xref: /openbsd-src/lib/libcrypto/rsa/rsa_pmeth.c (revision 457dff4263e6ab7af4b3e754543aca09367910ba) 
1 /* $OpenBSD: rsa_pmeth.c,v 1.43 2025/01/17 15:39:19 tb Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 2006.
4  */
5 /* ====================================================================
6  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 
59 #include <limits.h>
60 #include <stdio.h>
61 #include <stdlib.h>
62 #include <string.h>
63 
64 #include <openssl/opensslconf.h>
65 
66 #include <openssl/asn1t.h>
67 #include <openssl/bn.h>
68 #include <openssl/err.h>
69 #include <openssl/evp.h>
70 #include <openssl/rsa.h>
71 #include <openssl/x509.h>
72 #include <openssl/x509v3.h>
73 
74 #include "bn_local.h"
75 #include "evp_local.h"
76 #include "rsa_local.h"
77 
78 /* RSA pkey context structure */
79 
80 typedef struct {
81 	/* Key gen parameters */
82 	int nbits;
83 	BIGNUM *pub_exp;
84 	/* Keygen callback info */
85 	int gentmp[2];
86 	/* RSA padding mode */
87 	int pad_mode;
88 	/* message digest */
89 	const EVP_MD *md;
90 	/* message digest for MGF1 */
91 	const EVP_MD *mgf1md;
92 	/* PSS salt length */
93 	int saltlen;
94 	/* Minimum salt length or -1 if no PSS parameter restriction */
95 	int min_saltlen;
96 	/* Temp buffer */
97 	unsigned char *tbuf;
98 	/* OAEP label */
99 	unsigned char *oaep_label;
100 	size_t oaep_labellen;
101 } RSA_PKEY_CTX;
102 
103 /* True if PSS parameters are restricted */
104 #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1)
105 
106 static int
107 pkey_rsa_init(EVP_PKEY_CTX *ctx)
108 {
109 	RSA_PKEY_CTX *rctx;
110 
111 	if ((rctx = calloc(1, sizeof(RSA_PKEY_CTX))) == NULL)
112 		return 0;
113 
114 	rctx->nbits = 2048;
115 
116 	if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)
117 		rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
118 	else
119 		rctx->pad_mode = RSA_PKCS1_PADDING;
120 
121 	/* Maximum for sign, auto for verify */
122 	rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
123 	rctx->min_saltlen = -1;
124 
125 	ctx->data = rctx;
126 	ctx->keygen_info = rctx->gentmp;
127 	ctx->keygen_info_count = 2;
128 
129 	return 1;
130 }
131 
132 static int
133 pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
134 {
135 	RSA_PKEY_CTX *dctx, *sctx;
136 
137 	if (!pkey_rsa_init(dst))
138 		return 0;
139 
140 	sctx = src->data;
141 	dctx = dst->data;
142 	dctx->nbits = sctx->nbits;
143 	if (sctx->pub_exp != NULL) {
144 		BN_free(dctx->pub_exp);
145 		if ((dctx->pub_exp = BN_dup(sctx->pub_exp)) == NULL)
146 			return 0;
147 	}
148 	dctx->pad_mode = sctx->pad_mode;
149 	dctx->md = sctx->md;
150 	dctx->mgf1md = sctx->mgf1md;
151 	if (sctx->oaep_label != NULL) {
152 		free(dctx->oaep_label);
153 		if ((dctx->oaep_label = calloc(1, sctx->oaep_labellen)) == NULL)
154 			return 0;
155 		memcpy(dctx->oaep_label, sctx->oaep_label, sctx->oaep_labellen);
156 		dctx->oaep_labellen = sctx->oaep_labellen;
157 	}
158 
159 	return 1;
160 }
161 
162 static int
163 setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
164 {
165 	if (ctx->tbuf != NULL)
166 		return 1;
167 	if ((ctx->tbuf = calloc(1, EVP_PKEY_size(pk->pkey))) == NULL) {
168 		RSAerror(ERR_R_MALLOC_FAILURE);
169 		return 0;
170 	}
171 	return 1;
172 }
173 
174 static void
175 pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
176 {
177 	RSA_PKEY_CTX *rctx = ctx->data;
178 
179 	if (rctx) {
180 		BN_free(rctx->pub_exp);
181 		free(rctx->tbuf);
182 		free(rctx->oaep_label);
183 		free(rctx);
184 	}
185 }
186 
187 static int
