1 /* 2 * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include "internal/constant_time_locl.h" 11 12 #include <stdio.h> 13 #include "internal/cryptlib.h" 14 #include <openssl/asn1t.h> 15 #include <openssl/x509.h> 16 #include <openssl/rsa.h> 17 #include <openssl/bn.h> 18 #include <openssl/evp.h> 19 #include <openssl/x509v3.h> 20 #include <openssl/cms.h> 21 #include "internal/evp_int.h" 22 #include "rsa_locl.h" 23 24 /* RSA pkey context structure */ 25 26 typedef struct { 27 /* Key gen parameters */ 28 int nbits; 29 BIGNUM *pub_exp; 30 int primes; 31 /* Keygen callback info */ 32 int gentmp[2]; 33 /* RSA padding mode */ 34 int pad_mode; 35 /* message digest */ 36 const EVP_MD *md; 37 /* message digest for MGF1 */ 38 const EVP_MD *mgf1md; 39 /* PSS salt length */ 40 int saltlen; 41 /* Minimum salt length or -1 if no PSS parameter restriction */ 42 int min_saltlen; 43 /* Temp buffer */ 44 unsigned char *tbuf; 45 /* OAEP label */ 46 unsigned char *oaep_label; 47 size_t oaep_labellen; 48 } RSA_PKEY_CTX; 49 50 /* True if PSS parameters are restricted */ 51 #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) 52 53 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) 54 { 55 RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx)); 56 57 if (rctx == NULL) 58 return 0; 59 rctx->nbits = 2048; 60 rctx->primes = RSA_DEFAULT_PRIME_NUM; 61 if (pkey_ctx_is_pss(ctx)) 62 rctx->pad_mode = RSA_PKCS1_PSS_PADDING; 63 else 64 rctx->pad_mode = RSA_PKCS1_PADDING; 65 /* Maximum for sign, auto for verify */ 66 rctx->saltlen = RSA_PSS_SALTLEN_AUTO; 67 rctx->min_saltlen = -1; 68 ctx->data = rctx; 69 ctx->keygen_info = rctx->gentmp; 70 ctx->keygen_info_count = 2; 71 72 return 1; 73 } 74 75 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 76 { 77 RSA_PKEY_CTX *dctx, *sctx; 78 79 if (!pkey_rsa_init(dst)) 80 return 0; 81 sctx = src->data; 82 dctx = dst->data; 83 dctx->nbits = sctx->nbits; 84 if (sctx->pub_exp) { 85 dctx->pub_exp = BN_dup(sctx->pub_exp); 86 if (!dctx->pub_exp) 87 return 0; 88 } 89 dctx->pad_mode = sctx->pad_mode; 90 dctx->md = sctx->md; 91 dctx->mgf1md = sctx->mgf1md; 92 if (sctx->oaep_label) { 93 OPENSSL_free(dctx->oaep_label); 94 dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); 95 if (!dctx->oaep_label) 96 return 0; 97 dctx->oaep_labellen = sctx->oaep_labellen; 98 } 99 return 1; 100 } 101 102 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) 103 { 104 if (ctx->tbuf != NULL) 105 return 1; 106 if ((ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey))) == NULL) { 107 RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE); 108 return 0; 109 } 110 return 1; 111 } 112 113 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) 114 { 115 RSA_PKEY_CTX *rctx = ctx->data; 116 if (rctx) { 117 BN_free(rctx->pub_exp); 118 OPENSSL_free(rctx->tbuf); 119 OPENSSL_free(rctx->oaep_label); 120 OPENSSL_free(rctx); 121 } 122 } 123 124 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, 125 size_t *siglen, const unsigned char *tbs, 126 size_t tbslen) 127 { 128 int ret; 129 RSA_PKEY_CTX *rctx = ctx->data; 130 RSA *rsa = ctx->pkey->pkey.rsa; 131 132 if (rctx->md) { 133 if (tbslen != (size_t)EVP_MD_size(rctx->md)) { 134 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); 135 return -1; 136 } 137 138 if (EVP_MD_type(rctx->md) == NID_mdc2) { 139 unsigned int sltmp; 140 if (rctx->pad_mode != RSA_PKCS1_PADDING) 141 return -1; 142 ret = RSA_sign_ASN1_OCTET_STRING(0, 143 tbs, tbslen, sig, &sltmp, rsa); 144 145 if (ret <= 0) 146 return ret; 147 ret = sltmp; 148 } else if (rctx->pad_mode == RSA_X931_PADDING) { 149 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { 150 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); 