Update to OAEP support.
[oweals/openssl.git] / crypto / rsa / rsa_pmeth.c
1 /* crypto/rsa/rsa_pmeth.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 2006.
4  */
5 /* ====================================================================
6  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer. 
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58
59 #include <stdio.h>
60 #include "cryptlib.h"
61 #include <openssl/asn1t.h>
62 #include <openssl/x509.h>
63 #include <openssl/rsa.h>
64 #include <openssl/bn.h>
65 #include <openssl/evp.h>
66 #include <openssl/x509v3.h>
67 #ifndef OPENSSL_NO_CMS
68 #include <openssl/cms.h>
69 #endif
70 #include "evp_locl.h"
71 #include "rsa_locl.h"
72
73 /* RSA pkey context structure */
74
75 typedef struct
76         {
77         /* Key gen parameters */
78         int nbits;
79         BIGNUM *pub_exp;
80         /* Keygen callback info */
81         int gentmp[2];
82         /* RSA padding mode */
83         int pad_mode;
84         /* message digest */
85         const EVP_MD *md;
86         /* message digest for MGF1 */
87         const EVP_MD *mgf1md;
88         /* PSS salt length */
89         int saltlen;
90         /* Temp buffer */
91         unsigned char *tbuf;
92         /* OAEP label */
93         unsigned char *oaep_label;
94         size_t oaep_labellen;
95         } RSA_PKEY_CTX;
96
97 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
98         {
99         RSA_PKEY_CTX *rctx;
100         rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
101         if (!rctx)
102                 return 0;
103         rctx->nbits = 1024;
104         rctx->pub_exp = NULL;
105         rctx->pad_mode = RSA_PKCS1_PADDING;
106         rctx->md = NULL;
107         rctx->mgf1md = NULL;
108         rctx->tbuf = NULL;
109
110         rctx->saltlen = -2;
111
112         rctx->oaep_label = NULL;
113         rctx->oaep_labellen = 0;
114
115         ctx->data = rctx;
116         ctx->keygen_info = rctx->gentmp;
117         ctx->keygen_info_count = 2;
118         
119         return 1;
120         }
121
122 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
123         {
124         RSA_PKEY_CTX *dctx, *sctx;
125         if (!pkey_rsa_init(dst))
126                 return 0;
127         sctx = src->data;
128         dctx = dst->data;
129         dctx->nbits = sctx->nbits;
130         if (sctx->pub_exp)
131                 {
132                 dctx->pub_exp = BN_dup(sctx->pub_exp);
133                 if (!dctx->pub_exp)
134                         return 0;
135                 }
136         dctx->pad_mode = sctx->pad_mode;
137         dctx->md = sctx->md;
138         dctx->mgf1md = sctx->mgf1md;
139         if (sctx->oaep_label)
140                 {
141                 if (dctx->oaep_label)
142                         OPENSSL_free(dctx->oaep_label);
143                 dctx->oaep_label = BUF_memdup(sctx->oaep_label,
144                                                 sctx->oaep_labellen);
145                 if (!dctx->oaep_label)
146                         return 0;
147                 dctx->oaep_labellen = sctx->oaep_labellen;
148                 }
149         return 1;
150         }
151
152 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
153         {
154         if (ctx->tbuf)
155                 return 1;
156         ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
157         if (!ctx->tbuf)
158                 return 0;
159         return 1;
160         }
161
162 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
163         {
164         RSA_PKEY_CTX *rctx = ctx->data;
165         if (rctx)
166                 {
167                 if (rctx->pub_exp)
168                         BN_free(rctx->pub_exp);
169                 if (rctx->tbuf)
170                         OPENSSL_free(rctx->tbuf);
171                 if (rctx->oaep_label)
172                         OPENSSL_free(rctx->oaep_label);
173                 OPENSSL_free(rctx);
174                 }
175         }
176
177 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
178                                         const unsigned char *tbs, size_t tbslen)
179         {
180         int ret;
181         RSA_PKEY_CTX *rctx = ctx->data;
182         RSA *rsa = ctx->pkey->pkey.rsa;
183
184         if (rctx->md)
185                 {
186                 if (tbslen != (size_t)EVP_MD_size(rctx->md))
187                         {
188                         RSAerr(RSA_F_PKEY_RSA_SIGN,
189                                         RSA_R_INVALID_DIGEST_LENGTH);
190                         return -1;
191                         }
192
193                 if (EVP_MD_type(rctx->md) == NID_mdc2)
194                         {
195                         unsigned int sltmp;
196                         if (rctx->pad_mode != RSA_PKCS1_PADDING)
197                                 return -1;
198                         ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
199                                                 tbs, tbslen, sig, &sltmp, rsa);
200
201                         if (ret <= 0)
202                                 return ret;
203                         ret = sltmp;
204                         }
205                 else if (rctx->pad_mode == RSA_X931_PADDING)
206                         {
207                         if (!setup_tbuf(rctx, ctx))
208                                 return -1;
209                         memcpy(rctx->tbuf, tbs, tbslen);
210                         rctx->tbuf[tbslen] =
211                                 RSA_X931_hash_id(EVP_MD_type(rctx->md));
212                         ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
213                                                 sig, rsa, RSA_X931_PADDING);
214                         }
215                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
216                         {
217                         unsigned int sltmp;
218                         ret = RSA_sign(EVP_MD_type(rctx->md),
