diff options
| author | Richard Levitte <levitte@openssl.org> | 2019-12-01 15:01:50 +0100 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2020-02-22 01:07:15 +0100 |
| commit | 6f4b7663150e2ee264836dbc5b338bd979828312 (patch) | |
| tree | 52d0a120512bb8ea123150e2ffccd0841008cbc2 | |
| parent | e8d0819d52b2741fcb4ddb79ced4d824c3056918 (diff) | |
PROV: add RSA signature implementation
This includes legacy PSS controls to params conversion, and an attempt
to generalise the parameter names when they are suitable for more than
one operation.
Also added crypto/rsa/rsa_aid.c, containing proper AlgorithmIdentifiers
for known RSA+hash function combinations.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)
| -rw-r--r-- | crypto/err/openssl.txt | 11 | ||||
| -rw-r--r-- | crypto/evp/pmeth_lib.c | 118 | ||||
| -rw-r--r-- | crypto/rsa/build.info | 2 | ||||
| -rw-r--r-- | crypto/rsa/rsa_aid.c | 98 | ||||
| -rw-r--r-- | crypto/rsa/rsa_lib.c | 113 | ||||
| -rw-r--r-- | crypto/rsa/rsa_local.h | 4 | ||||
| -rw-r--r-- | crypto/rsa/rsa_pmeth.c | 1 | ||||
| -rw-r--r-- | crypto/rsa/rsa_sign.c | 40 | ||||
| -rw-r--r-- | doc/man3/EVP_PKEY_CTX_ctrl.pod | 59 | ||||
| -rw-r--r-- | include/crypto/rsa.h | 8 | ||||
| -rw-r--r-- | include/openssl/core_names.h | 26 | ||||
| -rw-r--r-- | include/openssl/rsa.h | 10 | ||||
| -rw-r--r-- | providers/common/include/prov/providercommonerr.h | 10 | ||||
| -rw-r--r-- | providers/common/provider_err.c | 19 | ||||
| -rw-r--r-- | providers/defltprov.c | 1 | ||||
| -rw-r--r-- | providers/implementations/include/prov/implementations.h | 1 | ||||
| -rw-r--r-- | providers/implementations/signature/build.info | 3 | ||||
| -rw-r--r-- | providers/implementations/signature/rsa.c | 1113 | ||||
| -rw-r--r-- | util/libcrypto.num | 2 |
19 files changed, 1517 insertions, 122 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index e6a45ac03a..47a20e828f 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2752,6 +2752,7 @@ PROP_R_PARSE_FAILED:108:parse failed PROP_R_STRING_TOO_LONG:109:string too long PROP_R_TRAILING_CHARACTERS:110:trailing characters PROV_R_AES_KEY_SETUP_FAILED:101:aes key setup failed +PROV_R_ALGORITHM_MISMATCH:173:algorithm mismatch PROV_R_BAD_DECRYPT:100:bad decrypt PROV_R_BAD_ENCODING:141:bad encoding PROV_R_BAD_LENGTH:142:bad length @@ -2759,17 +2760,21 @@ PROV_R_BAD_TLS_CLIENT_VERSION:161:bad tls client version PROV_R_BN_ERROR:160:bn error PROV_R_BOTH_MODE_AND_MODE_INT:127:both mode and mode int PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed +PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed PROV_R_FAILED_DURING_DERIVATION:164:failed during derivation PROV_R_FAILED_TO_DECRYPT:162:failed to decrypt PROV_R_FAILED_TO_GENERATE_KEY:121:failed to generate key PROV_R_FAILED_TO_GET_PARAMETER:103:failed to get parameter PROV_R_FAILED_TO_SET_PARAMETER:104:failed to set parameter +PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\ + illegal or unsupported padding mode PROV_R_INAVLID_UKM_LENGTH:146:inavlid ukm length PROV_R_INVALID_AAD:108:invalid aad PROV_R_INVALID_CONSTANT_LENGTH:157:invalid constant length PROV_R_INVALID_CUSTOM_LENGTH:111:invalid custom length PROV_R_INVALID_DATA:115:invalid data PROV_R_INVALID_DIGEST:122:invalid digest +PROV_R_INVALID_DIGEST_LENGTH:166:invalid digest length PROV_R_INVALID_ITERATION_COUNT:123:invalid iteration count PROV_R_INVALID_IVLEN:116:invalid ivlen PROV_R_INVALID_IV_LENGTH:109:invalid iv length @@ -2778,12 +2783,17 @@ PROV_R_INVALID_KEYLEN:117:invalid keylen PROV_R_INVALID_KEY_LEN:124:invalid key len PROV_R_INVALID_KEY_LENGTH:105:invalid key length PROV_R_INVALID_MAC:151:invalid mac +PROV_R_INVALID_MGF1_MD:167:invalid mgf1 md