rsa_pmeth.c@ 85201

最後變更在這個檔案從85201是 83916,由 vboxsync 提交於 5 年前
openssl-1.1.1g: Applied and adjusted our OpenSSL changes to 1.1.1g. bugref:9719
檔案大小: 24.9 KB

行
1	/*
2	* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the OpenSSL license (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include "internal/constant_time.h"
11
12	#include <stdio.h>
13	#include "internal/cryptlib.h"
14	#include <openssl/asn1t.h>
15	#include <openssl/x509.h>
16	#include <openssl/rsa.h>
17	#include <openssl/bn.h>
18	#include <openssl/evp.h>
19	#include <openssl/x509v3.h>
20	#include <openssl/cms.h>
21	#include "crypto/evp.h"
22	#include "rsa_local.h"
23
24	/* RSA pkey context structure */
25
26	typedef struct {
27	/* Key gen parameters */
28	int nbits;
29	BIGNUM *pub_exp;
30	int primes;
31	/* Keygen callback info */
32	int gentmp[2];
33	/* RSA padding mode */
34	int pad_mode;
35	/* message digest */
36	const EVP_MD *md;
37	/* message digest for MGF1 */
38	const EVP_MD *mgf1md;
39	/* PSS salt length */
40	int saltlen;
41	/* Minimum salt length or -1 if no PSS parameter restriction */
42	int min_saltlen;
43	/* Temp buffer */
44	unsigned char *tbuf;
45	/* OAEP label */
46	unsigned char *oaep_label;
47	size_t oaep_labellen;
48	} RSA_PKEY_CTX;
49
50	/* True if PSS parameters are restricted */
51	#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
52
53	static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
54	{
55	RSA_PKEY_CTX rctx = OPENSSL_zalloc(sizeof(rctx));
56
57	if (rctx == NULL)
58	return 0;
59	rctx->nbits = 2048;
60	rctx->primes = RSA_DEFAULT_PRIME_NUM;
61	if (pkey_ctx_is_pss(ctx))
62	rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
63	else
64	rctx->pad_mode = RSA_PKCS1_PADDING;
65	/* Maximum for sign, auto for verify */
66	rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
67	rctx->min_saltlen = -1;
68	ctx->data = rctx;
69	ctx->keygen_info = rctx->gentmp;
70	ctx->keygen_info_count = 2;
71
72	return 1;
73	}
74
75	static int pkey_rsa_copy(EVP_PKEY_CTX dst, EVP_PKEY_CTX src)
76	{
77	RSA_PKEY_CTX dctx, sctx;
78
79	if (!pkey_rsa_init(dst))
80	return 0;
81	sctx = src->data;
82	dctx = dst->data;
83	dctx->nbits = sctx->nbits;
84	if (sctx->pub_exp) {
85	dctx->pub_exp = BN_dup(sctx->pub_exp);
86	if (!dctx->pub_exp)
87	return 0;
88	}
89	dctx->pad_mode = sctx->pad_mode;
90	dctx->md = sctx->md;
91	dctx->mgf1md = sctx->mgf1md;
92	if (sctx->oaep_label) {
93	OPENSSL_free(dctx->oaep_label);
94	dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
95	if (!dctx->oaep_label)
96	return 0;
97	dctx->oaep_labellen = sctx->oaep_labellen;
98	}
99	return 1;
100	}
101
102	static int setup_tbuf(RSA_PKEY_CTX ctx, EVP_PKEY_CTX pk)
103	{
104	if (ctx->tbuf != NULL)
105	return 1;
106	if ((ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey))) == NULL) {
107	RSAerr(RSA_F_SETUP_TBUF, ERR_R_MALLOC_FAILURE);
108	return 0;
109	}
110	return 1;
111	}
112
113	static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
114	{
115	RSA_PKEY_CTX *rctx = ctx->data;
116	if (rctx) {
117	BN_free(rctx->pub_exp);
118	OPENSSL_free(rctx->tbuf);
119	OPENSSL_free(rctx->oaep_label);
120	OPENSSL_free(rctx);
121	}
122	}
123
124	static int pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig,
125	size_t siglen, const unsigned char tbs,
126	size_t tbslen)
127	{
128	int ret;
129	RSA_PKEY_CTX *rctx = ctx->data;
130	RSA *rsa = ctx->pkey->pkey.rsa;
131
132	if (rctx->md) {
133	if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
134	RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
135	return -1;
136	}
137
138	if (EVP_MD_type(rctx->md) == NID_mdc2) {
139	unsigned int sltmp;
140	if (rctx->pad_mode != RSA_PKCS1_PADDING)
141	return -1;
142	ret = RSA_sign_ASN1_OCTET_STRING(0,
143	tbs, tbslen, sig, &sltmp, rsa);
144
145	if (ret <= 0)
