1 /* crypto/rsa/rsa_pmeth.c */
   2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   3  * project 2006.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  *
  53  * This product includes cryptographic software written by Eric Young
  54  * (eay@cryptsoft.com).  This product includes software written by Tim
  55  * Hudson (tjh@cryptsoft.com).
  56  *
  57  */
  58 
  59 #include <stdio.h>
  60 #include "cryptlib.h"
  61 #include <openssl/asn1t.h>
  62 #include <openssl/x509.h>
  63 #include <openssl/rsa.h>
  64 #include <openssl/bn.h>
  65 #include <openssl/evp.h>
  66 #ifndef OPENSSL_NO_CMS
  67 #include <openssl/cms.h>
  68 #endif
  69 #ifdef OPENSSL_FIPS
  70 #include <openssl/fips.h>
  71 #endif
  72 #include "evp_locl.h"
  73 #include "rsa_locl.h"
  74 
  75 /* RSA pkey context structure */
  76 
  77 typedef struct
  78         {
  79         /* Key gen parameters */
  80         int nbits;
  81         BIGNUM *pub_exp;
  82         /* Keygen callback info */
  83         int gentmp[2];
  84         /* RSA padding mode */
  85         int pad_mode;
  86         /* message digest */
  87         const EVP_MD *md;
  88         /* message digest for MGF1 */
  89         const EVP_MD *mgf1md;
  90         /* PSS/OAEP salt length */
  91         int saltlen;
  92         /* Temp buffer */
  93         unsigned char *tbuf;
  94         } RSA_PKEY_CTX;
  95 
  96 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
  97         {
  98         RSA_PKEY_CTX *rctx;
  99         rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
 100         if (!rctx)
 101                 return 0;
 102         rctx->nbits = 1024;
 103         rctx->pub_exp = NULL;
 104         rctx->pad_mode = RSA_PKCS1_PADDING;
 105         rctx->md = NULL;
 106         rctx->mgf1md = NULL;
 107         rctx->tbuf = NULL;
 108 
 109         rctx->saltlen = -2;
 110 
 111         ctx->data = rctx;
 112         ctx->keygen_info = rctx->gentmp;
 113         ctx->keygen_info_count = 2;
 114 
 115         return 1;
 116         }
 117 
 118 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
 119         {
 120         RSA_PKEY_CTX *dctx, *sctx;
 121         if (!pkey_rsa_init(dst))
 122                 return 0;
 123         sctx = src->data;
 124         dctx = dst->data;
 125         dctx->nbits = sctx->nbits;
 126         if (sctx->pub_exp)
 127                 {
 128                 dctx->pub_exp = BN_dup(sctx->pub_exp);
 129                 if (!dctx->pub_exp)
 130                         return 0;
 131                 }
 132         dctx->pad_mode = sctx->pad_mode;
 133         dctx->md = sctx->md;
 134         return 1;
 135         }
 136 
 137 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
 138         {
 139         if (ctx->tbuf)
 140                 return 1;
 141         ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
 142         if (!ctx->tbuf)
 143                 return 0;
 144         return 1;
 145         }
 146 
 147 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
 148         {
 149         RSA_PKEY_CTX *rctx = ctx->data;
 150         if (rctx)
 151                 {
 152                 if (rctx->pub_exp)
 153                         BN_free(rctx->pub_exp);
 154                 if (rctx->tbuf)
 155                         OPENSSL_free(rctx->tbuf);
 156                 OPENSSL_free(rctx);
 157                 }
 158         }
 159 #ifdef OPENSSL_FIPS
 160 /* FIP checker. Return value indicates status of context parameters:
 161  * 1  : redirect to FIPS.
 162  * 0  : don't redirect to FIPS.
 163  * -1 : illegal operation in FIPS mode.
