1/* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14#include "internal/deprecated.h" 15 16#include <openssl/crypto.h> 17#include <openssl/core_names.h> 18#ifndef FIPS_MODULE 19# include <openssl/engine.h> 20#endif 21#include <openssl/evp.h> 22#include <openssl/param_build.h> 23#include "internal/cryptlib.h" 24#include "internal/refcount.h" 25#include "crypto/bn.h" 26#include "crypto/evp.h" 27#include "crypto/rsa.h" 28#include "crypto/security_bits.h" 29#include "rsa_local.h" 30 31static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx); 32 33#ifndef FIPS_MODULE 34RSA *RSA_new(void) 35{ 36 return rsa_new_intern(NULL, NULL); 37} 38 39const RSA_METHOD *RSA_get_method(const RSA *rsa) 40{ 41 return rsa->meth; 42} 43 44int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) 45{ 46 /* 47 * NB: The caller is specifically setting a method, so it's not up to us 48 * to deal with which ENGINE it comes from. 49 */ 50 const RSA_METHOD *mtmp; 51 mtmp = rsa->meth; 52 if (mtmp->finish) 53 mtmp->finish(rsa); 54#ifndef OPENSSL_NO_ENGINE 55 ENGINE_finish(rsa->engine); 56 rsa->engine = NULL; 57#endif 58 rsa->meth = meth; 59 if (meth->init) 60 meth->init(rsa); 61 return 1; 62} 63 64RSA *RSA_new_method(ENGINE *engine) 65{ 66 return rsa_new_intern(engine, NULL); 67} 68#endif 69 70RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx) 71{ 72 return rsa_new_intern(NULL, libctx); 73} 74 75static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx) 76{ 77 RSA *ret = OPENSSL_zalloc(sizeof(*ret)); 78 79 if (ret == NULL) { 80 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 81 return NULL; 82 } 83 84 ret->references = 1; 85 ret->lock = CRYPTO_THREAD_lock_new(); 86 if (ret->lock == NULL) { 87 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 88 OPENSSL_free(ret); 89 return NULL; 90 } 91 92 ret->libctx = libctx; 93 ret->meth = RSA_get_default_method(); 94#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 95 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 96 if (engine) { 97 if (!ENGINE_init(engine)) { 98 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 99 goto err; 100 } 101 ret->engine = engine; 102 } else { 103 ret->engine = ENGINE_get_default_RSA(); 104 } 105 if (ret->engine) { 106 ret->meth = ENGINE_get_RSA(ret->engine); 107 if (ret->meth == NULL) { 108 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 109 goto err; 110 } 111 } 112#endif 113 114 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 115#ifndef FIPS_MODULE 116 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { 117 goto err; 118 } 119#endif 120 121 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { 122 ERR_raise(ERR_LIB_RSA, ERR_R_INIT_FAIL); 123 goto err; 124 } 125 126 return ret; 127 128 err: 129 RSA_free(ret); 130 return NULL; 131} 132 133void RSA_free(RSA *r) 134{ 135 int i; 136 137 if (r == NULL) 138 return; 139 140 CRYPTO_DOWN_REF(&r->references, &i, r->lock); 141 REF_PRINT_COUNT("RSA", r); 142 if (i > 0) 143 return; 144 REF_ASSERT_ISNT(i < 0); 145 146 if (r->meth != NULL && r->meth->finish != NULL) 147 r->meth->finish(r); 148#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 149 ENGINE_finish(r->engine); 150#endif 151 152#ifndef FIPS_MODULE 153 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); 154#endif 155 156 CRYPTO_THREAD_lock_free(r->lock); 157 158 BN_free(r->n); 159 BN_free(r->e); 160 BN_clear_free(r->d); 161 BN_clear_free(r->p); 162 BN_clear_free(r->q); 163 BN_clear_free(r->dmp1); 164 BN_clear_free(r->dmq1); 165 BN_clear_free(r->iqmp); 166 167#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) 168 ossl_rsa_acvp_test_free(r->acvp_test); 169#endif 170 171#ifndef FIPS_MODULE 172 RSA_PSS_PARAMS_free(r->pss); 173 sk_RSA_PRIME_INFO_pop_free(r->prime_infos, ossl_rsa_multip_info_free); 174#endif 175 BN_BLINDING_free(r->blinding); 176 BN_BLINDING_free(r->mt_blinding); 177 OPENSSL_free(r); 178} 179 180int RSA_up_ref(RSA *r) 181{ 182 int i; 183 184 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0) 185 return 0; 186 187 REF_PRINT_COUNT("RSA", r); 188 REF_ASSERT_ISNT(i < 2); 189 return i > 1 ? 