Update RSA OAEP code.

This syncs the RSA OAEP code with OpenSSL 1.1.1d, correctly handling OAEP padding and providing various OAEP related controls. ok inoguchi@ tb@
author: jsing <> 2019-10-29 08:00:18 +0000
committer: jsing <> 2019-10-29 08:00:18 +0000
commit: cfb54024e3e4db502eb98316e50637852da9c16a (patch)
tree: 5aa520500126d3b5a6e1e7ef6c87bc4b779ecc58 /src/lib/libc
parent: 6420bafd6b7099fd194f24cbdeec86794ceccf81 (diff)
download: openbsd-cfb54024e3e4db502eb98316e50637852da9c16a.tar.gz
openbsd-cfb54024e3e4db502eb98316e50637852da9c16a.tar.bz2
openbsd-cfb54024e3e4db502eb98316e50637852da9c16a.zip
2 files changed, 124 insertions, 21 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index db10049e0e..d3f9bee3a5 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.h,v 1.43 2019/10/24 15:54:29 jsing Exp $ */
+/* $OpenBSD: rsa.h,v 1.44 2019/10/29 08:00:18 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -237,17 +237,39 @@ struct rsa_st {
                EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG,  \
                                EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)
-#define EVP_PKEY_CTRL_RSA_PADDING       (EVP_PKEY_ALG_CTRL + 1)
+#define EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \
-#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN   (EVP_PKEY_ALG_CTRL + 2)
+        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
+            EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md))
-#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS   (EVP_PKEY_ALG_CTRL + 3)
+#define EVP_PKEY_CTX_get_rsa_oaep_md(ctx, pmd) \
-#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
+        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
-#define EVP_PKEY_CTRL_RSA_MGF1_MD       (EVP_PKEY_ALG_CTRL + 5)
+            EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)(pmd))
+#define EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen) \
+        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
+            EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)(l))
+#define EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, l) \
+        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
+            EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *)(l))
+#define EVP_PKEY_CTRL_RSA_PADDING               (EVP_PKEY_ALG_CTRL + 1)
+#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN           (EVP_PKEY_ALG_CTRL + 2)
+#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS           (EVP_PKEY_ALG_CTRL + 3)
+#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP         (EVP_PKEY_ALG_CTRL + 4)
+#define EVP_PKEY_CTRL_RSA_MGF1_MD               (EVP_PKEY_ALG_CTRL + 5)
 #define EVP_PKEY_CTRL_GET_RSA_PADDING           (EVP_PKEY_ALG_CTRL + 6)
 #define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN       (EVP_PKEY_ALG_CTRL + 7)
 #define EVP_PKEY_CTRL_GET_RSA_MGF1_MD           (EVP_PKEY_ALG_CTRL + 8)
+#define EVP_PKEY_CTRL_RSA_OAEP_MD               (EVP_PKEY_ALG_CTRL + 9)
+#define EVP_PKEY_CTRL_RSA_OAEP_LABEL            (EVP_PKEY_ALG_CTRL + 10)
+#define EVP_PKEY_CTRL_GET_RSA_OAEP_MD           (EVP_PKEY_ALG_CTRL + 11)
+#define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL        (EVP_PKEY_ALG_CTRL + 12)
 #define RSA_PKCS1_PADDING       1
 #define RSA_SSLV23_PADDING      2
 #define RSA_NO_PADDING          3
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index d0cc50cd9f..a5dd86a5de 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.22 2019/09/09 18:06:26 jsing Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.23 2019/10/29 08:00:18 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -68,7 +68,7 @@
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include "evp_locl.h"
 #include "rsa_locl.h"
@@ -87,10 +87,13 @@ typedef struct {
        const EVP_MD *md;
        /* message digest for MGF1 */
        const EVP_MD *mgf1md;
-        /* PSS/OAEP salt length */
+        /* PSS salt length */
        int saltlen;
        /* Temp buffer */
        unsigned char *tbuf;
+        /* OAEP label */
+        unsigned char *oaep_label;
+        size_t oaep_labellen;
 } RSA_PKEY_CTX;
 static int
@@ -98,15 +101,11 @@ pkey_rsa_init(EVP_PKEY_CTX *ctx)
 {
        RSA_PKEY_CTX *rctx;
