085c73e8985f2318ce4edb251a2be164fc8727ba
[openssl.git] / crypto / rsa / rsa_pmeth.c
1 /* crypto/rsa/rsa_pmeth.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 2006.
4  */
5 /* ====================================================================
6  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer. 
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58
59 #include <stdio.h>
60 #include "cryptlib.h"
61 #include <openssl/asn1t.h>
62 #include <openssl/x509.h>
63 #include <openssl/rsa.h>
64 #include <openssl/bn.h>
65 #include <openssl/evp.h>
66 #include <openssl/x509v3.h>
67 #ifndef OPENSSL_NO_CMS
68 #include <openssl/cms.h>
69 #endif
70 #include "evp_locl.h"
71 #include "rsa_locl.h"
72
73 /* RSA pkey context structure */
74
75 typedef struct
76         {
77         /* Key gen parameters */
78         int nbits;
79         BIGNUM *pub_exp;
80         /* Keygen callback info */
81         int gentmp[2];
82         /* RSA padding mode */
83         int pad_mode;
84         /* message digest */
85         const EVP_MD *md;
86         /* message digest for MGF1 */
87         const EVP_MD *mgf1md;
88         /* PSS salt length */
89         int saltlen;
90         /* Temp buffer */
91         unsigned char *tbuf;
92         /* OAEP label */
93         unsigned char *oaep_label;
94         size_t oaep_labellen;
95         } RSA_PKEY_CTX;
96
97 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
98         {
99         RSA_PKEY_CTX *rctx;
100         rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
101         if (!rctx)
102                 return 0;
103         rctx->nbits = 1024;
104         rctx->pub_exp = NULL;
105         rctx->pad_mode = RSA_PKCS1_PADDING;
106         rctx->md = NULL;
107         rctx->mgf1md = NULL;
108         rctx->tbuf = NULL;
109
110         rctx->saltlen = -2;
111
112         rctx->oaep_label = NULL;
113         rctx->oaep_labellen = 0;
114
115         ctx->data = rctx;
116         ctx->keygen_info = rctx->gentmp;
117         ctx->keygen_info_count = 2;
118         
119         return 1;
120         }
121
122 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
123         {
124         RSA_PKEY_CTX *dctx, *sctx;
125         if (!pkey_rsa_init(dst))
126                 return 0;
127         sctx = src->data;
128         dctx = dst->data;
129         dctx->nbits = sctx->nbits;
130         if (sctx->pub_exp)
131                 {
132                 dctx->pub_exp = BN_dup(sctx->pub_exp);
133                 if (!dctx->pub_exp)
134                         return 0;
135                 }
136         dctx->pad_mode = sctx->pad_mode;
137         dctx->md = sctx->md;
138         dctx->mgf1md = sctx->mgf1md;
139         if (sctx->oaep_label)
140                 {
141                 if (dctx->oaep_label)
142                         OPENSSL_free(dctx->oaep_label);
143                 dctx->oaep_label = BUF_memdup(sctx->oaep_label,
144                                                 sctx->oaep_labellen);
145                 if (!dctx->oaep_label)
146                         return 0;
147                 dctx->oaep_labellen = sctx->oaep_labellen;
148                 }
149         return 1;
150         }
151
152 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
153         {
154         if (ctx->tbuf)
155                 return 1;
156         ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
157         if (!ctx->tbuf)
158                 return 0;
159         return 1;
160         }
161
162 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
163         {
164         RSA_PKEY_CTX *rctx = ctx->data;
165         if (rctx)
166                 {
167                 if (rctx->pub_exp)
168                         BN_free(rctx->pub_exp);
169                 if (rctx->tbuf)
170                         OPENSSL_free(rctx->tbuf);
171                 if (rctx->oaep_label)
172                         OPENSSL_free(rctx->oaep_label);
173                 OPENSSL_free(rctx);
174                 }
175         }
176
177 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
178                                         const unsigned char *tbs, size_t tbslen)
179         {
180         int ret;
181         RSA_PKEY_CTX *rctx = ctx->data;
182         RSA *rsa = ctx->pkey->pkey.rsa;
183
184         if (rctx->md)
185                 {
186                 if (tbslen != (size_t)EVP_MD_size(rctx->md))
187                         {
188                         RSAerr(RSA_F_PKEY_RSA_SIGN,
189                                         RSA_R_INVALID_DIGEST_LENGTH);
190                         return -1;
191                         }
192
193                 if (EVP_MD_type(rctx->md) == NID_mdc2)
194                         {
195                         unsigned int sltmp;
196                         if (rctx->pad_mode != RSA_PKCS1_PADDING)
197                                 return -1;
198                         ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
199                                                 tbs, tbslen, sig, &sltmp, rsa);
200
201                         if (ret <= 0)
202                                 return ret;
203                         ret = sltmp;
204                         }
205                 else if (rctx->pad_mode == RSA_X931_PADDING)
206                         {
207                         if (!setup_tbuf(rctx, ctx))
208                                 return -1;
209                         memcpy(rctx->tbuf, tbs, tbslen);
210                         rctx->tbuf[tbslen] =
211                                 RSA_X931_hash_id(EVP_MD_type(rctx->md));
212                         ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
213                                                 sig, rsa, RSA_X931_PADDING);
