Blame src/p11_rsa.c

Packit Service 2ea82d
/* libp11, a simple layer on to of PKCS#11 API
Packit Service 2ea82d
 * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
Packit Service 2ea82d
 * Copyright (C) 2016-2017 MichaƂ Trojnara <Michal.Trojnara@stunnel.org>
Packit Service 2ea82d
 *
Packit Service 2ea82d
 *  This library is free software; you can redistribute it and/or
Packit Service 2ea82d
 *  modify it under the terms of the GNU Lesser General Public
Packit Service 2ea82d
 *  License as published by the Free Software Foundation; either
Packit Service 2ea82d
 *  version 2.1 of the License, or (at your option) any later version.
Packit Service 2ea82d
 *
Packit Service 2ea82d
 *  This library is distributed in the hope that it will be useful,
Packit Service 2ea82d
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
Packit Service 2ea82d
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Packit Service 2ea82d
 *  Lesser General Public License for more details.
Packit Service 2ea82d
 *
Packit Service 2ea82d
 *  You should have received a copy of the GNU Lesser General Public
Packit Service 2ea82d
 *  License along with this library; if not, write to the Free Software
Packit Service 2ea82d
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
Packit Service 2ea82d
 */
Packit Service 2ea82d
Packit Service 2ea82d
/*
Packit Service 2ea82d
 * This file implements the handling of RSA keys stored on a
Packit Service 2ea82d
 * PKCS11 token
Packit Service 2ea82d
 */
Packit Service 2ea82d
Packit Service 2ea82d
#include "libp11-int.h"
Packit Service 2ea82d
#include <string.h>
Packit Service 2ea82d
#include <openssl/evp.h>
Packit Service 2ea82d
#include <openssl/rsa.h>
Packit Service 2ea82d
Packit Service 2ea82d
static int rsa_ex_index = 0;
Packit Service 2ea82d
Packit Service 2ea82d
static RSA *pkcs11_rsa(PKCS11_KEY *key)
Packit Service 2ea82d
{
Packit Service 2ea82d
	EVP_PKEY *evp_key = pkcs11_get_key(key, key->isPrivate);
Packit Service 2ea82d
	RSA *rsa;
Packit Service 2ea82d
	if (evp_key == NULL)
Packit Service 2ea82d
		return NULL;
Packit Service 2ea82d
	rsa = EVP_PKEY_get0_RSA(evp_key);
Packit Service 2ea82d
	EVP_PKEY_free(evp_key);
Packit Service 2ea82d
	return rsa;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/* PKCS#1 v1.5 RSA signature */
Packit Service 2ea82d
/* TODO: remove this function in libp11 0.5.0 */
Packit Service 2ea82d
int pkcs11_sign(int type, const unsigned char *m, unsigned int m_len,
Packit Service 2ea82d
		unsigned char *sigret, unsigned int *siglen, PKCS11_KEY *key)
Packit Service 2ea82d
{
Packit Service 2ea82d
	RSA *rsa = pkcs11_rsa(key);
Packit Service 2ea82d
	if (rsa == NULL)
Packit Service 2ea82d
		return -1;
Packit Service 2ea82d
	return RSA_sign(type, m, m_len, sigret, siglen, rsa);
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/* Setup PKCS#11 mechanisms for encryption/decryption */
Packit Service 2ea82d
static int pkcs11_mechanism(CK_MECHANISM *mechanism, const int padding)
Packit Service 2ea82d
{
Packit Service 2ea82d
	memset(mechanism, 0, sizeof(CK_MECHANISM));
Packit Service 2ea82d
	switch (padding) {
Packit Service 2ea82d
	case RSA_PKCS1_PADDING:
Packit Service 2ea82d
		 mechanism->mechanism = CKM_RSA_PKCS;
Packit Service 2ea82d
		 break;
Packit Service 2ea82d
	case RSA_NO_PADDING:
Packit Service 2ea82d