-        rctx = malloc(sizeof(RSA_PKEY_CTX));
+        if ((rctx = calloc(1, sizeof(RSA_PKEY_CTX))) == NULL)
-        if (!rctx)
                return 0;
        rctx->nbits = 2048;
-        rctx->pub_exp = NULL;
        rctx->pad_mode = RSA_PKCS1_PADDING;
-        rctx->md = NULL;
-        rctx->mgf1md = NULL;
-        rctx->tbuf = NULL;
        rctx->saltlen = -2;
@@ -124,6 +123,7 @@ pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
        if (!pkey_rsa_init(dst))
                return 0;
        sctx = src->data;
        dctx = dst->data;
        dctx->nbits = sctx->nbits;
@@ -134,6 +134,15 @@ pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
        }
        dctx->pad_mode = sctx->pad_mode;
        dctx->md = sctx->md;
+        dctx->mgf1md = sctx->mgf1md;
+        if (sctx->oaep_label != NULL) {
+                free(dctx->oaep_label);
+                if ((dctx->oaep_label = calloc(1, sctx->oaep_labellen)) == NULL)
+                        return 0;
+                memcpy(dctx->oaep_label, sctx->oaep_label, sctx->oaep_labellen);
+                dctx->oaep_labellen = sctx->oaep_labellen;
+        }
        return 1;
 }
@@ -156,6 +165,7 @@ pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
        if (rctx) {
                BN_free(rctx->pub_exp);
                free(rctx->tbuf);
+                free(rctx->oaep_label);
                free(rctx);
        }
 }
@@ -306,11 +316,23 @@ static int
 pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
    const unsigned char *in, size_t inlen)
 {
-        int ret;
        RSA_PKEY_CTX *rctx = ctx->data;
+        int ret;
-        ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
+        if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
-            rctx->pad_mode);
+                int klen = RSA_size(ctx->pkey->pkey.rsa);
+                if (!setup_tbuf(rctx, ctx))
+                        return -1;
+                if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
+                    in, inlen, rctx->oaep_label, rctx->oaep_labellen,
+                    rctx->md, rctx->mgf1md))
+                        return -1;
+                ret = RSA_public_encrypt(klen, rctx->tbuf, out,
+                    ctx->pkey->pkey.rsa, RSA_NO_PADDING);
+        } else {
+                ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
+                    rctx->pad_mode);
+        }
        if (ret < 0)
                return ret;
        *outlen = ret;
@@ -324,8 +346,20 @@ pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
        int ret;
        RSA_PKEY_CTX *rctx = ctx->data;
-        ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
+        if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
-            rctx->pad_mode);
+                if (!setup_tbuf(rctx, ctx))
+                        return -1;
+                ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
+                    ctx->pkey->pkey.rsa, RSA_NO_PADDING);
+                if (ret <= 0)
+                        return ret;
+                ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
+                    ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md,
+                    rctx->mgf1md);
+        } else {
+                ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
+                    rctx->pad_mode);
+        }
        if (ret < 0)
                return ret;
        *outlen = ret;
@@ -429,7 +463,8 @@ bad_pad:
        case EVP_PKEY_CTRL_RSA_MGF1_MD:
        case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
-                if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
+                if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
+                    rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
                        RSAerror(RSA_R_INVALID_MGF1_MD);
                        return -2;
                }
@@ -442,6 +477,29 @@ bad_pad:
                        rctx->mgf1md = p2;
                return 1;
+        case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
+                if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
+                        RSAerror(RSA_R_INVALID_PADDING_MODE);
+                        return -2;
