Pulled PR softhsm#583 for more RSA OAEP algorithms support

Author: Antoine Lochet

README.md

@@ -37,7 +37,7 @@ SoftHSM depends on a cryptographic library, Botan or OpenSSL.
 Minimum required versions:
 
 - Botan 2.0.0
-- OpenSSL 1.0.0
+- OpenSSL 1.0.2
 
 If you are using Botan, use at least version 2.6.0. This will improve
 the performance when doing public key operations.

m4/acx_crypto_backend.m4

@@ -75,9 +75,11 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 		AC_MSG_RESULT(OpenSSL)
 
 		if test "x${enable_fips}" = "xyes"; then
-			ACX_OPENSSL(1,0,1)
+			# needed for FIPS compliance, so change only when FIPS requirements change
+			ACX_OPENSSL(1,0,2)
 		else
-			ACX_OPENSSL(1,0,0)
+			# increase this as features from newer versions needed
+			ACX_OPENSSL(1,0,2)
 		fi
 
 		CRYPTO_INCLUDES=$OPENSSL_INCLUDES

src/lib/SoftHSM.cpp

@@ -2668,6 +2668,7 @@ CK_RV SoftHSM::AsymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 
 	// Get the asymmetric algorithm matching the mechanism
 	AsymMech::Type mechanism;
+	unsigned long expectedMgf;
 	bool isRSA = false;
 	switch(pMechanism->mechanism) {
 		case CKM_RSA_PKCS:
@@ -2689,7 +2690,37 @@ CK_RV SoftHSM::AsymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 			if (rv != CKR_OK)
 				return rv;
 
-			mechanism = AsymMech::RSA_PKCS_OAEP;
+			switch(CK_RSA_PKCS_OAEP_PARAMS_PTR(pMechanism->pParameter)->hashAlg) {
+				case CKM_SHA_1:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA1;
+					expectedMgf = CKG_MGF1_SHA1;
+					break;
+				case CKM_SHA224:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA224;
+					expectedMgf = CKG_MGF1_SHA224;
+					break;
+				case CKM_SHA256:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA256;
+					expectedMgf = CKG_MGF1_SHA256;
+					break;
+				case CKM_SHA384:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA384;
+					expectedMgf = CKG_MGF1_SHA384;
+					break;
+				case CKM_SHA512:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA512;
+					expectedMgf = CKG_MGF1_SHA512;
+					break;
+				default:
+					DEBUG_MSG("hashAlg must be one of: CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, CKM_SHA512");
+					return CKR_ARGUMENTS_BAD;
+			}
+
+			if(CK_RSA_PKCS_OAEP_PARAMS_PTR(pMechanism->pParameter)->mgf != expectedMgf) {
+				ERROR_MSG("Hash and MGF don't match");
+				return CKR_ARGUMENTS_BAD;
+			}
+
 			isRSA = true;
 			break;
 		default:
@@ -3455,6 +3486,7 @@ CK_RV SoftHSM::AsymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 
 	// Get the asymmetric algorithm matching the mechanism
 	AsymMech::Type mechanism = AsymMech::Unknown;
+	unsigned long expectedMgf;
 	bool isRSA = false;
 	switch(pMechanism->mechanism) {
 		case CKM_RSA_PKCS:
@@ -3478,18 +3510,38 @@ CK_RV SoftHSM::AsymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 				DEBUG_MSG("pParameter must be of type CK_RSA_PKCS_OAEP_PARAMS");
 				return CKR_ARGUMENTS_BAD;
 			}
-			if (CK_RSA_PKCS_OAEP_PARAMS_PTR(pMechanism->pParameter)->hashAlg != CKM_SHA_1)
-			{
-				DEBUG_MSG("hashAlg must be CKM_SHA_1");
-				return CKR_ARGUMENTS_BAD;
+
+			switch(CK_RSA_PKCS_OAEP_PARAMS_PTR(pMechanism->pParameter)->hashAlg) {
+				case CKM_SHA_1:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA1;
+					expectedMgf = CKG_MGF1_SHA1;
+					break;
+				case CKM_SHA224:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA224;
+					expectedMgf = CKG_MGF1_SHA224;
+					break;
+				case CKM_SHA256:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA256;
+					expectedMgf = CKG_MGF1_SHA256;
+					break;
+				case CKM_SHA384:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA384;
+					expectedMgf = CKG_MGF1_SHA384;
+					break;
+				case CKM_SHA512:
+					mechanism = AsymMech::RSA_PKCS_OAEP_SHA512;
+					expectedMgf = CKG_MGF1_SHA512;
+					break;
+				default:
+					DEBUG_MSG("hashAlg must be one of: CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, CKM_SHA512");
+					return CKR_ARGUMENTS_BAD;
 			}
-			if (CK_RSA_PKCS_OAEP_PARAMS_PTR(pMechanism->pParameter)->mgf != CKG_MGF1_SHA1)
-			{
-				DEBUG_MSG("mgf must be CKG_MGF1_SHA1");
+
+			if (CK_RSA_PKCS_OAEP_PARAMS_PTR(pMechanism->pParameter)->mgf != expectedMgf) {
+				ERROR_MSG("Hash and MGF don't match");
 				return CKR_ARGUMENTS_BAD;
 			}
 