		mechanism->mechanism = CKM_RSA_X_509;
Packit Service 2ea82d
		break;
Packit Service 2ea82d
	case RSA_X931_PADDING:
Packit Service 2ea82d
		mechanism->mechanism = CKM_RSA_X9_31;
Packit Service 2ea82d
		break;
Packit Service 2ea82d
	default:
Packit Service 2ea82d
		P11err(P11_F_PKCS11_MECHANISM, P11_R_UNSUPPORTED_PADDING_TYPE);
Packit Service 2ea82d
		return -1;
Packit Service 2ea82d
	}
Packit Service 2ea82d
	return 0;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/* RSA private key encryption (also invoked by OpenSSL for signing) */
Packit Service 2ea82d
/* OpenSSL assumes that the output buffer is always big enough */
Packit Service 2ea82d
int pkcs11_private_encrypt(int flen,
Packit Service 2ea82d
		const unsigned char *from, unsigned char *to,
Packit Service 2ea82d
		PKCS11_KEY *key, int padding)
Packit Service 2ea82d
{
Packit Service 2ea82d
	PKCS11_SLOT *slot = KEY2SLOT(key);
Packit Service 2ea82d
	PKCS11_CTX *ctx = KEY2CTX(key);
Packit Service 2ea82d
	PKCS11_KEY_private *kpriv = PRIVKEY(key);
Packit Service 2ea82d
	PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
Packit Service 2ea82d
	CK_MECHANISM mechanism;
Packit Service 2ea82d
	CK_ULONG size;
Packit Service 2ea82d
	int rv;
Packit Service 2ea82d
Packit Service 2ea82d
	size = pkcs11_get_key_size(key);
Packit Service 2ea82d
Packit Service 2ea82d
	if (pkcs11_mechanism(&mechanism, padding) < 0)
Packit Service 2ea82d
		return -1;
Packit Service 2ea82d
Packit Service 2ea82d
	CRYPTO_THREAD_write_lock(PRIVCTX(ctx)->rwlock);
Packit Service 2ea82d
	/* Try signing first, as applications are more likely to use it */
Packit Service 2ea82d
	rv = CRYPTOKI_call(ctx,
Packit Service 2ea82d
		C_SignInit(spriv->session, &mechanism, kpriv->object));
Packit Service 2ea82d
	if (!rv && kpriv->always_authenticate == CK_TRUE)
Packit Service 2ea82d
		rv = pkcs11_authenticate(key);
Packit Service 2ea82d
	if (!rv)
Packit Service 2ea82d
		rv = CRYPTOKI_call(ctx,
Packit Service 2ea82d
			C_Sign(spriv->session, (CK_BYTE *)from, flen, to, &size));
Packit Service 2ea82d
	if (rv == CKR_KEY_FUNCTION_NOT_PERMITTED) {
Packit Service 2ea82d
		/* OpenSSL may use it for encryption rather than signing */
Packit Service 2ea82d
		rv = CRYPTOKI_call(ctx,
Packit Service 2ea82d
			C_EncryptInit(spriv->session, &mechanism, kpriv->object));
Packit Service 2ea82d
		if (!rv && kpriv->always_authenticate == CK_TRUE)
Packit Service 2ea82d
			rv = pkcs11_authenticate(key);
Packit Service 2ea82d
		if (!rv)
Packit Service 2ea82d
			rv = CRYPTOKI_call(ctx,
Packit Service 2ea82d
				C_Encrypt(spriv->session, (CK_BYTE *)from, flen, to, &size));
Packit Service 2ea82d
	}
Packit Service 2ea82d
	CRYPTO_THREAD_unlock(PRIVCTX(ctx)->rwlock);
Packit Service 2ea82d
Packit Service 2ea82d
	if (rv) {
Packit Service 2ea82d
		CKRerr(CKR_F_PKCS11_PRIVATE_ENCRYPT, rv);
Packit Service 2ea82d
		return -1;
Packit Service 2ea82d
	}
Packit Service 2ea82d
Packit Service 2ea82d
	return size;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/* RSA private key decryption */
Packit Service 2ea82d
int pkcs11_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
Packit Service 2ea82d
		PKCS11_KEY *key, int padding)
Packit Service 2ea82d
{
Packit Service 2ea82d
	PKCS11_SLOT *slot = KEY2SLOT(key);
Packit Service 2ea82d
	PKCS11_CTX *ctx = KEY2CTX(key);
