1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 2 * project 2006. 3 */ 4 /* ==================================================================== 5 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing (at) OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay (at) cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh (at) cryptsoft.com). */ 55 56 #include <openssl/evp.h> 57 58 #include <limits.h> 59 #include <string.h> 60 61 #include <openssl/bn.h> 62 #include <openssl/buf.h> 63 #include <openssl/bytestring.h> 64 #include <openssl/digest.h> 65 #include <openssl/err.h> 66 #include <openssl/mem.h> 67 #include <openssl/nid.h> 68 #include <openssl/rsa.h> 69 70 #include "../internal.h" 71 #include "../rsa/internal.h" 72 #include "internal.h" 73 74 75 typedef struct { 76 /* Key gen parameters */ 77 int nbits; 78 BIGNUM *pub_exp; 79 /* RSA padding mode */ 80 int pad_mode; 81 /* message digest */ 82 const EVP_MD *md; 83 /* message digest for MGF1 */ 84 const EVP_MD *mgf1md; 85 /* PSS salt length */ 86 int saltlen; 87 /* tbuf is a buffer which is either NULL, or is the size of the RSA modulus. 88 * It's used to store the output of RSA operations. */ 89 uint8_t *tbuf; 90 /* OAEP label */ 91 uint8_t *oaep_label; 92 size_t oaep_labellen; 93 } RSA_PKEY_CTX; 94 95 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) { 96 RSA_PKEY_CTX *rctx; 97 rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX)); 98 if (!rctx) { 99 return 0; 100 } 101 OPENSSL_memset(rctx, 0, sizeof(RSA_PKEY_CTX)); 102 103 rctx->nbits = 2048; 104 rctx->pad_mode = RSA_PKCS1_PADDING; 105 rctx->saltlen = -2; 106 107 ctx->data = rctx; 108 109 return 1; 110 } 111 112 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { 113 RSA_PKEY_CTX *dctx, *sctx; 114 if (!pkey_rsa_init(dst)) { 115 return 0; 116 } 117 sctx = src->data; 118 dctx = dst->data; 119 dctx->nbits = sctx->nbits; 120 if (sctx->pub_exp) { 121 dctx->pub_exp = BN_dup(sctx->pub_exp); 122 if (!dctx->pub_exp) { 123 return 0; 124 } 125 } 126 127 dctx->pad_mode = sctx->pad_mode; 128 dctx->md = sctx->md; 129 dctx->mgf1md = sctx->mgf1md; 130 if (sctx->oaep_label) { 131 OPENSSL_free(dctx->oaep_label); 132 dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen); 133 if (!dctx->oaep_label) { 134 return 0; 135 } 136 dctx->oaep_labellen = sctx->oaep_labellen; 137 } 138 139 return 1; 140 } 141 142 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) { 143 RSA_PKEY_CTX *rctx = ctx->data; 144 145 if (rctx == NULL) { 146 return; 147 } 148 149 BN_free(rctx->pub_exp); 150 OPENSSL_free(rctx->tbuf); 151 OPENSSL_free(rctx->oaep_label); 152 OPENSSL_free(rctx); 153 } 154 155 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) { 156 if (ctx->tbuf) { 157 return 1; 158 } 159 ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey)); 160 if (!ctx->tbuf) { 161 return 0; 162 } 163 return 1; 164 } 165 166 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen, 167 const uint8_t *tbs, size_t tbslen) { 168 RSA_PKEY_CTX *rctx = ctx->data; 169 RSA *rsa = ctx->pkey->pkey.rsa; 170 const size_t key_len = EVP_PKEY_size(ctx->pkey); 171 172 if (!sig) { 173 *siglen = key_len; 174 return 1; 175 } 176 177 if (*siglen < key_len) { 178 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); 179 return 0; 180 } 181 182 if (rctx->md) { 183 unsigned int out_len; 184 185 if (tbslen != EVP_MD_size(rctx->md)) { 186 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_LENGTH); 187 return 0; 188 } 189 190 if (EVP_MD_type(rctx->md) == NID_mdc2) { 191 OPENSSL_PUT_ERROR(EVP, EVP_R_NO_MDC2_SUPPORT); 192 return 0; 193 } 194 195 switch (rctx->pad_mode) { 196 case RSA_PKCS1_PADDING: 197 if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) { 198 return 0; 199 } 200 *siglen = out_len; 201 return 1; 202 203 case RSA_PKCS1_PSS_PADDING: 204 if (!setup_tbuf(rctx, ctx) || 205 !RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf, tbs, rctx->md, 206 rctx->mgf1md, rctx->saltlen) || 207 !RSA_sign_raw(rsa, siglen, sig, *siglen, rctx->tbuf, key_len, 208 RSA_NO_PADDING)) { 209 return 0; 210 } 211 return 1; 212 213 default: 214 return 0; 215 } 216 } 217 218 