diff options
| author | jsing <> | 2019-10-29 08:00:18 +0000 |
|---|---|---|
| committer | jsing <> | 2019-10-29 08:00:18 +0000 |
| commit | ea080b270c97cb89cf1984550c9125f8b38b0caf (patch) | |
| tree | 5aa520500126d3b5a6e1e7ef6c87bc4b779ecc58 /src/lib | |
| parent | c20b0b4d3d1da89ee904502f4241815376c15133 (diff) | |
| download | openbsd-ea080b270c97cb89cf1984550c9125f8b38b0caf.tar.gz openbsd-ea080b270c97cb89cf1984550c9125f8b38b0caf.tar.bz2 openbsd-ea080b270c97cb89cf1984550c9125f8b38b0caf.zip | |
Update RSA OAEP code.
This syncs the RSA OAEP code with OpenSSL 1.1.1d, correctly handling OAEP
padding and providing various OAEP related controls.
ok inoguchi@ tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa.h | 34 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_pmeth.c | 111 |
2 files changed, 124 insertions, 21 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h index db10049e0e..d3f9bee3a5 100644 --- a/src/lib/libcrypto/rsa/rsa.h +++ b/src/lib/libcrypto/rsa/rsa.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: rsa.h,v 1.43 2019/10/24 15:54:29 jsing Exp $ */ | 1 | /* $OpenBSD: rsa.h,v 1.44 2019/10/29 08:00:18 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -237,17 +237,39 @@ struct rsa_st { | |||
| 237 | EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \ | 237 | EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \ |
| 238 | EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd) | 238 | EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd) |
| 239 | 239 | ||
| 240 | #define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) | 240 | #define EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \ |
| 241 | #define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) | 241 | EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ |
| 242 | EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)) | ||
| 242 | 243 | ||
| 243 | #define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3) | 244 | #define EVP_PKEY_CTX_get_rsa_oaep_md(ctx, pmd) \ |
| 244 | #define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4) | 245 | EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ |
| 245 | #define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5) | 246 | EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)(pmd)) |
| 247 | |||
| 248 | #define EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen) \ | ||
| 249 | EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ | ||
| 250 | EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)(l)) | ||
| 251 | |||
| 252 | #define EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, l) \ | ||
| 253 | EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ | ||
| 254 | EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *)(l)) | ||
| 255 | |||
| 256 | #define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) | ||
| 257 | #define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) | ||
| 258 | |||
| 259 | #define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3) | ||
| 260 | #define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4) | ||
| 261 | #define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5) | ||
| 246 | 262 | ||
| 247 | #define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6) | 263 | #define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6) |
| 248 | #define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7) | 264 | #define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7) |
| 249 | #define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8) | 265 | #define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8) |
| 250 | 266 | ||
| 267 | #define EVP_PKEY_CTRL_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 9) | ||
| 268 | #define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 10) | ||
| 269 | |||
| 270 | #define EVP_PKEY_CTRL_GET_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 11) | ||
| 271 | #define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12) | ||
| 272 | |||
| 251 | #define RSA_PKCS1_PADDING 1 | 273 | #define RSA_PKCS1_PADDING 1 |
| 252 | #define RSA_SSLV23_PADDING 2 | 274 | #define RSA_SSLV23_PADDING 2 |
| 253 | #define RSA_NO_PADDING 3 | 275 | #define RSA_NO_PADDING 3 |