188 pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
189     const unsigned char *tbs, size_t tbslen)
190 {
191 	int ret;
192 	RSA_PKEY_CTX *rctx = ctx->data;
193 	RSA *rsa = ctx->pkey->pkey.rsa;
194 
195 	if (rctx->md) {
196 		if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
197 			RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
198 			return -1;
199 		}
200 
201 		if (rctx->pad_mode == RSA_X931_PADDING) {
202 			if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
203 				RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
204 				return -1;
205 			}
206 			if (!setup_tbuf(rctx, ctx)) {
207 				RSAerror(ERR_R_MALLOC_FAILURE);
208 				return -1;
209 			}
210 			memcpy(rctx->tbuf, tbs, tbslen);
211 			rctx->tbuf[tbslen] =
212 			    RSA_X931_hash_id(EVP_MD_type(rctx->md));
213 			ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
214 			    rsa, RSA_X931_PADDING);
215 		} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
216 			unsigned int sltmp;
217 
218 			ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
219 			    &sltmp, rsa);
220 			if (ret <= 0)
221 				return ret;
222 			ret = sltmp;
223 		} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
224 			if (!setup_tbuf(rctx, ctx))
225 				return -1;
226 			if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf,
227 			    tbs, rctx->md, rctx->mgf1md, rctx->saltlen))
228 				return -1;
229 			ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
230 			    sig, rsa, RSA_NO_PADDING);
231 		} else {
232 			return -1;
233 		}
234 	} else {
235 		ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
236 		    rctx->pad_mode);
237 	}
238 	if (ret < 0)
239 		return ret;
240 	*siglen = ret;
241 	return 1;
242 }
243 
244 static int
245 pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
246     const unsigned char *sig, size_t siglen)
247 {
248 	int ret;
249 	RSA_PKEY_CTX *rctx = ctx->data;
250 
251 	if (rctx->md) {
252 		if (rctx->pad_mode == RSA_X931_PADDING) {
253 			if (!setup_tbuf(rctx, ctx))
254 				return -1;
255 			ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
256 			    ctx->pkey->pkey.rsa, RSA_X931_PADDING);
257 			if (ret < 1)
258 				return 0;
259 			ret--;
260 			if (rctx->tbuf[ret] !=
261 			    RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
262 				RSAerror(RSA_R_ALGORITHM_MISMATCH);
263 				return 0;
264 			}
265 			if (ret != EVP_MD_size(rctx->md)) {
266 				RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
267 				return 0;
268 			}
269 			if (rout)
270 				memcpy(rout, rctx->tbuf, ret);
271 		} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
272 			size_t sltmp;
273 
274 			ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
275 			    rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
276 			if (ret <= 0)
277 				return 0;
278 			ret = sltmp;
279 		} else {
280 			return -1;
281 		}
282 	} else {
283 		ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
284 		    rctx->pad_mode);
285 	}
286 	if (ret < 0)
287 		return ret;
288 	*routlen = ret;
289 	return 1;
290 }
291 
292 static int
293 pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
294     const unsigned char *tbs, size_t tbslen)
295 {
296 	RSA_PKEY_CTX *rctx = ctx->data;
297 	RSA *rsa = ctx->pkey->pkey.rsa;
298 	size_t rslen;
299 
300 	if (rctx->md) {
301 		if (rctx->pad_mode == RSA_PKCS1_PADDING)
302 			return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
303 			    sig, siglen, rsa);
304 		if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
