/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/evp.h>
#include "internal/cryptlib.h"
#include "internal/refcount.h"
+#include "openssl/param_build.h"
#include "crypto/bn.h"
#include "crypto/evp.h"
#include "crypto/rsa.h"
+#include "crypto/security_bits.h"
#include "rsa_local.h"
static RSA *rsa_new_intern(ENGINE *engine, OPENSSL_CTX *libctx);
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
RSA *RSA_new(void)
{
return rsa_new_intern(NULL, NULL);
ret->libctx = libctx;
ret->meth = RSA_get_default_method();
-#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
if (engine) {
if (!ENGINE_init(engine)) {
#endif
ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
goto err;
}
if (r->meth != NULL && r->meth->finish != NULL)
r->meth->finish(r);
-#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
ENGINE_finish(r->engine);
#endif
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
#endif
BN_clear_free(r->dmp1);
BN_clear_free(r->dmq1);
BN_clear_free(r->iqmp);
- /* TODO(3.0): Support PSS in FIPS_MODE */
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
RSA_PSS_PARAMS_free(r->pss);
sk_RSA_PRIME_INFO_pop_free(r->prime_infos, rsa_multip_info_free);
#endif
return i > 1 ? 1 : 0;
}
-#ifndef FIPS_MODE
+OPENSSL_CTX *rsa_get0_libctx(RSA *r)
+{
+ return r->libctx;
+}
+
+#ifndef FIPS_MODULE
int RSA_set_ex_data(RSA *r, int idx, void *arg)
{
return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
* NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC
* Modulus Lengths.
*
+ * Note that this formula is also referred to in SP800-56A rev3 Appendix D:
+ * for FFC safe prime groups for modp and ffdhe.
+ * After Table 25 and Table 26 it refers to
+ * "The maximum security strength estimates were calculated using the formula in
+ * Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight
+ * bits".
+ *
+ * The formula is:
+ *
* E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)}
* \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)}
* The two cube roots are merged together here.
*/
-uint16_t rsa_compute_security_bits(int n)
+uint16_t ifc_ffc_compute_security_bits(int n)
{
uint64_t x;
uint32_t lx;
return (y + 4) & ~7;
}
+
+
int RSA_security_bits(const RSA *rsa)
{
int bits = BN_num_bits(rsa->n);
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
if (rsa->version == RSA_ASN1_VERSION_MULTI) {
/* This ought to mean that we have private key at hand. */
int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos);
return 0;
}
#endif
- return rsa_compute_security_bits(bits);
+ return ifc_ffc_compute_security_bits(bits);
}
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
return 1;
}
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
/*
* Is it better to export RSA_PRIME_INFO structure
* and related functions to let user pass a triplet?
*q = r->q;
}
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
int RSA_get_multi_prime_extra_count(const RSA *r)
{
int pnum;
*iqmp = r->iqmp;
}
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[],
const BIGNUM *coeffs[])
{
return r->iqmp;
}
-/* TODO(3.0): Temporary until we move PSS support into the FIPS module */
-#ifndef FIPS_MODE
const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r)
{
+#ifdef FIPS_MODULE
+ return NULL;
+#else
return r->pss;
-}
#endif
+}
+
+/* Internal */
+RSA_PSS_PARAMS_30 *rsa_get0_pss_params_30(RSA *r)
+{
+ return &r->pss_params;
+}
void RSA_clear_flags(RSA *r, int flags)
{
return r->version;
}
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
ENGINE *RSA_get0_engine(const RSA *r)
{
return r->engine;
const STACK_OF(BIGNUM) *exps,
const STACK_OF(BIGNUM) *coeffs)
{
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL;
#endif
int pnum;
sk_BIGNUM_value(coeffs, 0)))
return 0;
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
old_infos = r->prime_infos;
#endif
if (pnum > 2) {
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
int i;
prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
#endif
}
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
if (old_infos != NULL) {
/*
* This is hard to deal with, since the old infos could
r->dirty_cnt++;
return 1;
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
err:
/* r, d, t should not be freed */
sk_RSA_PRIME_INFO_pop_free(prime_infos, rsa_multip_info_free_ex);
STACK_OF(BIGNUM_const) *exps,
STACK_OF(BIGNUM_const) *coeffs)
{
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
RSA_PRIME_INFO *pinfo;
int i, pnum;
#endif
sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r));
sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r));
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
pnum = RSA_get_multi_prime_extra_count(r);
for (i = 0; i < pnum; i++) {
pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
return 1;
}
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode)
{
OSSL_PARAM pad_params[2], *p = pad_params;
return 1;
}
+
+int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits)
+{
+ OSSL_PARAM params[2], *p = params;
+ size_t bits2 = bits;
+
+ if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+ /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+ return -2;
+ }
+
+ /* If key type not RSA return error */
+ if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
+ return -1;
+
+ /* TODO(3.0): Remove this eventually when no more legacy */
+ if (ctx->op.keymgmt.genctx == NULL)
+ return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL);
+
+ *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2);
+ *p++ = OSSL_PARAM_construct_end();
+
+ if (!EVP_PKEY_CTX_set_params(ctx, params))
+ return 0;
+
+ return 1;
+}
+
+int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp)
+{
+ OSSL_PARAM_BLD *tmpl;
+ OSSL_PARAM *params;
+ int ret;
+
+ if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+ /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+ return -2;
+ }
+
+ /* If key type not RSA return error */
+ if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
+ return -1;
+
+ /* TODO(3.0): Remove this eventually when no more legacy */
+ if (ctx->op.keymgmt.genctx == NULL)
+ return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp);
+
+ if ((tmpl = OSSL_PARAM_BLD_new()) == NULL)
+ return 0;
+ if (!OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_RSA_E, pubexp)
+ || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
+ OSSL_PARAM_BLD_free(tmpl);
+ return 0;
+ }
+ OSSL_PARAM_BLD_free(tmpl);
+
+ ret = EVP_PKEY_CTX_set_params(ctx, params);
+ OSSL_PARAM_BLD_free_params(params);
+ return ret;
+}
+
+int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes)
+{
+ OSSL_PARAM params[2], *p = params;
+ size_t primes2 = primes;
+
+ if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+ /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+ return -2;
+ }
+
+ /* If key type not RSA return error */
+ if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
+ return -1;
+
+ /* TODO(3.0): Remove this eventually when no more legacy */
+ if (ctx->op.keymgmt.genctx == NULL)
+ return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES, primes,
+ NULL);
+
+ *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2);
+ *p++ = OSSL_PARAM_construct_end();
+
+ if (!EVP_PKEY_CTX_set_params(ctx, params))
+ return 0;
+
+ return 1;
+}
#endif