a2f2bc3a40
I messed up a few of these. ASN1_R_UNSUPPORTED_ALGORITHM doesn't exist. X509_R_UNSUPPORTED_ALGORITHM does exist as part of X509_PUBKEY_set, but the SPKI parser doesn't emit this. (I don't mind the legacy code having really weird errors, but since EVP is now limited to things we like, let's try to keep that clean.) To avoid churn in Conscrypt, we'll keep defining X509_R_UNSUPPORTED_ALGORITHM, but not actually do anything with it anymore. Conscrypt was already aware of EVP_R_UNSUPPORTED_ALGORITHM, so this should be fine. (I don't expect EVP_R_UNSUPPORTED_ALGORITHM to go away. The SPKI parsers we like live in EVP now.) A few other ASN1_R_* values didn't quite match upstream, so make those match again. Finally, I got some of the rsa_pss.c values wrong. Each of those corresponds to an (overly specific) RSA_R_* value in upstream. However, those were gone in BoringSSL since even the initial commit. We placed the RSA <-> EVP glue in crypto/evp (so crypto/rsa wouldn't depend on crypto/evp) while upstream placed them in crypto/rsa. Since no one seemed to notice the loss of RSA_R_INVALID_SALT_LENGTH, let's undo all the cross-module errors inserted in crypto/rsa. Instead, since that kind of specificity is not useful, funnel it all into X509_R_INVALID_PSS_PARAMETERS (formerly EVP_R_INVALID_PSS_PARAMETERS, formerly RSA_R_INVALID_PSS_PARAMETERS). Reset the error codes for all affected modules. (That our error code story means error codes are not stable across this kind of refactoring is kind of a problem. Hopefully this will be the last of it.) Change-Id: Ibfb3a0ac340bfc777bc7de6980ef3ddf0a8c84bc Reviewed-on: https://boringssl-review.googlesource.com/7458 Reviewed-by: Emily Stark (Dunn) <estark@google.com> Reviewed-by: David Benjamin <davidben@google.com>
386 lines
11 KiB
C
386 lines
11 KiB
C
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
|
* project 2006.
|
|
*/
|
|
/* ====================================================================
|
|
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in
|
|
* the documentation and/or other materials provided with the
|
|
* distribution.
|
|
*
|
|
* 3. All advertising materials mentioning features or use of this
|
|
* software must display the following acknowledgment:
|
|
* "This product includes software developed by the OpenSSL Project
|
|
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
|
*
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
* endorse or promote products derived from this software without
|
|
* prior written permission. For written permission, please contact
|
|
* licensing@OpenSSL.org.
|
|
*
|
|
* 5. Products derived from this software may not be called "OpenSSL"
|
|
* nor may "OpenSSL" appear in their names without prior written
|
|
* permission of the OpenSSL Project.
|
|
*
|
|
* 6. Redistributions of any form whatsoever must retain the following
|
|
* acknowledgment:
|
|
* "This product includes software developed by the OpenSSL Project
|
|
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
* ====================================================================
|
|
*
|
|
* This product includes cryptographic software written by Eric Young
|
|
* (eay@cryptsoft.com). This product includes software written by Tim
|
|
* Hudson (tjh@cryptsoft.com). */
|
|
|
|
#include <openssl/x509.h>
|
|
|
|
#include <assert.h>
|
|
|
|
#include <openssl/asn1.h>
|
|
#include <openssl/asn1t.h>
|
|
#include <openssl/bio.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/obj.h>
|
|
|
|
#include "internal.h"
|
|
|
|
|
|
ASN1_SEQUENCE(RSA_PSS_PARAMS) = {
|
|
ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR,0),
|
|
ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR,1),
|
|
ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER,2),
|
|
ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER,3),
|
|
} ASN1_SEQUENCE_END(RSA_PSS_PARAMS);
|
|
|
|
IMPLEMENT_ASN1_FUNCTIONS(RSA_PSS_PARAMS);
|
|
|
|
|
|
/* Given an MGF1 Algorithm ID decode to an Algorithm Identifier */
|
|
static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg) {