Packit Service 2ea82d
	PKCS11_KEY_private *kpriv = PRIVKEY(key);
Packit Service 2ea82d
	PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
Packit Service 2ea82d
	CK_MECHANISM mechanism;
Packit Service 2ea82d
	CK_ULONG size = flen;
Packit Service 2ea82d
	CK_RV rv;
Packit Service 2ea82d
Packit Service 2ea82d
	if (pkcs11_mechanism(&mechanism, padding) < 0)
Packit Service 2ea82d
		return -1;
Packit Service 2ea82d
Packit Service 2ea82d
	CRYPTO_THREAD_write_lock(PRIVCTX(ctx)->rwlock);
Packit Service 2ea82d
	rv = CRYPTOKI_call(ctx,
Packit Service 2ea82d
		C_DecryptInit(spriv->session, &mechanism, kpriv->object));
Packit Service 2ea82d
	if (!rv && kpriv->always_authenticate == CK_TRUE)
Packit Service 2ea82d
		rv = pkcs11_authenticate(key);
Packit Service 2ea82d
	if (!rv)
Packit Service 2ea82d
		rv = CRYPTOKI_call(ctx,
Packit Service 2ea82d
			C_Decrypt(spriv->session, (CK_BYTE *)from, size,
Packit Service 2ea82d
				(CK_BYTE_PTR)to, &size));
Packit Service 2ea82d
	CRYPTO_THREAD_unlock(PRIVCTX(ctx)->rwlock);
Packit Service 2ea82d
Packit Service 2ea82d
	if (rv) {
Packit Service 2ea82d
		CKRerr(CKR_F_PKCS11_PRIVATE_DECRYPT, rv);
Packit Service 2ea82d
		return -1;
Packit Service 2ea82d
	}
Packit Service 2ea82d
Packit Service 2ea82d
	return size;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/* TODO: remove this function in libp11 0.5.0 */
Packit Service 2ea82d
int pkcs11_verify(int type, const unsigned char *m, unsigned int m_len,
Packit Service 2ea82d
		unsigned char *signature, unsigned int siglen, PKCS11_KEY *key)
Packit Service 2ea82d
{
Packit Service 2ea82d
	(void)type;
Packit Service 2ea82d
	(void)m;
Packit Service 2ea82d
	(void)m_len;
Packit Service 2ea82d
	(void)signature;
Packit Service 2ea82d
	(void)siglen;
Packit Service 2ea82d
	(void)key;
Packit Service 2ea82d
Packit Service 2ea82d
	/* PKCS11 calls go here */
Packit Service 2ea82d
	P11err(P11_F_PKCS11_VERIFY, P11_R_NOT_SUPPORTED);
Packit Service 2ea82d
	return -1;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/*
Packit Service 2ea82d
 * Get RSA key material
Packit Service 2ea82d
 */
Packit Service 2ea82d
static RSA *pkcs11_get_rsa(PKCS11_KEY *key)
Packit Service 2ea82d
{
Packit Service 2ea82d
	RSA *rsa;
Packit Service 2ea82d
	PKCS11_KEY *keys;
Packit Service 2ea82d
	unsigned int i, count;
Packit Service 2ea82d
	BIGNUM *rsa_n = NULL, *rsa_e = NULL;
Packit Service 2ea82d
Packit Service 2ea82d
	/* Retrieve the modulus */
Packit Service 2ea82d
	if (key_getattr_bn(key, CKA_MODULUS, &rsa_n))
Packit Service 2ea82d
		return NULL;
Packit Service 2ea82d
Packit Service 2ea82d
	/* Retrieve the public exponent */
Packit Service 2ea82d
	if (!key_getattr_bn(key, CKA_PUBLIC_EXPONENT, &rsa_e)) {
Packit Service 2ea82d
		if (!BN_is_zero(rsa_e)) /* A valid public exponent */
Packit Service 2ea82d
			goto success;
Packit Service 2ea82d
		BN_clear_free(rsa_e);
Packit Service 2ea82d
		rsa_e = NULL;
Packit Service 2ea82d
	}
Packit Service 2ea82d
Packit Service 2ea82d
	/* The public exponent was not found in the private key:
Packit Service 2ea82d
	 * retrieve it from the corresponding public key */
Packit Service 2ea82d
	if (!PKCS11_enumerate_public_keys(KEY2TOKEN(key), &keys, &count)) {
Packit Service 2ea82d
		for (i = 0; i < count; i++) {
Packit Service 2ea82d
			BIGNUM *pubmod = NULL;
Packit Service 2ea82d
