Add RSA CMS support.

From OpenSSL 1.1.1d. ok tb@
author: jsing <> 2019-11-01 15:13:05 +0000
committer: jsing <> 2019-11-01 15:13:05 +0000
commit: 628860a8cbda02902b4ecf9df3ed29952a9906dc (patch)
tree: 9670b0581913a617788b7a7b9a4f23aa38dcda51 /src/lib
parent: 1b53be8dd5796a109c3b7931b481f05e3c082740 (diff)
download: openbsd-628860a8cbda02902b4ecf9df3ed29952a9906dc.tar.gz
openbsd-628860a8cbda02902b4ecf9df3ed29952a9906dc.tar.bz2
openbsd-628860a8cbda02902b4ecf9df3ed29952a9906dc.zip
3 files changed, 262 insertions, 5 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 86e5f8e20f..638bad7cc6 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.h,v 1.46 2019/11/01 03:45:13 jsing Exp $ */
+/* $OpenBSD: rsa.h,v 1.47 2019/11/01 15:13:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -627,8 +627,10 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_INVALID_DIGEST_LENGTH                      143
 #define RSA_R_INVALID_HEADER                             137
 #define RSA_R_INVALID_KEYBITS                            145
+#define RSA_R_INVALID_LABEL                              160
 #define RSA_R_INVALID_MESSAGE_LENGTH                     131
 #define RSA_R_INVALID_MGF1_MD                            156
+#define RSA_R_INVALID_OAEP_PARAMETERS                    161
 #define RSA_R_INVALID_PADDING                            138
 #define RSA_R_INVALID_PADDING_MODE                       141
 #define RSA_R_INVALID_PSS_PARAMETERS                     149
@@ -662,6 +664,8 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_UNKNOWN_MASK_DIGEST                        151
 #define RSA_R_UNKNOWN_PADDING_TYPE                       118
 #define RSA_R_UNKNOWN_PSS_DIGEST                         152
+#define RSA_R_UNSUPPORTED_ENCRYPTION_TYPE                162
+#define RSA_R_UNSUPPORTED_LABEL_SOURCE                   163
 #define RSA_R_UNSUPPORTED_MASK_ALGORITHM                 153
 #define RSA_R_UNSUPPORTED_MASK_PARAMETER                 154
 #define RSA_R_UNSUPPORTED_SIGNATURE_TYPE                 155
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index d23848d0d5..a7e042ef2c 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ameth.c,v 1.21 2019/11/01 03:45:13 jsing Exp $ */
+/* $OpenBSD: rsa_ameth.c,v 1.22 2019/11/01 15:13:05 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -62,13 +62,22 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
+#include <openssl/cms.h>
 #include <openssl/err.h>
-#include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include "asn1_locl.h"
+#include "cryptlib.h"
+#include "evp_locl.h"
 #include "rsa_locl.h"
+#ifndef OPENSSL_NO_CMS
+static int rsa_cms_sign(CMS_SignerInfo *si);
+static int rsa_cms_verify(CMS_SignerInfo *si);
+static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
+static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
+#endif
 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
 /* Set any parameters associated with pkey */
@@ -490,6 +499,29 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
                if (arg1 == 0)
                        PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
                break;
+#ifndef OPENSSL_NO_CMS
+        case ASN1_PKEY_CTRL_CMS_SIGN:
+                if (arg1 == 0)
+                        return rsa_cms_sign(arg2);
+                else if (arg1 == 1)
+                        return rsa_cms_verify(arg2);
+                break;
+        case ASN1_PKEY_CTRL_CMS_ENVELOPE:
+                if (pkey_is_pss(pkey))
+                        return -2;
+                if (arg1 == 0)
+                        return rsa_cms_encrypt(arg2);
+                else if (arg1 == 1)
+                        return rsa_cms_decrypt(arg2);
+                break;
+        case ASN1_PKEY_CTRL_CMS_RI_TYPE:
+                if (pkey_is_pss(pkey))
+                        return -2;
+                *(int *)arg2 = CMS_RECIPINFO_TRANS;
+                return 1;
+#endif
        case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
                if (pkey->pkey.rsa->pss != NULL) {
@@ -735,11 +767,38 @@ rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
        return 1;
 }
+#ifndef OPENSSL_NO_CMS
+static int
+rsa_cms_verify(CMS_SignerInfo *si)
+{
+        int nid, nid2;
+        X509_ALGOR *alg;
+        EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
+        CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
+        nid = OBJ_obj2nid(alg->algorithm);
+        if (nid == EVP_PKEY_RSA_PSS)
+                return rsa_pss_to_ctx(NULL, pkctx, alg, NULL);
+        /* Only PSS allowed for PSS keys */
+        if (pkey_ctx_is_pss(pkctx)) {
+                RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+                return 0;
+        }
+        if (nid == NID_rsaEncryption)
+                return 1;
+        /* Workaround for some implementation that use a signature OID */
+        if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
+                if (nid2 == NID_rsaEncryption)
+                        return 1;
+        }
+        return 0;
+}
+#endif
 /*
 * Customised RSA item verification routine. This is called when a signature
 * is encountered requiring special handling. We currently only handle PSS.