305 			RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
306 			return -1;
307 		}
308 		if (rctx->pad_mode == RSA_X931_PADDING) {
309 			if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
310 			    siglen) <= 0)
311 				return 0;
312 		} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
313 			int ret;
314 
315 			if (!setup_tbuf(rctx, ctx))
316 				return -1;
317 			ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
318 			    rsa, RSA_NO_PADDING);
319 			if (ret <= 0)
320 				return 0;
321 			ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
322 			    rctx->mgf1md, rctx->tbuf, rctx->saltlen);
323 			if (ret <= 0)
324 				return 0;
325 			return 1;
326 		} else {
327 			return -1;
328 		}
329 	} else {
330 		int ret;
331 
332 		if (!setup_tbuf(rctx, ctx))
333 			return -1;
334 
335 		if ((ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
336 		    rctx->pad_mode)) <= 0)
337 			return 0;
338 
339 		rslen = ret;
340 	}
341 
342 	if (rslen != tbslen || timingsafe_bcmp(tbs, rctx->tbuf, rslen))
343 		return 0;
344 
345 	return 1;
346 }
347 
348 static int
349 pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
350     const unsigned char *in, size_t inlen)
351 {
352 	RSA_PKEY_CTX *rctx = ctx->data;
353 	int ret;
354 
355 	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
356 		int klen = RSA_size(ctx->pkey->pkey.rsa);
357 		if (!setup_tbuf(rctx, ctx))
358 			return -1;
359 		if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
360 		    in, inlen, rctx->oaep_label, rctx->oaep_labellen,
361 		    rctx->md, rctx->mgf1md))
362 			return -1;
363 		ret = RSA_public_encrypt(klen, rctx->tbuf, out,
364 		    ctx->pkey->pkey.rsa, RSA_NO_PADDING);
365 	} else {
366 		ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
367 		    rctx->pad_mode);
368 	}
369 	if (ret < 0)
370 		return ret;
371 	*outlen = ret;
372 	return 1;
373 }
374 
375 static int
376 pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
377     const unsigned char *in, size_t inlen)
378 {
379 	int ret;
380 	RSA_PKEY_CTX *rctx = ctx->data;
381 
382 	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
383 		if (!setup_tbuf(rctx, ctx))
384 			return -1;
385 		ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
386 		    ctx->pkey->pkey.rsa, RSA_NO_PADDING);
387 		if (ret <= 0)
388 			return ret;
389 		ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
390 		    ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md,
391 		    rctx->mgf1md);
392 	} else {
393 		ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
394 		    rctx->pad_mode);
395 	}
396 	if (ret < 0)
397 		return ret;
398 	*outlen = ret;
399 	return 1;
400 }
401 
402 static int
403 check_padding_md(const EVP_MD *md, int padding)
404 {
405 	if (md == NULL)
406 		return 1;
407 
408 	if (padding == RSA_NO_PADDING) {
409 		RSAerror(RSA_R_INVALID_PADDING_MODE);
410 		return 0;
411 	}
412 
413 	if (padding == RSA_X931_PADDING) {
414 		if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
415 			RSAerror(RSA_R_INVALID_X931_DIGEST);
416 			return 0;
417 		}
418 	} else {
419 		/* List of all supported RSA digests. */
420 		/* RFC 8017 and NIST CSOR. */
421 		switch(EVP_MD_type(md)) {
422 		case NID_sha1:
423 		case NID_sha224:
424 		case NID_sha256:
425 		case NID_sha384:
426 		case NID_sha512:
427 		case NID_sha512_224:
428 		case NID_sha512_256:
429 		case NID_sha3_224:
430 		case NID_sha3_256:
431 		case NID_sha3_384:
432 		case NID_sha3_512:
433 		case NID_md5:
434 		case NID_md5_sha1:
435 		case NID_md4:
436 		case NID_ripemd160:
437 			return 1;
438 
439 		default:
440 			RSAerror(RSA_R_INVALID_DIGEST);
441 			return 0;
442 		}
443 	}
444 
445 	return 1;
446 }
447 
448 static int
449 pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
450 {
451 	RSA_PKEY_CTX *rctx = ctx->data;
452 
453 	switch (type) {
454 	case EVP_PKEY_CTRL_RSA_PADDING:
455 		if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) {
456 			if (!check_padding_md(rctx->md, p1))
457 				return 0;
458 			if (p1 == RSA_PKCS1_PSS_PADDING) {
459 				if (!(ctx->operation &
460 				    (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
461 					goto bad_pad;
462 				if (!rctx->md)
463 					rctx->md = EVP_sha1();
464 			} else if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
465 				goto bad_pad;
466 			}
467 			if (p1 == RSA_PKCS1_OAEP_PADDING) {
468 				if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
469 					goto bad_pad;
470 				if (!rctx->md)
471 					rctx->md = EVP_sha1();
472 			}
473 			rctx->pad_mode = p1;
474 			return 1;
475 		}
476  bad_pad:
477 		RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
478 		return -2;
479 
480 	case EVP_PKEY_CTRL_GET_RSA_PADDING:
481 		*(int *)p2 = rctx->pad_mode;
482 		return 1;
483 
484 	case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
485 	case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
486 		if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
487 			RSAerror(RSA_R_INVALID_PSS_SALTLEN);
488 			return -2;
489 		}
490 		if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
491 			*(int *)p2 = rctx->saltlen;
492 		} else {
493 			if (p1 < RSA_PSS_SALTLEN_MAX)
494 				return -2;
495 			if (rsa_pss_restricted(rctx)) {
496 				if (p1 == RSA_PSS_SALTLEN_AUTO &&
497 				    ctx->operation == EVP_PKEY_OP_VERIFY) {
498 					RSAerror(RSA_R_INVALID_PSS_SALTLEN);
499 					return -2;
500 				}
501 				if ((p1 == RSA_PSS_SALTLEN_DIGEST &&
502 				    rctx->min_saltlen > EVP_MD_size(rctx->md)) ||
503 				    (p1 >= 0 && p1 < rctx->min_saltlen)) {
504 					RSAerror(RSA_R_PSS_SALTLEN_TOO_SMALL);
505 					return 0;
506 				}
507 			}
508 			rctx->saltlen = p1;
509 		}
510 		return 1;
511 
512 	case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
513 		if (p1 < RSA_MIN_MODULUS_BITS) {
514 			RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
515 			return -2;
516 		}
517 		rctx->nbits = p1;
518 		return 1;
519 
520 	case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
521 		if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) ||
522 		    BN_is_one((BIGNUM *)p2)) {
523 			RSAerror(RSA_R_BAD_E_VALUE);
524 			return -2;
525 		}
526 		BN_free(rctx->pub_exp);
527 		rctx->pub_exp = p2;
528 		return 1;
529 
530 	case EVP_PKEY_CTRL_RSA_OAEP_MD:
531 	case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
532 		if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
533 			RSAerror(RSA_R_INVALID_PADDING_MODE);
534 			return -2;
535 		}
536 		if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD)
537 			*(const EVP_MD **)p2 = rctx->md;
538 		else
539 			rctx->md = p2;
540 		return 1;
541 
542 	case EVP_PKEY_CTRL_MD:
543 		if (!check_padding_md(p2, rctx->pad_mode))
544 			return 0;
545 		if (rsa_pss_restricted(rctx)) {
546 			if (EVP_MD_type(rctx->md) == EVP_MD_type(p2))
547 				return 1;
548 			RSAerror(RSA_R_DIGEST_NOT_ALLOWED);
549 			return 0;
550 		}
551 		rctx->md = p2;
552 		return 1;
553 
554 	case EVP_PKEY_CTRL_GET_MD:
555 		*(const EVP_MD **)p2 = rctx->md;
