summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_ameth.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_ameth.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c1275
1 files changed, 0 insertions, 1275 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
deleted file mode 100644
index 5a87522289..0000000000
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ /dev/null
@@ -1,1275 +0,0 @@
1/* $OpenBSD: rsa_ameth.c,v 1.62 2024/11/02 07:11:14 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdint.h>
60#include <stdio.h>
61#include <stdlib.h>
62
63#include <openssl/opensslconf.h>
64
65#include <openssl/asn1.h>
66#include <openssl/bio.h>
67#include <openssl/bn.h>
68#include <openssl/cms.h>
69#include <openssl/err.h>
70#include <openssl/evp.h>
71#include <openssl/objects.h>
72#include <openssl/pkcs7.h>
73#include <openssl/rsa.h>
74#include <openssl/sha.h>
75#include <openssl/x509.h>
76
77#include "asn1_local.h"
78#include "bn_local.h"
79#include "evp_local.h"
80#include "rsa_local.h"
81#include "x509_local.h"
82
83#ifndef OPENSSL_NO_CMS
84static int rsa_cms_sign(CMS_SignerInfo *si);
85static int rsa_cms_verify(CMS_SignerInfo *si);
86static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
87static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
88#endif
89
90static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
91
92static int rsa_alg_set_pkcs1_padding(X509_ALGOR *alg);
93
94/* Set any parameters associated with pkey */
95static int
96rsa_param_encode(const EVP_PKEY *pkey, ASN1_STRING **pstr, int *pstrtype)
97{
98 const RSA *rsa = pkey->pkey.rsa;
99
100 *pstr = NULL;
101
102 /* If RSA it's just NULL type */
103 if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
104 *pstrtype = V_ASN1_NULL;
105 return 1;
106 }
107
108 /* If no PSS parameters we omit parameters entirely */
109 if (rsa->pss == NULL) {
110 *pstrtype = V_ASN1_UNDEF;
111 return 1;
112 }
113
114 /* Encode PSS parameters */
115 if (ASN1_item_pack(rsa->pss, &RSA_PSS_PARAMS_it, pstr) == NULL)
116 return 0;
117
118 *pstrtype = V_ASN1_SEQUENCE;
119 return 1;
120}
121
122/* Decode any parameters and set them in RSA structure */
123static int
124rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
125{
126 const ASN1_OBJECT *algoid;
127 const void *algp;
128 int algptype;
129
130 X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
131 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
132 return 1;
133 if (algptype == V_ASN1_UNDEF)
134 return 1;
135 if (algptype != V_ASN1_SEQUENCE) {
136 RSAerror(RSA_R_INVALID_PSS_PARAMETERS);
137 return 0;
138 }
139 rsa->pss = rsa_pss_decode(alg);
140 if (rsa->pss == NULL)
141 return 0;
142 return 1;
143}
144
145static int
146rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
147{
148 ASN1_STRING *str = NULL;
149 int strtype;
150 unsigned char *penc = NULL;
151 int penclen = 0;
152 ASN1_OBJECT *aobj;
153
154 if (!rsa_param_encode(pkey, &str, &strtype))
155 goto err;
156 if ((penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc)) <= 0) {
157 penclen = 0;
158 goto err;
159 }
160 if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL)
161 goto err;
162 if (!X509_PUBKEY_set0_param(pk, aobj, strtype, str, penc, penclen))
163 goto err;
164
165 return 1;
166
167 err:
168 ASN1_STRING_free(str);
169 freezero(penc, penclen);
170
171 return 0;
172}
173
174static int
175rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
176{
177 const unsigned char *p;
178 int pklen;
179 X509_ALGOR *alg;
180 RSA *rsa = NULL;
181
182 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
183 return 0;
184 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) {
185 RSAerror(ERR_R_RSA_LIB);
186 return 0;
187 }
188 if (!rsa_param_decode(rsa, alg)) {
189 RSA_free(rsa);
190 return 0;
191 }
192 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
193 RSA_free(rsa);
194 return 0;
195 }
196 return 1;
197}
198
199static int
200rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
201{
202 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 ||
203 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
204 return 0;
205
206 return 1;
207}
208
209static int
210old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
211{
212 RSA *rsa;
213 int ret = 0;
214
215 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) {
216 RSAerror(ERR_R_RSA_LIB);
217 goto err;
218 }
219 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa))
220 goto err;
221 rsa = NULL;
222
223 ret = 1;
224
225 err:
226 RSA_free(rsa);
227
228 return ret;
229}
230
231static int
232old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
