Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/evp/p_rsa.c
Line
Count
Source (jump to first uncovered line)
1
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2
 * project 2006.
3
 */
4
/* ====================================================================
5
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 *
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, this list of conditions and the following disclaimer.
13
 *
14
 * 2. Redistributions in binary form must reproduce the above copyright
15
 *    notice, this list of conditions and the following disclaimer in
16
 *    the documentation and/or other materials provided with the
17
 *    distribution.
18
 *
19
 * 3. All advertising materials mentioning features or use of this
20
 *    software must display the following acknowledgment:
21
 *    "This product includes software developed by the OpenSSL Project
22
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23
 *
24
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25
 *    endorse or promote products derived from this software without
26
 *    prior written permission. For written permission, please contact
27
 *    licensing@OpenSSL.org.
28
 *
29
 * 5. Products derived from this software may not be called "OpenSSL"
30
 *    nor may "OpenSSL" appear in their names without prior written
31
 *    permission of the OpenSSL Project.
32
 *
33
 * 6. Redistributions of any form whatsoever must retain the following
34
 *    acknowledgment:
35
 *    "This product includes software developed by the OpenSSL Project
36
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37
 *
38
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49
 * OF THE POSSIBILITY OF SUCH DAMAGE.
50
 * ====================================================================
51
 *
52
 * This product includes cryptographic software written by Eric Young
53
 * (eay@cryptsoft.com).  This product includes software written by Tim
54
 * Hudson (tjh@cryptsoft.com). */
55
56
#include <openssl/evp.h>
57
58
#include <limits.h>
59
#include <string.h>
60
61
#include <openssl/bn.h>
62
#include <openssl/bytestring.h>
63
#include <openssl/digest.h>
64
#include <openssl/err.h>
65
#include <openssl/mem.h>
66
#include <openssl/nid.h>
67
#include <openssl/rsa.h>
68
69
#include "../internal.h"
70
#include "../rsa_extra/internal.h"
71
#include "internal.h"
72
73
74
typedef struct {
75
  // Key gen parameters
76
  int nbits;
77
  BIGNUM *pub_exp;
78
  // RSA padding mode
79
  int pad_mode;
80
  // message digest
81
  const EVP_MD *md;
82
  // message digest for MGF1
83
  const EVP_MD *mgf1md;
84
  // PSS salt length
85
  int saltlen;
86
  // tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
87
  // It's used to store the output of RSA operations.
88
  uint8_t *tbuf;
89
  // OAEP label
90
  uint8_t *oaep_label;
91
  size_t oaep_labellen;
92
} RSA_PKEY_CTX;
93
94
typedef struct {
95
  uint8_t *data;
96
  size_t len;
97
} RSA_OAEP_LABEL_PARAMS;
98
99
0
static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
100
0
  RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(RSA_PKEY_CTX));
101
0
  if (!rctx) {
102
0
    return 0;
103
0
  }
104
105
0
  rctx->nbits = 2048;
106
0
  rctx->pad_mode = RSA_PKCS1_PADDING;
107
0
  rctx->saltlen = -2;
108
109
0
  ctx->data = rctx;
110
111
0
  return 1;
112
0
}
113
114
0
static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
115
0
  RSA_PKEY_CTX *dctx, *sctx;
116
0
  if (!pkey_rsa_init(dst)) {
117
0
    return 0;
118
0
  }
119
0
  sctx = src->data;
120
0
  dctx = dst->data;
121
0
  dctx->nbits = sctx->nbits;
122
0
  if (sctx->pub_exp) {
123
0
    dctx->pub_exp = BN_dup(sctx->pub_exp);
124
0
    if (!dctx->pub_exp) {
125
0
      return 0;
126
0
    }
127
0
  }
128
129
0
  dctx->pad_mode = sctx->pad_mode;
130
0
  dctx->md = sctx->md;
131
0
  dctx->mgf1md = sctx->mgf1md;
132
0
  dctx->saltlen = sctx->saltlen;
133
0
  if (sctx->oaep_label) {
134
0
    OPENSSL_free(dctx->oaep_label);