556 		return 1;
557 
558 	case EVP_PKEY_CTRL_RSA_MGF1_MD:
559 	case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
560 		if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
561 		    rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
562 			RSAerror(RSA_R_INVALID_MGF1_MD);
563 			return -2;
564 		}
565 		if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
566 			if (rctx->mgf1md)
567 				*(const EVP_MD **)p2 = rctx->mgf1md;
568 			else
569 				*(const EVP_MD **)p2 = rctx->md;
570 		} else {
571 			if (rsa_pss_restricted(rctx)) {
572 				if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2))
573 					return 1;
574 				RSAerror(RSA_R_MGF1_DIGEST_NOT_ALLOWED);
575 				return 0;
576 			}
577 			rctx->mgf1md = p2;
578 		}
579 		return 1;
580 
581 	case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
582 		if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
583 			RSAerror(RSA_R_INVALID_PADDING_MODE);
584 			return -2;
585 		}
586 		free(rctx->oaep_label);
587 		if (p2 != NULL && p1 > 0) {
588 			rctx->oaep_label = p2;
589 			rctx->oaep_labellen = p1;
590 		} else {
591 			rctx->oaep_label = NULL;
592 			rctx->oaep_labellen = 0;
593 		}
594 		return 1;
595 
596 	case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
597 		if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
598 			RSAerror(RSA_R_INVALID_PADDING_MODE);
599 			return -2;
600 		}
601 		*(unsigned char **)p2 = rctx->oaep_label;
602 		return rctx->oaep_labellen;
603 
604 	case EVP_PKEY_CTRL_DIGESTINIT:
605 	case EVP_PKEY_CTRL_PKCS7_SIGN:
606 #ifndef OPENSSL_NO_CMS
607 	case EVP_PKEY_CTRL_CMS_SIGN:
608 #endif
609 		return 1;
610 
611 	case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
612 	case EVP_PKEY_CTRL_PKCS7_DECRYPT:
613 #ifndef OPENSSL_NO_CMS
614 	case EVP_PKEY_CTRL_CMS_DECRYPT:
615 	case EVP_PKEY_CTRL_CMS_ENCRYPT:
616 #endif
617 		if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
618 			return 1;
619 
620 	/* fall through */
621 	case EVP_PKEY_CTRL_PEER_KEY:
622 		RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
623 		return -2;
624 
625 	default:
626 		return -2;
627 
628 	}
629 }
630 
631 static int
632 pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
633 {
634 	const char *errstr;
635 
636 	if (!value) {
637 		RSAerror(RSA_R_VALUE_MISSING);
638 		return 0;
639 	}
640 	if (strcmp(type, "rsa_padding_mode") == 0) {
641 		int pm;
642 		if (strcmp(value, "pkcs1") == 0)
643 			pm = RSA_PKCS1_PADDING;
644 		else if (strcmp(value, "none") == 0)
645 			pm = RSA_NO_PADDING;
646 		else if (strcmp(value, "oaep") == 0 || strcmp(value, "oeap") == 0)
647 			pm = RSA_PKCS1_OAEP_PADDING;
648 		else if (strcmp(value, "x931") == 0)
649 			pm = RSA_X931_PADDING;
650 		else if (strcmp(value, "pss") == 0)
651 			pm = RSA_PKCS1_PSS_PADDING;
652 		else {
653 			RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
654 			return -2;
655 		}
656 		return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
657 	}
658 
659 	if (strcmp(type, "rsa_pss_saltlen") == 0) {
660 		int saltlen;
661 
662 		if (strcmp(value, "digest") == 0)
663 			saltlen = RSA_PSS_SALTLEN_DIGEST;
664 		else if (strcmp(value, "max") == 0)
665 			saltlen = RSA_PSS_SALTLEN_MAX;
666 		else if (strcmp(value, "auto") == 0)
667 			saltlen = RSA_PSS_SALTLEN_AUTO;
668 		else {
669 			/*
670 			 * Accept the special values -1, -2, -3 since that's
671 			 * what atoi() historically did. Lower values are later
672 			 * rejected in EVP_PKEY_CTRL_RSA_PSS_SALTLEN anyway.
