crypto/rsa/rsa_pmeth.c

   1 /* crypto/rsa/rsa_pmeth.c */
   2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   3  * project 2006.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  *
  53  * This product includes cryptographic software written by Eric Young
  54  * (eay@cryptsoft.com).  This product includes software written by Tim
  55  * Hudson (tjh@cryptsoft.com).
  56  *
  57  */
  58
  59 #include <stdio.h>
  60 #include "cryptlib.h"
  61 #include <openssl/asn1t.h>
  62 #include <openssl/x509.h>
  63 #include <openssl/rsa.h>
  64 #include <openssl/bn.h>
  65 #include <openssl/evp.h>
  66 #ifdef OPENSSL_FIPS
  67 #include <openssl/fips.h>
  68 #endif
  69 #include "evp_locl.h"
  70 #include "rsa_locl.h"
  71
  72 /* RSA pkey context structure */
  73
  74 typedef struct
  75         {
  76         /* Key gen parameters */
  77         int nbits;
  78         BIGNUM *pub_exp;
  79         /* Keygen callback info */
  80         int gentmp[2];
  81         /* RSA padding mode */
  82         int pad_mode;
  83         /* message digest */
  84         const EVP_MD *md;
  85         /* message digest for MGF1 */
  86         const EVP_MD *mgf1md;
  87         /* PSS/OAEP salt length */
  88         int saltlen;
  89         /* Temp buffer */
  90         unsigned char *tbuf;
  91         } RSA_PKEY_CTX;
  92
  93 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
  94         {
  95         RSA_PKEY_CTX *rctx;
  96         rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
  97         if (!rctx)
  98                 return 0;
  99         rctx->nbits = 1024;
 100         rctx->pub_exp = NULL;
 101         rctx->pad_mode = RSA_PKCS1_PADDING;
 102         rctx->md = NULL;
 103         rctx->mgf1md = NULL;
 104         rctx->tbuf = NULL;
 105
 106         rctx->saltlen = -2;
 107
 108         ctx->data = rctx;
 109         ctx->keygen_info = rctx->gentmp;
 110         ctx->keygen_info_count = 2;
 111
 112         return 1;
 113         }
 114
 115 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
 116         {
 117         RSA_PKEY_CTX *dctx, *sctx;
 118         if (!pkey_rsa_init(dst))
 119                 return 0;
 120         sctx = src->data;
 121         dctx = dst->data;
 122         dctx->nbits = sctx->nbits;
 123         if (sctx->pub_exp)
 124                 {
 125                 dctx->pub_exp = BN_dup(sctx->pub_exp);
 126                 if (!dctx->pub_exp)
 127                         return 0;
 128                 }
 129         dctx->pad_mode = sctx->pad_mode;
 130         dctx->md = sctx->md;
 131         return 1;
 132         }
 133
 134 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
 135         {
 136         if (ctx->tbuf)
 137                 return 1;
 138         ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
 139         if (!ctx->tbuf)
 140                 return 0;
 141         return 1;
 142         }
 143
 144 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
 145         {
 146         RSA_PKEY_CTX *rctx = ctx->data;
 147         if (rctx)
 148                 {
 149                 if (rctx->pub_exp)
 150                         BN_free(rctx->pub_exp);
 151                 if (rctx->tbuf)
 152                         OPENSSL_free(rctx->tbuf);
 153                 OPENSSL_free(rctx);
 154                 }
 155         }
 156
 157 /* FIP checker. Return value indicates status of context parameters:
 158  * 1  : redirect to FIPS.
 159  * 0  : don't redirect to FIPS.
 160  * -1 : illegal operation in FIPS mode.