+                }
+                free(rctx->oaep_label);
+                if (p2 != NULL && p1 > 0) {
+                        rctx->oaep_label = p2;
+                        rctx->oaep_labellen = p1;
+                } else {
+                        rctx->oaep_label = NULL;
+                        rctx->oaep_labellen = 0;
+                }
+                return 1;
+        case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
+                if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
+                        RSAerror(RSA_R_INVALID_PADDING_MODE);
+                        return -2;
+                }
+                *(unsigned char **)p2 = rctx->oaep_label;
+                return rctx->oaep_labellen;
        case EVP_PKEY_CTRL_DIGESTINIT:
        case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
        case EVP_PKEY_CTRL_PKCS7_DECRYPT:
@@ -529,6 +587,29 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
                return ret;
        }
+        if (strcmp(type, "rsa_mgf1_md") == 0)
+                return EVP_PKEY_CTX_md(ctx,
+                    EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
+                    EVP_PKEY_CTRL_RSA_MGF1_MD, value);
+        if (strcmp(type, "rsa_oaep_md") == 0)
+                return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
+                    EVP_PKEY_CTRL_RSA_OAEP_MD, value);
+        if (strcmp(type, "rsa_oaep_label") == 0) {
+                unsigned char *lab;
+                long lablen;
+                int ret;
+                if ((lab = string_to_hex(value, &lablen)) == NULL)
+                        return 0;
+                ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
+                if (ret <= 0)
+                        free(lab);
+                return ret;
+        }
 not_a_number:
 out_of_range:
        return -2;
author	jsing <>	2019-10-29 08:00:18 +0000
committer	jsing <>	2019-10-29 08:00:18 +0000
commit	cfb54024e3e4db502eb98316e50637852da9c16a (patch)
tree	5aa520500126d3b5a6e1e7ef6c87bc4b779ecc58 /src/lib/libc
parent	6420bafd6b7099fd194f24cbdeec86794ceccf81 (diff)
download	openbsd-cfb54024e3e4db502eb98316e50637852da9c16a.tar.gz openbsd-cfb54024e3e4db502eb98316e50637852da9c16a.tar.bz2 openbsd-cfb54024e3e4db502eb98316e50637852da9c16a.zip

diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h index db10049e0e..d3f9bee3a5 100644 --- a/src/lib/libcrypto/rsa/rsa.h +++ b/src/lib/libcrypto/rsa/rsa.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa.h,v 1.43 2019/10/24 15:54:29 jsing Exp $ */	1	/* $OpenBSD: rsa.h,v 1.44 2019/10/29 08:00:18 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -237,17 +237,39 @@ struct rsa_st {
237	EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \	237	EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
238	EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)	238	EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)
239		239
240	#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)	240	#define EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \
241	#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)	241	EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
		242	EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md))
242		243
243	#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)	244	#define EVP_PKEY_CTX_get_rsa_oaep_md(ctx, pmd) \
244	#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)	245	EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
245	#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5)	246	EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)(pmd))
		247
		248	#define EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen) \
		249	EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
		250	EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)(l))
		251
		252	#define EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, l) \
		253	EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \
		254	EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *)(l))
		255
		256	#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
		257	#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
		258
		259	#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
