2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/asn1t.h>
13 #include <openssl/x509.h>
14 #include <openssl/rsa.h>
15 #include <openssl/bn.h>
16 #include <openssl/evp.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/cms.h>
19 #include "internal/evp_int.h"
22 /* RSA pkey context structure */
25 /* Key gen parameters */
28 /* Keygen callback info */
30 /* RSA padding mode */
34 /* message digest for MGF1 */
41 unsigned char *oaep_label;
45 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
48 rctx = OPENSSL_zalloc(sizeof(*rctx));
52 rctx->pad_mode = RSA_PKCS1_PADDING;
55 ctx->keygen_info = rctx->gentmp;
56 ctx->keygen_info_count = 2;
61 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
63 RSA_PKEY_CTX *dctx, *sctx;
64 if (!pkey_rsa_init(dst))
68 dctx->nbits = sctx->nbits;
70 dctx->pub_exp = BN_dup(sctx->pub_exp);
74 dctx->pad_mode = sctx->pad_mode;
76 dctx->mgf1md = sctx->mgf1md;
77 if (sctx->oaep_label) {
78 OPENSSL_free(dctx->oaep_label);
79 dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
80 if (!dctx->oaep_label)
82 dctx->oaep_labellen = sctx->oaep_labellen;
87 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
91 ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
92 if (ctx->tbuf == NULL)
97 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
99 RSA_PKEY_CTX *rctx = ctx->data;
101 BN_free(rctx->pub_exp);
102 OPENSSL_free(rctx->tbuf);
103 OPENSSL_free(rctx->oaep_label);
108 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
109 size_t *siglen, const unsigned char *tbs,
113 RSA_PKEY_CTX *rctx = ctx->data;
114 RSA *rsa = ctx->pkey->pkey.rsa;
117 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
118 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
122 if (EVP_MD_type(rctx->md) == NID_mdc2) {
124 if (rctx->pad_mode != RSA_PKCS1_PADDING)
126 ret = RSA_sign_ASN1_OCTET_STRING(0,
127 tbs, tbslen, sig, &sltmp, rsa);
132 } else if (rctx->pad_mode == RSA_X931_PADDING) {
133 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
134 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL);
137 if (!setup_tbuf(rctx, ctx)) {
138 RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE);
141 memcpy(rctx->tbuf, tbs, tbslen);
142 rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md));
143 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
144 sig, rsa, RSA_X931_PADDING);
145 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
147 ret = RSA_sign(EVP_MD_type(rctx->md),
148 tbs, tbslen, sig, &sltmp, rsa);
152 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
153 if (!setup_tbuf(rctx, ctx))
155 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
157 rctx->md, rctx->mgf1md,
160 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
161 sig, rsa, RSA_NO_PADDING);
165 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
173 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
174 unsigned char *rout, size_t *routlen,
175 const unsigned char *sig, size_t siglen)
178 RSA_PKEY_CTX *rctx = ctx->data;
181 if (rctx->pad_mode == RSA_X931_PADDING) {
182 if (!setup_tbuf(rctx, ctx))
184 ret = RSA_public_decrypt(siglen, sig,
185 rctx->tbuf, ctx->pkey->pkey.rsa,
190 if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
191 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
192 RSA_R_ALGORITHM_MISMATCH);
195 if (ret != EVP_MD_size(rctx->md)) {
196 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
197 RSA_R_INVALID_DIGEST_LENGTH);
201 memcpy(rout, rctx->tbuf, ret);
202 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
204 ret = int_rsa_verify(EVP_MD_type(rctx->md),
205 NULL, 0, rout, &sltmp,
206 sig, siglen, ctx->pkey->pkey.rsa);
213 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
221 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
222 const unsigned char *sig, size_t siglen,
223 const unsigned char *tbs, size_t tbslen)
225 RSA_PKEY_CTX *rctx = ctx->data;
226 RSA *rsa = ctx->pkey->pkey.rsa;
229 if (rctx->pad_mode == RSA_PKCS1_PADDING)
230 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
232 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
233 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
236 if (rctx->pad_mode == RSA_X931_PADDING) {
237 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
239 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
241 if (!setup_tbuf(rctx, ctx))
243 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
244 rsa, RSA_NO_PADDING);
247 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
248 rctx->md, rctx->mgf1md,
249 rctx->tbuf, rctx->saltlen);
256 if (!setup_tbuf(rctx, ctx))
258 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
259 rsa, rctx->pad_mode);
264 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
271 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
272 unsigned char *out, size_t *outlen,
273 const unsigned char *in, size_t inlen)
276 RSA_PKEY_CTX *rctx = ctx->data;
277 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
278 int klen = RSA_size(ctx->pkey->pkey.rsa);
279 if (!setup_tbuf(rctx, ctx))
281 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
285 rctx->md, rctx->mgf1md))
287 ret = RSA_public_encrypt(klen, rctx->tbuf, out,
288 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
290 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
298 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
299 unsigned char *out, size_t *outlen,
300 const unsigned char *in, size_t inlen)
303 RSA_PKEY_CTX *rctx = ctx->data;
304 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
306 if (!setup_tbuf(rctx, ctx))
308 ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
309 ctx->pkey->pkey.rsa, RSA_NO_PADDING);
312 for (i = 0; i < ret; i++) {
316 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf + i,
320 rctx->md, rctx->mgf1md);
322 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
330 static int check_padding_md(const EVP_MD *md, int padding)
336 mdnid = EVP_MD_type(md);
338 if (padding == RSA_NO_PADDING) {
339 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