return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode); 219 } 220 221 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, 222 size_t siglen, const uint8_t *tbs, 223 size_t tbslen) { 224 RSA_PKEY_CTX *rctx = ctx->data; 225 RSA *rsa = ctx->pkey->pkey.rsa; 226 size_t rslen; 227 const size_t key_len = EVP_PKEY_size(ctx->pkey); 228 229 if (rctx->md) { 230 switch (rctx->pad_mode) { 231 case RSA_PKCS1_PADDING: 232 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); 233 234 case RSA_PKCS1_PSS_PADDING: 235 if (tbslen != EVP_MD_size(rctx->md)) { 236 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_LENGTH); 237 return 0; 238 } 239 240 if (!setup_tbuf(rctx, ctx) || 241 !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen, 242 RSA_NO_PADDING) || 243 !RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, rctx->mgf1md, 244 rctx->tbuf, rctx->saltlen)) { 245 return 0; 246 } 247 return 1; 248 249 default: 250 return 0; 251 } 252 } 253 254 if (!setup_tbuf(rctx, ctx) || 255 !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen, 256 rctx->pad_mode) || 257 rslen != tbslen || 258 CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) { 259 return 0; 260 } 261 262 return 1; 263 } 264 265 static int pkey_rsa_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out, 266 size_t *out_len, const uint8_t *sig, 267 size_t sig_len) { 268 RSA_PKEY_CTX *rctx = ctx->data; 269 RSA *rsa = ctx->pkey->pkey.rsa; 270 const size_t key_len = EVP_PKEY_size(ctx->pkey); 271 272 if (out == NULL) { 273 *out_len = key_len; 274 return 1; 275 } 276 277 if (*out_len < key_len) { 278 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); 279 return 0; 280 } 281 282 if (!setup_tbuf(rctx, ctx)) { 283 return 0; 284 } 285 286 if (rctx->md == NULL) { 287 const int ret = RSA_public_decrypt(sig_len, sig, rctx->tbuf, 288 ctx->pkey->pkey.rsa, rctx->pad_mode); 289 if (ret < 0) { 290 return 0; 291 } 292 *out_len = ret; 293 OPENSSL_memcpy(out, rctx->tbuf, *out_len); 294 return 1; 295 } 296 297 if (rctx->pad_mode != RSA_PKCS1_PADDING) { 298 return 0; 299 } 300 301 uint8_t *asn1_prefix; 302 size_t asn1_prefix_len; 303 int asn1_prefix_allocated; 304 if (!RSA_add_pkcs1_prefix(&asn1_prefix, &asn1_prefix_len, 305 &asn1_prefix_allocated, EVP_MD_type(rctx->md), NULL, 306 0)) { 307 return 0; 308 } 309 310 size_t rslen; 311 int ok = 1; 312 if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len, 313 RSA_PKCS1_PADDING) || 314 rslen < asn1_prefix_len || 315 CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len) != 0) { 316 ok = 0; 317 } 318 319 if (asn1_prefix_allocated) { 320 OPENSSL_free(asn1_prefix); 321 } 322 323 if (!ok) { 324 return 0; 325 } 326 327 const size_t result_len = rslen - asn1_prefix_len; 328 if (result_len != EVP_MD_size(rctx->md)) { 329 return 0; 330 } 331 332 if (out != NULL) { 333 OPENSSL_memcpy(out, rctx->tbuf + asn1_prefix_len, result_len); 334 } 335 *out_len = result_len; 336 337 return 1; 338 } 339 340 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, 341 const uint8_t *in, size_t inlen) { 342 RSA_PKEY_CTX *rctx = ctx->data; 343 RSA *rsa = ctx->pkey->pkey.rsa; 344 const size_t key_len = EVP_PKEY_size(ctx->pkey); 345 346 if (!out) { 347 *outlen = key_len; 348 return 1; 349 } 350 351 if (*outlen < key_len) { 352 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); 353 return 0; 354 } 355 356 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 357 if (!setup_tbuf(rctx, ctx) || 358 !RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen, 359 rctx->oaep_label, rctx->oaep_labellen, 360 rctx->md, rctx->mgf1md) || 361 !RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len, 362 RSA_NO_PADDING)) { 363 return 0; 364 } 365 return 1; 366 } 367 368 return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode); 369 } 370 371 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, 372 size_t *outlen, const uint8_t *in, 373 size_t inlen) { 374 RSA_PKEY_CTX *rctx = ctx->data; 375 RSA *rsa = ctx->pkey->pkey.rsa; 376 const size_t key_len = EVP_PKEY_size(ctx->pkey); 377 378 if (!out) { 379 *outlen = key_len; 380 return 1; 381 } 382 383 if (*outlen < key_len) { 384 