• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #ifndef OPENSSL_HEADER_RSA_H
58 #define OPENSSL_HEADER_RSA_H
59 
60 #include <openssl/base.h>
61 
62 #include <openssl/asn1.h>
63 #include <openssl/engine.h>
64 #include <openssl/ex_data.h>
65 #include <openssl/thread.h>
66 
67 #if defined(__cplusplus)
68 extern "C" {
69 #endif
70 
71 
72 /* rsa.h contains functions for handling encryption and signature using RSA. */
73 
74 
75 /* Allocation and destruction. */
76 
77 /* RSA_new returns a new, empty RSA object or NULL on error. */
78 OPENSSL_EXPORT RSA *RSA_new(void);
79 
80 /* RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. */
81 OPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine);
82 
83 /* RSA_free decrements the reference count of |rsa| and frees it if the
84  * reference count drops to zero. */
85 OPENSSL_EXPORT void RSA_free(RSA *rsa);
86 
87 /* RSA_up_ref increments the reference count of |rsa|. */
88 OPENSSL_EXPORT int RSA_up_ref(RSA *rsa);
89 
90 
91 /* Key generation. */
92 
93 /* RSA_generate_key_ex generates a new RSA key where the modulus has size
94  * |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value
95  * for |e|. If |cb| is not NULL then it is called during the key generation
96  * process. In addition to the calls documented for |BN_generate_prime_ex|, it
97  * is called with event=2 when the n'th prime is rejected as unsuitable and
98  * with event=3 when a suitable value for |p| is found.
99  *
100  * It returns one on success or zero on error. */
101 OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
102                                        BN_GENCB *cb);
103 
104 /* RSA_generate_multi_prime_key acts like |RSA_generate_key_ex| but can
105  * generate an RSA private key with more than two primes. */
106 OPENSSL_EXPORT int RSA_generate_multi_prime_key(RSA *rsa, int bits,
107                                                 int num_primes, BIGNUM *e,
108                                                 BN_GENCB *cb);
109 
110 
111 /* Encryption / Decryption */
112 
113 /* Padding types for encryption. */
114 #define RSA_PKCS1_PADDING 1
115 #define RSA_NO_PADDING 3
116 #define RSA_PKCS1_OAEP_PADDING 4
117 /* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */
118 #define RSA_PKCS1_PSS_PADDING 6
119 
120 /* RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa|
121  * and writes, at most, |max_out| bytes of encrypted data to |out|. The
122  * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
123  *
124  * It returns 1 on success or zero on error.
125  *
126  * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
127  * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
128  * |RSA_PKCS1_PADDING| is most common. */
129 OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out,
130                                size_t max_out, const uint8_t *in, size_t in_len,
131                                int padding);
132 
133 /* RSA_decrypt decrypts |in_len| bytes from |in| with the private key from
134  * |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The
135  * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
136  *
137  * It returns 1 on success or zero on error.
138  *
139  * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
140  * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols.
141  *
142  * Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If
143  * implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then
144  * check padding in constant-time combined with a swap to a random session key
145  * or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based
146  * on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in
147  * Cryptology (Crypto '98). */
148 OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out,
149                                size_t max_out, const uint8_t *in, size_t in_len,
150                                int padding);
151 
152 /* RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in
153  * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
154  * least |RSA_size| bytes of space. It returns the number of bytes written, or
155  * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
156  * values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
157  * |RSA_PKCS1_PADDING| is most common.
158  *
159  * WARNING: this function is dangerous because it breaks the usual return value
160  * convention. Use |RSA_encrypt| instead. */
161 OPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from,
162                                       uint8_t *to, RSA *rsa, int padding);
163 
164 /* RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in
165  * |rsa| and writes the plaintext to |to|. The |to| buffer must have at least
166  * |RSA_size| bytes of space. It returns the number of bytes written, or -1 on
167  * error. The |padding| argument must be one of the |RSA_*_PADDING| values. If
168  * in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing
169  * |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See
170  * |RSA_decrypt|.
171  *
172  * WARNING: this function is dangerous because it breaks the usual return value
173  * convention. Use |RSA_decrypt| instead. */
174 OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,
175                                        uint8_t *to, RSA *rsa, int padding);
176 
177 
178 /* Signing / Verification */
179 
180 /* RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using
181  * RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On
182  * successful return, the actual number of bytes written is written to
183  * |*out_len|.
