1d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * All rights reserved. 3d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 4d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * This package is an SSL implementation written 5d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * by Eric Young (eay@cryptsoft.com). 6d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The implementation was written so as to conform with Netscapes SSL. 7d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 8d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * This library is free for commercial and non-commercial use as long as 9d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * the following conditions are aheared to. The following conditions 10d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * apply to all code found in this distribution, be it the RC4, RSA, 11d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * included with this distribution is covered by the same copyright terms 13d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 15d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * Copyright remains Eric Young's, and as such any Copyright notices in 16d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * the code are not to be removed. 17d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * If this package is used in a product, Eric Young should be given attribution 18d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * as the author of the parts of the library used. 19d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * This can be in the form of a textual message at program startup or 20d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * in documentation (online or textual) provided with the package. 21d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 22d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * Redistribution and use in source and binary forms, with or without 23d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * modification, are permitted provided that the following conditions 24d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * are met: 25d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 1. Redistributions of source code must retain the copyright 26d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * notice, this list of conditions and the following disclaimer. 27d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 2. Redistributions in binary form must reproduce the above copyright 28d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * notice, this list of conditions and the following disclaimer in the 29d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * documentation and/or other materials provided with the distribution. 30d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 3. All advertising materials mentioning features or use of this software 31d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * must display the following acknowledgement: 32d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * "This product includes cryptographic software written by 33d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * Eric Young (eay@cryptsoft.com)" 34d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The word 'cryptographic' can be left out if the rouines from the library 35d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * being used are not cryptographic related :-). 36d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 4. If you include any Windows specific code (or a derivative thereof) from 37d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * the apps directory (application code) you must include an acknowledgement: 38d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 40d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * SUCH DAMAGE. 51d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 52d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The licence and distribution terms for any publically available version or 53d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * derivative of this code cannot be changed. i.e. this code cannot simply be 54d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * copied and put under another distribution licence 55d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * [including the GNU Public Licence.] */ 56d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 57d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#ifndef OPENSSL_HEADER_RSA_H 58d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define OPENSSL_HEADER_RSA_H 59d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 60d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#include <openssl/base.h> 61d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 62d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#include <openssl/engine.h> 63d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#include <openssl/ex_data.h> 64e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley#include <openssl/thread.h> 65d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 66d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#if defined(__cplusplus) 67d9e397b599b13d642138480a28c14db7a136bf0Adam Langleyextern "C" { 68d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#endif 69d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 70d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 71d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* rsa.h contains functions for handling encryption and signature using RSA. */ 72d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 73d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 74d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Allocation and destruction. */ 75d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 76d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_new returns a new, empty RSA object or NULL on error. */ 77d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT RSA *RSA_new(void); 78d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 79d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. */ 80d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine); 81d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 82d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_free decrements the reference count of |rsa| and frees it if the 83d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * reference count drops to zero. */ 84d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT void RSA_free(RSA *rsa); 85d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 86c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* RSA_up_ref increments the reference count of |rsa| and returns one. */ 87d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_up_ref(RSA *rsa); 88d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 89d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 90c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* Properties. */ 91c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 92c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s 93c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * modulus, public exponent, and private exponent, respectively. If |rsa| is a 94c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * public key, the private exponent will be set to NULL. */ 95c895d6b1c580258e72e1ed3fcc86d38970ded9e1David BenjaminOPENSSL_EXPORT void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, 96c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin const BIGNUM **out_e, const BIGNUM **out_d); 97c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 98c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime 99572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * factors. If |rsa| is a public key, they will be set to NULL. */ 100c895d6b1c580258e72e1ed3fcc86d38970ded9e1David BenjaminOPENSSL_EXPORT void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, 101c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin const BIGNUM **out_q); 102c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 103c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin/* RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if 104c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and 105c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin * q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be 106572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * set to NULL. */ 107c895d6b1c580258e72e1ed3fcc86d38970ded9e1David BenjaminOPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, 108c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin const BIGNUM **out_dmq1, 109c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin const BIGNUM **out_iqmp); 110c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 111c895d6b1c580258e72e1ed3fcc86d38970ded9e1David Benjamin 112d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Key generation. */ 113d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 114d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_generate_key_ex generates a new RSA key where the modulus has size 115d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value 116d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * for |e|. If |cb| is not NULL then it is called during the key generation 117d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * process. In addition to the calls documented for |BN_generate_prime_ex|, it 118d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * is called with event=2 when the n'th prime is rejected as unsuitable and 119d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * with event=3 when a suitable value for |p| is found. 120d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 121d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns one on success or zero on error. */ 122d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, 123d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BN_GENCB *cb); 124d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 1258ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan/* RSA_generate_key_fips behaves like |RSA_generate_key_ex| but performs 1268ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * additional checks for FIPS compliance. The public exponent is always 65537 1278ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * and |bits| must be either 2048 or 3072. */ 1288ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert SloanOPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb); 1298ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan 130d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 131d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Encryption / Decryption */ 132d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 133d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Padding types for encryption. */ 134d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_PKCS1_PADDING 1 135d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_NO_PADDING 3 136d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_PKCS1_OAEP_PADDING 4 137d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */ 138d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_PKCS1_PSS_PADDING 6 139d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 140d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa| 141d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * and writes, at most, |max_out| bytes of encrypted data to |out|. The 142d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |max_out| argument must be, at least, |RSA_size| in order to ensure success. 143d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 144d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success or zero on error. 145d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 146d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 1474139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but 1484139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_PKCS1_PADDING| is most common. */ 149d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, 150d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t max_out, const uint8_t *in, size_t in_len, 151d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int padding); 152d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 153d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_decrypt decrypts |in_len| bytes from |in| with the private key from 154d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The 155d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |max_out| argument must be, at least, |RSA_size| in order to ensure success. 156d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 157d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success or zero on error. 158d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 159d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 1604139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. 1614139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * 1624139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If 1634139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then 1644139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * check padding in constant-time combined with a swap to a random session key 1654139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based 1664139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in 1674139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * Cryptology (Crypto '98). */ 168d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, 169d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t max_out, const uint8_t *in, size_t in_len, 170d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int padding); 171d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 172d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in 173d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at 174d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * least |RSA_size| bytes of space. It returns the number of bytes written, or 175d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| 1764139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but 1774139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_PKCS1_PADDING| is most common. 178d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 179d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this function is dangerous because it breaks the usual return value 180d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * convention. Use |RSA_encrypt| instead. */ 181e99801b603dea8893dcc61c70b327ef2d00b652cKenny RootOPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from, 182d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *to, RSA *rsa, int padding); 183d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 184d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in 1854139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |rsa| and writes the plaintext to |to|. The |to| buffer must have at least 1864139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_size| bytes of space. It returns the number of bytes written, or -1 on 1874139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * error. The |padding| argument must be one of the |RSA_*_PADDING| values. If 1884139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing 1894139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See 1904139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_decrypt|. 