/src/boringssl/crypto/evp/p_rsa.cc
Line | Count | Source |
1 | | // Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/evp.h> |
16 | | |
17 | | #include <limits.h> |
18 | | #include <string.h> |
19 | | |
20 | | #include <openssl/bn.h> |
21 | | #include <openssl/bytestring.h> |
22 | | #include <openssl/digest.h> |
23 | | #include <openssl/err.h> |
24 | | #include <openssl/mem.h> |
25 | | #include <openssl/nid.h> |
26 | | #include <openssl/rsa.h> |
27 | | #include <openssl/span.h> |
28 | | |
29 | | #include "../fipsmodule/rsa/internal.h" |
30 | | #include "../internal.h" |
31 | | #include "../mem_internal.h" |
32 | | #include "../rsa/internal.h" |
33 | | #include "internal.h" |
34 | | |
35 | | |
36 | | using namespace bssl; |
37 | | |
38 | | namespace { |
39 | | |
40 | | struct EVP_PKEY_ALG_RSA_PSS : public EVP_PKEY_ALG { |
41 | | rsa_pss_params_t pss_params; |
42 | | }; |
43 | | |
44 | | extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meth; |
45 | | extern const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth; |
46 | | extern const EVP_PKEY_CTX_METHOD rsa_pkey_meth; |
47 | | extern const EVP_PKEY_CTX_METHOD rsa_pss_pkey_meth; |
48 | | |
49 | 1.20k | static int rsa_pub_encode(CBB *out, const EvpPkey *key) { |
50 | | // See RFC 3279, section 2.3.1. |
51 | 1.20k | const RSA *rsa = reinterpret_cast<const RSA *>(key->pkey); |
52 | 1.20k | CBB spki, algorithm, null, key_bitstring; |
53 | 1.20k | if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) || |
54 | 1.20k | !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) || |
55 | 1.20k | !CBB_add_asn1_element(&algorithm, CBS_ASN1_OBJECT, rsa_asn1_meth.oid, |
56 | 1.20k | rsa_asn1_meth.oid_len) || |
57 | 1.20k | !CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) || |
58 | 1.20k | !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) || |
59 | 1.20k | !CBB_add_u8(&key_bitstring, 0 /* padding */) || |
60 | 1.20k | !RSA_marshal_public_key(&key_bitstring, rsa) || // |
61 | 1.20k | !CBB_flush(out)) { |
62 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); |
63 | 0 | return 0; |
64 | 0 | } |
65 | | |
66 | 1.20k | return 1; |
67 | 1.20k | } |
68 | | |
69 | | static bssl::evp_decode_result_t rsa_pub_decode(const EVP_PKEY_ALG *alg, |
70 | | EvpPkey *out, CBS *params, |
71 | 120k | CBS *key) { |
72 | | // See RFC 3279, section 2.3.1. |
73 | | |
74 | | // The parameters must be NULL. |
75 | 120k | CBS null; |
76 | 120k | if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) || CBS_len(&null) != 0 || |
77 | 120k | CBS_len(params) != 0) { |
78 | 608 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
79 | 608 | return evp_decode_error; |
80 | 608 | } |
81 | | |
82 | 120k | UniquePtr<RSA> rsa(RSA_public_key_from_bytes(CBS_data(key), CBS_len(key))); |
83 | 120k | if (rsa == nullptr) { |
84 | 23.8k | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
85 | 23.8k | return evp_decode_error; |
86 | 23.8k | } |
87 | | |
88 | 96.2k | EVP_PKEY_assign_RSA(out, rsa.release()); |
89 | 96.2k | return evp_decode_ok; |
90 | 120k | } |
91 | | |
92 | 10.0k | static bool rsa_pub_equal(const EvpPkey *a, const EvpPkey *b) { |
93 | | // We currently assume that all |EVP_PKEY_RSA_PSS| keys have the same |
94 | | // parameters, so this vacuously compares parameters. If we ever support |
95 | | // multiple PSS parameter sets, we probably should compare them too. Note, |
96 | | // however, that OpenSSL does not compare parameters here. |
97 | 10.0k | const RSA *a_rsa = reinterpret_cast<const RSA *>(a->pkey); |
98 | 10.0k | const RSA *b_rsa = reinterpret_cast<const RSA *>(b->pkey); |
99 | 10.0k | return BN_cmp(RSA_get0_n(b_rsa), RSA_get0_n(a_rsa)) == 0 && |
100 | 10.0k | BN_cmp(RSA_get0_e(b_rsa), RSA_get0_e(a_rsa)) == 0; |
101 | 10.0k | } |
102 | | |
103 | 0 | static bool rsa_pub_present(const EvpPkey *pk) { |
104 | 0 | const RSA *pk_rsa = reinterpret_cast<const RSA *>(pk->pkey); |
105 | | // An RSA public key should always have n and e. It's possible for a (private) |
106 | | // key to have n and d, but not e, so we must explicitly check for the |
107 | | // presence of e. |
108 | 0 | return RSA_get0_n(pk_rsa) != nullptr && RSA_get0_e(pk_rsa) != nullptr; |
109 | 0 | } |
110 | | |
111 | 0 | static bool rsa_pub_copy(EvpPkey *out, const EvpPkey *pkey) { |
112 | 0 | const RSAImpl *pk_rsa = reinterpret_cast<const RSAImpl *>(pkey->pkey); |
113 | 0 | const BIGNUM *pk_n = RSA_get0_n(pk_rsa); |
114 | 0 | const BIGNUM *pk_e = RSA_get0_e(pk_rsa); |
115 | 0 | if (pk_n == nullptr || pk_e == nullptr) { |
116 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PUBLIC_KEY); |
117 | 0 | return false; |
118 | 0 | } |
119 | 0 | UniquePtr<RSA> public_copy_rsa(RSA_new_public_key(pk_n, pk_e)); |
120 | 0 | if (!public_copy_rsa) { |
121 | 0 | OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR); |
122 | 0 | return false; |
123 | 0 | } |
124 | 0 | FromOpaque(public_copy_rsa.get())->pss_params = pk_rsa->pss_params; |
125 | 0 | evp_pkey_set0(out, pkey->ameth, public_copy_rsa.release()); |
126 | 0 | return true; |
127 | 0 | } |
128 | | |
129 | 2 | static int rsa_priv_encode(CBB *out, const EvpPkey *key) { |
130 | 2 | const RSA *rsa = reinterpret_cast<const RSA *>(key->pkey); |
131 | 2 | CBB pkcs8, algorithm, null, private_key; |
132 | 2 | if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) || |
133 | 2 | !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) || |
134 | 2 | !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) || |