233{
234 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
235}
236
237static int
238rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
239{
240 ASN1_STRING *str = NULL;
241 ASN1_OBJECT *aobj;
242 int strtype;
243 unsigned char *rk = NULL;
244 int rklen = 0;
245
246 if (!rsa_param_encode(pkey, &str, &strtype))
247 goto err;
248 if ((rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk)) <= 0) {
249 RSAerror(ERR_R_MALLOC_FAILURE);
250 rklen = 0;
251 goto err;
252 }
253 if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL)
254 goto err;
255 if (!PKCS8_pkey_set0(p8, aobj, 0, strtype, str, rk, rklen)) {
256 RSAerror(ERR_R_MALLOC_FAILURE);
257 goto err;
258 }
259
260 return 1;
261
262 err:
263 ASN1_STRING_free(str);
264 freezero(rk, rklen);
265
266 return 0;
267}
268
269static int
270rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
271{
272 const unsigned char *p;
273 RSA *rsa = NULL;
274 int pklen;
275 const X509_ALGOR *alg;
276 int ret = 0;
277
278 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8))
279 goto err;
280 if ((rsa = d2i_RSAPrivateKey(NULL, &p, pklen)) == NULL)
281 goto err;
282 if (!rsa_param_decode(rsa, alg))
283 goto err;
284 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa))
285 goto err;
286 rsa = NULL;
287
288 ret = 1;
289
290 err:
291 RSA_free(rsa);
292
293 return ret;
294}
295
296static int
297rsa_size(const EVP_PKEY *pkey)
298{
299 return RSA_size(pkey->pkey.rsa);
300}
301
302static int
303rsa_bits(const EVP_PKEY *pkey)
304{
305 return BN_num_bits(pkey->pkey.rsa->n);
306}
307
308static int
309rsa_security_bits(const EVP_PKEY *pkey)
310{
311 return RSA_security_bits(pkey->pkey.rsa);
312}
313
314static void
315rsa_free(EVP_PKEY *pkey)
316{
317 RSA_free(pkey->pkey.rsa);
318}
319
320static X509_ALGOR *
321rsa_mgf1_decode(X509_ALGOR *alg)
322{
323 if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
324 return NULL;
325
326 return ASN1_TYPE_unpack_sequence(&X509_ALGOR_it, alg->parameter);
327}
328
329static RSA_PSS_PARAMS *
330rsa_pss_decode(const X509_ALGOR *alg)
331{
332 RSA_PSS_PARAMS *pss;
333
334 pss = ASN1_TYPE_unpack_sequence(&RSA_PSS_PARAMS_it, alg->parameter);
335 if (pss == NULL)
336 return NULL;
337
338 if (pss->maskGenAlgorithm != NULL) {
339 pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
340 if (pss->maskHash == NULL) {
341 RSA_PSS_PARAMS_free(pss);
342 return NULL;
343 }
344 }
345
346 return pss;
347}
348
349static int
350rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, int indent)
351{
352 int rv = 0;
353 X509_ALGOR *maskHash = NULL;
354
355 if (!BIO_indent(bp, indent, 128))
356 goto err;
357 if (pss_key) {
358 if (pss == NULL) {
359 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
360 return 0;
361 return 1;
362 } else {
363 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
364 return 0;
365 }
366 } else if (pss == NULL) {
367 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0)
368 return 0;
369 return 1;
370 }
371 if (BIO_puts(bp, "\n") <= 0)
372 goto err;
373 if (pss_key)
374 indent += 2;
375 if (!BIO_indent(bp, indent, 128))
376 goto err;
377 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
378 goto err;
379
380 if (pss->hashAlgorithm) {
381 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
382 goto err;
383 } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
384 goto err;
385 }
386
387 if (BIO_puts(bp, "\n") <= 0)
388 goto err;
389
390 if (!BIO_indent(bp, indent, 128))
391 goto err;
392
393 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
394 goto err;
395 if (pss->maskGenAlgorithm) {
396 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
397 goto err;
398 if (BIO_puts(bp, " with ") <= 0)
399 goto err;
400 maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
401 if (maskHash != NULL) {
402 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
403 goto err;
404 } else if (BIO_puts(bp, "INVALID") <= 0) {
405 goto err;
406 }
407 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
408 goto err;
409 }
410 BIO_puts(bp, "\n");
411
412 if (!BIO_indent(bp, indent, 128))
413 goto err;
414 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
415 goto err;
416 if (pss->saltLength) {
417 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
418 goto err;
419 } else if (BIO_puts(bp, "14 (default)") <= 0) {
420 goto err;
421 }
422 BIO_puts(bp, "\n");
423
424 if (!BIO_indent(bp, indent, 128))
425 goto err;
426 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
427 goto err;
428 if (pss->trailerField) {
429 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