214                         }
215                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
216                         {
217                         unsigned int sltmp;
218                         ret = RSA_sign(EVP_MD_type(rctx->md),
219                                                 tbs, tbslen, sig, &sltmp, rsa);
220                         if (ret <= 0)
221                                 return ret;
222                         ret = sltmp;
223                         }
224                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
225                         {
226                         if (!setup_tbuf(rctx, ctx))
227                                 return -1;
228                         if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
229                                                 rctx->tbuf, tbs,
230                                                 rctx->md, rctx->mgf1md,
231                                                 rctx->saltlen))
232                                 return -1;
233                         ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
234                                                 sig, rsa, RSA_NO_PADDING);
235                         }
236                 else
237                         return -1;
238                 }
239         else
240                 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
241                                                         rctx->pad_mode);
242         if (ret < 0)
243                 return ret;
244         *siglen = ret;
245         return 1;
246         }
247
248
249 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
250                                         unsigned char *rout, size_t *routlen,
251                                         const unsigned char *sig, size_t siglen)
252         {
253         int ret;
254         RSA_PKEY_CTX *rctx = ctx->data;
255
256         if (rctx->md)
257                 {
258                 if (rctx->pad_mode == RSA_X931_PADDING)
259                         {
260                         if (!setup_tbuf(rctx, ctx))
261                                 return -1;
262                         ret = RSA_public_decrypt(siglen, sig,
263                                                 rctx->tbuf, ctx->pkey->pkey.rsa,
264                                                 RSA_X931_PADDING);
265                         if (ret < 1)
266                                 return 0;
267                         ret--;
268                         if (rctx->tbuf[ret] !=
269                                 RSA_X931_hash_id(EVP_MD_type(rctx->md)))
270                                 {
271                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
272                                                 RSA_R_ALGORITHM_MISMATCH);
273                                 return 0;
274                                 }
275                         if (ret != EVP_MD_size(rctx->md))
276                                 {
277                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
278                                         RSA_R_INVALID_DIGEST_LENGTH);
279                                 return 0;
280                                 }
281                         if (rout)
282                                 memcpy(rout, rctx->tbuf, ret);
283                         }
284                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
285                         {
286                         size_t sltmp;
287                         ret = int_rsa_verify(EVP_MD_type(rctx->md),
288                                                 NULL, 0, rout, &sltmp,
289                                         sig, siglen, ctx->pkey->pkey.rsa);
290                         if (ret <= 0)
291                                 return 0;
292                         ret = sltmp;
293                         }
294                 else
295                         return -1;
296                 }
297         else
298                 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
299                                                         rctx->pad_mode);
300         if (ret < 0)
301                 return ret;
302         *routlen = ret;
303         return 1;
304         }
305
306 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
307                                         const unsigned char *sig, size_t siglen,
308                                         const unsigned char *tbs, size_t tbslen)
309         {
310         RSA_PKEY_CTX *rctx = ctx->data;
311         RSA *rsa = ctx->pkey->pkey.rsa;
312         size_t rslen;
313         if (rctx->md)
314                 {
315                 if (rctx->pad_mode == RSA_PKCS1_PADDING)
316                         return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
317                                         sig, siglen, rsa);
318                 if (rctx->pad_mode == RSA_X931_PADDING)
319                         {
320                         if (pkey_rsa_verifyrecover(ctx, NULL, &rslen,
321                                         sig, siglen) <= 0)
322                                 return 0;
323                         }
324                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
325                         {
326                         int ret;
327                         if (!setup_tbuf(rctx, ctx))
328                                 return -1;
329                         ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
330                                                         rsa, RSA_NO_PADDING);
331                         if (ret <= 0)
332                                 return 0;