135
0
    dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
136
0
    if (!dctx->oaep_label) {
137
0
      return 0;
138
0
    }
139
0
    dctx->oaep_labellen = sctx->oaep_labellen;
140
0
  }
141
142
0
  return 1;
143
0
}
144
145
0
static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) {
146
0
  RSA_PKEY_CTX *rctx = ctx->data;
147
148
0
  if (rctx == NULL) {
149
0
    return;
150
0
  }
151
152
0
  BN_free(rctx->pub_exp);
153
0
  OPENSSL_free(rctx->tbuf);
154
0
  OPENSSL_free(rctx->oaep_label);
155
0
  OPENSSL_free(rctx);
156
0
}
157
158
0
static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) {
159
0
  if (ctx->tbuf) {
160
0
    return 1;
161
0
  }
162
0
  ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
163
0
  if (!ctx->tbuf) {
164
0
    return 0;
165
0
  }
166
0
  return 1;
167
0
}
168
169
static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
170
0
                         const uint8_t *tbs, size_t tbslen) {
171
0
  RSA_PKEY_CTX *rctx = ctx->data;
172
0
  RSA *rsa = ctx->pkey->pkey;
173
0
  const size_t key_len = EVP_PKEY_size(ctx->pkey);
174
175
0
  if (!sig) {
176
0
    *siglen = key_len;
177
0
    return 1;
178
0
  }
179
180
0
  if (*siglen < key_len) {
181
0
    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
182
0
    return 0;
183
0
  }
184
185
0
  if (rctx->md) {
186
0
    unsigned out_len;
187
0
    switch (rctx->pad_mode) {
188
0
      case RSA_PKCS1_PADDING:
189
0
        if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) {
190
0
          return 0;
191
0
        }
192
0
        *siglen = out_len;
193
0
        return 1;
194
195
0
      case RSA_PKCS1_PSS_PADDING:
196
0
        return RSA_sign_pss_mgf1(rsa, siglen, sig, *siglen, tbs, tbslen,
197
0
                                 rctx->md, rctx->mgf1md, rctx->saltlen);
198
199
0
      default:
200
0
        return 0;
201
0
    }
202
0
  }
203
204
0
  return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode);
205
0
}
206
207
static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,
208
                           size_t siglen, const uint8_t *tbs,
209
0
                           size_t tbslen) {
210
0
  RSA_PKEY_CTX *rctx = ctx->data;
211
0
  RSA *rsa = ctx->pkey->pkey;
212
213
0
  if (rctx->md) {
214
0
    switch (rctx->pad_mode) {
215
0
      case RSA_PKCS1_PADDING:
216
0
        return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa);
217
218
0
      case RSA_PKCS1_PSS_PADDING:
219
0
        return RSA_verify_pss_mgf1(rsa, tbs, tbslen, rctx->md, rctx->mgf1md,
220
0
                                   rctx->saltlen, sig, siglen);
221
222
0
      default:
223
0
        return 0;
224
0
    }
225
0
  }
226
227
0
  size_t rslen;
228
0
  const size_t key_len = EVP_PKEY_size(ctx->pkey);
229
0
  if (!setup_tbuf(rctx, ctx) ||
230
0
      !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,
231
0
                      rctx->pad_mode) ||
232
0
      rslen != tbslen ||
233
0
      CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) {
234
0
    return 0;
235
0
  }
236
237
0
  return 1;
238
0
}
239
240
static int pkey_rsa_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,
241
                                   size_t *out_len, const uint8_t *sig,
242
0
                                   size_t sig_len) {
243
0
  RSA_PKEY_CTX *rctx = ctx->data;
244
0
  RSA *rsa = ctx->pkey->pkey;
245
0
  const size_t key_len = EVP_PKEY_size(ctx->pkey);
246
247
0
  if (out == NULL) {
248
0
    *out_len = key_len;
249
0
    return 1;
250
0
  }
251
252
0
  if (*out_len < key_len) {
253
0
    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
254
0
    return 0;
255
0
  }
256
257
0
  if (rctx->md == NULL) {
258
0
    return RSA_verify_raw(rsa, out_len, out, *out_len, sig, sig_len,
259
0
                          rctx->pad_mode);
260
0
  }
261
262
0
  if (rctx->pad_mode != RSA_PKCS1_PADDING) {
263
0
    return 0;
264
0
  }
265
266
  // Assemble the encoded hash, using a placeholder hash value.
