]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
da1c088f | 2 | * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. |
0b6f3c66 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
0b6f3c66 DSH |
8 | */ |
9 | ||
c5f87134 P |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
706457b7 | 16 | #include "internal/constant_time.h" |
049e64cb | 17 | |
0b6f3c66 | 18 | #include <stdio.h> |
b39fc560 | 19 | #include "internal/cryptlib.h" |
0b6f3c66 DSH |
20 | #include <openssl/asn1t.h> |
21 | #include <openssl/x509.h> | |
22 | #include <openssl/rsa.h> | |
1e26a8ba | 23 | #include <openssl/bn.h> |
b2a97be7 | 24 | #include <openssl/evp.h> |
271fef0e | 25 | #include <openssl/x509v3.h> |
3c27208f | 26 | #include <openssl/cms.h> |
25f2138b | 27 | #include "crypto/evp.h" |
6f4b7663 | 28 | #include "crypto/rsa.h" |
706457b7 | 29 | #include "rsa_local.h" |
b2a97be7 | 30 | |
07e970c7 DSH |
31 | /* RSA pkey context structure */ |
32 | ||
0f113f3e MC |
33 | typedef struct { |
34 | /* Key gen parameters */ | |
35 | int nbits; | |
36 | BIGNUM *pub_exp; | |
665d899f | 37 | int primes; |
0f113f3e MC |
38 | /* Keygen callback info */ |
39 | int gentmp[2]; | |
40 | /* RSA padding mode */ | |
41 | int pad_mode; | |
42 | /* message digest */ | |
43 | const EVP_MD *md; | |
44 | /* message digest for MGF1 */ | |
45 | const EVP_MD *mgf1md; | |
46 | /* PSS salt length */ | |
47 | int saltlen; | |
cb49e749 DSH |
48 | /* Minimum salt length or -1 if no PSS parameter restriction */ |
49 | int min_saltlen; | |
0f113f3e MC |
50 | /* Temp buffer */ |
51 | unsigned char *tbuf; | |
52 | /* OAEP label */ | |
53 | unsigned char *oaep_label; | |
54 | size_t oaep_labellen; | |
5ab3ec1b HK |
55 | /* if to use implicit rejection in PKCS#1 v1.5 decryption */ |
56 | int implicit_rejection; | |
0f113f3e | 57 | } RSA_PKEY_CTX; |
07e970c7 | 58 | |
cb49e749 | 59 | /* True if PSS parameters are restricted */ |
bc1ea030 | 60 | #define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) |
cb49e749 | 61 | |
07e970c7 | 62 | static int pkey_rsa_init(EVP_PKEY_CTX *ctx) |
0f113f3e | 63 | { |
52ad523c | 64 | RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx)); |
f291138b | 65 | |
90945fa3 | 66 | if (rctx == NULL) |
0f113f3e | 67 | return 0; |
70b0b977 | 68 | rctx->nbits = 2048; |
665d899f | 69 | rctx->primes = RSA_DEFAULT_PRIME_NUM; |
87ee7b22 | 70 | if (pkey_ctx_is_pss(ctx)) |
ad4b3d0a DSH |
71 | rctx->pad_mode = RSA_PKCS1_PSS_PADDING; |
72 | else | |
73 | rctx->pad_mode = RSA_PKCS1_PADDING; | |
137096a7 DSH |
74 | /* Maximum for sign, auto for verify */ |
75 | rctx->saltlen = RSA_PSS_SALTLEN_AUTO; | |
cb49e749 | 76 | rctx->min_saltlen = -1; |
5ab3ec1b | 77 | rctx->implicit_rejection = 1; |
0f113f3e MC |
78 | ctx->data = rctx; |
79 | ctx->keygen_info = rctx->gentmp; | |
80 | ctx->keygen_info_count = 2; | |
81 | ||
82 | return 1; | |
83 | } | |
b2a97be7 | 84 | |
9fdcc21f | 85 | static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) |
0f113f3e MC |
86 | { |
87 | RSA_PKEY_CTX *dctx, *sctx; | |
52ad523c | 88 | |
0f113f3e MC |
89 | if (!pkey_rsa_init(dst)) |
90 | return 0; | |
91 | sctx = src->data; | |
92 | dctx = dst->data; | |
93 | dctx->nbits = sctx->nbits; | |
94 | if (sctx->pub_exp) { | |
95 | dctx->pub_exp = BN_dup(sctx->pub_exp); | |
96 | if (!dctx->pub_exp) | |
97 | return 0; | |
98 | } | |
99 | dctx->pad_mode = sctx->pad_mode; | |
100 | dctx->md = sctx->md; | |
101 | dctx->mgf1md = sctx->mgf1md; | |
d7fcf1fe | 102 | dctx->saltlen = sctx->saltlen; |
5ab3ec1b | 103 | dctx->implicit_rejection = sctx->implicit_rejection; |
0f113f3e | 104 | if (sctx->oaep_label) { |
b548a1f1 | 105 | OPENSSL_free(dctx->oaep_label); |
7644a9ae | 106 | dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); |
0f113f3e MC |
107 | if (!dctx->oaep_label) |
108 | return 0; | |
109 | dctx->oaep_labellen = sctx->oaep_labellen; | |
110 | } | |
111 | return 1; | |
112 | } | |
8bdcef40 | 113 | |
b2a97be7 | 114 | static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) |
0f113f3e | 115 | { |
52ad523c | 116 | if (ctx->tbuf != NULL) |
0f113f3e | 117 | return 1; |
5dc6489b | 118 | if ((ctx->tbuf = |
e077455e | 119 | OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pk->pkey)))) == NULL) |
0f113f3e MC |
120 | return 0; |
121 | return 1; | |
122 | } | |
07e970c7 DSH |
