[thirdparty/openssl.git] / providers / implementations / kem / rsa_kem.c

/*
 * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"
#include "internal/nelem.h"

#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/rsa.h>
#include <openssl/params.h>
#include <openssl/err.h>
#include "crypto/rsa.h"
#include <openssl/proverr.h>
#include "internal/nelem.h"
#include "prov/provider_ctx.h"
#include "prov/implementations.h"
#include "prov/securitycheck.h"

static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;
static OSSL_FUNC_kem_encapsulate_fn rsakem_generate;
static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init;
static OSSL_FUNC_kem_decapsulate_fn rsakem_recover;
static OSSL_FUNC_kem_freectx_fn rsakem_freectx;
static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx;
static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params;
static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params;
static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params;
static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params;

/*
 * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented
 * currently.
 */
#define KEM_OP_UNDEFINED   -1
#define KEM_OP_RSASVE       0

/*
 * What's passed as an actual key is defined by the KEYMGMT interface.
 * We happen to know that our KEYMGMT simply passes RSA structures, so
 * we use that here too.
 */
typedef struct {
    OSSL_LIB_CTX *libctx;
    RSA *rsa;
    int op;
} PROV_RSA_CTX;

static const OSSL_ITEM rsakem_opname_id_map[] = {
    { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE },
};

static int name2id(const char *name, const OSSL_ITEM *map, size_t sz)
{
    size_t i;

    if (name == NULL)
        return -1;

    for (i = 0; i < sz; ++i) {
        if (OPENSSL_strcasecmp(map[i].ptr, name) == 0)
            return map[i].id;
    }
    return -1;
}

static int rsakem_opname2id(const char *name)
{
    return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map));
}

static void *rsakem_newctx(void *provctx)
{
    PROV_RSA_CTX *prsactx =  OPENSSL_zalloc(sizeof(PROV_RSA_CTX));

    if (prsactx == NULL)
        return NULL;
    prsactx->libctx = PROV_LIBCTX_OF(provctx);
    prsactx->op = KEM_OP_UNDEFINED;

    return prsactx;
}

static void rsakem_freectx(void *vprsactx)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    RSA_free(prsactx->rsa);
    OPENSSL_free(prsactx);
}

static void *rsakem_dupctx(void *vprsactx)
{
    PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
    PROV_RSA_CTX *dstctx;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;
    if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) {
        OPENSSL_free(dstctx);
        return NULL;
    }
    return dstctx;
}

static int rsakem_init(void *vprsactx, void *vrsa,
                       const OSSL_PARAM params[], int operation)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx == NULL || vrsa == NULL)
        return 0;

    if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
        return 0;

    if (!RSA_up_ref(vrsa))
        return 0;
    RSA_free(prsactx->rsa);
    prsactx->rsa = vrsa;

    return rsakem_set_ctx_params(prsactx, params);
}

static int rsakem_encapsulate_init(void *vprsactx, void *vrsa,
                                   const OSSL_PARAM params[])
{
    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE);
}

static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
                                   const OSSL_PARAM params[])
{
    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE);
}

static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
{
    PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;

    return ctx != NULL;
}

static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
    OSSL_PARAM_END
};

static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *vprsactx,
                                                    ossl_unused void *provctx)
{
    return known_gettable_rsakem_ctx_params;
}

static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    const OSSL_PARAM *p;
    int op;

    if (prsactx == NULL)
        return 0;
    if (params == NULL)
        return 1;


    p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);
    if (p != NULL) {
        if (p->data_type != OSSL_PARAM_UTF8_STRING)
            return 0;
        op = rsakem_opname2id(p->data);
        if (op < 0)
            return 0;
        prsactx->op = op;
    }
    return 1;
}

static const OSSL_PARAM known_settable_rsakem_ctx_params[] = {
    OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *vprsactx,
                                                    ossl_unused void *provctx)
{
    return known_settable_rsakem_ctx_params;
}

/*
 * NIST.SP.800-56Br2
 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
 *
 * Generate a random in the range 1 < z < (n – 1)
 */
static int rsasve_gen_rand_bytes(RSA *rsa_pub,
                                 unsigned char *out, int outlen)
{
    int ret = 0;
    BN_CTX *bnctx;
    BIGNUM *z, *nminus3;

    bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub));
    if (bnctx == NULL)
        return 0;