 */
 static int
 rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
    X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
@@ -756,6 +815,35 @@ rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
        return -1;
 }
+#ifndef OPENSSL_NO_CMS
+static int
+rsa_cms_sign(CMS_SignerInfo *si)
+{
+        int pad_mode = RSA_PKCS1_PADDING;
+        X509_ALGOR *alg;
+        EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
+        ASN1_STRING *os = NULL;
+        CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
+        if (pkctx) {
+                if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
+                        return 0;
+        }
+        if (pad_mode == RSA_PKCS1_PADDING) {
+                X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
+                return 1;
+        }
+        /* We don't support it */
+        if (pad_mode != RSA_PKCS1_PSS_PADDING)
+                return 0;
+        os = rsa_ctx_to_pss_string(pkctx);
+        if (!os)
+                return 0;
+        X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
+        return 1;
+}
+#endif
 static int
 rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
    X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
@@ -789,6 +877,167 @@ rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
        return 2;
 }
+#ifndef OPENSSL_NO_CMS
+static RSA_OAEP_PARAMS *
+rsa_oaep_decode(const X509_ALGOR *alg)
+{
+        RSA_OAEP_PARAMS *oaep;
+        oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter);
+        if (oaep == NULL)
+                return NULL;
+        if (oaep->maskGenFunc != NULL) {
+                oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
+                if (oaep->maskHash == NULL) {
+                        RSA_OAEP_PARAMS_free(oaep);
+                        return NULL;
+                }
+        }
+        return oaep;
+}
+static int
+rsa_cms_decrypt(CMS_RecipientInfo *ri)
+{
+        EVP_PKEY_CTX *pkctx;
+        X509_ALGOR *cmsalg;
+        int nid;
+        int rv = -1;
+        unsigned char *label = NULL;
+        int labellen = 0;
+        const EVP_MD *mgf1md = NULL, *md = NULL;
+        RSA_OAEP_PARAMS *oaep;
+        pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+        if (pkctx == NULL)
+                return 0;
+        if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
+                return -1;
+        nid = OBJ_obj2nid(cmsalg->algorithm);
+        if (nid == NID_rsaEncryption)
+                return 1;
+        if (nid != NID_rsaesOaep) {
+                RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
+                return -1;
+        }
+        /* Decode OAEP parameters */
+        oaep = rsa_oaep_decode(cmsalg);
+        if (oaep == NULL) {
+                RSAerror(RSA_R_INVALID_OAEP_PARAMETERS);
+                goto err;
+        }
+        mgf1md = rsa_algor_to_md(oaep->maskHash);
+        if (mgf1md == NULL)
+                goto err;
+        md = rsa_algor_to_md(oaep->hashFunc);
+        if (md == NULL)
+                goto err;
+        if (oaep->pSourceFunc != NULL) {
+                X509_ALGOR *plab = oaep->pSourceFunc;
+                if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
+                        RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE);
+                        goto err;
+                }
+                if (plab->parameter->type != V_ASN1_OCTET_STRING) {
+                        RSAerror(RSA_R_INVALID_LABEL);
+                        goto err;
+                }
+                label = plab->parameter->value.octet_string->data;
+                /* Stop label being freed when OAEP parameters are freed */
+                /* XXX - this leaks label on error... */
+                plab->parameter->value.octet_string->data = NULL;
+                labellen = plab->parameter->value.octet_string->length;
+        }
+        if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
+                goto err;
+        if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
