rsa_pmeth.c revision 312826
1/* crypto/rsa/rsa_pmeth.c */ 2/* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project 4 * 2006. 5 */ 6/* ==================================================================== 7 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 60#include <stdio.h> 61#include "cryptlib.h" 62#include <openssl/asn1t.h> 63#include <openssl/x509.h> 64#include <openssl/rsa.h> 65#include <openssl/bn.h> 66#include <openssl/evp.h> 67#include <openssl/x509v3.h> 68#ifndef OPENSSL_NO_CMS 69# include <openssl/cms.h> 70#endif 71#ifdef OPENSSL_FIPS 72# include <openssl/fips.h> 73#endif 74#include "evp_locl.h" 75#include "rsa_locl.h" 76 77/* RSA pkey context structure */ 78 79typedef struct { 80 /* Key gen parameters */ 81 int nbits; 82 BIGNUM *pub_exp; 83 /* Keygen callback info */ 84 int gentmp[2]; 85 /* RSA padding mode */ 86 int pad_mode; 87 /* message digest */ 88 const EVP_MD *md; 89 /* message digest for MGF1 */ 90 const EVP_MD *mgf1md; 91 /* PSS salt length */ 92 int saltlen; 93 /* Temp buffer */ 94 unsigned char *tbuf; 95 /* OAEP label */ 96 unsigned char *oaep_label; 97 size_t oaep_labellen; 98} RSA_PKEY_CTX; 99 100static int pkey_rsa_init(EVP_PKEY_CTX *ctx) 101{ 102 RSA_PKEY_CTX *rctx; 103 rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX)); 104 if (!rctx) 105 return 0; 106 rctx->nbits = 1024; 107 rctx->pub_exp = NULL; 108 rctx->pad_mode = RSA_PKCS1_PADDING; 109 rctx->md = NULL; 110 rctx->mgf1md = NULL; 111 rctx->tbuf = NULL; 112 113 rctx->saltlen = -2; 114 115 rctx->oaep_label = NULL; 116 rctx->oaep_labellen = 0; 117 118 ctx->data = rctx; 119 ctx->keygen_info = rctx->gentmp; 120 ctx->keygen_info_count = 2; 121 122 return 1; 123} 124 125static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 126{ 127 RSA_PKEY_CTX *dctx, *sctx; 128 if (!pkey_rsa_init(dst)) 129 return 0; 130 sctx = src->data; 131 dctx = dst->data; 132 dctx->nbits = sctx->nbits; 133 if (sctx->pub_exp) { 134 dctx->pub_exp = BN_dup(sctx->pub_exp); 135 if (!dctx->pub_exp) 136 return 0; 137 } 138 dctx->pad_mode = sctx->pad_mode; 139 dctx->md = sctx->md; 140 dctx->mgf1md = sctx->mgf1md; 141 if (sctx->oaep_label) { 142 if (dctx->oaep_label) 143 OPENSSL_free(dctx->oaep_label); 144 dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen); 145 if (!dctx->oaep_label) 146 return 0; 147 dctx->oaep_labellen = sctx->oaep_labellen; 148 } 149 return 1; 150} 151 152static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) 153{ 154 if (ctx->tbuf) 155 return 1; 156 ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey)); 157 if (!ctx->tbuf) 158 return 0; 159 return 1; 160} 161 162static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) 163{ 164 RSA_PKEY_CTX *rctx = ctx->data; 165 if (rctx) { 166 if (rctx->pub_exp) 167 BN_free(rctx->pub_exp); 168 if (rctx->tbuf) 169 OPENSSL_free(rctx->tbuf); 170 if (rctx->oaep_label) 171 OPENSSL_free(rctx->oaep_label); 172 OPENSSL_free(rctx); 173 } 174} 175 176#ifdef OPENSSL_FIPS 177/* 178 * FIP checker. Return value indicates status of context parameters: 1 : 179 * redirect to FIPS. 0 : don't redirect to FIPS. -1 : illegal operation in 180 * FIPS mode. 181 */ 182 183static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx) 184{ 185 RSA_PKEY_CTX *rctx = ctx->data; 186 RSA *rsa = ctx->pkey->pkey.rsa; 187 int rv = -1; 188 if (!FIPS_mode()) 189 return 0; 190 if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) 191 rv = 0; 192 if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv) 193 return -1; 194 if (rctx->md) { 195 const EVP_MD *fmd; 196 fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->md)); 197 if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS)) 198 return rv; 199 } 200 if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS)) { 201 const EVP_MD *fmd; 202 fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->mgf1md)); 203 if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS)) 204 return rv; 205 } 206 return 1; 207} 208#endif 209 210static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, 211 size_t *siglen, const unsigned char *tbs, 212 size_t tbslen) 213{ 214 int ret; 215 RSA_PKEY_CTX *rctx = ctx->data; 216 RSA *rsa = ctx->pkey->pkey.rsa; 217 218#ifdef OPENSSL_FIPS 219 ret = pkey_fips_check_ctx(ctx); 220 if (ret < 0) { 221 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); 222 return -1; 223 } 224#endif 225 226 if (rctx->md) { 227 if (tbslen != (size_t)EVP_MD_size(rctx->md)) { 228 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); 229 return -1; 230 } 231#ifdef OPENSSL_FIPS 232 if (ret > 0) { 233 unsigned int slen; 234 ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md, 235 rctx->pad_mode, 236 rctx->saltlen, 237 rctx->mgf1md, sig, &slen); 238 if (ret > 0) 239 *siglen = slen; 240 else 241 *siglen = 0; 242 return ret; 243 } 244#endif 245 246 if (EVP_MD_type(rctx->md) == NID_mdc2) { 247 unsigned int sltmp; 248 if (rctx->pad_mode != RSA_PKCS1_PADDING) 249 return -1; 250 ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2, 251 tbs, tbslen, sig, &sltmp, rsa); 252 253 if (ret <= 0) 254 return ret; 255 ret = sltmp; 256 } else if (rctx->pad_mode == RSA_X931_PADDING) { 257 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { 258 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); 259 return -1; 260 } 261 if (!setup_tbuf(rctx, ctx)) { 262 RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); 263 return -1; 264 } 265 memcpy(rctx->tbuf, tbs, tbslen); 266 rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); 267 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, 268 sig, rsa, RSA_X931_PADDING); 269 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 270 unsigned int sltmp; 271 ret = RSA_sign(EVP_MD_type(rctx->md), 272 tbs, tbslen, sig, &sltmp, rsa); 273 if (ret <= 0) 274 return ret; 275 ret = sltmp; 276 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 277 if (!setup_tbuf(rctx, ctx)) 278 return -1; 279 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, 280 rctx->tbuf, tbs, 281 rctx->md, rctx->mgf1md, 282 rctx->saltlen)) 283 return -1; 284 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 285 sig, rsa, RSA_NO_PADDING); 286 } else 287 return -1; 288 } else 289 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, 290 rctx->pad_mode); 291 if (ret < 0) 292 return ret; 293 *siglen = ret; 294 return 1; 295} 296 297static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, 298 unsigned char *rout, size_t *routlen, 299 const unsigned char *sig, size_t siglen) 300{ 301 int ret; 302 RSA_PKEY_CTX *rctx = ctx->data; 303 304 if (rctx->md) { 305 if (rctx->pad_mode == RSA_X931_PADDING) { 306 if (!setup_tbuf(rctx, ctx)) 307 return -1; 308 ret = RSA_public_decrypt(siglen, sig, 309 rctx->tbuf, ctx->pkey->pkey.rsa, 310 RSA_X931_PADDING); 311 if (ret < 1) 312 return 0; 313 ret--; 314 if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) { 315 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 316 RSA_R_ALGORITHM_MISMATCH); 317 return 0; 318 } 319 if (ret != EVP_MD_size(rctx->md)) { 320 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 321 RSA_R_INVALID_DIGEST_LENGTH); 322 return 0; 323 } 324 if (rout) 325 memcpy(rout, rctx->tbuf, ret); 326 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 327 size_t sltmp; 328 ret = int_rsa_verify(EVP_MD_type(rctx->md), 329 NULL, 0, rout, &sltmp, 330 sig, siglen, ctx->pkey->pkey.rsa); 331 if (ret <= 0) 332 return 0; 333 ret = sltmp; 334 } else 335 return -1; 336 } else 337 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, 338 rctx->pad_mode); 339 if (ret < 0) 340 return ret; 341 *routlen = ret; 342 return 1; 343} 344 