]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/rsa/rsa_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions
[thirdparty/openssl.git] / crypto / rsa / rsa_lib.c
CommitLineData
2039c421 1/*
4333b89f 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
d02b48c6 3 *
2a7b6f39 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
d02b48c6
RE		 8 */
9
c5f87134
P		 10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
d02b48c6 16#include <stdio.h>
ec577822 17#include <openssl/crypto.h>
89abd1b6
MC		 18#include <openssl/core_names.h>
19#include <openssl/engine.h>
20#include <openssl/evp.h>
b39fc560 21#include "internal/cryptlib.h"
cd420b0b 22#include "internal/refcount.h"
110bff61 23#include "openssl/param_build.h"
25f2138b 24#include "crypto/bn.h"
25f2138b 25#include "crypto/evp.h"
c3a4fa4c 26#include "crypto/rsa.h"
55f02cb6 27#include "crypto/security_bits.h"
706457b7 28#include "rsa_local.h"
d02b48c6 29
b4250010 30static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx);
afb638f1 31
f844f9eb 32#ifndef FIPS_MODULE
6b691a5c 33RSA *RSA_new(void)
0f113f3e 34{
afb638f1 35 return rsa_new_intern(NULL, NULL);
0f113f3e 36}
ce8b2574 37
29c1f061 38const RSA_METHOD *RSA_get_method(const RSA *rsa)
0f113f3e
MC		 39{
40 return rsa->meth;
41}
cb78486d
GT		 42
43int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
0f113f3e
MC		 44{
45 /*
46 * NB: The caller is specifically setting a method, so it's not up to us
47 * to deal with which ENGINE it comes from.
48 */
49 const RSA_METHOD *mtmp;
50 mtmp = rsa->meth;
51 if (mtmp->finish)
52 mtmp->finish(rsa);
0b13e9f0 53#ifndef OPENSSL_NO_ENGINE
7c96dbcd
RS		 54 ENGINE_finish(rsa->engine);
55 rsa->engine = NULL;
0b13e9f0 56#endif
0f113f3e
MC		 57 rsa->meth = meth;
58 if (meth->init)
59 meth->init(rsa);
60 return 1;
61}
ce8b2574 62
5270e702 63RSA *RSA_new_method(ENGINE *engine)
afb638f1
MC		 64{
65 return rsa_new_intern(engine, NULL);
66}
67#endif
68
b4250010 69RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx)
afb638f1
MC		 70{
71 return rsa_new_intern(NULL, libctx);
72}
73
b4250010 74static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx)
0f113f3e 75{
11ed851d 76 RSA *ret = OPENSSL_zalloc(sizeof(*ret));
d02b48c6 77
0f113f3e 78 if (ret == NULL) {
9311d0c4 79 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 80 return NULL;
81 }
d02b48c6 82
11ed851d
F		 83 ret->references = 1;
84 ret->lock = CRYPTO_THREAD_lock_new();
85 if (ret->lock == NULL) {
9311d0c4 86 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
11ed851d
F		 87 OPENSSL_free(ret);
88 return NULL;
89 }
90
afb638f1 91 ret->libctx = libctx;
0f113f3e 92 ret->meth = RSA_get_default_method();
f844f9eb 93#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
11ed851d 94 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
0f113f3e
MC		 95 if (engine) {
96 if (!ENGINE_init(engine)) {
9311d0c4 97 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB);
11ed851d 98 goto err;
0f113f3e
MC		 99 }
100 ret->engine = engine;
90862ab4 101 } else {
0f113f3e 102 ret->engine = ENGINE_get_default_RSA();
90862ab4 103 }
0f113f3e
MC		 104 if (ret->engine) {
105 ret->meth = ENGINE_get_RSA(ret->engine);
7c96dbcd 106 if (ret->meth == NULL) {
9311d0c4 107 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB);
11ed851d 108 goto err;
0f113f3e
MC		 109 }
110 }
0b13e9f0 111#endif
0c9de428 112
0f113f3e 113 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
f844f9eb 114#ifndef FIPS_MODULE
0f113f3e 115 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
11ed851d 116 goto err;
d188a536 117 }
a3327784 118#endif
d188a536
AG		 119
120 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
9311d0c4 121 ERR_raise(ERR_LIB_RSA, ERR_R_INIT_FAIL);
11ed851d 122 goto err;
0f113f3e 123 }
d188a536
AG		 124
125 return ret;
11ed851d 126
544648a8 127 err:
11ed851d
F		 128 RSA_free(ret);
129 return NULL;
0f113f3e 130}
d02b48c6 131
6b691a5c 132void RSA_free(RSA *r)
0f113f3e
MC		 133{
134 int i;
d02b48c6 135
0f113f3e
MC		 136 if (r == NULL)
137 return;
d02b48c6 138
2f545ae4 139 CRYPTO_DOWN_REF(&r->references, &i, r->lock);
f3f1cf84 140 REF_PRINT_COUNT("RSA", r);
0f113f3e
MC		 141 if (i > 0)
142 return;
f3f1cf84 143 REF_ASSERT_ISNT(i < 0);
d02b48c6 144
0c5d725e 145 if (r->meth != NULL && r->meth->finish != NULL)
0f113f3e 146 r->meth->finish(r);
f844f9eb 147#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
412bafdc 148 ENGINE_finish(r->engine);
0b13e9f0 149#endif
d02b48c6 150
f844f9eb 151#ifndef FIPS_MODULE
0f113f3e 152 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
a3327784 153#endif
7abe8305 154
d188a536
AG		 155 CRYPTO_THREAD_lock_free(r->lock);
156
c033101d
MB		 157 BN_free(r->n);
158 BN_free(r->e);
23a1d5e9
RS		 159 BN_clear_free(r->d);
160 BN_clear_free(r->p);
161 BN_clear_free(r->q);
162 BN_clear_free(r->dmp1);
163 BN_clear_free(r->dmq1);
164 BN_clear_free(r->iqmp);
4f2271d5
SL		 165
166#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
167 rsa_acvp_test_free(r->acvp_test);
168#endif
169
f844f9eb 170#ifndef FIPS_MODULE
d771441d 171 RSA_PSS_PARAMS_free(r->pss);
665d899f 172 sk_RSA_PRIME_INFO_pop_free(r->prime_infos, rsa_multip_info_free);
