Coverage Report

Created: 2025-06-13 06:58

/src/openssl31/crypto/rsa/rsa_pmeth.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
/*
11
 * RSA low level APIs are deprecated for public use, but still ok for
12
 * internal use.
13
 */
14
#include "internal/deprecated.h"
15
16
#include "internal/constant_time.h"
17
18
#include <stdio.h>
19
#include "internal/cryptlib.h"
20
#include <openssl/asn1t.h>
21
#include <openssl/x509.h>
22
#include <openssl/rsa.h>
23
#include <openssl/bn.h>
24
#include <openssl/evp.h>
25
#include <openssl/x509v3.h>
26
#include <openssl/cms.h>
27
#include "crypto/evp.h"
28
#include "crypto/rsa.h"
29
#include "rsa_local.h"
30
31
/* RSA pkey context structure */
32
33
typedef struct {
34
    /* Key gen parameters */
35
    int nbits;
36
    BIGNUM *pub_exp;
37
    int primes;
38
    /* Keygen callback info */
39
    int gentmp[2];
40
    /* RSA padding mode */
41
    int pad_mode;
42
    /* message digest */
43
    const EVP_MD *md;
44
    /* message digest for MGF1 */
45
    const EVP_MD *mgf1md;
46
    /* PSS salt length */
47
    int saltlen;
48
    /* Minimum salt length or -1 if no PSS parameter restriction */
49
    int min_saltlen;
50
    /* Temp buffer */
51
    unsigned char *tbuf;
52
    /* OAEP label */
53
    unsigned char *oaep_label;
54
    size_t oaep_labellen;
55
} RSA_PKEY_CTX;
56
57
/* True if PSS parameters are restricted */
58
0
#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
59
60
static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
61
0
{
62
0
    RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx));
63
64
0
    if (rctx == NULL)
65
0
        return 0;
66
0
    rctx->nbits = 2048;
67
0
    rctx->primes = RSA_DEFAULT_PRIME_NUM;
68
0
    if (pkey_ctx_is_pss(ctx))
69
0
        rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
70
0
    else
71
0
        rctx->pad_mode = RSA_PKCS1_PADDING;
72
    /* Maximum for sign, auto for verify */
73
0
    rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
74
0
    rctx->min_saltlen = -1;
75
0
    ctx->data = rctx;
76
0
    ctx->keygen_info = rctx->gentmp;
77
0
    ctx->keygen_info_count = 2;
78
79
0
    return 1;
80
0
}
81
82
static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
83
0
{
84
0
    RSA_PKEY_CTX *dctx, *sctx;
85
86
0
    if (!pkey_rsa_init(dst))
87
0
        return 0;
88
0
    sctx = src->data;
89
0
    dctx = dst->data;
90
0
    dctx->nbits = sctx->nbits;
91
0
    if (sctx->pub_exp) {
92
0
        dctx->pub_exp = BN_dup(sctx->pub_exp);
93
0
        if (!dctx->pub_exp)
94
0
            return 0;
95
0
    }
96
0
    dctx->pad_mode = sctx->pad_mode;
97
0
    dctx->md = sctx->md;
98
0
    dctx->mgf1md = sctx->mgf1md;
99
0
    dctx->saltlen = sctx->saltlen;
100
0
    if (sctx->oaep_label) {
101
0
        OPENSSL_free(dctx->oaep_label);
102
0
        dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
103
0
        if (!dctx->oaep_label)
104
0
            return 0;
105
0
        dctx->oaep_labellen = sctx->oaep_labellen;
106
0
    }
107
0
    return 1;
108
0
}
109
110
static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
111
0
{
112
0
    if (ctx->tbuf != NULL)
113
0
        return 1;
114
0
    if ((ctx->tbuf =
115
0
            OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pk->pkey)))) == NULL) {
116
0
        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
117
0
        return 0;
118
0
    }
119
0
    return 1;
120
0
}
121
122
static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
123
0
{
124
0
    RSA_PKEY_CTX *rctx = ctx->data;
125
0
    if (rctx) {
126
0
        BN_free(rctx->pub_exp);
127
0
        OPENSSL_free(rctx->tbuf);
128
0
        OPENSSL_free(rctx->oaep_label);
129
0
        OPENSSL_free(rctx);
130
0
    }
131
0
}
132
133
static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
134
                         size_t *siglen, const unsigned char *tbs,
135
                         size_t tbslen)
136
0
{
137
0
    int ret;
138
0
    RSA_PKEY_CTX *rctx = ctx->data;
139
    /*
140
     * Discard const. Its marked as const because this may be a cached copy of
141
     * the "real" key. These calls don't make any modifications that need to
142
     * be reflected back in the "original" key.
