1 // Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef OPENSSL_HEADER_CRYPTO_EVP_INTERNAL_H 16 #define OPENSSL_HEADER_CRYPTO_EVP_INTERNAL_H 17 18 #include <openssl/base.h> 19 20 #include <openssl/rsa.h> 21 22 #include "../internal.h" 23 24 #if defined(__cplusplus) 25 extern "C" { 26 #endif 27 28 29 typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD; 30 typedef struct evp_pkey_method_st EVP_PKEY_METHOD; 31 32 struct evp_pkey_asn1_method_st { 33 // pkey_id contains one of the |EVP_PKEY_*| values and corresponds to the OID 34 // in the key type's AlgorithmIdentifier. 35 int pkey_id; 36 uint8_t oid[9]; 37 uint8_t oid_len; 38 39 const EVP_PKEY_METHOD *pkey_method; 40 41 // pub_decode decodes |params| and |key| as a SubjectPublicKeyInfo 42 // and writes the result into |out|. It returns one on success and zero on 43 // error. |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER 44 // type field, and |key| is the contents of the subjectPublicKey with the 45 // leading padding byte checked and removed. Although X.509 uses BIT STRINGs 46 // to represent SubjectPublicKeyInfo, every key type defined encodes the key 47 // as a byte string with the same conversion to BIT STRING. 48 int (*pub_decode)(EVP_PKEY *out, CBS *params, CBS *key); 49 50 // pub_encode encodes |key| as a SubjectPublicKeyInfo and appends the result 51 // to |out|. It returns one on success and zero on error. 52 int (*pub_encode)(CBB *out, const EVP_PKEY *key); 53 54 int (*pub_cmp)(const EVP_PKEY *a, const EVP_PKEY *b); 55 56 // priv_decode decodes |params| and |key| as a PrivateKeyInfo and writes the 57 // result into |out|. It returns one on success and zero on error. |params| is 58 // the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, and |key| 59 // is the contents of the OCTET STRING privateKey field. 60 int (*priv_decode)(EVP_PKEY *out, CBS *params, CBS *key); 61 62 // priv_encode encodes |key| as a PrivateKeyInfo and appends the result to 63 // |out|. It returns one on success and zero on error. 64 int (*priv_encode)(CBB *out, const EVP_PKEY *key); 65 66 int (*set_priv_raw)(EVP_PKEY *pkey, const uint8_t *in, size_t len); 67 int (*set_pub_raw)(EVP_PKEY *pkey, const uint8_t *in, size_t len); 68 int (*get_priv_raw)(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len); 69 int (*get_pub_raw)(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len); 70 71 // TODO(davidben): Can these be merged with the functions above? OpenSSL does 72 // not implement |EVP_PKEY_get_raw_public_key|, etc., for |EVP_PKEY_EC|, but 73 // the distinction seems unimportant. OpenSSL 3.0 has since renamed 74 // |EVP_PKEY_get1_tls_encodedpoint| to |EVP_PKEY_get1_encoded_public_key|, and 75 // what is the difference between "raw" and an "encoded" public key. 76 // 77 // One nuisance is the notion of "raw" is slightly ambiguous for EC keys. Is 78 // it a DER ECPrivateKey or just the scalar? 79 int (*set1_tls_encodedpoint)(EVP_PKEY *pkey, const uint8_t *in, size_t len); 80 size_t (*get1_tls_encodedpoint)(const EVP_PKEY *pkey, uint8_t **out_ptr); 81 82 // pkey_opaque returns 1 if the |pk| is opaque. Opaque keys are backed by 83 // custom implementations which do not expose key material and parameters. 84 int (*pkey_opaque)(const EVP_PKEY *pk); 85 86 int (*pkey_size)(const EVP_PKEY *pk); 87 int (*pkey_bits)(const EVP_PKEY *pk); 88 89 int (*param_missing)(const EVP_PKEY *pk); 90 int (*param_copy)(EVP_PKEY *to, const EVP_PKEY *from); 91 int (*param_cmp)(const EVP_PKEY *a, const EVP_PKEY *b); 92 93 void (*pkey_free)(EVP_PKEY *pkey); 94 } /* EVP_PKEY_ASN1_METHOD */; 95 96 struct evp_pkey_st { 97 CRYPTO_refcount_t references; 98 99 // pkey contains a pointer to a structure dependent on |ameth|. 