PROV_R_INVALID_MODE:125:invalid mode PROV_R_INVALID_MODE_INT:126:invalid mode int +PROV_R_INVALID_PADDING_MODE:168:invalid padding mode +PROV_R_INVALID_PSS_SALTLEN:169:invalid pss saltlen PROV_R_INVALID_SALT_LENGTH:112:invalid salt length PROV_R_INVALID_SEED_LENGTH:154:invalid seed length PROV_R_INVALID_TAG:110:invalid tag PROV_R_INVALID_TAGLEN:118:invalid taglen +PROV_R_INVALID_X931_DIGEST:170:invalid x931 digest +PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small PROV_R_MISSING_CEK_ALG:144:missing cek alg PROV_R_MISSING_CIPHER:155:missing cipher PROV_R_MISSING_CONSTANT:156:missing constant @@ -2801,6 +2811,7 @@ PROV_R_NOT_SUPPORTED:136:not supported PROV_R_NOT_XOF_OR_INVALID_LENGTH:113:not xof or invalid length PROV_R_NO_KEY_SET:114:no key set PROV_R_OUTPUT_BUFFER_TOO_SMALL:106:output buffer too small +PROV_R_PSS_SALTLEN_TOO_SMALL:172:pss saltlen too small PROV_R_READ_KEY:159:read key PROV_R_TAG_NOTSET:119:tag notset PROV_R_TAG_NOT_NEEDED:120:tag not needed diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 6be796fafc..cb64b95bf6 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -786,69 +786,73 @@ static int legacy_ctrl_to_param(EVP_PKEY_CTX *ctx, int keytype, int optype, # ifndef OPENSSL_NO_EC if (keytype == EVP_PKEY_EC) { switch (cmd) { - case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: - if (p1 == -2) { - return EVP_PKEY_CTX_get_ecdh_cofactor_mode(ctx); - } else if (p1 < -1 || p1 > 1) { - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else { - return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, p1); - } - case EVP_PKEY_CTRL_EC_KDF_TYPE: - if (p1 == -2) { - return EVP_PKEY_CTX_get_ecdh_kdf_type(ctx); - } else { - return EVP_PKEY_CTX_set_ecdh_kdf_type(ctx, p1); - } - case EVP_PKEY_CTRL_GET_EC_KDF_MD: - return EVP_PKEY_CTX_get_ecdh_kdf_md(ctx, p2); - case EVP_PKEY_CTRL_EC_KDF_MD: - return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, p2); - case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: - return EVP_PKEY_CTX_get_ecdh_kdf_outlen(ctx, p2); - case EVP_PKEY_CTRL_EC_KDF_OUTLEN: - return EVP_PKEY_CTX_set_ecdh_kdf_outlen(ctx, p1); - case EVP_PKEY_CTRL_GET_EC_KDF_UKM: - return EVP_PKEY_CTX_get0_ecdh_kdf_ukm(ctx, p2); - case EVP_PKEY_CTRL_EC_KDF_UKM: - return EVP_PKEY_CTX_set0_ecdh_kdf_ukm(ctx, p2, p1); + case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: + if (p1 == -2) { + return EVP_PKEY_CTX_get_ecdh_cofactor_mode(ctx); + } else if (p1 < -1 || p1 > 1) { + /* Uses the same return values as EVP_PKEY_CTX_ctrl */ + return -2; + } else { + return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, p1); + } + case EVP_PKEY_CTRL_EC_KDF_TYPE: + if (p1 == -2) { + return EVP_PKEY_CTX_get_ecdh_kdf_type(ctx); + } else { + return EVP_PKEY_CTX_set_ecdh_kdf_type(ctx, p1); + } + case EVP_PKEY_CTRL_GET_EC_KDF_MD: + return EVP_PKEY_CTX_get_ecdh_kdf_md(ctx, p2); + case EVP_PKEY_CTRL_EC_KDF_MD: + return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, p2); + case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: + return EVP_PKEY_CTX_get_ecdh_kdf_outlen(ctx, p2); + case EVP_PKEY_CTRL_EC_KDF_OUTLEN: + return EVP_PKEY_CTX_set_ecdh_kdf_outlen(ctx, p1); + case EVP_PKEY_CTRL_GET_EC_KDF_UKM: + return EVP_PKEY_CTX_get0_ecdh_kdf_ukm(ctx, p2); + case EVP_PKEY_CTRL_EC_KDF_UKM: + return EVP_PKEY_CTX_set0_ecdh_kdf_ukm(ctx, p2, p1); } } # endif if (keytype == -1) { switch (cmd) { - case EVP_PKEY_CTRL_MD: - return EVP_PKEY_CTX_set_signature_md(ctx, p2); - case EVP_PKEY_CTRL_GET_MD: - return EVP_PKEY_CTX_get_signature_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_PADDING: - return EVP_PKEY_CTX_set_rsa_padding(ctx, p1); - case EVP_PKEY_CTRL_GET_RSA_PADDING: - return