151 return -1; 152 } 153 if (!setup_tbuf(rctx, ctx)) { 154 RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); 155 return -1; 156 } 157 memcpy(rctx->tbuf, tbs, tbslen); 158 rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); 159 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, 160 sig, rsa, RSA_X931_PADDING); 161 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 162 unsigned int sltmp; 163 ret = RSA_sign(EVP_MD_type(rctx->md), 164 tbs, tbslen, sig, &sltmp, rsa); 165 if (ret <= 0) 166 return ret; 167 ret = sltmp; 168 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 169 if (!setup_tbuf(rctx, ctx)) 170 return -1; 171 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, 172 rctx->tbuf, tbs, 173 rctx->md, rctx->mgf1md, 174 rctx->saltlen)) 175 return -1; 176 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 177 sig, rsa, RSA_NO_PADDING); 178 } else { 179 return -1; 180 } 181 } else { 182 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, 183 rctx->pad_mode); 184 } 185 if (ret < 0) 186 return ret; 187 *siglen = ret; 188 return 1; 189 } 190 191 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, 192 unsigned char *rout, size_t *routlen, 193 const unsigned char *sig, size_t siglen) 194 { 195 int ret; 196 RSA_PKEY_CTX *rctx = ctx->data; 197 198 if (rctx->md) { 199 if (rctx->pad_mode == RSA_X931_PADDING) { 200 if (!setup_tbuf(rctx, ctx)) 201 return -1; 202 ret = RSA_public_decrypt(siglen, sig, 203 rctx->tbuf, ctx->pkey->pkey.rsa, 204 RSA_X931_PADDING); 205 if (ret < 1) 206 return 0; 207 ret--; 208 if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) { 209 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 210 RSA_R_ALGORITHM_MISMATCH); 211 return 0; 212 } 213 if (ret != EVP_MD_size(rctx->md)) { 214 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 215 RSA_R_INVALID_DIGEST_LENGTH); 216 return 0; 217 } 218 if (rout) 219 memcpy(rout, rctx->tbuf, ret); 220 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 221 size_t sltmp; 222 ret = int_rsa_verify(EVP_MD_type(rctx->md), 223 NULL, 0, rout, &sltmp, 224 sig, siglen, ctx->pkey->pkey.rsa); 225 if (ret <= 0) 226 return 0; 227 ret = sltmp; 228 } else { 229 return -1; 230 } 231 } else { 232 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, 233 rctx->pad_mode); 234 } 235 if (ret < 0) 236 return ret; 237 *routlen = ret; 238 return 1; 239 } 240 241 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, 242 const unsigned char *sig, size_t siglen, 243 const unsigned char *tbs, size_t tbslen) 244 { 245 RSA_PKEY_CTX *rctx = ctx->data; 246 RSA *rsa = ctx->pkey->pkey.rsa; 247 size_t rslen; 248 249 if (rctx->md) { 250 if (rctx->pad_mode == RSA_PKCS1_PADDING) 251 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 252 sig, siglen, rsa); 253 if (tbslen != (size_t)EVP_MD_size(rctx->md)) { 254 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); 255 return -1; 256 } 257 if (rctx->pad_mode == RSA_X931_PADDING) { 258 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) 259 return 0; 260 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 261 int ret; 262 if (!setup_tbuf(rctx, ctx)) 263 return -1; 264 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 265 rsa, RSA_NO_PADDING); 266 if (ret <= 0) 267 return 0; 268 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, 269 rctx->md, rctx->mgf1md, 270 rctx->tbuf, rctx->saltlen); 271 if (ret <= 0) 272 return 0; 273 return 1; 274 } else { 275 return -1; 276 } 277 } else { 278 if (!setup_tbuf(rctx, ctx)) 279 return -1; 280 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, 281 rsa, rctx->pad_mode); 282 if (rslen == 0) 283 return 0; 284 } 285 