diff options
-rw-r--r-- | crypto/err/openssl.txt | 11 | ||||
-rw-r--r-- | crypto/evp/pmeth_lib.c | 118 | ||||
-rw-r--r-- | crypto/rsa/build.info | 2 | ||||
-rw-r--r-- | crypto/rsa/rsa_aid.c | 98 | ||||
-rw-r--r-- | crypto/rsa/rsa_lib.c | 113 | ||||
-rw-r--r-- | crypto/rsa/rsa_local.h | 4 | ||||
-rw-r--r-- | crypto/rsa/rsa_pmeth.c | 1 | ||||
-rw-r--r-- | crypto/rsa/rsa_sign.c | 40 | ||||
-rw-r--r-- | doc/man3/EVP_PKEY_CTX_ctrl.pod | 59 | ||||
-rw-r--r-- | include/crypto/rsa.h | 8 | ||||
-rw-r--r-- | include/openssl/core_names.h | 26 | ||||
-rw-r--r-- | include/openssl/rsa.h | 10 | ||||
-rw-r--r-- | providers/common/include/prov/providercommonerr.h | 10 | ||||
-rw-r--r-- | providers/common/provider_err.c | 19 | ||||
-rw-r--r-- | providers/defltprov.c | 1 | ||||
-rw-r--r-- | providers/implementations/include/prov/implementations.h | 1 | ||||
-rw-r--r-- | providers/implementations/signature/build.info | 3 | ||||
-rw-r--r-- | providers/implementations/signature/rsa.c | 1113 | ||||
-rw-r--r-- | util/libcrypto.num | 2 |
19 files changed, 1517 insertions, 122 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index e6a45ac03a..47a20e828f 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2752,6 +2752,7 @@ PROP_R_PARSE_FAILED:108:parse failed PROP_R_STRING_TOO_LONG:109:string too long PROP_R_TRAILING_CHARACTERS:110:trailing characters PROV_R_AES_KEY_SETUP_FAILED:101:aes key setup failed +PROV_R_ALGORITHM_MISMATCH:173:algorithm mismatch PROV_R_BAD_DECRYPT:100:bad decrypt PROV_R_BAD_ENCODING:141:bad encoding PROV_R_BAD_LENGTH:142:bad length @@ -2759,17 +2760,21 @@ PROV_R_BAD_TLS_CLIENT_VERSION:161:bad tls client version PROV_R_BN_ERROR:160:bn error PROV_R_BOTH_MODE_AND_MODE_INT:127:both mode and mode int PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed +PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed PROV_R_FAILED_DURING_DERIVATION:164:failed during derivation PROV_R_FAILED_TO_DECRYPT:162:failed to decrypt PROV_R_FAILED_TO_GENERATE_KEY:121:failed to generate key PROV_R_FAILED_TO_GET_PARAMETER:103:failed to get parameter PROV_R_FAILED_TO_SET_PARAMETER:104:failed to set parameter +PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\ + illegal or unsupported padding mode PROV_R_INAVLID_UKM_LENGTH:146:inavlid ukm length PROV_R_INVALID_AAD:108:invalid aad PROV_R_INVALID_CONSTANT_LENGTH:157:invalid constant length PROV_R_INVALID_CUSTOM_LENGTH:111:invalid custom length PROV_R_INVALID_DATA:115:invalid data PROV_R_INVALID_DIGEST:122:invalid digest +PROV_R_INVALID_DIGEST_LENGTH:166:invalid digest length PROV_R_INVALID_ITERATION_COUNT:123:invalid iteration count PROV_R_INVALID_IVLEN:116:invalid ivlen PROV_R_INVALID_IV_LENGTH:109:invalid iv length @@ -2778,12 +2783,17 @@ PROV_R_INVALID_KEYLEN:117:invalid keylen PROV_R_INVALID_KEY_LEN:124:invalid key len PROV_R_INVALID_KEY_LENGTH:105:invalid key length PROV_R_INVALID_MAC:151:invalid mac +PROV_R_INVALID_MGF1_MD:167:invalid mgf1 md PROV_R_INVALID_MODE:125:invalid mode PROV_R_INVALID_MODE_INT:126:invalid mode int +PROV_R_INVALID_PADDING_MODE:168:invalid padding mode +PROV_R_INVALID_PSS_SALTLEN:169:invalid pss saltlen PROV_R_INVALID_SALT_LENGTH:112:invalid salt length PROV_R_INVALID_SEED_LENGTH:154:invalid seed length PROV_R_INVALID_TAG:110:invalid tag PROV_R_INVALID_TAGLEN:118:invalid taglen +PROV_R_INVALID_X931_DIGEST:170:invalid x931 digest +PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small PROV_R_MISSING_CEK_ALG:144:missing cek alg PROV_R_MISSING_CIPHER:155:missing cipher PROV_R_MISSING_CONSTANT:156:missing constant @@ -2801,6 +2811,7 @@ PROV_R_NOT_SUPPORTED:136:not supported PROV_R_NOT_XOF_OR_INVALID_LENGTH:113:not xof or invalid length PROV_R_NO_KEY_SET:114:no key set PROV_R_OUTPUT_BUFFER_TOO_SMALL:106:output buffer too small +PROV_R_PSS_SALTLEN_TOO_SMALL:172:pss saltlen too small PROV_R_READ_KEY:159:read key PROV_R_TAG_NOTSET:119:tag notset PROV_R_TAG_NOT_NEEDED:120:tag not needed diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 6be796fafc..cb64b95bf6 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -786,69 +786,73 @@ static int legacy_ctrl_to_param(EVP_PKEY_CTX *ctx, int keytype, int optype, # ifndef OPENSSL_NO_EC if (keytype == EVP_PKEY_EC) { switch (cmd) { - case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: - if (p1 == -2) { - return EVP_PKEY_CTX_get_ecdh_cofactor_mode(ctx); - } else if (p1 < -1 || p1 > 1) { - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else { - return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, p1); - } - case EVP_PKEY_CTRL_EC_KDF_TYPE: - if (p1 == -2) { - return EVP_PKEY_CTX_get_ecdh_kdf_type(ctx); - } else { - return EVP_PKEY_CTX_set_ecdh_kdf_type(ctx, p1); - } - case EVP_PKEY_CTRL_GET_EC_KDF_MD: - return EVP_PKEY_CTX_get_ecdh_kdf_md(ctx, p2); - case EVP_PKEY_CTRL_EC_KDF_MD: - return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, p2); - case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: - return EVP_PKEY_CTX_get_ecdh_kdf_outlen(ctx, p2); - case EVP_PKEY_CTRL_EC_KDF_OUTLEN: - return EVP_PKEY_CTX_set_ecdh_kdf_outlen(ctx, p1); - case EVP_PKEY_CTRL_GET_EC_KDF_UKM: - return EVP_PKEY_CTX_get0_ecdh_kdf_ukm(ctx, p2); - case EVP_PKEY_CTRL_EC_KDF_UKM: - return EVP_PKEY_CTX_set0_ecdh_kdf_ukm(ctx, p2, p1); + case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: + if (p1 == -2) { + return EVP_PKEY_CTX_get_ecdh_cofactor_mode(ctx); + } else if (p1 < -1 || p1 > 1) { + /* Uses the same return values as EVP_PKEY_CTX_ctrl */ + return -2; + } else { + return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, p1); + } + case EVP_PKEY_CTRL_EC_KDF_TYPE: + if (p1 == -2) { + return EVP_PKEY_CTX_get_ecdh_kdf_type(ctx); + } else { + return EVP_PKEY_CTX_set_ecdh_kdf_type(ctx, p1); + } + case EVP_PKEY_CTRL_GET_EC_KDF_MD: + return EVP_PKEY_CTX_get_ecdh_kdf_md(ctx, p2); + case EVP_PKEY_CTRL_EC_KDF_MD: + return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, p2); + case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: + return EVP_PKEY_CTX_get_ecdh_kdf_outlen(ctx, p2); + case EVP_PKEY_CTRL_EC_KDF_OUTLEN: + return EVP_PKEY_CTX_set_ecdh_kdf_outlen(ctx, p1); + case EVP_PKEY_CTRL_GET_EC_KDF_UKM: + return EVP_PKEY_CTX_get0_ecdh_kdf_ukm(ctx, p2); + case EVP_PKEY_CTRL_EC_KDF_UKM: + return EVP_PKEY_CTX_set0_ecdh_kdf_ukm(ctx, p2, p1); } } # endif if (keytype == -1) { switch (cmd) { - case EVP_PKEY_CTRL_MD: - return EVP_PKEY_CTX_set_signature_md(ctx, p2); - case EVP_PKEY_CTRL_GET_MD: - return EVP_PKEY_CTX_get_signature_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_PADDING: - return EVP_PKEY_CTX_set_rsa_padding(ctx, p1); - case EVP_PKEY_CTRL_GET_RSA_PADDING: - return EVP_PKEY_CTX_get_rsa_padding(ctx, p2); - case EVP_PKEY_CTRL_RSA_OAEP_MD: - return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: - return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_MGF1_MD: - return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: - return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_OAEP_LABEL: - return EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, p2, p1); - case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: - return EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, (unsigned char **)p2); - case EVP_PKEY_CTRL_PKCS7_ENCRYPT: - case EVP_PKEY_CTRL_PKCS7_DECRYPT: + case EVP_PKEY_CTRL_MD: + return EVP_PKEY_CTX_set_signature_md(ctx, p2); + case EVP_PKEY_CTRL_GET_MD: + return EVP_PKEY_CTX_get_signature_md(ctx, p2); + case EVP_PKEY_CTRL_RSA_PADDING: + return EVP_PKEY_CTX_set_rsa_padding(ctx, p1); + case EVP_PKEY_CTRL_GET_RSA_PADDING: + return EVP_PKEY_CTX_get_rsa_padding(ctx, p2); + case EVP_PKEY_CTRL_RSA_OAEP_MD: + return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); + case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: + return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); + case EVP_PKEY_CTRL_RSA_MGF1_MD: + return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); + case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: + return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); + case EVP_PKEY_CTRL_RSA_OAEP_LABEL: + return EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, p2, p1); + case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: + return EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, (unsigned char **)p2); + case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: + return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, p1); + case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: + return EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, p2); + case EVP_PKEY_CTRL_PKCS7_ENCRYPT: + case EVP_PKEY_CTRL_PKCS7_DECRYPT: # ifndef OPENSSL_NO_CMS - case EVP_PKEY_CTRL_CMS_DECRYPT: - case EVP_PKEY_CTRL_CMS_ENCRYPT: + case EVP_PKEY_CTRL_CMS_DECRYPT: + case EVP_PKEY_CTRL_CMS_ENCRYPT: # endif - if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - return 1; - ERR_raise(ERR_LIB_EVP, - EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; + if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return 1; + ERR_raise(ERR_LIB_EVP, + EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + return -2; } } return 0; @@ -918,6 +922,8 @@ static int legacy_ctrl_str_to_param(EVP_PKEY_CTX *ctx, const char *name, name = OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST; else if (strcmp(name, "rsa_oaep_label") == 0) name = OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL; + else if (strcmp(name, "rsa_pss_saltlen") == 0) + name = OSSL_SIGNATURE_PARAM_PSS_SALTLEN; # ifndef OPENSSL_NO_DH else if (strcmp(name, "dh_pad") == 0) name = OSSL_EXCHANGE_PARAM_PAD; diff --git a/crypto/rsa/build.info b/crypto/rsa/build.info index 274f376979..ddb4e6fc5a 100644 --- a/crypto/rsa/build.info +++ b/crypto/rsa/build.info @@ -1,6 +1,6 @@ LIBS=../../libcrypto -$COMMON=rsa_ossl.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_pk1.c \ +$COMMON=rsa_ossl.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_aid.c rsa_pk1.c \ rsa_none.c rsa_oaep.c rsa_chk.c rsa_pss.c rsa_x931.c rsa_crpt.c \ rsa_x931g.c rsa_sp800_56b_gen.c rsa_sp800_56b_check.c diff --git a/crypto/rsa/rsa_aid.c b/crypto/rsa/rsa_aid.c new file mode 100644 index 0000000000..4b4d3a62f1 --- /dev/null +++ b/crypto/rsa/rsa_aid.c @@ -0,0 +1,98 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdlib.h> + +#include <openssl/objects.h> +#include "crypto/rsa.h" + +#define ASN1_SEQUENCE 0x30 +#define ASN1_OID 0x06 + +/* + * -- RFC 2313 + * pkcs-1 OBJECT IDENTIFIER ::= { + * iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) 1 + * } + */ + +/* + * -- RFC 3279 + * md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } + * md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } + * sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } + */ +#define ENCODE_ALGORITHMIDENTIFIER_PKCS1(name, n) \ + static const unsigned char algorithmidentifier_##name##_der[] = { \ + ASN1_SEQUENCE, 0x0b, \ + ASN1_OID, 0x09, 1 * 40 + 2, 134, 72, 134, 247, 13, 1, 1, n \ +} +#ifndef FIPS_MODE +ENCODE_ALGORITHMIDENTIFIER_PKCS1(md2, 2); +ENCODE_ALGORITHMIDENTIFIER_PKCS1(md5, 4); +#endif +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha1, 5); + +/* + * -- RFC 4055 + * sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 } + * sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } + * sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } + * sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } + */ +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha224, 14); +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha256, 11); +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha384, 12); +ENCODE_ALGORITHMIDENTIFIER_PKCS1(sha512, 13); + +/* + * -- https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration + * + * sigAlgs OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 4 3 } + * + * id-rsassa-pkcs1-v1_5-with-sha3-224 ::= { sigAlgs 13 } + * id-rsassa-pkcs1-v1_5-with-sha3-256 ::= { sigAlgs 14 } + * id-rsassa-pkcs1-v1_5-with-sha3-384 ::= { sigAlgs 15 } + * id-rsassa-pkcs1-v1_5-with-sha3-512 ::= { sigAlgs 16 } + */ +#define ENCODE_ALGORITHMIDENTIFIER_SIGALGS(name, n) \ + static const unsigned char algorithmidentifier_##name##_der[] = { \ + ASN1_SEQUENCE, 0x0c, \ + ASN1_OID, 0x0a, 1 * 40 + 2, 16, 134, 72, 1, 101, 3, 4, 3, n \ +} +ENCODE_ALGORITHMIDENTIFIER_SIGALGS(sha3_224, 13); +ENCODE_ALGORITHMIDENTIFIER_SIGALGS(sha3_256, 14); +ENCODE_ALGORITHMIDENTIFIER_SIGALGS(sha3_384, 15); +ENCODE_ALGORITHMIDENTIFIER_SIGALGS(sha3_512, 16); + +#define MD_CASE(name) \ + case NID_##name: \ + *len = sizeof(algorithmidentifier_##name##_der); \ + return algorithmidentifier_##name##_der + +const unsigned char *rsa_algorithmidentifier_encoding(int md_nid, size_t *len) +{ + switch (md_nid) { +#ifndef FIPS_MODE + MD_CASE(md2); + MD_CASE(md5); +#endif + MD_CASE(sha1); + MD_CASE(sha224); + MD_CASE(sha256); + MD_CASE(sha384); + MD_CASE(sha512); + MD_CASE(sha3_224); + MD_CASE(sha3_256); + MD_CASE(sha3_384); + MD_CASE(sha3_512); + default: + return NULL; + } +} diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index c43c9fdd48..39d7f5f54a 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -817,12 +817,14 @@ int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode) return -1; /* TODO(3.0): Remove this eventually when no more legacy */ - if (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - || ctx->op.ciph.ciphprovctx == NULL) + if ((!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) + || ctx->op.ciph.ciphprovctx == NULL) + && (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) + || ctx->op.sig.sigprovctx == NULL)) return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_RSA_PADDING, pad_mode, NULL); - *p++ = OSSL_PARAM_construct_int(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, &pad_mode); + *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_PAD_MODE, &pad_mode); *p++ = OSSL_PARAM_construct_end(); return EVP_PKEY_CTX_set_params(ctx, pad_params); @@ -845,12 +847,14 @@ int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode) return -1; /* TODO(3.0): Remove this eventually when no more legacy */ - if (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - || ctx->op.ciph.ciphprovctx == NULL) + if ((!