143
     */
144
0
    RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
145
146
0
    if (rctx->md) {
147
0
        if (tbslen != (size_t)EVP_MD_get_size(rctx->md)) {
148
0
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
149
0
            return -1;
150
0
        }
151
152
0
        if (EVP_MD_get_type(rctx->md) == NID_mdc2) {
153
0
            unsigned int sltmp;
154
0
            if (rctx->pad_mode != RSA_PKCS1_PADDING)
155
0
                return -1;
156
0
            ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, rsa);
157
158
0
            if (ret <= 0)
159
0
                return ret;
160
0
            ret = sltmp;
161
0
        } else if (rctx->pad_mode == RSA_X931_PADDING) {
162
0
            if ((size_t)RSA_size(rsa) < tbslen + 1) {
163
0
                ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
164
0
                return -1;
165
0
            }
166
0
            if (!setup_tbuf(rctx, ctx)) {
167
0
                ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
168
0
                return -1;
169
0
            }
170
0
            memcpy(rctx->tbuf, tbs, tbslen);
171
0
            rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_get_type(rctx->md));
172
0
            ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
173
0
                                      sig, rsa, RSA_X931_PADDING);
174
0
        } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
175
0
            unsigned int sltmp;
176
0
            ret = RSA_sign(EVP_MD_get_type(rctx->md),
177
0
                           tbs, tbslen, sig, &sltmp, rsa);
178
0
            if (ret <= 0)
179
0
                return ret;
180
0
            ret = sltmp;
181
0
        } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
182
0
            if (!setup_tbuf(rctx, ctx))
183
0
                return -1;
184
0
            if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
185
0
                                                rctx->tbuf, tbs,
186
0
                                                rctx->md, rctx->mgf1md,
187
0
                                                rctx->saltlen))
188
0
                return -1;
189
0
            ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
190
0
                                      sig, rsa, RSA_NO_PADDING);
191
0
        } else {
192
0
            return -1;
193
0
        }
194
0
    } else {
195
0
        ret = RSA_private_encrypt(tbslen, tbs, sig, rsa, rctx->pad_mode);
196
0
    }
197
0
    if (ret < 0)
198
0
        return ret;
199
0
    *siglen = ret;
200
0
    return 1;
201
0
}
202
203
static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
204
                                  unsigned char *rout, size_t *routlen,
205
                                  const unsigned char *sig, size_t siglen)
206
0
{
207
0
    int ret;
208
0
    RSA_PKEY_CTX *rctx = ctx->data;
209
    /*
210
     * Discard const. Its marked as const because this may be a cached copy of
211
     * the "real" key. These calls don't make any modifications that need to
212
     * be reflected back in the "original" key.