EVP_PKEY_CTX_get_rsa_padding(ctx, p2); - case EVP_PKEY_CTRL_RSA_OAEP_MD: - return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: - return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_MGF1_MD: - return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: - return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_OAEP_LABEL: - return EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, p2, p1); - case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: - return EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, (unsigned char **)p2); - case EVP_PKEY_CTRL_PKCS7_ENCRYPT: - case EVP_PKEY_CTRL_PKCS7_DECRYPT: + case EVP_PKEY_CTRL_MD: + return EVP_PKEY_CTX_set_signature_md(ctx, p2); + case EVP_PKEY_CTRL_GET_MD: + return EVP_PKEY_CTX_get_signature_md(ctx, p2); + case EVP_PKEY_CTRL_RSA_PADDING: + return EVP_PKEY_CTX_set_rsa_padding(ctx, p1); + case EVP_PKEY_CTRL_GET_RSA_PADDING: + return EVP_PKEY_CTX_get_rsa_padding(ctx, p2); + case EVP_PKEY_CTRL_RSA_OAEP_MD: + return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); + case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: + return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); + case EVP_PKEY_CTRL_RSA_MGF1_MD: + return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); + case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: + return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); + case EVP_PKEY_CTRL_RSA_OAEP_LABEL: + return EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, p2, p1); + case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: + return EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, (unsigned char **)p2); + case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: + return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, p1); + case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: + return EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, p2); + case EVP_PKEY_CTRL_PKCS7_ENCRYPT: + case EVP_PKEY_CTRL_PKCS7_DECRYPT: # ifndef OPENSSL_NO_CMS - case EVP_PKEY_CTRL_CMS_DECRYPT: - case EVP_PKEY_CTRL_CMS_ENCRYPT: + case EVP_PKEY_CTRL_CMS_DECRYPT: + case EVP_PKEY_CTRL_CMS_ENCRYPT: # endif - if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - return 1; - ERR_raise(ERR_LIB_EVP, - EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; + if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return 1; + ERR_raise(ERR_LIB_EVP, + EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + return -2; } } return 0; @@ -918,6 +922,8 @@ static int legacy_ctrl_str_to_param(EVP_PKEY_CTX *ctx, const char *name, name = OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST; else if (strcmp(name, "rsa_oaep_label") == 0) name = OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL; + else if (strcmp(name, "rsa_pss_saltlen") == 0) + name = OSSL_SIGNATURE_PARAM_PSS_SALTLEN; # ifndef OPENSSL_NO_DH else if (strcmp(name, "dh_pad") == 0) name = OSSL_EXCHANGE_PARAM_PAD; diff --git a/crypto/rsa/build.info b/crypto/rsa/build.info index 274f376979..ddb4e6fc5a 100644 --- a/crypto/rsa/build.info +++ b/crypto/rsa/build.info @@ -1,6 +1,6 @@ LIBS=../../libcrypto -$COMMON=rsa_ossl.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_pk1.c \ +$COMMON=rsa_ossl.