Home | History | Annotate | Download | only in evp
      1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL
      2  * project 2006.
      3  */
      4 /* ====================================================================
      5  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
      6  *
      7  * Redistribution and use in source and binary forms, with or without
      8  * modification, are permitted provided that the following conditions
      9  * are met:
     10  *
     11  * 1. Redistributions of source code must retain the above copyright
     12  *    notice, this list of conditions and the following disclaimer.
     13  *
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in
     16  *    the documentation and/or other materials provided with the
     17  *    distribution.
     18  *
     19  * 3. All advertising materials mentioning features or use of this
     20  *    software must display the following acknowledgment:
     21  *    "This product includes software developed by the OpenSSL Project
     22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
     23  *
     24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     25  *    endorse or promote products derived from this software without
     26  *    prior written permission. For written permission, please contact
     27  *    licensing (at) OpenSSL.org.
     28  *
     29  * 5. Products derived from this software may not be called "OpenSSL"
     30  *    nor may "OpenSSL" appear in their names without prior written
     31  *    permission of the OpenSSL Project.
     32  *
     33  * 6. Redistributions of any form whatsoever must retain the following
     34  *    acknowledgment:
     35  *    "This product includes software developed by the OpenSSL Project
     36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
     37  *
     38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     49  * OF THE POSSIBILITY OF SUCH DAMAGE.
     50  * ====================================================================
     51  *
     52  * This product includes cryptographic software written by Eric Young
     53  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     54  * Hudson (tjh (at) cryptsoft.com). */
     55 
     56 #include <openssl/evp.h>
     57 
     58 #include <limits.h>
     59 #include <string.h>
     60 
     61 #include <openssl/bn.h>
     62 #include <openssl/buf.h>
     63 #include <openssl/bytestring.h>
     64 #include <openssl/digest.h>
     65 #include <openssl/err.h>
     66 #include <openssl/mem.h>
     67 #include <openssl/obj.h>
     68 #include <openssl/rsa.h>
     69 
     70 #include "../rsa/internal.h"
     71 #include "internal.h"
     72 
     73 
     74 typedef struct {
     75   /* Key gen parameters */
     76   int nbits;
     77   BIGNUM *pub_exp;
     78   /* RSA padding mode */
     79   int pad_mode;
     80   /* message digest */
     81   const EVP_MD *md;
     82   /* message digest for MGF1 */
     83   const EVP_MD *mgf1md;
     84   /* PSS salt length */
     85   int saltlen;
     86   /* tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
     87    * It's used to store the output of RSA operations. */
     88   uint8_t *tbuf;
     89   /* OAEP label */
     90   uint8_t *oaep_label;
     91   size_t oaep_labellen;
     92 } RSA_PKEY_CTX;
     93 
     94 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
     95   RSA_PKEY_CTX *rctx;
     96   rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
     97   if (!rctx) {
     98     return 0;
     99   }
    100   memset(rctx, 0, sizeof(RSA_PKEY_CTX));
    101 
    102   rctx->nbits = 2048;
    103   rctx->pad_mode = RSA_PKCS1_PADDING;
    104   rctx->saltlen = -2;
    105 
    106   ctx->data = rctx;
    107 
    108   return 1;
    109 }
    110 
    111 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
    112   RSA_PKEY_CTX *dctx, *sctx;
    113   if (!pkey_rsa_init(dst)) {
    114     return 0;
    115   }
    116   sctx = src->data;
    117   dctx = dst->data;
    118   dctx->nbits = sctx->nbits;
    119   if (sctx->pub_exp) {
    120     dctx->pub_exp = BN_dup(sctx->pub_exp);
    121     if (!dctx->pub_exp) {
    122       return 0;
    123     }
    124   }
    125 
    126   dctx->pad_mode = sctx->pad_mode;
    127   dctx->md = sctx->md;
    128   dctx->mgf1md = sctx->mgf1md;
    129   if (sctx->oaep_label) {
    130     OPENSSL_free(dctx->oaep_label);
    131     dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen);
    132     if (!dctx->oaep_label) {
    133       return 0;
    134     }
    135     dctx->oaep_labellen = sctx->oaep_labellen;
    136   }
    137 
    138   return 1;
    139 }
    140 
    141 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) {
    142   RSA_PKEY_CTX *rctx = ctx->data;
    143 
    144   if (rctx == NULL) {
    145     return;
    146   }
    147 
    148   BN_free(rctx->pub_exp);
    149   OPENSSL_free(rctx->tbuf);
    150   OPENSSL_free(rctx->oaep_label);
    151   OPENSSL_free(rctx);
    152 }
    153 
    154 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) {
    155   if (ctx->tbuf) {
    156     return 1;
    157   }
    158   ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
    159   if (!ctx->tbuf) {
    160     return 0;
    161   }
    162   return 1;
    163 }
    164 
    165 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
