• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * RSA low level APIs are deprecated for public use, but still ok for
12  * internal use.
13  */
14 #include "internal/deprecated.h"
15 
16 #include <openssl/crypto.h>
17 #include <openssl/core_names.h>
18 #ifndef FIPS_MODULE
19 # include <openssl/engine.h>
20 #endif
21 #include <openssl/evp.h>
22 #include <openssl/param_build.h>
23 #include "internal/cryptlib.h"
24 #include "internal/refcount.h"
25 #include "crypto/bn.h"
26 #include "crypto/evp.h"
27 #include "crypto/rsa.h"
28 #include "crypto/security_bits.h"
29 #include "rsa_local.h"
30 
31 static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx);
32 
33 #ifndef FIPS_MODULE
RSA_new(void)34 RSA *RSA_new(void)
35 {
36     return rsa_new_intern(NULL, NULL);
37 }
38 
RSA_get_method(const RSA * rsa)39 const RSA_METHOD *RSA_get_method(const RSA *rsa)
40 {
41     return rsa->meth;
42 }
43 
RSA_set_method(RSA * rsa,const RSA_METHOD * meth)44 int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
45 {
46     /*
47      * NB: The caller is specifically setting a method, so it's not up to us
48      * to deal with which ENGINE it comes from.
49      */
50     const RSA_METHOD *mtmp;
51     mtmp = rsa->meth;
52     if (mtmp->finish)
53         mtmp->finish(rsa);
54 #ifndef OPENSSL_NO_ENGINE
55     ENGINE_finish(rsa->engine);
56     rsa->engine = NULL;
57 #endif
58     rsa->meth = meth;
59     if (meth->init)
60         meth->init(rsa);
61     return 1;
62 }
63 
RSA_new_method(ENGINE * engine)64 RSA *RSA_new_method(ENGINE *engine)
65 {
66     return rsa_new_intern(engine, NULL);
67 }
68 #endif
69 
ossl_rsa_new_with_ctx(OSSL_LIB_CTX * libctx)70 RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx)
71 {
72     return rsa_new_intern(NULL, libctx);
73 }
74 
rsa_new_intern(ENGINE * engine,OSSL_LIB_CTX * libctx)75 static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx)
76 {
77     RSA *ret = OPENSSL_zalloc(sizeof(*ret));
78 
79     if (ret == NULL) {
80         ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
81         return NULL;
82     }
83 
84     ret->references = 1;
85     ret->lock = CRYPTO_THREAD_lock_new();
86     if (ret->lock == NULL) {
87         ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
88         OPENSSL_free(ret);
89         return NULL;
90     }
91 
92     ret->libctx = libctx;
93     ret->meth = RSA_get_default_method();
94 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
95     ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
96     if (engine) {
97         if (!ENGINE_init(engine)) {
98             ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB);
99             goto err;
100         }
101         ret->engine = engine;
102     } else {
103         ret->engine = ENGINE_get_default_RSA();
104     }
105     if (ret->engine) {
106         ret->meth = ENGINE_get_RSA(ret->engine);
107         if (ret->meth == NULL) {
108             ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB);
109             goto err;
110         }
111     }
112 #endif
113 
114     ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
115 #ifndef FIPS_MODULE
116     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
117         goto err;
118     }
119 #endif
120 
121     if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
122         ERR_raise(ERR_LIB_RSA, ERR_R_INIT_FAIL);
123         goto err;
124     }
125 
126     return ret;
127 
128  err:
129     RSA_free(ret);
130     return NULL;
131 }
132 
RSA_free(RSA * r)133 void RSA_free(RSA *r)
134 {
135     int i;
136 
137     if (r == NULL)
138         return;
139 
140     CRYPTO_DOWN_REF(&r->references, &i, r->lock);
141     REF_PRINT_COUNT("RSA", r);
142     if (i > 0)
143         return;
144     REF_ASSERT_ISNT(i < 0);
145 
146     if (r->meth != NULL && r->meth->finish != NULL)
147         r->meth->finish(r);
148 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
149     ENGINE_finish(r->engine);
150 #endif
151 
152 #ifndef FIPS_MODULE
153     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
154 #endif
155 
156     CRYPTO_THREAD_lock_free(r->lock);
157 
158     BN_free(r->n);
159     BN_free(r->e);
160     BN_clear_free(r->d);
161     BN_clear_free(r->p);
162     BN_clear_free(r->q);
163     BN_clear_free(r->dmp1);
164     BN_clear_free(r->dmq1);
165     BN_clear_free(r->iqmp);
166 
167 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
168     ossl_rsa_acvp_test_free(r->acvp_test);
169 #endif
170 
171 #ifndef FIPS_MODULE
172     RSA_PSS_PARAMS_free(r->pss);
173     sk_RSA_PRIME_INFO_pop_free(r->prime_infos, ossl_rsa_multip_info_free);
174 #endif
175     BN_BLINDING_free(r->blinding);
176     BN_BLINDING_free(r->mt_blinding);
177     OPENSSL_free(r);
178 }
179 
RSA_up_ref(RSA * r)180 int RSA_up_ref(RSA *r)
181 {
182     int i;
183 
184     if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0)
185         return 0;
186 
187     REF_PRINT_COUNT("RSA", r);
188     REF_ASSERT_ISNT(i < 2);
189     return i > 1 ? 1 : 0;
190 }
191 
ossl_rsa_get0_libctx(RSA * r)192 OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r)
193 {
194     return r->libctx;
195 }
196 
ossl_rsa_set0_libctx(RSA * r,OSSL_LIB_CTX * libctx)197 void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx)
198 {
199     r->libctx = libctx;
200 }
201 
202 #ifndef FIPS_MODULE
RSA_set_ex_data(RSA * r,int idx,void * arg)203 int RSA_set_ex_data(RSA *r, int idx, void *arg)
204 {
205     return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
206 }
207 
RSA_get_ex_data(const RSA * r,int idx)208 void *RSA_get_ex_data(const RSA *r, int idx)
209 {
210     return CRYPTO_get_ex_data(&r->ex_data, idx);
211 }
212 #endif
213 
214 /*
215  * Define a scaling constant for our fixed point arithmetic.