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_aid.c rsa_pk1.c \ rsa_none.c rsa_oaep.c rsa_chk.c rsa_pss.c rsa_x931.c rsa_crpt.c \ rsa_x931g.c rsa_sp800_56b_gen.c rsa_sp800_56b_check.c diff --git a/crypto/rsa/rsa_aid.c b/crypto/rsa/rsa_aid.c new file mode 100644 index 0000000000..4b4d3a62f1 --- /dev/null +++ b/crypto/rsa/rsa_aid.c @@ -0,0 +1,98 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdlib.h> + +#include <openssl/objects.h> +#include "crypto/rsa.h" + +#define ASN1_SEQUENCE 0x30 +#define ASN1_OID 0x06 + +/* + * -- RFC 2313 + * pkcs-1 OBJECT IDENTIFIER ::= { + * iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) 1 + * } + */ + +/* + * -- RFC 3279 + * md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } + * md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } + * sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } + */ +#define ENCODE_ALGORITHMIDENTIFIER_PKCS1(name, n) \ + static const unsigned char algorithmidentifier_##name##_der[] = { \ + ASN1_SEQUENCE, 0x0b, \ + ASN1_OID, 0x09, 1 * 40 + 2, 134, 72, 134, 247, 13, 1, 1, n \ +} +#ifndef FIPS_MODE +ENCODE_ALGORITHMIDENTIFIER_PKCS1(md2, 2); +ENCODE_ALGORITHMIDENTIFIER_PKCS1(md5, 4); +#endif +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha1, 5); + +/* + * -- RFC 4055 + * sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 } + * sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } + * sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } + * sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } + */ +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha224, 14); +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha256, 11); +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha384, 12); +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha512, 13); + +/* + * -- https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration + * + * sigAlgs OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 4 3 } + * + * id-rsassa-pkcs1-v1_5-with-sha3-224 ::= { sigAlgs 13 } + * id-rsassa-pkcs1-v1_5-with-sha3-256 ::= { sigAlgs 14 } + * id-rsassa-pkcs1-v1_5-with-sha3-384 ::= { sigAlgs 15 } + * id-rsassa-pkcs1-v1_5-with-sha3-512 ::= { sigAlgs 16 } + */ +#define ENCODE_ALGORITHMIDENTIFIER_SIGALGS(name, n) \ + static const unsigned char algorithmidentifier_##name##_der[] = { \ + ASN1_SEQUENCE, 0x0c, \ + ASN1_OID, 0x0a, 1 * 40 + 2, 16, 134, 72, 1, 101, 3, 4, 3, n \ +} +ENCODE_ALGORITHMIDENTIFIER_SIGALGS(sha3_224, 13); +ENCODE_ALGORITHMIDENTIFIER_SIGALGS(sha3_256, 14); +ENCODE_ALGORITHMIDENTIFIER_SIGALGS(sha3_384, 15); +ENCODE_ALGORITHMIDENTIFIER_SIGALGS(sha3_512, 16); + +#define MD_CASE(name) \ + case NID_##name: \ + *len = sizeof(algorithmidentifier_##name##_der); \ + return algorithmidentifier_##name##_der + +const unsigned char *rsa_algorithmidentifier_encoding(int md_nid, size_t *len) +{ + switch (md_nid) { +#ifndef FIPS_MODE + MD_CASE(md2); + MD_CASE(md5); +#endif + MD_CASE(sha1); + MD_CASE(sha224); + MD_CASE(sha256); + MD_CASE(sha384); + MD_CASE(sha512); + MD_CASE(sha3_224); + MD_CASE(sha3_256); + MD_CASE(sha3_384); + MD_CASE(sha3_512); + default: + return NULL; + } +} diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index c43c9fdd48..39d7f5f54a 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -817,12 +817,14 @@ int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode) return -1; /* TODO(3.0): Remove this eventually when no more legacy */ - if (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - || ctx->op.ciph.ciphprovctx == NULL) + if ((!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) + || ctx->op.ciph.ciphprovctx == NULL) + && (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) + || ctx->op.sig.sigprovctx == NULL)) return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_RSA_PADDING, pad_mode, NULL); - *p++ = OSSL_PARAM_construct_int(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, &pad_mode); + *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_PAD_MODE, &pad_mode); *p++ = OSSL_PARAM_construct_end(); return EVP_PKEY_CTX_set_params(ctx, pad_params); @@ -845,12 +847,14 @@ int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode) return -1; /* TODO(3.0): Remove this eventually when no more legacy */ - if (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - || ctx->op.ciph.ciphprovctx == NULL) + if ((!