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) + || ctx->op.ciph.ciphprovctx == NULL) + && (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) + || ctx->op.sig.sigprovctx == NULL)) return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0, pad_mode); - *p++ = OSSL_PARAM_construct_int(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode); + *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_PAD_MODE, pad_mode); *p++ = OSSL_PARAM_construct_end(); if (!EVP_PKEY_CTX_get_params(ctx, pad_params)) @@ -1026,20 +1030,20 @@ int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) return -1; - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST, + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_DIGEST, /* - * Cast away the const. This is read - * only so should be safe + * Cast away the const. This is + * read only so should be safe */ (char *)mdname, 0); if (mdprops != NULL) { - *p++ = OSSL_PARAM_construct_utf8_string( - OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS, - /* - * Cast away the const. This is read - * only so should be safe - */ - (char *)mdprops, 0); + *p++ = + OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_PROPERTIES, + /* + * Cast away the const. This is + * read only so should be safe + */ + (char *)mdprops, 0); } *p++ = OSSL_PARAM_construct_end(); @@ -1065,7 +1069,7 @@ int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) return -1; - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST, + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_DIGEST, name, namelen); *p++ = OSSL_PARAM_construct_end(); @@ -1133,12 +1137,12 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) (void *)label); *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, - /* - * Cast away the const. This is read - * only so should be safe - */ - (void *)label, - (size_t)llen); + /* + * Cast away the const. This is + * read only so should be safe + */ + (void *)label, + (size_t)llen); *p++ = OSSL_PARAM_construct_end(); if (!EVP_PKEY_CTX_set_params(ctx, rsa_params)) @@ -1183,4 +1187,67 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label) return (int)labellen; } + +int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen) +{ + OSSL_PARAM pad_params[2], *p = pad_params; + + if (ctx == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + /* Uses the same return values as EVP_PKEY_CTX_ctrl */ + return -2; + } + + /* If key type not RSA or RSA-PSS return error */ + if (ctx->pmeth != NULL + && ctx->pmeth->pkey_id != EVP_PKEY_RSA + && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return -1; + + /* TODO(3.0): Remove this eventually when no more legacy */ + if (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) + || ctx->op.sig.sigprovctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_RSA_PSS_SALTLEN, + saltlen, NULL); + + *p++ = + OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, &saltlen); + *p++ = OSSL_PARAM_construct_end(); + + return EVP_PKEY_CTX_set_params(ctx, pad_params); +} + +int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen) +{ + OSSL_PARAM pad_params[2], *p = pad_params; + + if (ctx == NULL || saltlen == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + /* Uses the same return values as EVP_PKEY_CTX_ctrl */ + return -2; + } + + /* If key type not RSA or RSA-PSS return error */ + if (ctx->pmeth != NULL + && ctx->pmeth->pkey_id != EVP_PKEY_RSA + && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return -1; + + /* TODO(3.0): Remove this eventually when no more legacy */ + if (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) + || ctx->op.sig.sigprovctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, -1, -1, + EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, + 0, saltlen); + + *p++ = + OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, saltlen); + *p++ = OSSL_PARAM_construct_end(); + + if (!EVP_PKEY_CTX_get_params(ctx, pad_params)) + return 0; + + return 1; + +} #endif diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h index e15c1ae3d5..11d7635c35 100644 --- a/crypto/rsa/rsa_local.h +++ b/crypto/rsa/rsa_local.h @@ -122,10 +122,6 @@ struct rsa_meth_st { BIGNUM *e, BN_GENCB *cb); }; -extern int int_rsa_verify(int dtype, const unsigned char *m, - unsigned int m_len, unsigned char *rm, - size_t *prm_len, const unsigned char *sigbuf, - size_t siglen, RSA *rsa); /* Macros to test if a pkey or ctx is for a PSS key */ #define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) #define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index 174271874a..7a298d5d93 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -25,6 +25,7 @@ #include <openssl/x509v3.h> #include <openssl/cms.h> #include "crypto/evp.h" +#include "crypto/rsa.h" #include "rsa_local.h" /* RSA pkey context structure */ diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 31b8ed11fa..e9c4c55398 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -23,13 +23,20 @@ #ifndef OPENSSL_NO_MD2 # include <openssl/md2.h> /* uses MD2_DIGEST_LENGTH */ #endif +#ifndef OPENSSL_NO_MD4 +# include <openssl/md4.h> /* uses MD4_DIGEST_LENGTH */ +#endif #ifndef OPENSSL_NO_MD5 # include <openssl/md5.h> /* uses MD5_DIGEST_LENGTH */ #endif #ifndef OPENSSL_NO_MDC2 # include <openssl/mdc2.h> /* uses MDC2_DIGEST_LENGTH */ #endif +#ifndef OPENSSL_NO_RMD160 +# include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */ +#endif #include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */ +#include "crypto/rsa.h" #include "rsa_local.h" /* @@ -76,7 +83,7 @@ static const unsigned char digestinfo_##name##_der[] = { \ ASN1_OCTET_STRING, sz \ }; -/* MD2 and MD5 OIDs are of the form: (1 2 840 113549 2 |n|) */ +/* MD2, MD4 and MD5 OIDs are of the form: (1 2 840 113549 2 |n|) */ #define ENCODE_DIGESTINFO_MD(name, n, sz) \ static const unsigned char digestinfo_##name##_der[] = { \ ASN1_SEQUENCE, 0x10 + sz, \ @@ -90,6 +97,9 @@ static const unsigned char digestinfo_##name##_der[] = { \ # ifndef OPENSSL_NO_MD2 ENCODE_DIGESTINFO_MD(md2, 0x02, MD2_DIGEST_LENGTH) # endif +# ifndef OPENSSL_NO_MD4 +ENCODE_DIGESTINFO_MD(md4, 0x03, MD4_DIGEST_LENGTH) +# endif # ifndef OPENSSL_NO_MD5 ENCODE_DIGESTINFO_MD(md5, 0x05, MD5_DIGEST_LENGTH) # endif @@ -103,6 +113,18 @@ static const unsigned char digestinfo_mdc2_der[] = { ASN1_OCTET_STRING, MDC2_DIGEST_LENGTH }; # endif +# ifndef OPENSSL_NO_RMD160 +/* RIPEMD160 (1 3 36 3 3 1 2) */ +static const unsigned char digestinfo_ripemd160_der[] = { + ASN1_SEQUENCE, 0x0c + RIPEMD160_DIGEST_LENGTH, + ASN1_SEQUENCE, 0x08, + ASN1_OID, 0x04, 1 * 40 + 3, 36, 3, 3, 1, 2, + ASN1_NULL, 0x00, + ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH +}; +# endif +#endif /* FIPS_MODE */ + /* SHA-1 (1 3 14 3 2 26) */ static const unsigned char digestinfo_sha1_der[] = { ASN1_SEQUENCE, 0x0d + SHA_DIGEST_LENGTH, @@ -112,8 +134,6 @@ static const unsigned char digestinfo_sha1_der[] = { ASN1_OCTET_STRING, SHA_DIGEST_LENGTH }; -#endif /* FIPS_MODE */ - ENCODE_DIGESTINFO_SHA(sha256, 0x01, SHA256_DIGEST_LENGTH) ENCODE_DIGESTINFO_SHA(sha384, 0x02, SHA384_DIGEST_LENGTH) ENCODE_DIGESTINFO_SHA(sha512, 0x03, SHA512_DIGEST_LENGTH) @@ -130,9 +150,9 @@ ENCODE_DIGESTINFO_SHA(sha3_512, 0x0a, SHA512_DIGEST_LENGTH) *len = sizeof(digestinfo_##name##_der); \ return digestinfo_##name##_der; -static const unsigned char *digestinfo_encoding(int nid, size_t *len) +const unsigned char *rsa_digestinfo_encoding(int md_nid, size_t *len) { - switch (nid) { + switch (md_nid) { #ifndef FIPS_MODE # ifndef OPENSSL_NO_MDC2 MD_CASE(mdc2) @@ -140,11 +160,17 @@ static const unsigned char *digestinfo_encoding(int nid, size_t *len) # ifndef OPENSSL_NO_MD2 MD_CASE(md2) # endif +# ifndef OPENSSL_NO_MD4 + MD_CASE(md4) +# endif # ifndef OPENSSL_NO_MD5 MD_CASE(md5) # endif - MD_CASE(sha1) +# ifndef OPENSSL_NO_RMD160 + MD_CASE(ripemd160) +# endif #endif /* FIPS_MODE */ + MD_CASE(sha1) MD_CASE(sha224) MD_CASE(sha256) MD_CASE(sha384) @@ -183,7 +209,7 @@ static int encode_pkcs1(unsigned char **out, size_t *out_len, int type, RSAerr(RSA_F_ENCODE_PKCS1, RSA_R_UNKNOWN_ALGORITHM_TYPE); return 0; } - di_prefix = digestinfo_encoding(type, &di_prefix_len); + di_prefix = rsa_digestinfo_encoding(type, &di_prefix_len); if (di_prefix == NULL) { RSAerr(RSA_F_ENCODE_PKCS1, RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 8334cfc110..08b6f69925 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -94,8 +94,8 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad); int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad); - int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len); - int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *len); + int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen); + int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen); int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits); int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp); int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes); @@ -211,8 +211,8 @@ B<optype> is a mask indicating which operations the control can be applied to. The control command is indicated in B<cmd> and any additional arguments in B<p1> and B<p2>. -For B<cmd> = B<EVP_PKEY_CTRL_SET_MAC_KEY>, B<p1> is the length of the MAC key, -and B<p2> is MAC key. This is used by Poly1305, SipHash, HMAC and CMAC. +For I<cmd> = B<EVP_PKEY_CTRL_SET_MAC_KEY>, I<p1> is the length of the MAC key, +and I<p2> is the MAC key. This is used by Poly1305, SipHash, HMAC and CMAC. Applications will not normally call EVP_PKEY_CTX_ctrl() directly but will instead call one of the algorithm specific macros below. @@ -272,20 +272,36 @@ buffer is expected to be the algorithm identifier byte. The EVP_PKEY_CTX_get_rsa_padding() function gets the RSA padding mode for B<ctx>. -The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro sets the RSA PSS salt length to -B<len>. As its name implies it is only supported for PSS padding. Three special -values are supported: B<RSA_PSS_SALTLEN_DIGEST> sets the salt length to the -digest length, B<RSA_PSS_SALTLEN_MAX> sets the salt length to the maximum -permissible value. When verifying B<RSA_PSS_SALTLEN_AUTO> causes the salt length -to be automatically determined based on the B<PSS> block structure. If this -macro is not called maximum salt length is used when signing and auto detection -when verifying is used by default. +The EVP_PKEY_CTX_set_rsa_pss_saltlen() function sets the RSA PSS salt +length to I<saltlen>. As its name implies it is only supported for PSS +padding. If this function is not called then the maximum salt length +is used when signing and auto detection when verifying. Three special +values are supported: -The EVP_PKEY_CTX_get_rsa_pss_saltlen() macro gets the RSA PSS salt length -for B<ctx>. The padding mode