1 : 0; 190} 191 192OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r) 193{ 194 return r->libctx; 195} 196 197void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx) 198{ 199 r->libctx = libctx; 200} 201 202#ifndef FIPS_MODULE 203int RSA_set_ex_data(RSA *r, int idx, void *arg) 204{ 205 return CRYPTO_set_ex_data(&r->ex_data, idx, arg); 206} 207 208void *RSA_get_ex_data(const RSA *r, int idx) 209{ 210 return CRYPTO_get_ex_data(&r->ex_data, idx); 211} 212#endif 213 214/* 215 * Define a scaling constant for our fixed point arithmetic. 216 * This value must be a power of two because the base two logarithm code 217 * makes this assumption. The exponent must also be a multiple of three so 218 * that the scale factor has an exact cube root. Finally, the scale factor 219 * should not be so large that a multiplication of two scaled numbers 220 * overflows a 64 bit unsigned integer. 221 */ 222static const unsigned int scale = 1 << 18; 223static const unsigned int cbrt_scale = 1 << (2 * 18 / 3); 224 225/* Define some constants, none exceed 32 bits */ 226static const unsigned int log_2 = 0x02c5c8; /* scale * log(2) */ 227static const unsigned int log_e = 0x05c551; /* scale * log2(M_E) */ 228static const unsigned int c1_923 = 0x07b126; /* scale * 1.923 */ 229static const unsigned int c4_690 = 0x12c28f; /* scale * 4.690 */ 230 231/* 232 * Multiply two scaled integers together and rescale the result. 233 */ 234static ossl_inline uint64_t mul2(uint64_t a, uint64_t b) 235{ 236 return a * b / scale; 237} 238 239/* 240 * Calculate the cube root of a 64 bit scaled integer. 241 * Although the cube root of a 64 bit number does fit into a 32 bit unsigned 242 * integer, this is not guaranteed after scaling, so this function has a 243 * 64 bit return. This uses the shifting nth root algorithm with some 244 * algebraic simplifications. 245 */ 246static uint64_t icbrt64(uint64_t x) 247{ 248 uint64_t r = 0; 249 uint64_t b; 250 int s; 251 252 for (s = 63; s >= 0; s -= 3) { 253 r <<= 1; 254 b = 3 * r * (r + 1) + 1; 255 if ((x >> s) >= b) { 256 x -= b << s; 257 r++; 258 } 259 } 260 return r * cbrt_scale; 261} 262 263/* 264 * Calculate the natural logarithm of a 64 bit scaled integer. 265 * This is done by calculating a base two logarithm and scaling. 266 * The maximum logarithm (base 2) is 64 and this reduces base e, so 267 * a 32 bit result should not overflow. The argument passed must be 268 * greater than unity so we don't need to handle negative results. 269 */ 270static uint32_t ilog_e(uint64_t v) 271{ 272 uint32_t i, r = 0; 273 274 /* 275 * Scale down the value into the range 1 .. 2. 276 * 277 * If fractional numbers need to be processed, another loop needs 278 * to go here that checks v < scale and if so multiplies it by 2 and 279 * reduces r by scale. This also means making r signed. 280 */ 281 while (v >= 2 * scale) { 282 v >>= 1; 283 r += scale; 284 } 285 for (i = scale / 2; i != 0; i /= 2) { 286 v = mul2(v, v); 287 if (v >= 2 * scale) { 288 v >>= 1; 289 r += i; 290 } 291 } 292 r = (r * (uint64_t)scale) / log_e; 293 return r; 294} 295 296/* 297 * NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC 298 * Modulus Lengths. 299 * 300 * Note that this formula is also referred to in SP800-56A rev3 Appendix D: 301 * for FFC safe prime groups for modp and ffdhe. 302 * After Table 25 and Table 26 it refers to 303 * "The maximum security strength estimates were calculated using the formula in 304 * Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight 305 * bits". 306 * 307 * The formula is: 308 * 309 * E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)} 310 * \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)} 311 * The two cube roots are merged together here. 312 */ 313uint16_t ossl_ifc_ffc_compute_security_bits(int n) 314{ 315 uint64_t x; 316 uint32_t lx; 317 uint16_t y, cap; 318 319 /* 320 * Look for common values as listed in standards. 321 * These values are not exactly equal to the results from the formulae in 322 * the standards but are defined to be canonical. 