216  * This value must be a power of two because the base two logarithm code
217  * makes this assumption.  The exponent must also be a multiple of three so
218  * that the scale factor has an exact cube root.  Finally, the scale factor
219  * should not be so large that a multiplication of two scaled numbers
220  * overflows a 64 bit unsigned integer.
221  */
222 static const unsigned int scale = 1 << 18;
223 static const unsigned int cbrt_scale = 1 << (2 * 18 / 3);
224 
225 /* Define some constants, none exceed 32 bits */
226 static const unsigned int log_2  = 0x02c5c8;    /* scale * log(2) */
227 static const unsigned int log_e  = 0x05c551;    /* scale * log2(M_E) */
228 static const unsigned int c1_923 = 0x07b126;    /* scale * 1.923 */
229 static const unsigned int c4_690 = 0x12c28f;    /* scale * 4.690 */
230 
231 /*
232  * Multiply two scaled integers together and rescale the result.
233  */
mul2(uint64_t a,uint64_t b)234 static ossl_inline uint64_t mul2(uint64_t a, uint64_t b)
235 {
236     return a * b / scale;
237 }
238 
239 /*
240  * Calculate the cube root of a 64 bit scaled integer.
241  * Although the cube root of a 64 bit number does fit into a 32 bit unsigned
242  * integer, this is not guaranteed after scaling, so this function has a
243  * 64 bit return.  This uses the shifting nth root algorithm with some
244  * algebraic simplifications.
245  */
icbrt64(uint64_t x)246 static uint64_t icbrt64(uint64_t x)
247 {
248     uint64_t r = 0;
249     uint64_t b;
250     int s;
251 
252     for (s = 63; s >= 0; s -= 3) {
253         r <<= 1;
254         b = 3 * r * (r + 1) + 1;
255         if ((x >> s) >= b) {
256             x -= b << s;
257             r++;
258         }
259     }
260     return r * cbrt_scale;
261 }
262 
263 /*
264  * Calculate the natural logarithm of a 64 bit scaled integer.
265  * This is done by calculating a base two logarithm and scaling.
266  * The maximum logarithm (base 2) is 64 and this reduces base e, so
267  * a 32 bit result should not overflow.  The argument passed must be
268  * greater than unity so we don't need to handle negative results.
269  */
ilog_e(uint64_t v)270 static uint32_t ilog_e(uint64_t v)
271 {
272     uint32_t i, r = 0;
273 
274     /*
275      * Scale down the value into the range 1 .. 2.
276      *
277      * If fractional numbers need to be processed, another loop needs
278      * to go here that checks v < scale and if so multiplies it by 2 and
279      * reduces r by scale.  This also means making r signed.
280      */
281     while (v >= 2 * scale) {
282         v >>= 1;
283         r += scale;
284     }
285     for (i = scale / 2; i != 0; i /= 2) {
286         v = mul2(v, v);
287         if (v >= 2 * scale) {
288             v >>= 1;
289             r += i;
290         }
291     }
292     r = (r * (uint64_t)scale) / log_e;
293     return r;
294 }
295 
296 /*
297  * NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC
298  * Modulus Lengths.
299  *
300  * Note that this formula is also referred to in SP800-56A rev3 Appendix D:
301  * for FFC safe prime groups for modp and ffdhe.
302  * After Table 25 and Table 26 it refers to
303  * "The maximum security strength estimates were calculated using the formula in
304  * Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight
305  * bits".