			if (!key_getattr_bn(&keys[i], CKA_MODULUS, &pubmod)) {
Packit Service 2ea82d
				int found = BN_cmp(rsa_n, pubmod) == 0;
Packit Service 2ea82d
				BN_clear_free(pubmod);
Packit Service 2ea82d
				if (found && !key_getattr_bn(&keys[i],
Packit Service 2ea82d
						CKA_PUBLIC_EXPONENT, &rsa_e))
Packit Service 2ea82d
					goto success;
Packit Service 2ea82d
			}
Packit Service 2ea82d
		}
Packit Service 2ea82d
	}
Packit Service 2ea82d
Packit Service 2ea82d
	/* Last resort: use the most common default */
Packit Service 2ea82d
	rsa_e = BN_new();
Packit Service 2ea82d
	if (rsa_e && BN_set_word(rsa_e, RSA_F4))
Packit Service 2ea82d
		goto success;
Packit Service 2ea82d
Packit Service 2ea82d
failure:
Packit Service 2ea82d
	if (rsa_n)
Packit Service 2ea82d
		BN_clear_free(rsa_n);
Packit Service 2ea82d
	if (rsa_e)
Packit Service 2ea82d
		BN_clear_free(rsa_e);
Packit Service 2ea82d
	return NULL;
Packit Service 2ea82d
Packit Service 2ea82d
success:
Packit Service 2ea82d
	rsa = RSA_new();
Packit Service 2ea82d
	if (rsa == NULL)
Packit Service 2ea82d
		goto failure;
Packit Service 2ea82d
#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
Packit Service 2ea82d
	RSA_set0_key(rsa, rsa_n, rsa_e, NULL);
Packit Service 2ea82d
#else
Packit Service 2ea82d
	rsa->n = rsa_n;
Packit Service 2ea82d
	rsa->e = rsa_e;
Packit Service 2ea82d
#endif
Packit Service 2ea82d
	return rsa;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa)
Packit Service 2ea82d
{
Packit Service 2ea82d
	return RSA_get_ex_data(rsa, rsa_ex_index);
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
static void pkcs11_set_ex_data_rsa(RSA *rsa, PKCS11_KEY *key)
Packit Service 2ea82d
{
Packit Service 2ea82d
	RSA_set_ex_data(rsa, rsa_ex_index, key);
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
static void pkcs11_update_ex_data_rsa(PKCS11_KEY *key)
Packit Service 2ea82d
{
Packit Service 2ea82d
	EVP_PKEY *evp = key->evp_key;
Packit Service 2ea82d
	RSA *rsa;
Packit Service 2ea82d
	if (evp == NULL)
Packit Service 2ea82d
		return;
Packit Service 2ea82d
	if (EVP_PKEY_base_id(evp) != EVP_PKEY_RSA)
Packit Service 2ea82d
		return;
Packit Service 2ea82d
Packit Service 2ea82d
	rsa = EVP_PKEY_get1_RSA(evp);
Packit Service 2ea82d
	pkcs11_set_ex_data_rsa(rsa, key);
Packit Service 2ea82d
	RSA_free(rsa);
Packit Service 2ea82d
}
Packit Service 2ea82d
/*
Packit Service 2ea82d
 * Build an EVP_PKEY object
Packit Service 2ea82d
 */
Packit Service 2ea82d
static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
Packit Service 2ea82d
{
Packit Service 2ea82d
	EVP_PKEY *pk;
Packit Service 2ea82d
	RSA *rsa;
Packit Service 2ea82d
Packit Service 2ea82d
	rsa = pkcs11_get_rsa(key);
Packit Service 2ea82d
	if (rsa == NULL)
Packit Service 2ea82d
		return NULL;
Packit Service 2ea82d
	pk = EVP_PKEY_new();
Packit Service 2ea82d
	if (pk == NULL) {
Packit Service 2ea82d
		RSA_free(rsa);
Packit Service 2ea82d
		return NULL;
Packit Service 2ea82d
	}
Packit Service 2ea82d
	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
Packit Service 2ea82d
Packit Service 2ea82d
	if (key->isPrivate)
Packit Service 2ea82d
		RSA_set_method(rsa, PKCS11_get_rsa_method());
Packit Service 2ea82d
	/* TODO: Retrieve the RSA private key object attributes instead,
Packit Service 2ea82d
	 * unless the key has the "sensitive" attribute set */
