crypto/rsa/rsa_pmeth.c

   1 /* crypto/rsa/rsa_pmeth.c */
   2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   3  * project 2006.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  *
  53  * This product includes cryptographic software written by Eric Young
  54  * (eay@cryptsoft.com).  This product includes software written by Tim
  55  * Hudson (tjh@cryptsoft.com).
  56  *
  57  */
  58
  59 #include <stdio.h>
  60 #include "cryptlib.h"
  61 #include <openssl/asn1t.h>
  62 #include <openssl/x509.h>
  63 #include <openssl/rsa.h>
  64 #include <openssl/bn.h>
  65 #include <openssl/evp.h>
  66 #ifndef OPENSSL_NO_CMS
  67 #include <openssl/cms.h>
  68 #endif
  69 #ifdef OPENSSL_FIPS
  70 #include <openssl/fips.h>
  71 #endif
  72 #include "evp_locl.h"
  73 #include "rsa_locl.h"
  74
  75 /* RSA pkey context structure */
  76
  77 typedef struct
  78         {
  79         /* Key gen parameters */
  80         int nbits;
  81         BIGNUM *pub_exp;
  82         /* Keygen callback info */
  83         int gentmp[2];
  84         /* RSA padding mode */
  85         int pad_mode;
  86         /* message digest */
  87         const EVP_MD *md;
  88         /* message digest for MGF1 */
  89         const EVP_MD *mgf1md;
  90         /* PSS/OAEP salt length */
  91         int saltlen;
  92         /* Temp buffer */
  93         unsigned char *tbuf;
  94         } RSA_PKEY_CTX;
  95
  96 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
  97         {
  98         RSA_PKEY_CTX *rctx;
  99         rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
 100         if (!rctx)
 101                 return 0;
 102         rctx->nbits = 1024;
 103         rctx->pub_exp = NULL;
 104         rctx->pad_mode = RSA_PKCS1_PADDING;
 105         rctx->md = NULL;
 106         rctx->mgf1md = NULL;
 107         rctx->tbuf = NULL;
 108
 109         rctx->saltlen = -2;
 110
 111         ctx->data = rctx;
 112         ctx->keygen_info = rctx->gentmp;
 113         ctx->keygen_info_count = 2;
 114
 115         return 1;
 116         }
 117
 118 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
 119         {
 120         RSA_PKEY_CTX *dctx, *sctx;
 121         if (!pkey_rsa_init(dst))
 122                 return 0;
 123         sctx = src->data;
 124         dctx = dst->data;
 125         dctx->nbits = sctx->nbits;
 126         if (sctx->pub_exp)
 127                 {
 128                 dctx->pub_exp = BN_dup(sctx->pub_exp);
 129                 if (!dctx->pub_exp)
 130                         return 0;
 131                 }
 132         dctx->pad_mode = sctx->pad_mode;
 133         dctx->md = sctx->md;
 134         return 1;
 135         }
 136
 137 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
 138         {
 139         if (ctx->tbuf)
 140                 return 1;
 141         ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
 142         if (!ctx->tbuf)
 143                 return 0;
 144         return 1;
 145         }
 146
 147 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
 148         {
 149         RSA_PKEY_CTX *rctx = ctx->data;
 150         if (rctx)
 151                 {
 152                 if (rctx->pub_exp)
 153                         BN_free(rctx->pub_exp);
 154                 if (rctx->tbuf)
 155                         OPENSSL_free(rctx->tbuf);
 156                 OPENSSL_free(rctx);
 157                 }
 158         }
 159 #ifdef OPENSSL_FIPS
 160 /* FIP checker. Return value indicates status of context parameters:
 161  * 1  : redirect to FIPS.
 162  * 0  : don't redirect to FIPS.
 163  * -1 : illegal operation in FIPS mode.