+                goto err;
+        if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
+                goto err;
+        if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
+                goto err;
+        rv = 1;
+ err:
+        RSA_OAEP_PARAMS_free(oaep);
+        return rv;
+}
+static int
+rsa_cms_encrypt(CMS_RecipientInfo *ri)
+{
+        const EVP_MD *md, *mgf1md;
+        RSA_OAEP_PARAMS *oaep = NULL;
+        ASN1_STRING *os = NULL;
+        X509_ALGOR *alg;
+        EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+        int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
+        unsigned char *label;
+        if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0)
+                return 0;
+        if (pkctx) {
+                if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
+                        return 0;
+        }
+        if (pad_mode == RSA_PKCS1_PADDING) {
+                X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
+                return 1;
+        }
+        /* Not supported */
+        if (pad_mode != RSA_PKCS1_OAEP_PADDING)
+                return 0;
+        if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0)
+                goto err;
+        if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
+                goto err;
+        labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
+        if (labellen < 0)
+                goto err;
+        oaep = RSA_OAEP_PARAMS_new();
+        if (oaep == NULL)
+                goto err;
+        if (!rsa_md_to_algor(&oaep->hashFunc, md))
+                goto err;
+        if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
+                goto err;
+        if (labellen > 0) {
+                ASN1_OCTET_STRING *los;
+                oaep->pSourceFunc = X509_ALGOR_new();
+                if (oaep->pSourceFunc == NULL)
+                        goto err;
+                los = ASN1_OCTET_STRING_new();
+                if (los == NULL)
+                        goto err;
+                if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
+                        ASN1_OCTET_STRING_free(los);
+                        goto err;
+                }
+                X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
+                    V_ASN1_OCTET_STRING, los);
+        }
+        /* create string with pss parameter encoding. */
+        if (!ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, &os))
+                 goto err;
+        X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
+        os = NULL;
+        rv = 1;
+ err:
+        RSA_OAEP_PARAMS_free(oaep);
+        ASN1_STRING_free(os);
+        return rv;
+}
+#endif
 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
        {
                .pkey_id = EVP_PKEY_RSA,
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index 9924dac581..46149370d8 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_err.c,v 1.19 2019/11/01 03:45:13 jsing Exp $ */
+/* $OpenBSD: rsa_err.c,v 1.20 2019/11/01 15:13:05 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
 *
@@ -101,9 +101,11 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
        {ERR_REASON(RSA_R_INVALID_DIGEST)        , "invalid digest"},
        {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"},
        {ERR_REASON(RSA_R_INVALID_HEADER)        , "invalid header"},
+        {ERR_REASON(RSA_R_INVALID_LABEL)         , "invalid label"},
        {ERR_REASON(RSA_R_INVALID_KEYBITS)       , "invalid keybits"},
        {ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH), "invalid message length"},
        {ERR_REASON(RSA_R_INVALID_MGF1_MD)       , "invalid mgf1 md"},
+        {ERR_REASON(RSA_R_INVALID_OAEP_PARAMETERS), "invalid oaep parameters"},
        {ERR_REASON(RSA_R_INVALID_PADDING)       , "invalid padding"},
        {ERR_REASON(RSA_R_INVALID_PADDING_MODE)  , "invalid padding mode"},
        {ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS), "invalid pss parameters"},
@@ -137,6 +139,8 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
