1 /* 2 * Copyright 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include "rsa_operation.h" 18 19 #include <limits.h> 20 21 #include <new> 22 23 #include <openssl/err.h> 24 25 #include <keymaster/logger.h> 26 27 #include "openssl_err.h" 28 #include "openssl_utils.h" 29 #include "rsa_key.h" 30 31 namespace keymaster { 32 33 const size_t kPssOverhead = 2; 34 const size_t kMinPssSaltSize = 20; 35 36 // Overhead for PKCS#1 v1.5 signature padding of undigested messages. Digested messages have 37 // additional overhead, for the digest algorithmIdentifier required by PKCS#1. 38 const size_t kPkcs1UndigestedSignaturePaddingOverhead = 11; 39 40 /* static */ 41 EVP_PKEY* RsaOperationFactory::GetRsaKey(const Key& key, keymaster_error_t* error) { 42 const RsaKey* rsa_key = static_cast<const RsaKey*>(&key); 43 assert(rsa_key); 44 if (!rsa_key || !rsa_key->key()) { 45 *error = KM_ERROR_UNKNOWN_ERROR; 46 return nullptr; 47 } 48 49 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new()); 50 if (!rsa_key->InternalToEvp(pkey.get())) { 51 *error = KM_ERROR_UNKNOWN_ERROR; 52 return nullptr; 53 } 54 return pkey.release(); 55 } 56 57 static const keymaster_digest_t supported_digests[] = { 58 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 59 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}; 60 61 const keymaster_digest_t* RsaOperationFactory::SupportedDigests(size_t* digest_count) const { 62 *digest_count = array_length(supported_digests); 63 return supported_digests; 64 } 65 66 RsaOperation* RsaOperationFactory::CreateRsaOperation(const Key& key, 67 const AuthorizationSet& begin_params, 68 keymaster_error_t* error) { 69 keymaster_padding_t padding; 70 if (!GetAndValidatePadding(begin_params, key, &padding, error)) 71 return nullptr; 72 73 bool require_digest = (purpose() == KM_PURPOSE_SIGN || purpose() == KM_PURPOSE_VERIFY || 74 padding == KM_PAD_RSA_OAEP); 75 76 keymaster_digest_t digest = KM_DIGEST_NONE; 77 if (require_digest && !GetAndValidateDigest(begin_params, key, &digest, error)) 78 return nullptr; 79 if (!require_digest && begin_params.find(TAG_DIGEST) != -1) { 80 *error = KM_ERROR_UNSUPPORTED_DIGEST; 81 return nullptr; 82 } 83 84 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> rsa(GetRsaKey(key, error)); 85 if (!rsa.get()) 86 return nullptr; 87 88 RsaOperation* op = InstantiateOperation(digest, padding, rsa.release()); 89 if (!op) 90 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; 91 return op; 92 } 93 94 static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, 95 KM_PAD_RSA_PSS}; 96 const keymaster_padding_t* 97 RsaDigestingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const { 98 *padding_mode_count = array_length(supported_sig_padding); 99 return supported_sig_padding; 100 } 101 102 RsaOperation* RsaCryptingOperationFactory::CreateRsaOperation(const Key& key, 103 const AuthorizationSet& begin_params, 104 keymaster_error_t* error) { 105 UniquePtr<RsaOperation> op(RsaOperationFactory::CreateRsaOperation(key, begin_params, error)); 106 if (op.get()) { 107 switch (op->padding()) { 108 case KM_PAD_NONE: 109 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT: 110 if (op->digest() != KM_DIGEST_NONE) { 111 *error = KM_ERROR_INCOMPATIBLE_DIGEST; 112 return nullptr; 113 } 114 break; 115 116 case KM_PAD_RSA_OAEP: 117 if (op->digest() == KM_DIGEST_NONE) { 118 *error = KM_ERROR_INCOMPATIBLE_DIGEST; 119 return nullptr; 120 } 121 break; 122 123 default: 124 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE; 125 return nullptr; 126 } 127 } 128 return op.release(); 129 } 130 131 static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_NONE, KM_PAD_RSA_OAEP, 132 KM_PAD_RSA_PKCS1_1_5_ENCRYPT}; 133 const keymaster_padding_t* 134 RsaCryptingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const { 135 *padding_mode_count = array_length(supported_crypt_padding); 136 return supported_crypt_padding; 137 } 138 139 RsaOperation::~RsaOperation() { 140 if (rsa_key_ != NULL) 141 EVP_PKEY_free(rsa_key_); 