Rework the MD setting in the RSA ASN.1 method

This streamlines the code to use safer idioms, do proper error checking and be slightly less convoluted. Sprinkle a few references to RFC 8017 and explain better what we are doing and why. Clarify ownership and use more consistent style. This removes the last internal use of X509_ALGOR_set_md(). ok jsing
author: tb <> 2023-10-26 07:57:54 +0000
committer: tb <> 2023-10-26 07:57:54 +0000
commit: 2ed7c6c6a013624f8a2f68bc8ceb16f790650c17 (patch)
tree: e1725cf93b7b8f6cc50b27f4f729408b98577979 /src
parent: fb35c4b4f6b87177cd121d1f1811a2557cc872f8 (diff)
download: openbsd-2ed7c6c6a013624f8a2f68bc8ceb16f790650c17.tar.gz
openbsd-2ed7c6c6a013624f8a2f68bc8ceb16f790650c17.tar.bz2
openbsd-2ed7c6c6a013624f8a2f68bc8ceb16f790650c17.zip
1 files changed, 95 insertions, 45 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index ae38c205af..43f52f749a 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ameth.c,v 1.33 2023/08/12 08:02:43 tb Exp $ */
+/* $OpenBSD: rsa_ameth.c,v 1.34 2023/10/26 07:57:54 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -72,6 +72,7 @@
 #include "cryptlib.h"
 #include "evp_local.h"
 #include "rsa_local.h"
+#include "x509_local.h"
 #ifndef OPENSSL_NO_CMS
 static int rsa_cms_sign(CMS_SignerInfo *si);
@@ -574,45 +575,82 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
        return 1;
 }
-/* Allocate and set algorithm ID from EVP_MD, defaults to SHA1. */
 static int
-rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md)
+rsa_md_to_algor(const EVP_MD *md, X509_ALGOR **out_alg)
 {
+        X509_ALGOR *alg = NULL;
+        int ret = 0;
+        X509_ALGOR_free(*out_alg);
+        *out_alg = NULL;
+        /* RFC 8017 - default hash is SHA-1 and hence omitted. */
        if (md == NULL || EVP_MD_type(md) == NID_sha1)
-                return 1;
+                goto done;
-        *palg = X509_ALGOR_new();
-        if (*palg == NULL)
+        if ((alg = X509_ALGOR_new()) == NULL)
-                return 0;
+                goto err;
-        X509_ALGOR_set_md(*palg, md);
+        if (!X509_ALGOR_set_evp_md(alg, md))
-        return 1;
+                goto err;
+ done:
+        *out_alg = alg;
+        alg = NULL;
+        ret = 1;
+ err:
+        X509_ALGOR_free(alg);
+        return ret;
 }
-/* Allocate and set MGF1 algorithm ID from EVP_MD. */
+/*
+ * RFC 8017, A.2.1 and A.2.3 - encode maskGenAlgorithm for RSAES-OAEP
+ * and RSASSA-PSS. The default is mgfSHA1 and hence omitted.
