[thirdparty/openssl.git] / providers / implementations / kem / rsa_kem.c

/*
 * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"
#include "internal/nelem.h"

#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/rsa.h>
#include <openssl/params.h>
#include <openssl/err.h>
#include "crypto/rsa.h"
#include <openssl/proverr.h>
#include "prov/provider_ctx.h"
#include "prov/implementations.h"
#include "prov/securitycheck.h"

static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;
static OSSL_FUNC_kem_encapsulate_fn rsakem_generate;
static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init;
static OSSL_FUNC_kem_decapsulate_fn rsakem_recover;
static OSSL_FUNC_kem_freectx_fn rsakem_freectx;
static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx;
static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params;
static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params;
static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params;
static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params;

/*
 * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented
 * currently.
 */
#define KEM_OP_UNDEFINED   -1
#define KEM_OP_RSASVE       0

/*
 * What's passed as an actual key is defined by the KEYMGMT interface.
 * We happen to know that our KEYMGMT simply passes RSA structures, so
 * we use that here too.
 */
typedef struct {
    OSSL_LIB_CTX *libctx;
    RSA *rsa;
    int op;
} PROV_RSA_CTX;

static const OSSL_ITEM rsakem_opname_id_map[] = {
    { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE },
};

static int name2id(const char *name, const OSSL_ITEM *map, size_t sz)
{
    size_t i;

    if (name == NULL)
        return -1;

    for (i = 0; i < sz; ++i) {
        if (OPENSSL_strcasecmp(map[i].ptr, name) == 0)
            return map[i].id;
    }
    return -1;
}

static int rsakem_opname2id(const char *name)
{
    return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map));
}

static void *rsakem_newctx(void *provctx)
{
    PROV_RSA_CTX *prsactx =  OPENSSL_zalloc(sizeof(PROV_RSA_CTX));

    if (prsactx == NULL)
        return NULL;
    prsactx->libctx = PROV_LIBCTX_OF(provctx);
    prsactx->op = KEM_OP_UNDEFINED;

    return prsactx;
}

static void rsakem_freectx(void *vprsactx)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    RSA_free(prsactx->rsa);
    OPENSSL_free(prsactx);
}

static void *rsakem_dupctx(void *vprsactx)
{
    PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
    PROV_RSA_CTX *dstctx;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;
    if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) {
        OPENSSL_free(dstctx);
        return NULL;
    }
    return dstctx;
}

static int rsakem_init(void *vprsactx, void *vrsa,
                       const OSSL_PARAM params[], int operation)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    if (prsactx == NULL || vrsa == NULL)
        return 0;

    if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
        return 0;

    if (!RSA_up_ref(vrsa))
        return 0;
    RSA_free(prsactx->rsa);
    prsactx->rsa = vrsa;

    return rsakem_set_ctx_params(prsactx, params);
}

static int rsakem_encapsulate_init(void *vprsactx, void *vrsa,
                                   const OSSL_PARAM params[])
{
    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE);
}

static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
                                   const OSSL_PARAM params[])
{
    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE);
}

static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
{
    PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;

    return ctx != NULL;
}

static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
    OSSL_PARAM_END
};

static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *vprsactx,
                                                    ossl_unused void *provctx)
{
    return known_gettable_rsakem_ctx_params;
}

static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    const OSSL_PARAM *p;
    int op;

    if (prsactx == NULL)
        return 0;
    if (params == NULL)
        return 1;


    p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);
    if (p != NULL) {
        if (p->data_type != OSSL_PARAM_UTF8_STRING)
            return 0;
        op = rsakem_opname2id(p->data);
        if (op < 0)
            return 0;
        prsactx->op = op;
    }
    return 1;
}

static const OSSL_PARAM known_settable_rsakem_ctx_params[] = {
    OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *vprsactx,
                                                    ossl_unused void *provctx)
{
    return known_settable_rsakem_ctx_params;
}

/*
 * NIST.SP.800-56Br2
 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
 *
 * Generate a random in the range 1 < z < (n – 1)
 */
static int rsasve_gen_rand_bytes(RSA *rsa_pub,
                                 unsigned char *out, int outlen)
{
    int ret = 0;
    BN_CTX *bnctx;
    BIGNUM *z, *nminus3;

    bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub));
    if (bnctx == NULL)
        return 0;