 164  */
 165
 166 static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
 167         {
 168         RSA_PKEY_CTX *rctx = ctx->data;
 169         RSA *rsa = ctx->pkey->pkey.rsa;
 170         int rv = -1;
 171         if (!FIPS_mode())
 172                 return 0;
 173         if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
 174                 rv = 0;
 175         if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
 176                 return -1;
 177         if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
 178                 return rv;
 179         if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
 180                 return rv;
 181         return 1;
 182         }
 183 #endif
 184
 185 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 186                                         const unsigned char *tbs, size_t tbslen)
 187         {
 188         int ret;
 189         RSA_PKEY_CTX *rctx = ctx->data;
 190         RSA *rsa = ctx->pkey->pkey.rsa;
 191
 192 #ifdef OPENSSL_FIPS
 193         ret = pkey_fips_check_ctx(ctx);
 194         if (ret < 0)
 195                 {
 196                 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
 197                 return -1;
 198                 }
 199 #endif
 200
 201         if (rctx->md)
 202                 {
 203                 if (tbslen != (size_t)EVP_MD_size(rctx->md))
 204                         {
 205                         RSAerr(RSA_F_PKEY_RSA_SIGN,
 206                                         RSA_R_INVALID_DIGEST_LENGTH);
 207                         return -1;
 208                         }
 209 #ifdef OPENSSL_FIPS
 210                 if (ret > 0)
 211                         {
 212                         unsigned int slen;
 213                         ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
 214                                                         rctx->pad_mode,
 215                                                         rctx->saltlen,
 216                                                         rctx->mgf1md,
 217                                                         sig, &slen);
 218                         if (ret > 0)
 219                                 *siglen = slen;
 220                         else
 221                                 *siglen = 0;
 222                         return ret;
 223                         }
 224 #endif
 225                 if (rctx->pad_mode == RSA_X931_PADDING)
 226                         {
 227                         if (!setup_tbuf(rctx, ctx))
 228                                 return -1;
 229                         memcpy(rctx->tbuf, tbs, tbslen);
 230                         rctx->tbuf[tbslen] =
 231                                 RSA_X931_hash_id(EVP_MD_type(rctx->md));
 232                         ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
 233                                                 sig, rsa, RSA_X931_PADDING);
 234                         }
 235                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
 236                         {
 237                         unsigned int sltmp;
 238                         ret = RSA_sign(EVP_MD_type(rctx->md),
 239                                                 tbs, tbslen, sig, &sltmp, rsa);
 240                         if (ret <= 0)
 241                                 return ret;
 242                         ret = sltmp;
 243                         }
 244                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
 245                         {
 246                         if (!setup_tbuf(rctx, ctx))
 247                                 return -1;
 248                         if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
 249                                                 rctx->tbuf, tbs,
 250                                                 rctx->md, rctx->mgf1md,
 251                                                 rctx->saltlen))
 252                                 return -1;
 253                         ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
 254                                                 sig, rsa, RSA_NO_PADDING);
 255                         }
 256                 else
 257                         return -1;
 258                 }
 259         else
 260                 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
 261                                                         rctx->pad_mode);
 262         if (ret < 0)
 263                 return ret;
 264         *siglen = ret;
 265         return 1;
 266         }
 267
 268
 269 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
 270                                         unsigned char *rout, size_t *routlen,
 271                                         const unsigned char *sig, size_t siglen)
 272         {
 273         int ret;
 274         RSA_PKEY_CTX *rctx = ctx->data;
 275
 276         if (rctx->md)
 277                 {
 278                 if (rctx->pad_mode == RSA_X931_PADDING)
 279                         {
 280                         if (!setup_tbuf(rctx, ctx))
 281                                 return -1;
 282                         ret = RSA_public_decrypt(siglen, sig,
 283                                                 rctx->tbuf, ctx->pkey->pkey.rsa,
 284                                                 RSA_X931_PADDING);
 285                         if (ret < 1)
 286                                 return 0;
 287                         ret--;
 288                         if (rctx->tbuf[ret] !=
 289                                 RSA_X931_hash_id(EVP_MD_type(rctx->md)))