-			mechanism = AsymMech::RSA_PKCS_OAEP;
 			isRSA = true;
 			break;
 		default:
@@ -4422,7 +4474,7 @@ CK_RV SoftHSM::MacSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechani
 
 CK_RV SoftHSM::GmacSignInit(Token* token, Session* session, CK_MECHANISM_PTR pMechanism, OSObject *key)
 {
-	
+
 	// Get key info
 	CK_KEY_TYPE keyType = key->getUnsignedLongValue(CKA_KEY_TYPE, CKK_VENDOR_DEFINED);
 
@@ -4475,7 +4527,7 @@ CK_RV SoftHSM::GmacSignInit(Token* token, Session* session, CK_MECHANISM_PTR pMe
 		CryptoFactory::i()->recycleSymmetricAlgorithm(cipher);
 		return CKR_MECHANISM_INVALID;
 	}
-	
+
 	session->setOpType(SESSION_OP_SIGN);
 	session->setSymmetricCryptoOp(cipher);
 	session->setAllowMultiPartOp(false);
@@ -4537,7 +4589,7 @@ CK_RV SoftHSM::GmacVerifyInit(Token* token, Session* session, CK_MECHANISM_PTR p
 		CryptoFactory::i()->recycleSymmetricAlgorithm(cipher);
 		return CKR_MECHANISM_INVALID;
 	}
-	
+
 	session->setOpType(SESSION_OP_VERIFY);
 	session->setSymmetricCryptoOp(cipher);
 	session->setAllowMultiPartOp(false);
@@ -5100,7 +5152,7 @@ static CK_RV GmacSign(Session* session, CK_BYTE_PTR pSignature, CK_ULONG_PTR pul
 		*pulSignatureLen = maxSize;
 		return CKR_BUFFER_TOO_SMALL;
 	}
-	
+
 	// Finalize encryption
 	ByteString encryptedData;
 	if (!cipher->encryptFinal(encryptedData))
@@ -5203,7 +5255,7 @@ CK_RV SoftHSM::C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ul
 	if (mockReturnCode != CKR_OK) {
 		return mockErrorCode;
 	}
-	
+
 	// Get the session
 	Session* session = (Session*)handleManager->getSession(hSession);
 	if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
@@ -5213,7 +5265,7 @@ CK_RV SoftHSM::C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ul
 		if (pData == NULL_PTR) return CKR_ARGUMENTS_BAD;
 		if (pulSignatureLen == NULL_PTR) return CKR_ARGUMENTS_BAD;
 	}
-	
+
 	// Check if we are doing the correct operation
 	if (session->getOpType() != SESSION_OP_SIGN)
 		return CKR_OPERATION_NOT_INITIALIZED;
@@ -6243,7 +6295,7 @@ CK_RV SoftHSM::C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG
 		return mockErrorCode;
 	}
 
-	
+
 	// Get the session
 	Session* session = (Session*)handleManager->getSession(hSession);
 	if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
@@ -7083,6 +7135,7 @@ CK_RV SoftHSM::WrapKeyAsym
 	const size_t bb = 8;
 	AsymAlgo::Type algo = AsymAlgo::Unknown;
 	AsymMech::Type mech = AsymMech::Unknown;
+	unsigned long expectedMgf;
 
 	CK_ULONG modulus_length;
 	switch(pMechanism->mechanism) {
@@ -7109,11 +7162,51 @@ CK_RV SoftHSM::WrapKeyAsym
 			break;
 
