summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_pmeth.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_pmeth.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c911
1 files changed, 0 insertions, 911 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
deleted file mode 100644
index 453570cf74..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ /dev/null
@@ -1,911 +0,0 @@
1/* $OpenBSD: rsa_pmeth.c,v 1.43 2025/01/17 15:39:19 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <limits.h>
60#include <stdio.h>
61#include <stdlib.h>
62#include <string.h>
63
64#include <openssl/opensslconf.h>
65
66#include <openssl/asn1t.h>
67#include <openssl/bn.h>
68#include <openssl/err.h>
69#include <openssl/evp.h>
70#include <openssl/rsa.h>
71#include <openssl/x509.h>
72#include <openssl/x509v3.h>
73
74#include "bn_local.h"
75#include "evp_local.h"
76#include "rsa_local.h"
77
78/* RSA pkey context structure */
79
80typedef struct {
81 /* Key gen parameters */
82 int nbits;
83 BIGNUM *pub_exp;
84 /* Keygen callback info */
85 int gentmp[2];
86 /* RSA padding mode */
87 int pad_mode;
88 /* message digest */
89 const EVP_MD *md;
90 /* message digest for MGF1 */
91 const EVP_MD *mgf1md;
92 /* PSS salt length */
93 int saltlen;
94 /* Minimum salt length or -1 if no PSS parameter restriction */
95 int min_saltlen;
96 /* Temp buffer */
97 unsigned char *tbuf;
98 /* OAEP label */
99 unsigned char *oaep_label;
100 size_t oaep_labellen;
101} RSA_PKEY_CTX;
102
103/* True if PSS parameters are restricted */
104#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
105
106static int
107pkey_rsa_init(EVP_PKEY_CTX *ctx)
108{
109 RSA_PKEY_CTX *rctx;
110
111 if ((rctx = calloc(1, sizeof(RSA_PKEY_CTX))) == NULL)
112 return 0;
113
114 rctx->nbits = 2048;
115
116 if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)
117 rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
118 else
119 rctx->pad_mode = RSA_PKCS1_PADDING;
120
121 /* Maximum for sign, auto for verify */
122 rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
123 rctx->min_saltlen = -1;
124
125 ctx->data = rctx;
126 ctx->keygen_info = rctx->gentmp;
127 ctx->keygen_info_count = 2;
128
129 return 1;
130}
131
132static int
133pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
134{
135 RSA_PKEY_CTX *dctx, *sctx;
136
137 if (!pkey_rsa_init(dst))
138 return 0;
139
140 sctx = src->data;
141 dctx = dst->data;
142 dctx->nbits = sctx->nbits;
143 if (sctx->pub_exp != NULL) {
144 BN_free(dctx->pub_exp);
145 if ((dctx->pub_exp = BN_dup(sctx->pub_exp)) == NULL)
146 return 0;
147 }
148 dctx->pad_mode = sctx->pad_mode;
149 dctx->md = sctx->md;
150 dctx->mgf1md = sctx->mgf1md;
151 if (sctx->oaep_label != NULL) {
152 free(dctx->oaep_label);
153 if ((dctx->oaep_label = calloc(1, sctx->oaep_labellen)) == NULL)
154 return 0;
155 memcpy(dctx->oaep_label, sctx->oaep_label, sctx->oaep_labellen);
156 dctx->oaep_labellen = sctx->oaep_labellen;
157 }
158
159 return 1;
160}
161
162static int
163setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
164{
165 if (ctx->tbuf != NULL)
166 return 1;
167 if ((ctx->tbuf = calloc(1, EVP_PKEY_size(pk->pkey))) == NULL) {
168 RSAerror(ERR_R_MALLOC_FAILURE);
169 return 0;
170 }
171 return 1;
172}
173
174static void
175pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
176{
177 RSA_PKEY_CTX *rctx = ctx->data;
178
179 if (rctx) {
180 BN_free(rctx->pub_exp);
181 free(rctx->tbuf);
182 free(rctx->oaep_label);
183 free(rctx);
184 }
185}
186
187static int
188pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
189 const unsigned char *tbs, size_t tbslen)
190{
191 int ret;
192 RSA_PKEY_CTX *rctx = ctx->data;
193 RSA *rsa = ctx->pkey->pkey.rsa;
194
195 if (rctx->md) {