        {ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST)   , "unknown mask digest"},
        {ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE)  , "unknown padding type"},
        {ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST)    , "unknown pss digest"},
+        {ERR_REASON(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE), "unsupported encryption type"},
+        {ERR_REASON(RSA_R_UNSUPPORTED_LABEL_SOURCE), "unsupported label source"},
        {ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM), "unsupported mask algorithm"},
        {ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"},
        {ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"},
author	jsing <>	2019-11-01 15:13:05 +0000
committer	jsing <>	2019-11-01 15:13:05 +0000
commit	628860a8cbda02902b4ecf9df3ed29952a9906dc (patch)
tree	9670b0581913a617788b7a7b9a4f23aa38dcda51 /src/lib
parent	1b53be8dd5796a109c3b7931b481f05e3c082740 (diff)
download	openbsd-628860a8cbda02902b4ecf9df3ed29952a9906dc.tar.gz openbsd-628860a8cbda02902b4ecf9df3ed29952a9906dc.tar.bz2 openbsd-628860a8cbda02902b4ecf9df3ed29952a9906dc.zip

diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h index 86e5f8e20f..638bad7cc6 100644 --- a/src/lib/libcrypto/rsa/rsa.h +++ b/src/lib/libcrypto/rsa/rsa.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa.h,v 1.46 2019/11/01 03:45:13 jsing Exp $ */	1	/* $OpenBSD: rsa.h,v 1.47 2019/11/01 15:13:05 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -627,8 +627,10 @@ void ERR_load_RSA_strings(void);
627	#define RSA_R_INVALID_DIGEST_LENGTH 143	627	#define RSA_R_INVALID_DIGEST_LENGTH 143
628	#define RSA_R_INVALID_HEADER 137	628	#define RSA_R_INVALID_HEADER 137
629	#define RSA_R_INVALID_KEYBITS 145	629	#define RSA_R_INVALID_KEYBITS 145
		630	#define RSA_R_INVALID_LABEL 160
630	#define RSA_R_INVALID_MESSAGE_LENGTH 131	631	#define RSA_R_INVALID_MESSAGE_LENGTH 131
631	#define RSA_R_INVALID_MGF1_MD 156	632	#define RSA_R_INVALID_MGF1_MD 156
		633	#define RSA_R_INVALID_OAEP_PARAMETERS 161
632	#define RSA_R_INVALID_PADDING 138	634	#define RSA_R_INVALID_PADDING 138
633	#define RSA_R_INVALID_PADDING_MODE 141	635	#define RSA_R_INVALID_PADDING_MODE 141
634	#define RSA_R_INVALID_PSS_PARAMETERS 149	636	#define RSA_R_INVALID_PSS_PARAMETERS 149
@@ -662,6 +664,8 @@ void ERR_load_RSA_strings(void);
662	#define RSA_R_UNKNOWN_MASK_DIGEST 151	664	#define RSA_R_UNKNOWN_MASK_DIGEST 151
663	#define RSA_R_UNKNOWN_PADDING_TYPE 118	665	#define RSA_R_UNKNOWN_PADDING_TYPE 118
664	#define RSA_R_UNKNOWN_PSS_DIGEST 152	666	#define RSA_R_UNKNOWN_PSS_DIGEST 152
		667	#define RSA_R_UNSUPPORTED_ENCRYPTION_TYPE 162
		668	#define RSA_R_UNSUPPORTED_LABEL_SOURCE 163
665	#define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153	669	#define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
666	#define RSA_R_UNSUPPORTED_MASK_PARAMETER 154	670	#define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
667	#define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155	671	#define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155


diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c index d23848d0d5..a7e042ef2c 100644 --- a/src/lib/libcrypto/rsa/rsa_ameth.c +++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_ameth.c,v 1.21 2019/11/01 03:45:13 jsing Exp $ */	1	/* $OpenBSD: rsa_ameth.c,v 1.22 2019/11/01 15:13:05 jsing Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -62,13 +62,22 @@
62		62
63	#include <openssl/asn1t.h>	63	#include <openssl/asn1t.h>
64	#include <openssl/bn.h>	64	#include <openssl/bn.h>
		65	#include <openssl/cms.h>
65	#include <openssl/err.h>	66	#include <openssl/err.h>
66	#include <openssl/rsa.h>
67	#include <openssl/x509.h>	67	#include <openssl/x509.h>
68		68
69	#include "asn1_locl.h"	69	#include "asn1_locl.h"
		70	#include "cryptlib.h"
		71	#include "evp_locl.h"
70	#include "rsa_locl.h"	72	#include "rsa_locl.h"
71		73
		74	#ifndef OPENSSL_NO_CMS
		75	static int rsa_cms_sign(CMS_SignerInfo *si);
		76	static int rsa_cms_verify(CMS_SignerInfo *si);
