1 /* Written by Dr Stephen N Henson ([email protected]) for the OpenSSL
2 * project 2006.
3 */
4 /* ====================================================================
5 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * [email protected].
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * ([email protected]). This product includes software written by Tim
54 * Hudson ([email protected]). */
55
56 #include <openssl/evp.h>
57
58 #include <limits.h>
59 #include <string.h>
60
61 #include <openssl/bn.h>
62 #include <openssl/bytestring.h>
63 #include <openssl/digest.h>
64 #include <openssl/err.h>
65 #include <openssl/mem.h>
66 #include <openssl/nid.h>
67 #include <openssl/rsa.h>
68
69 #include "../internal.h"
70 #include "../rsa_extra/internal.h"
71 #include "internal.h"
72
73
74 typedef struct {
75 // Key gen parameters
76 int nbits;
77 BIGNUM *pub_exp;
78 // RSA padding mode
79 int pad_mode;
80 // message digest
81 const EVP_MD *md;
82 // message digest for MGF1
83 const EVP_MD *mgf1md;
84 // PSS salt length
85 int saltlen;
86 // tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
87 // It's used to store the output of RSA operations.
88 uint8_t *tbuf;
89 // OAEP label
90 uint8_t *oaep_label;
91 size_t oaep_labellen;
92 } RSA_PKEY_CTX;
93
94 typedef struct {
95 uint8_t *data;
96 size_t len;
97 } RSA_OAEP_LABEL_PARAMS;
98
pkey_rsa_init(EVP_PKEY_CTX * ctx)99 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
100 RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(RSA_PKEY_CTX));
101 if (!rctx) {
102 return 0;
103 }
104
105 rctx->nbits = 2048;
106 rctx->pad_mode = RSA_PKCS1_PADDING;
107 rctx->saltlen = -2;
108
109 ctx->data = rctx;
110
111 return 1;
112 }
113
pkey_rsa_copy(EVP_PKEY_CTX * dst,EVP_PKEY_CTX * src)114 static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
115 RSA_PKEY_CTX *dctx, *sctx;
116 if (!pkey_rsa_init(dst)) {
117 return 0;
118 }
119 sctx = src->data;
120 dctx = dst->data;
121 dctx->nbits = sctx->nbits;
122 if (sctx->pub_exp) {
123 dctx->pub_exp = BN_dup(sctx->pub_exp);
124 if (!dctx->pub_exp) {
125 return 0;
126 }
127 }
128
129 dctx->pad_mode = sctx->pad_mode;
130 dctx->md = sctx->md;
131 dctx->mgf1md = sctx->mgf1md;
132 dctx->saltlen = sctx->saltlen;
133 if (sctx->oaep_label) {
134 OPENSSL_free(dctx->oaep_label);
135 dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
136 if (!dctx->oaep_label) {
137 return 0;
138 }
139 dctx->oaep_labellen = sctx->oaep_labellen;
140 }
141
142 return 1;
143 }
144
pkey_rsa_cleanup(EVP_PKEY_CTX * ctx)145 static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) {
146 RSA_PKEY_CTX *rctx = ctx->data;
147
148 if (rctx == NULL) {
149 return;
150 }
151
152 BN_free(rctx->pub_exp);
153 OPENSSL_free(rctx->tbuf);
154 OPENSSL_free(rctx->oaep_label);
155 OPENSSL_free(rctx);
156 }
157
setup_tbuf(RSA_PKEY_CTX * ctx,EVP_PKEY_CTX * pk)158 static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) {
159 if (ctx->tbuf) {
160 return 1;
161 }
162 ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
163 if (!ctx->tbuf) {
164 return 0;
165 }
166 return 1;
167 }
168
pkey_rsa_sign(EVP_PKEY_CTX * ctx,uint8_t * sig,size_t * siglen,const uint8_t * tbs,size_t tbslen)169 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
