Introduce new RSA API.

This also:
a) deprecates the old RSA and PKCS#1 API.
b) reverts the changes done to them in order to make them API compatible
   again with the last release.

The fixes commit mentioned is the testcase for the Bleichenbacher
attack, which works now again as expected.

Fixes: 9d03c38 ("add flags to `der_decode_sequence()`")
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>

Author: sjaeckel

src/headers/tomcrypt_pk.h

@@ -70,7 +70,10 @@ typedef struct ltc_rsa_parameters {
    /** saltLength is only defined for PSS
     * If saltLength == 0 -> OAEP, else -> PSS */
    unsigned long saltlen;
-   /** hash and MGF hash algorithms */
+   /** lparam hash for OAEP
+    *     resp.
+    *  signature hash for PSS
+    * and MGF hash algorithms */
    const char *hash_alg, *mgf1_hash_alg;
 } ltc_rsa_parameters;
 
@@ -109,51 +112,93 @@ int rsa_exptmod(const unsigned char *in,   unsigned long inlen,
 
 void rsa_free(rsa_key *key);
 
+typedef struct ltc_rsa_op_parameters {
+   /* pss_oaep flag is unused */
+   ltc_rsa_parameters params;
+   /* The padding type */
+   int padding;
+   /* The PRNG to use.
+    * Only required for signing and encryption. */
+   int wprng;
+   prng_state *prng;
+   /* Operation-specific parameters */
+   union {
+      struct {
+         const unsigned char *lparam;
+               unsigned long  lparamlen;
+      } crypt;
+      /* let's make space for potential future extensions */
+      ulong64 dummy[8];
+   } u;
+} ltc_rsa_op_parameters;
+
+int rsa_encrypt_key_v2(const unsigned char   *in,     unsigned long  inlen,
+                             unsigned char   *out,    unsigned long *outlen,
+                       ltc_rsa_op_parameters *opts,
+                       const rsa_key         *key);
+
+int rsa_decrypt_key_v2(const unsigned char   *in,     unsigned long  inlen,
+                             unsigned char   *out,    unsigned long *outlen,
+                       ltc_rsa_op_parameters *opts,
+                             int             *stat,
+                       const rsa_key         *key);
+
+int rsa_sign_hash_v2(const unsigned char   *hash,   unsigned long  hashlen,
+                           unsigned char   *sig,    unsigned long *siglen,
+                     ltc_rsa_op_parameters *opts,
+                     const rsa_key         *key);
+
+int rsa_verify_hash_v2(const unsigned char   *sig,    unsigned long  siglen,
+                       const unsigned char   *hash,   unsigned long  hashlen,
+                       ltc_rsa_op_parameters *opts,
+                             int             *stat,
+                       const rsa_key         *key);
+
 /* These use PKCS #1 v2.0 padding */
 #define rsa_encrypt_key(in, inlen, out, outlen, lparam, lparamlen, prng, prng_idx, hash_idx, key) \
-  rsa_encrypt_key_ex(in, inlen, out, outlen, lparam, lparamlen, prng, prng_idx, hash_idx, -1, LTC_PKCS_1_OAEP, key)
+  rsa_encrypt_key_ex(in, inlen, out, outlen, lparam, lparamlen, prng, prng_idx, hash_idx, LTC_PKCS_1_OAEP, key)
 
 #define rsa_decrypt_key(in, inlen, out, outlen, lparam, lparamlen, hash_idx, stat, key) \
-  rsa_decrypt_key_ex(in, inlen, out, outlen, lparam, lparamlen, hash_idx, -1, LTC_PKCS_1_OAEP, stat, key)
+  rsa_decrypt_key_ex(in, inlen, out, outlen, lparam, lparamlen, hash_idx, LTC_PKCS_1_OAEP, stat, key)
 
