/src/boringssl/crypto/evp/p_rsa.c
1 | | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
2 | | * project 2006. |
3 | | */ |
4 | | /* ==================================================================== |
5 | | * Copyright (c) 2006 The OpenSSL Project. All rights reserved. |
6 | | * |
7 | | * Redistribution and use in source and binary forms, with or without |
8 | | * modification, are permitted provided that the following conditions |
9 | | * are met: |
10 | | * |
11 | | * 1. Redistributions of source code must retain the above copyright |
12 | | * notice, this list of conditions and the following disclaimer. |
13 | | * |
14 | | * 2. Redistributions in binary form must reproduce the above copyright |
15 | | * notice, this list of conditions and the following disclaimer in |
16 | | * the documentation and/or other materials provided with the |
17 | | * distribution. |
18 | | * |
19 | | * 3. All advertising materials mentioning features or use of this |
20 | | * software must display the following acknowledgment: |
21 | | * "This product includes software developed by the OpenSSL Project |
22 | | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" |
23 | | * |
24 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
25 | | * endorse or promote products derived from this software without |
26 | | * prior written permission. For written permission, please contact |
27 | | * licensing@OpenSSL.org. |
28 | | * |
29 | | * 5. Products derived from this software may not be called "OpenSSL" |
30 | | * nor may "OpenSSL" appear in their names without prior written |
31 | | * permission of the OpenSSL Project. |
32 | | * |
33 | | * 6. Redistributions of any form whatsoever must retain the following |
34 | | * acknowledgment: |
35 | | * "This product includes software developed by the OpenSSL Project |
36 | | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" |
37 | | * |
38 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
39 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
40 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
41 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
42 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
43 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
44 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
45 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
46 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
47 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
48 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
49 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
50 | | * ==================================================================== |
51 | | * |
52 | | * This product includes cryptographic software written by Eric Young |
53 | | * (eay@cryptsoft.com). This product includes software written by Tim |
54 | | * Hudson (tjh@cryptsoft.com). */ |
55 | | |
56 | | #include <openssl/evp.h> |
57 | | |
58 | | #include <limits.h> |
59 | | #include <string.h> |
60 | | |
61 | | #include <openssl/bn.h> |
62 | | #include <openssl/bytestring.h> |
63 | | #include <openssl/digest.h> |
64 | | #include <openssl/err.h> |
65 | | #include <openssl/mem.h> |
66 | | #include <openssl/nid.h> |
67 | | #include <openssl/rsa.h> |
68 | | |
69 | | #include "../internal.h" |
70 | | #include "../rsa_extra/internal.h" |
71 | | #include "internal.h" |
72 | | |
73 | | |
// RSA_PKEY_CTX is the RSA-specific state stored in |EVP_PKEY_CTX.data|. It is
// allocated by |pkey_rsa_init| and released by |pkey_rsa_cleanup|, which frees
// |pub_exp|, |tbuf| and |oaep_label|.
typedef struct {
  // Key generation parameters: modulus size in bits and the public exponent.
  int nbits;
  BIGNUM *pub_exp;
  // RSA padding mode (one of the RSA_*_PADDING constants).
  int pad_mode;
  // Message digest.
  const EVP_MD *md;
  // Message digest for MGF1. When NULL, the MGF1 getter reports |md| instead.
  const EVP_MD *mgf1md;
  // PSS salt length.
  int saltlen;
  // tbuf is either NULL or a buffer the size of the RSA modulus. It stores the
  // output of RSA operations.
  uint8_t *tbuf;
  // OAEP label and its length in bytes.
  uint8_t *oaep_label;
  size_t oaep_labellen;
} RSA_PKEY_CTX;

// RSA_OAEP_LABEL_PARAMS bundles a label pointer and its length so both can be
// passed through the single |void *| argument of the control function.
typedef struct {
  uint8_t *data;
  size_t len;
} RSA_OAEP_LABEL_PARAMS;
98 | | |
// pkey_rsa_init allocates a zeroed |RSA_PKEY_CTX|, applies the defaults and
// stores it in |ctx->data|. It returns one on success and zero if the
// allocation fails.
//
// Note for callers: the default padding mode is PKCS#1 v1.5. OAEP or PSS must
// be requested explicitly through the padding control.
static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
  RSA_PKEY_CTX *state = OPENSSL_zalloc(sizeof(*state));
  if (state == NULL) {
    return 0;
  }

  // Defaults: 2048-bit key generation, PKCS#1 v1.5 padding, and a salt length
  // of -2, which is handed unchanged to the PSS sign/verify routines.
  state->nbits = 2048;
  state->pad_mode = RSA_PKCS1_PADDING;
  state->saltlen = -2;

  ctx->data = state;
  return 1;
}
113 | | |
// pkey_rsa_copy initialises |dst| and deep-copies the RSA state of |src| into
// it. The public exponent and OAEP label are duplicated; the digest pointers
// are shared. |tbuf| is not copied, so |dst| allocates its own on first use.
// It returns one on success and zero on allocation failure.
//
// On failure |dst->data| is left populated; presumably the caller releases it
// through the cleanup hook -- confirm against the caller.
// NOTE(review): a non-NULL label with |oaep_labellen| of zero depends on how
// |OPENSSL_memdup| treats a zero size; if it returns NULL the copy would fail.
static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
  if (!pkey_rsa_init(dst)) {
    return 0;
  }

  const RSA_PKEY_CTX *from = src->data;
  RSA_PKEY_CTX *to = dst->data;

  to->nbits = from->nbits;
  if (from->pub_exp != NULL) {
    to->pub_exp = BN_dup(from->pub_exp);
    if (to->pub_exp == NULL) {
      return 0;
    }
  }

  to->pad_mode = from->pad_mode;
  to->md = from->md;
  to->mgf1md = from->mgf1md;
  to->saltlen = from->saltlen;

  if (from->oaep_label != NULL) {
    // |to| was just zero-initialised, so this free is a no-op kept for safety.
    OPENSSL_free(to->oaep_label);
    to->oaep_label = OPENSSL_memdup(from->oaep_label, from->oaep_labellen);
    if (to->oaep_label == NULL) {
      return 0;
    }
    to->oaep_labellen = from->oaep_labellen;
  }

  return 1;
}
144 | | |
// pkey_rsa_cleanup releases the RSA state attached to |ctx|, including the
// public exponent, the scratch buffer and the OAEP label. It does nothing if
// no state is attached. |ctx->data| itself is not reset here.
static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) {
  RSA_PKEY_CTX *state = ctx->data;
  if (state != NULL) {
    BN_free(state->pub_exp);
    // |tbuf| may hold the output of an earlier RSA operation.
    OPENSSL_free(state->tbuf);
    OPENSSL_free(state->oaep_label);
    OPENSSL_free(state);
  }
}
157 | | |
// setup_tbuf lazily allocates |ctx->tbuf| with |EVP_PKEY_size(pk->pkey)|
// bytes. An existing buffer is reused as-is and is not resized. It returns one
// if a buffer is available and zero on allocation failure.
static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) {
  if (ctx->tbuf == NULL) {
    ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
  }
  return ctx->tbuf != NULL;
}
168 | | |
// pkey_rsa_sign signs |tbslen| bytes from |tbs| and writes the signature to
// |sig|. If |sig| is NULL, it only reports the required size in |*siglen|.
// Otherwise |*siglen| must be at least the key size on entry and holds the
// signature length on success. It returns one on success and zero on error.
//
// With a digest configured, |tbs| is treated as a hash and only PKCS#1 v1.5
// and PSS padding are accepted. Without a digest, the input goes to
// |RSA_sign_raw| with the configured padding mode.
static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
                         const uint8_t *tbs, size_t tbslen) {
  RSA_PKEY_CTX *rctx = ctx->data;
  RSA *rsa = ctx->pkey->pkey;
  const size_t key_len = EVP_PKEY_size(ctx->pkey);

  // Size query.
  if (sig == NULL) {
    *siglen = key_len;
    return 1;
  }

  if (*siglen < key_len) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (rctx->md == NULL) {
    return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen,
                        rctx->pad_mode);
  }

  if (rctx->pad_mode == RSA_PKCS1_PADDING) {
    unsigned out_len;
    if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) {
      return 0;
    }
    *siglen = out_len;
    return 1;
  }

  if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
    return RSA_sign_pss_mgf1(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->md,
                             rctx->mgf1md, rctx->saltlen);
  }

  // Any other padding mode cannot be combined with a digest. No error is
  // queued on this path.
  return 0;
}
206 | | |
// pkey_rsa_verify checks that |sig| is a valid signature over |tbs|. It
// returns one if the signature verifies and zero otherwise.
//
// With a digest configured, |tbs| is treated as a hash and only PKCS#1 v1.5
// and PSS padding are accepted. Without a digest, the signature is opened with
// |RSA_verify_raw| into the scratch buffer and the recovered bytes must match
// |tbs| exactly in length and content.
static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,
                           size_t siglen, const uint8_t *tbs,
                           size_t tbslen) {
  RSA_PKEY_CTX *rctx = ctx->data;
  RSA *rsa = ctx->pkey->pkey;

  if (rctx->md == NULL) {
    size_t recovered_len;
    const size_t key_len = EVP_PKEY_size(ctx->pkey);
    if (!setup_tbuf(rctx, ctx)) {
      return 0;
    }
    if (!RSA_verify_raw(rsa, &recovered_len, rctx->tbuf, key_len, sig, siglen,
                        rctx->pad_mode)) {
      return 0;
    }
    // The length check must come first so the comparison below never reads
    // past |tbs|.
    if (recovered_len != tbslen) {
      return 0;
    }
    return CRYPTO_memcmp(tbs, rctx->tbuf, recovered_len) == 0;
  }

  switch (rctx->pad_mode) {
    case RSA_PKCS1_PADDING:
      return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa);

    case RSA_PKCS1_PSS_PADDING:
      return RSA_verify_pss_mgf1(rsa, tbs, tbslen, rctx->md, rctx->mgf1md,
                                 rctx->saltlen, sig, siglen);

    default:
      return 0;
  }
}
239 | | |
// pkey_rsa_verify_recover opens |sig| and writes the recovered data to |out|.
// If |out| is NULL, it only reports the key size in |*out_len|. Otherwise
// |*out_len| must be at least the key size on entry, even though the digest
// path writes only the hash. It returns one on success and zero on error.
//
// Without a digest, the output is whatever |RSA_verify_raw| recovers under the
// configured padding. With a digest, only PKCS#1 v1.5 padding is accepted: the
// recovered block must be a DigestInfo for that digest, and the hash it
// carries is written to |out|.
static int pkey_rsa_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,
                                   size_t *out_len, const uint8_t *sig,
                                   size_t sig_len) {
  RSA_PKEY_CTX *rctx = ctx->data;
  RSA *rsa = ctx->pkey->pkey;
  const size_t key_len = EVP_PKEY_size(ctx->pkey);

  // Size query.
  if (out == NULL) {
    *out_len = key_len;
    return 1;
  }

  if (*out_len < key_len) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (rctx->md == NULL) {
    return RSA_verify_raw(rsa, out_len, out, *out_len, sig, sig_len,
                          rctx->pad_mode);
  }

  if (rctx->pad_mode != RSA_PKCS1_PADDING) {
    return 0;
  }

  // Build the expected encoding around an all-zero placeholder hash. Only the
  // bytes in front of the hash are compared; the hash itself is the output.
  static const uint8_t kDummyHash[EVP_MAX_MD_SIZE] = {0};
  const size_t hash_len = EVP_MD_size(rctx->md);
  uint8_t *expected;
  size_t expected_len;
  int expected_allocated;
  if (!setup_tbuf(rctx, ctx) ||
      !RSA_add_pkcs1_prefix(&expected, &expected_len, &expected_allocated,
                            EVP_MD_type(rctx->md), kDummyHash, hash_len)) {
    return 0;
  }

  size_t recovered_len;
  const int ok =
      RSA_verify_raw(rsa, &recovered_len, rctx->tbuf, key_len, sig, sig_len,
                     RSA_PKCS1_PADDING) &&
      recovered_len == expected_len &&
      // Compare all but the hash suffix.
      CRYPTO_memcmp(rctx->tbuf, expected, expected_len - hash_len) == 0;

  if (expected_allocated) {
    OPENSSL_free(expected);
  }

  if (!ok) {
    return 0;
  }

  // |out| is non-NULL here; the NULL case returned above.
  OPENSSL_memcpy(out, rctx->tbuf + recovered_len - hash_len, hash_len);
  *out_len = hash_len;

  return 1;
}
304 | | |
// pkey_rsa_encrypt encrypts |inlen| bytes from |in| and writes the ciphertext
// to |out|. If |out| is NULL, it only reports the key size in |*outlen|.
// Otherwise |*outlen| must be at least the key size on entry. It returns one
// on success and zero on error.
//
// For OAEP the padding is applied here, using the configured label and
// digests, and the padded block is then encrypted with no further padding.
// Every other mode is passed directly to |RSA_encrypt|.
static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
                            const uint8_t *in, size_t inlen) {
  RSA_PKEY_CTX *rctx = ctx->data;
  RSA *rsa = ctx->pkey->pkey;
  const size_t key_len = EVP_PKEY_size(ctx->pkey);

  // Size query.
  if (out == NULL) {
    *outlen = key_len;
    return 1;
  }

  if (*outlen < key_len) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
    return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode);
  }

  if (!setup_tbuf(rctx, ctx)) {
    return 0;
  }
  if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen,
                                       rctx->oaep_label, rctx->oaep_labellen,
                                       rctx->md, rctx->mgf1md)) {
    return 0;
  }
  return RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len,
                     RSA_NO_PADDING)
             ? 1
             : 0;
}
335 | | |
// pkey_rsa_decrypt decrypts |inlen| bytes from |in| and writes the plaintext
// to |out|. If |out| is NULL, it only reports the key size in |*outlen|.
// Otherwise |*outlen| must be at least the key size on entry. It returns one
// on success and zero on error.
//
// For OAEP the raw RSA result lands in the scratch buffer and the padding is
// then checked and stripped here. Every other mode is passed directly to
// |RSA_decrypt|; that path bounds the output by the key size rather than by
// |*outlen|.
//
// Callers using PKCS#1 v1.5 decryption should treat the success/failure result
// as sensitive and avoid exposing it to the party that supplied the
// ciphertext, since a distinguishable padding failure acts as an oracle.
static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
                            size_t *outlen, const uint8_t *in,
                            size_t inlen) {
  RSA_PKEY_CTX *rctx = ctx->data;
  RSA *rsa = ctx->pkey->pkey;
  const size_t key_len = EVP_PKEY_size(ctx->pkey);

  // Size query.
  if (out == NULL) {
    *outlen = key_len;
    return 1;
  }

  if (*outlen < key_len) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
    return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode);
  }

  size_t padded_len;
  if (!setup_tbuf(rctx, ctx)) {
    return 0;
  }
  if (!RSA_decrypt(rsa, &padded_len, rctx->tbuf, key_len, in, inlen,
                   RSA_NO_PADDING)) {
    return 0;
  }
  return RSA_padding_check_PKCS1_OAEP_mgf1(
             out, outlen, key_len, rctx->tbuf, padded_len, rctx->oaep_label,
             rctx->oaep_labellen, rctx->md, rctx->mgf1md)
             ? 1
             : 0;
}
368 | | |
// check_padding_md reports whether |md| may be combined with |padding|. The
// only rejected combination is a non-NULL digest with |RSA_NO_PADDING|, for
// which an error is queued. It returns one if the pair is acceptable and zero
// otherwise.
static int check_padding_md(const EVP_MD *md, int padding) {
  if (md != NULL && padding == RSA_NO_PADDING) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
    return 0;
  }
  return 1;
}
381 | | |
// is_known_padding returns one if |padding_mode| is one of the four padding
// constants this file handles and zero for any other value.
static int is_known_padding(int padding_mode) {
  return padding_mode == RSA_PKCS1_PADDING ||
         padding_mode == RSA_NO_PADDING ||
         padding_mode == RSA_PKCS1_OAEP_PADDING ||
         padding_mode == RSA_PKCS1_PSS_PADDING;
}
393 | | |
// pkey_rsa_ctrl applies or reads one RSA parameter on |ctx|. |type| selects
// the parameter, |p1| carries integer arguments and |p2| carries pointer
// arguments or the output location for getters. It returns one on success and
// zero on error. |p2| is dereferenced without a NULL check by the getters and
// by the OAEP label setter.
static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
  RSA_PKEY_CTX *rctx = ctx->data;

  switch (type) {
    case EVP_PKEY_CTRL_RSA_PADDING: {
      // PSS is only meaningful for sign/verify and OAEP only for
      // encrypt/decrypt, so each is tied to the context's operation.
      const int is_sig_op =
          (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) != 0;
      const int is_crypt_op = (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT) != 0;
      if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) ||
          (p1 == RSA_PKCS1_PSS_PADDING && !is_sig_op) ||
          (p1 == RSA_PKCS1_OAEP_PADDING && !is_crypt_op)) {
        OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
        return 0;
      }
      // PSS and OAEP need a digest. If none was chosen yet, this falls back to
      // SHA-1; callers wanting a stronger digest must set it explicitly.
      if (rctx->md == NULL &&
          (p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING)) {
        rctx->md = EVP_sha1();
      }
      rctx->pad_mode = p1;
      return 1;
    }

    case EVP_PKEY_CTRL_GET_RSA_PADDING:
      *(int *)p2 = rctx->pad_mode;
      return 1;

    case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
    case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
      // The salt length may only be touched once PSS padding is selected.
      if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN);
        return 0;
      }
      if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
        *(int *)p2 = rctx->saltlen;
        return 1;
      }
      // Values below -2 are rejected; no error is queued on this path.
      if (p1 < -2) {
        return 0;
      }
      rctx->saltlen = p1;
      return 1;

    case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
      // This floor only rejects very small sizes; it is not a statement about
      // what key size is adequate. Any further limit would come from the key
      // generation routine itself.
      if (p1 < 256) {
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS);
        return 0;
      }
      rctx->nbits = p1;
      return 1;

    case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
      if (p2 == NULL) {
        return 0;
      }
      // The context takes ownership of the supplied exponent and frees the
      // previous one.
      BN_free(rctx->pub_exp);
      rctx->pub_exp = p2;
      return 1;

    case EVP_PKEY_CTRL_RSA_OAEP_MD:
    case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
      if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
        return 0;
      }
      if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {
        *(const EVP_MD **)p2 = rctx->md;
      } else {
        rctx->md = p2;
      }
      return 1;

    case EVP_PKEY_CTRL_MD:
      if (!check_padding_md(p2, rctx->pad_mode)) {
        return 0;
      }
      rctx->md = p2;
      return 1;

    case EVP_PKEY_CTRL_GET_MD:
      *(const EVP_MD **)p2 = rctx->md;
      return 1;

    case EVP_PKEY_CTRL_RSA_MGF1_MD:
    case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
      if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
          rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD);
        return 0;
      }
      if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
        // With no explicit MGF1 digest, report the main digest.
        *(const EVP_MD **)p2 = rctx->mgf1md ? rctx->mgf1md : rctx->md;
      } else {
        rctx->mgf1md = p2;
      }
      return 1;

    case EVP_PKEY_CTRL_RSA_OAEP_LABEL: {
      if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
        return 0;
      }
      // The context takes ownership of the new label. The old label is freed
      // first, so the caller must not pass back the pointer the context
      // already holds.
      RSA_OAEP_LABEL_PARAMS *params = p2;
      OPENSSL_free(rctx->oaep_label);
      rctx->oaep_label = params->data;
      rctx->oaep_labellen = params->len;
      return 1;
    }

    case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
      if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
        return 0;
      }
      // The returned view aliases the context's label; it is not a copy.
      CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);
      return 1;

    default:
      OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
      return 0;
  }
}
516 | | |
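// pkey_rsa_keygen generates an RSA key with the modulus size and public
// exponent stored in the context and installs it in |pkey|. If no exponent was
// configured, |RSA_F4| is used and remembered in the context. It returns one
// on success and zero on error.
static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
  RSA_PKEY_CTX *rctx = ctx->data;

  if (rctx->pub_exp == NULL) {
    // Build the default exponent in a local so that a failed |BN_set_word|
    // does not leave a half-initialised value behind in the context.
    BIGNUM *e = BN_new();
    if (e == NULL || !BN_set_word(e, RSA_F4)) {
      BN_free(e);
      return 0;
    }
    rctx->pub_exp = e;
  }

  RSA *rsa = RSA_new();
  if (rsa == NULL) {
    return 0;
  }

  // |pkey| owns |rsa| only if the assignment succeeds, so the key is freed
  // here on either failure rather than leaked.
  if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL) ||
      !EVP_PKEY_assign_RSA(pkey, rsa)) {
    RSA_free(rsa);
    return 0;
  }

  return 1;
}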
540 | | |
// rsa_pkey_meth is the method table that wires the RSA implementations above
// into the generic EVP_PKEY_CTX machinery. Entries are positional; NULL marks
// an operation RSA does not provide.
const EVP_PKEY_METHOD rsa_pkey_meth = {
    EVP_PKEY_RSA,
    // Context lifecycle.
    pkey_rsa_init,
    pkey_rsa_copy,
    pkey_rsa_cleanup,
    // Key generation.
    pkey_rsa_keygen,
    // Signing and verification.
    pkey_rsa_sign,
    NULL /* sign_message */,
    pkey_rsa_verify,
    NULL /* verify_message */,
    pkey_rsa_verify_recover,
    // Encryption and decryption.
    pkey_rsa_encrypt,
    pkey_rsa_decrypt,
    NULL /* derive */,
    NULL /* paramgen */,
    // Parameter control.
    pkey_rsa_ctrl,
};
558 | | |
// EVP_PKEY_CTX_set_rsa_padding sets the RSA padding mode of |ctx| to
// |padding|. It forwards the result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) {
  // -1 places no restriction on the operation type at this layer; the control
  // handler itself ties PSS and OAEP to the matching operations.
  const int any_operation = -1;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, any_operation,
                           EVP_PKEY_CTRL_RSA_PADDING, padding, NULL);
}
563 | | |
// EVP_PKEY_CTX_get_rsa_padding writes the current RSA padding mode of |ctx| to
// |*out_padding|. It forwards the result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) {
  const int any_operation = -1;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, any_operation,
                           EVP_PKEY_CTRL_GET_RSA_PADDING, 0, out_padding);
}
568 | | |
// EVP_PKEY_CTX_set_rsa_pss_keygen_md always returns zero and changes nothing.
// Callers must check the result rather than assume the digest was applied.
int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
  (void)ctx;
  (void)md;
  return 0;
}
572 | | |
// EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen always returns zero and changes
// nothing. Callers must check the result rather than assume the salt length
// was applied.
int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
  (void)ctx;
  (void)salt_len;
  return 0;
}
576 | | |
// EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md always returns zero and changes
// nothing. Callers must check the result rather than assume the MGF1 digest
// was applied.
int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx,
                                            const EVP_MD *md) {
  (void)ctx;
  (void)md;
  return 0;
}
581 | | |
// EVP_PKEY_CTX_set_rsa_pss_saltlen sets the PSS salt length of |ctx| to
// |salt_len|. The request is limited to sign and verify contexts, and the
// control handler additionally requires PSS padding to be selected first. It
// forwards the result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
  const int sig_ops = EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, sig_ops,
                           EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL);
}
587 | | |
// EVP_PKEY_CTX_get_rsa_pss_saltlen writes the PSS salt length of |ctx| to
// |*out_salt_len|. The request is limited to sign and verify contexts, and the
// control handler additionally requires PSS padding to be selected. It
// forwards the result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) {
  const int sig_ops = EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, sig_ops,
                           EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len);
}
593 | | |
// EVP_PKEY_CTX_set_rsa_keygen_bits sets the modulus size, in bits, used by key
// generation on |ctx|. The control handler rejects values below 256; that
// floor is a sanity check, not a recommendation. It forwards the result of
// |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) {
  const int command = EVP_PKEY_CTRL_RSA_KEYGEN_BITS;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, command,
                           bits, NULL);
}
598 | | |
// EVP_PKEY_CTX_set_rsa_keygen_pubexp sets the public exponent used by key
// generation on |ctx|. When the control handler accepts the request, the
// context takes ownership of |e| and later frees it; a NULL |e| is rejected.
// It forwards the result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) {
  const int command = EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, command, 0,
                           e);
}
603 | | |
// EVP_PKEY_CTX_set_rsa_oaep_md sets the OAEP digest of |ctx| to |md|. The
// control handler requires OAEP padding to be selected first. It forwards the
// result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
  // The control interface takes a plain |void *|, hence the cast.
  void *md_arg = (void *)md;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
                           EVP_PKEY_CTRL_RSA_OAEP_MD, 0, md_arg);
}
608 | | |
// EVP_PKEY_CTX_get_rsa_oaep_md writes the OAEP digest of |ctx| to |*out_md|.
// The control handler requires OAEP padding to be selected. It forwards the
// result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
  void *out_arg = (void *)out_md;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
                           EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, out_arg);
}
613 | | |
// EVP_PKEY_CTX_set_rsa_mgf1_md sets the MGF1 digest of |ctx| to |md|. The
// control handler requires PSS or OAEP padding to be selected first. It
// forwards the result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
  const int allowed_ops = EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, allowed_ops,
                           EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md);
}
619 | | |
// EVP_PKEY_CTX_get_rsa_mgf1_md writes the MGF1 digest of |ctx| to |*out_md|.
// If no MGF1 digest was set, the control handler reports the main digest
// instead. It forwards the result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
  const int allowed_ops = EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT;
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, allowed_ops,
                           EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)out_md);
}
625 | | |
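// EVP_PKEY_CTX_set0_rsa_oaep_label sets the OAEP label of |ctx| to the
// |label_len| bytes at |label|. The control handler requires OAEP padding to
// be selected first. When the handler accepts the request, the context stores
// |label| itself (no copy) and frees it later, so the caller must not free or
// reuse it afterwards. It forwards the result of |EVP_PKEY_CTX_ctrl|.
int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label,
                                     size_t label_len) {
  // Pointer and length travel together through the single |void *| argument.
  RSA_OAEP_LABEL_PARAMS params = {label, label_len};
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
                           EVP_PKEY_CTRL_RSA_OAEP_LABEL, 0, &params);
}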
632 | | |
// EVP_PKEY_CTX_get0_rsa_oaep_label points |*out_label| at the OAEP label held
// by |ctx| and returns its length in bytes. The pointer aliases the context's
// own storage; the caller must not free it. Unlike most functions in this
// file, failure is signalled with -1, because zero is a valid label length.
int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
                                     const uint8_t **out_label) {
  CBS label;
  if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
                         EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {
    return -1;
  }

  // The length is returned as an int, so reject anything that would not fit.
  const size_t label_len = CBS_len(&label);
  if (label_len > INT_MAX) {
    OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
    return -1;
  }

  *out_label = CBS_data(&label);
  return (int)label_len;
}