1
/*
2
 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
/*
11
 * RSA low level APIs are deprecated for public use, but still ok for
12
 * internal use.
13
 */
14
#include "internal/deprecated.h"
15
#include "internal/nelem.h"
16
#include <openssl/crypto.h>
17
#include <openssl/evp.h>
18
#include <openssl/core_dispatch.h>
19
#include <openssl/core_names.h>
20
#include <openssl/rsa.h>
21
#include <openssl/params.h>
22
#include <openssl/err.h>
23
#include <openssl/proverr.h>
24
#include "crypto/rsa.h"
25
#include "prov/provider_ctx.h"
26
#include "prov/providercommon.h"
27
#include "prov/implementations.h"
28
#include "prov/securitycheck.h"
29

30
static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
31
static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;
32
static OSSL_FUNC_kem_encapsulate_fn rsakem_generate;
33
static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init;
34
static OSSL_FUNC_kem_decapsulate_fn rsakem_recover;
35
static OSSL_FUNC_kem_freectx_fn rsakem_freectx;
36
static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx;
37
static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params;
38
static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params;
39
static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params;
40
static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params;
41

42
/*
43
 * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented
44
 * currently.
45
 */
46
#define KEM_OP_UNDEFINED -1
47
#define KEM_OP_RSASVE 0
48

49
/*
50
 * What's passed as an actual key is defined by the KEYMGMT interface.
51
 * We happen to know that our KEYMGMT simply passes RSA structures, so
52
 * we use that here too.
53
 */
54
typedef struct {
55
    OSSL_LIB_CTX *libctx;
56
    RSA *rsa;
57
    int op;
58
    OSSL_FIPS_IND_DECLARE
59
} PROV_RSA_CTX;
60

61
static const OSSL_ITEM rsakem_opname_id_map[] = {
62
    { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE },
63
};
64

65
static int name2id(const char *name, const OSSL_ITEM *map, size_t sz)
66
{
67
    size_t i;
68

69
    if (name == NULL)
70
        return -1;
71

72
    for (i = 0; i < sz; ++i) {
73
        if (OPENSSL_strcasecmp(map[i].ptr, name) == 0)
74
            return map[i].id;
75
    }
76
    return -1;
77
}
78

79
static int rsakem_opname2id(const char *name)
80
{
81
    return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map));
82
}
83

84
static void *rsakem_newctx(void *provctx)
85
{
86
    PROV_RSA_CTX *prsactx;
87

88
    if (!ossl_prov_is_running())
89
        return NULL;
90

91
    prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX));
92
    if (prsactx == NULL)
93
        return NULL;
94
    prsactx->libctx = PROV_LIBCTX_OF(provctx);
95
    prsactx->op = KEM_OP_RSASVE;
96
    OSSL_FIPS_IND_INIT(prsactx)
97

98
    return prsactx;
99
}
100

101
static void rsakem_freectx(void *vprsactx)
102
{
103
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
104

105
    RSA_free(prsactx->rsa);
106
    OPENSSL_free(prsactx);
107
}
108

109
static void *rsakem_dupctx(void *vprsactx)
110
{
111
    PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
112
    PROV_RSA_CTX *dstctx;
113

114
    if (!ossl_prov_is_running())
115
        return NULL;
116

117
    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
118
    if (dstctx == NULL)
119
        return NULL;
120

121
    *dstctx = *srcctx;
122
    if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) {
123
        OPENSSL_free(dstctx);
124
        return NULL;
125
    }
126
    return dstctx;
127
}
128

129
static int rsakem_init(void *vprsactx, void *vrsa,
130
    const OSSL_PARAM params[], int operation,
131
    const char *desc)
132
{
133
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
134
    int protect = 0;
135

136
    if (!ossl_prov_is_running())
137
        return 0;
138

139
    if (prsactx == NULL || vrsa == NULL)
140
        return 0;
141

142
    if (!ossl_rsa_key_op_get_protect(vrsa, operation, &protect))
143
        return 0;
144
    if (!RSA_up_ref(vrsa))
145
        return 0;
146
    RSA_free(prsactx->rsa);
147
    prsactx->rsa = vrsa;
148

149
    OSSL_FIPS_IND_SET_APPROVED(prsactx)
150
    if (!rsakem_set_ctx_params(prsactx, params))
151
        return 0;
152
#ifdef FIPS_MODULE
153
    if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),
154
            OSSL_FIPS_IND_SETTABLE0, prsactx->libctx,
155
            prsactx->rsa, desc, protect))
156
        return 0;
157
#endif
158
    return 1;
159
}
160

