maskHash);
938     if (mgf1md == NULL)
939         goto err;
940     md = rsa_algor_to_md(oaep->hashFunc);
941     if (md == NULL)
942         goto err;
943 
944     if (oaep->pSourceFunc != NULL) {
945         X509_ALGOR *plab = oaep->pSourceFunc;
946 
947         if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
948             RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
949             goto err;
950         }
951         if (plab->parameter->type != V_ASN1_OCTET_STRING) {
952             RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
953             goto err;
954         }
955 
956         label = plab->parameter->value.octet_string->data;
957         /* Stop label being freed when OAEP parameters are freed */
958         plab->parameter->value.octet_string->data = NULL;
959         labellen = plab->parameter->value.octet_string->length;
960     }
961 
962     if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
963         goto err;
964     if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
965         goto err;
966     if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
967         goto err;
968     if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
969         goto err;
970     /* Carry on */
971     rv = 1;
972 
973  err:
974     RSA_OAEP_PARAMS_free(oaep);
975     return rv;
976 }
977 
978 static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
979 {
980     const EVP_MD *md, *mgf1md;
981     RSA_OAEP_PARAMS *oaep = NULL;
982     ASN1_STRING *os = NULL;
983     X509_ALGOR *alg;
984     EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
985     int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
986     unsigned char *label;
987 
988     if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0)
989         return 0;
990     if (pkctx) {
991         if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
992             return 0;
993     }
994     if (pad_mode == RSA_PKCS1_PADDING) {
995         X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
996         return 1;
997     }
998     /* Not supported */
999     if (pad_mode != RSA_PKCS1_OAEP_PADDING)
1000         return 0;
1001     if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0)
1002         goto err;
1003     if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
1004         goto err;
1005     labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
1006     if (labellen < 0)
1007         goto err;
1008     oaep = RSA_OAEP_PARAMS_new();
1009     if (oaep == NULL)
1010         goto err;
1011     if (!rsa_md_to_algor(&oaep->hashFunc, md))
1012         goto err;
1013     if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
1014         goto err;
1015     if (labellen > 0) {
1016         ASN1_OCTET_STRING *los;
1017         oaep->pSourceFunc = X509_ALGOR_new();
1018         if (oaep->pSourceFunc == NULL)
1019             goto err;
1020         los = ASN1_OCTET_STRING_new();
1021         if (los == NULL)
1022             goto err;
1023         if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
1024             ASN1_OCTET_STRING_free(los);
1025             goto err;
1026         }
1027         X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
1028                         V_ASN1_OCTET_STRING, los);
1029     }
1030     /* create string with pss parameter encoding. */
1031     if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os))
1032          goto err;
1033     X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
1034     os = NULL;
1035     rv = 1;
1036  err:
1037     RSA_OAEP_PARAMS_free(oaep);
1038     ASN1_STRING_free(os);
1039     return rv;
1040 }
1041 #endif
1042 
1043 static int rsa_pkey_check(const EVP_PKEY *pkey)
1044 {
1045     return RSA_check_key_ex(pkey->pkey.rsa, NULL);
1046 }
1047 
1048 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = {
1049     {
1050      EVP_PKEY_RSA,
1051      EVP_PKEY_RSA,
1052      ASN1_PKEY_SIGPARAM_NULL,
1053 
1054      "RSA",
1055      "OpenSSL RSA method",
1056 
1057      rsa_pub_decode,
1058      rsa_pub_encode,
1059      rsa_pub_cmp,
1060      rsa_pub_print,
1061 
1062      rsa_priv_decode,
1063      rsa_priv_encode,
1064      rsa_priv_print,
1065 
1066      int_rsa_size,
1067      rsa_bits,
1068      rsa_security_bits,
1069 
1070      0, 0, 0, 0, 0, 0,
1071 
1072      rsa_sig_print,
1073      int_rsa_free,
1074      rsa_pkey_ctrl,
1075      old_rsa_priv_decode,
1076      old_rsa_priv_encode,
1077      rsa_item_verify,
1078      rsa_item_sign,
1079      rsa_sig_info_set,
1080      rsa_pkey_check
1081     },
1082 
1083     {
1084      EVP_PKEY_RSA2,
1085      EVP_PKEY_RSA,
1086      ASN1_PKEY_ALIAS}
1087 };
1088 
1089 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
1090      EVP_PKEY_RSA_PSS,
1091      EVP_PKEY_RSA_PSS,
1092      ASN1_PKEY_SIGPARAM_NULL,
1093 
1094      "RSA-PSS",
1095      "OpenSSL RSA-PSS method",
1096 
1097      rsa_pub_decode,
1098      rsa_pub_encode,
1099      rsa_pub_cmp,
1100      rsa_pub_print,
1101 
1102      rsa_priv_decode,
1103      rsa_priv_encode,
1104      rsa_priv_print,
1105 
1106      int_rsa_size,
1107      rsa_bits,
1108      rsa_security_bits,
1109 
1110      0, 0, 0, 0, 0, 0,
1111 
1112      rsa_sig_print,
1113      int_rsa_free,
1114      rsa_pkey_ctrl,
1115      0, 0,
1116      rsa_item_verify,
1117      rsa_item_sign,
1118      0,
1119      rsa_pkey_check
1120 };
1121