213
     */
214
0
    RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
215
216
0
    if (rctx->md) {
217
0
        if (rctx->pad_mode == RSA_X931_PADDING) {
218
0
            if (!setup_tbuf(rctx, ctx))
219
0
                return -1;
220
0
            ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
221
0
                                     RSA_X931_PADDING);
222
0
            if (ret < 1)
223
0
                return 0;
224
0
            ret--;
225
0
            if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_get_type(rctx->md))) {
226
0
                ERR_raise(ERR_LIB_RSA, RSA_R_ALGORITHM_MISMATCH);
227
0
                return 0;
228
0
            }
229
0
            if (ret != EVP_MD_get_size(rctx->md)) {
230
0
                ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
231
0
                return 0;
232
0
            }
233
0
            if (rout)
234
0
                memcpy(rout, rctx->tbuf, ret);
235
0
        } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
236
0
            size_t sltmp;
237
0
            ret = ossl_rsa_verify(EVP_MD_get_type(rctx->md),
238
0
                                  NULL, 0, rout, &sltmp,
239
0
                                  sig, siglen, rsa);
240
0
            if (ret <= 0)
241
0
                return 0;
242
0
            ret = sltmp;
243
0
        } else {
244
0
            return -1;
245
0
        }
246
0
    } else {
247
0
        ret = RSA_public_decrypt(siglen, sig, rout, rsa, rctx->pad_mode);
248
0
    }
249
0
    if (ret < 0)
250
0
        return ret;
251
0
    *routlen = ret;
252
0
    return 1;
253
0
}
254
255
static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
256
                           const unsigned char *sig, size_t siglen,
257
                           const unsigned char *tbs, size_t tbslen)
258
0
{
259
0
    RSA_PKEY_CTX *rctx = ctx->data;
260
    /*
261
     * Discard const. Its marked as const because this may be a cached copy of
262
     * the "real" key. These calls don't make any modifications that need to
263
     * be reflected back in the "original" key.
264
     */
265
0
    RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
266
0
    size_t rslen;
267
268
0
    if (rctx->md) {
269
0
        if (rctx->pad_mode == RSA_PKCS1_PADDING)
270
0
            return RSA_verify(EVP_MD_get_type(rctx->md), tbs, tbslen,
271
0
                              sig, siglen, rsa);
272
0
        if (tbslen != (size_t)EVP_MD_get_size(rctx->md)) {
273
0
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
274
0
            return -1;
275
0
        }
276
0
        if (rctx->pad_mode == RSA_X931_PADDING) {
277
0
            if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
278
0
                return 0;
279
0
        } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
280
0
            int ret;
281
0
            if (!setup_tbuf(rctx, ctx))
282
0
                return -1;
283
0
            ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
284
0
                                     rsa, RSA_NO_PADDING);
285
0
            if (ret <= 0)
286
0
                return 0;
287
0
            ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
288
0
                                            rctx->md, rctx->mgf1md,
289
0
                                            rctx->tbuf, rctx->saltlen);
290
0
            if (ret <= 0)
291
0
                return 0;
292
0
            return 1;
293
0
        } else {
294
0
            return -1;
295
0
        }
296
0
    } else {
297
0
        if (!setup_tbuf(rctx, ctx))
298
0
            return -1;
299
0
        rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
300
0
                                   rsa, rctx->pad_mode);
301
0
        if (rslen == 0)
302
0
            return 0;
303
0
    }
304
305
0
    if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
306
0
        return 0;
307
308
0
    return 1;
309
310
0
}
311
312
static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
313
                            unsigned char *out, size_t *outlen,
314
                            const unsigned char *in, size_t inlen)
315
0
{
316
0
    int ret;
317
0
    RSA_PKEY_CTX *rctx = ctx->data;
318
    /*
319
     * Discard const. Its marked as const because this may be a cached copy of
320
     * the "real" key. These calls don't make any modifications that need to
321
     * be reflected back in the "original" key.