184  *
185  * The |hash_nid| argument identifies the hash function used to calculate |in|
186  * and is embedded in the resulting signature. For example, it might be
187  * |NID_sha256|.
188  *
189  * It returns 1 on success and zero on error. */
190 OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in,
191                             unsigned int in_len, uint8_t *out,
192                             unsigned int *out_len, RSA *rsa);
193 
194 /* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa|
195  * and writes, at most, |max_out| bytes of signature data to |out|. The
196  * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
197  *
198  * It returns 1 on success or zero on error.
199  *
200  * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
201  * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
202  * (via the |EVP_PKEY| interface) is preferred for new protocols. */
203 OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
204                                 size_t max_out, const uint8_t *in,
205                                 size_t in_len, int padding);
206 
207 /* RSA_verify verifies that |sig_len| bytes from |sig| are a valid,
208  * RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|.
209  *
210  * The |hash_nid| argument identifies the hash function used to calculate |in|
211  * and is embedded in the resulting signature in order to prevent hash
212  * confusion attacks. For example, it might be |NID_sha256|.
213  *
214  * It returns one if the signature is valid and zero otherwise.
215  *
216  * WARNING: this differs from the original, OpenSSL function which additionally
217  * returned -1 on error. */
218 OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
219                               const uint8_t *sig, size_t sig_len, RSA *rsa);
220 
221 /* RSA_verify_raw verifies |in_len| bytes of signature from |in| using the
222  * public key from |rsa| and writes, at most, |max_out| bytes of plaintext to
223  * |out|. The |max_out| argument must be, at least, |RSA_size| in order to
224  * ensure success.
225  *
226  * It returns 1 on success or zero on error.
227  *
228  * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
229  * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
230  * (via the |EVP_PKEY| interface) is preferred for new protocols. */
231 OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
232                                   size_t max_out, const uint8_t *in,
233                                   size_t in_len, int padding);
234 
235 /* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
236  * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
237  * least |RSA_size| bytes of space. It returns the number of bytes written, or
238  * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
239  * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but
240  * |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new
241  * protocols.
242  *
243  * WARNING: this function is dangerous because it breaks the usual return value
244  * convention. Use |RSA_sign_raw| instead. */
245 OPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from,
246                                        uint8_t *to, RSA *rsa, int padding);
247 
248 /* RSA_public_decrypt verifies |flen| bytes of signature from |from| using the
249  * public key in |rsa| and writes the plaintext to |to|. The |to| buffer must
250  * have at least |RSA_size| bytes of space. It returns the number of bytes
251  * written, or -1 on error. The |padding| argument must be one of the
252  * |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common
253  * but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for
254  * new protocols.
255  *
256  * WARNING: this function is dangerous because it breaks the usual return value
257  * convention. Use |RSA_verify_raw| instead. */
258 OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from,
259                                       uint8_t *to, RSA *rsa, int padding);
260 
261 
262 /* Utility functions. */
263 
264 /* RSA_size returns the number of bytes in the modulus, which is also the size
265  * of a signature or encrypted value using |rsa|. */
266 OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
267 
268 /* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
269  * material. Otherwise it returns zero. */
270 OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa);
271 
272 /* RSA_supports_digest returns one if |rsa| supports signing digests
273  * of type |md|. Otherwise it returns zero. */
274 OPENSSL_EXPORT int RSA_supports_digest(const RSA *rsa, const EVP_MD *md);
275 
276 /* RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from
277  * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
278 OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa);
279 
280 /* RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from
281  * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
282 OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa);
283 
284 /* RSA_check_key performs basic validatity tests on |rsa|. It returns one if
285  * they pass and zero otherwise. Opaque keys and public keys always pass. If it
286  * returns zero then a more detailed error is available on the error queue. */
287 OPENSSL_EXPORT int RSA_check_key(const RSA *rsa);
288 
289 /* RSA_recover_crt_params uses |rsa->n|, |rsa->d| and |rsa->e| in order to
290  * calculate the two primes used and thus the precomputed, CRT values. These
291  * values are set in the |p|, |q|, |dmp1|, |dmq1| and |iqmp| members of |rsa|,
292  * which must be |NULL| on entry. It returns one on success and zero
293  * otherwise. */
294 OPENSSL_EXPORT int RSA_recover_crt_params(RSA *rsa);
295 
296 /* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
297  * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to
298  * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the
299  * hash function for generating the mask. If NULL, |Hash| is used. The |sLen|
300  * argument specifies the expected salt length in bytes. If |sLen| is -1 then
301  * the salt length is the same as the hash length. If -2, then the salt length
302  * is maximal and is taken from the size of |EM|.