 161  */
 162
 163 static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
 164         {
 165         RSA_PKEY_CTX *rctx = ctx->data;
 166         RSA *rsa = ctx->pkey->pkey.rsa;
 167         int rv = -1;
 168         if (!FIPS_mode())
 169                 return 0;
 170         if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
 171                 rv = 0;
 172         if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
 173                 return -1;
 174         if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
 175                 return rv;
 176         if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
 177                 return rv;
 178         return 1;
 179         }
 180
 181 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
 182                                         const unsigned char *tbs, size_t tbslen)
 183         {
 184         int ret;
 185         RSA_PKEY_CTX *rctx = ctx->data;
 186         RSA *rsa = ctx->pkey->pkey.rsa;
 187
 188 #ifdef OPENSSL_FIPS
 189         ret = pkey_fips_check_ctx(ctx);
 190         if (ret < 0)
 191                 {
 192                 RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
 193                 return -1;
 194                 }
 195 #endif
 196
 197         if (rctx->md)
 198                 {
 199                 if (tbslen != (size_t)EVP_MD_size(rctx->md))
 200                         {
 201                         RSAerr(RSA_F_PKEY_RSA_SIGN,
 202                                         RSA_R_INVALID_DIGEST_LENGTH);
 203                         return -1;
 204                         }
 205 #ifdef OPENSSL_FIPS
 206                 if (ret > 0)
 207                         {
 208                         unsigned int slen;
 209                         ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
 210                                                         rctx->pad_mode,
 211                                                         rctx->saltlen,
 212                                                         rctx->mgf1md,
 213                                                         sig, &slen);
 214                         if (ret > 0)
 215                                 *siglen = slen;
 216                         else
 217                                 *siglen = 0;
 218                         return ret;
 219                         }
 220 #endif
 221                 if (rctx->pad_mode == RSA_X931_PADDING)
 222                         {
 223                         if (!setup_tbuf(rctx, ctx))
 224                                 return -1;
 225                         memcpy(rctx->tbuf, tbs, tbslen);
 226                         rctx->tbuf[tbslen] =
 227                                 RSA_X931_hash_id(EVP_MD_type(rctx->md));
 228                         ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
 229                                                 sig, rsa, RSA_X931_PADDING);
 230                         }
 231                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
 232                         {
 233                         unsigned int sltmp;
 234                         ret = RSA_sign(EVP_MD_type(rctx->md),
 235                                                 tbs, tbslen, sig, &sltmp, rsa);
 236                         if (ret <= 0)
 237                                 return ret;
 238                         ret = sltmp;
 239                         }
 240                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
 241                         {
 242                         if (!setup_tbuf(rctx, ctx))
 243                                 return -1;
 244                         if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
 245                                                 rctx->tbuf, tbs,
 246                                                 rctx->md, rctx->mgf1md,
 247                                                 rctx->saltlen))
 248                                 return -1;
 249                         ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
 250                                                 sig, rsa, RSA_NO_PADDING);
 251                         }
 252                 else
 253                         return -1;
 254                 }
 255         else
 256                 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
 257                                                         rctx->pad_mode);
 258         if (ret < 0)
 259                 return ret;
 260         *siglen = ret;
 261         return 1;
 262         }
 263
 264
 265 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
 266                                         unsigned char *rout, size_t *routlen,
 267                                         const unsigned char *sig, size_t siglen)
 268         {
 269         int ret;
 270         RSA_PKEY_CTX *rctx = ctx->data;
 271
 272         if (rctx->md)
 273                 {
 274                 if (rctx->pad_mode == RSA_X931_PADDING)
 275                         {
 276                         if (!setup_tbuf(rctx, ctx))
 277                                 return -1;
 278                         ret = RSA_public_decrypt(siglen, sig,
 279                                                 rctx->tbuf, ctx->pkey->pkey.rsa,
 280                                                 RSA_X931_PADDING);
 281                         if (ret < 1)
 282                                 return 0;