		77	static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
		78	static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
		79	#endif
		80
72	static RSA_PSS_PARAMS rsa_pss_decode(const X509_ALGOR alg);	81	static RSA_PSS_PARAMS rsa_pss_decode(const X509_ALGOR alg);
73		82
74	/* Set any parameters associated with pkey */	83	/* Set any parameters associated with pkey */
@@ -490,6 +499,29 @@ rsa_pkey_ctrl(EVP_PKEY pkey, int op, long arg1, void arg2)
490	if (arg1 == 0)	499	if (arg1 == 0)
491	PKCS7_RECIP_INFO_get0_alg(arg2, &alg);	500	PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
492	break;	501	break;
		502	#ifndef OPENSSL_NO_CMS
		503	case ASN1_PKEY_CTRL_CMS_SIGN:
		504	if (arg1 == 0)
		505	return rsa_cms_sign(arg2);
		506	else if (arg1 == 1)
		507	return rsa_cms_verify(arg2);
		508	break;
		509
		510	case ASN1_PKEY_CTRL_CMS_ENVELOPE:
		511	if (pkey_is_pss(pkey))
		512	return -2;
		513	if (arg1 == 0)
		514	return rsa_cms_encrypt(arg2);
		515	else if (arg1 == 1)
		516	return rsa_cms_decrypt(arg2);
		517	break;
		518
		519	case ASN1_PKEY_CTRL_CMS_RI_TYPE:
		520	if (pkey_is_pss(pkey))
		521	return -2;
		522	(int )arg2 = CMS_RECIPINFO_TRANS;
		523	return 1;
		524	#endif
493		525
494	case ASN1_PKEY_CTRL_DEFAULT_MD_NID:	526	case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
495	if (pkey->pkey.rsa->pss != NULL) {	527	if (pkey->pkey.rsa->pss != NULL) {
@@ -735,11 +767,38 @@ rsa_pss_get_param(const RSA_PSS_PARAMS pss, const EVP_MD *pmd,
735	return 1;	767	return 1;
736	}	768	}
737		769
		770	#ifndef OPENSSL_NO_CMS
		771	static int
		772	rsa_cms_verify(CMS_SignerInfo *si)
		773	{
		774	int nid, nid2;
		775	X509_ALGOR *alg;
		776	EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
		777
		778	CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
		779	nid = OBJ_obj2nid(alg->algorithm);
		780	if (nid == EVP_PKEY_RSA_PSS)
		781	return rsa_pss_to_ctx(NULL, pkctx, alg, NULL);
		782	/* Only PSS allowed for PSS keys */
		783	if (pkey_ctx_is_pss(pkctx)) {
		784	RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
		785	return 0;
		786	}
		787	if (nid == NID_rsaEncryption)
		788	return 1;
		789	/* Workaround for some implementation that use a signature OID */
		790	if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
		791	if (nid2 == NID_rsaEncryption)
		792	return 1;
		793	}
		794	return 0;
		795	}
		796	#endif
		797
738	/*	798	/*
739	* Customised RSA item verification routine. This is called when a signature	799	* Customised RSA item verification routine. This is called when a signature
740	* is encountered requiring special handling. We currently only handle PSS.	800	* is encountered requiring special handling. We currently only handle PSS.
741	*/	801	*/
742
743	static int	802	static int
744	rsa_item_verify(EVP_MD_CTX ctx, const ASN1_ITEM it, void *asn,	803	rsa_item_verify(EVP_MD_CTX ctx, const ASN1_ITEM it, void *asn,
745	X509_ALGOR sigalg, ASN1_BIT_STRING sig, EVP_PKEY *pkey)	804	X509_ALGOR sigalg, ASN1_BIT_STRING sig, EVP_PKEY *pkey)
@@ -756,6 +815,35 @@ rsa_item_verify(EVP_MD_CTX ctx, const ASN1_ITEM it, void *asn,
756	return -1;	815	return -1;
757	}	816	}
758		817
		818	#ifndef OPENSSL_NO_CMS
		819	static int
		820	rsa_cms_sign(CMS_SignerInfo *si)
		821	{
		822	int pad_mode = RSA_PKCS1_PADDING;
		823	X509_ALGOR *alg;
		824	EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
		825	ASN1_STRING *os = NULL;
		826
		827	CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
		828	if (pkctx) {
		829	if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
		830	return 0;
		831	}
		832	if (pad_mode == RSA_PKCS1_PADDING) {
		833	X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
		834	return 1;
		835	}
		836	/* We don't support it */
		837	if (pad_mode != RSA_PKCS1_PSS_PADDING)
		838	return 0;
		839	os = rsa_ctx_to_pss_string(pkctx);
		840	if (!os)
		841	return 0;
		842	X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
		843	return 1;
		844	}
		845	#endif
		846
759	static int	847	static int
760	rsa_item_sign(EVP_MD_CTX ctx, const ASN1_ITEM it, void *asn,	848	rsa_item_sign(EVP_MD_CTX ctx, const ASN1_ITEM it, void *asn,