142 } 143 144 keymaster_error_t RsaOperation::Begin(const AuthorizationSet& /* input_params */, 145 AuthorizationSet* /* output_params */) { 146 return InitDigest(); 147 } 148 149 keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */, 150 const Buffer& input, AuthorizationSet* /* output_params */, 151 Buffer* /* output */, size_t* input_consumed) { 152 assert(input_consumed); 153 switch (purpose()) { 154 default: 155 return KM_ERROR_UNIMPLEMENTED; 156 case KM_PURPOSE_SIGN: 157 case KM_PURPOSE_VERIFY: 158 case KM_PURPOSE_ENCRYPT: 159 case KM_PURPOSE_DECRYPT: 160 return StoreData(input, input_consumed); 161 } 162 } 163 164 keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) { 165 assert(input_consumed); 166 167 if (!data_.reserve(EVP_PKEY_size(rsa_key_))) 168 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 169 // If the write fails, it's because input length exceeds key size. 170 if (!data_.write(input.peek_read(), input.available_read())) { 171 LOG_E("Input too long: cannot operate on %u bytes of data with %u-byte RSA key", 172 input.available_read() + data_.available_read(), EVP_PKEY_size(rsa_key_)); 173 return KM_ERROR_INVALID_INPUT_LENGTH; 174 } 175 176 *input_consumed = input.available_read(); 177 return KM_ERROR_OK; 178 } 179 180 keymaster_error_t RsaOperation::SetRsaPaddingInEvpContext(EVP_PKEY_CTX* pkey_ctx) { 181 keymaster_error_t error; 182 int openssl_padding = GetOpensslPadding(&error); 183 if (error != KM_ERROR_OK) 184 return error; 185 186 if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, openssl_padding) <= 0) 187 return TranslateLastOpenSslError(); 188 return KM_ERROR_OK; 189 } 190 191 keymaster_error_t RsaOperation::InitDigest() { 192 if (digest_ == KM_DIGEST_NONE) { 193 if (require_digest()) 194 return KM_ERROR_INCOMPATIBLE_DIGEST; 195 return KM_ERROR_OK; 196 } 197 198 switch (digest_) { 199 case KM_DIGEST_NONE: 200 return KM_ERROR_OK; 201 case KM_DIGEST_MD5: 202 digest_algorithm_ = EVP_md5(); 203 return KM_ERROR_OK; 204 case KM_DIGEST_SHA1: 205 digest_algorithm_ = EVP_sha1(); 206 return KM_ERROR_OK; 207 case KM_DIGEST_SHA_2_224: 208 digest_algorithm_ = EVP_sha224(); 209 return KM_ERROR_OK; 210 case KM_DIGEST_SHA_2_256: 211 digest_algorithm_ = EVP_sha256(); 212 return KM_ERROR_OK; 213 case KM_DIGEST_SHA_2_384: 214 digest_algorithm_ = EVP_sha384(); 215 return KM_ERROR_OK; 216 case KM_DIGEST_SHA_2_512: 217 digest_algorithm_ = EVP_sha512(); 218 return KM_ERROR_OK; 219 default: 220 return KM_ERROR_UNSUPPORTED_DIGEST; 221 } 222 } 223 224 RsaDigestingOperation::RsaDigestingOperation(keymaster_purpose_t purpose, keymaster_digest_t digest, 225 keymaster_padding_t padding, EVP_PKEY* key) 226 : RsaOperation(purpose, digest, padding, key) { 227 EVP_MD_CTX_init(&digest_ctx_); 228 } 229 RsaDigestingOperation::~RsaDigestingOperation() { 230 EVP_MD_CTX_cleanup(&digest_ctx_); 231 } 232 233 int RsaDigestingOperation::GetOpensslPadding(keymaster_error_t* error) { 234 *error = KM_ERROR_OK; 235 switch (padding_) { 236 case KM_PAD_NONE: 237 return RSA_NO_PADDING; 238 case KM_PAD_RSA_PKCS1_1_5_SIGN: 239 return RSA_PKCS1_PADDING; 240 case KM_PAD_RSA_PSS: 241 if (digest_ == KM_DIGEST_NONE) { 242 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE; 243 return -1; 244 } 245 if (EVP_MD_size(digest_algorithm_) + kPssOverhead + kMinPssSaltSize > 246 (size_t)EVP_PKEY_size(rsa_key_)) { 247 LOG_E("Input too long: %d-byte digest cannot be used with %d-byte RSA key in PSS " 248 "padding mode", 249 EVP_MD_size(digest_algorithm_), EVP_PKEY_size(rsa_key_)); 250 *error = KM_ERROR_INCOMPATIBLE_DIGEST; 251 return -1; 252 } 253 return RSA_PKCS1_PSS_PADDING; 254 default: 255 return -1; 256 } 257 } 258 259 keymaster_error_t RsaSignOperation::Begin(const AuthorizationSet& input_params, 260 AuthorizationSet* output_params) { 261 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params); 262 if (error != KM_ERROR_OK) 263 return error; 264 265 if (digest_ == KM_DIGEST_NONE) 266 return KM_ERROR_OK; 267 268 