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); 385 return 0; 386 } 387 388 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 389 size_t plaintext_len; 390 int message_len; 391 392 if (!setup_tbuf(rctx, ctx) || 393 !RSA_decrypt(rsa, &plaintext_len, rctx->tbuf, key_len, in, inlen, 394 RSA_NO_PADDING)) { 395 return 0; 396 } 397 398 message_len = RSA_padding_check_PKCS1_OAEP_mgf1( 399 out, key_len, rctx->tbuf, plaintext_len, rctx->oaep_label, 400 rctx->oaep_labellen, rctx->md, rctx->mgf1md); 401 if (message_len < 0) { 402 return 0; 403 } 404 *outlen = message_len; 405 return 1; 406 } 407 408 return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode); 409 } 410 411 static int check_padding_md(const EVP_MD *md, int padding) { 412 if (!md) { 413 return 1; 414 } 415 416 if (padding == RSA_NO_PADDING) { 417 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); 418 return 0; 419 } 420 421 return 1; 422 } 423 424 static int is_known_padding(int padding_mode) { 425 switch (padding_mode) { 426 case RSA_PKCS1_PADDING: 427 case RSA_NO_PADDING: 428 case RSA_PKCS1_OAEP_PADDING: 429 case RSA_PKCS1_PSS_PADDING: 430 return 1; 431 default: 432 return 0; 433 } 434 } 435 436 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { 437 RSA_PKEY_CTX *rctx = ctx->data; 438 switch (type) { 439 case EVP_PKEY_CTRL_RSA_PADDING: 440 if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) || 441 (p1 == RSA_PKCS1_PSS_PADDING && 442 0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) || 443 (p1 == RSA_PKCS1_OAEP_PADDING && 444 0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) { 445 OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 446 return 0; 447 } 448 if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) && 449 rctx->md == NULL) { 450 rctx->md = EVP_sha1(); 451 } 452 rctx->pad_mode = p1; 453 return 1; 454 455 case EVP_PKEY_CTRL_GET_RSA_PADDING: 456 *(int *)p2 = rctx->pad_mode; 457 return 1; 458 459 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 460 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 461 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { 462 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN); 463 return 0; 464 } 465 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { 466 *(int *)p2 = rctx->saltlen; 467 } else { 468 if (p1 < -2) { 469 return 0; 470 } 471 rctx->saltlen = p1; 472 } 473 return 1; 474 475 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 476 if (p1 < 256) { 477 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS); 478 return 0; 479 } 480 rctx->nbits = p1; 481 return 1; 482 483 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 484 if (!p2) { 485 return 0; 486 } 487 BN_free(rctx->pub_exp); 488 rctx->pub_exp = p2; 489 return 1; 490 491 case EVP_PKEY_CTRL_RSA_OAEP_MD: 492 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: 493 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 494 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); 495 return 0; 496 } 497 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) { 498 *(const EVP_MD **)p2 = rctx->md; 499 } else { 500 rctx->md = p2; 501 } 502 return 1; 503 504 case EVP_PKEY_CTRL_MD: 505 if (!check_padding_md(p2, rctx->pad_mode)) { 506 return 0; 507 } 508 rctx->md = p2; 509 return 1; 510 511 case EVP_PKEY_CTRL_GET_MD: 512 *(const EVP_MD **)p2 = rctx->md; 513 return 1; 514 515 case EVP_PKEY_CTRL_RSA_MGF1_MD: 516 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 517 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING && 518 rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 519 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD); 520 return 0; 521 } 522 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { 523 if (rctx->mgf1md) { 524 *(const EVP_MD **)p2 = rctx->mgf1md; 525 } else { 526 *(const EVP_MD **)p2 = rctx->md; 527 } 528 } else { 529 rctx->mgf1md = p2; 530 } 531 return 1; 532 533 case EVP_PKEY_CTRL_RSA_OAEP_LABEL: 534 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 535 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); 536 return 0; 537 } 538 OPENSSL_free(rctx->oaep_label); 539 if (p2 && p1 > 0) { 540 rctx->oaep_label = p2; 