must have been set to B<RSA_PKCS1_PSS_PADDING>. +=over 4 + +=item B<RSA_PSS_SALTLEN_DIGEST> + +sets the salt length to the digest length. + +=item B<RSA_PSS_SALTLEN_MAX> + +sets the salt length to the maximum permissible value. + +=item B<RSA_PSS_SALTLEN_AUTO> + +causes the salt length to be automatically determined based on the +B<PSS> block structure when verifying. When signing, it has the same +meaning as B<RSA_PSS_SALTLEN_MAX>. + +=back + +The EVP_PKEY_CTX_get_rsa_pss_saltlen() function gets the RSA PSS salt length +for B<ctx>. The padding mode must already have been set to +B<RSA_PKCS1_PSS_PADDING>. The EVP_PKEY_CTX_set_rsa_keygen_bits() macro sets the RSA key length for -RSA key generation to B<bits>. If not specified 1024 bits is used. +RSA key generation to I<bits>. If not specified 2048 bits is used. The EVP_PKEY_CTX_set_rsa_keygen_pubexp() macro sets the public exponent value for RSA key generation to B<pubexp>. Currently it should be an odd integer. The @@ -374,12 +390,12 @@ negotiated protocol version. Otherwise it should be left unset. =head2 DSA parameters The EVP_PKEY_CTX_set_dsa_paramgen_bits() macro sets the number of bits used -for DSA parameter generation to B<nbits>. If not specified, 1024 is used. +for DSA parameter generation to I<nbits>. If not specified, 2048 is used. The EVP_PKEY_CTX_set_dsa_paramgen_q_bits() macro sets the number of bits in the -subprime parameter B<q> for DSA parameter generation to B<qbits>. If not -specified, 160 is used. If a digest function is specified below, this parameter -is ignored and instead, the number of bits in B<q> matches the size of the +subprime parameter I<q> for DSA parameter generation to I<qbits>. If not +specified, 224 is used. If a digest function is specified below, this parameter +is ignored and instead, the number of bits in I<q> matches the size of the digest. The EVP_PKEY_CTX_set_dsa_paramgen_md() macro sets the digest function used for @@ -598,8 +614,9 @@ EVP_PKEY_CTX_set_dh_pad(), EVP_PKEY_CTX_set_rsa_padding(), EVP_PKEY_CTX_get_rsa_padding(), EVP_PKEY_CTX_get_rsa_mgf1_md(), EVP_PKEY_CTX_set_rsa_mgf1_md(), EVP_PKEY_CTX_set_rsa_oaep_md(), EVP_PKEY_CTX_get_rsa_oaep_md(), EVP_PKEY_CTX_set0_rsa_oaep_label(), -EVP_PKEY_CTX_get0_rsa_oaep_label() were macros in OpenSSL 1.1.1 and below. From -OpenSSL 3.0 they are functions. +EVP_PKEY_CTX_get0_rsa_oaep_label(), EVP_PKEY_CTX_set_rsa_pss_saltlen(), +EVP_PKEY_CTX_get_rsa_pss_saltlen(), were macros in OpenSSL 1.1.1 and below. +From OpenSSL 3.0 they are functions. EVP_PKEY_CTX_get_rsa_oaep_md_name(), EVP_PKEY_CTX_get_rsa_mgf1_md_name(), EVP_PKEY_CTX_set_rsa_mgf1_md_name() and EVP_PKEY_CTX_set_rsa_oaep_md_name() were diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index 97fd0f7aad..51ac0148af 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -29,4 +29,12 @@ int rsa_validate_public(const RSA *key); int rsa_validate_private(const RSA *key); int rsa_validate_pairwise(const RSA *key); +int int_rsa_verify(int dtype, const unsigned char *m, + unsigned int m_len, unsigned char *rm, + size_t *prm_len, const unsigned char *sigbuf, + size_t siglen, RSA *rsa); + +const unsigned char *rsa_digestinfo_encoding(int md_nid, size_t *len); +const unsigned char *rsa_algorithmidentifier_encoding(int md_nid, size_t *len); + #endif diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index b2befd8bb5..5e3a13a34b 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -88,11 +88,16 @@ extern "C" { /* Known DIGEST names (not a complete list) */ #define OSSL_DIGEST_NAME_MD5 "MD5" +#define OSSL |