1 /* 2 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include <openssl/asn1t.h> 13 #include <openssl/x509.h> 14 #include <openssl/rsa.h> 15 #include <openssl/bn.h> 16 #include <openssl/evp.h> 17 #include <openssl/x509v3.h> 18 #include <openssl/cms.h> 19 #include "internal/evp_int.h" 20 #include "rsa_locl.h" 21 22 /* RSA pkey context structure */ 23 24 typedef struct { 25 /* Key gen parameters */ 26 int nbits; 27 BIGNUM *pub_exp; 28 int primes; 29 /* Keygen callback info */ 30 int gentmp[2]; 31 /* RSA padding mode */ 32 int pad_mode; 33 /* message digest */ 34 const EVP_MD *md; 35 /* message digest for MGF1 */ 36 const EVP_MD *mgf1md; 37 /* PSS salt length */ 38 int saltlen; 39 /* Minimum salt length or -1 if no PSS parameter restriction */ 40 int min_saltlen; 41 /* Temp buffer */ 42 unsigned char *tbuf; 43 /* OAEP label */ 44 unsigned char *oaep_label; 45 size_t oaep_labellen; 46 } RSA_PKEY_CTX; 47 48 /* True if PSS parameters are restricted */ 49 #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) 50 51 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) 52 { 53 RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx)); 54 55 if (rctx == NULL) 56 return 0; 57 rctx->nbits = 1024; 58 rctx->primes = RSA_DEFAULT_PRIME_NUM; 59 if (pkey_ctx_is_pss(ctx)) 60 rctx->pad_mode = RSA_PKCS1_PSS_PADDING; 61 else 62 rctx->pad_mode = RSA_PKCS1_PADDING; 63 /* Maximum for sign, auto for verify */ 64 rctx->saltlen = RSA_PSS_SALTLEN_AUTO; 65 rctx->min_saltlen = -1; 66 ctx->data = rctx; 67 ctx->keygen_info = rctx->gentmp; 68 ctx->keygen_info_count = 2; 69 70 return 1; 71 } 72 73 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 74 { 75 RSA_PKEY_CTX *dctx, *sctx; 76 77 if (!pkey_rsa_init(dst)) 78 return 0; 79 sctx = src->data; 80 dctx = dst->data; 81 dctx->nbits = sctx->nbits; 82 if (sctx->pub_exp) { 83 dctx->pub_exp = BN_dup(sctx->pub_exp); 84 if (!dctx->pub_exp) 85 return 0; 86 } 87 dctx->pad_mode = sctx->pad_mode; 88 dctx->md = sctx->md; 89 dctx->mgf1md = sctx->mgf1md; 90 if (sctx->oaep_label) { 91 OPENSSL_free(dctx->oaep_label); 92 dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); 93 if (!dctx->oaep_label) 94 return 0; 95 dctx->oaep_labellen = sctx->oaep_labellen; 96 } 97 return 1; 98 } 99 100 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) 101 { 102 if (ctx->tbuf != NULL) 103 return 1; 104 if ((ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey))) == NULL) { 105 RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE); 106 return 0; 107 } 108 return 1; 109 } 110 111 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) 112 { 113 RSA_PKEY_CTX *rctx = ctx->data; 114 if (rctx) { 115 BN_free(rctx->pub_exp); 116 OPENSSL_free(rctx->tbuf); 117 OPENSSL_free(rctx->oaep_label); 118 OPENSSL_free(rctx); 119 } 120 } 121 122 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, 123 size_t *siglen, const unsigned char *tbs, 124 size_t tbslen) 125 { 126 int ret; 127 RSA_PKEY_CTX *rctx = ctx->data; 128 RSA *rsa = ctx->pkey->pkey.rsa; 129 130 if (rctx->md) { 131 if (tbslen != (size_t)EVP_MD_size(rctx->md)) { 132 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); 133 return -1; 134 } 135 136 if (EVP_MD_type(rctx->md) == NID_mdc2) { 137 unsigned int sltmp; 138 if (rctx->pad_mode != RSA_PKCS1_PADDING) 139 return -1; 140 ret = RSA_sign_ASN1_OCTET_STRING(0, 141 tbs, tbslen, sig, &sltmp, rsa); 142 143 if (ret <= 0) 144 return ret; 145 ret = sltmp; 146 } else if (rctx->pad_mode == RSA_X931_PADDING) { 147 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { 148 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); 149 return -1; 150 } 151 if (!setup_tbuf(rctx, ctx)) { 