322
     */
323
0
    RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
324
325
0
    if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
326
0
        int klen = RSA_size(rsa);
327
0
        if (!setup_tbuf(rctx, ctx))
328
0
            return -1;
329
0
        if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
330
0
                                             in, inlen,
331
0
                                             rctx->oaep_label,
332
0
                                             rctx->oaep_labellen,
333
0
                                             rctx->md, rctx->mgf1md))
334
0
            return -1;
335
0
        ret = RSA_public_encrypt(klen, rctx->tbuf, out, rsa, RSA_NO_PADDING);
336
0
    } else {
337
0
        ret = RSA_public_encrypt(inlen, in, out, rsa, rctx->pad_mode);
338
0
    }
339
0
    if (ret < 0)
340
0
        return ret;
341
0
    *outlen = ret;
342
0
    return 1;
343
0
}
344
345
static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
346
                            unsigned char *out, size_t *outlen,
347
                            const unsigned char *in, size_t inlen)
348
0
{
349
0
    int ret;
350
0
    RSA_PKEY_CTX *rctx = ctx->data;
351
    /*
352
     * Discard const. Its marked as const because this may be a cached copy of
353
     * the "real" key. These calls don't make any modifications that need to
354
     * be reflected back in the "original" key.
355
     */
356
0
    RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
357
358
0
    if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
359
0
        if (!setup_tbuf(rctx, ctx))
360
0
            return -1;
361
0
        ret = RSA_private_decrypt(inlen, in, rctx->tbuf, rsa, RSA_NO_PADDING);
362
0
        if (ret <= 0)
363
0
            return ret;
364
0
        ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
365
0
                                                ret, ret,
366
0
                                                rctx->oaep_label,
367
0
                                                rctx->oaep_labellen,
368
0
                                                rctx->md, rctx->mgf1md);
369
0
    } else {
370
0
        ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode);
371
0
    }
372
0
    *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
373
0
    ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
374
0
    return ret;
375
0
}
376
377
static int check_padding_md(const EVP_MD *md, int padding)
378
0
{
379
0
    int mdnid;
380
381
0
    if (!md)
382
0
        return 1;
383
384
0
    mdnid = EVP_MD_get_type(md);
385
386
0
    if (padding == RSA_NO_PADDING) {
387
0
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
388
0
        return 0;
389
0
    }
390
391
0
    if (padding == RSA_X931_PADDING) {
392
0
        if (RSA_X931_hash_id(mdnid) == -1) {
393
0
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_X931_DIGEST);
394
0
            return 0;
395
0
        }
396
0
    } else {
397
0
        switch(mdnid) {
398
        /* List of all supported RSA digests */
399
0
        case NID_sha1:
400
0
        case NID_sha224:
401
0
        case NID_sha256:
402
0
        case NID_sha384:
403
0
        case NID_sha512:
404
0
        case NID_sha512_224:
405
0
        case NID_sha512_256:
406
0
        case NID_md5:
407
0
        case NID_md5_sha1:
408
0
        case NID_md2:
409
0
        case NID_md4:
410
0
        case NID_mdc2:
411
0
        case NID_ripemd160:
412
0
        case NID_sha3_224:
413
0
        case NID_sha3_256:
414
0
        case NID_sha3_384:
415
0
        case NID_sha3_512:
416
0
            return 1;
417
418
0
        default:
419
0
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST);
420
0
            return 0;
421
422
0
        }
423
0
    }
424
425
0
    return 1;
426
0
}
427
428
static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
429
0
{
430
0
    RSA_PKEY_CTX *rctx = ctx->data;
431
432
0
    switch (type) {
433
0
    case EVP_PKEY_CTRL_RSA_PADDING:
434
0
        if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
435
0
            if (!check_padding_md(rctx->md, p1))
436
0
                return 0;
437
0
            if (p1 == RSA_PKCS1_PSS_PADDING) {
438
0
                if (!(ctx->operation &
439
0
                      (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
440
0
                    goto bad_pad;
441
0
                if (!rctx->md)
442
0
                    rctx->md = EVP_sha1();
443
0
            } else if (pkey_ctx_is_pss(ctx)) {
444
0
                goto bad_pad;
445
0
            }
446
0
            if (p1 == RSA_PKCS1_OAEP_PADDING) {
447
0
                if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
448
0
                    goto bad_pad;
449
0
                if (!rctx->md)
450
0
                    rctx->md = EVP_sha1();
451
0
            }
452
0
            rctx->pad_mode = p1;
453
0
            return 1;
454
0
        }
455
0
 bad_pad:
456
0
        ERR_raise(ERR_LIB_RSA, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
457
0
        return -2;
458
459
0
    case EVP_PKEY_CTRL_GET_RSA_PADDING:
460
0
        *(int *)p2 = rctx->pad_mode;
461
0
        return 1;
462
463
0
    case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
464
0
    case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
465
0
        if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
466
0
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN);
467
0
            return -2;
468
0
        }
469
0
        if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
470
0
            *(int *)p2 = rctx->saltlen;
471
0
        } else {
472
0
            if (p1 < RSA_PSS_SALTLEN_MAX)
473
0
                return -2;
474
0
            if (rsa_pss_restricted(rctx)) {
475
0
                if (p1 == RSA_PSS_SALTLEN_AUTO
476
0
                    && ctx->operation == EVP_PKEY_OP_VERIFY) {
477
0
                    ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN);
478
0
                    return -2;
479
0
                }
480
0
                if ((p1 == RSA_PSS_SALTLEN_DIGEST
481
0
                     && rctx->min_saltlen > EVP_MD_get_size(rctx->md))
482
0
                    || (p1 >= 0 && p1 < rctx->min_saltlen)) {
483
0
                    ERR_raise(ERR_LIB_RSA, RSA_R_PSS_SALTLEN_TOO_SMALL);
484
0
                    return 0;
485
0
                }
486
0
            }
487
0
            rctx->saltlen = p1;
488
0
        }
489
0
        return 1;
490
491
0
    case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
492
0
        if (p1 < RSA_MIN_MODULUS_BITS) {
493
0
            ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
494
0
            return -2;
495
0
        }
496
0
        rctx->nbits = p1;
497
0
        return 1;
498
499
0
    case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
500
0
        if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) {
501
0
            ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
502
0
            return -2;
503
0
        }
504
0
        BN_free(rctx->pub_exp);
505
0
        rctx->pub_exp = p2;
506
0
        return 1;
507
508
0
    case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES:
509
0
        if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) {
510
0
            ERR_raise(ERR_LIB_RSA, RSA_R_KEY_PRIME_NUM_INVALID);
511
0
            return -2;
512
0
        }
513
0
        rctx->primes = p1;
514
0
        return 1;
515
516
0
    case EVP_PKEY_CTRL_RSA_OAEP_MD:
517
0
    case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
518
0
        if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
519
0
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
520
0
            return -2;
521
0
        }
522
0
        if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
523
0
            *(const EVP_MD **)p2 = rctx->md;
524
0
        else
525
0
            rctx->md = p2;
526
0
        return 1;
527
528
0
    case EVP_PKEY_CTRL_MD:
529
0
