2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/crypto.h>
12 #include <openssl/core_names.h>
13 #include <openssl/engine.h>
14 #include <openssl/evp.h>
15 #include "internal/cryptlib.h"
16 #include "internal/refcount.h"
17 #include "crypto/bn.h"
18 #include "crypto/evp.h"
19 #include "crypto/rsa.h"
20 #include "rsa_local.h"
22 static RSA *rsa_new_intern(ENGINE *engine, OPENSSL_CTX *libctx);
27 return rsa_new_intern(NULL, NULL);
30 const RSA_METHOD *RSA_get_method(const RSA *rsa)
35 int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
38 * NB: The caller is specifically setting a method, so it's not up to us
39 * to deal with which ENGINE it comes from.
41 const RSA_METHOD *mtmp;
45 #ifndef OPENSSL_NO_ENGINE
46 ENGINE_finish(rsa->engine);
55 RSA *RSA_new_method(ENGINE *engine)
57 return rsa_new_intern(engine, NULL);
61 RSA *rsa_new_with_ctx(OPENSSL_CTX *libctx)
63 return rsa_new_intern(NULL, libctx);
66 static RSA *rsa_new_intern(ENGINE *engine, OPENSSL_CTX *libctx)
68 RSA *ret = OPENSSL_zalloc(sizeof(*ret));
71 RSAerr(0, ERR_R_MALLOC_FAILURE);
76 ret->lock = CRYPTO_THREAD_lock_new();
77 if (ret->lock == NULL) {
78 RSAerr(0, ERR_R_MALLOC_FAILURE);
84 ret->meth = RSA_get_default_method();
85 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
86 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
88 if (!ENGINE_init(engine)) {
89 RSAerr(0, ERR_R_ENGINE_LIB);
94 ret->engine = ENGINE_get_default_RSA();
97 ret->meth = ENGINE_get_RSA(ret->engine);
98 if (ret->meth == NULL) {
99 RSAerr(0, ERR_R_ENGINE_LIB);
105 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
107 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
112 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
113 RSAerr(0, ERR_R_INIT_FAIL);
124 void RSA_free(RSA *r)
131 CRYPTO_DOWN_REF(&r->references, &i, r->lock);
132 REF_PRINT_COUNT("RSA", r);
135 REF_ASSERT_ISNT(i < 0);
137 if (r->meth != NULL && r->meth->finish != NULL)
139 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
140 ENGINE_finish(r->engine);
144 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
147 CRYPTO_THREAD_lock_free(r->lock);
154 BN_clear_free(r->dmp1);
155 BN_clear_free(r->dmq1);
156 BN_clear_free(r->iqmp);
157 /* TODO(3.0): Support PSS in FIPS_MODE */
159 RSA_PSS_PARAMS_free(r->pss);
160 sk_RSA_PRIME_INFO_pop_free(r->prime_infos, rsa_multip_info_free);
162 BN_BLINDING_free(r->blinding);
163 BN_BLINDING_free(r->mt_blinding);
164 OPENSSL_free(r->bignum_data);
168 int RSA_up_ref(RSA *r)
172 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0)
175 REF_PRINT_COUNT("RSA", r);
176 REF_ASSERT_ISNT(i < 2);
177 return i > 1 ? 1 : 0;
181 int RSA_set_ex_data(RSA *r, int idx, void *arg)
183 return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
186 void *RSA_get_ex_data(const RSA *r, int idx)
188 return CRYPTO_get_ex_data(&r->ex_data, idx);
193 * Define a scaling constant for our fixed point arithmetic.
194 * This value must be a power of two because the base two logarithm code
195 * makes this assumption. The exponent must also be a multiple of three so
196 * that the scale factor has an exact cube root. Finally, the scale factor
197 * should not be so large that a multiplication of two scaled numbers
198 * overflows a 64 bit unsigned integer.
200 static const unsigned int scale = 1 << 18;
201 static const unsigned int cbrt_scale = 1 << (2 * 18 / 3);
203 /* Define some constants, none exceed 32 bits */
204 static const unsigned int log_2 = 0x02c5c8; /* scale * log(2) */
205 static const unsigned int log_e = 0x05c551; /* scale * log2(M_E) */
206 static const unsigned int c1_923 = 0x07b126; /* scale * 1.923 */
207 static const unsigned int c4_690 = 0x12c28f; /* scale * 4.690 */
210 * Multiply two scaled integers together and rescale the result.
