xref: /freebsd/crypto/openssl/crypto/rsa/rsa_pmeth.c (revision c81495a621c461b3d3395a7c5b0e73458201c443)
1 /*
2  * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * RSA low level APIs are deprecated for public use, but still ok for
12  * internal use.
13  */
14 #include "internal/deprecated.h"
15 
16 #include "internal/constant_time.h"
17 
18 #include <stdio.h>
19 #include "internal/cryptlib.h"
20 #include <openssl/asn1t.h>
21 #include <openssl/x509.h>
22 #include <openssl/rsa.h>
23 #include <openssl/bn.h>
24 #include <openssl/evp.h>
25 #include <openssl/x509v3.h>
26 #include <openssl/cms.h>
27 #include "crypto/evp.h"
28 #include "crypto/rsa.h"
29 #include "rsa_local.h"
30 
31 /* RSA pkey context structure */
32 
33 typedef struct {
34     /* Key gen parameters */
35     int nbits;
36     BIGNUM *pub_exp;
37     int primes;
38     /* Keygen callback info */
39     int gentmp[2];
40     /* RSA padding mode */
41     int pad_mode;
42     /* message digest */
43     const EVP_MD *md;
44     /* message digest for MGF1 */
45     const EVP_MD *mgf1md;
46     /* PSS salt length */
47     int saltlen;
48     /* Minimum salt length or -1 if no PSS parameter restriction */
49     int min_saltlen;
50     /* Temp buffer */
51     unsigned char *tbuf;
52     /* OAEP label */
53     unsigned char *oaep_label;
54     size_t oaep_labellen;
55 } RSA_PKEY_CTX;
56 
57 /* True if PSS parameters are restricted */
58 #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
59 
60 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
61 {
62     RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx));
63 
64     if (rctx == NULL)
65         return 0;
66     rctx->nbits = 2048;
67     rctx->primes = RSA_DEFAULT_PRIME_NUM;
68     if (pkey_ctx_is_pss(ctx))
69         rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
70     else
71         rctx->pad_mode = RSA_PKCS1_PADDING;
72     /* Maximum for sign, auto for verify */
73     rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
74     rctx->min_saltlen = -1;
75     ctx->data = rctx;
76     ctx->keygen_info = rctx->gentmp;
77     ctx->keygen_info_count = 2;
78 
79     return 1;
80 }
81 
82 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
83 {
84     RSA_PKEY_CTX *dctx, *sctx;
85 
86     if (!pkey_rsa_init(dst))
87         return 0;
88     sctx = src->data;
89     dctx = dst->data;
90     dctx->nbits = sctx->nbits;
91     if (sctx->pub_exp) {
92         dctx->pub_exp = BN_dup(sctx->pub_exp);
93         if (!dctx->pub_exp)
94             return 0;
95     }
96     dctx->pad_mode = sctx->pad_mode;
97     dctx->md = sctx->md;
98     dctx->mgf1md = sctx->mgf1md;
99     dctx->saltlen = sctx->saltlen;
100     if (sctx->oaep_label) {
101         OPENSSL_free(dctx->oaep_label);
102         dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
103         if (!dctx->oaep_label)
104             return 0;
105         dctx->oaep_labellen = sctx->oaep_labellen;
106     }
107     return 1;
108 }
109 
110 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
111 {
112     if (ctx->tbuf != NULL)
113         return 1;
114     if ((ctx->tbuf =
115             OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pk->pkey)))) == NULL) {
116         ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
117         return 0;
118     }
119     return 1;
120 }
121 
122 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
123 {
124     RSA_PKEY_CTX *rctx = ctx->data;
125     if (rctx) {
126         BN_free(rctx->pub_exp);
127         OPENSSL_free(rctx->tbuf);
128         OPENSSL_free(rctx->oaep_label);
129         OPENSSL_free(rctx);
130     }
131 }
132 
133 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
134                          size_t *siglen, const unsigned char *tbs,
135                          size_t tbslen)
136 {
137     int ret;
138     RSA_PKEY_CTX *rctx = ctx->data;
139     /*
140      * Discard const. Its marked as const because this may be a cached copy of
141      * the "real" key. These calls don't make any modifications that need to
142      * be reflected back in the "original" key.