 		case CKM_RSA_PKCS_OAEP:
-			mech = AsymMech::RSA_PKCS_OAEP;
-			// SHA-1 is the only supported option
-			// PKCS#11 2.40 draft 2 section 2.1.8: input length <= k-2-2hashLen
-			if (keydata.size() > modulus_length - 2 - 2 * 160 / 8)
-				return CKR_KEY_SIZE_RANGE;
+			switch(CK_RSA_PKCS_OAEP_PARAMS_PTR(pMechanism->pParameter)->hashAlg) {
+				case CKM_SHA_1:
+					mech = AsymMech::RSA_PKCS_OAEP_SHA1;
+					expectedMgf = CKG_MGF1_SHA1;
+					// PKCS#11 2.40 draft 2 section 2.1.8: input length <= k-2-2hashLen
+					if (keydata.size() > modulus_length - 2 - 2 * 160 / 8)
+						return CKR_KEY_SIZE_RANGE;
+					break;
+				case CKM_SHA224:
+					mech = AsymMech::RSA_PKCS_OAEP_SHA224;
+					expectedMgf = CKG_MGF1_SHA224;
+					// PKCS#11 2.40 draft 2 section 2.1.8: input length <= k-2-2hashLen
+					if (keydata.size() > modulus_length - 2 - 2 * 224 / 8)
+						return CKR_KEY_SIZE_RANGE;
+					break;
+				case CKM_SHA256:
+					mech = AsymMech::RSA_PKCS_OAEP_SHA256;
+					expectedMgf = CKG_MGF1_SHA256;
+					// PKCS#11 2.40 draft 2 section 2.1.8: input length <= k-2-2hashLen
+					if (keydata.size() > modulus_length - 2 - 2 * 256 / 8)
+						return CKR_KEY_SIZE_RANGE;
+					break;
+				case CKM_SHA384:
+					mech = AsymMech::RSA_PKCS_OAEP_SHA384;
+					expectedMgf = CKG_MGF1_SHA384;
+					// PKCS#11 2.40 draft 2 section 2.1.8: input length <= k-2-2hashLen
+					if (keydata.size() > modulus_length - 2 - 2 * 384 / 8)
+						return CKR_KEY_SIZE_RANGE;
+					break;
+				case CKM_SHA512:
+					mech = AsymMech::RSA_PKCS_OAEP_SHA512;
+					expectedMgf = CKG_MGF1_SHA512;
+					// PKCS#11 2.40 draft 2 section 2.1.8: input length <= k-2-2hashLen
+					if (keydata.size() > modulus_length - 2 - 2 * 512 / 8)
+						return CKR_KEY_SIZE_RANGE;
+					break;
+				default:
+					return CKR_MECHANISM_INVALID;
+			}
+
+			if(CK_RSA_PKCS_OAEP_PARAMS_PTR(pMechanism->pParameter)->mgf != expectedMgf) {
+				ERROR_MSG("Hash and MGF don't match");
+				return CKR_ARGUMENTS_BAD;
+			}
+
 			break;
 
 		default:
@@ -7676,6 +7769,7 @@ CK_RV SoftHSM::UnwrapKeyAsym
 	// Get the symmetric algorithm matching the mechanism
 	AsymAlgo::Type algo = AsymAlgo::Unknown;
 	AsymMech::Type mode = AsymMech::Unknown;
+	unsigned long expectedMgf;
 	switch(pMechanism->mechanism) {
 		case CKM_RSA_PKCS:
 			algo = AsymAlgo::RSA;
@@ -7684,7 +7778,35 @@ CK_RV SoftHSM::UnwrapKeyAsym
 
 		case CKM_RSA_PKCS_OAEP:
 			algo = AsymAlgo::RSA;
-			mode = AsymMech::RSA_PKCS_OAEP;
+			switch(CK_RSA_PKCS_OAEP_PARAMS_PTR(pMechanism->pParameter)->hashAlg) {
+				case CKM_SHA_1:
+					mode = AsymMech::RSA_PKCS_OAEP_SHA1;
+					expectedMgf = CKG_MGF1_SHA1;
+					break;
+				case CKM_SHA224:
+					mode = AsymMech::RSA_PKCS_OAEP_SHA224;
+					expectedMgf = CKG_MGF1_SHA224;
+					break;
+				case CKM_SHA256:
+					mode = AsymMech::RSA_PKCS_OAEP_SHA256;
+					expectedMgf = CKG_MGF1_SHA256;
+					break;
+				case CKM_SHA384:
+					mode = AsymMech::RSA_PKCS_OAEP_SHA384;
+					expectedMgf = CKG_MGF1_SHA384;
+					break;
+				case CKM_SHA512:
+					mode = AsymMech::RSA_PKCS_OAEP_SHA512;
+					expectedMgf = CKG_MGF1_SHA512;
+					break;
+				default:
+					return CKR_MECHANISM_INVALID;
+			}
+
+			if (CK_RSA_PKCS_PSS_PARAMS_PTR(pMechanism->pParameter)->mgf != expectedMgf) {
+				ERROR_MSG("Hash and MGF don't match");
+				return CKR_ARGUMENTS_BAD;
+			}
 			break;
 
 		default:
@@ -13992,14 +14114,22 @@ CK_RV SoftHSM::MechParamCheckRSAPKCSOAEP(CK_MECHANISM_PTR pMechanism)
 	}
 