345static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, 346 const unsigned char *sig, size_t siglen, 347 const unsigned char *tbs, size_t tbslen) 348{ 349 RSA_PKEY_CTX *rctx = ctx->data; 350 RSA *rsa = ctx->pkey->pkey.rsa; 351 size_t rslen; 352#ifdef OPENSSL_FIPS 353 int rv; 354 rv = pkey_fips_check_ctx(ctx); 355 if (rv < 0) { 356 RSAerr(RSA_F_PKEY_RSA_VERIFY, 357 RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); 358 return -1; 359 } 360#endif 361 if (rctx->md) { 362#ifdef OPENSSL_FIPS 363 if (rv > 0) { 364 return FIPS_rsa_verify_digest(rsa, 365 tbs, tbslen, 366 rctx->md, 367 rctx->pad_mode, 368 rctx->saltlen, 369 rctx->mgf1md, sig, siglen); 370 371 } 372#endif 373 if (rctx->pad_mode == RSA_PKCS1_PADDING) 374 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 375 sig, siglen, rsa); 376 if (tbslen != (size_t)EVP_MD_size(rctx->md)) { 377 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); 378 return -1; 379 } 380 if (rctx->pad_mode == RSA_X931_PADDING) { 381 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) 382 return 0; 383 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 384 int ret; 385 if (!setup_tbuf(rctx, ctx)) 386 return -1; 387 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 388 rsa, RSA_NO_PADDING); 389 if (ret <= 0) 390 return 0; 391 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, 392 rctx->md, rctx->mgf1md, 393 rctx->tbuf, rctx->saltlen); 394 if (ret <= 0) 395 return 0; 396 return 1; 397 } else 398 return -1; 399 } else { 400 if (!setup_tbuf(rctx, ctx)) 401 return -1; 402 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, 403 rsa, rctx->pad_mode); 404 if (rslen == 0) 405 return 0; 406 } 407 408 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) 409 return 0; 410 411 return 1; 412 413} 414 415static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, 416 unsigned char *out, size_t *outlen, 417 const unsigned char *in, size_t inlen) 418{ 419 int ret; 420 RSA_PKEY_CTX *rctx = ctx->data; 421 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 422 int klen = RSA_size(ctx->pkey->pkey.rsa); 423 if (!setup_tbuf(rctx, ctx)) 424 return -1; 425 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, 426 in, inlen, 427 rctx->oaep_label, 428 rctx->oaep_labellen, 429 rctx->md, rctx->mgf1md)) 430 return -1; 431 ret = RSA_public_encrypt(klen, rctx->tbuf, out, 432 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 433 } else 434 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, 435 rctx->pad_mode); 436 if (ret < 0) 437 return ret; 438 *outlen = ret; 439 return 1; 440} 441 442static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, 443 unsigned char *out, size_t *outlen, 444 const unsigned char *in, size_t inlen) 445{ 446 int ret; 447 RSA_PKEY_CTX *rctx = ctx->data; 448 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 449 int i; 450 if (!setup_tbuf(rctx, ctx)) 451 return -1; 452 ret = RSA_private_decrypt(inlen, in, rctx->tbuf, 453 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 454 if (ret <= 0) 455 return ret; 456 for (i = 0; i < ret; i++) { 457 if (rctx->tbuf[i]) 458 break; 459 } 460 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf + i, 461 ret - i, ret, 462 rctx->oaep_label, 463 rctx->oaep_labellen, 464 rctx->md, rctx->mgf1md); 465 } else 466 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, 467 rctx->pad_mode); 468 if (ret < 0) 469 return ret; 470 *outlen = ret; 471 return 1; 472} 473 474static int check_padding_md(const EVP_MD *md, int padding) 475{ 476 if (!md) 477 return 1; 478 479 if (padding == RSA_NO_PADDING) { 480 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); 481 return 0; 482 } 483 484 if (padding == RSA_X931_PADDING) { 485 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) { 486 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST); 487 return 0; 488 } 489 return 1; 490 } 491 492 return 1; 493} 494 495static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 496{ 497 RSA_PKEY_CTX *rctx = ctx->data; 498 switch (type) { 499 case EVP_PKEY_CTRL_RSA_PADDING: 500 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) { 501 if (!check_padding_md(rctx->md, p1)) 502 return 0; 503 if (p1 == RSA_PKCS1_PSS_PADDING) { 504 if (!