1d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * All rights reserved. 3d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 4d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * This package is an SSL implementation written 5d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * by Eric Young (eay@cryptsoft.com). 6d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The implementation was written so as to conform with Netscapes SSL. 7d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 8d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * This library is free for commercial and non-commercial use as long as 9d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * the following conditions are aheared to. The following conditions 10d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * apply to all code found in this distribution, be it the RC4, RSA, 11d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * included with this distribution is covered by the same copyright terms 13d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 15d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * Copyright remains Eric Young's, and as such any Copyright notices in 16d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * the code are not to be removed. 17d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * If this package is used in a product, Eric Young should be given attribution 18d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * as the author of the parts of the library used. 19d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * This can be in the form of a textual message at program startup or 20d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * in documentation (online or textual) provided with the package. 21d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 22d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * Redistribution and use in source and binary forms, with or without 23d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * modification, are permitted provided that the following conditions 24d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * are met: 25d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 1. Redistributions of source code must retain the copyright 26d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * notice, this list of conditions and the following disclaimer. 27d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 2. Redistributions in binary form must reproduce the above copyright 28d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * notice, this list of conditions and the following disclaimer in the 29d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * documentation and/or other materials provided with the distribution. 30d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 3. All advertising materials mentioning features or use of this software 31d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * must display the following acknowledgement: 32d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * "This product includes cryptographic software written by 33d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * Eric Young (eay@cryptsoft.com)" 34d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The word 'cryptographic' can be left out if the rouines from the library 35d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * being used are not cryptographic related :-). 36d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 4. If you include any Windows specific code (or a derivative thereof) from 37d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * the apps directory (application code) you must include an acknowledgement: 38d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 40d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * SUCH DAMAGE. 51d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 52d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The licence and distribution terms for any publically available version or 53d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * derivative of this code cannot be changed. i.e. this code cannot simply be 54d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * copied and put under another distribution licence 55d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * [including the GNU Public Licence.] */ 56d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 57d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#ifndef OPENSSL_HEADER_RSA_H 58d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define OPENSSL_HEADER_RSA_H 59d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 60d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#include <openssl/base.h> 61d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 62d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#include <openssl/engine.h> 63d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#include <openssl/ex_data.h> 64e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley#include <openssl/thread.h> 65d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 66d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#if defined(__cplusplus) 67d9e397b599b13d642138480a28c14db7a136bf0Adam Langleyextern "C" { 68d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#endif 69d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 70d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 71d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* rsa.h contains functions for handling encryption and signature using RSA. */ 72d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 73d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 74d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Allocation and destruction. */ 75d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 76d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_new returns a new, empty RSA object or NULL on error. */ 77d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT RSA *RSA_new(void); 78d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 79d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. */ 80d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine); 81d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 82d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_free decrements the reference count of |rsa| and frees it if the 83d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * reference count drops to zero. */ 84d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT void RSA_free(RSA *rsa); 85d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 86c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* RSA_up_ref increments the reference count of |rsa| and returns one. */ 87d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_up_ref(RSA *rsa); 88d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 89d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 90c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* Properties. */ 91c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 92c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s 93c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * modulus, public exponent, and private exponent, respectively. If |rsa| is a 94c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * public key, the private exponent will be set to NULL. */ 95c895d6b1c580258e72e1ed3fcc86d38970ded9e1David BenjaminOPENSSL_EXPORT void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, 96c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin const BIGNUM **out_e, const BIGNUM **out_d); 97c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 98c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime 99c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * factors. If |rsa| is a public key, they will be set to NULL. If |rsa| is a 100c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * multi-prime key, only the first two prime factors will be reported. */ 101c895d6b1c580258e72e1ed3fcc86d38970ded9e1David BenjaminOPENSSL_EXPORT void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, 102c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin const BIGNUM **out_q); 103c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 104c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if 