1 /*
2 * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15 #include "internal/nelem.h"
16 #include <openssl/crypto.h>
17 #include <openssl/evp.h>
18 #include <openssl/core_dispatch.h>
19 #include <openssl/core_names.h>
20 #include <openssl/rsa.h>
21 #include <openssl/params.h>
22 #include <openssl/err.h>
23 #include <openssl/proverr.h>
24 #include "crypto/rsa.h"
25 #include "prov/provider_ctx.h"
26 #include "prov/providercommon.h"
27 #include "prov/implementations.h"
28 #include "prov/securitycheck.h"
29
30 static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
31 static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;
32 static OSSL_FUNC_kem_encapsulate_fn rsakem_generate;
33 static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init;
34 static OSSL_FUNC_kem_decapsulate_fn rsakem_recover;
35 static OSSL_FUNC_kem_freectx_fn rsakem_freectx;
36 static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx;
37 static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params;
38 static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params;
39 static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params;
40 static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params;
41
42 /*
43 * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented
44 * currently.
45 */
46 #define KEM_OP_UNDEFINED -1
47 #define KEM_OP_RSASVE 0
48
49 /*
50 * What's passed as an actual key is defined by the KEYMGMT interface.
51 * We happen to know that our KEYMGMT simply passes RSA structures, so
52 * we use that here too.
53 */
54 typedef struct {
55 OSSL_LIB_CTX *libctx;
56 RSA *rsa;
57 int op;
58 OSSL_FIPS_IND_DECLARE
59 } PROV_RSA_CTX;
60
61 static const OSSL_ITEM rsakem_opname_id_map[] = {
62 { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE },
63 };
64
name2id(const char * name,const OSSL_ITEM * map,size_t sz)65 static int name2id(const char *name, const OSSL_ITEM *map, size_t sz)
66 {
67 size_t i;
68
69 if (name == NULL)
70 return -1;
71
72 for (i = 0; i < sz; ++i) {
73 if (OPENSSL_strcasecmp(map[i].ptr, name) == 0)
74 return map[i].id;
75 }
76 return -1;
77 }
78
rsakem_opname2id(const char * name)79 static int rsakem_opname2id(const char *name)
80 {
81 return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map));
82 }
83
rsakem_newctx(void * provctx)84 static void *rsakem_newctx(void *provctx)
85 {
86 PROV_RSA_CTX *prsactx;
87
88 if (!ossl_prov_is_running())
89 return NULL;
90
91 prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX));
92 if (prsactx == NULL)
93 return NULL;
94 prsactx->libctx = PROV_LIBCTX_OF(provctx);
95 prsactx->op = KEM_OP_UNDEFINED;
96 OSSL_FIPS_IND_INIT(prsactx)
97
98 return prsactx;
99 }
100
rsakem_freectx(void * vprsactx)101 static void rsakem_freectx(void *vprsactx)
102 {
103 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
104
105 RSA_free(prsactx->rsa);
106 OPENSSL_free(prsactx);
107 }
108
rsakem_dupctx(void * vprsactx)109 static void *rsakem_dupctx(void *vprsactx)
110 {
111 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
112 PROV_RSA_CTX *dstctx;
113
114 if (!ossl_prov_is_running())
115 return NULL;
116
117 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
118 if (dstctx == NULL)
119 return NULL;
120
121 *dstctx = *srcctx;
122 if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) {
123 OPENSSL_free(dstctx);
124 return NULL;
125 }
126 return dstctx;
127 }
128
rsakem_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[],int operation,const char * desc)129 static int rsakem_init(void *vprsactx, void *vrsa,
130 const OSSL_PARAM params[], int operation,
131 const char *desc)
132 {
133 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
134 int protect = 0;
135
136 if (!ossl_prov_is_running())
137 return 0;
138
139 if (prsactx == NULL || vrsa == NULL)
140 return 0;
141
142 if (!ossl_rsa_key_op_get_protect(vrsa, operation, &protect))
143 return 0;
144 if (!RSA_up_ref(vrsa))
145 return 0;
146 RSA_free(prsactx->rsa);
147 prsactx->rsa = vrsa;
148
149 OSSL_FIPS_IND_SET_APPROVED(prsactx)
150 if (!rsakem_set_ctx_params(prsactx, params))
151 return 0;
152 #ifdef FIPS_MODULE
153 if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),
154 OSSL_FIPS_IND_SETTABLE0, prsactx->libctx,
155 prsactx->rsa, desc, protect))
156 return 0;
157 #endif
158 return 1;
159 }
160
rsakem_encapsulate_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])161 static int rsakem_encapsulate_init(void *vprsactx, void *vrsa,
162 const OSSL_PARAM params[])
163 {
164 return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE,
165 "RSA Encapsulate Init");
166 }
167
rsakem_decapsulate_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])168 static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
169 const OSSL_PARAM params[])
170 {
171 return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE,
172 "RSA Decapsulate Init");
173 }
174
rsakem_get_ctx_params(void * vprsactx,OSSL_PARAM * params)175 static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
176 {