143      */
144     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
145 
146     if (rctx->md) {
147         if (tbslen != (size_t)EVP_MD_get_size(rctx->md)) {
148             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
149             return -1;
150         }
151 
152         if (EVP_MD_get_type(rctx->md) == NID_mdc2) {
153             unsigned int sltmp;
154             if (rctx->pad_mode != RSA_PKCS1_PADDING)
155                 return -1;
156             ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, rsa);
157 
158             if (ret <= 0)
159                 return ret;
160             ret = sltmp;
161         } else if (rctx->pad_mode == RSA_X931_PADDING) {
162             if ((size_t)RSA_size(rsa) < tbslen + 1) {
163                 ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
164                 return -1;
165             }
166             if (!setup_tbuf(rctx, ctx)) {
167                 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
168                 return -1;
169             }
170             memcpy(rctx->tbuf, tbs, tbslen);
171             rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_get_type(rctx->md));
172             ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
173                                       sig, rsa, RSA_X931_PADDING);
174         } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
175             unsigned int sltmp;
176             ret = RSA_sign(EVP_MD_get_type(rctx->md),
177                            tbs, tbslen, sig, &sltmp, rsa);
178             if (ret <= 0)
179                 return ret;
180             ret = sltmp;
181         } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
182             if (!setup_tbuf(rctx, ctx))
183                 return -1;
184             if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
185                                                 rctx->tbuf, tbs,
186                                                 rctx->md, rctx->mgf1md,
187                                                 rctx->saltlen))
188                 return -1;
189             ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
190                                       sig, rsa, RSA_NO_PADDING);
191         } else {
192             return -1;
193         }
194     } else {
195         ret = RSA_private_encrypt(tbslen, tbs, sig, rsa, rctx->pad_mode);
196     }
197     if (ret < 0)
198         return ret;
199     *siglen = ret;
200     return 1;
201 }
202 
203 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
204                                   unsigned char *rout, size_t *routlen,
205                                   const unsigned char *sig, size_t siglen)
206 {
207     int ret;
208     RSA_PKEY_CTX *rctx = ctx->data;
209     /*
210      * Discard const. Its marked as const because this may be a cached copy of
211      * the "real" key. These calls don't make any modifications that need to
212      * be reflected back in the "original" key.
213      */
214     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
215 
216     if (rctx->md) {
217         if (rctx->pad_mode == RSA_X931_PADDING) {
218             if (!setup_tbuf(rctx, ctx))
219                 return -1;
220             ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
221                                      RSA_X931_PADDING);
222             if (ret < 1)
223                 return 0;
224             ret--;
225             if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_get_type(rctx->md))) {
226                 ERR_raise(ERR_LIB_RSA, RSA_R_ALGORITHM_MISMATCH);
227                 return 0;
228             }
229             if (ret != EVP_MD_get_size(rctx->md)) {
230                 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
231                 return 0;
232             }
233             if (rout)
234                 memcpy(rout, rctx->tbuf, ret);
235         } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
236             size_t sltmp;
237             ret = ossl_rsa_verify(EVP_MD_get_type(rctx->md),
238                                   NULL, 0, rout, &sltmp,
239                                   sig, siglen, rsa);
240             if (ret <= 0)
241                 return 0;
242             ret = sltmp;
243         } else {
244             return -1;
245         }
246     } else {
247         ret = RSA_public_decrypt(siglen, sig, rout, rsa, rctx->pad_mode);
248     }
249     if (ret < 0)
250         return ret;
251     *routlen = ret;
252     return 1;
253 }
254 
255 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
256                            const unsigned char *sig, size_t siglen,
257                            const unsigned char *tbs, size_t tbslen)
258 {
259     RSA_PKEY_CTX *rctx = ctx->data;
260     /*
261      * Discard const. Its marked as const because this may be a cached copy of
262      * the "real" key. These calls don't make any modifications that need to
263      * be reflected back in the "original" key.