135 | 2 | !CBB_add_asn1_element(&algorithm, CBS_ASN1_OBJECT, rsa_asn1_meth.oid, |
136 | 2 | rsa_asn1_meth.oid_len) || |
137 | 2 | !CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) || |
138 | 2 | !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) || |
139 | 2 | !RSA_marshal_private_key(&private_key, rsa) || // |
140 | 2 | !CBB_flush(out)) { |
141 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); |
142 | 0 | return 0; |
143 | 0 | } |
144 | | |
145 | 2 | return 1; |
146 | 2 | } |
147 | | |
148 | | static bssl::evp_decode_result_t rsa_priv_decode(const EVP_PKEY_ALG *alg, |
149 | | EvpPkey *out, CBS *params, |
150 | 1.01k | CBS *key) { |
151 | | // Per RFC 8017, A.1, the parameters have type NULL. |
152 | 1.01k | CBS null; |
153 | 1.01k | if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) || CBS_len(&null) != 0 || |
154 | 984 | CBS_len(params) != 0) { |
155 | 42 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
156 | 42 | return evp_decode_error; |
157 | 42 | } |
158 | | |
159 | 972 | UniquePtr<RSA> rsa(RSA_private_key_from_bytes(CBS_data(key), CBS_len(key))); |
160 | 972 | if (rsa == nullptr) { |
161 | 960 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
162 | 960 | return evp_decode_error; |
163 | 960 | } |
164 | | |
165 | 12 | EVP_PKEY_assign_RSA(out, rsa.release()); |
166 | 12 | return evp_decode_ok; |
167 | 972 | } |
168 | | |
169 | 0 | static bool rsa_priv_present(const EvpPkey *pk) { |
170 | 0 | const RSA *pk_rsa = reinterpret_cast<const RSA *>(pk->pkey); |
171 | 0 | return RSA_get0_n(pk_rsa) != nullptr && RSA_get0_d(pk_rsa) != nullptr; |
172 | 0 | } |
173 | | |
174 | | static bssl::evp_decode_result_t rsa_decode_pss_params( |
175 | 0 | rsa_pss_params_t expected, CBS *params) { |
176 | 0 | if (CBS_len(params) == 0) { |
177 | 0 | return evp_decode_unsupported; |
178 | 0 | } |
179 | 0 | rsa_pss_params_t pss_params; |
180 | 0 | if (!rsa_parse_pss_params(params, &pss_params, |
181 | 0 | /*allow_explicit_trailer=*/false) || |
182 | 0 | CBS_len(params) != 0) { |
183 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
184 | 0 | return evp_decode_error; |
185 | 0 | } |
186 | 0 | return pss_params == expected ? evp_decode_ok : evp_decode_unsupported; |
187 | 0 | } |
188 | | |
189 | 0 | static int rsa_pub_encode_pss(CBB *out, const EvpPkey *key) { |
190 | 0 | const RSAImpl *rsa = reinterpret_cast<const RSAImpl *>(key->pkey); |
191 | 0 | CBB spki, algorithm, key_bitstring; |
192 | 0 | if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) || |
193 | 0 | !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) || |
194 | 0 | !CBB_add_asn1_element(&algorithm, CBS_ASN1_OBJECT, rsa_pss_asn1_meth.oid, |
195 | 0 | rsa_pss_asn1_meth.oid_len) || |
196 | 0 | !rsa_marshal_pss_params(&algorithm, rsa->pss_params) || |
197 | 0 | !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) || |
198 | 0 | !CBB_add_u8(&key_bitstring, 0 /* padding */) || |
199 | 0 | !RSA_marshal_public_key(&key_bitstring, rsa) || // |
200 | 0 | !CBB_flush(out)) { |
201 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); |
202 | 0 | return 0; |
203 | 0 | } |
204 | | |
205 | 0 | return 1; |
206 | 0 | } |
207 | | |
208 | | static bssl::evp_decode_result_t rsa_pub_decode_pss(const EVP_PKEY_ALG *alg, |
209 | | EvpPkey *out, CBS *params, |
210 | 0 | CBS *key) { |
211 | 0 | const auto *alg_pss = static_cast<const EVP_PKEY_ALG_RSA_PSS *>(alg); |
212 | 0 | evp_decode_result_t ret = rsa_decode_pss_params(alg_pss->pss_params, params); |
213 | 0 | if (ret != evp_decode_ok) { |
214 | 0 | return ret; |
215 | 0 | } |
216 | | |
217 | 0 | UniquePtr<RSAImpl> rsa( |
218 | 0 | FromOpaque(RSA_public_key_from_bytes(CBS_data(key), CBS_len(key)))); |
219 | 0 | if (rsa == nullptr) { |
220 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
221 | 0 | return evp_decode_error; |
222 | 0 | } |
223 | | |
224 | 0 | rsa->pss_params = alg_pss->pss_params; |
225 | 0 | evp_pkey_set0(out, &rsa_pss_asn1_meth, rsa.release()); |
226 | 0 | return evp_decode_ok; |
227 | 0 | } |
228 | | |
229 | 0 | static int rsa_priv_encode_pss(CBB *out, const EvpPkey *key) { |
230 | 0 | const RSAImpl *rsa = reinterpret_cast<const RSAImpl *>(key->pkey); |
231 | 0 | CBB pkcs8, algorithm, private_key; |
232 | 0 | if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) || |
233 | 0 | !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) || |
234 | 0 | !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) || |
235 | 0 | !CBB_add_asn1_element(&algorithm, CBS_ASN1_OBJECT, rsa_pss_asn1_meth.oid, |
236 | 0 | rsa_pss_asn1_meth.oid_len) || |
237 | 0 | !rsa_marshal_pss_params(&algorithm, rsa->pss_params) || |
238 | 0 | !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) || |
239 | 0 | !RSA_marshal_private_key(&private_key, rsa) || // |
240 | 0 | !CBB_flush(out)) { |
241 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); |
242 | 0 | return 0; |
243 | 0 | } |
244 | | |
245 | 0 | return 1; |
246 | 0 | } |
247 | | |
248 | | static bssl::evp_decode_result_t rsa_priv_decode_pss(const EVP_PKEY_ALG *alg, |
249 | | EvpPkey *out, CBS *params, |
250 | 0 | CBS *key) { |
251 | 0 | const auto *alg_pss = static_cast<const EVP_PKEY_ALG_RSA_PSS *>(alg); |
252 | 0 | evp_decode_result_t ret = rsa_decode_pss_params(alg_pss->pss_params, params); |
253 | 0 | if (ret != evp_decode_ok) { |
254 | 0 | return ret; |
255 | 0 | } |
256 | | |
257 | 0 | UniquePtr<RSAImpl> rsa( |
258 | 0 | FromOpaque(RSA_private_key_from_bytes(CBS_data(key), CBS_len(key)))); |