afb638f1 173#endif
23a1d5e9
RS		 174 BN_BLINDING_free(r->blinding);
175 BN_BLINDING_free(r->mt_blinding);
4c42ebd2 176 OPENSSL_free(r->bignum_data);
0f113f3e
MC		 177 OPENSSL_free(r);
178}
d02b48c6 179
6ac4e8bd 180int RSA_up_ref(RSA *r)
0f113f3e 181{
d188a536
AG		 182 int i;
183
2f545ae4 184 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0)
d188a536 185 return 0;
f3f1cf84
RS		 186
187 REF_PRINT_COUNT("RSA", r);
188 REF_ASSERT_ISNT(i < 2);
8686c474 189 return i > 1 ? 1 : 0;
0f113f3e 190}
5cbc2e8b 191
b4250010 192OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r)
8a758e96
RL		 193{
194 return r->libctx;
195}
196
6963979f
RL		 197void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx)
198{
199 r->libctx = libctx;
200}
201
f844f9eb 202#ifndef FIPS_MODULE
dd9d233e 203int RSA_set_ex_data(RSA *r, int idx, void *arg)
0f113f3e 204{
8686c474 205 return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
0f113f3e 206}
58964a49 207
29c1f061 208void *RSA_get_ex_data(const RSA *r, int idx)
0f113f3e 209{
8686c474 210 return CRYPTO_get_ex_data(&r->ex_data, idx);
0f113f3e 211}
a3327784 212#endif
58964a49 213
97b0b713
P		 214/*
215 * Define a scaling constant for our fixed point arithmetic.
216 * This value must be a power of two because the base two logarithm code
217 * makes this assumption. The exponent must also be a multiple of three so
218 * that the scale factor has an exact cube root. Finally, the scale factor
219 * should not be so large that a multiplication of two scaled numbers
220 * overflows a 64 bit unsigned integer.
221 */
222static const unsigned int scale = 1 << 18;
223static const unsigned int cbrt_scale = 1 << (2 * 18 / 3);
224
225/* Define some constants, none exceed 32 bits */
226static const unsigned int log_2 = 0x02c5c8; /* scale * log(2) */
227static const unsigned int log_e = 0x05c551; /* scale * log2(M_E) */
228static const unsigned int c1_923 = 0x07b126; /* scale * 1.923 */
229static const unsigned int c4_690 = 0x12c28f; /* scale * 4.690 */
230
231/*
2beb004b 232 * Multiply two scaled integers together and rescale the result.
97b0b713
P		 233 */
234static ossl_inline uint64_t mul2(uint64_t a, uint64_t b)
235{
236 return a * b / scale;
237}
238
239/*
240 * Calculate the cube root of a 64 bit scaled integer.
241 * Although the cube root of a 64 bit number does fit into a 32 bit unsigned
242 * integer, this is not guaranteed after scaling, so this function has a
243 * 64 bit return. This uses the shifting nth root algorithm with some
244 * algebraic simplifications.
245 */
246static uint64_t icbrt64(uint64_t x)
247{
248 uint64_t r = 0;
249 uint64_t b;
250 int s;
251
252 for (s = 63; s >= 0; s -= 3) {
253 r <<= 1;
254 b = 3 * r * (r + 1) + 1;
255 if ((x >> s) >= b) {
256 x -= b << s;
257 r++;
258 }
259 }
260 return r * cbrt_scale;
261}
262
263/*
264 * Calculate the natural logarithm of a 64 bit scaled integer.
265 * This is done by calculating a base two logarithm and scaling.
266 * The maximum logarithm (base 2) is 64 and this reduces base e, so
267 * a 32 bit result should not overflow. The argument passed must be
268 * greater than unity so we don't need to handle negative results.
269 */
270static uint32_t ilog_e(uint64_t v)
271{
272 uint32_t i, r = 0;
273
274 /*
275 * Scale down the value into the range 1 .. 2.
276 *
277 * If fractional numbers need to be processed, another loop needs
278 * to go here that checks v < scale and if so multiplies it by 2 and
279 * reduces r by scale. This also means making r signed.
280 */
281 while (v >= 2 * scale) {
282 v >>= 1;
283 r += scale;
284 }
285 for (i = scale / 2; i != 0; i /= 2) {
286 v = mul2(v, v);
287 if (v >= 2 * scale) {
288 v >>= 1;
289 r += i;
290 }
291 }
292 r = (r * (uint64_t)scale) / log_e;
293 return r;
294}
295
296/*
297 * NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC
298 * Modulus Lengths.
299 *
55f02cb6
SL		 300 * Note that this formula is also referred to in SP800-56A rev3 Appendix D:
301 * for FFC safe prime groups for modp and ffdhe.
302 * After Table 25 and Table 26 it refers to
303 * "The maximum security strength estimates were calculated using the formula in
304 * Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight
305 * bits".
306 *
307 * The formula is:
308 *
97b0b713
P		 309 * E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)}
310 * \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)}
311 * The two cube roots are merged together here.
312 */
55f02cb6 313uint16_t ifc_ffc_compute_security_bits(int n)
97b0b713
P		 314{
315 uint64_t x;
316 uint32_t lx;
317 uint16_t y;
318
319 /* Look for common values as listed in SP 800-56B rev 2 Appendix D */
320 switch (n) {
321 case 2048:
322 return 112;
323 case 3072:
324 return 128;
325 case 4096:
326 return 152;
327 case 6144:
328 return 176;
329 case 8192:
330 return 200;
331 }
332 /*
333 * The first incorrect result (i.e. not accurate or off by one low) occurs
334 * for n = 699668. The true value here is 1200. Instead of using this n
335 * as the check threshold, the smallest n such that the correct result is
336 * 1200 is used instead.
