1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57#ifndef OPENSSL_HEADER_RSA_H 58#define OPENSSL_HEADER_RSA_H 59 60#include <openssl/base.h> 61 62#include <openssl/engine.h> 63#include <openssl/ex_data.h> 64#include <openssl/thread.h> 65 66#if defined(__cplusplus) 67extern "C" { 68#endif 69 70 71/* rsa.h contains functions for handling encryption and signature using RSA. */ 72 73 74/* Allocation and destruction. */ 75 76/* RSA_new returns a new, empty RSA object or NULL on error. */ 77OPENSSL_EXPORT RSA *RSA_new(void); 78 79/* RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. */ 80OPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine); 81 82/* RSA_free decrements the reference count of |rsa| and frees it if the 83 * reference count drops to zero. */ 84OPENSSL_EXPORT void RSA_free(RSA *rsa); 85 86/* RSA_up_ref increments the reference count of |rsa| and returns one. */ 87OPENSSL_EXPORT int RSA_up_ref(RSA *rsa); 88 89 90/* Properties. */ 91 92/* RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s 93 * modulus, public exponent, and private exponent, respectively. If |rsa| is a 94 * public key, the private exponent will be set to NULL. */ 95OPENSSL_EXPORT void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, 96 const BIGNUM **out_e, const BIGNUM **out_d); 97 98/* RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime 99 * factors. If |rsa| is a public key, they will be set to NULL. */ 100OPENSSL_EXPORT void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, 101 const BIGNUM **out_q); 102 103/* RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if 104 * non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and 105 * q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be 106 * set to NULL. */ 107OPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, 108 const BIGNUM **out_dmq1, 109 const BIGNUM **out_iqmp); 110 111 112/* Key generation. */ 113 114/* RSA_generate_key_ex generates a new RSA key where the modulus has size 115 * |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value 116 * for |e|. If |cb| is not NULL then it is called during the key generation 117 * process. In addition to the calls documented for |BN_generate_prime_ex|, it 118 * is called with event=2 when the n'th prime is rejected as unsuitable and 119 * with event=3 when a suitable value for |p| is found. 120 * 121 * It returns one on success or zero on error. */ 122OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, 123 BN_GENCB *cb); 124 125/* RSA_generate_key_fips behaves like |RSA_generate_key_ex| but performs 126 * additional checks for FIPS compliance. The public exponent is always 65537 127 * and |bits| must be either 2048 or 3072. */ 128OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb); 129 130 131/* Encryption / Decryption */ 132 133/* Padding types for encryption. */ 134#define RSA_PKCS1_PADDING 1 135#define RSA_NO_PADDING 3 136#define RSA_PKCS1_OAEP_PADDING 4 137/* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */ 138#define RSA_PKCS1_PSS_PADDING 6 139 140/* RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa| 141 * and writes, at most, |max_out| bytes of encrypted data to |out|. The 142 * |max_out| argument must be, at least, |RSA_size| in order to ensure success. 143 * 144 * It returns 1 on success or zero on error. 145 * 146 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 147 * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but 148 * |RSA_PKCS1_PADDING| is most common. */ 149OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, 150 size_t max_out, const uint8_t *in, size_t in_len, 151 int padding); 152 153/* RSA_decrypt decrypts |in_len| bytes from |in| with the private key from 154 * |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The 155 * |max_out| argument must be, at least, |RSA_size| in order to ensure success. 156 * 157 * It returns 1 on success or zero on error. 158 * 159 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 160 * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. 161 * 162 * Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If 163 * implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then 164 * check padding in constant-time combined with a swap to a random session key 165 * or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based 166 * on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in 167 * Cryptology (Crypto '98). */ 168OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, 169 size_t max_out, const uint8_t *in, size_t in_len, 170 int padding); 171 172/* RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in 173 * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at 174 * least |RSA_size| bytes of space. It returns the number of bytes written, or 175 * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| 176 * values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but 177 * |RSA_PKCS1_PADDING| is most common. 