 290                                 {
 291                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
 292                                                 RSA_R_ALGORITHM_MISMATCH);
 293                                 return 0;
 294                                 }
 295                         if (ret != EVP_MD_size(rctx->md))
 296                                 {
 297                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
 298                                         RSA_R_INVALID_DIGEST_LENGTH);
 299                                 return 0;
 300                                 }
 301                         if (rout)
 302                                 memcpy(rout, rctx->tbuf, ret);
 303                         }
 304                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
 305                         {
 306                         size_t sltmp;
 307                         ret = int_rsa_verify(EVP_MD_type(rctx->md),
 308                                                 NULL, 0, rout, &sltmp,
 309                                         sig, siglen, ctx->pkey->pkey.rsa);
 310                         if (ret <= 0)
 311                                 return 0;
 312                         ret = sltmp;
 313                         }
 314                 else
 315                         return -1;
 316                 }
 317         else
 318                 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
 319                                                         rctx->pad_mode);
 320         if (ret < 0)
 321                 return ret;
 322         *routlen = ret;
 323         return 1;
 324         }
 325
 326 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
 327                                         const unsigned char *sig, size_t siglen,
 328                                         const unsigned char *tbs, size_t tbslen)
 329         {
 330         RSA_PKEY_CTX *rctx = ctx->data;
 331         RSA *rsa = ctx->pkey->pkey.rsa;
 332         size_t rslen;
 333 #ifdef OPENSSL_FIPS
 334         int rv;
 335         rv = pkey_fips_check_ctx(ctx);
 336         if (rv < 0)
 337                 {
 338                 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
 339                 return -1;
 340                 }
 341 #endif
 342         if (rctx->md)
 343                 {
 344 #ifdef OPENSSL_FIPS
 345                 if (rv > 0)
 346                         {
 347                         return FIPS_rsa_verify_digest(rsa,
 348                                                         tbs, tbslen,
 349                                                         rctx->md,
 350                                                         rctx->pad_mode,
 351                                                         rctx->saltlen,
 352                                                         rctx->mgf1md,
 353                                                         sig, siglen);
 354
 355                         }
 356 #endif
 357                 if (rctx->pad_mode == RSA_PKCS1_PADDING)
 358                         return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
 359                                         sig, siglen, rsa);
 360                 if (rctx->pad_mode == RSA_X931_PADDING)
 361                         {
 362                         if (pkey_rsa_verifyrecover(ctx, NULL, &rslen,
 363                                         sig, siglen) <= 0)
 364                                 return 0;
 365                         }
 366                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
 367                         {
 368                         int ret;
 369                         if (!setup_tbuf(rctx, ctx))
 370                                 return -1;
 371                         ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
 372                                                         rsa, RSA_NO_PADDING);
 373                         if (ret <= 0)
 374                                 return 0;
 375                         ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
 376                                                 rctx->md, rctx->mgf1md,
 377                                                 rctx->tbuf, rctx->saltlen);
 378                         if (ret <= 0)
 379                                 return 0;
 380                         return 1;
 381                         }
 382                 else
 383                         return -1;
 384                 }
 385         else
 386                 {
 387                 if (!setup_tbuf(rctx, ctx))
 388                         return -1;
 389                 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
 390                                                 rsa, rctx->pad_mode);
 391                 if (rslen == 0)
 392                         return 0;
 393                 }
 394
 395         if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
 396                 return 0;
 397
 398         return 1;
 399
 400         }
 401
 402
 403 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
 404                                         unsigned char *out, size_t *outlen,
 405                                         const unsigned char *in, size_t inlen)
 406         {
 407         int ret;
 408         RSA_PKEY_CTX *rctx = ctx->data;
 409         ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 410                                                         rctx->pad_mode);
 411         if (ret < 0)
 412                 return ret;