    166                          const uint8_t *tbs, size_t tbslen) {
    167   RSA_PKEY_CTX *rctx = ctx->data;
    168   RSA *rsa = ctx->pkey->pkey.rsa;
    169   const size_t key_len = EVP_PKEY_size(ctx->pkey);
    170 
    171   if (!sig) {
    172     *siglen = key_len;
    173     return 1;
    174   }
    175 
    176   if (*siglen < key_len) {
    177     OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
    178     return 0;
    179   }
    180 
    181   if (rctx->md) {
    182     unsigned int out_len;
    183 
    184     if (tbslen != EVP_MD_size(rctx->md)) {
    185       OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_LENGTH);
    186       return 0;
    187     }
    188 
    189     if (EVP_MD_type(rctx->md) == NID_mdc2) {
    190       OPENSSL_PUT_ERROR(EVP, EVP_R_NO_MDC2_SUPPORT);
    191       return 0;
    192     }
    193 
    194     switch (rctx->pad_mode) {
    195       case RSA_PKCS1_PADDING:
    196         if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) {
    197           return 0;
    198         }
    199         *siglen = out_len;
    200         return 1;
    201 
    202       case RSA_PKCS1_PSS_PADDING:
    203         if (!setup_tbuf(rctx, ctx) ||
    204             !RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf, tbs, rctx->md,
    205                                             rctx->mgf1md, rctx->saltlen) ||
    206             !RSA_sign_raw(rsa, siglen, sig, *siglen, rctx->tbuf, key_len,
    207                           RSA_NO_PADDING)) {
    208           return 0;
    209         }
    210         return 1;
    211 
    212       default:
    213         return 0;
    214     }
    215   }
    216 
    217   return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode);
    218 }
    219 
    220 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,
    221                            size_t siglen, const uint8_t *tbs,
    222                            size_t tbslen) {
    223   RSA_PKEY_CTX *rctx = ctx->data;
    224   RSA *rsa = ctx->pkey->pkey.rsa;
    225   size_t rslen;
    226   const size_t key_len = EVP_PKEY_size(ctx->pkey);
    227 
    228   if (rctx->md) {
    229     switch (rctx->pad_mode) {
    230       case RSA_PKCS1_PADDING:
    231         return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa);
    232 
    233       case RSA_PKCS1_PSS_PADDING:
    234         if (!setup_tbuf(rctx, ctx) ||
    235             !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,
    236                             RSA_NO_PADDING) ||
    237             !RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, rctx->mgf1md,
    238                                        rctx->tbuf, rctx->saltlen)) {
    239           return 0;
    240         }
    241         return 1;
    242 
    243       default:
    244         return 0;
    245     }
    246   }
    247 
    248   if (!setup_tbuf(rctx, ctx) ||
    249       !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,
    250                       rctx->pad_mode) ||
    251       rslen != tbslen ||
    252       CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) {
    253     return 0;
    254   }
    255 
    256   return 1;
    257 }
    258 
    259 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
    260                             const uint8_t *in, size_t inlen) {
    261   RSA_PKEY_CTX *rctx = ctx->data;
    262   RSA *rsa = ctx->pkey->pkey.rsa;
    263   const size_t key_len = EVP_PKEY_size(ctx->pkey);
    264 
    265   if (!out) {
    266     *outlen = key_len;
    267     return 1;
    268   }
    269 
    270   if (*outlen < key_len) {
    271     OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
    272     return 0;
    273   }
    274 
    275   if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
    276     if (!setup_tbuf(rctx, ctx) ||
    277         !RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen,
    278                                          rctx->oaep_label, rctx->oaep_labellen,
    279                                          rctx->md, rctx->mgf1md) ||
    280         !RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len,
    281                      RSA_NO_PADDING)) {
    282       return 0;
    283     }
    284     return 1;
    285   }
    286 
    287   return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode);
    288 }
    289 
    290 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
    291                             size_t *outlen, const uint8_t *in,
    292                             size_t inlen) {
    293   RSA_PKEY_CTX *rctx = ctx->data;
    294   RSA *rsa = ctx->pkey->pkey.rsa;
    295   const size_t key_len = EVP_PKEY_size(ctx->pkey);
    296 
    297   if (!out) {
    298     *outlen = key_len;
    299     return 1;
    300   }
    301 
    302   if (*outlen < key_len) {
    303     OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
    304     return 0;
    305   }
    306 
    307   if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
    308     size_t plaintext_len;
    309     int message_len;
    310 
    311     if (!setup_tbuf(rctx, ctx) ||
    312         !RSA_decrypt(rsa, &plaintext_len, rctx->tbuf, key_len, in, inlen,
    313                      RSA_NO_PADDING)) {
    314       return 0;
    315     }
    316 
    317     message_len = RSA_padding_check_PKCS1_OAEP_mgf1(
