From 317c1ea1d9893d6f4f837196648c53b7f7dd762f Mon Sep 17 00:00:00 2001

From: Petr Gotthard <petr.gotthard@centrum.cz>

Date: Sun, 15 Aug 2021 17:22:44 +0200

Subject: [PATCH 16/17] openssl: Reimplement RSA OAEP encryption using EVP

 functions

The RSA_padding_add_PKCS1_OAEP_mgf1 is deprecated and the entire

semi-custom implementation of OAEP is unnecessary.

The Part 1, B.10.3 talks about a standard OAEP with a given label,

which can be easily implemented using the standard EVP functions.

Also, the public key retrieval can be replaced by invocation of

convert_pubkey_RSA from lib/tpm2_convert.c

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>

---

 lib/tpm2_identity_util.c | 162 +++++++++++----------------------------

 1 file changed, 43 insertions(+), 119 deletions(-)

diff --git a/lib/tpm2_identity_util.c b/lib/tpm2_identity_util.c

index ba0c0e1c..b04a56d6 100644

--- a/lib/tpm2_identity_util.c

+++ b/lib/tpm2_identity_util.c

@@ -10,6 +10,7 @@

 #include "log.h"

 #include "tpm2_alg_util.h"

+#include "tpm2_convert.h"

 #include "tpm2_identity_util.h"

 #include "tpm2_kdfa.h"

 #include "tpm2_kdfe.h"

@@ -17,73 +18,6 @@

 // Identity-related functionality that the TPM normally does, but using OpenSSL

-#if defined(LIBRESSL_VERSION_NUMBER)

-static int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,

-        const unsigned char *from, int flen, const unsigned char *param, int plen,

-        const EVP_MD *md, const EVP_MD *mgf1md) {

-

-    int ret = 0;

-    int i, emlen = tlen - 1;

-    unsigned char *db, *seed;

-    unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE];

-    int mdlen;

-

-    if (md == NULL)

-    md = EVP_sha1();

-    if (mgf1md == NULL)

-    mgf1md = md;

-

-    mdlen = EVP_MD_size(md);

-

-    if (flen > emlen - 2 * mdlen - 1) {

-        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,

-                RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

-        return 0;

-    }

-

-    if (emlen < 2 * mdlen + 1) {

-        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,

-                RSA_R_KEY_SIZE_TOO_SMALL);

-        return 0;

-    }

-

-    to[0] = 0;

-    seed = to + 1;

-    db = to + mdlen + 1;

-

-    if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))

-    return 0;

-    memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);

-    db[emlen - flen - mdlen - 1] = 0x01;

-    memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);

-    if (RAND_bytes(seed, mdlen) <= 0)

-    return 0;

-

-    dbmask = OPENSSL_malloc(emlen - mdlen);

-    if (dbmask == NULL) {

-        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);

-        return 0;

-    }

-

-    if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)

-    goto err;

-    for (i = 0; i < emlen - mdlen; i++)

-    db[i] ^= dbmask[i];

-

-    if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)

-    goto err;

-    for (i = 0; i < mdlen; i++)

-    seed[i] ^= seedmask[i];

-

-    ret = 1;

-

-err:

-    OPENSSL_free(dbmask);

-

-    return ret;

-}

-#endif

-

 static TPM2_KEY_BITS get_pub_asym_key_bits(TPM2B_PUBLIC *public) {

     TPMU_PUBLIC_PARMS *p = &public->publicArea.parameters;

@@ -102,19 +36,13 @@ static bool share_secret_with_tpm2_rsa_public_key(TPM2B_DIGEST *protection_seed,

         TPM2B_PUBLIC *parent_pub, unsigned char *label, int label_len,

         TPM2B_ENCRYPTED_SECRET *encrypted_protection_seed) {

     bool rval = false;

-    RSA *rsa = NULL;

-

-    // Public modulus (RSA-only!)

-    TPMI_RSA_KEY_BITS mod_size_bits =

-            parent_pub->publicArea.parameters.rsaDetail.keyBits;

-    UINT16 mod_size = mod_size_bits / 8;

-    TPM2B *pub_key_val = (TPM2B *) &parent_pub->publicArea.unique.rsa;

-    unsigned char *pub_modulus = malloc(mod_size);

-    if (pub_modulus == NULL) {

-        LOG_ERR("Failed to allocate memory to store public key's modulus.");

+    EVP_PKEY_CTX *ctx = NULL;

+

+    EVP_PKEY *pkey = convert_pubkey_RSA(&parent_pub->publicArea);

+    if (pkey == NULL) {

+        LOG_ERR("Failed to retrieve public key");

         return false;

     }

-    memcpy(pub_modulus, pub_key_val->buffer, mod_size);

     TPMI_ALG_HASH parent_name_alg = parent_pub->publicArea.nameAlg;

@@ -122,70 +50,66 @@ static bool share_secret_with_tpm2_rsa_public_key(TPM2B_DIGEST *protection_seed,

      * RSA Secret Sharing uses a randomly generated seed (Part 1, B.10.3).