337 */
338 if (n >= 687737)
339 return 1200;
340 if (n < 8)
341 return 0;
342
343 x = n * (uint64_t)log_2;
344 lx = ilog_e(x);
345 y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690)
346 / log_2);
347 return (y + 4) & ~7;
348}
349
55f02cb6
SL		 350
351
2514fa79 352int RSA_security_bits(const RSA *rsa)
0f113f3e 353{
0122add6
AP		 354 int bits = BN_num_bits(rsa->n);
355
f844f9eb 356#ifndef FIPS_MODULE
0122add6
AP		 357 if (rsa->version == RSA_ASN1_VERSION_MULTI) {
358 /* This ought to mean that we have private key at hand. */
359 int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos);
360
361 if (ex_primes <= 0 || (ex_primes + 2) > rsa_multip_cap(bits))
362 return 0;
363 }
afb638f1 364#endif
55f02cb6 365 return ifc_ffc_compute_security_bits(bits);
0f113f3e 366}
9862e9aa
RL		 367
368int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
369{
fd809cfd 370 /* If the fields n and e in r are NULL, the corresponding input
1da12e34
RL		 371 * parameters MUST be non-NULL for n and e. d may be
372 * left NULL (in case only the public key is used).
1da12e34 373 */
b84e1226
MC		 374 if ((r->n == NULL && n == NULL)
375 || (r->e == NULL && e == NULL))
9862e9aa
RL		 376 return 0;
377
1da12e34
RL		 378 if (n != NULL) {
379 BN_free(r->n);
380 r->n = n;
381 }
382 if (e != NULL) {
383 BN_free(r->e);
384 r->e = e;
385 }
386 if (d != NULL) {
c033101d 387 BN_clear_free(r->d);
1da12e34 388 r->d = d;
311e903d 389 BN_set_flags(r->d, BN_FLG_CONSTTIME);
1da12e34 390 }
29be6023 391 r->dirty_cnt++;
9862e9aa
RL		 392
393 return 1;
394}
395
396int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
397{
fd809cfd 398 /* If the fields p and q in r are NULL, the corresponding input
1da12e34 399 * parameters MUST be non-NULL.
1da12e34 400 */
b84e1226
MC		 401 if ((r->p == NULL && p == NULL)
402 || (r->q == NULL && q == NULL))
9862e9aa
RL		 403 return 0;
404
1da12e34 405 if (p != NULL) {
c033101d 406 BN_clear_free(r->p);
1da12e34 407 r->p = p;
311e903d 408 BN_set_flags(r->p, BN_FLG_CONSTTIME);
1da12e34
RL		 409 }
410 if (q != NULL) {
c033101d 411 BN_clear_free(r->q);
1da12e34 412 r->q = q;
311e903d 413 BN_set_flags(r->q, BN_FLG_CONSTTIME);
1da12e34 414 }
29be6023 415 r->dirty_cnt++;
9862e9aa
RL		 416
417 return 1;
418}
419
420int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
421{
fd809cfd 422 /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
1da12e34 423 * parameters MUST be non-NULL.
1da12e34 424 */
b84e1226
MC		 425 if ((r->dmp1 == NULL && dmp1 == NULL)
426 || (r->dmq1 == NULL && dmq1 == NULL)
427 || (r->iqmp == NULL && iqmp == NULL))
9862e9aa
RL		 428 return 0;
429
1da12e34 430 if (dmp1 != NULL) {
c033101d 431 BN_clear_free(r->dmp1);
1da12e34 432 r->dmp1 = dmp1;
311e903d 433 BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
1da12e34
RL		 434 }
435 if (dmq1 != NULL) {
c033101d 436 BN_clear_free(r->dmq1);
1da12e34 437 r->dmq1 = dmq1;
311e903d 438 BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
1da12e34
RL		 439 }
440 if (iqmp != NULL) {
c033101d 441 BN_clear_free(r->iqmp);
1da12e34 442 r->iqmp = iqmp;
311e903d 443 BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
1da12e34 444 }
29be6023 445 r->dirty_cnt++;
9862e9aa
RL		 446
447 return 1;
448}
449
f844f9eb 450#ifndef FIPS_MODULE
665d899f
PY		 451/*
452 * Is it better to export RSA_PRIME_INFO structure
453 * and related functions to let user pass a triplet?
454 */
455int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
456 BIGNUM *coeffs[], int pnum)
457{
458 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL;
459 RSA_PRIME_INFO *pinfo;
460 int i;
461
462 if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0)
463 return 0;
464
465 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
466 if (prime_infos == NULL)
467 return 0;
468
469 if (r->prime_infos != NULL)
470 old = r->prime_infos;
471
472 for (i = 0; i < pnum; i++) {
473 pinfo = rsa_multip_info_new();
474 if (pinfo == NULL)
475 goto err;
476 if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
d2baf88c
CPG		 477 BN_clear_free(pinfo->r);
478 BN_clear_free(pinfo->d);
479 BN_clear_free(pinfo->t);
665d899f
PY		 480 pinfo->r = primes[i];
481 pinfo->d = exps[i];
482 pinfo->t = coeffs[i];
d2baf88c
CPG		 483 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
484 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
485 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
665d899f
PY		 486 } else {
487 rsa_multip_info_free(pinfo);
488 goto err;
489 }
490 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
491 }
492
493 r->prime_infos = prime_infos;
494
495 if (!rsa_multip_calc_product(r)) {
496 r->prime_infos = old;
497 goto err;
498 }
499
500 if (old != NULL) {
501 /*
502 * This is hard to deal with, since the old infos could
503 * also be set by this function and r, d, t should not
504 * be freed in that case. So currently, stay consistent
505 * with other *set0* functions: just free it...