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) + || ctx->op.ciph.ciphprovctx == NULL) + && (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) + || ctx->op.sig.sigprovctx == NULL)) return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0, pad_mode); - *p++ = OSSL_PARAM_construct_int(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode); + *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_PAD_MODE, pad_mode); *p++ = OSSL_PARAM_construct_end(); if (!EVP_PKEY_CTX_get_params(ctx, pad_params)) @@ -1026,20 +1030,20 @@ int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) return -1; - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST, + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_DIGEST, /* - * Cast away the const. This is read - * only so should be safe + * Cast away the const. This is + * read only so should be safe */ (char *)mdname, 0); if (mdprops != NULL) { - *p++ = OSSL_PARAM_construct_utf8_string( - OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS, - /* - * Cast away the const. This is read - * only so should be safe - */ - (char *)mdprops, 0); + *p++ = + OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_PROPERTIES, + /* + * Cast away the const. This is + * read only so should be safe + */ + (char *)mdprops, 0); } *p++ = OSSL_PARAM_construct_end(); @@ -1065,7 +1069,7 @@ int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) return -1; - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST, + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_DIGEST, name, namelen); *p++ = OSSL_PARAM_construct_end(); @@ -1133,12 +1137,12 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) (void *)label); *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, - /* - * Cast away the const. This is read - * only so should be safe - */ - (void *)label, - (size_t)llen); + /* + * Cast away the const. This is + * read only so should be safe + */ + (void *)label, + (size_t)llen); *p++ = OSSL_PARAM_construct_end(); if (!EVP_PKEY_CTX_set_params(ctx, rsa_params)) @@ -1183,4 +1187,67 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label) return (int)labellen; } + +int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen) +{ + OSSL_PARAM pad_params[2], *p = pad_params; + + if (ctx == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + /* Uses the same return values as EVP_PKEY_CTX_ctrl */ + return -2; + } + + /* If key type not RSA or RSA-PSS return error */ + if (ctx->pmeth != NULL + && ctx->pmeth->pkey_id != EVP_PKEY_RSA + && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return -1; + + /* TODO(3.0): Remove this eventually when no more legacy */ + if (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) + || ctx->op.sig.sigprovctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_RSA_PSS_SALTLEN, + saltlen, NULL); + + *p++ = + OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, &saltlen); + *p++ = OSSL_PARAM_construct_end(); + + return EVP_PKEY_CTX_set_params(ctx, pad_params); +} + +int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen) +{ + OSSL_PARAM pad_params[2], *p = pad_params; + + if (ctx == NULL || saltlen == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + /* Uses the same return values as EVP_PKEY_CTX_ctrl */ + return -2; + } + + /* If key type not RSA or RSA-PSS return error */ + if (ctx->pmeth != NULL + && ctx->pmeth->pkey_id != EVP_PKEY_RSA + && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return -1; + + /* TODO(3.0): Remove this eventually when no