		260	#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
		261	#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5)
246		262
247	#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6)	263	#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6)
248	#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7)	264	#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7)
249	#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8)	265	#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8)
250		266
		267	#define EVP_PKEY_CTRL_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 9)
		268	#define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 10)
		269
		270	#define EVP_PKEY_CTRL_GET_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 11)
		271	#define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12)
		272
251	#define RSA_PKCS1_PADDING 1	273	#define RSA_PKCS1_PADDING 1
252	#define RSA_SSLV23_PADDING 2	274	#define RSA_SSLV23_PADDING 2
253	#define RSA_NO_PADDING 3	275	#define RSA_NO_PADDING 3


diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c index d0cc50cd9f..a5dd86a5de 100644 --- a/src/lib/libcrypto/rsa/rsa_pmeth.c +++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_pmeth.c,v 1.22 2019/09/09 18:06:26 jsing Exp $ */	1	/* $OpenBSD: rsa_pmeth.c,v 1.23 2019/10/29 08:00:18 jsing Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -68,7 +68,7 @@
68	#include <openssl/evp.h>	68	#include <openssl/evp.h>
69	#include <openssl/rsa.h>	69	#include <openssl/rsa.h>
70	#include <openssl/x509.h>	70	#include <openssl/x509.h>
71		71	#include <openssl/x509v3.h>
72		72
73	#include "evp_locl.h"	73	#include "evp_locl.h"
74	#include "rsa_locl.h"	74	#include "rsa_locl.h"
@@ -87,10 +87,13 @@ typedef struct {
87	const EVP_MD *md;	87	const EVP_MD *md;
88	/* message digest for MGF1 */	88	/* message digest for MGF1 */
89	const EVP_MD *mgf1md;	89	const EVP_MD *mgf1md;
90	/* PSS/OAEP salt length */	90	/* PSS salt length */
91	int saltlen;	91	int saltlen;
92	/* Temp buffer */	92	/* Temp buffer */
93	unsigned char *tbuf;	93	unsigned char *tbuf;
		94	/* OAEP label */
		95	unsigned char *oaep_label;
		96	size_t oaep_labellen;
94	} RSA_PKEY_CTX;	97	} RSA_PKEY_CTX;
95		98
96	static int	99	static int
@@ -98,15 +101,11 @@ pkey_rsa_init(EVP_PKEY_CTX *ctx)
98	{	101	{
99	RSA_PKEY_CTX *rctx;	102	RSA_PKEY_CTX *rctx;
100		103
101	rctx = malloc(sizeof(RSA_PKEY_CTX));	104	if ((rctx = calloc(1, sizeof(RSA_PKEY_CTX))) == NULL)
102	if (!rctx)
103	return 0;	105	return 0;
		106
104	rctx->nbits = 2048;	107	rctx->nbits = 2048;
105	rctx->pub_exp = NULL;
106	rctx->pad_mode = RSA_PKCS1_PADDING;	108	rctx->pad_mode = RSA_PKCS1_PADDING;
107	rctx->md = NULL;
108	rctx->mgf1md = NULL;
109	rctx->tbuf = NULL;
110		109
111	rctx->saltlen = -2;	110	rctx->saltlen = -2;
112		111
@@ -124,6 +123,7 @@ pkey_rsa_copy(EVP_PKEY_CTX dst, EVP_PKEY_CTX src)
124		123
125	if (!pkey_rsa_init(dst))	124	if (!pkey_rsa_init(dst))
126	return 0;	125	return 0;
		126
127	sctx = src->data;	127	sctx = src->data;
128	dctx = dst->data;	128	dctx = dst->data;
129	dctx->nbits = sctx->nbits;	129	dctx->nbits = sctx->nbits;
@@ -134,6 +134,15 @@ pkey_rsa_copy(EVP_PKEY_CTX dst, EVP_PKEY_CTX src)
134	}	134	}
135	dctx->pad_mode = sctx->pad_mode;	135	dctx->pad_mode = sctx->pad_mode;
136	dctx->md = sctx->md;	136	dctx->md = sctx->md;
		137	dctx->mgf1md = sctx->mgf1md;
		138	if (sctx->oaep_label != NULL) {
		139	free(dctx->oaep_label);
		140	if ((dctx->oaep_label = calloc(1, sctx->oaep_labellen)) == NULL)
		141	return 0;
		142	memcpy(dctx->oaep_label, sctx->oaep_label, sctx->oaep_labellen);
		143	dctx->oaep_labellen = sctx->oaep_labellen;
		144	}
		145
137	return 1;	146	return 1;
138	}	147	}
139		148
@@ -156,6 +165,7 @@ pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
156	if (rctx) {	165	if (rctx) {
157	BN_free(rctx->pub_exp);	166	BN_free(rctx->pub_exp);
158	free(rctx->tbuf);	167	free(rctx->tbuf);
		168	free(rctx->oaep_label);
159	free(rctx);	169	free(rctx);
160	}	170	}
161	}	171	}
@@ -306,11 +316,23 @@ static int
306	pkey_rsa_encrypt(EVP_PKEY_CTX ctx, unsigned char out, size_t *outlen,	316	pkey_rsa_encrypt(EVP_PKEY_CTX ctx, unsigned char out, size_t *outlen,
307	const unsigned char *in, size_t inlen)	317	const unsigned char *in, size_t inlen)