196 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
197 RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
198 return -1;
199 }
200
201 if (rctx->pad_mode == RSA_X931_PADDING) {
202 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
203 RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
204 return -1;
205 }
206 if (!setup_tbuf(rctx, ctx)) {
207 RSAerror(ERR_R_MALLOC_FAILURE);
208 return -1;
209 }
210 memcpy(rctx->tbuf, tbs, tbslen);
211 rctx->tbuf[tbslen] =
212 RSA_X931_hash_id(EVP_MD_type(rctx->md));
213 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
214 rsa, RSA_X931_PADDING);
215 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
216 unsigned int sltmp;
217
218 ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
219 &sltmp, rsa);
220 if (ret <= 0)
221 return ret;
222 ret = sltmp;
223 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
224 if (!setup_tbuf(rctx, ctx))
225 return -1;
226 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf,
227 tbs, rctx->md, rctx->mgf1md, rctx->saltlen))
228 return -1;
229 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
230 sig, rsa, RSA_NO_PADDING);
231 } else {
232 return -1;
233 }
234 } else {
235 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
236 rctx->pad_mode);
237 }
238 if (ret < 0)
239 return ret;
240 *siglen = ret;
241 return 1;
242}
243
244static int
245pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
246 const unsigned char *sig, size_t siglen)
247{
248 int ret;
249 RSA_PKEY_CTX *rctx = ctx->data;
250
251 if (rctx->md) {
252 if (rctx->pad_mode == RSA_X931_PADDING) {
253 if (!setup_tbuf(rctx, ctx))
254 return -1;
255 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
256 ctx->pkey->pkey.rsa, RSA_X931_PADDING);
257 if (ret < 1)
258 return 0;
259 ret--;
260 if (rctx->tbuf[ret] !=
261 RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
262 RSAerror(RSA_R_ALGORITHM_MISMATCH);
263 return 0;
264 }
265 if (ret != EVP_MD_size(rctx->md)) {
266 RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
267 return 0;
268 }
269 if (rout)
270 memcpy(rout, rctx->tbuf, ret);
271 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
272 size_t sltmp;
273
274 ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
275 rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
276 if (ret <= 0)
277 return 0;
278 ret = sltmp;
279 } else {
280 return -1;
281 }
282 } else {
283 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
284 rctx->pad_mode);
285 }
286 if (ret < 0)
287 return ret;
288 *routlen = ret;
289 return 1;
290}
291
292static int
293pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
294 const unsigned char *tbs, size_t tbslen)
295{
296 RSA_PKEY_CTX *rctx = ctx->data;
297 RSA *rsa = ctx->pkey->pkey.rsa;
298 size_t rslen;
299
300 if (rctx->md) {
301 if (rctx->pad_mode == RSA_PKCS1_PADDING)
302 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
303 sig, siglen, rsa);
304 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
305 RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
306 return -1;
307 }
308 if (rctx->pad_mode == RSA_X931_PADDING) {
309 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
310 siglen) <= 0)
311 return 0;
312 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
313 int ret;
314
315 if (!setup_tbuf(rctx, ctx))
316 return -1;
317 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
318 rsa, RSA_NO_PADDING);
319 if (ret <= 0)
320 return 0;
321 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
322 rctx->mgf1md, rctx->tbuf, rctx->saltlen);
323 if (ret <= 0)
324 return 0;
325 return 1;
326 } else {
327 return -1;
328 }
329 } else {
330 int ret;
331
332 if (!setup_tbuf(rctx, ctx))
333 return -1;
334
335 if ((ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