170 const uint8_t *tbs, size_t tbslen) {
171 RSA_PKEY_CTX *rctx = ctx->data;
172 RSA *rsa = ctx->pkey->pkey;
173 const size_t key_len = EVP_PKEY_size(ctx->pkey);
174
175 if (!sig) {
176 *siglen = key_len;
177 return 1;
178 }
179
180 if (*siglen < key_len) {
181 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
182 return 0;
183 }
184
185 if (rctx->md) {
186 unsigned out_len;
187 switch (rctx->pad_mode) {
188 case RSA_PKCS1_PADDING:
189 if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) {
190 return 0;
191 }
192 *siglen = out_len;
193 return 1;
194
195 case RSA_PKCS1_PSS_PADDING:
196 return RSA_sign_pss_mgf1(rsa, siglen, sig, *siglen, tbs, tbslen,
197 rctx->md, rctx->mgf1md, rctx->saltlen);
198
199 default:
200 return 0;
201 }
202 }
203
204 return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode);
205 }
206
pkey_rsa_verify(EVP_PKEY_CTX * ctx,const uint8_t * sig,size_t siglen,const uint8_t * tbs,size_t tbslen)207 static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,
208 size_t siglen, const uint8_t *tbs,
209 size_t tbslen) {
210 RSA_PKEY_CTX *rctx = ctx->data;
211 RSA *rsa = ctx->pkey->pkey;
212
213 if (rctx->md) {
214 switch (rctx->pad_mode) {
215 case RSA_PKCS1_PADDING:
216 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa);
217
218 case RSA_PKCS1_PSS_PADDING:
219 return RSA_verify_pss_mgf1(rsa, tbs, tbslen, rctx->md, rctx->mgf1md,
220 rctx->saltlen, sig, siglen);
221
222 default:
223 return 0;
224 }
225 }
226
227 size_t rslen;
228 const size_t key_len = EVP_PKEY_size(ctx->pkey);
229 if (!setup_tbuf(rctx, ctx) ||
230 !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,
231 rctx->pad_mode) ||
232 rslen != tbslen ||
233 CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) {
234 return 0;
235 }
236
237 return 1;
238 }
239
pkey_rsa_verify_recover(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * out_len,const uint8_t * sig,size_t sig_len)240 static int pkey_rsa_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,
241 size_t *out_len, const uint8_t *sig,
242 size_t sig_len) {
243 RSA_PKEY_CTX *rctx = ctx->data;
244 RSA *rsa = ctx->pkey->pkey;
245 const size_t key_len = EVP_PKEY_size(ctx->pkey);
246
247 if (out == NULL) {
248 *out_len = key_len;
249 return 1;
250 }
251
252 if (*out_len < key_len) {
253 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
254 return 0;
255 }
256
257 if (rctx->md == NULL) {
258 return RSA_verify_raw(rsa, out_len, out, *out_len, sig, sig_len,
259 rctx->pad_mode);
260 }
261
262 if (rctx->pad_mode != RSA_PKCS1_PADDING) {
263 return 0;
264 }
265
266 // Assemble the encoded hash, using a placeholder hash value.
267 static const uint8_t kDummyHash[EVP_MAX_MD_SIZE] = {0};
268 const size_t hash_len = EVP_MD_size(rctx->md);
269 uint8_t *asn1_prefix;
270 size_t asn1_prefix_len;
271 int asn1_prefix_allocated;
272 if (!setup_tbuf(rctx, ctx) ||
273 !RSA_add_pkcs1_prefix(&asn1_prefix, &asn1_prefix_len,
274 &asn1_prefix_allocated, EVP_MD_type(rctx->md),
275 kDummyHash, hash_len)) {
276 return 0;
277 }
278
279 size_t rslen;
280 int ok = 1;
281 if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len,
282 RSA_PKCS1_PADDING) ||
283 rslen != asn1_prefix_len ||
284 // Compare all but the hash suffix.