212 static ossl_inline uint64_t mul2(uint64_t a, uint64_t b)
214 return a * b / scale;
218 * Calculate the cube root of a 64 bit scaled integer.
219 * Although the cube root of a 64 bit number does fit into a 32 bit unsigned
220 * integer, this is not guaranteed after scaling, so this function has a
221 * 64 bit return. This uses the shifting nth root algorithm with some
222 * algebraic simplifications.
224 static uint64_t icbrt64(uint64_t x)
230 for (s = 63; s >= 0; s -= 3) {
232 b = 3 * r * (r + 1) + 1;
238 return r * cbrt_scale;
242 * Calculate the natural logarithm of a 64 bit scaled integer.
243 * This is done by calculating a base two logarithm and scaling.
244 * The maximum logarithm (base 2) is 64 and this reduces base e, so
245 * a 32 bit result should not overflow. The argument passed must be
246 * greater than unity so we don't need to handle negative results.
248 static uint32_t ilog_e(uint64_t v)
253 * Scale down the value into the range 1 .. 2.
255 * If fractional numbers need to be processed, another loop needs
256 * to go here that checks v < scale and if so multiplies it by 2 and
257 * reduces r by scale. This also means making r signed.
259 while (v >= 2 * scale) {
263 for (i = scale / 2; i != 0; i /= 2) {
265 if (v >= 2 * scale) {
270 r = (r * (uint64_t)scale) / log_e;
275 * NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC
278 * E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)}
279 * \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)}
280 * The two cube roots are merged together here.
282 uint16_t rsa_compute_security_bits(int n)
288 /* Look for common values as listed in SP 800-56B rev 2 Appendix D */
302 * The first incorrect result (i.e. not accurate or off by one low) occurs
303 * for n = 699668. The true value here is 1200. Instead of using this n
304 * as the check threshold, the smallest n such that the correct result is
305 * 1200 is used instead.
312 x = n * (uint64_t)log_2;
314 y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690)
319 int RSA_security_bits(const RSA *rsa)
321 int bits = BN_num_bits(rsa->n);
324 if (rsa->version == RSA_ASN1_VERSION_MULTI) {
325 /* This ought to mean that we have private key at hand. */
326 int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos);
328 if (ex_primes <= 0 || (ex_primes + 2) > rsa_multip_cap(bits))
332 return rsa_compute_security_bits(bits);
335 int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
337 /* If the fields n and e in r are NULL, the corresponding input
338 * parameters MUST be non-NULL for n and e. d may be
339 * left NULL (in case only the public key is used).
341 if ((r->n == NULL && n == NULL)
342 || (r->e == NULL && e == NULL))
356 BN_set_flags(r->d, BN_FLG_CONSTTIME);
363 int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
365 /* If the fields p and q in r are NULL, the corresponding input
366 * parameters MUST be non-NULL.
368 if ((r->p == NULL && p == NULL)
369 || (r->q == NULL && q == NULL))
375 BN_set_flags(r->p, BN_FLG_CONSTTIME);
380 BN_set_flags(r->q, BN_FLG_CONSTTIME);
387 int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
389 /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
390 * parameters MUST be non-NULL.
392 if ((r->dmp1 == NULL && dmp1 == NULL)
393 || (r->dmq1 == NULL && dmq1 == NULL)
394 || (r->iqmp == NULL && iqmp == NULL))
398 BN_clear_free(r->dmp1);
400 BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
403 BN_clear_free(r->dmq1);
405 BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
408 BN_clear_free(r->iqmp);
410 BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
419 * Is it better to export RSA_PRIME_INFO structure
420 * and related functions to let user pass a triplet?