191d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 192d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this function is dangerous because it breaks the usual return value 193d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * convention. Use |RSA_decrypt| instead. */ 194e99801b603dea8893dcc61c70b327ef2d00b652cKenny RootOPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from, 195d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *to, RSA *rsa, int padding); 196d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 197d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 198d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Signing / Verification */ 199d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 2004139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley/* RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using 2014139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On 2024139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * successful return, the actual number of bytes written is written to 2034139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |*out_len|. 204d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 205d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |hash_nid| argument identifies the hash function used to calculate |in| 206d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * and is embedded in the resulting signature. For example, it might be 207d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |NID_sha256|. 208d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 209d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success and zero on error. */ 210d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in, 211d9e397b599b13d642138480a28c14db7a136bf0Adam Langley unsigned int in_len, uint8_t *out, 212d9e397b599b13d642138480a28c14db7a136bf0Adam Langley unsigned int *out_len, RSA *rsa); 213d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 2148ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan/* RSA_sign_pss_mgf1 signs |in_len| bytes from |in| with the public key from 2158ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It writes, 2168ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * at most, |max_out| bytes of signature data to |out|. The |max_out| argument 2178ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * must be, at least, |RSA_size| in order to ensure success. It returns 1 on 2188ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * success or zero on error. 2198ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * 2208ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * The |md| and |mgf1_md| arguments identify the hash used to calculate |msg| 2218ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is 2228ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * used. 2238ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * 2248ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * |salt_len| specifies the expected salt length in bytes. If |salt_len| is -1, 2258ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * then the salt length is the same as the hash length. If -2, then the salt 2268ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * length is maximal given the size of |rsa|. If unsure, use -1. */ 2278ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert SloanOPENSSL_EXPORT int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, 2288ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan size_t max_out, const uint8_t *in, 2298ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan size_t in_len, const EVP_MD *md, 2308ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan const EVP_MD *mgf1_md, int salt_len); 2318ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan 232d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa| 233e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * and writes, at most, |max_out| bytes of signature data to |out|. The 234d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |max_out| argument must be, at least, |RSA_size| in order to ensure success. 235d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 236d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success or zero on error. 237d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 238d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 2394139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING| 2404139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * (via the |EVP_PKEY| interface) is preferred for new protocols. */ 241d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, 242d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t max_out, const uint8_t *in, 243d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t in_len, int padding); 244d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 2454139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley/* RSA_verify verifies that |sig_len| bytes from |sig| are a valid, 2464139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|. 247d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 2488ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * The |hash_nid| argument identifies the hash function used to calculate |msg| 249d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * and is embedded in the resulting signature in order to prevent hash 250d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * confusion attacks. For example, it might be |NID_sha256|. 251d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 252d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns one if the signature is valid and zero otherwise. 253d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 254d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this differs from the original, OpenSSL function which additionally 255d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * returned -1 on error. */ 256d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len, 257d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *sig, size_t sig_len, RSA *rsa); 258d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 2598ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan/* RSA_verify_pss_mgf1 verifies that |sig_len| bytes from |sig| are a valid, 2608ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * RSASSA-PSS signature of |msg_len| bytes at |msg| by |rsa|. It returns one if 2618ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * the signature is valid and zero otherwise. MGF1 is used as the mask 2628ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * generation function. 2638ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * 2648ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * The |md| and |mgf1_md| arguments identify the hash used to calculate |msg| 2658ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is 2668ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * used. |salt_len| specifies the expected salt length in bytes. 