177 PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
178
179 if (ctx == NULL)
180 return 0;
181
182 if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))
183 return 0;
184 return 1;
185 }
186
187 static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
188 OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
189 OSSL_PARAM_END
190 };
191
rsakem_gettable_ctx_params(ossl_unused void * vprsactx,ossl_unused void * provctx)192 static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *vprsactx,
193 ossl_unused void *provctx)
194 {
195 return known_gettable_rsakem_ctx_params;
196 }
197
rsakem_set_ctx_params(void * vprsactx,const OSSL_PARAM params[])198 static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
199 {
200 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
201 const OSSL_PARAM *p;
202 int op;
203
204 if (prsactx == NULL)
205 return 0;
206 if (ossl_param_is_empty(params))
207 return 1;
208
209 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
210 OSSL_KEM_PARAM_FIPS_KEY_CHECK))
211 return 0;
212 p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);
213 if (p != NULL) {
214 if (p->data_type != OSSL_PARAM_UTF8_STRING)
215 return 0;
216 op = rsakem_opname2id(p->data);
217 if (op < 0)
218 return 0;
219 prsactx->op = op;
220 }
221 return 1;
222 }
223
224 static const OSSL_PARAM known_settable_rsakem_ctx_params[] = {
225 OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),
226 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KEM_PARAM_FIPS_KEY_CHECK)
227 OSSL_PARAM_END
228 };
229
rsakem_settable_ctx_params(ossl_unused void * vprsactx,ossl_unused void * provctx)230 static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *vprsactx,
231 ossl_unused void *provctx)
232 {
233 return known_settable_rsakem_ctx_params;
234 }
235
236 /*
237 * NIST.SP.800-56Br2
238 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
239 *
240 * Generate a random in the range 1 < z < (n – 1)
241 */
rsasve_gen_rand_bytes(RSA * rsa_pub,unsigned char * out,int outlen)242 static int rsasve_gen_rand_bytes(RSA *rsa_pub,
243 unsigned char *out, int outlen)
244 {
245 int ret = 0;
246 BN_CTX *bnctx;
247 BIGNUM *z, *nminus3;
248
249 bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub));
250 if (bnctx == NULL)
251 return 0;
252
253 /*
254 * Generate a random in the range 1 < z < (n – 1).
255 * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max
256 * We can achieve this by adding 2.. but then we need to subtract 3 from
257 * the upper bound i.e: 2 + (0 <= r < (n - 3))
258 */
259 BN_CTX_start(bnctx);
260 nminus3 = BN_CTX_get(bnctx);
261 z = BN_CTX_get(bnctx);
262 ret = (z != NULL
263 && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL)
264 && BN_sub_word(nminus3, 3)
265 && BN_priv_rand_range_ex(z, nminus3, 0, bnctx)
266 && BN_add_word(z, 2)
267 && (BN_bn2binpad(z, out, outlen) == outlen));
268 BN_CTX_end(bnctx);
269 BN_CTX_free(bnctx);
270 return ret;
271 }
272
273 /*
274 * NIST.SP.800-56Br2
275 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
276 */
rsasve_generate(PROV_RSA_CTX * prsactx,unsigned char * out,size_t * outlen,unsigned char * secret,size_t * secretlen)277 static int rsasve_generate(PROV_RSA_CTX *prsactx,
278 unsigned char *out, size_t *outlen,
279 unsigned char *secret, size_t *secretlen)
280 {
281 int ret;
282 size_t nlen;
283
284 /* Step (1): nlen = Ceil(len(n)/8) */
285 nlen = RSA_size(prsactx->rsa);
286
287 if (out == NULL) {
288 if (nlen == 0) {
289 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
290 return 0;
291 }
292 if (outlen == NULL && secretlen == NULL)
293 return 0;
294 if (outlen != NULL)
295 *outlen = nlen;
296 if (secretlen != NULL)
297 *secretlen = nlen;
298 return 1;
299 }
300
301 /*
302 * If outlen is specified, then it must report the length
303 * of the out buffer on input so that we can confirm
304 * its size is sufficent for encapsulation
305 */
306 if (outlen != NULL && *outlen < nlen) {
307 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
308 return 0;
309 }
310
311 /*
312 * Step (2): Generate a random byte string z of nlen bytes where
313 * 1 < z < n - 1
314 */
315 if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen))
316 return 0;
317
318 /* Step(3): out = RSAEP((n,e), z) */
319 ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
320 if (ret) {
321 ret = 1;
322 if (outlen != NULL)
323 *outlen = nlen;
324 if (secretlen != NULL)
325 *secretlen = nlen;
326 } else {
327 OPENSSL_cleanse(secret, nlen);
328 }
329 return ret;
330 }
331
332 /**
333 * rsasve_recover - Recovers a secret value from ciphertext using an RSA
334 * private key. Once, recovered, the secret value is considered to be a
335 * shared secret. Algorithm is preformed as per
336 * NIST SP 800-56B Rev 2
337 * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
338 *
339 * This function performs RSA decryption using the private key from the
340 * provided RSA context (`prsactx`). It takes the input ciphertext, decrypts
341 * it, and writes the decrypted message to the output buffer.