    318         out, key_len, rctx->tbuf, plaintext_len, rctx->oaep_label,
    319         rctx->oaep_labellen, rctx->md, rctx->mgf1md);
    320     if (message_len < 0) {
    321       return 0;
    322     }
    323     *outlen = message_len;
    324     return 1;
    325   }
    326 
    327   return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode);
    328 }
    329 
    330 static int check_padding_md(const EVP_MD *md, int padding) {
    331   if (!md) {
    332     return 1;
    333   }
    334 
    335   if (padding == RSA_NO_PADDING) {
    336     OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
    337     return 0;
    338   }
    339 
    340   return 1;
    341 }
    342 
    343 static int is_known_padding(int padding_mode) {
    344   switch (padding_mode) {
    345     case RSA_PKCS1_PADDING:
    346     case RSA_NO_PADDING:
    347     case RSA_PKCS1_OAEP_PADDING:
    348     case RSA_PKCS1_PSS_PADDING:
    349       return 1;
    350     default:
    351       return 0;
    352   }
    353 }
    354 
    355 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
    356   RSA_PKEY_CTX *rctx = ctx->data;
    357   switch (type) {
    358     case EVP_PKEY_CTRL_RSA_PADDING:
    359       if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) ||
    360           (p1 == RSA_PKCS1_PSS_PADDING &&
    361            0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) ||
    362           (p1 == RSA_PKCS1_OAEP_PADDING &&
    363            0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) {
    364         OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
    365         return 0;
    366       }
    367       if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) &&
    368           rctx->md == NULL) {
    369         rctx->md = EVP_sha1();
    370       }
    371       rctx->pad_mode = p1;
    372       return 1;
    373 
    374     case EVP_PKEY_CTRL_GET_RSA_PADDING:
    375       *(int *)p2 = rctx->pad_mode;
    376       return 1;
    377 
    378     case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
    379     case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
    380       if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
    381         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN);
    382         return 0;
    383       }
    384       if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
    385         *(int *)p2 = rctx->saltlen;
    386       } else {
    387         if (p1 < -2) {
    388           return 0;
    389         }
    390         rctx->saltlen = p1;
    391       }
    392       return 1;
    393 
    394     case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
    395       if (p1 < 256) {
    396         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS);
    397         return 0;
    398       }
    399       rctx->nbits = p1;
    400       return 1;
    401 
    402     case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
    403       if (!p2) {
    404         return 0;
    405       }
    406       BN_free(rctx->pub_exp);
    407       rctx->pub_exp = p2;
    408       return 1;
    409 
    410     case EVP_PKEY_CTRL_RSA_OAEP_MD:
    411     case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
    412       if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
    413         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
    414         return 0;
    415       }
    416       if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {
    417         *(const EVP_MD **)p2 = rctx->md;
    418       } else {
    419         rctx->md = p2;
    420       }
    421       return 1;
    422 
    423     case EVP_PKEY_CTRL_MD:
    424       if (!check_padding_md(p2, rctx->pad_mode)) {
    425         return 0;
    426       }
    427       rctx->md = p2;
    428       return 1;
    429 
    430     case EVP_PKEY_CTRL_GET_MD:
    431       *(const EVP_MD **)p2 = rctx->md;
    432       return 1;
    433 
    434     case EVP_PKEY_CTRL_RSA_MGF1_MD:
    435     case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
    436       if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
    437           rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
    438         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD);
    439         return 0;
    440       }
    441       if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
    442         if (rctx->mgf1md) {
    443           *(const EVP_MD **)p2 = rctx->mgf1md;
    444         } else {
    445           *(const EVP_MD **)p2 = rctx->md;
    446         }
    447       } else {
    448         rctx->mgf1md = p2;
    449       }
    450       return 1;
    451 
    452     case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
    453       if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
    454         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
    455         return 0;
    456       }
    457       OPENSSL_free(rctx->oaep_label);
    458       if (p2 && p1 > 0) {
    459         rctx->oaep_label = p2;
    460         rctx->oaep_labellen = p1;
    461       } else {
    462         rctx->oaep_label = NULL;
    463         rctx->oaep_labellen = 0;
    464       }
    465       return 1;
    466 
    467     case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