259 | 0 | if (rsa == nullptr) { |
260 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
261 | 0 | return evp_decode_error; |
262 | 0 | } |
263 | | |
264 | 0 | rsa->pss_params = alg_pss->pss_params; |
265 | 0 | evp_pkey_set0(out, &rsa_pss_asn1_meth, rsa.release()); |
266 | 0 | return evp_decode_ok; |
267 | 0 | } |
268 | | |
269 | 10.0k | static int rsa_opaque(const EvpPkey *pkey) { |
270 | 10.0k | const RSA *rsa = reinterpret_cast<const RSA *>(pkey->pkey); |
271 | 10.0k | return RSA_is_opaque(rsa); |
272 | 10.0k | } |
273 | | |
274 | 115k | static int int_rsa_size(const EvpPkey *pkey) { |
275 | 115k | const RSA *rsa = reinterpret_cast<const RSA *>(pkey->pkey); |
276 | 115k | return RSA_size(rsa); |
277 | 115k | } |
278 | | |
279 | 0 | static int rsa_bits(const EvpPkey *pkey) { |
280 | 0 | const RSA *rsa = reinterpret_cast<const RSA *>(pkey->pkey); |
281 | 0 | return RSA_bits(rsa); |
282 | 0 | } |
283 | | |
284 | 96.2k | static void int_rsa_free(EvpPkey *pkey) { |
285 | 96.2k | RSA_free(reinterpret_cast<RSA *>(pkey->pkey)); |
286 | 96.2k | pkey->pkey = nullptr; |
287 | 96.2k | } |
288 | | |
289 | 0 | static int rsa_pss_params_missing(const EvpPkey *pkey) { |
290 | 0 | const RSA *rsa = reinterpret_cast<const RSA *>(pkey->pkey); |
291 | 0 | return rsa == nullptr || FromOpaque(rsa)->pss_params == rsa_pss_none; |
292 | 0 | } |
293 | | |
294 | 0 | static int rsa_pss_params_copy(EvpPkey *to, const EvpPkey *from) { |
295 | 0 | const RSA *from_key = reinterpret_cast<const RSA *>(from->pkey); |
296 | 0 | if (from_key == nullptr) { |
297 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET); |
298 | 0 | return 0; |
299 | 0 | } |
300 | 0 | rsa_pss_params_t pss_params = FromOpaque(from_key)->pss_params; |
301 | 0 | if (pss_params == rsa_pss_none) { |
302 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PARAMETERS); |
303 | 0 | return 0; |
304 | 0 | } |
305 | 0 | if (to->pkey == nullptr) { |
306 | 0 | to->pkey = RSA_new(); |
307 | 0 | if (to->pkey == nullptr) { |
308 | 0 | return 0; |
309 | 0 | } |
310 | 0 | } |
311 | 0 | FromOpaque(reinterpret_cast<RSA *>(to->pkey))->pss_params = pss_params; |
312 | 0 | return 1; |
313 | 0 | } |
314 | | |
315 | 0 | static bool rsa_pss_params_equal(const EvpPkey *a, const EvpPkey *b) { |
316 | 0 | const RSA *a_rsa = reinterpret_cast<const RSA *>(a->pkey); |
317 | 0 | const RSA *b_rsa = reinterpret_cast<const RSA *>(b->pkey); |
318 | 0 | if (a_rsa == nullptr || b_rsa == nullptr) { |
319 | 0 | return false; |
320 | 0 | } |
321 | 0 | rsa_pss_params_t a_pss_params = FromOpaque(a_rsa)->pss_params; |
322 | 0 | rsa_pss_params_t b_pss_params = FromOpaque(b_rsa)->pss_params; |
323 | 0 | if (a_pss_params == rsa_pss_none || b_pss_params == rsa_pss_none) { |
324 | 0 | return false; |
325 | 0 | } |
326 | 0 | return a_pss_params == b_pss_params; |
327 | 0 | } |
328 | | |
329 | | const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = { |
330 | | EVP_PKEY_RSA, |
331 | | // 1.2.840.113549.1.1.1 |
332 | | {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01}, |
333 | | 9, |
334 | | |
335 | | &rsa_pkey_meth, |
336 | | |
337 | | rsa_pub_decode, |
338 | | rsa_pub_encode, |
339 | | rsa_pub_equal, |
340 | | rsa_pub_present, |
341 | | rsa_pub_copy, |
342 | | |
343 | | rsa_priv_decode, |
344 | | rsa_priv_encode, |
345 | | rsa_priv_present, |
346 | | |
347 | | /*set_priv_raw=*/nullptr, |
348 | | /*set_priv_seed=*/nullptr, |
349 | | /*set_pub_raw=*/nullptr, |
350 | | /*get_priv_raw=*/nullptr, |
351 | | /*get_priv_seed=*/nullptr, |
352 | | /*get_pub_raw=*/nullptr, |
353 | | /*set1_tls_encodedpoint=*/nullptr, |
354 | | /*get1_tls_encodedpoint=*/nullptr, |
355 | | |
356 | | rsa_opaque, |
357 | | |
358 | | int_rsa_size, |
359 | | rsa_bits, |
360 | | |
361 | | /*param_missing=*/nullptr, |
362 | | /*param_copy=*/nullptr, |
363 | | /*param_equal=*/nullptr, |
364 | | |
365 | | int_rsa_free, |
366 | | }; |
367 | | |
368 | | const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { |
369 | | EVP_PKEY_RSA_PSS, |
370 | | // 1.2.840.113549.1.1.10 |
371 | | {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0a}, |
372 | | 9, |
373 | | |
374 | | &rsa_pss_pkey_meth, |
375 | | |
376 | | rsa_pub_decode_pss, |
377 | | rsa_pub_encode_pss, |
378 | | rsa_pub_equal, |
379 | | rsa_pub_present, |
380 | | rsa_pub_copy, |
381 | | |
382 | | rsa_priv_decode_pss, |
383 | | rsa_priv_encode_pss, |
384 | | rsa_priv_present, |
385 | | |
386 | | /*set_priv_raw=*/nullptr, |
387 | | /*set_priv_seed=*/nullptr, |
388 | | /*set_pub_raw=*/nullptr, |
389 | | /*get_priv_raw=*/nullptr, |
390 | | /*get_priv_seed=*/nullptr, |
391 | | /*get_pub_raw=*/nullptr, |
392 | | /*set1_tls_encodedpoint=*/nullptr, |
393 | | /*get1_tls_encodedpoint=*/nullptr, |
394 | | |
395 | | rsa_opaque, |
396 | | |
397 | | int_rsa_size, |
398 | | rsa_bits, |
399 | | |
400 | | rsa_pss_params_missing, |
401 | | rsa_pss_params_copy, |
402 | | rsa_pss_params_equal, |
403 | | |
404 | | int_rsa_free, |
405 | | }; |
406 | | |
407 | | |
408 | | struct RSA_PKEY_CTX { |
409 | | // Key gen parameters |
410 | | int nbits = 2048; |
411 | | UniquePtr<BIGNUM> pub_exp; |
412 | | // RSA padding mode |
413 | | int pad_mode = RSA_PKCS1_PADDING; |
414 | | // message digest |
415 | | const EVP_MD *md = nullptr; |
416 | | // message digest for MGF1 |
417 | | const EVP_MD *mgf1md = nullptr; |
418 | | // PSS salt length |
419 | | int saltlen = RSA_PSS_SALTLEN_DIGEST; |
