1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2 * project 2006.
3 */
4 /* ====================================================================
5 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com). */
55
56 #include <openssl/evp.h>
57
58 #include <limits.h>
59 #include <string.h>
60
61 #include <openssl/bn.h>
62 #include <openssl/buf.h>
63 #include <openssl/bytestring.h>
64 #include <openssl/digest.h>
65 #include <openssl/err.h>
66 #include <openssl/mem.h>
67 #include <openssl/nid.h>
68 #include <openssl/rsa.h>
69
70 #include "../internal.h"
71 #include "../fipsmodule/rsa/internal.h"
72 #include "internal.h"
73
74
75 typedef struct {
76 /* Key gen parameters */
77 int nbits;
78 BIGNUM *pub_exp;
79 /* RSA padding mode */
80 int pad_mode;
81 /* message digest */
82 const EVP_MD *md;
83 /* message digest for MGF1 */
84 const EVP_MD *mgf1md;
85 /* PSS salt length */
86 int saltlen;
87 /* tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
88 * It's used to store the output of RSA operations. */
89 uint8_t *tbuf;
90 /* OAEP label */
91 uint8_t *oaep_label;
92 size_t oaep_labellen;
93 } RSA_PKEY_CTX;
94
pkey_rsa_init(EVP_PKEY_CTX * ctx)95 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
96 RSA_PKEY_CTX *rctx;
97 rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
98 if (!rctx) {
99 return 0;
100 }
101 OPENSSL_memset(rctx, 0, sizeof(RSA_PKEY_CTX));
102
103 rctx->nbits = 2048;
104 rctx->pad_mode = RSA_PKCS1_PADDING;
105 rctx->saltlen = -2;
106
107 ctx->data = rctx;
108
109 return 1;
110 }
111
pkey_rsa_copy(EVP_PKEY_CTX * dst,EVP_PKEY_CTX * src)112 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
113 RSA_PKEY_CTX *dctx, *sctx;
114 if (!pkey_rsa_init(dst)) {
115 return 0;
116 }
117 sctx = src->data;
118 dctx = dst->data;
119 dctx->nbits = sctx->nbits;
120 if (sctx->pub_exp) {
121 dctx->pub_exp = BN_dup(sctx->pub_exp);
122 if (!dctx->pub_exp) {
123 return 0;
124 }
125 }
126
127 dctx->pad_mode = sctx->pad_mode;
128 dctx->md = sctx->md;
129 dctx->mgf1md = sctx->mgf1md;
130 if (sctx->oaep_label) {
131 OPENSSL_free(dctx->oaep_label);
132 dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen);
133 if (!dctx->oaep_label) {
134 return 0;
135 }
136 dctx->oaep_labellen = sctx->oaep_labellen;
137 }
138
139 return 1;
140 }
141
pkey_rsa_cleanup(EVP_PKEY_CTX * ctx)142 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) {
143 RSA_PKEY_CTX *rctx = ctx->data;
144
145 if (rctx == NULL) {
146 return;
147 }
148
149 BN_free(rctx->pub_exp);
150 OPENSSL_free(rctx->tbuf);
151 OPENSSL_free(rctx->oaep_label);
152 OPENSSL_free(rctx);
153 }
154
setup_tbuf(RSA_PKEY_CTX * ctx,EVP_PKEY_CTX * pk)155 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) {
156 if (ctx->tbuf) {
157 return 1;
158 }
159 ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
160 if (!ctx->tbuf) {
161 return 0;
162 }
163 return 1;
164 }
165
pkey_rsa_sign(EVP_PKEY_CTX * ctx,uint8_t * sig,size_t * siglen,const uint8_t * tbs,size_t tbslen)166 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
167 const uint8_t *tbs, size_t tbslen) {
168 RSA_PKEY_CTX *rctx = ctx->data;
169 RSA *rsa = ctx->pkey->pkey.rsa;
170 const size_t key_len = EVP_PKEY_size(ctx->pkey);
171
172 if (!sig) {
173 *siglen = key_len;
174 return 1;
175 }
176
177 if (*siglen < key_len) {
178 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
179 return 0;
180 }
181
182 if (rctx->md) {
183 unsigned out_len;
184 switch (rctx->pad_mode) {
185 case RSA_PKCS1_PADDING:
186 if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) {
187 return 0;
188 }
189 *siglen = out_len;
190 return 1;
191
192 case RSA_PKCS1_PSS_PADDING:
193 return RSA_sign_pss_mgf1(rsa, siglen, sig, *siglen, tbs, tbslen,
194 rctx->md, rctx->mgf1md, rctx->saltlen);
195
196 default:
197 return 0;
198 }
199 }
200
201 return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode);
202 }
203
pkey_rsa_verify(EVP_PKEY_CTX * ctx,const uint8_t * sig,size_t siglen,const uint8_t * tbs,size_t tbslen)204 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,
205 size_t siglen, const uint8_t *tbs,
206 size_t tbslen) {
207 RSA_PKEY_CTX *rctx = ctx->data;
208 RSA *rsa = ctx->pkey->pkey.rsa;
209
210 if (rctx->md) {
211 switch (rctx->pad_mode) {
212 case RSA_PKCS1_PADDING:
213 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa);
214
