1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2  * project 2006.
3  */
4 /* ====================================================================
5  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com). */
55 
56 #include <openssl/evp.h>
57 
58 #include <limits.h>
59 #include <string.h>
60 
61 #include <openssl/bn.h>
62 #include <openssl/buf.h>
63 #include <openssl/bytestring.h>
64 #include <openssl/digest.h>
65 #include <openssl/err.h>
66 #include <openssl/mem.h>
67 #include <openssl/obj.h>
68 #include <openssl/rsa.h>
69 
70 #include "../rsa/internal.h"
71 #include "internal.h"
72 
73 
74 typedef struct {
75   /* Key gen parameters */
76   int nbits;
77   BIGNUM *pub_exp;
78   /* RSA padding mode */
79   int pad_mode;
80   /* message digest */
81   const EVP_MD *md;
82   /* message digest for MGF1 */
83   const EVP_MD *mgf1md;
84   /* PSS salt length */
85   int saltlen;
86   /* tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
87    * It's used to store the output of RSA operations. */
88   uint8_t *tbuf;
89   /* OAEP label */
90   uint8_t *oaep_label;
91   size_t oaep_labellen;
92 } RSA_PKEY_CTX;
93 
pkey_rsa_init(EVP_PKEY_CTX * ctx)94 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
95   RSA_PKEY_CTX *rctx;
96   rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
97   if (!rctx) {
98     return 0;
99   }
100   memset(rctx, 0, sizeof(RSA_PKEY_CTX));
101 
102   rctx->nbits = 2048;
103   rctx->pad_mode = RSA_PKCS1_PADDING;
104   rctx->saltlen = -2;
105 
106   ctx->data = rctx;
107 
108   return 1;
109 }
110 
pkey_rsa_copy(EVP_PKEY_CTX * dst,EVP_PKEY_CTX * src)111 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
112   RSA_PKEY_CTX *dctx, *sctx;
113   if (!pkey_rsa_init(dst)) {
114     return 0;
115   }
116   sctx = src->data;
117   dctx = dst->data;
118   dctx->nbits = sctx->nbits;
119   if (sctx->pub_exp) {
120     dctx->pub_exp = BN_dup(sctx->pub_exp);
121     if (!dctx->pub_exp) {
122       return 0;
123     }
124   }
125 
126   dctx->pad_mode = sctx->pad_mode;
127   dctx->md = sctx->md;
128   dctx->mgf1md = sctx->mgf1md;
129   if (sctx->oaep_label) {
130     OPENSSL_free(dctx->oaep_label);
131     dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen);
132     if (!dctx->oaep_label) {
133       return 0;
134     }
135     dctx->oaep_labellen = sctx->oaep_labellen;
136   }
137 
138   return 1;
139 }
140 
pkey_rsa_cleanup(EVP_PKEY_CTX * ctx)141 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) {
142   RSA_PKEY_CTX *rctx = ctx->data;
143 
144   if (rctx == NULL) {
145     return;
146   }
147 
148   BN_free(rctx->pub_exp);
149   OPENSSL_free(rctx->tbuf);
150   OPENSSL_free(rctx->oaep_label);
151   OPENSSL_free(rctx);
152 }
153 
setup_tbuf(RSA_PKEY_CTX * ctx,EVP_PKEY_CTX * pk)154 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) {
155   if (ctx->tbuf) {
156     return 1;
157   }
158   ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
159   if (!ctx->tbuf) {
160     return 0;
161   }
162   return 1;
163 }
164 
pkey_rsa_sign(EVP_PKEY_CTX * ctx,uint8_t * sig,size_t * siglen,const uint8_t * tbs,size_t tbslen)165 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
166                          const uint8_t *tbs, size_t tbslen) {
167   RSA_PKEY_CTX *rctx = ctx->data;
168   RSA *rsa = ctx->pkey->pkey.rsa;
169   const size_t key_len = EVP_PKEY_size(ctx->pkey);
170 
171   if (!sig) {
172     *siglen = key_len;
173     return 1;
174   }
175 
176   if (*siglen < key_len) {
177     OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
178     return 0;
179   }
180 
181   if (rctx->md) {
182     unsigned int out_len;
183 
184     if (tbslen != EVP_MD_size(rctx->md)) {
185       OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_LENGTH);
186       return 0;
187     }
188 
189     if (EVP_MD_type(rctx->md) == NID_mdc2) {
190       OPENSSL_PUT_ERROR(EVP, EVP_R_NO_MDC2_SUPPORT);
191       return 0;
192     }
193 
194     switch (rctx->pad_mode) {
195       case RSA_PKCS1_PADDING:
196         if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) {
197           return 0;
198         }
199         *siglen = out_len;
200         return 1;
201 
202       case RSA_PKCS1_PSS_PADDING:
203         if (!setup_tbuf(rctx, ctx) ||
204             !RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf, tbs, rctx->md,
205                                             rctx->mgf1md, rctx->saltlen) ||
206             !RSA_sign_raw(rsa, siglen, sig, *siglen, rctx->tbuf, key_len,
207                           RSA_NO_PADDING)) {
208           return 0;
209         }
210         return 1;
211 
212       default:
213         return 0;
214     }
215   }
216 
217   return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode);
218 }
219 
