1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2 * project 2006.
3 */
4 /* ====================================================================
5 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com). */
55
56 #include <openssl/evp.h>
57
58 #include <limits.h>
59 #include <string.h>
60
61 #include <openssl/bn.h>
62 #include <openssl/buf.h>
63 #include <openssl/bytestring.h>
64 #include <openssl/digest.h>
65 #include <openssl/err.h>
66 #include <openssl/mem.h>
67 #include <openssl/nid.h>
68 #include <openssl/rsa.h>
69
70 #include "../internal.h"
71 #include "../rsa/internal.h"
72 #include "internal.h"
73
74
75 typedef struct {
76 /* Key gen parameters */
77 int nbits;
78 BIGNUM *pub_exp;
79 /* RSA padding mode */
80 int pad_mode;
81 /* message digest */
82 const EVP_MD *md;
83 /* message digest for MGF1 */
84 const EVP_MD *mgf1md;
85 /* PSS salt length */
86 int saltlen;
87 /* tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
88 * It's used to store the output of RSA operations. */
89 uint8_t *tbuf;
90 /* OAEP label */
91 uint8_t *oaep_label;
92 size_t oaep_labellen;
93 } RSA_PKEY_CTX;
94
pkey_rsa_init(EVP_PKEY_CTX * ctx)95 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
96 RSA_PKEY_CTX *rctx;
97 rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
98 if (!rctx) {
99 return 0;
100 }
101 OPENSSL_memset(rctx, 0, sizeof(RSA_PKEY_CTX));
102
103 rctx->nbits = 2048;
104 rctx->pad_mode = RSA_PKCS1_PADDING;
105 rctx->saltlen = -2;
106
107 ctx->data = rctx;
108
109 return 1;
110 }
111
pkey_rsa_copy(EVP_PKEY_CTX * dst,EVP_PKEY_CTX * src)112 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
113 RSA_PKEY_CTX *dctx, *sctx;
114 if (!pkey_rsa_init(dst)) {
115 return 0;
116 }
117 sctx = src->data;
118 dctx = dst->data;
119 dctx->nbits = sctx->nbits;
120 if (sctx->pub_exp) {
121 dctx->pub_exp = BN_dup(sctx->pub_exp);
122 if (!dctx->pub_exp) {
123 return 0;
124 }
125 }
126
127 dctx->pad_mode = sctx->pad_mode;
128 dctx->md = sctx->md;
129 dctx->mgf1md = sctx->mgf1md;
130 if (sctx->oaep_label) {
131 OPENSSL_free(dctx->oaep_label);
132 dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen);
133 if (!dctx->oaep_label) {
134 return 0;
135 }
136 dctx->oaep_labellen = sctx->oaep_labellen;
137 }
138
139 return 1;
140 }
141
pkey_rsa_cleanup(EVP_PKEY_CTX * ctx)142 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) {
143 RSA_PKEY_CTX *rctx = ctx->data;
144
145 if (rctx == NULL) {
146 return;
147 }
148
149 BN_free(rctx->pub_exp);
150 OPENSSL_free(rctx->tbuf);
151 OPENSSL_free(rctx->oaep_label);
152 OPENSSL_free(rctx);
153 }
154
setup_tbuf(RSA_PKEY_CTX * ctx,EVP_PKEY_CTX * pk)155 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) {
156 if (ctx->tbuf) {
157 return 1;
158 }
159 ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
160 if (!ctx->tbuf) {
161 return 0;
162 }
163 return 1;
164 }
165
pkey_rsa_sign(EVP_PKEY_CTX * ctx,uint8_t * sig,size_t * siglen,const uint8_t * tbs,size_t tbslen)166 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
167 const uint8_t *tbs, size_t tbslen) {
168 RSA_PKEY_CTX *rctx = ctx->data;
169 RSA *rsa = ctx->pkey->pkey.rsa;
170 const size_t key_len = EVP_PKEY_size(ctx->pkey);
171
172 if (!sig) {
173 *siglen = key_len;
174 return 1;
175 }
176
177 if (*siglen < key_len) {
178 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
179 return 0;
180 }
181
182 if (rctx->md) {
183 unsigned int out_len;
184
185 if (tbslen != EVP_MD_size(rctx->md)) {
186 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_LENGTH);
187 return 0;
188 }
189
190 if (EVP_MD_type(rctx->md) == NID_mdc2) {
191 OPENSSL_PUT_ERROR(EVP, EVP_R_NO_MDC2_SUPPORT);
192 return 0;
193 }
194
195 switch (rctx->pad_mode) {
196 case RSA_PKCS1_PADDING:
197 if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) {
198 return 0;
199 }
200 *siglen = out_len;
201 return 1;
202
203 case RSA_PKCS1_PSS_PADDING:
204 if (!setup_tbuf(rctx, ctx) ||
205 !RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf, tbs, rctx->md,
206 rctx->mgf1md, rctx->saltlen) ||
207 !RSA_sign_raw(rsa, siglen, sig, *siglen, rctx->tbuf, key_len,
208 RSA_NO_PADDING)) {
209 return 0;
210 }
211 return 1;
212
213 default:
214 return 0;
215 }
216 }
217
218 return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode);
219 }
220
pkey_rsa_verify(EVP_PKEY_CTX * ctx,const uint8_t * sig,size_t siglen,const uint8_t * tbs,size_t tbslen)221 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,
222 size_t siglen, const uint8_t *tbs,
223 size_t tbslen) {
224 RSA_PKEY_CTX *rctx = ctx->data;