285 CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len - hash_len) != 0) {
286 ok = 0;
287 }
288
289 if (asn1_prefix_allocated) {
290 OPENSSL_free(asn1_prefix);
291 }
292
293 if (!ok) {
294 return 0;
295 }
296
297 if (out != NULL) {
298 OPENSSL_memcpy(out, rctx->tbuf + rslen - hash_len, hash_len);
299 }
300 *out_len = hash_len;
301
302 return 1;
303 }
304
pkey_rsa_encrypt(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * outlen,const uint8_t * in,size_t inlen)305 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
306 const uint8_t *in, size_t inlen) {
307 RSA_PKEY_CTX *rctx = ctx->data;
308 RSA *rsa = ctx->pkey->pkey;
309 const size_t key_len = EVP_PKEY_size(ctx->pkey);
310
311 if (!out) {
312 *outlen = key_len;
313 return 1;
314 }
315
316 if (*outlen < key_len) {
317 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
318 return 0;
319 }
320
321 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
322 if (!setup_tbuf(rctx, ctx) ||
323 !RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen,
324 rctx->oaep_label, rctx->oaep_labellen,
325 rctx->md, rctx->mgf1md) ||
326 !RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len,
327 RSA_NO_PADDING)) {
328 return 0;
329 }
330 return 1;
331 }
332
333 return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode);
334 }
335
pkey_rsa_decrypt(EVP_PKEY_CTX * ctx,uint8_t * out,size_t * outlen,const uint8_t * in,size_t inlen)336 static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
337 size_t *outlen, const uint8_t *in,
338 size_t inlen) {
339 RSA_PKEY_CTX *rctx = ctx->data;
340 RSA *rsa = ctx->pkey->pkey;
341 const size_t key_len = EVP_PKEY_size(ctx->pkey);
342
343 if (!out) {
344 *outlen = key_len;
345 return 1;
346 }
347
348 if (*outlen < key_len) {
349 OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
350 return 0;
351 }
352
353 if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
354 size_t padded_len;
355 if (!setup_tbuf(rctx, ctx) ||
356 !RSA_decrypt(rsa, &padded_len, rctx->tbuf, key_len, in, inlen,
357 RSA_NO_PADDING) ||
358 !RSA_padding_check_PKCS1_OAEP_mgf1(
359 out, outlen, key_len, rctx->tbuf, padded_len, rctx->oaep_label,
360 rctx->oaep_labellen, rctx->md, rctx->mgf1md)) {
361 return 0;
362 }
363 return 1;
364 }
365
366 return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode);
367 }
368
check_padding_md(const EVP_MD * md,int padding)369 static int check_padding_md(const EVP_MD *md, int padding) {
370 if (!md) {
371 return 1;
372 }
373
374 if (padding == RSA_NO_PADDING) {
375 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
376 return 0;
377 }
378
379 return 1;
380 }
381
is_known_padding(int padding_mode)382 static int is_known_padding(int padding_mode) {
383 switch (padding_mode) {
384 case RSA_PKCS1_PADDING:
385 case RSA_NO_PADDING:
386 case RSA_PKCS1_OAEP_PADDING:
387 case RSA_PKCS1_PSS_PADDING:
388 return 1;
389 default:
390 return 0;
391 }
392 }
393
pkey_rsa_ctrl(EVP_PKEY_CTX * ctx,int type,int p1,void * p2)394 static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
395 RSA_PKEY_CTX *rctx = ctx->data;
396 switch (type) {
397 case EVP_PKEY_CTRL_RSA_PADDING:
398 if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) ||
399 (p1 == RSA_PKCS1_PSS_PADDING &&
400 0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) ||
401 (p1 == RSA_PKCS1_OAEP_PADDING &&
402 0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) {
403 OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
404 return 0;
405 }
406 if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) &&
407 rctx->md == NULL) {
408 rctx->md = EVP_sha1();
409 }
410 rctx->pad_mode = p1;
411 return 1;
412
413 case EVP_PKEY_CTRL_GET_RSA_PADDING:
414 *(int *)p2 = rctx->pad_mode;
415 return 1;
416
417 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
418 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
419 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
420 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN);
421 return 0;
422 }
423 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
424 *(int *)p2 = rctx->saltlen;
425 } else {
426 if (p1 < -2) {
427 return 0;
428 }
429 rctx->saltlen = p1;
430 }
431 return 1;
432
433 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
434 if (p1 < 256) {
435 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS);
436 return 0;
437 }
438 rctx->nbits = p1;
439 return 1;
440
441 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
442 if (!p2) {
443 return 0;
444 }
445 BN_free(rctx->pub_exp);
446 rctx->pub_exp = p2;
447 return 1;
448
449 case EVP_PKEY_CTRL_RSA_OAEP_MD:
450 case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
451 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
452 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
453 return 0;
454 }
455 if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {
456 *(const EVP_MD **)p2 = rctx->md;
457 } else {
458 rctx->md = p2;
459 }
460 return 1;
461
462 case EVP_PKEY_CTRL_MD:
463 if (!check_padding_md(p2, rctx->pad_mode)) {
464 return 0;
465 }
466 rctx->md = p2;
467 return 1;
468
469 case EVP_PKEY_CTRL_GET_MD:
470 *(const EVP_MD **)p2 = rctx->md;
471 return 1;
472
473 case EVP_PKEY_CTRL_RSA_MGF1_MD:
474 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
475 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
476 rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
477 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD);
478 return 0;
479 }
480 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
481 if (rctx->mgf1md) {
482 *(const EVP_MD **)p2 = rctx->mgf1md;
483 } else {
484 *(const EVP_MD **)p2 = rctx->md;
485 }
486 } else {
487 rctx->mgf1md = p2;
488 }
489 return 1;
490
491 case EVP_PKEY_CTRL_RSA_OAEP_LABEL: {
492 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