more legacy */ + if (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) + || ctx->op.sig.sigprovctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, -1, -1, + EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, + 0, saltlen); + + *p++ = + OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, saltlen); + *p++ = OSSL_PARAM_construct_end(); + + if (!EVP_PKEY_CTX_get_params(ctx, pad_params)) + return 0; + + return 1; + +} #endif diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h index e15c1ae3d5..11d7635c35 100644 --- a/crypto/rsa/rsa_local.h +++ b/crypto/rsa/rsa_local.h @@ -122,10 +122,6 @@ struct rsa_meth_st { BIGNUM *e, BN_GENCB *cb); }; -extern int int_rsa_verify(int dtype, const unsigned char *m, - unsigned int m_len, unsigned char *rm, - size_t *prm_len, const unsigned char *sigbuf, - size_t siglen, RSA *rsa); /* Macros to test if a pkey or ctx is for a PSS key */ #define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) #define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index 174271874a..7a298d5d93 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -25,6 +25,7 @@ #include <openssl/x509v3.h> #include <openssl/cms.h> #include "crypto/evp.h" +#include "crypto/rsa.h" #include "rsa_local.h" /* RSA pkey context structure */ diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 31b8ed11fa..e9c4c55398 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -23,13 +23,20 @@ #ifndef OPENSSL_NO_MD2 # include <openssl/md2.h> /* uses MD2_DIGEST_LENGTH */ #endif +#ifndef OPENSSL_NO_MD4 +# include <openssl/md4.h> /* uses MD4_DIGEST_LENGTH */ +#endif #ifndef OPENSSL_NO_MD5 # include <openssl/md5.h> /* uses MD5_DIGEST_LENGTH */ #endif #ifndef OPENSSL_NO_MDC2 # include <openssl/mdc2.h> /* uses MDC2_DIGEST_LENGTH */ #endif +#ifndef OPENSSL_NO_RMD160 +# include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */ +#endif #include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */ +#include "crypto/rsa.h" #include "rsa_local.h" /* @@ -76,7 +83,7 @@ static const unsigned char digestinfo_##name##_der[] = { \ ASN1_OCTET_STRING, sz \ }; -/* MD2 and MD5 OIDs are of the form: (1 2 840 113549 2 |n|) */ +/* MD2, MD4 and MD5 OIDs are of the form: (1 2 840 113549 2 |n|) */ #define ENCODE_DIGESTINFO_MD(name, n, sz) \ static const unsigned char digestinfo_##name##_der[] = { \ ASN1_SEQUENCE, 0x10 + sz, \ @@ -90,6 +97,9 @@ static const unsigned char digestinfo_##name##_der[] = { \ # ifndef OPENSSL_NO_MD2 ENCODE_DIGESTINFO_MD(md2, 0x02, MD2_DIGEST_LENGTH) # endif +# ifndef OPENSSL_NO_MD4 +ENCODE_DIGESTINFO_MD(md4, 0x03, MD4_DIGEST_LENGTH) +# endif # ifndef OPENSSL_NO_MD5 ENCODE_DIGESTINFO_MD(md5, 0x05, MD5_DIGEST_LENGTH) # endif @@ -103,6 +113,18 @@ static const unsigned char digestinfo_mdc2_der[] = { ASN1_OCTET_STRING, MDC2_DIGEST_LENGTH }; # endif +# ifndef OPENSSL_NO_RMD160 +/* RIPEMD160 (1 3 36 3 3 1 2) */ +static const unsigned char digestinfo_ripemd160_der[] = { + ASN1_SEQUENCE, 0x0c + RIPEMD160_DIGEST_LENGTH, + ASN1_SEQUENCE, 0x08, + ASN1_OID, 0x04, 1 * 40 + 3, 36, 3, 3, 1, 2, + ASN1_NULL, 0x00, + ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH +}; +# endif +#endif /* FIPS_MODE */ + /* SHA-1 (1 3 14 3 2 26) */ static const unsigned char digestinfo_sha1_der[] = { ASN1_SEQUENCE, 0x0d + SHA_DIGEST_LENGTH, @@ -112,8 +134,6 @@ static const unsigned char digestinfo_sha1_der[] = { ASN1_OCTET_STRING, SHA_DIGEST_LENGTH }; -#endif /* FIPS_MODE */ - ENCODE_DIGESTINFO_SHA(sha256, 0x01, SHA256_DIGEST_LENGTH) ENCODE_DIGESTINFO_SHA(sha384, 0x02, SHA384_DIGEST_LENGTH) ENCODE_DIGESTINFO_SHA(sha512, 0x03, SHA512_DIGEST_LENGTH) @@ -130,9 +150,9 @@ ENCODE_DIGESTINFO_SHA(sha3_512, 0x0a, SHA512_DIGEST_LENGTH) *len = sizeof(digestinfo_##name##_der); \ return digestinfo_##name##_der; -static const unsigned char *digestinfo_encoding(int nid, size_t *len) +const unsigned char *rsa_digestinfo_encoding(int md_nid, size_t *len) { - switch (nid) { + switch (md_nid) { #ifndef FIPS_MODE # ifndef OPENSSL_NO_MDC2 MD_CASE(mdc2) @@ -140,11 +160,17 @@ static const unsigned char *digestinfo_encoding(int nid, size_t *len) # ifndef OPENSSL_NO_MD2 MD_CASE(md2) # endif +# ifndef OPENSSL_NO_MD4 + MD_CASE(md4) +# endif # ifndef OPENSSL_NO_MD5 MD_CASE(md5) # endif - MD_CASE(sha1) +# ifndef OPENSSL_NO_RMD160 + MD_CASE(ripemd160) +# endif #endif /* FIPS_MODE */ + MD_CASE(sha1) MD_CASE(sha224) MD_CASE(sha256) MD_CASE(sha384) @@ -183,7 +209,7 @@ static int encode_pkcs1(unsigned char **out, size_t *out_len, int type, RSAerr(RSA_F_ENCODE_PKCS1, RSA_R_UNKNOWN_ALGORITHM_TYPE); return 0; } - di_prefix = digestinfo_encoding(type, &di_prefix_len); + di_prefix = rsa_digestinfo_encoding(type, &di_prefix_len); if (di_prefix == NULL) { RSAerr(RSA_F_ENCODE_PKCS1, RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 8334cfc110..08b6f69925 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -94,8 +94,8 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad); int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad); - int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len); - int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *len); + int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen); + int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen); int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits); int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp); int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes); @@ -211,8 +211,8 @@ B<optype> is a mask indicating which operations the control can be applied to. The control command is indicated in B<cmd> and any additional arguments in B<p1> and B<p2>. -For B<cmd> = B<EVP_PKEY_CTRL_SET_MAC_KEY>, B<p1> is the length of the MAC key, -and B<p2> is MAC key. This is used by Poly1305, SipHash, HMAC and CMAC. +For I<cmd> = B<EVP_PKEY_CTRL_SET_MAC_KEY>, I<p1> is the length of the MAC key, +and I<p2> is the MAC key. This is used by Poly1305, SipHash, HMAC and CMAC. Applications will not normally call EVP_PKEY_CTX_ctrl() directly but will instead call one of the algorithm specific macros below. @@ -272,20 +272,36 @@ buffer is expected to be the algorithm identifier byte. The EVP_PKEY_CTX_get_rsa_padding() function gets the RSA padding mode for B<ctx>. -The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro sets the RSA PSS salt length to -B<len>. As its name implies it is only supported for PSS padding. Three special -values are supported: B<RSA_PSS_SALTLEN_DIGEST> sets the salt length to the -digest length, B<RSA_PSS_SALTLEN_MAX> sets the salt length to the maximum -permissible value. When verifying B<RSA_PSS_SALTLEN_AUTO> causes the salt length -to be automatically determined based on the B<PSS> block structure. If this -macro is not called maximum salt length is used when signing and auto detection -when verifying is used by default. +The EVP_PKEY_CTX_set_rsa_pss_saltlen() function sets the RSA PSS salt +length to I<saltlen>. As its name implies it is only supported for PSS +padding. If this function is not called then the maximum salt length +is used when signing and auto detection when verifying. Three special +values are supported: -The EVP_PKEY_CTX_get_rsa_pss_saltlen() macro gets the RSA PSS salt length -for B<ctx>. The padding mode must have been set to B<RSA_PKCS1_PSS_PADDING>. +=over 4 + +=item B<RSA_PSS_SALTLEN_DIGEST> + +sets the salt length to the digest length. + +=item