1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 2 * project 2006. 3 */ 4 /* ==================================================================== 5 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing (at) OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay (at) cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh (at) cryptsoft.com). */ 55 56 #include <openssl/evp.h> 57 58 #include <limits.h> 59 #include <string.h> 60 61 #include <openssl/bn.h> 62 #include <openssl/buf.h> 63 #include <openssl/bytestring.h> 64 #include <openssl/digest.h> 65 #include <openssl/err.h> 66 #include <openssl/mem.h> 67 #include <openssl/nid.h> 68 #include <openssl/rsa.h> 69 70 #include "../internal.h" 71 #include "../fipsmodule/rsa/internal.h" 72 #include "internal.h" 73 74 75 typedef struct { 76 /* Key gen parameters */ 77 int nbits; 78 BIGNUM *pub_exp; 79 /* RSA padding mode */ 80 int pad_mode; 81 /* message digest */ 82 const EVP_MD *md; 83 /* message digest for MGF1 */ 84 const EVP_MD *mgf1md; 85 /* PSS salt length */ 86 int saltlen; 87 /* tbuf is a buffer which is either NULL, or is the size of the RSA modulus. 88 * It's used to store the output of RSA operations. */ 89 uint8_t *tbuf; 90 /* OAEP label */ 91 uint8_t *oaep_label; 92 size_t oaep_labellen; 93 } RSA_PKEY_CTX; 94 95 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) { 96 RSA_PKEY_CTX *rctx; 97 rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX)); 98 if (!rctx) { 99 return 0; 100 } 101 OPENSSL_memset(rctx, 0, sizeof(RSA_PKEY_CTX)); 102 103 rctx->nbits = 2048; 104 rctx->pad_mode = RSA_PKCS1_PADDING; 105 rctx->saltlen = -2; 106 107 ctx->data = rctx; 108 109 return 1; 110 } 111 112 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { 113 RSA_PKEY_CTX *dctx, *sctx; 114 if (!pkey_rsa_init(dst)) { 115 return 0; 116 } 117 sctx = src->data; 118 dctx = dst->data; 119 dctx->nbits = sctx->nbits; 120 if (sctx->pub_exp) { 121 dctx->pub_exp = BN_dup(sctx->pub_exp); 122 if (!dctx->pub_exp) { 123 return 0; 124 } 125 } 126 127 dctx->pad_mode = sctx->pad_mode; 128 dctx->md = sctx->md; 129 dctx->mgf1md = sctx->mgf1md; 130 if (sctx->oaep_label) { 131 OPENSSL_free(dctx->oaep_label); 132 dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen); 133 if (!dctx->oaep_label) { 134 return 0; 135 } 136 dctx->oaep_labellen = sctx->oaep_labellen; 137 } 138 139 return 1; 140 } 141 142 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) { 143 RSA_PKEY_CTX *rctx = ctx->data; 144 145 if (rctx == NULL) { 146 return; 147 } 148 149 BN_free(rctx->pub_exp); 150 OPENSSL_free(rctx->tbuf); 151 OPENSSL_free(rctx->oaep_label); 152 OPENSSL_free(rctx); 153 } 154 155 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) { 156 if (ctx->tbuf) { 157 return 1; 158 } 159 ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey)); 160 if (!ctx->tbuf) { 161 return 0; 162 } 163 return 1; 164 } 165 166 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen, 167 const uint8_t *tbs, size_t tbslen) { 168 RSA_PKEY_CTX *rctx = ctx->data; 169 RSA *rsa = ctx->pkey->pkey.rsa; 170 const size_t key_len = EVP_PKEY_size(ctx->pkey); 171 172 if (!sig) { 173 *siglen = key_len; 174 return 1; 175 } 176 177 if (*siglen < key_len) { 178 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); 179 return 0; 180 } 181 182 if (rctx->md) { 183 unsigned out_len; 184 switch (rctx->pad_mode) { 185 case RSA_PKCS1_PADDING: 186 if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) { 187 return 0; 188 } 189 *siglen = out_len; 190 return 1; 191 192 case RSA_PKCS1_PSS_PADDING: 193 return RSA_sign_pss_mgf1(rsa, siglen, sig, *siglen, tbs, tbslen, 194 rctx->md, rctx->mgf1md, rctx->saltlen); 195 196 default: 197 return 0; 198 } 199 } 200 201 return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode); 202 } 203 204 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, 205 size_t siglen, const uint8_t *tbs, 206 size_t tbslen) { 207 RSA_PKEY_CTX *rctx = ctx->data; 208 RSA *rsa = ctx->pkey->pkey.rsa; 209 210 if (rctx->md) { 211 switch (rctx->pad_mode) { 212 case RSA_PKCS1_PADDING: 213 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); 214 215 case RSA_PKCS1_PSS_PADDING: 216 return RSA_verify_pss_mgf1(rsa, tbs, tbslen, rctx->md, rctx->mgf1md, 217 rctx->saltlen, sig, siglen); 218 219 default: 220 return 0; 221 } 222 } 223 224 size_t rslen; 225 const size_t key_len = EVP_PKEY_size(ctx->pkey); 226 if (!setup_tbuf(rctx, ctx) || 227 !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen, 228 rctx->pad_mode) || 229 rslen != tbslen || 230 CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) { 231 return 0; 232 } 233 234 return 1; 235 } 236 237 static int pkey_rsa_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out, 238 size_t *out_len, const uint8_t *sig, 239 size_t sig_len) { 240 RSA_PKEY_CTX *rctx = ctx->data; 241 RSA *rsa = ctx->pkey->pkey.rsa; 242 const size_t key_len = EVP_PKEY_size(ctx->pkey); 243 244 if (out == NULL) { 245 *out_len = key_len; 246 return 1; 247 } 248 249 if (*out_len < key_len) { 250 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); 251 return 0; 252 } 253 254 if (rctx->md == NULL) { 255 return RSA_verify_raw(rsa, out_len, out, *out_len, sig, sig_len, 256 rctx->pad_mode); 257 } 258 259 if (rctx->pad_mode != RSA_PKCS1_PADDING) { 260 return 0; 261 } 262 263 /* Assemble the encoded hash, using a placeholder hash value. */ 264 static const uint8_t kDummyHash[EVP_MAX_MD_SIZE] = {0}; 265 const size_t hash_len = EVP_MD_size(rctx->md); 266 uint8_t *asn1_prefix; 267 size_t asn1_prefix_len; 268 int asn1_prefix_allocated; 269 if (!setup_tbuf(rctx, ctx) || 270 !RSA_add_pkcs1_prefix(&asn1_prefix, &asn1_prefix_len, 271 &asn1_prefix_allocated, EVP_MD_type(rctx->md), 272 kDummyHash, hash_len)) { 273 return 0; 274 } 275 276 size_t rslen; 277 int ok = 1; 278 if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len, 279 RSA_PKCS1_PADDING) || 280 rslen != asn1_prefix_len || 281 /* Compare all but the hash suffix. */ 282 CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len - hash_len) != 0) { 283 ok = 0; 284 } 285 286 if (asn1_prefix_allocated) { 287 OPENSSL_free(asn1_prefix); 288 } 289 290 if (!ok) { 291 return 0; 292 } 293 294 if (out != NULL) { 295 OPENSSL_memcpy(out, rctx->tbuf + rslen - hash_len, hash_len); 296 } 297 *out_len = hash_len; 298 299 return 1; 300 } 301 302 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, 303 const uint8_t *in, size_t inlen) { 304 RSA_PKEY_CTX *rctx = ctx->data; 305 RSA *rsa = ctx->pkey->pkey.rsa; 306 const size_t key_len = EVP_PKEY_size(ctx->pkey); 307 308 if (!out) { 309 *outlen = key_len; 310 return 1; 311 } 312 313 if (*outlen < key_len) { 314 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); 315 return 0; 316 } 317 318 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 319 if (!setup_tbuf(rctx, ctx) || 320 !RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen, 321 rctx->oaep_label, rctx->oaep_labellen, 322 rctx->md, rctx->mgf1md) || 323 !RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len, 324 RSA_NO_PADDING)) { 325 return 0; 326 } 327 return 1; 328 } 329 330 return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode); 331 } 332 333 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, 334 size_t *outlen, const uint8_t *in, 335 size_t inlen) { 336 RSA_PKEY_CTX *rctx = ctx->data; 337 RSA *rsa = ctx->pkey->pkey.rsa; 338 const size_t key_len = EVP_PKEY_size(ctx->pkey); 339 340 if (!out) { 341 *outlen = key_len; 342 return 1; 343 } 344 345 if (*outlen < key_len) { 346 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); 347 return 0; 348 } 349 350 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { 351 size_t padded_len; 352 if (!setup_tbuf(rctx, ctx) || 353 !RSA_decrypt(rsa, &padded_len, rctx->tbuf, key_len, in, inlen, 354 RSA_NO_PADDING) || 355 !RSA_padding_check_PKCS1_OAEP_mgf1( 356 out, outlen, key_len, rctx->tbuf, padded_len, rctx->oaep_label, 357 rctx->oaep_labellen, rctx->md, rctx->mgf1md)) { 358 return 0; 359 } 360 return 1; 361 } 362 363 return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode); 364 } 365 366 static int check_padding_md(const EVP_MD *md, int padding) { 367 if (!md) { 368 return 1; 369 } 370 371 if (padding == RSA_NO_PADDING) { 372 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); 373 return 0; 374 } 375 376 return 1; 377 } 378 379 static int is_known_padding(int padding_mode) { 380 switch (padding_mode) { 381 case RSA_PKCS1_PADDING: 382 case RSA_NO_PADDING: 383 case RSA_PKCS1_OAEP_PADDING: 384 case RSA_PKCS1_PSS_PADDING: 385 return 1; 386 default: 387 return 0; 388 } 389 } 390 391 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { 392 RSA_PKEY_CTX *rctx = ctx->data; 393 switch (type) { 394 case EVP_PKEY_CTRL_RSA_PADDING: 395 if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) || 396 (p1 == RSA_PKCS1_PSS_PADDING && 397 0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) || 398 (p1 == RSA_PKCS1_OAEP_PADDING && 399 0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) { 400 OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 401 return 0; 402 } 403 if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) && 404 rctx->md == NULL) { 405 rctx->md = EVP_sha1(); 406 } 407 rctx->pad_mode = p1; 408 return 1; 409 410 case EVP_PKEY_CTRL_GET_RSA_PADDING: 411 *(int *)p2 = rctx->pad_mode; 412 return 1; 413 414 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 415 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 416 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { 417 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN); 418 return 0; 419 } 420 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { 421 *(int *)p2 = rctx->saltlen; 422 } else { 423 if (p1 < -2) { 424 return 0; 425 } 426 rctx->saltlen = p1; 427 } 428 return 1; 429 430 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 431 if (p1 < 256) { 432 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS); 433 return 0; 434 } 435 rctx->nbits = p1; 436 return 1; 437 438 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 439 if (!p2) { 440 return 0; 441 } 442 BN_free(rctx->pub_exp); 443 rctx->pub_exp = p2; 444 return 1; 445 446 case EVP_PKEY_CTRL_RSA_OAEP_MD: 447 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: 448 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 449 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); 450 return 0; 451 } 452 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) { 453 *(const EVP_MD **)p2 = rctx->md; 454 } else { 455 rctx->md = p2; 456 } 457 return 1; 458 459 case EVP_PKEY_CTRL_MD: 460 if (!check_padding_md(p2, rctx->pad_mode)) { 461 return 0; 462 } 463 rctx->md = p2; 464 return 1; 465 466 case EVP_PKEY_CTRL_GET_MD: 467 *(const EVP_MD **)p2 = rctx->md; 468 return 1; 469 470 case EVP_PKEY_CTRL_RSA_MGF1_MD: 471 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 472 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING && 473 rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 474 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD); 475 return 0; 476 } 477 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) { 478 if (rctx->mgf1md) { 479 *(const EVP_MD **)p2 = rctx->mgf1md; 480 } else { 481 *(const EVP_MD **)p2 = rctx->md; 482 } 483 } else { 484 rctx->mgf1md = p2; 485 } 486 return 1; 487 488 case EVP_PKEY_CTRL_RSA_OAEP_LABEL: 489 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 490 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); 491 return 0; 492 } 493 OPENSSL_free(rctx->oaep_label); 494 if (p2 && p1 > 0) { 495 rctx->oaep_label = p2; 496 rctx->oaep_labellen = p1; 497 } else { 498 rctx->oaep_label = NULL; 499 rctx->oaep_labellen = 0; 500 } 501 return 1; 502 503 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: 504 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { 505 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); 506 return 0; 507 } 508 CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen); 509 return 1; 510 511 default: 512 OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED); 513 return 0; 514 } 515 } 516 517 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { 518 RSA *rsa = NULL; 519 RSA_PKEY_CTX *rctx = ctx->data; 520 521 if (!rctx->pub_exp) { 522 rctx->pub_exp = BN_new(); 523 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) { 524 return 0; 525 } 526 } 527 rsa = RSA_new(); 528 if (!rsa) { 529 return 0; 530 } 531 532 if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL)) { 533 RSA_free(rsa); 534 return 0; 535 } 536 537 EVP_PKEY_assign_RSA(pkey, rsa); 538 return 1; 539 } 540 541 const EVP_PKEY_METHOD rsa_pkey_meth = { 542 EVP_PKEY_RSA, 543 pkey_rsa_init, 544 pkey_rsa_copy, 545 pkey_rsa_cleanup, 546 pkey_rsa_keygen, 547 pkey_rsa_sign, 548 NULL /* sign_message */, 549 pkey_rsa_verify, 550 NULL /* verify_message */, 551 pkey_rsa_verify_recover, 552 pkey_rsa_encrypt, 553 pkey_rsa_decrypt, 554 0 /* derive */, 555 pkey_rsa_ctrl, 556 }; 557 558 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) { 559 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, 560 padding, NULL); 561 } 562 563 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) { 564 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 565 0, out_padding); 566 } 567 568 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) { 569 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, 570 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), 571 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL); 572 } 573 574 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) { 575 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, 576 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), 577 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len); 578 } 579 580 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) { 581 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, 582 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL); 583 } 584 585 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) { 586 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, 587 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e); 588 } 589 590 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { 591 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 592 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md); 593 } 594 595 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { 596 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 597 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void*) out_md); 598 } 599 600 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { 601 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, 602 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 603 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void*) md); 604 } 605 606 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { 607 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, 608 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 609 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void*) out_md); 610 } 611 612 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label, 613 size_t label_len) { 614 if (label_len > INT_MAX) { 615 return 0; 616 } 617 618 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 619 EVP_PKEY_CTRL_RSA_OAEP_LABEL, (int)label_len, 620 (void *)label); 621 } 622 623 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, 624 const uint8_t **out_label) { 625 CBS label; 626 if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 627 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) { 628 return -1; 629 } 630 if (CBS_len(&label) > INT_MAX) { 631 OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW); 632 return -1; 633 } 634 *out_label = CBS_data(&label); 635 return (int)CBS_len(&label); 636 } 637