673 			 */
674 			saltlen = strtonum(value, -3, INT_MAX, &errstr);
675 			if (errstr != NULL) {
676 				RSAerror(RSA_R_INVALID_PSS_SALTLEN);
677 				return -2;
678 			}
679 		}
680 		return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
681 	}
682 
683 	if (strcmp(type, "rsa_keygen_bits") == 0) {
684 		int nbits;
685 
686 		nbits = strtonum(value, 0, INT_MAX, &errstr);
687 		if (errstr != NULL) {
688 			RSAerror(RSA_R_INVALID_KEYBITS);
689 			return -2;
690 		}
691 
692 		return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
693 	}
694 
695 	if (strcmp(type, "rsa_keygen_pubexp") == 0) {
696 		BIGNUM *pubexp = NULL;
697 		int ret;
698 
699 		if (!BN_asc2bn(&pubexp, value))
700 			return 0;
701 		ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
702 		if (ret <= 0)
703 			BN_free(pubexp);
704 		return ret;
705 	}
706 
707 	if (strcmp(type, "rsa_mgf1_md") == 0)
708 		return EVP_PKEY_CTX_md(ctx,
709 		    EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
710 		    EVP_PKEY_CTRL_RSA_MGF1_MD, value);
711 
712 	if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
713 		if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0)
714 			return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
715 			    EVP_PKEY_CTRL_RSA_MGF1_MD, value);
716 
717 		if (strcmp(type, "rsa_pss_keygen_md") == 0)
718 			return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN,
719 			    EVP_PKEY_CTRL_MD, value);
720 
721 		if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) {
722 			int saltlen;
723 
724 			/*
725 			 * Accept the special values -1, -2, -3 since that's
726 			 * what atoi() historically did. Lower values are later
727 			 * rejected in EVP_PKEY_CTRL_RSA_PSS_SALTLEN anyway.
728 			 */
729 			saltlen = strtonum(value, -3, INT_MAX, &errstr);
730 			if (errstr != NULL) {
731 				RSAerror(RSA_R_INVALID_PSS_SALTLEN);
732 				return -2;
733 			}
734 
735 			return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen);
736 		}
737 	}
738 
739 	if (strcmp(type, "rsa_oaep_md") == 0)
740 		return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
741 		    EVP_PKEY_CTRL_RSA_OAEP_MD, value);
742 
743 	if (strcmp(type, "rsa_oaep_label") == 0) {
744 		unsigned char *lab;
745 		long lablen;
746 		int ret;
747 
748 		if ((lab = string_to_hex(value, &lablen)) == NULL)
749 			return 0;
750 		ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
751 		if (ret <= 0)
752 			free(lab);
753 
754 		return ret;
755 	}
756 
757 	return -2;
758 }
759 
760 /* Set PSS parameters when generating a key, if necessary. */
761 static int
762 rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx)
763 {
764 	RSA_PKEY_CTX *rctx = ctx->data;
765 
766 	if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
767 		return 1;
768 
769 	/* If all parameters are default values then do not set PSS. */
770 	if (rctx->md == NULL && rctx->mgf1md == NULL &&
771 	    rctx->saltlen == RSA_PSS_SALTLEN_AUTO)
772 		return 1;
773 
774 	rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md,
775 	    rctx->saltlen == RSA_PSS_SALTLEN_AUTO ? 0 : rctx->saltlen);
776 	if (rsa->pss == NULL)
777 		return 0;
778 
779 	return 1;
780 }
781 