336 rctx->pad_mode)) <= 0)
337 return 0;
338
339 rslen = ret;
340 }
341
342 if (rslen != tbslen || timingsafe_bcmp(tbs, rctx->tbuf, rslen))
343 return 0;
344
345 return 1;
346}
347
348static int
349pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
350 const unsigned char *in, size_t inlen)
351{
352 RSA_PKEY_CTX *rctx = ctx->data;
353 int ret;
354
355 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
356 int klen = RSA_size(ctx->pkey->pkey.rsa);
357 if (!setup_tbuf(rctx, ctx))
358 return -1;
359 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
360 in, inlen, rctx->oaep_label, rctx->oaep_labellen,
361 rctx->md, rctx->mgf1md))
362 return -1;
363 ret = RSA_public_encrypt(klen, rctx->tbuf, out,
364 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
365 } else {
366 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
367 rctx->pad_mode);
368 }
369 if (ret < 0)
370 return ret;
371 *outlen = ret;
372 return 1;
373}
374
375static int
376pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
377 const unsigned char *in, size_t inlen)
378{
379 int ret;
380 RSA_PKEY_CTX *rctx = ctx->data;
381
382 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
383 if (!setup_tbuf(rctx, ctx))
384 return -1;
385 ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
386 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
387 if (ret <= 0)
388 return ret;
389 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
390 ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md,
391 rctx->mgf1md);
392 } else {
393 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
394 rctx->pad_mode);
395 }
396 if (ret < 0)
397 return ret;
398 *outlen = ret;
399 return 1;
400}
401
402static int
403check_padding_md(const EVP_MD *md, int padding)
404{
405 if (md == NULL)
406 return 1;
407
408 if (padding == RSA_NO_PADDING) {
409 RSAerror(RSA_R_INVALID_PADDING_MODE);
410 return 0;
411 }
412
413 if (padding == RSA_X931_PADDING) {
414 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
415 RSAerror(RSA_R_INVALID_X931_DIGEST);
416 return 0;
417 }
418 } else {
419 /* List of all supported RSA digests. */
420 /* RFC 8017 and NIST CSOR. */
421 switch(EVP_MD_type(md)) {
422 case NID_sha1:
423 case NID_sha224:
424 case NID_sha256:
425 case NID_sha384:
426 case NID_sha512:
427 case NID_sha512_224:
428 case NID_sha512_256:
429 case NID_sha3_224:
430 case NID_sha3_256:
431 case NID_sha3_384:
432 case NID_sha3_512:
433 case NID_md5:
434 case NID_md5_sha1:
435 case NID_md4:
436 case NID_ripemd160:
437 return 1;
438
439 default:
440 RSAerror(RSA_R_INVALID_DIGEST);
441 return 0;
442 }
443 }
444
445 return 1;
446}
447
448static int
449pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
450{
451 RSA_PKEY_CTX *rctx = ctx->data;
452
453 switch (type) {
454 case EVP_PKEY_CTRL_RSA_PADDING:
455 if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) {
456 if (!check_padding_md(rctx->md, p1))
457 return 0;
458 if (p1 == RSA_PKCS1_PSS_PADDING) {
459 if (!(ctx->operation &
460 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
461 goto bad_pad;
462 if (!rctx->md)
463 rctx->md = EVP_sha1();
464 } else if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
465 goto bad_pad;
466 }
467 if (p1 == RSA_PKCS1_OAEP_PADDING) {
468 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
469 goto bad_pad;
470 if (!rctx->md)
471 rctx->md = EVP_sha1();
472 }
473 rctx->pad_mode = p1;
474 return 1;
475 }
476 bad_pad:
477 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
478 return -2;
479
480 case EVP_PKEY_CTRL_GET_RSA_PADDING:
481 *(int *)p2 = rctx->pad_mode;
482 return 1;
483
484 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
485 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