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c index d0cc50cd9f..a5dd86a5de 100644 --- a/src/lib/libcrypto/rsa/rsa_pmeth.c +++ b/src/lib/libcrypto/rsa/rsa_pmeth.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: rsa_pmeth.c,v 1.22 2019/09/09 18:06:26 jsing Exp $ */ | 1 | /* $OpenBSD: rsa_pmeth.c,v 1.23 2019/10/29 08:00:18 jsing Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2006. | 3 | * project 2006. |
| 4 | */ | 4 | */ |
| @@ -68,7 +68,7 @@ | |||
| 68 | #include <openssl/evp.h> | 68 | #include <openssl/evp.h> |
| 69 | #include <openssl/rsa.h> | 69 | #include <openssl/rsa.h> |
| 70 | #include <openssl/x509.h> | 70 | #include <openssl/x509.h> |
| 71 | 71 | #include <openssl/x509v3.h> | |
| 72 | 72 | ||
| 73 | #include "evp_locl.h" | 73 | #include "evp_locl.h" |
| 74 | #include "rsa_locl.h" | 74 | #include "rsa_locl.h" |
| @@ -87,10 +87,13 @@ typedef struct { | |||
| 87 | const EVP_MD *md; | 87 | const EVP_MD *md; |
| 88 | /* message digest for MGF1 */ | 88 | /* message digest for MGF1 */ |
| 89 | const EVP_MD *mgf1md; | 89 | const EVP_MD *mgf1md; |
| 90 | /* PSS/OAEP salt length */ | 90 | /* PSS salt length */ |
| 91 | int saltlen; | 91 | int saltlen; |
| 92 | /* Temp buffer */ | 92 | /* Temp buffer */ |
| 93 | unsigned char *tbuf; | 93 | unsigned char *tbuf; |
| 94 | /* OAEP label */ | ||
| 95 | unsigned char *oaep_label; | ||
| 96 | size_t oaep_labellen; | ||
| 94 | } RSA_PKEY_CTX; | 97 | } RSA_PKEY_CTX; |
| 95 | 98 | ||
| 96 | static int | 99 | static int |
| @@ -98,15 +101,11 @@ pkey_rsa_init(EVP_PKEY_CTX *ctx) | |||
| 98 | { | 101 | { |
| 99 | RSA_PKEY_CTX *rctx; | 102 | RSA_PKEY_CTX *rctx; |
| 100 | 103 | ||
| 101 | rctx = malloc(sizeof(RSA_PKEY_CTX)); | 104 | if ((rctx = calloc(1, sizeof(RSA_PKEY_CTX))) == NULL) |
| 102 | if (!rctx) | ||
| 103 | return 0; | 105 | return 0; |
| 106 | |||
| 104 | rctx->nbits = 2048; | 107 | rctx->nbits = 2048; |
| 105 | rctx->pub_exp = NULL; | ||
| 106 | rctx->pad_mode = RSA_PKCS1_PADDING; | 108 | rctx->pad_mode = RSA_PKCS1_PADDING; |
| 107 | rctx->md = NULL; | ||
| 108 | rctx->mgf1md = NULL; | ||
| 109 | rctx->tbuf = NULL; | ||
| 110 | 109 | ||
| 111 | rctx->saltlen = -2; | 110 | rctx->saltlen = -2; |
| 112 | 111 | ||
| @@ -124,6 +123,7 @@ pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) | |||
| 124 | 123 | ||
| 125 | if (!pkey_rsa_init(dst)) | 124 | if (!pkey_rsa_init(dst)) |
| 126 | return 0; | 125 | return 0; |
| 126 | |||
| 127 | sctx = src->data; | 127 | sctx = src->data; |
| 128 | dctx = dst->data; | 128 | dctx = dst->data; |
| 129 | dctx->nbits = sctx->nbits; | 129 | dctx->nbits = sctx->nbits; |
| @@ -134,6 +134,15 @@ pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) | |||
| 134 | } | 134 | } |
| 135 | dctx->pad_mode = sctx->pad_mode; | 135 | dctx->pad_mode = sctx->pad_mode; |
| 136 | dctx->md = sctx->md; | 136 | dctx->md = sctx->md; |
| 137 | dctx->mgf1md = sctx->mgf1md; | ||
| 138 | if (sctx->oaep_label != NULL) { | ||
| 139 | free(dctx->oaep_label); | ||
| 140 | if ((dctx->oaep_label = calloc(1, sctx->oaep_labellen)) == NULL) | ||
| 141 | return 0; | ||
| 142 | memcpy(dctx->oaep_label, sctx->oaep_label, sctx->oaep_labellen); | ||
| 143 | dctx->oaep_labellen = sctx->oaep_labellen; | ||
| 144 | } | ||
| 145 | |||
| 137 | return 1; | 146 | return 1; |
| 138 | } | 147 | } |
| 139 | 148 | ||
| @@ -156,6 +165,7 @@ pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) | |||
| 156 | if (rctx) { | 165 | if (rctx) { |
| 157 | BN_free(rctx->pub_exp); | 166 | BN_free(rctx->pub_exp); |
| 158 | free(rctx->tbuf); | 167 | free(rctx->tbuf); |
| 168 | free(rctx->oaep_label); | ||
| 159 | free(rctx); | 169 | free(rctx); |
| 160 | } | 170 | } |
| 161 | } | 171 | } |
| @@ -306,11 +316,23 @@ static int | |||
| 306 | pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, | 316 | pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, |
| 307 | const unsigned char *in, size_t inlen) | 317 | const unsigned char *in, size_t inlen) |
| 308 | { | 318 | { |
| 309 | int ret; | ||
| 310 | RSA_PKEY_CTX *rctx = ctx->data; | 319 | RSA_PKEY_CTX *rctx = ctx->data; |
| 320 | int ret; | ||
| 311 | 321 | ||
| 312 | ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, | 322 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
| 313 | rctx->pad_mode); | 323 | int klen = RSA_size(ctx->pkey->pkey.rsa); |
| 324 | if (!setup_tbuf(rctx, ctx)) | ||
| 325 | return -1; | ||
| 326 | if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, | ||
| 327 | in, inlen, rctx->oaep_label, rctx->oaep_labellen, | ||
| 328 | rctx->md, rctx->mgf1md)) | ||
| 329 | return -1; | ||