pkey_rsa_verify(EVP_PKEY_CTX * ctx,const uint8_t * sig,size_t siglen,const uint8_t * tbs,size_t tbslen)220 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,
221                            size_t siglen, const uint8_t *tbs,
222                            size_t tbslen) {
223   RSA_PKEY_CTX *rctx = ctx->data;
224   RSA *rsa = ctx->pkey->pkey.rsa;
225   size_t rslen;
226   const size_t key_len = EVP_PKEY_size(ctx->pkey);
227 
228   if (rctx->md) {
229     switch (rctx->pad_mode) {
230       case RSA_PKCS1_PADDING:
231         return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa);
232 
233       case RSA_PKCS1_PSS_PADDING:
234         if (!setup_tbuf(rctx, ctx) ||
235             !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,
236                             RSA_NO_PADDING) ||
237             !RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, rctx->mgf1md,
238                                        rctx->tbuf, rctx->saltlen)) {
239           return 0;
240         }
241         return 1;
242 
243       default:
244         return 0;
245     }
246   }
247 
248   if (!setup_tbuf(rctx, ctx) ||
249       !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,
250                       rctx->pad_mode) ||
251       rslen != tbslen ||
252       CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) {
253     return 0;
254   }
255 
256   return 1;
257 }
258 
pkey_rsa_encrypt(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * outlen,const uint8_t * in,size_t inlen)259 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
260                             const uint8_t *in, size_t inlen) {
261   RSA_PKEY_CTX *rctx = ctx->data;
262   RSA *rsa = ctx->pkey->pkey.rsa;
263   const size_t key_len = EVP_PKEY_size(ctx->pkey);
264 
265   if (!out) {
266     *outlen = key_len;
267     return 1;
268   }
269 
270   if (*outlen < key_len) {
271     OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
272     return 0;
273   }
274 
275   if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
276     if (!setup_tbuf(rctx, ctx) ||
277         !RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen,
278                                          rctx->oaep_label, rctx->oaep_labellen,
279                                          rctx->md, rctx->mgf1md) ||
280         !RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len,
281                      RSA_NO_PADDING)) {
282       return 0;
283     }
284     return 1;
285   }
286 
287   return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode);
288 }
289 
pkey_rsa_decrypt(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * outlen,const uint8_t * in,size_t inlen)290 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
291                             size_t *outlen, const uint8_t *in,
292                             size_t inlen) {
293   RSA_PKEY_CTX *rctx = ctx->data;
294   RSA *rsa = ctx->pkey->pkey.rsa;
295   const size_t key_len = EVP_PKEY_size(ctx->pkey);
296 
297   if (!out) {
298     *outlen = key_len;
299     return 1;
300   }
301 
302   if (*outlen < key_len) {
303     OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
304     return 0;
305   }
306 
307   if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
308     size_t plaintext_len;
309     int message_len;
310 
311     if (!setup_tbuf(rctx, ctx) ||
312         !RSA_decrypt(rsa, &plaintext_len, rctx->tbuf, key_len, in, inlen,
313                      RSA_NO_PADDING)) {
314       return 0;
315     }
316 
317     message_len = RSA_padding_check_PKCS1_OAEP_mgf1(
318         out, key_len, rctx->tbuf, plaintext_len, rctx->oaep_label,
319         rctx->oaep_labellen, rctx->md, rctx->mgf1md);
320     if (message_len < 0) {
321       return 0;
322     }
323     *outlen = message_len;
324     return 1;
325   }
326 
327   return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode);
328 }
329 
check_padding_md(const EVP_MD * md,int padding)330 static int check_padding_md(const EVP_MD *md, int padding) {
331   if (!md) {
332     return 1;
333   }
334 
335   if (padding == RSA_NO_PADDING) {
336     OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
337     return 0;
338   }
339 
340   return 1;
341 }
342 
is_known_padding(int padding_mode)343 static int is_known_padding(int padding_mode) {
344   switch (padding_mode) {
345     case RSA_PKCS1_PADDING:
346     case RSA_NO_PADDING:
347     case RSA_PKCS1_OAEP_PADDING:
348     case RSA_PKCS1_PSS_PADDING:
349       return 1;
350     default:
351       return 0;
352   }
353 }
354 
pkey_rsa_ctrl(EVP_PKEY_CTX * ctx,int type,int p1,void * p2)355 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
356   RSA_PKEY_CTX *rctx = ctx->data;
357   switch (type) {
358     case EVP_PKEY_CTRL_RSA_PADDING:
359       if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) ||