506 */
507 sk_RSA_PRIME_INFO_pop_free(old, rsa_multip_info_free);
508 }
509
510 r->version = RSA_ASN1_VERSION_MULTI;
29be6023 511 r->dirty_cnt++;
665d899f
PY		 512
513 return 1;
514 err:
515 /* r, d, t should not be freed */
516 sk_RSA_PRIME_INFO_pop_free(prime_infos, rsa_multip_info_free_ex);
517 return 0;
518}
afb638f1 519#endif
665d899f 520
fd809cfd
RL		 521void RSA_get0_key(const RSA *r,
522 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
9862e9aa
RL		 523{
524 if (n != NULL)
525 *n = r->n;
526 if (e != NULL)
527 *e = r->e;
528 if (d != NULL)
529 *d = r->d;
530}
531
fd809cfd 532void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
9862e9aa
RL		 533{
534 if (p != NULL)
535 *p = r->p;
536 if (q != NULL)
537 *q = r->q;
538}
539
f844f9eb 540#ifndef FIPS_MODULE
665d899f
PY		 541int RSA_get_multi_prime_extra_count(const RSA *r)
542{
543 int pnum;
544
545 pnum = sk_RSA_PRIME_INFO_num(r->prime_infos);
546 if (pnum <= 0)
547 pnum = 0;
548 return pnum;
549}
550
551int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[])
552{
553 int pnum, i;
554 RSA_PRIME_INFO *pinfo;
555
556 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
557 return 0;
558
559 /*
560 * return other primes
561 * it's caller's responsibility to allocate oth_primes[pnum]
562 */
563 for (i = 0; i < pnum; i++) {
564 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
565 primes[i] = pinfo->r;
566 }
567
568 return 1;
569}
afb638f1 570#endif
665d899f 571
9862e9aa 572void RSA_get0_crt_params(const RSA *r,
fd809cfd
RL		 573 const BIGNUM **dmp1, const BIGNUM **dmq1,
574 const BIGNUM **iqmp)
9862e9aa
RL		 575{
576 if (dmp1 != NULL)
577 *dmp1 = r->dmp1;
578 if (dmq1 != NULL)
579 *dmq1 = r->dmq1;
580 if (iqmp != NULL)
581 *iqmp = r->iqmp;
582}
583
f844f9eb 584#ifndef FIPS_MODULE
665d899f
PY		 585int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[],
586 const BIGNUM *coeffs[])
587{
588 int pnum;
589
590 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
591 return 0;
592
593 /* return other primes */
594 if (exps != NULL || coeffs != NULL) {
595 RSA_PRIME_INFO *pinfo;
596 int i;
597
598 /* it's the user's job to guarantee the buffer length */
599 for (i = 0; i < pnum; i++) {
600 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
601 if (exps != NULL)
602 exps[i] = pinfo->d;
603 if (coeffs != NULL)
604 coeffs[i] = pinfo->t;
605 }
606 }
607
608 return 1;
609}
afb638f1 610#endif
665d899f 611
6692ff77
DMSP		 612const BIGNUM *RSA_get0_n(const RSA *r)
613{
614 return r->n;
615}
616
617const BIGNUM *RSA_get0_e(const RSA *r)
618{
619 return r->e;
620}
621
622const BIGNUM *RSA_get0_d(const RSA *r)
623{
624 return r->d;
625}
626
627const BIGNUM *RSA_get0_p(const RSA *r)
628{
629 return r->p;
630}
631
632const BIGNUM *RSA_get0_q(const RSA *r)
633{
634 return r->q;
635}
636
637const BIGNUM *RSA_get0_dmp1(const RSA *r)
638{
639 return r->dmp1;
640}
641
642const BIGNUM *RSA_get0_dmq1(const RSA *r)
643{
644 return r->dmq1;
645}
646
647const BIGNUM *RSA_get0_iqmp(const RSA *r)
648{
649 return r->iqmp;
650}
651
677add38
RL		 652const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r)
653{
15671090
RL		 654#ifdef FIPS_MODULE
655 return NULL;
656#else
677add38 657 return r->pss;
15671090
RL		 658#endif
659}
660
661/* Internal */
23b2fc0b 662RSA_PSS_PARAMS_30 *ossl_rsa_get0_pss_params_30(RSA *r)
15671090
RL		 663{
664 return &r->pss_params;
677add38
RL		 665}
666
9862e9aa
RL		 667void RSA_clear_flags(RSA *r, int flags)
668{
669 r->flags &= ~flags;
670}
671
672int RSA_test_flags(const RSA *r, int flags)
673{
674 return r->flags & flags;
675}
676
677void RSA_set_flags(RSA *r, int flags)
678{
679 r->flags |= flags;
680}
681
665d899f
PY		 682int RSA_get_version(RSA *r)
683{
684 /* { two-prime(0), multi(1) } */
685 return r->version;
686}
687
f844f9eb 688#ifndef FIPS_MODULE
e0685d24 689ENGINE *RSA_get0_engine(const RSA *r)
9862e9aa
RL		 690{
691 return r->engine;
692}
e5e04ee3
DSH		 693
694int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2)
695{
696 /* If key type not RSA or RSA-PSS return error */
697 if (ctx != NULL && ctx->pmeth != NULL
698 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
699 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
700 return -1;
701 return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2);
702}
afb638f1 703#endif
c3a4fa4c
RL		 704
705DEFINE_STACK_OF(BIGNUM)
706
23b2fc0b
P		 707int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
708 const STACK_OF(BIGNUM) *exps,
709 const STACK_OF(BIGNUM) *coeffs)
c3a4fa4c 710{
f844f9eb 711#ifndef FIPS_MODULE
c3a4fa4c 712 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL;
afb638f1 713#endif
c3a4fa4c
RL		 714 int pnum;
715
716 if (primes == NULL || exps == NULL || coeffs == NULL)
717 return 0;
718
719 pnum = sk_BIGNUM_num(primes);
720 if (pnum < 2
721 || pnum != sk_BIGNUM_num(exps)
722 || pnum != sk_BIGNUM_num(coeffs) + 1)
723 return 0;
724
725 if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0),
726 sk_BIGNUM_value(primes, 1))
727 || !RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0),
728 sk_BIGNUM_value(exps, 1),
729 sk_BIGNUM_value(coeffs, 0)))
730 return 0;
731
f844f9eb 732#ifndef FIPS_MODULE
c3a4fa4c 733 old_infos = r->prime_infos;
afb638f1 734#endif
c3a4fa4c
RL		 735
736 if (pnum > 2) {
f844f9eb 737#ifndef FIPS_MODULE
c3a4fa4c
RL		 738 int i;
739
740 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
741 if (prime_infos == NULL)
742 return 0;
743
744 for (i = 2; i < pnum; i++) {
745 BIGNUM *prime = sk_BIGNUM_value(primes, i);
746 BIGNUM *exp = sk_BIGNUM_value(exps, i);
747 BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1);
748 RSA_PRIME_INFO *pinfo = NULL;
749
750 if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL))
751 goto err;
752
753 /* Using rsa_multip_info_new() is wasteful, so allocate directly */
754 if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) {
755 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
756 goto err;
757 }
758
759 pinfo->r = prime;
760 pinfo->d = exp;
761 pinfo->t = coeff;
762 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
763 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
764 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
765 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
766 }
767
768 r->prime_infos = prime_infos;
769
770 if (!rsa_multip_calc_product(r)) {
771 r->prime_infos = old_infos;
772 goto err;
773 }
afb638f1
MC		 774#else
775 return 0;
776#endif
c3a4fa4c
RL		 777 }
778
f844f9eb 779#ifndef FIPS_MODULE
c3a4fa4c
RL		 780 if (old_infos != NULL) {
781 /*
782 * This is hard to deal with, since the old infos could
783 * also be set by this function and r, d, t should not
784 * be freed in that case. So currently, stay consistent
785 * with other *set0* functions: just free it...
