2016-05-18 02:51:34 +08:00
|
|
|
/*
|
2021-01-28 20:54:57 +08:00
|
|
|
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
1998-12-21 18:52:47 +08:00
|
|
|
*
|
2018-12-06 20:54:02 +08:00
|
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-18 02:51:34 +08:00
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
|
* https://www.openssl.org/source/license.html
|
1998-12-21 18:52:47 +08:00
|
|
|
*/
|
|
|
|
|
|
2020-02-12 13:03:51 +08:00
|
|
|
/*
|
|
|
|
|
* RSA low level APIs are deprecated for public use, but still ok for
|
|
|
|
|
* internal use.
|
|
|
|
|
*/
|
|
|
|
|
#include "internal/deprecated.h"
|
|
|
|
|
|
1999-04-24 06:13:45 +08:00
|
|
|
#include <openssl/crypto.h>
|
2019-10-28 21:40:39 +08:00
|
|
|
#include <openssl/core_names.h>
|
|
|
|
|
#include <openssl/engine.h>
|
|
|
|
|
#include <openssl/evp.h>
|
2021-02-23 23:52:49 +08:00
|
|
|
#include <openssl/param_build.h>
|
2015-05-14 22:56:48 +08:00
|
|
|
#include "internal/cryptlib.h"
|
2017-08-22 05:17:35 +08:00
|
|
|
#include "internal/refcount.h"
|
2019-09-28 06:45:33 +08:00
|
|
|
#include "crypto/bn.h"
|
|
|
|
|
#include "crypto/evp.h"
|
2019-10-16 02:28:02 +08:00
|
|
|
#include "crypto/rsa.h"
|
2020-03-07 05:47:58 +08:00
|
|
|
#include "crypto/security_bits.h"
|
2019-09-28 06:45:40 +08:00
|
|
|
#include "rsa_local.h"
|
1998-12-21 18:52:47 +08:00
|
|
|
|
2020-10-15 17:55:50 +08:00
|
|
|
static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx);
|
2020-01-17 22:47:18 +08:00
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
1999-04-20 05:31:43 +08:00
|
|
|
RSA *RSA_new(void)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2020-01-17 22:47:18 +08:00
|
|
|
return rsa_new_intern(NULL, NULL);
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
1999-06-30 06:22:42 +08:00
|
|
|
|
2000-11-07 06:34:17 +08:00
|
|
|
const RSA_METHOD *RSA_get_method(const RSA *rsa)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
return rsa->meth;
|
|
|
|
|
}
|
2001-09-26 04:23:40 +08:00
|
|
|
|
|
|
|
|
int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* NB: The caller is specifically setting a method, so it's not up to us
|
|
|
|
|
* to deal with which ENGINE it comes from.
|
|
|
|
|
*/
|
|
|
|
|
const RSA_METHOD *mtmp;
|
|
|
|
|
mtmp = rsa->meth;
|
|
|
|
|
if (mtmp->finish)
|
|
|
|
|
mtmp->finish(rsa);
|
2003-01-31 01:39:26 +08:00
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
2016-02-26 01:09:06 +08:00
|
|
|
ENGINE_finish(rsa->engine);
|
|
|
|
|
rsa->engine = NULL;
|
2003-01-31 01:39:26 +08:00
|
|
|
#endif
|
2015-01-22 11:40:55 +08:00
|
|
|
rsa->meth = meth;
|
|
|
|
|
if (meth->init)
|
|
|
|
|
meth->init(rsa);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
1999-06-30 06:22:42 +08:00
|
|
|
|
2000-10-27 05:07:28 +08:00
|
|
|
RSA *RSA_new_method(ENGINE *engine)
|
2020-01-17 22:47:18 +08:00
|
|
|
{
|
|
|
|
|
return rsa_new_intern(engine, NULL);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-10-15 17:55:50 +08:00
|
|
|
RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx)
|
2020-01-17 22:47:18 +08:00
|
|
|
{
|
|
|
|
|
return rsa_new_intern(NULL, libctx);
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-15 17:55:50 +08:00
|
|
|
static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2016-05-18 03:21:46 +08:00
|
|
|
RSA *ret = OPENSSL_zalloc(sizeof(*ret));
|
1998-12-21 18:52:47 +08:00
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
if (ret == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
|
2015-01-22 11:40:55 +08:00
|
|
|
return NULL;
|
|
|
|
|
}
|
1998-12-21 18:52:47 +08:00
|
|
|
|
2016-05-18 03:21:46 +08:00
|
|
|
ret->references = 1;
|
|
|
|
|
ret->lock = CRYPTO_THREAD_lock_new();
|
|
|
|
|
if (ret->lock == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
|
2016-05-18 03:21:46 +08:00
|
|
|
OPENSSL_free(ret);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-17 22:47:18 +08:00
|
|
|
ret->libctx = libctx;
|
2015-01-22 11:40:55 +08:00
|
|
|
ret->meth = RSA_get_default_method();
|
2020-04-14 04:34:56 +08:00
|
|
|
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
|
2016-05-18 03:21:46 +08:00
|
|
|
ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
|
2015-01-22 11:40:55 +08:00
|
|
|
if (engine) {
|
|
|
|
|
if (!ENGINE_init(engine)) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB);
|
2016-05-18 03:21:46 +08:00
|
|
|
goto err;
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
|
|
|
|
ret->engine = engine;
|
2017-08-23 01:36:49 +08:00
|
|
|
} else {
|
2015-01-22 11:40:55 +08:00
|
|
|
ret->engine = ENGINE_get_default_RSA();
|
2017-08-23 01:36:49 +08:00
|
|
|
}
|
2015-01-22 11:40:55 +08:00
|
|
|
if (ret->engine) {
|
|
|
|
|
ret->meth = ENGINE_get_RSA(ret->engine);
|
2016-02-26 01:09:06 +08:00
|
|
|
if (ret->meth == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB);
|
2016-05-18 03:21:46 +08:00
|
|
|
goto err;
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
|
|
|
|
}
|
2003-01-31 01:39:26 +08:00
|
|
|
#endif
|
2001-06-24 07:07:34 +08:00
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2015-01-22 11:40:55 +08:00
|
|
|
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
|
2016-05-18 03:21:46 +08:00
|
|
|
goto err;
|
2016-03-04 23:43:46 +08:00
|
|
|
}
|
2020-01-14 09:32:42 +08:00
|
|
|
#endif
|
2016-03-04 23:43:46 +08:00
|
|
|
|
|
|
|
|
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, ERR_R_INIT_FAIL);
|
2016-05-18 03:21:46 +08:00
|
|
|
goto err;
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2016-03-04 23:43:46 +08:00
|
|
|
|
|
|
|
|
return ret;
|
2016-05-18 03:21:46 +08:00
|
|
|
|
2018-09-05 17:08:12 +08:00
|
|
|
err:
|
2016-05-18 03:21:46 +08:00
|
|
|
RSA_free(ret);
|
|
|
|
|
return NULL;
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
1998-12-21 18:52:47 +08:00
|
|
|
|
1999-04-20 05:31:43 +08:00
|
|
|
void RSA_free(RSA *r)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
int i;
|
1998-12-21 18:52:47 +08:00
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
if (r == NULL)
|
|
|
|
|
return;
|
1998-12-21 18:52:47 +08:00
|
|
|
|
2016-08-27 22:01:08 +08:00
|
|
|
CRYPTO_DOWN_REF(&r->references, &i, r->lock);
|
2016-01-31 01:04:25 +08:00
|
|
|
REF_PRINT_COUNT("RSA", r);
|
2015-01-22 11:40:55 +08:00
|
|
|
if (i > 0)