178 * 179 * WARNING: this function is dangerous because it breaks the usual return value 180 * convention. Use |RSA_encrypt| instead. */ 181OPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from, 182 uint8_t *to, RSA *rsa, int padding); 183 184/* RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in 185 * |rsa| and writes the plaintext to |to|. The |to| buffer must have at least 186 * |RSA_size| bytes of space. It returns the number of bytes written, or -1 on 187 * error. The |padding| argument must be one of the |RSA_*_PADDING| values. If 188 * in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing 189 * |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See 190 * |RSA_decrypt|. 191 * 192 * WARNING: this function is dangerous because it breaks the usual return value 193 * convention. Use |RSA_decrypt| instead. */ 194OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from, 195 uint8_t *to, RSA *rsa, int padding); 196 197 198/* Signing / Verification */ 199 200/* RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using 201 * RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On 202 * successful return, the actual number of bytes written is written to 203 * |*out_len|. 204 * 205 * The |hash_nid| argument identifies the hash function used to calculate |in| 206 * and is embedded in the resulting signature. For example, it might be 207 * |NID_sha256|. 208 * 209 * It returns 1 on success and zero on error. */ 210OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in, 211 unsigned int in_len, uint8_t *out, 212 unsigned int *out_len, RSA *rsa); 213 214/* RSA_sign_pss_mgf1 signs |in_len| bytes from |in| with the public key from 215 * |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It writes, 216 * at most, |max_out| bytes of signature data to |out|. The |max_out| argument 217 * must be, at least, |RSA_size| in order to ensure success. It returns 1 on 218 * success or zero on error. 219 * 220 * The |md| and |mgf1_md| arguments identify the hash used to calculate |msg| 221 * and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is 222 * used. 223 * 224 * |salt_len| specifies the expected salt length in bytes. If |salt_len| is -1, 225 * then the salt length is the same as the hash length. If -2, then the salt 226 * length is maximal given the size of |rsa|. If unsure, use -1. */ 227OPENSSL_EXPORT int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, 228 size_t max_out, const uint8_t *in, 229 size_t in_len, const EVP_MD *md, 230 const EVP_MD *mgf1_md, int salt_len); 231 232/* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa| 233 * and writes, at most, |max_out| bytes of signature data to |out|. The 234 * |max_out| argument must be, at least, |RSA_size| in order to ensure success. 235 * 236 * It returns 1 on success or zero on error. 237 * 238 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 239 * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING| 240 * (via the |EVP_PKEY| interface) is preferred for new protocols. */ 241OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, 242 size_t max_out, const uint8_t *in, 243 size_t in_len, int padding); 244 245/* RSA_verify verifies that |sig_len| bytes from |sig| are a valid, 246 * RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|. 247 * 248 * The |hash_nid| argument identifies the hash function used to calculate |msg| 249 * and is embedded in the resulting signature in order to prevent hash 250 * confusion attacks. For example, it might be |NID_sha256|. 251 * 252 * It returns one if the signature is valid and zero otherwise. 253 * 254 * WARNING: this differs from the original, OpenSSL function which additionally 255 * returned -1 on error. */ 256OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len, 257 const uint8_t *sig, size_t sig_len, RSA *rsa); 258 259/* RSA_verify_pss_mgf1 verifies that |sig_len| bytes from |sig| are a valid, 260 * RSASSA-PSS signature of |msg_len| bytes at |msg| by |rsa|. It returns one if 261 * the signature is valid and zero otherwise. MGF1 is used as the mask 262 * generation function. 263 * 264 * The |md| and |mgf1_md| arguments identify the hash used to calculate |msg| 265 * and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is 266 * used. |salt_len| specifies the expected salt length in bytes. 