430 goto err;
431 } else if (BIO_puts(bp, "BC (default)") <= 0) {
432 goto err;
433 }
434 BIO_puts(bp, "\n");
435
436 rv = 1;
437
438 err:
439 X509_ALGOR_free(maskHash);
440 return rv;
441
442}
443
444static int
445pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
446{
447 const RSA *x = pkey->pkey.rsa;
448 char *str;
449 const char *s;
450 int ret = 0, mod_len = 0;
451
452 if (x->n != NULL)
453 mod_len = BN_num_bits(x->n);
454
455 if (!BIO_indent(bp, off, 128))
456 goto err;
457
458 if (BIO_printf(bp, "%s ",
459 pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS ? "RSA-PSS" : "RSA") <= 0)
460 goto err;
461
462 if (priv && x->d != NULL) {
463 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
464 goto err;
465 str = "modulus:";
466 s = "publicExponent:";
467 } else {
468 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
469 goto err;
470 str = "Modulus:";
471 s = "Exponent:";
472 }
473 if (!bn_printf(bp, x->n, off, "%s", str))
474 goto err;
475 if (!bn_printf(bp, x->e, off, "%s", s))
476 goto err;
477 if (priv) {
478 if (!bn_printf(bp, x->d, off, "privateExponent:"))
479 goto err;
480 if (!bn_printf(bp, x->p, off, "prime1:"))
481 goto err;
482 if (!bn_printf(bp, x->q, off, "prime2:"))
483 goto err;
484 if (!bn_printf(bp, x->dmp1, off, "exponent1:"))
485 goto err;
486 if (!bn_printf(bp, x->dmq1, off, "exponent2:"))
487 goto err;
488 if (!bn_printf(bp, x->iqmp, off, "coefficient:"))
489 goto err;
490 }
491 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS &&
492 !rsa_pss_param_print(bp, 1, x->pss, off))
493 goto err;
494 ret = 1;
495 err:
496 return ret;
497}
498
499static int
500rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
501{
502 return pkey_rsa_print(bp, pkey, indent, 0);
503}
504
505static int
506rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
507{
508 return pkey_rsa_print(bp, pkey, indent, 1);
509}
510
511static int
512rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
513 int indent, ASN1_PCTX *pctx)
514{
515 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) {
516 int rv;
517 RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
518
519 rv = rsa_pss_param_print(bp, 0, pss, indent);
520 RSA_PSS_PARAMS_free(pss);
521 if (!rv)
522 return 0;
523 } else if (!sig && BIO_puts(bp, "\n") <= 0) {
524 return 0;
525 }
526 if (sig)
527 return X509_signature_dump(bp, sig, indent);
528 return 1;
529}
530
531static int
532rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
533{
534 X509_ALGOR *alg = NULL;
535 const EVP_MD *md;
536 const EVP_MD *mgf1md;
537 int min_saltlen;
538
539 switch (op) {
540 case ASN1_PKEY_CTRL_PKCS7_SIGN:
541 if (arg1 == 0)
542 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
543 break;
544
545 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
546 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
547 return -2;
548 if (arg1 == 0)
549 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
550 break;
551#ifndef OPENSSL_NO_CMS
552 case ASN1_PKEY_CTRL_CMS_SIGN:
553 if (arg1 == 0)
554 return rsa_cms_sign(arg2);
555 else if (arg1 == 1)
556 return rsa_cms_verify(arg2);
557 break;
558
559 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
560 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
561 return -2;
562 if (arg1 == 0)
563 return rsa_cms_encrypt(arg2);
564 else if (arg1 == 1)
565 return rsa_cms_decrypt(arg2);
566 break;
567
568 case ASN1_PKEY_CTRL_CMS_RI_TYPE:
569 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
570 return -2;
571 *(int *)arg2 = CMS_RECIPINFO_TRANS;
572 return 1;
573#endif
574
575 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
576 if (pkey->pkey.rsa->pss != NULL) {
577 if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
578 &min_saltlen)) {
579 RSAerror(ERR_R_INTERNAL_ERROR);
580 return 0;
581 }
582 *(int *)arg2 = EVP_MD_type(md);
583 /* Return of 2 indicates this MD is mandatory */
584 return 2;
585 }
586 *(int *)arg2 = NID_sha256;
587 return 1;
588
589 default:
590 return -2;
591 }
592
593 if (alg != NULL)
594 return rsa_alg_set_pkcs1_padding(alg);
595
596 return 1;
597}
598
599static int
600rsa_md_to_algor(const EVP_MD *md, X509_ALGOR **out_alg)
601{
602 X509_ALGOR *alg = NULL;
603 int ret = 0;
604
605 X509_ALGOR_free(*out_alg);
606 *out_alg = NULL;
607
608 /* RFC 8017 - default hash is SHA-1 and hence omitted. */
609 if (md == NULL || EVP_MD_type(md) == NID_sha1)
610 goto done;
611
612 if ((alg = X509_ALGOR_new()) == NULL)
613 goto err;
614 /*
615 * XXX - This omits the parameters, whereas RFC 4055, section 2.1
616 * explicitly states that an explicit ASN.1 NULL is required.