152 RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); 153 return -1; 154 } 155 memcpy(rctx->tbuf, tbs, tbslen); 156 rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); 157 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, 158 sig, rsa, RSA_X931_PADDING); 159 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 160 unsigned int sltmp; 161 ret = RSA_sign(EVP_MD_type(rctx->md), 162 tbs, tbslen, sig, &sltmp, rsa); 163 if (ret <= 0) 164 return ret; 165 ret = sltmp; 166 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 167 if (!setup_tbuf(rctx, ctx)) 168 return -1; 169 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, 170 rctx->tbuf, tbs, 171 rctx->md, rctx->mgf1md, 172 rctx->saltlen)) 173 return -1; 174 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 175 sig, rsa, RSA_NO_PADDING); 176 } else { 177 return -1; 178 } 179 } else { 180 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, 181 rctx->pad_mode); 182 } 183 if (ret < 0) 184 return ret; 185 *siglen = ret; 186 return 1; 187 } 188 189 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, 190 unsigned char *rout, size_t *routlen, 191 const unsigned char *sig, size_t siglen) 192 { 193 int ret; 194 RSA_PKEY_CTX *rctx = ctx->data; 195 196 if (rctx->md) { 197 if (rctx->pad_mode == RSA_X931_PADDING) { 198 if (!setup_tbuf(rctx, ctx)) 199 return -1; 200 ret = RSA_public_decrypt(siglen, sig, 201 rctx->tbuf, ctx->pkey->pkey.rsa, 202 RSA_X931_PADDING); 203 if (ret < 1) 204 return 0; 205 ret--; 206 if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) { 207 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 208 RSA_R_ALGORITHM_MISMATCH); 209 return 0; 210 } 211 if (ret != EVP_MD_size(rctx->md)) { 212 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 213 RSA_R_INVALID_DIGEST_LENGTH); 214 return 0; 215 } 216 if (rout) 217 memcpy(rout, rctx->tbuf, ret); 218 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 219 size_t sltmp; 220 ret = int_rsa_verify(EVP_MD_type(rctx->md), 221 NULL, 0, rout, &sltmp, 222 sig, siglen, ctx->pkey->pkey.rsa); 223 if (ret <= 0) 224 return 0; 225 ret = sltmp; 226 } else { 227 return -1; 228 } 229 } else { 230 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, 231 rctx->pad_mode); 232 } 233 if (ret < 0) 234 return ret; 235 *routlen = ret; 236 return 1; 237 } 238 239 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, 240 const unsigned char *sig, size_t siglen, 241 const unsigned char *tbs, size_t tbslen) 242 { 243 RSA_PKEY_CTX *rctx = ctx->data; 244 RSA *rsa = ctx->pkey->pkey.rsa; 245 size_t rslen; 246 247 if (rctx->md) { 248 if (rctx->pad_mode == RSA_PKCS1_PADDING) 249 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 250 sig, siglen, rsa); 251 if (tbslen != (size_t)EVP_MD_size(rctx->md)) { 252 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); 253 return -1; 254 } 255 if (rctx->pad_mode == RSA_X931_PADDING) { 256 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) 257 return 0; 258 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 259 int ret; 260 if (!setup_tbuf(rctx, ctx)) 261 return -1; 262 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 263 rsa, RSA_NO_PADDING); 264 if (ret <= 0) 265 return 0; 266 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, 267 rctx->md, rctx->mgf1md, 268 rctx->tbuf, rctx->saltlen); 269 if (ret <= 0) 270 return 0; 271 return 1; 272 } else { 273 return -1; 274 } 275 } else { 276 if (!setup_tbuf(rctx, ctx)) 277 return -1; 278 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, 279 rsa, rctx->pad_mode); 280 if (rslen == 0) 281 return 0; 282 } 283 284 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) 