306  *
307  * The formula is:
308  *
309  * E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)}
310  *           \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)}
311  * The two cube roots are merged together here.
312  */
ossl_ifc_ffc_compute_security_bits(int n)313 uint16_t ossl_ifc_ffc_compute_security_bits(int n)
314 {
315     uint64_t x;
316     uint32_t lx;
317     uint16_t y, cap;
318 
319     /*
320      * Look for common values as listed in standards.
321      * These values are not exactly equal to the results from the formulae in
322      * the standards but are defined to be canonical.
323      */
324     switch (n) {
325     case 2048:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
326         return 112;
327     case 3072:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
328         return 128;
329     case 4096:      /* SP 800-56B rev 2 Appendix D */
330         return 152;
331     case 6144:      /* SP 800-56B rev 2 Appendix D */
332         return 176;
333     case 7680:      /* FIPS 140-2 IG 7.5 */
334         return 192;
335     case 8192:      /* SP 800-56B rev 2 Appendix D */
336         return 200;
337     case 15360:     /* FIPS 140-2 IG 7.5 */
338         return 256;
339     }
340 
341     /*
342      * The first incorrect result (i.e. not accurate or off by one low) occurs
343      * for n = 699668.  The true value here is 1200.  Instead of using this n
344      * as the check threshold, the smallest n such that the correct result is
345      * 1200 is used instead.
346      */
347     if (n >= 687737)
348         return 1200;
349     if (n < 8)
350         return 0;
351 
352     /*
353      * To ensure that the output is non-decreasing with respect to n,
354      * a cap needs to be applied to the two values where the function over
355      * estimates the strength (according to the above fast path).
356      */
357     if (n <= 7680)
358         cap = 192;
359     else if (n <= 15360)
360         cap = 256;
361     else
362         cap = 1200;
363 
364     x = n * (uint64_t)log_2;
365     lx = ilog_e(x);
366     y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690)
367                    / log_2);
368     y = (y + 4) & ~7;
369     if (y > cap)
370         y = cap;
371     return y;
372 }
373 
374 
375 
RSA_security_bits(const RSA * rsa)376 int RSA_security_bits(const RSA *rsa)
377 {
378     int bits = BN_num_bits(rsa->n);
379 
380 #ifndef FIPS_MODULE
381     if (rsa->version == RSA_ASN1_VERSION_MULTI) {
382         /* This ought to mean that we have private key at hand. */
383         int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos);
384 
385         if (ex_primes <= 0 || (ex_primes + 2) > ossl_rsa_multip_cap(bits))
386             return 0;
387     }
388 #endif
389     return ossl_ifc_ffc_compute_security_bits(bits);
390 }
391 
RSA_set0_key(RSA * r,BIGNUM * n,BIGNUM * e,BIGNUM * d)392 int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
393 {
394     /* If the fields n and e in r are NULL, the corresponding input
395      * parameters MUST be non-NULL for n and e.  d may be
396      * left NULL (in case only the public key is used).
397      */
398     if ((r->n == NULL && n == NULL)
399         || (r->e == NULL && e == NULL))
400         return 0;
401 
402     if (n != NULL) {
403         BN_free(r->n);
404         r->n = n;
405     }
406     if (e != NULL) {
407         BN_free(r->e);
408         r->e = e;
409     }
410     if (d != NULL) {
411         BN_clear_free(r->d);
412         r->d = d;
413         BN_set_flags(r->d, BN_FLG_CONSTTIME);
414     }
415     r->dirty_cnt++;
416 
417     return 1;
418 }
419 
RSA_set0_factors(RSA * r,BIGNUM * p,BIGNUM * q)420 int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
421 {
422     /* If the fields p and q in r are NULL, the corresponding input
423      * parameters MUST be non-NULL.
424      */
425     if ((r->p == NULL && p == NULL)
426         || (r->q == NULL && q == NULL))
427         return 0;
428 
429     if (p != NULL) {
430         BN_clear_free(r->p);
431         r->p = p;
432         BN_set_flags(r->p, BN_FLG_CONSTTIME);
433     }
434     if (q != NULL) {
435         BN_clear_free(r->q);
436         r->q = q;
437         BN_set_flags(r->q, BN_FLG_CONSTTIME);
438     }
439     r->dirty_cnt++;
440 
441     return 1;
442 }
443 
RSA_set0_crt_params(RSA * r,BIGNUM * dmp1,BIGNUM * dmq1,BIGNUM * iqmp)444 int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
445 {
446     /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
447      * parameters MUST be non-NULL.
