1 /*
2 * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15 #include "internal/nelem.h"
16 #include <openssl/crypto.h>
17 #include <openssl/evp.h>
18 #include <openssl/core_dispatch.h>
19 #include <openssl/core_names.h>
20 #include <openssl/rsa.h>
21 #include <openssl/params.h>
22 #include <openssl/err.h>
23 #include <openssl/proverr.h>
24 #include "crypto/rsa.h"
25 #include "prov/provider_ctx.h"
26 #include "prov/implementations.h"
27 #include "prov/securitycheck.h"
28
29 static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
30 static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;
31 static OSSL_FUNC_kem_encapsulate_fn rsakem_generate;
32 static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init;
33 static OSSL_FUNC_kem_decapsulate_fn rsakem_recover;
34 static OSSL_FUNC_kem_freectx_fn rsakem_freectx;
35 static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx;
36 static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params;
37 static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params;
38 static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params;
39 static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params;
40
41 /*
42 * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented
43 * currently.
44 */
45 #define KEM_OP_UNDEFINED -1
46 #define KEM_OP_RSASVE 0
47
48 /*
49 * What's passed as an actual key is defined by the KEYMGMT interface.
50 * We happen to know that our KEYMGMT simply passes RSA structures, so
51 * we use that here too.
52 */
53 typedef struct {
54 OSSL_LIB_CTX *libctx;
55 RSA *rsa;
56 int op;
57 OSSL_FIPS_IND_DECLARE
58 } PROV_RSA_CTX;
59
60 static const OSSL_ITEM rsakem_opname_id_map[] = {
61 { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE },
62 };
63
name2id(const char * name,const OSSL_ITEM * map,size_t sz)64 static int name2id(const char *name, const OSSL_ITEM *map, size_t sz)
65 {
66 size_t i;
67
68 if (name == NULL)
69 return -1;
70
71 for (i = 0; i < sz; ++i) {
72 if (OPENSSL_strcasecmp(map[i].ptr, name) == 0)
73 return map[i].id;
74 }
75 return -1;
76 }
77
rsakem_opname2id(const char * name)78 static int rsakem_opname2id(const char *name)
79 {
80 return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map));
81 }
82
rsakem_newctx(void * provctx)83 static void *rsakem_newctx(void *provctx)
84 {
85 PROV_RSA_CTX *prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX));
86
87 if (prsactx == NULL)
88 return NULL;
89 prsactx->libctx = PROV_LIBCTX_OF(provctx);
90 prsactx->op = KEM_OP_UNDEFINED;
91 OSSL_FIPS_IND_INIT(prsactx)
92
93 return prsactx;
94 }
95
rsakem_freectx(void * vprsactx)96 static void rsakem_freectx(void *vprsactx)
97 {
98 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
99
100 RSA_free(prsactx->rsa);
101 OPENSSL_free(prsactx);
102 }
103
rsakem_dupctx(void * vprsactx)104 static void *rsakem_dupctx(void *vprsactx)
105 {
106 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
107 PROV_RSA_CTX *dstctx;
108
109 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
110 if (dstctx == NULL)
111 return NULL;
112
113 *dstctx = *srcctx;
114 if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) {
115 OPENSSL_free(dstctx);
116 return NULL;
117 }
118 return dstctx;
119 }
120
rsakem_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[],int operation,const char * desc)121 static int rsakem_init(void *vprsactx, void *vrsa,
122 const OSSL_PARAM params[], int operation,
123 const char *desc)
124 {
125 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
126 int protect = 0;
127