303  *
304  * It returns one on success or zero on error. */
305 OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
306                                              const EVP_MD *Hash,
307                                              const EVP_MD *mgf1Hash,
308                                              const uint8_t *EM, int sLen);
309 
310 /* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|,
311  * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of
312  * output will be written to |EM|. The |mgf1Hash| argument specifies the hash
313  * function for generating the mask. If NULL, |Hash| is used. The |sLen|
314  * argument specifies the expected salt length in bytes. If |sLen| is -1 then
315  * the salt length is the same as the hash length. If -2, then the salt length
316  * is maximal given the space in |EM|.
317  *
318  * It returns one on success or zero on error. */
319 OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM,
320                                                   const uint8_t *mHash,
321                                                   const EVP_MD *Hash,
322                                                   const EVP_MD *mgf1Hash,
323                                                   int sLen);
324 
325 /* RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo
326  * header for the given hash function and sets |out_msg| to point to it. On
327  * successful return, |*out_msg| may be allocated memory and, if so,
328  * |*is_alloced| will be 1. */
329 OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
330                                         int *is_alloced, int hash_nid,
331                                         const uint8_t *msg, size_t msg_len);
332 
333 
334 /* ASN.1 functions. */
335 
336 /* RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447)
337  * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
338  * error. */
339 OPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs);
340 
341 /* RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it
342  * tolerates some invalid encodings. Do not use this function. */
343 OPENSSL_EXPORT RSA *RSA_parse_public_key_buggy(CBS *cbs);
344 
345 /* RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure
346  * (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */
347 OPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len);
348 
349 /* RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure
350  * (RFC 3447) and appends the result to |cbb|. It returns one on success and
351  * zero on failure. */
352 OPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa);
353 
354 /* RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey
355  * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
356  * buffer containing the result and returns one. Otherwise, it returns zero. The
357  * result should be freed with |OPENSSL_free|. */
358 OPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
359                                            const RSA *rsa);
360 
361 /* RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447)
362  * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
363  * error. */
364 OPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs);
365 
366 /* RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey
367  * structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */
368 OPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in,
369                                                size_t in_len);
370 
371 /* RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey
372  * structure (RFC 3447) and appends the result to |cbb|. It returns one on
373  * success and zero on failure. */
374 OPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa);
375 
376 /* RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey
377  * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
378  * buffer containing the result and returns one. Otherwise, it returns zero. The
379  * result should be freed with |OPENSSL_free|. */
380 OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes,
381                                             size_t *out_len, const RSA *rsa);
382 
383 
384 /* ex_data functions.
385  *
386  * See |ex_data.h| for details. */
387 
388 OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp,
389                                         CRYPTO_EX_unused *unused,
390                                         CRYPTO_EX_dup *dup_func,
391                                         CRYPTO_EX_free *free_func);
392 OPENSSL_EXPORT int RSA_set_ex_data(RSA *r, int idx, void *arg);
393 OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *r, int idx);
394 
395 
396 /* Flags. */
397 
398 /* RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key
399  * material. This may be set if, for instance, it is wrapping some other crypto
400  * API, like a platform key store. */
401 #define RSA_FLAG_OPAQUE 1
402 
403 /* RSA_FLAG_CACHE_PUBLIC causes a precomputed Montgomery context to be created,