323 */ 324 switch (n) { 325 case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 326 return 112; 327 case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 328 return 128; 329 case 4096: /* SP 800-56B rev 2 Appendix D */ 330 return 152; 331 case 6144: /* SP 800-56B rev 2 Appendix D */ 332 return 176; 333 case 7680: /* FIPS 140-2 IG 7.5 */ 334 return 192; 335 case 8192: /* SP 800-56B rev 2 Appendix D */ 336 return 200; 337 case 15360: /* FIPS 140-2 IG 7.5 */ 338 return 256; 339 } 340 341 /* 342 * The first incorrect result (i.e. not accurate or off by one low) occurs 343 * for n = 699668. The true value here is 1200. Instead of using this n 344 * as the check threshold, the smallest n such that the correct result is 345 * 1200 is used instead. 346 */ 347 if (n >= 687737) 348 return 1200; 349 if (n < 8) 350 return 0; 351 352 /* 353 * To ensure that the output is non-decreasing with respect to n, 354 * a cap needs to be applied to the two values where the function over 355 * estimates the strength (according to the above fast path). 356 */ 357 if (n <= 7680) 358 cap = 192; 359 else if (n <= 15360) 360 cap = 256; 361 else 362 cap = 1200; 363 364 x = n * (uint64_t)log_2; 365 lx = ilog_e(x); 366 y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690) 367 / log_2); 368 y = (y + 4) & ~7; 369 if (y > cap) 370 y = cap; 371 return y; 372} 373 374 375 376int RSA_security_bits(const RSA *rsa) 377{ 378 int bits = BN_num_bits(rsa->n); 379 380#ifndef FIPS_MODULE 381 if (rsa->version == RSA_ASN1_VERSION_MULTI) { 382 /* This ought to mean that we have private key at hand. */ 383 int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos); 384 385 if (ex_primes <= 0 || (ex_primes + 2) > ossl_rsa_multip_cap(bits)) 386 return 0; 387 } 388#endif 389 return ossl_ifc_ffc_compute_security_bits(bits); 390} 391 392int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) 393{ 394 /* If the fields n and e in r are NULL, the corresponding input 395 * parameters MUST be non-NULL for n and e. d may be 396 * left NULL (in case only the public key is used). 397 */ 398 if ((r->n == NULL && n == NULL) 399 || (r->e == NULL && e == NULL)) 400 return 0; 401 402 if (n != NULL) { 403 BN_free(r->n); 404 r->n = n; 405 } 406 if (e != NULL) { 407 BN_free(r->e); 408 r->e = e; 409 } 410 if (d != NULL) { 411 BN_clear_free(r->d); 412 r->d = d; 413 BN_set_flags(r->d, BN_FLG_CONSTTIME); 414 } 415 r->dirty_cnt++; 416 417 return 1; 418} 419 420int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) 421{ 422 /* If the fields p and q in r are NULL, the corresponding input 423 * parameters MUST be non-NULL. 424 */ 425 if ((r->p == NULL && p == NULL) 426 || (r->q == NULL && q == NULL)) 427 return 0; 428 429 if (p != NULL) { 430 BN_clear_free(r->p); 431 r->p = p; 432 BN_set_flags(r->p, BN_FLG_CONSTTIME); 433 } 434 if (q != NULL) { 435 BN_clear_free(r->q); 436 r->q = q; 437 BN_set_flags(r->q, BN_FLG_CONSTTIME); 438 } 439 r->dirty_cnt++; 440 441 return 1; 442} 443 444int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) 445{ 446 /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input 447 * parameters MUST be non-NULL. 448 */ 449 if ((r->dmp1 == NULL && dmp1 == NULL) 450 || (r->dmq1 == NULL && dmq1 == NULL) 451 || (r->iqmp == NULL && iqmp == NULL)) 452 return 0; 453 454 if (dmp1 != NULL) { 455 BN_clear_free(r->dmp1); 456 r->dmp1 = dmp1; 457 BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); 458 } 459 if (dmq1 != NULL) { 460 BN_clear_free(r->dmq1); 461 r->dmq1 = dmq1; 462 BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); 463 } 464 if (iqmp != NULL) { 465 BN_clear_free(r->iqmp); 466 r->iqmp = iqmp; 467 BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); 468 } 469 r->dirty_cnt++; 470 471 return 1; 472} 473 474#ifndef FIPS_MODULE 475/* 476 * Is it better to export RSA_PRIME_INFO structure 477 * and related functions to let user pass a triplet? 478 */ 479int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[], 480 BIGNUM *coeffs[], int pnum) 481{ 482 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL; 483 RSA_PRIME_INFO *pinfo; 484 int i; 485 486 if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0) 487 return 0; 488 489 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 490 if (prime_infos == NULL) 491 return 0; 492 493 if (r->prime_infos != NULL) 494 old = r->prime_infos; 495 496 for (i = 0; i < pnum; i++) { 497 pinfo = ossl_rsa_multip_info_new(); 498 if (pinfo == NULL) 499 goto err; 500 if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) { 501 