448      */
449     if ((r->dmp1 == NULL && dmp1 == NULL)
450         || (r->dmq1 == NULL && dmq1 == NULL)
451         || (r->iqmp == NULL && iqmp == NULL))
452         return 0;
453 
454     if (dmp1 != NULL) {
455         BN_clear_free(r->dmp1);
456         r->dmp1 = dmp1;
457         BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
458     }
459     if (dmq1 != NULL) {
460         BN_clear_free(r->dmq1);
461         r->dmq1 = dmq1;
462         BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
463     }
464     if (iqmp != NULL) {
465         BN_clear_free(r->iqmp);
466         r->iqmp = iqmp;
467         BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
468     }
469     r->dirty_cnt++;
470 
471     return 1;
472 }
473 
474 #ifndef FIPS_MODULE
475 /*
476  * Is it better to export RSA_PRIME_INFO structure
477  * and related functions to let user pass a triplet?
478  */
RSA_set0_multi_prime_params(RSA * r,BIGNUM * primes[],BIGNUM * exps[],BIGNUM * coeffs[],int pnum)479 int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
480                                 BIGNUM *coeffs[], int pnum)
481 {
482     STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL;
483     RSA_PRIME_INFO *pinfo;
484     int i;
485 
486     if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0)
487         return 0;
488 
489     prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
490     if (prime_infos == NULL)
491         return 0;
492 
493     if (r->prime_infos != NULL)
494         old = r->prime_infos;
495 
496     for (i = 0; i < pnum; i++) {
497         pinfo = ossl_rsa_multip_info_new();
498         if (pinfo == NULL)
499             goto err;
500         if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
501             BN_clear_free(pinfo->r);
502             BN_clear_free(pinfo->d);
503             BN_clear_free(pinfo->t);
504             pinfo->r = primes[i];
505             pinfo->d = exps[i];
506             pinfo->t = coeffs[i];
507             BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
508             BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
509             BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
510         } else {
511             ossl_rsa_multip_info_free(pinfo);
512             goto err;
513         }
514         (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
515     }
516 
517     r->prime_infos = prime_infos;
518 
519     if (!ossl_rsa_multip_calc_product(r)) {
520         r->prime_infos = old;
521         goto err;
522     }
523 
524     if (old != NULL) {
525         /*
526          * This is hard to deal with, since the old infos could
527          * also be set by this function and r, d, t should not
528          * be freed in that case. So currently, stay consistent
529          * with other *set0* functions: just free it...
530          */
531         sk_RSA_PRIME_INFO_pop_free(old, ossl_rsa_multip_info_free);
532     }
533 
534     r->version = RSA_ASN1_VERSION_MULTI;
535     r->dirty_cnt++;
536 
537     return 1;
538  err:
539     /* r, d, t should not be freed */
540     sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex);
541     return 0;
542 }
543 #endif
544 
RSA_get0_key(const RSA * r,const BIGNUM ** n,const BIGNUM ** e,const BIGNUM ** d)545 void RSA_get0_key(const RSA *r,
546                   const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
547 {
548     if (n != NULL)
549         *n = r->n;
550     if (e != NULL)
551         *e = r->e;
552     if (d != NULL)
553         *d = r->d;
554 }
555 
RSA_get0_factors(const RSA * r,const BIGNUM ** p,const BIGNUM ** q)556 void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
557 {
558     if (p != NULL)
559         *p = r->p;
560     if (q != NULL)
561         *q = r->q;
562 }
563 
564 #ifndef FIPS_MODULE
RSA_get_multi_prime_extra_count(const RSA * r)565 int RSA_get_multi_prime_extra_count(const RSA *r)
566 {
567     int pnum;
568 
569     pnum = sk_RSA_PRIME_INFO_num(r->prime_infos);
570     if (pnum <= 0)
571         pnum = 0;
572     return pnum;
573 }
574 
RSA_get0_multi_prime_factors(const RSA * r,const BIGNUM * primes[])575 int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[])
576 {
577     int pnum, i;
578     RSA_PRIME_INFO *pinfo;
579 
580     if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
581         return 0;
582 
583     /*
584      * return other primes
585      * it's caller's responsibility to allocate oth_primes[pnum]
586      */
587     for (i = 0; i < pnum; i++) {
588         pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
589         primes[i] = pinfo->r;
590     }
591 
592     return 1;
593 }
594 #endif
595 
RSA_get0_crt_params(const RSA * r,const BIGNUM ** dmp1,const BIGNUM ** dmq1,const BIGNUM ** iqmp)596 void RSA_get0_crt_params(const RSA *r,
597                          const BIGNUM **dmp1, const BIGNUM **dmq1,
598                          const BIGNUM **iqmp)
599 {
600     if (dmp1 != NULL)
601         *dmp1 = r->dmp1;
602     if (dmq1 != NULL)
603         *dmq1 = r->dmq1;
604     if (iqmp != NULL)
605         *iqmp = r->iqmp;
606 }
607 
608 #ifndef FIPS_MODULE
RSA_get0_multi_prime_crt_params(const RSA * r,const BIGNUM * exps[],const BIGNUM * coeffs[])609 int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[],
610                                     const BIGNUM *coeffs[])
611 {
612     int pnum;
613 
614     if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
615         return 0;
616 
617     /* return other primes */
618     if (exps != NULL || coeffs != NULL) {
619         RSA_PRIME_INFO *pinfo;