    /*
     * Generate a random in the range 1 < z < (n – 1).
     * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max
     * We can achieve this by adding 2.. but then we need to subtract 3 from
     * the upper bound i.e: 2 + (0 <= r < (n - 3))
     */
    BN_CTX_start(bnctx);
    nminus3 = BN_CTX_get(bnctx);
    z = BN_CTX_get(bnctx);
    ret = (z != NULL
           && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL)
           && BN_sub_word(nminus3, 3)
           && BN_priv_rand_range_ex(z, nminus3, 0, bnctx)
           && BN_add_word(z, 2)
           && (BN_bn2binpad(z, out, outlen) == outlen));
    BN_CTX_end(bnctx);
    BN_CTX_free(bnctx);
    return ret;
}

/*
 * NIST.SP.800-56Br2
 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
 */
static int rsasve_generate(PROV_RSA_CTX *prsactx,
                           unsigned char *out, size_t *outlen,
                           unsigned char *secret, size_t *secretlen)
{
    int ret;
    size_t nlen;

    /* Step (1): nlen = Ceil(len(n)/8) */
    nlen = RSA_size(prsactx->rsa);

    if (out == NULL) {
        if (nlen == 0) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
            return 0;
        }
        if (outlen == NULL && secretlen == NULL)
            return 0;
        if (outlen != NULL)
            *outlen = nlen;
        if (secretlen != NULL)
            *secretlen = nlen;
        return 1;
    }
    /*
     * Step (2): Generate a random byte string z of nlen bytes where
     *            1 < z < n - 1
     */
    if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen))
        return 0;

    /* Step(3): out = RSAEP((n,e), z) */
    ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
    if (ret) {
        ret = 1;
        if (outlen != NULL)
            *outlen = nlen;
        if (secretlen != NULL)
            *secretlen = nlen;
    } else {
        OPENSSL_cleanse(secret, nlen);
    }
    return ret;
}

/*
 * NIST.SP.800-56Br2
 * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
 */
static int rsasve_recover(PROV_RSA_CTX *prsactx,
                          unsigned char *out, size_t *outlen,
                          const unsigned char *in, size_t inlen)
{
    size_t nlen;

    /* Step (1): get the byte length of n */
    nlen = RSA_size(prsactx->rsa);

    if (out == NULL) {
        if (nlen == 0) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
            return 0;
        }
        *outlen = nlen;
        return 1;
    }

    /* Step (2): check the input ciphertext 'inlen' matches the nlen */
    if (inlen != nlen) {
        ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
        return 0;
    }
    /* Step (3): out = RSADP((n,d), in) */
    return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0);
}

static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen,
                           unsigned char *secret, size_t *secretlen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    switch (prsactx->op) {
        case KEM_OP_RSASVE:
            return rsasve_generate(prsactx, out, outlen, secret, secretlen);
        default:
            return -2;
    }
}

static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen,
                          const unsigned char *in, size_t inlen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    switch (prsactx->op) {
        case KEM_OP_RSASVE:
            return rsasve_recover(prsactx, out, outlen, in, inlen);
        default:
            return -2;
    }
}

