/src/boringssl/crypto/evp/internal.h
Line | Count | Source |
1 | | // Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #ifndef OPENSSL_HEADER_CRYPTO_EVP_INTERNAL_H |
16 | | #define OPENSSL_HEADER_CRYPTO_EVP_INTERNAL_H |
17 | | |
18 | | #include <openssl/evp.h> |
19 | | |
20 | | #include <array> |
21 | | |
22 | | #include <openssl/span.h> |
23 | | |
24 | | #include "../internal.h" |
25 | | #include "../mem_internal.h" |
26 | | |
27 | | |
28 | | DECLARE_OPAQUE_STRUCT(evp_pkey_st, EvpPkey) |
29 | | DECLARE_OPAQUE_STRUCT(evp_pkey_ctx_st, EvpPkeyCtx) |
30 | | |
31 | | BSSL_NAMESPACE_BEGIN |
32 | | |
33 | | typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD; |
34 | | typedef struct evp_pkey_ctx_method_st EVP_PKEY_CTX_METHOD; |
35 | | |
36 | | BSSL_NAMESPACE_END |
37 | | |
38 | | struct evp_pkey_alg_st { |
39 | | // method implements operations for this |EVP_PKEY_ALG|. |
40 | | const bssl::EVP_PKEY_ASN1_METHOD *method; |
41 | | }; |
42 | | |
43 | | BSSL_NAMESPACE_BEGIN |
44 | | |
45 | | enum evp_decode_result_t { |
46 | | evp_decode_error = 0, |
47 | | evp_decode_ok = 1, |
48 | | evp_decode_unsupported = 2, |
49 | | }; |
50 | | |
51 | | struct evp_pkey_asn1_method_st { |
52 | | // pkey_id contains one of the |EVP_PKEY_*| values and corresponds to the OID |
53 | | // in the key type's AlgorithmIdentifier. |
54 | | int pkey_id; |
55 | | uint8_t oid[9]; |
56 | | uint8_t oid_len; |
57 | | |
58 | | const EVP_PKEY_CTX_METHOD *pkey_method; |
59 | | |
60 | | // pub_decode decodes |params| and |key| as a SubjectPublicKeyInfo |
61 | | // and writes the result into |out|. It returns |evp_decode_ok| on success, |
62 | | // and |evp_decode_error| on error, and |evp_decode_unsupported| if the input |
63 | | // was not supported by this |EVP_PKEY_ALG|. In case of |
64 | | // |evp_decode_unsupported|, it does not add an error to the error queue. May |
65 | | // modify |params| and |key|. Callers must make a copy if calling in a loop. |
66 | | // |
67 | | // |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, |
68 | | // and |key| is the contents of the subjectPublicKey with the leading padding |
69 | | // byte checked and removed. Although X.509 uses BIT STRINGs to represent |
70 | | // SubjectPublicKeyInfo, every key type defined encodes the key as a byte |
71 | | // string with the same conversion to BIT STRING. |
72 | | evp_decode_result_t (*pub_decode)(const EVP_PKEY_ALG *alg, EvpPkey *out, |
73 | | CBS *params, CBS *key); |
74 | | |
75 | | // pub_encode encodes |key| as a SubjectPublicKeyInfo and appends the result |
76 | | // to |out|. It returns one on success and zero on error. |
77 | | int (*pub_encode)(CBB *out, const EvpPkey *key); |
78 | | |
79 | | bool (*pub_equal)(const EvpPkey *a, const EvpPkey *b); |
80 | | |
81 | | // pub_present returns true iff the |pk| has a public key. (If so, validity |
82 | | // is not guaranteed and should be checked separately.) |
83 | | bool (*pub_present)(const EvpPkey *pk); |
84 | | |
85 | | // priv_decode decodes |params| and |key| as a PrivateKeyInfo and writes the |
86 | | // result into |out|. It returns |evp_decode_ok| on success, and |
87 | | // |evp_decode_error| on error, and |evp_decode_unsupported| if the key type |
88 | | // was not supported by this |EVP_PKEY_ALG|. In case of |
89 | | // |evp_decode_unsupported|, it does not add an error to the error queue. May |
90 | | // modify |params| and |key|. Callers must make a copy if calling in a loop. |
91 | | // |
92 | | // |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, |
93 | | // and |key| is the contents of the OCTET STRING privateKey field. |
94 | | evp_decode_result_t (*priv_decode)(const EVP_PKEY_ALG *alg, EvpPkey *out, |
