const RSA_METHOD * HSM_PKCS11_get_rsa_method ( void ) {
#if OPENSSL_VERSION_NUMBER < 0x1010000fL
static RSA_METHOD ret;
ret = *RSA_get_default_method();
// Sets the name
ret.name = "LibPKI PKCS#11 RSA";
// Implemented Methods
ret.rsa_sign = HSM_PKCS11_rsa_sign;
// Not Implemented Methods
ret.rsa_priv_enc = NULL;
ret.rsa_priv_dec = NULL;
return &ret;
#else
static RSA_METHOD * r_pnt = NULL;
// Static Pointer to the new PKCS11 RSA Method
// If the pointer is empty, let's get a new method
if (!r_pnt) {
// Duplicate the default method
if ((r_pnt = RSA_meth_dup(RSA_get_default_method())) != NULL) {
// Sets the name
RSA_meth_set1_name(r_pnt, "LibPKI PKCS#11 RSA");
// Sets the sign to use the PKCS#11 version
RSA_meth_set_sign(r_pnt, HSM_PKCS11_rsa_sign);
// Sets not implemented calls
RSA_meth_set_priv_enc(r_pnt, NULL);
RSA_meth_set_priv_dec(r_pnt, NULL);
}
}
// All Done
return r_pnt;
#endif
}
RSA *
RSA_new_method(ENGINE *engine)
{
RSA *rsa;
rsa = calloc(1, sizeof(*rsa));
if (rsa == NULL)
return NULL;
rsa->references = 1;
if (engine) {
ENGINE_up_ref(engine);
rsa->engine = engine;
} else {
rsa->engine = ENGINE_get_default_RSA();
}
if (rsa->engine) {
rsa->meth = ENGINE_get_RSA(rsa->engine);
if (rsa->meth == NULL) {
ENGINE_finish(engine);
free(rsa);
return 0;
}
}
if (rsa->meth == NULL)
rsa->meth = rk_UNCONST(RSA_get_default_method());
(*rsa->meth->init)(rsa);
return rsa;
}
RSA_METHOD *qat_get_RSA_methods(void)
{
#ifndef OPENSSL_DISABLE_QAT_RSA
int res = 1;
#endif
if (qat_rsa_method != NULL)
return qat_rsa_method;
#ifndef OPENSSL_DISABLE_QAT_RSA
if ((qat_rsa_method = RSA_meth_new("QAT RSA method", 0)) == NULL) {
WARN("Failed to allocate QAT RSA methods\n");
QATerr(QAT_F_QAT_GET_RSA_METHODS, QAT_R_ALLOC_QAT_RSA_METH_FAILURE);
return NULL;
}
res &= RSA_meth_set_pub_enc(qat_rsa_method, qat_rsa_pub_enc);
res &= RSA_meth_set_pub_dec(qat_rsa_method, qat_rsa_pub_dec);
res &= RSA_meth_set_priv_enc(qat_rsa_method, qat_rsa_priv_enc);
res &= RSA_meth_set_priv_dec(qat_rsa_method, qat_rsa_priv_dec);
res &= RSA_meth_set_mod_exp(qat_rsa_method, qat_rsa_mod_exp);
res &= RSA_meth_set_bn_mod_exp(qat_rsa_method, qat_bn_mod_exp);
if (res == 0) {
WARN("Failed to set QAT RSA methods\n");
QATerr(QAT_F_QAT_GET_RSA_METHODS, QAT_R_SET_QAT_RSA_METH_FAILURE);
return NULL;
}
#else
qat_rsa_method = (RSA_METHOD *)RSA_get_default_method();
#endif
return qat_rsa_method;
}
// Constructors
OSSLRSAPrivateKey::OSSLRSAPrivateKey()
{
rsa = RSA_new();
// Use the OpenSSL implementation and not any engine
RSA_set_method(rsa, RSA_get_default_method());
}
void
ca_engine_init(void)
{
ENGINE *e;
const char *errstr, *name;
if ((e = ENGINE_get_default_RSA()) == NULL) {
if ((e = ENGINE_new()) == NULL) {
errstr = "ENGINE_new";
goto fail;
}
if (!ENGINE_set_name(e, rsae_method.name)) {
errstr = "ENGINE_set_name";
goto fail;
}
if ((rsa_default = RSA_get_default_method()) == NULL) {
errstr = "RSA_get_default_method";
goto fail;
}
} else if ((rsa_default = ENGINE_get_RSA(e)) == NULL) {
errstr = "ENGINE_get_RSA";
goto fail;
}
if ((name = ENGINE_get_name(e)) == NULL)
name = "unknown RSA engine";
log_debug("debug: %s: using %s", __func__, name);
if (rsa_default->flags & RSA_FLAG_SIGN_VER)
fatalx("unsupported RSA engine");
if (rsa_default->rsa_mod_exp == NULL)
rsae_method.rsa_mod_exp = NULL;
if (rsa_default->bn_mod_exp == NULL)
rsae_method.bn_mod_exp = NULL;