420 | | // restrict_pss_params, if true, indicates that the PSS signing/verifying |
421 | | // parameters are restricted by the key's parameters. |md| and |mgf1md| may |
422 | | // not change, and |saltlen| must be at least |md|'s hash length. |
423 | | bool restrict_pss_params = false; |
424 | | Array<uint8_t> oaep_label; |
425 | | }; |
426 | | |
427 | 101k | static bool is_pss_only(const EvpPkeyCtx *ctx) { |
428 | 101k | return ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS; |
429 | 101k | } |
430 | | |
431 | 84.3k | static int pkey_rsa_init(EvpPkeyCtx *ctx, const EVP_PKEY_ALG *alg) { |
432 | 84.3k | RSA_PKEY_CTX *rctx = New<RSA_PKEY_CTX>(); |
433 | 84.3k | if (!rctx) { |
434 | 0 | return 0; |
435 | 0 | } |
436 | | |
437 | 84.3k | if (is_pss_only(ctx)) { |
438 | 0 | rctx->pad_mode = RSA_PKCS1_PSS_PADDING; |
439 | | // Pick up PSS parameters from the key or algorithm. We don't currently |
440 | | // support keygen from PSS, so the algorithm does not currently do anything. |
441 | 0 | rsa_pss_params_t pss_params = rsa_pss_none; |
442 | 0 | const auto *alg_pss = static_cast<const EVP_PKEY_ALG_RSA_PSS *>(alg); |
443 | 0 | if (alg_pss != nullptr) { |
444 | 0 | pss_params = alg_pss->pss_params; |
445 | 0 | } else if (ctx->pkey != nullptr && ctx->pkey->pkey != nullptr) { |
446 | 0 | pss_params = static_cast<const RSAImpl *>(ctx->pkey->pkey)->pss_params; |
447 | 0 | } |
448 | 0 | const EVP_MD *md = rsa_pss_params_get_md(pss_params); |
449 | 0 | if (md != nullptr) { |
450 | 0 | rctx->md = rctx->mgf1md = md; |
451 | | // All our supported modes use the digest length as the salt length. |
452 | 0 | rctx->saltlen = EVP_MD_size(rctx->md); |
453 | 0 | rctx->restrict_pss_params = true; |
454 | 0 | } |
455 | 0 | } |
456 | | |
457 | 84.3k | ctx->data = rctx; |
458 | 84.3k | return 1; |
459 | 84.3k | } |
460 | | |
461 | 42.1k | static int pkey_rsa_copy(EvpPkeyCtx *dst, EvpPkeyCtx *src) { |
462 | 42.1k | RSA_PKEY_CTX *dctx, *sctx; |
463 | 42.1k | if (!pkey_rsa_init(dst, nullptr)) { |
464 | 0 | return 0; |
465 | 0 | } |
466 | 42.1k | sctx = reinterpret_cast<RSA_PKEY_CTX *>(src->data); |
467 | 42.1k | dctx = reinterpret_cast<RSA_PKEY_CTX *>(dst->data); |
468 | 42.1k | dctx->nbits = sctx->nbits; |
469 | 42.1k | if (sctx->pub_exp) { |
470 | 0 | dctx->pub_exp.reset(BN_dup(sctx->pub_exp.get())); |
471 | 0 | if (!dctx->pub_exp) { |
472 | 0 | return 0; |
473 | 0 | } |
474 | 0 | } |
475 | | |
476 | 42.1k | dctx->pad_mode = sctx->pad_mode; |
477 | 42.1k | dctx->md = sctx->md; |
478 | 42.1k | dctx->mgf1md = sctx->mgf1md; |
479 | 42.1k | dctx->saltlen = sctx->saltlen; |
480 | 42.1k | dctx->restrict_pss_params = sctx->restrict_pss_params; |
481 | 42.1k | if (!dctx->oaep_label.CopyFrom(sctx->oaep_label)) { |
482 | 0 | return 0; |
483 | 0 | } |
484 | | |
485 | 42.1k | return 1; |
486 | 42.1k | } |
487 | | |
488 | 84.3k | static void pkey_rsa_cleanup(EvpPkeyCtx *ctx) { |
489 | 84.3k | Delete(reinterpret_cast<RSA_PKEY_CTX *>(ctx->data)); |
490 | 84.3k | } |
491 | | |
492 | | static int pkey_rsa_sign(EvpPkeyCtx *ctx, uint8_t *sig, size_t *siglen, |
493 | 20.9k | const uint8_t *tbs, size_t tbslen) { |
494 | 20.9k | RSA_PKEY_CTX *rctx = reinterpret_cast<RSA_PKEY_CTX *>(ctx->data); |
495 | 20.9k | RSA *rsa = reinterpret_cast<RSA *>(ctx->pkey->pkey); |
496 | 20.9k | const size_t key_len = EVP_PKEY_size(ctx->pkey.get()); |
497 | | |
498 | 20.9k | if (!sig) { |
499 | 0 | *siglen = key_len; |
500 | 0 | return 1; |
501 | 0 | } |
502 | | |
503 | 20.9k | if (*siglen < key_len) { |
504 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); |
505 | 0 | return 0; |
506 | 0 | } |
507 | | |
508 | 20.9k | if (rctx->md) { |
509 | 20.9k | unsigned out_len; |
510 | 20.9k | switch (rctx->pad_mode) { |
511 | 6.02k | case RSA_PKCS1_PADDING: |
512 | 6.02k | if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) { |
513 | 0 | return 0; |
514 | 0 | } |
515 | 6.02k | *siglen = out_len; |
516 | 6.02k | return 1; |
517 | | |
518 | 14.8k | case RSA_PKCS1_PSS_PADDING: |
519 | 14.8k | return RSA_sign_pss_mgf1(rsa, siglen, sig, *siglen, tbs, tbslen, |
520 | 14.8k | rctx->md, rctx->mgf1md, rctx->saltlen); |
521 | | |
522 | 0 | default: |
523 | 0 | return 0; |
524 | 20.9k | } |
525 | 20.9k | } |
526 | | |
527 | 0 | return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode); |
528 | 20.9k | } |
529 | | |
530 | | static int pkey_rsa_verify(EvpPkeyCtx *ctx, const uint8_t *sig, size_t siglen, |
531 | 21.2k | const uint8_t *tbs, size_t tbslen) { |
532 | 21.2k | RSA_PKEY_CTX *rctx = reinterpret_cast<RSA_PKEY_CTX *>(ctx->data); |
533 | 21.2k | RSA *rsa = reinterpret_cast<RSA *>(ctx->pkey->pkey); |
534 | | |
535 | 21.2k | if (rctx->md) { |
536 | 21.2k | switch (rctx->pad_mode) { |
537 | 19.1k | case RSA_PKCS1_PADDING: |
538 | 19.1k | return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); |
539 | | |
540 | 2.07k | case RSA_PKCS1_PSS_PADDING: |
541 | 2.07k | return RSA_verify_pss_mgf1(rsa, tbs, tbslen, rctx->md, rctx->mgf1md, |
542 | 2.07k | rctx->saltlen, sig, siglen); |
543 | | |
544 | 0 | default: |
545 | 0 | return 0; |
546 | 21.2k | } |
547 | 21.2k | } |
548 | | |
549 | 0 | size_t rslen; |
550 | 0 | const size_t key_len = EVP_PKEY_size(ctx->pkey.get()); |
551 | 0 | Array<uint8_t> tbuf; |
552 | 0 | if (!tbuf.InitForOverwrite(key_len) || |
553 | 0 | !RSA_verify_raw(rsa, &rslen, tbuf.data(), tbuf.size(), sig, siglen, |
554 | 0 | rctx->pad_mode)) { |
555 | 0 | return 0; |
556 | 0 | } |