333                         ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
334                                                 rctx->md, rctx->mgf1md,
335                                                 rctx->tbuf, rctx->saltlen);
336                         if (ret <= 0)
337                                 return 0;
338                         return 1;
339                         }
340                 else
341                         return -1;
342                 }
343         else
344                 {
345                 if (!setup_tbuf(rctx, ctx))
346                         return -1;
347                 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
348                                                 rsa, rctx->pad_mode);
349                 if (rslen == 0)
350                         return 0;
351                 }
352
353         if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
354                 return 0;
355
356         return 1;
357                         
358         }
359
360 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
361                                         unsigned char *out, size_t *outlen,
362                                         const unsigned char *in, size_t inlen)
363         {
364         int ret;
365         RSA_PKEY_CTX *rctx = ctx->data;
366         if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING)
367                 {
368                 int klen = RSA_size(ctx->pkey->pkey.rsa);
369                 if (!setup_tbuf(rctx, ctx))
370                         return -1;
371                 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
372                                                         in, inlen,
373                                                         rctx->oaep_label,
374                                                         rctx->oaep_labellen,
375                                                         rctx->md, rctx->mgf1md))
376                         return -1;
377                 ret = RSA_public_encrypt(klen, rctx->tbuf, out,
378                                                 ctx->pkey->pkey.rsa,
379                                                 RSA_NO_PADDING);
380                 }
381         else
382                 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
383                                                         rctx->pad_mode);
384         if (ret < 0)
385                 return ret;
386         *outlen = ret;
387         return 1;
388         }
389
390 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
391                                         unsigned char *out, size_t *outlen,
392                                         const unsigned char *in, size_t inlen)
393         {
394         int ret;
395         RSA_PKEY_CTX *rctx = ctx->data;
396         if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING)
397                 {
398                 int i;
399                 if (!setup_tbuf(rctx, ctx))
400                         return -1;
401                 ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
402                                                         ctx->pkey->pkey.rsa,
403                                                         RSA_NO_PADDING);
404                 if (ret <= 0)
405                         return ret;
406                 for (i = 0; i < ret; i++)
407                         {
408                         if (rctx->tbuf[i])
409                                 break;
410                         }
411                 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out,ret,rctx->tbuf + i,
412                                                         ret - i, ret,
413                                                         rctx->oaep_label,
414                                                         rctx->oaep_labellen,
415                                                         rctx->md, rctx->mgf1md);
416                 }
417         else 
418                 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
419                                                         rctx->pad_mode);
420         if (ret < 0)
421                 return ret;
422         *outlen = ret;
423         return 1;
424         }
425
426 static int check_padding_md(const EVP_MD *md, int padding)
427         {
428         if (!md)
429                 return 1;
430
431         if (padding == RSA_NO_PADDING)
432                 {
433                 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
434                 return 0;
435                 }
436
437         if (padding == RSA_X931_PADDING)
438                 {
439                 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
440                         {
441                         RSAerr(RSA_F_CHECK_PADDING_MD,
442                                                 RSA_R_INVALID_X931_DIGEST);
443                         return 0;
444                         }
445                 return 1;
446                 }
447
448         return 1;
449         }
450                         
451
452 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
453         {
454         RSA_PKEY_CTX *rctx = ctx->data;
455         switch (type)
456                 {
457                 case EVP_PKEY_CTRL_RSA_PADDING:
458                 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
459                         {
460                         if (!check_padding_md(rctx->md, p1))
461                                 return 0;
462                         if (p1 == RSA_PKCS1_PSS_PADDING) 
463                                 {
464                                 if (!(ctx->operation &