146	return ret;
147	ret = sltmp;
148	} else if (rctx->pad_mode == RSA_X931_PADDING) {
149	if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
150	RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL);
151	return -1;
152	}
153	if (!setup_tbuf(rctx, ctx)) {
154	RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE);
155	return -1;
156	}
157	memcpy(rctx->tbuf, tbs, tbslen);
158	rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md));
159	ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
160	sig, rsa, RSA_X931_PADDING);
161	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
162	unsigned int sltmp;
163	ret = RSA_sign(EVP_MD_type(rctx->md),
164	tbs, tbslen, sig, &sltmp, rsa);
165	if (ret <= 0)
166	return ret;
167	ret = sltmp;
168	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
169	if (!setup_tbuf(rctx, ctx))
170	return -1;
171	if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
172	rctx->tbuf, tbs,
173	rctx->md, rctx->mgf1md,
174	rctx->saltlen))
175	return -1;
176	ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
177	sig, rsa, RSA_NO_PADDING);
178	} else {
179	return -1;
180	}
181	} else {
182	ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
183	rctx->pad_mode);
184	}
185	if (ret < 0)
186	return ret;
187	*siglen = ret;
188	return 1;
189	}
190
191	static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
192	unsigned char rout, size_t routlen,
193	const unsigned char *sig, size_t siglen)
194	{
195	int ret;
196	RSA_PKEY_CTX *rctx = ctx->data;
197
198	if (rctx->md) {
199	if (rctx->pad_mode == RSA_X931_PADDING) {
200	if (!setup_tbuf(rctx, ctx))
201	return -1;
202	ret = RSA_public_decrypt(siglen, sig,
203	rctx->tbuf, ctx->pkey->pkey.rsa,
204	RSA_X931_PADDING);
205	if (ret < 1)
206	return 0;
207	ret--;
208	if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
209	RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
210	RSA_R_ALGORITHM_MISMATCH);
211	return 0;
212	}
213	if (ret != EVP_MD_size(rctx->md)) {
214	RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
215	RSA_R_INVALID_DIGEST_LENGTH);
216	return 0;
217	}
218	if (rout)
219	memcpy(rout, rctx->tbuf, ret);
220	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
221	size_t sltmp;
222	ret = int_rsa_verify(EVP_MD_type(rctx->md),
223	NULL, 0, rout, &sltmp,
224	sig, siglen, ctx->pkey->pkey.rsa);
225	if (ret <= 0)
226	return 0;
227	ret = sltmp;
228	} else {
229	return -1;
230	}
231	} else {
232	ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
233	rctx->pad_mode);
234	}
235	if (ret < 0)
236	return ret;
237	*routlen = ret;
238	return 1;
239	}
240
241	static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
242	const unsigned char *sig, size_t siglen,
243	const unsigned char *tbs, size_t tbslen)
244	{
245	RSA_PKEY_CTX *rctx = ctx->data;
246	RSA *rsa = ctx->pkey->pkey.rsa;
247	size_t rslen;
248
249	if (rctx->md) {
250	if (rctx->pad_mode == RSA_PKCS1_PADDING)
251	return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
252	sig, siglen, rsa);
253	if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
254	RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
255	return -1;
256	}
257	if (rctx->pad_mode == RSA_X931_PADDING) {
258	if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
259	return 0;
260	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
261	int ret;
262	if (!setup_tbuf(rctx, ctx))
263	return -1;
264	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
265	rsa, RSA_NO_PADDING);
266	if (ret <= 0)
267	return 0;
268	ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
269	rctx->md, rctx->mgf1md,
270	rctx->tbuf, rctx->saltlen);
271	if (ret <= 0)
272	return 0;
273	return 1;
274	} else {
275	return -1;
276	}
277	} else {
278	if (!setup_tbuf(rctx, ctx))
279	return -1;