620         int i;
621 
622         /* it's the user's job to guarantee the buffer length */
623         for (i = 0; i < pnum; i++) {
624             pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
625             if (exps != NULL)
626                 exps[i] = pinfo->d;
627             if (coeffs != NULL)
628                 coeffs[i] = pinfo->t;
629         }
630     }
631 
632     return 1;
633 }
634 #endif
635 
RSA_get0_n(const RSA * r)636 const BIGNUM *RSA_get0_n(const RSA *r)
637 {
638     return r->n;
639 }
640 
RSA_get0_e(const RSA * r)641 const BIGNUM *RSA_get0_e(const RSA *r)
642 {
643     return r->e;
644 }
645 
RSA_get0_d(const RSA * r)646 const BIGNUM *RSA_get0_d(const RSA *r)
647 {
648     return r->d;
649 }
650 
RSA_get0_p(const RSA * r)651 const BIGNUM *RSA_get0_p(const RSA *r)
652 {
653     return r->p;
654 }
655 
RSA_get0_q(const RSA * r)656 const BIGNUM *RSA_get0_q(const RSA *r)
657 {
658     return r->q;
659 }
660 
RSA_get0_dmp1(const RSA * r)661 const BIGNUM *RSA_get0_dmp1(const RSA *r)
662 {
663     return r->dmp1;
664 }
665 
RSA_get0_dmq1(const RSA * r)666 const BIGNUM *RSA_get0_dmq1(const RSA *r)
667 {
668     return r->dmq1;
669 }
670 
RSA_get0_iqmp(const RSA * r)671 const BIGNUM *RSA_get0_iqmp(const RSA *r)
672 {
673     return r->iqmp;
674 }
675 
RSA_get0_pss_params(const RSA * r)676 const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r)
677 {
678 #ifdef FIPS_MODULE
679     return NULL;
680 #else
681     return r->pss;
682 #endif
683 }
684 
685 /* Internal */
ossl_rsa_set0_pss_params(RSA * r,RSA_PSS_PARAMS * pss)686 int ossl_rsa_set0_pss_params(RSA *r, RSA_PSS_PARAMS *pss)
687 {
688 #ifdef FIPS_MODULE
689     return 0;
690 #else
691     RSA_PSS_PARAMS_free(r->pss);
692     r->pss = pss;
693     return 1;
694 #endif
695 }
696 
697 /* Internal */
ossl_rsa_get0_pss_params_30(RSA * r)698 RSA_PSS_PARAMS_30 *ossl_rsa_get0_pss_params_30(RSA *r)
699 {
700     return &r->pss_params;
701 }
702 
RSA_clear_flags(RSA * r,int flags)703 void RSA_clear_flags(RSA *r, int flags)
704 {
705     r->flags &= ~flags;
706 }
707 
RSA_test_flags(const RSA * r,int flags)708 int RSA_test_flags(const RSA *r, int flags)
709 {
710     return r->flags & flags;
711 }
712 
RSA_set_flags(RSA * r,int flags)713 void RSA_set_flags(RSA *r, int flags)
714 {
715     r->flags |= flags;
716 }
717 
RSA_get_version(RSA * r)718 int RSA_get_version(RSA *r)
719 {
720     /* { two-prime(0), multi(1) } */
721     return r->version;
722 }
723 
724 #ifndef FIPS_MODULE
RSA_get0_engine(const RSA * r)725 ENGINE *RSA_get0_engine(const RSA *r)
726 {
727     return r->engine;
728 }
729 
RSA_pkey_ctx_ctrl(EVP_PKEY_CTX * ctx,int optype,int cmd,int p1,void * p2)730 int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2)
731 {
732     /* If key type not RSA or RSA-PSS return error */
733     if (ctx != NULL && ctx->pmeth != NULL
734         && ctx->pmeth->pkey_id != EVP_PKEY_RSA
735         && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
736         return -1;
737      return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2);
738 }
739 #endif
740 
DEFINE_STACK_OF(BIGNUM)741 DEFINE_STACK_OF(BIGNUM)
742 
743 int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
744                              const STACK_OF(BIGNUM) *exps,
745                              const STACK_OF(BIGNUM) *coeffs)
746 {
747 #ifndef FIPS_MODULE
748     STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL;
749 #endif
750     int pnum;
751 
752     if (primes == NULL || exps == NULL || coeffs == NULL)
753         return 0;
754 
755     pnum = sk_BIGNUM_num(primes);
756     if (pnum < 2
757         || pnum != sk_BIGNUM_num(exps)
758         || pnum != sk_BIGNUM_num(coeffs) + 1)
759         return 0;
760 
761     if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0),
762                           sk_BIGNUM_value(primes, 1))
763         || !RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0),
764                                 sk_BIGNUM_value(exps, 1),
765                                 sk_BIGNUM_value(coeffs, 0)))
766         return 0;
767 
768 #ifndef FIPS_MODULE
769     old_infos = r->prime_infos;
770 #endif
771 
772     if (pnum > 2) {
773 #ifndef FIPS_MODULE
774         int i;
775 
776         prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
777         if (prime_infos == NULL)
778             return 0;
779 
780         for (i = 2; i < pnum; i++) {
781             BIGNUM *prime = sk_BIGNUM_value(primes, i);
782             BIGNUM *exp = sk_BIGNUM_value(exps, i);
783             BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1);
784             RSA_PRIME_INFO *pinfo = NULL;
785 
786             if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL))
787                 goto err;
788 
789             /* Using ossl_rsa_multip_info_new() is wasteful, so allocate directly */
790             if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) {
791                 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
792                 goto err;
793             }
794 
795             pinfo->r = prime;
796             pinfo->d = exp;
797             pinfo->t = coeff;
798             BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
799             BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
800             BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
801             (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
802         }
803 
804         r->prime_infos = prime_infos;
805 
806         if (!ossl_rsa_multip_calc_product(r)) {
807             r->prime_infos = old_infos;