465                                      (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
466                                         goto bad_pad;
467                                 if (!rctx->md)
468                                         rctx->md = EVP_sha1();
469                                 }
470                         if (p1 == RSA_PKCS1_OAEP_PADDING) 
471                                 {
472                                 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
473                                         goto bad_pad;
474                                 if (!rctx->md)
475                                         rctx->md = EVP_sha1();
476                                 }
477                         rctx->pad_mode = p1;
478                         return 1;
479                         }
480                 bad_pad:
481                 RSAerr(RSA_F_PKEY_RSA_CTRL,
482                                 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
483                 return -2;
484
485                 case EVP_PKEY_CTRL_GET_RSA_PADDING:
486                 *(int *)p2 = rctx->pad_mode;
487                 return 1;
488
489                 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
490                 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
491                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
492                         {
493                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
494                         return -2;
495                         }
496                 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
497                         *(int *)p2 = rctx->saltlen;
498                 else
499                         {
500                         if (p1 < -2)
501                                 return -2;
502                         rctx->saltlen = p1;
503                         }
504                 return 1;
505
506                 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
507                 if (p1 < 256)
508                         {
509                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
510                         return -2;
511                         }
512                 rctx->nbits = p1;
513                 return 1;
514
515                 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
516                 if (!p2)
517                         return -2;
518                 BN_free(rctx->pub_exp);
519                 rctx->pub_exp = p2;
520                 return 1;
521
522                 case EVP_PKEY_CTRL_RSA_OAEP_MD:
523                 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)
524                         {
525                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
526                         return 0;
527                         }
528                 rctx->md = p2;
529                 return 1;
530
531                 case EVP_PKEY_CTRL_MD:
532                 if (!check_padding_md(p2, rctx->pad_mode))
533                         return 0;
534                 rctx->md = p2;
535                 return 1;
536
537                 case EVP_PKEY_CTRL_GET_MD:
538                 *(const EVP_MD **)p2 = rctx->md;
539                 return 1;
540
541                 case EVP_PKEY_CTRL_RSA_MGF1_MD:
542                 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
543                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
544                         && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)
545                         {
546                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
547                         return -2;
548                         }
549                 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
550                         {
551                         if (rctx->mgf1md)
552                                 *(const EVP_MD **)p2 = rctx->mgf1md;
553                         else
554                                 *(const EVP_MD **)p2 = rctx->md;
555                         }
556                 else
557                         rctx->mgf1md = p2;
558                 return 1;
559
560                 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
561                 OPENSSL_free(rctx->oaep_label);
562                 rctx->oaep_label = p2;
563                 rctx->oaep_labellen = p1;
564                 return 1;
565
566                 case EVP_PKEY_CTRL_DIGESTINIT:
567                 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
568                 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
569                 case EVP_PKEY_CTRL_PKCS7_SIGN:
570                 return 1;
571 #ifndef OPENSSL_NO_CMS
572                 case EVP_PKEY_CTRL_CMS_DECRYPT:
573                 {
574                 X509_ALGOR *alg = NULL;
575                 ASN1_OBJECT *encalg = NULL;
576                 if (p2)
577                         CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
578                 if (alg)
579                         X509_ALGOR_get0(&encalg, NULL, NULL, alg);
580                 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
581                         rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
582                 }
583                 case EVP_PKEY_CTRL_CMS_ENCRYPT:
584                 case EVP_PKEY_CTRL_CMS_SIGN:
585                 return 1;
586 #endif
587                 case EVP_PKEY_CTRL_PEER_KEY:
588                         RSAerr(RSA_F_PKEY_RSA_CTRL,
589                         RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
590                         return -2;      
591
592                 default:
593                 return -2;
594
595                 }