 283                         ret--;
 284                         if (rctx->tbuf[ret] !=
 285                                 RSA_X931_hash_id(EVP_MD_type(rctx->md)))
 286                                 {
 287                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
 288                                                 RSA_R_ALGORITHM_MISMATCH);
 289                                 return 0;
 290                                 }
 291                         if (ret != EVP_MD_size(rctx->md))
 292                                 {
 293                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
 294                                         RSA_R_INVALID_DIGEST_LENGTH);
 295                                 return 0;
 296                                 }
 297                         if (rout)
 298                                 memcpy(rout, rctx->tbuf, ret);
 299                         }
 300                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
 301                         {
 302                         size_t sltmp;
 303                         ret = int_rsa_verify(EVP_MD_type(rctx->md),
 304                                                 NULL, 0, rout, &sltmp,
 305                                         sig, siglen, ctx->pkey->pkey.rsa);
 306                         if (ret <= 0)
 307                                 return 0;
 308                         ret = sltmp;
 309                         }
 310                 else
 311                         return -1;
 312                 }
 313         else
 314                 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
 315                                                         rctx->pad_mode);
 316         if (ret < 0)
 317                 return ret;
 318         *routlen = ret;
 319         return 1;
 320         }
 321
 322 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
 323                                         const unsigned char *sig, size_t siglen,
 324                                         const unsigned char *tbs, size_t tbslen)
 325         {
 326         RSA_PKEY_CTX *rctx = ctx->data;
 327         RSA *rsa = ctx->pkey->pkey.rsa;
 328         size_t rslen;
 329 #ifdef OPENSSL_FIPS
 330         int rv;
 331         rv = pkey_fips_check_ctx(ctx);
 332         if (rv < 0)
 333                 {
 334                 RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
 335                 return -1;
 336                 }
 337 #endif
 338         if (rctx->md)
 339                 {
 340 #ifdef OPENSSL_FIPS
 341                 if (rv > 0)
 342                         {
 343                         return FIPS_rsa_verify_digest(rsa,
 344                                                         tbs, tbslen,
 345                                                         rctx->md,
 346                                                         rctx->pad_mode,
 347                                                         rctx->saltlen,
 348                                                         rctx->mgf1md,
 349                                                         sig, siglen);
 350
 351                         }
 352 #endif
 353                 if (rctx->pad_mode == RSA_PKCS1_PADDING)
 354                         return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
 355                                         sig, siglen, rsa);
 356                 if (rctx->pad_mode == RSA_X931_PADDING)
 357                         {
 358                         if (pkey_rsa_verifyrecover(ctx, NULL, &rslen,
 359                                         sig, siglen) <= 0)
 360                                 return 0;
 361                         }
 362                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
 363                         {
 364                         int ret;
 365                         if (!setup_tbuf(rctx, ctx))
 366                                 return -1;
 367                         ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
 368                                                         rsa, RSA_NO_PADDING);
 369                         if (ret <= 0)
 370                                 return 0;
 371                         ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
 372                                                 rctx->md, rctx->mgf1md,
 373                                                 rctx->tbuf, rctx->saltlen);
 374                         if (ret <= 0)
 375                                 return 0;
 376                         return 1;
 377                         }
 378                 else
 379                         return -1;
 380                 }
 381         else
 382                 {
 383                 if (!setup_tbuf(rctx, ctx))
 384                         return -1;
 385                 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
 386                                                 rsa, rctx->pad_mode);
 387                 if (rslen == 0)
 388                         return 0;
 389                 }
 390
 391         if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
 392                 return 0;
 393
 394         return 1;
 395
 396         }
 397
 398
 399 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
 400                                         unsigned char *out, size_t *outlen,
 401                                         const unsigned char *in, size_t inlen)
 402         {