EVP_PKEY_CTX* pkey_ctx; 269 if (EVP_DigestSignInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, nullptr /* engine */, 270 rsa_key_) != 1) 271 return TranslateLastOpenSslError(); 272 return SetRsaPaddingInEvpContext(pkey_ctx); 273 } 274 275 keymaster_error_t RsaSignOperation::Update(const AuthorizationSet& additional_params, 276 const Buffer& input, AuthorizationSet* output_params, 277 Buffer* output, size_t* input_consumed) { 278 if (digest_ == KM_DIGEST_NONE) 279 // Just buffer the data. 280 return RsaOperation::Update(additional_params, input, output_params, output, 281 input_consumed); 282 283 if (EVP_DigestSignUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1) 284 return TranslateLastOpenSslError(); 285 *input_consumed = input.available_read(); 286 return KM_ERROR_OK; 287 } 288 289 keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& /* additional_params */, 290 const Buffer& /* signature */, 291 AuthorizationSet* /* output_params */, Buffer* output) { 292 assert(output); 293 294 if (digest_ == KM_DIGEST_NONE) 295 return SignUndigested(output); 296 else 297 return SignDigested(output); 298 } 299 300 static keymaster_error_t zero_pad_left(UniquePtr<uint8_t[]>* dest, size_t padded_len, Buffer& src) { 301 assert(padded_len > src.available_read()); 302 303 dest->reset(new uint8_t[padded_len]); 304 if (!dest->get()) 305 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 306 307 size_t padding_len = padded_len - src.available_read(); 308 memset(dest->get(), 0, padding_len); 309 if (!src.read(dest->get() + padding_len, src.available_read())) 310 return KM_ERROR_UNKNOWN_ERROR; 311 312 return KM_ERROR_OK; 313 } 314 315 keymaster_error_t RsaSignOperation::SignUndigested(Buffer* output) { 316 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_))); 317 if (!rsa.get()) 318 return TranslateLastOpenSslError(); 319 320 if (!output->Reinitialize(RSA_size(rsa.get()))) 321 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 322 323 size_t key_len = EVP_PKEY_size(rsa_key_); 324 int bytes_encrypted; 325 switch (padding_) { 326 case KM_PAD_NONE: { 327 const uint8_t* to_encrypt = data_.peek_read(); 328 UniquePtr<uint8_t[]> zero_padded; 329 if (data_.available_read() > key_len) { 330 return KM_ERROR_INVALID_INPUT_LENGTH; 331 } else if (data_.available_read() < key_len) { 332 keymaster_error_t error = zero_pad_left(&zero_padded, key_len, data_); 333 if (error != KM_ERROR_OK) 334 return error; 335 to_encrypt = zero_padded.get(); 336 } 337 bytes_encrypted = RSA_private_encrypt(key_len, to_encrypt, output->peek_write(), rsa.get(), 338 RSA_NO_PADDING); 339 break; 340 } 341 case KM_PAD_RSA_PKCS1_1_5_SIGN: 342 // Does PKCS1 padding without digesting even make sense? Dunno. We'll support it. 343 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) { 344 LOG_E("Input too long: cannot sign %u-byte message with PKCS1 padding with %u-bit key", 345 data_.available_read(), EVP_PKEY_size(rsa_key_) * 8); 346 return KM_ERROR_INVALID_INPUT_LENGTH; 347 } 348 bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(), 349 output->peek_write(), rsa.get(), RSA_PKCS1_PADDING); 350 break; 351 352 default: 353 return KM_ERROR_UNSUPPORTED_PADDING_MODE; 354 } 355 356 if (bytes_encrypted <= 0) 357 return TranslateLastOpenSslError(); 358 if (!output->advance_write(bytes_encrypted)) 359 return KM_ERROR_UNKNOWN_ERROR; 360 return KM_ERROR_OK; 361 } 362 363 keymaster_error_t RsaSignOperation::SignDigested(Buffer* output) { 364 size_t siglen; 365 if (EVP_DigestSignFinal(&digest_ctx_, nullptr /* signature */, &siglen) != 1) 366 return TranslateLastOpenSslError(); 367 368 if (!output->Reinitialize(siglen)) 369 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 370 371 if (EVP_DigestSignFinal(&digest_ctx_, output->peek_write(), &siglen) <= 0) 372 return TranslateLastOpenSslError(); 373 if (!output->advance_write(siglen)) 374 return KM_ERROR_UNKNOWN_ERROR; 375 376 return KM_ERROR_OK; 377 } 378 379 keymaster_error_t RsaVerifyOperation::Begin(const