486 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
487 RSAerror(RSA_R_INVALID_PSS_SALTLEN);
488 return -2;
489 }
490 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
491 *(int *)p2 = rctx->saltlen;
492 } else {
493 if (p1 < RSA_PSS_SALTLEN_MAX)
494 return -2;
495 if (rsa_pss_restricted(rctx)) {
496 if (p1 == RSA_PSS_SALTLEN_AUTO &&
497 ctx->operation == EVP_PKEY_OP_VERIFY) {
498 RSAerror(RSA_R_INVALID_PSS_SALTLEN);
499 return -2;
500 }
501 if ((p1 == RSA_PSS_SALTLEN_DIGEST &&
502 rctx->min_saltlen > EVP_MD_size(rctx->md)) ||
503 (p1 >= 0 && p1 < rctx->min_saltlen)) {
504 RSAerror(RSA_R_PSS_SALTLEN_TOO_SMALL);
505 return 0;
506 }
507 }
508 rctx->saltlen = p1;
509 }
510 return 1;
511
512 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
513 if (p1 < RSA_MIN_MODULUS_BITS) {
514 RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
515 return -2;
516 }
517 rctx->nbits = p1;
518 return 1;
519
520 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
521 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) ||
522 BN_is_one((BIGNUM *)p2)) {
523 RSAerror(RSA_R_BAD_E_VALUE);
524 return -2;
525 }
526 BN_free(rctx->pub_exp);
527 rctx->pub_exp = p2;
528 return 1;
529
530 case EVP_PKEY_CTRL_RSA_OAEP_MD:
531 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
532 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
533 RSAerror(RSA_R_INVALID_PADDING_MODE);
534 return -2;
535 }
536 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
537 *(const EVP_MD **)p2 = rctx->md;
538 else
539 rctx->md = p2;
540 return 1;
541
542 case EVP_PKEY_CTRL_MD:
543 if (!check_padding_md(p2, rctx->pad_mode))
544 return 0;
545 if (rsa_pss_restricted(rctx)) {
546 if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
547 return 1;
548 RSAerror(RSA_R_DIGEST_NOT_ALLOWED);
549 return 0;
550 }
551 rctx->md = p2;
552 return 1;
553
554 case EVP_PKEY_CTRL_GET_MD:
555 *(const EVP_MD **)p2 = rctx->md;
556 return 1;
557
558 case EVP_PKEY_CTRL_RSA_MGF1_MD:
559 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
560 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
561 rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
562 RSAerror(RSA_R_INVALID_MGF1_MD);
563 return -2;
564 }
565 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
566 if (rctx->mgf1md)
567 *(const EVP_MD **)p2 = rctx->mgf1md;
568 else
569 *(const EVP_MD **)p2 = rctx->md;
570 } else {
571 if (rsa_pss_restricted(rctx)) {
572 if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
573 return 1;
574 RSAerror(RSA_R_MGF1_DIGEST_NOT_ALLOWED);
575 return 0;
576 }
577 rctx->mgf1md = p2;
578 }
579 return 1;
580
581 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
582 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
583 RSAerror(RSA_R_INVALID_PADDING_MODE);
584 return -2;
585 }
586 free(rctx->oaep_label);
587 if (p2 != NULL && p1 > 0) {
588 rctx->oaep_label = p2;
589 rctx->oaep_labellen = p1;
590 } else {
591 rctx->oaep_label = NULL;
592 rctx->oaep_labellen = 0;
593 }
594 return 1;
595
596 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
597 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
598 RSAerror(RSA_R_INVALID_PADDING_MODE);
599 return -2;
600 }
601 *(unsigned char **)p2 = rctx->oaep_label;
602 return rctx->oaep_labellen;
603
604 case EVP_PKEY_CTRL_DIGESTINIT:
605 case EVP_PKEY_CTRL_PKCS7_SIGN:
606#ifndef OPENSSL_NO_CMS
607 case EVP_PKEY_CTRL_CMS_SIGN:
608#endif
609 return 1;
610
611 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
612 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
613#ifndef OPENSSL_NO_CMS
614 case EVP_PKEY_CTRL_CMS_DECRYPT:
615 case EVP_PKEY_CTRL_CMS_ENCRYPT:
616#endif
617 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
618 return 1;
619