|
|
|
|
|
return;
|
2016-01-31 01:04:25 +08:00
|
|
|
REF_ASSERT_ISNT(i < 0);
|
1998-12-21 18:52:47 +08:00
|
|
|
|
2018-09-05 16:58:55 +08:00
|
|
|
if (r->meth != NULL && r->meth->finish != NULL)
|
2015-01-22 11:40:55 +08:00
|
|
|
r->meth->finish(r);
|
2020-04-14 04:34:56 +08:00
|
|
|
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
|
2016-02-26 05:34:27 +08:00
|
|
|
ENGINE_finish(r->engine);
|
2003-01-31 01:39:26 +08:00
|
|
|
#endif
|
1998-12-21 18:52:47 +08:00
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2015-01-22 11:40:55 +08:00
|
|
|
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
|
2020-01-14 09:32:42 +08:00
|
|
|
#endif
|
2000-11-27 02:34:45 +08:00
|
|
|
|
2016-03-04 23:43:46 +08:00
|
|
|
CRYPTO_THREAD_lock_free(r->lock);
|
|
|
|
|
|
2018-10-11 12:07:26 +08:00
|
|
|
BN_free(r->n);
|
|
|
|
|
BN_free(r->e);
|
2015-05-01 09:37:06 +08:00
|
|
|
BN_clear_free(r->d);
|
|
|
|
|
BN_clear_free(r->p);
|
|
|
|
|
BN_clear_free(r->q);
|
|
|
|
|
BN_clear_free(r->dmp1);
|
|
|
|
|
BN_clear_free(r->dmq1);
|
|
|
|
|
BN_clear_free(r->iqmp);
|
2020-06-17 09:33:16 +08:00
|
|
|
|
|
|
|
|
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
2021-03-09 08:14:45 +08:00
|
|
|
ossl_rsa_acvp_test_free(r->acvp_test);
|
2020-06-17 09:33:16 +08:00
|
|
|
#endif
|
|
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2016-11-21 09:34:56 +08:00
|
|
|
RSA_PSS_PARAMS_free(r->pss);
|
2021-03-09 08:14:45 +08:00
|
|
|
sk_RSA_PRIME_INFO_pop_free(r->prime_infos, ossl_rsa_multip_info_free);
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2015-05-01 09:37:06 +08:00
|
|
|
BN_BLINDING_free(r->blinding);
|
|
|
|
|
BN_BLINDING_free(r->mt_blinding);
|
2015-01-22 11:40:55 +08:00
|
|
|
OPENSSL_free(r);
|
|
|
|
|
}
|
1998-12-21 18:52:47 +08:00
|
|
|
|
2001-09-03 21:40:07 +08:00
|
|
|
int RSA_up_ref(RSA *r)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2016-03-04 23:43:46 +08:00
|
|
|
int i;
|
|
|
|
|
|
2016-08-27 22:01:08 +08:00
|
|
|
if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0)
|
2016-03-04 23:43:46 +08:00
|
|
|
return 0;
|
2016-01-31 01:04:25 +08:00
|
|
|
|
|
|
|
|
REF_PRINT_COUNT("RSA", r);
|
|
|
|
|
REF_ASSERT_ISNT(i < 2);
|
2017-08-23 01:25:23 +08:00
|
|
|
return i > 1 ? 1 : 0;
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2001-08-26 01:24:21 +08:00
|
|
|
|
2020-10-15 17:55:50 +08:00
|
|
|
OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r)
|
2020-05-02 19:31:47 +08:00
|
|
|
{
|
|
|
|
|
return r->libctx;
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-11 18:01:09 +08:00
|
|
|
void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx)
|
|
|
|
|
{
|
|
|
|
|
r->libctx = libctx;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2000-01-24 07:41:49 +08:00
|
|
|
int RSA_set_ex_data(RSA *r, int idx, void *arg)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2017-08-23 01:25:23 +08:00
|
|
|
return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
1998-12-21 18:56:39 +08:00
|
|
|
|
2000-11-07 06:34:17 +08:00
|
|
|
void *RSA_get_ex_data(const RSA *r, int idx)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2017-08-23 01:25:23 +08:00
|
|
|
return CRYPTO_get_ex_data(&r->ex_data, idx);
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2020-01-14 09:32:42 +08:00
|
|
|
#endif
|
1998-12-21 18:56:39 +08:00
|
|
|
|
2018-10-05 07:19:30 +08:00
|
|
|
/*
|
|
|
|
|
* Define a scaling constant for our fixed point arithmetic.
|
|
|
|
|
* This value must be a power of two because the base two logarithm code
|
|
|
|
|
* makes this assumption. The exponent must also be a multiple of three so
|
|
|
|
|
* that the scale factor has an exact cube root. Finally, the scale factor
|
|
|
|
|
* should not be so large that a multiplication of two scaled numbers
|
|
|
|
|
* overflows a 64 bit unsigned integer.
|
|
|
|
|
*/
|
|
|
|
|
static const unsigned int scale = 1 << 18;
|
|
|
|
|
static const unsigned int cbrt_scale = 1 << (2 * 18 / 3);
|
|
|
|
|
|
|
|
|
|
/* Define some constants, none exceed 32 bits */
|
|
|
|
|
static const unsigned int log_2 = 0x02c5c8; /* scale * log(2) */
|
|
|
|
|
static const unsigned int log_e = 0x05c551; /* scale * log2(M_E) */
|
|
|
|
|
static const unsigned int c1_923 = 0x07b126; /* scale * 1.923 */
|
|
|
|
|
static const unsigned int c4_690 = 0x12c28f; /* scale * 4.690 */
|
|
|
|
|
|
|
|
|
|
/*
|
2019-01-24 10:22:48 +08:00
|
|
|
* Multiply two scaled integers together and rescale the result.
|
2018-10-05 07:19:30 +08:00
|
|
|
*/
|
|
|
|
|
static ossl_inline uint64_t mul2(uint64_t a, uint64_t b)
|
|
|
|
|
{
|
|
|
|
|
return a * b / scale;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Calculate the cube root of a 64 bit scaled integer.
|
|
|
|
|
* Although the cube root of a 64 bit number does fit into a 32 bit unsigned
|
|
|
|
|
* integer, this is not guaranteed after scaling, so this function has a
|
|
|
|
|
* 64 bit return. This uses the shifting nth root algorithm with some
|
|
|
|
|
* algebraic simplifications.
|
|
|
|
|
*/
|
|
|
|
|
static uint64_t icbrt64(uint64_t x)
|
|
|
|
|
{
|
|
|
|
|
uint64_t r = 0;
|
|
|
|
|
uint64_t b;
|
|
|
|
|
int s;
|
|
|
|
|
|
|
|
|
|
for (s = 63; s >= 0; s -= 3) {
|
|
|
|
|
r <<= 1;
|
|
|
|
|
b = 3 * r * (r + 1) + 1;
|
|
|
|
|
if ((x >> s) >= b) {
|
|
|
|
|
x -= b << s;
|
|
|
|
|
r++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return r * cbrt_scale;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Calculate the natural logarithm of a 64 bit scaled integer.
|
|
|
|
|
* This is done by calculating a base two logarithm and scaling.
|
|
|
|
|
* The maximum logarithm (base 2) is 64 and this reduces base e, so
|
|
|
|
|
* a 32 bit result should not overflow. The argument passed must be
|
|
|
|
|
* greater than unity so we don't need to handle negative results.
|
|
|
|
|
*/
|
|
|
|
|
static uint32_t ilog_e(uint64_t v)
|
|
|
|
|
{
|
|
|
|
|
uint32_t i, r = 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Scale down the value into the range 1 .. 2.
|
|
|
|
|
*
|
|
|
|
|
* If fractional numbers need to be processed, another loop needs
|
|
|
|
|
* to go here that checks v < scale and if so multiplies it by 2 and
|
|
|
|
|
* reduces r by scale. This also means making r signed.