123 | |
124 | static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) | |
0f113f3e MC |
125 | { |
126 | RSA_PKEY_CTX *rctx = ctx->data; | |
127 | if (rctx) { | |
23a1d5e9 | 128 | BN_free(rctx->pub_exp); |
b548a1f1 RS |
129 | OPENSSL_free(rctx->tbuf); |
130 | OPENSSL_free(rctx->oaep_label); | |
0f113f3e MC |
131 | OPENSSL_free(rctx); |
132 | } | |
133 | } | |
134 | ||
135 | static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, | |
136 | size_t *siglen, const unsigned char *tbs, | |
137 | size_t tbslen) | |
138 | { | |
139 | int ret; | |
140 | RSA_PKEY_CTX *rctx = ctx->data; | |
5dc6489b MC |
141 | /* |
142 | * Discard const. Its marked as const because this may be a cached copy of | |
143 | * the "real" key. These calls don't make any modifications that need to | |
144 | * be reflected back in the "original" key. | |
145 | */ | |
146 | RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); | |
882a387d | 147 | int md_size; |
0f113f3e MC |
148 | |
149 | if (rctx->md) { | |
882a387d JJ |
150 | md_size = EVP_MD_get_size(rctx->md); |
151 | if (md_size <= 0) { | |
152 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); | |
153 | return -1; | |
154 | } | |
155 | ||
156 | if (tbslen != (size_t)md_size) { | |
9311d0c4 | 157 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); |
0f113f3e MC |
158 | return -1; |
159 | } | |
160 | ||
ed576acd | 161 | if (EVP_MD_get_type(rctx->md) == NID_mdc2) { |
0f113f3e MC |
162 | unsigned int sltmp; |
163 | if (rctx->pad_mode != RSA_PKCS1_PADDING) | |
164 | return -1; | |
5dc6489b | 165 | ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, rsa); |
0f113f3e MC |
166 | |
167 | if (ret <= 0) | |
168 | return ret; | |
169 | ret = sltmp; | |
170 | } else if (rctx->pad_mode == RSA_X931_PADDING) { | |
9767a3dc | 171 | if ((size_t)RSA_size(rsa) < tbslen + 1) { |
9311d0c4 | 172 | ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL); |
0f113f3e | 173 | return -1; |
34166d41 MC |
174 | } |
175 | if (!setup_tbuf(rctx, ctx)) { | |
e077455e | 176 | ERR_raise(ERR_LIB_RSA, ERR_R_RSA_LIB); |
34166d41 MC |
177 | return -1; |
178 | } | |
0f113f3e | 179 | memcpy(rctx->tbuf, tbs, tbslen); |
ed576acd | 180 | rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_get_type(rctx->md)); |
0f113f3e MC |
181 | ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, |
182 | sig, rsa, RSA_X931_PADDING); | |
183 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | |
184 | unsigned int sltmp; | |
ed576acd | 185 | ret = RSA_sign(EVP_MD_get_type(rctx->md), |
0f113f3e MC |
186 | tbs, tbslen, sig, &sltmp, rsa); |
187 | if (ret <= 0) | |
188 | return ret; | |
189 | ret = sltmp; | |
190 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { | |
191 | if (!setup_tbuf(rctx, ctx)) | |
192 | return -1; | |
193 | if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, | |
194 | rctx->tbuf, tbs, | |
195 | rctx->md, rctx->mgf1md, | |
196 | rctx->saltlen)) | |
197 | return -1; | |
198 | ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, | |
199 | sig, rsa, RSA_NO_PADDING); | |
90862ab4 | 200 | } else { |
0f113f3e | 201 | return -1; |
90862ab4 PY |
202 | } |
203 | } else { | |
5dc6489b | 204 | ret = RSA_private_encrypt(tbslen, tbs, sig, rsa, rctx->pad_mode); |
90862ab4 | 205 | } |
0f113f3e MC |
206 | if (ret < 0) |
207 | return ret; | |
208 | *siglen = ret; | |
209 | return 1; | |
210 | } | |
07e970c7 DSH |
211 | |
212 | static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, | |
0f113f3e MC |
213 | unsigned char *rout, size_t *routlen, |
214 | const unsigned char *sig, size_t siglen) | |
215 | { | |
216 | int ret; | |
217 | RSA_PKEY_CTX *rctx = ctx->data; | |
5dc6489b MC |
218 | /* |
219 | * Discard const. Its marked as const because this may be a cached copy of | |
220 | * the "real" key. These calls don't make any modifications that need to | |
221 | * be reflected back in the "original" key. | |
222 | */ | |
223 | RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); | |
0f113f3e MC |
224 | |
225 | if (rctx->md) { | |
226 | if (rctx->pad_mode == RSA_X931_PADDING) { | |
227 | if (!setup_tbuf(rctx, ctx)) | |
228 | return -1; | |
5dc6489b | 229 | ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, |
0f113f3e MC |
230 | RSA_X931_PADDING); |
231 | if (ret < 1) | |
232 | return 0; | |
233 | ret--; | |