620 /* fall through */
621 case EVP_PKEY_CTRL_PEER_KEY:
622 RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
623 return -2;
624
625 default:
626 return -2;
627
628 }
629}
630
631static int
632pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
633{
634 const char *errstr;
635
636 if (!value) {
637 RSAerror(RSA_R_VALUE_MISSING);
638 return 0;
639 }
640 if (strcmp(type, "rsa_padding_mode") == 0) {
641 int pm;
642 if (strcmp(value, "pkcs1") == 0)
643 pm = RSA_PKCS1_PADDING;
644 else if (strcmp(value, "none") == 0)
645 pm = RSA_NO_PADDING;
646 else if (strcmp(value, "oaep") == 0 || strcmp(value, "oeap") == 0)
647 pm = RSA_PKCS1_OAEP_PADDING;
648 else if (strcmp(value, "x931") == 0)
649 pm = RSA_X931_PADDING;
650 else if (strcmp(value, "pss") == 0)
651 pm = RSA_PKCS1_PSS_PADDING;
652 else {
653 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
654 return -2;
655 }
656 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
657 }
658
659 if (strcmp(type, "rsa_pss_saltlen") == 0) {
660 int saltlen;
661
662 if (strcmp(value, "digest") == 0)
663 saltlen = RSA_PSS_SALTLEN_DIGEST;
664 else if (strcmp(value, "max") == 0)
665 saltlen = RSA_PSS_SALTLEN_MAX;
666 else if (strcmp(value, "auto") == 0)
667 saltlen = RSA_PSS_SALTLEN_AUTO;
668 else {
669 /*
670 * Accept the special values -1, -2, -3 since that's
671 * what atoi() historically did. Lower values are later
672 * rejected in EVP_PKEY_CTRL_RSA_PSS_SALTLEN anyway.
673 */
674 saltlen = strtonum(value, -3, INT_MAX, &errstr);
675 if (errstr != NULL) {
676 RSAerror(RSA_R_INVALID_PSS_SALTLEN);
677 return -2;
678 }
679 }
680 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
681 }
682
683 if (strcmp(type, "rsa_keygen_bits") == 0) {
684 int nbits;
685
686 nbits = strtonum(value, 0, INT_MAX, &errstr);
687 if (errstr != NULL) {
688 RSAerror(RSA_R_INVALID_KEYBITS);
689 return -2;
690 }
691
692 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
693 }
694
695 if (strcmp(type, "rsa_keygen_pubexp") == 0) {
696 BIGNUM *pubexp = NULL;
697 int ret;
698
699 if (!BN_asc2bn(&pubexp, value))
700 return 0;
701 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
702 if (ret <= 0)
703 BN_free(pubexp);
704 return ret;
705 }
706
707 if (strcmp(type, "rsa_mgf1_md") == 0)
708 return EVP_PKEY_CTX_md(ctx,
709 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
710 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
711
712 if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
713 if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
714 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
715 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
716
717 if (strcmp(type, "rsa_pss_keygen_md") == 0)
718 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
719 EVP_PKEY_CTRL_MD, value);
720
721 if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
722 int saltlen;
723
724 /*
725 * Accept the special values -1, -2, -3 since that's
726 * what atoi() historically did. Lower values are later
727 * rejected in EVP_PKEY_CTRL_RSA_PSS_SALTLEN anyway.
728 */
729 saltlen = strtonum(value, -3, INT_MAX, &errstr);
730 if (errstr != NULL) {
731 RSAerror(RSA_R_INVALID_PSS_SALTLEN);
732 return -2;
733 }
734
735 return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
736 }
737 }
738
739 if (strcmp(type, "rsa_oaep_md") == 0)
740 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
741 EVP_PKEY_CTRL_RSA_OAEP_MD, value);
742
743 if (strcmp(type, "rsa_oaep_label") == 0) {
744 unsigned char *lab;
745 long lablen;
746 int ret;
747
748 if ((lab = string_to_hex(value, &lablen)) == NULL)
749 return 0;
750 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
751 if (ret <= 0)
752 free(lab);
753
754 return ret;
755 }
756
757 return -2;