105c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and 106c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be 107c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * set to NULL. If |rsa| is a multi-prime key, only the CRT parameters for the 108c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * first two primes will be reported. */ 109c895d6b1c580258e72e1ed3fcc86d38970ded9e1David BenjaminOPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, 110c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin const BIGNUM **out_dmq1, 111c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin const BIGNUM **out_iqmp); 112c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 113c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 114d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Key generation. */ 115d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 116d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_generate_key_ex generates a new RSA key where the modulus has size 117d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value 118d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * for |e|. If |cb| is not NULL then it is called during the key generation 119d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * process. In addition to the calls documented for |BN_generate_prime_ex|, it 120d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * is called with event=2 when the n'th prime is rejected as unsuitable and 121d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * with event=3 when a suitable value for |p| is found. 122d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 123d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns one on success or zero on error. */ 124d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, 125d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BN_GENCB *cb); 126d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 127b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_generate_multi_prime_key acts like |RSA_generate_key_ex| but can 128b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * generate an RSA private key with more than two primes. */ 129b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_generate_multi_prime_key(RSA *rsa, int bits, 130b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root int num_primes, BIGNUM *e, 131b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root BN_GENCB *cb); 132b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 133d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 134d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Encryption / Decryption */ 135d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 136d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Padding types for encryption. */ 137d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_PKCS1_PADDING 1 138d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_NO_PADDING 3 139d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_PKCS1_OAEP_PADDING 4 140d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */ 141d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_PKCS1_PSS_PADDING 6 142d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 143d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa| 144d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * and writes, at most, |max_out| bytes of encrypted data to |out|. The 145d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |max_out| argument must be, at least, |RSA_size| in order to ensure success. 146d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 147d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success or zero on error. 148d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 149d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 1504139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but 1514139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_PKCS1_PADDING| is most common. */ 152d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, 153d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t max_out, const uint8_t *in, size_t in_len, 154d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int padding); 155d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 156d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_decrypt decrypts |in_len| bytes from |in| with the private key from 157d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The 158d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |max_out| argument must be, at least, |RSA_size| in order to ensure success. 159d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 160d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success or zero on error. 161d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 162d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 1634139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. 1644139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * 1654139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If 1664139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then 1674139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * check padding in constant-time combined with a swap to a random session key 1684139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based 1694139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in 1704139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * Cryptology (Crypto '98). */ 171d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, 172d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t max_out, const uint8_t *in, size_t in_len, 173d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int padding); 174d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 175d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in 176d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at 177d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * least |RSA_size| bytes of space. It returns the number of bytes written, or 178d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| 1794139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but 1804139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_PKCS1_PADDING| is most common. 181d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 182d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this function is dangerous because it breaks the usual return value 183d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * convention. Use |RSA_encrypt| instead. */ 184e99801b603dea8893dcc61c70b327ef2d00b652cKenny RootOPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from, 185d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *to, RSA *rsa, int padding); 186d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 187d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in 1884139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |rsa| and writes the plaintext to |to|. The |to| buffer must have at least 1894139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_size| bytes of space. It returns the number of bytes written, or -1 on 1904139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * error. The |padding| argument must be one of the |RSA_*_PADDING| values. If 1914139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing 1924139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See 1934139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_decrypt|. 194d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 195d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this function is dangerous because it breaks the usual return value 196d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * convention. Use |RSA_decrypt| instead. */ 197e99801b603dea8893dcc61c70b327ef2d00b652cKenny RootOPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from, 198d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *to, RSA *rsa, int padding); 199d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 200d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 201d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Signing / Verification */ 202d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 2034139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley/* RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using 2044139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On 2054139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * successful return, the actual number of bytes written is written to 2064139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |*out_len|. 