786 */
787 sk_RSA_PRIME_INFO_pop_free(old_infos, rsa_multip_info_free);
788 }
afb638f1 789#endif
c3a4fa4c
RL		 790
791 r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT;
792 r->dirty_cnt++;
793
794 return 1;
f844f9eb 795#ifndef FIPS_MODULE
c3a4fa4c
RL		 796 err:
797 /* r, d, t should not be freed */
798 sk_RSA_PRIME_INFO_pop_free(prime_infos, rsa_multip_info_free_ex);
799 return 0;
afb638f1 800#endif
c3a4fa4c
RL		 801}
802
803DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
804
23b2fc0b
P		 805int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes,
806 STACK_OF(BIGNUM_const) *exps,
807 STACK_OF(BIGNUM_const) *coeffs)
c3a4fa4c 808{
f844f9eb 809#ifndef FIPS_MODULE
c3a4fa4c
RL		 810 RSA_PRIME_INFO *pinfo;
811 int i, pnum;
afb638f1 812#endif
c3a4fa4c
RL		 813
814 if (r == NULL)
815 return 0;
816
a9127c1d
RL		 817 /* If |p| is NULL, there are no CRT parameters */
818 if (RSA_get0_p(r) == NULL)
819 return 1;
820
c3a4fa4c
RL		 821 sk_BIGNUM_const_push(primes, RSA_get0_p(r));
822 sk_BIGNUM_const_push(primes, RSA_get0_q(r));
823 sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r));
824 sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r));
825 sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r));
afb638f1 826
f844f9eb 827#ifndef FIPS_MODULE
afb638f1 828 pnum = RSA_get_multi_prime_extra_count(r);
c3a4fa4c
RL		 829 for (i = 0; i < pnum; i++) {
830 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
831 sk_BIGNUM_const_push(primes, pinfo->r);
832 sk_BIGNUM_const_push(exps, pinfo->d);
833 sk_BIGNUM_const_push(coeffs, pinfo->t);
834 }
afb638f1 835#endif
c3a4fa4c
RL		 836
837 return 1;
838}
89abd1b6 839
f844f9eb 840#ifndef FIPS_MODULE
89abd1b6
MC		 841int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode)
842{
843 OSSL_PARAM pad_params[2], *p = pad_params;
844
845 if (ctx == NULL) {
846 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
847 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
848 return -2;
849 }
850
851 /* If key type not RSA or RSA-PSS return error */
852 if (ctx->pmeth != NULL
853 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
854 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
855 return -1;
856
857 /* TODO(3.0): Remove this eventually when no more legacy */
6f4b7663
RL		 858 if ((!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
859 || ctx->op.ciph.ciphprovctx == NULL)
860 && (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
861 || ctx->op.sig.sigprovctx == NULL))
89abd1b6
MC		 862 return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_RSA_PADDING,
863 pad_mode, NULL);
864
6f4b7663 865 *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_PAD_MODE, &pad_mode);
89abd1b6
MC		 866 *p++ = OSSL_PARAM_construct_end();
867
868 return EVP_PKEY_CTX_set_params(ctx, pad_params);
869}
870
871int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode)
872{
873 OSSL_PARAM pad_params[2], *p = pad_params;
874
875 if (ctx == NULL || pad_mode == NULL) {
876 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
877 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
878 return -2;
879 }
880
881 /* If key type not RSA or RSA-PSS return error */
882 if (ctx->pmeth != NULL
883 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
884 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
885 return -1;
886
887 /* TODO(3.0): Remove this eventually when no more legacy */
6f4b7663
RL		 888 if ((!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
889 || ctx->op.ciph.ciphprovctx == NULL)
890 && (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
891 || ctx->op.sig.sigprovctx == NULL))
89abd1b6
MC		 892 return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0,
893 pad_mode);
894
6f4b7663 895 *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_PAD_MODE, pad_mode);
89abd1b6
MC		 896 *p++ = OSSL_PARAM_construct_end();
897
898 if (!EVP_PKEY_CTX_get_params(ctx, pad_params))
899 return 0;
900
901 return 1;
902
903}
904
e947a064
DB		 905int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
906{
907 const char *name;
908
909 if (ctx == NULL || md == NULL) {
910 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
911 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
912 return -2;
913 }
914
915 /* If key type not RSA return error */
916 if (ctx->pmeth != NULL
917 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
918 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
919 return -1;
920
921 /* TODO(3.0): Remove this eventually when no more legacy */
922 if (ctx->op.keymgmt.genctx == NULL)
923 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
924 EVP_PKEY_CTRL_MD, 0, (void *)md);
925
926 name = EVP_MD_name(md);
927
928 return EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(ctx, name, NULL);
929}
930
931int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx,
932 const char *mdname,
933 const char *mdprops)
934{
935 OSSL_PARAM rsa_params[3], *p = rsa_params;
936
937 if (ctx == NULL || mdname == NULL) {
938 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
939 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
940 return -2;
941 }
942
943 /* If key type not RSA return error */
944 if (ctx->pmeth != NULL
945 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
946 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
947 return -1;
948
949
950 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_RSA_DIGEST,
951 /*
952 * Cast away the const. This is read
953 * only so should be safe
954 */
955 (char *)mdname, 0);
956 if (mdprops != NULL) {
957 *p++ = OSSL_PARAM_construct_utf8_string(
958 OSSL_PKEY_PARAM_RSA_DIGEST_PROPS,
959 /*
960 * Cast away the const. This is read only so should be safe
961 */
962 (char *)mdprops, 0);
963 }
964 *p++ = OSSL_PARAM_construct_end();
965
966 return EVP_PKEY_CTX_set_params(ctx, rsa_params);
967}
968
89abd1b6
MC		 969int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
970{