95 | | CBS *params, CBS *key); |
96 | | |
97 | | // priv_encode encodes |key| as a PrivateKeyInfo and appends the result to |
98 | | // |out|. It returns one on success and zero on error. |
99 | | int (*priv_encode)(CBB *out, const EvpPkey *key); |
100 | | |
101 | | // priv_present returns true iff the |pk| has a private key. (If so, validity |
102 | | // is not guaranteed and should be checked separately.) |
103 | | bool (*priv_present)(const EvpPkey *pk); |
104 | | |
105 | | int (*set_priv_raw)(EvpPkey *pkey, const uint8_t *in, size_t len); |
106 | | int (*set_priv_seed)(EvpPkey *pkey, const uint8_t *in, size_t len); |
107 | | int (*set_pub_raw)(EvpPkey *pkey, const uint8_t *in, size_t len); |
108 | | int (*get_priv_raw)(const EvpPkey *pkey, uint8_t *out, size_t *out_len); |
109 | | int (*get_priv_seed)(const EvpPkey *pkey, uint8_t *out, size_t *out_len); |
110 | | int (*get_pub_raw)(const EvpPkey *pkey, uint8_t *out, size_t *out_len); |
111 | | |
112 | | // TODO(davidben): Can these be merged with the functions above? OpenSSL does |
113 | | // not implement |EVP_PKEY_get_raw_public_key|, etc., for |EVP_PKEY_EC|, but |
114 | | // the distinction seems unimportant. OpenSSL 3.0 has since renamed |
115 | | // |EVP_PKEY_get1_tls_encodedpoint| to |EVP_PKEY_get1_encoded_public_key|, and |
116 | | // what is the difference between "raw" and an "encoded" public key. |
117 | | // |
118 | | // One nuisance is the notion of "raw" is slightly ambiguous for EC keys. Is |
119 | | // it a DER ECPrivateKey or just the scalar? |
120 | | int (*set1_tls_encodedpoint)(EvpPkey *pkey, const uint8_t *in, size_t len); |
121 | | size_t (*get1_tls_encodedpoint)(const EvpPkey *pkey, uint8_t **out_ptr); |
122 | | |
123 | | // pkey_opaque returns 1 if the |pk| is opaque. Opaque keys are backed by |
124 | | // custom implementations which do not expose key material and parameters. |
125 | | int (*pkey_opaque)(const EvpPkey *pk); |
126 | | |
127 | | int (*pkey_size)(const EvpPkey *pk); |
128 | | int (*pkey_bits)(const EvpPkey *pk); |
129 | | |
130 | | int (*param_missing)(const EvpPkey *pk); |
131 | | int (*param_copy)(EvpPkey *to, const EvpPkey *from); |
132 | | bool (*param_equal)(const EvpPkey *a, const EvpPkey *b); |
133 | | |
134 | | void (*pkey_free)(EvpPkey *pkey); |
135 | | } /* EVP_PKEY_ASN1_METHOD */; |
136 | | |
137 | | class EvpPkey : public evp_pkey_st, public RefCounted<EvpPkey> { |
138 | | public: |
139 | | EvpPkey(); |
140 | | |
141 | | // pkey contains a pointer to a structure dependent on |ameth|. |
142 | | void *pkey = nullptr; |
143 | | |
144 | | // ameth contains a pointer to a method table that determines the key type, or |
145 | | // nullptr if the key is empty. |
146 | | const bssl::EVP_PKEY_ASN1_METHOD *ameth = nullptr; |
147 | | |
148 | | private: |
149 | | ~EvpPkey(); |
150 | | friend RefCounted; |
151 | | } /* EVP_PKEY */; |
152 | | |
153 | 147k | #define EVP_PKEY_OP_UNDEFINED 0 |
154 | 0 | #define EVP_PKEY_OP_KEYGEN (1 << 2) |
155 | 133k | #define EVP_PKEY_OP_SIGN (1 << 3) |
156 | 160k | #define EVP_PKEY_OP_VERIFY (1 << 4) |
157 | 55.8k | #define EVP_PKEY_OP_VERIFYRECOVER (1 << 5) |
158 | 0 | #define EVP_PKEY_OP_ENCRYPT (1 << 6) |
159 | 0 | #define EVP_PKEY_OP_DECRYPT (1 << 7) |
160 | 0 | #define EVP_PKEY_OP_DERIVE (1 << 8) |
161 | 0 | #define EVP_PKEY_OP_PARAMGEN (1 << 9) |
162 | | |
163 | | #define EVP_PKEY_OP_TYPE_SIG \ |
164 | 55.8k | (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYRECOVER) |
165 | | |
166 | 0 | #define EVP_PKEY_OP_TYPE_CRYPT (EVP_PKEY_OP_ENCRYPT | EVP_PKEY_OP_DECRYPT) |
167 | | |
168 | | #define EVP_PKEY_OP_TYPE_NOGEN \ |