2678ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * 2688ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * If |salt_len| is -1, then the salt length is the same as the hash length. If 2698ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * -2, then the salt length is recovered and all values accepted. If unsure, use 2708ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * -1. */ 2718ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert SloanOPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, 2728ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan size_t msg_len, const EVP_MD *md, 2738ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan const EVP_MD *mgf1_md, int salt_len, 2748ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan const uint8_t *sig, size_t sig_len); 2758ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan 276d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_verify_raw verifies |in_len| bytes of signature from |in| using the 277d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * public key from |rsa| and writes, at most, |max_out| bytes of plaintext to 278d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |out|. The |max_out| argument must be, at least, |RSA_size| in order to 279d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * ensure success. 280d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 281d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns 1 on success or zero on error. 282d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 283d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * The |padding| argument must be one of the |RSA_*_PADDING| values. If in 2844139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING| 2854139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * (via the |EVP_PKEY| interface) is preferred for new protocols. */ 286d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, 287d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t max_out, const uint8_t *in, 288d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t in_len, int padding); 289d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 290d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in 291d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at 292d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * least |RSA_size| bytes of space. It returns the number of bytes written, or 293d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| 2944139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but 2954139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new 2964139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * protocols. 297d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 298d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this function is dangerous because it breaks the usual return value 299d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * convention. Use |RSA_sign_raw| instead. */ 300e99801b603dea8893dcc61c70b327ef2d00b652cKenny RootOPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from, 301d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *to, RSA *rsa, int padding); 302d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 303b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_public_decrypt verifies |flen| bytes of signature from |from| using the 304d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * public key in |rsa| and writes the plaintext to |to|. The |to| buffer must 305d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * have at least |RSA_size| bytes of space. It returns the number of bytes 306d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * written, or -1 on error. The |padding| argument must be one of the 3074139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common 3084139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for 3094139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley * new protocols. 310d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 311d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * WARNING: this function is dangerous because it breaks the usual return value 312d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * convention. Use |RSA_verify_raw| instead. */ 313e99801b603dea8893dcc61c70b327ef2d00b652cKenny RootOPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from, 314d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *to, RSA *rsa, int padding); 315d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 316d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 317d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Utility functions. */ 318d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 319d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_size returns the number of bytes in the modulus, which is also the size 320e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * of a signature or encrypted value using |rsa|. */ 321d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT unsigned RSA_size(const RSA *rsa); 322d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 323d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key 324d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * material. Otherwise it returns zero. */ 325d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa); 326d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 327b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from 328d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */ 329d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa); 330d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 331d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from 332d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */ 333d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa); 334d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 335572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan/* RSA_check_key performs basic validity tests on |rsa|. It returns one if 336d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * they pass and zero otherwise. Opaque keys and public keys always pass. If it 337d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * returns zero then a more detailed error is available on the error queue. */ 338d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_check_key(const RSA *rsa); 339d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 340572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan/* RSA_check_fips performs public key validity tests on |key|. It returns one 341572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan * if they pass and zero otherwise. Opaque keys always fail. */ 342572a4e2e687520da9e518528d7371b794b1decc0Robert SloanOPENSSL_EXPORT int RSA_check_fips(RSA *key); 343572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan 344f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley/* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of 345e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to 346e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the 347e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * hash function for generating the mask. If NULL, |Hash| is used. The |sLen| 348e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * argument specifies the expected salt length in bytes. If |sLen| is -1 then 349e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * the salt length is the same as the hash length. If -2, then the salt length 35069939df2891f62f7f00ff2ac275f1cd81a67454cRobert Sloan * is recovered and all values accepted. 