      */

     protection_seed->size = tpm2_alg_util_get_hash_size(parent_name_alg);

-    int return_code = RAND_bytes(protection_seed->buffer, protection_seed->size);

-    if (return_code != 1) {

+    int rc = RAND_bytes(protection_seed->buffer, protection_seed->size);

+    if (rc != 1) {

         LOG_ERR("Failed to get random bytes");

         goto error;

     }

     /*

-     * This is the biggest buffer value, so it should always be sufficient.

+     * The seed value will be OAEP encrypted with a given L parameter.

      */

-    unsigned char encoded[TPM2_MAX_DIGEST_BUFFER];

-    return_code = RSA_padding_add_PKCS1_OAEP_mgf1(encoded, mod_size,

-            protection_seed->buffer, protection_seed->size, label, label_len,

-            tpm2_openssl_md_from_tpmhalg(parent_name_alg), NULL);

-    if (return_code != 1) {

-        LOG_ERR("Failed RSA_padding_add_PKCS1_OAEP_mgf1\n");

-        goto error;

-    }

-    BIGNUM* bne = BN_new();

-    if (!bne) {

-        LOG_ERR("BN_new for bne failed\n");

+    ctx = EVP_PKEY_CTX_new(pkey, NULL);

+    if (!ctx) {

+        LOG_ERR("Failed EVP_PKEY_CTX_new");

         goto error;

     }

-    return_code = BN_set_word(bne, RSA_F4);

-    if (return_code != 1) {

-        LOG_ERR("BN_set_word failed\n");

-        BN_free(bne);

+

+    rc = EVP_PKEY_encrypt_init(ctx);

+    if (rc <= 0) {

+        LOG_ERR("Failed EVP_PKEY_encrypt_init");

         goto error;

     }

-    rsa = RSA_new();

-    if (!rsa) {

-        LOG_ERR("RSA_new failed\n");

-        BN_free(bne);

+

+    rc = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);

+    if (rc <= 0) {

+        LOG_ERR("Failed EVP_PKEY_CTX_set_rsa_padding");

         goto error;

     }

-    return_code = RSA_generate_key_ex(rsa, mod_size_bits, bne, NULL);

-    BN_free(bne);

-    if (return_code != 1) {

-        LOG_ERR("RSA_generate_key_ex failed\n");

+

+    rc = EVP_PKEY_CTX_set_rsa_oaep_md(ctx,

+            tpm2_openssl_md_from_tpmhalg(parent_name_alg));

+    if (rc <= 0) {

+        LOG_ERR("Failed EVP_PKEY_CTX_set_rsa_oaep_md");

         goto error;

     }

-    BIGNUM *n = BN_bin2bn(pub_modulus, mod_size, NULL);

-    if (n == NULL) {

-        LOG_ERR("BN_bin2bn failed\n");

+

+    // the library will take ownership of the label

+    char *newlabel = strdup((const char *)label);

+    if (newlabel == NULL) {

+        LOG_ERR("Failed to allocate label");

         goto error;

     }

-    if (!RSA_set0_key(rsa, n, NULL, NULL)) {

-        LOG_ERR("RSA_set0_key failed\n");

-        BN_free(n);

+

+    rc = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, newlabel, label_len);

+    if (rc <= 0) {

+        LOG_ERR("Failed EVP_PKEY_CTX_set0_rsa_oaep_label");

+        free(newlabel);

         goto error;

     }

-    // Encrypting

-    encrypted_protection_seed->size = mod_size;

-    return_code = RSA_public_encrypt(mod_size, encoded,

-            encrypted_protection_seed->secret, rsa, RSA_NO_PADDING);

-    if (return_code < 0) {

-        LOG_ERR("Failed RSA_public_encrypt\n");

+

+    size_t outlen = sizeof(TPMU_ENCRYPTED_SECRET);

+    if (EVP_PKEY_encrypt(ctx, encrypted_protection_seed->secret, &outlen,

+            protection_seed->buffer, protection_seed->size) <= 0) {

+        LOG_ERR("Failed EVP_PKEY_encrypt\n");

         goto error;

     }

-

+    encrypted_protection_seed->size = outlen;

     rval = true;

 error:

-    free(pub_modulus);

-    RSA_free(rsa);

+    EVP_PKEY_CTX_free(ctx);

+    EVP_PKEY_free(pkey);

     return rval;

 }

-- 

2.31.1