207d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 208d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |hash_nid| argument identifies the hash function used to calculate |in| 209d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * and is embedded in the resulting signature. For example, it might be 210d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |NID_sha256|. 211d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 212d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success and zero on error. */ 213d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in, 214d9e397b599b13d642138480a28c14db7a136bf0Adam Langley unsigned int in_len, uint8_t *out, 215d9e397b599b13d642138480a28c14db7a136bf0Adam Langley unsigned int *out_len, RSA *rsa); 216d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 217d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa| 218e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * and writes, at most, |max_out| bytes of signature data to |out|. The 219d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |max_out| argument must be, at least, |RSA_size| in order to ensure success. 220d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 221d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success or zero on error. 222d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 223d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 2244139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING| 2254139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * (via the |EVP_PKEY| interface) is preferred for new protocols. */ 226d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, 227d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t max_out, const uint8_t *in, 228d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t in_len, int padding); 229d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 2304139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley/* RSA_verify verifies that |sig_len| bytes from |sig| are a valid, 2314139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|. 232d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 233d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |hash_nid| argument identifies the hash function used to calculate |in| 234d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * and is embedded in the resulting signature in order to prevent hash 235d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * confusion attacks. For example, it might be |NID_sha256|. 236d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 237d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns one if the signature is valid and zero otherwise. 238d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 239d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this differs from the original, OpenSSL function which additionally 240d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * returned -1 on error. */ 241d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len, 242d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *sig, size_t sig_len, RSA *rsa); 243d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 244d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_verify_raw verifies |in_len| bytes of signature from |in| using the 245d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * public key from |rsa| and writes, at most, |max_out| bytes of plaintext to 246d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |out|. The |max_out| argument must be, at least, |RSA_size| in order to 247d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * ensure success. 248d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 249d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success or zero on error. 250d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 251d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 2524139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING| 2534139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * (via the |EVP_PKEY| interface) is preferred for new protocols. */ 254d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, 255d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t max_out, const uint8_t *in, 256d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t in_len, int padding); 257d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 258d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in 259d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at 260d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * least |RSA_size| bytes of space. It returns the number of bytes written, or 261d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| 2624139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but 2634139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new 2644139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * protocols. 265d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 266d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this function is dangerous because it breaks the usual return value 267d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * convention. Use |RSA_sign_raw| instead. */ 268e99801b603dea8893dcc61c70b327ef2d00b652cKenny RootOPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from, 269d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *to, RSA *rsa, int padding); 270d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 271b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_public_decrypt verifies |flen| bytes of signature from |from| using the 272d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * public key in |rsa| and writes the plaintext to |to|. The |to| buffer must 273d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * have at least |RSA_size| bytes of space. It returns the number of bytes 274d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * written, or -1 on error. The |padding| argument must be one of the 2754139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common 2764139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for 2774139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * new protocols. 278d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 279d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this function is dangerous because it breaks the usual return value 280d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * convention. Use |RSA_verify_raw| instead. */ 281e99801b603dea8893dcc61c70b327ef2d00b652cKenny RootOPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from, 282d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *to, RSA *rsa, int padding); 283d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 284d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 285d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Utility functions. */ 286d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 287d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_size returns the number of bytes in the modulus, which is also the size 288e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * of a signature or encrypted value using |rsa|. */ 289d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT unsigned RSA_size(const RSA *rsa); 290d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 291d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key 292d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * material. Otherwise it returns zero. */ 293d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa); 294d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 295d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_supports_digest returns one if |rsa| supports signing digests 296d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * of type |md|. Otherwise it returns zero. */ 297d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_supports_digest(const RSA *rsa, const EVP_MD *md); 298d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 299b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from 