|
|
|
|
|
*/
|
|
|
|
|
while (v >= 2 * scale) {
|
|
|
|
|
v >>= 1;
|
|
|
|
|
r += scale;
|
|
|
|
|
}
|
|
|
|
|
for (i = scale / 2; i != 0; i /= 2) {
|
|
|
|
|
v = mul2(v, v);
|
|
|
|
|
if (v >= 2 * scale) {
|
|
|
|
|
v >>= 1;
|
|
|
|
|
r += i;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
r = (r * (uint64_t)scale) / log_e;
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC
|
|
|
|
|
* Modulus Lengths.
|
|
|
|
|
*
|
2020-03-07 05:47:58 +08:00
|
|
|
* Note that this formula is also referred to in SP800-56A rev3 Appendix D:
|
|
|
|
|
* for FFC safe prime groups for modp and ffdhe.
|
|
|
|
|
* After Table 25 and Table 26 it refers to
|
|
|
|
|
* "The maximum security strength estimates were calculated using the formula in
|
|
|
|
|
* Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight
|
|
|
|
|
* bits".
|
|
|
|
|
*
|
|
|
|
|
* The formula is:
|
|
|
|
|
*
|
2018-10-05 07:19:30 +08:00
|
|
|
* E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)}
|
|
|
|
|
* \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)}
|
|
|
|
|
* The two cube roots are merged together here.
|
|
|
|
|
*/
|
2021-02-25 07:08:54 +08:00
|
|
|
uint16_t ossl_ifc_ffc_compute_security_bits(int n)
|
2018-10-05 07:19:30 +08:00
|
|
|
{
|
|
|
|
|
uint64_t x;
|
|
|
|
|
uint32_t lx;
|
2021-05-23 13:28:30 +08:00
|
|
|
uint16_t y, cap;
|
2018-10-05 07:19:30 +08:00
|
|
|
|
2021-05-23 13:28:30 +08:00
|
|
|
/*
|
|
|
|
|
* Look for common values as listed in standards.
|
2021-06-17 21:48:35 +08:00
|
|
|
* These values are not exactly equal to the results from the formulae in
|
2021-05-23 13:28:30 +08:00
|
|
|
* the standards but are defined to be canonical.
|
|
|
|
|
*/
|
2018-10-05 07:19:30 +08:00
|
|
|
switch (n) {
|
2021-05-23 13:28:30 +08:00
|
|
|
case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
|
2018-10-05 07:19:30 +08:00
|
|
|
return 112;
|
2021-05-23 13:28:30 +08:00
|
|
|
case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
|
2018-10-05 07:19:30 +08:00
|
|
|
return 128;
|
2021-05-23 13:28:30 +08:00
|
|
|
case 4096: /* SP 800-56B rev 2 Appendix D */
|
2018-10-05 07:19:30 +08:00
|
|
|
return 152;
|
2021-05-23 13:28:30 +08:00
|
|
|
case 6144: /* SP 800-56B rev 2 Appendix D */
|
2018-10-05 07:19:30 +08:00
|
|
|
return 176;
|
2021-05-23 13:28:30 +08:00
|
|
|
case 7680: /* FIPS 140-2 IG 7.5 */
|
|
|
|
|
return 192;
|
|
|
|
|
case 8192: /* SP 800-56B rev 2 Appendix D */
|
2018-10-05 07:19:30 +08:00
|
|
|
return 200;
|
2021-05-23 13:28:30 +08:00
|
|
|
case 15360: /* FIPS 140-2 IG 7.5 */
|
|
|
|
|
return 256;
|
2018-10-05 07:19:30 +08:00
|
|
|
}
|
2021-05-23 13:28:30 +08:00
|
|
|
|
2018-10-05 07:19:30 +08:00
|
|
|
/*
|
|
|
|
|
* The first incorrect result (i.e. not accurate or off by one low) occurs
|
|
|
|
|
* for n = 699668. The true value here is 1200. Instead of using this n
|
|
|
|
|
* as the check threshold, the smallest n such that the correct result is
|
|
|
|
|
* 1200 is used instead.
|
|
|
|
|
*/
|
|
|
|
|
if (n >= 687737)
|
|
|
|
|
return 1200;
|
|
|
|
|
if (n < 8)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2021-05-23 13:28:30 +08:00
|
|
|
/*
|
|
|
|
|
* To ensure that the output is non-decreasing with respect to n,
|
|
|
|
|
* a cap needs to be applied to the two values where the function over
|
|
|
|
|
* estimates the strength (according to the above fast path).
|
|
|
|
|
*/
|
|
|
|
|
if (n <= 7680)
|
|
|
|
|
cap = 192;
|
|
|
|
|
else if (n <= 15360)
|
|
|
|
|
cap = 256;
|
|
|
|
|
else
|
|
|
|
|
cap = 1200;
|
|
|
|
|
|
2018-10-05 07:19:30 +08:00
|
|
|
x = n * (uint64_t)log_2;
|
|
|
|
|
lx = ilog_e(x);
|
|
|
|
|
y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690)
|
|
|
|
|
/ log_2);
|
2021-05-23 13:28:30 +08:00
|
|
|
y = (y + 4) & ~7;
|
|
|
|
|
if (y > cap)
|
|
|
|
|
y = cap;
|
|
|
|
|
return y;
|
2018-10-05 07:19:30 +08:00
|
|
|
}
|
|
|
|
|
|
2020-03-07 05:47:58 +08:00
|
|
|
|
|
|
|
|
|
2014-01-18 22:51:40 +08:00
|
|
|
int RSA_security_bits(const RSA *rsa)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2017-11-25 04:31:11 +08:00
|
|
|
int bits = BN_num_bits(rsa->n);
|
|
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2017-11-25 04:31:11 +08:00
|
|
|
if (rsa->version == RSA_ASN1_VERSION_MULTI) {
|
|
|
|
|
/* This ought to mean that we have private key at hand. */
|
|
|
|
|
int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos);
|
|
|
|
|
|
2021-03-09 08:14:45 +08:00
|
|
|
if (ex_primes <= 0 || (ex_primes + 2) > ossl_rsa_multip_cap(bits))
|
2017-11-25 04:31:11 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2021-02-25 07:08:54 +08:00
|
|
|
return ossl_ifc_ffc_compute_security_bits(bits);
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2016-04-02 21:12:58 +08:00
|
|
|
|
|
|
|
|
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
|
|
|
|
|
{
|
2016-06-14 21:48:16 +08:00
|
|
|
/* If the fields n and e in r are NULL, the corresponding input
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
* parameters MUST be non-NULL for n and e. d may be
|
|
|
|
|
* left NULL (in case only the public key is used).
|
|
|
|
|
*/
|
2016-06-16 17:07:32 +08:00
|
|
|
if ((r->n == NULL && n == NULL)
|
|
|
|
|
|| (r->e == NULL && e == NULL))
|
2016-04-02 21:12:58 +08:00
|
|
|
return 0;
|
|
|
|
|
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
if (n != NULL) {
|
|
|
|
|
BN_free(r->n);
|
|
|
|
|
r->n = n;
|
|
|
|
|
}
|
|
|
|
|
if (e != NULL) {
|
|
|
|
|
BN_free(r->e);
|
|
|
|
|
r->e = e;
|
|
|
|
|
}
|
|
|
|
|
if (d != NULL) {
|
2018-10-11 12:07:26 +08:00
|
|
|
BN_clear_free(r->d);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
r->d = d;
|
2019-09-05 17:13:11 +08:00
|
|
|
BN_set_flags(r->d, BN_FLG_CONSTTIME);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
}
|
2019-10-16 03:31:45 +08:00
|
|
|
r->dirty_cnt++;
|
2016-04-02 21:12:58 +08:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
|
|
|
|
|
{
|
2016-06-14 21:48:16 +08:00
|
|
|
/* If the fields p and q in r are NULL, the corresponding input
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
* parameters MUST be non-NULL.