169 | | (EVP_PKEY_OP_SIG | EVP_PKEY_OP_CRYPT | EVP_PKEY_OP_DERIVE) |
170 | | |
171 | 0 | #define EVP_PKEY_OP_TYPE_GEN (EVP_PKEY_OP_KEYGEN | EVP_PKEY_OP_PARAMGEN) |
172 | | |
173 | | // EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype| |
174 | | // arguments can be -1 to specify that any type and operation are acceptable, |
175 | | // otherwise |keytype| must match the type of |ctx| and the bits of |optype| |
176 | | // must intersect the operation flags set on |ctx|. |
177 | | // |
178 | | // The |p1| and |p2| arguments depend on the value of |cmd|. |
179 | | // |
180 | | // It returns one on success and zero on error. |
181 | | OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, |
182 | | int cmd, int p1, void *p2); |
183 | | |
184 | 111k | #define EVP_PKEY_CTRL_MD 1 |
185 | 0 | #define EVP_PKEY_CTRL_GET_MD 2 |
186 | | |
187 | | // EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|: |
188 | | // 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key. |
189 | | // If the return value is <= 0, the key is rejected. |
190 | | // 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a |
191 | | // peer key. If the return value is <= 0, the key is rejected. |
192 | | // 2: Is called with |p2| == NULL to test whether the peer's key was used. |
193 | | // (EC)DH always return one in this case. |
194 | | // 3: Is called with |p2| == NULL to set whether the peer's key was used. |
195 | | // (EC)DH always return one in this case. This was only used for GOST. |
196 | 0 | #define EVP_PKEY_CTRL_PEER_KEY 3 |
197 | | |
198 | | // EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl |
199 | | // commands are numbered. |
200 | 106k | #define EVP_PKEY_ALG_CTRL 0x1000 |
201 | | |
202 | 35.5k | #define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) |
203 | 0 | #define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 2) |
204 | 35.5k | #define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 3) |
205 | 35.5k | #define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 4) |
206 | 0 | #define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 5) |
207 | 0 | #define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 6) |
208 | 0 | #define EVP_PKEY_CTRL_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 7) |
209 | 0 | #define EVP_PKEY_CTRL_GET_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 8) |
210 | 0 | #define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 9) |
211 | 0 | #define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 10) |
212 | 0 | #define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 11) |
213 | 0 | #define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12) |
214 | 0 | #define EVP_PKEY_CTRL_EC_PARAMGEN_GROUP (EVP_PKEY_ALG_CTRL + 13) |
215 | 0 | #define EVP_PKEY_CTRL_HKDF_MODE (EVP_PKEY_ALG_CTRL + 14) |
216 | 0 | #define EVP_PKEY_CTRL_HKDF_MD (EVP_PKEY_ALG_CTRL + 15) |
217 | 0 | #define EVP_PKEY_CTRL_HKDF_KEY (EVP_PKEY_ALG_CTRL + 16) |
218 | 0 | #define EVP_PKEY_CTRL_HKDF_SALT (EVP_PKEY_ALG_CTRL + 17) |
219 | 0 | #define EVP_PKEY_CTRL_HKDF_INFO (EVP_PKEY_ALG_CTRL + 18) |
220 | 0 | #define EVP_PKEY_CTRL_DH_PAD (EVP_PKEY_ALG_CTRL + 19) |
221 | 0 | #define EVP_PKEY_CTRL_SIGNATURE_CONTEXT_STRING (EVP_PKEY_ALG_CTRL + 20) |
222 | | |
223 | | class EvpPkeyCtx : public evp_pkey_ctx_st { |
224 | | public: |
225 | | static constexpr bool kAllowUniquePtr = true; |
226 | | |
227 | | ~EvpPkeyCtx(); |
228 | | |
229 | | // Method associated with this operation |
230 | | const bssl::EVP_PKEY_CTX_METHOD *pmeth = nullptr; |
231 | | // Key: may be nullptr |
232 | | bssl::UniquePtr<EvpPkey> pkey; |
233 | | // Peer key for key agreement, may be nullptr |