225 RSA *rsa = ctx->pkey->pkey.rsa;
226 size_t rslen;
227 const size_t key_len = EVP_PKEY_size(ctx->pkey);
228
229 if (rctx->md) {
230 switch (rctx->pad_mode) {
231 case RSA_PKCS1_PADDING:
232 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa);
233
234 case RSA_PKCS1_PSS_PADDING:
235 if (tbslen != EVP_MD_size(rctx->md)) {
236 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_LENGTH);
237 return 0;
238 }
239
240 if (!setup_tbuf(rctx, ctx) ||
241 !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,
242 RSA_NO_PADDING) ||
243 !RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, rctx->mgf1md,
244 rctx->tbuf, rctx->saltlen)) {
245 return 0;
246 }
247 return 1;
248
249 default:
250 return 0;
251 }
252 }
253
254 if (!setup_tbuf(rctx, ctx) ||
255 !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,
256 rctx->pad_mode) ||
257 rslen != tbslen ||
258 CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) {
259 return 0;
260 }
261
262 return 1;
263 }
264
pkey_rsa_verify_recover(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * out_len,const uint8_t * sig,size_t sig_len)265 static int pkey_rsa_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,
266 size_t *out_len, const uint8_t *sig,
267 size_t sig_len) {
268 RSA_PKEY_CTX *rctx = ctx->data;
269 RSA *rsa = ctx->pkey->pkey.rsa;
270 const size_t key_len = EVP_PKEY_size(ctx->pkey);
271
272 if (out == NULL) {
273 *out_len = key_len;
274 return 1;
275 }
276
277 if (*out_len < key_len) {
278 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
279 return 0;
280 }
281
282 if (!setup_tbuf(rctx, ctx)) {
283 return 0;
284 }
285
286 if (rctx->md == NULL) {
287 const int ret = RSA_public_decrypt(sig_len, sig, rctx->tbuf,
288 ctx->pkey->pkey.rsa, rctx->pad_mode);
289 if (ret < 0) {
290 return 0;
291 }
292 *out_len = ret;
293 OPENSSL_memcpy(out, rctx->tbuf, *out_len);
294 return 1;
295 }
296
297 if (rctx->pad_mode != RSA_PKCS1_PADDING) {
298 return 0;
299 }
300
301 uint8_t *asn1_prefix;
302 size_t asn1_prefix_len;
303 int asn1_prefix_allocated;
304 if (!RSA_add_pkcs1_prefix(&asn1_prefix, &asn1_prefix_len,
305 &asn1_prefix_allocated, EVP_MD_type(rctx->md), NULL,
306 0)) {
307 return 0;
308 }
309
310 size_t rslen;
311 int ok = 1;
312 if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len,
313 RSA_PKCS1_PADDING) ||
314 rslen < asn1_prefix_len ||
315 CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len) != 0) {
316 ok = 0;
317 }
318
319 if (asn1_prefix_allocated) {
320 OPENSSL_free(asn1_prefix);
321 }
322
323 if (!ok) {
324 return 0;
325 }
326
327 const size_t result_len = rslen - asn1_prefix_len;
328 if (result_len != EVP_MD_size(rctx->md)) {
329 return 0;
330 }
331
332 if (out != NULL) {
333 OPENSSL_memcpy(out, rctx->tbuf + asn1_prefix_len, result_len);
334 }
335 *out_len = result_len;
336
337 return 1;
338 }
339
pkey_rsa_encrypt(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * outlen,const uint8_t * in,size_t inlen)340 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
341 const uint8_t *in, size_t inlen) {
342 RSA_PKEY_CTX *rctx = ctx->data;
343 RSA *rsa = ctx->pkey->pkey.rsa;
344 const size_t key_len = EVP_PKEY_size(ctx->pkey);
345
346 if (!out) {
347 *outlen = key_len;
348 return 1;
349 }
350
351 if (*outlen < key_len) {
352 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
353 return 0;
354 }
355
356 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
357 if (!setup_tbuf(rctx, ctx) ||
358 !RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen,
359 rctx->oaep_label, rctx->oaep_labellen,
360 rctx->md, rctx->mgf1md) ||
361 !RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len,
362 RSA_NO_PADDING)) {
363 return 0;
364 }
365 return 1;
366 }
367
368 return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode);
369 }
370
pkey_rsa_decrypt(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * outlen,const uint8_t * in,size_t inlen)371 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
372 size_t *outlen, const uint8_t *in,
373 size_t inlen) {
374 RSA_PKEY_CTX *rctx = ctx->data;
375 RSA *rsa = ctx->pkey->pkey.rsa;
376 const size_t key_len = EVP_PKEY_size(ctx->pkey);
377
378 if (!out) {
379 *outlen = key_len;
380 return 1;
381 }
382
383 if (*outlen < key_len) {
384 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
385 return 0;
386 }
387
388 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
389 size_t plaintext_len;
390 int message_len;
391
392 if (!setup_tbuf(rctx, ctx) ||
393 !RSA_decrypt(rsa, &plaintext_len, rctx->tbuf, key_len, in, inlen,