493 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
494 return 0;
495 }
496 OPENSSL_free(rctx->oaep_label);
497 RSA_OAEP_LABEL_PARAMS *params = p2;
498 rctx->oaep_label = params->data;
499 rctx->oaep_labellen = params->len;
500 return 1;
501 }
502
503 case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
504 if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
505 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
506 return 0;
507 }
508 CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);
509 return 1;
510
511 default:
512 OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
513 return 0;
514 }
515 }
516
pkey_rsa_keygen(EVP_PKEY_CTX * ctx,EVP_PKEY * pkey)517 static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
518 RSA *rsa = NULL;
519 RSA_PKEY_CTX *rctx = ctx->data;
520
521 if (!rctx->pub_exp) {
522 rctx->pub_exp = BN_new();
523 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) {
524 return 0;
525 }
526 }
527 rsa = RSA_new();
528 if (!rsa) {
529 return 0;
530 }
531
532 if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL)) {
533 RSA_free(rsa);
534 return 0;
535 }
536
537 EVP_PKEY_assign_RSA(pkey, rsa);
538 return 1;
539 }
540
541 const EVP_PKEY_METHOD rsa_pkey_meth = {
542 EVP_PKEY_RSA,
543 pkey_rsa_init,
544 pkey_rsa_copy,
545 pkey_rsa_cleanup,
546 pkey_rsa_keygen,
547 pkey_rsa_sign,
548 NULL /* sign_message */,
549 pkey_rsa_verify,
550 NULL /* verify_message */,
551 pkey_rsa_verify_recover,
552 pkey_rsa_encrypt,
553 pkey_rsa_decrypt,
554 NULL /* derive */,
555 NULL /* paramgen */,
556 pkey_rsa_ctrl,
557 };
558
EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX * ctx,int padding)559 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) {
560 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING,
561 padding, NULL);
562 }
563
EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX * ctx,int * out_padding)564 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) {
565 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,
566 0, out_padding);
567 }
568
EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)569 int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
570 return 0;
571 }
572
EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX * ctx,int salt_len)573 int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
574 return 0;
575 }
576
EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)577 int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx,
578 const EVP_MD *md) {
579 return 0;
580 }
581
EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int salt_len)582 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
583 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
584 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
585 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL);
586 }
587
EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX * ctx,int * out_salt_len)588 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) {
589 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
590 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
591 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len);
592 }
593
EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX * ctx,int bits)594 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) {
595 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
596 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL);
597 }
598
EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX * ctx,BIGNUM * e)599 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) {
600 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
601 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e);
602 }
603
EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)604 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
605 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
606 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);
607 }
608
EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX * ctx,const EVP_MD ** out_md)609 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
610 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
611 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void*) out_md);
612 }
613
EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD * md)614 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
615 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
616 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
617 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void*) md);
618 }
619
EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX * ctx,const EVP_MD ** out_md)620 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
621 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
622 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
623 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void*) out_md);
624 }
625
EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX * ctx,uint8_t * label,size_t label_len)626 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label,
627 size_t label_len) {
628 RSA_OAEP_LABEL_PARAMS params = {label, label_len};
629 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
630 EVP_PKEY_CTRL_RSA_OAEP_LABEL, 0, ¶ms);
631 }
632
EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX * ctx,const uint8_t ** out_label)633 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
634 const uint8_t **out_label) {
635 CBS label;
636 if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
637 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {
638 return -1;
639 }
640 if (CBS_len(&label) > INT_MAX) {
641 OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
642 return -1;
643 }
644 *out_label = CBS_data(&label);
645 return (int)CBS_len(&label);
646 }
647