crypto/rsa/rsa_pmeth.c

   1 /* crypto/rsa/rsa_pmeth.c */
   2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   3  * project 2006.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  *
  53  * This product includes cryptographic software written by Eric Young
  54  * (eay@cryptsoft.com).  This product includes software written by Tim
  55  * Hudson (tjh@cryptsoft.com).
  56  *
  57  */
  58
  59 #include <stdio.h>
  60 #include "cryptlib.h"
  61 #include <openssl/asn1t.h>
  62 #include <openssl/x509.h>
  63 #include <openssl/rsa.h>
  64 #include <openssl/bn.h>
  65 #include <openssl/evp.h>
  66 #ifdef OPENSSL_FIPS
  67 #include <openssl/fips.h>
  68 #endif
  69 #include "evp_locl.h"
  70 #include "rsa_locl.h"
  71
  72 /* RSA pkey context structure */
  73
  74 typedef struct
  75         {
  76         /* Key gen parameters */
  77         int nbits;
  78         BIGNUM *pub_exp;
  79         /* Keygen callback info */
  80         int gentmp[2];
  81         /* RSA padding mode */
  82         int pad_mode;
  83         /* message digest */
  84         const EVP_MD *md;
  85         /* message digest for MGF1 */
  86         const EVP_MD *mgf1md;
  87         /* PSS/OAEP salt length */
  88         int saltlen;
  89         /* Temp buffer */
  90         unsigned char *tbuf;
  91         } RSA_PKEY_CTX;
  92
  93 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
  94         {
  95         RSA_PKEY_CTX *rctx;
  96         rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
  97         if (!rctx)
  98                 return 0;
  99         rctx->nbits = 1024;
 100         rctx->pub_exp = NULL;
 101         rctx->pad_mode = RSA_PKCS1_PADDING;
 102         rctx->md = NULL;
 103         rctx->mgf1md = NULL;
 104         rctx->tbuf = NULL;
 105
 106         rctx->saltlen = -2;
 107
 108         ctx->data = rctx;
 109         ctx->keygen_info = rctx->gentmp;
 110         ctx->keygen_info_count = 2;
 111
 112         return 1;
 113         }
 114
 115 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
 116         {
 117         RSA_PKEY_CTX *dctx, *sctx;
 118         if (!pkey_rsa_init(dst))
 119                 return 0;
 120         sctx = src->data;
 121         dctx = dst->data;
 122         dctx->nbits = sctx->nbits;
 123         if (sctx->pub_exp)
 124                 {
 125                 dctx->pub_exp = BN_dup(sctx->pub_exp);
 126                 if (!dctx->pub_exp)
 127                         return 0;
 128                 }
 129         dctx->pad_mode = sctx->pad_mode;
 130         dctx->md = sctx->md;
 131         return 1;
 132         }
 133
 134 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
 135         {
 136         if (ctx->tbuf)
 137                 return 1;
 138         ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
 139         if (!ctx->tbuf)
 140                 return 0;
 141         return 1;
 142         }
 143
 144 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
 145         {
 146         RSA_PKEY_CTX *rctx = ctx->data;
 147         if (rctx)
 148                 {
 149                 if (rctx->pub_exp)
 150                         BN_free(rctx->pub_exp);
 151                 if (rctx->tbuf)
 152                         OPENSSL_free(rctx->tbuf);
 153                 OPENSSL_free(rctx);
 154                 }
 155         }
 156 #ifdef OPENSSL_FIPS
 157 /* FIP checker. Return value indicates status of context parameters:
 158  * 1  : redirect to FIPS.
 159  * 0  : don't redirect to FIPS.
 160  * -1 : illegal operation in FIPS mode.