267
0
  static const uint8_t kDummyHash[EVP_MAX_MD_SIZE] = {0};
268
0
  const size_t hash_len = EVP_MD_size(rctx->md);
269
0
  uint8_t *asn1_prefix;
270
0
  size_t asn1_prefix_len;
271
0
  int asn1_prefix_allocated;
272
0
  if (!setup_tbuf(rctx, ctx) ||
273
0
      !RSA_add_pkcs1_prefix(&asn1_prefix, &asn1_prefix_len,
274
0
                            &asn1_prefix_allocated, EVP_MD_type(rctx->md),
275
0
                            kDummyHash, hash_len)) {
276
0
    return 0;
277
0
  }
278
279
0
  size_t rslen;
280
0
  int ok = 1;
281
0
  if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len,
282
0
                      RSA_PKCS1_PADDING) ||
283
0
      rslen != asn1_prefix_len ||
284
      // Compare all but the hash suffix.
285
0
      CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len - hash_len) != 0) {
286
0
    ok = 0;
287
0
  }
288
289
0
  if (asn1_prefix_allocated) {
290
0
    OPENSSL_free(asn1_prefix);
291
0
  }
292
293
0
  if (!ok) {
294
0
    return 0;
295
0
  }
296
297
0
  if (out != NULL) {
298
0
    OPENSSL_memcpy(out, rctx->tbuf + rslen - hash_len, hash_len);
299
0
  }
300
0
  *out_len = hash_len;
301
302
0
  return 1;
303
0
}
304
305
static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
306
0
                            const uint8_t *in, size_t inlen) {
307
0
  RSA_PKEY_CTX *rctx = ctx->data;
308
0
  RSA *rsa = ctx->pkey->pkey;
309
0
  const size_t key_len = EVP_PKEY_size(ctx->pkey);
310
311
0
  if (!out) {
312
0
    *outlen = key_len;
313
0
    return 1;
314
0
  }
315
316
0
  if (*outlen < key_len) {
317
0
    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
318
0
    return 0;
319
0
  }
320
321
0
  if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
322
0
    if (!setup_tbuf(rctx, ctx) ||
323
0
        !RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen,
324
0
                                         rctx->oaep_label, rctx->oaep_labellen,
325
0
                                         rctx->md, rctx->mgf1md) ||
326
0
        !RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len,
327
0
                     RSA_NO_PADDING)) {
328
0
      return 0;
329
0
    }
330
0
    return 1;
331
0
  }
332
333
0
  return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode);
334
0
}
335
336
static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
337
                            size_t *outlen, const uint8_t *in,
338
0
                            size_t inlen) {
339
0
  RSA_PKEY_CTX *rctx = ctx->data;
340
0
  RSA *rsa = ctx->pkey->pkey;
341
0
  const size_t key_len = EVP_PKEY_size(ctx->pkey);
342
343
0
  if (!out) {
344
0
    *outlen = key_len;
345
0
    return 1;
346
0
  }
347
348
0
  if (*outlen < key_len) {
349
0
    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
350
0
    return 0;
351
0
  }
352
353
0
  if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
354
0
    size_t padded_len;
355
0
    if (!setup_tbuf(rctx, ctx) ||
356
0
        !RSA_decrypt(rsa, &padded_len, rctx->tbuf, key_len, in, inlen,
357
0
                     RSA_NO_PADDING) ||
358
0
        !RSA_padding_check_PKCS1_OAEP_mgf1(
359
0
            out, outlen, key_len, rctx->tbuf, padded_len, rctx->oaep_label,
360
0
            rctx->oaep_labellen, rctx->md, rctx->mgf1md)) {
361
0
      return 0;
362
0
    }
363
0
    return 1;
364
0
  }
365
366
0
  return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode);
367
0
}
368
369
0
static int check_padding_md(const EVP_MD *md, int padding) {
370
0
  if (!md) {
371
0
    return 1;
372
0
  }
373
374
0
  if (padding == RSA_NO_PADDING) {
375
0
    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
376
0
    return 0;
377
0
  }
378
379
0
  return 1;
380
0
}
381
382
0
static int is_known_padding(int padding_mode) {
383
0
  switch (padding_mode) {
384
0
    case RSA_PKCS1_PADDING:
385
0
    case RSA_NO_PADDING:
386
0
    case RSA_PKCS1_OAEP_PADDING:
387
0
    case RSA_PKCS1_PSS_PADDING:
388
0
      return 1;
389
0
    default:
390
0
      return 0;
391
0
  }
392
0
}
393
394
0
static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
395
0
  RSA_PKEY_CTX *rctx = ctx->data;
396
0
  switch (type) {
397
0
    case EVP_PKEY_CTRL_RSA_PADDING:
398
0
      if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) ||
399
0
          (p1 == RSA_PKCS1_PSS_PADDING &&
400
0
           0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) ||
401
0