    468       if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
    469         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
    470         return 0;
    471       }
    472       CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);
    473       return 1;
    474 
    475     default:
    476       OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
    477       return 0;
    478   }
    479 }
    480 
    481 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
    482   RSA *rsa = NULL;
    483   RSA_PKEY_CTX *rctx = ctx->data;
    484 
    485   if (!rctx->pub_exp) {
    486     rctx->pub_exp = BN_new();
    487     if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) {
    488       return 0;
    489     }
    490   }
    491   rsa = RSA_new();
    492   if (!rsa) {
    493     return 0;
    494   }
    495 
    496   if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL)) {
    497     RSA_free(rsa);
    498     return 0;
    499   }
    500 
    501   EVP_PKEY_assign_RSA(pkey, rsa);
    502   return 1;
    503 }
    504 
    505 const EVP_PKEY_METHOD rsa_pkey_meth = {
    506     EVP_PKEY_RSA,         0 /* flags */,        pkey_rsa_init,
    507     pkey_rsa_copy,        pkey_rsa_cleanup,     0 /* paramgen_init */,
    508     0 /* paramgen */,     0 /* keygen_init */,  pkey_rsa_keygen,
    509     0 /* sign_init */,    pkey_rsa_sign,        0 /* verify_init */,
    510     pkey_rsa_verify,      0 /* encrypt_init */, pkey_rsa_encrypt,
    511     0 /* decrypt_init */, pkey_rsa_decrypt,     0 /* derive_init */,
    512     0 /* derive */,       pkey_rsa_ctrl,
    513 };
    514 
    515 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) {
    516   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING,
    517                            padding, NULL);
    518 }
    519 
    520 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) {
    521   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,
    522                            0, out_padding);
    523 }
    524 
    525 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
    526   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
    527                            (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
    528                            EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL);
    529 }
    530 
    531 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) {
    532   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
    533                            (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
    534                            EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len);
    535 }
    536 
    537 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) {
    538   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
    539                            EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL);
    540 }
    541 
    542 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) {
    543   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
    544                            EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e);
    545 }
    546 
    547 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
    548   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
    549                            EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);
    550 }
    551 
    552 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
    553   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
    554                            EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void*) out_md);
    555 }
    556 
    557 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
    558   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
    559                            EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
    560                            EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void*) md);
    561 }
    562 
    563 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
    564   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
    565                            EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
    566                            EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void*) out_md);
    567 }
    568 
    569 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, const uint8_t *label,
    570                                      size_t label_len) {
    571   int label_len_int = label_len;
    572   if (((size_t) label_len_int) != label_len) {
    573     return 0;
    574   }
    575 
    576   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
    577                            EVP_PKEY_CTRL_RSA_OAEP_LABEL, label_len,
    578                            (void *)label);
    579 }
    580 
    581 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
    582                                      const uint8_t **out_label) {
    583   CBS label;
    584   if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
    585                          EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {
    586     return -1;
    587   }
    588   if (CBS_len(&label) > INT_MAX) {
    589     OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
    590     return -1;
    591   }
    592   *out_label = CBS_data(&label);
    593   return (int)CBS_len(&label);
    594 }
    595