300d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */ 301d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa); 302d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 303d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from 304d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */ 305d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa); 306d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 307d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_check_key performs basic validatity tests on |rsa|. It returns one if 308d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * they pass and zero otherwise. Opaque keys and public keys always pass. If it 309d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * returns zero then a more detailed error is available on the error queue. */ 310d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_check_key(const RSA *rsa); 311d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 312d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_recover_crt_params uses |rsa->n|, |rsa->d| and |rsa->e| in order to 313d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * calculate the two primes used and thus the precomputed, CRT values. These 314d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * values are set in the |p|, |q|, |dmp1|, |dmq1| and |iqmp| members of |rsa|, 315d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * which must be |NULL| on entry. It returns one on success and zero 316d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * otherwise. */ 317d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_recover_crt_params(RSA *rsa); 318d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 319f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley/* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of 320e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to 321e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the 322e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * hash function for generating the mask. If NULL, |Hash| is used. The |sLen| 323e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * argument specifies the expected salt length in bytes. If |sLen| is -1 then 324e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * the salt length is the same as the hash length. If -2, then the salt length 32569939df2891f62f7f00ff2ac275f1cd81a67454cRobert Sloan * is recovered and all values accepted. 32669939df2891f62f7f00ff2ac275f1cd81a67454cRobert Sloan * 32769939df2891f62f7f00ff2ac275f1cd81a67454cRobert Sloan * If unsure, use -1. 328f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley * 329f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley * It returns one on success or zero on error. */ 330f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam LangleyOPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash, 331f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const EVP_MD *Hash, 332f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const EVP_MD *mgf1Hash, 333f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const uint8_t *EM, int sLen); 334f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley 335f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley/* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|, 336e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of 337e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * output will be written to |EM|. The |mgf1Hash| argument specifies the hash 338e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * function for generating the mask. If NULL, |Hash| is used. The |sLen| 339e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * argument specifies the expected salt length in bytes. If |sLen| is -1 then 340e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * the salt length is the same as the hash length. If -2, then the salt length 341e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * is maximal given the space in |EM|. 342f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley * 343f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley * It returns one on success or zero on error. */ 344f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam LangleyOPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM, 345f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const uint8_t *mHash, 346f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const EVP_MD *Hash, 347f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const EVP_MD *mgf1Hash, 348f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley int sLen); 349f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley 3504969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to| 3514969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * with the given parameters and hash functions. If |md| is NULL then SHA-1 is 3524969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * used. If |mgf1md| is NULL then the value of |md| is used (which means SHA-1 3534969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * if that, in turn, is NULL). 3544969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * 3554969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * It returns one on success or zero on error. */ 3564969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid BenjaminOPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1( 3576d0d00e090b753250659b9a2d67dab7467257900Robert Sloan uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len, 3586d0d00e090b753250659b9a2d67dab7467257900Robert Sloan const uint8_t *param, size_t param_len, const EVP_MD *md, 3594969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const EVP_MD *mgf1md); 3604969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin 361b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo 362b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * header for the given hash function and sets |out_msg| to point to it. On 363b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * successful return, |*out_msg| may be allocated memory and, if so, 364b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * |*is_alloced| will be 1. */ 365b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, 366b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root int *is_alloced, int hash_nid, 367b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root const uint8_t *msg, size_t msg_len); 368d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 369d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 370b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* ASN.1 functions. */ 371a04d78d392463df4e69a64360c952ffa5abd22f7Kenny Root 372b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447) 373b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on 374b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * error. */ 375b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs); 376b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 377b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it 378b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * tolerates some invalid encodings. Do not use this function. */ 379b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_parse_public_key_buggy(CBS *cbs); 380b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 381b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure 382b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */ 383b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len); 384b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 385b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure 386b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * (RFC 3447) and appends the result to |cbb|. It returns one on success and 387b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * zero on failure. */ 388b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa); 389b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 390b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey 391b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated 392b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * buffer containing the result and returns one. Otherwise, it returns zero. The 393b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * result should be freed with |OPENSSL_free|. */ 394b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len, 395b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root const RSA *rsa); 396b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 397b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447) 398b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on 399b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * error. */ 400b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs); 401b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 402b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey 403b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */ 404b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in, 405b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root size_t in_len); 406b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 407b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey 408b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * structure (RFC 3447) and appends the result to |cbb|. It returns one on 409b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * success and zero on failure. */ 410b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa); 411b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 412b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey 413b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated 414b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * buffer containing the result and returns one. Otherwise, it returns zero. The 415b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * result should be freed with |OPENSSL_free|. */ 416b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes, 417b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root size_t *out_len, const RSA *rsa); 418d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 419d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 420d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* ex_data functions. 421d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 422e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * See |ex_data.h| for details. */ 423d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 424d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp, 4254139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley CRYPTO_EX_unused *unused, 426d9e397b599b13d642138480a28c14db7a136bf0Adam Langley CRYPTO_EX_dup *dup_func, 427d9e397b599b13d642138480a28c14db7a136bf0Adam Langley CRYPTO_EX_free *free_func); 428d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_set_ex_data(RSA *r, int idx, void *arg); 429d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT void *RSA_get_ex_data(const RSA *r, int idx); 430d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 431b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 432b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* Flags. */ 433b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 434d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key 435d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * material. This may be set if, for instance, it is wrapping some other crypto 436d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * API, like a platform key store. */ 437d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_OPAQUE 1 438d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 4394969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* Deprecated and ignored. */ 440d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_CACHE_PUBLIC 2 441d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 4424969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* Deprecated and ignored. */ 443d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_CACHE_PRIVATE 4 444d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 4454969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a 4469aaebef260163f2eda55612a488ffa4b89cd26afDavid Benjamin * dangerous thing to do. It is deprecated and should not be used. It will 4479aaebef260163f2eda55612a488ffa4b89cd26afDavid Benjamin * be ignored whenever possible. 4484969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * 4494969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * This flag must be used if a key without the public exponent |e| is used for 4504969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * private key operations; avoid using such keys whenever possible. */ 451d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_NO_BLINDING 8 452d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 4534969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_FLAG_EXT_PKEY is deprecated and ignored. */ 454d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_EXT_PKEY 0x20 455d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 456d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st| 457d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * to be called when set. */ 458d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_SIGN_VER 0x40 459d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 460d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 461d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA public exponent values. */ 462d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 463d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_3 0x3 464d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_F4 0x10001 465d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 466d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 467f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley/* Deprecated functions. */ 468f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley 469f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley/* RSA_blinding_on returns one. */ 470f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam LangleyOPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); 471f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley 472b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you 473b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * should use instead. It returns NULL on error, or a newly-allocated |RSA| on 474b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * success. This function is provided for compatibility only. The |callback| 475b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * and |cb_arg| parameters must be NULL. */ 476b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback, 477b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root void *cb_arg); 478b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 479b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len| 480b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result 4814969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it 4824969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * will not be written to. Rather, a fresh |RSA| is allocated and the previous 4834969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * one is freed. On successful exit, |*inp| is advanced past the DER structure. 4844969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * It returns the result or NULL on error. */ 485b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len); 486b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 487b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not 488b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * NULL then the result is written to |*outp| and |*outp| is advanced just past 489b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * the output. It returns the number of bytes in the result, whether written or 490b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * not, or a negative value on error. */ 491b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp); 492b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 493b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len| 494b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result 4954969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it 4964969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * will not be written to. Rather, a fresh |RSA| is allocated and the previous 4974969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * one is freed. On successful exit, |*inp| is advanced past the DER structure. 4984969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * It returns the result or NULL on error. */ 499b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len); 500b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 501b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not 502b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * NULL then the result is written to |*outp| and |*outp| is advanced just past 503b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * the output. It returns the number of bytes in the result, whether written or 504b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * not, or a negative value on error. */ 505b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp); 506b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 5074969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the 5084969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. */ 5094969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid BenjaminOPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(RSA *rsa, uint8_t *EM, 5104969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const uint8_t *mHash, 5114969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const EVP_MD *Hash, int sLen); 5124969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin 5134969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the 5144969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. */ 5154969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid BenjaminOPENSSL_EXPORT int RSA_verify_PKCS1_PSS(RSA *rsa, const uint8_t *mHash, 5164969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const EVP_MD *Hash, const uint8_t *EM, 5174969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin int sLen); 518b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 5194969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but 520b0b45c63bbbf16b7f5ff3cbe3f1d0905108038aaSteven Valdez * the |md| and |mgf1md| parameters of the latter are implicitly set to NULL, 5214969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * which means SHA-1. */ 5226d0d00e090b753250659b9a2d67dab7467257900Robert SloanOPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len, 5234969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const uint8_t *from, 5246d0d00e090b753250659b9a2d67dab7467257900Robert Sloan size_t from_len, 5254969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const uint8_t *param, 5266d0d00e090b753250659b9a2d67dab7467257900Robert Sloan size_t param_len); 527b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 528f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley 529d9e397b599b13d642138480a28c14db7a136bf0Adam Langleystruct rsa_meth_st { 530d9e397b599b13d642138480a28c14db7a136bf0Adam Langley struct openssl_method_common_st common; 531d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 532d9e397b599b13d642138480a28c14db7a136bf0Adam Langley void *app_data; 533d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 534d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*init)(RSA *rsa); 535d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*finish)(RSA *rsa); 536d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 537d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* size returns the size of the RSA modulus in bytes. */ 538d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t (*size)(const RSA *rsa); 539d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 540d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*sign)(int type, const uint8_t *m, unsigned int m_length, 541d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *sigret, unsigned int *siglen, const RSA *rsa); 542d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 5434969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin /* Ignored. Set this to NULL. */ 544d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*verify)(int dtype, const uint8_t *m, unsigned int m_length, 545d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *sigbuf, unsigned int siglen, const RSA *rsa); 546d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 547d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 548d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* These functions mirror the |RSA_*| functions of the same name. */ 549d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*encrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 550d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *in, size_t in_len, int padding); 551d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 552d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *in, size_t in_len, int padding); 553d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 554d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 555d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *in, size_t in_len, int padding); 5564969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin /* Ignored. Set this to NULL. */ 557d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*verify_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 558d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *in, size_t in_len, int padding); 559d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 560d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* private_transform takes a big-endian integer from |in|, calculates the 561d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * d'th power of it, modulo the RSA modulus and writes the result as a 562d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and 563d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |len| is always equal to |RSA_size(rsa)|. If the result of the transform 564d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * can be represented in fewer than |len| bytes, then |out| must be zero 565d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * padded on the left. 566d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 567d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns one on success and zero otherwise. 568d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 569d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * RSA decrypt and sign operations will call this, thus an ENGINE might wish 570d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * to override it in order to avoid having to implement the padding 571d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * functionality demanded by those, higher level, operations. */ 572d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in, 573d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t len); 574d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 5754969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin /* mod_exp is deprecated and ignored. Set it to NULL. */ 5764969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin int (*mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); 5774969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin 5784969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin /* bn_mod_exp is deprecated and ignored. Set it to NULL. */ 579d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 580d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const BIGNUM *m, BN_CTX *ctx, 581fad6327e4112082b1e77e89a995723f26bd5a9aaAdam Langley const BN_MONT_CTX *mont); 582d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 583d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int flags; 584d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 585d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); 586d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 587b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root int (*multi_prime_keygen)(RSA *rsa, int bits, int num_primes, BIGNUM *e, 588b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root BN_GENCB *cb); 589b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 590d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* supports_digest returns one if |rsa| supports digests of type 591d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |md|. If null, it is assumed that all digests are supported. */ 592d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*supports_digest)(const RSA *rsa, const EVP_MD *md); 593d9e397b599b13d642138480a28c14db7a136bf0Adam