const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = {
    { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx },
    { OSSL_FUNC_KEM_ENCAPSULATE_INIT,
      (void (*)(void))rsakem_encapsulate_init },
    { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate },
    { OSSL_FUNC_KEM_DECAPSULATE_INIT,
      (void (*)(void))rsakem_decapsulate_init },
    { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover },
    { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx },
    { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx },
    { OSSL_FUNC_KEM_GET_CTX_PARAMS,
      (void (*)(void))rsakem_get_ctx_params },
    { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS,
      (void (*)(void))rsakem_gettable_ctx_params },
    { OSSL_FUNC_KEM_SET_CTX_PARAMS,
      (void (*)(void))rsakem_set_ctx_params },
    { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,
      (void (*)(void))rsakem_settable_ctx_params },
    OSSL_DISPATCH_END
};
Commit	Line	Data
80f4fd18	1	/*
fecb3aae	2	* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
80f4fd18 SL	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/*
	11	* RSA low level APIs are deprecated for public use, but still ok for
	12	* internal use.
	13	*/
	14	#include "internal/deprecated.h"
fba140c7	15	#include "internal/nelem.h"
80f4fd18	16
80f4fd18 SL	17	#include <openssl/crypto.h>
	18	#include <openssl/evp.h>
	19	#include <openssl/core_dispatch.h>
	20	#include <openssl/core_names.h>
	21	#include <openssl/rsa.h>
	22	#include <openssl/params.h>
	23	#include <openssl/err.h>
9d0dd1d5	24	#include "crypto/rsa.h"
2741128e	25	#include <openssl/proverr.h>
f2a6f838	26	#include "internal/nelem.h"
80f4fd18 SL	27	#include "prov/provider_ctx.h"
80f4fd18 SL	28	#include "prov/implementations.h"
21e5be85	29	#include "prov/securitycheck.h"
80f4fd18 SL	30
80f4fd18 SL	31	static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
21e5be85	32	static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;
80f4fd18	33	static OSSL_FUNC_kem_encapsulate_fn rsakem_generate;
21e5be85	34	static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init;
80f4fd18 SL	35	static OSSL_FUNC_kem_decapsulate_fn rsakem_recover;
	36	static OSSL_FUNC_kem_freectx_fn rsakem_freectx;
	37	static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx;
	38	static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params;
	39	static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params;
	40	static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params;
	41	static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params;
	42
	43	/*
	44	* Only the KEM for RSASVE as defined in SP800-56b r2 is implemented
	45	* currently.
	46	*/
	47	#define KEM_OP_UNDEFINED -1
	48	#define KEM_OP_RSASVE 0
	49
	50	/*
	51	* What's passed as an actual key is defined by the KEYMGMT interface.
	52	* We happen to know that our KEYMGMT simply passes RSA structures, so
	53	* we use that here too.
	54	*/
	55	typedef struct {
b4250010	56	OSSL_LIB_CTX *libctx;
80f4fd18 SL	57	RSA *rsa;
	58	int op;
	59	} PROV_RSA_CTX;
	60
	61	static const OSSL_ITEM rsakem_opname_id_map[] = {
	62	{ KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE },
	63	};
	64
	65	static int name2id(const char name, const OSSL_ITEM map, size_t sz)
	66	{
	67	size_t i;
	68
	69	if (name == NULL)
	70	return -1;
	71
	72	for (i = 0; i < sz; ++i) {
fba140c7	73	if (OPENSSL_strcasecmp(map[i].ptr, name) == 0)
80f4fd18 SL	74	return map[i].id;
	75	}
	76	return -1;
	77	}
	78
	79	static int rsakem_opname2id(const char *name)
	80	{
	81	return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map));
	82	}
	83
	84	static void rsakem_newctx(void provctx)
	85	{
	86	PROV_RSA_CTX *prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX));
	87
	88	if (prsactx == NULL)
	89	return NULL;
a829b735	90	prsactx->libctx = PROV_LIBCTX_OF(provctx);
80f4fd18 SL	91	prsactx->op = KEM_OP_UNDEFINED;
	92
	93	return prsactx;
	94	}
	95
	96	static void rsakem_freectx(void *vprsactx)
	97	{