35169939df2891f62f7f00ff2ac275f1cd81a67454cRobert Sloan * 35269939df2891f62f7f00ff2ac275f1cd81a67454cRobert Sloan * If unsure, use -1. 353f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley * 3548ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * It returns one on success or zero on error. 3558ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * 3568ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * This function implements only the low-level padding logic. Use 3578ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * |RSA_verify_pss_mgf1| instead. */ 358f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam LangleyOPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash, 359f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const EVP_MD *Hash, 360f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const EVP_MD *mgf1Hash, 361f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const uint8_t *EM, int sLen); 362f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley 363f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley/* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|, 364e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of 365e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * output will be written to |EM|. The |mgf1Hash| argument specifies the hash 366e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * function for generating the mask. If NULL, |Hash| is used. The |sLen| 367e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * argument specifies the expected salt length in bytes. If |sLen| is -1 then 368e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * the salt length is the same as the hash length. If -2, then the salt length 369e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * is maximal given the space in |EM|. 370f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley * 3718ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * It returns one on success or zero on error. 3728ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * 3738ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * This function implements only the low-level padding logic. Use 3748ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * |RSA_sign_pss_mgf1| instead. */ 375f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam LangleyOPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM, 376f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const uint8_t *mHash, 377f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const EVP_MD *Hash, 378f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley const EVP_MD *mgf1Hash, 379f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley int sLen); 380f4dabdd0527bd5cc09ab043ec6b0a53be190d93aAdam Langley 3814969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to| 3824969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * with the given parameters and hash functions. If |md| is NULL then SHA-1 is 3834969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * used. If |mgf1md| is NULL then the value of |md| is used (which means SHA-1 3844969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * if that, in turn, is NULL). 3854969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * 3864969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * It returns one on success or zero on error. */ 3874969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid BenjaminOPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1( 3886d0d00e090b753250659b9a2d67dab7467257900Robert Sloan uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len, 3896d0d00e090b753250659b9a2d67dab7467257900Robert Sloan const uint8_t *param, size_t param_len, const EVP_MD *md, 3904969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const EVP_MD *mgf1md); 3914969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin 392b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo 393b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * header for the given hash function and sets |out_msg| to point to it. On 394b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * successful return, |*out_msg| may be allocated memory and, if so, 395b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * |*is_alloced| will be 1. */ 396b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, 397b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root int *is_alloced, int hash_nid, 398b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root const uint8_t *msg, size_t msg_len); 399d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 400d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 401b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* ASN.1 functions. */ 402a04d78d392463df4e69a64360c952ffa5abd22f7Kenny Root 403b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447) 404b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on 405b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * error. */ 406b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs); 407b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 408b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it 409b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * tolerates some invalid encodings. Do not use this function. */ 410b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_parse_public_key_buggy(CBS *cbs); 411b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 412b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure 413b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */ 414b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len); 415b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 416b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure 417b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * (RFC 3447) and appends the result to |cbb|. It returns one on success and 418b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * zero on failure. */ 419b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa); 420b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 421b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey 422b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated 423b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * buffer containing the result and returns one. Otherwise, it returns zero. The 424b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * result should be freed with |OPENSSL_free|. */ 425b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len, 426b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root const RSA *rsa); 427b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 428b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447) 429b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on 430b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * error. */ 431b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs); 432b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 433b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey 434b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */ 435b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in, 436b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root size_t in_len); 437b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 438b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey 439b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * structure (RFC 3447) and appends the result to |cbb|. It returns one on 440b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * success and zero on failure. */ 441b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa); 442b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 443b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey 444b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated 445b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * buffer containing the result and returns one. Otherwise, it returns zero. The 446b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * result should be freed with |OPENSSL_free|. */ 447b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes, 448b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root size_t *out_len, const RSA *rsa); 449d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 450d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 451d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* ex_data functions. 