|
|
|
|
|
*/
|
2016-06-16 17:07:32 +08:00
|
|
|
if ((r->p == NULL && p == NULL)
|
|
|
|
|
|| (r->q == NULL && q == NULL))
|
2016-04-02 21:12:58 +08:00
|
|
|
return 0;
|
|
|
|
|
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
if (p != NULL) {
|
2018-10-11 12:07:26 +08:00
|
|
|
BN_clear_free(r->p);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
r->p = p;
|
2019-09-05 17:13:11 +08:00
|
|
|
BN_set_flags(r->p, BN_FLG_CONSTTIME);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
}
|
|
|
|
|
if (q != NULL) {
|
2018-10-11 12:07:26 +08:00
|
|
|
BN_clear_free(r->q);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
r->q = q;
|
2019-09-05 17:13:11 +08:00
|
|
|
BN_set_flags(r->q, BN_FLG_CONSTTIME);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
}
|
2019-10-16 03:31:45 +08:00
|
|
|
r->dirty_cnt++;
|
2016-04-02 21:12:58 +08:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
|
|
|
|
|
{
|
2016-06-14 21:48:16 +08:00
|
|
|
/* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
* parameters MUST be non-NULL.
|
|
|
|
|
*/
|
2016-06-16 17:07:32 +08:00
|
|
|
if ((r->dmp1 == NULL && dmp1 == NULL)
|
|
|
|
|
|| (r->dmq1 == NULL && dmq1 == NULL)
|
|
|
|
|
|| (r->iqmp == NULL && iqmp == NULL))
|
2016-04-02 21:12:58 +08:00
|
|
|
return 0;
|
|
|
|
|
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
if (dmp1 != NULL) {
|
2018-10-11 12:07:26 +08:00
|
|
|
BN_clear_free(r->dmp1);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
r->dmp1 = dmp1;
|
2019-09-05 17:13:11 +08:00
|
|
|
BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
}
|
|
|
|
|
if (dmq1 != NULL) {
|
2018-10-11 12:07:26 +08:00
|
|
|
BN_clear_free(r->dmq1);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
r->dmq1 = dmq1;
|
2019-09-05 17:13:11 +08:00
|
|
|
BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
}
|
|
|
|
|
if (iqmp != NULL) {
|
2018-10-11 12:07:26 +08:00
|
|
|
BN_clear_free(r->iqmp);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
r->iqmp = iqmp;
|
2019-09-05 17:13:11 +08:00
|
|
|
BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
|
RSA, DSA, DH: Allow some given input to be NULL on already initialised keys
The diverse {RSA,DSA,DH}_set0_* functions are made to allow some
parameters to be NULL IF the corresponding numbers in the given key
structure have already been previously initialised. Specifically,
this allows the addition of private components to be added to a key
that already has the public half, approximately like this:
RSA_get0_key(rsa, NULL, &e, NULL);
RSA_get0_factors(rsa, &p, &q);
/* calculate new d */
RSA_set0_key(rsa, NULL, NULL, d);
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 02:28:54 +08:00
|
|
|
}
|
2019-10-16 03:31:45 +08:00
|
|
|
r->dirty_cnt++;
|
2016-04-02 21:12:58 +08:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2017-08-02 02:19:43 +08:00
|
|
|
/*
|
|
|
|
|
* Is it better to export RSA_PRIME_INFO structure
|
|
|
|
|
* and related functions to let user pass a triplet?
|
|
|
|
|
*/
|
|
|
|
|
int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
|
|
|
|
|
BIGNUM *coeffs[], int pnum)
|
|
|
|
|
{
|
|
|
|
|
STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL;
|
|
|
|
|
RSA_PRIME_INFO *pinfo;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
|
|
|
|
|
if (prime_infos == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (r->prime_infos != NULL)
|
|
|
|
|
old = r->prime_infos;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < pnum; i++) {
|
2021-03-09 08:14:45 +08:00
|
|
|
pinfo = ossl_rsa_multip_info_new();
|
2017-08-02 02:19:43 +08:00
|
|
|
if (pinfo == NULL)
|
|
|
|
|
goto err;
|
|
|
|
|
if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
|
2019-09-06 15:48:00 +08:00
|
|
|
BN_clear_free(pinfo->r);
|
|
|
|
|
BN_clear_free(pinfo->d);
|
|
|
|
|
BN_clear_free(pinfo->t);
|
2017-08-02 02:19:43 +08:00
|
|
|
pinfo->r = primes[i];
|
|
|
|
|
pinfo->d = exps[i];
|
|
|
|
|
pinfo->t = coeffs[i];
|
2019-09-06 15:48:00 +08:00
|
|
|
BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
|
|
|
|
|
BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
|
|
|
|
|
BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
|
2017-08-02 02:19:43 +08:00
|
|
|
} else {
|
2021-03-09 08:14:45 +08:00
|
|
|
ossl_rsa_multip_info_free(pinfo);
|
2017-08-02 02:19:43 +08:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
(void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r->prime_infos = prime_infos;
|
|
|
|
|
|
2021-03-09 08:14:45 +08:00
|
|
|
if (!ossl_rsa_multip_calc_product(r)) {
|
2017-08-02 02:19:43 +08:00
|
|
|
r->prime_infos = old;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (old != NULL) {
|
|
|
|
|
/*
|
|
|
|
|
* This is hard to deal with, since the old infos could
|
|
|
|
|
* also be set by this function and r, d, t should not
|
|
|
|
|
* be freed in that case. So currently, stay consistent
|
|
|
|
|
* with other *set0* functions: just free it...
|
|
|
|
|
*/
|
2021-03-09 08:14:45 +08:00
|
|
|
sk_RSA_PRIME_INFO_pop_free(old, ossl_rsa_multip_info_free);
|
2017-08-02 02:19:43 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r->version = RSA_ASN1_VERSION_MULTI;
|
2019-10-16 03:31:45 +08:00
|
|
|
r->dirty_cnt++;
|
2017-08-02 02:19:43 +08:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
err:
|
|
|
|
|
/* r, d, t should not be freed */
|
2021-03-09 08:14:45 +08:00
|
|
|
sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex);
|
2017-08-02 02:19:43 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2017-08-02 02:19:43 +08:00
|
|
|
|
2016-06-14 21:48:16 +08:00
|
|
|
void RSA_get0_key(const RSA *r,
|
|
|
|
|
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
|
2016-04-02 21:12:58 +08:00
|
|
|
{
|
|
|
|
|
if (n != NULL)
|
|
|
|
|
*n = r->n;
|
|
|
|
|
if (e != NULL)
|
|
|
|
|
*e = r->e;
|
|
|
|
|
if (d != NULL)
|
|
|
|
|
*d = r->d;
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-14 21:48:16 +08:00
|
|
|
void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
|
2016-04-02 21:12:58 +08:00
|
|
|
{
|
|
|
|
|
if (p != NULL)
|
|
|
|
|
*p = r->p;
|
|
|
|
|
if (q != NULL)
|
|
|
|
|
*q = r->q;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2017-08-02 02:19:43 +08:00
|
|
|
int RSA_get_multi_prime_extra_count(const RSA *r)
|
|
|
|
|
{
|
|
|
|
|
int pnum;
|
|
|
|
|
|
|
|
|
|
pnum = sk_RSA_PRIME_INFO_num(r->prime_infos);
|
|
|
|
|
if (pnum <= 0)
|
|
|
|
|
pnum = 0;
|
|
|
|
|
return pnum;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[])
|
|
|
|
|
{
|
|
|
|
|
int pnum, i;
|
|
|
|
|
RSA_PRIME_INFO *pinfo;
|
|
|
|
|
|
|
|
|
|
if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* return other primes
|
|
|
|
|
* it's caller's responsibility to allocate oth_primes[pnum]
|
|
|
|
|
*/
|
|
|
|
|
for (i = 0; i < pnum; i++) {
|
|
|
|
|
pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
|
|
|
|
|
primes[i] = pinfo->r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2017-08-02 02:19:43 +08:00
|
|
|
|
2016-04-02 21:12:58 +08:00
|
|
|
void RSA_get0_crt_params(const RSA *r,
|
2016-06-14 21:48:16 +08:00
|
|
|
const BIGNUM **dmp1, const BIGNUM **dmq1,
|
|
|
|
|
const BIGNUM **iqmp)
|
2016-04-02 21:12:58 +08:00
|
|
|
{
|
|
|
|
|
if (dmp1 != NULL)
|
|
|
|
|
*dmp1 = r->dmp1;
|
|
|
|
|
if (dmq1 != NULL)
|
|
|
|
|
*dmq1 = r->dmq1;
|
|