+ */
 static int
-rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md)
+rsa_mgf1md_to_maskGenAlgorithm(const EVP_MD *mgf1md, X509_ALGOR **out_alg)
 {
-        X509_ALGOR *algtmp = NULL;
+        X509_ALGOR *alg = NULL;
-        ASN1_STRING *stmp = NULL;
+        X509_ALGOR *inner_alg = NULL;
+        ASN1_STRING *astr = NULL;
+        ASN1_OBJECT *aobj;
+        int ret = 0;
+        X509_ALGOR_free(*out_alg);
+        *out_alg = NULL;
-        *palg = NULL;
        if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1)
-                return 1;
+                goto done;
-        /* need to embed algorithm ID inside another */
-        if (!rsa_md_to_algor(&algtmp, mgf1md))
+        if ((inner_alg = X509_ALGOR_new()) == NULL)
                goto err;
-        if (ASN1_item_pack(algtmp, &X509_ALGOR_it, &stmp) == NULL)
+        if (!X509_ALGOR_set_evp_md(inner_alg, mgf1md))
-                 goto err;
+                goto err;
-        *palg = X509_ALGOR_new();
+        if ((astr = ASN1_item_pack(inner_alg, &X509_ALGOR_it, NULL)) == NULL)
-        if (*palg == NULL)
+                goto err;
+        if ((alg = X509_ALGOR_new()) == NULL)
                goto err;
-        X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
+        if ((aobj = OBJ_nid2obj(NID_mgf1)) == NULL)
-        stmp = NULL;
+                goto err;
+        if (!X509_ALGOR_set0(alg, aobj, V_ASN1_SEQUENCE, astr))
+                goto err;
+        astr = NULL;
+ done:
+        *out_alg = alg;
+        alg = NULL;
+        ret = 1;
 err:
-        ASN1_STRING_free(stmp);
+        X509_ALGOR_free(alg);
-        X509_ALGOR_free(algtmp);
+        X509_ALGOR_free(inner_alg);
-        if (*palg)
+        ASN1_STRING_free(astr);
-                return 1;
-        return 0;
+        return ret;
 }
 /* Convert algorithm ID to EVP_MD, defaults to SHA1. */
@@ -662,28 +700,36 @@ rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
 RSA_PSS_PARAMS *
 rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen)
 {
-        RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();
+        RSA_PSS_PARAMS *pss = NULL;
-        if (pss == NULL)
+        if (mgf1md == NULL)
+                mgf1md = sigmd;
+        if ((pss = RSA_PSS_PARAMS_new()) == NULL)
+                goto err;
+        if (!rsa_md_to_algor(sigmd, &pss->hashAlgorithm))
+                goto err;
+        if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &pss->maskGenAlgorithm))
+                goto err;
+        /* Translate mgf1md to X509_ALGOR in decoded form for internal use. */
+        if (!rsa_md_to_algor(mgf1md, &pss->maskHash))
                goto err;
-        if (saltlen != 20) {
-                pss->saltLength = ASN1_INTEGER_new();
+        /* RFC 8017, A.2.3 - default saltLength is SHA_DIGEST_LENGTH. */
-                if (pss->saltLength == NULL)
+        if (saltlen != SHA_DIGEST_LENGTH) {
+                if ((pss->saltLength = ASN1_INTEGER_new()) == NULL)
                        goto err;
                if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
                        goto err;
        }
-        if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd))
-                goto err;
-        if (mgf1md == NULL)
-                mgf1md = sigmd;
-        if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
-                goto err;
-        if (!rsa_md_to_algor(&pss->maskHash, mgf1md))
-                goto err;
        return pss;
 err:
        RSA_PSS_PARAMS_free(pss);
        return NULL;
 }
@@ -1035,13 +1081,17 @@ rsa_cms_encrypt(CMS_RecipientInfo *ri)
        labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
        if (labellen < 0)
                goto err;
-        oaep = RSA_OAEP_PARAMS_new();
-        if (oaep == NULL)