if (rsa_default->rsa_keygen == NULL)
rsae_method.rsa_keygen = NULL;
rsae_method.flags = rsa_default->flags |
RSA_METHOD_FLAG_NO_CHECK;
rsae_method.app_data = rsa_default->app_data;
if (!ENGINE_set_RSA(e, &rsae_method)) {
errstr = "ENGINE_set_RSA";
goto fail;
}
if (!ENGINE_set_default_RSA(e)) {
errstr = "ENGINE_set_default_RSA";
goto fail;
}
return;
fail:
ssl_error(errstr);
fatalx("%s", errstr);
}
static RSA_METHOD *RSA_meth_new(const char *name, int flags)
{
RSA_METHOD *meth = OPENSSL_malloc(sizeof(RSA_METHOD));
if (meth == NULL)
return NULL;
memcpy(meth, RSA_get_default_method(), sizeof(RSA_METHOD));
meth->name = OPENSSL_strdup(name);
meth->flags = flags;
return meth;
}
/* redirect the private key encrypt operation to the ssh-pkcs11-helper */
static int
wrap_key(RSA *rsa)
{
static RSA_METHOD helper_rsa;
memcpy(&helper_rsa, RSA_get_default_method(), sizeof(helper_rsa));
helper_rsa.name = "ssh-pkcs11-helper";
helper_rsa.rsa_priv_enc = pkcs11_rsa_private_encrypt;
RSA_set_method(rsa, &helper_rsa);
return (0);
}
RSA *RSA_new_method(ENGINE *engine)
{
RSA *ret;
ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->meth = RSA_get_default_method();
#ifndef OPENSSL_NO_ENGINE
if (engine) {
if (!ENGINE_init(engine)) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
OPENSSL_free(ret);
return NULL;
}
ret->engine = engine;
} else
ret->engine = ENGINE_get_default_RSA();
if (ret->engine) {
ret->meth = ENGINE_get_RSA(ret->engine);
if (!ret->meth) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
ENGINE_finish(ret->engine);
OPENSSL_free(ret);
return NULL;
}
}
#endif
ret->references = 1;
ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
#ifndef OPENSSL_NO_ENGINE
if (ret->engine)
ENGINE_finish(ret->engine);
#endif
OPENSSL_free(ret);
return (NULL);
}
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
#ifndef OPENSSL_NO_ENGINE
if (ret->engine)
ENGINE_finish(ret->engine);
#endif
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
OPENSSL_free(ret);
ret = NULL;
}
return (ret);
}
RSA *RSA_new_method(ENGINE *engine)
{
RSA *ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->references = 1;
ret->lock = CRYPTO_THREAD_lock_new();
if (ret->lock == NULL) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
OPENSSL_free(ret);
return NULL;
}
ret->meth = RSA_get_default_method();
#ifndef OPENSSL_NO_ENGINE
ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
if (engine) {
if (!ENGINE_init(engine)) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
goto err;
}
ret->engine = engine;
} else {
ret->engine = ENGINE_get_default_RSA();
}
if (ret->engine) {
ret->meth = ENGINE_get_RSA(ret->engine);
if (ret->meth == NULL) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
goto err;
}
}
#endif
ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
goto err;
}
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_INIT_FAIL);
goto err;
}
return ret;
err:
RSA_free(ret);
return NULL;
}
static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
int (*priv_enc) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
if (key == NULL) {
priv_enc = RSA_meth_get_priv_enc(RSA_get_default_method());
return priv_enc(flen, from, to, rsa, padding);
}
return PKCS11_private_encrypt(flen, from, to, key, padding);
}
static RSA_METHOD *get_pkcs11_rsa_method(void) {
static RSA_METHOD *pkcs11_rsa_method = NULL;