|
|
|
if (iqmp != NULL)
|
|
|
|
|
*iqmp = r->iqmp;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2017-08-02 02:19:43 +08:00
|
|
|
int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[],
|
|
|
|
|
const BIGNUM *coeffs[])
|
|
|
|
|
{
|
|
|
|
|
int pnum;
|
|
|
|
|
|
|
|
|
|
if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* return other primes */
|
|
|
|
|
if (exps != NULL || coeffs != NULL) {
|
|
|
|
|
RSA_PRIME_INFO *pinfo;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
/* it's the user's job to guarantee the buffer length */
|
|
|
|
|
for (i = 0; i < pnum; i++) {
|
|
|
|
|
pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
|
|
|
|
|
if (exps != NULL)
|
|
|
|
|
exps[i] = pinfo->d;
|
|
|
|
|
if (coeffs != NULL)
|
|
|
|
|
coeffs[i] = pinfo->t;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2017-08-02 02:19:43 +08:00
|
|
|
|
2018-05-27 15:01:28 +08:00
|
|
|
const BIGNUM *RSA_get0_n(const RSA *r)
|
|
|
|
|
{
|
|
|
|
|
return r->n;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const BIGNUM *RSA_get0_e(const RSA *r)
|
|
|
|
|
{
|
|
|
|
|
return r->e;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const BIGNUM *RSA_get0_d(const RSA *r)
|
|
|
|
|
{
|
|
|
|
|
return r->d;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const BIGNUM *RSA_get0_p(const RSA *r)
|
|
|
|
|
{
|
|
|
|
|
return r->p;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const BIGNUM *RSA_get0_q(const RSA *r)
|
|
|
|
|
{
|
|
|
|
|
return r->q;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const BIGNUM *RSA_get0_dmp1(const RSA *r)
|
|
|
|
|
{
|
|
|
|
|
return r->dmp1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const BIGNUM *RSA_get0_dmq1(const RSA *r)
|
|
|
|
|
{
|
|
|
|
|
return r->dmq1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const BIGNUM *RSA_get0_iqmp(const RSA *r)
|
|
|
|
|
{
|
|
|
|
|
return r->iqmp;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-18 08:56:22 +08:00
|
|
|
const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r)
|
|
|
|
|
{
|
RSA: Add a less loaded PSS-parameter structure
RSA_PSS_PARAMS carries with it a lot of baggage in form of X509_ALGOR
and ASN1_INTEGER, which we would rather avoid in our providers.
Therefore, we create a parallell structure - RSA_PSS_PARAMS_30 - that
contains the same information, but uses numeric identities (*) and C
integers (**). This makes it simpler to handle.
Note that neither this structure nor its contents are passed between
libcrypto and the providers. Instead, the numeric identities are
translated to and from names, which are then passed over that
boundary.
For future considerations, we might consider dropping RSA_PSS_PARAMS
entirely. For now, it's still reserved for EVP_PKEY_ASN1_METHOD code,
which RSA_PSS_PARAMS_30 is (almost entirely) reserved for use in our
providers.
(*) We use NIDs in this case, because we already have them and because
only algorithms that libcrypto knows about are permitted in PSS
restrictions. We could use any number series we want, as long as we
know for sure what they represent.
(**) That's for saltlen and for trailerfield, which are never expect
to surpass the set of numbers that fit in a regular 'int'.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11710)
2020-05-02 18:46:55 +08:00
|
|
|
#ifdef FIPS_MODULE
|
|
|
|
|
return NULL;
|
|
|
|
|
#else
|
2019-11-18 08:56:22 +08:00
|
|
|
return r->pss;
|
RSA: Add a less loaded PSS-parameter structure
RSA_PSS_PARAMS carries with it a lot of baggage in form of X509_ALGOR
and ASN1_INTEGER, which we would rather avoid in our providers.
Therefore, we create a parallell structure - RSA_PSS_PARAMS_30 - that
contains the same information, but uses numeric identities (*) and C
integers (**). This makes it simpler to handle.
Note that neither this structure nor its contents are passed between
libcrypto and the providers. Instead, the numeric identities are
translated to and from names, which are then passed over that
boundary.
For future considerations, we might consider dropping RSA_PSS_PARAMS
entirely. For now, it's still reserved for EVP_PKEY_ASN1_METHOD code,
which RSA_PSS_PARAMS_30 is (almost entirely) reserved for use in our
providers.
(*) We use NIDs in this case, because we already have them and because
only algorithms that libcrypto knows about are permitted in PSS
restrictions. We could use any number series we want, as long as we
know for sure what they represent.
(**) That's for saltlen and for trailerfield, which are never expect
to surpass the set of numbers that fit in a regular 'int'.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11710)
2020-05-02 18:46:55 +08:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-18 17:41:53 +08:00
|
|
|
/* Internal */
|
|
|
|
|
int ossl_rsa_set0_pss_params(RSA *r, RSA_PSS_PARAMS *pss)
|
|
|
|
|
{
|
|
|
|
|
#ifdef FIPS_MODULE
|
|
|
|
|
return 0;
|
|
|
|
|
#else
|
|
|
|
|
RSA_PSS_PARAMS_free(r->pss);
|
|
|
|
|
r->pss = pss;
|
|
|
|
|
return 1;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
RSA: Add a less loaded PSS-parameter structure
RSA_PSS_PARAMS carries with it a lot of baggage in form of X509_ALGOR
and ASN1_INTEGER, which we would rather avoid in our providers.
Therefore, we create a parallell structure - RSA_PSS_PARAMS_30 - that
contains the same information, but uses numeric identities (*) and C
integers (**). This makes it simpler to handle.
Note that neither this structure nor its contents are passed between
libcrypto and the providers. Instead, the numeric identities are
translated to and from names, which are then passed over that
boundary.
For future considerations, we might consider dropping RSA_PSS_PARAMS
entirely. For now, it's still reserved for EVP_PKEY_ASN1_METHOD code,
which RSA_PSS_PARAMS_30 is (almost entirely) reserved for use in our
providers.
(*) We use NIDs in this case, because we already have them and because
only algorithms that libcrypto knows about are permitted in PSS
restrictions. We could use any number series we want, as long as we
know for sure what they represent.
(**) That's for saltlen and for trailerfield, which are never expect
to surpass the set of numbers that fit in a regular 'int'.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11710)
2020-05-02 18:46:55 +08:00
|
|
|
/* Internal */
|
rsa: add ossl_ prefix to internal rsa_ calls.
The functions being:
rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
rsa_check_prime_factor, rsa_check_prime_factor_range,
rsa_check_private_exponent, rsa_check_public_exponent,
rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
rsa_padding_add_PKCS1_type_2_with_libctx,
rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
rsa_validate_private and rsa_validate_public.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)
2020-09-30 12:20:14 +08:00
|
|
|
RSA_PSS_PARAMS_30 *ossl_rsa_get0_pss_params_30(RSA *r)
|
RSA: Add a less loaded PSS-parameter structure
RSA_PSS_PARAMS carries with it a lot of baggage in form of X509_ALGOR
and ASN1_INTEGER, which we would rather avoid in our providers.
Therefore, we create a parallell structure - RSA_PSS_PARAMS_30 - that
contains the same information, but uses numeric identities (*) and C
integers (**). This makes it simpler to handle.
