1 files changed, 198 insertions, 39 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 1b6d1de35d..5fd6309298 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.30 2019/10/31 13:10:40 jsing Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.31 2019/10/31 13:56:29 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -89,6 +89,8 @@ typedef struct {
        const EVP_MD *mgf1md;
        /* PSS salt length */
        int saltlen;
+        /* Minimum salt length or -1 if no PSS parameter restriction */
+        int min_saltlen;
        /* Temp buffer */
        unsigned char *tbuf;
        /* OAEP label */
@@ -96,6 +98,9 @@ typedef struct {
        size_t oaep_labellen;
 } RSA_PKEY_CTX;
+/* True if PSS parameters are restricted */
+#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
 static int
 pkey_rsa_init(EVP_PKEY_CTX *ctx)
 {
@@ -105,9 +110,15 @@ pkey_rsa_init(EVP_PKEY_CTX *ctx)
                return 0;
        rctx->nbits = 2048;
-        rctx->pad_mode = RSA_PKCS1_PADDING;
-        rctx->saltlen = -2;
+        if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)
+                rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
+        else
+                rctx->pad_mode = RSA_PKCS1_PADDING;
+        /* Maximum for sign, auto for verify */
+        rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
+        rctx->min_saltlen = -1;
        ctx->data = rctx;
        ctx->keygen_info = rctx->gentmp;
@@ -385,7 +396,7 @@ pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
 static int
 check_padding_md(const EVP_MD *md, int padding)
 {
-        if (!md)
+        if (md == NULL)
                return 1;
        if (padding == RSA_NO_PADDING) {
@@ -398,7 +409,24 @@ check_padding_md(const EVP_MD *md, int padding)
                        RSAerror(RSA_R_INVALID_X931_DIGEST);
                        return 0;
                }
-                return 1;
+        } else {
+                /* List of all supported RSA digests. */
+                switch(EVP_MD_type(md)) {
+                case NID_sha1:
+                case NID_sha224:
+                case NID_sha256:
+                case NID_sha384:
+                case NID_sha512:
+                case NID_md5:
+                case NID_md5_sha1:
+                case NID_md4:
+                case NID_ripemd160:
+                        return 1;
+                default:
+                        RSAerror(RSA_R_INVALID_DIGEST);
+                        return 0;
+                }
        }
        return 1;
@@ -420,6 +448,8 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
                                        goto bad_pad;
                                if (!rctx->md)
                                        rctx->md = EVP_sha1();
+                        } else if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
+                                goto bad_pad;
                        }
                        if (p1 == RSA_PKCS1_OAEP_PADDING) {
                                if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
@@ -447,8 +477,21 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
                if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
                        *(int *)p2 = rctx->saltlen;
                } else {
-                        if (p1 < -2)
+                        if (p1 < RSA_PSS_SALTLEN_MAX)
                                return -2;
+                        if (rsa_pss_restricted(rctx)) {
+                                if (p1 == RSA_PSS_SALTLEN_AUTO &&
+                                    ctx->operation == EVP_PKEY_OP_VERIFY) {
+                                        RSAerror(RSA_R_INVALID_PSS_SALTLEN);
+                                        return -2;
+                                }
+                                if ((p1 == RSA_PSS_SALTLEN_DIGEST &&
+                                    rctx->min_saltlen > EVP_MD_size(rctx->md)) ||
+                                    (p1 >= 0 && p1 < rctx->min_saltlen)) {
+                                        RSAerror(RSA_R_PSS_SALTLEN_TOO_SMALL);
+                                        return 0;
+                                }
+                        }
                        rctx->saltlen = p1;
                }
                return 1;
@@ -486,6 +529,12 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
        case EVP_PKEY_CTRL_MD:
                if (!check_padding_md(p2, rctx->pad_mode))
                        return 0;
+                if (rsa_pss_restricted(rctx)) {
+                        if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
+                                return 1;
+                        RSAerror(RSA_R_DIGEST_NOT_ALLOWED);
+                        return 0;
+                }
                rctx->md = p2;
                return 1;
@@ -505,8 +554,15 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
                                *(const EVP_MD **)p2 = rctx->mgf1md;
                        else
                                *(const EVP_MD **)p2 = rctx->md;
-                } else
+                } else {
+                        if (rsa_pss_restricted(rctx)) {
+                                if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
+                                        return 1;
+                                RSAerror(RSA_R_MGF1_DIGEST_NOT_ALLOWED);
+                                return 0;
+                        }
                        rctx->mgf1md = p2;
+                }
                return 1;
        case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
@@ -533,25 +589,28 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
                return rctx->oaep_labellen;
        case EVP_PKEY_CTRL_DIGESTINIT:
-        case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
-        case EVP_PKEY_CTRL_PKCS7_DECRYPT:
        case EVP_PKEY_CTRL_PKCS7_SIGN:
                return 1;
+        case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
+        case EVP_PKEY_CTRL_PKCS7_DECRYPT:
+                if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
+                        return 1;
+        /* fall through */
        case EVP_PKEY_CTRL_PEER_KEY:
                RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
                return -2;
        default:
                return -2;
        }
 }
 static int
 pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
 {
-        long lval;
-        char *ep;
        if (!value) {
                RSAerror(RSA_R_VALUE_MISSING);
                return 0;
@@ -577,39 +636,29 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
                return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
        }
-        if (!strcmp(type, "rsa_pss_saltlen")) {
+        if (strcmp(type, "rsa_pss_saltlen") == 0) {
                int saltlen;
-                errno = 0;
+                if (!strcmp(value, "digest"))
-                lval = strtol(value, &ep, 10);
+                        saltlen = RSA_PSS_SALTLEN_DIGEST;
-                if (value[0] == '\0' || *ep != '\0')
+                else if (!strcmp(value, "max"))
-                        goto not_a_number;
+                        saltlen = RSA_PSS_SALTLEN_MAX;
-                if ((errno == ERANGE &&
+                else if (!strcmp(value, "auto"))
-                    (lval == LONG_MAX || lval == LONG_MIN)) ||
+                        saltlen = RSA_PSS_SALTLEN_AUTO;
-                    (lval > INT_MAX || lval < INT_MIN))
+                else
-                        goto out_of_range;
+                        saltlen = atoi(value);
-                saltlen = lval;
                return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
        }
-        if (!strcmp(type, "rsa_keygen_bits")) {
+        if (strcmp(type, "rsa_keygen_bits") == 0) {
-                int nbits;
+                int nbits = atoi(value);
-                errno = 0;
-                lval = strtol(value, &ep, 10);
-                if (value[0] == '\0' || *ep != '\0')
-                        goto not_a_number;
-                if ((errno == ERANGE &&
-                    (lval == LONG_MAX || lval == LONG_MIN)) ||
-                    (lval > INT_MAX || lval < INT_MIN))
-                        goto out_of_range;
-                nbits = lval;
                return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
        }
-        if (!strcmp(type, "rsa_keygen_pubexp")) {
+        if (strcmp(type, "rsa_keygen_pubexp") == 0) {
-                int ret;
                BIGNUM *pubexp = NULL;
+                int ret;
                if (!BN_asc2bn(&pubexp, value))
                        return 0;
@@ -624,6 +673,22 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
                    EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
                    EVP_PKEY_CTRL_RSA_MGF1_MD, value);
+        if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
+                if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
+                        return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
+                            EVP_PKEY_CTRL_RSA_MGF1_MD, value);
+                if (strcmp(type, "rsa_pss_keygen_md") == 0)
+                        return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
+                            EVP_PKEY_CTRL_MD, value);
+                if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
+                        int saltlen = atoi(value);
+                        return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
+                }
+        }
        if (strcmp(type, "rsa_oaep_md") == 0)
                return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
                    EVP_PKEY_CTRL_RSA_OAEP_MD, value);
@@ -642,11 +707,31 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
                return ret;
        }
- not_a_number:
- out_of_range:
        return -2;
 }
+/* Set PSS parameters when generating a key, if necessary. */
+static int
+rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
+{
+        RSA_PKEY_CTX *rctx = ctx->data;
+        if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
+                return 1;
+        /* If all parameters are default values then do not set PSS. */
+        if (rctx->md == NULL && rctx->mgf1md == NULL &&
+            rctx->saltlen == RSA_PSS_SALTLEN_AUTO)
+                return 1;
+        rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
+            rctx->saltlen == RSA_PSS_SALTLEN_AUTO ? 0 : rctx->saltlen);
+        if (rsa->pss == NULL)
+                return 0;
+        return 1;
+}
 static int
 pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 {
@@ -670,8 +755,12 @@ pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
                pcb = NULL;
        }
        ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
+        if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
+                RSA_free(rsa);
+                return 0;
+        }
        if (ret > 0)
-                EVP_PKEY_assign_RSA(pkey, rsa);
+                EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
        else
                RSA_free(rsa);
        return ret;
@@ -700,3 +789,73 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
        .ctrl = pkey_rsa_ctrl,
        .ctrl_str = pkey_rsa_ctrl_str
 };
+/*
+ * Called for PSS sign or verify initialisation: checks PSS parameter
+ * sanity and sets any restrictions on key usage.