ed576acd | 234 | if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_get_type(rctx->md))) { |
9311d0c4 | 235 | ERR_raise(ERR_LIB_RSA, RSA_R_ALGORITHM_MISMATCH); |
0f113f3e MC |
236 | return 0; |
237 | } | |
ed576acd | 238 | if (ret != EVP_MD_get_size(rctx->md)) { |
9311d0c4 | 239 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); |
0f113f3e MC |
240 | return 0; |
241 | } | |
242 | if (rout) | |
243 | memcpy(rout, rctx->tbuf, ret); | |
244 | } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { | |
245 | size_t sltmp; | |
ed576acd | 246 | ret = ossl_rsa_verify(EVP_MD_get_type(rctx->md), |
4158b0dc | 247 | NULL, 0, rout, &sltmp, |
5dc6489b | 248 | sig, siglen, rsa); |
0f113f3e MC |
249 | if (ret <= 0) |
250 | return 0; | |
251 | ret = sltmp; | |
90862ab4 | 252 | } else { |
0f113f3e | 253 | return -1; |
90862ab4 PY |
254 | } |
255 | } else { | |
5dc6489b | 256 | ret = RSA_public_decrypt(siglen, sig, rout, rsa, rctx->pad_mode); |
90862ab4 | 257 | } |
0f113f3e MC |
258 | if (ret < 0) |
259 | return ret; | |
260 | *routlen = ret; | |
261 | return 1; | |
262 | } | |
07e970c7 | 263 | |
4f59b658 | 264 | static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
265 | const unsigned char *sig, size_t siglen, |
266 | const unsigned char *tbs, size_t tbslen) | |
267 | { | |
268 | RSA_PKEY_CTX *rctx = ctx->data; | |
5dc6489b MC |
269 | /* |
270 | * Discard const. Its marked as const because this may be a cached copy of | |
271 | * the "real" key. These calls don't make any modifications that need to | |
272 | * be reflected back in the "original" key. | |
273 | */ | |
274 | RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); | |
0f113f3e | 275 | size_t rslen; |
882a387d | 276 | int md_size; |
52ad523c | 277 | |
0f113f3e MC |
278 | if (rctx->md) { |
279 | if (rctx->pad_mode == RSA_PKCS1_PADDING) | |
ed576acd | 280 | return RSA_verify(EVP_MD_get_type(rctx->md), tbs, tbslen, |
0f113f3e | 281 | sig, siglen, rsa); |
882a387d JJ |
282 | md_size = EVP_MD_get_size(rctx->md); |
283 | if (md_size <= 0) { | |
284 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); | |
285 | return -1; | |
286 | } | |
287 | if (tbslen != (size_t)md_size) { | |
9311d0c4 | 288 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); |
71bbc79b DSH |
289 | return -1; |
290 | } | |
0f113f3e MC |
291 | if (rctx->pad_mode == RSA_X931_PADDING) { |
292 | if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) | |
293 | return 0; | |
294 | } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { | |
295 | int ret; | |
296 | if (!setup_tbuf(rctx, ctx)) | |
297 | return -1; | |
298 | ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, | |
299 | rsa, RSA_NO_PADDING); | |
300 | if (ret <= 0) | |
301 | return 0; | |
302 | ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, | |
303 | rctx->md, rctx->mgf1md, | |
304 | rctx->tbuf, rctx->saltlen); | |
305 | if (ret <= 0) | |
306 | return 0; | |
307 | return 1; | |
90862ab4 | 308 | } else { |
0f113f3e | 309 | return -1; |
90862ab4 | 310 | } |
0f113f3e MC |
311 | } else { |
312 | if (!setup_tbuf(rctx, ctx)) | |
313 | return -1; | |
314 | rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, | |
315 | rsa, rctx->pad_mode); | |
316 | if (rslen == 0) | |
317 | return 0; | |
318 | } | |
319 | ||
320 | if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) | |
321 | return 0; | |
322 | ||
323 | return 1; | |
324 | ||
325 | } | |
4f59b658 | 326 | |
eaff5a14 | 327 | static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
328 | unsigned char *out, size_t *outlen, |
329 | const unsigned char *in, size_t inlen) | |
330 | { | |
331 | int ret; | |
332 | RSA_PKEY_CTX *rctx = ctx->data; | |
5dc6489b MC |
333 | /* |
334 | * Discard const. Its marked as const because this may be a cached copy of | |
335 | * the "real" key. These calls don't make any modifications that need to | |
336 | * be reflected back in the "original" key. | |
337 | */ | |
338 | RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); | |
52ad523c | 339 | |
0f113f3e | 340 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
5dc6489b | 341 | int klen = RSA_size(rsa); |
0f113f3e MC |
342 | if (!setup_tbuf(rctx, ctx)) |
343 | return -1; | |
344 | if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, | |
345 | in, inlen, | |