215 case RSA_PKCS1_PSS_PADDING:
216 return RSA_verify_pss_mgf1(rsa, tbs, tbslen, rctx->md, rctx->mgf1md,
217 rctx->saltlen, sig, siglen);
218
219 default:
220 return 0;
221 }
222 }
223
224 size_t rslen;
225 const size_t key_len = EVP_PKEY_size(ctx->pkey);
226 if (!setup_tbuf(rctx, ctx) ||
227 !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,
228 rctx->pad_mode) ||
229 rslen != tbslen ||
230 CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) {
231 return 0;
232 }
233
234 return 1;
235 }
236
pkey_rsa_verify_recover(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * out_len,const uint8_t * sig,size_t sig_len)237 static int pkey_rsa_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,
238 size_t *out_len, const uint8_t *sig,
239 size_t sig_len) {
240 RSA_PKEY_CTX *rctx = ctx->data;
241 RSA *rsa = ctx->pkey->pkey.rsa;
242 const size_t key_len = EVP_PKEY_size(ctx->pkey);
243
244 if (out == NULL) {
245 *out_len = key_len;
246 return 1;
247 }
248
249 if (*out_len < key_len) {
250 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
251 return 0;
252 }
253
254 if (rctx->md == NULL) {
255 return RSA_verify_raw(rsa, out_len, out, *out_len, sig, sig_len,
256 rctx->pad_mode);
257 }
258
259 if (rctx->pad_mode != RSA_PKCS1_PADDING) {
260 return 0;
261 }
262
263 /* Assemble the encoded hash, using a placeholder hash value. */
264 static const uint8_t kDummyHash[EVP_MAX_MD_SIZE] = {0};
265 const size_t hash_len = EVP_MD_size(rctx->md);
266 uint8_t *asn1_prefix;
267 size_t asn1_prefix_len;
268 int asn1_prefix_allocated;
269 if (!setup_tbuf(rctx, ctx) ||
270 !RSA_add_pkcs1_prefix(&asn1_prefix, &asn1_prefix_len,
271 &asn1_prefix_allocated, EVP_MD_type(rctx->md),
272 kDummyHash, hash_len)) {
273 return 0;
274 }
275
276 size_t rslen;
277 int ok = 1;
278 if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len,
279 RSA_PKCS1_PADDING) ||
280 rslen != asn1_prefix_len ||
281 /* Compare all but the hash suffix. */
282 CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len - hash_len) != 0) {
283 ok = 0;
284 }
285
286 if (asn1_prefix_allocated) {
287 OPENSSL_free(asn1_prefix);
288 }
289
290 if (!ok) {
291 return 0;
292 }
293
294 if (out != NULL) {
295 OPENSSL_memcpy(out, rctx->tbuf + rslen - hash_len, hash_len);
296 }
297 *out_len = hash_len;
298
299 return 1;
300 }
301
pkey_rsa_encrypt(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * outlen,const uint8_t * in,size_t inlen)302 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
303 const uint8_t *in, size_t inlen) {
304 RSA_PKEY_CTX *rctx = ctx->data;
305 RSA *rsa = ctx->pkey->pkey.rsa;
306 const size_t key_len = EVP_PKEY_size(ctx->pkey);
307
308 if (!out) {
309 *outlen = key_len;
310 return 1;
311 }
312
313 if (*outlen < key_len) {
314 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
315 return 0;
316 }
317
318 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
319 if (!setup_tbuf(rctx, ctx) ||
320 !RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen,
321 rctx->oaep_label, rctx->oaep_labellen,
322 rctx->md, rctx->mgf1md) ||
323 !RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len,
324 RSA_NO_PADDING)) {
325 return 0;
326 }
327 return 1;
328 }
329
330 return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode);
331 }
332
pkey_rsa_decrypt(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * outlen,const uint8_t * in,size_t inlen)333 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
334 size_t *outlen, const uint8_t *in,
335 size_t inlen) {
336 RSA_PKEY_CTX *rctx = ctx->data;
337 RSA *rsa = ctx->pkey->pkey.rsa;
338 const size_t key_len = EVP_PKEY_size(ctx->pkey);
339
340 if (!out) {
341 *outlen = key_len;
342 return 1;
343 }
344
345 if (*outlen < key_len) {
346 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
347 return 0;
348 }
349
350 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
351 size_t padded_len;
352 if (!setup_tbuf(rctx, ctx) ||
353 !RSA_decrypt(rsa, &padded_len, rctx->tbuf, key_len, in, inlen,
354 RSA_NO_PADDING) ||
355 !RSA_padding_check_PKCS1_OAEP_mgf1(
356 out, outlen, key_len, rctx->tbuf, padded_len, rctx->oaep_label,
357 rctx->oaep_labellen, rctx->md, rctx->mgf1md)) {
358 return 0;
359 }
360 return 1;
361 }
362
363 return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode);
364 }
365