BN_clear_free(pinfo->r); 502 BN_clear_free(pinfo->d); 503 BN_clear_free(pinfo->t); 504 pinfo->r = primes[i]; 505 pinfo->d = exps[i]; 506 pinfo->t = coeffs[i]; 507 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 508 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 509 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 510 } else { 511 ossl_rsa_multip_info_free(pinfo); 512 goto err; 513 } 514 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 515 } 516 517 r->prime_infos = prime_infos; 518 519 if (!ossl_rsa_multip_calc_product(r)) { 520 r->prime_infos = old; 521 goto err; 522 } 523 524 if (old != NULL) { 525 /* 526 * This is hard to deal with, since the old infos could 527 * also be set by this function and r, d, t should not 528 * be freed in that case. So currently, stay consistent 529 * with other *set0* functions: just free it... 530 */ 531 sk_RSA_PRIME_INFO_pop_free(old, ossl_rsa_multip_info_free); 532 } 533 534 r->version = RSA_ASN1_VERSION_MULTI; 535 r->dirty_cnt++; 536 537 return 1; 538 err: 539 /* r, d, t should not be freed */ 540 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 541 return 0; 542} 543#endif 544 545void RSA_get0_key(const RSA *r, 546 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) 547{ 548 if (n != NULL) 549 *n = r->n; 550 if (e != NULL) 551 *e = r->e; 552 if (d != NULL) 553 *d = r->d; 554} 555 556void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) 557{ 558 if (p != NULL) 559 *p = r->p; 560 if (q != NULL) 561 *q = r->q; 562} 563 564#ifndef FIPS_MODULE 565int RSA_get_multi_prime_extra_count(const RSA *r) 566{ 567 int pnum; 568 569 pnum = sk_RSA_PRIME_INFO_num(r->prime_infos); 570 if (pnum <= 0) 571 pnum = 0; 572 return pnum; 573} 574 575int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[]) 576{ 577 int pnum, i; 578 RSA_PRIME_INFO *pinfo; 579 580 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 581 return 0; 582 583 /* 584 * return other primes 585 * it's caller's responsibility to allocate oth_primes[pnum] 586 */ 587 for (i = 0; i < pnum; i++) { 588 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 589 primes[i] = pinfo->r; 590 } 591 592 return 1; 593} 594#endif 595 596void RSA_get0_crt_params(const RSA *r, 597 const BIGNUM **dmp1, const BIGNUM **dmq1, 598 const BIGNUM **iqmp) 599{ 600 if (dmp1 != NULL) 601 *dmp1 = r->dmp1; 602 if (dmq1 != NULL) 603 *dmq1 = r->dmq1; 604 if (iqmp != NULL) 605 *iqmp = r->iqmp; 606} 607 608#ifndef FIPS_MODULE 609int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[], 610 const BIGNUM *coeffs[]) 611{ 612 int pnum; 613 614 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 615 return 0; 616 617 /* return other primes */ 618 if (exps != NULL || coeffs != NULL) { 619 RSA_PRIME_INFO *pinfo; 620 int i; 621 622 /* it's the user's job to guarantee the buffer length */ 623 for (i = 0; i < pnum; i++) { 624 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 625 if (exps != NULL) 626 exps[i] = pinfo->d; 627 if (coeffs != NULL) 628 coeffs[i] = pinfo->t; 629 } 630 } 631 632 return 1; 633} 634#endif 635 636const BIGNUM *RSA_get0_n(const RSA *r) 637{ 638 return r->n; 639} 640 641const BIGNUM *RSA_get0_e(const RSA *r) 642{ 643 return r->e; 644} 645 646const BIGNUM *RSA_get0_d(const RSA *r) 647{ 648 return r->d; 649} 650 651const BIGNUM *RSA_get0_p(const RSA *r) 652{ 653 return r->p; 654} 655 656const BIGNUM *RSA_get0_q(const RSA *r) 657{ 658 return r->q; 659} 660 661const BIGNUM *RSA_get0_dmp1(const RSA *r) 662{ 663 return r->dmp1; 664} 665 666const BIGNUM *RSA_get0_dmq1(const RSA *r) 667{ 668 return r->dmq1; 669} 670 671const BIGNUM *RSA_get0_iqmp(const RSA *r) 672{ 673 return r->iqmp; 674} 675 676const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r) 677{ 678#ifdef FIPS_MODULE 679 return NULL; 680#else 681 return r->pss; 682#endif 683} 684 685/* Internal */ 686int ossl_rsa_set0_pss_params(RSA *r, RSA_PSS_PARAMS *pss) 687{ 688#ifdef FIPS_MODULE 689 return 0; 690#else 691 RSA_PSS_PARAMS_free(r->pss); 692 r->pss = pss; 693 return 1; 694#endif 695} 696 697/* Internal */ 698RSA_PSS_PARAMS_30 *ossl_rsa_get0_pss_params_30(RSA *r) 699{ 700 return &r->pss_params; 701} 702 703void RSA_clear_flags(RSA *r, int flags) 704{ 705 r->flags &= ~flags; 706} 707 