1 /* crypto/rsa/rsa_pmeth.c */ 2 /* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project 4 * 2006. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 60 #include <stdio.h> 61 #include "cryptlib.h" 62 #include <openssl/asn1t.h> 63 #include <openssl/x509.h> 64 #include <openssl/rsa.h> 65 #include <openssl/bn.h> 66 #include <openssl/evp.h> 67 #include <openssl/x509v3.h> 68 #ifndef OPENSSL_NO_CMS 69 # include <openssl/cms.h> 70 #endif 71 #ifdef OPENSSL_FIPS 72 # include <openssl/fips.h> 73 #endif 74 #include "evp_locl.h" 75 #include "rsa_locl.h" 76 77 /* RSA pkey context structure */ 78 79 typedef struct { 80 /* Key gen parameters */ 81 int nbits; 82 BIGNUM *pub_exp; 83 /* Keygen callback info */ 84 int gentmp[2]; 85 /* RSA padding mode */ 86 int pad_mode; 87 /* message digest */ 88 const EVP_MD *md; 89 /* message digest for MGF1 */ 90 const EVP_MD *mgf1md; 91 /* PSS salt length */ 92 int saltlen; 93 /* Temp buffer */ 94 unsigned char *tbuf; 95 /* OAEP label */ 96 unsigned char *oaep_label; 97 size_t oaep_labellen; 98 } RSA_PKEY_CTX; 99 100 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) 101 { 102 RSA_PKEY_CTX *rctx; 103 rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX)); 104 if (!rctx) 105 return 0; 106 rctx->nbits = 1024; 107 rctx->pub_exp = NULL; 108 rctx->pad_mode = RSA_PKCS1_PADDING; 109 rctx->md = NULL; 110 rctx->mgf1md = NULL; 111 rctx->tbuf = NULL; 112 113 rctx->saltlen = -2; 114 115 rctx->oaep_label = NULL; 116 rctx->oaep_labellen = 0; 117 118 ctx->data = rctx; 119 ctx->keygen_info = rctx->gentmp; 120 ctx->keygen_info_count = 2; 121 122 return 1; 123 } 124 125 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 126 { 127 RSA_PKEY_CTX *dctx, *sctx; 128 if (!pkey_rsa_init(dst)) 129 return 0; 130 sctx = src->data; 131 dctx = dst->data; 132 dctx->nbits = sctx->nbits; 133 if (sctx->pub_exp) { 134 dctx->pub_exp = BN_dup(sctx->pub_exp); 135 if (!dctx->pub_exp) 136 return 0; 137 } 138 dctx->pad_mode = sctx->pad_mode; 139 dctx->md = sctx->md; 140 dctx->mgf1md = sctx->mgf1md; 141 if (sctx->oaep_label) { 142 if (dctx->oaep_label) 143 OPENSSL_free(dctx->oaep_label); 144 dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen); 145 if (!dctx->oaep_label) 146 return 0; 147 dctx->oaep_labellen = sctx->oaep_labellen; 148 } 149 return 1; 150 } 151 152 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) 153 { 154 if (ctx->tbuf) 155 return 1; 156 ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey)); 157 if (!ctx->tbuf) 158 return 0; 159 return 1; 160 } 161 162 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) 163 { 164 RSA_PKEY_CTX *rctx = ctx->data; 165 if (rctx) { 166 if (rctx->pub_exp) 167 BN_free(rctx->pub_exp); 168 if (rctx->tbuf) 169 OPENSSL_free(rctx->tbuf); 170 if (rctx->oaep_label) 171 OPENSSL_free(rctx->oaep_label); 172 OPENSSL_free(rctx); 173 } 174 } 175 176 #ifdef OPENSSL_FIPS 177 /* 178 * FIP checker. Return value indicates status of context parameters: 1 : 179 * redirect to FIPS. 0 : don't redirect to FIPS. -1 : illegal operation in 180 * FIPS mode. 181 */ 182 183 static int pkey_fips_check_rsa(const RSA *rsa, const EVP_MD **pmd, 184 const EVP_MD **pmgf1md) 185 { 186 int rv = -1; 187 188 if (!FIPS_mode()) 189 return 0; 190 if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) 191 rv = 0; 192 if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv) 193 return -1; 194 if (*pmd != NULL) { 195 *pmd = FIPS_get_digestbynid(EVP_MD_type(*pmd)); 196 if (*pmd == NULL || !((*pmd)->flags & EVP_MD_FLAG_FIPS)) 197 return rv; 198 } 199 if (*pmgf1md != NULL) { 200 *pmgf1md = FIPS_get_digestbynid(EVP_MD_type(*pmgf1md)); 201 if (*pmgf1md == NULL || !