 161  */
 162
 163 static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
 164         {
 165         RSA_PKEY_CTX *rctx = ctx->data;
 166         RSA *rsa = ctx->pkey->pkey.rsa;
 167         int rv = -1;
 168         if (!FIPS_mode())
 169                 return 0;
 170         if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
 171                 rv = 0;
 172         if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
 173                 return -1;
 174         if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
 175                 return rv;
 176         if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
 177                 return rv;
 178         return 1;
 179         }
 180 #endif
 181
 182 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 183                                         const unsigned char *tbs, size_t tbslen)
 184         {
 185         int ret;
 186         RSA_PKEY_CTX *rctx = ctx->data;
 187         RSA *rsa = ctx->pkey->pkey.rsa;
 188
 189 #ifdef OPENSSL_FIPS
 190         ret = pkey_fips_check_ctx(ctx);
 191         if (ret < 0)
 192                 {
 193                 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
 194                 return -1;
 195                 }
 196 #endif
 197
 198         if (rctx->md)
 199                 {
 200                 if (tbslen != (size_t)EVP_MD_size(rctx->md))
 201                         {
 202                         RSAerr(RSA_F_PKEY_RSA_SIGN,
 203                                         RSA_R_INVALID_DIGEST_LENGTH);
 204                         return -1;
 205                         }
 206 #ifdef OPENSSL_FIPS
 207                 if (ret > 0)
 208                         {
 209                         unsigned int slen;
 210                         ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
 211                                                         rctx->pad_mode,
 212                                                         rctx->saltlen,
 213                                                         rctx->mgf1md,
 214                                                         sig, &slen);
 215                         if (ret > 0)
 216                                 *siglen = slen;
 217                         else
 218                                 *siglen = 0;
 219                         return ret;
 220                         }
 221 #endif
 222                 if (rctx->pad_mode == RSA_X931_PADDING)
 223                         {
 224                         if (!setup_tbuf(rctx, ctx))
 225                                 return -1;
 226                         memcpy(rctx->tbuf, tbs, tbslen);
 227                         rctx->tbuf[tbslen] =
 228                                 RSA_X931_hash_id(EVP_MD_type(rctx->md));
 229                         ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
 230                                                 sig, rsa, RSA_X931_PADDING);
 231                         }
 232                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
 233                         {
 234                         unsigned int sltmp;
 235                         ret = RSA_sign(EVP_MD_type(rctx->md),
 236                                                 tbs, tbslen, sig, &sltmp, rsa);
 237                         if (ret <= 0)
 238                                 return ret;
 239                         ret = sltmp;
 240                         }
 241                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
 242                         {
 243                         if (!setup_tbuf(rctx, ctx))
 244                                 return -1;
 245                         if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
 246                                                 rctx->tbuf, tbs,
 247                                                 rctx->md, rctx->mgf1md,
 248                                                 rctx->saltlen))
 249                                 return -1;
 250                         ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
 251                                                 sig, rsa, RSA_NO_PADDING);
 252                         }
 253                 else
 254                         return -1;
 255                 }
 256         else
 257                 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
 258                                                         rctx->pad_mode);
 259         if (ret < 0)
 260                 return ret;
 261         *siglen = ret;
 262         return 1;
 263         }
 264
 265
 266 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
 267                                         unsigned char *rout, size_t *routlen,
 268                                         const unsigned char *sig, size_t siglen)
 269         {
 270         int ret;
 271         RSA_PKEY_CTX *rctx = ctx->data;
 272
 273         if (rctx->md)
 274                 {
 275                 if (rctx->pad_mode == RSA_X931_PADDING)
 276                         {
 277                         if (!setup_tbuf(rctx, ctx))
 278                                 return -1;
 279                         ret = RSA_public_decrypt(siglen, sig,
 280                                                 rctx->tbuf, ctx->pkey->pkey.rsa,
 281                                                 RSA_X931_PADDING);
 282                         if (ret < 1)
 283                                 return 0;
