Limit the execution time of RSA public key check Fixes CVE-2023-6237 If a large and incorrect RSA public key is checked with EVP_PKEY_public_check() the computation could take very long time due to no limit being applied to the RSA public key size and unnecessarily high number of Miller-Rabin algorithm rounds used for non-primality check of the modulus. Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. Also the number of Miller-Rabin rounds was set to 5. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23243)
ossl_rsa_fips186_4_gen_prob_primes(): Remove unused Xpout and Xqout CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23253)
Augment RSA provider to generate CRT coefficients on EVP_PKEY_fromdata() It would be helpful to be able to generate RSA's dmp1/dmq1/iqmp values when not provided in the param list to EVP_PKEY_fromdata. Augment the provider in ossl_rsa_fromdata to preform this generation iff: a) At least p q n e and e are provided b) the new parameter OSSL_PARAM_RSA_DERIVE_PQ is set to 1 Fixes #21826 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21875)
Limit RSA-OAEP related functions to RSA keys only Make EVP_PKEY_CTX_set_rsa_oaep_md() and EVP_PKEY_CTX_get_rsa_oaep_md_name() only work for RSA keys. Since these calls use "digest" as a OSSL_PARAM, they should not work for other key types. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20319)
rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check The code did not yet check that the length of the RSA key is positive and even. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/22403)
Dont require CRT params on ossl_rsa_set0_all_params Its not required that crt params be available in an RSA key, so don't perform an error check on them Fixes #29135 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22334)
remove sanity check from ossl_rsa_todata Theres no reason we should gate ossl_rsa_todata on there being a minimum set of parameters. EVP_PKEY_todata makes no guarantees about the validity of a key, it only returns the parameters that are set in the requested key, whatever they may be. Remove the check. Fixes #21935 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22334)
rsa: Accept NULL OAEP label for backward compatibility According to the manual page, EVP_PKEY_CTX_set0_rsa_oaep_label() should accept NULL as the label argument, though the function currently rejects it while setting the corresponding octet string parameter with OSSL_PARAM_construct_octet_string, which expects non-NULL input. This adds a workaround to the caller for backward compatibility. Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22397)
Fix a possible memleak in rsa_pub_encode That seems to be only an issue for RSA-PSS with parameters. Spotted by code review, so it looks like there is no test coverage for this. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22032)
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
Compute RSA-PSS algorithm params in libcrypto for legacy Fixes regression of RSA signatures for legacy keys caused by quering the provider for the algorithm id with parameters. Legacy keys do not have a method that would create the algorithm id. So we revert to what was done in 3.0.7 and earlier versions for these keys. Fixes #21008 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21019)
Optimise locking in rsa_get_blinding() We optimise locking in rsa_get_blinding() so that we normally take a read lock, and only fallback to a write lock if we need to. This will be very slightly slower in the case of single use RSA objects, but should be significantly better when an RSA object is reused in a multi-threaded environment. It's probably worth the trade off. Partially fixes #20286 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20953)
Add libctx to x931 keygen. Added coverage test that failed without the change. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19677)
Avoid generating RSA keys with p < q We swap p and q in that case except when ACVP tests are being run. Fixes #20823 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20833)