hkdf: when HMAC key is all zeros, still set a valid key length

[openssl.git] / providers / implementations / keymgmt / rsa_kmgmt.c

diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 64779ca6be1bd139f4857f70a6a5abca3babd2a9..c24cb8da88ea603c744601e078515595a3fd200d 100644 (file)
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -19,6 +19,7 @@
 #include <openssl/err.h>
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
+#include <openssl/proverr.h>
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
@@ -36,6 +37,7 @@ static OSSL_FUNC_keymgmt_gen_settable_params_fn rsapss_gen_settable_params;
 static OSSL_FUNC_keymgmt_gen_fn rsa_gen;
 static OSSL_FUNC_keymgmt_gen_cleanup_fn rsa_gen_cleanup;
 static OSSL_FUNC_keymgmt_load_fn rsa_load;
+static OSSL_FUNC_keymgmt_load_fn rsapss_load;
 static OSSL_FUNC_keymgmt_free_fn rsa_freedata;
 static OSSL_FUNC_keymgmt_get_params_fn rsa_get_params;
 static OSSL_FUNC_keymgmt_gettable_params_fn rsa_gettable_params;
@@ -47,6 +49,7 @@ static OSSL_FUNC_keymgmt_import_types_fn rsa_import_types;
 static OSSL_FUNC_keymgmt_export_fn rsa_export;
 static OSSL_FUNC_keymgmt_export_types_fn rsa_export_types;
 static OSSL_FUNC_keymgmt_query_operation_name_fn rsa_query_operation_name;
+static OSSL_FUNC_keymgmt_dup_fn rsa_dup;
 
 #define RSA_DEFAULT_MD "SHA256"
 #define RSA_PSS_DEFAULT_MD OSSL_DIGEST_NAME_SHA1
@@ -112,22 +115,20 @@ static void rsa_freedata(void *keydata)
 static int rsa_has(const void *keydata, int selection)
 {
     const RSA *rsa = keydata;
-    int ok = 0;
+    int ok = 1;
 
-    if (rsa != NULL && ossl_prov_is_running()) {
-        if ((selection & RSA_POSSIBLE_SELECTIONS) != 0)
-            ok = 1;
+    if (rsa == NULL || !ossl_prov_is_running())
+        return 0;
+    if ((selection & RSA_POSSIBLE_SELECTIONS) == 0)
+        return 1; /* the selection is not missing */
 
-        if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
-            /* This will change with OAEP */
-            ok = ok && (RSA_test_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS) != 0);
-        if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
-            ok = ok && (RSA_get0_e(rsa) != NULL);
-        if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
-            ok = ok && (RSA_get0_n(rsa) != NULL);
-        if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
-            ok = ok && (RSA_get0_d(rsa) != NULL);
-    }
+    /* OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS are always available even if empty */
+    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
+        ok = ok && (RSA_get0_n(rsa) != NULL);
+    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
+        ok = ok && (RSA_get0_e(rsa) != NULL);
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
+        ok = ok && (RSA_get0_d(rsa) != NULL);
     return ok;
 }
 
@@ -142,10 +143,30 @@ static int rsa_match(const void *keydata1, const void *keydata2, int selection)
 
     /* There is always an |e| */
     ok = ok && BN_cmp(RSA_get0_e(rsa1), RSA_get0_e(rsa2)) == 0;
-    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
-        ok = ok && BN_cmp(RSA_get0_n(rsa1), RSA_get0_n(rsa2)) == 0;
-    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
-        ok = ok && BN_cmp(RSA_get0_d(rsa1), RSA_get0_d(rsa2)) == 0;
+    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+        int key_checked = 0;
+
+        if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+            const BIGNUM *pa = RSA_get0_n(rsa1);
+            const BIGNUM *pb = RSA_get0_n(rsa2);
+
+            if (pa != NULL && pb != NULL) {
+                ok = ok && BN_cmp(pa, pb) == 0;
+                key_checked = 1;
+            }
+        }
+        if (!key_checked
+            && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
+            const BIGNUM *pa = RSA_get0_d(rsa1);
+            const BIGNUM *pb = RSA_get0_d(rsa2);
+
+            if (pa != NULL && pb != NULL) {
+                ok = ok && BN_cmp(pa, pb) == 0;
+                key_checked = 1;
+            }
+        }
+        ok = ok && key_checked;
+    }
     return ok;
 }
 