(ctx->operation & 505 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) 506 goto bad_pad; 507 if (!rctx->md) 508 rctx->md = EVP_sha1(); 509 } 510 if (p1 == RSA_PKCS1_OAEP_PADDING) { 511 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) 512 goto bad_pad; 513 if (!rctx->md) 514 rctx->md = EVP_sha1(); 515 } 516 rctx->pad_mode = p1; 517 return 1; 518 } 519 bad_pad: 520 RSAerr(RSA_F_PKEY_RSA_CTRL, 521 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 522 return -2; 523 524 case EVP_PKEY_CTRL_GET_RSA_PADDING: 525 *(int *)p2 = rctx->pad_mode; 526 return 1; 527 528 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 529 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 530 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { 531 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 532 return -2; 533 } 534 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) 535 *(int *)p2 = rctx->saltlen; 536 else { 537 if (p1 < -2) 538 return -2; 539 rctx->saltlen = p1; 540 } 541 return 1; 542 543 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 544 if (p1 < 256) { 545 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS); 546 return -2; 547 } 548 rctx->nbits = p1; 549 return 1; 550 551 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 552 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) { 553 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE); 554 return -2; 555 } 556 BN_free(rctx->pub_exp); 557 rctx->pub_exp = p2; 558 return 1; 559 560 case EVP_PKEY_CTRL_RSA_OAEP_MD: 561 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: 562 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 563 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 564 return -2; 565 } 566 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) 567 *(const EVP_MD **)p2 = rctx->md; 568 else 569 rctx->md = p2; 570 return 1; 571 572 case EVP_PKEY_CTRL_MD: 573 if (!check_padding_md(p2, rctx->pad_mode)) 574 return 0; 575 rctx->md = p2; 576 return 1; 577 578 case EVP_PKEY_CTRL_GET_MD: 579 *(const EVP_MD **)p2 = rctx->md; 580 return 1; 581 582 case EVP_PKEY_CTRL_RSA_MGF1_MD: 583 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 584 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING 585 && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 586 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); 587 return -2; 588 } 589 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { 590 if (rctx->mgf1md) 591 *(const EVP_MD **)p2 = rctx->mgf1md; 592 else 593 *(const EVP_MD **)p2 = rctx->md; 594 } else 595 rctx->mgf1md = p2; 596 return 1; 597 598 case EVP_PKEY_CTRL_RSA_OAEP_LABEL: 599 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 600 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 601 return -2; 602 } 603 if (rctx->oaep_label) 604 OPENSSL_free(rctx->oaep_label); 605 if (p2 && p1 > 0) { 606 rctx->oaep_label = p2; 607 rctx->oaep_labellen = p1; 608 } else { 609 rctx->oaep_label = NULL; 610 rctx->oaep_labellen = 0; 611 } 612 return 1; 613 614 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: 615 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 616 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 617 return -2; 618 } 619 *(unsigned char **)p2 = rctx->oaep_label; 620 return rctx->oaep_labellen; 621 622 case EVP_PKEY_CTRL_DIGESTINIT: 623 case EVP_PKEY_CTRL_PKCS7_ENCRYPT: 624 case EVP_PKEY_CTRL_PKCS7_DECRYPT: 625 case