280	rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
281	rsa, rctx->pad_mode);
282	if (rslen == 0)
283	return 0;
284	}
285
286	if ((rslen != tbslen) \|\| memcmp(tbs, rctx->tbuf, rslen))
287	return 0;
288
289	return 1;
290
291	}
292
293	static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
294	unsigned char out, size_t outlen,
295	const unsigned char *in, size_t inlen)
296	{
297	int ret;
298	RSA_PKEY_CTX *rctx = ctx->data;
299
300	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
301	int klen = RSA_size(ctx->pkey->pkey.rsa);
302	if (!setup_tbuf(rctx, ctx))
303	return -1;
304	if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
305	in, inlen,
306	rctx->oaep_label,
307	rctx->oaep_labellen,
308	rctx->md, rctx->mgf1md))
309	return -1;
310	ret = RSA_public_encrypt(klen, rctx->tbuf, out,
311	ctx->pkey->pkey.rsa, RSA_NO_PADDING);
312	} else {
313	ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
314	rctx->pad_mode);
315	}
316	if (ret < 0)
317	return ret;
318	*outlen = ret;
319	return 1;
320	}
321
322	static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
323	unsigned char out, size_t outlen,
324	const unsigned char *in, size_t inlen)
325	{
326	int ret;
327	RSA_PKEY_CTX *rctx = ctx->data;
328
329	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
330	if (!setup_tbuf(rctx, ctx))
331	return -1;
332	ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
333	ctx->pkey->pkey.rsa, RSA_NO_PADDING);
334	if (ret <= 0)
335	return ret;
336	ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
337	ret, ret,
338	rctx->oaep_label,
339	rctx->oaep_labellen,
340	rctx->md, rctx->mgf1md);
341	} else {
342	ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
343	rctx->pad_mode);
344	}
345	outlen = constant_time_select_s(constant_time_msb_s(ret), outlen, ret);
346	ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
347	return ret;
348	}
349
350	static int check_padding_md(const EVP_MD *md, int padding)
351	{
352	int mdnid;
353
354	if (!md)
355	return 1;
356
357	mdnid = EVP_MD_type(md);
358
359	if (padding == RSA_NO_PADDING) {
360	RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
361	return 0;
362	}
363
364	if (padding == RSA_X931_PADDING) {
365	if (RSA_X931_hash_id(mdnid) == -1) {
366	RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST);
367	return 0;
368	}
369	} else {
370	switch(mdnid) {
371	/* List of all supported RSA digests */
372	case NID_sha1:
373	case NID_sha224:
374	case NID_sha256:
375	case NID_sha384:
376	case NID_sha512:
377	case NID_md5:
378	case NID_md5_sha1:
379	case NID_md2:
380	case NID_md4:
381	case NID_mdc2:
382	case NID_ripemd160:
383	case NID_sha3_224:
384	case NID_sha3_256:
385	case NID_sha3_384:
386	case NID_sha3_512:
387	return 1;
388
389	default:
390	RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST);
391	return 0;
392
393	}
394	}
395
396	return 1;
397	}
398
399	static int pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
400	{
401	RSA_PKEY_CTX *rctx = ctx->data;
402
403	switch (type) {
404	case EVP_PKEY_CTRL_RSA_PADDING:
405	if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
406	if (!check_padding_md(rctx->md, p1))
407	return 0;
408	if (p1 == RSA_PKCS1_PSS_PADDING) {
409	if (!(ctx->operation &
410	(EVP_PKEY_OP_SIGN \| EVP_PKEY_OP_VERIFY)))
411	goto bad_pad;
412	if (!rctx->md)
413	rctx->md = EVP_sha1();
414	} else if (pkey_ctx_is_pss(ctx)) {
415	goto bad_pad;
416	}
417	if (p1 == RSA_PKCS1_OAEP_PADDING) {
418	if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
419	goto bad_pad;
420	if (!rctx->md)
421	rctx->md = EVP_sha1();
422	}
423	rctx->pad_mode = p1;
424	return 1;
425	}
426	bad_pad:
427	RSAerr(RSA_F_PKEY_RSA_CTRL,
428	RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
429	return -2;
430
431	case EVP_PKEY_CTRL_GET_RSA_PADDING:
432	(int )p2 = rctx->pad_mode;