 164  */
 165 
 166 static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
 167         {
 168         RSA_PKEY_CTX *rctx = ctx->data;
 169         RSA *rsa = ctx->pkey->pkey.rsa;
 170         int rv = -1;
 171         if (!FIPS_mode())
 172                 return 0;
 173         if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
 174                 rv = 0;
 175         if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
 176                 return -1;
 177         if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
 178                 return rv;
 179         if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
 180                 return rv;
 181         return 1;
 182         }
 183 #endif
 184 
 185 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 186                                         const unsigned char *tbs, size_t tbslen)
 187         {
 188         int ret;
 189         RSA_PKEY_CTX *rctx = ctx->data;
 190         RSA *rsa = ctx->pkey->pkey.rsa;
 191 
 192 #ifdef OPENSSL_FIPS
 193         ret = pkey_fips_check_ctx(ctx);
 194         if (ret < 0)
 195                 {
 196                 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
 197                 return -1;
 198                 }
 199 #endif
 200 
 201         if (rctx->md)
 202                 {
 203                 if (tbslen != (size_t)EVP_MD_size(rctx->md))
 204                         {
 205                         RSAerr(RSA_F_PKEY_RSA_SIGN,
 206                                         RSA_R_INVALID_DIGEST_LENGTH);
 207                         return -1;
 208                         }
 209 #ifdef OPENSSL_FIPS
 210                 if (ret > 0)
 211                         {
 212                         unsigned int slen;
 213                         ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
 214                                                         rctx->pad_mode,
 215                                                         rctx->saltlen,
 216                                                         rctx->mgf1md,
 217                                                         sig, &slen);
 218                         if (ret > 0)
 219                                 *siglen = slen;
 220                         else
 221                                 *siglen = 0;
 222                         return ret;
 223                         }
 224 #endif
 225 
 226                 if (EVP_MD_type(rctx->md) == NID_mdc2)
 227                         {
 228                         unsigned int sltmp;
 229                         if (rctx->pad_mode != RSA_PKCS1_PADDING)
 230                                 return -1;
 231                         ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
 232                                                 tbs, tbslen, sig, &sltmp, rsa);
 233 
 234                         if (ret <= 0)
 235                                 return ret;
 236                         ret = sltmp;
 237                         }
 238                 else if (rctx->pad_mode == RSA_X931_PADDING)
 239                         {
 240                         if (!setup_tbuf(rctx, ctx))
 241                                 return -1;
 242                         memcpy(rctx->tbuf, tbs, tbslen);
 243                         rctx->tbuf[tbslen] =
 244                                 RSA_X931_hash_id(EVP_MD_type(rctx->md));
 245                         ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
 246                                                 sig, rsa, RSA_X931_PADDING);
 247                         }
 248                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
 249                         {
 250                         unsigned int sltmp;
 251                         ret = RSA_sign(EVP_MD_type(rctx->md),
 252                                                 tbs, tbslen, sig, &sltmp, rsa);
 253                         if (ret <= 0)
 254                                 return ret;
 255                         ret = sltmp;
 256                         }
 257                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
 258                         {
 259                         if (!setup_tbuf(rctx, ctx))
 260                                 return -1;
 261                         if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
 262                                                 rctx->tbuf, tbs,
 263                                                 rctx->md, rctx->mgf1md,
 264                                                 rctx->saltlen))
 265                                 return -1;
 266                         ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
 267                                                 sig, rsa, RSA_NO_PADDING);
 268                         }
 269                 else
 270                         return -1;
 271                 }
 272         else
 273                 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
 274                                                         rctx->pad_mode);
 275         if (ret < 0)
 276                 return ret;
 277         *siglen = ret;
 278         return 1;
 279         }
 280 
 281 
 282 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
 283                                         unsigned char *rout, size_t *routlen,
 284                                         const unsigned char *sig, size_t siglen)
 285         {
 286         int ret;
 287         RSA_PKEY_CTX *rctx = ctx->data;
 288 
 289         if (rctx->md)
 290                 {
 291                 if (rctx->pad_mode == RSA_X931_PADDING)
 292                         {
 293                         if (!setup_tbuf(rctx, ctx))
 294                                 return -1;