285 return 0; 286 287 return 1; 288 289 } 290 291 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, 292 unsigned char *out, size_t *outlen, 293 const unsigned char *in, size_t inlen) 294 { 295 int ret; 296 RSA_PKEY_CTX *rctx = ctx->data; 297 298 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 299 int klen = RSA_size(ctx->pkey->pkey.rsa); 300 if (!setup_tbuf(rctx, ctx)) 301 return -1; 302 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, 303 in, inlen, 304 rctx->oaep_label, 305 rctx->oaep_labellen, 306 rctx->md, rctx->mgf1md)) 307 return -1; 308 ret = RSA_public_encrypt(klen, rctx->tbuf, out, 309 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 310 } else { 311 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, 312 rctx->pad_mode); 313 } 314 if (ret < 0) 315 return ret; 316 *outlen = ret; 317 return 1; 318 } 319 320 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, 321 unsigned char *out, size_t *outlen, 322 const unsigned char *in, size_t inlen) 323 { 324 int ret; 325 RSA_PKEY_CTX *rctx = ctx->data; 326 327 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 328 if (!setup_tbuf(rctx, ctx)) 329 return -1; 330 ret = RSA_private_decrypt(inlen, in, rctx->tbuf, 331 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 332 if (ret <= 0) 333 return ret; 334 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, 335 ret, ret, 336 rctx->oaep_label, 337 rctx->oaep_labellen, 338 rctx->md, rctx->mgf1md); 339 } else { 340 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, 341 rctx->pad_mode); 342 } 343 if (ret < 0) 344 return ret; 345 *outlen = ret; 346 return 1; 347 } 348 349 static int check_padding_md(const EVP_MD *md, int padding) 350 { 351 int mdnid; 352 353 if (!md) 354 return 1; 355 356 mdnid = EVP_MD_type(md); 357 358 if (padding == RSA_NO_PADDING) { 359 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); 360 return 0; 361 } 362 363 if (padding == RSA_X931_PADDING) { 364 if (RSA_X931_hash_id(mdnid) == -1) { 365 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST); 366 return 0; 367 } 368 } else { 369 switch(mdnid) { 370 /* List of all supported RSA digests */ 371 case NID_sha1: 372 case NID_sha224: 373 case NID_sha256: 374 case NID_sha384: 375 case NID_sha512: 376 case NID_md5: 377 case NID_md5_sha1: 378 case NID_md2: 379 case NID_md4: 380 case NID_mdc2: 381 case NID_ripemd160: 382 case NID_sha3_224: 383 case NID_sha3_256: 384 case NID_sha3_384: 385 case NID_sha3_512: 386 return 1; 387 388 default: 389 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST); 390 return 0; 391 392 } 393 } 394 395 return 1; 396 } 397 398 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 399 { 400 RSA_PKEY_CTX *rctx = ctx->data; 401 402 switch (type) { 403 case EVP_PKEY_CTRL_RSA_PADDING: 404 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) { 405 if (!check_padding_md(rctx->md, p1)) 406 return 0; 407 if (p1 == RSA_PKCS1_PSS_PADDING) { 408 if (!(ctx->operation & 409 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) 410 goto bad_pad; 411 if (!rctx->md) 412 rctx->md = EVP_sha1(); 413 } else if (pkey_ctx_is_pss(ctx)) { 414 goto bad_pad; 415 } 416 if (p1 == RSA_PKCS1_OAEP_PADDING) { 417 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) 418 goto bad_pad; 419 if (!rctx->md) 420 rctx->md = EVP_sha1(); 421 } 422 rctx->pad_mode = p1; 423 return 1; 424 } 425 bad_pad: 426 RSAerr(RSA_F_PKEY_RSA_CTRL, 427 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 428 return -2; 429 430 case EVP_PKEY_CTRL_GET_RSA_PADDING: 431 *(int *)p2 = rctx->pad_mode; 432 return 1; 433 434 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 435 