          (p1 == RSA_PKCS1_OAEP_PADDING &&
402
0
           0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) {
403
0
        OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
404
0
        return 0;
405
0
      }
406
0
      if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) &&
407
0
          rctx->md == NULL) {
408
0
        rctx->md = EVP_sha1();
409
0
      }
410
0
      rctx->pad_mode = p1;
411
0
      return 1;
412
413
0
    case EVP_PKEY_CTRL_GET_RSA_PADDING:
414
0
      *(int *)p2 = rctx->pad_mode;
415
0
      return 1;
416
417
0
    case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
418
0
    case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
419
0
      if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
420
0
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN);
421
0
        return 0;
422
0
      }
423
0
      if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
424
0
        *(int *)p2 = rctx->saltlen;
425
0
      } else {
426
0
        if (p1 < -2) {
427
0
          return 0;
428
0
        }
429
0
        rctx->saltlen = p1;
430
0
      }
431
0
      return 1;
432
433
0
    case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
434
0
      if (p1 < 256) {
435
0
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS);
436
0
        return 0;
437
0
      }
438
0
      rctx->nbits = p1;
439
0
      return 1;
440
441
0
    case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
442
0
      if (!p2) {
443
0
        return 0;
444
0
      }
445
0
      BN_free(rctx->pub_exp);
446
0
      rctx->pub_exp = p2;
447
0
      return 1;
448
449
0
    case EVP_PKEY_CTRL_RSA_OAEP_MD:
450
0
    case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
451
0
      if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
452
0
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
453
0
        return 0;
454
0
      }
455
0
      if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {
456
0
        *(const EVP_MD **)p2 = rctx->md;
457
0
      } else {
458
0
        rctx->md = p2;
459
0
      }
460
0
      return 1;
461
462
0
    case EVP_PKEY_CTRL_MD:
463
0
      if (!check_padding_md(p2, rctx->pad_mode)) {
464
0
        return 0;
465
0
      }
466
0
      rctx->md = p2;
467
0
      return 1;
468
469
0
    case EVP_PKEY_CTRL_GET_MD:
470
0
      *(const EVP_MD **)p2 = rctx->md;
471
0
      return 1;
472
473
0
    case EVP_PKEY_CTRL_RSA_MGF1_MD:
474
0
    case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
475
0
      if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
476
0
          rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
477
0
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD);
478
0
        return 0;
479
0
      }
480
0
      if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
481
0
        if (rctx->mgf1md) {
482
0
          *(const EVP_MD **)p2 = rctx->mgf1md;
483
0
        } else {
484
0
          *(const EVP_MD **)p2 = rctx->md;
485
0
        }
486
0
      } else {
487
0
        rctx->mgf1md = p2;
488
0
      }
489
0
      return 1;
490
491
0
    case EVP_PKEY_CTRL_RSA_OAEP_LABEL: {
492
0
      if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
493
0
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
494
0
        return 0;
495
0
      }
496
0
      OPENSSL_free(rctx->oaep_label);
497
0
      RSA_OAEP_LABEL_PARAMS *params = p2;
498
0
      rctx->oaep_label = params->data;
499
0
      rctx->oaep_labellen = params->len;
500
0
      return 1;
501
0
    }
502
503
0
    case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
504
0
      if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
505
0
        OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
506
0
        return 0;
507
0
      }
508
0
      CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);
509
0
      return 1;
510
511
0
    default:
512
0
      OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
513
0
      return 0;
514
0
  }
515
0
}
516
517
0
static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
518
0
  RSA *rsa = NULL;
519
0
  RSA_PKEY_CTX *rctx = ctx->data;
520
521
0
  if (!rctx->pub_exp) {
522
0
    rctx->pub_exp = BN_new();
523
0
    if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) {
524
0
      return 0;
525
0
    }
526
0
  }
527
0
  rsa = RSA_new();
528
0
  if (!rsa) {
529
0
    return 0;
530
0
  }
531
532
0
  if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL)) {