@@ -164,15 +185,17 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
 
     rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
 
-    /* TODO(3.0) OAEP should bring on parameters as well */
-
     if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
         ok = ok && pss_params_fromdata(ossl_rsa_get0_pss_params_30(rsa),
                                        &pss_defaults_set,
                                        params, rsa_type,
                                        ossl_rsa_get0_libctx(rsa));
-    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
-        ok = ok && ossl_rsa_fromdata(rsa, params);
+    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+        int include_private =
+            selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
+
+        ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
+    }
 
     return ok;
 }
@@ -189,7 +212,8 @@ static int rsa_export(void *keydata, int selection,
     if (!ossl_prov_is_running() || rsa == NULL)
         return 0;
 
-    /* TODO(3.0) OAEP should bring on parameters */
+    if ((selection & RSA_POSSIBLE_SELECTIONS) == 0)
+        return 0;
 
     tmpl = OSSL_PARAM_BLD_new();
     if (tmpl == NULL)
@@ -198,15 +222,20 @@ static int rsa_export(void *keydata, int selection,
     if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
         ok = ok && (ossl_rsa_pss_params_30_is_unrestricted(pss_params)
                     || ossl_rsa_pss_params_30_todata(pss_params, tmpl, NULL));
-    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
-        ok = ok && ossl_rsa_todata(rsa, tmpl, NULL);
+    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+        int include_private =
+            selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
+
+        ok = ok && ossl_rsa_todata(rsa, tmpl, NULL, include_private);
+    }
 
-    if (!ok
-        || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL)
+    if (!ok || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
+        ok = 0;
         goto err;
+    }
 
     ok = param_callback(params, cbarg);
-    OSSL_PARAM_BLD_free_params(params);
+    OSSL_PARAM_free(params);
 err:
     OSSL_PARAM_BLD_free(tmpl);
     return ok;
@@ -304,15 +333,16 @@ static int rsa_get_params(void *key, OSSL_PARAM params[])
     const RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);
     int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
     OSSL_PARAM *p;
+    int empty = RSA_get0_n(rsa) == NULL;
 
     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL
-        && !OSSL_PARAM_set_int(p, RSA_bits(rsa)))
+        && (empty || !OSSL_PARAM_set_int(p, RSA_bits(rsa))))
         return 0;
     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL
-        && !OSSL_PARAM_set_int(p, RSA_security_bits(rsa)))
+        && (empty || !OSSL_PARAM_set_int(p, RSA_security_bits(rsa))))
         return 0;
     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
-        && !OSSL_PARAM_set_int(p, RSA_size(rsa)))
+        && (empty || !OSSL_PARAM_set_int(p, RSA_size(rsa))))
         return 0;
 
     /*
@@ -342,7 +372,7 @@ static int rsa_get_params(void *key, OSSL_PARAM params[])
     }
     return (rsa_type != RSA_FLAG_TYPE_RSASSAPSS
             || ossl_rsa_pss_params_30_todata(pss_params, NULL, params))
-        && ossl_rsa_todata(rsa, NULL, params);
+        && ossl_rsa_todata(rsa, NULL, params, 1);
 }
 
 static const OSSL_PARAM rsa_params[] = {
@@ -359,16 +389,16 @@ static const OSSL_PARAM *rsa_gettable_params(void *provctx)
     return rsa_params;
 }
 
-static int rsa_validate(const void *keydata, int selection)
+static int rsa_validate(const void *keydata, int selection, int checktype)
 {
     const RSA *rsa = keydata;
-    int ok = 0;
+    int ok = 1;
 
     if (!ossl_prov_is_running())
         return 0;
 