452d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 453e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * See |ex_data.h| for details. */ 454d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 455d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp, 4564139edb02e59e7ad48e0a8f4c02e45923bc8a344Adam Langley CRYPTO_EX_unused *unused, 4578ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan CRYPTO_EX_dup *dup_unused, 458d9e397b599b13d642138480a28c14db7a136bf0Adam Langley CRYPTO_EX_free *free_func); 459d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT int RSA_set_ex_data(RSA *r, int idx, void *arg); 460d9e397b599b13d642138480a28c14db7a136bf0Adam LangleyOPENSSL_EXPORT void *RSA_get_ex_data(const RSA *r, int idx); 461d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 462b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 463b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* Flags. */ 464b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 465d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key 466d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * material. This may be set if, for instance, it is wrapping some other crypto 467d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * API, like a platform key store. */ 468d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_OPAQUE 1 469d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 4704969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* Deprecated and ignored. */ 471d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_CACHE_PUBLIC 2 472d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 4734969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* Deprecated and ignored. */ 474d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_CACHE_PRIVATE 4 475d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 4764969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a 4779aaebef260163f2eda55612a488ffa4b89cd26afDavid Benjamin * dangerous thing to do. It is deprecated and should not be used. It will 4789aaebef260163f2eda55612a488ffa4b89cd26afDavid Benjamin * be ignored whenever possible. 4794969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * 4804969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * This flag must be used if a key without the public exponent |e| is used for 4814969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * private key operations; avoid using such keys whenever possible. */ 482d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_NO_BLINDING 8 483d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 4844969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_FLAG_EXT_PKEY is deprecated and ignored. */ 485d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_EXT_PKEY 0x20 486d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 487d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st| 488d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * to be called when set. */ 489d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_FLAG_SIGN_VER 0x40 490d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 491d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 492d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* RSA public exponent values. */ 493d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 494d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_3 0x3 495d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#define RSA_F4 0x10001 496d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 497d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 498f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley/* Deprecated functions. */ 499f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley 500f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley/* RSA_blinding_on returns one. */ 501f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam LangleyOPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); 502f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley 503b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you 504b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * should use instead. It returns NULL on error, or a newly-allocated |RSA| on 505b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * success. This function is provided for compatibility only. The |callback| 506b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * and |cb_arg| parameters must be NULL. */ 507b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback, 508b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root void *cb_arg); 509b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 510b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len| 511b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result 5124969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it 5134969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * will not be written to. Rather, a fresh |RSA| is allocated and the previous 5144969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * one is freed. On successful exit, |*inp| is advanced past the DER structure. 5154969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * It returns the result or NULL on error. */ 516b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len); 517b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 518b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not 519b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * NULL then the result is written to |*outp| and |*outp| is advanced just past 520b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * the output. It returns the number of bytes in the result, whether written or 521b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * not, or a negative value on error. */ 522b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp); 523b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 524b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len| 525b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result 5264969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it 5274969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * will not be written to. Rather, a fresh |RSA| is allocated and the previous 5284969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * one is freed. On successful exit, |*inp| is advanced past the DER structure. 