B<RSA_PSS_SALTLEN_MAX> + +sets the salt length to the maximum permissible value. + +=item B<RSA_PSS_SALTLEN_AUTO> + +causes the salt length to be automatically determined based on the +B<PSS> block structure when verifying. When signing, it has the same +meaning as B<RSA_PSS_SALTLEN_MAX>. + +=back + +The EVP_PKEY_CTX_get_rsa_pss_saltlen() function gets the RSA PSS salt length +for B<ctx>. The padding mode must already have been set to +B<RSA_PKCS1_PSS_PADDING>. The EVP_PKEY_CTX_set_rsa_keygen_bits() macro sets the RSA key length for -RSA key generation to B<bits>. If not specified 1024 bits is used. +RSA key generation to I<bits>. If not specified 2048 bits is used. The EVP_PKEY_CTX_set_rsa_keygen_pubexp() macro sets the public exponent value for RSA key generation to B<pubexp>. Currently it should be an odd integer. The @@ -374,12 +390,12 @@ negotiated protocol version. Otherwise it should be left unset. =head2 DSA parameters The EVP_PKEY_CTX_set_dsa_paramgen_bits() macro sets the number of bits used -for DSA parameter generation to B<nbits>. If not specified, 1024 is used. +for DSA parameter generation to I<nbits>. If not specified, 2048 is used. The EVP_PKEY_CTX_set_dsa_paramgen_q_bits() macro sets the number of bits in the -subprime parameter B<q> for DSA parameter generation to B<qbits>. If not -specified, 160 is used. If a digest function is specified below, this parameter -is ignored and instead, the number of bits in B<q> matches the size of the +subprime parameter I<q> for DSA parameter generation to I<qbits>. If not +specified, 224 is used. If a digest function is specified below, this parameter +is ignored and instead, the number of bits in I<q> matches the size of the digest. The EVP_PKEY_CTX_set_dsa_paramgen_md() macro sets the digest function used for @@ -598,8 +614,9 @@ EVP_PKEY_CTX_set_dh_pad(), EVP_PKEY_CTX_set_rsa_padding(), EVP_PKEY_CTX_get_rsa_padding(), EVP_PKEY_CTX_get_rsa_mgf1_md(), EVP_PKEY_CTX_set_rsa_mgf1_md(), EVP_PKEY_CTX_set_rsa_oaep_md(), EVP_PKEY_CTX_get_rsa_oaep_md(), EVP_PKEY_CTX_set0_rsa_oaep_label(), -EVP_PKEY_CTX_get0_rsa_oaep_label() were macros in OpenSSL 1.1.1 and below. From -OpenSSL 3.0 they are functions. +EVP_PKEY_CTX_get0_rsa_oaep_label(), EVP_PKEY_CTX_set_rsa_pss_saltlen(), +EVP_PKEY_CTX_get_rsa_pss_saltlen(), were macros in OpenSSL 1.1.1 and below. +From OpenSSL 3.0 they are functions. EVP_PKEY_CTX_get_rsa_oaep_md_name(), EVP_PKEY_CTX_get_rsa_mgf1_md_name(), EVP_PKEY_CTX_set_rsa_mgf1_md_name() and EVP_PKEY_CTX_set_rsa_oaep_md_name() were diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index 97fd0f7aad..51ac0148af 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -29,4 +29,12 @@ int rsa_validate_public(const RSA *key); int rsa_validate_private(const RSA *key); int rsa_validate_pairwise(const RSA *key); +int int_rsa_verify(int dtype, const unsigned char *m, + unsigned int m_len, unsigned char *rm, + size_t *prm_len, const unsigned char *sigbuf, + size_t siglen, RSA *rsa); + +const unsigned char *rsa_digestinfo_encoding(int md_nid, size_t *len); +const unsigned char *rsa_algorithmidentifier_encoding(int md_nid, size_t *len); + #endif diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index b2befd8bb5..5e3a13a34b 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -88,11 +88,16 @@ extern "C" { /* Known DIGEST names (not a complete list) */ #define OSSL_DIGEST_NAME_MD5 "MD5" +#define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" #define OSSL_DIGEST_NAME_SHA1 "SHA1" #define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" #define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" #define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384"< |