708int RSA_test_flags(const RSA *r, int flags) 709{ 710 return r->flags & flags; 711} 712 713void RSA_set_flags(RSA *r, int flags) 714{ 715 r->flags |= flags; 716} 717 718int RSA_get_version(RSA *r) 719{ 720 /* { two-prime(0), multi(1) } */ 721 return r->version; 722} 723 724#ifndef FIPS_MODULE 725ENGINE *RSA_get0_engine(const RSA *r) 726{ 727 return r->engine; 728} 729 730int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) 731{ 732 /* If key type not RSA or RSA-PSS return error */ 733 if (ctx != NULL && ctx->pmeth != NULL 734 && ctx->pmeth->pkey_id != EVP_PKEY_RSA 735 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) 736 return -1; 737 return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2); 738} 739#endif 740 741DEFINE_STACK_OF(BIGNUM) 742 743int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, 744 const STACK_OF(BIGNUM) *exps, 745 const STACK_OF(BIGNUM) *coeffs) 746{ 747#ifndef FIPS_MODULE 748 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL; 749#endif 750 int pnum; 751 752 if (primes == NULL || exps == NULL || coeffs == NULL) 753 return 0; 754 755 pnum = sk_BIGNUM_num(primes); 756 if (pnum < 2 757 || pnum != sk_BIGNUM_num(exps) 758 || pnum != sk_BIGNUM_num(coeffs) + 1) 759 return 0; 760 761 if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0), 762 sk_BIGNUM_value(primes, 1)) 763 || !RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0), 764 sk_BIGNUM_value(exps, 1), 765 sk_BIGNUM_value(coeffs, 0))) 766 return 0; 767 768#ifndef FIPS_MODULE 769 old_infos = r->prime_infos; 770#endif 771 772 if (pnum > 2) { 773#ifndef FIPS_MODULE 774 int i; 775 776 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 777 if (prime_infos == NULL) 778 return 0; 779 780 for (i = 2; i < pnum; i++) { 781 BIGNUM *prime = sk_BIGNUM_value(primes, i); 782 BIGNUM *exp = sk_BIGNUM_value(exps, i); 783 BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1); 784 RSA_PRIME_INFO *pinfo = NULL; 785 786 if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL)) 787 goto err; 788 789 /* Using ossl_rsa_multip_info_new() is wasteful, so allocate directly */ 790 if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) { 791 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 792 goto err; 793 } 794 795 pinfo->r = prime; 796 pinfo->d = exp; 797 pinfo->t = coeff; 798 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 799 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 800 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 801 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 802 } 803 804 r->prime_infos = prime_infos; 805 806 if (!ossl_rsa_multip_calc_product(r)) { 807 r->prime_infos = old_infos; 808 goto err; 809 } 810#else 811 return 0; 812#endif 813 } 814 815#ifndef FIPS_MODULE 816 if (old_infos != NULL) { 817 /* 818 * This is hard to deal with, since the old infos could 819 * also be set by this function and r, d, t should not 820 * be freed in that case. So currently, stay consistent 821 * with other *set0* functions: just free it... 822 */ 823 sk_RSA_PRIME_INFO_pop_free(old_infos, ossl_rsa_multip_info_free); 824 } 825#endif 826 827 r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT; 828 r->dirty_cnt++; 829 830 return 1; 831#ifndef FIPS_MODULE 832 err: 833 /* r, d, t should not be freed */ 834 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 835 return 0; 836#endif 837} 838 839DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM) 840 841int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes, 842 STACK_OF(BIGNUM_const) *exps, 843 STACK_OF(BIGNUM_const) *coeffs) 844{ 845#ifndef FIPS_MODULE 846 RSA_PRIME_INFO *pinfo; 847 int i, pnum; 848#endif 849 850 if (r == NULL) 851 return 0; 852 853 /* If |p| is NULL, there are no CRT parameters */ 854 if (RSA_get0_p(r) == NULL) 855 return 1; 856 857 sk_BIGNUM_const_push(primes, RSA_get0_p(r)); 858 sk_BIGNUM_const_push(primes, RSA_get0_q(r)); 859 sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r)); 860 sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r)); 861 sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r)); 862 863#ifndef FIPS_MODULE 864 pnum = RSA_get_multi_prime_extra_count(r); 865 for (i = 0; i < pnum; i++) { 866 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 