Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssl/providers/implementations/kem/rsa_kem.c
48383 views
1
/*

2
 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.

3
 *

4
 * Licensed under the Apache License 2.0 (the "License").  You may not use

5
 * this file except in compliance with the License.  You can obtain a copy

6
 * in the file LICENSE in the source distribution or at

7
 * https://www.openssl.org/source/license.html

8
 */

9


10
/*

11
 * RSA low level APIs are deprecated for public use, but still ok for

12
 * internal use.

13
 */

14
#include "internal/deprecated.h"

15
#include "internal/nelem.h"

16
#include <openssl/crypto.h>

17
#include <openssl/evp.h>

18
#include <openssl/core_dispatch.h>

19
#include <openssl/core_names.h>

20
#include <openssl/rsa.h>

21
#include <openssl/params.h>

22
#include <openssl/err.h>

23
#include <openssl/proverr.h>

24
#include "crypto/rsa.h"

25
#include "prov/provider_ctx.h"

26
#include "prov/providercommon.h"

27
#include "prov/implementations.h"

28
#include "prov/securitycheck.h"

29


30
static OSSL_FUNC_kem_newctx_fn rsakem_newctx;

31
static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;

32
static OSSL_FUNC_kem_encapsulate_fn rsakem_generate;

33
static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init;

34
static OSSL_FUNC_kem_decapsulate_fn rsakem_recover;

35
static OSSL_FUNC_kem_freectx_fn rsakem_freectx;

36
static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx;

37
static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params;

38
static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params;

39
static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params;

40
static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params;

41


42
/*

43
 * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented

44
 * currently.

45
 */

46
#define KEM_OP_UNDEFINED   -1

47
#define KEM_OP_RSASVE       0

48


49
/*

50
 * What's passed as an actual key is defined by the KEYMGMT interface.

51
 * We happen to know that our KEYMGMT simply passes RSA structures, so

52
 * we use that here too.

53
 */

54
typedef struct {

55
    OSSL_LIB_CTX *libctx;

56
    RSA *rsa;

57
    int op;

58
    OSSL_FIPS_IND_DECLARE

59
} PROV_RSA_CTX;

60


61
static const OSSL_ITEM rsakem_opname_id_map[] = {

62
    { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE },

63
};

64


65
static int name2id(const char *name, const OSSL_ITEM *map, size_t sz)

66
{

67
    size_t i;

68


69
    if (name == NULL)

70
        return -1;

71


72
    for (i = 0; i < sz; ++i) {

73
        if (OPENSSL_strcasecmp(map[i].ptr, name) == 0)

74
            return map[i].id;

75
    }

76
    return -1;

77
}

78


79
static int rsakem_opname2id(const char *name)

80
{

81
    return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map));

82
}

83


84
static void *rsakem_newctx(void *provctx)

85
{

86
    PROV_RSA_CTX *prsactx;

87


88
    if (!ossl_prov_is_running())

89
        return NULL;

90


91
    prsactx =  OPENSSL_zalloc(sizeof(PROV_RSA_CTX));

92
    if (prsactx == NULL)

93
        return NULL;

94
    prsactx->libctx = PROV_LIBCTX_OF(provctx);

95
    prsactx->op = KEM_OP_RSASVE;

96
    OSSL_FIPS_IND_INIT(prsactx)

97


98
    return prsactx;

99
}

100


101
static void rsakem_freectx(void *vprsactx)

102
{

103
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

104


105
    RSA_free(prsactx->rsa);

106
    OPENSSL_free(prsactx);

107
}

108


109
static void *rsakem_dupctx(void *vprsactx)

110
{

111
    PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;

112
    PROV_RSA_CTX *dstctx;

113


114
    if (!ossl_prov_is_running())

115
        return NULL;

116


117
    dstctx = OPENSSL_zalloc(sizeof(*srcctx));

118
    if (dstctx == NULL)

119
        return NULL;

120


121
    *dstctx = *srcctx;

122
    if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) {

123
        OPENSSL_free(dstctx);

124
        return NULL;

125
    }

126
    return dstctx;

127
}

128


129
static int rsakem_init(void *vprsactx, void *vrsa,

130
                       const OSSL_PARAM params[], int operation,

131
                       const char *desc)

132
{

133
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

134
    int protect = 0;

135


136
    if (!ossl_prov_is_running())

137
        return 0;

138


139
    if (prsactx == NULL || vrsa == NULL)

140
        return 0;

141


142
    if (!ossl_rsa_key_op_get_protect(vrsa, operation, &protect))

143
        return 0;

144
    if (!RSA_up_ref(vrsa))

145
        return 0;

146
    RSA_free(prsactx->rsa);

147
    prsactx->rsa = vrsa;