+ */
+static int
+pkey_pss_init(EVP_PKEY_CTX *ctx)
+{
+        RSA *rsa;
+        RSA_PKEY_CTX *rctx = ctx->data;
+        const EVP_MD *md;
+        const EVP_MD *mgf1md;
+        int min_saltlen, max_saltlen;
+        /* Should never happen */
+        if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
+                return 0;
+        rsa = ctx->pkey->pkey.rsa;
+        /* If no restrictions just return */
+        if (rsa->pss == NULL)
+                return 1;
+        /* Get and check parameters */
+        if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
+                return 0;
+        /* See if minimum salt length exceeds maximum possible */
+        max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
+        if ((RSA_bits(rsa) & 0x7) == 1)
+                max_saltlen--;
+        if (min_saltlen > max_saltlen) {
+                RSAerror(RSA_R_INVALID_SALT_LENGTH);
+                return 0;
+        }
+        rctx->min_saltlen = min_saltlen;
+        /*
+         * Set PSS restrictions as defaults: we can then block any attempt to
+         * use invalid values in pkey_rsa_ctrl
+         */
+        rctx->md = md;
+        rctx->mgf1md = mgf1md;
+        rctx->saltlen = min_saltlen;
+        return 1;
+}
+const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
+        .pkey_id = EVP_PKEY_RSA_PSS,
+        .flags = EVP_PKEY_FLAG_AUTOARGLEN,
+        .init = pkey_rsa_init,
+        .copy = pkey_rsa_copy,
+        .cleanup = pkey_rsa_cleanup,
+        .keygen = pkey_rsa_keygen,
+        .sign_init = pkey_pss_init,
+        .sign = pkey_rsa_sign,
+        .verify_init = pkey_pss_init,
+        .verify = pkey_rsa_verify,
+        .ctrl = pkey_rsa_ctrl,
+        .ctrl_str = pkey_rsa_ctrl_str
+};

diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c index 1b6d1de35d..5fd6309298 100644 --- a/src/lib/libcrypto/rsa/rsa_pmeth.c +++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_pmeth.c,v 1.30 2019/10/31 13:10:40 jsing Exp $ */	1	/* $OpenBSD: rsa_pmeth.c,v 1.31 2019/10/31 13:56:29 jsing Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -89,6 +89,8 @@ typedef struct {
89	const EVP_MD *mgf1md;	89	const EVP_MD *mgf1md;
90	/* PSS salt length */	90	/* PSS salt length */
91	int saltlen;	91	int saltlen;
		92	/* Minimum salt length or -1 if no PSS parameter restriction */
		93	int min_saltlen;
92	/* Temp buffer */	94	/* Temp buffer */
93	unsigned char *tbuf;	95	unsigned char *tbuf;
94	/* OAEP label */	96	/* OAEP label */
@@ -96,6 +98,9 @@ typedef struct {
96	size_t oaep_labellen;	98	size_t oaep_labellen;
97	} RSA_PKEY_CTX;	99	} RSA_PKEY_CTX;
98		100
		101	/* True if PSS parameters are restricted */
		102	#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
		103
99	static int	104	static int
100	pkey_rsa_init(EVP_PKEY_CTX *ctx)	105	pkey_rsa_init(EVP_PKEY_CTX *ctx)
101	{	106	{
@@ -105,9 +110,15 @@ pkey_rsa_init(EVP_PKEY_CTX *ctx)
105	return 0;	110	return 0;
106		111
107	rctx->nbits = 2048;	112	rctx->nbits = 2048;
108	rctx->pad_mode = RSA_PKCS1_PADDING;
109		113
110	rctx->saltlen = -2;	114	if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)
		115	rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
		116	else
		117	rctx->pad_mode = RSA_PKCS1_PADDING;
		118
		119	/* Maximum for sign, auto for verify */
		120	rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
		121	rctx->min_saltlen = -1;
111		122
112	ctx->data = rctx;	123	ctx->data = rctx;
113	ctx->keygen_info = rctx->gentmp;	124	ctx->keygen_info = rctx->gentmp;
@@ -385,7 +396,7 @@ pkey_rsa_decrypt(EVP_PKEY_CTX ctx, unsigned char out, size_t *outlen,
385	static int	396	static int
386	check_padding_md(const EVP_MD *md, int padding)	397	check_padding_md(const EVP_MD *md, int padding)
387	{	398	{