|
|
if (alg == NULL || alg->parameter == NULL ||
|
|
OBJ_obj2nid(alg->algorithm) != NID_mgf1 ||
|
|
alg->parameter->type != V_ASN1_SEQUENCE) {
|
|
return NULL;
|
|
}
|
|
|
|
const uint8_t *p = alg->parameter->value.sequence->data;
|
|
int plen = alg->parameter->value.sequence->length;
|
|
return d2i_X509_ALGOR(NULL, &p, plen);
|
|
}
|
|
|
|
static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
|
|
X509_ALGOR **pmaskHash) {
|
|
*pmaskHash = NULL;
|
|
|
|
if (alg->parameter == NULL || alg->parameter->type != V_ASN1_SEQUENCE) {
|
|
return NULL;
|
|
}
|
|
|
|
const uint8_t *p = alg->parameter->value.sequence->data;
|
|
int plen = alg->parameter->value.sequence->length;
|
|
RSA_PSS_PARAMS *pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
|
|
if (pss == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
*pmaskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
|
|
return pss;
|
|
}
|
|
|
|
/* allocate and set algorithm ID from EVP_MD, default SHA1 */
|
|
static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) {
|
|
if (EVP_MD_type(md) == NID_sha1) {
|
|
return 1;
|
|
}
|
|
*palg = X509_ALGOR_new();
|
|
if (*palg == NULL) {
|
|
return 0;
|
|
}
|
|
X509_ALGOR_set_md(*palg, md);
|
|
return 1;
|
|
}
|
|
|
|
/* Allocate and set MGF1 algorithm ID from EVP_MD */
|
|
static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) {
|
|
X509_ALGOR *algtmp = NULL;
|
|
ASN1_STRING *stmp = NULL;
|
|
*palg = NULL;
|
|
|
|
if (EVP_MD_type(mgf1md) == NID_sha1) {
|
|
return 1;
|
|
}
|
|
/* need to embed algorithm ID inside another */
|
|
if (!rsa_md_to_algor(&algtmp, mgf1md) ||
|
|
!ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp)) {
|
|
goto err;
|
|
}
|
|
*palg = X509_ALGOR_new();
|
|
if (!*palg) {
|
|
goto err;
|
|
}
|
|
X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
|
|
stmp = NULL;
|
|
|
|
err:
|
|
ASN1_STRING_free(stmp);
|
|
X509_ALGOR_free(algtmp);
|
|
if (*palg) {
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* convert algorithm ID to EVP_MD, default SHA1 */
|
|
static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg) {
|
|
const EVP_MD *md;
|
|
if (!alg) {
|
|
return EVP_sha1();
|
|
}
|
|
md = EVP_get_digestbyobj(alg->algorithm);
|
|
if (md == NULL) {
|
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
|
|
}
|
|
return md;
|
|
}
|
|
|
|
/* convert MGF1 algorithm ID to EVP_MD, default SHA1 */
|
|
static const EVP_MD *rsa_mgf1_to_md(X509_ALGOR *alg, X509_ALGOR *maskHash) {
|
|
const EVP_MD *md;
|
|
if (!alg) {
|
|
return EVP_sha1();
|
|
}
|
|
/* Check mask and lookup mask hash algorithm */
|
|
if (OBJ_obj2nid(alg->algorithm) != NID_mgf1 ||
|
|
maskHash == NULL) {
|
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
|
|
return NULL;
|
|
}
|
|
md = EVP_get_digestbyobj(maskHash->algorithm);
|
|
if (md == NULL) {
|
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
|
|
return NULL;
|
|
}
|
|
return md;
|
|
}
|
|
|
|
int x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor) {
|
|
const EVP_MD *sigmd, *mgf1md;
|
|
int saltlen;
|
|
if (!EVP_PKEY_CTX_get_signature_md(ctx->pctx, &sigmd) ||
|
|
!EVP_PKEY_CTX_get_rsa_mgf1_md(ctx->pctx, &mgf1md) ||
|
|
!EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx->pctx, &saltlen)) {
|
|
return 0;
|
|
}
|
|
|
|
EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(ctx->pctx);
|
|
if (saltlen == -1) {
|
|
saltlen = EVP_MD_size(sigmd);
|
|
} else if (saltlen == -2) {
|
|
saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
|
|
if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0) {
|
|
saltlen--;
|
|
}
|
|
} else {
|
|
return 0;
|
|
}
|
|
|
|
int ret = 0;
|
|
ASN1_STRING *os = NULL;
|
|
RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();
|
|
if (!pss) {
|
|
goto err;
|
|
}
|
|
|
|
if (saltlen != 20) {
|
|
pss->saltLength = ASN1_INTEGER_new();
|
|
if (!pss->saltLength ||
|
|
!ASN1_INTEGER_set(pss->saltLength, saltlen)) {
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd) ||
|
|
!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) {
|
|
goto err;
|
|
}
|
|
|
|