808             goto err;
809         }
810 #else
811         return 0;
812 #endif
813     }
814 
815 #ifndef FIPS_MODULE
816     if (old_infos != NULL) {
817         /*
818          * This is hard to deal with, since the old infos could
819          * also be set by this function and r, d, t should not
820          * be freed in that case. So currently, stay consistent
821          * with other *set0* functions: just free it...
822          */
823         sk_RSA_PRIME_INFO_pop_free(old_infos, ossl_rsa_multip_info_free);
824     }
825 #endif
826 
827     r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT;
828     r->dirty_cnt++;
829 
830     return 1;
831 #ifndef FIPS_MODULE
832  err:
833     /* r, d, t should not be freed */
834     sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex);
835     return 0;
836 #endif
837 }
838 
DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const,BIGNUM)839 DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
840 
841 int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes,
842                              STACK_OF(BIGNUM_const) *exps,
843                              STACK_OF(BIGNUM_const) *coeffs)
844 {
845 #ifndef FIPS_MODULE
846     RSA_PRIME_INFO *pinfo;
847     int i, pnum;
848 #endif
849 
850     if (r == NULL)
851         return 0;
852 
853     /* If |p| is NULL, there are no CRT parameters */
854     if (RSA_get0_p(r) == NULL)
855         return 1;
856 
857     sk_BIGNUM_const_push(primes, RSA_get0_p(r));
858     sk_BIGNUM_const_push(primes, RSA_get0_q(r));
859     sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r));
860     sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r));
861     sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r));
862 
863 #ifndef FIPS_MODULE
864     pnum = RSA_get_multi_prime_extra_count(r);
865     for (i = 0; i < pnum; i++) {
866         pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
867         sk_BIGNUM_const_push(primes, pinfo->r);
868         sk_BIGNUM_const_push(exps, pinfo->d);
869         sk_BIGNUM_const_push(coeffs, pinfo->t);
870     }
871 #endif
872 
873     return 1;
874 }
875 
876 #ifndef FIPS_MODULE
877 /* Helpers to set or get diverse hash algorithm names */
int_set_rsa_md_name(EVP_PKEY_CTX * ctx,int keytype,int optype,const char * mdkey,const char * mdname,const char * propkey,const char * mdprops)878 static int int_set_rsa_md_name(EVP_PKEY_CTX *ctx,
879                                /* For checks */
880                                int keytype, int optype,
881                                /* For EVP_PKEY_CTX_set_params() */
882                                const char *mdkey, const char *mdname,
883                                const char *propkey, const char *mdprops)
884 {
885     OSSL_PARAM params[3], *p = params;
886 
887     if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) {
888         ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
889         /* Uses the same return values as EVP_PKEY_CTX_ctrl */
890         return -2;
891     }
892 
893     /* If key type not RSA return error */
894     switch (keytype) {
895     case -1:
896         if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
897             && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
898             return -1;
899         break;
900     default:
901         if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype)))
902             return -1;
903         break;
904     }
905 
906     /* Cast away the const. This is read only so should be safe */
907     *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, 0);
908     if (evp_pkey_ctx_is_provided(ctx) && mdprops != NULL) {
909         /* Cast away the const. This is read only so should be safe */
910         *p++ = OSSL_PARAM_construct_utf8_string(propkey, (char *)mdprops, 0);
911     }
912     *p++ = OSSL_PARAM_construct_end();
913 
914     return evp_pkey_ctx_set_params_strict(ctx, params);
915 }
916 
917 /* Helpers to set or get diverse hash algorithm names */
int_get_rsa_md_name(EVP_PKEY_CTX * ctx,int keytype,int optype,const char * mdkey,char * mdname,size_t mdnamesize)918 static int int_get_rsa_md_name(EVP_PKEY_CTX *ctx,
919                                /* For checks */
920                                int keytype, int optype,
921                                /* For EVP_PKEY_CTX_get_params() */
922                                const char *mdkey,
923                                char *mdname, size_t mdnamesize)
924 {
925     OSSL_PARAM params[2], *p = params;
926 
927     if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) {
928         ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
929         /* Uses the same return values as EVP_PKEY_CTX_ctrl */
930         return -2;
931     }
932 
933     /* If key type not RSA return error */
934     switch (keytype) {
935     case -1:
936         if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
937             && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
938             return -1;
939         break;
940     default:
941         if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype)))
942             return -1;
943         break;
944     }
945 
946     /* Cast away the const. This is read only so should be safe */
947     *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, mdnamesize);
948     *p++ = OSSL_PARAM_construct_end();
949 
950     return evp_pkey_ctx_get_params_strict(ctx, params);
951 }
952 
953 /*
954  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
955  * simply because that's easier.