388	if (!md)	399	if (md == NULL)
389	return 1;	400	return 1;
390		401
391	if (padding == RSA_NO_PADDING) {	402	if (padding == RSA_NO_PADDING) {
@@ -398,7 +409,24 @@ check_padding_md(const EVP_MD *md, int padding)
398	RSAerror(RSA_R_INVALID_X931_DIGEST);	409	RSAerror(RSA_R_INVALID_X931_DIGEST);
399	return 0;	410	return 0;
400	}	411	}
401	return 1;	412	} else {
		413	/* List of all supported RSA digests. */
		414	switch(EVP_MD_type(md)) {
		415	case NID_sha1:
		416	case NID_sha224:
		417	case NID_sha256:
		418	case NID_sha384:
		419	case NID_sha512:
		420	case NID_md5:
		421	case NID_md5_sha1:
		422	case NID_md4:
		423	case NID_ripemd160:
		424	return 1;
		425
		426	default:
		427	RSAerror(RSA_R_INVALID_DIGEST);
		428	return 0;
		429	}
402	}	430	}
403		431
404	return 1;	432	return 1;
@@ -420,6 +448,8 @@ pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
420	goto bad_pad;	448	goto bad_pad;
421	if (!rctx->md)	449	if (!rctx->md)
422	rctx->md = EVP_sha1();	450	rctx->md = EVP_sha1();
		451	} else if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
		452	goto bad_pad;
423	}	453	}
424	if (p1 == RSA_PKCS1_OAEP_PADDING) {	454	if (p1 == RSA_PKCS1_OAEP_PADDING) {
425	if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))	455	if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
@@ -447,8 +477,21 @@ pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
447	if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {	477	if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
448	(int )p2 = rctx->saltlen;	478	(int )p2 = rctx->saltlen;
449	} else {	479	} else {
450	if (p1 < -2)	480	if (p1 < RSA_PSS_SALTLEN_MAX)
451	return -2;	481	return -2;
		482	if (rsa_pss_restricted(rctx)) {
		483	if (p1 == RSA_PSS_SALTLEN_AUTO &&
		484	ctx->operation == EVP_PKEY_OP_VERIFY) {
		485	RSAerror(RSA_R_INVALID_PSS_SALTLEN);
		486	return -2;
		487	}
		488	if ((p1 == RSA_PSS_SALTLEN_DIGEST &&
		489	rctx->min_saltlen > EVP_MD_size(rctx->md)) \|\|
		490	(p1 >= 0 && p1 < rctx->min_saltlen)) {
		491	RSAerror(RSA_R_PSS_SALTLEN_TOO_SMALL);
		492	return 0;
		493	}
		494	}
452	rctx->saltlen = p1;	495	rctx->saltlen = p1;
453	}	496	}
454	return 1;	497	return 1;
@@ -486,6 +529,12 @@ pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
486	case EVP_PKEY_CTRL_MD:	529	case EVP_PKEY_CTRL_MD:
487	if (!check_padding_md(p2, rctx->pad_mode))	530	if (!check_padding_md(p2, rctx->pad_mode))
488	return 0;	531	return 0;
		532	if (rsa_pss_restricted(rctx)) {
		533	if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
		534	return 1;
		535	RSAerror(RSA_R_DIGEST_NOT_ALLOWED);
		536	return 0;
		537	}
489	rctx->md = p2;	538	rctx->md = p2;
490	return 1;	539	return 1;
491		540
@@ -505,8 +554,15 @@ pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
505	(const EVP_MD *)p2 = rctx->mgf1md;	554	(const EVP_MD *)p2 = rctx->mgf1md;
506	else	555	else
507	(const EVP_MD *)p2 = rctx->md;	556	(const EVP_MD *)p2 = rctx->md;
508	} else	557	} else {
		558	if (rsa_pss_restricted(rctx)) {
		559	if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
		560	return 1;
		561	RSAerror(RSA_R_MGF1_DIGEST_NOT_ALLOWED);
		562	return 0;
		563	}
509	rctx->mgf1md = p2;	564	rctx->mgf1md = p2;
		565	}
510	return 1;	566	return 1;
511		567
512	case EVP_PKEY_CTRL_RSA_OAEP_LABEL:	568	case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
@@ -533,25 +589,28 @@ pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
533	return rctx->oaep_labellen;	589	return rctx->oaep_labellen;
534		590
535	case EVP_PKEY_CTRL_DIGESTINIT:	591	case EVP_PKEY_CTRL_DIGESTINIT:
536	case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
537	case EVP_PKEY_CTRL_PKCS7_DECRYPT:
538	case EVP_PKEY_CTRL_PKCS7_SIGN:	592	case EVP_PKEY_CTRL_PKCS7_SIGN:
539	return 1;	593	return 1;
		594
		595	case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