 413         *outlen = ret;
 414         return 1;
 415         }
 416
 417 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
 418                                         unsigned char *out, size_t *outlen,
 419                                         const unsigned char *in, size_t inlen)
 420         {
 421         int ret;
 422         RSA_PKEY_CTX *rctx = ctx->data;
 423         ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 424                                                         rctx->pad_mode);
 425         if (ret < 0)
 426                 return ret;
 427         *outlen = ret;
 428         return 1;
 429         }
 430
 431 static int check_padding_md(const EVP_MD *md, int padding)
 432         {
 433         if (!md)
 434                 return 1;
 435
 436         if (padding == RSA_NO_PADDING)
 437                 {
 438                 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
 439                 return 0;
 440                 }
 441
 442         if (padding == RSA_X931_PADDING)
 443                 {
 444                 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
 445                         {
 446                         RSAerr(RSA_F_CHECK_PADDING_MD,
 447                                                 RSA_R_INVALID_X931_DIGEST);
 448                         return 0;
 449                         }
 450                 return 1;
 451                 }
 452
 453         return 1;
 454         }
 455
 456
 457 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 458         {
 459         RSA_PKEY_CTX *rctx = ctx->data;
 460         switch (type)
 461                 {
 462                 case EVP_PKEY_CTRL_RSA_PADDING:
 463                 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
 464                         {
 465                         if (!check_padding_md(rctx->md, p1))
 466                                 return 0;
 467                         if (p1 == RSA_PKCS1_PSS_PADDING)
 468                                 {
 469                                 if (!(ctx->operation &
 470                                      (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
 471                                         goto bad_pad;
 472                                 if (!rctx->md)
 473                                         rctx->md = EVP_sha1();
 474                                 }
 475                         if (p1 == RSA_PKCS1_OAEP_PADDING)
 476                                 {
 477                                 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
 478                                         goto bad_pad;
 479                                 if (!rctx->md)
 480                                         rctx->md = EVP_sha1();
 481                                 }
 482                         rctx->pad_mode = p1;
 483                         return 1;
 484                         }
 485                 bad_pad:
 486                 RSAerr(RSA_F_PKEY_RSA_CTRL,
 487                                 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
 488                 return -2;
 489
 490                 case EVP_PKEY_CTRL_GET_RSA_PADDING:
 491                 *(int *)p2 = rctx->pad_mode;
 492                 return 1;
 493
 494                 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
 495                 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
 496                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
 497                         {
 498                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
 499                         return -2;
 500                         }
 501                 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
 502                         *(int *)p2 = rctx->saltlen;
 503                 else
 504                         {
 505                         if (p1 < -2)
 506                                 return -2;
 507                         rctx->saltlen = p1;
 508                         }
 509                 return 1;
 510
 511                 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
 512                 if (p1 < 256)
 513                         {
 514                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
 515                         return -2;
 516                         }
 517                 rctx->nbits = p1;
 518                 return 1;
 519
 520                 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
 521                 if (!p2)
 522                         return -2;
 523                 rctx->pub_exp = p2;
 524                 return 1;
 525
 526                 case EVP_PKEY_CTRL_MD:
 527                 if (!check_padding_md(p2, rctx->pad_mode))
 528                         return 0;
 529                 rctx->md = p2;
 530                 return 1;
 531
 532                 case EVP_PKEY_CTRL_RSA_MGF1_MD:
 533                 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
 534                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
 535                         {
 536                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
 537                         return -2;
 538                         }
 539                 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
 540                         {
 541                         if (rctx->mgf1md)
 542                                 *(const EVP_MD **)p2 = rctx->mgf1md;
 543                         else
 544                                 *(const EVP_MD **)p2 = rctx->md;
 545                         }