((*pmgf1md)->flags & EVP_MD_FLAG_FIPS)) 202 return rv; 203 } 204 return 1; 205 } 206 #endif 207 208 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, 209 size_t *siglen, const unsigned char *tbs, 210 size_t tbslen) 211 { 212 int ret; 213 RSA_PKEY_CTX *rctx = ctx->data; 214 RSA *rsa = ctx->pkey->pkey.rsa; 215 const EVP_MD *md = rctx->md; 216 const EVP_MD *mgf1md = rctx->mgf1md; 217 218 #ifdef OPENSSL_FIPS 219 ret = pkey_fips_check_rsa(rsa, &md, &mgf1md); 220 if (ret < 0) { 221 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); 222 return -1; 223 } 224 #endif 225 226 if (md != NULL) { 227 if (tbslen != (size_t)EVP_MD_size(md)) { 228 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); 229 return -1; 230 } 231 #ifdef OPENSSL_FIPS 232 if (ret > 0) { 233 unsigned int slen; 234 ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, md, rctx->pad_mode, 235 rctx->saltlen, mgf1md, sig, &slen); 236 if (ret > 0) 237 *siglen = slen; 238 else 239 *siglen = 0; 240 return ret; 241 } 242 #endif 243 244 if (EVP_MD_type(md) == NID_mdc2) { 245 unsigned int sltmp; 246 if (rctx->pad_mode != RSA_PKCS1_PADDING) 247 return -1; 248 ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2, tbs, tbslen, sig, &sltmp, 249 rsa); 250 251 if (ret <= 0) 252 return ret; 253 ret = sltmp; 254 } else if (rctx->pad_mode == RSA_X931_PADDING) { 255 if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { 256 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); 257 return -1; 258 } 259 if (!setup_tbuf(rctx, ctx)) { 260 RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); 261 return -1; 262 } 263 memcpy(rctx->tbuf, tbs, tbslen); 264 rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(md)); 265 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, 266 sig, rsa, RSA_X931_PADDING); 267 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 268 unsigned int sltmp; 269 ret = RSA_sign(EVP_MD_type(md), tbs, tbslen, sig, &sltmp, rsa); 270 if (ret <= 0) 271 return ret; 272 ret = sltmp; 273 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 274 if (!setup_tbuf(rctx, ctx)) 275 return -1; 276 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf, tbs, 277 md, mgf1md, rctx->saltlen)) 278 return -1; 279 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 280 sig, rsa, RSA_NO_PADDING); 281 } else 282 return -1; 283 } else 284 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, 285 rctx->pad_mode); 286 if (ret < 0) 287 return ret; 288 *siglen = ret; 289 return 1; 290 } 291 292 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, 293 unsigned char *rout, size_t *routlen, 294 const unsigned char *sig, size_t siglen) 295 { 296 int ret; 297 RSA_PKEY_CTX *rctx = ctx->data; 298 299 if (rctx->md) { 300 if (rctx->pad_mode == RSA_X931_PADDING) { 301 if (!setup_tbuf(rctx, ctx)) 302 return -1; 303 ret = RSA_public_decrypt(siglen, sig, 304 rctx->tbuf, ctx->pkey->pkey.rsa, 305 RSA_X931_PADDING); 306 if (ret < 1) 307 return 0; 308 ret--; 309 if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) { 310 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 311 RSA_R_ALGORITHM_MISMATCH); 312 return 0; 313 } 314 if (ret != EVP_MD_size(rctx->md)) { 315 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 316 RSA_R_INVALID_DIGEST_LENGTH); 317 return 0; 318 } 319 if (rout) 320 memcpy(rout, rctx->tbuf, ret); 321 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { 322 size_t sltmp; 323 ret = int_rsa_verify(EVP_MD_type(rctx->md), 324 NULL, 0, rout, &sltmp, 325 sig, siglen, ctx->pkey->pkey.rsa); 326 if (ret <= 0) 327 return 0; 328 ret = sltmp; 329 } else 330 return -1; 331 } else 332 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, 333 rctx->pad_mode); 334 if (ret < 0) 335 return ret; 336 *routlen = ret; 337 return 1; 338 } 339 340 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, 341 const unsigned char *sig, size_t siglen, 342 const unsigned char *tbs, size_t tbslen) 343 { 344 RSA_PKEY_CTX *rctx = ctx->data; 345 RSA *rsa = ctx->pkey->pkey.rsa; 346 const EVP_MD *md = rctx->md; 347 const EVP_MD *mgf1md = rctx->mgf1md; 348 size_t rslen; 349 350 #ifdef OPENSSL_FIPS 351 int rv = pkey_fips_check_rsa(rsa, &md, &mgf1md); 352 353 if (rv < 0) { 354 RSAerr(RSA_F_PKEY_RSA_VERIFY, 355 RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); 356 return -1; 357 } 358 #endif 359 if (md != NULL) { 360 #ifdef OPENSSL_FIPS 361 if (rv > 0) { 362 return FIPS_rsa_verify_digest(rsa, tbs, tbslen, md, rctx->pad_mode, 363 rctx->saltlen, mgf1md, sig, siglen); 364 365 } 366 #endif 367 if (rctx->pad_mode == RSA_PKCS1_PADDING) 368 return RSA_verify(EVP_MD_type(md), tbs, tbslen, 369 sig, siglen, rsa); 370 if (tbslen != (size_t)EVP_MD_size(md)) { 371 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); 372 return -1; 373 } 374 if (rctx->pad_mode == RSA_X931_PADDING) { 375 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) 376 return 0; 377 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { 378 int ret; 379 if (!setup_tbuf(rctx, ctx)) 380 return -1; 381 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 382 rsa, RSA_NO_PADDING); 383 if (ret <= 0) 384 return 0; 385 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, md, mgf1md, 386 rctx->tbuf, rctx->saltlen); 387 if (ret <= 0) 388 return 0; 389 return 1; 390 } else 391 return -1; 392 } else { 393 if (!setup_tbuf(rctx, ctx)) 394 return -1; 395 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, 396 rsa, rctx->pad_mode); 397 if (rslen == 0) 398 return 0; 399 } 400 401 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) 402 return 0; 403 404 return 1; 405 406 } 407 408 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, 409 unsigned char *out, size_t *outlen, 410 const unsigned char *in, size_t inlen) 411 { 412 int ret; 413 RSA_PKEY_CTX *rctx = ctx->data; 414 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 415 int klen = RSA_size(ctx->pkey->pkey.rsa); 416 if (!setup_tbuf(rctx, ctx)) 417 return -1; 418 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, 419 in, inlen, 420 rctx->oaep_label, 421 rctx->oaep_labellen, 422 rctx->md, rctx->mgf1md)) 423 return -1; 424 ret = RSA_public_encrypt(klen, rctx->tbuf, out, 425 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 426 } else 427 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, 428 rctx->pad_mode); 429 if (ret < 0) 430 return ret; 431 *outlen = ret; 432 return 1; 433 } 434 435 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, 436 unsigned char *out, size_t *outlen, 437 const unsigned char *in, size_t inlen) 438 { 439 int ret; 440 RSA_PKEY_CTX *rctx = ctx->data; 441 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 442 if (!setup_tbuf(rctx, ctx)) 443 return -1; 444 ret = RSA_private_decrypt(inlen, in, rctx->tbuf, 445 ctx->pkey->pkey.rsa, RSA_NO_PADDING); 446 if (ret <= 0) 447 return ret; 448 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, 449 ret, ret, 450 rctx->oaep_label, 451 rctx->oaep_labellen, 452 rctx->md, rctx->mgf1md); 453 } else 454 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, 455 rctx->pad_mode); 456 if (ret < 0) 457 return ret; 458 *outlen = ret; 459 return 1; 460 } 461 462 static int check_padding_md(const EVP_MD *md, int padding) 463 { 464 if (!md) 465 return 1; 466 467 if (padding == RSA_NO_PADDING) { 468 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); 469 return 0; 470 } 471 472 if (padding == RSA_X931_PADDING) { 473 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) { 474 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST); 475 return 0; 476 } 477 return 1; 478 } 479 480 return 1; 481 } 482 483 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 484 { 485 RSA_PKEY_CTX *rctx = ctx->data; 486 switch (type) { 487 case EVP_PKEY_CTRL_RSA_PADDING: 488 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) { 489 if (!check_padding_md(rctx->md, p1)) 490 return 0; 491 if (p1 == RSA_PKCS1_PSS_PADDING) { 492 if (!