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 436 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { 437 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 438 return -2; 439 } 440 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { 441 *(int *)p2 = rctx->saltlen; 442 } else { 443 if (p1 < RSA_PSS_SALTLEN_MAX) 444 return -2; 445 if (rsa_pss_restricted(rctx)) { 446 if (p1 == RSA_PSS_SALTLEN_AUTO 447 && ctx->operation == EVP_PKEY_OP_VERIFY) { 448 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 449 return -2; 450 } 451 if ((p1 == RSA_PSS_SALTLEN_DIGEST 452 && rctx->min_saltlen > EVP_MD_size(rctx->md)) 453 || (p1 >= 0 && p1 < rctx->min_saltlen)) { 454 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL); 455 return 0; 456 } 457 } 458 rctx->saltlen = p1; 459 } 460 return 1; 461 462 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 463 if (p1 < RSA_MIN_MODULUS_BITS) { 464 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL); 465 return -2; 466 } 467 rctx->nbits = p1; 468 return 1; 469 470 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 471 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) { 472 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE); 473 return -2; 474 } 475 BN_free(rctx->pub_exp); 476 rctx->pub_exp = p2; 477 return 1; 478 479 case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES: 480 if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) { 481 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID); 482 return -2; 483 } 484 rctx->primes = p1; 485 return 1; 486 487 case EVP_PKEY_CTRL_RSA_OAEP_MD: 488 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: 489 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 490 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 491 return -2; 492 } 493 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) 494 *(const EVP_MD **)p2 = rctx->md; 495 else 496 rctx->md = p2; 497 return 1; 498 499 case EVP_PKEY_CTRL_MD: 500 if (!check_padding_md(p2, rctx->pad_mode)) 501 return 0; 502 if (rsa_pss_restricted(rctx)) { 503 if (EVP_MD_type(rctx->md) == EVP_MD_type(p2)) 504 return 1; 505 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED); 506 return 0; 507 } 508 rctx->md = p2; 509 return 1; 510 511 case EVP_PKEY_CTRL_GET_MD: 512 *(const EVP_MD **)p2 = rctx->md; 513 return 1; 514 515 case EVP_PKEY_CTRL_RSA_MGF1_MD: 516 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 517 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING 518 && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 519 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); 520 return -2; 521 } 522 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { 523 if (rctx->mgf1md) 524 *(const EVP_MD **)p2 = rctx->mgf1md; 525 else 526 *(const EVP_MD **)p2 = rctx->md; 527 } else { 528 if (rsa_pss_restricted(rctx)) { 529 if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2)) 530 return 1; 531 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED); 532 return 0; 533 } 534 rctx->mgf1md = p2; 535 } 536 return 1; 537 538 case EVP_PKEY_CTRL_RSA_OAEP_LABEL: 539 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 540 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 541 return -2; 542 } 543 OPENSSL_free(rctx->oaep_label); 544 if (p2 && p1 > 0) { 545 rctx->oaep_label = p2; 546 rctx->oaep_labellen = p1; 547 } else { 548 rctx->oaep_label = NULL; 549 rctx->oaep_labellen = 0; 550 } 551 return 1; 552 553 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: 554 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 555 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 556 return -2; 557 } 558 *(unsigned