617 */
618 if (!X509_ALGOR_set_evp_md(alg, md))
619 goto err;
620
621 done:
622 *out_alg = alg;
623 alg = NULL;
624
625 ret = 1;
626
627 err:
628 X509_ALGOR_free(alg);
629
630 return ret;
631}
632
633/*
634 * RFC 8017, A.2.1 and A.2.3 - encode maskGenAlgorithm for RSAES-OAEP
635 * and RSASSA-PSS. The default is mgfSHA1 and hence omitted.
636 */
637static int
638rsa_mgf1md_to_maskGenAlgorithm(const EVP_MD *mgf1md, X509_ALGOR **out_alg)
639{
640 X509_ALGOR *alg = NULL;
641 X509_ALGOR *inner_alg = NULL;
642 ASN1_STRING *astr = NULL;
643 int ret = 0;
644
645 X509_ALGOR_free(*out_alg);
646 *out_alg = NULL;
647
648 if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1)
649 goto done;
650
651 if ((inner_alg = X509_ALGOR_new()) == NULL)
652 goto err;
653 /*
654 * XXX - This omits the parameters, whereas RFC 4055, section 2.1
655 * explicitly states that an explicit ASN.1 NULL is required.
656 */
657 if (!X509_ALGOR_set_evp_md(inner_alg, mgf1md))
658 goto err;
659 if ((astr = ASN1_item_pack(inner_alg, &X509_ALGOR_it, NULL)) == NULL)
660 goto err;
661
662 if ((alg = X509_ALGOR_new()) == NULL)
663 goto err;
664 if (!X509_ALGOR_set0_by_nid(alg, NID_mgf1, V_ASN1_SEQUENCE, astr))
665 goto err;
666 astr = NULL;
667
668 done:
669 *out_alg = alg;
670 alg = NULL;
671
672 ret = 1;
673
674 err:
675 X509_ALGOR_free(alg);
676 X509_ALGOR_free(inner_alg);
677 ASN1_STRING_free(astr);
678
679 return ret;
680}
681
682/* Convert algorithm ID to EVP_MD, defaults to SHA1. */
683static const EVP_MD *
684rsa_algor_to_md(X509_ALGOR *alg)
685{
686 const EVP_MD *md;
687
688 if (!alg)
689 return EVP_sha1();
690 md = EVP_get_digestbyobj(alg->algorithm);
691 if (md == NULL)
692 RSAerror(RSA_R_UNKNOWN_DIGEST);
693 return md;
694}
695
696/*
697 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
698 * suitable for setting an AlgorithmIdentifier.