971 const char *name;
972
973 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
974 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
975 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
976 return -2;
977 }
978
979 /* If key type not RSA return error */
980 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
981 return -1;
982
983 /* TODO(3.0): Remove this eventually when no more legacy */
984 if (ctx->op.ciph.ciphprovctx == NULL)
985 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
986 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);
987
988 name = (md == NULL) ? "" : EVP_MD_name(md);
989
990 return EVP_PKEY_CTX_set_rsa_oaep_md_name(ctx, name, NULL);
991}
992
993int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
994 const char *mdprops)
995{
996 OSSL_PARAM rsa_params[3], *p = rsa_params;
997
998 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
999 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1000 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1001 return -2;
1002 }
1003
1004 /* If key type not RSA return error */
1005 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
1006 return -1;
1007
1008
1009 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
1010 /*
1011 * Cast away the const. This is read
1012 * only so should be safe
1013 */
8b6ffd40 1014 (char *)mdname, 0);
89abd1b6
MC		 1015 if (mdprops != NULL) {
1016 *p++ = OSSL_PARAM_construct_utf8_string(
1017 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS,
1018 /*
1019 * Cast away the const. This is read
1020 * only so should be safe
1021 */
8b6ffd40 1022 (char *)mdprops, 0);
89abd1b6
MC		 1023 }
1024 *p++ = OSSL_PARAM_construct_end();
1025
1026 return EVP_PKEY_CTX_set_params(ctx, rsa_params);
1027}
1028
1029int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name,
1030 size_t namelen)
1031{
1032 OSSL_PARAM rsa_params[2], *p = rsa_params;
1033
1034 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1035 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1036 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1037 return -2;
1038 }
1039
1040 /* If key type not RSA return error */
1041 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
1042 return -1;
1043
1044 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
1045 name, namelen);
1046 *p++ = OSSL_PARAM_construct_end();
1047
1048 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params))
1049 return -1;
1050
1051 return 1;
1052}
1053
1054int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
1055{
1056 /* 80 should be big enough */
1057 char name[80] = "";
1058
1059 if (ctx == NULL || md == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1060 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1061 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1062 return -2;
1063 }
1064
1065 /* If key type not RSA return error */
1066 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
1067 return -1;
1068
1069 /* TODO(3.0): Remove this eventually when no more legacy */
1070 if (ctx->op.ciph.ciphprovctx == NULL)
1071 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
1072 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md);
1073
1074 if (EVP_PKEY_CTX_get_rsa_oaep_md_name(ctx, name, sizeof(name)) <= 0)
1075 return -1;
1076
1077 /* May be NULL meaning "unknown" */
57e84206 1078 *md = evp_get_digestbyname_ex(ctx->libctx, name);
89abd1b6
MC		 1079
1080 return 1;
1081}
1082
e25761b1
RL		 1083static int int_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx,
1084 /* For EVP_PKEY_CTX_ctrl() */
1085 int keytype, int optype, int cmd,
1086 const EVP_MD *md,
1087 /* For EVP_PKEY_CTX_set_params() */
1088 const char *mdname, const char *mdprops)
89abd1b6 1089{
e25761b1 1090 OSSL_PARAM rsa_params[3], *p = rsa_params;
89abd1b6 1091
e25761b1 1092 if (ctx == NULL || (ctx->operation & optype) == 0) {
89abd1b6
MC		 1093 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1094 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1095 return -2;
1096 }
1097
1098 /* If key type not RSA return error */
1099 if (ctx->pmeth != NULL
e25761b1
RL		 1100 && (keytype == -1
1101 ? (ctx->pmeth->pkey_id != EVP_PKEY_RSA
1102 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
1103 : ctx->pmeth->pkey_id != keytype))
89abd1b6
MC		 1104 return -1;
1105
1106 /* TODO(3.0): Remove this eventually when no more legacy */
e25761b1
RL		 1107 if (cmd != -1) {
1108 if ((EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
1109 && ctx->op.ciph.ciphprovctx == NULL)
89abd1b6 1110 || (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
e25761b1
RL		 1111 && ctx->op.sig.sigprovctx == NULL)
1112 || (EVP_PKEY_CTX_IS_GEN_OP(ctx)
1113 && ctx->op.keymgmt.genctx == NULL))
1114 return EVP_PKEY_CTX_ctrl(ctx, keytype, optype, cmd, 0, (void *)md);
89abd1b6 1115
e25761b1 1116 mdname = (md == NULL) ? "" : EVP_MD_name(md);
89abd1b6
MC		 1117 }
1118
89abd1b6 1119
6f4b7663 1120 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_DIGEST,
89abd1b6 1121 /*
6f4b7663
RL		 1122 * Cast away the const. This is
1123 * read only so should be safe
89abd1b6 1124 */
8b6ffd40 1125 (char *)mdname, 0);
89abd1b6 1126 if (mdprops != NULL) {
6f4b7663
RL		 1127 *p++ =
1128 OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_PROPERTIES,
1129 /*
1130 * Cast away the const. This is
1131 * read only so should be safe
1132 */
1133 (char *)mdprops, 0);
89abd1b6
MC		 1134 }
1135 *p++ = OSSL_PARAM_construct_end();
1136
1137 return EVP_PKEY_CTX_set_params(ctx, rsa_params);
1138}
1139
e25761b1
RL		 1140int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
1141{
1142 return int_set_rsa_mgf1_md(ctx, -1,
1143 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG,
1144 EVP_PKEY_CTRL_RSA_MGF1_MD, md, NULL, NULL);
1145}
1146
1147int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
1148 const char *mdprops)
1149{
1150 return int_set_rsa_mgf1_md(ctx, -1,
1151 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG,