if(pkcs11_rsa_key_idx == -1) {
pkcs11_rsa_key_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
}
if(pkcs11_rsa_method == NULL) {
#if OPENSSL_VERSION_NUMBER < 0x10100005L
const RSA_METHOD *def = RSA_get_default_method();
pkcs11_rsa_method = calloc(1, sizeof(*pkcs11_rsa_method));
memcpy(pkcs11_rsa_method, def, sizeof(*pkcs11_rsa_method));
pkcs11_rsa_method->name = "pkcs11";
pkcs11_rsa_method->rsa_priv_enc = pkcs11_rsa_private_encrypt;
pkcs11_rsa_method->rsa_priv_dec = pkcs11_rsa_private_decrypt;
#else
pkcs11_rsa_method = RSA_meth_dup(RSA_get_default_method());
RSA_meth_set1_name(pkcs11_rsa_method, "pkcs11");
RSA_meth_set_priv_enc(pkcs11_rsa_method, pkcs11_rsa_private_encrypt);
RSA_meth_set_priv_dec(pkcs11_rsa_method, pkcs11_rsa_private_decrypt);
#endif
}
return pkcs11_rsa_method;
}
/*
* This internal function is used by ENGINE_openssl() and possibly by the
* "dynamic" ENGINE support too
*/
static int bind_helper(ENGINE *e)
{
if (!ENGINE_set_id(e, engine_openssl_id)
|| !ENGINE_set_name(e, engine_openssl_name)
|| !ENGINE_set_destroy_function(e, openssl_destroy)
#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
# ifndef OPENSSL_NO_RSA
|| !ENGINE_set_RSA(e, RSA_get_default_method())
# endif
# ifndef OPENSSL_NO_DSA
|| !ENGINE_set_DSA(e, DSA_get_default_method())
# endif
# ifndef OPENSSL_NO_EC
|| !ENGINE_set_EC(e, EC_KEY_OpenSSL())
# endif
# ifndef OPENSSL_NO_DH
|| !ENGINE_set_DH(e, DH_get_default_method())
# endif
|| !ENGINE_set_RAND(e, RAND_OpenSSL())
# ifdef TEST_ENG_OPENSSL_RC4
|| !ENGINE_set_ciphers(e, openssl_ciphers)
# endif
# ifdef TEST_ENG_OPENSSL_SHA
|| !ENGINE_set_digests(e, openssl_digests)
# endif
#endif
#ifdef TEST_ENG_OPENSSL_PKEY
|| !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
#endif
#ifdef TEST_ENG_OPENSSL_HMAC
|| !ossl_register_hmac_meth()
|| !ENGINE_set_pkey_meths(e, ossl_pkey_meths)
#endif
)
return 0;
/*
* If we add errors to this ENGINE, ensure the error handling is setup
* here
*/
/* openssl_load_error_strings(); */
return 1;
}
static RSA_METHOD *
sc_get_rsa_method(void)
{
static RSA_METHOD smart_rsa;
const RSA_METHOD *def = RSA_get_default_method();
/* use the OpenSSL version */
memcpy(&smart_rsa, def, sizeof(smart_rsa));
smart_rsa.name = "sectok";
/* overload */
smart_rsa.rsa_priv_enc = sc_private_encrypt;
smart_rsa.rsa_priv_dec = sc_private_decrypt;
/* save original */
orig_finish = def->finish;
smart_rsa.finish = sc_finish;
return &smart_rsa;
}
/* This internal function is used by ENGINE_openssl() and possibly by the
* "dynamic" ENGINE support too */
static int bind_helper(ENGINE *e)
{
if(!ENGINE_set_id(e, engine_openssl_id)
|| !ENGINE_set_name(e, engine_openssl_name)
#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
#ifndef OPENSSL_NO_RSA
|| !ENGINE_set_RSA(e, RSA_get_default_method())
#endif
#ifndef OPENSSL_NO_DSA
|| !ENGINE_set_DSA(e, DSA_get_default_method())
#endif
#ifndef OPENSSL_NO_ECDH
|| !ENGINE_set_ECDH(e, ECDH_OpenSSL())
#endif
#ifndef OPENSSL_NO_ECDSA
|| !ENGINE_set_ECDSA(e, ECDSA_OpenSSL())
#endif
#ifndef OPENSSL_NO_DH
|| !ENGINE_set_DH(e, DH_get_default_method())
#endif
|| !ENGINE_set_RAND(e, RAND_SSLeay())
#ifdef TEST_ENG_OPENSSL_RC4
|| !ENGINE_set_ciphers(e, openssl_ciphers)
#endif
#ifdef TEST_ENG_OPENSSL_SHA
|| !ENGINE_set_digests(e, openssl_digests)
#endif
#endif
//MS:
#ifndef OPENSSL_NO_STDIO
#ifdef TEST_ENG_OPENSSL_PKEY