286 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) 287 return 0; 288 289 return 1; 290 291 } 292 293 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, 294 unsigned char *out, size_t *outlen, 295 const unsigned char *in, size_t inlen) 296 { 297 int ret; 298 RSA_PKEY_CTX *rctx = ctx->data; 299 300 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 301 int klen = RSA_size(ctx->pkey->pkey.rsa); 302 if (!setup_tbuf(rctx, ctx)) 303 return -1; 304 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, 305 in, inlen, 306 rctx->oaep_label, 307 rctx->oaep_labellen, 308 rctx->md, rctx->mgf1md)) 309 return -1; 310 ret = RSA_public_encrypt(klen, rctx->tbuf, out, 311 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 312 } else { 313 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, 314 rctx->pad_mode); 315 } 316 if (ret < 0) 317 return ret; 318 *outlen = ret; 319 return 1; 320 } 321 322 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, 323 unsigned char *out, size_t *outlen, 324 const unsigned char *in, size_t inlen) 325 { 326 int ret; 327 RSA_PKEY_CTX *rctx = ctx->data; 328 329 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 330 if (!setup_tbuf(rctx, ctx)) 331 return -1; 332 ret = RSA_private_decrypt(inlen, in, rctx->tbuf, 333 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 334 if (ret <= 0) 335 return ret; 336 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, 337 ret, ret, 338 rctx->oaep_label, 339 rctx->oaep_labellen, 340 rctx->md, rctx->mgf1md); 341 } else { 342 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, 343 rctx->pad_mode); 344 } 345 *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); 346 ret = constant_time_select_int(constant_time_msb(ret), ret, 1); 347 return ret; 348 } 349 350 static int check_padding_md(const EVP_MD *md, int padding) 351 { 352 int mdnid; 353 354 if (!md) 355 return 1; 356 357 mdnid = EVP_MD_type(md); 358 359 if (padding == RSA_NO_PADDING) { 360 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); 361 return 0; 362 } 363 364 if (padding == RSA_X931_PADDING) { 365 if (RSA_X931_hash_id(mdnid) == -1) { 366 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST); 367 return 0; 368 } 369 } else { 370 switch(mdnid) { 371 /* List of all supported RSA digests */ 372 case NID_sha1: 373 case NID_sha224: 374 case NID_sha256: 375 case NID_sha384: 376 case NID_sha512: 377 case NID_md5: 378 case NID_md5_sha1: 379 case NID_md2: 380 case NID_md4: 381 case NID_mdc2: 382 case NID_ripemd160: 383 case NID_sha3_224: 384 case NID_sha3_256: 385 case NID_sha3_384: 386 case NID_sha3_512: 387 return 1; 388 389 default: 390 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST); 391 return 0; 392 393 } 394 } 395 396 return 1; 397 } 398 399 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 400 { 401 RSA_PKEY_CTX *rctx = ctx->data; 402 403 switch (type) { 404 case EVP_PKEY_CTRL_RSA_PADDING: 405 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) { 406 if (!check_padding_md(rctx->md, p1)) 407 return 0; 408 if (p1 == RSA_PKCS1_PSS_PADDING) { 409 if (!(ctx->operation & 410 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) 411 goto bad_pad; 412 if (!rctx->md) 413 rctx->md = EVP_sha1(); 414 } else if (pkey_ctx_is_pss(ctx)) { 415 goto bad_pad; 416 } 417 if (p1 == RSA_PKCS1_OAEP_PADDING) { 418 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) 419 goto bad_pad; 420 if (!rctx->md) 421 rctx->md = EVP_sha1(); 422 } 423 rctx->pad_mode = p1; 424 return 1; 425 } 426 bad_pad: 427 RSAerr(RSA_F_PKEY_RSA_CTRL, 428 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 429 return -2; 430 431 case EVP_PKEY_CTRL_GET_RSA_PADDING: 432 *(int *)p2 = rctx->pad_mode; 433 return 1; 434 435 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 436 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 437 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { 438 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 439 return -2; 440 } 441 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { 442 *(int *)p2 = rctx->saltlen; 443 } else { 444 if (p1 < RSA_PSS_SALTLEN_MAX) 445 return -2; 446 if (rsa_pss_restricted(rctx)) { 447 if (p1 == RSA_PSS_SALTLEN_AUTO 448 && ctx->operation == EVP_PKEY_OP_VERIFY) { 449 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 450 return -2; 451 } 452 if ((p1 == RSA_PSS_SALTLEN_DIGEST 453 && rctx->min_saltlen > EVP_MD_size(rctx->md)) 454 || (p1 >= 0 && p1 < rctx->min_saltlen)) { 455 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL); 456 return 0; 457 } 458 } 459 rctx->saltlen = p1; 460 } 461 return 1; 462 463 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 464 if (p1 < RSA_MIN_MODULUS_BITS) { 465 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL); 466 return -2; 467 } 468 rctx->nbits = p1; 469 return 1; 470 471 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 472 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) { 473 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE); 474 return -2; 475 } 476 BN_free(rctx->pub_exp); 477 rctx->pub_exp = p2; 478 return 1; 479 480 case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES: 481 if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) { 482 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID); 483 return -2; 484 } 485 rctx->primes = p1; 486 return 1; 487 488 case EVP_PKEY_CTRL_RSA_OAEP_MD: 489 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: 490 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 491 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 492 return -2; 493 } 494 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) 495 *(const EVP_MD **)p2 = rctx->md; 496 else 497 rctx->md = p2; 498 return 1; 499 500 case EVP_PKEY_CTRL_MD: 501 if (!check_padding_md(p2, rctx->pad_mode)) 502 return 0; 503 if (rsa_pss_restricted(rctx)) { 504 if (EVP_MD_type(rctx->md) == EVP_MD_type(p2)) 505 return 1; 506 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED); 507 return 0; 508 } 509 rctx->md = p2; 510 return 1; 511 512 case EVP_PKEY_CTRL_GET_MD: 513 *(const EVP_MD **)p2 = rctx->md; 514 return 1; 515 516 case EVP_PKEY_CTRL_RSA_MGF1_MD: 517 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 518 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING 519 && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 520 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); 521 return -2; 522 } 523 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { 524 if (rctx->mgf1md) 525 *(const EVP_MD **)p2 = rctx->mgf1md; 526 else 527 *(const EVP_MD **)p2 = rctx->md; 528 } else { 529 if (rsa_pss_restricted(rctx)) { 530 if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2)) 531 return 1; 532 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED); 533 return 0; 534 } 535 rctx->mgf1md = p2; 536 } 537 return 1; 538 539 case EVP_PKEY_CTRL_RSA_OAEP_LABEL: 540 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 541 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 542 return -2; 543 } 544 OPENSSL_free(rctx->oaep_label); 545 if (p2 && p1 > 0) { 546 rctx->oaep_label = p2; 547 rctx->oaep_labellen = p1; 548 } else { 549 rctx->oaep_label = NULL; 550 rctx->oaep_labellen = 0; 551 } 552 return 1; 553 554 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: 555 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 556 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 