956  */
EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX * ctx,int pad_mode)957 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode)
958 {
959     return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING,
960                              pad_mode, NULL);
961 }
962 
963 /*
964  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
965  * simply because that's easier.
966  */
EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX * ctx,int * pad_mode)967 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode)
968 {
969     return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,
970                              0, pad_mode);
971 }
972 
973 /*
974  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
975  * simply because that's easier.
976  */
EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)977 int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
978 {
979     return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
980                              EVP_PKEY_CTRL_MD, 0, (void *)(md));
981 }
982 
EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX * ctx,const char * mdname,const char * mdprops)983 int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx,
984                                             const char *mdname,
985                                             const char *mdprops)
986 {
987     return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
988                                OSSL_PKEY_PARAM_RSA_DIGEST, mdname,
989                                OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, mdprops);
990 }
991 
992 /*
993  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
994  * simply because that's easier.
995  */
EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)996 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
997 {
998     return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
999                              EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md));
1000 }
1001 
EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX * ctx,const char * mdname,const char * mdprops)1002 int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
1003                                       const char *mdprops)
1004 {
1005     return
1006         int_set_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
1007                             OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, mdname,
1008                             OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, mdprops);
1009 }
1010 
EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX * ctx,char * name,size_t namesize)1011 int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name,
1012                                       size_t namesize)
1013 {
1014     return int_get_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
1015                                OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
1016                                name, namesize);
1017 }
1018 
1019 /*
1020  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1021  * simply because that's easier.
1022  */
EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD ** md)1023 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
1024 {
1025     return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
1026                              EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md);
1027 }
1028 
1029 /*
1030  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1031  * simply because that's easier.
1032  */
EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)1033 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
1034 {
1035     return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
1036                              EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md));
1037 }
1038 
EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX * ctx,const char * mdname,const char * mdprops)1039 int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
1040                                       const char *mdprops)
1041 {
1042     return int_set_rsa_md_name(ctx, -1,
1043                                EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG,
1044                                OSSL_PKEY_PARAM_MGF1_DIGEST, mdname,
1045                                OSSL_PKEY_PARAM_MGF1_PROPERTIES, mdprops);
1046 }
1047 
EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX * ctx,char * name,size_t namesize)1048 int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name,
1049                                       size_t namesize)
1050 {
1051     return int_get_rsa_md_name(ctx, -1,
1052                                EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG,
1053                                OSSL_PKEY_PARAM_MGF1_DIGEST, name, namesize);
1054 }
1055 
1056 /*
1057  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1058  * simply because that's easier.
1059  */
EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)1060 int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
1061 {
1062     return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
1063                              EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md));
1064 }
1065 
EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX * ctx,const char * mdname)1066 int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx,
1067                                                  const char *mdname)
1068 {
1069     return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
1070                                OSSL_PKEY_PARAM_MGF1_DIGEST, mdname,
1071                                NULL, NULL);
1072 }
1073 
1074 /*
1075  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1076  * simply because that's easier.