267 * 268 * If |salt_len| is -1, then the salt length is the same as the hash length. If 269 * -2, then the salt length is recovered and all values accepted. If unsure, use 270 * -1. */ 271OPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, 272 size_t msg_len, const EVP_MD *md, 273 const EVP_MD *mgf1_md, int salt_len, 274 const uint8_t *sig, size_t sig_len); 275 276/* RSA_verify_raw verifies |in_len| bytes of signature from |in| using the 277 * public key from |rsa| and writes, at most, |max_out| bytes of plaintext to 278 * |out|. The |max_out| argument must be, at least, |RSA_size| in order to 279 * ensure success. 280 * 281 * It returns 1 on success or zero on error. 282 * 283 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 284 * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING| 285 * (via the |EVP_PKEY| interface) is preferred for new protocols. */ 286OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, 287 size_t max_out, const uint8_t *in, 288 size_t in_len, int padding); 289 290/* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in 291 * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at 292 * least |RSA_size| bytes of space. It returns the number of bytes written, or 293 * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| 294 * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but 295 * |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new 296 * protocols. 297 * 298 * WARNING: this function is dangerous because it breaks the usual return value 299 * convention. Use |RSA_sign_raw| instead. */ 300OPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from, 301 uint8_t *to, RSA *rsa, int padding); 302 303/* RSA_public_decrypt verifies |flen| bytes of signature from |from| using the 304 * public key in |rsa| and writes the plaintext to |to|. The |to| buffer must 305 * have at least |RSA_size| bytes of space. It returns the number of bytes 306 * written, or -1 on error. The |padding| argument must be one of the 307 * |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common 308 * but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for 309 * new protocols. 310 * 311 * WARNING: this function is dangerous because it breaks the usual return value 312 * convention. Use |RSA_verify_raw| instead. */ 313OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from, 314 uint8_t *to, RSA *rsa, int padding); 315 316 317/* Utility functions. */ 318 319/* RSA_size returns the number of bytes in the modulus, which is also the size 320 * of a signature or encrypted value using |rsa|. */ 321OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa); 322 323/* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key 324 * material. Otherwise it returns zero. */ 325OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa); 326 327/* RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from 328 * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */ 329OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa); 330 331/* RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from 332 * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */ 333OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa); 334 335/* RSA_check_key performs basic validity tests on |rsa|. It returns one if 336 * they pass and zero otherwise. Opaque keys and public keys always pass. If it 337 * returns zero then a more detailed error is available on the error queue. */ 338OPENSSL_EXPORT int RSA_check_key(const RSA *rsa); 339 340/* RSA_check_fips performs public key validity tests on |key|. It returns one 341 * if they pass and zero otherwise. Opaque keys always fail. */ 342OPENSSL_EXPORT int RSA_check_fips(RSA *key); 343 344/* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of 345 * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to 346 * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the 347 * hash function for generating the mask. If NULL, |Hash| is used. The |sLen| 348 * argument specifies the expected salt length in bytes. If |sLen| is -1 then 349 * the salt length is the same as the hash length. If -2, then the salt length 350 * is recovered and all values accepted. 351 * 352 * If unsure, use -1. 353 * 354 * It returns one on success or zero on error. 355 * 356 * This function implements only the low-level padding logic. Use 357 * |RSA_verify_pss_mgf1| instead. */ 358OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash, 359 const EVP_MD *Hash, 360 const EVP_MD *mgf1Hash, 361 const uint8_t *EM, int sLen); 362 363/* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|, 364 * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of 365 * output will be written to |EM|. The |mgf1Hash| argument specifies the hash 366 * function for generating the mask. If NULL, |Hash| is used. The |sLen| 367 * argument specifies the expected salt length in bytes. If |sLen| is -1 then 368 * the salt length is the same as the hash length. If -2, then the salt length 369 * is maximal given the space in |EM|. 