 546                 else
 547                         rctx->mgf1md = p2;
 548                 return 1;
 549
 550                 case EVP_PKEY_CTRL_DIGESTINIT:
 551                 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
 552                 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
 553                 case EVP_PKEY_CTRL_PKCS7_SIGN:
 554                 return 1;
 555 #ifndef OPENSSL_NO_CMS
 556                 case EVP_PKEY_CTRL_CMS_DECRYPT:
 557                 {
 558                 X509_ALGOR *alg = NULL;
 559                 ASN1_OBJECT *encalg = NULL;
 560                 if (p2)
 561                         CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
 562                 if (alg)
 563                         X509_ALGOR_get0(&encalg, NULL, NULL, alg);
 564                 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
 565                         rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
 566                 }
 567                 case EVP_PKEY_CTRL_CMS_ENCRYPT:
 568                 case EVP_PKEY_CTRL_CMS_SIGN:
 569                 return 1;
 570 #endif
 571                 case EVP_PKEY_CTRL_PEER_KEY:
 572                         RSAerr(RSA_F_PKEY_RSA_CTRL,
 573                         RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
 574                         return -2;
 575
 576                 default:
 577                 return -2;
 578
 579                 }
 580         }
 581
 582 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
 583                         const char *type, const char *value)
 584         {
 585         if (!value)
 586                 {
 587                 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
 588                 return 0;
 589                 }
 590         if (!strcmp(type, "rsa_padding_mode"))
 591                 {
 592                 int pm;
 593                 if (!strcmp(value, "pkcs1"))
 594                         pm = RSA_PKCS1_PADDING;
 595                 else if (!strcmp(value, "sslv23"))
 596                         pm = RSA_SSLV23_PADDING;
 597                 else if (!strcmp(value, "none"))
 598                         pm = RSA_NO_PADDING;
 599                 else if (!strcmp(value, "oeap"))
 600                         pm = RSA_PKCS1_OAEP_PADDING;
 601                 else if (!strcmp(value, "x931"))
 602                         pm = RSA_X931_PADDING;
 603                 else if (!strcmp(value, "pss"))
 604                         pm = RSA_PKCS1_PSS_PADDING;
 605                 else
 606                         {
 607                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
 608                                                 RSA_R_UNKNOWN_PADDING_TYPE);
 609                         return -2;
 610                         }
 611                 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
 612                 }
 613
 614         if (!strcmp(type, "rsa_pss_saltlen"))
 615                 {
 616                 int saltlen;
 617                 saltlen = atoi(value);
 618                 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
 619                 }
 620
 621         if (!strcmp(type, "rsa_keygen_bits"))
 622                 {
 623                 int nbits;
 624                 nbits = atoi(value);
 625                 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
 626                 }
 627
 628         if (!strcmp(type, "rsa_keygen_pubexp"))
 629                 {
 630                 int ret;
 631                 BIGNUM *pubexp = NULL;
 632                 if (!BN_asc2bn(&pubexp, value))
 633                         return 0;
 634                 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
 635                 if (ret <= 0)
 636                         BN_free(pubexp);
 637                 return ret;
 638                 }
 639
 640         return -2;
 641         }
 642
 643 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 644         {
 645         RSA *rsa = NULL;
 646         RSA_PKEY_CTX *rctx = ctx->data;
 647         BN_GENCB *pcb, cb;
 648         int ret;
 649         if (!rctx->pub_exp)
 650                 {
 651                 rctx->pub_exp = BN_new();
 652                 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
 653                         return 0;
 654                 }
 655         rsa = RSA_new();
 656         if (!rsa)
 657                 return 0;
 658         if (ctx->pkey_gencb)
 659                 {
 660                 pcb = &cb;
 661                 evp_pkey_set_cb_translate(pcb, ctx);
 662                 }
 663         else
 664                 pcb = NULL;
 665         ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
 666         if (ret > 0)
 667                 EVP_PKEY_assign_RSA(pkey, rsa);
 668         else
 669                 RSA_free(rsa);
 670         return ret;
 671         }
 672
 673 const EVP_PKEY_METHOD rsa_pkey_meth =
 674         {
 675         EVP_PKEY_RSA,
 676         EVP_PKEY_FLAG_AUTOARGLEN,
 677         pkey_rsa_init,
 678         pkey_rsa_copy,
 679         pkey_rsa_cleanup,
 680
 681         0,0,
 682
 683         0,
 684         pkey_rsa_keygen,
 685
 686         0,
 687         pkey_rsa_sign,
 688
 689         0,
 690         pkey_rsa_verify,
 691
 692         0,
 693         pkey_rsa_verifyrecover,
 694
 695
 696         0,0,0,0,
 697
 698         0,
 699         pkey_rsa_encrypt,
 700
 701         0,
 702         pkey_rsa_decrypt,
 703
 704         0,0,
 705
 706         pkey_rsa_ctrl,
 707         pkey_rsa_ctrl_str
 708
 709
 710         };