AuthorizationSet& input_params, 380 AuthorizationSet* output_params) { 381 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params); 382 if (error != KM_ERROR_OK) 383 return error; 384 385 if (digest_ == KM_DIGEST_NONE) 386 return KM_ERROR_OK; 387 388 EVP_PKEY_CTX* pkey_ctx; 389 if (EVP_DigestVerifyInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, NULL, rsa_key_) != 1) 390 return TranslateLastOpenSslError(); 391 return SetRsaPaddingInEvpContext(pkey_ctx); 392 } 393 394 keymaster_error_t RsaVerifyOperation::Update(const AuthorizationSet& additional_params, 395 const Buffer& input, AuthorizationSet* output_params, 396 Buffer* output, size_t* input_consumed) { 397 if (digest_ == KM_DIGEST_NONE) 398 // Just buffer the data. 399 return RsaOperation::Update(additional_params, input, output_params, output, 400 input_consumed); 401 402 if (EVP_DigestVerifyUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1) 403 return TranslateLastOpenSslError(); 404 *input_consumed = input.available_read(); 405 return KM_ERROR_OK; 406 } 407 408 keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& /* additional_params */, 409 const Buffer& signature, 410 AuthorizationSet* /* output_params */, 411 Buffer* /* output */) { 412 if (digest_ == KM_DIGEST_NONE) 413 return VerifyUndigested(signature); 414 else 415 return VerifyDigested(signature); 416 } 417 418 keymaster_error_t RsaVerifyOperation::VerifyUndigested(const Buffer& signature) { 419 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_))); 420 if (!rsa.get()) 421 return KM_ERROR_UNKNOWN_ERROR; 422 423 size_t key_len = RSA_size(rsa.get()); 424 int openssl_padding; 425 switch (padding_) { 426 case KM_PAD_NONE: 427 if (data_.available_read() > key_len) 428 return KM_ERROR_INVALID_INPUT_LENGTH; 429 if (key_len != signature.available_read()) 430 return KM_ERROR_VERIFICATION_FAILED; 431 openssl_padding = RSA_NO_PADDING; 432 break; 433 case KM_PAD_RSA_PKCS1_1_5_SIGN: 434 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) { 435 LOG_E("Input too long: cannot verify %u-byte message with PKCS1 padding && %u-bit key", 436 data_.available_read(), key_len * 8); 437 return KM_ERROR_INVALID_INPUT_LENGTH; 438 } 439 openssl_padding = RSA_PKCS1_PADDING; 440 break; 441 default: 442 return KM_ERROR_UNSUPPORTED_PADDING_MODE; 443 } 444 445 UniquePtr<uint8_t[]> decrypted_data(new (std::nothrow) uint8_t[key_len]); 446 if (!decrypted_data.get()) 447 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 448 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(), 449 decrypted_data.get(), rsa.get(), openssl_padding); 450 if (bytes_decrypted < 0) 451 return KM_ERROR_VERIFICATION_FAILED; 452 453 const uint8_t* compare_pos = decrypted_data.get(); 454 size_t bytes_to_compare = bytes_decrypted; 455 uint8_t zero_check_result = 0; 456 if (padding_ == KM_PAD_NONE && data_.available_read() < bytes_to_compare) { 457 // If the data is short, for "unpadded" signing we zero-pad to the left. So during 458 // verification we should have zeros on the left of the decrypted data. Do a constant-time 459 // check. 460 const uint8_t* zero_end = compare_pos + bytes_to_compare - data_.available_read(); 461 while (compare_pos < zero_end) 462 zero_check_result |= *compare_pos++; 463 bytes_to_compare = data_.available_read(); 464 } 465 if (memcmp_s(compare_pos, data_.peek_read(), bytes_to_compare) != 0 || zero_check_result != 0) 466 return KM_ERROR_VERIFICATION_FAILED; 467 return KM_ERROR_OK; 468 } 469 470 keymaster_error_t RsaVerifyOperation::VerifyDigested(const Buffer& signature) { 471 if (!EVP_DigestVerifyFinal(&digest_ctx_, signature.peek_read(), signature.available_read())) 472 return KM_ERROR_VERIFICATION_FAILED; 473 return KM_ERROR_OK; 474 } 475 476 keymaster_error_t RsaCryptOperation::SetOaepDigestIfRequired(EVP_PKEY_CTX* pkey_ctx) { 477 if (padding() != KM_PAD_RSA_OAEP) 478 return KM_ERROR_OK; 479 480 assert(digest_algorithm_ != nullptr); 481 if (!EVP_PKEY_CTX_set_rsa_oaep_md(pkey_ctx, digest_algorithm_)) 482 return TranslateLastOpenSslError(); 483 484 // MGF1 MD is always SHA1. 