370 * 371 * It returns one on success or zero on error. 372 * 373 * This function implements only the low-level padding logic. Use 374 * |RSA_sign_pss_mgf1| instead. */ 375OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM, 376 const uint8_t *mHash, 377 const EVP_MD *Hash, 378 const EVP_MD *mgf1Hash, 379 int sLen); 380 381/* RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to| 382 * with the given parameters and hash functions. If |md| is NULL then SHA-1 is 383 * used. If |mgf1md| is NULL then the value of |md| is used (which means SHA-1 384 * if that, in turn, is NULL). 385 * 386 * It returns one on success or zero on error. */ 387OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1( 388 uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len, 389 const uint8_t *param, size_t param_len, const EVP_MD *md, 390 const EVP_MD *mgf1md); 391 392/* RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo 393 * header for the given hash function and sets |out_msg| to point to it. On 394 * successful return, |*out_msg| may be allocated memory and, if so, 395 * |*is_alloced| will be 1. */ 396OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, 397 int *is_alloced, int hash_nid, 398 const uint8_t *msg, size_t msg_len); 399 400 401/* ASN.1 functions. */ 402 403/* RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447) 404 * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on 405 * error. */ 406OPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs); 407 408/* RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it 409 * tolerates some invalid encodings. Do not use this function. */ 410OPENSSL_EXPORT RSA *RSA_parse_public_key_buggy(CBS *cbs); 411 412/* RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure 413 * (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */ 414OPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len); 415 416/* RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure 417 * (RFC 3447) and appends the result to |cbb|. It returns one on success and 418 * zero on failure. */ 419OPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa); 420 421/* RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey 422 * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated 423 * buffer containing the result and returns one. Otherwise, it returns zero. The 424 * result should be freed with |OPENSSL_free|. */ 425OPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len, 426 const RSA *rsa); 427 428/* RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447) 429 * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on 430 * error. */ 431OPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs); 432 433/* RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey 434 * structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */ 435OPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in, 436 size_t in_len); 437 438/* RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey 439 * structure (RFC 3447) and appends the result to |cbb|. It returns one on 440 * success and zero on failure. */ 441OPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa); 442 443/* RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey 444 * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated 445 * buffer containing the result and returns one. Otherwise, it returns zero. The 446 * result should be freed with |OPENSSL_free|. */ 447OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes, 448 size_t *out_len, const RSA *rsa); 449 450 451/* ex_data functions. 452 * 453 * See |ex_data.h| for details. */ 454 455OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp, 456 CRYPTO_EX_unused *unused, 457 CRYPTO_EX_dup *dup_unused, 458 CRYPTO_EX_free *free_func); 459OPENSSL_EXPORT int RSA_set_ex_data(RSA *r, int idx, void *arg); 460OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *r, int idx); 461 462 463/* Flags. */ 464 465/* RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key 466 * material. This may be set if, for instance, it is wrapping some other crypto 467 * API, like a platform key store. */ 468#define RSA_FLAG_OPAQUE 1 469 470/* Deprecated and ignored. */ 471#define RSA_FLAG_CACHE_PUBLIC 2 472 473/* Deprecated and ignored. */ 474#define RSA_FLAG_CACHE_PRIVATE 4 475 476/* RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a 477 * dangerous thing to do. It is deprecated and should not be used. It will 478 * be ignored whenever possible. 