 	CK_RSA_PKCS_OAEP_PARAMS_PTR params = (CK_RSA_PKCS_OAEP_PARAMS_PTR)pMechanism->pParameter;
-	if (params->hashAlg != CKM_SHA_1)
+	if (params->hashAlg != CKM_SHA_1 &&
+	    params->hashAlg != CKM_SHA224 &&
+	    params->hashAlg != CKM_SHA256 &&
+	    params->hashAlg != CKM_SHA384 &&
+	    params->hashAlg != CKM_SHA512)
 	{
-		ERROR_MSG("hashAlg must be CKM_SHA_1");
+		ERROR_MSG("hashAlg must be one of: CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, CKM_SHA512");
 		return CKR_ARGUMENTS_BAD;
 	}
-	if (params->mgf != CKG_MGF1_SHA1)
+	if (params->mgf != CKG_MGF1_SHA1 &&
+	    params->mgf != CKG_MGF1_SHA224 &&
+	    params->mgf != CKG_MGF1_SHA256 &&
+	    params->mgf != CKG_MGF1_SHA384 &&
+	    params->mgf != CKG_MGF1_SHA512)
 	{
-		ERROR_MSG("mgf must be CKG_MGF1_SHA1");
+		ERROR_MSG("mgf must be onf of: CKG_MGF1_SHA1, CKM_MGF1_SHA224, CKM_MGF1_SHA256, CKM_MGF1_SHA384, CKM_MGF1_SHA512");
 		return CKR_ARGUMENTS_BAD;
 	}
 	if (params->source != CKZ_DATA_SPECIFIED)

src/lib/crypto/AsymmetricAlgorithm.cpp

@@ -152,7 +152,11 @@ bool AsymmetricAlgorithm::isWrappingMech(AsymMech::Type padding)
 	{
 		case AsymMech::RSA:
 		case AsymMech::RSA_PKCS:
-		case AsymMech::RSA_PKCS_OAEP:
+		case AsymMech::RSA_PKCS_OAEP_SHA1:
+		case AsymMech::RSA_PKCS_OAEP_SHA224:
+		case AsymMech::RSA_PKCS_OAEP_SHA256:
+		case AsymMech::RSA_PKCS_OAEP_SHA384:
+		case AsymMech::RSA_PKCS_OAEP_SHA512:
 			return true;
 
 		default:

src/lib/crypto/AsymmetricAlgorithm.h

@@ -65,7 +65,11 @@ struct AsymMech
 		RSA,
 		RSA_MD5_PKCS,
 		RSA_PKCS,
-		RSA_PKCS_OAEP,
+		RSA_PKCS_OAEP_SHA1,
+		RSA_PKCS_OAEP_SHA224,
+		RSA_PKCS_OAEP_SHA256,
+		RSA_PKCS_OAEP_SHA384,
+		RSA_PKCS_OAEP_SHA512,
 		RSA_SHA1_PKCS,
 		RSA_SHA224_PKCS,
 		RSA_SHA256_PKCS,

src/lib/crypto/BotanRSA.cpp

@@ -761,8 +761,20 @@ bool BotanRSA::encrypt(PublicKey* publicKey, const ByteString& data,
 		case AsymMech::RSA_PKCS:
 			eme = "PKCS1v15";
 			break;
-		case AsymMech::RSA_PKCS_OAEP:
-			eme = "EME1(SHA-160)";
+		case AsymMech::RSA_PKCS_OAEP_SHA1:
+			eme = "EME1(SHA-1)";
+			break;
+		case AsymMech::RSA_PKCS_OAEP_SHA224:
+			eme = "EME1(SHA-224)";
+			break;
+		case AsymMech::RSA_PKCS_OAEP_SHA256:
+			eme = "EME1(SHA-256)";
+			break;
+		case AsymMech::RSA_PKCS_OAEP_SHA384:
+			eme = "EME1(SHA-384)";
+			break;
+		case AsymMech::RSA_PKCS_OAEP_SHA512:
+			eme = "EME1(SHA-512)";
 			break;
 		case AsymMech::RSA:
 			eme = "Raw";
@@ -855,8 +867,20 @@ bool BotanRSA::decrypt(PrivateKey* privateKey, const ByteString& encryptedData,
 		case AsymMech::RSA_PKCS:
 			eme = "PKCS1v15";
 			break;
-		case AsymMech::RSA_PKCS_OAEP:
-			eme = "EME1(SHA-160)";
+		case AsymMech::RSA_PKCS_OAEP_SHA1:
+			eme = "EME1(SHA-1)";
+			break;
+		case AsymMech::RSA_PKCS_OAEP_SHA224:
+			eme = "EME1(SHA-224)";
+			break;
+		case AsymMech::RSA_PKCS_OAEP_SHA256:
+			eme = "EME1(SHA-256)";
+			break;
+		case AsymMech::RSA_PKCS_OAEP_SHA384:
+			eme = "EME1(SHA-384)";
+			break;
+		case AsymMech::RSA_PKCS_OAEP_SHA512:
+			eme = "EME1(SHA-512)";
 			break;
 		case AsymMech::RSA:
 			eme = "Raw";