        if (!check_padding_md(p2, rctx->pad_mode))
530
0
            return 0;
531
0
        if (rsa_pss_restricted(rctx)) {
532
0
            if (EVP_MD_get_type(rctx->md) == EVP_MD_get_type(p2))
533
0
                return 1;
534
0
            ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
535
0
            return 0;
536
0
        }
537
0
        rctx->md = p2;
538
0
        return 1;
539
540
0
    case EVP_PKEY_CTRL_GET_MD:
541
0
        *(const EVP_MD **)p2 = rctx->md;
542
0
        return 1;
543
544
0
    case EVP_PKEY_CTRL_RSA_MGF1_MD:
545
0
    case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
546
0
        if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
547
0
            && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
548
0
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MGF1_MD);
549
0
            return -2;
550
0
        }
551
0
        if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
552
0
            if (rctx->mgf1md)
553
0
                *(const EVP_MD **)p2 = rctx->mgf1md;
554
0
            else
555
0
                *(const EVP_MD **)p2 = rctx->md;
556
0
        } else {
557
0
            if (rsa_pss_restricted(rctx)) {
558
0
                if (EVP_MD_get_type(rctx->mgf1md) == EVP_MD_get_type(p2))
559
0
                    return 1;
560
0
                ERR_raise(ERR_LIB_RSA, RSA_R_MGF1_DIGEST_NOT_ALLOWED);
561
0
                return 0;
562
0
            }
563
0
            rctx->mgf1md = p2;
564
0
        }
565
0
        return 1;
566
567
0
    case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
568
0
        if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
569
0
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
570
0
            return -2;
571
0
        }
572
0
        OPENSSL_free(rctx->oaep_label);
573
0
        if (p2 && p1 > 0) {
574
0
            rctx->oaep_label = p2;
575
0
            rctx->oaep_labellen = p1;
576
0
        } else {
577
0
            rctx->oaep_label = NULL;
578
0
            rctx->oaep_labellen = 0;
579
0
        }
580
0
        return 1;
581
582
0
    case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
583
0
        if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
584
0
            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
585
0
            return -2;
586
0
        }
587
0
        if (p2 == NULL) {
588
0
            ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
589
0
            return 0;
590
0
        }
591
0
        *(unsigned char **)p2 = rctx->oaep_label;
592
0
        return rctx->oaep_labellen;
593
594
0
    case EVP_PKEY_CTRL_DIGESTINIT:
595
0
    case EVP_PKEY_CTRL_PKCS7_SIGN:
596
0
#ifndef OPENSSL_NO_CMS
597
0
    case EVP_PKEY_CTRL_CMS_SIGN:
598
0
#endif
599
0
    return 1;
600
601
0
    case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
602
0
    case EVP_PKEY_CTRL_PKCS7_DECRYPT:
603
0
#ifndef OPENSSL_NO_CMS
604
0
    case EVP_PKEY_CTRL_CMS_DECRYPT:
605
0
    case EVP_PKEY_CTRL_CMS_ENCRYPT:
606
0
#endif
607
0
    if (!pkey_ctx_is_pss(ctx))
608
0
        return 1;
609
    /* fall through */
610
0
    case EVP_PKEY_CTRL_PEER_KEY:
611
0
        ERR_raise(ERR_LIB_RSA, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
612
0
        return -2;
613
614
0
    default:
615
0
        return -2;
616
617
0
    }
618
0
}
619
620
static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
621
                             const char *type, const char *value)
622
0
{
623
0
    if (value == NULL) {
624
0
        ERR_raise(ERR_LIB_RSA, RSA_R_VALUE_MISSING);
625
0
        return 0;
626
0
    }
627
0
    if (strcmp(type, "rsa_padding_mode") == 0) {
628
0
        int pm;
629
630
0
        if (strcmp(value, "pkcs1") == 0) {
631
0
            pm = RSA_PKCS1_PADDING;
632
0
        } else if (strcmp(value, "none") == 0) {
633
0
            pm = RSA_NO_PADDING;
634
0
        } else if (strcmp(value, "oeap") == 0) {
635
0
            pm = RSA_PKCS1_OAEP_PADDING;
636
0
        } else if (strcmp(value, "oaep") == 0) {