	98	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
	99
	100	RSA_free(prsactx->rsa);
	101	OPENSSL_free(prsactx);
	102	}
	103
	104	static void rsakem_dupctx(void vprsactx)
	105	{
	106	PROV_RSA_CTX srcctx = (PROV_RSA_CTX )vprsactx;
	107	PROV_RSA_CTX *dstctx;
	108
	109	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
	110	if (dstctx == NULL)
	111	return NULL;
	112
	113	dstctx = srcctx;
	114	if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) {
	115	OPENSSL_free(dstctx);
	116	return NULL;
	117	}
	118	return dstctx;
	119	}
	120
5a084c5f P	121	static int rsakem_init(void vprsactx, void vrsa,
5a084c5f P	122	const OSSL_PARAM params[], int operation)
80f4fd18 SL	123	{
	124	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
	125
0cfbc828 TM	126	if (prsactx == NULL \|\| vrsa == NULL)
	127	return 0;
	128
6ce58488	129	if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
0cfbc828 TM	130	return 0;
	131
	132	if (!RSA_up_ref(vrsa))
80f4fd18 SL	133	return 0;
	134	RSA_free(prsactx->rsa);
	135	prsactx->rsa = vrsa;
21e5be85	136
5a084c5f	137	return rsakem_set_ctx_params(prsactx, params);
80f4fd18 SL	138	}
80f4fd18 SL	139
5a084c5f P	140	static int rsakem_encapsulate_init(void vprsactx, void vrsa,
5a084c5f P	141	const OSSL_PARAM params[])
21e5be85	142	{
5a084c5f	143	return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE);
21e5be85 SL	144	}
21e5be85 SL	145
5a084c5f P	146	static int rsakem_decapsulate_init(void vprsactx, void vrsa,
5a084c5f P	147	const OSSL_PARAM params[])
21e5be85	148	{
5a084c5f	149	return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE);
21e5be85 SL	150	}
21e5be85 SL	151
80f4fd18 SL	152	static int rsakem_get_ctx_params(void vprsactx, OSSL_PARAM params)
	153	{
	154	PROV_RSA_CTX ctx = (PROV_RSA_CTX )vprsactx;
	155
5a084c5f	156	return ctx != NULL;
80f4fd18 SL	157	}
	158
	159	static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
	160	OSSL_PARAM_END
	161	};
	162
fb67126e TM	163	static const OSSL_PARAM rsakem_gettable_ctx_params(ossl_unused void vprsactx,
fb67126e TM	164	ossl_unused void *provctx)
80f4fd18 SL	165	{
	166	return known_gettable_rsakem_ctx_params;
	167	}
	168
	169	static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
	170	{
	171	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
	172	const OSSL_PARAM *p;
	173	int op;
	174
5a084c5f	175	if (prsactx == NULL)
80f4fd18	176	return 0;
5a084c5f P	177	if (params == NULL)
	178	return 1;
	179
80f4fd18 SL	180
	181	p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);
	182	if (p != NULL) {
	183	if (p->data_type != OSSL_PARAM_UTF8_STRING)
	184	return 0;
	185	op = rsakem_opname2id(p->data);
	186	if (op < 0)
	187	return 0;
	188	prsactx->op = op;
	189	}
	190	return 1;
	191	}
	192
	193	static const OSSL_PARAM known_settable_rsakem_ctx_params[] = {
	194	OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),
	195	OSSL_PARAM_END
	196	};
	197
fb67126e TM	198	static const OSSL_PARAM rsakem_settable_ctx_params(ossl_unused void vprsactx,
fb67126e TM	199	ossl_unused void *provctx)
80f4fd18 SL	200	{
	201	return known_settable_rsakem_ctx_params;
	202	}
	203
	204	/*
	205	* NIST.SP.800-56Br2
	206	* 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
	207	*
	208	* Generate a random in the range 1 < z < (n – 1)
	209	*/
	210	static int rsasve_gen_rand_bytes(RSA *rsa_pub,
	211	unsigned char *out, int outlen)
	212	{
	213	int ret = 0;
	214	BN_CTX *bnctx;
	215	BIGNUM z, nminus3;
	216
23b2fc0b	217	bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub));
80f4fd18 SL	218	if (bnctx == NULL)
	219	return 0;
	220
	221	/*
	222	* Generate a random in the range 1 < z < (n – 1).
	223	* Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max
	224	* We can achieve this by adding 2.. but then we need to subtract 3 from
	225	* the upper bound i.e: 2 + (0 <= r < (n - 3))
	226	*/
	227	BN_CTX_start(bnctx);
	228	nminus3 = BN_CTX_get(bnctx);
	229	z = BN_CTX_get(bnctx);
	230	ret = (z != NULL
	231	&& (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL)
	232	&& BN_sub_word(nminus3, 3)