234 | | bssl::UniquePtr<EvpPkey> peerkey; |
235 | | // operation contains one of the |EVP_PKEY_OP_*| values. |
236 | | int operation = EVP_PKEY_OP_UNDEFINED; |
237 | | // Algorithm specific data. |
238 | | // TODO(davidben): Since a |EVP_PKEY_CTX| never has its type change after |
239 | | // creation, this should instead be a base class, with the algorithm-specific |
240 | | // data on the subclass, coming from the same allocation. |
241 | | void *data = nullptr; |
242 | | }; |
243 | | |
244 | | struct evp_pkey_ctx_method_st { |
245 | | int pkey_id; |
246 | | |
247 | | int (*init)(EvpPkeyCtx *ctx); |
248 | | int (*copy)(EvpPkeyCtx *dst, EvpPkeyCtx *src); |
249 | | void (*cleanup)(EvpPkeyCtx *ctx); |
250 | | |
251 | | int (*keygen)(EvpPkeyCtx *ctx, EvpPkey *pkey); |
252 | | |
253 | | int (*sign)(EvpPkeyCtx *ctx, uint8_t *sig, size_t *siglen, const uint8_t *tbs, |
254 | | size_t tbslen); |
255 | | |
256 | | int (*sign_message)(EvpPkeyCtx *ctx, uint8_t *sig, size_t *siglen, |
257 | | const uint8_t *tbs, size_t tbslen); |
258 | | |
259 | | int (*verify)(EvpPkeyCtx *ctx, const uint8_t *sig, size_t siglen, |
260 | | const uint8_t *tbs, size_t tbslen); |
261 | | |
262 | | int (*verify_message)(EvpPkeyCtx *ctx, const uint8_t *sig, size_t siglen, |
263 | | const uint8_t *tbs, size_t tbslen); |
264 | | |
265 | | int (*verify_recover)(EvpPkeyCtx *ctx, uint8_t *out, size_t *out_len, |
266 | | const uint8_t *sig, size_t sig_len); |
267 | | |
268 | | int (*encrypt)(EvpPkeyCtx *ctx, uint8_t *out, size_t *outlen, |
269 | | const uint8_t *in, size_t inlen); |
270 | | |
271 | | int (*decrypt)(EvpPkeyCtx *ctx, uint8_t *out, size_t *outlen, |
272 | | const uint8_t *in, size_t inlen); |
273 | | |
274 | | int (*derive)(EvpPkeyCtx *ctx, uint8_t *key, size_t *keylen); |
275 | | |
276 | | int (*paramgen)(EvpPkeyCtx *ctx, EvpPkey *pkey); |
277 | | |
278 | | int (*ctrl)(EvpPkeyCtx *ctx, int type, int p1, void *p2); |
279 | | } /* EVP_PKEY_CTX_METHOD */; |
280 | | |
281 | | extern const EVP_PKEY_CTX_METHOD rsa_pkey_meth; |
282 | | extern const EVP_PKEY_CTX_METHOD rsa_pss_pkey_meth; |
283 | | extern const EVP_PKEY_CTX_METHOD ec_pkey_meth; |
284 | | extern const EVP_PKEY_CTX_METHOD ed25519_pkey_meth; |
285 | | extern const EVP_PKEY_CTX_METHOD x25519_pkey_meth; |
286 | | extern const EVP_PKEY_CTX_METHOD hkdf_pkey_meth; |
287 | | extern const EVP_PKEY_CTX_METHOD dh_pkey_meth; |
288 | | |
289 | | // evp_pkey_set0 sets |pkey|'s method to |method| and data to |pkey_data|, |
290 | | // freeing any key that may previously have been configured. This function takes |
291 | | // ownership of |pkey_data|, which must be of the type expected by |method|. |
292 | | void evp_pkey_set0(EvpPkey *pkey, const EVP_PKEY_ASN1_METHOD *method, |
293 | | void *pkey_data); |
294 | | |
295 | 179k | inline auto GetDefaultEVPAlgorithms() { |
296 | | // A set of algorithms to use by default in |EVP_parse_public_key| and |
297 | | // |EVP_parse_private_key|. |
298 | 179k | return std::array{ |
299 | 179k | EVP_pkey_ec_p224(), |
300 | 179k | EVP_pkey_ec_p256(), |
301 | 179k | EVP_pkey_ec_p384(), |
302 | 179k | EVP_pkey_ec_p521(), |
303 | 179k | EVP_pkey_ed25519(), |
304 | 179k | EVP_pkey_rsa(), |
305 | 179k | EVP_pkey_x25519(), |
306 | 179k | EVP_pkey_ml_dsa_44(), |
307 | 179k | EVP_pkey_ml_dsa_65(), |
308 | 179k | EVP_pkey_ml_dsa_87(), |
309 | | // TODO(crbug.com/438761503): Remove DSA from this set, after callers that |
310 | | // need DSA pass in |EVP_pkey_dsa| explicitly. |
311 | 179k | EVP_pkey_dsa(), |
312 | 179k | }; |
313 | 179k | } |
314 | | |
315 | | BSSL_NAMESPACE_END |
316 | | |
317 | | #endif // OPENSSL_HEADER_CRYPTO_EVP_INTERNAL_H |