394 RSA_NO_PADDING)) {
395 return 0;
396 }
397
398 message_len = RSA_padding_check_PKCS1_OAEP_mgf1(
399 out, key_len, rctx->tbuf, plaintext_len, rctx->oaep_label,
400 rctx->oaep_labellen, rctx->md, rctx->mgf1md);
401 if (message_len < 0) {
402 return 0;
403 }
404 *outlen = message_len;
405 return 1;
406 }
407
408 return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode);
409 }
410
check_padding_md(const EVP_MD * md,int padding)411 static int check_padding_md(const EVP_MD *md, int padding) {
412 if (!md) {
413 return 1;
414 }
415
416 if (padding == RSA_NO_PADDING) {
417 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
418 return 0;
419 }
420
421 return 1;
422 }
423
is_known_padding(int padding_mode)424 static int is_known_padding(int padding_mode) {
425 switch (padding_mode) {
426 case RSA_PKCS1_PADDING:
427 case RSA_NO_PADDING:
428 case RSA_PKCS1_OAEP_PADDING:
429 case RSA_PKCS1_PSS_PADDING:
430 return 1;
431 default:
432 return 0;
433 }
434 }
435
pkey_rsa_ctrl(EVP_PKEY_CTX * ctx,int type,int p1,void * p2)436 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
437 RSA_PKEY_CTX *rctx = ctx->data;
438 switch (type) {
439 case EVP_PKEY_CTRL_RSA_PADDING:
440 if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) ||
441 (p1 == RSA_PKCS1_PSS_PADDING &&
442 0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) ||
443 (p1 == RSA_PKCS1_OAEP_PADDING &&
444 0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) {
445 OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
446 return 0;
447 }
448 if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) &&
449 rctx->md == NULL) {
450 rctx->md = EVP_sha1();
451 }
452 rctx->pad_mode = p1;
453 return 1;
454
455 case EVP_PKEY_CTRL_GET_RSA_PADDING:
456 *(int *)p2 = rctx->pad_mode;
457 return 1;
458
459 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
460 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
461 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
462 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN);
463 return 0;
464 }
465 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
466 *(int *)p2 = rctx->saltlen;
467 } else {
468 if (p1 < -2) {
469 return 0;
470 }
471 rctx->saltlen = p1;
472 }
473 return 1;
474
475 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
476 if (p1 < 256) {
477 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS);
478 return 0;
479 }
480 rctx->nbits = p1;
481 return 1;
482
483 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
484 if (!p2) {
485 return 0;
486 }
487 BN_free(rctx->pub_exp);
488 rctx->pub_exp = p2;
489 return 1;
490
491 case EVP_PKEY_CTRL_RSA_OAEP_MD:
492 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
493 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
494 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
495 return 0;
496 }
497 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {
498 *(const EVP_MD **)p2 = rctx->md;
499 } else {
500 rctx->md = p2;
501 }
502 return 1;
503
504 case EVP_PKEY_CTRL_MD:
505 if (!check_padding_md(p2, rctx->pad_mode)) {
506 return 0;
507 }
508 rctx->md = p2;
509 return 1;
510
511 case EVP_PKEY_CTRL_GET_MD:
512 *(const EVP_MD **)p2 = rctx->md;
513 return 1;
514
515 case EVP_PKEY_CTRL_RSA_MGF1_MD:
516 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
517 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
518 rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
519 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD);
520 return 0;
521 }
522 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
523 if (rctx->mgf1md) {
524 *(const EVP_MD **)p2 = rctx->mgf1md;
525 } else {
526 *(const EVP_MD **)p2 = rctx->md;
527 }
528 } else {
529 rctx->mgf1md = p2;
530 }
531 return 1;
532
533 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
534 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
535 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
536 return 0;
537 }
538 OPENSSL_free(rctx->oaep_label);
539 if (p2 && p1 > 0) {
540 rctx->oaep_label = p2;
541 rctx->oaep_labellen = p1;
542 } else {
543 rctx->oaep_label = NULL;
544 rctx->oaep_labellen = 0;
545 }
546 return 1;
547
548 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
549 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
550 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
551 return 0;
552 }
553 CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);
554 return 1;
555
556 default:
557 OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
558 return 0;
559 }
560 }