219                                                 tbs, tbslen, sig, &sltmp, rsa);
220                         if (ret <= 0)
221                                 return ret;
222                         ret = sltmp;
223                         }
224                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
225                         {
226                         if (!setup_tbuf(rctx, ctx))
227                                 return -1;
228                         if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
229                                                 rctx->tbuf, tbs,
230                                                 rctx->md, rctx->mgf1md,
231                                                 rctx->saltlen))
232                                 return -1;
233                         ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
234                                                 sig, rsa, RSA_NO_PADDING);
235                         }
236                 else
237                         return -1;
238                 }
239         else
240                 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
241                                                         rctx->pad_mode);
242         if (ret < 0)
243                 return ret;
244         *siglen = ret;
245         return 1;
246         }
247
248
249 static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
250                                         unsigned char *rout, size_t *routlen,
251                                         const unsigned char *sig, size_t siglen)
252         {
253         int ret;
254         RSA_PKEY_CTX *rctx = ctx->data;
255
256         if (rctx->md)
257                 {
258                 if (rctx->pad_mode == RSA_X931_PADDING)
259                         {
260                         if (!setup_tbuf(rctx, ctx))
261                                 return -1;
262                         ret = RSA_public_decrypt(siglen, sig,
263                                                 rctx->tbuf, ctx->pkey->pkey.rsa,
264                                                 RSA_X931_PADDING);
265                         if (ret < 1)
266                                 return 0;
267                         ret--;
268                         if (rctx->tbuf[ret] !=
269                                 RSA_X931_hash_id(EVP_MD_type(rctx->md)))
270                                 {
271                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
272                                                 RSA_R_ALGORITHM_MISMATCH);
273                                 return 0;
274                                 }
275                         if (ret != EVP_MD_size(rctx->md))
276                                 {
277                                 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
278                                         RSA_R_INVALID_DIGEST_LENGTH);
279                                 return 0;
280                                 }
281                         if (rout)
282                                 memcpy(rout, rctx->tbuf, ret);
283                         }
284                 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
285                         {
286                         size_t sltmp;
287                         ret = int_rsa_verify(EVP_MD_type(rctx->md),
288                                                 NULL, 0, rout, &sltmp,
289                                         sig, siglen, ctx->pkey->pkey.rsa);
290                         if (ret <= 0)
291                                 return 0;
292                         ret = sltmp;
293                         }
294                 else
295                         return -1;
296                 }
297         else
298                 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
299                                                         rctx->pad_mode);
300         if (ret < 0)
301                 return ret;
302         *routlen = ret;
303         return 1;
304         }
305
306 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
307                                         const unsigned char *sig, size_t siglen,
308                                         const unsigned char *tbs, size_t tbslen)
309         {
310         RSA_PKEY_CTX *rctx = ctx->data;
311         RSA *rsa = ctx->pkey->pkey.rsa;
312         size_t rslen;
313         if (rctx->md)
314                 {
315                 if (rctx->pad_mode == RSA_PKCS1_PADDING)
316                         return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
317                                         sig, siglen, rsa);
318                 if (rctx->pad_mode == RSA_X931_PADDING)
319                         {
320                         if (pkey_rsa_verifyrecover(ctx, NULL, &rslen,
321                                         sig, siglen) <= 0)
322                                 return 0;
323                         }
324                 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
325                         {
326                         int ret;
327                         if (!setup_tbuf(rctx, ctx))
328                                 return -1;
329                         ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
330                                                         rsa, RSA_NO_PADDING);
331                         if (ret <= 0)
332                                 return 0;
333                         ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
334                                                 rctx->md, rctx->mgf1md,
335                                                 rctx->tbuf, rctx->saltlen);
336                         if (ret <= 0)
337                                 return 0;
338                         return 1;
339                         }
340                 else
341                         return -1;
342                 }
343         else
344                 {