148


149
    OSSL_FIPS_IND_SET_APPROVED(prsactx)

150
    if (!rsakem_set_ctx_params(prsactx, params))

151
        return 0;

152
#ifdef FIPS_MODULE

153
    if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),

154
                                     OSSL_FIPS_IND_SETTABLE0, prsactx->libctx,

155
                                     prsactx->rsa, desc, protect))

156
        return 0;

157
#endif

158
    return 1;

159
}

160


161
static int rsakem_encapsulate_init(void *vprsactx, void *vrsa,

162
                                   const OSSL_PARAM params[])

163
{

164
    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE,

165
                       "RSA Encapsulate Init");

166
}

167


168
static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,

169
                                   const OSSL_PARAM params[])

170
{

171
    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE,

172
                       "RSA Decapsulate Init");

173
}

174


175
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)

176
{

177
    PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;

178


179
    if (ctx == NULL)

180
        return 0;

181


182
    if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))

183
        return 0;

184
    return 1;

185
}

186


187
static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {

188
    OSSL_FIPS_IND_GETTABLE_CTX_PARAM()

189
    OSSL_PARAM_END

190
};

191


192
static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *vprsactx,

193
                                                    ossl_unused void *provctx)

194
{

195
    return known_gettable_rsakem_ctx_params;

196
}

197


198
static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])

199
{

200
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

201
    const OSSL_PARAM *p;

202
    int op;

203


204
    if (prsactx == NULL)

205
        return 0;

206
    if (ossl_param_is_empty(params))

207
        return 1;

208


209
    if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,

210
                                     OSSL_KEM_PARAM_FIPS_KEY_CHECK))

211
        return  0;

212
    p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);

213
    if (p != NULL) {

214
        if (p->data_type != OSSL_PARAM_UTF8_STRING)

215
            return 0;

216
        op = rsakem_opname2id(p->data);

217
        if (op < 0)

218
            return 0;

219
        prsactx->op = op;

220
    }

221
    return 1;

222
}

223


224
static const OSSL_PARAM known_settable_rsakem_ctx_params[] = {

225
    OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),

226
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KEM_PARAM_FIPS_KEY_CHECK)

227
    OSSL_PARAM_END

228
};

229


230
static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *vprsactx,

231
                                                    ossl_unused void *provctx)

232
{

233
    return known_settable_rsakem_ctx_params;

234
}

235


236
/*

237
 * NIST.SP.800-56Br2

238
 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).

239
 *

240
 * Generate a random in the range 1 < z < (n – 1)

241
 */

242
static int rsasve_gen_rand_bytes(RSA *rsa_pub,

243
                                 unsigned char *out, int outlen)

244
{

245
    int ret = 0;

246
    BN_CTX *bnctx;

247
    BIGNUM *z, *nminus3;

248


249
    bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub));

250
    if (bnctx == NULL)

251
        return 0;

252


253
    /*

254
     * Generate a random in the range 1 < z < (n – 1).

255
     * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max

256
     * We can achieve this by adding 2.. but then we need to subtract 3 from

257
     * the upper bound i.e: 2 + (0 <= r < (n - 3))

258
     */

259
    BN_CTX_start(bnctx);

260
    nminus3 = BN_CTX_get(bnctx);

261
    z = BN_CTX_get(bnctx);

262
    ret = (z != NULL

263
           && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL)

264
           && BN_sub_word(nminus3, 3)

265
           && BN_priv_rand_range_ex(z, nminus3, 0, bnctx)

266
           && BN_add_word(z, 2)

267
           && (BN_bn2binpad(z, out, outlen) == outlen));

268
    BN_CTX_end(bnctx);

269
    BN_CTX_free(bnctx);

270
    return ret;

271
}

272


273
/*

274
 * NIST.SP.800-56Br2

275
 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).

276
 */

277
static int rsasve_generate(PROV_RSA_CTX *prsactx,

278
                           unsigned char *out, size_t *outlen,

279
                           unsigned char *secret, size_t *secretlen)

280
{

281
    int ret;

282
    size_t nlen;

283


284
    /* Step (1): nlen = Ceil(len(n)/8) */

285
    nlen = RSA_size(prsactx->rsa);

286


287
    if (out == NULL) {

288
        if (nlen == 0) {

289
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);

290
            return 0;

291
        }

292
        if (outlen == NULL && secretlen == NULL)

293
            return 0;

294
        if (outlen != NULL)

295
            *outlen = nlen;

296
        if (secretlen != NULL)

297
            *secretlen = nlen;

298
        return 1;

299
    }

300


301
    /*

302
     * If outlen is specified, then it must report the length

303
     * of the out buffer on input so that we can confirm

304
     * its size is sufficent for encapsulation

305
     */

306
    if (outlen != NULL && *outlen < nlen) {

307
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);