346 | rctx->oaep_label, | |
347 | rctx->oaep_labellen, | |
348 | rctx->md, rctx->mgf1md)) | |
349 | return -1; | |
5dc6489b | 350 | ret = RSA_public_encrypt(klen, rctx->tbuf, out, rsa, RSA_NO_PADDING); |
90862ab4 | 351 | } else { |
5dc6489b | 352 | ret = RSA_public_encrypt(inlen, in, out, rsa, rctx->pad_mode); |
90862ab4 | 353 | } |
0f113f3e MC |
354 | if (ret < 0) |
355 | return ret; | |
356 | *outlen = ret; | |
357 | return 1; | |
358 | } | |
8cd44e36 | 359 | |
eaff5a14 | 360 | static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
361 | unsigned char *out, size_t *outlen, |
362 | const unsigned char *in, size_t inlen) | |
363 | { | |
364 | int ret; | |
5ab3ec1b | 365 | int pad_mode; |
0f113f3e | 366 | RSA_PKEY_CTX *rctx = ctx->data; |
5dc6489b MC |
367 | /* |
368 | * Discard const. Its marked as const because this may be a cached copy of | |
369 | * the "real" key. These calls don't make any modifications that need to | |
370 | * be reflected back in the "original" key. | |
371 | */ | |
372 | RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); | |
52ad523c | 373 | |
0f113f3e | 374 | if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { |
0f113f3e MC |
375 | if (!setup_tbuf(rctx, ctx)) |
376 | return -1; | |
5dc6489b | 377 | ret = RSA_private_decrypt(inlen, in, rctx->tbuf, rsa, RSA_NO_PADDING); |
0f113f3e MC |
378 | if (ret <= 0) |
379 | return ret; | |
237bc6c9 BE |
380 | ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, |
381 | ret, ret, | |
0f113f3e MC |
382 | rctx->oaep_label, |
383 | rctx->oaep_labellen, | |
384 | rctx->md, rctx->mgf1md); | |
90862ab4 | 385 | } else { |
5ab3ec1b HK |
386 | if (rctx->pad_mode == RSA_PKCS1_PADDING && |
387 | rctx->implicit_rejection == 0) | |
388 | pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; | |
389 | else | |
390 | pad_mode = rctx->pad_mode; | |
391 | ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode); | |
90862ab4 | 392 | } |
049e64cb BE |
393 | *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); |
394 | ret = constant_time_select_int(constant_time_msb(ret), ret, 1); | |
395 | return ret; | |
0f113f3e | 396 | } |
07e970c7 | 397 | |
75d44c04 | 398 | static int check_padding_md(const EVP_MD *md, int padding) |
0f113f3e | 399 | { |
7f572e95 | 400 | int mdnid; |
52ad523c | 401 | |
0f113f3e MC |
402 | if (!md) |
403 | return 1; | |
404 | ||
ed576acd | 405 | mdnid = EVP_MD_get_type(md); |
7f572e95 | 406 | |
0f113f3e | 407 | if (padding == RSA_NO_PADDING) { |
9311d0c4 | 408 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); |
0f113f3e MC |
409 | return 0; |
410 | } | |
411 | ||
412 | if (padding == RSA_X931_PADDING) { | |
7f572e95 | 413 | if (RSA_X931_hash_id(mdnid) == -1) { |
9311d0c4 | 414 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_X931_DIGEST); |
0f113f3e MC |
415 | return 0; |
416 | } | |
7f572e95 | 417 | } else { |
1287dabd | 418 | switch (mdnid) { |
7f572e95 DSH |
419 | /* List of all supported RSA digests */ |
420 | case NID_sha1: | |
421 | case NID_sha224: | |
422 | case NID_sha256: | |
423 | case NID_sha384: | |
424 | case NID_sha512: | |
45c236ad SL |
425 | case NID_sha512_224: |
426 | case NID_sha512_256: | |
7f572e95 DSH |
427 | case NID_md5: |
428 | case NID_md5_sha1: | |
429 | case NID_md2: | |
430 | case NID_md4: | |
431 | case NID_mdc2: | |
432 | case NID_ripemd160: | |
cfb5bc69 AP |
433 | case NID_sha3_224: |
434 | case NID_sha3_256: | |
435 | case NID_sha3_384: | |
436 | case NID_sha3_512: | |
7f572e95 DSH |
437 | return 1; |
438 | ||
439 | default: | |
9311d0c4 | 440 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST); |
7f572e95 DSH |
441 | return 0; |
442 | ||
443 | } | |
0f113f3e MC |
444 | } |
445 | ||
446 | return 1; | |
447 | } | |
b2a97be7 | 448 | |
4a3dc3c0 | 449 | static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) |
0f113f3e MC |
450 | { |
451 | RSA_PKEY_CTX *rctx = ctx->data; | |
882a387d | 452 | int md_size; |
52ad523c | 453 | |
0f113f3e MC |
454 | switch (type) { |
455 | case EVP_PKEY_CTRL_RSA_PADDING: | |
456 | if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING)) { | |
457 | if (!check_padding_md(rctx->md, p1)) | |
458 | return 0; | |
459 | if (p1 == RSA_PKCS1_PSS_PADDING) { | |
460 | if (!(ctx->operation & | |
461 | (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) | |