1077  */
EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD ** md)1078 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
1079 {
1080     return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
1081                              EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(md));
1082 }
1083 
EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX * ctx,void * label,int llen)1084 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
1085 {
1086     OSSL_PARAM rsa_params[2], *p = rsa_params;
1087     int ret;
1088 
1089     if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1090         ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1091         /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1092         return -2;
1093     }
1094 
1095     /* If key type not RSA return error */
1096     if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
1097         return -1;
1098 
1099     /* Cast away the const. This is read only so should be safe */
1100     *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
1101                                              (void *)label, (size_t)llen);
1102     *p++ = OSSL_PARAM_construct_end();
1103 
1104     ret = evp_pkey_ctx_set_params_strict(ctx, rsa_params);
1105     if (ret <= 0)
1106         return ret;
1107 
1108     /* Ownership is supposed to be transfered to the callee. */
1109     OPENSSL_free(label);
1110     return 1;
1111 }
1112 
EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX * ctx,unsigned char ** label)1113 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label)
1114 {
1115     OSSL_PARAM rsa_params[2], *p = rsa_params;
1116     size_t labellen;
1117 
1118     if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1119         ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1120         /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1121         return -2;
1122     }
1123 
1124     /* If key type not RSA return error */
1125     if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
1126         return -1;
1127 
1128     *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
1129                                           (void **)label, 0);
1130     *p++ = OSSL_PARAM_construct_end();
1131 
1132     if (!EVP_PKEY_CTX_get_params(ctx, rsa_params))
1133         return -1;
1134 
1135     labellen = rsa_params[0].return_size;
1136     if (labellen > INT_MAX)
1137         return -1;
1138 
1139     return (int)labellen;
1140 }
1141 
1142 /*
1143  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1144  * simply because that's easier.
1145  */
EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int saltlen)1146 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen)
1147 {
1148     /*
1149      * For some reason, the optype was set to this:
1150      *
1151      * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY
1152      *
1153      * However, we do use RSA-PSS with the whole gamut of diverse signature
1154      * and verification operations, so the optype gets upgraded to this:
1155      *
1156      * EVP_PKEY_OP_TYPE_SIG
1157      */
1158     return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG,
1159                              EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltlen, NULL);
1160 }
1161 
1162 /*
1163  * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1164  * simply because that's easier.
1165  */
EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int * saltlen)1166 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen)
1167 {
1168     /*
1169      * Because of circumstances, the optype is updated from:
1170      *
1171      * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY
1172      *
1173      * to:
1174      *
1175      * EVP_PKEY_OP_TYPE_SIG
1176      */
1177     return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG,
1178                              EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, saltlen);
1179 }
1180 
EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX * ctx,int saltlen)1181 int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen)
1182 {
1183     OSSL_PARAM pad_params[2], *p = pad_params;
1184 
1185     if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
1186         ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1187         /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1188         return -2;
1189     }
1190 
1191     if (!EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
1192         return -1;
1193 
1194     *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN,
1195                                     &saltlen);
1196     *p++ = OSSL_PARAM_construct_end();
1197 
1198     return evp_pkey_ctx_set_params_strict(ctx, pad_params);
1199 }
1200 
EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX * ctx,int bits)1201 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits)
1202 {
1203     OSSL_PARAM params[2], *p = params;
1204     size_t bits2 = bits;
1205 
1206     if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
1207         ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1208         /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1209         return -2;
1210     }
1211 
1212     /* If key type not RSA return error */
1213     if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
1214         && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
1215         return -1;
1216 
1217     *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2);
1218     *p++ = OSSL_PARAM_construct_end();
1219 
1220     return evp_pkey_ctx_set_params_strict(ctx, params);
1221 }
1222 
EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX * ctx,BIGNUM * pubexp)1223 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp)
1224 {
1225     int ret = RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN,
1226                                 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp);
1227 
1228     /*
1229      * Satisfy memory semantics for pre-3.0 callers of
1230      * EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input
1231      * pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success.
1232      */
1233     if (ret > 0 && evp_pkey_ctx_is_provided(ctx)) {
1234         BN_free(ctx->rsa_pubexp);
1235         ctx->rsa_pubexp = pubexp;
1236     }
1237 
1238     return ret;
1239 }
1240 
EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX * ctx,BIGNUM * pubexp)1241 int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp)
1242 {
1243     int ret = 0;
1244 
1245     /*
1246      * When we're dealing with a provider, there's no need to duplicate
1247      * pubexp, as it gets copied when transforming to an OSSL_PARAM anyway.
1248      */
1249     if (evp_pkey_ctx_is_legacy(ctx)) {
1250         pubexp = BN_dup(pubexp);
1251         if (pubexp == NULL)
1252             return 0;
1253     }
1254     ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
1255                             EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp);
1256     if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0)
1257         BN_free(pubexp);
1258     return ret;
1259 }
1260 
EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX * ctx,int primes)1261 int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes)
1262 {
1263     OSSL_PARAM params[2], *p = params;
1264     size_t primes2 = primes;
1265 
1266     if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
1267         ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1268         /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1269         return -2;
1270     }
1271 
1272     /* If key type not RSA return error */
1273     if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
1274         && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
1275         return -1;
1276 
1277     *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2);
1278     *p++ = OSSL_PARAM_construct_end();
1279 
1280     return evp_pkey_ctx_set_params_strict(ctx, params);
1281 }
1282 #endif
1283