485 if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha1())) 486 return TranslateLastOpenSslError(); 487 488 return KM_ERROR_OK; 489 } 490 491 int RsaCryptOperation::GetOpensslPadding(keymaster_error_t* error) { 492 *error = KM_ERROR_OK; 493 switch (padding_) { 494 case KM_PAD_NONE: 495 return RSA_NO_PADDING; 496 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT: 497 return RSA_PKCS1_PADDING; 498 case KM_PAD_RSA_OAEP: 499 return RSA_PKCS1_OAEP_PADDING; 500 default: 501 return -1; 502 } 503 } 504 505 struct EVP_PKEY_CTX_Delete { 506 void operator()(EVP_PKEY_CTX* p) { EVP_PKEY_CTX_free(p); } 507 }; 508 509 keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& /* additional_params */, 510 const Buffer& /* signature */, 511 AuthorizationSet* /* output_params */, 512 Buffer* output) { 513 assert(output); 514 515 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx( 516 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */)); 517 if (!ctx.get()) 518 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 519 520 if (EVP_PKEY_encrypt_init(ctx.get()) <= 0) 521 return TranslateLastOpenSslError(); 522 523 keymaster_error_t error = SetRsaPaddingInEvpContext(ctx.get()); 524 if (error != KM_ERROR_OK) 525 return error; 526 error = SetOaepDigestIfRequired(ctx.get()); 527 if (error != KM_ERROR_OK) 528 return error; 529 530 size_t outlen; 531 if (EVP_PKEY_encrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(), 532 data_.available_read()) <= 0) 533 return TranslateLastOpenSslError(); 534 535 if (!output->Reinitialize(outlen)) 536 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 537 538 const uint8_t* to_encrypt = data_.peek_read(); 539 size_t to_encrypt_len = data_.available_read(); 540 UniquePtr<uint8_t[]> zero_padded; 541 if (padding_ == KM_PAD_NONE && to_encrypt_len < outlen) { 542 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_); 543 if (error != KM_ERROR_OK) 544 return error; 545 to_encrypt = zero_padded.get(); 546 to_encrypt_len = outlen; 547 } 548 549 if (EVP_PKEY_encrypt(ctx.get(), output->peek_write(), &outlen, to_encrypt, to_encrypt_len) <= 0) 550 return TranslateLastOpenSslError(); 551 if (!output->advance_write(outlen)) 552 return KM_ERROR_UNKNOWN_ERROR; 553 554 return KM_ERROR_OK; 555 } 556 557 keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& /* additional_params */, 558 const Buffer& /* signature */, 559 AuthorizationSet* /* output_params */, 560 Buffer* output) { 561 assert(output); 562 563 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx( 564 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */)); 565 if (!ctx.get()) 566 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 567 568 if (EVP_PKEY_decrypt_init(ctx.get()) <= 0) 569 return TranslateLastOpenSslError(); 570 571 keymaster_error_t error = SetRsaPaddingInEvpContext(ctx.get()); 572 if (error != KM_ERROR_OK) 573 return error; 574 error = SetOaepDigestIfRequired(ctx.get()); 575 if (error != KM_ERROR_OK) 576 return error; 577 578 size_t outlen; 579 if (EVP_PKEY_decrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(), 580 data_.available_read()) <= 0) 581 return TranslateLastOpenSslError(); 582 583 if (!output->Reinitialize(outlen)) 584 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 585 586 const uint8_t* to_decrypt = data_.peek_read(); 587 size_t to_decrypt_len = data_.available_read(); 588 UniquePtr<uint8_t[]> zero_padded; 589 if (padding_ == KM_PAD_NONE && to_decrypt_len < outlen) { 590 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_); 591 if (error != KM_ERROR_OK) 592 return error; 593 to_decrypt = zero_padded.get(); 594 to_decrypt_len = outlen; 595 } 596 597 if (EVP_PKEY_decrypt(ctx.get(), output->peek_write(), &outlen, to_decrypt, to_decrypt_len) <= 0) 598 return TranslateLastOpenSslError(); 599 if (!output->advance_write(outlen)) 600 return KM_ERROR_UNKNOWN_ERROR; 601 602 return KM_ERROR_OK; 603 } 604 605 } // namespace keymaster 606