 284                         ret--;
 285                         if (rctx->tbuf[ret] !=
 286                                 RSA_X931_hash_id(EVP_MD_type(rctx->md)))
 287                                 {
 288                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
 289                                                 RSA_R_ALGORITHM_MISMATCH);
 290                                 return 0;
 291                                 }
 292                         if (ret != EVP_MD_size(rctx->md))
 293                                 {
 294                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
 295                                         RSA_R_INVALID_DIGEST_LENGTH);
 296                                 return 0;
 297                                 }
 298                         if (rout)
 299                                 memcpy(rout, rctx->tbuf, ret);
 300                         }
 301                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
 302                         {
 303                         size_t sltmp;
 304                         ret = int_rsa_verify(EVP_MD_type(rctx->md),
 305                                                 NULL, 0, rout, &sltmp,
 306                                         sig, siglen, ctx->pkey->pkey.rsa);
 307                         if (ret <= 0)
 308                                 return 0;
 309                         ret = sltmp;
 310                         }
 311                 else
 312                         return -1;
 313                 }
 314         else
 315                 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
 316                                                         rctx->pad_mode);
 317         if (ret < 0)
 318                 return ret;
 319         *routlen = ret;
 320         return 1;
 321         }
 322
 323 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
 324                                         const unsigned char *sig, size_t siglen,
 325                                         const unsigned char *tbs, size_t tbslen)
 326         {
 327         RSA_PKEY_CTX *rctx = ctx->data;
 328         RSA *rsa = ctx->pkey->pkey.rsa;
 329         size_t rslen;
 330 #ifdef OPENSSL_FIPS
 331         int rv;
 332         rv = pkey_fips_check_ctx(ctx);
 333         if (rv < 0)
 334                 {
 335                 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
 336                 return -1;
 337                 }
 338 #endif
 339         if (rctx->md)
 340                 {
 341 #ifdef OPENSSL_FIPS
 342                 if (rv > 0)
 343                         {
 344                         return FIPS_rsa_verify_digest(rsa,
 345                                                         tbs, tbslen,
 346                                                         rctx->md,
 347                                                         rctx->pad_mode,
 348                                                         rctx->saltlen,
 349                                                         rctx->mgf1md,
 350                                                         sig, siglen);
 351
 352                         }
 353 #endif
 354                 if (rctx->pad_mode == RSA_PKCS1_PADDING)
 355                         return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
 356                                         sig, siglen, rsa);
 357                 if (rctx->pad_mode == RSA_X931_PADDING)
 358                         {
 359                         if (pkey_rsa_verifyrecover(ctx, NULL, &rslen,
 360                                         sig, siglen) <= 0)
 361                                 return 0;
 362                         }
 363                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
 364                         {
 365                         int ret;
 366                         if (!setup_tbuf(rctx, ctx))
 367                                 return -1;
 368                         ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
 369                                                         rsa, RSA_NO_PADDING);
 370                         if (ret <= 0)
 371                                 return 0;
 372                         ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
 373                                                 rctx->md, rctx->mgf1md,
 374                                                 rctx->tbuf, rctx->saltlen);
 375                         if (ret <= 0)
 376                                 return 0;
 377                         return 1;
 378                         }
 379                 else
 380                         return -1;
 381                 }
 382         else
 383                 {
 384                 if (!setup_tbuf(rctx, ctx))
 385                         return -1;
 386                 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
 387                                                 rsa, rctx->pad_mode);
 388                 if (rslen == 0)
 389                         return 0;
 390                 }
 391
 392         if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
 393                 return 0;
 394
 395         return 1;
 396
 397         }
 398
 399
 400 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
 401                                         unsigned char *out, size_t *outlen,
 402                                         const unsigned char *in, size_t inlen)
 403         {