(ctx->operation & 493 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) 494 goto bad_pad; 495 if (!rctx->md) 496 rctx->md = EVP_sha1(); 497 } 498 if (p1 == RSA_PKCS1_OAEP_PADDING) { 499 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) 500 goto bad_pad; 501 if (!rctx->md) 502 rctx->md = EVP_sha1(); 503 } 504 rctx->pad_mode = p1; 505 return 1; 506 } 507 bad_pad: 508 RSAerr(RSA_F_PKEY_RSA_CTRL, 509 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 510 return -2; 511 512 case EVP_PKEY_CTRL_GET_RSA_PADDING: 513 *(int *)p2 = rctx->pad_mode; 514 return 1; 515 516 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 517 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 518 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { 519 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 520 return -2; 521 } 522 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) 523 *(int *)p2 = rctx->saltlen; 524 else { 525 if (p1 < -2) 526 return -2; 527 rctx->saltlen = p1; 528 } 529 return 1; 530 531 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 532 if (p1 < 256) { 533 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS); 534 return -2; 535 } 536 rctx->nbits = p1; 537 return 1; 538 539 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 540 if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) { 541 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE); 542 return -2; 543 } 544 BN_free(rctx->pub_exp); 545 rctx->pub_exp = p2; 546 return 1; 547 548 case EVP_PKEY_CTRL_RSA_OAEP_MD: 549 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: 550 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 551 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 552 return -2; 553 } 554 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) 555 *(const EVP_MD **)p2 = rctx->md; 556 else 557 rctx->md = p2; 558 return 1; 559 560 case EVP_PKEY_CTRL_MD: 561 if (!check_padding_md(p2, rctx->pad_mode)) 562 return 0; 563 rctx->md = p2; 564 return 1; 565 566 case EVP_PKEY_CTRL_GET_MD: 567 *(const EVP_MD **)p2 = rctx->md; 568 return 1; 569 570 case EVP_PKEY_CTRL_RSA_MGF1_MD: 571 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 572 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING 573 && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 574 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); 575 return -2; 576 } 577 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { 578 if (rctx->mgf1md) 579 *(const EVP_MD **)p2 = rctx->mgf1md; 580 else 581 *(const EVP_MD **)p2 = rctx->md; 582 } else 583 rctx->mgf1md = p2; 584 return 1; 585 586 case EVP_PKEY_CTRL_RSA_OAEP_LABEL: 587 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 588 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 589 return -2; 590 } 591 if (rctx->oaep_label) 592 OPENSSL_free(rctx->oaep_label); 593 if (p2 && p1 > 0) { 594 rctx->oaep_label = p2; 595 rctx->oaep_labellen = p1; 596 } else { 597 rctx->oaep_label = NULL; 598 rctx->oaep_labellen = 0; 599 } 600 return 1; 601 602 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: 603 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 604 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE); 605 return -2; 606 } 607 *(unsigned char **)p2 = rctx->oaep_label; 608 return rctx->oaep_labellen; 609 610 case EVP_PKEY_CTRL_DIGESTINIT: 611 case EVP_PKEY_CTRL_PKCS7_ENCRYPT: 612 case EVP_PKEY_CTRL_PKCS7_DECRYPT: 613 case EVP_PKEY_CTRL_PKCS7_SIGN: 614 return 1; 615 #ifndef