479 * 480 * This flag must be used if a key without the public exponent |e| is used for 481 * private key operations; avoid using such keys whenever possible. */ 482#define RSA_FLAG_NO_BLINDING 8 483 484/* RSA_FLAG_EXT_PKEY is deprecated and ignored. */ 485#define RSA_FLAG_EXT_PKEY 0x20 486 487/* RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st| 488 * to be called when set. */ 489#define RSA_FLAG_SIGN_VER 0x40 490 491 492/* RSA public exponent values. */ 493 494#define RSA_3 0x3 495#define RSA_F4 0x10001 496 497 498/* Deprecated functions. */ 499 500/* RSA_blinding_on returns one. */ 501OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); 502 503/* RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you 504 * should use instead. It returns NULL on error, or a newly-allocated |RSA| on 505 * success. This function is provided for compatibility only. The |callback| 506 * and |cb_arg| parameters must be NULL. */ 507OPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback, 508 void *cb_arg); 509 510/* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len| 511 * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result 512 * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it 513 * will not be written to. Rather, a fresh |RSA| is allocated and the previous 514 * one is freed. On successful exit, |*inp| is advanced past the DER structure. 515 * It returns the result or NULL on error. */ 516OPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len); 517 518/* i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not 519 * NULL then the result is written to |*outp| and |*outp| is advanced just past 520 * the output. It returns the number of bytes in the result, whether written or 521 * not, or a negative value on error. */ 522OPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp); 523 524/* d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len| 525 * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result 526 * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it 527 * will not be written to. Rather, a fresh |RSA| is allocated and the previous 528 * one is freed. On successful exit, |*inp| is advanced past the DER structure. 529 * It returns the result or NULL on error. */ 530OPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len); 531 532/* i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not 533 * NULL then the result is written to |*outp| and |*outp| is advanced just past 534 * the output. It returns the number of bytes in the result, whether written or 535 * not, or a negative value on error. */ 536OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp); 537 538/* RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the 539 * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. 540 * 541 * This function implements only the low-level padding logic. Use 542 * |RSA_sign_pss_mgf1| instead. */ 543OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(RSA *rsa, uint8_t *EM, 544 const uint8_t *mHash, 545 const EVP_MD *Hash, int sLen); 546 547/* RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the 548 * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. 549 * 550 * This function implements only the low-level padding logic. Use 551 * |RSA_verify_pss_mgf1| instead. */ 552OPENSSL_EXPORT int RSA_verify_PKCS1_PSS(RSA *rsa, const uint8_t *mHash, 553 const EVP_MD *Hash, const uint8_t *EM, 554 int sLen); 555 556/* RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but 557 * the |md| and |mgf1md| parameters of the latter are implicitly set to NULL, 558 * which means SHA-1. */ 559OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len, 560 const uint8_t *from, 561 size_t from_len, 562 const uint8_t *param, 563 size_t param_len); 564 565 566struct rsa_meth_st { 567 struct openssl_method_common_st common; 568 569 void *app_data; 570 571 int (*init)(RSA *rsa); 572 int (*finish)(RSA *rsa); 573 574 /* size returns the size of the RSA modulus in bytes. */ 575 size_t (*size)(const RSA *rsa); 576 577 int (*sign)(int type, const uint8_t *m, unsigned int m_length, 578 uint8_t *sigret, unsigned int *siglen, const RSA *rsa); 579 580 /* Ignored. Set this to NULL. 581 * TODO(davidben): Remove this when 582 * https://github.com/google/conscrypt/commit/bb0571e358e95e1c70ac7a6984fc4d7236cac72f 583 * is in all BoringSSL consumers. */ 584 int (*encrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 585 const uint8_t *in, size_t in_len, int padding); 586 587 /* These functions mirror the |RSA_*| functions of the same name. */ 588 int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 589 const uint8_t *in, size_t in_len, int padding); 590 int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 591 const uint8_t *in, size_t in_len, int padding); 592 593 /* private_transform takes a big-endian integer from |in|, calculates the 594 * d'th power of it, modulo the RSA modulus and writes the result as a 595 * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and 596 * |len| is always equal to |RSA_size(rsa)|. If the result of the transform 597 * can be represented in fewer than |len| bytes, then |out| must be zero 598 * padded on the left. 599 * 600 * It returns one on success and zero otherwise. 601 * 602 * RSA decrypt and sign operations will call this, thus an ENGINE might wish 603 * to override it in order to avoid having to implement the padding 604 * functionality demanded by those, higher level, operations. */ 605 int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in, 606 size_t len); 607 608 int flags; 609}; 610 611 612/* Private functions. */ 613 614typedef struct bn_blinding_st BN_BLINDING; 615 616struct rsa_st { 617 RSA_METHOD *meth; 618 619 BIGNUM *n; 620 BIGNUM *e; 621 BIGNUM *d; 622 BIGNUM *p; 623 BIGNUM *q; 624 BIGNUM *dmp1; 625 BIGNUM *dmq1; 626 BIGNUM *iqmp; 627 628 /* be careful using this if the RSA structure is shared */ 629 CRYPTO_EX_DATA ex_data; 630 CRYPTO_refcount_t references; 631 int flags; 632 633 CRYPTO_MUTEX lock; 634 635 /* Used to cache montgomery values. The creation of these values is protected 636 * by |lock|. */ 637 BN_MONT_CTX *mont_n; 638 BN_MONT_CTX *mont_p; 639 BN_MONT_CTX *mont_q; 640 641 /* num_blindings contains the size of the |blindings| and |blindings_inuse| 642 * arrays. This member and the |blindings_inuse| array are protected by 643 * |lock|. */ 644 unsigned num_blindings; 645 /* blindings is an array of BN_BLINDING structures that can be reserved by a 646 * thread by locking |lock| and changing the corresponding element in 647 * |blindings_inuse| from 0 to 1. */ 648 BN_BLINDING **blindings; 649 unsigned char *blindings_inuse; 650}; 651 652 653#if defined(__cplusplus) 654} /* extern C */ 655 656extern "C++" { 657 658namespace bssl { 659 660BORINGSSL_MAKE_DELETER(RSA, RSA_free) 661 662} // namespace bssl 663 664} /* extern C++ */ 665 666#endif 667 668#define RSA_R_BAD_ENCODING 100 669#define RSA_R_BAD_E_VALUE 101 670#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102 671#define RSA_R_BAD_PAD_BYTE_COUNT 103 672#define RSA_R_BAD_RSA_PARAMETERS 104 673#define RSA_R_BAD_SIGNATURE 105 674#define RSA_R_BAD_VERSION 106 675#define RSA_R_BLOCK_TYPE_IS_NOT_01 107 676#define RSA_R_BN_NOT_INITIALIZED 108 677#define RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY 109 678#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 110 679#define RSA_R_CRT_VALUES_INCORRECT 111 680#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 112 681#define RSA_R_DATA_TOO_LARGE 113 682#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 114 683#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 115 684#define RSA_R_DATA_TOO_SMALL 116 685#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 117 686#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 118 687#define RSA_R_D_E_NOT_CONGRUENT_TO_1 119 688#define RSA_R_EMPTY_PUBLIC_KEY 120 689#define RSA_R_ENCODE_ERROR 121 690#define RSA_R_FIRST_OCTET_INVALID 122 691#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 123 692#define RSA_R_INTERNAL_ERROR 124 693#define RSA_R_INVALID_MESSAGE_LENGTH 125 694#define RSA_R_KEY_SIZE_TOO_SMALL 126 695#define RSA_R_LAST_OCTET_INVALID 127 696#define RSA_R_MODULUS_TOO_LARGE 128 697#define RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES 129 698#define RSA_R_NO_PUBLIC_EXPONENT 130 699#define RSA_R_NULL_BEFORE_BLOCK_MISSING 131 700#define RSA_R_N_NOT_EQUAL_P_Q 132 701#define RSA_R_OAEP_DECODING_ERROR 133 702#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 134 703#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 135 704#define RSA_R_PADDING_CHECK_FAILED 136 705#define RSA_R_PKCS_DECODING_ERROR 137 706#define RSA_R_SLEN_CHECK_FAILED 138 707#define RSA_R_SLEN_RECOVERY_FAILED 139 708#define RSA_R_TOO_LONG 140 709#define RSA_R_TOO_MANY_ITERATIONS 141 710#define RSA_R_UNKNOWN_ALGORITHM_TYPE 142 711#define RSA_R_UNKNOWN_PADDING_TYPE 143 712#define RSA_R_VALUE_MISSING 144 713#define RSA_R_WRONG_SIGNATURE_LENGTH 145 714#define RSA_R_PUBLIC_KEY_VALIDATION_FAILED 146 715 716#endif /* OPENSSL_HEADER_RSA_H */ 717