557 return -2; 558 } 559 *(unsigned char **)p2 = rctx->oaep_label; 560 return rctx->oaep_labellen; 561 562 case EVP_PKEY_CTRL_DIGESTINIT: 563 case EVP_PKEY_CTRL_PKCS7_SIGN: 564 #ifndef OPENSSL_NO_CMS 565 case EVP_PKEY_CTRL_CMS_SIGN: 566 #endif 567 return 1; 568 569 case EVP_PKEY_CTRL_PKCS7_ENCRYPT: 570 case EVP_PKEY_CTRL_PKCS7_DECRYPT: 571 #ifndef OPENSSL_NO_CMS 572 case EVP_PKEY_CTRL_CMS_DECRYPT: 573 case EVP_PKEY_CTRL_CMS_ENCRYPT: 574 #endif 575 if (!pkey_ctx_is_pss(ctx)) 576 return 1; 577 /* fall through */ 578 case EVP_PKEY_CTRL_PEER_KEY: 579 RSAerr(RSA_F_PKEY_RSA_CTRL, 580 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 581 return -2; 582 583 default: 584 return -2; 585 586 } 587 } 588 589 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, 590 const char *type, const char *value) 591 { 592 if (value == NULL) { 593 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); 594 return 0; 595 } 596 if (strcmp(type, "rsa_padding_mode") == 0) { 597 int pm; 598 599 if (strcmp(value, "pkcs1") == 0) { 600 pm = RSA_PKCS1_PADDING; 601 } else if (strcmp(value, "sslv23") == 0) { 602 pm = RSA_SSLV23_PADDING; 603 } else if (strcmp(value, "none") == 0) { 604 pm = RSA_NO_PADDING; 605 } else if (strcmp(value, "oeap") == 0) { 606 pm = RSA_PKCS1_OAEP_PADDING; 607 } else if (strcmp(value, "oaep") == 0) { 608 pm = RSA_PKCS1_OAEP_PADDING; 609 } else if (strcmp(value, "x931") == 0) { 610 pm = RSA_X931_PADDING; 611 } else if (strcmp(value, "pss") == 0) { 612 pm = RSA_PKCS1_PSS_PADDING; 613 } else { 614 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE); 615 return -2; 616 } 617 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); 618 } 619 620 if (strcmp(type, "rsa_pss_saltlen") == 0) { 621 int saltlen; 622 623 if (!strcmp(value, "digest")) 624 saltlen = RSA_PSS_SALTLEN_DIGEST; 625 else if (!strcmp(value, "max")) 626 saltlen = RSA_PSS_SALTLEN_MAX; 627 else if (!strcmp(value, "auto")) 628 saltlen = RSA_PSS_SALTLEN_AUTO; 629 else 630 saltlen = atoi(value); 631 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); 632 } 633 634 if (strcmp(type, "rsa_keygen_bits") == 0) { 635 int nbits = atoi(value); 636 637 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); 638 } 639 640 if (strcmp(type, "rsa_keygen_pubexp") == 0) { 641 int ret; 642 643 BIGNUM *pubexp = NULL; 644 if (!BN_asc2bn(&pubexp, value)) 645 return 0; 646 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); 647 if (ret <= 0) 648 BN_free(pubexp); 649 return ret; 650 } 651 652 if (strcmp(type, "rsa_keygen_primes") == 0) { 653 int nprimes = atoi(value); 654 655 return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes); 656 } 657 658 if (strcmp(type, "rsa_mgf1_md") == 0) 659 return EVP_PKEY_CTX_md(ctx, 660 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 661 EVP_PKEY_CTRL_RSA_MGF1_MD, value); 662 663 if (pkey_ctx_is_pss(ctx)) { 664 665 if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0) 666 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, 667 EVP_PKEY_CTRL_RSA_MGF1_MD, value); 668 669 if (strcmp(type, "rsa_pss_keygen_md") == 0) 670 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, 671 EVP_PKEY_CTRL_MD, value); 672 673 if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) { 674 int saltlen = atoi(value); 675 676 return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); 677 } 678 } 679 680 if (strcmp(type, "rsa_oaep_md") == 0) 681 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, 682 EVP_PKEY_CTRL_RSA_OAEP_MD, value); 683 684 if (strcmp(type, "rsa_oaep_label") == 0) { 685 unsigned char *lab; 686 long lablen; 687 int ret; 688 689 lab = OPENSSL_hexstr2buf(value, &lablen); 690 if (!lab) 691 return 0; 692 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); 693 if (ret <= 0) 694 OPENSSL_free(lab); 695 return ret; 696 } 697 698 return -2; 699 } 700 701 /* Set PSS parameters when generating a key, if necessary */ 702 static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) 703 { 704 RSA_PKEY_CTX *rctx = ctx->data; 705 706 if (!pkey_ctx_is_pss(ctx)) 707 return 1; 708 /* If all parameters are default values don't set pss */ 709 if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2) 710 return 1; 711 rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md, 712 rctx->saltlen == -2 ? 0 : rctx->saltlen); 713 if (rsa->pss == NULL) 714 return 0; 715 return 1; 716 } 717 718 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 719 { 720 RSA *rsa = NULL; 721 RSA_PKEY_CTX *rctx = ctx->data; 722 BN_GENCB *pcb; 723 int ret; 724 725 if (rctx->pub_exp == NULL) { 726 rctx->pub_exp = BN_new(); 727 if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4)) 728 return 0; 729 } 730 rsa = RSA_new(); 731 if (rsa == NULL) 732 return 0; 733 if (ctx->pkey_gencb) { 734 pcb = BN_GENCB_new(); 735 if (pcb == NULL) { 736 RSA_free(rsa); 737 return 0; 738 } 739 evp_pkey_set_cb_translate(pcb, ctx); 740 } else { 741 pcb = NULL; 742 } 743 ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes, 744 rctx->pub_exp, pcb); 745 BN_GENCB_free(pcb); 746 if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { 747 RSA_free(rsa); 748 return 0; 749 } 750 if (ret > 0) 751 EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); 752 else 753 RSA_free(rsa); 754 return ret; 755 } 756 757 const EVP_PKEY_METHOD rsa_pkey_meth = { 758 EVP_PKEY_RSA, 759 EVP_PKEY_FLAG_AUTOARGLEN, 760 pkey_rsa_init, 761 pkey_rsa_copy, 762 pkey_rsa_cleanup, 763 764 0, 0, 765 766 0, 767 pkey_rsa_keygen, 768 769 0, 770 pkey_rsa_sign, 771 772 0, 773 pkey_rsa_verify, 774 775 0, 776 pkey_rsa_verifyrecover, 777 778 0, 0, 0, 0, 779 780 0, 781 pkey_rsa_encrypt, 782 783 0, 784 pkey_rsa_decrypt, 785 786 0, 0, 787 788 pkey_rsa_ctrl, 789 pkey_rsa_ctrl_str 790 }; 791 792 /* 793 * Called for PSS sign or verify initialisation: checks PSS parameter 794 * sanity and sets any restrictions on key usage. 795 */ 796 797 static int pkey_pss_init(EVP_PKEY_CTX *ctx) 798 { 799 RSA *rsa; 800 RSA_PKEY_CTX *rctx = ctx->data; 801 const EVP_MD *md; 802 const EVP_MD *mgf1md; 803 int min_saltlen, max_saltlen; 804 805 /* Should never happen */ 806 if (!pkey_ctx_is_pss(ctx)) 807 return 0; 808 rsa = ctx->pkey->pkey.rsa; 809 /* If no restrictions just return */ 810 if (rsa->pss == NULL) 811 return 1; 812 /* Get and check parameters */ 813 if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) 814 return 0; 815 816 /* See if minimum salt length exceeds maximum possible */ 817 max_saltlen = RSA_size(rsa) - EVP_MD_size(md); 818 if ((RSA_bits(rsa) & 0x7) == 1) 819 max_saltlen--; 820 if (min_saltlen > max_saltlen) { 821 RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH); 822 return 0; 823 } 824 825 rctx->min_saltlen = min_saltlen; 826 827 /* 828 * Set PSS restrictions as defaults: we can then block any attempt to 829 * use invalid values in pkey_rsa_ctrl 830 */ 831 832 rctx->md = md; 833 rctx->mgf1md = mgf1md; 834 rctx->saltlen = min_saltlen; 835 836 return 1; 837 } 838 839 const EVP_PKEY_METHOD rsa_pss_pkey_meth = { 840 EVP_PKEY_RSA_PSS, 841 EVP_PKEY_FLAG_AUTOARGLEN, 842 pkey_rsa_init, 843 pkey_rsa_copy, 844 pkey_rsa_cleanup, 845 846 0, 0, 847 848 0, 849 pkey_rsa_keygen, 850 851 pkey_pss_init, 852 pkey_rsa_sign, 853 854 pkey_pss_init, 855 pkey_rsa_verify, 856 857 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 858 859 pkey_rsa_ctrl, 860 pkey_rsa_ctrl_str 861 }; 862