		596	case EVP_PKEY_CTRL_PKCS7_DECRYPT:
		597	if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
		598	return 1;
		599
		600	/* fall through */
540	case EVP_PKEY_CTRL_PEER_KEY:	601	case EVP_PKEY_CTRL_PEER_KEY:
541	RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);	602	RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
542	return -2;	603	return -2;
543		604
544	default:	605	default:
545	return -2;	606	return -2;
		607
546	}	608	}
547	}	609	}
548		610
549	static int	611	static int
550	pkey_rsa_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)	612	pkey_rsa_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)
551	{	613	{
552	long lval;
553	char *ep;
554
555	if (!value) {	614	if (!value) {
556	RSAerror(RSA_R_VALUE_MISSING);	615	RSAerror(RSA_R_VALUE_MISSING);
557	return 0;	616	return 0;
@@ -577,39 +636,29 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)
577	return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);	636	return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
578	}	637	}
579		638
580	if (!strcmp(type, "rsa_pss_saltlen")) {	639	if (strcmp(type, "rsa_pss_saltlen") == 0) {
581	int saltlen;	640	int saltlen;
582		641
583	errno = 0;	642	if (!strcmp(value, "digest"))
584	lval = strtol(value, &ep, 10);	643	saltlen = RSA_PSS_SALTLEN_DIGEST;
585	if (value[0] == '\0' \|\| *ep != '\0')	644	else if (!strcmp(value, "max"))
586	goto not_a_number;	645	saltlen = RSA_PSS_SALTLEN_MAX;
587	if ((errno == ERANGE &&	646	else if (!strcmp(value, "auto"))
588	(lval == LONG_MAX \|\| lval == LONG_MIN)) \|\|	647	saltlen = RSA_PSS_SALTLEN_AUTO;
589	(lval > INT_MAX \|\| lval < INT_MIN))	648	else
590	goto out_of_range;	649	saltlen = atoi(value);
591	saltlen = lval;
592	return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);	650	return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
593	}	651	}
594		652
595	if (!strcmp(type, "rsa_keygen_bits")) {	653	if (strcmp(type, "rsa_keygen_bits") == 0) {
596	int nbits;	654	int nbits = atoi(value);
597		655
598	errno = 0;
599	lval = strtol(value, &ep, 10);
600	if (value[0] == '\0' \|\| *ep != '\0')
601	goto not_a_number;
602	if ((errno == ERANGE &&
603	(lval == LONG_MAX \|\| lval == LONG_MIN)) \|\|
604	(lval > INT_MAX \|\| lval < INT_MIN))
605	goto out_of_range;
606	nbits = lval;
607	return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);	656	return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
608	}	657	}
609		658
610	if (!strcmp(type, "rsa_keygen_pubexp")) {	659	if (strcmp(type, "rsa_keygen_pubexp") == 0) {
611	int ret;
612	BIGNUM *pubexp = NULL;	660	BIGNUM *pubexp = NULL;
		661	int ret;
613		662
614	if (!BN_asc2bn(&pubexp, value))	663	if (!BN_asc2bn(&pubexp, value))
615	return 0;	664	return 0;
@@ -624,6 +673,22 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)
624	EVP_PKEY_OP_TYPE_SIG \| EVP_PKEY_OP_TYPE_CRYPT,	673	EVP_PKEY_OP_TYPE_SIG \| EVP_PKEY_OP_TYPE_CRYPT,
625	EVP_PKEY_CTRL_RSA_MGF1_MD, value);	674	EVP_PKEY_CTRL_RSA_MGF1_MD, value);
626		675
		676	if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
		677	if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
		678	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
		679	EVP_PKEY_CTRL_RSA_MGF1_MD, value);
		680
		681	if (strcmp(type, "rsa_pss_keygen_md") == 0)
		682	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
		683	EVP_PKEY_CTRL_MD, value);
		684
		685	if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
		686	int saltlen = atoi(value);
		687
		688	return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
		689	}
		690	}
		691
627	if (strcmp(type, "rsa_oaep_md") == 0)	692	if (strcmp(type, "rsa_oaep_md") == 0)
628	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,	693	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