128 if (prsactx == NULL || vrsa == NULL)
129 return 0;
130
131 if (!ossl_rsa_key_op_get_protect(vrsa, operation, &protect))
132 return 0;
133 if (!RSA_up_ref(vrsa))
134 return 0;
135 RSA_free(prsactx->rsa);
136 prsactx->rsa = vrsa;
137
138 OSSL_FIPS_IND_SET_APPROVED(prsactx)
139 if (!rsakem_set_ctx_params(prsactx, params))
140 return 0;
141 #ifdef FIPS_MODULE
142 if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),
143 OSSL_FIPS_IND_SETTABLE0, prsactx->libctx,
144 prsactx->rsa, desc, protect))
145 return 0;
146 #endif
147 return 1;
148 }
149
rsakem_encapsulate_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])150 static int rsakem_encapsulate_init(void *vprsactx, void *vrsa,
151 const OSSL_PARAM params[])
152 {
153 return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE,
154 "RSA Encapsulate Init");
155 }
156
rsakem_decapsulate_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])157 static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
158 const OSSL_PARAM params[])
159 {
160 return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE,
161 "RSA Decapsulate Init");
162 }
163
rsakem_get_ctx_params(void * vprsactx,OSSL_PARAM * params)164 static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
165 {
166 PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
167
168 if (ctx == NULL)
169 return 0;
170
171 if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))
172 return 0;
173 return 1;
174 }
175
176 static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
177 OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
178 OSSL_PARAM_END
179 };
180
rsakem_gettable_ctx_params(ossl_unused void * vprsactx,ossl_unused void * provctx)181 static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *vprsactx,
182 ossl_unused void *provctx)
183 {
184 return known_gettable_rsakem_ctx_params;
185 }
186
rsakem_set_ctx_params(void * vprsactx,const OSSL_PARAM params[])187 static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
188 {
189 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
190 const OSSL_PARAM *p;
191 int op;
192
193 if (prsactx == NULL)
194 return 0;
195 if (params == NULL)
196 return 1;
197
198 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
199 OSSL_KEM_PARAM_FIPS_KEY_CHECK))
200 return 0;
201 p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);
202 if (p != NULL) {
203 if (p->data_type != OSSL_PARAM_UTF8_STRING)
204 return 0;
205 op = rsakem_opname2id(p->data);
206 if (op < 0)
207 return 0;
208 prsactx->op = op;
209 }
210 return 1;
211 }
212
213 static const OSSL_PARAM known_settable_rsakem_ctx_params[] = {
214 OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),
215 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KEM_PARAM_FIPS_KEY_CHECK)
216 OSSL_PARAM_END
217 };
218
rsakem_settable_ctx_params(ossl_unused void * vprsactx,ossl_unused void * provctx)219 static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *vprsactx,
220 ossl_unused void *provctx)
221 {
222 return known_settable_rsakem_ctx_params;
223 }
224
225 /*
226 * NIST.SP.800-56Br2
227 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
228 *
229 * Generate a random in the range 1 < z < (n – 1)
230 */
rsasve_gen_rand_bytes(RSA * rsa_pub,unsigned char * out,int outlen)231 static int rsasve_gen_rand_bytes(RSA *rsa_pub,
232 unsigned char *out, int outlen)
233 {
234 int ret = 0;
235 BN_CTX *bnctx;
236 BIGNUM *z, *nminus3;
237
238 bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub));
239 if (bnctx == NULL)
240 return 0;
241
242 /*
243 * Generate a random in the range 1 < z < (n – 1).