 #define rsa_sign_hash(in, inlen, out, outlen, prng, prng_idx, hash_idx, saltlen, key) \
-  rsa_sign_hash_ex(in, inlen, out, outlen, LTC_PKCS_1_PSS, prng, prng_idx, hash_idx, hash_idx, saltlen, key)
+  rsa_sign_hash_ex(in, inlen, out, outlen, LTC_PKCS_1_PSS, prng, prng_idx, hash_idx, saltlen, key)
 
 #define rsa_verify_hash(sig, siglen, hash, hashlen, hash_idx, saltlen, stat, key) \
-  rsa_verify_hash_ex(sig, siglen, hash, hashlen, LTC_PKCS_1_PSS, hash_idx, hash_idx, saltlen, stat, key)
+  rsa_verify_hash_ex(sig, siglen, hash, hashlen, LTC_PKCS_1_PSS, hash_idx, saltlen, stat, key)
 
 #define rsa_sign_saltlen_get_max(hash_idx, key) \
   rsa_sign_saltlen_get_max_ex(LTC_PKCS_1_PSS, hash_idx, key)
 
 /* These can be switched between PKCS #1 v2.x and PKCS #1 v1.5 paddings */
+LTC_DEPRECATED(rsa_encrypt_key_v2)
 int rsa_encrypt_key_ex(const unsigned char *in,       unsigned long  inlen,
                              unsigned char *out,      unsigned long *outlen,
                        const unsigned char *lparam,   unsigned long  lparamlen,
                              prng_state    *prng,     int            prng_idx,
-                             int            mgf_hash, int            lparam_hash,
-                             int            padding,
+                             int            hash_idx, int            padding,
                        const rsa_key       *key);
 
+LTC_DEPRECATED(rsa_decrypt_key_v2)
 int rsa_decrypt_key_ex(const unsigned char *in,             unsigned long  inlen,
                              unsigned char *out,            unsigned long *outlen,
                        const unsigned char *lparam,         unsigned long  lparamlen,
-                             int            mgf_hash,       int            lparam_hash,
-                             int            padding,
+                             int            hash_idx,       int            padding,
                              int           *stat,     const rsa_key       *key);
 
+LTC_DEPRECATED(rsa_sign_hash_v2)
 int rsa_sign_hash_ex(const unsigned char *in,       unsigned long  inlen,
                            unsigned char *out,      unsigned long *outlen,
                            int            padding,
                            prng_state    *prng,               int  prng_idx,
-                           int            hash_idx,           int  mgf_hash_idx,
-                           unsigned long  saltlen,
+                           int            hash_idx, unsigned long  saltlen,
                      const rsa_key       *key);
 
+LTC_DEPRECATED(rsa_verify_hash_v2)
 int rsa_verify_hash_ex(const unsigned char *sig,            unsigned long  siglen,
                        const unsigned char *hash,           unsigned long  hashlen,
                              int            padding,
-                             int            hash_idx,                 int  mgf_hash_idx,
-                             unsigned long  saltlen,
+                             int            hash_idx,       unsigned long  saltlen,
                              int           *stat,     const rsa_key       *key);
 
 int rsa_sign_saltlen_get_max_ex(int padding, int hash_idx, const rsa_key *key);

src/headers/tomcrypt_pkcs.h

@@ -20,14 +20,18 @@ enum ltc_pkcs_1_paddings
   LTC_PKCS_1_V1_5_NA1 = 4         /* PKCS #1 v1.5 padding - No ASN.1 (\sa ltc_pkcs_1_v1_5_blocks) */
 };
 
+LTC_DEPRECATED(nothing. API will be internal)
 int pkcs_1_mgf1(      int            hash_idx,
                 const unsigned char *seed, unsigned long seedlen,
                       unsigned char *mask, unsigned long masklen);
 
+LTC_DEPRECATED(nothing. API will be removed)
 int pkcs_1_i2osp(void *n, unsigned long modulus_len, unsigned char *out);
+LTC_DEPRECATED(nothing. API will be removed)
 int pkcs_1_os2ip(void *n, unsigned char *in, unsigned long inlen);
 