637
0
            pm = RSA_PKCS1_OAEP_PADDING;
638
0
        } else if (strcmp(value, "x931") == 0) {
639
0
            pm = RSA_X931_PADDING;
640
0
        } else if (strcmp(value, "pss") == 0) {
641
0
            pm = RSA_PKCS1_PSS_PADDING;
642
0
        } else {
643
0
            ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
644
0
            return -2;
645
0
        }
646
0
        return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
647
0
    }
648
649
0
    if (strcmp(type, "rsa_pss_saltlen") == 0) {
650
0
        int saltlen;
651
652
0
        if (!strcmp(value, "digest"))
653
0
            saltlen = RSA_PSS_SALTLEN_DIGEST;
654
0
        else if (!strcmp(value, "max"))
655
0
            saltlen = RSA_PSS_SALTLEN_MAX;
656
0
        else if (!strcmp(value, "auto"))
657
0
            saltlen = RSA_PSS_SALTLEN_AUTO;
658
0
        else
659
0
            saltlen = atoi(value);
660
0
        return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
661
0
    }
662
663
0
    if (strcmp(type, "rsa_keygen_bits") == 0) {
664
0
        int nbits = atoi(value);
665
666
0
        return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
667
0
    }
668
669
0
    if (strcmp(type, "rsa_keygen_pubexp") == 0) {
670
0
        int ret;
671
672
0
        BIGNUM *pubexp = NULL;
673
0
        if (!BN_asc2bn(&pubexp, value))
674
0
            return 0;
675
0
        ret = EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, pubexp);
676
0
        BN_free(pubexp);
677
0
        return ret;
678
0
    }
679
680
0
    if (strcmp(type, "rsa_keygen_primes") == 0) {
681
0
        int nprimes = atoi(value);
682
683
0
        return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes);
684
0
    }
685
686
0
    if (strcmp(type, "rsa_mgf1_md") == 0)
687
0
        return EVP_PKEY_CTX_md(ctx,
688
0
                               EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
689
0
                               EVP_PKEY_CTRL_RSA_MGF1_MD, value);
690
691
0
    if (pkey_ctx_is_pss(ctx)) {
692
693
0
        if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
694
0
            return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
695
0
                                   EVP_PKEY_CTRL_RSA_MGF1_MD, value);
696
697
0
        if (strcmp(type, "rsa_pss_keygen_md") == 0)
698
0
            return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
699
0
                                   EVP_PKEY_CTRL_MD, value);
700
701
0
        if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
702
0
            int saltlen = atoi(value);
703
704
0
            return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
705
0
        }
706
0
    }
707
708
0
    if (strcmp(type, "rsa_oaep_md") == 0)
709
0
        return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
710
0
                               EVP_PKEY_CTRL_RSA_OAEP_MD, value);
711
712
0
    if (strcmp(type, "rsa_oaep_label") == 0) {
713
0
        unsigned char *lab;
714
0
        long lablen;
715
0
        int ret;
716
717
0
        lab = OPENSSL_hexstr2buf(value, &lablen);
718
0
        if (!lab)
719
0
            return 0;
720
0
        ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
721
0
        if (ret <= 0)
722
0
            OPENSSL_free(lab);
723
0
        return ret;
724
0
    }
725
726
0
    return -2;
727
0
}
728
729
/* Set PSS parameters when generating a key, if necessary */
730
static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
731
0
{
732
0
    RSA_PKEY_CTX *rctx = ctx->data;
733
734
0
    if (!pkey_ctx_is_pss(ctx))
735
0
        return 1;
736
    /* If all parameters are default values don't set pss */
737
0
    if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2)
738
0
        return 1;
739
0
    rsa->pss = ossl_rsa_pss_params_create(rctx->md, rctx->mgf1md,
740
0
                                          rctx->saltlen == -2
741
0
                                          ? 0 : rctx->saltlen);
742
0