404  * on demand, for the public key operations. */
405 #define RSA_FLAG_CACHE_PUBLIC 2
406 
407 /* RSA_FLAG_CACHE_PRIVATE causes a precomputed Montgomery context to be
408  * created, on demand, for the private key operations. */
409 #define RSA_FLAG_CACHE_PRIVATE 4
410 
411 /* RSA_FLAG_NO_BLINDING disables blinding of private operations. */
412 #define RSA_FLAG_NO_BLINDING 8
413 
414 /* RSA_FLAG_EXT_PKEY means that private key operations will be handled by
415  * |mod_exp| and that they do not depend on the private key components being
416  * present: for example a key stored in external hardware. */
417 #define RSA_FLAG_EXT_PKEY 0x20
418 
419 /* RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st|
420  * to be called when set. */
421 #define RSA_FLAG_SIGN_VER 0x40
422 
423 
424 /* RSA public exponent values. */
425 
426 #define RSA_3 0x3
427 #define RSA_F4 0x10001
428 
429 
430 /* Deprecated functions. */
431 
432 /* RSA_blinding_on returns one. */
433 OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
434 
435 /* RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you
436  * should use instead. It returns NULL on error, or a newly-allocated |RSA| on
437  * success. This function is provided for compatibility only. The |callback|
438  * and |cb_arg| parameters must be NULL. */
439 OPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback,
440                                      void *cb_arg);
441 
442 /* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len|
443  * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
444  * is in |*out|. If |*out| is already non-NULL on entry then the result is
445  * written directly into |*out|, otherwise a fresh |RSA| is allocated. On
446  * successful exit, |*inp| is advanced past the DER structure. It returns the
447  * result or NULL on error. */
448 OPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len);
449 
450 /* i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not
451  * NULL then the result is written to |*outp| and |*outp| is advanced just past
452  * the output. It returns the number of bytes in the result, whether written or
453  * not, or a negative value on error. */
454 OPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp);
455 
456 /* d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len|
457  * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
458  * is in |*out|. If |*out| is already non-NULL on entry then the result is
459  * written directly into |*out|, otherwise a fresh |RSA| is allocated. On
460  * successful exit, |*inp| is advanced past the DER structure. It returns the
461  * result or NULL on error. */
462 OPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len);
463 
464 /* i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not
465  * NULL then the result is written to |*outp| and |*outp| is advanced just past
466  * the output. It returns the number of bytes in the result, whether written or
467  * not, or a negative value on error. */
468 OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp);
469 
470 typedef struct rsa_pss_params_st {
471   X509_ALGOR *hashAlgorithm;
472   X509_ALGOR *maskGenAlgorithm;
473   ASN1_INTEGER *saltLength;
474   ASN1_INTEGER *trailerField;
475 } RSA_PSS_PARAMS;
476 
477 DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
478 
479 
480 struct rsa_meth_st {
481   struct openssl_method_common_st common;
482 
483   void *app_data;
484 
485   int (*init)(RSA *rsa);
486   int (*finish)(RSA *rsa);
487 
488   /* size returns the size of the RSA modulus in bytes. */
489   size_t (*size)(const RSA *rsa);
490 
491   int (*sign)(int type, const uint8_t *m, unsigned int m_length,
492               uint8_t *sigret, unsigned int *siglen, const RSA *rsa);
493 
494   int (*verify)(int dtype, const uint8_t *m, unsigned int m_length,
495                 const uint8_t *sigbuf, unsigned int siglen, const RSA *rsa);
496 
497 
498   /* These functions mirror the |RSA_*| functions of the same name. */
499   int (*encrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
500                  const uint8_t *in, size_t in_len, int padding);
501   int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
502                   const uint8_t *in, size_t in_len, int padding);
503 
504   int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
505                  const uint8_t *in, size_t in_len, int padding);
506   int (*verify_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
507                     const uint8_t *in, size_t in_len, int padding);
508 
509   /* private_transform takes a big-endian integer from |in|, calculates the
510    * d'th power of it, modulo the RSA modulus and writes the result as a
511    * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and
512    * |len| is always equal to |RSA_size(rsa)|. If the result of the transform
513    * can be represented in fewer than |len| bytes, then |out| must be zero
514    * padded on the left.
515    *
516    * It returns one on success and zero otherwise.