462 | goto bad_pad; | |
463 | if (!rctx->md) | |
464 | rctx->md = EVP_sha1(); | |
87ee7b22 | 465 | } else if (pkey_ctx_is_pss(ctx)) { |
a300c725 | 466 | goto bad_pad; |
0f113f3e MC |
467 | } |
468 | if (p1 == RSA_PKCS1_OAEP_PADDING) { | |
469 | if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) | |
470 | goto bad_pad; | |
471 | if (!rctx->md) | |
472 | rctx->md = EVP_sha1(); | |
473 | } | |
474 | rctx->pad_mode = p1; | |
475 | return 1; | |
476 | } | |
477 | bad_pad: | |
9311d0c4 | 478 | ERR_raise(ERR_LIB_RSA, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); |
0f113f3e MC |
479 | return -2; |
480 | ||
481 | case EVP_PKEY_CTRL_GET_RSA_PADDING: | |
482 | *(int *)p2 = rctx->pad_mode; | |
483 | return 1; | |
484 | ||
485 | case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: | |
486 | case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: | |
487 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { | |
9311d0c4 | 488 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN); |
0f113f3e MC |
489 | return -2; |
490 | } | |
cb49e749 | 491 | if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { |
0f113f3e | 492 | *(int *)p2 = rctx->saltlen; |
cb49e749 | 493 | } else { |
137096a7 | 494 | if (p1 < RSA_PSS_SALTLEN_MAX) |
0f113f3e | 495 | return -2; |
79ebfc46 | 496 | if (rsa_pss_restricted(rctx)) { |
137096a7 DSH |
497 | if (p1 == RSA_PSS_SALTLEN_AUTO |
498 | && ctx->operation == EVP_PKEY_OP_VERIFY) { | |
9311d0c4 | 499 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_SALTLEN); |
79ebfc46 DSH |
500 | return -2; |
501 | } | |
882a387d JJ |
502 | md_size = EVP_MD_get_size(rctx->md); |
503 | if (md_size <= 0) { | |
504 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); | |
505 | return -2; | |
506 | } | |
137096a7 | 507 | if ((p1 == RSA_PSS_SALTLEN_DIGEST |
882a387d | 508 | && rctx->min_saltlen > md_size) |
79ebfc46 | 509 | || (p1 >= 0 && p1 < rctx->min_saltlen)) { |
9311d0c4 | 510 | ERR_raise(ERR_LIB_RSA, RSA_R_PSS_SALTLEN_TOO_SMALL); |
79ebfc46 DSH |
511 | return 0; |
512 | } | |
cb49e749 | 513 | } |
0f113f3e MC |
514 | rctx->saltlen = p1; |
515 | } | |
516 | return 1; | |
517 | ||
518 | case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: | |
cac19d19 | 519 | if (p1 < RSA_MIN_MODULUS_BITS) { |
9311d0c4 | 520 | ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL); |
0f113f3e MC |
521 | return -2; |
522 | } | |
523 | rctx->nbits = p1; | |
524 | return 1; | |
525 | ||
526 | case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: | |
464d59a5 | 527 | if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) { |
9311d0c4 | 528 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); |
0f113f3e | 529 | return -2; |
464d59a5 | 530 | } |
0f113f3e MC |
531 | BN_free(rctx->pub_exp); |
532 | rctx->pub_exp = p2; | |
533 | return 1; | |
534 | ||
665d899f PY |
535 | case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES: |
536 | if (p1 < RSA_DEFAULT_PRIME_NUM || p1 > RSA_MAX_PRIME_NUM) { | |
9311d0c4 | 537 | ERR_raise(ERR_LIB_RSA, RSA_R_KEY_PRIME_NUM_INVALID); |
665d899f PY |
538 | return -2; |
539 | } | |
540 | rctx->primes = p1; | |
541 | return 1; | |
542 | ||
0f113f3e MC |
543 | case EVP_PKEY_CTRL_RSA_OAEP_MD: |
544 | case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: | |
545 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
9311d0c4 | 546 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); |
0f113f3e MC |
547 | return -2; |
548 | } | |
549 | if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) | |
550 | *(const EVP_MD **)p2 = rctx->md; | |
551 | else | |
552 | rctx->md = p2; | |
553 | return 1; | |
554 | ||
555 | case EVP_PKEY_CTRL_MD: | |
556 | if (!check_padding_md(p2, rctx->pad_mode)) | |
557 | return 0; | |
bc1ea030 | 558 | if (rsa_pss_restricted(rctx)) { |
ed576acd | 559 | if (EVP_MD_get_type(rctx->md) == EVP_MD_get_type(p2)) |
cb49e749 | 560 | return 1; |
9311d0c4 | 561 | ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); |
cb49e749 DSH |
562 | return 0; |
563 | } | |
0f113f3e MC |
564 | rctx->md = p2; |
565 | return 1; | |
566 | ||
567 | case EVP_PKEY_CTRL_GET_MD: | |
568 | *(const EVP_MD **)p2 = rctx->md; | |
569 | return 1; | |
570 | ||
571 | case EVP_PKEY_CTRL_RSA_MGF1_MD: | |
572 | case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: | |