    if (rsa->pss == NULL)
743
0
        return 0;
744
0
    return 1;
745
0
}
746
747
static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
748
0
{
749
0
    RSA *rsa = NULL;
750
0
    RSA_PKEY_CTX *rctx = ctx->data;
751
0
    BN_GENCB *pcb;
752
0
    int ret;
753
754
0
    if (rctx->pub_exp == NULL) {
755
0
        rctx->pub_exp = BN_new();
756
0
        if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4))
757
0
            return 0;
758
0
    }
759
0
    rsa = RSA_new();
760
0
    if (rsa == NULL)
761
0
        return 0;
762
0
    if (ctx->pkey_gencb) {
763
0
        pcb = BN_GENCB_new();
764
0
        if (pcb == NULL) {
765
0
            RSA_free(rsa);
766
0
            return 0;
767
0
        }
768
0
        evp_pkey_set_cb_translate(pcb, ctx);
769
0
    } else {
770
0
        pcb = NULL;
771
0
    }
772
0
    ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes,
773
0
                                       rctx->pub_exp, pcb);
774
0
    BN_GENCB_free(pcb);
775
0
    if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
776
0
        RSA_free(rsa);
777
0
        return 0;
778
0
    }
779
0
    if (ret > 0)
780
0
        EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
781
0
    else
782
0
        RSA_free(rsa);
783
0
    return ret;
784
0
}
785
786
static const EVP_PKEY_METHOD rsa_pkey_meth = {
787
    EVP_PKEY_RSA,
788
    EVP_PKEY_FLAG_AUTOARGLEN,
789
    pkey_rsa_init,
790
    pkey_rsa_copy,
791
    pkey_rsa_cleanup,
792
793
    0, 0,
794
795
    0,
796
    pkey_rsa_keygen,
797
798
    0,
799
    pkey_rsa_sign,
800
801
    0,
802
    pkey_rsa_verify,
803
804
    0,
805
    pkey_rsa_verifyrecover,
806
807
    0, 0, 0, 0,
808
809
    0,
810
    pkey_rsa_encrypt,
811
812
    0,
813
    pkey_rsa_decrypt,
814
815
    0, 0,
816
817
    pkey_rsa_ctrl,
818
    pkey_rsa_ctrl_str
819
};
820
821
const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void)
822
0
{
823
0
    return &rsa_pkey_meth;
824
0
}
825
826
/*
827
 * Called for PSS sign or verify initialisation: checks PSS parameter
828
 * sanity and sets any restrictions on key usage.
829
 */
830
831
static int pkey_pss_init(EVP_PKEY_CTX *ctx)
832
0
{
833
0
    const RSA *rsa;
834
0
    RSA_PKEY_CTX *rctx = ctx->data;
835
0
    const EVP_MD *md;
836
0
    const EVP_MD *mgf1md;
837
0
    int min_saltlen, max_saltlen;
838
839
    /* Should never happen */
840
0
    if (!pkey_ctx_is_pss(ctx))
841
0
        return 0;
842
0
    rsa = EVP_PKEY_get0_RSA(ctx->pkey);
843
    /* If no restrictions just return */
844
0
    if (rsa->pss == NULL)
845
0
        return 1;
846
    /* Get and check parameters */
847
0
    if (!ossl_rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
848
0
        return 0;
849
850
    /* See if minimum salt length exceeds maximum possible */
851
0
    max_saltlen = RSA_size(rsa) - EVP_MD_get_size(md);
852
0
    if ((RSA_bits(rsa) & 0x7) == 1)
853
0
        max_saltlen--;
854
0
    if (min_saltlen > max_saltlen) {
855
0
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
856
0
        return 0;
857
0
    }
858
859
0
    rctx->min_saltlen = min_saltlen;
860
861
    /*
862
     * Set PSS restrictions as defaults: we can then block any attempt to
863
     * use invalid values in pkey_rsa_ctrl
864
     */
865
866
0
    rctx->md = md;
867
0
    rctx->mgf1md = mgf1md;
868
0
    rctx->saltlen = min_saltlen;
869
870
0
    return 1;
871
0
}
872
873
static const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
874
    EVP_PKEY_RSA_PSS,
875
    EVP_PKEY_FLAG_AUTOARGLEN,
876
    pkey_rsa_init,
877
    pkey_rsa_copy,
878
    pkey_rsa_cleanup,
879
880
    0, 0,
881
882
    0,
883
    pkey_rsa_keygen,
884
885
    pkey_pss_init,
886
    pkey_rsa_sign,
887
888
    pkey_pss_init,
889
    pkey_rsa_verify,
890
891
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
892
893
    pkey_rsa_ctrl,
894
    pkey_rsa_ctrl_str
895
};
896
897
const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void)
898
0
{
899
0
    return &rsa_pss_pkey_meth;
900
0
}