761	X509_ALGOR alg1, X509_ALGOR alg2, ASN1_BIT_STRING *sig)	849	X509_ALGOR alg1, X509_ALGOR alg2, ASN1_BIT_STRING *sig)
@@ -789,6 +877,167 @@ rsa_item_sign(EVP_MD_CTX ctx, const ASN1_ITEM it, void *asn,
789	return 2;	877	return 2;
790	}	878	}
791		879
		880	#ifndef OPENSSL_NO_CMS
		881	static RSA_OAEP_PARAMS *
		882	rsa_oaep_decode(const X509_ALGOR *alg)
		883	{
		884	RSA_OAEP_PARAMS *oaep;
		885
		886	oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter);
		887	if (oaep == NULL)
		888	return NULL;
		889
		890	if (oaep->maskGenFunc != NULL) {
		891	oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
		892	if (oaep->maskHash == NULL) {
		893	RSA_OAEP_PARAMS_free(oaep);
		894	return NULL;
		895	}
		896	}
		897	return oaep;
		898	}
		899
		900	static int
		901	rsa_cms_decrypt(CMS_RecipientInfo *ri)
		902	{
		903	EVP_PKEY_CTX *pkctx;
		904	X509_ALGOR *cmsalg;
		905	int nid;
		906	int rv = -1;
		907	unsigned char *label = NULL;
		908	int labellen = 0;
		909	const EVP_MD mgf1md = NULL, md = NULL;
		910	RSA_OAEP_PARAMS *oaep;
		911
		912	pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
		913	if (pkctx == NULL)
		914	return 0;
		915	if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
		916	return -1;
		917	nid = OBJ_obj2nid(cmsalg->algorithm);
		918	if (nid == NID_rsaEncryption)
		919	return 1;
		920	if (nid != NID_rsaesOaep) {
		921	RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
		922	return -1;
		923	}
		924	/* Decode OAEP parameters */
		925	oaep = rsa_oaep_decode(cmsalg);
		926
		927	if (oaep == NULL) {
		928	RSAerror(RSA_R_INVALID_OAEP_PARAMETERS);
		929	goto err;
		930	}
		931
		932	mgf1md = rsa_algor_to_md(oaep->maskHash);
		933	if (mgf1md == NULL)
		934	goto err;
		935	md = rsa_algor_to_md(oaep->hashFunc);
		936	if (md == NULL)
		937	goto err;
		938
		939	if (oaep->pSourceFunc != NULL) {
		940	X509_ALGOR *plab = oaep->pSourceFunc;
		941
		942	if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
		943	RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE);
		944	goto err;
		945	}
		946	if (plab->parameter->type != V_ASN1_OCTET_STRING) {
		947	RSAerror(RSA_R_INVALID_LABEL);
		948	goto err;
		949	}
		950
		951	label = plab->parameter->value.octet_string->data;
		952
		953	/* Stop label being freed when OAEP parameters are freed */
		954	/* XXX - this leaks label on error... */
		955	plab->parameter->value.octet_string->data = NULL;
		956	labellen = plab->parameter->value.octet_string->length;
		957	}
		958
		959	if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
		960	goto err;
		961	if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
		962	goto err;
		963	if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
		964	goto err;
		965	if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
		966	goto err;
		967
		968	rv = 1;
		969
		970	err:
		971	RSA_OAEP_PARAMS_free(oaep);
		972	return rv;
		973	}
		974
		975	static int
		976	rsa_cms_encrypt(CMS_RecipientInfo *ri)
		977	{
		978	const EVP_MD md, mgf1md;
		979	RSA_OAEP_PARAMS *oaep = NULL;
		980	ASN1_STRING *os = NULL;
		981	X509_ALGOR *alg;
		982	EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
		983	int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
		984	unsigned char *label;
		985
		986	if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0)
		987	return 0;
		988	if (pkctx) {
		989	if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
		990	return 0;
		991	}
		992	if (pad_mode == RSA_PKCS1_PADDING) {
		993	X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
		994	return 1;
		995	}
		996	/* Not supported */
		997	if (pad_mode != RSA_PKCS1_OAEP_PADDING)
		998	return 0;
		999	if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0)
		1000	goto err;
		1001	if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
		1002	goto err;
		1003	labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
		1004	if (labellen < 0)
		1005	goto err;
		1006	oaep = RSA_OAEP_PARAMS_new();
		1007	if (oaep == NULL)
		1008	goto err;
		1009	if (!rsa_md_to_algor(&oaep->hashFunc, md))
		1010	goto err;