244 * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max
245 * We can achieve this by adding 2.. but then we need to subtract 3 from
246 * the upper bound i.e: 2 + (0 <= r < (n - 3))
247 */
248 BN_CTX_start(bnctx);
249 nminus3 = BN_CTX_get(bnctx);
250 z = BN_CTX_get(bnctx);
251 ret = (z != NULL
252 && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL)
253 && BN_sub_word(nminus3, 3)
254 && BN_priv_rand_range_ex(z, nminus3, 0, bnctx)
255 && BN_add_word(z, 2)
256 && (BN_bn2binpad(z, out, outlen) == outlen));
257 BN_CTX_end(bnctx);
258 BN_CTX_free(bnctx);
259 return ret;
260 }
261
262 /*
263 * NIST.SP.800-56Br2
264 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
265 */
rsasve_generate(PROV_RSA_CTX * prsactx,unsigned char * out,size_t * outlen,unsigned char * secret,size_t * secretlen)266 static int rsasve_generate(PROV_RSA_CTX *prsactx,
267 unsigned char *out, size_t *outlen,
268 unsigned char *secret, size_t *secretlen)
269 {
270 int ret;
271 size_t nlen;
272
273 /* Step (1): nlen = Ceil(len(n)/8) */
274 nlen = RSA_size(prsactx->rsa);
275
276 if (out == NULL) {
277 if (nlen == 0) {
278 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
279 return 0;
280 }
281 if (outlen == NULL && secretlen == NULL)
282 return 0;
283 if (outlen != NULL)
284 *outlen = nlen;
285 if (secretlen != NULL)
286 *secretlen = nlen;
287 return 1;
288 }
289 /*
290 * Step (2): Generate a random byte string z of nlen bytes where
291 * 1 < z < n - 1
292 */
293 if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen))
294 return 0;
295
296 /* Step(3): out = RSAEP((n,e), z) */
297 ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
298 if (ret) {
299 ret = 1;
300 if (outlen != NULL)
301 *outlen = nlen;
302 if (secretlen != NULL)
303 *secretlen = nlen;
304 } else {
305 OPENSSL_cleanse(secret, nlen);
306 }
307 return ret;
308 }
309
310 /*
311 * NIST.SP.800-56Br2
312 * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
313 */
rsasve_recover(PROV_RSA_CTX * prsactx,unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen)314 static int rsasve_recover(PROV_RSA_CTX *prsactx,
315 unsigned char *out, size_t *outlen,
316 const unsigned char *in, size_t inlen)
317 {
318 size_t nlen;
319
320 /* Step (1): get the byte length of n */
321 nlen = RSA_size(prsactx->rsa);
322
323 if (out == NULL) {
324 if (nlen == 0) {
325 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
326 return 0;
327 }
328 *outlen = nlen;
329 return 1;
330 }
331
332 /* Step (2): check the input ciphertext 'inlen' matches the nlen */
333 if (inlen != nlen) {
334 ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
335 return 0;
336 }
337 /* Step (3): out = RSADP((n,d), in) */
338 return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0);
339 }
340
rsakem_generate(void * vprsactx,unsigned char * out,size_t * outlen,unsigned char * secret,size_t * secretlen)341 static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen,
342 unsigned char *secret, size_t *secretlen)
343 {
344 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
345
346 switch (prsactx->op) {
347 case KEM_OP_RSASVE:
348 return rsasve_generate(prsactx, out, outlen, secret, secretlen);
349 default:
350 return -2;
351 }
352 }
353
rsakem_recover(void * vprsactx,unsigned char * out,size_t * outlen,const unsigned char * in,size_t inlen)354 static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen,
355 const unsigned char *in, size_t inlen)
356 {
357 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
358
359 switch (prsactx->op) {
360 case KEM_OP_RSASVE:
361 return rsasve_recover(prsactx, out, outlen, in, inlen);
362 default:
363 return -2;
364 }
365 }
366
367 const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = {
368 { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx },
369 { OSSL_FUNC_KEM_ENCAPSULATE_INIT,
370 (void (*)(void))rsakem_encapsulate_init },
371 { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate },
372 { OSSL_FUNC_KEM_DECAPSULATE_INIT,
373 (void (*)(void))rsakem_decapsulate_init },
374 { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover },
375 { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx },
376 { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx },
377 { OSSL_FUNC_KEM_GET_CTX_PARAMS,
378 (void (*)(void))rsakem_get_ctx_params },
379 { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS,
380 (void (*)(void))rsakem_gettable_ctx_params },
381 { OSSL_FUNC_KEM_SET_CTX_PARAMS,
382 (void (*)(void))rsakem_set_ctx_params },
383 { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,
384 (void (*)(void))rsakem_settable_ctx_params },
385 OSSL_DISPATCH_END
386 };
387