Note that neither this structure nor its contents are passed between
libcrypto and the providers. Instead, the numeric identities are
translated to and from names, which are then passed over that
boundary.
For future considerations, we might consider dropping RSA_PSS_PARAMS
entirely. For now, it's still reserved for EVP_PKEY_ASN1_METHOD code,
which RSA_PSS_PARAMS_30 is (almost entirely) reserved for use in our
providers.
(*) We use NIDs in this case, because we already have them and because
only algorithms that libcrypto knows about are permitted in PSS
restrictions. We could use any number series we want, as long as we
know for sure what they represent.
(**) That's for saltlen and for trailerfield, which are never expect
to surpass the set of numbers that fit in a regular 'int'.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11710)
2020-05-02 18:46:55 +08:00
|
|
|
{
|
|
|
|
|
return &r->pss_params;
|
2019-11-18 08:56:22 +08:00
|
|
|
}
|
|
|
|
|
|
2016-04-02 21:12:58 +08:00
|
|
|
void RSA_clear_flags(RSA *r, int flags)
|
|
|
|
|
{
|
|
|
|
|
r->flags &= ~flags;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int RSA_test_flags(const RSA *r, int flags)
|
|
|
|
|
{
|
|
|
|
|
return r->flags & flags;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void RSA_set_flags(RSA *r, int flags)
|
|
|
|
|
{
|
|
|
|
|
r->flags |= flags;
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-02 02:19:43 +08:00
|
|
|
int RSA_get_version(RSA *r)
|
|
|
|
|
{
|
|
|
|
|
/* { two-prime(0), multi(1) } */
|
|
|
|
|
return r->version;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2016-06-27 03:55:03 +08:00
|
|
|
ENGINE *RSA_get0_engine(const RSA *r)
|
2016-04-02 21:12:58 +08:00
|
|
|
{
|
|
|
|
|
return r->engine;
|
|
|
|
|
}
|
2016-11-21 08:44:01 +08:00
|
|
|
|
|
|
|
|
int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2)
|
|
|
|
|
{
|
|
|
|
|
/* If key type not RSA or RSA-PSS return error */
|
|
|
|
|
if (ctx != NULL && ctx->pmeth != NULL
|
|
|
|
|
&& ctx->pmeth->pkey_id != EVP_PKEY_RSA
|
|
|
|
|
&& ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
|
|
|
|
|
return -1;
|
|
|
|
|
return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2);
|
|
|
|
|
}
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2019-10-16 02:28:02 +08:00
|
|
|
|
|
|
|
|
DEFINE_STACK_OF(BIGNUM)
|
|
|
|
|
|
rsa: add ossl_ prefix to internal rsa_ calls.
The functions being:
rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
rsa_check_prime_factor, rsa_check_prime_factor_range,
rsa_check_private_exponent, rsa_check_public_exponent,
rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
rsa_padding_add_PKCS1_type_2_with_libctx,
rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
rsa_validate_private and rsa_validate_public.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)
2020-09-30 12:20:14 +08:00
|
|
|
int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
|
|
|
|
|
const STACK_OF(BIGNUM) *exps,
|
|
|
|
|
const STACK_OF(BIGNUM) *coeffs)
|
2019-10-16 02:28:02 +08:00
|
|
|
{
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2019-10-16 02:28:02 +08:00
|
|
|
STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL;
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2019-10-16 02:28:02 +08:00
|
|
|
int pnum;
|
|
|
|
|
|
|
|
|
|
if (primes == NULL || exps == NULL || coeffs == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
pnum = sk_BIGNUM_num(primes);
|
|
|
|
|
if (pnum < 2
|
|
|
|
|
|| pnum != sk_BIGNUM_num(exps)
|
|
|
|
|
|| pnum != sk_BIGNUM_num(coeffs) + 1)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0),
|
|
|
|
|
sk_BIGNUM_value(primes, 1))
|
|
|
|
|
|| !RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0),
|
|
|
|
|
sk_BIGNUM_value(exps, 1),
|
|
|
|
|
sk_BIGNUM_value(coeffs, 0)))
|
|
|
|
|
return 0;
|
|
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2019-10-16 02:28:02 +08:00
|
|
|
old_infos = r->prime_infos;
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2019-10-16 02:28:02 +08:00
|
|
|
|
|
|
|
|
if (pnum > 2) {
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2019-10-16 02:28:02 +08:00
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
|
|
|
|
|
if (prime_infos == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
for (i = 2; i < pnum; i++) {
|
|
|
|
|
BIGNUM *prime = sk_BIGNUM_value(primes, i);
|
|
|
|
|
BIGNUM *exp = sk_BIGNUM_value(exps, i);
|
|
|
|
|
BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1);
|
|
|
|
|
RSA_PRIME_INFO *pinfo = NULL;
|
|
|
|
|
|
|
|
|
|
if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL))
|
|
|
|
|
goto err;
|
|
|
|
|
|
2021-03-09 08:14:45 +08:00
|
|
|
/* Using ossl_rsa_multip_info_new() is wasteful, so allocate directly */
|
2019-10-16 02:28:02 +08:00
|
|
|
if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) {
|
|
|
|
|
ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pinfo->r = prime;
|
|
|
|
|
pinfo->d = exp;
|
|
|
|
|
pinfo->t = coeff;
|
|
|
|
|
BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
|
|
|
|
|
BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
|
|
|
|
|
BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
|
|
|
|
|
(void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r->prime_infos = prime_infos;
|
|
|
|
|
|
2021-03-09 08:14:45 +08:00
|
|
|
if (!ossl_rsa_multip_calc_product(r)) {
|
2019-10-16 02:28:02 +08:00
|
|
|
r->prime_infos = old_infos;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2020-01-17 22:47:18 +08:00
|
|
|
#else
|
|
|
|
|
return 0;
|
|
|
|
|
#endif
|
2019-10-16 02:28:02 +08:00
|
|
|
}
|
|
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2019-10-16 02:28:02 +08:00
|
|
|
if (old_infos != NULL) {
|
|
|
|
|
/*
|
|
|
|
|
* This is hard to deal with, since the old infos could
|
|
|
|
|
* also be set by this function and r, d, t should not
|
|
|
|
|
* be freed in that case. So currently, stay consistent
|
|
|
|
|
* with other *set0* functions: just free it...
|
|
|
|
|
*/
|
2021-03-09 08:14:45 +08:00
|
|
|
sk_RSA_PRIME_INFO_pop_free(old_infos, ossl_rsa_multip_info_free);
|
2019-10-16 02:28:02 +08:00
|
|
|
}
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2019-10-16 02:28:02 +08:00
|
|
|
|
|
|
|
|
r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT;
|
|
|
|
|
r->dirty_cnt++;
|
|
|
|
|
|
|
|
|
|
return 1;
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2019-10-16 02:28:02 +08:00
|
|
|
err:
|
|
|
|
|
/* r, d, t should not be freed */
|
2021-03-09 08:14:45 +08:00
|
|
|
sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex);
|
2019-10-16 02:28:02 +08:00
|
|
|
return 0;
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2019-10-16 02:28:02 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
|
|
|
|
|
|
rsa: add ossl_ prefix to internal rsa_ calls.