433	return 1;
434
435	case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
436	case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
437	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
438	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
439	return -2;
440	}
441	if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
442	(int )p2 = rctx->saltlen;
443	} else {
444	if (p1 < RSA_PSS_SALTLEN_MAX)
445	return -2;
446	if (rsa_pss_restricted(rctx)) {
447	if (p1 == RSA_PSS_SALTLEN_AUTO
448	&& ctx->operation == EVP_PKEY_OP_VERIFY) {
449	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
450	return -2;
451	}
452	if ((p1 == RSA_PSS_SALTLEN_DIGEST
453	&& rctx->min_saltlen > EVP_MD_size(rctx->md))
454	\|\| (p1 >= 0 && p1 < rctx->min_saltlen)) {
455	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL);
456	return 0;
457	}
458	}
459	rctx->saltlen = p1;
460	}
461	return 1;
462
463	case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
464	if (p1 < RSA_MIN_MODULUS_BITS) {
465	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL);
466	return -2;
467	}
468	rctx->nbits = p1;
469	return 1;
470
471	case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
472	if (p2 == NULL \|\| !BN_is_odd((BIGNUM )p2) \|\| BN_is_one((BIGNUM )p2)) {
473	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE);
474	return -2;
475	}
476	BN_free(rctx->pub_exp);
477	rctx->pub_exp = p2;
478	return 1;
479
480	case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES:
481	if (p1 < RSA_DEFAULT_PRIME_NUM \|\| p1 > RSA_MAX_PRIME_NUM) {
482	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_PRIME_NUM_INVALID);
483	return -2;
484	}
485	rctx->primes = p1;
486	return 1;
487
488	case EVP_PKEY_CTRL_RSA_OAEP_MD:
489	case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
490	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
491	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
492	return -2;
493	}
494	if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
495	(const EVP_MD *)p2 = rctx->md;
496	else
497	rctx->md = p2;
498	return 1;
499
500	case EVP_PKEY_CTRL_MD:
501	if (!check_padding_md(p2, rctx->pad_mode))
502	return 0;
503	if (rsa_pss_restricted(rctx)) {
504	if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
505	return 1;
506	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_DIGEST_NOT_ALLOWED);
507	return 0;
508	}
509	rctx->md = p2;
510	return 1;
511
512	case EVP_PKEY_CTRL_GET_MD:
513	(const EVP_MD *)p2 = rctx->md;
514	return 1;
515
516	case EVP_PKEY_CTRL_RSA_MGF1_MD:
517	case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
518	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
519	&& rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
520	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
521	return -2;
522	}
523	if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
524	if (rctx->mgf1md)
525	(const EVP_MD *)p2 = rctx->mgf1md;
526	else
527	(const EVP_MD *)p2 = rctx->md;
528	} else {
529	if (rsa_pss_restricted(rctx)) {
530	if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
531	return 1;
532	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_MGF1_DIGEST_NOT_ALLOWED);
533	return 0;
534	}
535	rctx->mgf1md = p2;
536	}
537	return 1;
538
539	case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
540	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
541	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
542	return -2;
543	}
544	OPENSSL_free(rctx->oaep_label);
545	if (p2 && p1 > 0) {
546	rctx->oaep_label = p2;
547	rctx->oaep_labellen = p1;
548	} else {
549	rctx->oaep_label = NULL;
550	rctx->oaep_labellen = 0;
551	}
552	return 1;
553
554	case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
555	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