check_padding_md(const EVP_MD * md,int padding)366 static int check_padding_md(const EVP_MD *md, int padding) {
367 if (!md) {
368 return 1;
369 }
370
371 if (padding == RSA_NO_PADDING) {
372 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
373 return 0;
374 }
375
376 return 1;
377 }
378
is_known_padding(int padding_mode)379 static int is_known_padding(int padding_mode) {
380 switch (padding_mode) {
381 case RSA_PKCS1_PADDING:
382 case RSA_NO_PADDING:
383 case RSA_PKCS1_OAEP_PADDING:
384 case RSA_PKCS1_PSS_PADDING:
385 return 1;
386 default:
387 return 0;
388 }
389 }
390
pkey_rsa_ctrl(EVP_PKEY_CTX * ctx,int type,int p1,void * p2)391 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
392 RSA_PKEY_CTX *rctx = ctx->data;
393 switch (type) {
394 case EVP_PKEY_CTRL_RSA_PADDING:
395 if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) ||
396 (p1 == RSA_PKCS1_PSS_PADDING &&
397 0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) ||
398 (p1 == RSA_PKCS1_OAEP_PADDING &&
399 0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) {
400 OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
401 return 0;
402 }
403 if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) &&
404 rctx->md == NULL) {
405 rctx->md = EVP_sha1();
406 }
407 rctx->pad_mode = p1;
408 return 1;
409
410 case EVP_PKEY_CTRL_GET_RSA_PADDING:
411 *(int *)p2 = rctx->pad_mode;
412 return 1;
413
414 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
415 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
416 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
417 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN);
418 return 0;
419 }
420 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
421 *(int *)p2 = rctx->saltlen;
422 } else {
423 if (p1 < -2) {
424 return 0;
425 }
426 rctx->saltlen = p1;
427 }
428 return 1;
429
430 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
431 if (p1 < 256) {
432 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS);
433 return 0;
434 }
435 rctx->nbits = p1;
436 return 1;
437
438 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
439 if (!p2) {
440 return 0;
441 }
442 BN_free(rctx->pub_exp);
443 rctx->pub_exp = p2;
444 return 1;
445
446 case EVP_PKEY_CTRL_RSA_OAEP_MD:
447 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
448 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
449 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
450 return 0;
451 }
452 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {
453 *(const EVP_MD **)p2 = rctx->md;
454 } else {
455 rctx->md = p2;
456 }
457 return 1;
458
459 case EVP_PKEY_CTRL_MD:
460 if (!check_padding_md(p2, rctx->pad_mode)) {
461 return 0;
462 }
463 rctx->md = p2;
464 return 1;
465
466 case EVP_PKEY_CTRL_GET_MD:
467 *(const EVP_MD **)p2 = rctx->md;
468 return 1;
469
470 case EVP_PKEY_CTRL_RSA_MGF1_MD:
471 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
472 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
473 rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
474 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD);
475 return 0;
476 }
477 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
478 if (rctx->mgf1md) {
479 *(const EVP_MD **)p2 = rctx->mgf1md;
480 } else {
481 *(const EVP_MD **)p2 = rctx->md;
482 }
483 } else {
484 rctx->mgf1md = p2;
485 }
486 return 1;
487
488 case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
489 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
490 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
491 return 0;
492 }
493 OPENSSL_free(rctx->oaep_label);
494 if (p2 && p1 > 0) {
495 rctx->oaep_label = p2;
496 rctx->oaep_labellen = p1;
497 } else {
498 rctx->oaep_label = NULL;
499 rctx->oaep_labellen = 0;
500 }
501 return 1;
502
503 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
504 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
505 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
506 return 0;
507 }
508 CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);
509 return 1;
510
511 default:
512 OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
513 return 0;
514 }
515 }
516
pkey_rsa_keygen(EVP_PKEY_CTX * ctx,EVP_PKEY * pkey)517 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
518 RSA *rsa = NULL;
519 RSA_PKEY_CTX *rctx = ctx->data;
520
521 if (!rctx->pub_exp) {
522 rctx->pub_exp = BN_new();