| 330 | ret = RSA_public_encrypt(klen, rctx->tbuf, out, | ||
| 331 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); | ||
| 332 | } else { | ||
| 333 | ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, | ||
| 334 | rctx->pad_mode); | ||
| 335 | } | ||
| 314 | if (ret < 0) | 336 | if (ret < 0) |
| 315 | return ret; | 337 | return ret; |
| 316 | *outlen = ret; | 338 | *outlen = ret; |
| @@ -324,8 +346,20 @@ pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, | |||
| 324 | int ret; | 346 | int ret; |
| 325 | RSA_PKEY_CTX *rctx = ctx->data; | 347 | RSA_PKEY_CTX *rctx = ctx->data; |
| 326 | 348 | ||
| 327 | ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, | 349 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
| 328 | rctx->pad_mode); | 350 | if (!setup_tbuf(rctx, ctx)) |
| 351 | return -1; | ||
| 352 | ret = RSA_private_decrypt(inlen, in, rctx->tbuf, | ||
| 353 | ctx->pkey->pkey.rsa, RSA_NO_PADDING); | ||
| 354 | if (ret <= 0) | ||
| 355 | return ret; | ||
| 356 | ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, | ||
| 357 | ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md, | ||
| 358 | rctx->mgf1md); | ||
| 359 | } else { | ||
| 360 | ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, | ||
| 361 | rctx->pad_mode); | ||
| 362 | } | ||
| 329 | if (ret < 0) | 363 | if (ret < 0) |
| 330 | return ret; | 364 | return ret; |
| 331 | *outlen = ret; | 365 | *outlen = ret; |
| @@ -429,7 +463,8 @@ bad_pad: | |||
| 429 | 463 | ||
| 430 | case EVP_PKEY_CTRL_RSA_MGF1_MD: | 464 | case EVP_PKEY_CTRL_RSA_MGF1_MD: |
| 431 | case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: | 465 | case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: |
| 432 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { | 466 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING && |
| 467 | rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | ||
| 433 | RSAerror(RSA_R_INVALID_MGF1_MD); | 468 | RSAerror(RSA_R_INVALID_MGF1_MD); |
| 434 | return -2; | 469 | return -2; |
| 435 | } | 470 | } |
| @@ -442,6 +477,29 @@ bad_pad: | |||
| 442 | rctx->mgf1md = p2; | 477 | rctx->mgf1md = p2; |
| 443 | return 1; | 478 | return 1; |
| 444 | 479 | ||
| 480 | case EVP_PKEY_CTRL_RSA_OAEP_LABEL: | ||
| 481 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | ||
| 482 | RSAerror(RSA_R_INVALID_PADDING_MODE); | ||
| 483 | return -2; | ||
| 484 | } | ||
| 485 | free(rctx->oaep_label); | ||
| 486 | if (p2 != NULL && p1 > 0) { | ||
| 487 | rctx->oaep_label = p2; | ||
| 488 | rctx->oaep_labellen = p1; | ||
| 489 | } else { | ||
| 490 | rctx->oaep_label = NULL; | ||
| 491 | rctx->oaep_labellen = 0; | ||
| 492 | } | ||
| 493 | return 1; | ||
| 494 | |||
| 495 | case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: | ||
| 496 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | ||
| 497 | RSAerror(RSA_R_INVALID_PADDING_MODE); | ||
| 498 | return -2; | ||
| 499 | } | ||
| 500 | *(unsigned char **)p2 = rctx->oaep_label; | ||
| 501 | return rctx->oaep_labellen; | ||
| 502 | |||
| 445 | case EVP_PKEY_CTRL_DIGESTINIT: | 503 | case EVP_PKEY_CTRL_DIGESTINIT: |
| 446 | case EVP_PKEY_CTRL_PKCS7_ENCRYPT: | 504 | case EVP_PKEY_CTRL_PKCS7_ENCRYPT: |
| 447 | case EVP_PKEY_CTRL_PKCS7_DECRYPT: | 505 | case EVP_PKEY_CTRL_PKCS7_DECRYPT: |
| @@ -529,6 +587,29 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) | |||
| 529 | return ret; | 587 | return ret; |
| 530 | } | 588 | } |
| 531 | 589 | ||
| 590 | if (strcmp(type, "rsa_mgf1_md") == 0) | ||
| 591 | return EVP_PKEY_CTX_md(ctx, | ||
| 592 | EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, | ||
| 593 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); | ||
| 594 | |||
| 595 | if (strcmp(type, "rsa_oaep_md") == 0) | ||
| 596 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, | ||
| 597 | EVP_PKEY_CTRL_RSA_OAEP_MD, value); | ||
| 598 | |||
| 599 | if (strcmp(type, "rsa_oaep_label") == 0) { | ||
| 600 | unsigned char *lab; | ||
| 601 | long lablen; | ||
| 602 | int ret; | ||
| 603 | |||
| 604 | if ((lab = string_to_hex(value, &lablen)) == NULL) | ||
| 605 | return 0; | ||
| 606 | ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); | ||
| 607 | if (ret <= 0) | ||
| 608 | free(lab); | ||
| 609 | |||
| 610 | return ret; | ||
| 611 | } | ||
| 612 | |||
| 532 | not_a_number: | 613 | not_a_number: |
| 533 | out_of_range: | 614 | out_of_range: |
| 534 | return -2; | 615 | return -2; |