 /* *** v1.5 padding */
+LTC_DEPRECATED(nothing. API will be internal)
 int pkcs_1_v1_5_encode(const unsigned char *msg,
                              unsigned long  msglen,
                              int            block_type,
@@ -37,6 +41,7 @@ int pkcs_1_v1_5_encode(const unsigned char *msg,
                              unsigned char *out,
                              unsigned long *outlen);
 
+LTC_DEPRECATED(nothing. API will be internal)
 int pkcs_1_v1_5_decode(const unsigned char *msg,
                              unsigned long  msglen,
                                        int  block_type,
@@ -46,26 +51,28 @@ int pkcs_1_v1_5_decode(const unsigned char *msg,
                                        int *is_valid);
 
 /* *** v2.1 padding */
+LTC_DEPRECATED(nothing. API will be internal)
 int pkcs_1_oaep_encode(const unsigned char *msg,    unsigned long msglen,
                        const unsigned char *lparam, unsigned long lparamlen,
                              unsigned long modulus_bitlen, prng_state *prng,
-                             int           prng_idx,
-                             int           mgf_hash, int lparam_hash,
+                             int           prng_idx, int          hash_idx,
                              unsigned char *out,    unsigned long *outlen);
 
+LTC_DEPRECATED(nothing. API will be internal)
 int pkcs_1_oaep_decode(const unsigned char *msg,    unsigned long msglen,
                        const unsigned char *lparam, unsigned long lparamlen,
-                             unsigned long modulus_bitlen,
-                             int           mgf_hash, int          lparam_hash,
+                             unsigned long modulus_bitlen, int hash_idx,
                              unsigned char *out,    unsigned long *outlen,
                              int           *res);
 
+LTC_DEPRECATED(nothing. API will be internal)
 int pkcs_1_pss_encode(const unsigned char *msghash, unsigned long msghashlen,
                             unsigned long saltlen,  prng_state   *prng,
                             int           prng_idx, int           hash_idx,
                             unsigned long modulus_bitlen,
                             unsigned char *out,     unsigned long *outlen);
 
+LTC_DEPRECATED(nothing. API will be internal)
 int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
                       const unsigned char *sig,     unsigned long siglen,
                             unsigned long saltlen,  int           hash_idx,

src/headers/tomcrypt_private.h

@@ -435,13 +435,51 @@ int pk_oid_cmp_with_ulong(const char *o1, const unsigned long *o2, unsigned long
 