    /*
     * Generate a random in the range 1 < z < (n – 1).
     * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max
     * We can achieve this by adding 2.. but then we need to subtract 3 from
     * the upper bound i.e: 2 + (0 <= r < (n - 3))
     */
    BN_CTX_start(bnctx);
    nminus3 = BN_CTX_get(bnctx);
    z = BN_CTX_get(bnctx);
    ret = (z != NULL
           && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL)
           && BN_sub_word(nminus3, 3)
           && BN_priv_rand_range_ex(z, nminus3, 0, bnctx)
           && BN_add_word(z, 2)
           && (BN_bn2binpad(z, out, outlen) == outlen));
    BN_CTX_end(bnctx);
    BN_CTX_free(bnctx);
    return ret;
}

/*
 * NIST.SP.800-56Br2
 * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
 */
static int rsasve_generate(PROV_RSA_CTX *prsactx,
                           unsigned char *out, size_t *outlen,
                           unsigned char *secret, size_t *secretlen)
{
    int ret;
    size_t nlen;

    /* Step (1): nlen = Ceil(len(n)/8) */
    nlen = RSA_size(prsactx->rsa);

    if (out == NULL) {
        if (nlen == 0) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
            return 0;
        }
        if (outlen == NULL && secretlen == NULL)
            return 0;
        if (outlen != NULL)
            *outlen = nlen;
        if (secretlen != NULL)
            *secretlen = nlen;
        return 1;
    }
    /*
     * Step (2): Generate a random byte string z of nlen bytes where
     *            1 < z < n - 1
     */
    if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen))
        return 0;

    /* Step(3): out = RSAEP((n,e), z) */
    ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
    if (ret) {
        ret = 1;
        if (outlen != NULL)
            *outlen = nlen;
        if (secretlen != NULL)
            *secretlen = nlen;
    } else {
        OPENSSL_cleanse(secret, nlen);
    }
    return ret;
}

/*
 * NIST.SP.800-56Br2
 * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
 */
static int rsasve_recover(PROV_RSA_CTX *prsactx,
                          unsigned char *out, size_t *outlen,
                          const unsigned char *in, size_t inlen)
{
    size_t nlen;

    /* Step (1): get the byte length of n */
    nlen = RSA_size(prsactx->rsa);

    if (out == NULL) {
        if (nlen == 0) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
            return 0;
        }
        *outlen = nlen;
        return 1;
    }

    /* Step (2): check the input ciphertext 'inlen' matches the nlen */
    if (inlen != nlen) {
        ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
        return 0;
    }
    /* Step (3): out = RSADP((n,d), in) */
    return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0);
}

static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen,
                           unsigned char *secret, size_t *secretlen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    switch (prsactx->op) {
        case KEM_OP_RSASVE:
            return rsasve_generate(prsactx, out, outlen, secret, secretlen);
        default:
            return -2;
    }
}

static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen,
                          const unsigned char *in, size_t inlen)
{
    PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;

    switch (prsactx->op) {
        case KEM_OP_RSASVE:
            return rsasve_recover(prsactx, out, outlen, in, inlen);
        default:
            return -2;
    }
}