EVP_PKEY_CTRL_PKCS7_SIGN: 626 return 1; 627#ifndef OPENSSL_NO_CMS 628 case EVP_PKEY_CTRL_CMS_DECRYPT: 629 case EVP_PKEY_CTRL_CMS_ENCRYPT: 630 case EVP_PKEY_CTRL_CMS_SIGN: 631 return 1; 632#endif 633 case EVP_PKEY_CTRL_PEER_KEY: 634 RSAerr(RSA_F_PKEY_RSA_CTRL, 635 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 636 return -2; 637 638 default: 639 return -2; 640 641 } 642} 643 644static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, 645 const char *type, const char *value) 646{ 647 if (!value) { 648 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); 649 return 0; 650 } 651 if (!strcmp(type, "rsa_padding_mode")) { 652 int pm; 653 if (!strcmp(value, "pkcs1")) 654 pm = RSA_PKCS1_PADDING; 655 else if (!strcmp(value, "sslv23")) 656 pm = RSA_SSLV23_PADDING; 657 else if (!strcmp(value, "none")) 658 pm = RSA_NO_PADDING; 659 else if (!strcmp(value, "oeap")) 660 pm = RSA_PKCS1_OAEP_PADDING; 661 else if (!strcmp(value, "oaep")) 662 pm = RSA_PKCS1_OAEP_PADDING; 663 else if (!strcmp(value, "x931")) 664 pm = RSA_X931_PADDING; 665 else if (!strcmp(value, "pss")) 666 pm = RSA_PKCS1_PSS_PADDING; 667 else { 668 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE); 669 return -2; 670 } 671 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); 672 } 673 674 if (!strcmp(type, "rsa_pss_saltlen")) { 675 int saltlen; 676 saltlen = atoi(value); 677 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); 678 } 679 680 if (!strcmp(type, "rsa_keygen_bits")) { 681 int nbits; 682 nbits = atoi(value); 683 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); 684 } 685 686 if (!strcmp(type, "rsa_keygen_pubexp")) { 687 int ret; 688 BIGNUM *pubexp = NULL; 689 if (!BN_asc2bn(&pubexp, value)) 690 return 0; 691 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); 692 if (ret <= 0) 693 BN_free(pubexp); 694 return ret; 695 } 696 697 if (!strcmp(type, "rsa_mgf1_md")) { 698 const EVP_MD *md; 699 if (!(md = EVP_get_digestbyname(value))) { 700 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_INVALID_DIGEST); 701 return 0; 702 } 703 return EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md); 704 } 705 706 if (!strcmp(type, "rsa_oaep_md")) { 707 const EVP_MD *md; 708 if (!(md = EVP_get_digestbyname(value))) { 709 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_INVALID_DIGEST); 710 return 0; 711 } 712 return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md); 713 } 714 if (!strcmp(type, "rsa_oaep_label")) { 715 unsigned char *lab; 716 long lablen; 717 int ret; 718 lab = string_to_hex(value, &lablen); 719 if (!lab) 720 return 0; 721 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); 722 if (ret <= 0) 723 OPENSSL_free(lab); 724 return ret; 725 } 726 727 return -2; 728} 729 730static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 731{ 732 RSA *rsa = NULL; 733 RSA_PKEY_CTX *rctx = ctx->data; 734 BN_GENCB *pcb, cb; 735 int ret; 736 if (!rctx->pub_exp) { 737 rctx->pub_exp = BN_new(); 738 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) 739 return 0; 740 } 741 rsa = RSA_new(); 742 if (!rsa) 743 return 0; 744 if (ctx->pkey_gencb) { 745 pcb = &cb; 746 evp_pkey_set_cb_translate(pcb, ctx); 747 } else 748 pcb = NULL; 749 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb); 750 if (ret > 0) 751 EVP_PKEY_assign_RSA(pkey, rsa); 752 else 753 RSA_free(rsa); 754 return ret; 755} 756 757const EVP_PKEY_METHOD rsa_pkey_meth = { 758 EVP_PKEY_RSA, 759 EVP_PKEY_FLAG_AUTOARGLEN, 760 pkey_rsa_init, 761 pkey_rsa_copy, 762 pkey_rsa_cleanup, 763 764 0, 0, 765 766 0, 767 pkey_rsa_keygen, 768 769 0, 770 pkey_rsa_sign, 771 772 0, 773 pkey_rsa_verify, 774 775 0, 776 pkey_rsa_verifyrecover, 777 778 0, 0, 0, 0, 779 780 0, 781 pkey_rsa_encrypt, 782 783 0, 784 pkey_rsa_decrypt, 785 786 0, 0, 787 788 pkey_rsa_ctrl, 789 pkey_rsa_ctrl_str 790}; 791