422 int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
423 BIGNUM *coeffs[], int pnum)
425 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL;
426 RSA_PRIME_INFO *pinfo;
429 if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0)
432 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
433 if (prime_infos == NULL)
436 if (r->prime_infos != NULL)
437 old = r->prime_infos;
439 for (i = 0; i < pnum; i++) {
440 pinfo = rsa_multip_info_new();
443 if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
444 BN_clear_free(pinfo->r);
445 BN_clear_free(pinfo->d);
446 BN_clear_free(pinfo->t);
447 pinfo->r = primes[i];
449 pinfo->t = coeffs[i];
450 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
451 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
452 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
454 rsa_multip_info_free(pinfo);
457 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
460 r->prime_infos = prime_infos;
462 if (!rsa_multip_calc_product(r)) {
463 r->prime_infos = old;
469 * This is hard to deal with, since the old infos could
470 * also be set by this function and r, d, t should not
471 * be freed in that case. So currently, stay consistent
472 * with other *set0* functions: just free it...
474 sk_RSA_PRIME_INFO_pop_free(old, rsa_multip_info_free);
477 r->version = RSA_ASN1_VERSION_MULTI;
482 /* r, d, t should not be freed */
483 sk_RSA_PRIME_INFO_pop_free(prime_infos, rsa_multip_info_free_ex);
488 void RSA_get0_key(const RSA *r,
489 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
499 void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
508 int RSA_get_multi_prime_extra_count(const RSA *r)
512 pnum = sk_RSA_PRIME_INFO_num(r->prime_infos);
518 int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[])
521 RSA_PRIME_INFO *pinfo;
523 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
527 * return other primes
528 * it's caller's responsibility to allocate oth_primes[pnum]
530 for (i = 0; i < pnum; i++) {
531 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
532 primes[i] = pinfo->r;
539 void RSA_get0_crt_params(const RSA *r,
540 const BIGNUM **dmp1, const BIGNUM **dmq1,
552 int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[],
553 const BIGNUM *coeffs[])
557 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
560 /* return other primes */
561 if (exps != NULL || coeffs != NULL) {
562 RSA_PRIME_INFO *pinfo;
565 /* it's the user's job to guarantee the buffer length */
566 for (i = 0; i < pnum; i++) {
567 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
571 coeffs[i] = pinfo->t;
579 const BIGNUM *RSA_get0_n(const RSA *r)
584 const BIGNUM *RSA_get0_e(const RSA *r)
589 const BIGNUM *RSA_get0_d(const RSA *r)
594 const BIGNUM *RSA_get0_p(const RSA *r)
599 const BIGNUM *RSA_get0_q(const RSA *r)
604 const BIGNUM *RSA_get0_dmp1(const RSA *r)
609 const BIGNUM *RSA_get0_dmq1(const RSA *r)
614 const BIGNUM *RSA_get0_iqmp(const RSA *r)
619 /* TODO(3.0): Temporary until we move PSS support into the FIPS module */
621 const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r)
627 void RSA_clear_flags(RSA *r, int flags)
632 int RSA_test_flags(const RSA *r, int flags)
634 return r->flags & flags;
637 void RSA_set_flags(RSA *r, int flags)
642 int RSA_get_version(RSA *r)
644 /* { two-prime(0), multi(1) } */
649 ENGINE *RSA_get0_engine(const RSA *r)
654 int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2)
656 /* If key type not RSA or RSA-PSS return error */
657 if (ctx != NULL && ctx->pmeth != NULL
658 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
659 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
661 return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2);
665 DEFINE_STACK_OF(BIGNUM)
667 int rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
668 const STACK_OF(BIGNUM) *exps,
669 const STACK_OF(BIGNUM) *coeffs)
672 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL;
676 if (primes == NULL || exps == NULL || coeffs == NULL)
679 pnum = sk_BIGNUM_num(primes);
681 || pnum != sk_BIGNUM_num(exps)
682 || pnum != sk_BIGNUM_num(coeffs) + 1)
685 if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0),
686 sk_BIGNUM_value(primes, 1))
687 || !RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0),
688 sk_BIGNUM_value(exps, 1),
689 sk_BIGNUM_value(coeffs, 0)))
693 old_infos = r->prime_infos;
700 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
701 if (prime_infos == NULL)
704 for (i = 2; i < pnum; i++) {
705 BIGNUM *prime = sk_BIGNUM_value(primes, i);
706 BIGNUM *exp = sk_BIGNUM_value(exps, i);
707 BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1);
708 RSA_PRIME_INFO *pinfo = NULL;
710 if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL))
713 /* Using rsa_multip_info_new() is wasteful, so allocate directly */
714 if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) {
715 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
722 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
723 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
724 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
725 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
728 r->prime_infos = prime_infos;
730 if (!rsa_multip_calc_product(r)) {
731 r->prime_infos = old_infos;
740 if (old_infos != NULL) {
742 * This is hard to deal with, since the old infos could
743 * also be set by this function and r, d, t should not
744 * be freed in that case. So currently, stay consistent
745 * with other *set0* functions: just free it...