The functions being:
rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
rsa_check_prime_factor, rsa_check_prime_factor_range,
rsa_check_private_exponent, rsa_check_public_exponent,
rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
rsa_padding_add_PKCS1_type_2_with_libctx,
rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
rsa_validate_private and rsa_validate_public.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)
2020-09-30 12:20:14 +08:00
|
|
|
int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes,
|
|
|
|
|
STACK_OF(BIGNUM_const) *exps,
|
|
|
|
|
STACK_OF(BIGNUM_const) *coeffs)
|
2019-10-16 02:28:02 +08:00
|
|
|
{
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2019-10-16 02:28:02 +08:00
|
|
|
RSA_PRIME_INFO *pinfo;
|
|
|
|
|
int i, pnum;
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2019-10-16 02:28:02 +08:00
|
|
|
|
|
|
|
|
if (r == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2019-12-02 18:25:47 +08:00
|
|
|
/* If |p| is NULL, there are no CRT parameters */
|
|
|
|
|
if (RSA_get0_p(r) == NULL)
|
|
|
|
|
return 1;
|
|
|
|
|
|
2019-10-16 02:28:02 +08:00
|
|
|
sk_BIGNUM_const_push(primes, RSA_get0_p(r));
|
|
|
|
|
sk_BIGNUM_const_push(primes, RSA_get0_q(r));
|
|
|
|
|
sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r));
|
|
|
|
|
sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r));
|
|
|
|
|
sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r));
|
2020-01-17 22:47:18 +08:00
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2020-01-17 22:47:18 +08:00
|
|
|
pnum = RSA_get_multi_prime_extra_count(r);
|
2019-10-16 02:28:02 +08:00
|
|
|
for (i = 0; i < pnum; i++) {
|
|
|
|
|
pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
|
|
|
|
|
sk_BIGNUM_const_push(primes, pinfo->r);
|
|
|
|
|
sk_BIGNUM_const_push(exps, pinfo->d);
|
|
|
|
|
sk_BIGNUM_const_push(coeffs, pinfo->t);
|
|
|
|
|
}
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
2019-10-16 02:28:02 +08:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2019-10-28 21:40:39 +08:00
|
|
|
|
2020-04-14 04:34:56 +08:00
|
|
|
#ifndef FIPS_MODULE
|
2021-01-25 22:38:32 +08:00
|
|
|
/* Helpers to set or get diverse hash algorithm names */
|
|
|
|
|
static int int_set_rsa_md_name(EVP_PKEY_CTX *ctx,
|
|
|
|
|
/* For checks */
|
|
|
|
|
int keytype, int optype,
|
|
|
|
|
/* For EVP_PKEY_CTX_set_params() */
|
|
|
|
|
const char *mdkey, const char *mdname,
|
|
|
|
|
const char *propkey, const char *mdprops)
|
2019-10-28 21:40:39 +08:00
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
OSSL_PARAM params[3], *p = params;
|
2019-10-28 21:40:39 +08:00
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) {
|
2019-10-28 21:40:39 +08:00
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
|
|
|
|
|
/* Uses the same return values as EVP_PKEY_CTX_ctrl */
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/* If key type not RSA return error */
|
|
|
|
|
switch (keytype) {
|
|
|
|
|
case -1:
|
|
|
|
|
if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
|
|
|
|
|
&& !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
|
|
|
|
|
return -1;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype)))
|
|
|
|
|
return -1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2019-10-28 21:40:39 +08:00
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/* Cast away the const. This is read only so should be safe */
|
|
|
|
|
*p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, 0);
|
|
|
|
|
if (evp_pkey_ctx_is_provided(ctx) && mdprops != NULL) {
|
|
|
|
|
/* Cast away the const. This is read only so should be safe */
|
|
|
|
|
*p++ = OSSL_PARAM_construct_utf8_string(propkey, (char *)mdprops, 0);
|
|
|
|
|
}
|
2019-10-28 21:40:39 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_end();
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
return evp_pkey_ctx_set_params_strict(ctx, params);
|
2019-10-28 21:40:39 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/* Helpers to set or get diverse hash algorithm names */
|
|
|
|
|
static int int_get_rsa_md_name(EVP_PKEY_CTX *ctx,
|
|
|
|
|
/* For checks */
|
|
|
|
|
int keytype, int optype,
|
|
|
|
|
/* For EVP_PKEY_CTX_get_params() */
|
|
|
|
|
const char *mdkey,
|
|
|
|
|
char *mdname, size_t mdnamesize)
|
2019-10-28 21:40:39 +08:00
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
OSSL_PARAM params[2], *p = params;
|
2019-10-28 21:40:39 +08:00
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) {
|
2019-10-28 21:40:39 +08:00
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
|
|
|
|
|
/* Uses the same return values as EVP_PKEY_CTX_ctrl */
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/* If key type not RSA return error */
|
|
|
|
|
switch (keytype) {
|
|
|
|
|
case -1:
|
|
|
|
|
if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
|
|
|
|
|
&& !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
|
|
|
|
|
return -1;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype)))
|
|
|
|
|
return -1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2019-10-28 21:40:39 +08:00
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/* Cast away the const. This is read only so should be safe */
|
|
|
|
|
*p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, mdnamesize);
|
2019-10-28 21:40:39 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_end();
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
return evp_pkey_ctx_get_params_strict(ctx, params);
|
|
|
|
|
}
|
2019-10-28 21:40:39 +08:00
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
|
|
|
|
int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode)
|
|
|
|
|
{
|
|
|
|
|
return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING,
|
|
|
|
|
pad_mode, NULL);
|
|
|
|
|
}
|
2019-10-28 21:40:39 +08:00
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
|
|
|
|
int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode)
|
|
|
|
|
{
|
|
|
|
|
return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,
|
|
|
|
|
0, pad_mode);
|
2019-10-28 21:40:39 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
2020-10-09 12:07:43 +08:00
|
|
|
int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
|
|
|
|
|
EVP_PKEY_CTRL_MD, 0, (void *)(md));
|
2020-10-09 12:07:43 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx,
|
|
|
|
|
const char *mdname,
|
|
|
|
|
const char *mdprops)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
|
|
|
|
|
OSSL_PKEY_PARAM_RSA_DIGEST, mdname,
|
|
|
|
|
OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, mdprops);
|
2020-10-09 12:07:43 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
2019-10-28 21:40:39 +08:00
|
|
|
int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
|
|
|
|
|
EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md));
|
2019-10-28 21:40:39 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
|
|
|
|
|
const char *mdprops)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return
|
|
|
|
|
int_set_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
|
|
|
|
|
OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, mdname,
|
|
|
|
|
OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, mdprops);
|
2019-10-28 21:40:39 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name,
|
2021-01-25 22:38:32 +08:00
|
|
|
size_t namesize)
|
2019-10-28 21:40:39 +08:00
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return int_get_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
|
|
|
|
|
OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
|
|
|
|
|
name, namesize);
|
2019-10-28 21:40:39 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
2019-10-28 21:40:39 +08:00
|
|
|
int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
|
|
|
|
|
EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md);
|
2019-10-28 21:40:39 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
|
|
|
|
int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
|
2019-10-28 21:40:39 +08:00
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
|
|
|
|
|
EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md));
|
2019-10-28 21:40:39 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
|
|
|
|
|
const char *mdprops)
|
2020-05-05 16:29:34 +08:00
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return int_set_rsa_md_name(ctx, -1,
|
2020-05-05 16:29:34 +08:00
|
|
|
EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG,
|
2021-01-25 22:38:32 +08:00
|
|
|
OSSL_PKEY_PARAM_MGF1_DIGEST, mdname,
|
|
|
|
|
OSSL_PKEY_PARAM_MGF1_PROPERTIES, mdprops);
|
2020-05-05 16:29:34 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name,
|
|
|
|
|
size_t namesize)
|
2020-05-05 16:29:34 +08:00
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return int_get_rsa_md_name(ctx, -1,