867 sk_BIGNUM_const_push(primes, pinfo->r); 868 sk_BIGNUM_const_push(exps, pinfo->d); 869 sk_BIGNUM_const_push(coeffs, pinfo->t); 870 } 871#endif 872 873 return 1; 874} 875 876#ifndef FIPS_MODULE 877/* Helpers to set or get diverse hash algorithm names */ 878static int int_set_rsa_md_name(EVP_PKEY_CTX *ctx, 879 /* For checks */ 880 int keytype, int optype, 881 /* For EVP_PKEY_CTX_set_params() */ 882 const char *mdkey, const char *mdname, 883 const char *propkey, const char *mdprops) 884{ 885 OSSL_PARAM params[3], *p = params; 886 887 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 888 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 889 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 890 return -2; 891 } 892 893 /* If key type not RSA return error */ 894 switch (keytype) { 895 case -1: 896 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 897 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 898 return -1; 899 break; 900 default: 901 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 902 return -1; 903 break; 904 } 905 906 /* Cast away the const. This is read only so should be safe */ 907 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, 0); 908 if (evp_pkey_ctx_is_provided(ctx) && mdprops != NULL) { 909 /* Cast away the const. This is read only so should be safe */ 910 *p++ = OSSL_PARAM_construct_utf8_string(propkey, (char *)mdprops, 0); 911 } 912 *p++ = OSSL_PARAM_construct_end(); 913 914 return evp_pkey_ctx_set_params_strict(ctx, params); 915} 916 917/* Helpers to set or get diverse hash algorithm names */ 918static int int_get_rsa_md_name(EVP_PKEY_CTX *ctx, 919 /* For checks */ 920 int keytype, int optype, 921 /* For EVP_PKEY_CTX_get_params() */ 922 const char *mdkey, 923 char *mdname, size_t mdnamesize) 924{ 925 OSSL_PARAM params[2], *p = params; 926 927 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 928 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 929 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 930 return -2; 931 } 932 933 /* If key type not RSA return error */ 934 switch (keytype) { 935 case -1: 936 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 937 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 938 return -1; 939 break; 940 default: 941 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 942 return -1; 943 break; 944 } 945 946 /* Cast away the const. This is read only so should be safe */ 947 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, mdnamesize); 948 *p++ = OSSL_PARAM_construct_end(); 949 950 return evp_pkey_ctx_get_params_strict(ctx, params); 951} 952 953/* 954 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 955 * simply because that's easier. 956 */ 957int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode) 958{ 959 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, 960 pad_mode, NULL); 961} 962 963/* 964 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 965 * simply because that's easier. 966 */ 967int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode) 968{ 969 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 970 0, pad_mode); 971} 972 973/* 974 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 975 * simply because that's easier. 976 */ 977int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 978{ 979 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 980 EVP_PKEY_CTRL_MD, 0, (void *)(md)); 981} 982 983int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx, 984 const char *mdname, 985 const char *mdprops) 986{ 987 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 988 OSSL_PKEY_PARAM_RSA_DIGEST, mdname, 989 OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, mdprops); 990} 991 992/* 993 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 994 * simply because that's easier. 