 295                         ret = RSA_public_decrypt(siglen, sig,
 296                                                 rctx->tbuf, ctx->pkey->pkey.rsa,
 297                                                 RSA_X931_PADDING);
 298                         if (ret < 1)
 299                                 return 0;
 300                         ret--;
 301                         if (rctx->tbuf[ret] !=
 302                                 RSA_X931_hash_id(EVP_MD_type(rctx->md)))
 303                                 {
 304                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
 305                                                 RSA_R_ALGORITHM_MISMATCH);
 306                                 return 0;
 307                                 }
 308                         if (ret != EVP_MD_size(rctx->md))
 309                                 {
 310                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
 311                                         RSA_R_INVALID_DIGEST_LENGTH);
 312                                 return 0;
 313                                 }
 314                         if (rout)
 315                                 memcpy(rout, rctx->tbuf, ret);
 316                         }
 317                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
 318                         {
 319                         size_t sltmp;
 320                         ret = int_rsa_verify(EVP_MD_type(rctx->md),
 321                                                 NULL, 0, rout, &sltmp,
 322                                         sig, siglen, ctx->pkey->pkey.rsa);
 323                         if (ret <= 0)
 324                                 return 0;
 325                         ret = sltmp;
 326                         }
 327                 else
 328                         return -1;
 329                 }
 330         else
 331                 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
 332                                                         rctx->pad_mode);
 333         if (ret < 0)
 334                 return ret;
 335         *routlen = ret;
 336         return 1;
 337         }
 338 
 339 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
 340                                         const unsigned char *sig, size_t siglen,
 341                                         const unsigned char *tbs, size_t tbslen)
 342         {
 343         RSA_PKEY_CTX *rctx = ctx->data;
 344         RSA *rsa = ctx->pkey->pkey.rsa;
 345         size_t rslen;
 346 #ifdef OPENSSL_FIPS
 347         int rv;
 348         rv = pkey_fips_check_ctx(ctx);
 349         if (rv < 0)
 350                 {
 351                 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
 352                 return -1;
 353                 }
 354 #endif
 355         if (rctx->md)
 356                 {
 357 #ifdef OPENSSL_FIPS
 358                 if (rv > 0)
 359                         {
 360                         return FIPS_rsa_verify_digest(rsa,
 361                                                         tbs, tbslen,
 362                                                         rctx->md,
 363                                                         rctx->pad_mode,
 364                                                         rctx->saltlen,
 365                                                         rctx->mgf1md,
 366                                                         sig, siglen);
 367 
 368                         }
 369 #endif
 370                 if (rctx->pad_mode == RSA_PKCS1_PADDING)
 371                         return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
 372                                         sig, siglen, rsa);
 373                 if (rctx->pad_mode == RSA_X931_PADDING)
 374                         {
 375                         if (pkey_rsa_verifyrecover(ctx, NULL, &rslen,
 376                                         sig, siglen) <= 0)
 377                                 return 0;
 378                         }
 379                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
 380                         {
 381                         int ret;
 382                         if (!setup_tbuf(rctx, ctx))
 383                                 return -1;
 384                         ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
 385                                                         rsa, RSA_NO_PADDING);
 386                         if (ret <= 0)
 387                                 return 0;
 388                         ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
 389                                                 rctx->md, rctx->mgf1md,
 390                                                 rctx->tbuf, rctx->saltlen);
 391                         if (ret <= 0)
 392                                 return 0;
 393                         return 1;
 394                         }
 395                 else
 396                         return -1;
 397                 }
 398         else
 399                 {
 400                 if (!setup_tbuf(rctx, ctx))
 401                         return -1;
 402                 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
 403                                                 rsa, rctx->pad_mode);
 404                 if (rslen == 0)
 405                         return 0;
 406                 }
 407 
 408         if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
 409                 return 0;
 410 
 411         return 1;
 412 
 413         }
 414 
 415 
 416 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
 417                                         unsigned char *out, size_t *outlen,
 418                                         const unsigned char *in, size_t inlen)
 419         {
 420         int ret;
