Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h64
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c120
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c7
-rw-r--r--src/lib/libcrypto/rsa/rsa_locl.h7
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c237
5 files changed, 370 insertions, 65 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index d3f9bee3a5..48d6d64bd1 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa.h,v 1.44 2019/10/29 08:00:18 jsing Exp $ */ 1/* $OpenBSD: rsa.h,v 1.45 2019/10/31 13:56:29 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -201,46 +201,55 @@ struct rsa_st {
201 */ 201 */
202#define RSA_FLAG_NO_BLINDING 0x0080 202#define RSA_FLAG_NO_BLINDING 0x0080
203 203
204/* Salt length matches digest */
205#define RSA_PSS_SALTLEN_DIGEST -1
206/* Verify only: auto detect salt length */
207#define RSA_PSS_SALTLEN_AUTO -2
208/* Set salt length to maximum possible */
209#define RSA_PSS_SALTLEN_MAX -3
210
204#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \ 211#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
205 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ 212 RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, pad, NULL)
206 pad, NULL)
207 213
208#define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \ 214#define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \
209 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, \ 215 RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad)
210 EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad)
211 216
212#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \ 217#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
213 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \ 218 RSA_pkey_ctx_ctrl(ctx, (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
214 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ 219 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL)
215 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \ 220
216 len, NULL) 221#define EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, len) \
222 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \
223 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL)
217 224
218#define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \ 225#define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \
219 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \ 226 RSA_pkey_ctx_ctrl(ctx, (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
220 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ 227 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, plen)
221 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, \
222 0, plen)
223 228
224#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \ 229#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
225 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ 230 RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, \
226 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL) 231 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
227 232
228#define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \ 233#define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \
229 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ 234 RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, \
230 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp) 235 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
231 236
232#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \ 237#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \
233 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \ 238 RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \
234 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md) 239 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md))
235 240
236#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \ 241#define EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(ctx, md) \
237 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \ 242 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \
238 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd) 243 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md))
239 244
240#define EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \ 245#define EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \
241 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ 246 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
242 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)) 247 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md))
243 248
249#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \
250 RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \
251 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(pmd))
252
244#define EVP_PKEY_CTX_get_rsa_oaep_md(ctx, pmd) \ 253#define EVP_PKEY_CTX_get_rsa_oaep_md(ctx, pmd) \
245 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ 254 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
246 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)(pmd)) 255 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)(pmd))
@@ -253,6 +262,10 @@ struct rsa_st {
253 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ 262 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
254 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *)(l)) 263 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *)(l))
255 264
265#define EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md) \
266 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, \
267 EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_MD, 0, (void *)(md))
268
256#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) 269#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
257#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) 270#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
258 271
@@ -602,12 +615,14 @@ void ERR_load_RSA_strings(void);
602#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132 615#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
603#define RSA_R_DATA_TOO_SMALL 111 616#define RSA_R_DATA_TOO_SMALL 111
604#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122 617#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
618#define RSA_R_DIGEST_NOT_ALLOWED 145
605#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112 619#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
606#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124 620#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
607#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125 621#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
608#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123 622#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
609#define RSA_R_FIRST_OCTET_INVALID 133 623#define RSA_R_FIRST_OCTET_INVALID 133
610#define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144 624#define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144
625#define RSA_R_INVALID_DIGEST 157
611#define RSA_R_INVALID_DIGEST_LENGTH 143 626#define RSA_R_INVALID_DIGEST_LENGTH 143
612#define RSA_R_INVALID_HEADER 137 627#define RSA_R_INVALID_HEADER 137
613#define RSA_R_INVALID_KEYBITS 145 628#define RSA_R_INVALID_KEYBITS 145
@@ -624,6 +639,7 @@ void ERR_load_RSA_strings(void);
624#define RSA_R_KEY_SIZE_TOO_SMALL 120 639#define RSA_R_KEY_SIZE_TOO_SMALL 120
625#define RSA_R_LAST_OCTET_INVALID 134 640#define RSA_R_LAST_OCTET_INVALID 134
626#define RSA_R_MODULUS_TOO_LARGE 105 641#define RSA_R_MODULUS_TOO_LARGE 105
642#define RSA_R_MGF1_DIGEST_NOT_ALLOWED 152
627#define RSA_R_NON_FIPS_RSA_METHOD 157 643#define RSA_R_NON_FIPS_RSA_METHOD 157
628#define RSA_R_NO_PUBLIC_EXPONENT 140 644#define RSA_R_NO_PUBLIC_EXPONENT 140
629#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 645#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
@@ -632,6 +648,7 @@ void ERR_load_RSA_strings(void);
632#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158 648#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
633#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 649#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
634#define RSA_R_PADDING_CHECK_FAILED 114 650#define RSA_R_PADDING_CHECK_FAILED 114
651#define RSA_R_PSS_SALTLEN_TOO_SMALL 164
635#define RSA_R_P_NOT_PRIME 128 652#define RSA_R_P_NOT_PRIME 128
636#define RSA_R_Q_NOT_PRIME 129 653#define RSA_R_Q_NOT_PRIME 129
637#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 654#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
@@ -640,6 +657,7 @@ void ERR_load_RSA_strings(void);
640#define RSA_R_SSLV3_ROLLBACK_ATTACK 115 657#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
641#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116 658#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
642#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117 659#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
660#define RSA_R_UNKNOWN_DIGEST 166
643#define RSA_R_UNKNOWN_MASK_DIGEST 151 661#define RSA_R_UNKNOWN_MASK_DIGEST 151
644#define RSA_R_UNKNOWN_PADDING_TYPE 118 662#define RSA_R_UNKNOWN_PADDING_TYPE 118
645#define RSA_R_UNKNOWN_PSS_DIGEST 152 663#define RSA_R_UNKNOWN_PSS_DIGEST 152
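Review bot: Three of the new reason codes reuse numbers already taken in this header: RSA_R_DIGEST_NOT_ALLOWED 145 collides with RSA_R_INVALID_KEYBITS 145, RSA_R_INVALID_DIGEST 157 with RSA_R_NON_FIPS_RSA_METHOD 157, and RSA_R_MGF1_DIGEST_NOT_ALLOWED 152 with RSA_R_UNKNOWN_PSS_DIGEST 152. The error-string table in rsa_err.c is keyed by the numeric code, so one member of each pair will be reported with the other's message, and any caller that switches on ERR_GET_REASON() cannot tell the two conditions apart. The three new defines (and their matching rows in rsa_err.c) need values that do not already appear in the RSA_R_ list; keeping the list's habit of allocating unused numbers rather than copying the upstream value would avoid a repeat. I would also add `/* Set salt length to maximum possible (sign only) */`-style wording to the RSA_PSS_SALTLEN_MAX comment, since rsa_pmeth.c uses AUTO for verify and MAX/DIGEST only make sense when signing.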
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index ce3e9b3509..f71cee8ec1 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_ameth.c,v 1.19 2018/08/24 20:22:15 tb Exp $ */ 1/* $OpenBSD: rsa_ameth.c,v 1.20 2019/10/31 13:56:29 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -433,6 +433,124 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
433 return 1; 433 return 1;
434} 434}
435 435
436/* Allocate and set algorithm ID from EVP_MD, defaults to SHA1. */
437static int
438rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md)
439{
440 if (md == NULL || EVP_MD_type(md) == NID_sha1)
441 return 1;
442 *palg = X509_ALGOR_new();
443 if (*palg == NULL)
444 return 0;
445 X509_ALGOR_set_md(*palg, md);
446 return 1;
447}
448
449/* Allocate and set MGF1 algorithm ID from EVP_MD. */
450static int
451rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md)
452{
453 X509_ALGOR *algtmp = NULL;
454 ASN1_STRING *stmp = NULL;
455
456 *palg = NULL;
457 if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1)
458 return 1;
459 /* need to embed algorithm ID inside another */
460 if (!rsa_md_to_algor(&algtmp, mgf1md))
461 goto err;
462 if (ASN1_item_pack(algtmp, &X509_ALGOR_it, &stmp) == NULL)
463 goto err;
464 *palg = X509_ALGOR_new();
465 if (*palg == NULL)
466 goto err;
467 X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
468 stmp = NULL;
469 err:
470 ASN1_STRING_free(stmp);
471 X509_ALGOR_free(algtmp);
472 if (*palg)
473 return 1;
474 return 0;
475}
476
477/* Convert algorithm ID to EVP_MD, defaults to SHA1. */
478static const EVP_MD *
479rsa_algor_to_md(X509_ALGOR *alg)
480{
481 const EVP_MD *md;
482
483 if (!alg)
484 return EVP_sha1();
485 md = EVP_get_digestbyobj(alg->algorithm);
486 if (md == NULL)
487 RSAerror(RSA_R_UNKNOWN_DIGEST);
488 return md;
489}
490
491/* convert algorithm ID to EVP_MD, default SHA1 */
492RSA_PSS_PARAMS *
493rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen)
494{
495 RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();
496
497 if (pss == NULL)
498 goto err;
499 if (saltlen != 20) {
500 pss->saltLength = ASN1_INTEGER_new();
501 if (pss->saltLength == NULL)
502 goto err;
503 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
504 goto err;
505 }
506 if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd))
507 goto err;
508 if (mgf1md == NULL)
509 mgf1md = sigmd;
510 if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
511 goto err;
512 if (!rsa_md_to_algor(&pss->maskHash, mgf1md))
513 goto err;
514 return pss;
515 err:
516 RSA_PSS_PARAMS_free(pss);
517 return NULL;
518}
519
520int
521rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
522 const EVP_MD **pmgf1md, int *psaltlen)
523{
524 if (pss == NULL)
525 return 0;
526 *pmd = rsa_algor_to_md(pss->hashAlgorithm);
527 if (*pmd == NULL)
528 return 0;
529 *pmgf1md = rsa_algor_to_md(pss->maskHash);
530 if (*pmgf1md == NULL)
531 return 0;
532 if (pss->saltLength) {
533 *psaltlen = ASN1_INTEGER_get(pss->saltLength);
534 if (*psaltlen < 0) {
535 RSAerror(RSA_R_INVALID_SALT_LENGTH);
536 return 0;
537 }
538 } else {
539 *psaltlen = 20;
540 }
541
542 /*
543 * low-level routines support only trailer field 0xbc (value 1) and
544 * PKCS#1 says we should reject any other value anyway.
545 */
546 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
547 RSAerror(RSA_R_INVALID_TRAILER);
548 return 0;
549 }
550
551 return 1;
552}
553
436/* Customised RSA item verification routine. This is called 554/* Customised RSA item verification routine. This is called
437 * when a signature is encountered requiring special handling. We 555 * when a signature is encountered requiring special handling. We
438 * currently only handle PSS. 556 * currently only handle PSS.
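Review bot: rsa_pss_params_create encodes any `saltlen` it is handed, so a caller that forwards one of the new symbolic values (rsa_set_pss_param in rsa_pmeth.c passes RSA_PSS_SALTLEN_DIGEST or RSA_PSS_SALTLEN_MAX through unchanged when keygen set them) produces a negative saltLength in the key parameters, which rsa_pss_get_param later rejects with RSA_R_INVALID_SALT_LENGTH. A guard before the allocation, `if (saltlen < 0) { RSAerror(RSA_R_INVALID_SALT_LENGTH); return NULL; }`, fails at the point of the mistake instead of at first use of the key. The bare `20` in `if (saltlen != 20)` and `*psaltlen = 20` deserves a comment such as `/* PKCS#1 DEFAULT saltLength: the SHA-1 digest length */` or a shared named constant. The comment above rsa_pss_params_create, `/* convert algorithm ID to EVP_MD, default SHA1 */`, is copied from rsa_algor_to_md and should read `/* Create PSS parameters from signing digest, MGF1 digest and salt length. */`. Note also that rsa_md_to_algor leaves `*palg` untouched on the SHA-1/NULL default path while rsa_md_to_mgf1 clears it first; callers rely on RSA_PSS_PARAMS_new() having zeroed the field, which is worth stating in the helper's comment.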
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index c2b197c581..91d74307f0 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_err.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ 1/* $OpenBSD: rsa_err.c,v 1.18 2019/10/31 13:56:29 jsing Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -90,12 +90,14 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
90 {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS), "data too large for modulus"}, 90 {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS), "data too large for modulus"},
91 {ERR_REASON(RSA_R_DATA_TOO_SMALL) , "data too small"}, 91 {ERR_REASON(RSA_R_DATA_TOO_SMALL) , "data too small"},
92 {ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE), "data too small for key size"}, 92 {ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE), "data too small for key size"},
93 {ERR_REASON(RSA_R_DIGEST_NOT_ALLOWED) , "digest not allowed"},
93 {ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY), "digest too big for rsa key"}, 94 {ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY), "digest too big for rsa key"},
94 {ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D), "dmp1 not congruent to d"}, 95 {ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D), "dmp1 not congruent to d"},
95 {ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D), "dmq1 not congruent to d"}, 96 {ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D), "dmq1 not congruent to d"},
96 {ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1), "d e not congruent to 1"}, 97 {ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1), "d e not congruent to 1"},
97 {ERR_REASON(RSA_R_FIRST_OCTET_INVALID) , "first octet invalid"}, 98 {ERR_REASON(RSA_R_FIRST_OCTET_INVALID) , "first octet invalid"},
98 {ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "illegal or unsupported padding mode"}, 99 {ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "illegal or unsupported padding mode"},
100 {ERR_REASON(RSA_R_INVALID_DIGEST) , "invalid digest"},
99 {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"}, 101 {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"},
100 {ERR_REASON(RSA_R_INVALID_HEADER) , "invalid header"}, 102 {ERR_REASON(RSA_R_INVALID_HEADER) , "invalid header"},
101 {ERR_REASON(RSA_R_INVALID_KEYBITS) , "invalid keybits"}, 103 {ERR_REASON(RSA_R_INVALID_KEYBITS) , "invalid keybits"},
@@ -111,6 +113,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
111 {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) , "iqmp not inverse of q"}, 113 {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) , "iqmp not inverse of q"},
112 {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) , "key size too small"}, 114 {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) , "key size too small"},
113 {ERR_REASON(RSA_R_LAST_OCTET_INVALID) , "last octet invalid"}, 115 {ERR_REASON(RSA_R_LAST_OCTET_INVALID) , "last octet invalid"},
116 {ERR_REASON(RSA_R_MGF1_DIGEST_NOT_ALLOWED), "mgf1 digest not allowed"},
114 {ERR_REASON(RSA_R_MODULUS_TOO_LARGE) , "modulus too large"}, 117 {ERR_REASON(RSA_R_MODULUS_TOO_LARGE) , "modulus too large"},
115 {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) , "non fips rsa method"}, 118 {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) , "non fips rsa method"},
116 {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) , "no public exponent"}, 119 {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) , "no public exponent"},
@@ -120,6 +123,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
120 {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), "operation not allowed in fips mode"}, 123 {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), "operation not allowed in fips mode"},
121 {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"}, 124 {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"},
122 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) , "padding check failed"}, 125 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) , "padding check failed"},
126 {ERR_REASON(RSA_R_PSS_SALTLEN_TOO_SMALL) , "pss saltlen too small"},
123 {ERR_REASON(RSA_R_P_NOT_PRIME) , "p not prime"}, 127 {ERR_REASON(RSA_R_P_NOT_PRIME) , "p not prime"},
124 {ERR_REASON(RSA_R_Q_NOT_PRIME) , "q not prime"}, 128 {ERR_REASON(RSA_R_Q_NOT_PRIME) , "q not prime"},
125 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED), "rsa operations not supported"}, 129 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED), "rsa operations not supported"},
@@ -128,6 +132,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
128 {ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) , "sslv3 rollback attack"}, 132 {ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) , "sslv3 rollback attack"},
129 {ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "the asn1 object identifier is not known for this md"}, 133 {ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "the asn1 object identifier is not known for this md"},
130 {ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE), "unknown algorithm type"}, 134 {ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE), "unknown algorithm type"},
135 {ERR_REASON(RSA_R_UNKNOWN_DIGEST) , "unknown digest"},
131 {ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) , "unknown mask digest"}, 136 {ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) , "unknown mask digest"},
132 {ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) , "unknown padding type"}, 137 {ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) , "unknown padding type"},
133 {ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) , "unknown pss digest"}, 138 {ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) , "unknown pss digest"},
diff --git a/src/lib/libcrypto/rsa/rsa_locl.h b/src/lib/libcrypto/rsa/rsa_locl.h
index a10ea958b5..d69946f95c 100644
--- a/src/lib/libcrypto/rsa/rsa_locl.h
+++ b/src/lib/libcrypto/rsa/rsa_locl.h
@@ -1,9 +1,14 @@
1/* $OpenBSD: rsa_locl.h,v 1.7 2019/10/31 13:10:40 jsing Exp $ */ 1/* $OpenBSD: rsa_locl.h,v 1.8 2019/10/31 13:56:29 jsing Exp $ */
2 2
3__BEGIN_HIDDEN_DECLS 3__BEGIN_HIDDEN_DECLS
4 4
5#define RSA_MIN_MODULUS_BITS 512 5#define RSA_MIN_MODULUS_BITS 512
6 6
7RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md,
8 int saltlen);
9int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
10 const EVP_MD **pmgf1md, int *psaltlen);
11
7typedef struct rsa_oaep_params_st { 12typedef struct rsa_oaep_params_st {
8 X509_ALGOR *hashFunc; 13 X509_ALGOR *hashFunc;
9 X509_ALGOR *maskGenFunc; 14 X509_ALGOR *maskGenFunc;
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 1b6d1de35d..5fd6309298 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_pmeth.c,v 1.30 2019/10/31 13:10:40 jsing Exp $ */ 1/* $OpenBSD: rsa_pmeth.c,v 1.31 2019/10/31 13:56:29 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -89,6 +89,8 @@ typedef struct {
89 const EVP_MD *mgf1md; 89 const EVP_MD *mgf1md;
90 /* PSS salt length */ 90 /* PSS salt length */
91 int saltlen; 91 int saltlen;
92 /* Minimum salt length or -1 if no PSS parameter restriction */
93 int min_saltlen;
92 /* Temp buffer */ 94 /* Temp buffer */
93 unsigned char *tbuf; 95 unsigned char *tbuf;
94 /* OAEP label */ 96 /* OAEP label */
@@ -96,6 +98,9 @@ typedef struct {
96 size_t oaep_labellen; 98 size_t oaep_labellen;
97} RSA_PKEY_CTX; 99} RSA_PKEY_CTX;
98 100
101/* True if PSS parameters are restricted */
102#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
103
99static int 104static int
100pkey_rsa_init(EVP_PKEY_CTX *ctx) 105pkey_rsa_init(EVP_PKEY_CTX *ctx)
101{ 106{
@@ -105,9 +110,15 @@ pkey_rsa_init(EVP_PKEY_CTX *ctx)
105 return 0; 110 return 0;
106 111
107 rctx->nbits = 2048; 112 rctx->nbits = 2048;
108 rctx->pad_mode = RSA_PKCS1_PADDING;
109 113
110 rctx->saltlen = -2; 114 if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)
115 rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
116 else
117 rctx->pad_mode = RSA_PKCS1_PADDING;
118
119 /* Maximum for sign, auto for verify */
120 rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
121 rctx->min_saltlen = -1;
111 122
112 ctx->data = rctx; 123 ctx->data = rctx;
113 ctx->keygen_info = rctx->gentmp; 124 ctx->keygen_info = rctx->gentmp;
@@ -385,7 +396,7 @@ pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
385static int 396static int
386check_padding_md(const EVP_MD *md, int padding) 397check_padding_md(const EVP_MD *md, int padding)
387{ 398{
388 if (!md) 399 if (md == NULL)
389 return 1; 400 return 1;
390 401
391 if (padding == RSA_NO_PADDING) { 402 if (padding == RSA_NO_PADDING) {
@@ -398,7 +409,24 @@ check_padding_md(const EVP_MD *md, int padding)
398 RSAerror(RSA_R_INVALID_X931_DIGEST); 409 RSAerror(RSA_R_INVALID_X931_DIGEST);
399 return 0; 410 return 0;
400 } 411 }
401 return 1; 412 } else {
413 /* List of all supported RSA digests. */
414 switch(EVP_MD_type(md)) {
415 case NID_sha1:
416 case NID_sha224:
417 case NID_sha256:
418 case NID_sha384:
419 case NID_sha512:
420 case NID_md5:
421 case NID_md5_sha1:
422 case NID_md4:
423 case NID_ripemd160:
424 return 1;
425
426 default:
427 RSAerror(RSA_R_INVALID_DIGEST);
428 return 0;
429 }
402 } 430 }
403 431
404 return 1; 432 return 1;
@@ -420,6 +448,8 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
420 goto bad_pad; 448 goto bad_pad;
421 if (!rctx->md) 449 if (!rctx->md)
422 rctx->md = EVP_sha1(); 450 rctx->md = EVP_sha1();
451 } else if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
452 goto bad_pad;
423 } 453 }
424 if (p1 == RSA_PKCS1_OAEP_PADDING) { 454 if (p1 == RSA_PKCS1_OAEP_PADDING) {
425 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) 455 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
@@ -447,8 +477,21 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
447 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { 477 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
448 *(int *)p2 = rctx->saltlen; 478 *(int *)p2 = rctx->saltlen;
449 } else { 479 } else {
450 if (p1 < -2) 480 if (p1 < RSA_PSS_SALTLEN_MAX)
451 return -2; 481 return -2;
482 if (rsa_pss_restricted(rctx)) {
483 if (p1 == RSA_PSS_SALTLEN_AUTO &&
484 ctx->operation == EVP_PKEY_OP_VERIFY) {
485 RSAerror(RSA_R_INVALID_PSS_SALTLEN);
486 return -2;
487 }
488 if ((p1 == RSA_PSS_SALTLEN_DIGEST &&
489 rctx->min_saltlen > EVP_MD_size(rctx->md)) ||
490 (p1 >= 0 && p1 < rctx->min_saltlen)) {
491 RSAerror(RSA_R_PSS_SALTLEN_TOO_SMALL);
492 return 0;
493 }
494 }
452 rctx->saltlen = p1; 495 rctx->saltlen = p1;
453 } 496 }
454 return 1; 497 return 1;
@@ -486,6 +529,12 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
486 case EVP_PKEY_CTRL_MD: 529 case EVP_PKEY_CTRL_MD:
487 if (!check_padding_md(p2, rctx->pad_mode)) 530 if (!check_padding_md(p2, rctx->pad_mode))
488 return 0; 531 return 0;
532 if (rsa_pss_restricted(rctx)) {
533 if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
534 return 1;
535 RSAerror(RSA_R_DIGEST_NOT_ALLOWED);
536 return 0;
537 }
489 rctx->md = p2; 538 rctx->md = p2;
490 return 1; 539 return 1;
491 540
@@ -505,8 +554,15 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
505 *(const EVP_MD **)p2 = rctx->mgf1md; 554 *(const EVP_MD **)p2 = rctx->mgf1md;
506 else 555 else
507 *(const EVP_MD **)p2 = rctx->md; 556 *(const EVP_MD **)p2 = rctx->md;
508 } else 557 } else {
558 if (rsa_pss_restricted(rctx)) {
559 if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
560 return 1;
561 RSAerror(RSA_R_MGF1_DIGEST_NOT_ALLOWED);
562 return 0;
563 }
509 rctx->mgf1md = p2; 564 rctx->mgf1md = p2;
565 }
510 return 1; 566 return 1;
511 567
512 case EVP_PKEY_CTRL_RSA_OAEP_LABEL: 568 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
@@ -533,25 +589,28 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
533 return rctx->oaep_labellen; 589 return rctx->oaep_labellen;
534 590
535 case EVP_PKEY_CTRL_DIGESTINIT: 591 case EVP_PKEY_CTRL_DIGESTINIT:
536 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
537 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
538 case EVP_PKEY_CTRL_PKCS7_SIGN: 592 case EVP_PKEY_CTRL_PKCS7_SIGN:
539 return 1; 593 return 1;
594
595 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
596 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
597 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
598 return 1;
599
600 /* fall through */
540 case EVP_PKEY_CTRL_PEER_KEY: 601 case EVP_PKEY_CTRL_PEER_KEY:
541 RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 602 RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
542 return -2; 603 return -2;
543 604
544 default: 605 default:
545 return -2; 606 return -2;
607
546 } 608 }
547} 609}
548 610
549static int 611static int
550pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) 612pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
551{ 613{
552 long lval;
553 char *ep;
554
555 if (!value) { 614 if (!value) {
556 RSAerror(RSA_R_VALUE_MISSING); 615 RSAerror(RSA_R_VALUE_MISSING);
557 return 0; 616 return 0;
@@ -577,39 +636,29 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
577 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); 636 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
578 } 637 }
579 638
580 if (!strcmp(type, "rsa_pss_saltlen")) { 639 if (strcmp(type, "rsa_pss_saltlen") == 0) {
581 int saltlen; 640 int saltlen;
582 641
583 errno = 0; 642 if (!strcmp(value, "digest"))
584 lval = strtol(value, &ep, 10); 643 saltlen = RSA_PSS_SALTLEN_DIGEST;
585 if (value[0] == '\0' || *ep != '\0') 644 else if (!strcmp(value, "max"))
586 goto not_a_number; 645 saltlen = RSA_PSS_SALTLEN_MAX;
587 if ((errno == ERANGE && 646 else if (!strcmp(value, "auto"))
588 (lval == LONG_MAX || lval == LONG_MIN)) || 647 saltlen = RSA_PSS_SALTLEN_AUTO;
589 (lval > INT_MAX || lval < INT_MIN)) 648 else
590 goto out_of_range; 649 saltlen = atoi(value);
591 saltlen = lval;
592 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); 650 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
593 } 651 }
594 652
595 if (!strcmp(type, "rsa_keygen_bits")) { 653 if (strcmp(type, "rsa_keygen_bits") == 0) {
596 int nbits; 654 int nbits = atoi(value);
597 655
598 errno = 0;
599 lval = strtol(value, &ep, 10);
600 if (value[0] == '\0' || *ep != '\0')
601 goto not_a_number;
602 if ((errno == ERANGE &&
603 (lval == LONG_MAX || lval == LONG_MIN)) ||
604 (lval > INT_MAX || lval < INT_MIN))
605 goto out_of_range;
606 nbits = lval;
607 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); 656 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
608 } 657 }
609 658
610 if (!strcmp(type, "rsa_keygen_pubexp")) { 659 if (strcmp(type, "rsa_keygen_pubexp") == 0) {
611 int ret;
612 BIGNUM *pubexp = NULL; 660 BIGNUM *pubexp = NULL;
661 int ret;
613 662
614 if (!BN_asc2bn(&pubexp, value)) 663 if (!BN_asc2bn(&pubexp, value))
615 return 0; 664 return 0;
@@ -624,6 +673,22 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
624 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 673 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
625 EVP_PKEY_CTRL_RSA_MGF1_MD, value); 674 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
626 675
676 if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
677 if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
678 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
679 EVP_PKEY_CTRL_RSA_MGF1_MD, value);
680
681 if (strcmp(type, "rsa_pss_keygen_md") == 0)
682 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
683 EVP_PKEY_CTRL_MD, value);
684
685 if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
686 int saltlen = atoi(value);
687
688 return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
689 }
690 }
691
627 if (strcmp(type, "rsa_oaep_md") == 0) 692 if (strcmp(type, "rsa_oaep_md") == 0)
628 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, 693 return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
629 EVP_PKEY_CTRL_RSA_OAEP_MD, value); 694 EVP_PKEY_CTRL_RSA_OAEP_MD, value);
@@ -642,11 +707,31 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
642 return ret; 707 return ret;
643 } 708 }
644 709
645 not_a_number:
646 out_of_range:
647 return -2; 710 return -2;
648} 711}
649 712
713/* Set PSS parameters when generating a key, if necessary. */
714static int
715rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
716{
717 RSA_PKEY_CTX *rctx = ctx->data;
718
719 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
720 return 1;
721
722 /* If all parameters are default values then do not set PSS. */
723 if (rctx->md == NULL && rctx->mgf1md == NULL &&
724 rctx->saltlen == RSA_PSS_SALTLEN_AUTO)
725 return 1;
726
727 rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
728 rctx->saltlen == RSA_PSS_SALTLEN_AUTO ? 0 : rctx->saltlen);
729 if (rsa->pss == NULL)
730 return 0;
731
732 return 1;
733}
734
650static int 735static int
651pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 736pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
652{ 737{
@@ -670,8 +755,12 @@ pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
670 pcb = NULL; 755 pcb = NULL;
671 } 756 }
672 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb); 757 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
758 if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
759 RSA_free(rsa);
760 return 0;
761 }
673 if (ret > 0) 762 if (ret > 0)
674 EVP_PKEY_assign_RSA(pkey, rsa); 763 EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
675 else 764 else
676 RSA_free(rsa); 765 RSA_free(rsa);
677 return ret; 766 return ret;
@@ -700,3 +789,73 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
700 .ctrl = pkey_rsa_ctrl, 789 .ctrl = pkey_rsa_ctrl,
701 .ctrl_str = pkey_rsa_ctrl_str 790 .ctrl_str = pkey_rsa_ctrl_str
702}; 791};
792
793/*
794 * Called for PSS sign or verify initialisation: checks PSS parameter
795 * sanity and sets any restrictions on key usage.
796 */
797
798static int
799pkey_pss_init(EVP_PKEY_CTX *ctx)
800{
801 RSA *rsa;
802 RSA_PKEY_CTX *rctx = ctx->data;
803 const EVP_MD *md;
804 const EVP_MD *mgf1md;
805 int min_saltlen, max_saltlen;
806
807 /* Should never happen */
808 if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
809 return 0;
810 rsa = ctx->pkey->pkey.rsa;
811
812 /* If no restrictions just return */
813 if (rsa->pss == NULL)
814 return 1;
815
816 /* Get and check parameters */
817 if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
818 return 0;
819
820 /* See if minimum salt length exceeds maximum possible */
821 max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
822 if ((RSA_bits(rsa) & 0x7) == 1)
823 max_saltlen--;
824 if (min_saltlen > max_saltlen) {
825 RSAerror(RSA_R_INVALID_SALT_LENGTH);
826 return 0;
827 }
828 rctx->min_saltlen = min_saltlen;
829
830 /*
831 * Set PSS restrictions as defaults: we can then block any attempt to
832 * use invalid values in pkey_rsa_ctrl
833 */
834
835 rctx->md = md;
836 rctx->mgf1md = mgf1md;
837 rctx->saltlen = min_saltlen;
838
839 return 1;
840}
841
842const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
843 .pkey_id = EVP_PKEY_RSA_PSS,
844 .flags = EVP_PKEY_FLAG_AUTOARGLEN,
845
846 .init = pkey_rsa_init,
847 .copy = pkey_rsa_copy,
848 .cleanup = pkey_rsa_cleanup,
849
850 .keygen = pkey_rsa_keygen,
851
852 .sign_init = pkey_pss_init,
853 .sign = pkey_rsa_sign,
854
855 .verify_init = pkey_pss_init,
856 .verify = pkey_rsa_verify,
857
858 .ctrl = pkey_rsa_ctrl,
859 .ctrl_str = pkey_rsa_ctrl_str
860};
861