OPENSSL_NO_CMS 616 case EVP_PKEY_CTRL_CMS_DECRYPT: 617 case EVP_PKEY_CTRL_CMS_ENCRYPT: 618 case EVP_PKEY_CTRL_CMS_SIGN: 619 return 1; 620 #endif 621 case EVP_PKEY_CTRL_PEER_KEY: 622 RSAerr(RSA_F_PKEY_RSA_CTRL, 623 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 624 return -2; 625 626 default: 627 return -2; 628 629 } 630 } 631 632 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, 633 const char *type, const char *value) 634 { 635 if (!value) { 636 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); 637 return 0; 638 } 639 if (!strcmp(type, "rsa_padding_mode")) { 640 int pm; 641 if (!strcmp(value, "pkcs1")) 642 pm = RSA_PKCS1_PADDING; 643 else if (!strcmp(value, "sslv23")) 644 pm = RSA_SSLV23_PADDING; 645 else if (!strcmp(value, "none")) 646 pm = RSA_NO_PADDING; 647 else if (!strcmp(value, "oeap")) 648 pm = RSA_PKCS1_OAEP_PADDING; 649 else if (!strcmp(value, "oaep")) 650 pm = RSA_PKCS1_OAEP_PADDING; 651 else if (!strcmp(value, "x931")) 652 pm = RSA_X931_PADDING; 653 else if (!strcmp(value, "pss")) 654 pm = RSA_PKCS1_PSS_PADDING; 655 else { 656 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE); 657 return -2; 658 } 659 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); 660 } 661 662 if (!strcmp(type, "rsa_pss_saltlen")) { 663 int saltlen; 664 saltlen = atoi(value); 665 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); 666 } 667 668 if (!strcmp(type, "rsa_keygen_bits")) { 669 int nbits; 670 nbits = atoi(value); 671 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); 672 } 673 674 if (!strcmp(type, "rsa_keygen_pubexp")) { 675 int ret; 676 BIGNUM *pubexp = NULL; 677 if (!BN_asc2bn(&pubexp, value)) 678 return 0; 679 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); 680 if (ret <= 0) 681 BN_free(pubexp); 682 return ret; 683 } 684 685 if (!strcmp(type, "rsa_mgf1_md")) { 686 const EVP_MD *md; 687 if (!(md = EVP_get_digestbyname(value))) { 688 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_INVALID_DIGEST); 689 return 0; 690 } 691 return EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md); 692 } 693 694 if (!strcmp(type, "rsa_oaep_md")) { 695 const EVP_MD *md; 696 if (!(md = EVP_get_digestbyname(value))) { 697 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_INVALID_DIGEST); 698 return 0; 699 } 700 return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md); 701 } 702 if (!strcmp(type, "rsa_oaep_label")) { 703 unsigned char *lab; 704 long lablen; 705 int ret; 706 lab = string_to_hex(value, &lablen); 707 if (!lab) 708 return 0; 709 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); 710 if (ret <= 0) 711 OPENSSL_free(lab); 712 return ret; 713 } 714 715 return -2; 716 } 717 718 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 719 { 720 RSA *rsa = NULL; 721 RSA_PKEY_CTX *rctx = ctx->data; 722 BN_GENCB *pcb, cb; 723 int ret; 724 if (!rctx->pub_exp) { 725 rctx->pub_exp = BN_new(); 726 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) 727 return 0; 728 } 729 rsa = RSA_new(); 730 if (!rsa) 731 return 0; 732 if (ctx->pkey_gencb) { 733 pcb = &cb; 734 evp_pkey_set_cb_translate(pcb, ctx); 735 } else 736 pcb = NULL; 737 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb); 738 if (ret > 0) 739 EVP_PKEY_assign_RSA(pkey, rsa); 740 else 741 RSA_free(rsa); 742 return ret; 743 } 744 745 const EVP_PKEY_METHOD rsa_pkey_meth = { 746 EVP_PKEY_RSA, 747 EVP_PKEY_FLAG_AUTOARGLEN, 748 pkey_rsa_init, 749 pkey_rsa_copy, 750 pkey_rsa_cleanup, 751 752 0, 0, 753 754 0, 755 pkey_rsa_keygen, 756 757 0, 758 pkey_rsa_sign, 759 760 0, 761 pkey_rsa_verify, 762 763 0, 764 pkey_rsa_verifyrecover, 765 766 0, 0, 0, 0, 767 768 0, 769 pkey_rsa_encrypt, 770 771 0, 772 pkey_rsa_decrypt, 773 774 0, 0, 775 776 pkey_rsa_ctrl, 777 pkey_rsa_ctrl_str 778 }; 779