5294969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * It returns the result or NULL on error. */ 530b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len); 531b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 532b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root/* i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not 533b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * NULL then the result is written to |*outp| and |*outp| is advanced just past 534b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * the output. It returns the number of bytes in the result, whether written or 535b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root * not, or a negative value on error. */ 536b8494591d1b1a143f3b192d845c238bbf3bc629dKenny RootOPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp); 537b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 5384969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the 5398ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. 5408ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * 5418ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * This function implements only the low-level padding logic. Use 5428ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * |RSA_sign_pss_mgf1| instead. */ 5434969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid BenjaminOPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(RSA *rsa, uint8_t *EM, 5444969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const uint8_t *mHash, 5454969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const EVP_MD *Hash, int sLen); 5464969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin 5474969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the 5488ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. 5498ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * 5508ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * This function implements only the low-level padding logic. Use 5518ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan * |RSA_verify_pss_mgf1| instead. */ 5524969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid BenjaminOPENSSL_EXPORT int RSA_verify_PKCS1_PSS(RSA *rsa, const uint8_t *mHash, 5534969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const EVP_MD *Hash, const uint8_t *EM, 5544969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin int sLen); 555b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 5564969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin/* RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but 557b0b45c63bbbf16b7f5ff3cbe3f1d0905108038aaSteven Valdez * the |md| and |mgf1md| parameters of the latter are implicitly set to NULL, 5584969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin * which means SHA-1. */ 5596d0d00e090b753250659b9a2d67dab7467257900Robert SloanOPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len, 5604969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const uint8_t *from, 5616d0d00e090b753250659b9a2d67dab7467257900Robert Sloan size_t from_len, 5624969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin const uint8_t *param, 5636d0d00e090b753250659b9a2d67dab7467257900Robert Sloan size_t param_len); 564b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 565f7e890d94bfb2ecad87621eed301e1897b5a6aefAdam Langley 566d9e397b599b13d642138480a28c14db7a136bf0Adam Langleystruct rsa_meth_st { 567d9e397b599b13d642138480a28c14db7a136bf0Adam Langley struct openssl_method_common_st common; 568d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 569d9e397b599b13d642138480a28c14db7a136bf0Adam Langley void *app_data; 570d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 571d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*init)(RSA *rsa); 572d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*finish)(RSA *rsa); 573d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 574d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* size returns the size of the RSA modulus in bytes. */ 575d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t (*size)(const RSA *rsa); 576d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 577d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*sign)(int type, const uint8_t *m, unsigned int m_length, 578d9e397b599b13d642138480a28c14db7a136bf0Adam Langley uint8_t *sigret, unsigned int *siglen, const RSA *rsa); 579d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 580e56da3e0a18add8be1571c4ae616492a0258ebeaRobert Sloan /* Ignored. Set this to NULL. 581e56da3e0a18add8be1571c4ae616492a0258ebeaRobert Sloan * TODO(davidben): Remove this when 582e56da3e0a18add8be1571c4ae616492a0258ebeaRobert Sloan * https://github.com/google/conscrypt/commit/bb0571e358e95e1c70ac7a6984fc4d7236cac72f 583e56da3e0a18add8be1571c4ae616492a0258ebeaRobert Sloan * is in all BoringSSL consumers. */ 584d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*encrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 585d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *in, size_t in_len, int padding); 5868ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan 5878ff035535f7cf2903f02bbe94d2fa10b7ab855f1Robert Sloan /* These functions mirror the |RSA_*| functions of the same name. */ 588d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 589d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *in, size_t in_len, int padding); 590d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 591d9e397b599b13d642138480a28c14db7a136bf0Adam Langley const uint8_t *in, size_t in_len, int padding); 592d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 593d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* private_transform takes a big-endian integer from |in|, calculates the 594d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * d'th power of it, modulo the RSA modulus and writes the result as a 595d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and 596d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * |len| is always equal to |RSA_size(rsa)|. If the result of the transform 597d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * can be represented in fewer than |len| bytes, then |out| must be zero 598d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * padded on the left. 599d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 600d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * It returns one on success and zero otherwise. 601d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * 602d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * RSA decrypt and sign operations will call this, thus an ENGINE might wish 603d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * to override it in order to avoid having to implement the padding 604d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * functionality demanded by those, higher level, operations. */ 605d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in, 606d9e397b599b13d642138480a28c14db7a136bf0Adam Langley size_t len); 607d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 608d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int flags; 609d9e397b599b13d642138480a28c14db7a136bf0Adam Langley}; 610d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 611d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 612d9e397b599b13d642138480a28c14db7a136bf0Adam Langley/* Private functions. */ 613d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 614d9e397b599b13d642138480a28c14db7a136bf0Adam Langleytypedef struct bn_blinding_st BN_BLINDING; 615d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 616d9e397b599b13d642138480a28c14db7a136bf0Adam Langleystruct rsa_st { 617d9e397b599b13d642138480a28c14db7a136bf0Adam Langley RSA_METHOD *meth; 618d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 619d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *n; 