345                 if (!setup_tbuf(rctx, ctx))
346                         return -1;
347                 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
348                                                 rsa, rctx->pad_mode);
349                 if (rslen == 0)
350                         return 0;
351                 }
352
353         if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
354                 return 0;
355
356         return 1;
357                         
358         }
359
360 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
361                                         unsigned char *out, size_t *outlen,
362                                         const unsigned char *in, size_t inlen)
363         {
364         int ret;
365         RSA_PKEY_CTX *rctx = ctx->data;
366         if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING)
367                 {
368                 int klen = RSA_size(ctx->pkey->pkey.rsa);
369                 if (!setup_tbuf(rctx, ctx))
370                         return -1;
371                 if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
372                                                         in, inlen,
373                                                         rctx->oaep_label,
374                                                         rctx->oaep_labellen,
375                                                         rctx->md, rctx->mgf1md))
376                         return -1;
377                 ret = RSA_public_encrypt(klen, rctx->tbuf, out,
378                                                 ctx->pkey->pkey.rsa,
379                                                 RSA_NO_PADDING);
380                 }
381         else
382                 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
383                                                         rctx->pad_mode);
384         if (ret < 0)
385                 return ret;
386         *outlen = ret;
387         return 1;
388         }
389
390 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
391                                         unsigned char *out, size_t *outlen,
392                                         const unsigned char *in, size_t inlen)
393         {
394         int ret;
395         RSA_PKEY_CTX *rctx = ctx->data;
396         if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING)
397                 {
398                 int i;
399                 if (!setup_tbuf(rctx, ctx))
400                         return -1;
401                 ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
402                                                         ctx->pkey->pkey.rsa,
403                                                         RSA_NO_PADDING);
404                 if (ret <= 0)
405                         return ret;
406                 for (i = 0; i < ret; i++)
407                         {
408                         if (rctx->tbuf[i])
409                                 break;
410                         }
411                 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out,ret,rctx->tbuf + i,
412                                                         ret - i, ret,
413                                                         rctx->oaep_label,
414                                                         rctx->oaep_labellen,
415                                                         rctx->md, rctx->mgf1md);
416                 }
417         else 
418                 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
419                                                         rctx->pad_mode);
420         if (ret < 0)
421                 return ret;
422         *outlen = ret;
423         return 1;
424         }
425
426 static int check_padding_md(const EVP_MD *md, int padding)
427         {
428         if (!md)
429                 return 1;
430
431         if (padding == RSA_NO_PADDING)
432                 {
433                 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
434                 return 0;
435                 }
436
437         if (padding == RSA_X931_PADDING)
438                 {
439                 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
440                         {
441                         RSAerr(RSA_F_CHECK_PADDING_MD,
442                                                 RSA_R_INVALID_X931_DIGEST);
443                         return 0;
444                         }
445                 return 1;
446                 }
447
448         return 1;
449         }
450                         
451
452 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
453         {
454         RSA_PKEY_CTX *rctx = ctx->data;
455         switch (type)
456                 {
457                 case EVP_PKEY_CTRL_RSA_PADDING:
458                 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
459                         {
460                         if (!check_padding_md(rctx->md, p1))
461                                 return 0;
462                         if (p1 == RSA_PKCS1_PSS_PADDING) 
463                                 {
464                                 if (!(ctx->operation &
465                                      (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
466                                         goto bad_pad;
467                                 if (!rctx->md)
468                                         rctx->md = EVP_sha1();
469                                 }
470                         if (p1 == RSA_PKCS1_OAEP_PADDING) 
471                                 {
472                                 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
473                                         goto bad_pad;
474                                 if (!rctx->md)
475                                         rctx->md = EVP_sha1();
476                                 }
477                         rctx->pad_mode = p1;
478                         return 1;
479                         }