596         }
597                         
598 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
599                         const char *type, const char *value)
600         {
601         if (!value)
602                 {
603                 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
604                 return 0;
605                 }
606         if (!strcmp(type, "rsa_padding_mode"))
607                 {
608                 int pm;
609                 if (!strcmp(value, "pkcs1"))
610                         pm = RSA_PKCS1_PADDING;
611                 else if (!strcmp(value, "sslv23"))
612                         pm = RSA_SSLV23_PADDING;
613                 else if (!strcmp(value, "none"))
614                         pm = RSA_NO_PADDING;
615                 else if (!strcmp(value, "oeap"))
616                         pm = RSA_PKCS1_OAEP_PADDING;
617                 else if (!strcmp(value, "oaep"))
618                         pm = RSA_PKCS1_OAEP_PADDING;
619                 else if (!strcmp(value, "x931"))
620                         pm = RSA_X931_PADDING;
621                 else if (!strcmp(value, "pss"))
622                         pm = RSA_PKCS1_PSS_PADDING;
623                 else
624                         {
625                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
626                                                 RSA_R_UNKNOWN_PADDING_TYPE);
627                         return -2;
628                         }
629                 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
630                 }
631
632         if (!strcmp(type, "rsa_pss_saltlen"))
633                 {
634                 int saltlen;
635                 saltlen = atoi(value);
636                 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
637                 }
638
639         if (!strcmp(type, "rsa_keygen_bits"))
640                 {
641                 int nbits;
642                 nbits = atoi(value);
643                 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
644                 }
645
646         if (!strcmp(type, "rsa_keygen_pubexp"))
647                 {
648                 int ret;
649                 BIGNUM *pubexp = NULL;
650                 if (!BN_asc2bn(&pubexp, value))
651                         return 0;
652                 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
653                 if (ret <= 0)
654                         BN_free(pubexp);
655                 return ret;
656                 }
657
658         if (!strcmp(type, "rsa_mgf1_md"))
659                 {
660                 const EVP_MD *md;
661                 if (!(md = EVP_get_digestbyname(value)))
662                         {
663                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
664                                                 RSA_R_INVALID_DIGEST);
665                         return 0;
666                         }
667                 return EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md);
668                 }
669
670         if (!strcmp(type, "rsa_oaep_md"))
671                 {
672                 const EVP_MD *md;
673                 if (!(md = EVP_get_digestbyname(value)))
674                         {
675                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
676                                                 RSA_R_INVALID_DIGEST);
677                         return 0;
678                         }
679                 return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md);
680                 }
681         if (!strcmp(type, "rsa_oaep_label"))
682                 {
683                 unsigned char *lab;
684                 long lablen;
685                 int ret;
686                 lab = string_to_hex(value, &lablen);
687                 if (!lab)
688                         return 0;
689                 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
690                 if (ret <= 0)
691                         OPENSSL_free(lab);
692                 return ret;
693                 }
694
695         return -2;
696         }
697
698 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
699         {
700         RSA *rsa = NULL;
701         RSA_PKEY_CTX *rctx = ctx->data;
702         BN_GENCB *pcb, cb;
703         int ret;
704         if (!rctx->pub_exp)
705                 {
706                 rctx->pub_exp = BN_new();
707                 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
708                         return 0;
709                 }
710         rsa = RSA_new();
711         if (!rsa)
712                 return 0;
713         if (ctx->pkey_gencb)
714                 {
715                 pcb = &cb;
716                 evp_pkey_set_cb_translate(pcb, ctx);
717                 }
718         else
719                 pcb = NULL;
720         ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
721         if (ret > 0)
722                 EVP_PKEY_assign_RSA(pkey, rsa);
723         else
724                 RSA_free(rsa);
725         return ret;
726         }
727
728 const EVP_PKEY_METHOD rsa_pkey_meth = 
729         {
730         EVP_PKEY_RSA,
731         EVP_PKEY_FLAG_AUTOARGLEN,
732         pkey_rsa_init,
733         pkey_rsa_copy,
734         pkey_rsa_cleanup,
735
736         0,0,
737
738         0,
739         pkey_rsa_keygen,
740
741         0,
742         pkey_rsa_sign,
743
744         0,
745         pkey_rsa_verify,
746
747         0,
748         pkey_rsa_verifyrecover,
749
750
751         0,0,0,0,
752
753         0,
754         pkey_rsa_encrypt,
755
756         0,
757         pkey_rsa_decrypt,
758
759         0,0,
760
761         pkey_rsa_ctrl,
762         pkey_rsa_ctrl_str
763
764
765         };