 403         int ret;
 404         RSA_PKEY_CTX *rctx = ctx->data;
 405         ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 406                                                         rctx->pad_mode);
 407         if (ret < 0)
 408                 return ret;
 409         *outlen = ret;
 410         return 1;
 411         }
 412
 413 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
 414                                         unsigned char *out, size_t *outlen,
 415                                         const unsigned char *in, size_t inlen)
 416         {
 417         int ret;
 418         RSA_PKEY_CTX *rctx = ctx->data;
 419         ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 420                                                         rctx->pad_mode);
 421         if (ret < 0)
 422                 return ret;
 423         *outlen = ret;
 424         return 1;
 425         }
 426
 427 static int check_padding_md(const EVP_MD *md, int padding)
 428         {
 429         if (!md)
 430                 return 1;
 431
 432         if (padding == RSA_NO_PADDING)
 433                 {
 434                 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
 435                 return 0;
 436                 }
 437
 438         if (padding == RSA_X931_PADDING)
 439                 {
 440                 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
 441                         {
 442                         RSAerr(RSA_F_CHECK_PADDING_MD,
 443                                                 RSA_R_INVALID_X931_DIGEST);
 444                         return 0;
 445                         }
 446                 return 1;
 447                 }
 448
 449         return 1;
 450         }
 451
 452
 453 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 454         {
 455         RSA_PKEY_CTX *rctx = ctx->data;
 456         switch (type)
 457                 {
 458                 case EVP_PKEY_CTRL_RSA_PADDING:
 459                 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
 460                         {
 461                         if (!check_padding_md(rctx->md, p1))
 462                                 return 0;
 463                         if (p1 == RSA_PKCS1_PSS_PADDING)
 464                                 {
 465                                 if (!(ctx->operation &
 466                                      (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
 467                                         goto bad_pad;
 468                                 if (!rctx->md)
 469                                         rctx->md = EVP_sha1();
 470                                 }
 471                         if (p1 == RSA_PKCS1_OAEP_PADDING)
 472                                 {
 473                                 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
 474                                         goto bad_pad;
 475                                 if (!rctx->md)
 476                                         rctx->md = EVP_sha1();
 477                                 }
 478                         rctx->pad_mode = p1;
 479                         return 1;
 480                         }
 481                 bad_pad:
 482                 RSAerr(RSA_F_PKEY_RSA_CTRL,
 483                                 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
 484                 return -2;
 485
 486                 case EVP_PKEY_CTRL_GET_RSA_PADDING:
 487                 *(int *)p2 = rctx->pad_mode;
 488                 return 1;
 489
 490                 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
 491                 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
 492                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
 493                         {
 494                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
 495                         return -2;
 496                         }
 497                 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
 498                         *(int *)p2 = rctx->saltlen;
 499                 else
 500                         {
 501                         if (p1 < -2)
 502                                 return -2;
 503                         rctx->saltlen = p1;
 504                         }
 505                 return 1;
 506
 507                 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
 508                 if (p1 < 256)
 509                         {
 510                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
 511                         return -2;
 512                         }
 513                 rctx->nbits = p1;
 514                 return 1;
 515
 516                 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
 517                 if (!p2)
 518                         return -2;
 519                 rctx->pub_exp = p2;
 520                 return 1;
 521
 522                 case EVP_PKEY_CTRL_MD:
 523                 if (!check_padding_md(p2, rctx->pad_mode))
 524                         return 0;
 525                 rctx->md = p2;
 526                 return 1;
 527
 528                 case EVP_PKEY_CTRL_RSA_MGF1_MD:
 529                 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
 530                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
 531                         {
 532                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
 533                         return -2;