758}
759
760/* Set PSS parameters when generating a key, if necessary. */
761static int
762rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
763{
764 RSA_PKEY_CTX *rctx = ctx->data;
765
766 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
767 return 1;
768
769 /* If all parameters are default values then do not set PSS. */
770 if (rctx->md == NULL && rctx->mgf1md == NULL &&
771 rctx->saltlen == RSA_PSS_SALTLEN_AUTO)
772 return 1;
773
774 rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
775 rctx->saltlen == RSA_PSS_SALTLEN_AUTO ? 0 : rctx->saltlen);
776 if (rsa->pss == NULL)
777 return 0;
778
779 return 1;
780}
781
782static int
783pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
784{
785 RSA *rsa = NULL;
786 RSA_PKEY_CTX *rctx = ctx->data;
787 BN_GENCB *pcb = NULL;
788 BN_GENCB cb = {0};
789 int ret = 0;
790
791 if (rctx->pub_exp == NULL) {
792 if ((rctx->pub_exp = BN_new()) == NULL)
793 goto err;
794 if (!BN_set_word(rctx->pub_exp, RSA_F4))
795 goto err;
796 }
797
798 if ((rsa = RSA_new()) == NULL)
799 goto err;
800 if (ctx->pkey_gencb != NULL) {
801 pcb = &cb;
802 evp_pkey_set_cb_translate(pcb, ctx);
803 }
804 if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb))
805 goto err;
806 if (!rsa_set_pss_param(rsa, ctx))
807 goto err;
808 if (!EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa))
809 goto err;
810 rsa = NULL;
811
812 ret = 1;
813
814 err:
815 RSA_free(rsa);
816
817 return ret;
818}
819
820const EVP_PKEY_METHOD rsa_pkey_meth = {
821 .pkey_id = EVP_PKEY_RSA,
822 .flags = EVP_PKEY_FLAG_AUTOARGLEN,
823
824 .init = pkey_rsa_init,
825 .copy = pkey_rsa_copy,
826 .cleanup = pkey_rsa_cleanup,
827
828 .keygen = pkey_rsa_keygen,
829
830 .sign = pkey_rsa_sign,
831
832 .verify = pkey_rsa_verify,
833
834 .verify_recover = pkey_rsa_verifyrecover,
835
836 .encrypt = pkey_rsa_encrypt,
837
838 .decrypt = pkey_rsa_decrypt,
839
840 .ctrl = pkey_rsa_ctrl,
841 .ctrl_str = pkey_rsa_ctrl_str
842};
843
844/*
845 * Called for PSS sign or verify initialisation: checks PSS parameter
846 * sanity and sets any restrictions on key usage.
847 */
848
849static int
850pkey_pss_init(EVP_PKEY_CTX *ctx)
851{
852 RSA *rsa;
853 RSA_PKEY_CTX *rctx = ctx->data;
854 const EVP_MD *md;
855 const EVP_MD *mgf1md;
856 int min_saltlen, max_saltlen;
857
858 /* Should never happen */
859 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
860 return 0;
861 rsa = ctx->pkey->pkey.rsa;
862
863 /* If no restrictions just return */
864 if (rsa->pss == NULL)
865 return 1;
866
867 /* Get and check parameters */
868 if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
869 return 0;
870
871 /* See if minimum salt length exceeds maximum possible */
872 max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
873 if ((RSA_bits(rsa) & 0x7) == 1)
874 max_saltlen--;
875 if (min_saltlen > max_saltlen) {
876 RSAerror(RSA_R_INVALID_SALT_LENGTH);
877 return 0;
878 }
879 rctx->min_saltlen = min_saltlen;
880
881 /*
882 * Set PSS restrictions as defaults: we can then block any attempt to
883 * use invalid values in pkey_rsa_ctrl
884 */
885
886 rctx->md = md;
887 rctx->mgf1md = mgf1md;
888 rctx->saltlen = min_saltlen;
889
890 return 1;
891}
892
893const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
894 .pkey_id = EVP_PKEY_RSA_PSS,
895 .flags = EVP_PKEY_FLAG_AUTOARGLEN,
896
897 .init = pkey_rsa_init,
898 .copy = pkey_rsa_copy,
899 .cleanup = pkey_rsa_cleanup,
900
901 .keygen = pkey_rsa_keygen,
902
903 .sign_init = pkey_pss_init,
904 .sign = pkey_rsa_sign,
905
906 .verify_init = pkey_pss_init,
907 .verify = pkey_rsa_verify,
908
909 .ctrl = pkey_rsa_ctrl,
910 .ctrl_str = pkey_rsa_ctrl_str
911};
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-23 13:32:00 +0000