533
0
    RSA_free(rsa);
534
0
    return 0;
535
0
  }
536
537
0
  EVP_PKEY_assign_RSA(pkey, rsa);
538
0
  return 1;
539
0
}
540
541
const EVP_PKEY_METHOD rsa_pkey_meth = {
542
    EVP_PKEY_RSA,
543
    pkey_rsa_init,
544
    pkey_rsa_copy,
545
    pkey_rsa_cleanup,
546
    pkey_rsa_keygen,
547
    pkey_rsa_sign,
548
    NULL /* sign_message */,
549
    pkey_rsa_verify,
550
    NULL /* verify_message */,
551
    pkey_rsa_verify_recover,
552
    pkey_rsa_encrypt,
553
    pkey_rsa_decrypt,
554
    NULL /* derive */,
555
    NULL /* paramgen */,
556
    pkey_rsa_ctrl,
557
};
558
559
0
int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) {
560
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING,
561
0
                           padding, NULL);
562
0
}
563
564
0
int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) {
565
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,
566
0
                           0, out_padding);
567
0
}
568
569
0
int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
570
0
  return 0;
571
0
}
572
573
0
int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
574
0
  return 0;
575
0
}
576
577
int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx,
578
0
                                            const EVP_MD *md) {
579
0
  return 0;
580
0
}
581
582
0
int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {
583
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
584
0
                           (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
585
0
                           EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL);
586
0
}
587
588
0
int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) {
589
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
590
0
                           (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),
591
0
                           EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len);
592
0
}
593
594
0
int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) {
595
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
596
0
                           EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL);
597
0
}
598
599
0
int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) {
600
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
601
0
                           EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e);
602
0
}
603
604
0
int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
605
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
606
0
                           EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);
607
0
}
608
609
0
int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
610
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
611
0
                           EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void*) out_md);
612
0
}
613
614
0
int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
615
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
616
0
                           EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
617
0
                           EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void*) md);
618
0
}
619
620
0
int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
621
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
622
0
                           EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
623
0
                           EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void*) out_md);
624
0
}
625
626
int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label,
627
0
                                     size_t label_len) {
628
0
  RSA_OAEP_LABEL_PARAMS params = {label, label_len};
629
0
  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
630
0
                           EVP_PKEY_CTRL_RSA_OAEP_LABEL, 0, &params);
631
0
}
632
633
int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
634
0
                                     const uint8_t **out_label) {
635
0
  CBS label;
636
0
  if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
637
0
                         EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {
638
0
    return -1;
639
0
  }
640
0
  if (CBS_len(&label) > INT_MAX) {
641
0
    OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
642
0
    return -1;
643
0
  }
644
0
  *out_label = CBS_data(&label);
645
0
  return (int)CBS_len(&label);
646
0
}