782 static int
783 pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
784 {
785 	RSA *rsa = NULL;
786 	RSA_PKEY_CTX *rctx = ctx->data;
787 	BN_GENCB *pcb = NULL;
788 	BN_GENCB cb = {0};
789 	int ret = 0;
790 
791 	if (rctx->pub_exp == NULL) {
792 		if ((rctx->pub_exp = BN_new()) == NULL)
793 			goto err;
794 		if (!BN_set_word(rctx->pub_exp, RSA_F4))
795 			goto err;
796 	}
797 
798 	if ((rsa = RSA_new()) == NULL)
799 		goto err;
800 	if (ctx->pkey_gencb != NULL) {
801 		pcb = &cb;
802 		evp_pkey_set_cb_translate(pcb, ctx);
803 	}
804 	if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb))
805 		goto err;
806 	if (!rsa_set_pss_param(rsa, ctx))
807 		goto err;
808 	if (!EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa))
809 		goto err;
810 	rsa = NULL;
811 
812 	ret = 1;
813 
814  err:
815 	RSA_free(rsa);
816 
817 	return ret;
818 }
819 
820 const EVP_PKEY_METHOD rsa_pkey_meth = {
821 	.pkey_id = EVP_PKEY_RSA,
822 	.flags = EVP_PKEY_FLAG_AUTOARGLEN,
823 
824 	.init = pkey_rsa_init,
825 	.copy = pkey_rsa_copy,
826 	.cleanup = pkey_rsa_cleanup,
827 
828 	.keygen = pkey_rsa_keygen,
829 
830 	.sign = pkey_rsa_sign,
831 
832 	.verify = pkey_rsa_verify,
833 
834 	.verify_recover = pkey_rsa_verifyrecover,
835 
836 	.encrypt = pkey_rsa_encrypt,
837 
838 	.decrypt = pkey_rsa_decrypt,
839 
840 	.ctrl = pkey_rsa_ctrl,
841 	.ctrl_str = pkey_rsa_ctrl_str
842 };
843 
844 /*
845  * Called for PSS sign or verify initialisation: checks PSS parameter
846  * sanity and sets any restrictions on key usage.
847  */
848 
849 static int
850 pkey_pss_init(EVP_PKEY_CTX *ctx)
851 {
852 	RSA *rsa;
853 	RSA_PKEY_CTX *rctx = ctx->data;
854 	const EVP_MD *md;
855 	const EVP_MD *mgf1md;
856 	int min_saltlen, max_saltlen;
857 
858 	/* Should never happen */
859 	if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
860 		return 0;
861 	rsa = ctx->pkey->pkey.rsa;
862 
863 	/* If no restrictions just return */
864 	if (rsa->pss == NULL)
865 		return 1;
866 
867 	/* Get and check parameters */
868 	if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
869 		return 0;
870 
871 	/* See if minimum salt length exceeds maximum possible */
872 	max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
873 	if ((RSA_bits(rsa) & 0x7) == 1)
874 		max_saltlen--;
875 	if (min_saltlen > max_saltlen) {
876 		RSAerror(RSA_R_INVALID_SALT_LENGTH);
877 		return 0;
878 	}
879 	rctx->min_saltlen = min_saltlen;
880 
881 	/*
882 	 * Set PSS restrictions as defaults: we can then block any attempt to
883 	 * use invalid values in pkey_rsa_ctrl
884 	 */
885 
886 	rctx->md = md;
887 	rctx->mgf1md = mgf1md;
888 	rctx->saltlen = min_saltlen;
889 
890 	return 1;
891 }
892 
893 const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
894 	.pkey_id = EVP_PKEY_RSA_PSS,
895 	.flags = EVP_PKEY_FLAG_AUTOARGLEN,
896 
897 	.init = pkey_rsa_init,
898 	.copy = pkey_rsa_copy,
899 	.cleanup = pkey_rsa_cleanup,
900 
901 	.keygen = pkey_rsa_keygen,
902 
903 	.sign_init = pkey_pss_init,
904 	.sign = pkey_rsa_sign,
905 
906 	.verify_init = pkey_pss_init,
907 	.verify = pkey_rsa_verify,
908 
909 	.ctrl = pkey_rsa_ctrl,
910 	.ctrl_str = pkey_rsa_ctrl_str
911 };
912