747 sk_RSA_PRIME_INFO_pop_free(old_infos, rsa_multip_info_free);
751 r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT;
757 /* r, d, t should not be freed */
758 sk_RSA_PRIME_INFO_pop_free(prime_infos, rsa_multip_info_free_ex);
763 DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
765 int rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes,
766 STACK_OF(BIGNUM_const) *exps,
767 STACK_OF(BIGNUM_const) *coeffs)
770 RSA_PRIME_INFO *pinfo;
777 sk_BIGNUM_const_push(primes, RSA_get0_p(r));
778 sk_BIGNUM_const_push(primes, RSA_get0_q(r));
779 sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r));
780 sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r));
781 sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r));
784 pnum = RSA_get_multi_prime_extra_count(r);
785 for (i = 0; i < pnum; i++) {
786 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
787 sk_BIGNUM_const_push(primes, pinfo->r);
788 sk_BIGNUM_const_push(exps, pinfo->d);
789 sk_BIGNUM_const_push(coeffs, pinfo->t);
797 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode)
799 OSSL_PARAM pad_params[2], *p = pad_params;
802 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
803 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
807 /* If key type not RSA or RSA-PSS return error */
808 if (ctx->pmeth != NULL
809 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
810 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
813 /* TODO(3.0): Remove this eventually when no more legacy */
814 if (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
815 || ctx->op.ciph.ciphprovctx == NULL)
816 return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_RSA_PADDING,
819 *p++ = OSSL_PARAM_construct_int(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, &pad_mode);
820 *p++ = OSSL_PARAM_construct_end();
822 return EVP_PKEY_CTX_set_params(ctx, pad_params);
825 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode)
827 OSSL_PARAM pad_params[2], *p = pad_params;
829 if (ctx == NULL || pad_mode == NULL) {
830 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
831 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
835 /* If key type not RSA or RSA-PSS return error */
836 if (ctx->pmeth != NULL
837 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
838 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
841 /* TODO(3.0): Remove this eventually when no more legacy */
842 if (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
843 || ctx->op.ciph.ciphprovctx == NULL)
844 return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0,
847 *p++ = OSSL_PARAM_construct_int(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode);
848 *p++ = OSSL_PARAM_construct_end();
850 if (!EVP_PKEY_CTX_get_params(ctx, pad_params))
857 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
861 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
862 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
863 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
867 /* If key type not RSA return error */
868 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
871 /* TODO(3.0): Remove this eventually when no more legacy */
872 if (ctx->op.ciph.ciphprovctx == NULL)
873 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
874 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);
876 name = (md == NULL) ? "" : EVP_MD_name(md);
878 return EVP_PKEY_CTX_set_rsa_oaep_md_name(ctx, name, NULL);
881 int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
884 OSSL_PARAM rsa_params[3], *p = rsa_params;
886 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
887 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
888 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
892 /* If key type not RSA return error */
893 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
897 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
899 * Cast away the const. This is read
900 * only so should be safe
903 if (mdprops != NULL) {
904 *p++ = OSSL_PARAM_construct_utf8_string(
905 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS,
907 * Cast away the const. This is read
908 * only so should be safe
912 *p++ = OSSL_PARAM_construct_end();
914 return EVP_PKEY_CTX_set_params(ctx, rsa_params);
917 int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name,
920 OSSL_PARAM rsa_params[2], *p = rsa_params;
922 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
923 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
924 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
928 /* If key type not RSA return error */
929 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
932 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
934 *p++ = OSSL_PARAM_construct_end();
936 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params))
942 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
944 /* 80 should be big enough */
947 if (ctx == NULL || md == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
948 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
949 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
953 /* If key type not RSA return error */
954 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
957 /* TODO(3.0): Remove this eventually when no more legacy */
958 if (ctx->op.ciph.ciphprovctx == NULL)
959 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
960 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md);
962 if (EVP_PKEY_CTX_get_rsa_oaep_md_name(ctx, name, sizeof(name)) <= 0)
965 /* May be NULL meaning "unknown" */
966 *md = EVP_get_digestbyname(name);
971 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
976 || (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