const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = {
    { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx },
    { OSSL_FUNC_KEM_ENCAPSULATE_INIT,
      (void (*)(void))rsakem_encapsulate_init },
    { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate },
    { OSSL_FUNC_KEM_DECAPSULATE_INIT,
      (void (*)(void))rsakem_decapsulate_init },
    { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover },
    { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx },
    { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx },
    { OSSL_FUNC_KEM_GET_CTX_PARAMS,
      (void (*)(void))rsakem_get_ctx_params },
    { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS,
      (void (*)(void))rsakem_gettable_ctx_params },
    { OSSL_FUNC_KEM_SET_CTX_PARAMS,
      (void (*)(void))rsakem_set_ctx_params },
    { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,
      (void (*)(void))rsakem_settable_ctx_params },
    { 0, NULL }
};
Commit	Line	Data
80f4fd18	1	/*
fecb3aae	2	* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
80f4fd18 SL	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/*
	11	* RSA low level APIs are deprecated for public use, but still ok for
	12	* internal use.
	13	*/
	14	#include "internal/deprecated.h"
fba140c7	15	#include "internal/nelem.h"
80f4fd18	16
80f4fd18 SL	17	#include <openssl/crypto.h>
	18	#include <openssl/evp.h>
	19	#include <openssl/core_dispatch.h>
	20	#include <openssl/core_names.h>
	21	#include <openssl/rsa.h>
	22	#include <openssl/params.h>
	23	#include <openssl/err.h>
9d0dd1d5	24	#include "crypto/rsa.h"
2741128e	25	#include <openssl/proverr.h>
80f4fd18 SL	26	#include "prov/provider_ctx.h"
80f4fd18 SL	27	#include "prov/implementations.h"
21e5be85	28	#include "prov/securitycheck.h"
80f4fd18 SL	29
80f4fd18 SL	30	static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
21e5be85	31	static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;
80f4fd18	32	static OSSL_FUNC_kem_encapsulate_fn rsakem_generate;
21e5be85	33	static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init;
80f4fd18 SL	34	static OSSL_FUNC_kem_decapsulate_fn rsakem_recover;
	35	static OSSL_FUNC_kem_freectx_fn rsakem_freectx;
	36	static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx;
	37	static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params;
	38	static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params;
	39	static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params;
	40	static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params;
	41
	42	/*
	43	* Only the KEM for RSASVE as defined in SP800-56b r2 is implemented
	44	* currently.
	45	*/
	46	#define KEM_OP_UNDEFINED -1
	47	#define KEM_OP_RSASVE 0
	48
	49	/*
	50	* What's passed as an actual key is defined by the KEYMGMT interface.
	51	* We happen to know that our KEYMGMT simply passes RSA structures, so
	52	* we use that here too.
	53	*/
	54	typedef struct {
b4250010	55	OSSL_LIB_CTX *libctx;
80f4fd18 SL	56	RSA *rsa;
	57	int op;
	58	} PROV_RSA_CTX;
	59
	60	static const OSSL_ITEM rsakem_opname_id_map[] = {
	61	{ KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE },
	62	};
	63
	64	static int name2id(const char name, const OSSL_ITEM map, size_t sz)
	65	{
	66	size_t i;
	67
	68	if (name == NULL)
	69	return -1;
	70
	71	for (i = 0; i < sz; ++i) {
fba140c7	72	if (OPENSSL_strcasecmp(map[i].ptr, name) == 0)
80f4fd18 SL	73	return map[i].id;
	74	}
	75	return -1;
	76	}
	77
	78	static int rsakem_opname2id(const char *name)
	79	{
	80	return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map));
	81	}
	82
	83	static void rsakem_newctx(void provctx)
	84	{
	85	PROV_RSA_CTX *prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX));
	86
	87	if (prsactx == NULL)
	88	return NULL;
a829b735	89	prsactx->libctx = PROV_LIBCTX_OF(provctx);
80f4fd18 SL	90	prsactx->op = KEM_OP_UNDEFINED;
	91
	92	return prsactx;
	93	}
	94
	95	static void rsakem_freectx(void *vprsactx)
	96	{
	97	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