360           (p1 == RSA_PKCS1_PSS_PADDING &&
361            0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) ||
362           (p1 == RSA_PKCS1_OAEP_PADDING &&
363            0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) {
364         OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
365         return 0;
366       }
367       if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) &&
368           rctx->md == NULL) {
369         rctx->md = EVP_sha1();
370       }
371       rctx->pad_mode = p1;
372       return 1;
373 
374     case EVP_PKEY_CTRL_GET_RSA_PADDING:
375       *(int *)p2 = rctx->pad_mode;
376       return 1;
377 
378     case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
379     case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
380       if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
381         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN);
382         return 0;
383       }
384       if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
385         *(int *)p2 = rctx->saltlen;
386       } else {
387         if (p1 < -2) {
388           return 0;
389         }
390         rctx->saltlen = p1;
391       }
392       return 1;
393 
394     case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
395       if (p1 < 256) {
396         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS);
397         return 0;
398       }
399       rctx->nbits = p1;
400       return 1;
401 
402     case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
403       if (!p2) {
404         return 0;
405       }
406       BN_free(rctx->pub_exp);
407       rctx->pub_exp = p2;
408       return 1;
409 
410     case EVP_PKEY_CTRL_RSA_OAEP_MD:
411     case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
412       if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
413         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
414         return 0;
415       }
416       if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {
417         *(const EVP_MD **)p2 = rctx->md;
418       } else {
419         rctx->md = p2;
420       }
421       return 1;
422 
423     case EVP_PKEY_CTRL_MD:
424       if (!check_padding_md(p2, rctx->pad_mode)) {
425         return 0;
426       }
427       rctx->md = p2;
428       return 1;
429 
430     case EVP_PKEY_CTRL_GET_MD:
431       *(const EVP_MD **)p2 = rctx->md;
432       return 1;
433 
434     case EVP_PKEY_CTRL_RSA_MGF1_MD:
435     case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
436       if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
437           rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
438         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD);
439         return 0;
440       }
441       if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
442         if (rctx->mgf1md) {
443           *(const EVP_MD **)p2 = rctx->mgf1md;
444         } else {
445           *(const EVP_MD **)p2 = rctx->md;
446         }
447       } else {
448         rctx->mgf1md = p2;
449       }
450       return 1;
451 
452     case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
453       if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
454         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
455         return 0;
456       }
457       OPENSSL_free(rctx->oaep_label);
458       if (p2 && p1 > 0) {
459         rctx->oaep_label = p2;
460         rctx->oaep_labellen = p1;
461       } else {
462         rctx->oaep_label = NULL;
463         rctx->oaep_labellen = 0;
464       }
465       return 1;
466 
467     case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
468       if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
469         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
470         return 0;
471       }
472       CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);
473       return 1;
474 
475     default:
476       OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
477       return 0;
478   }
479 }
480 
pkey_rsa_keygen(EVP_PKEY_CTX * ctx,EVP_PKEY * pkey)481 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
482   RSA *rsa = NULL;
483   RSA_PKEY_CTX *rctx = ctx->data;
484 
485   if (!rctx->pub_exp) {
486     rctx->pub_exp = BN_new();
487     if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) {
488       return 0;
489     }
490   }
491   rsa = RSA_new();
492   if (!rsa) {
493     return 0;
494   }
495 
496   if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL)) {
497     RSA_free(rsa);
498     return 0;
499   }
500 
501   EVP_PKEY_assign_RSA(pkey, rsa);
502   return 1;
503 }
504 
505 const EVP_PKEY_METHOD rsa_pkey_meth = {
506     EVP_PKEY_RSA,         0 /* flags */,        pkey_rsa_init,