557 | 0 | if (rslen != tbslen || CRYPTO_memcmp(tbs, tbuf.data(), rslen) != 0) { |
558 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE); |
559 | 0 | return 0; |
560 | 0 | } |
561 | | |
562 | 0 | return 1; |
563 | 0 | } |
564 | | |
565 | | static int pkey_rsa_verify_recover(EvpPkeyCtx *ctx, uint8_t *out, |
566 | | size_t *out_len, const uint8_t *sig, |
567 | 0 | size_t sig_len) { |
568 | 0 | RSA_PKEY_CTX *rctx = reinterpret_cast<RSA_PKEY_CTX *>(ctx->data); |
569 | 0 | RSA *rsa = reinterpret_cast<RSA *>(ctx->pkey->pkey); |
570 | 0 | const size_t key_len = EVP_PKEY_size(ctx->pkey.get()); |
571 | |
|
572 | 0 | if (out == nullptr) { |
573 | 0 | *out_len = key_len; |
574 | 0 | return 1; |
575 | 0 | } |
576 | | |
577 | 0 | if (*out_len < key_len) { |
578 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); |
579 | 0 | return 0; |
580 | 0 | } |
581 | | |
582 | 0 | if (rctx->md == nullptr) { |
583 | 0 | return RSA_verify_raw(rsa, out_len, out, *out_len, sig, sig_len, |
584 | 0 | rctx->pad_mode); |
585 | 0 | } |
586 | | |
587 | 0 | if (rctx->pad_mode != RSA_PKCS1_PADDING) { |
588 | 0 | return 0; |
589 | 0 | } |
590 | | |
591 | | // Assemble the encoded hash, using a placeholder hash value. |
592 | 0 | static const uint8_t kDummyHash[EVP_MAX_MD_SIZE] = {0}; |
593 | 0 | const size_t hash_len = EVP_MD_size(rctx->md); |
594 | 0 | uint8_t *asn1_prefix; |
595 | 0 | size_t asn1_prefix_len; |
596 | 0 | int asn1_prefix_allocated; |
597 | 0 | if (!RSA_add_pkcs1_prefix(&asn1_prefix, &asn1_prefix_len, |
598 | 0 | &asn1_prefix_allocated, EVP_MD_type(rctx->md), |
599 | 0 | kDummyHash, hash_len)) { |
600 | 0 | return 0; |
601 | 0 | } |
602 | 0 | UniquePtr<uint8_t> free_asn1_prefix(asn1_prefix_allocated ? asn1_prefix |
603 | 0 | : nullptr); |
604 | |
|
605 | 0 | Array<uint8_t> tbuf; |
606 | 0 | size_t rslen; |
607 | 0 | if (!tbuf.InitForOverwrite(key_len) || |
608 | 0 | !RSA_verify_raw(rsa, &rslen, tbuf.data(), tbuf.size(), sig, sig_len, |
609 | 0 | RSA_PKCS1_PADDING) || |
610 | 0 | rslen != asn1_prefix_len || |
611 | | // Compare all but the hash suffix. |
612 | 0 | CRYPTO_memcmp(tbuf.data(), asn1_prefix, asn1_prefix_len - hash_len) != |
613 | 0 | 0) { |
614 | 0 | return 0; |
615 | 0 | } |
616 | | |
617 | 0 | if (out != nullptr) { |
618 | 0 | OPENSSL_memcpy(out, tbuf.data() + rslen - hash_len, hash_len); |
619 | 0 | } |
620 | 0 | *out_len = hash_len; |
621 | |
|
622 | 0 | return 1; |
623 | 0 | } |
624 | | |
625 | | static int pkey_rsa_encrypt(EvpPkeyCtx *ctx, uint8_t *out, size_t *outlen, |
626 | 0 | const uint8_t *in, size_t inlen) { |
627 | 0 | RSA_PKEY_CTX *rctx = reinterpret_cast<RSA_PKEY_CTX *>(ctx->data); |
628 | 0 | RSA *rsa = reinterpret_cast<RSA *>(ctx->pkey->pkey); |
629 | 0 | const size_t key_len = EVP_PKEY_size(ctx->pkey.get()); |
630 | |
|
631 | 0 | if (!out) { |
632 | 0 | *outlen = key_len; |
633 | 0 | return 1; |
634 | 0 | } |
635 | | |
636 | 0 | if (*outlen < key_len) { |
637 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); |
638 | 0 | return 0; |
639 | 0 | } |
640 | | |
641 | 0 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
642 | 0 | Array<uint8_t> tbuf; |
643 | 0 | if (!tbuf.InitForOverwrite(key_len) || |
644 | 0 | !RSA_padding_add_PKCS1_OAEP_mgf1( |
645 | 0 | tbuf.data(), tbuf.size(), in, inlen, rctx->oaep_label.data(), |
646 | 0 | rctx->oaep_label.size(), rctx->md, rctx->mgf1md) || |
647 | 0 | !RSA_encrypt(rsa, outlen, out, *outlen, tbuf.data(), tbuf.size(), |
648 | 0 | RSA_NO_PADDING)) { |
649 | 0 | return 0; |
650 | 0 | } |
651 | 0 | return 1; |
652 | 0 | } |
653 | | |
654 | 0 | return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode); |
655 | 0 | } |
656 | | |
657 | | static int pkey_rsa_decrypt(EvpPkeyCtx *ctx, uint8_t *out, size_t *outlen, |
658 | 0 | const uint8_t *in, size_t inlen) { |
659 | 0 | RSA_PKEY_CTX *rctx = reinterpret_cast<RSA_PKEY_CTX *>(ctx->data); |
660 | 0 | RSA *rsa = reinterpret_cast<RSA *>(ctx->pkey->pkey); |
661 | 0 | const size_t key_len = EVP_PKEY_size(ctx->pkey.get()); |
662 | |
|
663 | 0 | if (!out) { |
664 | 0 | *outlen = key_len; |
665 | 0 | return 1; |
666 | 0 | } |
667 | | |
668 | 0 | if (*outlen < key_len) { |
669 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); |
670 | 0 | return 0; |
671 | 0 | } |
672 | | |
673 | 0 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
674 | 0 | Array<uint8_t> tbuf; |
675 | 0 | size_t padded_len; |
676 | 0 | if (!tbuf.InitForOverwrite(key_len) || |
677 | 0 | !RSA_decrypt(rsa, &padded_len, tbuf.data(), tbuf.size(), in, inlen, |
678 | 0 | RSA_NO_PADDING) || |
679 | 0 | !RSA_padding_check_PKCS1_OAEP_mgf1(out, outlen, key_len, tbuf.data(), |
680 | 0 | padded_len, rctx->oaep_label.data(), |
681 | 0 | rctx->oaep_label.size(), rctx->md, |
682 | 0 | rctx->mgf1md)) { |
683 | 0 | return 0; |
684 | 0 | } |
685 | 0 | return 1; |
686 | 0 | } |
687 | | |
688 | 0 | return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode); |
689 | 0 | } |
690 | | |
691 | 59.1k | static int check_padding_md(const EVP_MD *md, int padding) { |
692 | 59.1k | if (!md) { |
693 | 0 | return 1; |
694 | 0 | } |
695 | | |
696 | 59.1k | if (padding == RSA_NO_PADDING) { |
697 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); |
698 | 0 | return 0; |
699 | 0 | } |
700 | | |
701 | 59.1k | return 1; |
702 | 59.1k | } |
703 | | |
704 | 16.9k | static int is_known_padding(int padding_mode) { |
705 | 16.9k | switch (padding_mode) { |
706 | 0 | case RSA_PKCS1_PADDING: |
707 | 0 | case RSA_NO_PADDING: |