Packit Service 2ea82d
Packit Service 2ea82d
#if OPENSSL_VERSION_NUMBER < 0x01010000L
Packit Service 2ea82d
	/* RSA_FLAG_SIGN_VER is no longer needed since OpenSSL 1.1 */
Packit Service 2ea82d
	rsa->flags |= RSA_FLAG_SIGN_VER;
Packit Service 2ea82d
#endif
Packit Service 2ea82d
	pkcs11_set_ex_data_rsa(rsa, key);
Packit Service 2ea82d
	RSA_free(rsa); /* Drops our reference to it */
Packit Service 2ea82d
	return pk;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/* TODO: remove this function in libp11 0.5.0 */
Packit Service 2ea82d
int pkcs11_get_key_modulus(PKCS11_KEY *key, BIGNUM **bn)
Packit Service 2ea82d
{
Packit Service 2ea82d
	RSA *rsa = pkcs11_rsa(key);
Packit Service 2ea82d
	const BIGNUM *rsa_n;
Packit Service 2ea82d
Packit Service 2ea82d
	if (rsa == NULL)
Packit Service 2ea82d
		return 0;
Packit Service 2ea82d
#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
Packit Service 2ea82d
	RSA_get0_key(rsa, &rsa_n, NULL, NULL);
Packit Service 2ea82d
#else
Packit Service 2ea82d
	rsa_n=rsa->n;
Packit Service 2ea82d
#endif
Packit Service 2ea82d
	*bn = BN_dup(rsa_n);
Packit Service 2ea82d
	return *bn == NULL ? 0 : 1;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/* TODO: remove this function in libp11 0.5.0 */
Packit Service 2ea82d
int pkcs11_get_key_exponent(PKCS11_KEY *key, BIGNUM **bn)
Packit Service 2ea82d
{
Packit Service 2ea82d
	RSA *rsa = pkcs11_rsa(key);
Packit Service 2ea82d
	const BIGNUM *rsa_e;
Packit Service 2ea82d
Packit Service 2ea82d
	if (rsa == NULL)
Packit Service 2ea82d
		return 0;
Packit Service 2ea82d
#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
Packit Service 2ea82d
	RSA_get0_key(rsa, NULL, &rsa_e, NULL);
Packit Service 2ea82d
#else
Packit Service 2ea82d
	rsa_e=rsa->e;
Packit Service 2ea82d
#endif
Packit Service 2ea82d
	*bn = BN_dup(rsa_e);
Packit Service 2ea82d
	return *bn == NULL ? 0 : 1;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/* TODO: make this function static in libp11 0.5.0 */
Packit Service 2ea82d
int pkcs11_get_key_size(PKCS11_KEY *key)
Packit Service 2ea82d
{
Packit Service 2ea82d
	RSA *rsa = pkcs11_rsa(key);
Packit Service 2ea82d
	if (rsa == NULL)
Packit Service 2ea82d
		return 0;
Packit Service 2ea82d
	return RSA_size(rsa);
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
#if OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER)
Packit Service 2ea82d
Packit Service 2ea82d
int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
Packit Service 2ea82d
		(int flen, const unsigned char *from,
Packit Service 2ea82d
			unsigned char *to, RSA *rsa, int padding)
Packit Service 2ea82d
{
Packit Service 2ea82d
    return meth->rsa_priv_enc;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
Packit Service 2ea82d
		(int flen, const unsigned char *from,
Packit Service 2ea82d
			unsigned char *to, RSA *rsa, int padding)
Packit Service 2ea82d
{
Packit Service 2ea82d
    return meth->rsa_priv_dec;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
#endif
Packit Service 2ea82d
Packit Service 2ea82d
static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
Packit Service 2ea82d
		unsigned char *to, RSA *rsa, int padding)
Packit Service 2ea82d
{
Packit Service 2ea82d
	PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
Packit Service 2ea82d
	int (*priv_dec) (int flen, const unsigned char *from,