-    if ((selection & RSA_POSSIBLE_SELECTIONS) != 0)
-        ok = 1;
+    if ((selection & RSA_POSSIBLE_SELECTIONS) == 0)
+        return 1; /* nothing to validate */
 
     /* If the whole key is selected, we do a pairwise validation */
     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR)
@@ -417,7 +447,8 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
     return gctx->cb(params, gctx->cbarg);
 }
 
-static void *gen_init(void *provctx, int selection, int rsa_type)
+static void *gen_init(void *provctx, int selection, int rsa_type,
+                      const OSSL_PARAM params[])
 {
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
     struct rsa_gen_ctx *gctx = NULL;
@@ -432,26 +463,36 @@ static void *gen_init(void *provctx, int selection, int rsa_type)
         gctx->libctx = libctx;
         if ((gctx->pub_exp = BN_new()) == NULL
             || !BN_set_word(gctx->pub_exp, RSA_F4)) {
-            BN_free(gctx->pub_exp);
-            OPENSSL_free(gctx);
-            gctx = NULL;
-        } else {
-            gctx->nbits = 2048;
-            gctx->primes = RSA_DEFAULT_PRIME_NUM;
-            gctx->rsa_type = rsa_type;
+            goto err;
         }
+        gctx->nbits = 2048;
+        gctx->primes = RSA_DEFAULT_PRIME_NUM;
+        gctx->rsa_type = rsa_type;
+    } else {
+        goto err;
     }
+
+    if (!rsa_gen_set_params(gctx, params))
+        goto err;
     return gctx;
+
+err:
+    if (gctx != NULL)
+        BN_free(gctx->pub_exp);
+    OPENSSL_free(gctx);
+    return NULL;
 }
 
-static void *rsa_gen_init(void *provctx, int selection)
+static void *rsa_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
 {
-    return gen_init(provctx, selection, RSA_FLAG_TYPE_RSA);
+    return gen_init(provctx, selection, RSA_FLAG_TYPE_RSA, params);
 }
 
-static void *rsapss_gen_init(void *provctx, int selection)
+static void *rsapss_gen_init(void *provctx, int selection,
+                             const OSSL_PARAM params[])
 {
-    return gen_init(provctx, selection, RSA_FLAG_TYPE_RSASSAPSS);
+    return gen_init(provctx, selection, RSA_FLAG_TYPE_RSASSAPSS, params);
 }
 
 /*
@@ -464,9 +505,17 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
     struct rsa_gen_ctx *gctx = genctx;
     const OSSL_PARAM *p;
 
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_BITS)) != NULL
-        && !OSSL_PARAM_get_size_t(p, &gctx->nbits))
-        return 0;
+    if (params == NULL)
+        return 1;
+
+    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_BITS)) != NULL) {
+        if (!OSSL_PARAM_get_size_t(p, &gctx->nbits))
+            return 0;
+        if (gctx->nbits < RSA_MIN_MODULUS_BITS) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+            return 0;
+        }
+    }
     if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_PRIMES)) != NULL
         && !OSSL_PARAM_get_size_t(p, &gctx->primes))
         return 0;
@@ -480,7 +529,7 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
         return 0;
 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
     /* Any ACVP test related parameters are copied into a params[] */
-    if (!rsa_acvp_test_gen_params_new(&gctx->acvp_test_params, params))
+    if (!ossl_rsa_acvp_test_gen_params_new(&gctx->acvp_test_params, params))
         return 0;
 #endif
     return 1;
@@ -502,7 +551,8 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_RSA_MGF1_DIGEST, NULL, 0),   \
     OSSL_PARAM_int(OSSL_PKEY_PARAM_RSA_PSS_SALTLEN, NULL)
 
-static const OSSL_PARAM *rsa_gen_settable_params(void *provctx)
+static const OSSL_PARAM *rsa_gen_settable_params(ossl_unused void *genctx,
+                                                 ossl_unused void *provctx)
 {
     static OSSL_PARAM settable[] = {
         rsa_gen_basic,
@@ -512,7 +562,8 @@ static const OSSL_PARAM *rsa_gen_settable_params(void *provctx)
     return settable;
 }
 