541 rctx->oaep_labellen = p1; 542 } else { 543 rctx->oaep_label = NULL; 544 rctx->oaep_labellen = 0; 545 } 546 return 1; 547 548 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: 549 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 550 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); 551 return 0; 552 } 553 CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen); 554 return 1; 555 556 default: 557 OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED); 558 return 0; 559 } 560 } 561 562 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { 563 RSA *rsa = NULL; 564 RSA_PKEY_CTX *rctx = ctx->data; 565 566 if (!rctx->pub_exp) { 567 rctx->pub_exp = BN_new(); 568 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) { 569 return 0; 570 } 571 } 572 rsa = RSA_new(); 573 if (!rsa) { 574 return 0; 575 } 576 577 if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL)) { 578 RSA_free(rsa); 579 return 0; 580 } 581 582 EVP_PKEY_assign_RSA(pkey, rsa); 583 return 1; 584 } 585 586 const EVP_PKEY_METHOD rsa_pkey_meth = { 587 EVP_PKEY_RSA, 588 pkey_rsa_init, 589 pkey_rsa_copy, 590 pkey_rsa_cleanup, 591 pkey_rsa_keygen, 592 pkey_rsa_sign, 593 pkey_rsa_verify, 594 pkey_rsa_verify_recover, 595 pkey_rsa_encrypt, 596 pkey_rsa_decrypt, 597 0 /* derive */, 598 pkey_rsa_ctrl, 599 }; 600 601 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) { 602 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, 603 padding, NULL); 604 } 605 606 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) { 607 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 608 0, out_padding); 609 } 610 611 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) { 612 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, 613 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), 614 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL); 615 } 616 617 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) { 618 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, 619 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), 620 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len); 621 } 622 623 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) { 624 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, 625 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL); 626 } 627 628 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) { 629 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, 630 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e); 631 } 632 633 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { 634 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 635 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md); 636 } 637 638 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { 639 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 640 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void*) out_md); 641 } 642 643 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { 644 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, 645 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 646 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void*) md); 647 } 648 649 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { 650 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, 651 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 652 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void*) out_md); 653 } 654 655 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label, 656 size_t label_len) { 657 if (label_len > INT_MAX) { 658 return 0; 659 } 660 661 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 662 EVP_PKEY_CTRL_RSA_OAEP_LABEL, (int)label_len, 663 (void *)label); 664 } 665 666 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, 667 const uint8_t **out_label) { 668 CBS label; 669 if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 670 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) { 671 return -1; 672 } 673 if (CBS_len(&label) > INT_MAX) { 674 OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW); 675 return -1; 676 } 677 *out_label = CBS_data(&label); 678 return (int)CBS_len(&label); 679 } 680