 404         int ret;
 405         RSA_PKEY_CTX *rctx = ctx->data;
 406         ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 407                                                         rctx->pad_mode);
 408         if (ret < 0)
 409                 return ret;
 410         *outlen = ret;
 411         return 1;
 412         }
 413
 414 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
 415                                         unsigned char *out, size_t *outlen,
 416                                         const unsigned char *in, size_t inlen)
 417         {
 418         int ret;
 419         RSA_PKEY_CTX *rctx = ctx->data;
 420         ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 421                                                         rctx->pad_mode);
 422         if (ret < 0)
 423                 return ret;
 424         *outlen = ret;
 425         return 1;
 426         }
 427
 428 static int check_padding_md(const EVP_MD *md, int padding)
 429         {
 430         if (!md)
 431                 return 1;
 432
 433         if (padding == RSA_NO_PADDING)
 434                 {
 435                 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
 436                 return 0;
 437                 }
 438
 439         if (padding == RSA_X931_PADDING)
 440                 {
 441                 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
 442                         {
 443                         RSAerr(RSA_F_CHECK_PADDING_MD,
 444                                                 RSA_R_INVALID_X931_DIGEST);
 445                         return 0;
 446                         }
 447                 return 1;
 448                 }
 449
 450         return 1;
 451         }
 452
 453
 454 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 455         {
 456         RSA_PKEY_CTX *rctx = ctx->data;
 457         switch (type)
 458                 {
 459                 case EVP_PKEY_CTRL_RSA_PADDING:
 460                 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
 461                         {
 462                         if (!check_padding_md(rctx->md, p1))
 463                                 return 0;
 464                         if (p1 == RSA_PKCS1_PSS_PADDING)
 465                                 {
 466                                 if (!(ctx->operation &
 467                                      (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
 468                                         goto bad_pad;
 469                                 if (!rctx->md)
 470                                         rctx->md = EVP_sha1();
 471                                 }
 472                         if (p1 == RSA_PKCS1_OAEP_PADDING)
 473                                 {
 474                                 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
 475                                         goto bad_pad;
 476                                 if (!rctx->md)
 477                                         rctx->md = EVP_sha1();
 478                                 }
 479                         rctx->pad_mode = p1;
 480                         return 1;
 481                         }
 482                 bad_pad:
 483                 RSAerr(RSA_F_PKEY_RSA_CTRL,
 484                                 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
 485                 return -2;
 486
 487                 case EVP_PKEY_CTRL_GET_RSA_PADDING:
 488                 *(int *)p2 = rctx->pad_mode;
 489                 return 1;
 490
 491                 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
 492                 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
 493                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
 494                         {
 495                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
 496                         return -2;
 497                         }
 498                 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
 499                         *(int *)p2 = rctx->saltlen;
 500                 else
 501                         {
 502                         if (p1 < -2)
 503                                 return -2;
 504                         rctx->saltlen = p1;
 505                         }
 506                 return 1;
 507
 508                 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
 509                 if (p1 < 256)
 510                         {
 511                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
 512                         return -2;
 513                         }
 514                 rctx->nbits = p1;
 515                 return 1;
 516
 517                 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
 518                 if (!p2)
 519                         return -2;
 520                 rctx->pub_exp = p2;
 521                 return 1;
 522
 523                 case EVP_PKEY_CTRL_MD:
 524                 if (!check_padding_md(p2, rctx->pad_mode))
 525                         return 0;
 526                 rctx->md = p2;
 527                 return 1;
 528
 529                 case EVP_PKEY_CTRL_RSA_MGF1_MD:
 530                 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
 531                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
 532                         {
 533                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
 534                         return -2;