480                 bad_pad:
481                 RSAerr(RSA_F_PKEY_RSA_CTRL,
482                                 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
483                 return -2;
484
485                 case EVP_PKEY_CTRL_GET_RSA_PADDING:
486                 *(int *)p2 = rctx->pad_mode;
487                 return 1;
488
489                 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
490                 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
491                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
492                         {
493                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
494                         return -2;
495                         }
496                 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
497                         *(int *)p2 = rctx->saltlen;
498                 else
499                         {
500                         if (p1 < -2)
501                                 return -2;
502                         rctx->saltlen = p1;
503                         }
504                 return 1;
505
506                 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
507                 if (p1 < 256)
508                         {
509                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
510                         return -2;
511                         }
512                 rctx->nbits = p1;
513                 return 1;
514
515                 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
516                 if (!p2)
517                         return -2;
518                 BN_free(rctx->pub_exp);
519                 rctx->pub_exp = p2;
520                 return 1;
521
522                 case EVP_PKEY_CTRL_RSA_OAEP_MD:
523                 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
524                 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)
525                         {
526                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
527                         return -2;
528                         }
529                 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
530                         *(const EVP_MD **)p2 = rctx->md;
531                 else
532                         rctx->md = p2;
533                 return 1;
534
535                 case EVP_PKEY_CTRL_MD:
536                 if (!check_padding_md(p2, rctx->pad_mode))
537                         return 0;
538                 rctx->md = p2;
539                 return 1;
540
541                 case EVP_PKEY_CTRL_GET_MD:
542                 *(const EVP_MD **)p2 = rctx->md;
543                 return 1;
544
545                 case EVP_PKEY_CTRL_RSA_MGF1_MD:
546                 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
547                 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
548                         && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)
549                         {
550                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
551                         return -2;
552                         }
553                 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
554                         {
555                         if (rctx->mgf1md)
556                                 *(const EVP_MD **)p2 = rctx->mgf1md;
557                         else
558                                 *(const EVP_MD **)p2 = rctx->md;
559                         }
560                 else
561                         rctx->mgf1md = p2;
562                 return 1;
563
564                 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
565                 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)
566                         {
567                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
568                         return -2;
569                         }
570                 if (rctx->oaep_label)
571                         OPENSSL_free(rctx->oaep_label);
572                 if (p2 && p1 > 0)
573                         {
574                         rctx->oaep_label = p2;
575                         rctx->oaep_labellen = p1;
576                         }
577                 else
578                         {
579                         rctx->oaep_label = NULL;
580                         rctx->oaep_labellen = 0;
581                         }
582                 return 1;
583
584                 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
585                 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)
586                         {
587                         RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
588                         return -2;
589                         }
590                 *(unsigned char **)p2 = rctx->oaep_label;
591                 return rctx->oaep_labellen;
592
593                 case EVP_PKEY_CTRL_DIGESTINIT:
594                 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
595                 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
596                 case EVP_PKEY_CTRL_PKCS7_SIGN:
597                 return 1;
598 #ifndef OPENSSL_NO_CMS
599                 case EVP_PKEY_CTRL_CMS_DECRYPT:
600                 {
601                 X509_ALGOR *alg = NULL;
602                 ASN1_OBJECT *encalg = NULL;
603                 if (p2)
604                         CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
605                 if (alg)
606                         X509_ALGOR_get0(&encalg, NULL, NULL, alg);
607                 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
608                         rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
609                 }
610                 case EVP_PKEY_CTRL_CMS_ENCRYPT:
611                 case EVP_PKEY_CTRL_CMS_SIGN:
612                 return 1;
613 #endif
614                 case EVP_PKEY_CTRL_PEER_KEY:
615                         RSAerr(RSA_F_PKEY_RSA_CTRL,
616                         RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
617                         return -2;      
618
619                 default:
620                 return -2;
621
622                 }
623         }
624                         
625 static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
626                         const char *type, const char *value)
627         {
628         if (!value)
629                 {
630                 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
631                 return 0;
632                 }
633         if (!strcmp(type, "rsa_padding_mode"))
634                 {
635                 int pm;
636                 if (!strcmp(value, "pkcs1"))
637                         pm = RSA_PKCS1_PADDING;
638                 else if (!strcmp(value, "sslv23"))
639                         pm = RSA_SSLV23_PADDING;
640                 else if (!strcmp(value, "none"))
641                         pm = RSA_NO_PADDING;
642                 else if (!strcmp(value, "oeap"))
643                         pm = RSA_PKCS1_OAEP_PADDING;
644                 else if (!strcmp(value, "oaep"))
645                         pm = RSA_PKCS1_OAEP_PADDING;
646                 else if (!strcmp(value, "x931"))
647                         pm = RSA_X931_PADDING;
648                 else if (!strcmp(value, "pss"))
649                         pm = RSA_PKCS1_PSS_PADDING;
650                 else
651                         {
652                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
653                                                 RSA_R_UNKNOWN_PADDING_TYPE);
654                         return -2;
655                         }
656                 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
657                 }
658
659         if (!strcmp(type, "rsa_pss_saltlen"))
660                 {
661                 int saltlen;
662                 saltlen = atoi(value);
663                 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
664                 }
665
666         if (!strcmp(type, "rsa_keygen_bits"))
667                 {
668                 int nbits;
669                 nbits = atoi(value);
670                 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
671                 }
672
673         if (!strcmp(type, "rsa_keygen_pubexp"))
674                 {
675                 int ret;
676                 BIGNUM *pubexp = NULL;
677                 if (!BN_asc2bn(&pubexp, value))
678                         return 0;
679                 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
680                 if (ret <= 0)
681                         BN_free(pubexp);
682                 return ret;
683                 }
684
685         if (!strcmp(type, "rsa_mgf1_md"))
686                 {
687                 const EVP_MD *md;
688                 if (!(md = EVP_get_digestbyname(value)))
689                         {
690                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
691                                                 RSA_R_INVALID_DIGEST);
692                         return 0;
693                         }
694                 return EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md);
695                 }
696
697         if (!strcmp(type, "rsa_oaep_md"))
698                 {
699                 const EVP_MD *md;
700                 if (!(md = EVP_get_digestbyname(value)))
701                         {
702                         RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
703                                                 RSA_R_INVALID_DIGEST);
704                         return 0;
705                         }
706                 return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md);
707                 }
708         if (!strcmp(type, "rsa_oaep_label"))
709                 {
710                 unsigned char *lab;
711                 long lablen;
712                 int ret;
713                 lab = string_to_hex(value, &lablen);
714                 if (!lab)
715                         return 0;
716                 ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
717                 if (ret <= 0)
718                         OPENSSL_free(lab);
719                 return ret;
720                 }
721
722         return -2;
723         }
724
725 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
726         {
727         RSA *rsa = NULL;
728         RSA_PKEY_CTX *rctx = ctx->data;
729         BN_GENCB *pcb, cb;
730         int ret;
731         if (!rctx->pub_exp)
732                 {
733                 rctx->pub_exp = BN_new();
734                 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
735                         return 0;
736                 }
737         rsa = RSA_new();
738         if (!rsa)
739                 return 0;
740         if (ctx->pkey_gencb)
741                 {
742                 pcb = &cb;
743                 evp_pkey_set_cb_translate(pcb, ctx);
744                 }
745         else
746                 pcb = NULL;
747         ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
748         if (ret > 0)
749                 EVP_PKEY_assign_RSA(pkey, rsa);
750         else
751                 RSA_free(rsa);
752         return ret;
753         }
754
755 const EVP_PKEY_METHOD rsa_pkey_meth = 
756         {
757         EVP_PKEY_RSA,
758         EVP_PKEY_FLAG_AUTOARGLEN,
759         pkey_rsa_init,
760         pkey_rsa_copy,
761         pkey_rsa_cleanup,
762
763         0,0,
764
765         0,
766         pkey_rsa_keygen,
767
768         0,
769         pkey_rsa_sign,
770
771         0,
772         pkey_rsa_verify,
773
774         0,
775         pkey_rsa_verifyrecover,
776
777
778         0,0,0,0,
779
780         0,
781         pkey_rsa_encrypt,
782
783         0,
784         pkey_rsa_decrypt,
785
786         0,0,
787
788         pkey_rsa_ctrl,
789         pkey_rsa_ctrl_str
790
791
792         };