1152 -1, NULL, mdname, mdprops);
1153}
1154
1155int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
1156{
1157 return int_set_rsa_mgf1_md(ctx, EVP_PKEY_RSA_PSS,
1158 EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_RSA_MGF1_MD,
1159 md, NULL, NULL);
1160}
1161
1162int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx,
1163 const char *mdname)
1164{
1165 return int_set_rsa_mgf1_md(ctx, EVP_PKEY_RSA_PSS,
1166 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG,
1167 -1, NULL, mdname, NULL);
1168}
1169
89abd1b6
MC		 1170int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name,
1171 size_t namelen)
1172{
1173 OSSL_PARAM rsa_params[2], *p = rsa_params;
1174
1175 if (ctx == NULL
1176 || (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
1177 && !EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx))) {
1178 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1179 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1180 return -2;
1181 }
1182
1183 /* If key type not RSA or RSA-PSS return error */
1184 if (ctx->pmeth != NULL
1185 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
1186 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
1187 return -1;
1188
6f4b7663 1189 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_DIGEST,
89abd1b6
MC		 1190 name, namelen);
1191 *p++ = OSSL_PARAM_construct_end();
1192
1193 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params))
1194 return -1;
1195
1196 return 1;
1197}
1198
1199int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
1200{
1201 /* 80 should be big enough */
1202 char name[80] = "";
1203
1204 if (ctx == NULL
1205 || (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
1206 && !EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx))) {
1207 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1208 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1209 return -2;
1210 }
1211
1212 /* If key type not RSA or RSA-PSS return error */
1213 if (ctx->pmeth != NULL
1214 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
1215 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
1216 return -1;
1217
1218 /* TODO(3.0): Remove this eventually when no more legacy */
1219 if ((EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
1220 && ctx->op.ciph.ciphprovctx == NULL)
1221 || (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
1222 && ctx->op.sig.sigprovctx == NULL))
1223 return EVP_PKEY_CTX_ctrl(ctx, -1,
1224 EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
1225 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)md);
1226
1227 if (EVP_PKEY_CTX_get_rsa_mgf1_md_name(ctx, name, sizeof(name)) <= 0)
1228 return -1;
1229
1230 /* May be NULL meaning "unknown" */
57e84206 1231 *md = evp_get_digestbyname_ex(ctx->libctx, name);
89abd1b6
MC		 1232
1233 return 1;
1234}
1235
1236int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
1237{
1238 OSSL_PARAM rsa_params[2], *p = rsa_params;
1239
1240 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1241 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1242 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1243 return -2;
1244 }
1245
1246 /* If key type not RSA return error */
1247 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
1248 return -1;
1249
1250 /* TODO(3.0): Remove this eventually when no more legacy */
1251 if (ctx->op.ciph.ciphprovctx == NULL)
1252 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
1253 EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen,
1254 (void *)label);
1255
1256 *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
6f4b7663
RL		 1257 /*
1258 * Cast away the const. This is
1259 * read only so should be safe
1260 */
1261 (void *)label,
1262 (size_t)llen);
89abd1b6
MC		 1263 *p++ = OSSL_PARAM_construct_end();
1264
1265 if (!EVP_PKEY_CTX_set_params(ctx, rsa_params))
1266 return 0;
1267
1268 OPENSSL_free(label);
1269 return 1;
1270}
1271
1272int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label)
1273{
ba0a6d1d 1274 OSSL_PARAM rsa_params[2], *p = rsa_params;
89abd1b6
MC		 1275 size_t labellen;
1276
1277 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1278 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1279 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1280 return -2;
1281 }
1282
1283 /* If key type not RSA return error */
1284 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
1285 return -1;
1286
1287 /* TODO(3.0): Remove this eventually when no more legacy */
1288 if (ctx->op.ciph.ciphprovctx == NULL)
1289 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
1290 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0,
1291 (void *)label);
1292
1293 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
1294 (void **)label, 0);
89abd1b6
MC		 1295 *p++ = OSSL_PARAM_construct_end();
1296
1297 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params))
1298 return -1;
1299
ba0a6d1d 1300 labellen = rsa_params[0].return_size;
89abd1b6
MC		 1301 if (labellen > INT_MAX)
1302 return -1;
1303
1304 return (int)labellen;
1305}
6f4b7663 1306
e25761b1
RL		 1307static int int_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen,
1308 int keytype, int optype)
6f4b7663
RL		 1309{
1310 OSSL_PARAM pad_params[2], *p = pad_params;
1311
e25761b1 1312 if (ctx == NULL || (ctx->operation & optype) == 0) {
6f4b7663
RL		 1313 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1314 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1315 return -2;
1316 }
1317
1318 /* If key type not RSA or RSA-PSS return error */
1319 if (ctx->pmeth != NULL
e25761b1
RL		 1320 && (keytype == -1
1321 ? (ctx->pmeth->pkey_id != EVP_PKEY_RSA
1322 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
1323 : ctx->pmeth->pkey_id != keytype))
6f4b7663
RL		 1324 return -1;
1325
1326 /* TODO(3.0): Remove this eventually when no more legacy */
e25761b1
RL		 1327 if ((EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
