projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 2186cd8e UM |
1 | =pod |
| 2 | ||
| 3 | =head1 NAME | |
| 4 | ||
| 5 | RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography | |
| 6 | ||
| 7 | =head1 SYNOPSIS | |
| 8 | ||
| 9 | #include <openssl/rsa.h> | |
| 10 | ||
| e9b77246 BB |
11 | int RSA_public_encrypt(int flen, unsigned char *from, |
| 12 | unsigned char *to, RSA *rsa, int padding); | |
| 2186cd8e | 13 | |
| e9b77246 BB |
14 | int RSA_private_decrypt(int flen, unsigned char *from, |
| 15 | unsigned char *to, RSA *rsa, int padding); | |
| 2186cd8e UM |
16 | |
| 17 | =head1 DESCRIPTION | |
| 18 | ||
| 19 | RSA_public_encrypt() encrypts the B<flen> bytes at B<from> (usually a | |
| 20 | session key) using the public key B<rsa> and stores the ciphertext in | |
| 4101054a | 21 | B<to>. B<to> must point to RSA_size(B<rsa>) bytes of memory. |
| 2186cd8e UM |
22 | |
| 23 | B<padding> denotes one of the following modes: | |
| 24 | ||
| 25 | =over 4 | |
| 26 | ||
| 27 | =item RSA_PKCS1_PADDING | |
| 28 | ||
| 29 | PKCS #1 v1.5 padding. This currently is the most widely used mode. | |
| 30 | ||
| 31 | =item RSA_PKCS1_OAEP_PADDING | |
| 32 | ||
| 33 | EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty | |
| 34 | encoding parameter. This mode is recommended for all new applications. | |
| 35 | ||
| 36 | =item RSA_SSLV23_PADDING | |
| 37 | ||
| 38 | PKCS #1 v1.5 padding with an SSL-specific modification that denotes | |
| 39 | that the server is SSL3 capable. | |
| 40 | ||
| 41 | =item RSA_NO_PADDING | |
| 42 | ||
| 43 | Raw RSA encryption. This mode should I<only> be used to implement | |
| 44 | cryptographically sound padding modes in the application code. | |
| 45 | Encrypting user data directly with RSA is insecure. | |
| 46 | ||
| 47 | =back | |
| 48 | ||
| 4101054a | 49 | B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5 |
| f46e76ef RL |
50 | based padding modes, less than RSA_size(B<rsa>) - 41 for |
| 51 | RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING. | |
| 52 | The random number generator must be seeded prior to calling | |
| 53 | RSA_public_encrypt(). | |
| 2186cd8e UM |
54 | |
| 55 | RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the | |
| 56 | private key B<rsa> and stores the plaintext in B<to>. B<to> must point | |
| 57 | to a memory section large enough to hold the decrypted data (which is | |
| 4101054a | 58 | smaller than RSA_size(B<rsa>)). B<padding> is the padding mode that |
| 2186cd8e UM |
59 | was used to encrypt the data. |
| 60 | ||
| 61 | =head1 RETURN VALUES | |
| 62 | ||
| 63 | RSA_public_encrypt() returns the size of the encrypted data (i.e., | |
| 4101054a | 64 | RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the |
| 2186cd8e UM |
65 | recovered plaintext. |
| 66 | ||
| 67 | On error, -1 is returned; the error codes can be | |
| 9b86974e | 68 | obtained by L<ERR_get_error(3)>. |
| 2186cd8e | 69 | |
| 1e3f62a3 EK |
70 | =head1 WARNING |
| 71 | ||
| 72 | Decryption failures in the RSA_PKCS1_PADDING mode leak information | |
| 73 | which can potentially be used to mount a Bleichenbacher padding oracle | |
| 74 | attack. This is an inherent weakness in the PKCS #1 v1.5 padding | |
| 75 | design. Prefer RSA_PKCS1_OAEP_PADDING. | |
| 76 | ||
| 2186cd8e UM |
77 | =head1 CONFORMING TO |
| 78 | ||
| 79 | SSL, PKCS #1 v2.0 | |
| 80 | ||
| 81 | =head1 SEE ALSO | |
| 82 | ||
| b97fdb57 | 83 | L<ERR_get_error(3)>, L<RAND_bytes(3)>, |
| 9b86974e | 84 | L<RSA_size(3)> |
| 2186cd8e | 85 | |
| e2f92610 RS |
86 | =head1 COPYRIGHT |
| 87 | ||
| 88 | Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. | |
| 89 | ||
| 90 | Licensed under the OpenSSL license (the "License"). You may not use | |
| 91 | this file except in compliance with the License. You can obtain a copy | |
| 92 | in the file LICENSE in the source distribution or at | |
| 93 | L<https://www.openssl.org/source/license.html>. | |
| 94 | ||
| 95 | =cut |