 535                         }
 536                 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
 537                         {
 538                         if (rctx->mgf1md)
 539                                 *(const EVP_MD **)p2 = rctx->mgf1md;
 540                         else
 541                                 *(const EVP_MD **)p2 = rctx->md;
 542                         }
 543                 else
 544                         rctx->mgf1md = p2;
 545                 return 1;
 546
 547                 case EVP_PKEY_CTRL_DIGESTINIT:
 548                 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
 549                 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
 550                 case EVP_PKEY_CTRL_PKCS7_SIGN:
 551 #ifndef OPENSSL_NO_CMS
 552                 case EVP_PKEY_CTRL_CMS_ENCRYPT:
 553                 case EVP_PKEY_CTRL_CMS_DECRYPT:
 554                 case EVP_PKEY_CTRL_CMS_SIGN:
 555 #endif
 556                 return 1;
 557                 case EVP_PKEY_CTRL_PEER_KEY:
 558                         RSAerr(RSA_F_PKEY_RSA_CTRL,
 559                         RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
 560                         return -2;
 561
 562                 default:
 563                 return -2;
 564
 565                 }
 566         }
 567
 568 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
 569                         const char *type, const char *value)
 570         {
 571         if (!value)
 572                 {
 573                 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
 574                 return 0;
 575                 }
 576         if (!strcmp(type, "rsa_padding_mode"))
 577                 {
 578                 int pm;
 579                 if (!strcmp(value, "pkcs1"))
 580                         pm = RSA_PKCS1_PADDING;
 581                 else if (!strcmp(value, "sslv23"))
 582                         pm = RSA_SSLV23_PADDING;
 583                 else if (!strcmp(value, "none"))
 584                         pm = RSA_NO_PADDING;
 585                 else if (!strcmp(value, "oeap"))
 586                         pm = RSA_PKCS1_OAEP_PADDING;
 587                 else if (!strcmp(value, "x931"))
 588                         pm = RSA_X931_PADDING;
 589                 else if (!strcmp(value, "pss"))
 590                         pm = RSA_PKCS1_PSS_PADDING;
 591                 else
 592                         {
 593                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
 594                                                 RSA_R_UNKNOWN_PADDING_TYPE);
 595                         return -2;
 596                         }
 597                 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
 598                 }
 599
 600         if (!strcmp(type, "rsa_pss_saltlen"))
 601                 {
 602                 int saltlen;
 603                 saltlen = atoi(value);
 604                 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
 605                 }
 606
 607         if (!strcmp(type, "rsa_keygen_bits"))
 608                 {
 609                 int nbits;
 610                 nbits = atoi(value);
 611                 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
 612                 }
 613
 614         if (!strcmp(type, "rsa_keygen_pubexp"))
 615                 {
 616                 int ret;
 617                 BIGNUM *pubexp = NULL;
 618                 if (!BN_asc2bn(&pubexp, value))
 619                         return 0;
 620                 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
 621                 if (ret <= 0)
 622                         BN_free(pubexp);
 623                 return ret;
 624                 }
 625
 626         return -2;
 627         }
 628
 629 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 630         {
 631         RSA *rsa = NULL;
 632         RSA_PKEY_CTX *rctx = ctx->data;
 633         BN_GENCB *pcb, cb;
 634         int ret;
 635         if (!rctx->pub_exp)
 636                 {
 637                 rctx->pub_exp = BN_new();
 638                 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
 639                         return 0;
 640                 }
 641         rsa = RSA_new();
 642         if (!rsa)
 643                 return 0;
 644         if (ctx->pkey_gencb)
 645                 {
 646                 pcb = &cb;
 647                 evp_pkey_set_cb_translate(pcb, ctx);
 648                 }
 649         else
 650                 pcb = NULL;
 651         ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
 652         if (ret > 0)
 653                 EVP_PKEY_assign_RSA(pkey, rsa);
 654         else
 655                 RSA_free(rsa);
 656         return ret;
 657         }
 658
 659 const EVP_PKEY_METHOD rsa_pkey_meth =
 660         {
 661         EVP_PKEY_RSA,
 662         EVP_PKEY_FLAG_AUTOARGLEN,
 663         pkey_rsa_init,
 664         pkey_rsa_copy,
 665         pkey_rsa_cleanup,
 666
 667         0,0,
 668
 669         0,
 670         pkey_rsa_keygen,
 671
 672         0,
 673         pkey_rsa_sign,
 674
 675         0,
 676         pkey_rsa_verify,
 677
 678         0,
 679         pkey_rsa_verifyrecover,
 680
 681
 682         0,0,0,0,
 683
 684         0,
 685         pkey_rsa_encrypt,
 686
 687         0,
 688         pkey_rsa_decrypt,
 689
 690         0,0,
 691
 692         pkey_rsa_ctrl,
 693         pkey_rsa_ctrl_str
 694
 695
 696         };