308
        return 0;

309
    }

310


311
    /*

312
     * Step (2): Generate a random byte string z of nlen bytes where

313
     *            1 < z < n - 1

314
     */

315
    if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen))

316
        return 0;

317


318
    /* Step(3): out = RSAEP((n,e), z) */

319
    ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);

320
    if (ret) {

321
        ret = 1;

322
        if (outlen != NULL)

323
            *outlen = nlen;

324
        if (secretlen != NULL)

325
            *secretlen = nlen;

326
    } else {

327
        OPENSSL_cleanse(secret, nlen);

328
    }

329
    return ret;

330
}

331


332
/**

333
 * rsasve_recover - Recovers a secret value from ciphertext using an RSA

334
 * private key.  Once, recovered, the secret value is considered to be a

335
 * shared secret.  Algorithm is preformed as per

336
 * NIST SP 800-56B Rev 2

337
 * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).

338
 *

339
 * This function performs RSA decryption using the private key from the

340
 * provided RSA context (`prsactx`). It takes the input ciphertext, decrypts

341
 * it, and writes the decrypted message to the output buffer.

342
 *

343
 * @prsactx:      The RSA context containing the private key.

344
 * @out:          The output buffer to store the decrypted message.

345
 * @outlen:       On input, the size of the output buffer. On successful

346
 *                completion, the actual length of the decrypted message.

347
 * @in:           The input buffer containing the ciphertext to be decrypted.

348
 * @inlen:        The length of the input ciphertext in bytes.

349
 *

350
 * Returns 1 on success, or 0 on error. In case of error, appropriate

351
 * error messages are raised using the ERR_raise function.

352
 */

353
static int rsasve_recover(PROV_RSA_CTX *prsactx,

354
                          unsigned char *out, size_t *outlen,

355
                          const unsigned char *in, size_t inlen)

356
{

357
    size_t nlen;

358
    int ret;

359


360
    /* Step (1): get the byte length of n */

361
    nlen = RSA_size(prsactx->rsa);

362


363
    if (out == NULL) {

364
        if (nlen == 0) {

365
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);

366
            return 0;

367
        }

368
        *outlen = nlen;

369
        return 1;

370
    }

371


372
    /*

373
     * Step (2): check the input ciphertext 'inlen' matches the nlen

374
     * and that outlen is at least nlen bytes

375
     */

376
    if (inlen != nlen) {

377
        ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);

378
        return 0;

379
    }

380


381
    /*

382
     * If outlen is specified, then it must report the length

383
     * of the out buffer, so that we can confirm that it is of

384
     * sufficient size to hold the output of decapsulation

385
     */

386
    if (outlen != NULL && *outlen < nlen) {

387
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);

388
        return 0;

389
    }

390


391
    /* Step (3): out = RSADP((n,d), in) */

392
    ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING);

393
    if (ret > 0 && outlen != NULL)

394
        *outlen = ret;

395
    return ret > 0;

396
}

397


398
static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen,

399
                           unsigned char *secret, size_t *secretlen)

400
{

401
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

402


403
    if (!ossl_prov_is_running())

404
        return 0;

405


406
    switch (prsactx->op) {

407
        case KEM_OP_RSASVE:

408
            return rsasve_generate(prsactx, out, outlen, secret, secretlen);

409
        default:

410
            return -2;

411
    }

412
}

413


414
static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen,

415
                          const unsigned char *in, size_t inlen)

416
{

417
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

418


419
    if (!ossl_prov_is_running())

420
        return 0;

421


422
    switch (prsactx->op) {

423
        case KEM_OP_RSASVE:

424
            return rsasve_recover(prsactx, out, outlen, in, inlen);

425
        default:

426
            return -2;

427
    }

428
}

429


430
const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = {

431
    { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx },

432
    { OSSL_FUNC_KEM_ENCAPSULATE_INIT,

433
      (void (*)(void))rsakem_encapsulate_init },

434
    { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate },

435
    { OSSL_FUNC_KEM_DECAPSULATE_INIT,

436
      (void (*)(void))rsakem_decapsulate_init },

437
    { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover },

438
    { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx },

439
    { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx },

440
    { OSSL_FUNC_KEM_GET_CTX_PARAMS,

441
      (void (*)(void))rsakem_get_ctx_params },

442
    { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS,

443
      (void (*)(void))rsakem_gettable_ctx_params },

444
    { OSSL_FUNC_KEM_SET_CTX_PARAMS,

445
      (void (*)(void))rsakem_set_ctx_params },

446
    { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,

447
      (void (*)(void))rsakem_settable_ctx_params },

448
    OSSL_DISPATCH_END

449
};

450


451