 /* ---- DH Routines ---- */
 #ifdef LTC_MRSA
+/* Receiving side, i.e. Decrypt or Verify */
+#define LTC_RSA_OP_RECV  0x00u
+/* Sending side, i.e. Encrypt or Sign */
+#define LTC_RSA_OP_SEND  0x01u
+/* En- or Decrypt */
+#define LTC_RSA_OP_CRYPT 0x00u
+/* Sign or Verify */
+#define LTC_RSA_OP_SIGN  0x02u
+/* All combinations of the above
+ * but only the PKCS#1 de-/encoding part */
+#define LTC_RSA_OP_PKCS1 0x04u
+
 typedef enum ltc_rsa_op {
-   LTC_RSA_CRYPT,
-   LTC_RSA_SIGN
+   LTC_RSA_DECRYPT = LTC_RSA_OP_CRYPT | LTC_RSA_OP_RECV,
+   LTC_RSA_ENCRYPT = LTC_RSA_OP_CRYPT | LTC_RSA_OP_SEND,
+   LTC_RSA_VERIFY  = LTC_RSA_OP_SIGN | LTC_RSA_OP_RECV,
+   LTC_RSA_SIGN    = LTC_RSA_OP_SIGN | LTC_RSA_OP_SEND,
+   LTC_PKCS1_ENCRYPT = LTC_RSA_OP_PKCS1 | LTC_RSA_ENCRYPT,
+   LTC_PKCS1_DECRYPT = LTC_RSA_OP_PKCS1 | LTC_RSA_DECRYPT,
+   LTC_PKCS1_SIGN    = LTC_RSA_OP_PKCS1 | LTC_RSA_SIGN,
+   LTC_PKCS1_VERIFY  = LTC_RSA_OP_PKCS1 | LTC_RSA_VERIFY,
 } ltc_rsa_op;
+
+typedef struct ltc_rsa_op_check {
+   const rsa_key *key;
+   ltc_rsa_op_parameters *params;
+   int hash_alg, mgf1_hash_alg;
+} ltc_rsa_op_checked;
+
+#define ltc_rsa_op_checked_init(k, p) {  \
+   .key = k,                           \
+   .params = p,                        \
+   .hash_alg = -1,                     \
+   .mgf1_hash_alg = -1,                \
+}
+
+#define ltc_pkcs1_op_checked_init(p) ltc_rsa_op_checked_init(NULL, p)
+
 int rsa_init(rsa_key *key);
 void rsa_shrink_key(rsa_key *key);
-int rsa_key_valid_op(const rsa_key *key, ltc_rsa_op op, int padding, int hash_idx);
+int rsa_args_to_op_params(const unsigned char *lparam, unsigned long lparamlen,
+                          prng_state *prng, int prng_idx, int hash_idx,
+                          int padding, unsigned long saltlen,
+                          ltc_rsa_op_parameters *params);
+int rsa_key_valid_op(ltc_rsa_op op, ltc_rsa_op_checked *params);
 int rsa_params_equal(const ltc_rsa_parameters *a, const ltc_rsa_parameters *b);
 int rsa_make_key_bn_e(prng_state *prng, int wprng, int size, void *e,
                       rsa_key *key); /* used by op-tee */
@@ -756,17 +794,23 @@ int pk_oid_cmp_with_asn1(const char *o1, const ltc_asn1_list *o2);
 
 #ifdef LTC_PKCS_1
 
-int pkcs_1_pss_encode_mgf1(const unsigned char *msghash,       unsigned long  msghashlen,
-                                 unsigned long saltlen,
-                                 prng_state    *prng,                    int  prng_idx,
-                                 int           hash_idx,                 int  mgf_hash_idx,
-                                 unsigned long modulus_bitlen,
-                                 unsigned char *out,           unsigned long *outlen);
-int pkcs_1_pss_decode_mgf1(const unsigned char *msghash, unsigned long msghashlen,
-                           const unsigned char *sig,     unsigned long siglen,
-                                 unsigned long saltlen,
-                                          int  hash_idx,           int mgf_hash_idx,
-                                 unsigned long modulus_bitlen,     int *res);
+int ltc_pkcs_1_pss_encode_mgf1(const unsigned char *msghash,       unsigned long  msghashlen,
+                             ltc_rsa_op_parameters *params,
+                                     unsigned long  modulus_bitlen,
+                                     unsigned char *out,           unsigned long *outlen);
+int ltc_pkcs_1_pss_decode_mgf1(const unsigned char *msghash, unsigned long  msghashlen,
+                               const unsigned char *sig,     unsigned long  siglen,
+                               ltc_rsa_op_parameters *params,
+                                     unsigned long  modulus_bitlen,    int *res);
+int ltc_pkcs_1_oaep_encode(const unsigned char   *msg,    unsigned long msglen,
+                                unsigned long    modulus_bitlen,
+                          ltc_rsa_op_parameters *params,
+                                unsigned char   *out,    unsigned long *outlen);
+int ltc_pkcs_1_oaep_decode(const unsigned char *msg,    unsigned long msglen,
+                                 unsigned long  modulus_bitlen,
+                         ltc_rsa_op_parameters *params,
+                                 unsigned char *out,    unsigned long *outlen,
+                                 int           *res);
 
 #endif /* LTC_PKCS_1 */