995 */ 996int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 997{ 998 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 999 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)); 1000} 1001 1002int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1003 const char *mdprops) 1004{ 1005 return 1006 int_set_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1007 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, mdname, 1008 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, mdprops); 1009} 1010 1011int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, 1012 size_t namesize) 1013{ 1014 return int_get_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1015 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, 1016 name, namesize); 1017} 1018 1019/* 1020 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1021 * simply because that's easier. 1022 */ 1023int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1024{ 1025 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1026 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md); 1027} 1028 1029/* 1030 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1031 * simply because that's easier. 1032 */ 1033int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1034{ 1035 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1036 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1037} 1038 1039int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1040 const char *mdprops) 1041{ 1042 return int_set_rsa_md_name(ctx, -1, 1043 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1044 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1045 OSSL_PKEY_PARAM_MGF1_PROPERTIES, mdprops); 1046} 1047 1048int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, 1049 size_t namesize) 1050{ 1051 return int_get_rsa_md_name(ctx, -1, 1052 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1053 OSSL_PKEY_PARAM_MGF1_DIGEST, name, namesize); 1054} 1055 1056/* 1057 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1058 * simply because that's easier. 1059 */ 1060int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1061{ 1062 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1063 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1064} 1065 1066int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx, 1067 const char *mdname) 1068{ 1069 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1070 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1071 NULL, NULL); 1072} 1073 1074/* 1075 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1076 * simply because that's easier. 1077 */ 1078int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1079{ 1080 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1081 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(md)); 1082} 1083 1084int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) 1085{ 1086 OSSL_PARAM rsa_params[2], *p = rsa_params; 1087 int ret; 1088 1089 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1090 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1091 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1092 return -2; 1093 } 1094 1095 /* If key type not RSA return error */ 1096 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1097 return -1; 1098 1099 /* Cast away the const. This is read only so should be safe */ 1100 *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1101 (void *)label, (size_t)llen); 1102 *p++ = OSSL_PARAM_construct_end(); 1103 1104 ret = evp_pkey_ctx_set_params_strict(ctx, rsa_params); 1105 if (ret <= 0) 1106 return ret; 1107 1108 /* Ownership is supposed to be transfered to the callee. */ 1109 OPENSSL_free(label); 1110 return 1; 1111} 1112 1113int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label) 1114{ 1115 OSSL_PARAM rsa_params[2], *p = rsa_params; 1116 size_t labellen; 1117 1118 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1119 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1120 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1121 return -2; 1122 } 1123 1124 /* If key type not RSA return error */ 1125 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1126 return -1; 1127 1128 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1129 (void **)label, 0); 1130 *p++ = OSSL_PARAM_construct_end(); 1131 1132 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params)) 1133 return -1; 1134 1135 labellen = rsa_params[0].return_size; 1136 if (labellen > INT_MAX) 1137 return -1; 1138 1139 return (int)labellen; 1140} 1141 1142/* 1143 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1144 * simply because that's easier. 