	98
	99	RSA_free(prsactx->rsa);
	100	OPENSSL_free(prsactx);
	101	}
	102
	103	static void rsakem_dupctx(void vprsactx)
	104	{
	105	PROV_RSA_CTX srcctx = (PROV_RSA_CTX )vprsactx;
	106	PROV_RSA_CTX *dstctx;
	107
	108	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
	109	if (dstctx == NULL)
	110	return NULL;
	111
	112	dstctx = srcctx;
	113	if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) {
	114	OPENSSL_free(dstctx);
	115	return NULL;
	116	}
	117	return dstctx;
	118	}
	119
5a084c5f P	120	static int rsakem_init(void vprsactx, void vrsa,
5a084c5f P	121	const OSSL_PARAM params[], int operation)
80f4fd18 SL	122	{
	123	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
	124
0cfbc828 TM	125	if (prsactx == NULL \|\| vrsa == NULL)
	126	return 0;
	127
6ce58488	128	if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
0cfbc828 TM	129	return 0;
	130
	131	if (!RSA_up_ref(vrsa))
80f4fd18 SL	132	return 0;
	133	RSA_free(prsactx->rsa);
	134	prsactx->rsa = vrsa;
21e5be85	135
5a084c5f	136	return rsakem_set_ctx_params(prsactx, params);
80f4fd18 SL	137	}
80f4fd18 SL	138
5a084c5f P	139	static int rsakem_encapsulate_init(void vprsactx, void vrsa,
5a084c5f P	140	const OSSL_PARAM params[])
21e5be85	141	{
5a084c5f	142	return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE);
21e5be85 SL	143	}
21e5be85 SL	144
5a084c5f P	145	static int rsakem_decapsulate_init(void vprsactx, void vrsa,
5a084c5f P	146	const OSSL_PARAM params[])
21e5be85	147	{
5a084c5f	148	return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE);
21e5be85 SL	149	}
21e5be85 SL	150
80f4fd18 SL	151	static int rsakem_get_ctx_params(void vprsactx, OSSL_PARAM params)
	152	{
	153	PROV_RSA_CTX ctx = (PROV_RSA_CTX )vprsactx;
	154
5a084c5f	155	return ctx != NULL;
80f4fd18 SL	156	}
	157
	158	static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
	159	OSSL_PARAM_END
	160	};
	161
fb67126e TM	162	static const OSSL_PARAM rsakem_gettable_ctx_params(ossl_unused void vprsactx,
fb67126e TM	163	ossl_unused void *provctx)
80f4fd18 SL	164	{
	165	return known_gettable_rsakem_ctx_params;
	166	}
	167
	168	static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
	169	{
	170	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
	171	const OSSL_PARAM *p;
	172	int op;
	173
5a084c5f	174	if (prsactx == NULL)
80f4fd18	175	return 0;
5a084c5f P	176	if (params == NULL)
	177	return 1;
	178
80f4fd18 SL	179
	180	p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);
	181	if (p != NULL) {
	182	if (p->data_type != OSSL_PARAM_UTF8_STRING)
	183	return 0;
	184	op = rsakem_opname2id(p->data);
	185	if (op < 0)
	186	return 0;
	187	prsactx->op = op;
	188	}
	189	return 1;
	190	}
	191
	192	static const OSSL_PARAM known_settable_rsakem_ctx_params[] = {
	193	OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),
	194	OSSL_PARAM_END
	195	};
	196
fb67126e TM	197	static const OSSL_PARAM rsakem_settable_ctx_params(ossl_unused void vprsactx,
fb67126e TM	198	ossl_unused void *provctx)
80f4fd18 SL	199	{
	200	return known_settable_rsakem_ctx_params;
	201	}
	202
	203	/*
	204	* NIST.SP.800-56Br2
	205	* 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
	206	*
	207	* Generate a random in the range 1 < z < (n – 1)
	208	*/
	209	static int rsasve_gen_rand_bytes(RSA *rsa_pub,
	210	unsigned char *out, int outlen)
	211	{
	212	int ret = 0;
	213	BN_CTX *bnctx;
	214	BIGNUM z, nminus3;
	215
23b2fc0b	216	bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub));
80f4fd18 SL	217	if (bnctx == NULL)
	218	return 0;
	219
	220	/*
	221	* Generate a random in the range 1 < z < (n – 1).
	222	* Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max
	223	* We can achieve this by adding 2.. but then we need to subtract 3 from
	224	* the upper bound i.e: 2 + (0 <= r < (n - 3))
	225	*/
	226	BN_CTX_start(bnctx);
	227	nminus3 = BN_CTX_get(bnctx);
	228	z = BN_CTX_get(bnctx);
	229	ret = (z != NULL
	230	&& (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL)
	231	&& BN_sub_word(nminus3, 3)