629	EVP_PKEY_CTRL_RSA_OAEP_MD, value);	694	EVP_PKEY_CTRL_RSA_OAEP_MD, value);
@@ -642,11 +707,31 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)
642	return ret;	707	return ret;
643	}	708	}
644		709
645	not_a_number:
646	out_of_range:
647	return -2;	710	return -2;
648	}	711	}
649		712
		713	/* Set PSS parameters when generating a key, if necessary. */
		714	static int
		715	rsa_set_pss_param(RSA rsa, EVP_PKEY_CTX ctx)
		716	{
		717	RSA_PKEY_CTX *rctx = ctx->data;
		718
		719	if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
		720	return 1;
		721
		722	/* If all parameters are default values then do not set PSS. */
		723	if (rctx->md == NULL && rctx->mgf1md == NULL &&
		724	rctx->saltlen == RSA_PSS_SALTLEN_AUTO)
		725	return 1;
		726
		727	rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
		728	rctx->saltlen == RSA_PSS_SALTLEN_AUTO ? 0 : rctx->saltlen);
		729	if (rsa->pss == NULL)
		730	return 0;
		731
		732	return 1;
		733	}
		734
650	static int	735	static int
651	pkey_rsa_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)	736	pkey_rsa_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
652	{	737	{
@@ -670,8 +755,12 @@ pkey_rsa_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
670	pcb = NULL;	755	pcb = NULL;
671	}	756	}
672	ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);	757	ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
		758	if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
		759	RSA_free(rsa);
		760	return 0;
		761	}
673	if (ret > 0)	762	if (ret > 0)
674	EVP_PKEY_assign_RSA(pkey, rsa);	763	EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
675	else	764	else
676	RSA_free(rsa);	765	RSA_free(rsa);
677	return ret;	766	return ret;
@@ -700,3 +789,73 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
700	.ctrl = pkey_rsa_ctrl,	789	.ctrl = pkey_rsa_ctrl,
701	.ctrl_str = pkey_rsa_ctrl_str	790	.ctrl_str = pkey_rsa_ctrl_str
702	};	791	};
		792
		793	/*
		794	* Called for PSS sign or verify initialisation: checks PSS parameter
		795	* sanity and sets any restrictions on key usage.
		796	*/
		797
		798	static int
		799	pkey_pss_init(EVP_PKEY_CTX *ctx)
		800	{
		801	RSA *rsa;
		802	RSA_PKEY_CTX *rctx = ctx->data;
		803	const EVP_MD *md;
		804	const EVP_MD *mgf1md;
		805	int min_saltlen, max_saltlen;
		806
		807	/* Should never happen */
		808	if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
		809	return 0;
		810	rsa = ctx->pkey->pkey.rsa;
		811
		812	/* If no restrictions just return */
		813	if (rsa->pss == NULL)
		814	return 1;
		815
		816	/* Get and check parameters */
		817	if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
		818	return 0;
		819
		820	/* See if minimum salt length exceeds maximum possible */
		821	max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
		822	if ((RSA_bits(rsa) & 0x7) == 1)
		823	max_saltlen--;
		824	if (min_saltlen > max_saltlen) {
		825	RSAerror(RSA_R_INVALID_SALT_LENGTH);
		826	return 0;
		827	}
		828	rctx->min_saltlen = min_saltlen;
		829
		830	/*
		831	* Set PSS restrictions as defaults: we can then block any attempt to
		832	* use invalid values in pkey_rsa_ctrl
		833	*/
		834
		835	rctx->md = md;
		836	rctx->mgf1md = mgf1md;
		837	rctx->saltlen = min_saltlen;
		838
		839	return 1;
		840	}
		841
		842	const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
		843	.pkey_id = EVP_PKEY_RSA_PSS,
		844	.flags = EVP_PKEY_FLAG_AUTOARGLEN,
		845
		846	.init = pkey_rsa_init,
		847	.copy = pkey_rsa_copy,
		848	.cleanup = pkey_rsa_cleanup,
		849
		850	.keygen = pkey_rsa_keygen,
		851
		852	.sign_init = pkey_pss_init,
		853	.sign = pkey_rsa_sign,
		854
		855	.verify_init = pkey_pss_init,
		856	.verify = pkey_rsa_verify,
		857
		858	.ctrl = pkey_rsa_ctrl,
		859	.ctrl_str = pkey_rsa_ctrl_str
		860	};
		861