708 | 0 | case RSA_PKCS1_OAEP_PADDING: |
709 | 16.9k | case RSA_PKCS1_PSS_PADDING: |
710 | 16.9k | return 1; |
711 | 0 | default: |
712 | 0 | return 0; |
713 | 16.9k | } |
714 | 16.9k | } |
715 | | |
716 | 76.1k | static int pkey_rsa_ctrl(EvpPkeyCtx *ctx, int type, int p1, void *p2) { |
717 | 76.1k | RSA_PKEY_CTX *rctx = reinterpret_cast<RSA_PKEY_CTX *>(ctx->data); |
718 | 76.1k | switch (type) { |
719 | 16.9k | case EVP_PKEY_CTRL_RSA_PADDING: |
720 | | // PSS keys cannot be switched to other padding types. |
721 | 16.9k | if (is_pss_only(ctx) && p1 != RSA_PKCS1_PSS_PADDING) { |
722 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
723 | 0 | return 0; |
724 | 0 | } |
725 | 16.9k | if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) || |
726 | 16.9k | (p1 == RSA_PKCS1_PSS_PADDING && |
727 | 16.9k | 0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) || |
728 | 16.9k | (p1 == RSA_PKCS1_OAEP_PADDING && |
729 | 0 | 0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) { |
730 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
731 | 0 | return 0; |
732 | 0 | } |
733 | 16.9k | if (p1 == RSA_PKCS1_OAEP_PADDING && rctx->md == nullptr) { |
734 | 0 | rctx->md = EVP_sha1(); |
735 | 0 | } |
736 | 16.9k | rctx->pad_mode = p1; |
737 | 16.9k | return 1; |
738 | | |
739 | 0 | case EVP_PKEY_CTRL_GET_RSA_PADDING: |
740 | 0 | *(int *)p2 = rctx->pad_mode; |
741 | 0 | return 1; |
742 | | |
743 | 16.9k | case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: |
744 | 16.9k | case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: |
745 | 16.9k | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { |
746 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN); |
747 | 0 | return 0; |
748 | 0 | } |
749 | 16.9k | if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { |
750 | 0 | *(int *)p2 = rctx->saltlen; |
751 | 16.9k | } else { |
752 | | // Negative salt lengths are special values. |
753 | 16.9k | if (p1 < 0) { |
754 | 16.9k | if (p1 != RSA_PSS_SALTLEN_DIGEST && p1 != RSA_PSS_SALTLEN_AUTO) { |
755 | 0 | return 0; |
756 | 0 | } |
757 | | // All our PSS restrictions accept saltlen == hashlen, so allow |
758 | | // |RSA_PSS_SALTLEN_DIGEST|. Reject |RSA_PSS_SALTLEN_AUTO| for |
759 | | // simplicity. |
760 | 16.9k | if (rctx->restrict_pss_params && p1 != RSA_PSS_SALTLEN_DIGEST) { |
761 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN); |
762 | 0 | return 0; |
763 | 0 | } |
764 | 16.9k | } else if (rctx->restrict_pss_params && |
765 | 0 | static_cast<size_t>(p1) < EVP_MD_size(rctx->md)) { |
766 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN); |
767 | 0 | return 0; |
768 | 0 | } |
769 | 16.9k | rctx->saltlen = p1; |
770 | 16.9k | } |
771 | 16.9k | return 1; |
772 | | |
773 | 0 | case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: |
774 | 0 | if (p1 < 256) { |
775 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS); |
776 | 0 | return 0; |
777 | 0 | } |
778 | 0 | rctx->nbits = p1; |
779 | 0 | return 1; |
780 | | |
781 | 0 | case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: |
782 | 0 | if (!p2) { |
783 | 0 | return 0; |
784 | 0 | } |
785 | 0 | rctx->pub_exp.reset(reinterpret_cast<BIGNUM *>(p2)); |
786 | 0 | return 1; |
787 | | |
788 | 0 | case EVP_PKEY_CTRL_RSA_OAEP_MD: |
789 | 0 | case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: |
790 | 0 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { |
791 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); |
792 | 0 | return 0; |
793 | 0 | } |
794 | 0 | if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) { |
795 | 0 | *(const EVP_MD **)p2 = rctx->md; |
796 | 0 | } else { |
797 | 0 | rctx->md = reinterpret_cast<EVP_MD *>(p2); |
798 | 0 | } |
799 | 0 | return 1; |
800 | | |
801 | 42.1k | case EVP_PKEY_CTRL_MD: { |
802 | 42.1k | const EVP_MD *md = reinterpret_cast<EVP_MD *>(p2); |
803 | 42.1k | if (!check_padding_md(md, rctx->pad_mode)) { |
804 | 0 | return 0; |
805 | 0 | } |
806 | 42.1k | if (rctx->restrict_pss_params && |
807 | 0 | EVP_MD_type(rctx->md) != EVP_MD_type(md)) { |
808 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE); |
809 | 0 | return 0; |
810 | 0 | } |
811 | 42.1k | rctx->md = md; |
812 | 42.1k | return 1; |
813 | 42.1k | } |
814 | | |
815 | 0 | case EVP_PKEY_CTRL_GET_MD: |
816 | 0 | *(const EVP_MD **)p2 = rctx->md; |
817 | 0 | return 1; |
818 | | |
819 | 0 | case EVP_PKEY_CTRL_RSA_MGF1_MD: |
820 | 0 | case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: |
821 | 0 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING && |
822 | 0 | rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { |
823 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD); |
824 | 0 | return 0; |
825 | 0 | } |
826 | 0 | if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { |
827 | 0 | if (rctx->mgf1md) { |
828 | 0 | *(const EVP_MD **)p2 = rctx->mgf1md; |
829 | 0 | } else { |
830 | 0 | *(const EVP_MD **)p2 = rctx->md; |
831 | 0 | } |
832 | 0 | } else { |
833 | 0 | const EVP_MD *md = reinterpret_cast<EVP_MD *>(p2); |
834 | 0 | if (rctx->restrict_pss_params && |
835 | 0 | EVP_MD_type(rctx->mgf1md) != EVP_MD_type(md)) { |
836 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD); |
837 | 0 | return 0; |
838 | 0 | } |
839 | 0 | rctx->mgf1md = md; |
840 | 0 | } |
841 | 0 | return 1; |
842 | | |
843 | 0 | case EVP_PKEY_CTRL_RSA_OAEP_LABEL: { |
844 | 0 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { |
845 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); |