		1011	if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
		1012	goto err;
		1013	if (labellen > 0) {
		1014	ASN1_OCTET_STRING *los;
		1015	oaep->pSourceFunc = X509_ALGOR_new();
		1016	if (oaep->pSourceFunc == NULL)
		1017	goto err;
		1018	los = ASN1_OCTET_STRING_new();
		1019	if (los == NULL)
		1020	goto err;
		1021	if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
		1022	ASN1_OCTET_STRING_free(los);
		1023	goto err;
		1024	}
		1025	X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
		1026	V_ASN1_OCTET_STRING, los);
		1027	}
		1028	/* create string with pss parameter encoding. */
		1029	if (!ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, &os))
		1030	goto err;
		1031	X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
		1032	os = NULL;
		1033	rv = 1;
		1034	err:
		1035	RSA_OAEP_PARAMS_free(oaep);
		1036	ASN1_STRING_free(os);
		1037	return rv;
		1038	}
		1039	#endif
		1040
792	const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {	1041	const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
793	{	1042	{
794	.pkey_id = EVP_PKEY_RSA,	1043	.pkey_id = EVP_PKEY_RSA,


diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c index 9924dac581..46149370d8 100644 --- a/src/lib/libcrypto/rsa/rsa_err.c +++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_err.c,v 1.19 2019/11/01 03:45:13 jsing Exp $ */	1	/* $OpenBSD: rsa_err.c,v 1.20 2019/11/01 15:13:05 jsing Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -101,9 +101,11 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
101	{ERR_REASON(RSA_R_INVALID_DIGEST) , "invalid digest"},	101	{ERR_REASON(RSA_R_INVALID_DIGEST) , "invalid digest"},
102	{ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"},	102	{ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"},
103	{ERR_REASON(RSA_R_INVALID_HEADER) , "invalid header"},	103	{ERR_REASON(RSA_R_INVALID_HEADER) , "invalid header"},
		104	{ERR_REASON(RSA_R_INVALID_LABEL) , "invalid label"},
104	{ERR_REASON(RSA_R_INVALID_KEYBITS) , "invalid keybits"},	105	{ERR_REASON(RSA_R_INVALID_KEYBITS) , "invalid keybits"},
105	{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH), "invalid message length"},	106	{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH), "invalid message length"},
106	{ERR_REASON(RSA_R_INVALID_MGF1_MD) , "invalid mgf1 md"},	107	{ERR_REASON(RSA_R_INVALID_MGF1_MD) , "invalid mgf1 md"},
		108	{ERR_REASON(RSA_R_INVALID_OAEP_PARAMETERS), "invalid oaep parameters"},
107	{ERR_REASON(RSA_R_INVALID_PADDING) , "invalid padding"},	109	{ERR_REASON(RSA_R_INVALID_PADDING) , "invalid padding"},
108	{ERR_REASON(RSA_R_INVALID_PADDING_MODE) , "invalid padding mode"},	110	{ERR_REASON(RSA_R_INVALID_PADDING_MODE) , "invalid padding mode"},
109	{ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS), "invalid pss parameters"},	111	{ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS), "invalid pss parameters"},
@@ -137,6 +139,8 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
137	{ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) , "unknown mask digest"},	139	{ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) , "unknown mask digest"},
138	{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) , "unknown padding type"},	140	{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) , "unknown padding type"},
139	{ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) , "unknown pss digest"},	141	{ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) , "unknown pss digest"},
		142	{ERR_REASON(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE), "unsupported encryption type"},
		143	{ERR_REASON(RSA_R_UNSUPPORTED_LABEL_SOURCE), "unsupported label source"},
140	{ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM), "unsupported mask algorithm"},	144	{ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM), "unsupported mask algorithm"},
141	{ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"},	145	{ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"},
142	{ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"},	146	{ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"},