517    *
518    * RSA decrypt and sign operations will call this, thus an ENGINE might wish
519    * to override it in order to avoid having to implement the padding
520    * functionality demanded by those, higher level, operations. */
521   int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in,
522                            size_t len);
523 
524   int (*mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
525                  BN_CTX *ctx); /* Can be null */
526   int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
527                     const BIGNUM *m, BN_CTX *ctx,
528                     const BN_MONT_CTX *mont);
529 
530   int flags;
531 
532   int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
533 
534   int (*multi_prime_keygen)(RSA *rsa, int bits, int num_primes, BIGNUM *e,
535                             BN_GENCB *cb);
536 
537   /* supports_digest returns one if |rsa| supports digests of type
538    * |md|. If null, it is assumed that all digests are supported. */
539   int (*supports_digest)(const RSA *rsa, const EVP_MD *md);
540 };
541 
542 
543 /* Private functions. */
544 
545 typedef struct bn_blinding_st BN_BLINDING;
546 
547 struct rsa_st {
548   RSA_METHOD *meth;
549 
550   BIGNUM *n;
551   BIGNUM *e;
552   BIGNUM *d;
553   BIGNUM *p;
554   BIGNUM *q;
555   BIGNUM *dmp1;
556   BIGNUM *dmq1;
557   BIGNUM *iqmp;
558 
559   STACK_OF(RSA_additional_prime) *additional_primes;
560 
561   /* be careful using this if the RSA structure is shared */
562   CRYPTO_EX_DATA ex_data;
563   CRYPTO_refcount_t references;
564   int flags;
565 
566   CRYPTO_MUTEX lock;
567 
568   /* Used to cache montgomery values. The creation of these values is protected
569    * by |lock|. */
570   BN_MONT_CTX *mont_n;
571   BN_MONT_CTX *mont_p;
572   BN_MONT_CTX *mont_q;
573 
574   /* num_blindings contains the size of the |blindings| and |blindings_inuse|
575    * arrays. This member and the |blindings_inuse| array are protected by
576    * |lock|. */
577   unsigned num_blindings;
578   /* blindings is an array of BN_BLINDING structures that can be reserved by a
579    * thread by locking |lock| and changing the corresponding element in
580    * |blindings_inuse| from 0 to 1. */
581   BN_BLINDING **blindings;
582   unsigned char *blindings_inuse;
583 };
584 
585 
586 #if defined(__cplusplus)
587 }  /* extern C */
588 #endif
589 
590 #define RSA_R_BAD_E_VALUE 100
591 #define RSA_R_BAD_FIXED_HEADER_DECRYPT 101
592 #define RSA_R_BAD_PAD_BYTE_COUNT 102
593 #define RSA_R_BAD_RSA_PARAMETERS 103
594 #define RSA_R_BAD_SIGNATURE 104
595 #define RSA_R_BLOCK_TYPE_IS_NOT_01 105
596 #define RSA_R_BN_NOT_INITIALIZED 106
597 #define RSA_R_CRT_PARAMS_ALREADY_GIVEN 107
598 #define RSA_R_CRT_VALUES_INCORRECT 108
599 #define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 109
600 #define RSA_R_DATA_TOO_LARGE 110
601 #define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 111
602 #define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 112
603 #define RSA_R_DATA_TOO_SMALL 113
604 #define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 114
605 #define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 115
606 #define RSA_R_D_E_NOT_CONGRUENT_TO_1 116
607 #define RSA_R_EMPTY_PUBLIC_KEY 117
608 #define RSA_R_FIRST_OCTET_INVALID 118
609 #define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 119
610 #define RSA_R_INTERNAL_ERROR 120
611 #define RSA_R_INVALID_MESSAGE_LENGTH 121
612 #define RSA_R_KEY_SIZE_TOO_SMALL 122
613 #define RSA_R_LAST_OCTET_INVALID 123
614 #define RSA_R_MODULUS_TOO_LARGE 124
615 #define RSA_R_NO_PUBLIC_EXPONENT 125
616 #define RSA_R_NULL_BEFORE_BLOCK_MISSING 126
617 #define RSA_R_N_NOT_EQUAL_P_Q 127
618 #define RSA_R_OAEP_DECODING_ERROR 128
619 #define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 129
620 #define RSA_R_OUTPUT_BUFFER_TOO_SMALL 130
621 #define RSA_R_PADDING_CHECK_FAILED 131
622 #define RSA_R_PKCS_DECODING_ERROR 132
623 #define RSA_R_SLEN_CHECK_FAILED 133
624 #define RSA_R_SLEN_RECOVERY_FAILED 134
625 #define RSA_R_TOO_LONG 135
626 #define RSA_R_TOO_MANY_ITERATIONS 136
627 #define RSA_R_UNKNOWN_ALGORITHM_TYPE 137
628 #define RSA_R_UNKNOWN_PADDING_TYPE 138
629 #define RSA_R_VALUE_MISSING 139
630 #define RSA_R_WRONG_SIGNATURE_LENGTH 140
631 #define RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES 141
632 #define RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY 142
633 #define RSA_R_BAD_ENCODING 143
634 #define RSA_R_ENCODE_ERROR 144
635 #define RSA_R_BAD_VERSION 145
636 
637 #endif  /* OPENSSL_HEADER_RSA_H */
638