846 | 0 | return 0; |
847 | 0 | } |
848 | | // |EVP_PKEY_CTRL_RSA_OAEP_LABEL| takes ownership of |label|'s underlying |
849 | | // buffer (via |Reset|), but only on success. |
850 | 0 | auto *label = reinterpret_cast<Span<uint8_t> *>(p2); |
851 | 0 | rctx->oaep_label.Reset(label->data(), label->size()); |
852 | 0 | return 1; |
853 | 0 | } |
854 | | |
855 | 0 | case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: |
856 | 0 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { |
857 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); |
858 | 0 | return 0; |
859 | 0 | } |
860 | 0 | *reinterpret_cast<CBS *>(p2) = CBS(rctx->oaep_label); |
861 | 0 | return 1; |
862 | | |
863 | 0 | default: |
864 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED); |
865 | 0 | return 0; |
866 | 76.1k | } |
867 | 76.1k | } |
868 | | |
869 | 0 | static int pkey_rsa_keygen(EvpPkeyCtx *ctx, EvpPkey *pkey) { |
870 | 0 | RSA_PKEY_CTX *rctx = reinterpret_cast<RSA_PKEY_CTX *>(ctx->data); |
871 | 0 | if (!rctx->pub_exp) { |
872 | 0 | rctx->pub_exp.reset(BN_new()); |
873 | 0 | if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp.get(), RSA_F4)) { |
874 | 0 | return 0; |
875 | 0 | } |
876 | 0 | } |
877 | 0 | UniquePtr<RSA> rsa(RSA_new()); |
878 | 0 | if (!rsa) { |
879 | 0 | return 0; |
880 | 0 | } |
881 | | |
882 | 0 | if (!RSA_generate_key_ex(rsa.get(), rctx->nbits, rctx->pub_exp.get(), |
883 | 0 | nullptr)) { |
884 | 0 | return 0; |
885 | 0 | } |
886 | | |
887 | 0 | EVP_PKEY_assign_RSA(pkey, rsa.release()); |
888 | 0 | return 1; |
889 | 0 | } |
890 | | |
891 | | const EVP_PKEY_CTX_METHOD rsa_pkey_meth = { |
892 | | EVP_PKEY_RSA, |
893 | | pkey_rsa_init, |
894 | | pkey_rsa_copy, |
895 | | pkey_rsa_cleanup, |
896 | | pkey_rsa_keygen, |
897 | | pkey_rsa_sign, |
898 | | /*sign_message=*/nullptr, |
899 | | pkey_rsa_verify, |
900 | | /*verify_message=*/nullptr, |
901 | | pkey_rsa_verify_recover, |
902 | | pkey_rsa_encrypt, |
903 | | pkey_rsa_decrypt, |
904 | | /*derive=*/nullptr, |
905 | | /*paramgen=*/nullptr, |
906 | | /*encap=*/nullptr, |
907 | | /*decap=*/nullptr, |
908 | | pkey_rsa_ctrl, |
909 | | }; |
910 | | |
911 | | const EVP_PKEY_CTX_METHOD rsa_pss_pkey_meth = { |
912 | | EVP_PKEY_RSA_PSS, |
913 | | pkey_rsa_init, |
914 | | pkey_rsa_copy, |
915 | | pkey_rsa_cleanup, |
916 | | // In OpenSSL, |EVP_PKEY_RSA_PSS| supports key generation and fills in PSS |
917 | | // parameters based on a separate set of keygen-targetted setters: |
918 | | // |EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen|, |
919 | | // |EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md|, and |
920 | | // |EVP_PKEY_CTX_rsa_pss_key_digest|. We do not currently implement this |
921 | | // because we only support one parameter set. |
922 | | /*keygen=*/nullptr, |
923 | | pkey_rsa_sign, |
924 | | /*sign_message=*/nullptr, |
925 | | pkey_rsa_verify, |
926 | | /*verify_message=*/nullptr, |
927 | | /*verify_recover=*/nullptr, |
928 | | /*encrypt=*/nullptr, |
929 | | /*decrypt=*/nullptr, |
930 | | /*derive=*/nullptr, |
931 | | /*paramgen=*/nullptr, |
932 | | /*encap=*/nullptr, |
933 | | /*decap=*/nullptr, |
934 | | pkey_rsa_ctrl, |
935 | | }; |
936 | | |
937 | | } // namespace |
938 | | |
939 | 253k | const EVP_PKEY_ALG *EVP_pkey_rsa() { |
940 | 253k | static const EVP_PKEY_ALG kAlg = {&rsa_asn1_meth, &rsa_pkey_meth}; |
941 | 253k | return &kAlg; |
942 | 253k | } |
943 | | |
944 | 0 | const EVP_PKEY_ALG *EVP_pkey_rsa_pss_sha256() { |
945 | 0 | static const EVP_PKEY_ALG_RSA_PSS kAlg = { |
946 | 0 | {&rsa_pss_asn1_meth, &rsa_pss_pkey_meth}, rsa_pss_sha256}; |
947 | 0 | return &kAlg; |
948 | 0 | } |
949 | | |
950 | 0 | const EVP_PKEY_ALG *EVP_pkey_rsa_pss_sha384() { |
951 | 0 | static const EVP_PKEY_ALG_RSA_PSS kAlg = { |
952 | 0 | {&rsa_pss_asn1_meth, &rsa_pss_pkey_meth}, rsa_pss_sha384}; |
953 | 0 | return &kAlg; |
954 | 0 | } |
955 | | |
956 | 0 | const EVP_PKEY_ALG *EVP_pkey_rsa_pss_sha512() { |
957 | 0 | static const EVP_PKEY_ALG_RSA_PSS kAlg = { |
958 | 0 | {&rsa_pss_asn1_meth, &rsa_pss_pkey_meth}, rsa_pss_sha512}; |
959 | 0 | return &kAlg; |
960 | 0 | } |
961 | | |
962 | 0 | EVP_PKEY *EVP_RSA_gen(unsigned bits) { |
963 | | // TODO(crbug.com/487376811): After EVP_PKEY_CTX is switched to C++ |
964 | | // subclassing, it should be possible to stack-allocate enough the |
965 | | // RSA-specific subclass. |
966 | 0 | UniquePtr<EvpPkeyCtx> ctx = evp_pkey_ctx_new_alg(EVP_pkey_rsa()); |
967 | 0 | EVP_PKEY *pkey = nullptr; |
968 | 0 | if (ctx == nullptr || // |
969 | 0 | !EVP_PKEY_keygen_init(ctx.get()) || |
970 | 0 | !EVP_PKEY_CTX_set_rsa_keygen_bits(ctx.get(), bits) || |
971 | 0 | !EVP_PKEY_keygen(ctx.get(), &pkey)) { |
972 | 0 | return nullptr; |
973 | 0 | } |
974 | 0 | return pkey; |
975 | 0 | } |
976 | | |
977 | 12 | int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) { |
978 | 12 | if (EVP_PKEY_assign_RSA(pkey, key)) { |
979 | 12 | RSA_up_ref(key); |
980 | 12 | return 1; |
981 | 12 | } |
982 | 0 | return 0; |
983 | 12 | } |
984 | | |
985 | 96.2k | int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key) { |
986 | 96.2k | if (key == nullptr) { |
987 | 0 | return 0; |
988 | 0 | } |
989 | 96.2k | evp_pkey_set0(FromOpaque(pkey), &rsa_asn1_meth, key); |
990 | 96.2k | return 1; |
991 | 96.2k | } |
992 | | |
993 | 3.49k | RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) { |
994 | 3.49k | int pkey_id = EVP_PKEY_id(pkey); |
995 | 3.49k | if (pkey_id != EVP_PKEY_RSA && pkey_id != EVP_PKEY_RSA_PSS) { |