343 if (padding == RSA_X931_PADDING) {
344 if (RSA_X931_hash_id(mdnid) == -1) {
345 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST);
350 /* List of all supported RSA digests */
365 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST);
374 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
376 RSA_PKEY_CTX *rctx = ctx->data;
378 case EVP_PKEY_CTRL_RSA_PADDING:
379 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
380 if (!check_padding_md(rctx->md, p1))
382 if (p1 == RSA_PKCS1_PSS_PADDING) {
383 if (!(ctx->operation &
384 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
387 rctx->md = EVP_sha1();
389 if (p1 == RSA_PKCS1_OAEP_PADDING) {
390 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
393 rctx->md = EVP_sha1();
399 RSAerr(RSA_F_PKEY_RSA_CTRL,
400 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
403 case EVP_PKEY_CTRL_GET_RSA_PADDING:
404 *(int *)p2 = rctx->pad_mode;
407 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
408 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
409 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
410 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
413 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
414 *(int *)p2 = rctx->saltlen;
422 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
424 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL);
430 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
431 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) {
432 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE);
435 BN_free(rctx->pub_exp);
439 case EVP_PKEY_CTRL_RSA_OAEP_MD:
440 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
441 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
442 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
445 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
446 *(const EVP_MD **)p2 = rctx->md;
451 case EVP_PKEY_CTRL_MD:
452 if (!check_padding_md(p2, rctx->pad_mode))
457 case EVP_PKEY_CTRL_GET_MD:
458 *(const EVP_MD **)p2 = rctx->md;
461 case EVP_PKEY_CTRL_RSA_MGF1_MD:
462 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
463 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
464 && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
465 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
468 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
470 *(const EVP_MD **)p2 = rctx->mgf1md;
472 *(const EVP_MD **)p2 = rctx->md;
477 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
478 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
479 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
482 OPENSSL_free(rctx->oaep_label);
484 rctx->oaep_label = p2;
485 rctx->oaep_labellen = p1;
487 rctx->oaep_label = NULL;
488 rctx->oaep_labellen = 0;
492 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
493 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
494 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
497 *(unsigned char **)p2 = rctx->oaep_label;
498 return rctx->oaep_labellen;
500 case EVP_PKEY_CTRL_DIGESTINIT:
501 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
502 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
503 case EVP_PKEY_CTRL_PKCS7_SIGN:
505 #ifndef OPENSSL_NO_CMS
506 case EVP_PKEY_CTRL_CMS_DECRYPT:
507 case EVP_PKEY_CTRL_CMS_ENCRYPT:
508 case EVP_PKEY_CTRL_CMS_SIGN:
511 case EVP_PKEY_CTRL_PEER_KEY:
512 RSAerr(RSA_F_PKEY_RSA_CTRL,
513 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
522 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
523 const char *type, const char *value)
526 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
529 if (strcmp(type, "rsa_padding_mode") == 0) {
531 if (strcmp(value, "pkcs1") == 0)
532 pm = RSA_PKCS1_PADDING;
533 else if (strcmp(value, "sslv23") == 0)
534 pm = RSA_SSLV23_PADDING;
535 else if (strcmp(value, "none") == 0)
537 else if (strcmp(value, "oeap") == 0)
538 pm = RSA_PKCS1_OAEP_PADDING;
539 else if (strcmp(value, "oaep") == 0)
540 pm = RSA_PKCS1_OAEP_PADDING;
541 else if (strcmp(value, "x931") == 0)
542 pm = RSA_X931_PADDING;
543 else if (strcmp(value, "pss") == 0)
544 pm = RSA_PKCS1_PSS_PADDING;
546 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE);
549 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
552 if (strcmp(type, "rsa_pss_saltlen") == 0) {
554 saltlen = atoi(value);
555 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
558 if (strcmp(type, "rsa_keygen_bits") == 0) {
561 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
564 if (strcmp(type, "rsa_keygen_pubexp") == 0) {
566 BIGNUM *pubexp = NULL;
567 if (!BN_asc2bn(&pubexp, value))
569 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
575 if (strcmp(type, "rsa_mgf1_md") == 0) {
577 if ((md = EVP_get_digestbyname(value)) == NULL) {
578 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_INVALID_DIGEST);
581 return EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md);
584 if (strcmp(type, "rsa_oaep_md") == 0) {
586 if ((md = EVP_get_digestbyname(value)) == NULL) {
587 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_INVALID_DIGEST);
590 return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md);
592 if (strcmp(type, "rsa_oaep_label") == 0) {
596 lab = OPENSSL_hexstr2buf(value, &lablen);
599 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
608 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
611 RSA_PKEY_CTX *rctx = ctx->data;
614 if (rctx->pub_exp == NULL) {
615 rctx->pub_exp = BN_new();
616 if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4))
622 if (ctx->pkey_gencb) {
623 pcb = BN_GENCB_new();
628 evp_pkey_set_cb_translate(pcb, ctx);
631 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
634 EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
640 const EVP_PKEY_METHOD rsa_pkey_meth = {
642 EVP_PKEY_FLAG_AUTOARGLEN,
659 pkey_rsa_verifyrecover,
675 const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
677 EVP_PKEY_FLAG_AUTOARGLEN,
693 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,