-static const OSSL_PARAM *rsapss_gen_settable_params(void *provctx)
+static const OSSL_PARAM *rsapss_gen_settable_params(ossl_unused void *genctx,
+                                                    ossl_unused void *provctx)
 {
     static OSSL_PARAM settable[] = {
         rsa_gen_basic,
@@ -560,7 +611,7 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
 
 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
     if (gctx->acvp_test_params != NULL) {
-        if (!rsa_acvp_test_set_params(rsa_tmp, gctx->acvp_test_params))
+        if (!ossl_rsa_acvp_test_set_params(rsa_tmp, gctx->acvp_test_params))
             goto err;
     }
 #endif
@@ -592,20 +643,25 @@ static void rsa_gen_cleanup(void *genctx)
     if (gctx == NULL)
         return;
 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
-    rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
+    ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
     gctx->acvp_test_params = NULL;
 #endif
     BN_clear_free(gctx->pub_exp);
     OPENSSL_free(gctx);
 }
 
-void *rsa_load(const void *reference, size_t reference_sz)
+static void *common_load(const void *reference, size_t reference_sz,
+                         int expected_rsa_type)
 {
     RSA *rsa = NULL;
 
     if (ossl_prov_is_running() && reference_sz == sizeof(rsa)) {
         /* The contents of the reference is the address to our object */
         rsa = *(RSA **)reference;
+
+        if (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK) != expected_rsa_type)
+            return NULL;
+
         /* We grabbed, so we detach it */
         *(RSA **)reference = NULL;
         return rsa;
@@ -613,6 +669,25 @@ void *rsa_load(const void *reference, size_t reference_sz)
     return NULL;
 }
 
+static void *rsa_load(const void *reference, size_t reference_sz)
+{
+    return common_load(reference, reference_sz, RSA_FLAG_TYPE_RSA);
+}
+
+static void *rsapss_load(const void *reference, size_t reference_sz)
+{
+    return common_load(reference, reference_sz, RSA_FLAG_TYPE_RSASSAPSS);
+}
+
+static void *rsa_dup(const void *keydata_from, int selection)
+{
+    if (ossl_prov_is_running()
+        /* do not allow creating empty keys by duplication */
+        && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
+        return ossl_rsa_dup(keydata_from, selection);
+    return NULL;
+}
+
 /* For any RSA key, we use the "RSA" algorithms regardless of sub-type. */
 static const char *rsa_query_operation_name(int operation_id)
 {
@@ -639,7 +714,8 @@ const OSSL_DISPATCH ossl_rsa_keymgmt_functions[] = {
     { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))rsa_import_types },
     { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))rsa_export },
     { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))rsa_export_types },
-    { 0, NULL }
+    { OSSL_FUNC_KEYMGMT_DUP, (void (*)(void))rsa_dup },
+    OSSL_DISPATCH_END
 };
 
 const OSSL_DISPATCH ossl_rsapss_keymgmt_functions[] = {
@@ -650,7 +726,7 @@ const OSSL_DISPATCH ossl_rsapss_keymgmt_functions[] = {
       (void (*)(void))rsapss_gen_settable_params },
     { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))rsa_gen },
     { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))rsa_gen_cleanup },
-    { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))rsa_load },
+    { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))rsapss_load },
     { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))rsa_freedata },
     { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))rsa_get_params },
     { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))rsa_gettable_params },
@@ -663,5 +739,6 @@ const OSSL_DISPATCH ossl_rsapss_keymgmt_functions[] = {
     { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))rsa_export_types },
     { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME,
       (void (*)(void))rsa_query_operation_name },
-    { 0, NULL }
+    { OSSL_FUNC_KEYMGMT_DUP, (void (*)(void))rsa_dup },
+    OSSL_DISPATCH_END
 };