573 | if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING | |
574 | && rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
9311d0c4 | 575 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MGF1_MD); |
0f113f3e MC |
576 | return -2; |
577 | } | |
578 | if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { | |
579 | if (rctx->mgf1md) | |
580 | *(const EVP_MD **)p2 = rctx->mgf1md; | |
581 | else | |
582 | *(const EVP_MD **)p2 = rctx->md; | |
cb49e749 | 583 | } else { |
bc1ea030 | 584 | if (rsa_pss_restricted(rctx)) { |
ed576acd | 585 | if (EVP_MD_get_type(rctx->mgf1md) == EVP_MD_get_type(p2)) |
cb49e749 | 586 | return 1; |
9311d0c4 | 587 | ERR_raise(ERR_LIB_RSA, RSA_R_MGF1_DIGEST_NOT_ALLOWED); |
cb49e749 DSH |
588 | return 0; |
589 | } | |
0f113f3e | 590 | rctx->mgf1md = p2; |
cb49e749 | 591 | } |
0f113f3e MC |
592 | return 1; |
593 | ||
594 | case EVP_PKEY_CTRL_RSA_OAEP_LABEL: | |
595 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
9311d0c4 | 596 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); |
0f113f3e MC |
597 | return -2; |
598 | } | |
b548a1f1 | 599 | OPENSSL_free(rctx->oaep_label); |
0f113f3e MC |
600 | if (p2 && p1 > 0) { |
601 | rctx->oaep_label = p2; | |
602 | rctx->oaep_labellen = p1; | |
603 | } else { | |
604 | rctx->oaep_label = NULL; | |
605 | rctx->oaep_labellen = 0; | |
606 | } | |
607 | return 1; | |
608 | ||
609 | case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: | |
610 | if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { | |
9311d0c4 | 611 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); |
0f113f3e MC |
612 | return -2; |
613 | } | |
64b1d2fb | 614 | if (p2 == NULL) { |
615 | ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); | |
616 | return 0; | |
617 | } | |
0f113f3e MC |
618 | *(unsigned char **)p2 = rctx->oaep_label; |
619 | return rctx->oaep_labellen; | |
620 | ||
5ab3ec1b HK |
621 | case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION: |
622 | if (rctx->pad_mode != RSA_PKCS1_PADDING) { | |
623 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); | |
624 | return -2; | |
625 | } | |
626 | rctx->implicit_rejection = p1; | |
627 | return 1; | |
628 | ||
0f113f3e | 629 | case EVP_PKEY_CTRL_DIGESTINIT: |
186e48cd DSH |
630 | case EVP_PKEY_CTRL_PKCS7_SIGN: |
631 | #ifndef OPENSSL_NO_CMS | |
632 | case EVP_PKEY_CTRL_CMS_SIGN: | |
633 | #endif | |
634 | return 1; | |
635 | ||
0f113f3e MC |
636 | case EVP_PKEY_CTRL_PKCS7_ENCRYPT: |
637 | case EVP_PKEY_CTRL_PKCS7_DECRYPT: | |
8931b30d | 638 | #ifndef OPENSSL_NO_CMS |
0f113f3e MC |
639 | case EVP_PKEY_CTRL_CMS_DECRYPT: |
640 | case EVP_PKEY_CTRL_CMS_ENCRYPT: | |
1bcbf658 | 641 | #endif |
186e48cd | 642 | if (!pkey_ctx_is_pss(ctx)) |
0f113f3e | 643 | return 1; |
1bcbf658 | 644 | /* fall through */ |
0f113f3e | 645 | case EVP_PKEY_CTRL_PEER_KEY: |
9311d0c4 | 646 | ERR_raise(ERR_LIB_RSA, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); |
0f113f3e MC |
647 | return -2; |
648 | ||
649 | default: | |
650 | return -2; | |
399a6f0b | 651 | |
0f113f3e MC |
652 | } |
653 | } | |
4a3dc3c0 | 654 | |
4a3dc3c0 | 655 | static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, |
0f113f3e MC |
656 | const char *type, const char *value) |
657 | { | |
52ad523c | 658 | if (value == NULL) { |
9311d0c4 | 659 | ERR_raise(ERR_LIB_RSA, RSA_R_VALUE_MISSING); |
0f113f3e MC |
660 | return 0; |
661 | } | |
86885c28 | 662 | if (strcmp(type, "rsa_padding_mode") == 0) { |
0f113f3e | 663 | int pm; |
665d899f | 664 | |
90862ab4 | 665 | if (strcmp(value, "pkcs1") == 0) { |
0f113f3e | 666 | pm = RSA_PKCS1_PADDING; |
90862ab4 | 667 | } else if (strcmp(value, "none") == 0) { |
0f113f3e | 668 | pm = RSA_NO_PADDING; |
90862ab4 | 669 | } else if (strcmp(value, "oeap") == 0) { |
0f113f3e | 670 | pm = RSA_PKCS1_OAEP_PADDING; |
90862ab4 | 671 | } else if (strcmp(value, "oaep") == 0) { |
0f113f3e | 672 | pm = RSA_PKCS1_OAEP_PADDING; |
90862ab4 | 673 | } else if (strcmp(value, "x931") == 0) { |
0f113f3e | 674 | pm = RSA_X931_PADDING; |
90862ab4 | 675 | } else if (strcmp(value, "pss") == 0) { |
0f113f3e | 676 | pm = RSA_PKCS1_PSS_PADDING; |
90862ab4 | 677 | } else { |
9311d0c4 | 678 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
679 | return -2; |
680 | } | |
681 | return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); | |