 534                         }
 535                 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
 536                         {
 537                         if (rctx->mgf1md)
 538                                 *(const EVP_MD **)p2 = rctx->mgf1md;
 539                         else
 540                                 *(const EVP_MD **)p2 = rctx->md;
 541                         }
 542                 else
 543                         rctx->mgf1md = p2;
 544                 return 1;
 545
 546                 case EVP_PKEY_CTRL_DIGESTINIT:
 547                 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
 548                 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
 549                 case EVP_PKEY_CTRL_PKCS7_SIGN:
 550 #ifndef OPENSSL_NO_CMS
 551                 case EVP_PKEY_CTRL_CMS_ENCRYPT:
 552                 case EVP_PKEY_CTRL_CMS_DECRYPT:
 553                 case EVP_PKEY_CTRL_CMS_SIGN:
 554 #endif
 555                 return 1;
 556                 case EVP_PKEY_CTRL_PEER_KEY:
 557                         RSAerr(RSA_F_PKEY_RSA_CTRL,
 558                         RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
 559                         return -2;
 560
 561                 default:
 562                 return -2;
 563
 564                 }
 565         }
 566
 567 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
 568                         const char *type, const char *value)
 569         {
 570         if (!value)
 571                 {
 572                 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
 573                 return 0;
 574                 }
 575         if (!strcmp(type, "rsa_padding_mode"))
 576                 {
 577                 int pm;
 578                 if (!strcmp(value, "pkcs1"))
 579                         pm = RSA_PKCS1_PADDING;
 580                 else if (!strcmp(value, "sslv23"))
 581                         pm = RSA_SSLV23_PADDING;
 582                 else if (!strcmp(value, "none"))
 583                         pm = RSA_NO_PADDING;
 584                 else if (!strcmp(value, "oeap"))
 585                         pm = RSA_PKCS1_OAEP_PADDING;
 586                 else if (!strcmp(value, "x931"))
 587                         pm = RSA_X931_PADDING;
 588                 else if (!strcmp(value, "pss"))
 589                         pm = RSA_PKCS1_PSS_PADDING;
 590                 else
 591                         {
 592                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
 593                                                 RSA_R_UNKNOWN_PADDING_TYPE);
 594                         return -2;
 595                         }
 596                 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
 597                 }
 598
 599         if (!strcmp(type, "rsa_pss_saltlen"))
 600                 {
 601                 int saltlen;
 602                 saltlen = atoi(value);
 603                 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
 604                 }
 605
 606         if (!strcmp(type, "rsa_keygen_bits"))
 607                 {
 608                 int nbits;
 609                 nbits = atoi(value);
 610                 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
 611                 }
 612
 613         if (!strcmp(type, "rsa_keygen_pubexp"))
 614                 {
 615                 int ret;
 616                 BIGNUM *pubexp = NULL;
 617                 if (!BN_asc2bn(&pubexp, value))
 618                         return 0;
 619                 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
 620                 if (ret <= 0)
 621                         BN_free(pubexp);
 622                 return ret;
 623                 }
 624
 625         return -2;
 626         }
 627
 628 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 629         {
 630         RSA *rsa = NULL;
 631         RSA_PKEY_CTX *rctx = ctx->data;
 632         BN_GENCB *pcb, cb;
 633         int ret;
 634         if (!rctx->pub_exp)
 635                 {
 636                 rctx->pub_exp = BN_new();
 637                 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
 638                         return 0;
 639                 }
 640         rsa = RSA_new();
 641         if (!rsa)
 642                 return 0;
 643         if (ctx->pkey_gencb)
 644                 {
 645                 pcb = &cb;
 646                 evp_pkey_set_cb_translate(pcb, ctx);
 647                 }
 648         else
 649                 pcb = NULL;
 650         ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
 651         if (ret > 0)
 652                 EVP_PKEY_assign_RSA(pkey, rsa);
 653         else
 654                 RSA_free(rsa);
 655         return ret;
 656         }
 657
 658 const EVP_PKEY_METHOD rsa_pkey_meth =
 659         {
 660         EVP_PKEY_RSA,
 661         EVP_PKEY_FLAG_AUTOARGLEN,
 662         pkey_rsa_init,
 663         pkey_rsa_copy,
 664         pkey_rsa_cleanup,
 665
 666         0,0,
 667
 668         0,
 669         pkey_rsa_keygen,
 670
 671         0,
 672         pkey_rsa_sign,
 673
 674         0,
 675         pkey_rsa_verify,
 676
 677         0,
 678         pkey_rsa_verifyrecover,
 679
 680
 681         0,0,0,0,
 682
 683         0,
 684         pkey_rsa_encrypt,
 685
 686         0,
 687         pkey_rsa_decrypt,
 688
 689         0,0,
 690
 691         pkey_rsa_ctrl,
 692         pkey_rsa_ctrl_str
 693
 694
 695         };