556	RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
557	return -2;
558	}
559	(unsigned char *)p2 = rctx->oaep_label;
560	return rctx->oaep_labellen;
561
562	case EVP_PKEY_CTRL_DIGESTINIT:
563	case EVP_PKEY_CTRL_PKCS7_SIGN:
564	#ifndef OPENSSL_NO_CMS
565	case EVP_PKEY_CTRL_CMS_SIGN:
566	#endif
567	return 1;
568
569	case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
570	case EVP_PKEY_CTRL_PKCS7_DECRYPT:
571	#ifndef OPENSSL_NO_CMS
572	case EVP_PKEY_CTRL_CMS_DECRYPT:
573	case EVP_PKEY_CTRL_CMS_ENCRYPT:
574	#endif
575	if (!pkey_ctx_is_pss(ctx))
576	return 1;
577	/* fall through */
578	case EVP_PKEY_CTRL_PEER_KEY:
579	RSAerr(RSA_F_PKEY_RSA_CTRL,
580	RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
581	return -2;
582
583	default:
584	return -2;
585
586	}
587	}
588
589	static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
590	const char type, const char value)
591	{
592	if (value == NULL) {
593	RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
594	return 0;
595	}
596	if (strcmp(type, "rsa_padding_mode") == 0) {
597	int pm;
598
599	if (strcmp(value, "pkcs1") == 0) {
600	pm = RSA_PKCS1_PADDING;
601	} else if (strcmp(value, "sslv23") == 0) {
602	pm = RSA_SSLV23_PADDING;
603	} else if (strcmp(value, "none") == 0) {
604	pm = RSA_NO_PADDING;
605	} else if (strcmp(value, "oeap") == 0) {
606	pm = RSA_PKCS1_OAEP_PADDING;
607	} else if (strcmp(value, "oaep") == 0) {
608	pm = RSA_PKCS1_OAEP_PADDING;
609	} else if (strcmp(value, "x931") == 0) {
610	pm = RSA_X931_PADDING;
611	} else if (strcmp(value, "pss") == 0) {
612	pm = RSA_PKCS1_PSS_PADDING;
613	} else {
614	RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE);
615	return -2;
616	}
617	return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
618	}
619
620	if (strcmp(type, "rsa_pss_saltlen") == 0) {
621	int saltlen;
622
623	if (!strcmp(value, "digest"))
624	saltlen = RSA_PSS_SALTLEN_DIGEST;
625	else if (!strcmp(value, "max"))
626	saltlen = RSA_PSS_SALTLEN_MAX;
627	else if (!strcmp(value, "auto"))
628	saltlen = RSA_PSS_SALTLEN_AUTO;
629	else
630	saltlen = atoi(value);
631	return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
632	}
633
634	if (strcmp(type, "rsa_keygen_bits") == 0) {
635	int nbits = atoi(value);
636
637	return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
638	}
639
640	if (strcmp(type, "rsa_keygen_pubexp") == 0) {
641	int ret;
642
643	BIGNUM *pubexp = NULL;
644	if (!BN_asc2bn(&pubexp, value))
645	return 0;
646	ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
647	if (ret <= 0)
648	BN_free(pubexp);
649	return ret;
650	}
651
652	if (strcmp(type, "rsa_keygen_primes") == 0) {
653	int nprimes = atoi(value);
654
655	return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes);
656	}
657
658	if (strcmp(type, "rsa_mgf1_md") == 0)
659	return EVP_PKEY_CTX_md(ctx,
660	EVP_PKEY_OP_TYPE_SIG \| EVP_PKEY_OP_TYPE_CRYPT,
661	EVP_PKEY_CTRL_RSA_MGF1_MD, value);
662
663	if (pkey_ctx_is_pss(ctx)) {
664
665	if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
666	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
667	EVP_PKEY_CTRL_RSA_MGF1_MD, value);
668
669	if (strcmp(type, "rsa_pss_keygen_md") == 0)
670	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
671	EVP_PKEY_CTRL_MD, value);
672
673	if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
674	int saltlen = atoi(value);
675
676	return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
677	}
678	}
679
680	if (strcmp(type, "rsa_oaep_md") == 0)
681	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
682	EVP_PKEY_CTRL_RSA_OAEP_MD, value);
683
684	if (strcmp(type, "rsa_oaep_label") == 0) {
685	unsigned char *lab;
686	long lablen;
687	int ret;
688
689	lab = OPENSSL_hexstr2buf(value, &lablen);
690	if (!lab)
691	return 0;
692	ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