965fa9c0	232	&& BN_priv_rand_range_ex(z, nminus3, 0, bnctx)
80f4fd18 SL	233	&& BN_add_word(z, 2)
	234	&& (BN_bn2binpad(z, out, outlen) == outlen));
	235	BN_CTX_end(bnctx);
	236	BN_CTX_free(bnctx);
	237	return ret;
	238	}
	239
	240	/*
	241	* NIST.SP.800-56Br2
	242	* 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
	243	*/
	244	static int rsasve_generate(PROV_RSA_CTX *prsactx,
	245	unsigned char out, size_t outlen,
	246	unsigned char secret, size_t secretlen)
	247	{
	248	int ret;
	249	size_t nlen;
	250
	251	/* Step (1): nlen = Ceil(len(n)/8) */
	252	nlen = RSA_size(prsactx->rsa);
	253
	254	if (out == NULL) {
	255	if (nlen == 0) {
	256	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
	257	return 0;
	258	}
	259	if (outlen == NULL && secretlen == NULL)
	260	return 0;
	261	if (outlen != NULL)
	262	*outlen = nlen;
	263	if (secretlen != NULL)
	264	*secretlen = nlen;
	265	return 1;
	266	}
	267	/*
	268	* Step (2): Generate a random byte string z of nlen bytes where
	269	* 1 < z < n - 1
	270	*/
	271	if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen))
	272	return 0;
	273
	274	/* Step(3): out = RSAEP((n,e), z) */
	275	ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
	276	if (ret) {
	277	ret = 1;
	278	if (outlen != NULL)
	279	*outlen = nlen;
	280	if (secretlen != NULL)
	281	*secretlen = nlen;
	282	} else {
	283	OPENSSL_cleanse(secret, nlen);
	284	}
	285	return ret;
	286	}
	287
	288	/*
	289	* NIST.SP.800-56Br2
	290	* 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
	291	*/
	292	static int rsasve_recover(PROV_RSA_CTX *prsactx,
	293	unsigned char out, size_t outlen,
	294	const unsigned char *in, size_t inlen)
	295	{
	296	size_t nlen;
297
298	/* Step (1): get the byte length of n */
299	nlen = RSA_size(prsactx->rsa);
300
301	if (out == NULL) {
302	if (nlen == 0) {
303	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
304	return 0;
305	}
306	*outlen = nlen;
307	return 1;
308	}
309
310	/* Step (2): check the input ciphertext 'inlen' matches the nlen */
311	if (inlen != nlen) {
312	ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
313	return 0;
314	}
315	/* Step (3): out = RSADP((n,d), in) */
316	return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0);
317	}
318
319	static int rsakem_generate(void vprsactx, unsigned char out, size_t *outlen,
320	unsigned char secret, size_t secretlen)
321	{
322	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
323
324	switch (prsactx->op) {
325	case KEM_OP_RSASVE:
326	return rsasve_generate(prsactx, out, outlen, secret, secretlen);
327	default:
328	return -2;
329	}
330	}
331
332	static int rsakem_recover(void vprsactx, unsigned char out, size_t *outlen,
333	const unsigned char *in, size_t inlen)
334	{
335	PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;
336
337	switch (prsactx->op) {
338	case KEM_OP_RSASVE:
339	return rsasve_recover(prsactx, out, outlen, in, inlen);
340	default:
341	return -2;
342	}
343	}
344
1be63951	345	const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = {
80f4fd18 SL	346	{ OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx },
80f4fd18 SL	347	{ OSSL_FUNC_KEM_ENCAPSULATE_INIT,
21e5be85	348	(void (*)(void))rsakem_encapsulate_init },
80f4fd18 SL	349	{ OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate },
80f4fd18 SL	350	{ OSSL_FUNC_KEM_DECAPSULATE_INIT,
21e5be85	351	(void (*)(void))rsakem_decapsulate_init },
80f4fd18 SL	352	{ OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover },
	353	{ OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx },
	354	{ OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx },
	355	{ OSSL_FUNC_KEM_GET_CTX_PARAMS,
	356	(void (*)(void))rsakem_get_ctx_params },
	357	{ OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS,
	358	(void (*)(void))rsakem_gettable_ctx_params },
	359	{ OSSL_FUNC_KEM_SET_CTX_PARAMS,
	360	(void (*)(void))rsakem_set_ctx_params },
	361	{ OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,
	362	(void (*)(void))rsakem_settable_ctx_params },
	363	{ 0, NULL }
	364	};