char **)p2 = rctx->oaep_label; 559 return rctx->oaep_labellen; 560 561 case EVP_PKEY_CTRL_DIGESTINIT: 562 case EVP_PKEY_CTRL_PKCS7_SIGN: 563 #ifndef OPENSSL_NO_CMS 564 case EVP_PKEY_CTRL_CMS_SIGN: 565 #endif 566 return 1; 567 568 case EVP_PKEY_CTRL_PKCS7_ENCRYPT: 569 case EVP_PKEY_CTRL_PKCS7_DECRYPT: 570 #ifndef OPENSSL_NO_CMS 571 case EVP_PKEY_CTRL_CMS_DECRYPT: 572 case EVP_PKEY_CTRL_CMS_ENCRYPT: 573 #endif 574 if (!pkey_ctx_is_pss(ctx)) 575 return 1; 576 /* fall through */ 577 case EVP_PKEY_CTRL_PEER_KEY: 578 RSAerr(RSA_F_PKEY_RSA_CTRL, 579 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 580 return -2; 581 582 default: 583 return -2; 584 585 } 586 } 587 588 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, 589 const char *type, const char *value) 590 { 591 if (value == NULL) { 592 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); 593 return 0; 594 } 595 if (strcmp(type, "rsa_padding_mode") == 0) { 596 int pm; 597 598 if (strcmp(value, "pkcs1") == 0) { 599 pm = RSA_PKCS1_PADDING; 600 } else if (strcmp(value, "sslv23") == 0) { 601 pm = RSA_SSLV23_PADDING; 602 } else if (strcmp(value, "none") == 0) { 603 pm = RSA_NO_PADDING; 604 } else if (strcmp(value, "oeap") == 0) { 605 pm = RSA_PKCS1_OAEP_PADDING; 606 } else if (strcmp(value, "oaep") == 0) { 607 pm = RSA_PKCS1_OAEP_PADDING; 608 } else if (strcmp(value, "x931") == 0) { 609 pm = RSA_X931_PADDING; 610 } else if (strcmp(value, "pss") == 0) { 611 pm = RSA_PKCS1_PSS_PADDING; 612 } else { 613 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE); 614 return -2; 615 } 616 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); 617 } 618 619 if (strcmp(type, "rsa_pss_saltlen") == 0) { 620 int saltlen; 621 622 if (!strcmp(value, "digest")) 623 saltlen = RSA_PSS_SALTLEN_DIGEST; 624 else if (!strcmp(value, "max")) 625 saltlen = RSA_PSS_SALTLEN_MAX; 626 else if (!strcmp(value, "auto")) 627 saltlen = RSA_PSS_SALTLEN_AUTO; 628 else 629 saltlen = atoi(value); 630 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); 631 } 632 633 if (strcmp(type, "rsa_keygen_bits") == 0) { 634 int nbits = atoi(value); 635 636 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); 637 } 638 639 if (strcmp(type, "rsa_keygen_pubexp") == 0) { 640 int ret; 641 642 BIGNUM *pubexp = NULL; 643 if (!BN_asc2bn(&pubexp, value)) 644 return 0; 645 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); 646 if (ret <= 0) 647 BN_free(pubexp); 648 return ret; 649 } 650 651 if (strcmp(type, "rsa_keygen_primes") == 0) { 652 int nprimes = atoi(value); 653 654 return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes); 655 } 656 657 if (strcmp(type, "rsa_mgf1_md") == 0) 658 return EVP_PKEY_CTX_md(ctx, 659 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 660 EVP_PKEY_CTRL_RSA_MGF1_MD, value); 661 662 if (pkey_ctx_is_pss(ctx)) { 663 664 if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0) 665 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, 666 EVP_PKEY_CTRL_RSA_MGF1_MD, value); 667 668 if (strcmp(type, "rsa_pss_keygen_md") == 0) 669 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, 670 EVP_PKEY_CTRL_MD, value); 671 672 if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) { 673 int saltlen = atoi(value); 674 675 return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); 676 } 677 } 678 679 if (strcmp(type, "rsa_oaep_md") == 0) 680 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, 681 EVP_PKEY_CTRL_RSA_OAEP_MD, value); 682 683 if (strcmp(type, "rsa_oaep_label") == 0) { 684 unsigned char *lab; 685 long lablen; 686 int ret; 687 688 lab = OPENSSL_hexstr2buf(value, &lablen); 689 if (!lab) 690 return 0; 691 