1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5e71b7053SJung-uk KimEVP_PKEY_CTX_ctrl, 6e71b7053SJung-uk KimEVP_PKEY_CTX_ctrl_str, 7c9cf7b5cSJung-uk KimEVP_PKEY_CTX_ctrl_uint64, 8c9cf7b5cSJung-uk KimEVP_PKEY_CTX_md, 9e71b7053SJung-uk KimEVP_PKEY_CTX_set_signature_md, 10e71b7053SJung-uk KimEVP_PKEY_CTX_get_signature_md, 11e71b7053SJung-uk KimEVP_PKEY_CTX_set_mac_key, 12*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_group_name, 13*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_group_name, 14e71b7053SJung-uk KimEVP_PKEY_CTX_set_rsa_padding, 15c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_rsa_padding, 16e71b7053SJung-uk KimEVP_PKEY_CTX_set_rsa_pss_saltlen, 17c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_rsa_pss_saltlen, 18e71b7053SJung-uk KimEVP_PKEY_CTX_set_rsa_keygen_bits, 19e71b7053SJung-uk KimEVP_PKEY_CTX_set_rsa_keygen_pubexp, 20*b077aed3SPierre ProncheryEVP_PKEY_CTX_set1_rsa_keygen_pubexp, 21c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_rsa_keygen_primes, 22*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_mgf1_md_name, 23c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_rsa_mgf1_md, 24c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_rsa_mgf1_md, 25*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_mgf1_md_name, 26*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_oaep_md_name, 27c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_rsa_oaep_md, 28c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_rsa_oaep_md, 29*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_oaep_md_name, 30c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set0_rsa_oaep_label, 31c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get0_rsa_oaep_label, 32e71b7053SJung-uk KimEVP_PKEY_CTX_set_dsa_paramgen_bits, 3317f01e99SJung-uk KimEVP_PKEY_CTX_set_dsa_paramgen_q_bits, 3417f01e99SJung-uk KimEVP_PKEY_CTX_set_dsa_paramgen_md, 35*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_md_props, 36*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_gindex, 37*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_type, 38*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_seed, 39e71b7053SJung-uk KimEVP_PKEY_CTX_set_dh_paramgen_prime_len, 40c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_dh_paramgen_subprime_len, 41e71b7053SJung-uk KimEVP_PKEY_CTX_set_dh_paramgen_generator, 42c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_dh_paramgen_type, 43*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_paramgen_gindex, 44*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_paramgen_seed, 45c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_dh_rfc5114, 46c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_dhx_rfc5114, 47e71b7053SJung-uk KimEVP_PKEY_CTX_set_dh_pad, 48e71b7053SJung-uk KimEVP_PKEY_CTX_set_dh_nid, 49c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_dh_kdf_type, 50c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_dh_kdf_type, 51c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set0_dh_kdf_oid, 52c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get0_dh_kdf_oid, 53c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_dh_kdf_md, 54c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_dh_kdf_md, 55c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_dh_kdf_outlen, 56c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_dh_kdf_outlen, 57c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set0_dh_kdf_ukm, 58c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get0_dh_kdf_ukm, 59e71b7053SJung-uk KimEVP_PKEY_CTX_set_ec_paramgen_curve_nid, 60e71b7053SJung-uk KimEVP_PKEY_CTX_set_ec_param_enc, 61c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_ecdh_cofactor_mode, 62c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_ecdh_cofactor_mode, 63c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_ecdh_kdf_type, 64c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_ecdh_kdf_type, 65c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_ecdh_kdf_md, 66c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_ecdh_kdf_md, 67c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set_ecdh_kdf_outlen, 68c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get_ecdh_kdf_outlen, 69c9cf7b5cSJung-uk KimEVP_PKEY_CTX_set0_ecdh_kdf_ukm, 70c9cf7b5cSJung-uk KimEVP_PKEY_CTX_get0_ecdh_kdf_ukm, 71*b077aed3SPierre ProncheryEVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len, 72*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_kem_op 73e71b7053SJung-uk Kim- algorithm specific control operations 74e71b7053SJung-uk Kim 75e71b7053SJung-uk Kim=head1 SYNOPSIS 76e71b7053SJung-uk Kim 77e71b7053SJung-uk Kim #include <openssl/evp.h> 78e71b7053SJung-uk Kim 79e71b7053SJung-uk Kim int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, 80e71b7053SJung-uk Kim int cmd, int p1, void *p2); 81c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_ctrl_uint64(EVP_PKEY_CTX *ctx, int keytype, int optype, 82c9cf7b5cSJung-uk Kim int cmd, uint64_t value); 83e71b7053SJung-uk Kim int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, 84e71b7053SJung-uk Kim const char *value); 85e71b7053SJung-uk Kim 86c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md); 87c9cf7b5cSJung-uk Kim 88e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); 89e71b7053SJung-uk Kim int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **pmd); 90e71b7053SJung-uk Kim 91*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_mac_key(EVP_PKEY_CTX *ctx, const unsigned char *key, 92*b077aed3SPierre Pronchery int len); 93*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name); 94*b077aed3SPierre Pronchery int EVP_PKEY_CTX_get_group_name(EVP_PKEY_CTX *ctx, char *name, size_t namelen); 95*b077aed3SPierre Pronchery 96*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_kem_op(EVP_PKEY_CTX *ctx, const char *op); 97e71b7053SJung-uk Kim 98e71b7053SJung-uk Kim #include <openssl/rsa.h> 99e71b7053SJung-uk Kim 100e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad); 101c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad); 102*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen); 103*b077aed3SPierre Pronchery int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen); 104e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits); 105*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp); 106c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes); 107*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 108*b077aed3SPierre Pronchery const char *mdprops); 109c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); 110c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md); 111*b077aed3SPierre Pronchery int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, 112*b077aed3SPierre Pronchery size_t namelen); 113*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 114*b077aed3SPierre Pronchery const char *mdprops); 115c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); 116c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md); 117*b077aed3SPierre Pronchery int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, 118*b077aed3SPierre Pronchery size_t namelen); 119*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, 120*b077aed3SPierre Pronchery int len); 121c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); 122e71b7053SJung-uk Kim 123e71b7053SJung-uk Kim #include <openssl/dsa.h> 124c9cf7b5cSJung-uk Kim 125e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits); 12617f01e99SJung-uk Kim int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits); 12717f01e99SJung-uk Kim int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); 128*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_dsa_paramgen_md_props(EVP_PKEY_CTX *ctx, 129*b077aed3SPierre Pronchery const char *md_name, 130*b077aed3SPierre Pronchery const char *md_properties); 131*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_dsa_paramgen_type(EVP_PKEY_CTX *ctx, const char *name); 132*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_dsa_paramgen_gindex(EVP_PKEY_CTX *ctx, int gindex); 133*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_dsa_paramgen_seed(EVP_PKEY_CTX *ctx, 134*b077aed3SPierre Pronchery const unsigned char *seed, 135*b077aed3SPierre Pronchery size_t seedlen); 136e71b7053SJung-uk Kim 137e71b7053SJung-uk Kim #include <openssl/dh.h> 138c9cf7b5cSJung-uk Kim 139e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int len); 140c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_dh_paramgen_subprime_len(EVP_PKEY_CTX *ctx, int len); 141e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen); 142c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_dh_paramgen_type(EVP_PKEY_CTX *ctx, int type); 143e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad); 144e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid); 145c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114); 146c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114); 147*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_dh_paramgen_gindex(EVP_PKEY_CTX *ctx, int gindex); 148*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_dh_paramgen_seed(EVP_PKEY_CTX *ctx, 149*b077aed3SPierre Pronchery const unsigned char *seed, 150*b077aed3SPierre Pronchery size_t seedlen); 151c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_dh_kdf_type(EVP_PKEY_CTX *ctx, int kdf); 152c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_dh_kdf_type(EVP_PKEY_CTX *ctx); 153c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT *oid); 154c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT **oid); 155c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); 156c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md); 157c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int len); 158c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len); 159c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len); 160e71b7053SJung-uk Kim 161e71b7053SJung-uk Kim #include <openssl/ec.h> 162c9cf7b5cSJung-uk Kim 163e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid); 164e71b7053SJung-uk Kim int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc); 165c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode); 166c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx); 167c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_ecdh_kdf_type(EVP_PKEY_CTX *ctx, int kdf); 168c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_ecdh_kdf_type(EVP_PKEY_CTX *ctx); 169c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); 170c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md); 171c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int len); 172c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_get_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len); 173c9cf7b5cSJung-uk Kim int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len); 174e71b7053SJung-uk Kim 175e71b7053SJung-uk Kim int EVP_PKEY_CTX_set1_id(EVP_PKEY_CTX *ctx, void *id, size_t id_len); 176e71b7053SJung-uk Kim int EVP_PKEY_CTX_get1_id(EVP_PKEY_CTX *ctx, void *id); 177e71b7053SJung-uk Kim int EVP_PKEY_CTX_get1_id_len(EVP_PKEY_CTX *ctx, size_t *id_len); 178e71b7053SJung-uk Kim 179*b077aed3SPierre ProncheryThe following functions have been deprecated since OpenSSL 3.0, and can be 180*b077aed3SPierre Proncheryhidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value, 181*b077aed3SPierre Proncherysee L<openssl_user_macros(7)>: 182*b077aed3SPierre Pronchery 183*b077aed3SPierre Pronchery #include <openssl/rsa.h> 184*b077aed3SPierre Pronchery 185*b077aed3SPierre Pronchery int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp); 186*b077aed3SPierre Pronchery 187*b077aed3SPierre Pronchery #include <openssl/dh.h> 188*b077aed3SPierre Pronchery 189*b077aed3SPierre Pronchery int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); 190*b077aed3SPierre Pronchery 191*b077aed3SPierre Pronchery #include <openssl/ec.h> 192*b077aed3SPierre Pronchery 193*b077aed3SPierre Pronchery int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); 194*b077aed3SPierre Pronchery 195e71b7053SJung-uk Kim=head1 DESCRIPTION 196e71b7053SJung-uk Kim 197*b077aed3SPierre ProncheryEVP_PKEY_CTX_ctrl() sends a control operation to the context I<ctx>. The key 198*b077aed3SPierre Proncherytype used must match I<keytype> if it is not -1. The parameter I<optype> is a 199*b077aed3SPierre Proncherymask indicating which operations the control can be applied to. 200*b077aed3SPierre ProncheryThe control command is indicated in I<cmd> and any additional arguments in 201*b077aed3SPierre ProncheryI<p1> and I<p2>. 202e71b7053SJung-uk Kim 203*b077aed3SPierre ProncheryFor I<cmd> = B<EVP_PKEY_CTRL_SET_MAC_KEY>, I<p1> is the length of the MAC key, 204*b077aed3SPierre Proncheryand I<p2> is the MAC key. This is used by Poly1305, SipHash, HMAC and CMAC. 205e71b7053SJung-uk Kim 206e71b7053SJung-uk KimApplications will not normally call EVP_PKEY_CTX_ctrl() directly but will 207*b077aed3SPierre Proncheryinstead call one of the algorithm specific functions below. 208e71b7053SJung-uk Kim 209*b077aed3SPierre ProncheryEVP_PKEY_CTX_ctrl_uint64() is a wrapper that directly passes a 210*b077aed3SPierre Proncheryuint64 value as I<p2> to EVP_PKEY_CTX_ctrl(). 211c9cf7b5cSJung-uk Kim 212*b077aed3SPierre ProncheryEVP_PKEY_CTX_ctrl_str() allows an application to send an algorithm 213*b077aed3SPierre Proncheryspecific control operation to a context I<ctx> in string form. This is 214e71b7053SJung-uk Kimintended to be used for options specified on the command line or in text 215e71b7053SJung-uk Kimfiles. The commands supported are documented in the openssl utility 216*b077aed3SPierre Proncherycommand line pages for the option I<-pkeyopt> which is supported by the 217*b077aed3SPierre ProncheryI<pkeyutl>, I<genpkey> and I<req> commands. 218e71b7053SJung-uk Kim 219*b077aed3SPierre ProncheryEVP_PKEY_CTX_md() sends a message digest control operation to the context 220*b077aed3SPierre ProncheryI<ctx>. The message digest is specified by its name I<md>. 221c9cf7b5cSJung-uk Kim 222*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_signature_md() sets the message digest type used 223e71b7053SJung-uk Kimin a signature. It can be used in the RSA, DSA and ECDSA algorithms. 224e71b7053SJung-uk Kim 225*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_signature_md()gets the message digest type used 226*b077aed3SPierre Proncheryin a signature. It can be used in the RSA, DSA and ECDSA algorithms. 227e71b7053SJung-uk Kim 228e71b7053SJung-uk KimKey generation typically involves setting up parameters to be used and 229e71b7053SJung-uk Kimgenerating the private and public key data. Some algorithm implementations 230*b077aed3SPierre Proncheryallow private key data to be set explicitly using EVP_PKEY_CTX_set_mac_key(). 231*b077aed3SPierre ProncheryIn this case key generation is simply the process of setting up the 232*b077aed3SPierre Proncheryparameters for the key and then setting the raw key data to the value explicitly. 233*b077aed3SPierre ProncheryNormally applications would call L<EVP_PKEY_new_raw_private_key(3)> or similar 234*b077aed3SPierre Proncheryfunctions instead. 235e71b7053SJung-uk Kim 236*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_mac_key() can be used with any of the algorithms supported by 237*b077aed3SPierre Proncherythe L<EVP_PKEY_new_raw_private_key(3)> function. 238*b077aed3SPierre Pronchery 239*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_group_name() sets the group name to I<name> for parameter and 240*b077aed3SPierre Proncherykey generation. For example for EC keys this will set the curve name and for 241*b077aed3SPierre ProncheryDH keys it will set the name of the finite field group. 242*b077aed3SPierre Pronchery 243*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_group_name() finds the group name that's currently 244*b077aed3SPierre Proncheryset with I<ctx>, and writes it to the location that I<name> points at, as long 245*b077aed3SPierre Proncheryas its size I<namelen> is large enough to store that name, including a 246*b077aed3SPierre Proncheryterminating NUL byte. 247e71b7053SJung-uk Kim 248c9cf7b5cSJung-uk Kim=head2 RSA parameters 249c9cf7b5cSJung-uk Kim 250*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_padding() sets the RSA padding mode for I<ctx>. 251*b077aed3SPierre ProncheryThe I<pad> parameter can take the value B<RSA_PKCS1_PADDING> for PKCS#1 252*b077aed3SPierre Proncherypadding, B<RSA_NO_PADDING> for 253c9cf7b5cSJung-uk Kimno padding, B<RSA_PKCS1_OAEP_PADDING> for OAEP padding (encrypt and 254c9cf7b5cSJung-uk Kimdecrypt only), B<RSA_X931_PADDING> for X9.31 padding (signature operations 255*b077aed3SPierre Proncheryonly), B<RSA_PKCS1_PSS_PADDING> (sign and verify only) and 256*b077aed3SPierre ProncheryB<RSA_PKCS1_WITH_TLS_PADDING> for TLS RSA ClientKeyExchange message padding 257*b077aed3SPierre Pronchery(decryption only). 258e71b7053SJung-uk Kim 259e71b7053SJung-uk KimTwo RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md() 260*b077aed3SPierre Proncheryis used. If this function is called for PKCS#1 padding the plaintext buffer is 261e71b7053SJung-uk Kiman actual digest value and is encapsulated in a DigestInfo structure according 262e71b7053SJung-uk Kimto PKCS#1 when signing and this structure is expected (and stripped off) when 263e71b7053SJung-uk Kimverifying. If this control is not used with RSA and PKCS#1 padding then the 264e71b7053SJung-uk Kimsupplied data is used directly and not encapsulated. In the case of X9.31 265e71b7053SJung-uk Kimpadding for RSA the algorithm identifier byte is added or checked and removed 266e71b7053SJung-uk Kimif this control is called. If it is not called then the first byte of the plaintext 267e71b7053SJung-uk Kimbuffer is expected to be the algorithm identifier byte. 268e71b7053SJung-uk Kim 269*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_padding() gets the RSA padding mode for I<ctx>. 270c9cf7b5cSJung-uk Kim 271*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to I<saltlen>. 272*b077aed3SPierre ProncheryAs its name implies it is only supported for PSS padding. If this function is 273*b077aed3SPierre Proncherynot called then the maximum salt length is used when signing and auto detection 274*b077aed3SPierre Proncherywhen verifying. Three special values are supported: 275e71b7053SJung-uk Kim 276*b077aed3SPierre Pronchery=over 4 277c9cf7b5cSJung-uk Kim 278*b077aed3SPierre Pronchery=item B<RSA_PSS_SALTLEN_DIGEST> 279e71b7053SJung-uk Kim 280*b077aed3SPierre Proncherysets the salt length to the digest length. 281e71b7053SJung-uk Kim 282*b077aed3SPierre Pronchery=item B<RSA_PSS_SALTLEN_MAX> 283c9cf7b5cSJung-uk Kim 284*b077aed3SPierre Proncherysets the salt length to the maximum permissible value. 285*b077aed3SPierre Pronchery 286*b077aed3SPierre Pronchery=item B<RSA_PSS_SALTLEN_AUTO> 287*b077aed3SPierre Pronchery 288*b077aed3SPierre Proncherycauses the salt length to be automatically determined based on the 289*b077aed3SPierre ProncheryB<PSS> block structure when verifying. When signing, it has the same 290*b077aed3SPierre Proncherymeaning as B<RSA_PSS_SALTLEN_MAX>. 291*b077aed3SPierre Pronchery 292*b077aed3SPierre Pronchery=back 293*b077aed3SPierre Pronchery 294*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_pss_saltlen() gets the RSA PSS salt length for I<ctx>. 295*b077aed3SPierre ProncheryThe padding mode must already have been set to B<RSA_PKCS1_PSS_PADDING>. 296*b077aed3SPierre Pronchery 297*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_keygen_bits() sets the RSA key length for 298*b077aed3SPierre ProncheryRSA key generation to I<bits>. If not specified 2048 bits is used. 299*b077aed3SPierre Pronchery 300*b077aed3SPierre ProncheryEVP_PKEY_CTX_set1_rsa_keygen_pubexp() sets the public exponent value for RSA key 301*b077aed3SPierre Proncherygeneration to the value stored in I<pubexp>. Currently it should be an odd 302*b077aed3SPierre Proncheryinteger. In accordance with the OpenSSL naming convention, the I<pubexp> pointer 303*b077aed3SPierre Proncherymust be freed independently of the EVP_PKEY_CTX (ie, it is internally copied). 304*b077aed3SPierre ProncheryIf not specified 65537 is used. 305*b077aed3SPierre Pronchery 306*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_keygen_pubexp() does the same as 307*b077aed3SPierre ProncheryEVP_PKEY_CTX_set1_rsa_keygen_pubexp() except that there is no internal copy and 308*b077aed3SPierre Proncherytherefore I<pubexp> should not be modified or freed after the call. 309*b077aed3SPierre Pronchery 310*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_keygen_primes() sets the number of primes for 311*b077aed3SPierre ProncheryRSA key generation to I<primes>. If not specified 2 is used. 312*b077aed3SPierre Pronchery 313*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_mgf1_md_name() sets the MGF1 digest for RSA 314*b077aed3SPierre Proncherypadding schemes to the digest named I<mdname>. If the RSA algorithm 315*b077aed3SPierre Proncheryimplementation for the selected provider supports it then the digest will be 316*b077aed3SPierre Proncheryfetched using the properties I<mdprops>. If not explicitly set the signing 317*b077aed3SPierre Proncherydigest is used. The padding mode must have been set to B<RSA_PKCS1_OAEP_PADDING> 318c9cf7b5cSJung-uk Kimor B<RSA_PKCS1_PSS_PADDING>. 319c9cf7b5cSJung-uk Kim 320*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_mgf1_md() does the same as 321*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_mgf1_md_name() except that the name of the digest is 322*b077aed3SPierre Proncheryinferred from the supplied I<md> and it is not possible to specify any 323*b077aed3SPierre Proncheryproperties. 324c9cf7b5cSJung-uk Kim 325*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_mgf1_md_name() gets the name of the MGF1 326*b077aed3SPierre Proncherydigest algorithm for I<ctx>. If not explicitly set the signing digest is used. 327*b077aed3SPierre ProncheryThe padding mode must have been set to B<RSA_PKCS1_OAEP_PADDING> or 328*b077aed3SPierre ProncheryB<RSA_PKCS1_PSS_PADDING>. 329*b077aed3SPierre Pronchery 330*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_mgf1_md() does the same as 331*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_mgf1_md_name() except that it returns a pointer to an 332*b077aed3SPierre ProncheryEVP_MD object instead. Note that only known, built-in EVP_MD objects will be 333*b077aed3SPierre Proncheryreturned. The EVP_MD object may be NULL if the digest is not one of these (such 334*b077aed3SPierre Proncheryas a digest only implemented in a third party provider). 335*b077aed3SPierre Pronchery 336*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_oaep_md_name() sets the message digest type 337*b077aed3SPierre Proncheryused in RSA OAEP to the digest named I<mdname>. If the RSA algorithm 338*b077aed3SPierre Proncheryimplementation for the selected provider supports it then the digest will be 339*b077aed3SPierre Proncheryfetched using the properties I<mdprops>. The padding mode must have been set to 340c9cf7b5cSJung-uk KimB<RSA_PKCS1_OAEP_PADDING>. 341c9cf7b5cSJung-uk Kim 342*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_oaep_md() does the same as 343*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_oaep_md_name() except that the name of the digest is 344*b077aed3SPierre Proncheryinferred from the supplied I<md> and it is not possible to specify any 345*b077aed3SPierre Proncheryproperties. 346c9cf7b5cSJung-uk Kim 347*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_oaep_md_name() gets the message digest 348*b077aed3SPierre Proncheryalgorithm name used in RSA OAEP and stores it in the buffer I<name> which is of 349*b077aed3SPierre Proncherysize I<namelen>. The padding mode must have been set to 350*b077aed3SPierre ProncheryB<RSA_PKCS1_OAEP_PADDING>. The buffer should be sufficiently large for any 351*b077aed3SPierre Proncheryexpected digest algorithm names or the function will fail. 352*b077aed3SPierre Pronchery 353*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_oaep_md() does the same as 354*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_oaep_md_name() except that it returns a pointer to an 355*b077aed3SPierre ProncheryEVP_MD object instead. Note that only known, built-in EVP_MD objects will be 356*b077aed3SPierre Proncheryreturned. The EVP_MD object may be NULL if the digest is not one of these (such 357*b077aed3SPierre Proncheryas a digest only implemented in a third party provider). 358*b077aed3SPierre Pronchery 359*b077aed3SPierre ProncheryEVP_PKEY_CTX_set0_rsa_oaep_label() sets the RSA OAEP label to binary data 360*b077aed3SPierre ProncheryI<label> and its length in bytes to I<len>. If I<label> is NULL or I<len> is 0, 361c9cf7b5cSJung-uk Kimthe label is cleared. The library takes ownership of the label so the 362*b077aed3SPierre Proncherycaller should not free the original memory pointed to by I<label>. 363c9cf7b5cSJung-uk KimThe padding mode must have been set to B<RSA_PKCS1_OAEP_PADDING>. 364c9cf7b5cSJung-uk Kim 365*b077aed3SPierre ProncheryEVP_PKEY_CTX_get0_rsa_oaep_label() gets the RSA OAEP label to 366*b077aed3SPierre ProncheryI<label>. The return value is the label length. The padding mode 367c9cf7b5cSJung-uk Kimmust have been set to B<RSA_PKCS1_OAEP_PADDING>. The resulting pointer is owned 368c9cf7b5cSJung-uk Kimby the library and should not be freed by the caller. 369c9cf7b5cSJung-uk Kim 370*b077aed3SPierre ProncheryB<RSA_PKCS1_WITH_TLS_PADDING> is used when decrypting an RSA encrypted TLS 371*b077aed3SPierre Proncherypre-master secret in a TLS ClientKeyExchange message. It is the same as 372*b077aed3SPierre ProncheryRSA_PKCS1_PADDING except that it additionally verifies that the result is the 373*b077aed3SPierre Proncherycorrect length and the first two bytes are the protocol version initially 374*b077aed3SPierre Proncheryrequested by the client. If the encrypted content is publicly invalid then the 375*b077aed3SPierre Proncherydecryption will fail. However, if the padding checks fail then decryption will 376*b077aed3SPierre Proncherystill appear to succeed but a random TLS premaster secret will be returned 377*b077aed3SPierre Proncheryinstead. This padding mode accepts two parameters which can be set using the 378*b077aed3SPierre ProncheryL<EVP_PKEY_CTX_set_params(3)> function. These are 379*b077aed3SPierre ProncheryOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION and 380*b077aed3SPierre ProncheryOSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, both of which are expected to be 381*b077aed3SPierre Proncheryunsigned integers. Normally only the first of these will be set and represents 382*b077aed3SPierre Proncherythe TLS protocol version that was first requested by the client (e.g. 0x0303 for 383*b077aed3SPierre ProncheryTLSv1.2, 0x0302 for TLSv1.1 etc). Historically some buggy clients would use the 384*b077aed3SPierre Proncherynegotiated protocol version instead of the protocol version first requested. If 385*b077aed3SPierre Proncherythis behaviour should be tolerated then 386*b077aed3SPierre ProncheryOSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual 387*b077aed3SPierre Proncherynegotiated protocol version. Otherwise it should be left unset. 388*b077aed3SPierre Pronchery 389c9cf7b5cSJung-uk Kim=head2 DSA parameters 390c9cf7b5cSJung-uk Kim 391*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA 392*b077aed3SPierre Proncheryparameter generation to B<nbits>. If not specified, 2048 is used. 39317f01e99SJung-uk Kim 394*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_q_bits() sets the number of bits in the subprime 395*b077aed3SPierre Proncheryparameter I<q> for DSA parameter generation to I<qbits>. If not specified, 224 396*b077aed3SPierre Proncheryis used. If a digest function is specified below, this parameter is ignored and 397*b077aed3SPierre Proncheryinstead, the number of bits in I<q> matches the size of the digest. 39817f01e99SJung-uk Kim 399*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_md() sets the digest function used for DSA 400*b077aed3SPierre Proncheryparameter generation to I<md>. If not specified, one of SHA-1, SHA-224, or 401*b077aed3SPierre ProncherySHA-256 is selected to match the bit length of I<q> above. 402*b077aed3SPierre Pronchery 403*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_md_props() sets the digest function used for DSA 404*b077aed3SPierre Proncheryparameter generation using I<md_name> and I<md_properties> to retrieve the 405*b077aed3SPierre Proncherydigest from a provider. 406*b077aed3SPierre ProncheryIf not specified, I<md_name> will be set to one of SHA-1, SHA-224, or 407*b077aed3SPierre ProncherySHA-256 depending on the bit length of I<q> above. I<md_properties> is a 408*b077aed3SPierre Proncheryproperty query string that has a default value of '' if not specified. 409*b077aed3SPierre Pronchery 410*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_gindex() sets the I<gindex> used by the generator 411*b077aed3SPierre ProncheryG. The default value is -1 which uses unverifiable g, otherwise a positive value 412*b077aed3SPierre Proncheryuses verifiable g. This value must be saved if key validation of g is required, 413*b077aed3SPierre Proncherysince it is not part of a persisted key. 414*b077aed3SPierre Pronchery 415*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_seed() sets the I<seed> to use for generation 416*b077aed3SPierre Proncheryrather than using a randomly generated value for the seed. This is useful for 417*b077aed3SPierre Proncherytesting purposes only and can fail if the seed does not produce primes for both 418*b077aed3SPierre Proncheryp & q on its first iteration. This value must be saved if key validation of 419*b077aed3SPierre Proncheryp, q, and verifiable g are required, since it is not part of a persisted key. 420*b077aed3SPierre Pronchery 421*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_type() sets the generation type to use FIPS186-4 422*b077aed3SPierre Proncherygeneration if I<name> is "fips186_4", or FIPS186-2 generation if I<name> is 423*b077aed3SPierre Pronchery"fips186_2". The default value for the default provider is "fips186_2". The 424*b077aed3SPierre Proncherydefault value for the FIPS provider is "fips186_4". 425e71b7053SJung-uk Kim 426c9cf7b5cSJung-uk Kim=head2 DH parameters 427c9cf7b5cSJung-uk Kim 428*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_paramgen_prime_len() sets the length of the DH prime 429*b077aed3SPierre Proncheryparameter I<p> for DH parameter generation. If this function is not called then 430*b077aed3SPierre Pronchery2048 is used. Only accepts lengths greater than or equal to 256. 431c9cf7b5cSJung-uk Kim 432*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_paramgen_subprime_len() sets the length of the DH 433*b077aed3SPierre Proncheryoptional subprime parameter I<q> for DH parameter generation. The default is 434*b077aed3SPierre Pronchery256 if the prime is at least 2048 bits long or 160 otherwise. The DH paramgen 435*b077aed3SPierre Proncherytype must have been set to "fips186_4". 436e71b7053SJung-uk Kim 437*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_paramgen_generator() sets DH generator to I<gen> for DH 438*b077aed3SPierre Proncheryparameter generation. If not specified 2 is used. 439e71b7053SJung-uk Kim 440*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_paramgen_type() sets the key type for DH parameter 441*b077aed3SPierre Proncherygeneration. The supported parameters are: 442c9cf7b5cSJung-uk Kim 443*b077aed3SPierre Pronchery=over 4 444*b077aed3SPierre Pronchery 445*b077aed3SPierre Pronchery=item B<DH_PARAMGEN_TYPE_GROUP> 446*b077aed3SPierre Pronchery 447*b077aed3SPierre ProncheryUse a named group. If only the safe prime parameter I<p> is set this can be 448*b077aed3SPierre Proncheryused to select a ffdhe safe prime group of the correct size. 449*b077aed3SPierre Pronchery 450*b077aed3SPierre Pronchery=item B<DH_PARAMGEN_TYPE_FIPS_186_4> 451*b077aed3SPierre Pronchery 452*b077aed3SPierre ProncheryFIPS186-4 FFC parameter generator. 453*b077aed3SPierre Pronchery 454*b077aed3SPierre Pronchery=item B<DH_PARAMGEN_TYPE_FIPS_186_2> 455*b077aed3SPierre Pronchery 456*b077aed3SPierre ProncheryFIPS186-2 FFC parameter generator (X9.42 DH). 457*b077aed3SPierre Pronchery 458*b077aed3SPierre Pronchery=item B<DH_PARAMGEN_TYPE_GENERATOR> 459*b077aed3SPierre Pronchery 460*b077aed3SPierre ProncheryUses a safe prime generator g (PKCS#3 format). 461*b077aed3SPierre Pronchery 462*b077aed3SPierre Pronchery=back 463*b077aed3SPierre Pronchery 464*b077aed3SPierre ProncheryThe default in the default provider is B<DH_PARAMGEN_TYPE_GENERATOR> for the 465*b077aed3SPierre Pronchery"DH" keytype, and B<DH_PARAMGEN_TYPE_FIPS_186_2> for the "DHX" keytype. In the 466*b077aed3SPierre ProncheryFIPS provider the default value is B<DH_PARAMGEN_TYPE_GROUP> for the "DH" 467*b077aed3SPierre Proncherykeytype and <B<DH_PARAMGEN_TYPE_FIPS_186_4> for the "DHX" keytype. 468*b077aed3SPierre Pronchery 469*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_paramgen_gindex() sets the I<gindex> used by the generator G. 470*b077aed3SPierre ProncheryThe default value is -1 which uses unverifiable g, otherwise a positive value 471*b077aed3SPierre Proncheryuses verifiable g. This value must be saved if key validation of g is required, 472*b077aed3SPierre Proncherysince it is not part of a persisted key. 473*b077aed3SPierre Pronchery 474*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_paramgen_seed() sets the I<seed> to use for generation 475*b077aed3SPierre Proncheryrather than using a randomly generated value for the seed. This is useful for 476*b077aed3SPierre Proncherytesting purposes only and can fail if the seed does not produce primes for both 477*b077aed3SPierre Proncheryp & q on its first iteration. This value must be saved if key validation of p, q, 478*b077aed3SPierre Proncheryand verifiable g are required, since it is not part of a persisted key. 479*b077aed3SPierre Pronchery 480*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_pad() sets the DH padding mode. 481*b077aed3SPierre ProncheryIf I<pad> is 1 the shared secret is padded with zeros up to the size of the DH 482*b077aed3SPierre Proncheryprime I<p>. 483*b077aed3SPierre ProncheryIf I<pad> is zero (the default) then no padding is performed. 484e71b7053SJung-uk Kim 485e71b7053SJung-uk KimEVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to 486*b077aed3SPierre ProncheryI<nid> as defined in RFC7919 or RFC3526. The I<nid> parameter must be 487*b077aed3SPierre ProncheryB<NID_ffdhe2048>, B<NID_ffdhe3072>, B<NID_ffdhe4096>, B<NID_ffdhe6144>, 488*b077aed3SPierre ProncheryB<NID_ffdhe8192>, B<NID_modp_1536>, B<NID_modp_2048>, B<NID_modp_3072>, 489*b077aed3SPierre ProncheryB<NID_modp_4096>, B<NID_modp_6144>, B<NID_modp_8192> or B<NID_undef> to clear 490*b077aed3SPierre Proncherythe stored value. This function can be called during parameter or key generation. 491c9cf7b5cSJung-uk KimThe nid parameter and the rfc5114 parameter are mutually exclusive. 492c9cf7b5cSJung-uk Kim 493*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() both set the 494*b077aed3SPierre ProncheryDH parameters to the values defined in RFC5114. The I<rfc5114> parameter must 495*b077aed3SPierre Proncherybe 1, 2 or 3 corresponding to RFC5114 sections 2.1, 2.2 and 2.3. or 0 to clear 496*b077aed3SPierre Proncherythe stored value. This macro can be called during parameter generation. The 497*b077aed3SPierre ProncheryI<ctx> must have a key type of B<EVP_PKEY_DHX>. 498c9cf7b5cSJung-uk KimThe rfc5114 parameter and the nid parameter are mutually exclusive. 499c9cf7b5cSJung-uk Kim 500c9cf7b5cSJung-uk Kim=head2 DH key derivation function parameters 501c9cf7b5cSJung-uk Kim 502*b077aed3SPierre ProncheryNote that all of the following functions require that the I<ctx> parameter has 503c9cf7b5cSJung-uk Kima private key type of B<EVP_PKEY_DHX>. When using key derivation, the output of 504c9cf7b5cSJung-uk KimEVP_PKEY_derive() is the output of the KDF instead of the DH shared secret. 505c9cf7b5cSJung-uk KimThe KDF output is typically used as a Key Encryption Key (KEK) that in turn 506c9cf7b5cSJung-uk Kimencrypts a Content Encryption Key (CEK). 507c9cf7b5cSJung-uk Kim 508*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_kdf_type() sets the key derivation function type to I<kdf> 509*b077aed3SPierre Proncheryfor DH key derivation. Possible values are B<EVP_PKEY_DH_KDF_NONE> and 510*b077aed3SPierre ProncheryB<EVP_PKEY_DH_KDF_X9_42> which uses the key derivation specified in RFC2631 511c9cf7b5cSJung-uk Kim(based on the keying algorithm described in X9.42). When using key derivation, 512*b077aed3SPierre Proncherythe I<kdf_oid>, I<kdf_md> and I<kdf_outlen> parameters must also be specified. 513c9cf7b5cSJung-uk Kim 514*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_dh_kdf_type() gets the key derivation function type for I<ctx> 515*b077aed3SPierre Proncheryused for DH key derivation. Possible values are B<EVP_PKEY_DH_KDF_NONE> and 516*b077aed3SPierre ProncheryB<EVP_PKEY_DH_KDF_X9_42>. 517c9cf7b5cSJung-uk Kim 518*b077aed3SPierre ProncheryEVP_PKEY_CTX_set0_dh_kdf_oid() sets the key derivation function object 519*b077aed3SPierre Proncheryidentifier to I<oid> for DH key derivation. This OID should identify the 520*b077aed3SPierre Proncheryalgorithm to be used with the Content Encryption Key. 521c9cf7b5cSJung-uk KimThe library takes ownership of the object identifier so the caller should not 522*b077aed3SPierre Proncheryfree the original memory pointed to by I<oid>. 523c9cf7b5cSJung-uk Kim 524*b077aed3SPierre ProncheryEVP_PKEY_CTX_get0_dh_kdf_oid() gets the key derivation function oid for I<ctx> 525*b077aed3SPierre Proncheryused for DH key derivation. The resulting pointer is owned by the library and 526*b077aed3SPierre Proncheryshould not be freed by the caller. 527c9cf7b5cSJung-uk Kim 528*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_kdf_md() sets the key derivation function message digest to 529*b077aed3SPierre ProncheryI<md> for DH key derivation. Note that RFC2631 specifies that this digest should 530*b077aed3SPierre Proncherybe SHA1 but OpenSSL tolerates other digests. 531c9cf7b5cSJung-uk Kim 532*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_dh_kdf_md() gets the key derivation function message digest for 533*b077aed3SPierre ProncheryI<ctx> used for DH key derivation. 534c9cf7b5cSJung-uk Kim 535*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dh_kdf_outlen() sets the key derivation function output length 536*b077aed3SPierre Proncheryto I<len> for DH key derivation. 537c9cf7b5cSJung-uk Kim 538*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_dh_kdf_outlen() gets the key derivation function output length 539*b077aed3SPierre Proncheryfor I<ctx> used for DH key derivation. 540c9cf7b5cSJung-uk Kim 541*b077aed3SPierre ProncheryEVP_PKEY_CTX_set0_dh_kdf_ukm() sets the user key material to I<ukm> and its 542*b077aed3SPierre Proncherylength to I<len> for DH key derivation. This parameter is optional and 543*b077aed3SPierre Proncherycorresponds to the partyAInfo field in RFC2631 terms. The specification 544c9cf7b5cSJung-uk Kimrequires that it is 512 bits long but this is not enforced by OpenSSL. 545c9cf7b5cSJung-uk KimThe library takes ownership of the user key material so the caller should not 546*b077aed3SPierre Proncheryfree the original memory pointed to by I<ukm>. 547c9cf7b5cSJung-uk Kim 548*b077aed3SPierre ProncheryEVP_PKEY_CTX_get0_dh_kdf_ukm() gets the user key material for I<ctx>. 549c9cf7b5cSJung-uk KimThe return value is the user key material length. The resulting pointer is owned 550c9cf7b5cSJung-uk Kimby the library and should not be freed by the caller. 551c9cf7b5cSJung-uk Kim 552c9cf7b5cSJung-uk Kim=head2 EC parameters 553e71b7053SJung-uk Kim 554*b077aed3SPierre ProncheryUse EVP_PKEY_CTX_set_group_name() (described above) to set the curve name to 555*b077aed3SPierre ProncheryI<name> for parameter and key generation. 556*b077aed3SPierre Pronchery 557*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_ec_paramgen_curve_nid() does the same as 558*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_group_name(), but is specific to EC and uses a I<nid> rather 559*b077aed3SPierre Proncherythan a name string. 560*b077aed3SPierre Pronchery 561*b077aed3SPierre ProncheryFor EC parameter generation, one of EVP_PKEY_CTX_set_group_name() 562*b077aed3SPierre Proncheryor EVP_PKEY_CTX_set_ec_paramgen_curve_nid() must be called or an error occurs 563*b077aed3SPierre Proncherybecause there is no default curve. 564*b077aed3SPierre ProncheryThese function can also be called to set the curve explicitly when 565e71b7053SJung-uk Kimgenerating an EC key. 566e71b7053SJung-uk Kim 567*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_group_name() (described above) can be used to obtain the curve 568*b077aed3SPierre Proncheryname that's currently set with I<ctx>. 569*b077aed3SPierre Pronchery 570*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_ec_param_enc() sets the EC parameter encoding to I<param_enc> 571*b077aed3SPierre Proncherywhen generating EC parameters or an EC key. The encoding can be 572e71b7053SJung-uk KimB<OPENSSL_EC_EXPLICIT_CURVE> for explicit parameters (the default in versions 573e71b7053SJung-uk Kimof OpenSSL before 1.1.0) or B<OPENSSL_EC_NAMED_CURVE> to use named curve form. 574e71b7053SJung-uk KimFor maximum compatibility the named curve form should be used. Note: the 5756935a639SJung-uk KimB<OPENSSL_EC_NAMED_CURVE> value was added in OpenSSL 1.1.0; previous 576e71b7053SJung-uk Kimversions should use 0 instead. 577e71b7053SJung-uk Kim 578c9cf7b5cSJung-uk Kim=head2 ECDH parameters 579c9cf7b5cSJung-uk Kim 580*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_ecdh_cofactor_mode() sets the cofactor mode to I<cofactor_mode> 581*b077aed3SPierre Proncheryfor ECDH key derivation. Possible values are 1 to enable cofactor 582*b077aed3SPierre Proncherykey derivation, 0 to disable it and -1 to clear the stored cofactor mode and 583*b077aed3SPierre Proncheryfallback to the private key cofactor mode. 584c9cf7b5cSJung-uk Kim 585*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_ecdh_cofactor_mode() returns the cofactor mode for I<ctx> used 586*b077aed3SPierre Proncheryfor ECDH key derivation. Possible values are 1 when cofactor key derivation is 587*b077aed3SPierre Proncheryenabled and 0 otherwise. 588c9cf7b5cSJung-uk Kim 589c9cf7b5cSJung-uk Kim=head2 ECDH key derivation function parameters 590c9cf7b5cSJung-uk Kim 591*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_ecdh_kdf_type() sets the key derivation function type to 592*b077aed3SPierre ProncheryI<kdf> for ECDH key derivation. Possible values are B<EVP_PKEY_ECDH_KDF_NONE> 593c9cf7b5cSJung-uk Kimand B<EVP_PKEY_ECDH_KDF_X9_63> which uses the key derivation specified in X9.63. 594*b077aed3SPierre ProncheryWhen using key derivation, the I<kdf_md> and I<kdf_outlen> parameters must 595c9cf7b5cSJung-uk Kimalso be specified. 596c9cf7b5cSJung-uk Kim 597*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_ecdh_kdf_type() returns the key derivation function type for 598*b077aed3SPierre ProncheryI<ctx> used for ECDH key derivation. Possible values are 599c9cf7b5cSJung-uk KimB<EVP_PKEY_ECDH_KDF_NONE> and B<EVP_PKEY_ECDH_KDF_X9_63>. 600c9cf7b5cSJung-uk Kim 601*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_ecdh_kdf_md() sets the key derivation function message digest 602*b077aed3SPierre Proncheryto I<md> for ECDH key derivation. Note that X9.63 specifies that this digest 603*b077aed3SPierre Proncheryshould be SHA1 but OpenSSL tolerates other digests. 604c9cf7b5cSJung-uk Kim 605*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_ecdh_kdf_md() gets the key derivation function message digest 606*b077aed3SPierre Proncheryfor I<ctx> used for ECDH key derivation. 607c9cf7b5cSJung-uk Kim 608*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_ecdh_kdf_outlen() sets the key derivation function output 609*b077aed3SPierre Proncherylength to I<len> for ECDH key derivation. 610c9cf7b5cSJung-uk Kim 611*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_ecdh_kdf_outlen() gets the key derivation function output 612*b077aed3SPierre Proncherylength for I<ctx> used for ECDH key derivation. 613c9cf7b5cSJung-uk Kim 614*b077aed3SPierre ProncheryEVP_PKEY_CTX_set0_ecdh_kdf_ukm() sets the user key material to I<ukm> for ECDH 615*b077aed3SPierre Proncherykey derivation. This parameter is optional and corresponds to the shared info in 616*b077aed3SPierre ProncheryX9.63 terms. The library takes ownership of the user key material so the caller 617*b077aed3SPierre Proncheryshould not free the original memory pointed to by I<ukm>. 618c9cf7b5cSJung-uk Kim 619*b077aed3SPierre ProncheryEVP_PKEY_CTX_get0_ecdh_kdf_ukm() gets the user key material for I<ctx>. 620c9cf7b5cSJung-uk KimThe return value is the user key material length. The resulting pointer is owned 621c9cf7b5cSJung-uk Kimby the library and should not be freed by the caller. 622c9cf7b5cSJung-uk Kim 623c9cf7b5cSJung-uk Kim=head2 Other parameters 624c9cf7b5cSJung-uk Kim 625*b077aed3SPierre ProncheryEVP_PKEY_CTX_set1_id(), EVP_PKEY_CTX_get1_id() and EVP_PKEY_CTX_get1_id_len() 626*b077aed3SPierre Proncheryare used to manipulate the special identifier field for specific signature 627*b077aed3SPierre Proncheryalgorithms such as SM2. The EVP_PKEY_CTX_set1_id() sets an ID pointed by I<id> with 628*b077aed3SPierre Proncherythe length I<id_len> to the library. The library takes a copy of the id so that 629*b077aed3SPierre Proncherythe caller can safely free the original memory pointed to by I<id>. 630*b077aed3SPierre ProncheryEVP_PKEY_CTX_get1_id_len() returns the length of the ID set via a previous call 631*b077aed3SPierre Proncheryto EVP_PKEY_CTX_set1_id(). The length is usually used to allocate adequate 632*b077aed3SPierre Proncherymemory for further calls to EVP_PKEY_CTX_get1_id(). EVP_PKEY_CTX_get1_id() 633*b077aed3SPierre Proncheryreturns the previously set ID value to caller in I<id>. The caller should 634*b077aed3SPierre Proncheryallocate adequate memory space for the I<id> before calling EVP_PKEY_CTX_get1_id(). 635*b077aed3SPierre Pronchery 636*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_kem_op() sets the KEM operation to run. This can be set after 637*b077aed3SPierre ProncheryEVP_PKEY_encapsulate_init() or EVP_PKEY_decapsulate_init() to select the 638*b077aed3SPierre Proncherykem operation. RSA is the only key type that supports encapsulation currently, 639*b077aed3SPierre Proncheryand as there is no default operation for the RSA type, this function must be 640*b077aed3SPierre Proncherycalled before EVP_PKEY_encapsulate() or EVP_PKEY_decapsulate(). 641e71b7053SJung-uk Kim 642e71b7053SJung-uk Kim=head1 RETURN VALUES 643e71b7053SJung-uk Kim 644*b077aed3SPierre ProncheryAll other functions described on this page return a positive value for success 645*b077aed3SPierre Proncheryand 0 or a negative value for failure. In particular a return value of -2 646e71b7053SJung-uk Kimindicates the operation is not supported by the public key algorithm. 647e71b7053SJung-uk Kim 648e71b7053SJung-uk Kim=head1 SEE ALSO 649e71b7053SJung-uk Kim 650*b077aed3SPierre ProncheryL<EVP_PKEY_CTX_set_params(3)>, 651e71b7053SJung-uk KimL<EVP_PKEY_CTX_new(3)>, 652e71b7053SJung-uk KimL<EVP_PKEY_encrypt(3)>, 653e71b7053SJung-uk KimL<EVP_PKEY_decrypt(3)>, 654e71b7053SJung-uk KimL<EVP_PKEY_sign(3)>, 655e71b7053SJung-uk KimL<EVP_PKEY_verify(3)>, 656e71b7053SJung-uk KimL<EVP_PKEY_verify_recover(3)>, 657c9cf7b5cSJung-uk KimL<EVP_PKEY_derive(3)>, 658e71b7053SJung-uk KimL<EVP_PKEY_keygen(3)> 659*b077aed3SPierre ProncheryL<EVP_PKEY_encapsulate(3)> 660*b077aed3SPierre ProncheryL<EVP_PKEY_decapsulate(3)> 661e71b7053SJung-uk Kim 662e71b7053SJung-uk Kim=head1 HISTORY 663e71b7053SJung-uk Kim 664*b077aed3SPierre ProncheryEVP_PKEY_CTX_get_rsa_oaep_md_name(), EVP_PKEY_CTX_get_rsa_mgf1_md_name(), 665*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_mgf1_md_name(), EVP_PKEY_CTX_set_rsa_oaep_md_name(), 666*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_md_props(), EVP_PKEY_CTX_set_dsa_paramgen_gindex(), 667*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_dsa_paramgen_type(), EVP_PKEY_CTX_set_dsa_paramgen_seed(), 668*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_group_name() and EVP_PKEY_CTX_get_group_name() 669*b077aed3SPierre Proncherywere added in OpenSSL 3.0. 670*b077aed3SPierre Pronchery 671*b077aed3SPierre ProncheryThe EVP_PKEY_CTX_set1_id(), EVP_PKEY_CTX_get1_id() and 672*b077aed3SPierre ProncheryEVP_PKEY_CTX_get1_id_len() macros were added in 1.1.1, other functions were 673*b077aed3SPierre Proncheryadded in OpenSSL 1.0.0. 674*b077aed3SPierre Pronchery 675*b077aed3SPierre ProncheryIn OpenSSL 1.1.1 and below the functions were mostly macros. 676*b077aed3SPierre ProncheryFrom OpenSSL 3.0 they are all functions. 677*b077aed3SPierre Pronchery 678*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_rsa_keygen_pubexp(), EVP_PKEY_CTX_get0_dh_kdf_ukm(), 679*b077aed3SPierre Proncheryand EVP_PKEY_CTX_get0_ecdh_kdf_ukm() were deprecated in OpenSSL 3.0. 680e71b7053SJung-uk Kim 681e71b7053SJung-uk Kim=head1 COPYRIGHT 682e71b7053SJung-uk Kim 683*b077aed3SPierre ProncheryCopyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. 684e71b7053SJung-uk Kim 685*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License"). You may not use 686e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 687e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 688e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 689e71b7053SJung-uk Kim 690e71b7053SJung-uk Kim=cut 691