1145 */ 1146int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1147{ 1148 /* 1149 * For some reason, the optype was set to this: 1150 * 1151 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1152 * 1153 * However, we do use RSA-PSS with the whole gamut of diverse signature 1154 * and verification operations, so the optype gets upgraded to this: 1155 * 1156 * EVP_PKEY_OP_TYPE_SIG 1157 */ 1158 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1159 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltlen, NULL); 1160} 1161 1162/* 1163 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1164 * simply because that's easier. 1165 */ 1166int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen) 1167{ 1168 /* 1169 * Because of circumstances, the optype is updated from: 1170 * 1171 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1172 * 1173 * to: 1174 * 1175 * EVP_PKEY_OP_TYPE_SIG 1176 */ 1177 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1178 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, saltlen); 1179} 1180 1181int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1182{ 1183 OSSL_PARAM pad_params[2], *p = pad_params; 1184 1185 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1186 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1187 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1188 return -2; 1189 } 1190 1191 if (!EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1192 return -1; 1193 1194 *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, 1195 &saltlen); 1196 *p++ = OSSL_PARAM_construct_end(); 1197 1198 return evp_pkey_ctx_set_params_strict(ctx, pad_params); 1199} 1200 1201int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) 1202{ 1203 OSSL_PARAM params[2], *p = params; 1204 size_t bits2 = bits; 1205 1206 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1207 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1208 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1209 return -2; 1210 } 1211 1212 /* If key type not RSA return error */ 1213 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1214 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1215 return -1; 1216 1217 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2); 1218 *p++ = OSSL_PARAM_construct_end(); 1219 1220 return evp_pkey_ctx_set_params_strict(ctx, params); 1221} 1222 1223int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1224{ 1225 int ret = RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, 1226 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1227 1228 /* 1229 * Satisfy memory semantics for pre-3.0 callers of 1230 * EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input 1231 * pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success. 1232 */ 1233 if (ret > 0 && evp_pkey_ctx_is_provided(ctx)) { 1234 BN_free(ctx->rsa_pubexp); 1235 ctx->rsa_pubexp = pubexp; 1236 } 1237 1238 return ret; 1239} 1240 1241int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1242{ 1243 int ret = 0; 1244 1245 /* 1246 * When we're dealing with a provider, there's no need to duplicate 1247 * pubexp, as it gets copied when transforming to an OSSL_PARAM anyway. 1248 */ 1249 if (evp_pkey_ctx_is_legacy(ctx)) { 1250 pubexp = BN_dup(pubexp); 1251 if (pubexp == NULL) 1252 return 0; 1253 } 1254 ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, 1255 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1256 if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0) 1257 BN_free(pubexp); 1258 return ret; 1259} 1260 1261int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes) 1262{ 1263 OSSL_PARAM params[2], *p = params; 1264 size_t primes2 = primes; 1265 1266 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1267 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1268 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1269 return -2; 1270 } 1271 1272 /* If key type not RSA return error */ 1273 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1274 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1275 return -1; 1276 1277 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2); 1278 *p++ = OSSL_PARAM_construct_end(); 1279 1280 return evp_pkey_ctx_set_params_strict(ctx, params); 1281} 1282#endif 1283