699 */
700static RSA_PSS_PARAMS *
701rsa_ctx_to_pss(EVP_PKEY_CTX *pkey_ctx)
702{
703 const EVP_MD *sigmd, *mgf1md;
704 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkey_ctx);
705 int saltlen;
706
707 if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &sigmd) <= 0)
708 return NULL;
709 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0)
710 return NULL;
711 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen))
712 return NULL;
713 if (saltlen == -1) {
714 saltlen = EVP_MD_size(sigmd);
715 } else if (saltlen == -2 || saltlen == -3) {
716 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
717 if ((EVP_PKEY_bits(pk) & 0x7) == 1)
718 saltlen--;
719 if (saltlen < 0)
720 return NULL;
721 }
722
723 return rsa_pss_params_create(sigmd, mgf1md, saltlen);
724}
725
726RSA_PSS_PARAMS *
727rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen)
728{
729 RSA_PSS_PARAMS *pss = NULL;
730
731 if (mgf1md == NULL)
732 mgf1md = sigmd;
733
734 if ((pss = RSA_PSS_PARAMS_new()) == NULL)
735 goto err;
736
737 if (!rsa_md_to_algor(sigmd, &pss->hashAlgorithm))
738 goto err;
739 if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &pss->maskGenAlgorithm))
740 goto err;
741
742 /* Translate mgf1md to X509_ALGOR in decoded form for internal use. */
743 if (!rsa_md_to_algor(mgf1md, &pss->maskHash))
744 goto err;
745
746 /* RFC 8017, A.2.3 - default saltLength is SHA_DIGEST_LENGTH. */
747 if (saltlen != SHA_DIGEST_LENGTH) {
748 if ((pss->saltLength = ASN1_INTEGER_new()) == NULL)
749 goto err;
750 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
751 goto err;
752 }
753
754 return pss;
755
756 err:
757 RSA_PSS_PARAMS_free(pss);
758
759 return NULL;
760}
761
762/*
763 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
764 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
765 * passed to pkey_ctx instead.
766 */
767
768static int
769rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkey_ctx,
770 X509_ALGOR *sigalg, EVP_PKEY *pkey)
771{
772 int rv = -1;
773 int saltlen;
774 const EVP_MD *mgf1md = NULL, *md = NULL;
775 RSA_PSS_PARAMS *pss;
776
777 /* Sanity check: make sure it is PSS */
778 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
779 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
780 return -1;
781 }
782 /* Decode PSS parameters */
783 pss = rsa_pss_decode(sigalg);
784
785 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
786 RSAerror(RSA_R_INVALID_PSS_PARAMETERS);
787 goto err;
788 }
789
790 /* We have all parameters now set up context */
791 if (pkey) {
792 if (!EVP_DigestVerifyInit(ctx, &pkey_ctx, md, NULL, pkey))
793 goto err;
794 } else {
795 const EVP_MD *checkmd;
796 if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &checkmd) <= 0)
797 goto err;
798 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) {
799 RSAerror(RSA_R_DIGEST_DOES_NOT_MATCH);
800 goto err;
801 }
802 }
803
804 if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0)
805 goto err;
806
807 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, saltlen) <= 0)
808 goto err;
809
810 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1md) <= 0)
811 goto err;
812 /* Carry on */
813 rv = 1;
814
815 err:
816 RSA_PSS_PARAMS_free(pss);
817 return rv;
818}
819
820int
821rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
822 const EVP_MD **pmgf1md, int *psaltlen)
823{
824 if (pss == NULL)
825 return 0;
826 *pmd = rsa_algor_to_md(pss->hashAlgorithm);
827 if (*pmd == NULL)
828 return 0;
829 *pmgf1md = rsa_algor_to_md(pss->maskHash);
830 if (*pmgf1md == NULL)
831 return 0;
832 if (pss->saltLength) {
833 *psaltlen = ASN1_INTEGER_get(pss->saltLength);
834 if (*psaltlen < 0) {
835 RSAerror(RSA_R_INVALID_SALT_LENGTH);
836 return 0;
837 }
838 } else {
839 *psaltlen = 20;
840 }
841
842 /*
843 * low-level routines support only trailer field 0xbc (value 1) and
844 * PKCS#1 says we should reject any other value anyway.
845 */
846 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
847 RSAerror(RSA_R_INVALID_TRAILER);
848 return 0;
849 }
850
851 return 1;
852}
853
854static int
855rsa_pss_signature_info(const X509_ALGOR *alg, int *out_md_nid,
856 int *out_pkey_nid, int *out_security_bits, uint32_t *out_flags)
857{
858 RSA_PSS_PARAMS *pss = NULL;
859 const ASN1_OBJECT *aobj;
860 const EVP_MD *md, *mgf1md;
861 int md_len, salt_len;
862 int md_nid = NID_undef, pkey_nid = NID_undef;
863 int security_bits = -1;
864 uint32_t flags = 0;
865
866 X509_ALGOR_get0(&aobj, NULL, NULL, alg);
867 if (OBJ_obj2nid(aobj) != EVP_PKEY_RSA_PSS)
868 goto err;
869
870 if ((pss = rsa_pss_decode(alg)) == NULL)
871 goto err;
872 if (!rsa_pss_get_param(pss, &md, &mgf1md, &salt_len))
873 goto err;
874
875 if ((md_nid = EVP_MD_type(md)) == NID_undef)
876 goto err;
877 if ((md_len = EVP_MD_size(md)) <= 0)
878 goto err;
879
880 /*
881 * RFC 8446, section 4.2.3 - restricts the digest algorithm:
882 * - it must be one of SHA256, SHA384, and SHA512;
883 * - the same digest must be used in the mask generation function;
884 * - the salt length must match the output length of the digest.