561
pkey_rsa_keygen(EVP_PKEY_CTX * ctx,EVP_PKEY * pkey)562 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
563 RSA *rsa = NULL;
564 RSA_PKEY_CTX *rctx = ctx->data;
565
566 if (!rctx->pub_exp) {
567 rctx->pub_exp = BN_new();
568 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) {
569 return 0;
570 }
571 }
572 rsa = RSA_new();
573 if (!rsa) {
574 return 0;
575 }
576
577 if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL)) {
578 RSA_free(rsa);
579 return 0;
580 }
581
582 EVP_PKEY_assign_RSA(pkey, rsa);
583 return 1;
584 }
585
586 const EVP_PKEY_METHOD rsa_pkey_meth = {
587 EVP_PKEY_RSA,
588 pkey_rsa_init,
589 pkey_rsa_copy,
590 pkey_rsa_cleanup,
591 pkey_rsa_keygen,
592 pkey_rsa_sign,
593 pkey_rsa_verify,
594 pkey_rsa_verify_recover,
595 pkey_rsa_encrypt,
596 pkey_rsa_decrypt,
597 0 /* derive */,
598 pkey_rsa_ctrl,
599 };
600
EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX * ctx,int padding)601 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) {
602 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING,
603 padding, NULL);
604 }
605
EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX * ctx,int * out_padding)606 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) {
607 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,
608 0, out_padding);
609 }
610
EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int salt_len)611 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
612 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
613 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
614 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL);
615 }
616
EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int * out_salt_len)617 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) {
618 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
619 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
620 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len);
621 }
622
EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX * ctx,int bits)623 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) {
624 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
625 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL);
626 }
627
EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX * ctx,BIGNUM * e)628 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) {
629 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
630 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e);
631 }
632
EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)633 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
634 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
635 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);
636 }
637
EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD ** out_md)638 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
639 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
640 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void*) out_md);
641 }
642
EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)643 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
644 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
645 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
646 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void*) md);
647 }
648
EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD ** out_md)649 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
650 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
651 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
652 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void*) out_md);
653 }
654
EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX * ctx,uint8_t * label,size_t label_len)655 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label,
656 size_t label_len) {
657 if (label_len > INT_MAX) {
658 return 0;
659 }
660
661 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
662 EVP_PKEY_CTRL_RSA_OAEP_LABEL, (int)label_len,
663 (void *)label);
664 }
665
EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX * ctx,const uint8_t ** out_label)666 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
667 const uint8_t **out_label) {
668 CBS label;
669 if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
670 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {
671 return -1;
672 }
673 if (CBS_len(&label) > INT_MAX) {
674 OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
675 return -1;
676 }
677 *out_label = CBS_data(&label);
678 return (int)CBS_len(&label);
679 }
680