Langley}; 594d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 595d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 596d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Private functions. */ 597d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 598d9e397b599b13d642138480a28c14db7a136bf0Adam Langleytypedef struct bn_blinding_st BN_BLINDING; 599d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 600d9e397b599b13d642138480a28c14db7a136bf0Adam Langleystruct rsa_st { 601d9e397b599b13d642138480a28c14db7a136bf0Adam Langley RSA_METHOD *meth; 602d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 603d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *n; 604d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *e; 605d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *d; 606d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *p; 607d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *q; 608d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *dmp1; 609d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *dmq1; 610d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *iqmp; 611b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 612b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root STACK_OF(RSA_additional_prime) *additional_primes; 613b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 614d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* be careful using this if the RSA structure is shared */ 615d9e397b599b13d642138480a28c14db7a136bf0Adam Langley CRYPTO_EX_DATA ex_data; 616f4e427204234da139fd0585def4b4e22502e33f0Adam Langley CRYPTO_refcount_t references; 617d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int flags; 618d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 619e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley CRYPTO_MUTEX lock; 620e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley 621e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley /* Used to cache montgomery values. The creation of these values is protected 622e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * by |lock|. */ 623fad6327e4112082b1e77e89a995723f26bd5a9aaAdam Langley BN_MONT_CTX *mont_n; 624fad6327e4112082b1e77e89a995723f26bd5a9aaAdam Langley BN_MONT_CTX *mont_p; 625fad6327e4112082b1e77e89a995723f26bd5a9aaAdam Langley BN_MONT_CTX *mont_q; 626d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 627d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* num_blindings contains the size of the |blindings| and |blindings_inuse| 628d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * arrays. This member and the |blindings_inuse| array are protected by 629e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * |lock|. */ 630d9e397b599b13d642138480a28c14db7a136bf0Adam Langley unsigned num_blindings; 631d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* blindings is an array of BN_BLINDING structures that can be reserved by a 632e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * thread by locking |lock| and changing the corresponding element in 633e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * |blindings_inuse| from 0 to 1. */ 634d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BN_BLINDING **blindings; 635d9e397b599b13d642138480a28c14db7a136bf0Adam Langley unsigned char *blindings_inuse; 636d9e397b599b13d642138480a28c14db7a136bf0Adam Langley}; 637d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 638d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 639d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#if defined(__cplusplus) 640d9e397b599b13d642138480a28c14db7a136bf0Adam Langley} /* extern C */ 641f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 642f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjaminextern "C++" { 643f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 644f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjaminnamespace bssl { 645f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 646f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid BenjaminBORINGSSL_MAKE_DELETER(RSA, RSA_free) 647f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 648f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin} // namespace bssl 649f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 650f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin} /* extern C++ */ 651f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 652d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#endif 653d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 6544969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_ENCODING 100 6554969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_E_VALUE 101 6564969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102 6574969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_PAD_BYTE_COUNT 103 6584969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_RSA_PARAMETERS 104 6594969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_SIGNATURE 105 6604969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_VERSION 106 6614969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BLOCK_TYPE_IS_NOT_01 107 6624969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BN_NOT_INITIALIZED 108 6634969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY 109 6644969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 110 6654969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_CRT_VALUES_INCORRECT 111 6664969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 112 6674969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_LARGE 113 6684969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 114 6694969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 115 6704969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_SMALL 116 6714969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 117 6724969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 118 6734969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_D_E_NOT_CONGRUENT_TO_1 119 6744969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_EMPTY_PUBLIC_KEY 120 6754969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_ENCODE_ERROR 121 6764969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_FIRST_OCTET_INVALID 122 6774969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 123 6784969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_INTERNAL_ERROR 124 6794969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_INVALID_MESSAGE_LENGTH 125 6804969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_KEY_SIZE_TOO_SMALL 126 6814969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_LAST_OCTET_INVALID 127 6824969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_MODULUS_TOO_LARGE 128 6834969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES 129 6844969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_NO_PUBLIC_EXPONENT 130 6854969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_NULL_BEFORE_BLOCK_MISSING 131 6864969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_N_NOT_EQUAL_P_Q 132 6874969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_OAEP_DECODING_ERROR 133 6884969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 134 6894969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 135 6904969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_PADDING_CHECK_FAILED 136 6914969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_PKCS_DECODING_ERROR 137 6924969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_SLEN_CHECK_FAILED 138 6934969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_SLEN_RECOVERY_FAILED 139 6944969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_TOO_LONG 140 6954969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_TOO_MANY_ITERATIONS 141 6964969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_UNKNOWN_ALGORITHM_TYPE 142 6974969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_UNKNOWN_PADDING_TYPE 143 6984969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_VALUE_MISSING 144 6994969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_WRONG_SIGNATURE_LENGTH 145 700d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 701d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#endif /* OPENSSL_HEADER_RSA_H */ 702