885 * XXX - consider separate flags for these checks.
886 */
887 if (md_nid == NID_sha256 || md_nid == NID_sha384 || md_nid == NID_sha512) {
888 if (md_nid == EVP_MD_type(mgf1md) && salt_len == md_len)
889 flags |= X509_SIG_INFO_TLS;
890 }
891
892 security_bits = md_len * 4;
893 flags |= X509_SIG_INFO_VALID;
894
895 *out_md_nid = md_nid;
896 *out_pkey_nid = pkey_nid;
897 *out_security_bits = security_bits;
898 *out_flags = flags;
899
900 err:
901 RSA_PSS_PARAMS_free(pss);
902
903 return (flags & X509_SIG_INFO_VALID) != 0;
904}
905
906#ifndef OPENSSL_NO_CMS
907static int
908rsa_cms_verify(CMS_SignerInfo *si)
909{
910 int nid, nid2;
911 X509_ALGOR *alg;
912 EVP_PKEY_CTX *pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si);
913
914 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
915 nid = OBJ_obj2nid(alg->algorithm);
916 if (nid == EVP_PKEY_RSA_PSS)
917 return rsa_pss_to_ctx(NULL, pkey_ctx, alg, NULL);
918 /* Only PSS allowed for PSS keys */
919 if (pkey_ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
920 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
921 return 0;
922 }
923 if (nid == NID_rsaEncryption)
924 return 1;
925 /* Workaround for some implementation that use a signature OID */
926 if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
927 if (nid2 == NID_rsaEncryption)
928 return 1;
929 }
930 return 0;
931}
932#endif
933
934/*
935 * Customised RSA item verification routine. This is called when a signature
936 * is encountered requiring special handling. We currently only handle PSS.
937 */
938static int
939rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
940 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
941{
942 /* Sanity check: make sure it is PSS */
943 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
944 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
945 return -1;
946 }
947 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
948 /* Carry on */
949 return 2;
950 }
951 return -1;
952}
953
954static int
955rsa_alg_set_pkcs1_padding(X509_ALGOR *alg)
956{
957 return X509_ALGOR_set0_by_nid(alg, NID_rsaEncryption, V_ASN1_NULL, NULL);
958}
959
960static int
961rsa_alg_set_pss_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx)
962{
963 RSA_PSS_PARAMS *pss = NULL;
964 ASN1_STRING *astr = NULL;
965 int ret = 0;
966
967 if (pkey_ctx == NULL)
968 goto err;
969
970 if ((pss = rsa_ctx_to_pss(pkey_ctx)) == NULL)
971 goto err;
972 if ((astr = ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, NULL)) == NULL)
973 goto err;
974 if (!X509_ALGOR_set0_by_nid(alg, EVP_PKEY_RSA_PSS, V_ASN1_SEQUENCE, astr))
975 goto err;
976 astr = NULL;
977
978 ret = 1;
979
980 err:
981 ASN1_STRING_free(astr);
982 RSA_PSS_PARAMS_free(pss);
983
984 return ret;
985}
986
987#ifndef OPENSSL_NO_CMS
988static int
989rsa_alg_set_oaep_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx)
990{
991 const EVP_MD *md, *mgf1md;
992 RSA_OAEP_PARAMS *oaep = NULL;
993 ASN1_STRING *astr = NULL;
994 ASN1_OCTET_STRING *ostr = NULL;
995 unsigned char *label;
996 int labellen;
997 int ret = 0;
998
999 if (EVP_PKEY_CTX_get_rsa_oaep_md(pkey_ctx, &md) <= 0)
1000 goto err;
1001 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0)
1002 goto err;
1003 labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkey_ctx, &label);
1004 if (labellen < 0)
1005 goto err;
1006
1007 if ((oaep = RSA_OAEP_PARAMS_new()) == NULL)
1008 goto err;
1009
1010 if (!rsa_md_to_algor(md, &oaep->hashFunc))
1011 goto err;
1012 if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &oaep->maskGenFunc))
1013 goto err;
1014
1015 /* XXX - why do we not set oaep->maskHash here? */
1016
1017 if (labellen > 0) {
1018 if ((oaep->pSourceFunc = X509_ALGOR_new()) == NULL)
1019 goto err;
1020 if ((ostr = ASN1_OCTET_STRING_new()) == NULL)
1021 goto err;
1022 if (!ASN1_OCTET_STRING_set(ostr, label, labellen))
1023 goto err;
1024 if (!X509_ALGOR_set0_by_nid(oaep->pSourceFunc, NID_pSpecified,
1025 V_ASN1_OCTET_STRING, ostr))
1026 goto err;
1027 ostr = NULL;
1028 }
1029
1030 if ((astr = ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, NULL)) == NULL)
1031 goto err;
1032 if (!X509_ALGOR_set0_by_nid(alg, NID_rsaesOaep, V_ASN1_SEQUENCE, astr))
1033 goto err;
1034 astr = NULL;
1035
1036 ret = 1;
1037
1038 err:
1039 RSA_OAEP_PARAMS_free(oaep);
1040 ASN1_STRING_free(astr);
1041 ASN1_OCTET_STRING_free(ostr);
1042
1043 return ret;
1044}
1045
1046static int
1047rsa_cms_sign(CMS_SignerInfo *si)
1048{
1049 EVP_PKEY_CTX *pkey_ctx;
1050 X509_ALGOR *alg;
1051 int pad_mode = RSA_PKCS1_PADDING;
1052
1053 if ((pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si)) != NULL) {
1054 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0)
1055 return 0;
1056 }
1057
1058 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
1059 if (pad_mode == RSA_PKCS1_PADDING)
1060 return rsa_alg_set_pkcs1_padding(alg);
1061 if (pad_mode == RSA_PKCS1_PSS_PADDING)
1062 return rsa_alg_set_pss_padding(alg, pkey_ctx);
1063
1064 return 0;
1065}
1066#endif
1067
1068static int
1069rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
1070 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
1071{
1072 EVP_PKEY_CTX *pkey_ctx = ctx->pctx;
1073 int pad_mode;
1074
1075 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0)
1076 return 0;
1077 if (pad_mode == RSA_PKCS1_PADDING)
1078 return 2;
1079 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
1080 if (!rsa_alg_set_pss_padding(alg1, pkey_ctx))
1081 return 0;
1082 if (alg2 != NULL) {
1083 if (!rsa_alg_set_pss_padding(alg2, pkey_ctx))
1084 return 0;
1085 }
1086 return 3;
1087 }
1088 return 2;
1089}
1090
1091#ifndef OPENSSL_NO_CMS
1092static RSA_OAEP_PARAMS *
1093rsa_oaep_decode(const X509_ALGOR *alg)
1094{
1095 RSA_OAEP_PARAMS *oaep;
1096
1097 oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter);
1098 if (oaep == NULL)
1099 return NULL;
1100
1101 if (oaep->maskGenFunc != NULL) {
1102 oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
1103 if (oaep->maskHash == NULL) {
1104 RSA_OAEP_PARAMS_free(oaep);
1105 return NULL;
1106 }
1107 }
1108 return oaep;
1109}
1110
1111static int
1112rsa_cms_decrypt(CMS_RecipientInfo *ri)
1113{
1114 EVP_PKEY_CTX *pkctx;
1115 X509_ALGOR *cmsalg;
1116 int nid;
1117 int rv = -1;
1118 unsigned char *label = NULL;
1119 int labellen = 0;
1120 const EVP_MD *mgf1md = NULL, *md = NULL;
1121 RSA_OAEP_PARAMS *oaep;
1122
1123 pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
1124 if (pkctx == NULL)
1125 return 0;
1126 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
1127 return -1;
1128 nid = OBJ_obj2nid(cmsalg->algorithm);
1129 if (nid == NID_rsaEncryption)
1130 return 1;
1131 if (nid != NID_rsaesOaep) {
1132 RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
1133 return -1;
1134 }
1135 /* Decode OAEP parameters */
1136 oaep = rsa_oaep_decode(cmsalg);
1137
1138 if (oaep == NULL) {
1139 RSAerror(RSA_R_INVALID_OAEP_PARAMETERS);
1140 goto err;
1141 }
1142
1143 mgf1md = rsa_algor_to_md(oaep->maskHash);
1144 if (mgf1md == NULL)
1145 goto err;
1146 md = rsa_algor_to_md(oaep->hashFunc);
1147 if (md == NULL)
1148 goto err;
1149
1150 if (oaep->pSourceFunc != NULL) {
1151 X509_ALGOR *plab = oaep->pSourceFunc;