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); 692 if (ret <= 0) 693 OPENSSL_free(lab); 694 return ret; 695 } 696 697 return -2; 698 } 699 700 /* Set PSS parameters when generating a key, if necessary */ 701 static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) 702 { 703 RSA_PKEY_CTX *rctx = ctx->data; 704 705 if (!pkey_ctx_is_pss(ctx)) 706 return 1; 707 /* If all parameters are default values don't set pss */ 708 if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2) 709 return 1; 710 rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md, 711 rctx->saltlen == -2 ? 0 : rctx->saltlen); 712 if (rsa->pss == NULL) 713 return 0; 714 return 1; 715 } 716 717 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 718 { 719 RSA *rsa = NULL; 720 RSA_PKEY_CTX *rctx = ctx->data; 721 BN_GENCB *pcb; 722 int ret; 723 724 if (rctx->pub_exp == NULL) { 725 rctx->pub_exp = BN_new(); 726 if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4)) 727 return 0; 728 } 729 rsa = RSA_new(); 730 if (rsa == NULL) 731 return 0; 732 if (ctx->pkey_gencb) { 733 pcb = BN_GENCB_new(); 734 if (pcb == NULL) { 735 RSA_free(rsa); 736 return 0; 737 } 738 evp_pkey_set_cb_translate(pcb, ctx); 739 } else { 740 pcb = NULL; 741 } 742 ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes, 743 rctx->pub_exp, pcb); 744 BN_GENCB_free(pcb); 745 if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { 746 RSA_free(rsa); 747 return 0; 748 } 749 if (ret > 0) 750 EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); 751 else 752 RSA_free(rsa); 753 return ret; 754 } 755 756 const EVP_PKEY_METHOD rsa_pkey_meth = { 757 EVP_PKEY_RSA, 758 EVP_PKEY_FLAG_AUTOARGLEN, 759 pkey_rsa_init, 760 pkey_rsa_copy, 761 pkey_rsa_cleanup, 762 763 0, 0, 764 765 0, 766 pkey_rsa_keygen, 767 768 0, 769 pkey_rsa_sign, 770 771 0, 772 pkey_rsa_verify, 773 774 0, 775 pkey_rsa_verifyrecover, 776 777 0, 0, 0, 0, 778 779 0, 780 pkey_rsa_encrypt, 781 782 0, 783 pkey_rsa_decrypt, 784 785 0, 0, 786 787 pkey_rsa_ctrl, 788 pkey_rsa_ctrl_str 789 }; 790 791 /* 792 * Called for PSS sign or verify initialisation: checks PSS parameter 793 * sanity and sets any restrictions on key usage. 794 */ 795 796 static int pkey_pss_init(EVP_PKEY_CTX *ctx) 797 { 798 RSA *rsa; 799 RSA_PKEY_CTX *rctx = ctx->data; 800 const EVP_MD *md; 801 const EVP_MD *mgf1md; 802 int min_saltlen, max_saltlen; 803 804 /* Should never happen */ 805 if (!pkey_ctx_is_pss(ctx)) 806 return 0; 807 rsa = ctx->pkey->pkey.rsa; 808 /* If no restrictions just return */ 809 if (rsa->pss == NULL) 810 return 1; 811 /* Get and check parameters */ 812 if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) 813 return 0; 814 815 /* See if minimum salt length exceeds maximum possible */ 816 max_saltlen = RSA_size(rsa) - EVP_MD_size(md); 817 if ((RSA_bits(rsa) & 0x7) == 1) 818 max_saltlen--; 819 if (min_saltlen > max_saltlen) { 820 RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH); 821 return 0; 822 } 823 824 rctx->min_saltlen = min_saltlen; 825 826 /* 827 * Set PSS restrictions as defaults: we can then block any attempt to 828 * use invalid values in pkey_rsa_ctrl 829 */ 830 831 rctx->md = md; 832 rctx->mgf1md = mgf1md; 833 rctx->saltlen = min_saltlen; 834 835 return 1; 836 } 837 838 const EVP_PKEY_METHOD rsa_pss_pkey_meth = { 839 EVP_PKEY_RSA_PSS, 840 EVP_PKEY_FLAG_AUTOARGLEN, 841 pkey_rsa_init, 842 pkey_rsa_copy, 843 pkey_rsa_cleanup, 844 845 0, 0, 846 847 0, 848 pkey_rsa_keygen, 849 850 pkey_pss_init, 851 pkey_rsa_sign, 852 853 pkey_pss_init, 854 pkey_rsa_verify, 855 856 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 857 858 pkey_rsa_ctrl, 859 pkey_rsa_ctrl_str 860 }; 861