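/* crypto/rsa/rsa_pmeth.c */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
/* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com). This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/rsa.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#ifndef OPENSSL_NO_CMS
#include <openssl/cms.h>
#endif
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif
#include "evp_locl.h"
#include "rsa_locl.h"

/* RSA pkey context structure */

typedef struct {
    /* Key gen parameters */
    int nbits;
    BIGNUM *pub_exp;
    /* Keygen callback info */
    int gentmp[2];
    /* RSA padding mode */
    int pad_mode;
    /* message digest */
    const EVP_MD *md;
    /* message digest for MGF1 */
    const EVP_MD *mgf1md;
    /* PSS/OAEP salt length */
    int saltlen;
    /* Temp buffer */
    unsigned char *tbuf;
} RSA_PKEY_CTX;

/*
 * Allocate the RSA-specific context, fill in its defaults and attach it to
 * ctx. Returns 1 on success, 0 if the allocation fails.
 */
static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
{
    RSA_PKEY_CTX *rctx;

    rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
    if (!rctx)
        return 0;
    /*
     * NOTE(review): the 1024-bit key generation default is kept for
     * compatibility; it is below the 2048-bit minimum that current guidance
     * asks for, so callers should set the key size explicitly.
     */
    rctx->nbits = 1024;
    rctx->pub_exp = NULL;
    rctx->pad_mode = RSA_PKCS1_PADDING;
    rctx->md = NULL;
    rctx->mgf1md = NULL;
    rctx->tbuf = NULL;

    rctx->saltlen = -2;

    ctx->data = rctx;
    ctx->keygen_info = rctx->gentmp;
    ctx->keygen_info_count = 2;

    return 1;
}

/*
 * Initialise dst and copy the RSA parameters of src into it. The public
 * exponent is duplicated so each context owns its own BIGNUM; the temp
 * buffer is not copied and is reallocated on demand by setup_tbuf().
 * Returns 1 on success, 0 on allocation failure.
 */
static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
{
    RSA_PKEY_CTX *dctx, *sctx;

    if (!pkey_rsa_init(dst))
        return 0;
    sctx = src->data;
    dctx = dst->data;
    dctx->nbits = sctx->nbits;
    if (sctx->pub_exp) {
        dctx->pub_exp = BN_dup(sctx->pub_exp);
        /* dst->data stays attached; presumably the caller cleans up dst */
        if (!dctx->pub_exp)
            return 0;
    }
    dctx->pad_mode = sctx->pad_mode;
    dctx->md = sctx->md;
    /*
     * Carry over the PSS parameters as well. Without these a duplicated
     * context silently falls back to the defaults set by pkey_rsa_init()
     * (no MGF1 digest, salt length -2) and would sign or verify with
     * different parameters than the context it was copied from.
     */
    dctx->mgf1md = sctx->mgf1md;
    dctx->saltlen = sctx->saltlen;
    return 1;
}

/*
 * Make sure ctx->tbuf exists. The buffer is EVP_PKEY_size(pk->pkey) bytes
 * and is allocated once, on first use. Returns 1 on success, 0 on failure.
 */
static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
{
    if (ctx->tbuf)
        return 1;
    ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
    if (!ctx->tbuf)
        return 0;
    return 1;
}

/* Release everything owned by the RSA context attached to ctx. */
static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
{
    RSA_PKEY_CTX *rctx = ctx->data;

    if (rctx) {
        if (rctx->pub_exp)
            BN_free(rctx->pub_exp);
        if (rctx->tbuf)
            OPENSSL_free(rctx->tbuf);
        OPENSSL_free(rctx);
    }
}

#ifdef OPENSSL_FIPS
/* FIP checker. Return value indicates status of context parameters:
 * 1  : redirect to FIPS.
 * 0  : don't redirect to FIPS.
 * -1 : illegal operation in FIPS mode.
 */

static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
{
    RSA_PKEY_CTX *rctx = ctx->data;
    RSA *rsa = ctx->pkey->pkey.rsa;
    int rv = -1;

    if (!FIPS_mode())
        return 0;
    /* A key flagged RSA_FLAG_NON_FIPS_ALLOW downgrades "illegal" to "don't redirect" */
    if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
        rv = 0;
    /* Non-FIPS RSA method: illegal unless the key carried the allow flag */
    if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
        return -1;
    /* A digest without the FIPS flag yields rv (0 or -1, see above) */
    if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
        return rv;
    if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
        return rv;
    return 1;
}
#endif

/*
 * Sign the digest (or raw data when no digest is configured) in tbs.
 *
 * With a digest set, tbslen must equal the digest size and the padding mode
 * selects the scheme: MDC2 octet-string signatures, X9.31, PKCS#1 v1.5 or
 * PSS. Without a digest the input is passed to RSA_private_encrypt() with
 * the configured padding mode.
 *
 * Returns 1 and stores the signature length in *siglen on success, a value
 * <= 0 on failure.
 */
static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                         const unsigned char *tbs, size_t tbslen)
{
    int ret;
    RSA_PKEY_CTX *rctx = ctx->data;
    RSA *rsa = ctx->pkey->pkey.rsa;

#ifdef OPENSSL_FIPS
    ret = pkey_fips_check_ctx(ctx);
    if (ret < 0) {
        RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
        return -1;
    }
#endif

    if (rctx->md) {
        if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
            RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
            return -1;
        }
#ifdef OPENSSL_FIPS
        if (ret > 0) {
            unsigned int slen;

            ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
                                       rctx->pad_mode,
                                       rctx->saltlen,
                                       rctx->mgf1md,
                                       sig, &slen);
            if (ret > 0)
                *siglen = slen;
            else
                *siglen = 0;
            return ret;
        }
#endif

        if (EVP_MD_type(rctx->md) == NID_mdc2) {
            unsigned int sltmp;

            if (rctx->pad_mode != RSA_PKCS1_PADDING)
                return -1;
            ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
                                             tbs, tbslen, sig, &sltmp, rsa);

            if (ret <= 0)
                return ret;
            ret = sltmp;
        } else if (rctx->pad_mode == RSA_X931_PADDING) {
            /*
             * The digest plus one hash-id byte is staged in tbuf, which is
             * only EVP_PKEY_size() bytes long. Refuse keys too small for
             * the chosen digest instead of writing past the buffer.
             */
            if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
                RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL);
                return -1;
            }
            if (!setup_tbuf(rctx, ctx))
                return -1;
            memcpy(rctx->tbuf, tbs, tbslen);
            rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md));
            ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
                                      sig, rsa, RSA_X931_PADDING);
        } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
            unsigned int sltmp;

            ret = RSA_sign(EVP_MD_type(rctx->md),
                           tbs, tbslen, sig, &sltmp, rsa);
            if (ret <= 0)
                return ret;
            ret = sltmp;
        } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
            if (!setup_tbuf(rctx, ctx))
                return -1;
            /* Build the PSS encoded message in tbuf, then apply raw RSA */
            if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
                                                rctx->tbuf, tbs,
                                                rctx->md, rctx->mgf1md,
                                                rctx->saltlen))
                return -1;
            ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
                                      sig, rsa, RSA_NO_PADDING);
        } else
            return -1;
    } else
        ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
                                  rctx->pad_mode);
    if (ret < 0)
        return ret;
    *siglen = ret;
    return 1;
}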
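/*
 * Recover the signed data from sig.
 *
 * With a digest set, only X9.31 and PKCS#1 v1.5 padding are supported: the
 * X9.31 path checks the trailing hash-id byte and the digest length and
 * copies the digest to rout only when rout is non-NULL (the digest always
 * remains in rctx->tbuf). Without a digest the signature is passed to
 * RSA_public_decrypt() with the configured padding mode.
 *
 * Returns 1 and stores the recovered length in *routlen on success, 0 on a
 * bad signature, a negative value on other errors.
 */
static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
                                  unsigned char *rout, size_t *routlen,
                                  const unsigned char *sig, size_t siglen)
{
    int ret;
    RSA_PKEY_CTX *rctx = ctx->data;

    if (rctx->md) {
        if (rctx->pad_mode == RSA_X931_PADDING) {
            if (!setup_tbuf(rctx, ctx))
                return -1;
            ret = RSA_public_decrypt(siglen, sig,
                                     rctx->tbuf, ctx->pkey->pkey.rsa,
                                     RSA_X931_PADDING);
            if (ret < 1)
                return 0;
            /* Last recovered byte is the hash id; the rest is the digest */
            ret--;
            if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
                RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
                       RSA_R_ALGORITHM_MISMATCH);
                return 0;
            }
            if (ret != EVP_MD_size(rctx->md)) {
                RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
                       RSA_R_INVALID_DIGEST_LENGTH);
                return 0;
            }
            if (rout)
                memcpy(rout, rctx->tbuf, ret);
        } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
            size_t sltmp;

            ret = int_rsa_verify(EVP_MD_type(rctx->md),
                                 NULL, 0, rout, &sltmp,
                                 sig, siglen, ctx->pkey->pkey.rsa);
            if (ret <= 0)
                return 0;
            ret = sltmp;
        } else
            return -1;
    } else
        ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
                                 rctx->pad_mode);
    if (ret < 0)
        return ret;
    *routlen = ret;
    return 1;
}

/*
 * Verify sig against the digest (or raw data when no digest is configured)
 * in tbs.
 *
 * Returns 1 if the signature is valid, 0 if it is not, a negative value on
 * error (unsupported padding, allocation failure, FIPS restriction, or a
 * PSS input whose length does not match the digest).
 */
static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
                           const unsigned char *sig, size_t siglen,
                           const unsigned char *tbs, size_t tbslen)
{
    RSA_PKEY_CTX *rctx = ctx->data;
    RSA *rsa = ctx->pkey->pkey.rsa;
    size_t rslen;
#ifdef OPENSSL_FIPS
    int rv;

    rv = pkey_fips_check_ctx(ctx);
    if (rv < 0) {
        RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
        return -1;
    }
#endif
    if (rctx->md) {
#ifdef OPENSSL_FIPS
        if (rv > 0) {
            return FIPS_rsa_verify_digest(rsa,
                                          tbs, tbslen,
                                          rctx->md,
                                          rctx->pad_mode,
                                          rctx->saltlen,
                                          rctx->mgf1md,
                                          sig, siglen);
        }
#endif
        if (rctx->pad_mode == RSA_PKCS1_PADDING)
            return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
                              sig, siglen, rsa);
        if (rctx->pad_mode == RSA_X931_PADDING) {
            /* Leaves the recovered digest in rctx->tbuf for the compare below */
            if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
                return 0;
        } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
            int ret;

            /*
             * The PSS check below is handed tbs without its length, so
             * reject any input that is not exactly one digest long before
             * it is read.
             */
            if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
                RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
                return -1;
            }
            if (!setup_tbuf(rctx, ctx))
                return -1;
            ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
                                     rsa, RSA_NO_PADDING);
            if (ret <= 0)
                return 0;
            ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
                                            rctx->md, rctx->mgf1md,
                                            rctx->tbuf, rctx->saltlen);
            if (ret <= 0)
                return 0;
            return 1;
        } else
            return -1;
    } else {
        int declen;

        if (!setup_tbuf(rctx, ctx))
            return -1;
        /*
         * Keep the result signed until it has been checked: storing a
         * negative error return straight into a size_t would turn it into
         * a huge length.
         */
        declen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
                                    rsa, rctx->pad_mode);
        if (declen <= 0)
            return 0;
        rslen = (size_t)declen;
    }

    if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
        return 0;

    return 1;
}

/*
 * Encrypt in with the public key using the configured padding mode.
 * Returns 1 and stores the ciphertext length in *outlen on success, a
 * negative value on failure.
 */
static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
                            unsigned char *out, size_t *outlen,
                            const unsigned char *in, size_t inlen)
{
    int ret;
    RSA_PKEY_CTX *rctx = ctx->data;

    ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
                             rctx->pad_mode);
    if (ret < 0)
        return ret;
    *outlen = ret;
    return 1;
}

/*
 * Decrypt in with the private key using the configured padding mode.
 * Returns 1 and stores the plaintext length in *outlen on success, a
 * negative value on failure.
 *
 * NOTE(review): the failure return is visible to the caller. Code that
 * decrypts untrusted PKCS#1 v1.5 ciphertext must not let a peer tell a
 * padding failure from other failures; OAEP is the safer choice.
 */
static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
                            unsigned char *out, size_t *outlen,
                            const unsigned char *in, size_t inlen)
{
    int ret;
    RSA_PKEY_CTX *rctx = ctx->data;

    ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
                              rctx->pad_mode);
    if (ret < 0)
        return ret;
    *outlen = ret;
    return 1;
}

/*
 * Check that a digest may be combined with a padding mode: no digest is
 * always acceptable, RSA_NO_PADDING never takes a digest, and X9.31 needs a
 * digest that has an X9.31 hash id. Returns 1 if compatible, 0 otherwise.
 */
static int check_padding_md(const EVP_MD *md, int padding)
{
    if (!md)
        return 1;

    if (padding == RSA_NO_PADDING) {
        RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
        return 0;
    }

    if (padding == RSA_X931_PADDING) {
        if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
            RSAerr(RSA_F_CHECK_PADDING_MD,
                   RSA_R_INVALID_X931_DIGEST);
            return 0;
        }
        return 1;
    }

    return 1;
}

/*
 * Control operations on the RSA context. Returns 1 on success, 0 when the
 * digest and padding mode are incompatible, -2 for unsupported or invalid
 * requests.
 */
static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
    RSA_PKEY_CTX *rctx = ctx->data;

    switch (type) {
    case EVP_PKEY_CTRL_RSA_PADDING:
        if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) {
            if (!check_padding_md(rctx->md, p1))
                return 0;
            if (p1 == RSA_PKCS1_PSS_PADDING) {
                /* PSS is only valid for sign and verify operations */
                if (!(ctx->operation &
                      (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
                    goto bad_pad;
                if (!rctx->md)
                    rctx->md = EVP_sha1();
            }
            if (p1 == RSA_PKCS1_OAEP_PADDING) {
                /* OAEP is only valid for encrypt and decrypt operations */
                if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
                    goto bad_pad;
                if (!rctx->md)
                    rctx->md = EVP_sha1();
            }
            rctx->pad_mode = p1;
            return 1;
        }
 bad_pad:
        RSAerr(RSA_F_PKEY_RSA_CTRL,
               RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
        return -2;

    case EVP_PKEY_CTRL_GET_RSA_PADDING:
        *(int *)p2 = rctx->pad_mode;
        return 1;

    case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
    case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
        if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
            RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
            return -2;
        }
        if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
            *(int *)p2 = rctx->saltlen;
        else {
            if (p1 < -2)
                return -2;
            rctx->saltlen = p1;
        }
        return 1;

    case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
        /*
         * NOTE(review): the 256-bit floor only rejects degenerate sizes; it
         * does not enforce a secure key length.
         */
        if (p1 < 256) {
            RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
            return -2;
        }
        rctx->nbits = p1;
        return 1;

    case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
        if (!p2)
            return -2;
        /*
         * The context owns pub_exp (pkey_rsa_cleanup() frees it), so free
         * the previous exponent when a different one replaces it;
         * otherwise setting the exponent twice leaks the first BIGNUM.
         */
        if (rctx->pub_exp && rctx->pub_exp != p2)
            BN_free(rctx->pub_exp);
        rctx->pub_exp = p2;
        return 1;

    case EVP_PKEY_CTRL_MD:
        if (!check_padding_md(p2, rctx->pad_mode))
            return 0;
        rctx->md = p2;
        return 1;

    case EVP_PKEY_CTRL_RSA_MGF1_MD:
    case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
        if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
            RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
            return -2;
        }
        if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
            /* With no explicit MGF1 digest, report the signing digest */
            if (rctx->mgf1md)
                *(const EVP_MD **)p2 = rctx->mgf1md;
            else
                *(const EVP_MD **)p2 = rctx->md;
        } else
            rctx->mgf1md = p2;
        return 1;

    case EVP_PKEY_CTRL_DIGESTINIT:
    case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
    case EVP_PKEY_CTRL_PKCS7_DECRYPT:
    case EVP_PKEY_CTRL_PKCS7_SIGN:
        return 1;
#ifndef OPENSSL_NO_CMS
    case EVP_PKEY_CTRL_CMS_DECRYPT:
        {
            X509_ALGOR *alg = NULL;
            ASN1_OBJECT *encalg = NULL;

            /* Switch to OAEP when the recipient info names RSAES-OAEP */
            if (p2)
                CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
            if (alg)
                X509_ALGOR_get0(&encalg, NULL, NULL, alg);
            if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
                rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
        }
        /* fall through */
    case EVP_PKEY_CTRL_CMS_ENCRYPT:
    case EVP_PKEY_CTRL_CMS_SIGN:
        return 1;
#endif
    case EVP_PKEY_CTRL_PEER_KEY:
        RSAerr(RSA_F_PKEY_RSA_CTRL,
               RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
        return -2;

    default:
        return -2;

    }
}

/*
 * String form of the control interface: maps a "type"/"value" pair onto
 * the matching EVP_PKEY_CTX_set_rsa_* call. Returns that call's result,
 * 0 if value is missing or the exponent cannot be parsed, -2 for an
 * unknown type or padding name.
 */
static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
                             const char *type, const char *value)
{
    if (!value) {
        RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
        return 0;
    }
    if (!strcmp(type, "rsa_padding_mode")) {
        int pm;

        if (!strcmp(value, "pkcs1"))
            pm = RSA_PKCS1_PADDING;
        else if (!strcmp(value, "sslv23"))
            pm = RSA_SSLV23_PADDING;
        else if (!strcmp(value, "none"))
            pm = RSA_NO_PADDING;
        /* "oeap" is a misspelling, presumably kept for compatibility */
        else if (!strcmp(value, "oeap"))
            pm = RSA_PKCS1_OAEP_PADDING;
        else if (!strcmp(value, "oaep"))
            pm = RSA_PKCS1_OAEP_PADDING;
        else if (!strcmp(value, "x931"))
            pm = RSA_X931_PADDING;
        else if (!strcmp(value, "pss"))
            pm = RSA_PKCS1_PSS_PADDING;
        else {
            RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
                   RSA_R_UNKNOWN_PADDING_TYPE);
            return -2;
        }
        return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
    }

    if (!strcmp(type, "rsa_pss_saltlen")) {
        int saltlen;

        /*
         * NOTE(review): atoi() reports no errors, so a non-numeric value
         * becomes a salt length of 0 instead of being rejected.
         */
        saltlen = atoi(value);
        return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
    }

    if (!strcmp(type, "rsa_keygen_bits")) {
        int nbits;

        /* A non-numeric value yields 0, which pkey_rsa_ctrl() rejects */
        nbits = atoi(value);
        return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
    }

    if (!strcmp(type, "rsa_keygen_pubexp")) {
        int ret;
        BIGNUM *pubexp = NULL;

        if (!BN_asc2bn(&pubexp, value))
            return 0;
        ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
        /* Ownership passes to the context only when the call succeeds */
        if (ret <= 0)
            BN_free(pubexp);
        return ret;
    }

    return -2;
}

/*
 * Generate an RSA key of rctx->nbits bits and assign it to pkey. The public
 * exponent defaults to RSA_F4 when none was set. Returns the result of
 * RSA_generate_key_ex(), or 0 on allocation failure.
 */
static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    RSA *rsa = NULL;
    RSA_PKEY_CTX *rctx = ctx->data;
    BN_GENCB *pcb, cb;
    int ret;

    if (!rctx->pub_exp) {
        rctx->pub_exp = BN_new();
        if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
            return 0;
    }
    rsa = RSA_new();
    if (!rsa)
        return 0;
    if (ctx->pkey_gencb) {
        pcb = &cb;
        evp_pkey_set_cb_translate(pcb, ctx);
    } else
        pcb = NULL;
    ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
    if (ret > 0)
        EVP_PKEY_assign_RSA(pkey, rsa);
    else
        RSA_free(rsa);
    return ret;
}

/*
 * RSA method table. The initialisers are positional; the slot names in the
 * comments follow the EVP_PKEY_METHOD layout declared in evp_locl.h, which
 * is not shown in this file.
 */
const EVP_PKEY_METHOD rsa_pkey_meth = {
    EVP_PKEY_RSA,
    EVP_PKEY_FLAG_AUTOARGLEN,
    pkey_rsa_init,
    pkey_rsa_copy,
    pkey_rsa_cleanup,

    0, 0,                       /* paramgen_init, paramgen */

    0,                          /* keygen_init */
    pkey_rsa_keygen,

    0,                          /* sign_init */
    pkey_rsa_sign,

    0,                          /* verify_init */
    pkey_rsa_verify,

    0,                          /* verify_recover_init */
    pkey_rsa_verifyrecover,

    0, 0, 0, 0,                 /* signctx and verifyctx hooks */

    0,                          /* encrypt_init */
    pkey_rsa_encrypt,

    0,                          /* decrypt_init */
    pkey_rsa_decrypt,

    0, 0,                       /* derive_init, derive */

    pkey_rsa_ctrl,
    pkey_rsa_ctrl_str
};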