682 | } | |
683 | ||
86885c28 | 684 | if (strcmp(type, "rsa_pss_saltlen") == 0) { |
0f113f3e | 685 | int saltlen; |
665d899f | 686 | |
137096a7 DSH |
687 | if (!strcmp(value, "digest")) |
688 | saltlen = RSA_PSS_SALTLEN_DIGEST; | |
689 | else if (!strcmp(value, "max")) | |
690 | saltlen = RSA_PSS_SALTLEN_MAX; | |
691 | else if (!strcmp(value, "auto")) | |
692 | saltlen = RSA_PSS_SALTLEN_AUTO; | |
693 | else | |
694 | saltlen = atoi(value); | |
0f113f3e MC |
695 | return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); |
696 | } | |
697 | ||
86885c28 | 698 | if (strcmp(type, "rsa_keygen_bits") == 0) { |
665d899f PY |
699 | int nbits = atoi(value); |
700 | ||
0f113f3e MC |
701 | return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); |
702 | } | |
703 | ||
86885c28 | 704 | if (strcmp(type, "rsa_keygen_pubexp") == 0) { |
0f113f3e | 705 | int ret; |
665d899f | 706 | |
0f113f3e MC |
707 | BIGNUM *pubexp = NULL; |
708 | if (!BN_asc2bn(&pubexp, value)) | |
709 | return 0; | |
3786d748 | 710 | ret = EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, pubexp); |
711 | BN_free(pubexp); | |
0f113f3e MC |
712 | return ret; |
713 | } | |
714 | ||
665d899f PY |
715 | if (strcmp(type, "rsa_keygen_primes") == 0) { |
716 | int nprimes = atoi(value); | |
717 | ||
718 | return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, nprimes); | |
719 | } | |
720 | ||
410877ba DSH |
721 | if (strcmp(type, "rsa_mgf1_md") == 0) |
722 | return EVP_PKEY_CTX_md(ctx, | |
723 | EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, | |
724 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); | |
0f113f3e | 725 | |
87ee7b22 | 726 | if (pkey_ctx_is_pss(ctx)) { |
e64b2b5c DSH |
727 | |
728 | if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0) | |
729 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, | |
730 | EVP_PKEY_CTRL_RSA_MGF1_MD, value); | |
731 | ||
732 | if (strcmp(type, "rsa_pss_keygen_md") == 0) | |
733 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, | |
734 | EVP_PKEY_CTRL_MD, value); | |
735 | ||
736 | if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) { | |
c82bafc5 DSH |
737 | int saltlen = atoi(value); |
738 | ||
e64b2b5c | 739 | return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); |
0f113f3e | 740 | } |
0f113f3e | 741 | } |
410877ba DSH |
742 | |
743 | if (strcmp(type, "rsa_oaep_md") == 0) | |
744 | return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, | |
745 | EVP_PKEY_CTRL_RSA_OAEP_MD, value); | |
746 | ||
86885c28 | 747 | if (strcmp(type, "rsa_oaep_label") == 0) { |
0f113f3e MC |
748 | unsigned char *lab; |
749 | long lablen; | |
750 | int ret; | |
665d899f | 751 | |
14f051a0 | 752 | lab = OPENSSL_hexstr2buf(value, &lablen); |
0f113f3e MC |
753 | if (!lab) |
754 | return 0; | |
755 | ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); | |
756 | if (ret <= 0) | |
757 | OPENSSL_free(lab); | |
758 | return ret; | |
759 | } | |
760 | ||
761 | return -2; | |
762 | } | |
4a3dc3c0 | 763 | |
e64b2b5c DSH |
764 | /* Set PSS parameters when generating a key, if necessary */ |
765 | static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) | |
766 | { | |
767 | RSA_PKEY_CTX *rctx = ctx->data; | |
52ad523c | 768 | |
87ee7b22 | 769 | if (!pkey_ctx_is_pss(ctx)) |
e64b2b5c | 770 | return 1; |
87ee7b22 | 771 | /* If all parameters are default values don't set pss */ |
e64b2b5c DSH |
772 | if (rctx->md == NULL && rctx->mgf1md == NULL && rctx->saltlen == -2) |
773 | return 1; | |
4158b0dc SL |
774 | rsa->pss = ossl_rsa_pss_params_create(rctx->md, rctx->mgf1md, |
775 | rctx->saltlen == -2 | |
776 | ? 0 : rctx->saltlen); | |
e64b2b5c DSH |
777 | if (rsa->pss == NULL) |
778 | return 0; | |
779 | return 1; | |
780 | } | |
781 | ||
f5cda4cb | 782 | static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) |
0f113f3e MC |
783 | { |
784 | RSA *rsa = NULL; | |
785 | RSA_PKEY_CTX *rctx = ctx->data; | |
786 | BN_GENCB *pcb; | |
787 | int ret; | |
52ad523c | 788 | |
90945fa3 | 789 | if (rctx->pub_exp == NULL) { |
0f113f3e | 790 | rctx->pub_exp = BN_new(); |
90945fa3 | 791 | if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4)) |
0f113f3e MC |
792 | return 0; |
793 | } | |
794 | rsa = RSA_new(); | |
90945fa3 | 795 | if (rsa == NULL) |
0f113f3e MC |
796 | return 0; |