161
static int rsakem_encapsulate_init(void *vprsactx, void *vrsa,
162
    const OSSL_PARAM params[])
163
{
164
    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE,
165
        "RSA Encapsulate Init");
166
}
167

168
static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
169
    const OSSL_PARAM params[])
170
{
171
    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE,
172
        "RSA Decapsulate Init");
173
}
174

175
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
176
{
177
    PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
178

179
    if (ctx == NULL)
180
        return 0;
181

182
    if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))
183
        return 0;
184
    return 1;
185
}
186

187
static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
188
    OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
189
        OSSL_PARAM_END
190
};
191

192
static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *vprsactx,
193
    ossl_unused void *provctx)
194
{
195
    return known_gettable_rsakem_ctx_params;
196
}
197

198
static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
199
{
200
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
201
    const OSSL_PARAM *p;
202
    int op;
203

204
    if (prsactx == NULL)
205
        return 0;
206
    if (ossl_param_is_empty(params))
207
        return 1;
208

209
    if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
210
            OSSL_KEM_PARAM_FIPS_KEY_CHECK))
211
        return 0;
212
    p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);
213
    if (p != NULL) {
214
        if (p->data_type != OSSL_PARAM_UTF8_STRING)
215
            return 0;
216
        op = rsakem_opname2id(p->data);
217
        if (op < 0)
218
            return 0;
219
        prsactx->op = op;
220
    }
221
    return 1;
222
}
223

224
static const OSSL_PARAM known_settable_rsakem_ctx_params[] = {
225
    OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),
226
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KEM_PARAM_FIPS_KEY_CHECK)
227
        OSSL_PARAM_END
228
};
229

230
static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *vprsactx,
231
    ossl_unused void *provctx)
232
{
233
    return known_settable_rsakem_ctx_params;
234
}
235

236
/*
237
 * NIST.SP.800-56Br2
238
 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
239
 *
240
 * Generate a random in the range 1 < z < (n – 1)
241
 */
242
static int rsasve_gen_rand_bytes(RSA *rsa_pub,
243
    unsigned char *out, int outlen)
244
{
245
    int ret = 0;
246
    BN_CTX *bnctx;
247
    BIGNUM *z, *nminus3;
248

249
    bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub));
250
    if (bnctx == NULL)
251
        return 0;
252

253
    /*
254
     * Generate a random in the range 1 < z < (n – 1).
255
     * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max
256
     * We can achieve this by adding 2.. but then we need to subtract 3 from
257
     * the upper bound i.e: 2 + (0 <= r < (n - 3))
258
     */
259
    BN_CTX_start(bnctx);
260
    nminus3 = BN_CTX_get(bnctx);
261
    z = BN_CTX_get(bnctx);
262
    ret = (z != NULL
263
        && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL)
264
        && BN_sub_word(nminus3, 3)
265
        && BN_priv_rand_range_ex(z, nminus3, 0, bnctx)
266
        && BN_add_word(z, 2)
267
        && (BN_bn2binpad(z, out, outlen) == outlen));
268
    BN_CTX_end(bnctx);
269
    BN_CTX_free(bnctx);
270
    return ret;
271
}
272

273
/*
274
 * NIST.SP.800-56Br2
275
 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
276
 */
277
static int rsasve_generate(PROV_RSA_CTX *prsactx,
278
    unsigned char *out, size_t *outlen,
279
    unsigned char *secret, size_t *secretlen)
280
{
281
    int ret;
282
    size_t nlen;
283

284
    /* Step (1): nlen = Ceil(len(n)/8) */
285
    nlen = RSA_size(prsactx->rsa);
286

287
    if (out == NULL) {
288
        if (nlen == 0) {
289
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
290
            return 0;
291
        }
292
        if (outlen == NULL && secretlen == NULL)
293
            return 0;
294
        if (outlen != NULL)
295
            *outlen = nlen;
296
        if (secretlen != NULL)
297
            *secretlen = nlen;
298
        return 1;
299
    }
300

301
    /*
302
     * If outlen is specified, then it must report the length
303
     * of the out buffer on input so that we can confirm
304
     * its size is sufficient for encapsulation
305
     */
306
    if (outlen != NULL && *outlen < nlen) {
307
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
308
        return 0;
309
    }
310

311
    /*
312
     * Step (2): Generate a random byte string z of nlen bytes where
313
     *            1 < z < n - 1
314
     */
315
    if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen))
316
        return 0;
317