+        if ((oaep = RSA_OAEP_PARAMS_new()) == NULL)
                goto err;
-        if (!rsa_md_to_algor(&oaep->hashFunc, md))
+        if (!rsa_md_to_algor(md, &oaep->hashFunc))
                goto err;
-        if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
+        if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &oaep->maskGenFunc))
                goto err;
+        /* XXX - why do we not set oaep->maskHash here? */
        if (labellen > 0) {
                ASN1_OCTET_STRING *los;
                oaep->pSourceFunc = X509_ALGOR_new();
author	tb <>	2023-10-26 07:57:54 +0000
committer	tb <>	2023-10-26 07:57:54 +0000
commit	2ed7c6c6a013624f8a2f68bc8ceb16f790650c17 (patch)
tree	e1725cf93b7b8f6cc50b27f4f729408b98577979 /src
parent	fb35c4b4f6b87177cd121d1f1811a2557cc872f8 (diff)
download	openbsd-2ed7c6c6a013624f8a2f68bc8ceb16f790650c17.tar.gz openbsd-2ed7c6c6a013624f8a2f68bc8ceb16f790650c17.tar.bz2 openbsd-2ed7c6c6a013624f8a2f68bc8ceb16f790650c17.zip

diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c index ae38c205af..43f52f749a 100644 --- a/src/lib/libcrypto/rsa/rsa_ameth.c +++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_ameth.c,v 1.33 2023/08/12 08:02:43 tb Exp $ */	1	/* $OpenBSD: rsa_ameth.c,v 1.34 2023/10/26 07:57:54 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -72,6 +72,7 @@
72	#include "cryptlib.h"	72	#include "cryptlib.h"
73	#include "evp_local.h"	73	#include "evp_local.h"
74	#include "rsa_local.h"	74	#include "rsa_local.h"
		75	#include "x509_local.h"
75		76
76	#ifndef OPENSSL_NO_CMS	77	#ifndef OPENSSL_NO_CMS
77	static int rsa_cms_sign(CMS_SignerInfo *si);	78	static int rsa_cms_sign(CMS_SignerInfo *si);
@@ -574,45 +575,82 @@ rsa_pkey_ctrl(EVP_PKEY pkey, int op, long arg1, void arg2)
574	return 1;	575	return 1;
575	}	576	}
576		577
577	/* Allocate and set algorithm ID from EVP_MD, defaults to SHA1. */
578	static int	578	static int
579	rsa_md_to_algor(X509_ALGOR *palg, const EVP_MD md)	579	rsa_md_to_algor(const EVP_MD md, X509_ALGOR *out_alg)
580	{	580	{
		581	X509_ALGOR *alg = NULL;
		582	int ret = 0;
		583
		584	X509_ALGOR_free(*out_alg);
		585	*out_alg = NULL;
		586
		587	/* RFC 8017 - default hash is SHA-1 and hence omitted. */
581	if (md == NULL \|\| EVP_MD_type(md) == NID_sha1)	588	if (md == NULL \|\| EVP_MD_type(md) == NID_sha1)
582	return 1;	589	goto done;
583	*palg = X509_ALGOR_new();	590
584	if (*palg == NULL)	591	if ((alg = X509_ALGOR_new()) == NULL)
585	return 0;	592	goto err;
586	X509_ALGOR_set_md(*palg, md);	593	if (!X509_ALGOR_set_evp_md(alg, md))
587	return 1;	594	goto err;
		595
		596	done:
		597	*out_alg = alg;
		598	alg = NULL;
		599
		600	ret = 1;
		601
		602	err:
		603	X509_ALGOR_free(alg);
		604
		605	return ret;
588	}	606	}
589		607
590	/* Allocate and set MGF1 algorithm ID from EVP_MD. */	608	/*
		609	* RFC 8017, A.2.1 and A.2.3 - encode maskGenAlgorithm for RSAES-OAEP
		610	* and RSASSA-PSS. The default is mgfSHA1 and hence omitted.
		611	*/
591	static int	612	static int
592	rsa_md_to_mgf1(X509_ALGOR *palg, const EVP_MD mgf1md)	613	rsa_mgf1md_to_maskGenAlgorithm(const EVP_MD mgf1md, X509_ALGOR *out_alg)
593	{	614	{
594	X509_ALGOR *algtmp = NULL;	615	X509_ALGOR *alg = NULL;
595	ASN1_STRING *stmp = NULL;	616	X509_ALGOR *inner_alg = NULL;
		617	ASN1_STRING *astr = NULL;
		618	ASN1_OBJECT *aobj;
		619	int ret = 0;
		620
		621	X509_ALGOR_free(*out_alg);
		622	*out_alg = NULL;
596		623
597	*palg = NULL;
598	if (mgf1md == NULL \|\| EVP_MD_type(mgf1md) == NID_sha1)	624	if (mgf1md == NULL \|\| EVP_MD_type(mgf1md) == NID_sha1)
599	return 1;	625	goto done;
600	/* need to embed algorithm ID inside another */	626
601	if (!rsa_md_to_algor(&algtmp, mgf1md))	627	if ((inner_alg = X509_ALGOR_new()) == NULL)
602	goto err;	628	goto err;