1328 && ctx->op.sig.sigprovctx == NULL)
1329 || (EVP_PKEY_CTX_IS_GEN_OP(ctx)
1330 && ctx->op.keymgmt.genctx == NULL))
1331 return EVP_PKEY_CTX_ctrl(ctx, keytype, optype,
1332 EVP_PKEY_CTRL_RSA_PSS_SALTLEN,
6f4b7663
RL		 1333 saltlen, NULL);
1334
1335 *p++ =
1336 OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, &saltlen);
1337 *p++ = OSSL_PARAM_construct_end();
1338
1339 return EVP_PKEY_CTX_set_params(ctx, pad_params);
1340}
1341
e25761b1
RL		 1342int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen)
1343{
1344 return int_set_rsa_pss_saltlen(ctx, saltlen, -1, EVP_PKEY_OP_TYPE_SIG);
1345}
1346
1347int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen)
1348{
1349 return int_set_rsa_pss_saltlen(ctx, saltlen, EVP_PKEY_RSA_PSS,
1350 EVP_PKEY_OP_KEYGEN);
1351}
1352
6f4b7663
RL		 1353int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen)
1354{
1355 OSSL_PARAM pad_params[2], *p = pad_params;
1356
1357 if (ctx == NULL || saltlen == NULL) {
1358 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1359 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1360 return -2;
1361 }
1362
1363 /* If key type not RSA or RSA-PSS return error */
1364 if (ctx->pmeth != NULL
1365 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
1366 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
1367 return -1;
1368
1369 /* TODO(3.0): Remove this eventually when no more legacy */
1370 if (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
1371 || ctx->op.sig.sigprovctx == NULL)
1372 return EVP_PKEY_CTX_ctrl(ctx, -1, -1,
1373 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN,
1374 0, saltlen);
1375
1376 *p++ =
1377 OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, saltlen);
1378 *p++ = OSSL_PARAM_construct_end();
1379
1380 if (!EVP_PKEY_CTX_get_params(ctx, pad_params))
1381 return 0;
1382
1383 return 1;
1384
1385}
2972af10
RL		 1386
1387int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits)
1388{
1389 OSSL_PARAM params[2], *p = params;
1390 size_t bits2 = bits;
1391
1392 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
1393 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1394 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1395 return -2;
1396 }
1397
1398 /* If key type not RSA return error */
e947a064
DB		 1399 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA &&
1400 ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
2972af10
RL		 1401 return -1;
1402
1403 /* TODO(3.0): Remove this eventually when no more legacy */
1404 if (ctx->op.keymgmt.genctx == NULL)
1405 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
1406 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL);
1407
1408 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2);
1409 *p++ = OSSL_PARAM_construct_end();
1410
1411 if (!EVP_PKEY_CTX_set_params(ctx, params))
1412 return 0;
1413
1414 return 1;
1415}
1416
3786d748 1417static int evp_pkey_ctx_set_rsa_keygen_pubexp_intern(EVP_PKEY_CTX *ctx,
1418 BIGNUM *pubexp,
1419 int copy)
2972af10 1420{
6d4e6009 1421 OSSL_PARAM_BLD *tmpl;
2972af10
RL		 1422 OSSL_PARAM *params;
1423 int ret;
1424
1425 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
1426 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1427 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1428 return -2;
1429 }
1430
1431 /* If key type not RSA return error */
1432 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
1433 return -1;
1434
1435 /* TODO(3.0): Remove this eventually when no more legacy */
3786d748 1436 if (ctx->op.keymgmt.genctx == NULL) {
1437 if (copy == 1)
1438 pubexp = BN_dup(pubexp);
1439 ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
1440 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp);
1441 if ((copy == 1) && (ret <= 0))
1442 BN_free(pubexp);
1443 return ret;
1444 }
2972af10 1445
6d4e6009 1446 if ((tmpl = OSSL_PARAM_BLD_new()) == NULL)
2972af10 1447 return 0;
6d4e6009
P		 1448 if (!OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_RSA_E, pubexp)
1449 || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
1450 OSSL_PARAM_BLD_free(tmpl);
1451 return 0;
1452 }
1453 OSSL_PARAM_BLD_free(tmpl);
2972af10
RL		 1454
1455 ret = EVP_PKEY_CTX_set_params(ctx, params);
6d4e6009 1456 OSSL_PARAM_BLD_free_params(params);
3786d748 1457
1458 /*
1459 * Satisfy memory semantics for pre-3.0 callers of
1460 * EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input
1461 * pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success.
1462 */
1463 if ((copy == 0) && (ret > 0))
1464 ctx->rsa_pubexp = pubexp;
1465
2972af10
RL		 1466 return ret;
1467}
1468
3786d748 1469int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp)
1470{
1471 return evp_pkey_ctx_set_rsa_keygen_pubexp_intern(ctx, pubexp, 0);
1472}
1473
1474int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp)
1475{
1476 return evp_pkey_ctx_set_rsa_keygen_pubexp_intern(ctx, pubexp, 1);
1477}
1478
2972af10
RL		 1479int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes)
1480{
1481 OSSL_PARAM params[2], *p = params;
1482 size_t primes2 = primes;
1483
1484 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
1485 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1486 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1487 return -2;
1488 }
1489
1490 /* If key type not RSA return error */
1491 if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA)
1492 return -1;
1493
1494 /* TODO(3.0): Remove this eventually when no more legacy */
1495 if (ctx->op.keymgmt.genctx == NULL)
1496 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
1497 EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES, primes,
1498 NULL);
1499
1500 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2);
1501 *p++ = OSSL_PARAM_construct_end();
1502
1503 if (!EVP_PKEY_CTX_set_params(ctx, params))
1504 return 0;
1505
1506 return 1;
1507}
afb638f1 1508#endif
A mirror of the official openssl repository