523 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) {
524 return 0;
525 }
526 }
527 rsa = RSA_new();
528 if (!rsa) {
529 return 0;
530 }
531
532 if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL)) {
533 RSA_free(rsa);
534 return 0;
535 }
536
537 EVP_PKEY_assign_RSA(pkey, rsa);
538 return 1;
539 }
540
541 const EVP_PKEY_METHOD rsa_pkey_meth = {
542 EVP_PKEY_RSA,
543 pkey_rsa_init,
544 pkey_rsa_copy,
545 pkey_rsa_cleanup,
546 pkey_rsa_keygen,
547 pkey_rsa_sign,
548 NULL /* sign_message */,
549 pkey_rsa_verify,
550 NULL /* verify_message */,
551 pkey_rsa_verify_recover,
552 pkey_rsa_encrypt,
553 pkey_rsa_decrypt,
554 0 /* derive */,
555 pkey_rsa_ctrl,
556 };
557
EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX * ctx,int padding)558 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) {
559 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING,
560 padding, NULL);
561 }
562
EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX * ctx,int * out_padding)563 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) {
564 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,
565 0, out_padding);
566 }
567
EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int salt_len)568 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
569 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
570 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
571 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL);
572 }
573
EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int * out_salt_len)574 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) {
575 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
576 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
577 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len);
578 }
579
EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX * ctx,int bits)580 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) {
581 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
582 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL);
583 }
584
EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX * ctx,BIGNUM * e)585 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) {
586 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
587 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e);
588 }
589
EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)590 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
591 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
592 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);
593 }
594
EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD ** out_md)595 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
596 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
597 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void*) out_md);
598 }
599
EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)600 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
601 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
602 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
603 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void*) md);
604 }
605
EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD ** out_md)606 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
607 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
608 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
609 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void*) out_md);
610 }
611
EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX * ctx,uint8_t * label,size_t label_len)612 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label,
613 size_t label_len) {
614 if (label_len > INT_MAX) {
615 return 0;
616 }
617
618 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
619 EVP_PKEY_CTRL_RSA_OAEP_LABEL, (int)label_len,
620 (void *)label);
621 }
622
EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX * ctx,const uint8_t ** out_label)623 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
624 const uint8_t **out_label) {
625 CBS label;
626 if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
627 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {
628 return -1;
629 }
630 if (CBS_len(&label) > INT_MAX) {
631 OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
632 return -1;
633 }
634 *out_label = CBS_data(&label);
635 return (int)CBS_len(&label);
636 }
637