|| !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
#endif
#endif
)
return 0;
/* If we add errors to this ENGINE, ensure the error handling is setup here */
/* openssl_load_error_strings(); */
return 1;
}
RSA *RSA_new_method(ENGINE *engine)
{
RSA *ret;
ret=(RSA *)OPENSSL_malloc(sizeof(RSA));
if (ret == NULL)
{
RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->meth = RSA_get_default_method();
#ifndef OPENSSL_NO_ENGINE
if (engine)
{
if (!ENGINE_init(engine))
{
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
OPENSSL_free(ret);
return NULL;
}
ret->engine = engine;
}
else
ret->engine = ENGINE_get_default_RSA();
if(ret->engine)
{
ret->meth = ENGINE_get_RSA(ret->engine);
if(!ret->meth)
{
RSAerr(RSA_F_RSA_NEW_METHOD,
ERR_R_ENGINE_LIB);
ENGINE_finish(ret->engine);
OPENSSL_free(ret);
return NULL;
}
}
#endif
ret->pad=0;
ret->version=0;
ret->n=NULL;
ret->e=NULL;
ret->d=NULL;
ret->p=NULL;
ret->q=NULL;
ret->dmp1=NULL;
ret->dmq1=NULL;
ret->iqmp=NULL;
ret->references=1;
ret->_method_mod_n=NULL;
ret->_method_mod_p=NULL;
ret->_method_mod_q=NULL;
ret->blinding=NULL;
ret->mt_blinding=NULL;
ret->bignum_data=NULL;
ret->flags=ret->meth->flags;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
if ((ret->meth->init != NULL) && !ret->meth->init(ret))
{
#ifndef OPENSSL_NO_ENGINE
if (ret->engine)
ENGINE_finish(ret->engine);
#endif
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
OPENSSL_free(ret);
ret=NULL;
}
return(ret);
}
PKCS11H_BOOL
_pkcs11h_openssl_initialize (void) {
PKCS11H_BOOL ret = FALSE;
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
"PKCS#11: _pkcs11h_openssl_initialize - entered"
);
#ifndef OPENSSL_NO_RSA
if (__openssl_methods.rsa != NULL) {
RSA_meth_free (__openssl_methods.rsa);
}
if ((__openssl_methods.rsa = RSA_meth_dup (RSA_get_default_method ())) == NULL) {
goto cleanup;
}
RSA_meth_set1_name (__openssl_methods.rsa, "pkcs11h");
RSA_meth_set_priv_dec (__openssl_methods.rsa, __pkcs11h_openssl_rsa_dec);
RSA_meth_set_priv_enc (__openssl_methods.rsa, __pkcs11h_openssl_rsa_enc);
RSA_meth_set_flags (__openssl_methods.rsa, RSA_METHOD_FLAG_NO_CHECK | RSA_FLAG_EXT_PKEY);
__openssl_methods.rsa_index = RSA_get_ex_new_index (
0,
"pkcs11h",
NULL,
__pkcs11h_openssl_ex_data_dup,
__pkcs11h_openssl_ex_data_free
);
#endif
#ifndef OPENSSL_NO_DSA
if (__openssl_methods.dsa != NULL) {
DSA_meth_free (__openssl_methods.dsa);
}
__openssl_methods.dsa = DSA_meth_dup (DSA_get_default_method ());
DSA_meth_set1_name (__openssl_methods.dsa, "pkcs11h");
DSA_meth_set_sign (__openssl_methods.dsa, __pkcs11h_openssl_dsa_do_sign);
__openssl_methods.dsa_index = DSA_get_ex_new_index (
0,
"pkcs11h",
NULL,
__pkcs11h_openssl_ex_data_dup,
__pkcs11h_openssl_ex_data_free
);
#endif
#ifdef __ENABLE_EC
if (__openssl_methods.ecdsa != NULL) {
ECDSA_METHOD_free(__openssl_methods.ecdsa);
}
__openssl_methods.ecdsa = ECDSA_METHOD_new ((ECDSA_METHOD *)ECDSA_get_default_method ());
ECDSA_METHOD_set_name(__openssl_methods.ecdsa, "pkcs11h");
ECDSA_METHOD_set_sign(__openssl_methods.ecdsa, __pkcs11h_openssl_ecdsa_do_sign);
__openssl_methods.ecdsa_index = ECDSA_get_ex_new_index (
0,
"pkcs11h",
NULL,
__pkcs11h_openssl_ex_data_dup,
__pkcs11h_openssl_ex_data_free
);
#endif
ret = TRUE;
cleanup:
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
"PKCS#11: _pkcs11h_openssl_initialize - return %d",
ret
);
return ret;
}