342 *
343 * @prsactx: The RSA context containing the private key.
344 * @out: The output buffer to store the decrypted message.
345 * @outlen: On input, the size of the output buffer. On successful
346 * completion, the actual length of the decrypted message.
347 * @in: The input buffer containing the ciphertext to be decrypted.
348 * @inlen: The length of the input ciphertext in bytes.
349 *
350 * Returns 1 on success, or 0 on error. In case of error, appropriate
351 * error messages are raised using the ERR_raise function.
352 */
rsasve_recover(PROV_RSA_CTX * prsactx,unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen)353 static int rsasve_recover(PROV_RSA_CTX *prsactx,
354 unsigned char *out, size_t *outlen,
355 const unsigned char *in, size_t inlen)
356 {
357 size_t nlen;
358 int ret;
359
360 /* Step (1): get the byte length of n */
361 nlen = RSA_size(prsactx->rsa);
362
363 if (out == NULL) {
364 if (nlen == 0) {
365 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
366 return 0;
367 }
368 *outlen = nlen;
369 return 1;
370 }
371
372 /*
373 * Step (2): check the input ciphertext 'inlen' matches the nlen
374 * and that outlen is at least nlen bytes
375 */
376 if (inlen != nlen) {
377 ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
378 return 0;
379 }
380
381 /*
382 * If outlen is specified, then it must report the length
383 * of the out buffer, so that we can confirm that it is of
384 * sufficient size to hold the output of decapsulation
385 */
386 if (outlen != NULL && *outlen < nlen) {
387 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
388 return 0;
389 }
390
391 /* Step (3): out = RSADP((n,d), in) */
392 ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING);
393 if (ret > 0 && outlen != NULL)
394 *outlen = ret;
395 return ret > 0;
396 }
397
rsakem_generate(void * vprsactx,unsigned char * out,size_t * outlen,unsigned char * secret,size_t * secretlen)398 static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen,
399 unsigned char *secret, size_t *secretlen)
400 {
401 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
402
403 if (!ossl_prov_is_running())
404 return 0;
405
406 switch (prsactx->op) {
407 case KEM_OP_RSASVE:
408 return rsasve_generate(prsactx, out, outlen, secret, secretlen);
409 default:
410 return -2;
411 }
412 }
413
rsakem_recover(void * vprsactx,unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen)414 static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen,
415 const unsigned char *in, size_t inlen)
416 {
417 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
418
419 if (!ossl_prov_is_running())
420 return 0;
421
422 switch (prsactx->op) {
423 case KEM_OP_RSASVE:
424 return rsasve_recover(prsactx, out, outlen, in, inlen);
425 default:
426 return -2;
427 }
428 }
429
430 const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = {
431 { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx },
432 { OSSL_FUNC_KEM_ENCAPSULATE_INIT,
433 (void (*)(void))rsakem_encapsulate_init },
434 { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate },
435 { OSSL_FUNC_KEM_DECAPSULATE_INIT,
436 (void (*)(void))rsakem_decapsulate_init },
437 { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover },
438 { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx },
439 { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx },
440 { OSSL_FUNC_KEM_GET_CTX_PARAMS,
441 (void (*)(void))rsakem_get_ctx_params },
442 { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS,
443 (void (*)(void))rsakem_gettable_ctx_params },
444 { OSSL_FUNC_KEM_SET_CTX_PARAMS,
445 (void (*)(void))rsakem_set_ctx_params },
446 { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,
447 (void (*)(void))rsakem_settable_ctx_params },
448 OSSL_DISPATCH_END
449 };
450