264      */
265     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
266     size_t rslen;
267 
268     if (rctx->md) {
269         if (rctx->pad_mode == RSA_PKCS1_PADDING)
270             return RSA_verify(EVP_MD_get_type(rctx->md), tbs, tbslen,
271                               sig, siglen, rsa);
272         if (tbslen != (size_t)EVP_MD_get_size(rctx->md)) {
273             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH);
274             return -1;
275         }
276         if (rctx->pad_mode == RSA_X931_PADDING) {
277             if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
278                 return 0;
279         } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
280             int ret;
281             if (!setup_tbuf(rctx, ctx))
282                 return -1;
283             ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
284                                      rsa, RSA_NO_PADDING);
285             if (ret <= 0)
286                 return 0;
287             ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
288                                             rctx->md, rctx->mgf1md,
289                                             rctx->tbuf, rctx->saltlen);
290             if (ret <= 0)
291                 return 0;
292             return 1;
293         } else {
294             return -1;
295         }
296     } else {
297         if (!setup_tbuf(rctx, ctx))
298             return -1;
299         rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
300                                    rsa, rctx->pad_mode);
301         if (rslen == 0)
302             return 0;
303     }
304 
305     if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
306         return 0;
307 
308     return 1;
309 
310 }
311 
312 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
313                             unsigned char *out, size_t *outlen,
314                             const unsigned char *in, size_t inlen)
315 {
316     int ret;
317     RSA_PKEY_CTX *rctx = ctx->data;
318     /*
319      * Discard const. Its marked as const because this may be a cached copy of
320      * the "real" key. These calls don't make any modifications that need to
321      * be reflected back in the "original" key.
322      */
323     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
324 
325     if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
326         int klen = RSA_size(rsa);
327         if (!setup_tbuf(rctx, ctx))
328             return -1;
329         if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
330                                              in, inlen,
331                                              rctx->oaep_label,
332                                              rctx->oaep_labellen,
333                                              rctx->md, rctx->mgf1md))
334             return -1;
335         ret = RSA_public_encrypt(klen, rctx->tbuf, out, rsa, RSA_NO_PADDING);
336     } else {
337         ret = RSA_public_encrypt(inlen, in, out, rsa, rctx->pad_mode);
338     }
339     if (ret < 0)
340         return ret;
341     *outlen = ret;
342     return 1;
343 }
344 
345 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
346                             unsigned char *out, size_t *outlen,
347                             const unsigned char *in, size_t inlen)
348 {
349     int ret;
350     RSA_PKEY_CTX *rctx = ctx->data;
351     /*
352      * Discard const. Its marked as const because this may be a cached copy of
353      * the "real" key. These calls don't make any modifications that need to
354      * be reflected back in the "original" key.
355      */
356     RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);
357 
358     if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
359         if (!setup_tbuf(rctx, ctx))
360             return -1;
361         ret = RSA_private_decrypt(inlen, in, rctx->tbuf, rsa, RSA_NO_PADDING);
362         if (ret <= 0)
363             return ret;
364         ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
365                                                 ret, ret,
366                                                 rctx->oaep_label,
367                                                 rctx->oaep_labellen,
368                                                 rctx->md, rctx->mgf1md);
369     } else {
370         ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode);
371     }
372     *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
373     ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
374     return ret;
375 }
376 
377 static int check_padding_md(const EVP_MD *md, int padding)
378 {
379     int mdnid;
380 
381     if (!md)
382         return 1;
383 
384     mdnid = EVP_MD_get_type(md);
385 
386     if (padding == RSA_NO_PADDING) {
387         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
388         return 0;
389     }
390 
391     if (padding == RSA_X931_PADDING) {
392         if (RSA_X931_hash_id(mdnid) == -1) {
393             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_X931_DIGEST);
394             return 0;
395         }
396     } else {
397         switch(mdnid) {
398         /* List of all supported RSA digests */
399         case NID_sha1:
400         case NID_sha224:
401         case NID_sha256:
402         case NID_sha384:
403         case NID_sha512:
404         case NID_sha512_224:
405         case NID_sha512_256:
406         case NID_md5:
407         case NID_md5_sha1:
408         case NID_md2:
409         case NID_md4:
410         case NID_mdc2:
411         case NID_ripemd160:
412         case NID_sha3_224:
413         case NID_sha3_256:
414         case NID_sha3_384:
415         case NID_sha3_512:
416             return 1;
417 
418         default:
419             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST);
420             return 0;
421 
422         }
423     }
424 
425     return 1;
426 }
427 
428 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
429 {
430     RSA_PKEY_CTX *rctx = ctx->data;
431 
432     switch (type) {
433     case EVP_PKEY_CTRL_RSA_PADDING:
434         if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
435             if (!check_padding_md(rctx->md, p1))
436                 return 0;
437             if (p1 == RSA_PKCS1_PSS_PADDING) {
438                 if (!(ctx->operation &
439                       (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
440                     goto bad_pad;
441                 if (!rctx->md)
442                     rctx->md = EVP_sha1();
443             } else if (pkey_ctx_is_pss(ctx)) {
444                 goto bad_pad;
445             }
446             if (p1 == RSA_PKCS1_OAEP_PADDING) {
447                 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
448                     goto bad_pad;
449                 if (!rctx->md)
450                     rctx->md = EVP_sha1();
451             }
452             rctx->pad_mode = p1;
453             return 1;
454         }
455  bad_pad:
456         ERR_raise(ERR_LIB_RSA, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
457         return -2;
458 
459     case EVP_PKEY_CTRL_GET_RSA_PADDING:
460         *(int *)p2 = rctx->pad_mode;
461         return 1;
462 
463     case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
464     case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
465         if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
466             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN);
467             return -2;
468         }
469         if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
470             *(int *)p2 = rctx->saltlen;
471         } else {
472             if (p1 < RSA_PSS_SALTLEN_MAX)
473                 return -2;
474             if (rsa_pss_restricted(rctx)) {
475                 if (p1 == RSA_PSS_SALTLEN_AUTO
476                     && ctx->operation == EVP_PKEY_OP_VERIFY) {
477                     ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN);
478                     return -2;
479                 }
480                 if ((p1 == RSA_PSS_SALTLEN_DIGEST
481                      && rctx->min_saltlen > EVP_MD_get_size(rctx->md))
482                     || (p1 >= 0 && p1 < rctx->min_saltlen)) {
483                     ERR_raise(ERR_LIB_RSA, RSA_R_PSS_SALTLEN_TOO_SMALL);
484                     return 0;
485                 }
486             }
487             rctx->saltlen = p1;
488         }
489         return 1;
490 
491     case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
492         if (p1 < RSA_MIN_MODULUS_BITS) {
493             ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
494             return -2;
495         }
496         rctx->nbits = p1;
497         return 1;
498 
499     case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
500         if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) {
501             ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
502             return -2;
503         }
504         BN_free(rctx->pub_exp);
505         rctx->pub_exp = p2;
506         return 1;
507 
508     case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES:
509         if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) {
510             ERR_raise(ERR_LIB_RSA, RSA_R_KEY_PRIME_NUM_INVALID);
511             return -2;
512         }
513         rctx->primes = p1;
514         return 1;
515 
516     case EVP_PKEY_CTRL_RSA_OAEP_MD:
517     case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
518         if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
519             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
520             return -2;
521         }
522         if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
523             *(const EVP_MD **)p2 = rctx->md;
524         else
525             rctx->md = p2;
526         return 1;
527 
528     case EVP_PKEY_CTRL_MD:
529         if (!check_padding_md(p2, rctx->pad_mode))
530             return 0;
531         if (rsa_pss_restricted(rctx)) {
532             if (EVP_MD_get_type(rctx->md) == EVP_MD_get_type(p2))
533                 return 1;
534             ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
535             return 0;
536         }
537         rctx->md = p2;
538         return 1;
539 
540     case EVP_PKEY_CTRL_GET_MD:
541         *(const EVP_MD **)p2 = rctx->md;
542         return 1;
543 
544     case EVP_PKEY_CTRL_RSA_MGF1_MD:
545     case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
546         if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
547             && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