797 | if (ctx->pkey_gencb) { | |
798 | pcb = BN_GENCB_new(); | |
90945fa3 | 799 | if (pcb == NULL) { |
0f113f3e MC |
800 | RSA_free(rsa); |
801 | return 0; | |
802 | } | |
803 | evp_pkey_set_cb_translate(pcb, ctx); | |
90862ab4 | 804 | } else { |
0f113f3e | 805 | pcb = NULL; |
90862ab4 | 806 | } |
665d899f PY |
807 | ret = RSA_generate_multi_prime_key(rsa, rctx->nbits, rctx->primes, |
808 | rctx->pub_exp, pcb); | |
0f113f3e | 809 | BN_GENCB_free(pcb); |
e64b2b5c DSH |
810 | if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { |
811 | RSA_free(rsa); | |
812 | return 0; | |
813 | } | |
0f113f3e | 814 | if (ret > 0) |
faa02fe2 | 815 | EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); |
0f113f3e MC |
816 | else |
817 | RSA_free(rsa); | |
818 | return ret; | |
819 | } | |
820 | ||
19bd1fa1 | 821 | static const EVP_PKEY_METHOD rsa_pkey_meth = { |
0f113f3e MC |
822 | EVP_PKEY_RSA, |
823 | EVP_PKEY_FLAG_AUTOARGLEN, | |
824 | pkey_rsa_init, | |
825 | pkey_rsa_copy, | |
826 | pkey_rsa_cleanup, | |
827 | ||
828 | 0, 0, | |
829 | ||
830 | 0, | |
831 | pkey_rsa_keygen, | |
832 | ||
833 | 0, | |
834 | pkey_rsa_sign, | |
835 | ||
836 | 0, | |
837 | pkey_rsa_verify, | |
838 | ||
839 | 0, | |
840 | pkey_rsa_verifyrecover, | |
841 | ||
842 | 0, 0, 0, 0, | |
843 | ||
844 | 0, | |
845 | pkey_rsa_encrypt, | |
846 | ||
847 | 0, | |
848 | pkey_rsa_decrypt, | |
849 | ||
850 | 0, 0, | |
851 | ||
852 | pkey_rsa_ctrl, | |
853 | pkey_rsa_ctrl_str | |
854 | }; | |
6577e008 | 855 | |
23b2fc0b | 856 | const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void) |
19bd1fa1 PS |
857 | { |
858 | return &rsa_pkey_meth; | |
859 | } | |
860 | ||
59029ca1 DSH |
861 | /* |
862 | * Called for PSS sign or verify initialisation: checks PSS parameter | |
863 | * sanity and sets any restrictions on key usage. | |
864 | */ | |
865 | ||
866 | static int pkey_pss_init(EVP_PKEY_CTX *ctx) | |
867 | { | |
5dc6489b | 868 | const RSA *rsa; |
59029ca1 DSH |
869 | RSA_PKEY_CTX *rctx = ctx->data; |
870 | const EVP_MD *md; | |
871 | const EVP_MD *mgf1md; | |
882a387d | 872 | int min_saltlen, max_saltlen, md_size; |
52ad523c | 873 | |
59029ca1 DSH |
874 | /* Should never happen */ |
875 | if (!pkey_ctx_is_pss(ctx)) | |
876 | return 0; | |
5dc6489b | 877 | rsa = EVP_PKEY_get0_RSA(ctx->pkey); |
59029ca1 DSH |
878 | /* If no restrictions just return */ |
879 | if (rsa->pss == NULL) | |
880 | return 1; | |
881 | /* Get and check parameters */ | |
4158b0dc | 882 | if (!ossl_rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) |
59029ca1 DSH |
883 | return 0; |
884 | ||
46f4e1be | 885 | /* See if minimum salt length exceeds maximum possible */ |
882a387d JJ |
886 | md_size = EVP_MD_get_size(md); |
887 | if (md_size <= 0) { | |
888 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); | |
889 | return 0; | |
890 | } | |
891 | max_saltlen = RSA_size(rsa) - md_size; | |
79ebfc46 DSH |
892 | if ((RSA_bits(rsa) & 0x7) == 1) |
893 | max_saltlen--; | |
894 | if (min_saltlen > max_saltlen) { | |
9311d0c4 | 895 | ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH); |
79ebfc46 DSH |
896 | return 0; |
897 | } | |
898 | ||
59029ca1 DSH |
899 | rctx->min_saltlen = min_saltlen; |
900 | ||
901 | /* | |
902 | * Set PSS restrictions as defaults: we can then block any attempt to | |
903 | * use invalid values in pkey_rsa_ctrl | |
904 | */ | |
905 | ||
906 | rctx->md = md; | |
907 | rctx->mgf1md = mgf1md; | |
908 | rctx->saltlen = min_saltlen; | |
909 | ||
910 | return 1; | |
911 | } | |
912 | ||
19bd1fa1 | 913 | static const EVP_PKEY_METHOD rsa_pss_pkey_meth = { |
6577e008 DSH |
914 | EVP_PKEY_RSA_PSS, |
915 | EVP_PKEY_FLAG_AUTOARGLEN, | |
916 | pkey_rsa_init, | |
917 | pkey_rsa_copy, | |
918 | pkey_rsa_cleanup, | |
919 | ||
920 | 0, 0, | |
921 | ||
922 | 0, | |
923 | pkey_rsa_keygen, | |
924 | ||
59029ca1 | 925 | pkey_pss_init, |
6577e008 DSH |
926 | pkey_rsa_sign, |
927 | ||
59029ca1 | 928 | pkey_pss_init, |
6577e008 DSH |
929 | pkey_rsa_verify, |
930 | ||
931 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | |
932 | ||
933 | pkey_rsa_ctrl, | |
934 | pkey_rsa_ctrl_str | |
935 | }; | |
19bd1fa1 | 936 | |
23b2fc0b | 937 | const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void) |
19bd1fa1 PS |
938 | { |
939 | return &rsa_pss_pkey_meth; | |
940 | } |