308	{	318	{
309	int ret;
310	RSA_PKEY_CTX *rctx = ctx->data;	319	RSA_PKEY_CTX *rctx = ctx->data;
		320	int ret;
311		321
312	ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,	322	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
313	rctx->pad_mode);	323	int klen = RSA_size(ctx->pkey->pkey.rsa);
		324	if (!setup_tbuf(rctx, ctx))
		325	return -1;
		326	if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
		327	in, inlen, rctx->oaep_label, rctx->oaep_labellen,
		328	rctx->md, rctx->mgf1md))
		329	return -1;
		330	ret = RSA_public_encrypt(klen, rctx->tbuf, out,
		331	ctx->pkey->pkey.rsa, RSA_NO_PADDING);
		332	} else {
		333	ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
		334	rctx->pad_mode);
		335	}
314	if (ret < 0)	336	if (ret < 0)
315	return ret;	337	return ret;
316	*outlen = ret;	338	*outlen = ret;
@@ -324,8 +346,20 @@ pkey_rsa_decrypt(EVP_PKEY_CTX ctx, unsigned char out, size_t *outlen,
324	int ret;	346	int ret;
325	RSA_PKEY_CTX *rctx = ctx->data;	347	RSA_PKEY_CTX *rctx = ctx->data;
326		348
327	ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,	349	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
328	rctx->pad_mode);	350	if (!setup_tbuf(rctx, ctx))
		351	return -1;
		352	ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
		353	ctx->pkey->pkey.rsa, RSA_NO_PADDING);
		354	if (ret <= 0)
		355	return ret;
		356	ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
		357	ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md,
		358	rctx->mgf1md);
		359	} else {
		360	ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
		361	rctx->pad_mode);
		362	}
329	if (ret < 0)	363	if (ret < 0)
330	return ret;	364	return ret;
331	*outlen = ret;	365	*outlen = ret;
@@ -429,7 +463,8 @@ bad_pad:
429		463
430	case EVP_PKEY_CTRL_RSA_MGF1_MD:	464	case EVP_PKEY_CTRL_RSA_MGF1_MD:
431	case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:	465	case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
432	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {	466	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
		467	rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
433	RSAerror(RSA_R_INVALID_MGF1_MD);	468	RSAerror(RSA_R_INVALID_MGF1_MD);
434	return -2;	469	return -2;
435	}	470	}
@@ -442,6 +477,29 @@ bad_pad:
442	rctx->mgf1md = p2;	477	rctx->mgf1md = p2;
443	return 1;	478	return 1;
444		479
		480	case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
		481	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
		482	RSAerror(RSA_R_INVALID_PADDING_MODE);
		483	return -2;
		484	}
		485	free(rctx->oaep_label);
		486	if (p2 != NULL && p1 > 0) {
		487	rctx->oaep_label = p2;
		488	rctx->oaep_labellen = p1;
		489	} else {
		490	rctx->oaep_label = NULL;
		491	rctx->oaep_labellen = 0;
		492	}
		493	return 1;
		494
		495	case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
		496	if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
		497	RSAerror(RSA_R_INVALID_PADDING_MODE);
		498	return -2;
		499	}
		500	(unsigned char *)p2 = rctx->oaep_label;
		501	return rctx->oaep_labellen;
		502
445	case EVP_PKEY_CTRL_DIGESTINIT:	503	case EVP_PKEY_CTRL_DIGESTINIT:
446	case EVP_PKEY_CTRL_PKCS7_ENCRYPT:	504	case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
447	case EVP_PKEY_CTRL_PKCS7_DECRYPT:	505	case EVP_PKEY_CTRL_PKCS7_DECRYPT:
@@ -529,6 +587,29 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)
529	return ret;	587	return ret;
530	}	588	}
531		589
		590	if (strcmp(type, "rsa_mgf1_md") == 0)
		591	return EVP_PKEY_CTX_md(ctx,
		592	EVP_PKEY_OP_TYPE_SIG \| EVP_PKEY_OP_TYPE_CRYPT,
		593	EVP_PKEY_CTRL_RSA_MGF1_MD, value);
		594
		595	if (strcmp(type, "rsa_oaep_md") == 0)
		596	return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT,
		597	EVP_PKEY_CTRL_RSA_OAEP_MD, value);
		598
		599	if (strcmp(type, "rsa_oaep_label") == 0) {
		600	unsigned char *lab;
		601	long lablen;
		602	int ret;
		603
		604	if ((lab = string_to_hex(value, &lablen)) == NULL)
		605	return 0;
		606	ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
		607	if (ret <= 0)
		608	free(lab);
		609
		610	return ret;
		611	}
		612
532	not_a_number:	613	not_a_number:
533	out_of_range:	614	out_of_range:
534	return -2;	615	return -2;