1 /* 2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <openssl/crypto.h> 17 #include <openssl/core_names.h> 18 #ifndef FIPS_MODULE 19 #include <openssl/engine.h> 20 #endif 21 #include <openssl/evp.h> 22 #include <openssl/param_build.h> 23 #include "internal/cryptlib.h" 24 #include "internal/refcount.h" 25 #include "crypto/bn.h" 26 #include "crypto/evp.h" 27 #include "crypto/rsa.h" 28 #include "crypto/security_bits.h" 29 #include "rsa_local.h" 30 31 static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx); 32 33 #ifndef FIPS_MODULE 34 RSA *RSA_new(void) 35 { 36 return rsa_new_intern(NULL, NULL); 37 } 38 39 const RSA_METHOD *RSA_get_method(const RSA *rsa) 40 { 41 return rsa->meth; 42 } 43 44 int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) 45 { 46 /* 47 * NB: The caller is specifically setting a method, so it's not up to us 48 * to deal with which ENGINE it comes from. 49 */ 50 const RSA_METHOD *mtmp; 51 mtmp = rsa->meth; 52 if (mtmp->finish) 53 mtmp->finish(rsa); 54 #ifndef OPENSSL_NO_ENGINE 55 ENGINE_finish(rsa->engine); 56 rsa->engine = NULL; 57 #endif 58 rsa->meth = meth; 59 if (meth->init) 60 meth->init(rsa); 61 return 1; 62 } 63 64 RSA *RSA_new_method(ENGINE *engine) 65 { 66 return rsa_new_intern(engine, NULL); 67 } 68 #endif 69 70 RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx) 71 { 72 return rsa_new_intern(NULL, libctx); 73 } 74 75 static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx) 76 { 77 RSA *ret = OPENSSL_zalloc(sizeof(*ret)); 78 79 if (ret == NULL) 80 return NULL; 81 82 ret->lock = CRYPTO_THREAD_lock_new(); 83 if (ret->lock == NULL) { 84 ERR_raise(ERR_LIB_RSA, ERR_R_CRYPTO_LIB); 85 OPENSSL_free(ret); 86 return NULL; 87 } 88 89 if (!CRYPTO_NEW_REF(&ret->references, 1)) { 90 CRYPTO_THREAD_lock_free(ret->lock); 91 OPENSSL_free(ret); 92 return NULL; 93 } 94 95 ret->libctx = libctx; 96 ret->meth = RSA_get_default_method(); 97 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 98 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 99 if (engine) { 100 if (!ENGINE_init(engine)) { 101 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 102 goto err; 103 } 104 ret->engine = engine; 105 } else { 106 ret->engine = ENGINE_get_default_RSA(); 107 } 108 if (ret->engine) { 109 ret->meth = ENGINE_get_RSA(ret->engine); 110 if (ret->meth == NULL) { 111 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 112 goto err; 113 } 114 } 115 #endif 116 117 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 118 #ifndef FIPS_MODULE 119 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { 120 goto err; 121 } 122 #endif 123 124 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { 125 ERR_raise(ERR_LIB_RSA, ERR_R_INIT_FAIL); 126 goto err; 127 } 128 129 return ret; 130 131 err: 132 RSA_free(ret); 133 return NULL; 134 } 135 136 void RSA_free(RSA *r) 137 { 138 int i; 139 140 if (r == NULL) 141 return; 142 143 CRYPTO_DOWN_REF(&r->references, &i); 144 REF_PRINT_COUNT("RSA", i, r); 145 if (i > 0) 146 return; 147 REF_ASSERT_ISNT(i < 0); 148 149 if (r->meth != NULL && r->meth->finish != NULL) 150 r->meth->finish(r); 151 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 152 ENGINE_finish(r->engine); 153 #endif 154 155 #ifndef FIPS_MODULE 156 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); 157 #endif 158 159 CRYPTO_THREAD_lock_free(r->lock); 160 CRYPTO_FREE_REF(&r->references); 161 162 #ifdef OPENSSL_PEDANTIC_ZEROIZATION 163 BN_clear_free(r->n); 164 BN_clear_free(r->e); 165 #else 166 BN_free(r->n); 167 BN_free(r->e); 168 #endif 169 BN_clear_free(r->d); 170 BN_clear_free(r->p); 171 BN_clear_free(r->q); 172 BN_clear_free(r->dmp1); 173 BN_clear_free(r->dmq1); 174 BN_clear_free(r->iqmp); 175 176 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) 177 ossl_rsa_acvp_test_free(r->acvp_test); 178 #endif 179 180 #ifndef FIPS_MODULE 181 RSA_PSS_PARAMS_free(r->pss); 182 sk_RSA_PRIME_INFO_pop_free(r->prime_infos, ossl_rsa_multip_info_free); 183 #endif 184 BN_BLINDING_free(r->blinding); 185 BN_BLINDING_free(r->mt_blinding); 186 OPENSSL_free(r); 187 } 188 189 int RSA_up_ref(RSA *r) 190 { 191 int i; 192 193 if (CRYPTO_UP_REF(&r->references, &i) <= 0) 194 return 0; 195 196 REF_PRINT_COUNT("RSA", i, r); 197 REF_ASSERT_ISNT(i < 2); 198 return i > 1 ? 1 : 0; 199 } 200 201 OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r) 202 { 203 return r->libctx; 204 } 205 206 void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx) 207 { 208 r->libctx = libctx; 209 } 210 211 #ifndef FIPS_MODULE 212 int RSA_set_ex_data(RSA *r, int idx, void *arg) 213 { 214 return CRYPTO_set_ex_data(&r->ex_data, idx, arg); 215 } 216 217 void *RSA_get_ex_data(const RSA *r, int idx) 218 { 219 return CRYPTO_get_ex_data(&r->ex_data, idx); 220 } 221 #endif 222 223 /* 224 * Define a scaling constant for our fixed point arithmetic. 225 * This value must be a power of two because the base two logarithm code 226 * makes this assumption. The exponent must also be a multiple of three so 227 * that the scale factor has an exact cube root. Finally, the scale factor 228 * should not be so large that a multiplication of two scaled numbers 229 * overflows a 64 bit unsigned integer. 230 */ 231 static const unsigned int scale = 1 << 18; 232 static const unsigned int cbrt_scale = 1 << (2 * 18 / 3); 233 234 /* Define some constants, none exceed 32 bits */ 235 static const unsigned int log_2 = 0x02c5c8; /* scale * log(2) */ 236 static const unsigned int log_e = 0x05c551; /* scale * log2(M_E) */ 237 static const unsigned int c1_923 = 0x07b126; /* scale * 1.923 */ 238 static const unsigned int c4_690 = 0x12c28f; /* scale * 4.690 */ 239 240 /* 241 * Multiply two scaled integers together and rescale the result. 242 */ 243 static ossl_inline uint64_t mul2(uint64_t a, uint64_t b) 244 { 245 return a * b / scale; 246 } 247 248 /* 249 * Calculate the cube root of a 64 bit scaled integer. 250 * Although the cube root of a 64 bit number does fit into a 32 bit unsigned 251 * integer, this is not guaranteed after scaling, so this function has a 252 * 64 bit return. This uses the shifting nth root algorithm with some 253 * algebraic simplifications. 254 */ 255 static uint64_t icbrt64(uint64_t x) 256 { 257 uint64_t r = 0; 258 uint64_t b; 259 int s; 260 261 for (s = 63; s >= 0; s -= 3) { 262 r <<= 1; 263 b = 3 * r * (r + 1) + 1; 264 if ((x >> s) >= b) { 265 x -= b << s; 266 r++; 267 } 268 } 269 return r * cbrt_scale; 270 } 271 272 /* 273 * Calculate the natural logarithm of a 64 bit scaled integer. 274 * This is done by calculating a base two logarithm and scaling. 275 * The maximum logarithm (base 2) is 64 and this reduces base e, so 276 * a 32 bit result should not overflow. The argument passed must be 277 * greater than unity so we don't need to handle negative results. 278 */ 279 static uint32_t ilog_e(uint64_t v) 280 { 281 uint32_t i, r = 0; 282 283 /* 284 * Scale down the value into the range 1 .. 2. 285 * 286 * If fractional numbers need to be processed, another loop needs 287 * to go here that checks v < scale and if so multiplies it by 2 and 288 * reduces r by scale. This also means making r signed. 289 */ 290 while (v >= 2 * scale) { 291 v >>= 1; 292 r += scale; 293 } 294 for (i = scale / 2; i != 0; i /= 2) { 295 v = mul2(v, v); 296 if (v >= 2 * scale) { 297 v >>= 1; 298 r += i; 299 } 300 } 301 r = (r * (uint64_t)scale) / log_e; 302 return r; 303 } 304 305 /* 306 * NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC 307 * Modulus Lengths. 308 * 309 * Note that this formula is also referred to in SP800-56A rev3 Appendix D: 310 * for FFC safe prime groups for modp and ffdhe. 311 * After Table 25 and Table 26 it refers to 312 * "The maximum security strength estimates were calculated using the formula in 313 * Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight 314 * bits". 315 * 316 * The formula is: 317 * 318 * E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)} 319 * \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)} 320 * The two cube roots are merged together here. 321 */ 322 uint16_t ossl_ifc_ffc_compute_security_bits(int n) 323 { 324 uint64_t x; 325 uint32_t lx; 326 uint16_t y, cap; 327 328 /* 329 * Look for common values as listed in standards. 330 * These values are not exactly equal to the results from the formulae in 331 * the standards but are defined to be canonical. 332 */ 333 switch (n) { 334 case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 335 return 112; 336 case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 337 return 128; 338 case 4096: /* SP 800-56B rev 2 Appendix D */ 339 return 152; 340 case 6144: /* SP 800-56B rev 2 Appendix D */ 341 return 176; 342 case 7680: /* FIPS 140-2 IG 7.5 */ 343 return 192; 344 case 8192: /* SP 800-56B rev 2 Appendix D */ 345 return 200; 346 case 15360: /* FIPS 140-2 IG 7.5 */ 347 return 256; 348 } 349 350 /* 351 * The first incorrect result (i.e. not accurate or off by one low) occurs 352 * for n = 699668. The true value here is 1200. Instead of using this n 353 * as the check threshold, the smallest n such that the correct result is 354 * 1200 is used instead. 355 */ 356 if (n >= 687737) 357 return 1200; 358 if (n < 8) 359 return 0; 360 361 /* 362 * To ensure that the output is non-decreasing with respect to n, 363 * a cap needs to be applied to the two values where the function over 364 * estimates the strength (according to the above fast path). 365 */ 366 if (n <= 7680) 367 cap = 192; 368 else if (n <= 15360) 369 cap = 256; 370 else 371 cap = 1200; 372 373 x = n * (uint64_t)log_2; 374 lx = ilog_e(x); 375 y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690) 376 / log_2); 377 y = (y + 4) & ~7; 378 if (y > cap) 379 y = cap; 380 return y; 381 } 382 383 int RSA_security_bits(const RSA *rsa) 384 { 385 int bits = BN_num_bits(rsa->n); 386 387 #ifndef FIPS_MODULE 388 if (rsa->version == RSA_ASN1_VERSION_MULTI) { 389 /* This ought to mean that we have private key at hand. */ 390 int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos); 391 392 if (ex_primes <= 0 || (ex_primes + 2) > ossl_rsa_multip_cap(bits)) 393 return 0; 394 } 395 #endif 396 return ossl_ifc_ffc_compute_security_bits(bits); 397 } 398 399 int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) 400 { 401 /* If the fields n and e in r are NULL, the corresponding input 402 * parameters MUST be non-NULL for n and e. d may be 403 * left NULL (in case only the public key is used). 404 */ 405 if ((r->n == NULL && n == NULL) 406 || (r->e == NULL && e == NULL)) 407 return 0; 408 409 if (n != NULL) { 410 BN_free(r->n); 411 r->n = n; 412 } 413 if (e != NULL) { 414 BN_free(r->e); 415 r->e = e; 416 } 417 if (d != NULL) { 418 BN_clear_free(r->d); 419 r->d = d; 420 BN_set_flags(r->d, BN_FLG_CONSTTIME); 421 } 422 r->dirty_cnt++; 423 424 return 1; 425 } 426 427 int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) 428 { 429 /* If the fields p and q in r are NULL, the corresponding input 430 * parameters MUST be non-NULL. 431 */ 432 if ((r->p == NULL && p == NULL) 433 || (r->q == NULL && q == NULL)) 434 return 0; 435 436 if (p != NULL) { 437 BN_clear_free(r->p); 438 r->p = p; 439 BN_set_flags(r->p, BN_FLG_CONSTTIME); 440 } 441 if (q != NULL) { 442 BN_clear_free(r->q); 443 r->q = q; 444 BN_set_flags(r->q, BN_FLG_CONSTTIME); 445 } 446 r->dirty_cnt++; 447 448 return 1; 449 } 450 451 int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) 452 { 453 /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input 454 * parameters MUST be non-NULL. 455 */ 456 if ((r->dmp1 == NULL && dmp1 == NULL) 457 || (r->dmq1 == NULL && dmq1 == NULL) 458 || (r->iqmp == NULL && iqmp == NULL)) 459 return 0; 460 461 if (dmp1 != NULL) { 462 BN_clear_free(r->dmp1); 463 r->dmp1 = dmp1; 464 BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); 465 } 466 if (dmq1 != NULL) { 467 BN_clear_free(r->dmq1); 468 r->dmq1 = dmq1; 469 BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); 470 } 471 if (iqmp != NULL) { 472 BN_clear_free(r->iqmp); 473 r->iqmp = iqmp; 474 BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); 475 } 476 r->dirty_cnt++; 477 478 return 1; 479 } 480 481 #ifndef FIPS_MODULE 482 /* 483 * Is it better to export RSA_PRIME_INFO structure 484 * and related functions to let user pass a triplet? 485 */ 486 int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[], 487 BIGNUM *coeffs[], int pnum) 488 { 489 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL; 490 RSA_PRIME_INFO *pinfo; 491 int i; 492 493 if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0) 494 return 0; 495 496 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 497 if (prime_infos == NULL) 498 return 0; 499 500 if (r->prime_infos != NULL) 501 old = r->prime_infos; 502 503 for (i = 0; i < pnum; i++) { 504 pinfo = ossl_rsa_multip_info_new(); 505 if (pinfo == NULL) 506 goto err; 507 if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) { 508 BN_clear_free(pinfo->r); 509 BN_clear_free(pinfo->d); 510 BN_clear_free(pinfo->t); 511 pinfo->r = primes[i]; 512 pinfo->d = exps[i]; 513 pinfo->t = coeffs[i]; 514 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 515 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 516 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 517 } else { 518 ossl_rsa_multip_info_free(pinfo); 519 goto err; 520 } 521 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 522 } 523 524 r->prime_infos = prime_infos; 525 526 if (!ossl_rsa_multip_calc_product(r)) { 527 r->prime_infos = old; 528 goto err; 529 } 530 531 if (old != NULL) { 532 /* 533 * This is hard to deal with, since the old infos could 534 * also be set by this function and r, d, t should not 535 * be freed in that case. So currently, stay consistent 536 * with other *set0* functions: just free it... 537 */ 538 sk_RSA_PRIME_INFO_pop_free(old, ossl_rsa_multip_info_free); 539 } 540 541 r->version = RSA_ASN1_VERSION_MULTI; 542 r->dirty_cnt++; 543 544 return 1; 545 err: 546 /* r, d, t should not be freed */ 547 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 548 return 0; 549 } 550 #endif 551 552 void RSA_get0_key(const RSA *r, 553 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) 554 { 555 if (n != NULL) 556 *n = r->n; 557 if (e != NULL) 558 *e = r->e; 559 if (d != NULL) 560 *d = r->d; 561 } 562 563 void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) 564 { 565 if (p != NULL) 566 *p = r->p; 567 if (q != NULL) 568 *q = r->q; 569 } 570 571 #ifndef FIPS_MODULE 572 int RSA_get_multi_prime_extra_count(const RSA *r) 573 { 574 int pnum; 575 576 pnum = sk_RSA_PRIME_INFO_num(r->prime_infos); 577 if (pnum <= 0) 578 pnum = 0; 579 return pnum; 580 } 581 582 int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[]) 583 { 584 int pnum, i; 585 RSA_PRIME_INFO *pinfo; 586 587 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 588 return 0; 589 590 /* 591 * return other primes 592 * it's caller's responsibility to allocate oth_primes[pnum] 593 */ 594 for (i = 0; i < pnum; i++) { 595 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 596 primes[i] = pinfo->r; 597 } 598 599 return 1; 600 } 601 #endif 602 603 void RSA_get0_crt_params(const RSA *r, 604 const BIGNUM **dmp1, const BIGNUM **dmq1, 605 const BIGNUM **iqmp) 606 { 607 if (dmp1 != NULL) 608 *dmp1 = r->dmp1; 609 if (dmq1 != NULL) 610 *dmq1 = r->dmq1; 611 if (iqmp != NULL) 612 *iqmp = r->iqmp; 613 } 614 615 #ifndef FIPS_MODULE 616 int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[], 617 const BIGNUM *coeffs[]) 618 { 619 int pnum; 620 621 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 622 return 0; 623 624 /* return other primes */ 625 if (exps != NULL || coeffs != NULL) { 626 RSA_PRIME_INFO *pinfo; 627 int i; 628 629 /* it's the user's job to guarantee the buffer length */ 630 for (i = 0; i < pnum; i++) { 631 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 632 if (exps != NULL) 633 exps[i] = pinfo->d; 634 if (coeffs != NULL) 635 coeffs[i] = pinfo->t; 636 } 637 } 638 639 return 1; 640 } 641 #endif 642 643 const BIGNUM *RSA_get0_n(const RSA *r) 644 { 645 return r->n; 646 } 647 648 const BIGNUM *RSA_get0_e(const RSA *r) 649 { 650 return r->e; 651 } 652 653 const BIGNUM *RSA_get0_d(const RSA *r) 654 { 655 return r->d; 656 } 657 658 const BIGNUM *RSA_get0_p(const RSA *r) 659 { 660 return r->p; 661 } 662 663 const BIGNUM *RSA_get0_q(const RSA *r) 664 { 665 return r->q; 666 } 667 668 const BIGNUM *RSA_get0_dmp1(const RSA *r) 669 { 670 return r->dmp1; 671 } 672 673 const BIGNUM *RSA_get0_dmq1(const RSA *r) 674 { 675 return r->dmq1; 676 } 677 678 const BIGNUM *RSA_get0_iqmp(const RSA *r) 679 { 680 return r->iqmp; 681 } 682 683 const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r) 684 { 685 #ifdef FIPS_MODULE 686 return NULL; 687 #else 688 return r->pss; 689 #endif 690 } 691 692 /* Internal */ 693 int ossl_rsa_set0_pss_params(RSA *r, RSA_PSS_PARAMS *pss) 694 { 695 #ifdef FIPS_MODULE 696 return 0; 697 #else 698 RSA_PSS_PARAMS_free(r->pss); 699 r->pss = pss; 700 return 1; 701 #endif 702 } 703 704 /* Internal */ 705 RSA_PSS_PARAMS_30 *ossl_rsa_get0_pss_params_30(RSA *r) 706 { 707 return &r->pss_params; 708 } 709 710 void RSA_clear_flags(RSA *r, int flags) 711 { 712 r->flags &= ~flags; 713 } 714 715 int RSA_test_flags(const RSA *r, int flags) 716 { 717 return r->flags & flags; 718 } 719 720 void RSA_set_flags(RSA *r, int flags) 721 { 722 r->flags |= flags; 723 } 724 725 int RSA_get_version(RSA *r) 726 { 727 /* { two-prime(0), multi(1) } */ 728 return r->version; 729 } 730 731 #ifndef FIPS_MODULE 732 ENGINE *RSA_get0_engine(const RSA *r) 733 { 734 return r->engine; 735 } 736 737 int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) 738 { 739 /* If key type not RSA or RSA-PSS return error */ 740 if (ctx != NULL && ctx->pmeth != NULL 741 && ctx->pmeth->pkey_id != EVP_PKEY_RSA 742 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) 743 return -1; 744 return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2); 745 } 746 #endif 747 748 DEFINE_STACK_OF(BIGNUM) 749 750 /* 751 * Note: This function deletes values from the parameter 752 * stack values as they are consumed and set in the RSA key. 753 */ 754 int ossl_rsa_set0_all_params(RSA *r, STACK_OF(BIGNUM) *primes, 755 STACK_OF(BIGNUM) *exps, 756 STACK_OF(BIGNUM) *coeffs) 757 { 758 #ifndef FIPS_MODULE 759 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL; 760 #endif 761 int pnum; 762 763 if (primes == NULL || exps == NULL || coeffs == NULL) 764 return 0; 765 766 pnum = sk_BIGNUM_num(primes); 767 768 /* we need at least 2 primes */ 769 if (pnum < 2) 770 return 0; 771 772 if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0), 773 sk_BIGNUM_value(primes, 1))) 774 return 0; 775 776 /* 777 * if we managed to set everything above, remove those elements from the 778 * stack 779 * Note, we do this after the above all to ensure that we have taken 780 * ownership of all the elements in the RSA key to avoid memory leaks 781 * we also use delete 0 here as we are grabbing items from the end of the 782 * stack rather than the start, otherwise we could use pop 783 */ 784 sk_BIGNUM_delete(primes, 0); 785 sk_BIGNUM_delete(primes, 0); 786 787 if (pnum == sk_BIGNUM_num(exps) 788 && pnum == sk_BIGNUM_num(coeffs) + 1) { 789 790 if (!RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0), 791 sk_BIGNUM_value(exps, 1), 792 sk_BIGNUM_value(coeffs, 0))) 793 return 0; 794 795 /* as above, once we consume the above params, delete them from the list */ 796 sk_BIGNUM_delete(exps, 0); 797 sk_BIGNUM_delete(exps, 0); 798 sk_BIGNUM_delete(coeffs, 0); 799 } 800 801 #ifndef FIPS_MODULE 802 old_infos = r->prime_infos; 803 #endif 804 805 if (pnum > 2) { 806 #ifndef FIPS_MODULE 807 int i; 808 809 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 810 if (prime_infos == NULL) 811 return 0; 812 813 for (i = 2; i < pnum; i++) { 814 BIGNUM *prime = sk_BIGNUM_pop(primes); 815 BIGNUM *exp = sk_BIGNUM_pop(exps); 816 BIGNUM *coeff = sk_BIGNUM_pop(coeffs); 817 RSA_PRIME_INFO *pinfo = NULL; 818 819 if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL)) 820 goto err; 821 822 /* Using ossl_rsa_multip_info_new() is wasteful, so allocate directly */ 823 if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) 824 goto err; 825 826 pinfo->r = prime; 827 pinfo->d = exp; 828 pinfo->t = coeff; 829 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 830 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 831 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 832 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 833 } 834 835 r->prime_infos = prime_infos; 836 837 if (!ossl_rsa_multip_calc_product(r)) { 838 r->prime_infos = old_infos; 839 goto err; 840 } 841 #else 842 return 0; 843 #endif 844 } 845 846 #ifndef FIPS_MODULE 847 if (old_infos != NULL) { 848 /* 849 * This is hard to deal with, since the old infos could 850 * also be set by this function and r, d, t should not 851 * be freed in that case. So currently, stay consistent 852 * with other *set0* functions: just free it... 853 */ 854 sk_RSA_PRIME_INFO_pop_free(old_infos, ossl_rsa_multip_info_free); 855 } 856 #endif 857 858 r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT; 859 r->dirty_cnt++; 860 861 return 1; 862 #ifndef FIPS_MODULE 863 err: 864 /* r, d, t should not be freed */ 865 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 866 return 0; 867 #endif 868 } 869 870 DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM) 871 872 int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes, 873 STACK_OF(BIGNUM_const) *exps, 874 STACK_OF(BIGNUM_const) *coeffs) 875 { 876 #ifndef FIPS_MODULE 877 RSA_PRIME_INFO *pinfo; 878 int i, pnum; 879 #endif 880 881 if (r == NULL) 882 return 0; 883 884 /* If |p| is NULL, there are no CRT parameters */ 885 if (RSA_get0_p(r) == NULL) 886 return 1; 887 888 sk_BIGNUM_const_push(primes, RSA_get0_p(r)); 889 sk_BIGNUM_const_push(primes, RSA_get0_q(r)); 890 sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r)); 891 sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r)); 892 sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r)); 893 894 #ifndef FIPS_MODULE 895 pnum = RSA_get_multi_prime_extra_count(r); 896 for (i = 0; i < pnum; i++) { 897 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 898 sk_BIGNUM_const_push(primes, pinfo->r); 899 sk_BIGNUM_const_push(exps, pinfo->d); 900 sk_BIGNUM_const_push(coeffs, pinfo->t); 901 } 902 #endif 903 904 return 1; 905 } 906 907 #define safe_BN_num_bits(_k_) (((_k_) == NULL) ? 0 : BN_num_bits((_k_))) 908 int ossl_rsa_check_factors(RSA *r) 909 { 910 int valid = 0; 911 int n, i, bits; 912 STACK_OF(BIGNUM_const) *factors = sk_BIGNUM_const_new_null(); 913 STACK_OF(BIGNUM_const) *exps = sk_BIGNUM_const_new_null(); 914 STACK_OF(BIGNUM_const) *coeffs = sk_BIGNUM_const_new_null(); 915 916 if (factors == NULL || exps == NULL || coeffs == NULL) 917 goto done; 918 919 /* 920 * Simple sanity check for RSA key. All RSA key parameters 921 * must be less-than/equal-to RSA parameter n. 922 */ 923 ossl_rsa_get0_all_params(r, factors, exps, coeffs); 924 n = safe_BN_num_bits(RSA_get0_n(r)); 925 926 if (safe_BN_num_bits(RSA_get0_d(r)) > n) 927 goto done; 928 929 for (i = 0; i < sk_BIGNUM_const_num(exps); i++) { 930 bits = safe_BN_num_bits(sk_BIGNUM_const_value(exps, i)); 931 if (bits > n) 932 goto done; 933 } 934 935 for (i = 0; i < sk_BIGNUM_const_num(factors); i++) { 936 bits = safe_BN_num_bits(sk_BIGNUM_const_value(factors, i)); 937 if (bits > n) 938 goto done; 939 } 940 941 for (i = 0; i < sk_BIGNUM_const_num(coeffs); i++) { 942 bits = safe_BN_num_bits(sk_BIGNUM_const_value(coeffs, i)); 943 if (bits > n) 944 goto done; 945 } 946 947 valid = 1; 948 949 done: 950 sk_BIGNUM_const_free(factors); 951 sk_BIGNUM_const_free(exps); 952 sk_BIGNUM_const_free(coeffs); 953 954 return valid; 955 } 956 957 #ifndef FIPS_MODULE 958 /* Helpers to set or get diverse hash algorithm names */ 959 static int int_set_rsa_md_name(EVP_PKEY_CTX *ctx, 960 /* For checks */ 961 int keytype, int optype, 962 /* For EVP_PKEY_CTX_set_params() */ 963 const char *mdkey, const char *mdname, 964 const char *propkey, const char *mdprops) 965 { 966 OSSL_PARAM params[3], *p = params; 967 968 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 969 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 970 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 971 return -2; 972 } 973 974 /* If key type not RSA return error */ 975 switch (keytype) { 976 case -1: 977 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 978 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 979 return -1; 980 break; 981 default: 982 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 983 return -1; 984 break; 985 } 986 987 /* Cast away the const. This is read only so should be safe */ 988 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, 0); 989 if (evp_pkey_ctx_is_provided(ctx) && mdprops != NULL) { 990 /* Cast away the const. This is read only so should be safe */ 991 *p++ = OSSL_PARAM_construct_utf8_string(propkey, (char *)mdprops, 0); 992 } 993 *p++ = OSSL_PARAM_construct_end(); 994 995 return evp_pkey_ctx_set_params_strict(ctx, params); 996 } 997 998 /* Helpers to set or get diverse hash algorithm names */ 999 static int int_get_rsa_md_name(EVP_PKEY_CTX *ctx, 1000 /* For checks */ 1001 int keytype, int optype, 1002 /* For EVP_PKEY_CTX_get_params() */ 1003 const char *mdkey, 1004 char *mdname, size_t mdnamesize) 1005 { 1006 OSSL_PARAM params[2], *p = params; 1007 1008 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 1009 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1010 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1011 return -2; 1012 } 1013 1014 /* If key type not RSA return error */ 1015 switch (keytype) { 1016 case -1: 1017 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1018 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1019 return -1; 1020 break; 1021 default: 1022 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 1023 return -1; 1024 break; 1025 } 1026 1027 /* Cast away the const. This is read only so should be safe */ 1028 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, mdnamesize); 1029 *p++ = OSSL_PARAM_construct_end(); 1030 1031 return evp_pkey_ctx_get_params_strict(ctx, params); 1032 } 1033 1034 /* 1035 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1036 * simply because that's easier. 1037 */ 1038 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode) 1039 { 1040 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, 1041 pad_mode, NULL); 1042 } 1043 1044 /* 1045 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1046 * simply because that's easier. 1047 */ 1048 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode) 1049 { 1050 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 1051 0, pad_mode); 1052 } 1053 1054 /* 1055 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1056 * simply because that's easier. 1057 */ 1058 int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1059 { 1060 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1061 EVP_PKEY_CTRL_MD, 0, (void *)(md)); 1062 } 1063 1064 int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx, 1065 const char *mdname, 1066 const char *mdprops) 1067 { 1068 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1069 OSSL_PKEY_PARAM_RSA_DIGEST, mdname, 1070 OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, mdprops); 1071 } 1072 1073 /* 1074 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1075 * simply because that's easier. 1076 */ 1077 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1078 { 1079 /* If key type not RSA return error */ 1080 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1081 return -1; 1082 1083 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1084 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)); 1085 } 1086 1087 int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1088 const char *mdprops) 1089 { 1090 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1091 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, mdname, 1092 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, mdprops); 1093 } 1094 1095 int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, 1096 size_t namesize) 1097 { 1098 return int_get_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1099 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, 1100 name, namesize); 1101 } 1102 1103 /* 1104 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1105 * simply because that's easier. 1106 */ 1107 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1108 { 1109 /* If key type not RSA return error */ 1110 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1111 return -1; 1112 1113 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1114 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md); 1115 } 1116 1117 /* 1118 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1119 * simply because that's easier. 1120 */ 1121 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1122 { 1123 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1124 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1125 } 1126 1127 int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1128 const char *mdprops) 1129 { 1130 return int_set_rsa_md_name(ctx, -1, 1131 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1132 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1133 OSSL_PKEY_PARAM_MGF1_PROPERTIES, mdprops); 1134 } 1135 1136 int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, 1137 size_t namesize) 1138 { 1139 return int_get_rsa_md_name(ctx, -1, 1140 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1141 OSSL_PKEY_PARAM_MGF1_DIGEST, name, namesize); 1142 } 1143 1144 /* 1145 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1146 * simply because that's easier. 1147 */ 1148 int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1149 { 1150 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1151 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1152 } 1153 1154 int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx, 1155 const char *mdname) 1156 { 1157 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1158 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1159 NULL, NULL); 1160 } 1161 1162 /* 1163 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1164 * simply because that's easier. 1165 */ 1166 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1167 { 1168 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1169 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(md)); 1170 } 1171 1172 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) 1173 { 1174 OSSL_PARAM rsa_params[2], *p = rsa_params; 1175 const char *empty = ""; 1176 /* 1177 * Needed as we swap label with empty if it is NULL, and label is 1178 * freed at the end of this function. 1179 */ 1180 void *plabel = label; 1181 int ret; 1182 1183 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1184 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1185 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1186 return -2; 1187 } 1188 1189 /* If key type not RSA return error */ 1190 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1191 return -1; 1192 1193 /* Accept NULL for backward compatibility */ 1194 if (label == NULL && llen == 0) 1195 plabel = (void *)empty; 1196 1197 /* Cast away the const. This is read only so should be safe */ 1198 *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1199 (void *)plabel, (size_t)llen); 1200 *p++ = OSSL_PARAM_construct_end(); 1201 1202 ret = evp_pkey_ctx_set_params_strict(ctx, rsa_params); 1203 if (ret <= 0) 1204 return ret; 1205 1206 /* Ownership is supposed to be transferred to the callee. */ 1207 OPENSSL_free(label); 1208 return 1; 1209 } 1210 1211 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label) 1212 { 1213 OSSL_PARAM rsa_params[2], *p = rsa_params; 1214 size_t labellen; 1215 1216 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1217 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1218 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1219 return -2; 1220 } 1221 1222 /* If key type not RSA return error */ 1223 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1224 return -1; 1225 1226 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1227 (void **)label, 0); 1228 *p++ = OSSL_PARAM_construct_end(); 1229 1230 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params)) 1231 return -1; 1232 1233 labellen = rsa_params[0].return_size; 1234 if (labellen > INT_MAX) 1235 return -1; 1236 1237 return (int)labellen; 1238 } 1239 1240 /* 1241 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1242 * simply because that's easier. 1243 */ 1244 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1245 { 1246 /* 1247 * For some reason, the optype was set to this: 1248 * 1249 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1250 * 1251 * However, we do use RSA-PSS with the whole gamut of diverse signature 1252 * and verification operations, so the optype gets upgraded to this: 1253 * 1254 * EVP_PKEY_OP_TYPE_SIG 1255 */ 1256 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1257 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltlen, NULL); 1258 } 1259 1260 /* 1261 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1262 * simply because that's easier. 1263 */ 1264 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen) 1265 { 1266 /* 1267 * Because of circumstances, the optype is updated from: 1268 * 1269 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1270 * 1271 * to: 1272 * 1273 * EVP_PKEY_OP_TYPE_SIG 1274 */ 1275 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1276 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, saltlen); 1277 } 1278 1279 int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1280 { 1281 OSSL_PARAM pad_params[2], *p = pad_params; 1282 1283 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1284 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1285 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1286 return -2; 1287 } 1288 1289 if (!EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1290 return -1; 1291 1292 *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, 1293 &saltlen); 1294 *p++ = OSSL_PARAM_construct_end(); 1295 1296 return evp_pkey_ctx_set_params_strict(ctx, pad_params); 1297 } 1298 1299 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) 1300 { 1301 OSSL_PARAM params[2], *p = params; 1302 size_t bits2 = bits; 1303 1304 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1305 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1306 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1307 return -2; 1308 } 1309 1310 /* If key type not RSA return error */ 1311 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1312 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1313 return -1; 1314 1315 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2); 1316 *p++ = OSSL_PARAM_construct_end(); 1317 1318 return evp_pkey_ctx_set_params_strict(ctx, params); 1319 } 1320 1321 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1322 { 1323 int ret = RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, 1324 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1325 1326 /* 1327 * Satisfy memory semantics for pre-3.0 callers of 1328 * EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input 1329 * pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success. 1330 */ 1331 if (ret > 0 && evp_pkey_ctx_is_provided(ctx)) { 1332 BN_free(ctx->rsa_pubexp); 1333 ctx->rsa_pubexp = pubexp; 1334 } 1335 1336 return ret; 1337 } 1338 1339 int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1340 { 1341 int ret = 0; 1342 1343 /* 1344 * When we're dealing with a provider, there's no need to duplicate 1345 * pubexp, as it gets copied when transforming to an OSSL_PARAM anyway. 1346 */ 1347 if (evp_pkey_ctx_is_legacy(ctx)) { 1348 pubexp = BN_dup(pubexp); 1349 if (pubexp == NULL) 1350 return 0; 1351 } 1352 ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, 1353 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1354 if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0) 1355 BN_free(pubexp); 1356 return ret; 1357 } 1358 1359 int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes) 1360 { 1361 OSSL_PARAM params[2], *p = params; 1362 size_t primes2 = primes; 1363 1364 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1365 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1366 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1367 return -2; 1368 } 1369 1370 /* If key type not RSA return error */ 1371 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1372 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1373 return -1; 1374 1375 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2); 1376 *p++ = OSSL_PARAM_construct_end(); 1377 1378 return evp_pkey_ctx_set_params_strict(ctx, params); 1379 } 1380 #endif 1381