 421         RSA_PKEY_CTX *rctx = ctx->data;
 422         ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 423                                                         rctx->pad_mode);
 424         if (ret < 0)
 425                 return ret;
 426         *outlen = ret;
 427         return 1;
 428         }
 429 
 430 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
 431                                         unsigned char *out, size_t *outlen,
 432                                         const unsigned char *in, size_t inlen)
 433         {
 434         int ret;
 435         RSA_PKEY_CTX *rctx = ctx->data;
 436         ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 437                                                         rctx->pad_mode);
 438         if (ret < 0)
 439                 return ret;
 440         *outlen = ret;
 441         return 1;
 442         }
 443 
 444 static int check_padding_md(const EVP_MD *md, int padding)
 445         {
 446         if (!md)
 447                 return 1;
 448 
 449         if (padding == RSA_NO_PADDING)
 450                 {
 451                 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
 452                 return 0;
 453                 }
 454 
 455         if (padding == RSA_X931_PADDING)
 456                 {
 457                 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
 458                         {
 459                         RSAerr(RSA_F_CHECK_PADDING_MD,
 460                                                 RSA_R_INVALID_X931_DIGEST);
 461                         return 0;
 462                         }
 463                 return 1;
 464                 }
 465 
 466         return 1;
 467         }
 468 
 469 
 470 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 471         {
 472         RSA_PKEY_CTX *rctx = ctx->data;
 473         switch (type)
 474                 {
 475                 case EVP_PKEY_CTRL_RSA_PADDING:
 476                 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
 477                         {
 478                         if (!check_padding_md(rctx->md, p1))
 479                                 return 0;
 480                         if (p1 == RSA_PKCS1_PSS_PADDING)
 481                                 {
 482                                 if (!(ctx->operation &
 483                                      (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
 484                                         goto bad_pad;
 485                                 if (!rctx->md)
 486                                         rctx->md = EVP_sha1();
 487                                 }
 488                         if (p1 == RSA_PKCS1_OAEP_PADDING)
 489                                 {
 490                                 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
 491                                         goto bad_pad;
 492                                 if (!rctx->md)
 493                                         rctx->md = EVP_sha1();
 494                                 }
 495                         rctx->pad_mode = p1;
 496                         return 1;
 497                         }
 498                 bad_pad:
 499                 RSAerr(RSA_F_PKEY_RSA_CTRL,
 500                                 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
 501                 return -2;
 502 
 503                 case EVP_PKEY_CTRL_GET_RSA_PADDING:
 504                 *(int *)p2 = rctx->pad_mode;
 505                 return 1;
 506 
 507                 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
 508                 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
 509                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
 510                         {
 511                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
 512                         return -2;
 513                         }
 514                 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
 515                         *(int *)p2 = rctx->saltlen;
 516                 else
 517                         {
 518                         if (p1 < -2)
 519                                 return -2;
 520                         rctx->saltlen = p1;
 521                         }
 522                 return 1;
 523 
 524                 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
 525                 if (p1 < 256)
 526                         {
 527                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
 528                         return -2;
 529                         }
 530                 rctx->nbits = p1;
 531                 return 1;
 532 
 533                 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
 534                 if (!p2)
 535                         return -2;
 536                 rctx->pub_exp = p2;
 537                 return 1;
 538 
 539                 case EVP_PKEY_CTRL_MD:
 540                 if (!check_padding_md(p2, rctx->pad_mode))
 541                         return 0;
 542                 rctx->md = p2;
 543                 return 1;
 544 
 545                 case EVP_PKEY_CTRL_RSA_MGF1_MD:
 546                 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
 547                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
 548                         {
 549                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
 550                         return -2;
 551                         }
 552                 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
 553                         {
 554                         if (rctx->mgf1md)
 555                                 *(const EVP_MD **)p2 = rctx->mgf1md;
 556                         else
 557                                 *(const EVP_MD **)p2 = rctx->md;