996 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_RSA_KEY); |
997 | 0 | return nullptr; |
998 | 0 | } |
999 | 3.49k | return reinterpret_cast<RSA *>(FromOpaque(pkey)->pkey); |
1000 | 3.49k | } |
1001 | | |
1002 | 0 | RSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey) { |
1003 | 0 | RSA *rsa = EVP_PKEY_get0_RSA(pkey); |
1004 | 0 | if (rsa != nullptr) { |
1005 | 0 | RSA_up_ref(rsa); |
1006 | 0 | } |
1007 | 0 | return rsa; |
1008 | 0 | } |
1009 | | |
1010 | | static int rsa_or_rsa_pss_ctrl(EvpPkeyCtx *ctx, int optype, int cmd, int p1, |
1011 | 33.9k | void *p2) { |
1012 | 33.9k | if (!ctx || !ctx->pmeth || !ctx->pmeth->ctrl) { |
1013 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED); |
1014 | 0 | return 0; |
1015 | 0 | } |
1016 | 33.9k | if (ctx->pmeth->pkey_id != EVP_PKEY_RSA && |
1017 | 0 | ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) { |
1018 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
1019 | 0 | return 0; |
1020 | 0 | } |
1021 | 33.9k | return EVP_PKEY_CTX_ctrl(ctx, /*keytype=*/-1, optype, cmd, p1, p2); |
1022 | 33.9k | } |
1023 | | |
1024 | 16.9k | int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) { |
1025 | 16.9k | return rsa_or_rsa_pss_ctrl(FromOpaque(ctx), -1, EVP_PKEY_CTRL_RSA_PADDING, |
1026 | 16.9k | padding, nullptr); |
1027 | 16.9k | } |
1028 | | |
1029 | 0 | int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) { |
1030 | 0 | return rsa_or_rsa_pss_ctrl(FromOpaque(ctx), -1, EVP_PKEY_CTRL_GET_RSA_PADDING, |
1031 | 0 | 0, out_padding); |
1032 | 0 | } |
1033 | | |
1034 | 0 | int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { |
1035 | | // We currently do not support keygen with |EVP_PKEY_RSA_PSS|. |
1036 | 0 | return 0; |
1037 | 0 | } |
1038 | | |
1039 | 0 | int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int salt_len) { |
1040 | | // We currently do not support keygen with |EVP_PKEY_RSA_PSS|. |
1041 | 0 | return 0; |
1042 | 0 | } |
1043 | | |
1044 | | int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, |
1045 | 0 | const EVP_MD *md) { |
1046 | | // We currently do not support keygen with |EVP_PKEY_RSA_PSS|. |
1047 | 0 | return 0; |
1048 | 0 | } |
1049 | | |
1050 | 16.9k | int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) { |
1051 | 16.9k | return rsa_or_rsa_pss_ctrl(FromOpaque(ctx), |
1052 | 16.9k | (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), |
1053 | 16.9k | EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, nullptr); |
1054 | 16.9k | } |
1055 | | |
1056 | 0 | int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) { |
1057 | 0 | return rsa_or_rsa_pss_ctrl( |
1058 | 0 | FromOpaque(ctx), (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), |
1059 | 0 | EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len); |
1060 | 0 | } |
1061 | | |
1062 | 0 | int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) { |
1063 | 0 | return rsa_or_rsa_pss_ctrl(FromOpaque(ctx), EVP_PKEY_OP_KEYGEN, |
1064 | 0 | EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, nullptr); |
1065 | 0 | } |
1066 | | |
1067 | 0 | int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) { |
1068 | 0 | return rsa_or_rsa_pss_ctrl(FromOpaque(ctx), EVP_PKEY_OP_KEYGEN, |
1069 | 0 | EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e); |
1070 | 0 | } |
1071 | | |
1072 | 0 | int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { |
1073 | 0 | return EVP_PKEY_CTX_ctrl(FromOpaque(ctx), EVP_PKEY_RSA, |
1074 | 0 | EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_RSA_OAEP_MD, 0, |
1075 | 0 | (void *)md); |
1076 | 0 | } |
1077 | | |
1078 | 0 | int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { |
1079 | 0 | return EVP_PKEY_CTX_ctrl(FromOpaque(ctx), EVP_PKEY_RSA, |
1080 | 0 | EVP_PKEY_OP_TYPE_CRYPT, |
1081 | 0 | EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)out_md); |
1082 | 0 | } |
1083 | | |
1084 | 0 | int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { |
1085 | 0 | return rsa_or_rsa_pss_ctrl(FromOpaque(ctx), |
1086 | 0 | EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, |
1087 | 0 | EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md); |
1088 | 0 | } |
1089 | | |
1090 | 0 | int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { |
1091 | 0 | return rsa_or_rsa_pss_ctrl(FromOpaque(ctx), |
1092 | 0 | EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, |
1093 | 0 | EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)out_md); |
1094 | 0 | } |
1095 | | |
1096 | | int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label, |
1097 | 0 | size_t label_len) { |
1098 | 0 | Span span(label, label_len); |
1099 | 0 | return EVP_PKEY_CTX_ctrl(FromOpaque(ctx), EVP_PKEY_RSA, |
1100 | 0 | EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_RSA_OAEP_LABEL, |
1101 | 0 | 0, &span); |
1102 | 0 | } |
1103 | | |
1104 | | int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, |
1105 | 0 | const uint8_t **out_label) { |
1106 | 0 | CBS label; |
1107 | 0 | if (!EVP_PKEY_CTX_ctrl(FromOpaque(ctx), EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, |
1108 | 0 | EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) { |
1109 | 0 | return -1; |
1110 | 0 | } |
1111 | 0 | if (CBS_len(&label) > INT_MAX) { |
1112 | 0 | OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW); |
1113 | 0 | return -1; |
1114 | 0 | } |
1115 | 0 | *out_label = CBS_data(&label); |
1116 | 0 | return (int)CBS_len(&label); |
1117 | 0 | } |