507     pkey_rsa_copy,        pkey_rsa_cleanup,     0 /* paramgen_init */,
508     0 /* paramgen */,     0 /* keygen_init */,  pkey_rsa_keygen,
509     0 /* sign_init */,    pkey_rsa_sign,        0 /* verify_init */,
510     pkey_rsa_verify,      0 /* encrypt_init */, pkey_rsa_encrypt,
511     0 /* decrypt_init */, pkey_rsa_decrypt,     0 /* derive_init */,
512     0 /* derive */,       pkey_rsa_ctrl,
513 };
514 
EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX * ctx,int padding)515 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) {
516   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING,
517                            padding, NULL);
518 }
519 
EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX * ctx,int * out_padding)520 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) {
521   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,
522                            0, out_padding);
523 }
524 
EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int salt_len)525 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
526   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
527                            (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
528                            EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL);
529 }
530 
EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int * out_salt_len)531 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) {
532   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
533                            (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
534                            EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len);
535 }
536 
EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX * ctx,int bits)537 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) {
538   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
539                            EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL);
540 }
541 
EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX * ctx,BIGNUM * e)542 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) {
543   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
544                            EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e);
545 }
546 
EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)547 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
548   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
549                            EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);
550 }
551 
EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD ** out_md)552 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
553   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
554                            EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void*) out_md);
555 }
556 
EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)557 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
558   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
559                            EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
560                            EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void*) md);
561 }
562 
EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD ** out_md)563 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
564   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
565                            EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
566                            EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void*) out_md);
567 }
568 
EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX * ctx,const uint8_t * label,size_t label_len)569 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, const uint8_t *label,
570                                      size_t label_len) {
571   int label_len_int = label_len;
572   if (((size_t) label_len_int) != label_len) {
573     return 0;
574   }
575 
576   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
577                            EVP_PKEY_CTRL_RSA_OAEP_LABEL, label_len,
578                            (void *)label);
579 }
580 
EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX * ctx,const uint8_t ** out_label)581 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
582                                      const uint8_t **out_label) {
583   CBS label;
584   if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
585                          EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {
586     return -1;
587   }
588   if (CBS_len(&label) > INT_MAX) {
589     OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
590     return -1;
591   }
592   *out_label = CBS_data(&label);
593   return (int)CBS_len(&label);
594 }
595