 558                         }
 559                 else
 560                         rctx->mgf1md = p2;
 561                 return 1;
 562 
 563                 case EVP_PKEY_CTRL_DIGESTINIT:
 564                 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
 565                 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
 566                 case EVP_PKEY_CTRL_PKCS7_SIGN:
 567                 return 1;
 568 #ifndef OPENSSL_NO_CMS
 569                 case EVP_PKEY_CTRL_CMS_DECRYPT:
 570                 {
 571                 X509_ALGOR *alg = NULL;
 572                 ASN1_OBJECT *encalg = NULL;
 573                 if (p2)
 574                         CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
 575                 if (alg)
 576                         X509_ALGOR_get0(&encalg, NULL, NULL, alg);
 577                 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
 578                         rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
 579                 }
 580                 case EVP_PKEY_CTRL_CMS_ENCRYPT:
 581                 case EVP_PKEY_CTRL_CMS_SIGN:
 582                 return 1;
 583 #endif
 584                 case EVP_PKEY_CTRL_PEER_KEY:
 585                         RSAerr(RSA_F_PKEY_RSA_CTRL,
 586                         RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
 587                         return -2;
 588 
 589                 default:
 590                 return -2;
 591 
 592                 }
 593         }
 594 
 595 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
 596                         const char *type, const char *value)
 597         {
 598         if (!value)
 599                 {
 600                 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
 601                 return 0;
 602                 }
 603         if (!strcmp(type, "rsa_padding_mode"))
 604                 {
 605                 int pm;
 606                 if (!strcmp(value, "pkcs1"))
 607                         pm = RSA_PKCS1_PADDING;
 608                 else if (!strcmp(value, "sslv23"))
 609                         pm = RSA_SSLV23_PADDING;
 610                 else if (!strcmp(value, "none"))
 611                         pm = RSA_NO_PADDING;
 612                 else if (!strcmp(value, "oeap"))
 613                         pm = RSA_PKCS1_OAEP_PADDING;
 614                 else if (!strcmp(value, "oaep"))
 615                         pm = RSA_PKCS1_OAEP_PADDING;
 616                 else if (!strcmp(value, "x931"))
 617                         pm = RSA_X931_PADDING;
 618                 else if (!strcmp(value, "pss"))
 619                         pm = RSA_PKCS1_PSS_PADDING;
 620                 else
 621                         {
 622                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
 623                                                 RSA_R_UNKNOWN_PADDING_TYPE);
 624                         return -2;
 625                         }
 626                 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
 627                 }
 628 
 629         if (!strcmp(type, "rsa_pss_saltlen"))
 630                 {
 631                 int saltlen;
 632                 saltlen = atoi(value);
 633                 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
 634                 }
 635 
 636         if (!strcmp(type, "rsa_keygen_bits"))
 637                 {
 638                 int nbits;
 639                 nbits = atoi(value);
 640                 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
 641                 }
 642 
 643         if (!strcmp(type, "rsa_keygen_pubexp"))
 644                 {
 645                 int ret;
 646                 BIGNUM *pubexp = NULL;
 647                 if (!BN_asc2bn(&pubexp, value))
 648                         return 0;
 649                 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
 650                 if (ret <= 0)
 651                         BN_free(pubexp);
 652                 return ret;
 653                 }
 654 
 655         return -2;
 656         }
 657 
 658 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 659         {
 660         RSA *rsa = NULL;
 661         RSA_PKEY_CTX *rctx = ctx->data;
 662         BN_GENCB *pcb, cb;
 663         int ret;
 664         if (!rctx->pub_exp)
 665                 {
 666                 rctx->pub_exp = BN_new();
 667                 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
 668                         return 0;
 669                 }
 670         rsa = RSA_new();
 671         if (!rsa)
 672                 return 0;
 673         if (ctx->pkey_gencb)
 674                 {
 675                 pcb = &cb;
 676                 evp_pkey_set_cb_translate(pcb, ctx);
 677                 }
 678         else
 679                 pcb = NULL;
 680         ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
 681         if (ret > 0)
 682                 EVP_PKEY_assign_RSA(pkey, rsa);
 683         else
 684                 RSA_free(rsa);
 685         return ret;
 686         }
 687 
 688 const EVP_PKEY_METHOD rsa_pkey_meth =
 689         {
 690         EVP_PKEY_RSA,
 691         EVP_PKEY_FLAG_AUTOARGLEN,
 692         pkey_rsa_init,
 693         pkey_rsa_copy,
 694         pkey_rsa_cleanup,
 695 
 696         0,0,
 697 
 698         0,
 699         pkey_rsa_keygen,
 700 
 701         0,
 702         pkey_rsa_sign,
 703 
 704         0,
 705         pkey_rsa_verify,
 706 
 707         0,
 708         pkey_rsa_verifyrecover,
 709 
 710 
 711         0,0,0,0,
 712 
 713         0,
 714         pkey_rsa_encrypt,
 715 
 716         0,
 717         pkey_rsa_decrypt,
 718 
 719         0,0,
 720 
 721         pkey_rsa_ctrl,
 722         pkey_rsa_ctrl_str
 723 
 724 
 725         };