548             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MGF1_MD);
549             return -2;
550         }
551         if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
552             if (rctx->mgf1md)
553                 *(const EVP_MD **)p2 = rctx->mgf1md;
554             else
555                 *(const EVP_MD **)p2 = rctx->md;
556         } else {
557             if (rsa_pss_restricted(rctx)) {
558                 if (EVP_MD_get_type(rctx->mgf1md) == EVP_MD_get_type(p2))
559                     return 1;
560                 ERR_raise(ERR_LIB_RSA, RSA_R_MGF1_DIGEST_NOT_ALLOWED);
561                 return 0;
562             }
563             rctx->mgf1md = p2;
564         }
565         return 1;
566 
567     case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
568         if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
569             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
570             return -2;
571         }
572         OPENSSL_free(rctx->oaep_label);
573         if (p2 && p1 > 0) {
574             rctx->oaep_label = p2;
575             rctx->oaep_labellen = p1;
576         } else {
577             rctx->oaep_label = NULL;
578             rctx->oaep_labellen = 0;
579         }
580         return 1;
581 
582     case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
583         if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
584             ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
585             return -2;
586         }
587         *(unsigned char **)p2 = rctx->oaep_label;
588         return rctx->oaep_labellen;
589 
590     case EVP_PKEY_CTRL_DIGESTINIT:
591     case EVP_PKEY_CTRL_PKCS7_SIGN:
592 #ifndef OPENSSL_NO_CMS
593     case EVP_PKEY_CTRL_CMS_SIGN:
594 #endif
595     return 1;
596 
597     case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
598     case EVP_PKEY_CTRL_PKCS7_DECRYPT:
599 #ifndef OPENSSL_NO_CMS
600     case EVP_PKEY_CTRL_CMS_DECRYPT:
601     case EVP_PKEY_CTRL_CMS_ENCRYPT:
602 #endif
603     if (!pkey_ctx_is_pss(ctx))
604         return 1;
605     /* fall through */
606     case EVP_PKEY_CTRL_PEER_KEY:
607         ERR_raise(ERR_LIB_RSA, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
608         return -2;
609 
610     default:
611         return -2;
612 
613     }
614 }
615 
616 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
617                              const char *type, const char *value)
618 {
619     if (value == NULL) {
620         ERR_raise(ERR_LIB_RSA, RSA_R_VALUE_MISSING);
621         return 0;
622     }
623     if (strcmp(type, "rsa_padding_mode") == 0) {
624         int pm;
625 
626         if (strcmp(value, "pkcs1") == 0) {
627             pm = RSA_PKCS1_PADDING;
628         } else if (strcmp(value, "none") == 0) {
629             pm = RSA_NO_PADDING;
630         } else if (strcmp(value, "oeap") == 0) {
631             pm = RSA_PKCS1_OAEP_PADDING;
632         } else if (strcmp(value, "oaep") == 0) {
633             pm = RSA_PKCS1_OAEP_PADDING;
634         } else if (strcmp(value, "x931") == 0) {
635             pm = RSA_X931_PADDING;
636         } else if (strcmp(value, "pss") == 0) {
637             pm = RSA_PKCS1_PSS_PADDING;
638         } else {
639             ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
640             return -2;
641         }
642         return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
643     }
644 
645     if (strcmp(type, "rsa_pss_saltlen") == 0) {
646         int saltlen;
647 
648         if (!strcmp(value, "digest"))
649             saltlen = RSA_PSS_SALTLEN_DIGEST;
650         else if (!strcmp(value, "max"))
651             saltlen = RSA_PSS_SALTLEN_MAX;
652         else if (!strcmp(value, "auto"))
653             saltlen = RSA_PSS_SALTLEN_AUTO;
654         else
655             saltlen = atoi(value);
656         return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
657     }
658 
659     if (strcmp(type, "rsa_keygen_bits") == 0) {
660         int nbits = atoi(value);
661 
662         return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
663     }
664 
665     if (strcmp(type, "rsa_keygen_pubexp") == 0) {
666         int ret;
667 
668         BIGNUM *pubexp = NULL;
669         if (!BN_asc2bn(&pubexp, value))
670             return 0;
671         ret = EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, pubexp);
672         BN_free(pubexp);
673         return ret;
674     }
675 
676     if (strcmp(type, "rsa_keygen_primes") == 0) {
677         int nprimes = atoi(value);
678 
679         return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes);
680     }
681 
682     if (strcmp(type, "rsa_mgf1_md") == 0)
683         return EVP_PKEY_CTX_md(ctx,
684                                EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
685                                EVP_PKEY_CTRL_RSA_MGF1_MD, value);
686 
687     if (pkey_ctx_is_pss(ctx)) {
688 
689         if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
690             return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
691                                    EVP_PKEY_CTRL_RSA_MGF1_MD, value);
692 
693         if (strcmp(type, "rsa_pss_keygen_md") == 0)
694             return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
695                                    EVP_PKEY_CTRL_MD, value);
696 