620d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *e; 621d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *d; 622d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *p; 623d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *q; 624d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *dmp1; 625d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *dmq1; 626d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BIGNUM *iqmp; 627b8494591d1b1a143f3b192d845c238bbf3bc629dKenny Root 628d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* be careful using this if the RSA structure is shared */ 629d9e397b599b13d642138480a28c14db7a136bf0Adam Langley CRYPTO_EX_DATA ex_data; 630f4e427204234da139fd0585def4b4e22502e33f0Adam Langley CRYPTO_refcount_t references; 631d9e397b599b13d642138480a28c14db7a136bf0Adam Langley int flags; 632d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 633e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley CRYPTO_MUTEX lock; 634e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley 635e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley /* Used to cache montgomery values. The creation of these values is protected 636e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * by |lock|. */ 637fad6327e4112082b1e77e89a995723f26bd5a9aaAdam Langley BN_MONT_CTX *mont_n; 638fad6327e4112082b1e77e89a995723f26bd5a9aaAdam Langley BN_MONT_CTX *mont_p; 639fad6327e4112082b1e77e89a995723f26bd5a9aaAdam Langley BN_MONT_CTX *mont_q; 640d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 641d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* num_blindings contains the size of the |blindings| and |blindings_inuse| 642d9e397b599b13d642138480a28c14db7a136bf0Adam Langley * arrays. This member and the |blindings_inuse| array are protected by 643e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * |lock|. */ 644d9e397b599b13d642138480a28c14db7a136bf0Adam Langley unsigned num_blindings; 645d9e397b599b13d642138480a28c14db7a136bf0Adam Langley /* blindings is an array of BN_BLINDING structures that can be reserved by a 646e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * thread by locking |lock| and changing the corresponding element in 647e9ada863a7b3e81f5d2b1e3bdd2305da902a87f5Adam Langley * |blindings_inuse| from 0 to 1. */ 648d9e397b599b13d642138480a28c14db7a136bf0Adam Langley BN_BLINDING **blindings; 649d9e397b599b13d642138480a28c14db7a136bf0Adam Langley unsigned char *blindings_inuse; 650d9e397b599b13d642138480a28c14db7a136bf0Adam Langley}; 651d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 652d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 653d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#if defined(__cplusplus) 654d9e397b599b13d642138480a28c14db7a136bf0Adam Langley} /* extern C */ 655f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 656f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjaminextern "C++" { 657f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 658f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjaminnamespace bssl { 659f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 660f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid BenjaminBORINGSSL_MAKE_DELETER(RSA, RSA_free) 661f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 662f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin} // namespace bssl 663f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 664f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin} /* extern C++ */ 665f0c4a6c4bbde5229ceb86740703243fe5c436aadDavid Benjamin 666d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#endif 667d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 6684969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_ENCODING 100 6694969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_E_VALUE 101 6704969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102 6714969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_PAD_BYTE_COUNT 103 6724969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_RSA_PARAMETERS 104 6734969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_SIGNATURE 105 6744969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BAD_VERSION 106 6754969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BLOCK_TYPE_IS_NOT_01 107 6764969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_BN_NOT_INITIALIZED 108 6774969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY 109 6784969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 110 6794969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_CRT_VALUES_INCORRECT 111 6804969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 112 6814969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_LARGE 113 6824969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 114 6834969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 115 6844969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_SMALL 116 6854969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 117 6864969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 118 6874969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_D_E_NOT_CONGRUENT_TO_1 119 6884969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_EMPTY_PUBLIC_KEY 120 6894969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_ENCODE_ERROR 121 6904969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_FIRST_OCTET_INVALID 122 6914969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 123 6924969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_INTERNAL_ERROR 124 6934969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_INVALID_MESSAGE_LENGTH 125 6944969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_KEY_SIZE_TOO_SMALL 126 6954969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_LAST_OCTET_INVALID 127 6964969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_MODULUS_TOO_LARGE 128 6974969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES 129 6984969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_NO_PUBLIC_EXPONENT 130 6994969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_NULL_BEFORE_BLOCK_MISSING 131 7004969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_N_NOT_EQUAL_P_Q 132 7014969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_OAEP_DECODING_ERROR 133 7024969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 134 7034969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 135 7044969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_PADDING_CHECK_FAILED 136 7054969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_PKCS_DECODING_ERROR 137 7064969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_SLEN_CHECK_FAILED 138 7074969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_SLEN_RECOVERY_FAILED 139 7084969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_TOO_LONG 140 7094969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_TOO_MANY_ITERATIONS 141 7104969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_UNKNOWN_ALGORITHM_TYPE 142 7114969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_UNKNOWN_PADDING_TYPE 143 7124969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_VALUE_MISSING 144 7134969cc9b0ab2905ec478277f50ed3849b37a6c6bDavid Benjamin#define RSA_R_WRONG_SIGNATURE_LENGTH 145 714572a4e2e687520da9e518528d7371b794b1decc0Robert Sloan#define RSA_R_PUBLIC_KEY_VALIDATION_FAILED 146 715d9e397b599b13d642138480a28c14db7a136bf0Adam Langley 716d9e397b599b13d642138480a28c14db7a136bf0Adam Langley#endif /* OPENSSL_HEADER_RSA_H */ 717