100 void *pkey; 101 102 // ameth contains a pointer to a method table that determines the key type, or 103 // nullptr if the key is empty. 104 const EVP_PKEY_ASN1_METHOD *ameth; 105 } /* EVP_PKEY */; 106 107 #define EVP_PKEY_OP_UNDEFINED 0 108 #define EVP_PKEY_OP_KEYGEN (1 << 2) 109 #define EVP_PKEY_OP_SIGN (1 << 3) 110 #define EVP_PKEY_OP_VERIFY (1 << 4) 111 #define EVP_PKEY_OP_VERIFYRECOVER (1 << 5) 112 #define EVP_PKEY_OP_ENCRYPT (1 << 6) 113 #define EVP_PKEY_OP_DECRYPT (1 << 7) 114 #define EVP_PKEY_OP_DERIVE (1 << 8) 115 #define EVP_PKEY_OP_PARAMGEN (1 << 9) 116 117 #define EVP_PKEY_OP_TYPE_SIG \ 118 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYRECOVER) 119 120 #define EVP_PKEY_OP_TYPE_CRYPT (EVP_PKEY_OP_ENCRYPT | EVP_PKEY_OP_DECRYPT) 121 122 #define EVP_PKEY_OP_TYPE_NOGEN \ 123 (EVP_PKEY_OP_SIG | EVP_PKEY_OP_CRYPT | EVP_PKEY_OP_DERIVE) 124 125 #define EVP_PKEY_OP_TYPE_GEN (EVP_PKEY_OP_KEYGEN | EVP_PKEY_OP_PARAMGEN) 126 127 // EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype| 128 // arguments can be -1 to specify that any type and operation are acceptable, 129 // otherwise |keytype| must match the type of |ctx| and the bits of |optype| 130 // must intersect the operation flags set on |ctx|. 131 // 132 // The |p1| and |p2| arguments depend on the value of |cmd|. 133 // 134 // It returns one on success and zero on error. 135 OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, 136 int cmd, int p1, void *p2); 137 138 #define EVP_PKEY_CTRL_MD 1 139 #define EVP_PKEY_CTRL_GET_MD 2 140 141 // EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|: 142 // 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key. 143 // If the return value is <= 0, the key is rejected. 144 // 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a 145 // peer key. If the return value is <= 0, the key is rejected. 146 // 2: Is called with |p2| == NULL to test whether the peer's key was used. 147 // (EC)DH always return one in this case. 148 // 3: Is called with |p2| == NULL to set whether the peer's key was used. 149 // (EC)DH always return one in this case. This was only used for GOST. 150 #define EVP_PKEY_CTRL_PEER_KEY 3 151 152 // EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl 153 // commands are numbered. 154 #define EVP_PKEY_ALG_CTRL 0x1000 155 156 #define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) 157 #define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 2) 158 #define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 3) 159 #define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 4) 160 #define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 5) 161 #define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 6) 162 #define EVP_PKEY_CTRL_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 7) 163 #define EVP_PKEY_CTRL_GET_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 8) 164 #define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 9) 165 #define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 10) 166 #define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 11) 167 #define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12) 168 #define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID (EVP_PKEY_ALG_CTRL + 13) 169 #define EVP_PKEY_CTRL_HKDF_MODE (EVP_PKEY_ALG_CTRL + 14) 170 #define EVP_PKEY_CTRL_HKDF_MD (EVP_PKEY_ALG_CTRL + 15) 171 #define EVP_PKEY_CTRL_HKDF_KEY (EVP_PKEY_ALG_CTRL + 16) 172 #define EVP_PKEY_CTRL_HKDF_SALT (EVP_PKEY_ALG_CTRL + 17) 173 #define EVP_PKEY_CTRL_HKDF_INFO (EVP_PKEY_ALG_CTRL + 18) 174 #define EVP_PKEY_CTRL_DH_PAD (EVP_PKEY_ALG_CTRL + 19) 175 176 struct evp_pkey_ctx_st { 177 ~evp_pkey_ctx_st(); 178 179 // Method associated with this operation 180 const EVP_PKEY_METHOD *pmeth = nullptr; 181 // Engine that implements this method or nullptr if builtin 182 ENGINE *engine = nullptr; 183 // Key: may be nullptr 184 bssl::UniquePtr<EVP_PKEY> pkey; 185 // Peer key for key agreement, may be nullptr 186 bssl::UniquePtr<EVP_PKEY> peerkey; 187 // operation contains one of the |EVP_PKEY_OP_*| values. 