697         if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
698             int saltlen = atoi(value);
699 
700             return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
701         }
702     }
703 
704     if (strcmp(type, "rsa_oaep_md") == 0)
705         return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
706                                EVP_PKEY_CTRL_RSA_OAEP_MD, value);
707 
708     if (strcmp(type, "rsa_oaep_label") == 0) {
709         unsigned char *lab;
710         long lablen;
711         int ret;
712 
713         lab = OPENSSL_hexstr2buf(value, &lablen);
714         if (!lab)
715             return 0;
716         ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
717         if (ret <= 0)
718             OPENSSL_free(lab);
719         return ret;
720     }
721 
722     return -2;
723 }
724 
725 /* Set PSS parameters when generating a key, if necessary */
726 static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
727 {
728     RSA_PKEY_CTX *rctx = ctx->data;
729 
730     if (!pkey_ctx_is_pss(ctx))
731         return 1;
732     /* If all parameters are default values don't set pss */
733     if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2)
734         return 1;
735     rsa->pss = ossl_rsa_pss_params_create(rctx->md, rctx->mgf1md,
736                                           rctx->saltlen == -2
737                                           ? 0 : rctx->saltlen);
738     if (rsa->pss == NULL)
739         return 0;
740     return 1;
741 }
742 
743 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
744 {
745     RSA *rsa = NULL;
746     RSA_PKEY_CTX *rctx = ctx->data;
747     BN_GENCB *pcb;
748     int ret;
749 
750     if (rctx->pub_exp == NULL) {
751         rctx->pub_exp = BN_new();
752         if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4))
753             return 0;
754     }
755     rsa = RSA_new();
756     if (rsa == NULL)
757         return 0;
758     if (ctx->pkey_gencb) {
759         pcb = BN_GENCB_new();
760         if (pcb == NULL) {
761             RSA_free(rsa);
762             return 0;
763         }
764         evp_pkey_set_cb_translate(pcb, ctx);
765     } else {
766         pcb = NULL;
767     }
768     ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes,
769                                        rctx->pub_exp, pcb);
770     BN_GENCB_free(pcb);
771     if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) {
772         RSA_free(rsa);
773         return 0;
774     }
775     if (ret > 0)
776         EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
777     else
778         RSA_free(rsa);
779     return ret;
780 }
781 
782 static const EVP_PKEY_METHOD rsa_pkey_meth = {
783     EVP_PKEY_RSA,
784     EVP_PKEY_FLAG_AUTOARGLEN,
785     pkey_rsa_init,
786     pkey_rsa_copy,
787     pkey_rsa_cleanup,
788 
789     0, 0,
790 
791     0,
792     pkey_rsa_keygen,
793 
794     0,
795     pkey_rsa_sign,
796 
797     0,
798     pkey_rsa_verify,
799 
800     0,
801     pkey_rsa_verifyrecover,
802 
803     0, 0, 0, 0,
804 
805     0,
806     pkey_rsa_encrypt,
807 
808     0,
809     pkey_rsa_decrypt,
810 
811     0, 0,
812 
813     pkey_rsa_ctrl,
814     pkey_rsa_ctrl_str
815 };
816 
817 const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void)
818 {
819     return &rsa_pkey_meth;
820 }
821 
822 /*
823  * Called for PSS sign or verify initialisation: checks PSS parameter
824  * sanity and sets any restrictions on key usage.
825  */
826 
827 static int pkey_pss_init(EVP_PKEY_CTX *ctx)
828 {
829     const RSA *rsa;
830     RSA_PKEY_CTX *rctx = ctx->data;
831     const EVP_MD *md;
832     const EVP_MD *mgf1md;
833     int min_saltlen, max_saltlen;
834 
835     /* Should never happen */
836     if (!pkey_ctx_is_pss(ctx))
837         return 0;
838     rsa = EVP_PKEY_get0_RSA(ctx->pkey);
839     /* If no restrictions just return */
840     if (rsa->pss == NULL)
841         return 1;
842     /* Get and check parameters */
843     if (!ossl_rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
844         return 0;
845 
846     /* See if minimum salt length exceeds maximum possible */
847     max_saltlen = RSA_size(rsa) - EVP_MD_get_size(md);
848     if ((RSA_bits(rsa) & 0x7) == 1)
849         max_saltlen--;
850     if (min_saltlen > max_saltlen) {
851         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
852         return 0;
853     }
854 
855     rctx->min_saltlen = min_saltlen;
856 
857     /*
858      * Set PSS restrictions as defaults: we can then block any attempt to
859      * use invalid values in pkey_rsa_ctrl
860      */
861 
862     rctx->md = md;
863     rctx->mgf1md = mgf1md;
864     rctx->saltlen = min_saltlen;
865 
866     return 1;
867 }
868 
869 static const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
870     EVP_PKEY_RSA_PSS,
871     EVP_PKEY_FLAG_AUTOARGLEN,
872     pkey_rsa_init,
873     pkey_rsa_copy,
874     pkey_rsa_cleanup,
875 
876     0, 0,
877 
878     0,
879     pkey_rsa_keygen,
880 
881     pkey_pss_init,
882     pkey_rsa_sign,
883 
884     pkey_pss_init,
885     pkey_rsa_verify,
886 
887     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
888 
889     pkey_rsa_ctrl,
890     pkey_rsa_ctrl_str
891 };
892 
893 const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void)
894 {
895     return &rsa_pss_pkey_meth;
896 }
897