977 && !EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx))) {
978 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
979 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
983 /* If key type not RSA return error */
984 if (ctx->pmeth != NULL
985 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
986 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
989 /* TODO(3.0): Remove this eventually when no more legacy */
990 if ((EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
991 && ctx->op.ciph.ciphprovctx == NULL)
992 || (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
993 && ctx->op.sig.sigprovctx == NULL))
994 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
995 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
996 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md);
998 name = (md == NULL) ? "" : EVP_MD_name(md);
1000 return EVP_PKEY_CTX_set_rsa_mgf1_md_name(ctx, name, NULL);
1003 int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
1004 const char *mdprops)
1006 OSSL_PARAM rsa_params[3], *p = rsa_params;
1010 || (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
1011 && !EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx))) {
1012 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1013 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1017 /* If key type not RSA return error */
1018 if (ctx->pmeth != NULL
1019 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
1020 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
1023 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST,
1025 * Cast away the const. This is read
1026 * only so should be safe
1029 if (mdprops != NULL) {
1030 *p++ = OSSL_PARAM_construct_utf8_string(
1031 OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS,
1033 * Cast away the const. This is read
1034 * only so should be safe
1036 (char *)mdprops, 0);
1038 *p++ = OSSL_PARAM_construct_end();
1040 return EVP_PKEY_CTX_set_params(ctx, rsa_params);
1043 int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name,
1046 OSSL_PARAM rsa_params[2], *p = rsa_params;
1049 || (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
1050 && !EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx))) {
1051 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1052 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1056 /* If key type not RSA or RSA-PSS return error */
1057 if (ctx->pmeth != NULL
1058 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
1059 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
1062 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST,
1064 *p++ = OSSL_PARAM_construct_end();
1066 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params))
1072 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
1074 /* 80 should be big enough */
1078 || (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
1079 && !EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx))) {
1080 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1081 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1085 /* If key type not RSA or RSA-PSS return error */
1086 if (ctx->pmeth != NULL
1087 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
1088 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
1091 /* TODO(3.0): Remove this eventually when no more legacy */
1092 if ((EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
1093 && ctx->op.ciph.ciphprovctx == NULL)
1094 || (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
1095 && ctx->op.sig.sigprovctx == NULL))
1096 return EVP_PKEY_CTX_ctrl(ctx, -1,
1097 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
1098 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)md);
1100 if (EVP_PKEY_CTX_get_rsa_mgf1_md_name(ctx, name, sizeof(name)) <= 0)
1103 /* May be NULL meaning "unknown" */
1104 *md = EVP_get_digestbyname(name);
1109 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
1111 OSSL_PARAM rsa_params[2], *p = rsa_params;
1113 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1114 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1115 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1119 /* If key type not RSA return error */
1120 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
1123 /* TODO(3.0): Remove this eventually when no more legacy */
1124 if (ctx->op.ciph.ciphprovctx == NULL)
1125 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
1126 EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen,
1129 *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
1131 * Cast away the const. This is read
1132 * only so should be safe
1136 *p++ = OSSL_PARAM_construct_end();
1138 if (!EVP_PKEY_CTX_set_params(ctx, rsa_params))
1141 OPENSSL_free(label);
1145 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label)
1147 OSSL_PARAM rsa_params[3], *p = rsa_params;
1150 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1151 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1152 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1156 /* If key type not RSA return error */
1157 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
1160 /* TODO(3.0): Remove this eventually when no more legacy */
1161 if (ctx->op.ciph.ciphprovctx == NULL)
1162 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
1163 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0,
1166 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
1168 *p++ = OSSL_PARAM_construct_size_t(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL_LEN,
1170 *p++ = OSSL_PARAM_construct_end();
1172 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params))
1175 if (labellen > INT_MAX)
1178 return (int)labellen;