188 int operation = EVP_PKEY_OP_UNDEFINED; 189 // Algorithm specific data. 190 // TODO(davidben): Since a |EVP_PKEY_CTX| never has its type change after 191 // creation, this should instead be a base class, with the algorithm-specific 192 // data on the subclass, coming from the same allocation. 193 void *data = nullptr; 194 } /* EVP_PKEY_CTX */; 195 196 struct evp_pkey_method_st { 197 int pkey_id; 198 199 int (*init)(EVP_PKEY_CTX *ctx); 200 int (*copy)(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src); 201 void (*cleanup)(EVP_PKEY_CTX *ctx); 202 203 int (*keygen)(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey); 204 205 int (*sign)(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen, 206 const uint8_t *tbs, size_t tbslen); 207 208 int (*sign_message)(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen, 209 const uint8_t *tbs, size_t tbslen); 210 211 int (*verify)(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen, 212 const uint8_t *tbs, size_t tbslen); 213 214 int (*verify_message)(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen, 215 const uint8_t *tbs, size_t tbslen); 216 217 int (*verify_recover)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len, 218 const uint8_t *sig, size_t sig_len); 219 220 int (*encrypt)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, 221 const uint8_t *in, size_t inlen); 222 223 int (*decrypt)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, 224 const uint8_t *in, size_t inlen); 225 226 int (*derive)(EVP_PKEY_CTX *ctx, uint8_t *key, size_t *keylen); 227 228 int (*paramgen)(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey); 229 230 int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2); 231 } /* EVP_PKEY_METHOD */; 232 233 typedef struct { 234 // key is the concatenation of the private seed and public key. It is stored 235 // as a single 64-bit array to allow passing to |ED25519_sign|. If 236 // |has_private| is false, the first 32 bytes are uninitialized and the public 237 // key is in the last 32 bytes. 238 uint8_t key[64]; 239 char has_private; 240 } ED25519_KEY; 241 242 #define ED25519_PUBLIC_KEY_OFFSET 32 243 244 typedef struct { 245 uint8_t pub[32]; 246 uint8_t priv[32]; 247 char has_private; 248 } X25519_KEY; 249 250 extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meth; 251 extern const EVP_PKEY_ASN1_METHOD ec_asn1_meth; 252 extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meth; 253 extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth; 254 extern const EVP_PKEY_ASN1_METHOD x25519_asn1_meth; 255 extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; 256 257 extern const EVP_PKEY_METHOD rsa_pkey_meth; 258 extern const EVP_PKEY_METHOD ec_pkey_meth; 259 extern const EVP_PKEY_METHOD ed25519_pkey_meth; 260 extern const EVP_PKEY_METHOD x25519_pkey_meth; 261 extern const EVP_PKEY_METHOD hkdf_pkey_meth; 262 extern const EVP_PKEY_METHOD dh_pkey_meth; 263 264 // evp_pkey_set_method behaves like |EVP_PKEY_set_type|, but takes a pointer to 265 // a method table. This avoids depending on every |EVP_PKEY_ASN1_METHOD|. 266 void evp_pkey_set_method(EVP_PKEY *pkey, const EVP_PKEY_ASN1_METHOD *method); 267 268 269 #if defined(__cplusplus) 270 } // extern C 271 #endif 272 273 #endif // OPENSSL_HEADER_CRYPTO_EVP_INTERNAL_H 274