1152
1153 if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
1154 RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE);
1155 goto err;
1156 }
1157 if (plab->parameter->type != V_ASN1_OCTET_STRING) {
1158 RSAerror(RSA_R_INVALID_LABEL);
1159 goto err;
1160 }
1161
1162 label = plab->parameter->value.octet_string->data;
1163
1164 /* Stop label being freed when OAEP parameters are freed */
1165 /* XXX - this leaks label on error... */
1166 plab->parameter->value.octet_string->data = NULL;
1167 labellen = plab->parameter->value.octet_string->length;
1168 }
1169
1170 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
1171 goto err;
1172 if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
1173 goto err;
1174 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
1175 goto err;
1176 if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
1177 goto err;
1178
1179 rv = 1;
1180
1181 err:
1182 RSA_OAEP_PARAMS_free(oaep);
1183 return rv;
1184}
1185
1186static int
1187rsa_cms_encrypt(CMS_RecipientInfo *ri)
1188{
1189 X509_ALGOR *alg;
1190 EVP_PKEY_CTX *pkey_ctx;
1191 int pad_mode = RSA_PKCS1_PADDING;
1192
1193 if ((pkey_ctx = CMS_RecipientInfo_get0_pkey_ctx(ri)) != NULL) {
1194 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0)
1195 return 0;
1196 }
1197
1198 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg))
1199 return 0;
1200 if (pad_mode == RSA_PKCS1_PADDING)
1201 return rsa_alg_set_pkcs1_padding(alg);
1202 if (pad_mode == RSA_PKCS1_OAEP_PADDING)
1203 return rsa_alg_set_oaep_padding(alg, pkey_ctx);
1204
1205 return 0;
1206}
1207#endif
1208
1209const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
1210 .base_method = &rsa_asn1_meth,
1211 .pkey_id = EVP_PKEY_RSA,
1212 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
1213
1214 .pem_str = "RSA",
1215 .info = "OpenSSL RSA method",
1216
1217 .pub_decode = rsa_pub_decode,
1218 .pub_encode = rsa_pub_encode,
1219 .pub_cmp = rsa_pub_cmp,
1220 .pub_print = rsa_pub_print,
1221
1222 .priv_decode = rsa_priv_decode,
1223 .priv_encode = rsa_priv_encode,
1224 .priv_print = rsa_priv_print,
1225
1226 .pkey_size = rsa_size,
1227 .pkey_bits = rsa_bits,
1228 .pkey_security_bits = rsa_security_bits,
1229
1230 .sig_print = rsa_sig_print,
1231
1232 .pkey_free = rsa_free,
1233 .pkey_ctrl = rsa_pkey_ctrl,
1234 .old_priv_decode = old_rsa_priv_decode,
1235 .old_priv_encode = old_rsa_priv_encode,
1236 .item_verify = rsa_item_verify,
1237 .item_sign = rsa_item_sign,
1238};
1239
1240const EVP_PKEY_ASN1_METHOD rsa2_asn1_meth = {
1241 .base_method = &rsa_asn1_meth,
1242 .pkey_id = EVP_PKEY_RSA2,
1243 .pkey_flags = ASN1_PKEY_ALIAS,
1244};
1245
1246const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
1247 .base_method = &rsa_pss_asn1_meth,
1248 .pkey_id = EVP_PKEY_RSA_PSS,
1249 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
1250
1251 .pem_str = "RSA-PSS",
1252 .info = "OpenSSL RSA-PSS method",
1253
1254 .pub_decode = rsa_pub_decode,
1255 .pub_encode = rsa_pub_encode,
1256 .pub_cmp = rsa_pub_cmp,
1257 .pub_print = rsa_pub_print,
1258
1259 .priv_decode = rsa_priv_decode,
1260 .priv_encode = rsa_priv_encode,
1261 .priv_print = rsa_priv_print,
1262
1263 .pkey_size = rsa_size,
1264 .pkey_bits = rsa_bits,
1265 .pkey_security_bits = rsa_security_bits,
1266
1267 .signature_info = rsa_pss_signature_info,
1268
1269 .sig_print = rsa_sig_print,
1270
1271 .pkey_free = rsa_free,
1272 .pkey_ctrl = rsa_pkey_ctrl,
1273 .item_verify = rsa_item_verify,
1274 .item_sign = rsa_item_sign
1275};
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-23 13:32:40 +0000