Packit Service 2ea82d
		unsigned char *to, RSA *rsa, int padding);
Packit Service 2ea82d
	if (check_key_fork(key) < 0) {
Packit Service 2ea82d
		priv_dec = RSA_meth_get_priv_dec(RSA_get_default_method());
Packit Service 2ea82d
		return priv_dec(flen, from, to, rsa, padding);
Packit Service 2ea82d
	}
Packit Service 2ea82d
	return PKCS11_private_decrypt(flen, from, to, key, padding);
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
Packit Service 2ea82d
		unsigned char *to, RSA *rsa, int padding)
Packit Service 2ea82d
{
Packit Service 2ea82d
	PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
Packit Service 2ea82d
	int (*priv_enc) (int flen, const unsigned char *from,
Packit Service 2ea82d
		unsigned char *to, RSA *rsa, int padding);
Packit Service 2ea82d
	if (check_key_fork(key) < 0) {
Packit Service 2ea82d
		priv_enc = RSA_meth_get_priv_enc(RSA_get_default_method());
Packit Service 2ea82d
		return priv_enc(flen, from, to, rsa, padding);
Packit Service 2ea82d
	}
Packit Service 2ea82d
	return PKCS11_private_encrypt(flen, from, to, key, padding);
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
static int pkcs11_rsa_free_method(RSA *rsa)
Packit Service 2ea82d
{
Packit Service 2ea82d
	RSA_set_ex_data(rsa, rsa_ex_index, NULL);
Packit Service 2ea82d
	return 1;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
static void alloc_rsa_ex_index()
Packit Service 2ea82d
{
Packit Service 2ea82d
	if (rsa_ex_index == 0) {
Packit Service 2ea82d
		while (rsa_ex_index == 0) /* Workaround for OpenSSL RT3710 */
Packit Service 2ea82d
			rsa_ex_index = RSA_get_ex_new_index(0, "libp11 rsa",
Packit Service 2ea82d
				NULL, NULL, NULL);
Packit Service 2ea82d
		if (rsa_ex_index < 0)
Packit Service 2ea82d
			rsa_ex_index = 0; /* Fallback to app_data */
Packit Service 2ea82d
	}
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
static void free_rsa_ex_index()
Packit Service 2ea82d
{
Packit Service 2ea82d
	/* CRYPTO_free_ex_index requires OpenSSL version >= 1.1.0-pre1 */
Packit Service 2ea82d
#if OPENSSL_VERSION_NUMBER >= 0x10100001L && !defined(LIBRESSL_VERSION_NUMBER)
Packit Service 2ea82d
	if (rsa_ex_index > 0) {
Packit Service 2ea82d
		CRYPTO_free_ex_index(CRYPTO_EX_INDEX_RSA, rsa_ex_index);
Packit Service 2ea82d
		rsa_ex_index = 0;
Packit Service 2ea82d
	}
Packit Service 2ea82d
#endif
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
#if OPENSSL_VERSION_NUMBER < 0x10100005L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2080000L )
Packit Service 2ea82d
Packit Service 2ea82d
static RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth)
Packit Service 2ea82d
{
Packit Service 2ea82d
	RSA_METHOD *ret = OPENSSL_malloc(sizeof(RSA_METHOD));
Packit Service 2ea82d
	if (ret == NULL)
Packit Service 2ea82d
		return NULL;
Packit Service 2ea82d
	memcpy(ret, meth, sizeof(RSA_METHOD));
Packit Service 2ea82d
	ret->name = OPENSSL_strdup(meth->name);
Packit Service 2ea82d
	if (ret->name == NULL) {
Packit Service 2ea82d
		OPENSSL_free(ret);
Packit Service 2ea82d
		return NULL;
Packit Service 2ea82d
	}
Packit Service 2ea82d
	return ret;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
static int RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
Packit Service 2ea82d
{
Packit Service 2ea82d
	char *tmp = OPENSSL_strdup(name);