/* Finally create string with pss parameter encoding. */
|
|
if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os)) {
|
|
goto err;
|
|
}
|
|
|
|
X509_ALGOR_set0(algor, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);
|
|
os = NULL;
|
|
ret = 1;
|
|
|
|
err:
|
|
RSA_PSS_PARAMS_free(pss);
|
|
ASN1_STRING_free(os);
|
|
return ret;
|
|
}
|
|
|
|
int x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, X509_ALGOR *sigalg, EVP_PKEY *pkey) {
|
|
assert(OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss);
|
|
|
|
/* Decode PSS parameters */
|
|
int ret = 0;
|
|
X509_ALGOR *maskHash;
|
|
RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg, &maskHash);
|
|
if (pss == NULL) {
|
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
|
|
goto err;
|
|
}
|
|
|
|
const EVP_MD *mgf1md = rsa_mgf1_to_md(pss->maskGenAlgorithm, maskHash);
|
|
const EVP_MD *md = rsa_algor_to_md(pss->hashAlgorithm);
|
|
if (mgf1md == NULL || md == NULL) {
|
|
goto err;
|
|
}
|
|
|
|
int saltlen = 20;
|
|
if (pss->saltLength != NULL) {
|
|
saltlen = ASN1_INTEGER_get(pss->saltLength);
|
|
|
|
/* Could perform more salt length sanity checks but the main
|
|
* RSA routines will trap other invalid values anyway. */
|
|
if (saltlen < 0) {
|
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
/* low-level routines support only trailer field 0xbc (value 1)
|
|
* and PKCS#1 says we should reject any other value anyway. */
|
|
if (pss->trailerField != NULL && ASN1_INTEGER_get(pss->trailerField) != 1) {
|
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
|
|
goto err;
|
|
}
|
|
|
|
EVP_PKEY_CTX *pkctx;
|
|
if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey) ||
|
|
!EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) ||
|
|
!EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) ||
|
|
!EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md)) {
|
|
goto err;
|
|
}
|
|
|
|
ret = 1;
|
|
|
|
err:
|
|
RSA_PSS_PARAMS_free(pss);
|
|
X509_ALGOR_free(maskHash);
|
|
return ret;
|
|
}
|
|
|
|
int x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, int indent,
|
|
ASN1_PCTX *pctx) {
|
|
assert(OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss);
|
|
|
|
int rv = 0;
|
|
X509_ALGOR *maskHash;
|
|
RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg, &maskHash);
|
|
if (!pss) {
|
|
if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0) {
|
|
goto err;
|
|
}
|
|
rv = 1;
|
|
goto err;
|
|
}
|
|
|
|
if (BIO_puts(bp, "\n") <= 0 ||
|
|
!BIO_indent(bp, indent, 128) ||
|
|
BIO_puts(bp, "Hash Algorithm: ") <= 0) {
|
|
goto err;
|
|
}
|
|
|
|
if (pss->hashAlgorithm) {
|
|
if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) {
|
|
goto err;
|
|
}
|
|
} else if (BIO_puts(bp, "sha1 (default)") <= 0) {
|
|
goto err;
|
|
}
|
|
|
|
if (BIO_puts(bp, "\n") <= 0 ||
|
|
!BIO_indent(bp, indent, 128) ||
|
|
BIO_puts(bp, "Mask Algorithm: ") <= 0) {
|
|
goto err;
|
|
}
|
|
|
|
if (pss->maskGenAlgorithm) {
|
|
if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0 ||
|
|
BIO_puts(bp, " with ") <= 0) {
|
|
goto err;
|
|
}
|
|
|
|
if (maskHash) {
|
|
if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) {
|
|
goto err;
|
|
}
|
|
} else if (BIO_puts(bp, "INVALID") <= 0) {
|
|
goto err;
|
|
}
|
|
} else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
|
|
goto err;
|
|
}
|
|
BIO_puts(bp, "\n");
|
|
|
|
if (!BIO_indent(bp, indent, 128) ||
|
|
BIO_puts(bp, "Salt Length: 0x") <= 0) {
|
|
goto err;
|
|
}
|
|
|
|
if (pss->saltLength) {
|
|
if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) {
|
|
goto err;
|
|
}
|
|
} else if (BIO_puts(bp, "14 (default)") <= 0) {
|
|
goto err;
|
|
}
|
|
BIO_puts(bp, "\n");
|
|
|
|
if (!BIO_indent(bp, indent, 128) ||
|
|
BIO_puts(bp, "Trailer Field: 0x") <= 0) {
|
|
goto err;
|
|
}
|
|
|
|
if (pss->trailerField) {
|
|
if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) {
|
|
goto err;
|
|
}
|
|
} else if (BIO_puts(bp, "BC (default)") <= 0) {
|
|
goto err;
|
|
}
|
|
BIO_puts(bp, "\n");
|
|
|
|
rv = 1;
|
|
|
|
err:
|
|
RSA_PSS_PARAMS_free(pss);
|
|
X509_ALGOR_free(maskHash);
|
|
return rv;
|
|
}
|