318
    /* Step(3): out = RSAEP((n,e), z) */
319
    ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
320
    if (ret) {
321
        ret = 1;
322
        if (outlen != NULL)
323
            *outlen = nlen;
324
        if (secretlen != NULL)
325
            *secretlen = nlen;
326
    } else {
327
        OPENSSL_cleanse(secret, nlen);
328
    }
329
    return ret;
330
}
331

332
/**
333
 * rsasve_recover - Recovers a secret value from ciphertext using an RSA
334
 * private key.  Once, recovered, the secret value is considered to be a
335
 * shared secret.  Algorithm is performed as per NIST SP 800-56B Rev 2
336
 * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
337
 *
338
 * This function performs RSA decryption using the private key from the
339
 * provided RSA context (`prsactx`). It takes the input ciphertext, decrypts
340
 * it, and writes the decrypted message to the output buffer.
341
 *
342
 * @prsactx:      The RSA context containing the private key.
343
 * @out:          The output buffer to store the decrypted message.
344
 * @outlen:       On input, the size of the output buffer. On successful
345
 *                completion, the actual length of the decrypted message.
346
 * @in:           The input buffer containing the ciphertext to be decrypted.
347
 * @inlen:        The length of the input ciphertext in bytes.
348
 *
349
 * Returns 1 on success, or 0 on error. In case of error, appropriate
350
 * error messages are raised using the ERR_raise function.
351
 */
352
static int rsasve_recover(PROV_RSA_CTX *prsactx,
353
    unsigned char *out, size_t *outlen,
354
    const unsigned char *in, size_t inlen)
355
{
356
    size_t nlen;
357
    int ret;
358

359
    /* Step (1): get the byte length of n */
360
    nlen = RSA_size(prsactx->rsa);
361

362
    if (out == NULL) {
363
        if (nlen == 0) {
364
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
365
            return 0;
366
        }
367
        *outlen = nlen;
368
        return 1;
369
    }
370

371
    /*
372
     * Step (2): check the input ciphertext 'inlen' matches the nlen
373
     * and that outlen is at least nlen bytes
374
     */
375
    if (inlen != nlen) {
376
        ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
377
        return 0;
378
    }
379

380
    /*
381
     * If outlen is specified, then it must report the length
382
     * of the out buffer, so that we can confirm that it is of
383
     * sufficient size to hold the output of decapsulation
384
     */
385
    if (outlen != NULL && *outlen < nlen) {
386
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
387
        return 0;
388
    }
389

390
    /* Step (3): out = RSADP((n,d), in) */
391
    ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING);
392
    if (ret > 0 && outlen != NULL)
393
        *outlen = ret;
394
    return ret > 0;
395
}
396

397
static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen,
398
    unsigned char *secret, size_t *secretlen)
399
{
400
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
401

402
    if (!ossl_prov_is_running())
403
        return 0;
404

405
    switch (prsactx->op) {
406
    case KEM_OP_RSASVE:
407
        return rsasve_generate(prsactx, out, outlen, secret, secretlen);
408
    default:
409
        return -2;
410
    }
411
}
412

413
static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen,
414
    const unsigned char *in, size_t inlen)
415
{
416
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
417

418
    if (!ossl_prov_is_running())
419
        return 0;
420

421
    switch (prsactx->op) {
422
    case KEM_OP_RSASVE:
423
        return rsasve_recover(prsactx, out, outlen, in, inlen);
424
    default:
425
        return -2;
426
    }
427
}
428

429
const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = {
430
    { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx },
431
    { OSSL_FUNC_KEM_ENCAPSULATE_INIT,
432
        (void (*)(void))rsakem_encapsulate_init },
433
    { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate },
434
    { OSSL_FUNC_KEM_DECAPSULATE_INIT,
435
        (void (*)(void))rsakem_decapsulate_init },
436
    { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover },
437
    { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx },
438
    { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx },
439
    { OSSL_FUNC_KEM_GET_CTX_PARAMS,
440
        (void (*)(void))rsakem_get_ctx_params },
441
    { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS,
442
        (void (*)(void))rsakem_gettable_ctx_params },
443
    { OSSL_FUNC_KEM_SET_CTX_PARAMS,
444
        (void (*)(void))rsakem_set_ctx_params },
445
    { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,
446
        (void (*)(void))rsakem_settable_ctx_params },
447
    OSSL_DISPATCH_END
448
};
449

450