Packit Service 2ea82d
	if (tmp == NULL)
Packit Service 2ea82d
		return 0;
Packit Service 2ea82d
	OPENSSL_free((char *)meth->name);
Packit Service 2ea82d
	meth->name = tmp;
Packit Service 2ea82d
	return 1;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
#endif
Packit Service 2ea82d
Packit Service 2ea82d
#if OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER)
Packit Service 2ea82d
Packit Service 2ea82d
static int RSA_meth_set_flags(RSA_METHOD *meth, int flags)
Packit Service 2ea82d
{
Packit Service 2ea82d
	meth->flags = flags;
Packit Service 2ea82d
	return 1;
Packit Service 2ea82d
}
Packit Service 2ea82d
#endif
Packit Service 2ea82d
Packit Service 2ea82d
#if OPENSSL_VERSION_NUMBER < 0x10100005L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2080000L )
Packit Service 2ea82d
Packit Service 2ea82d
static int RSA_meth_set_priv_enc(RSA_METHOD *meth,
Packit Service 2ea82d
		int (*priv_enc) (int flen, const unsigned char *from,
Packit Service 2ea82d
		unsigned char *to, RSA *rsa, int padding))
Packit Service 2ea82d
{
Packit Service 2ea82d
	meth->rsa_priv_enc = priv_enc;
Packit Service 2ea82d
	return 1;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
static int RSA_meth_set_priv_dec(RSA_METHOD *meth,
Packit Service 2ea82d
		int (*priv_dec) (int flen, const unsigned char *from,
Packit Service 2ea82d
		unsigned char *to, RSA *rsa, int padding))
Packit Service 2ea82d
{
Packit Service 2ea82d
	meth->rsa_priv_dec = priv_dec;
Packit Service 2ea82d
	return 1;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
static int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
Packit Service 2ea82d
{
Packit Service 2ea82d
	meth->finish = finish;
Packit Service 2ea82d
	return 1;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
#endif
Packit Service 2ea82d
Packit Service 2ea82d
/*
Packit Service 2ea82d
 * Overload the default OpenSSL methods for RSA
Packit Service 2ea82d
 */
Packit Service 2ea82d
RSA_METHOD *PKCS11_get_rsa_method(void)
Packit Service 2ea82d
{
Packit Service 2ea82d
	static RSA_METHOD *ops = NULL;
Packit Service 2ea82d
Packit Service 2ea82d
	if (ops == NULL) {
Packit Service 2ea82d
		alloc_rsa_ex_index();
Packit Service 2ea82d
		ops = RSA_meth_dup(RSA_get_default_method());
Packit Service 2ea82d
		if (ops == NULL)
Packit Service 2ea82d
			return NULL;
Packit Service 2ea82d
		RSA_meth_set1_name(ops, "libp11 RSA method");
Packit Service b0ef77
		RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
Packit Service 2ea82d
		RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
Packit Service 2ea82d
		RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
Packit Service 2ea82d
		RSA_meth_set_finish(ops, pkcs11_rsa_free_method);
Packit Service 2ea82d
	}
Packit Service 2ea82d
	return ops;
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
/* This function is *not* currently exported */
Packit Service 2ea82d
void PKCS11_rsa_method_free(void)
Packit Service 2ea82d
{
Packit Service 2ea82d
	free_rsa_ex_index();
Packit Service 2ea82d
}
Packit Service 2ea82d
Packit Service 2ea82d
PKCS11_KEY_ops pkcs11_rsa_ops = {
Packit Service 2ea82d
	EVP_PKEY_RSA,
Packit Service 2ea82d
	pkcs11_get_evp_key_rsa,
Packit Service 2ea82d
	pkcs11_update_ex_data_rsa
Packit Service 2ea82d
};
Packit Service 2ea82d
Packit Service 2ea82d
/* vim: set noexpandtab: */