965fa9c0	233	&& BN_priv_rand_range_ex(z, nminus3, 0, bnctx)
80f4fd18 SL	234	&& BN_add_word(z, 2)
	235	&& (BN_bn2binpad(z, out, outlen) == outlen));
	236	BN_CTX_end(bnctx);
	237	BN_CTX_free(bnctx);
	238	return ret;
	239	}
	240
	241	/*
	242	* NIST.SP.800-56Br2
	243	* 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
	244	*/
	245	static int rsasve_generate(PROV_RSA_CTX *prsactx,
	246	unsigned char out, size_t outlen,
	247	unsigned char secret, size_t secretlen)
	248	{
	249	int ret;
	250	size_t nlen;
	251
	252	/* Step (1): nlen = Ceil(len(n)/8) */
	253	nlen = RSA_size(prsactx->rsa);
	254
	255	if (out == NULL) {
	256	if (nlen == 0) {
	257	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
	258	return 0;
	259	}
	260	if (outlen == NULL && secretlen == NULL)
	261	return 0;
	262	if (outlen != NULL)
	263	*outlen = nlen;
	264	if (secretlen != NULL)
	265	*secretlen = nlen;
	266	return 1;
	267	}
	268	/*
	269	* Step (2): Generate a random byte string z of nlen bytes where
	270	* 1 < z < n - 1
	271	*/
	272	if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen))
	273	return 0;
	274
	275	/* Step(3): out = RSAEP((n,e), z) */
	276	ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
	277	if (ret) {
	278	ret = 1;
	279	if (outlen != NULL)
	280	*outlen = nlen;
	281	if (secretlen != NULL)
	282	*secretlen = nlen;
	283	} else {
	284	OPENSSL_cleanse(secret, nlen);
	285	}
	286	return ret;
	287	}
	288
	289	/*
	290	* NIST.SP.800-56Br2
	291	* 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
	292	*/
	293	static int rsasve_recover(PROV_RSA_CTX *prsactx,
	294	unsigned char out, size_t outlen,
	295	const unsigned char *in, size_t inlen)
	296	{
	297	size_t nlen;
298
299	/* Step (1): get the byte length of n */
300	nlen = RSA_size(prsactx->rsa);
301
302	if (out == NULL) {
303	if (nlen == 0) {
304	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
305	return 0;
306	}
307	*outlen = nlen;
308	return 1;
309	}
310
311	/* Step (2): check the input ciphertext 'inlen' matches the nlen */
312	if (inlen != nlen) {
313	ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
314	return 0;
315	}
316	/* Step (3): out = RSADP((n,d), in) */
317	return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0);
318	}
319
320	static int rsakem_generate(void vprsactx, unsigned char out, size_t *outlen,
321	unsigned char secret, size_t secretlen)
322	{
323	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
324
325	switch (prsactx->op) {
326	case KEM_OP_RSASVE:
327	return rsasve_generate(prsactx, out, outlen, secret, secretlen);
328	default:
329	return -2;
330	}
331	}
332
333	static int rsakem_recover(void vprsactx, unsigned char out, size_t *outlen,
334	const unsigned char *in, size_t inlen)
335	{
336	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
337
338	switch (prsactx->op) {
339	case KEM_OP_RSASVE:
340	return rsasve_recover(prsactx, out, outlen, in, inlen);
341	default:
342	return -2;
343	}
344	}
345
1be63951	346	const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = {
80f4fd18 SL	347	{ OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx },
80f4fd18 SL	348	{ OSSL_FUNC_KEM_ENCAPSULATE_INIT,
21e5be85	349	(void (*)(void))rsakem_encapsulate_init },
80f4fd18 SL	350	{ OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate },
80f4fd18 SL	351	{ OSSL_FUNC_KEM_DECAPSULATE_INIT,
21e5be85	352	(void (*)(void))rsakem_decapsulate_init },
80f4fd18 SL	353	{ OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover },
	354	{ OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx },
	355	{ OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx },
	356	{ OSSL_FUNC_KEM_GET_CTX_PARAMS,
	357	(void (*)(void))rsakem_get_ctx_params },
	358	{ OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS,
	359	(void (*)(void))rsakem_gettable_ctx_params },
	360	{ OSSL_FUNC_KEM_SET_CTX_PARAMS,
	361	(void (*)(void))rsakem_set_ctx_params },
	362	{ OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,
	363	(void (*)(void))rsakem_settable_ctx_params },
1e6bd31e	364	OSSL_DISPATCH_END
80f4fd18	365	};