|
2020-05-05 16:29:34 +08:00
|
|
|
EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG,
|
2021-01-25 22:38:32 +08:00
|
|
|
OSSL_PKEY_PARAM_MGF1_DIGEST, name, namesize);
|
2020-05-05 16:29:34 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
2020-05-05 16:29:34 +08:00
|
|
|
int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
|
|
|
|
|
EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md));
|
2020-05-05 16:29:34 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx,
|
|
|
|
|
const char *mdname)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
|
|
|
|
|
OSSL_PKEY_PARAM_MGF1_DIGEST, mdname,
|
|
|
|
|
NULL, NULL);
|
2019-10-28 21:40:39 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
2019-10-28 21:40:39 +08:00
|
|
|
int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
|
|
|
|
|
EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(md));
|
2019-10-28 21:40:39 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
|
|
|
|
|
{
|
|
|
|
|
OSSL_PARAM rsa_params[2], *p = rsa_params;
|
|
|
|
|
|
|
|
|
|
if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
|
|
|
|
|
/* Uses the same return values as EVP_PKEY_CTX_ctrl */
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* If key type not RSA return error */
|
2021-01-25 22:38:32 +08:00
|
|
|
if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
|
2019-10-28 21:40:39 +08:00
|
|
|
return -1;
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/* Cast away the const. This is read only so should be safe */
|
2019-10-28 21:40:39 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
|
2021-01-25 22:38:32 +08:00
|
|
|
(void *)label, (size_t)llen);
|
2019-10-28 21:40:39 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_end();
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
if (!evp_pkey_ctx_set_params_strict(ctx, rsa_params))
|
2019-10-28 21:40:39 +08:00
|
|
|
return 0;
|
|
|
|
|
|
2021-02-23 23:52:49 +08:00
|
|
|
/* Ownership is supposed to be transfered to the callee. */
|
2019-10-28 21:40:39 +08:00
|
|
|
OPENSSL_free(label);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label)
|
|
|
|
|
{
|
2021-01-25 03:37:09 +08:00
|
|
|
OSSL_PARAM rsa_params[2], *p = rsa_params;
|
2019-10-28 21:40:39 +08:00
|
|
|
size_t labellen;
|
|
|
|
|
|
|
|
|
|
if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
|
|
|
|
|
/* Uses the same return values as EVP_PKEY_CTX_ctrl */
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* If key type not RSA return error */
|
2021-01-25 22:38:32 +08:00
|
|
|
if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
|
2019-10-28 21:40:39 +08:00
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
*p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
|
|
|
|
|
(void **)label, 0);
|
|
|
|
|
*p++ = OSSL_PARAM_construct_end();
|
|
|
|
|
|
|
|
|
|
if (!EVP_PKEY_CTX_get_params(ctx, rsa_params))
|
|
|
|
|
return -1;
|
|
|
|
|
|
2021-01-25 03:37:09 +08:00
|
|
|
labellen = rsa_params[0].return_size;
|
2019-10-28 21:40:39 +08:00
|
|
|
if (labellen > INT_MAX)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
return (int)labellen;
|
|
|
|
|
}
|
2019-12-01 22:01:50 +08:00
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
2020-05-05 16:29:34 +08:00
|
|
|
int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* For some reason, the optype was set to this:
|
|
|
|
|
*
|
|
|
|
|
* EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY
|
|
|
|
|
*
|
|
|
|
|
* However, we do use RSA-PSS with the whole gamut of diverse signature
|
|
|
|
|
* and verification operations, so the optype gets upgraded to this:
|
|
|
|
|
*
|
|
|
|
|
* EVP_PKEY_OP_TYPE_SIG
|
|
|
|
|
*/
|
|
|
|
|
return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG,
|
|
|
|
|
EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltlen, NULL);
|
2020-05-05 16:29:34 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
|
|
|
|
|
* simply because that's easier.
|
|
|
|
|
*/
|
|
|
|
|
int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen)
|
2020-05-05 16:29:34 +08:00
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
/*
|
|
|
|
|
* Because of circumstances, the optype is updated from:
|
|
|
|
|
*
|
|
|
|
|
* EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY
|
|
|
|
|
*
|
|
|
|
|
* to:
|
|
|
|
|
*
|
|
|
|
|
* EVP_PKEY_OP_TYPE_SIG
|
|
|
|
|
*/
|
|
|
|
|
return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG,
|
|
|
|
|
EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, saltlen);
|
2020-05-05 16:29:34 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen)
|
2019-12-01 22:01:50 +08:00
|
|
|
{
|
|
|
|
|
OSSL_PARAM pad_params[2], *p = pad_params;
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
|
2019-12-01 22:01:50 +08:00
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
|
|
|
|
|
/* Uses the same return values as EVP_PKEY_CTX_ctrl */
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
if (!EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
|
2019-12-01 22:01:50 +08:00
|
|
|
return -1;
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN,
|
|
|
|
|
&saltlen);
|
2019-12-01 22:01:50 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_end();
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
return evp_pkey_ctx_set_params_strict(ctx, pad_params);
|
2019-12-01 22:01:50 +08:00
|
|
|
}
|
2019-10-27 22:28:29 +08:00
|
|
|
|
|
|
|
|
int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits)
|
|
|
|
|
{
|
|
|
|
|
OSSL_PARAM params[2], *p = params;
|
|
|
|
|
size_t bits2 = bits;
|
|
|
|
|
|
|
|
|
|
if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
|
|
|
|
|
/* Uses the same return values as EVP_PKEY_CTX_ctrl */
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* If key type not RSA return error */
|
2021-01-25 22:38:32 +08:00
|
|
|
if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
|
|
|
|
|
&& !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
|
2019-10-27 22:28:29 +08:00
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
*p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2);
|
|
|
|
|
*p++ = OSSL_PARAM_construct_end();
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
return evp_pkey_ctx_set_params_strict(ctx, params);
|
2019-10-27 22:28:29 +08:00
|
|
|
}
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp)
|
2019-10-27 22:28:29 +08:00
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
int ret = RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN,
|
2020-09-24 23:43:06 +08:00
|
|
|
EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Satisfy memory semantics for pre-3.0 callers of
|
|
|
|
|
* EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input
|
|
|
|
|
* pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success.
|
|
|
|
|
*/
|
2021-01-25 22:38:32 +08:00
|
|
|
if (ret > 0 && evp_pkey_ctx_is_provided(ctx)) {
|
|
|
|
|
BN_free(ctx->rsa_pubexp);
|
2020-09-24 23:43:06 +08:00
|
|
|
ctx->rsa_pubexp = pubexp;
|
2021-01-25 22:38:32 +08:00
|
|
|
}
|
2020-09-24 23:43:06 +08:00
|
|
|
|
2019-10-27 22:28:29 +08:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-24 23:43:06 +08:00
|
|
|
int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp)
|
|
|
|
|
{
|
2021-01-25 22:38:32 +08:00
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* When we're dealing with a provider, there's no need to duplicate
|
|
|
|
|
* pubexp, as it gets copied when transforming to an OSSL_PARAM anyway.
|
|
|
|
|
*/
|
|
|
|
|
if (evp_pkey_ctx_is_legacy(ctx))
|
|
|
|
|
pubexp = BN_dup(pubexp);
|
|
|
|
|
ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
|
|
|
|
|
EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp);
|
|
|
|
|
if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0)
|
|
|
|
|
BN_free(pubexp);
|
|
|
|
|
return ret;
|
2020-09-24 23:43:06 +08:00
|
|
|
}
|
|
|
|
|
|
2019-10-27 22:28:29 +08:00
|
|
|
int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes)
|
|
|
|
|
{
|
|
|
|
|
OSSL_PARAM params[2], *p = params;
|
|
|
|
|
size_t primes2 = primes;
|
|
|
|
|
|
|
|
|
|
if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
|
|
|
|
|
/* Uses the same return values as EVP_PKEY_CTX_ctrl */
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* If key type not RSA return error */
|
2021-01-25 22:38:32 +08:00
|
|
|
if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
|
|
|
|
|
&& !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
|
2019-10-27 22:28:29 +08:00
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
*p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2);
|
|
|
|
|
*p++ = OSSL_PARAM_construct_end();
|
|
|
|
|
|
2021-01-25 22:38:32 +08:00
|
|
|
return evp_pkey_ctx_set_params_strict(ctx, params);
|
2019-10-27 22:28:29 +08:00
|
|
|
}
|
2020-01-17 22:47:18 +08:00
|
|
|
#endif
|