603	if (ASN1_item_pack(algtmp, &X509_ALGOR_it, &stmp) == NULL)	629	if (!X509_ALGOR_set_evp_md(inner_alg, mgf1md))
604	goto err;	630	goto err;
605	*palg = X509_ALGOR_new();	631	if ((astr = ASN1_item_pack(inner_alg, &X509_ALGOR_it, NULL)) == NULL)
606	if (*palg == NULL)	632	goto err;
		633
		634	if ((alg = X509_ALGOR_new()) == NULL)
607	goto err;	635	goto err;
608	X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);	636	if ((aobj = OBJ_nid2obj(NID_mgf1)) == NULL)
609	stmp = NULL;	637	goto err;
		638	if (!X509_ALGOR_set0(alg, aobj, V_ASN1_SEQUENCE, astr))
		639	goto err;
		640	astr = NULL;
		641
		642	done:
		643	*out_alg = alg;
		644	alg = NULL;
		645
		646	ret = 1;
		647
610	err:	648	err:
611	ASN1_STRING_free(stmp);	649	X509_ALGOR_free(alg);
612	X509_ALGOR_free(algtmp);	650	X509_ALGOR_free(inner_alg);
613	if (*palg)	651	ASN1_STRING_free(astr);
614	return 1;	652
615	return 0;	653	return ret;
616	}	654	}
617		655
618	/* Convert algorithm ID to EVP_MD, defaults to SHA1. */	656	/* Convert algorithm ID to EVP_MD, defaults to SHA1. */
@@ -662,28 +700,36 @@ rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
662	RSA_PSS_PARAMS *	700	RSA_PSS_PARAMS *
663	rsa_pss_params_create(const EVP_MD sigmd, const EVP_MD mgf1md, int saltlen)	701	rsa_pss_params_create(const EVP_MD sigmd, const EVP_MD mgf1md, int saltlen)
664	{	702	{
665	RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();	703	RSA_PSS_PARAMS *pss = NULL;
666		704
667	if (pss == NULL)	705	if (mgf1md == NULL)
		706	mgf1md = sigmd;
		707
		708	if ((pss = RSA_PSS_PARAMS_new()) == NULL)
		709	goto err;
		710
		711	if (!rsa_md_to_algor(sigmd, &pss->hashAlgorithm))
		712	goto err;
		713	if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &pss->maskGenAlgorithm))
		714	goto err;
		715
		716	/* Translate mgf1md to X509_ALGOR in decoded form for internal use. */
		717	if (!rsa_md_to_algor(mgf1md, &pss->maskHash))
668	goto err;	718	goto err;
669	if (saltlen != 20) {	719
670	pss->saltLength = ASN1_INTEGER_new();	720	/* RFC 8017, A.2.3 - default saltLength is SHA_DIGEST_LENGTH. */
671	if (pss->saltLength == NULL)	721	if (saltlen != SHA_DIGEST_LENGTH) {
		722	if ((pss->saltLength = ASN1_INTEGER_new()) == NULL)
672	goto err;	723	goto err;
673	if (!ASN1_INTEGER_set(pss->saltLength, saltlen))	724	if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
674	goto err;	725	goto err;
675	}	726	}
676	if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd))	727
677	goto err;
678	if (mgf1md == NULL)
679	mgf1md = sigmd;
680	if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
681	goto err;
682	if (!rsa_md_to_algor(&pss->maskHash, mgf1md))
683	goto err;
684	return pss;	728	return pss;
		729
685	err:	730	err:
686	RSA_PSS_PARAMS_free(pss);	731	RSA_PSS_PARAMS_free(pss);
		732
687	return NULL;	733	return NULL;
688	}	734	}
689		735
@@ -1035,13 +1081,17 @@ rsa_cms_encrypt(CMS_RecipientInfo *ri)
1035	labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);	1081	labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
1036	if (labellen < 0)	1082	if (labellen < 0)
1037	goto err;	1083	goto err;
1038	oaep = RSA_OAEP_PARAMS_new();	1084
1039	if (oaep == NULL)	1085	if ((oaep = RSA_OAEP_PARAMS_new()) == NULL)
1040	goto err;	1086	goto err;
1041	if (!rsa_md_to_algor(&oaep->hashFunc, md))	1087
		1088	if (!rsa_md_to_algor(md, &oaep->hashFunc))
1042	goto err;	1089	goto err;
1043	if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))	1090	if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &oaep->maskGenFunc))
1044	goto err;	1091	goto err;
		1092
		1093	/* XXX - why do we not set oaep->maskHash here? */
		1094
1045	if (labellen > 0) {	1095	if (labellen > 0) {
1046	ASN1_OCTET_STRING *los;	1096	ASN1_OCTET_STRING *los;
1047	oaep->pSourceFunc = X509_ALGOR_new();	1097	oaep->pSourceFunc = X509_ALGOR_new();