693	if (ret <= 0)
694	OPENSSL_free(lab);
695	return ret;
696	}
697
698	return -2;
699	}
700
701	/* Set PSS parameters when generating a key, if necessary */
702	static int rsa_set_pss_param(RSA rsa, EVP_PKEY_CTX ctx)
703	{
704	RSA_PKEY_CTX *rctx = ctx->data;
705
706	if (!pkey_ctx_is_pss(ctx))
707	return 1;
708	/* If all parameters are default values don't set pss */
709	if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2)
710	return 1;
711	rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
712	rctx->saltlen == -2 ? 0 : rctx->saltlen);
713	if (rsa->pss == NULL)
714	return 0;
715	return 1;
716	}
717
718	static int pkey_rsa_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
719	{
720	RSA *rsa = NULL;
721	RSA_PKEY_CTX *rctx = ctx->data;
722	BN_GENCB *pcb;
723	int ret;
724
725	if (rctx->pub_exp == NULL) {
726	rctx->pub_exp = BN_new();
727	if (rctx->pub_exp == NULL \|\| !BN_set_word(rctx->pub_exp, RSA_F4))
728	return 0;
729	}
730	rsa = RSA_new();
731	if (rsa == NULL)
732	return 0;
733	if (ctx->pkey_gencb) {
734	pcb = BN_GENCB_new();
735	if (pcb == NULL) {
736	RSA_free(rsa);
737	return 0;
738	}
739	evp_pkey_set_cb_translate(pcb, ctx);
740	} else {
741	pcb = NULL;
742	}
743	ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes,
744	rctx->pub_exp, pcb);
745	BN_GENCB_free(pcb);
746	if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
747	RSA_free(rsa);
748	return 0;
749	}
750	if (ret > 0)
751	EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
752	else
753	RSA_free(rsa);
754	return ret;
755	}
756
757	const EVP_PKEY_METHOD rsa_pkey_meth = {
758	EVP_PKEY_RSA,
759	EVP_PKEY_FLAG_AUTOARGLEN,
760	pkey_rsa_init,
761	pkey_rsa_copy,
762	pkey_rsa_cleanup,
763
764	0, 0,
765
766	0,
767	pkey_rsa_keygen,
768
769	0,
770	pkey_rsa_sign,
771
772	0,
773	pkey_rsa_verify,
774
775	0,
776	pkey_rsa_verifyrecover,
777
778	0, 0, 0, 0,
779
780	0,
781	pkey_rsa_encrypt,
782
783	0,
784	pkey_rsa_decrypt,
785
786	0, 0,
787
788	pkey_rsa_ctrl,
789	pkey_rsa_ctrl_str
790	};
791
792	/*
793	* Called for PSS sign or verify initialisation: checks PSS parameter
794	* sanity and sets any restrictions on key usage.
795	*/
796
797	static int pkey_pss_init(EVP_PKEY_CTX *ctx)
798	{
799	RSA *rsa;
800	RSA_PKEY_CTX *rctx = ctx->data;
801	const EVP_MD *md;
802	const EVP_MD *mgf1md;
803	int min_saltlen, max_saltlen;
804
805	/* Should never happen */
806	if (!pkey_ctx_is_pss(ctx))
807	return 0;
808	rsa = ctx->pkey->pkey.rsa;
809	/* If no restrictions just return */
810	if (rsa->pss == NULL)
811	return 1;
812	/* Get and check parameters */
813	if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
814	return 0;
815
816	/* See if minimum salt length exceeds maximum possible */
817	max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
818	if ((RSA_bits(rsa) & 0x7) == 1)
819	max_saltlen--;
820	if (min_saltlen > max_saltlen) {
821	RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH);
822	return 0;
823	}
824
825	rctx->min_saltlen = min_saltlen;
826
827	/*
828	* Set PSS restrictions as defaults: we can then block any attempt to
829	* use invalid values in pkey_rsa_ctrl
830	*/
831
832	rctx->md = md;
833	rctx->mgf1md = mgf1md;
834	rctx->saltlen = min_saltlen;
835
836	return 1;
837	}
838
839	const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
840	EVP_PKEY_RSA_PSS,
841	EVP_PKEY_FLAG_AUTOARGLEN,
842	pkey_rsa_init,
843	pkey_rsa_copy,
844	pkey_rsa_cleanup,
845
846	0, 0,
847
848	0,
849	pkey_rsa_keygen,
850
851	pkey_pss_init,
852	pkey_rsa_sign,
853
854	pkey_pss_init,
855	pkey_rsa_verify,
856
857	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
858
859	pkey_rsa_ctrl,
860	pkey_rsa_ctrl_str
861	};

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/openssl-1.1.1g/crypto/rsa/rsa_pmeth.c@ 85201

以其他格式下載: