blob: 19325aae5d11fea10e5e450339559d258c3b404a [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -07001/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57#ifndef OPENSSL_HEADER_RSA_H
58#define OPENSSL_HEADER_RSA_H
59
60#include <openssl/base.h>
61
62#include <openssl/engine.h>
63#include <openssl/ex_data.h>
Adam Langley683d7bd2015-04-13 11:04:14 -070064#include <openssl/thread.h>
Adam Langley95c29f32014-06-20 12:00:00 -070065
66#if defined(__cplusplus)
67extern "C" {
68#endif
69
70
71/* rsa.h contains functions for handling encryption and signature using RSA. */
72
73
74/* Allocation and destruction. */
75
76/* RSA_new returns a new, empty RSA object or NULL on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -070077OPENSSL_EXPORT RSA *RSA_new(void);
Adam Langley95c29f32014-06-20 12:00:00 -070078
Adam Langley389e3f02014-08-19 11:24:27 -070079/* RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -070080OPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine);
Adam Langley95c29f32014-06-20 12:00:00 -070081
82/* RSA_free decrements the reference count of |rsa| and frees it if the
83 * reference count drops to zero. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -070084OPENSSL_EXPORT void RSA_free(RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -070085
86/* RSA_up_ref increments the reference count of |rsa|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -070087OPENSSL_EXPORT int RSA_up_ref(RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -070088
89
90/* Key generation. */
91
92/* RSA_generate_key_ex generates a new RSA key where the modulus has size
93 * |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value
94 * for |e|. If |cb| is not NULL then it is called during the key generation
95 * process. In addition to the calls documented for |BN_generate_prime_ex|, it
96 * is called with event=2 when the n'th prime is rejected as unsuitable and
Adam Langley5129e2d2014-07-25 10:06:44 -070097 * with event=3 when a suitable value for |p| is found.
98 *
99 * It returns one on success or zero on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700100OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
101 BN_GENCB *cb);
Adam Langley95c29f32014-06-20 12:00:00 -0700102
Adam Langley839b8812015-05-26 11:36:46 -0700103/* RSA_generate_multi_prime_key acts like |RSA_generate_key_ex| but can
104 * generate an RSA private key with more than two primes. */
105OPENSSL_EXPORT int RSA_generate_multi_prime_key(RSA *rsa, int bits,
106 int num_primes, BIGNUM *e,
107 BN_GENCB *cb);
108
Adam Langley95c29f32014-06-20 12:00:00 -0700109
110/* Encryption / Decryption */
111
112/* Padding types for encryption. */
113#define RSA_PKCS1_PADDING 1
Adam Langley95c29f32014-06-20 12:00:00 -0700114#define RSA_NO_PADDING 3
115#define RSA_PKCS1_OAEP_PADDING 4
116/* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */
117#define RSA_PKCS1_PSS_PADDING 6
118
119/* RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa|
120 * and writes, at most, |max_out| bytes of encrypted data to |out|. The
121 * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
122 *
123 * It returns 1 on success or zero on error.
124 *
125 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500126 * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
127 * |RSA_PKCS1_PADDING| is most common. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700128OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out,
129 size_t max_out, const uint8_t *in, size_t in_len,
130 int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700131
132/* RSA_decrypt decrypts |in_len| bytes from |in| with the private key from
133 * |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The
134 * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
135 *
136 * It returns 1 on success or zero on error.
137 *
138 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500139 * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols.
140 *
141 * Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If
142 * implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then
143 * check padding in constant-time combined with a swap to a random session key
144 * or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based
145 * on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in
146 * Cryptology (Crypto '98). */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700147OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out,
148 size_t max_out, const uint8_t *in, size_t in_len,
149 int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700150
151/* RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in
152 * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
153 * least |RSA_size| bytes of space. It returns the number of bytes written, or
154 * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
David Benjamin3f5b43d2015-12-01 19:31:24 -0500155 * values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
156 * |RSA_PKCS1_PADDING| is most common.
Adam Langley95c29f32014-06-20 12:00:00 -0700157 *
158 * WARNING: this function is dangerous because it breaks the usual return value
159 * convention. Use |RSA_encrypt| instead. */
Matt Braithwaite978f16e2015-10-19 13:38:36 -0700160OPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700161 uint8_t *to, RSA *rsa, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700162
163/* RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500164 * |rsa| and writes the plaintext to |to|. The |to| buffer must have at least
165 * |RSA_size| bytes of space. It returns the number of bytes written, or -1 on
166 * error. The |padding| argument must be one of the |RSA_*_PADDING| values. If
167 * in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing
168 * |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See
169 * |RSA_decrypt|.
Adam Langley95c29f32014-06-20 12:00:00 -0700170 *
171 * WARNING: this function is dangerous because it breaks the usual return value
172 * convention. Use |RSA_decrypt| instead. */
David Benjamin79c59a32015-09-19 13:35:39 -0400173OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700174 uint8_t *to, RSA *rsa, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700175
176
177/* Signing / Verification */
178
David Benjamin3f5b43d2015-12-01 19:31:24 -0500179/* RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using
180 * RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On
181 * successful return, the actual number of bytes written is written to
182 * |*out_len|.
Adam Langley95c29f32014-06-20 12:00:00 -0700183 *
184 * The |hash_nid| argument identifies the hash function used to calculate |in|
185 * and is embedded in the resulting signature. For example, it might be
186 * |NID_sha256|.
187 *
188 * It returns 1 on success and zero on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700189OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in,
190 unsigned int in_len, uint8_t *out,
191 unsigned int *out_len, RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700192
193/* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa|
Brian Smithb828cfd2015-03-29 16:51:14 -1000194 * and writes, at most, |max_out| bytes of signature data to |out|. The
Adam Langley95c29f32014-06-20 12:00:00 -0700195 * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
196 *
197 * It returns 1 on success or zero on error.
198 *
199 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500200 * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
201 * (via the |EVP_PKEY| interface) is preferred for new protocols. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700202OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
203 size_t max_out, const uint8_t *in,
204 size_t in_len, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700205
David Benjamin3f5b43d2015-12-01 19:31:24 -0500206/* RSA_verify verifies that |sig_len| bytes from |sig| are a valid,
207 * RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|.
Adam Langley95c29f32014-06-20 12:00:00 -0700208 *
209 * The |hash_nid| argument identifies the hash function used to calculate |in|
210 * and is embedded in the resulting signature in order to prevent hash
211 * confusion attacks. For example, it might be |NID_sha256|.
212 *
213 * It returns one if the signature is valid and zero otherwise.
214 *
215 * WARNING: this differs from the original, OpenSSL function which additionally
216 * returned -1 on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700217OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
218 const uint8_t *sig, size_t sig_len, RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700219
220/* RSA_verify_raw verifies |in_len| bytes of signature from |in| using the
221 * public key from |rsa| and writes, at most, |max_out| bytes of plaintext to
222 * |out|. The |max_out| argument must be, at least, |RSA_size| in order to
223 * ensure success.
224 *
225 * It returns 1 on success or zero on error.
226 *
227 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500228 * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
229 * (via the |EVP_PKEY| interface) is preferred for new protocols. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700230OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
231 size_t max_out, const uint8_t *in,
232 size_t in_len, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700233
234/* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
235 * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
236 * least |RSA_size| bytes of space. It returns the number of bytes written, or
237 * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
David Benjamin3f5b43d2015-12-01 19:31:24 -0500238 * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but
239 * |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new
240 * protocols.
Adam Langley95c29f32014-06-20 12:00:00 -0700241 *
242 * WARNING: this function is dangerous because it breaks the usual return value
243 * convention. Use |RSA_sign_raw| instead. */
Matt Braithwaite978f16e2015-10-19 13:38:36 -0700244OPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700245 uint8_t *to, RSA *rsa, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700246
Kenny Root3a9e1fb2015-06-10 14:52:40 -0700247/* RSA_public_decrypt verifies |flen| bytes of signature from |from| using the
Adam Langley95c29f32014-06-20 12:00:00 -0700248 * public key in |rsa| and writes the plaintext to |to|. The |to| buffer must
249 * have at least |RSA_size| bytes of space. It returns the number of bytes
250 * written, or -1 on error. The |padding| argument must be one of the
David Benjamin3f5b43d2015-12-01 19:31:24 -0500251 * |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common
252 * but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for
253 * new protocols.
Adam Langley95c29f32014-06-20 12:00:00 -0700254 *
255 * WARNING: this function is dangerous because it breaks the usual return value
256 * convention. Use |RSA_verify_raw| instead. */
Matt Braithwaite978f16e2015-10-19 13:38:36 -0700257OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700258 uint8_t *to, RSA *rsa, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700259
260
261/* Utility functions. */
262
263/* RSA_size returns the number of bytes in the modulus, which is also the size
Brian Smithb828cfd2015-03-29 16:51:14 -1000264 * of a signature or encrypted value using |rsa|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700265OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700266
David Benjaminecc0ce72014-07-18 18:39:42 -0400267/* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
David Benjaminc20febe2014-11-11 23:47:50 -0500268 * material. Otherwise it returns zero. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700269OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa);
David Benjaminecc0ce72014-07-18 18:39:42 -0400270
David Benjaminc20febe2014-11-11 23:47:50 -0500271/* RSA_supports_digest returns one if |rsa| supports signing digests
272 * of type |md|. Otherwise it returns zero. */
273OPENSSL_EXPORT int RSA_supports_digest(const RSA *rsa, const EVP_MD *md);
274
David Benjaminc0e245a2015-06-17 00:02:59 -0400275/* RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from
Adam Langley95c29f32014-06-20 12:00:00 -0700276 * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700277OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700278
279/* RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from
280 * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700281OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700282
Adam Langley05b73772014-07-25 12:03:51 -0700283/* RSA_check_key performs basic validatity tests on |rsa|. It returns one if
284 * they pass and zero otherwise. Opaque keys and public keys always pass. If it
285 * returns zero then a more detailed error is available on the error queue. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700286OPENSSL_EXPORT int RSA_check_key(const RSA *rsa);
Adam Langley05b73772014-07-25 12:03:51 -0700287
Adam Langley409766d2014-06-20 12:00:00 -0700288/* RSA_recover_crt_params uses |rsa->n|, |rsa->d| and |rsa->e| in order to
289 * calculate the two primes used and thus the precomputed, CRT values. These
290 * values are set in the |p|, |q|, |dmp1|, |dmq1| and |iqmp| members of |rsa|,
291 * which must be |NULL| on entry. It returns one on success and zero
292 * otherwise. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700293OPENSSL_EXPORT int RSA_recover_crt_params(RSA *rsa);
Adam Langley409766d2014-06-20 12:00:00 -0700294
Adam Langley20b64fd2015-03-20 16:39:54 -0700295/* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
296 * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to
297 * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the
298 * hash function for generating the mask. If NULL, |Hash| is used. The |sLen|
299 * argument specifies the expected salt length in bytes. If |sLen| is -1 then
300 * the salt length is the same as the hash length. If -2, then the salt length
301 * is maximal and is taken from the size of |EM|.
302 *
303 * It returns one on success or zero on error. */
304OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
305 const EVP_MD *Hash,
306 const EVP_MD *mgf1Hash,
307 const uint8_t *EM, int sLen);
308
309/* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|,
310 * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of
311 * output will be written to |EM|. The |mgf1Hash| argument specifies the hash
312 * function for generating the mask. If NULL, |Hash| is used. The |sLen|
313 * argument specifies the expected salt length in bytes. If |sLen| is -1 then
314 * the salt length is the same as the hash length. If -2, then the salt length
315 * is maximal given the space in |EM|.
316 *
317 * It returns one on success or zero on error. */
318OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM,
319 const uint8_t *mHash,
320 const EVP_MD *Hash,
321 const EVP_MD *mgf1Hash,
322 int sLen);
323
Adam Langleyaaccbfe2016-04-13 08:19:03 -0700324/* RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to|
325 * with the given parameters and hash functions. If |md| is NULL then SHA-1 is
326 * used. If |mgf1md| is NULL then the value of |md| is used (which means SHA-1
327 * if that, in turn, is NULL).
328 *
329 * It returns one on success or zero on error. */
330OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1(
331 uint8_t *to, unsigned to_len, const uint8_t *from, unsigned from_len,
332 const uint8_t *param, unsigned param_len, const EVP_MD *md,
333 const EVP_MD *mgf1md);
334
David Benjaminb0acb772015-05-28 16:53:31 -0400335/* RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo
336 * header for the given hash function and sets |out_msg| to point to it. On
337 * successful return, |*out_msg| may be allocated memory and, if so,
338 * |*is_alloced| will be 1. */
339OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
340 int *is_alloced, int hash_nid,
341 const uint8_t *msg, size_t msg_len);
342
Adam Langley20b64fd2015-03-20 16:39:54 -0700343
Adam Langley95c29f32014-06-20 12:00:00 -0700344/* ASN.1 functions. */
345
David Benjaminc0e245a2015-06-17 00:02:59 -0400346/* RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447)
347 * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
348 * error. */
349OPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs);
Adam Langley95c29f32014-06-20 12:00:00 -0700350
David Benjamin231cb822015-09-15 16:47:35 -0400351/* RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it
David Benjamin4c60d352015-09-23 12:23:01 -0400352 * tolerates some invalid encodings. Do not use this function. */
David Benjamin231cb822015-09-15 16:47:35 -0400353OPENSSL_EXPORT RSA *RSA_parse_public_key_buggy(CBS *cbs);
354
David Benjaminc0e245a2015-06-17 00:02:59 -0400355/* RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure
356 * (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */
357OPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len);
358
359/* RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure
360 * (RFC 3447) and appends the result to |cbb|. It returns one on success and
361 * zero on failure. */
362OPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa);
363
364/* RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey
365 * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
366 * buffer containing the result and returns one. Otherwise, it returns zero. The
367 * result should be freed with |OPENSSL_free|. */
368OPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
369 const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700370
David Benjamin74f71102015-06-27 14:56:25 -0400371/* RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447)
372 * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
373 * error. */
374OPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs);
Adam Langley95c29f32014-06-20 12:00:00 -0700375
David Benjamin74f71102015-06-27 14:56:25 -0400376/* RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey
377 * structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */
378OPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in,
379 size_t in_len);
380
381/* RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey
382 * structure (RFC 3447) and appends the result to |cbb|. It returns one on
383 * success and zero on failure. */
384OPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa);
385
386/* RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey
387 * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
388 * buffer containing the result and returns one. Otherwise, it returns zero. The
389 * result should be freed with |OPENSSL_free|. */
390OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes,
391 size_t *out_len, const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700392
393
394/* ex_data functions.
395 *
David Benjamin546f1a52015-04-15 16:46:09 -0400396 * See |ex_data.h| for details. */
Adam Langley95c29f32014-06-20 12:00:00 -0700397
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700398OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp,
David Benjamin8a589332015-12-04 23:14:35 -0500399 CRYPTO_EX_unused *unused,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700400 CRYPTO_EX_dup *dup_func,
401 CRYPTO_EX_free *free_func);
402OPENSSL_EXPORT int RSA_set_ex_data(RSA *r, int idx, void *arg);
403OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *r, int idx);
Adam Langley95c29f32014-06-20 12:00:00 -0700404
David Benjamin6fad7bc2015-09-07 13:12:05 -0400405
406/* Flags. */
407
David Benjaminecc0ce72014-07-18 18:39:42 -0400408/* RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key
409 * material. This may be set if, for instance, it is wrapping some other crypto
410 * API, like a platform key store. */
411#define RSA_FLAG_OPAQUE 1
Adam Langley95c29f32014-06-20 12:00:00 -0700412
Brian Smith24493a42016-03-25 09:12:48 -1000413/* Deprecated and ignored. */
Adam Langley95c29f32014-06-20 12:00:00 -0700414#define RSA_FLAG_CACHE_PUBLIC 2
415
Brian Smith24493a42016-03-25 09:12:48 -1000416/* Deprecated and ignored. */
Adam Langley95c29f32014-06-20 12:00:00 -0700417#define RSA_FLAG_CACHE_PRIVATE 4
418
419/* RSA_FLAG_NO_BLINDING disables blinding of private operations. */
420#define RSA_FLAG_NO_BLINDING 8
421
Brian Smithf08c1c62016-03-25 13:24:46 -1000422/* RSA_FLAG_EXT_PKEY is deprecated and ignored. */
Adam Langley95c29f32014-06-20 12:00:00 -0700423#define RSA_FLAG_EXT_PKEY 0x20
424
425/* RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st|
426 * to be called when set. */
427#define RSA_FLAG_SIGN_VER 0x40
428
429
430/* RSA public exponent values. */
431
432#define RSA_3 0x3
433#define RSA_F4 0x10001
434
435
Adam Langleyc3ef76f2015-04-13 14:34:17 -0700436/* Deprecated functions. */
437
438/* RSA_blinding_on returns one. */
439OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
440
Matt Braithwaite1cb49cd2015-06-17 17:16:02 -0700441/* RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you
442 * should use instead. It returns NULL on error, or a newly-allocated |RSA| on
443 * success. This function is provided for compatibility only. The |callback|
444 * and |cb_arg| parameters must be NULL. */
445OPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback,
446 void *cb_arg);
447
David Benjamin6fad7bc2015-09-07 13:12:05 -0400448/* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len|
449 * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
Adam Langley62882182016-01-14 09:32:24 -0800450 * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it
451 * will not be written to. Rather, a fresh |RSA| is allocated and the previous
452 * one is freed. On successful exit, |*inp| is advanced past the DER structure.
453 * It returns the result or NULL on error. */
David Benjamin6fad7bc2015-09-07 13:12:05 -0400454OPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len);
455
456/* i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not
457 * NULL then the result is written to |*outp| and |*outp| is advanced just past
458 * the output. It returns the number of bytes in the result, whether written or
459 * not, or a negative value on error. */
460OPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp);
461
462/* d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len|
463 * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
Adam Langley62882182016-01-14 09:32:24 -0800464 * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it
465 * will not be written to. Rather, a fresh |RSA| is allocated and the previous
466 * one is freed. On successful exit, |*inp| is advanced past the DER structure.
467 * It returns the result or NULL on error. */
David Benjamin6fad7bc2015-09-07 13:12:05 -0400468OPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len);
469
470/* i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not
471 * NULL then the result is written to |*outp| and |*outp| is advanced just past
472 * the output. It returns the number of bytes in the result, whether written or
473 * not, or a negative value on error. */
474OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp);
475
Adam Langley8ba4b2d2016-03-07 16:35:18 -0800476/* RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the
477 * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. */
478OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(RSA *rsa, uint8_t *EM,
479 const uint8_t *mHash,
480 const EVP_MD *Hash, int sLen);
481
482/* RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the
483 * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. */
484OPENSSL_EXPORT int RSA_verify_PKCS1_PSS(RSA *rsa, const uint8_t *mHash,
485 const EVP_MD *Hash, const uint8_t *EM,
486 int sLen);
487
Adam Langleyaaccbfe2016-04-13 08:19:03 -0700488/* RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but
489 * the |md| and |mgf1md| paramaters of the latter are implicitly set to NULL,
490 * which means SHA-1. */
491OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, unsigned to_len,
492 const uint8_t *from,
493 unsigned from_len,
494 const uint8_t *param,
495 unsigned param_len);
496
Adam Langleyc3ef76f2015-04-13 14:34:17 -0700497
Adam Langley95c29f32014-06-20 12:00:00 -0700498struct rsa_meth_st {
499 struct openssl_method_common_st common;
500
501 void *app_data;
502
503 int (*init)(RSA *rsa);
504 int (*finish)(RSA *rsa);
505
David Benjamin925fee32014-07-11 14:14:08 -0400506 /* size returns the size of the RSA modulus in bytes. */
507 size_t (*size)(const RSA *rsa);
508
Adam Langley95c29f32014-06-20 12:00:00 -0700509 int (*sign)(int type, const uint8_t *m, unsigned int m_length,
510 uint8_t *sigret, unsigned int *siglen, const RSA *rsa);
511
512 int (*verify)(int dtype, const uint8_t *m, unsigned int m_length,
513 const uint8_t *sigbuf, unsigned int siglen, const RSA *rsa);
514
515
516 /* These functions mirror the |RSA_*| functions of the same name. */
517 int (*encrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
518 const uint8_t *in, size_t in_len, int padding);
519 int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
520 const uint8_t *in, size_t in_len, int padding);
521
522 int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
523 const uint8_t *in, size_t in_len, int padding);
524 int (*verify_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
525 const uint8_t *in, size_t in_len, int padding);
526
Adam Langley6bc658d2014-08-18 13:29:45 -0700527 /* private_transform takes a big-endian integer from |in|, calculates the
528 * d'th power of it, modulo the RSA modulus and writes the result as a
529 * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and
530 * |len| is always equal to |RSA_size(rsa)|. If the result of the transform
531 * can be represented in fewer than |len| bytes, then |out| must be zero
532 * padded on the left.
533 *
534 * It returns one on success and zero otherwise.
535 *
536 * RSA decrypt and sign operations will call this, thus an ENGINE might wish
537 * to override it in order to avoid having to implement the padding
538 * functionality demanded by those, higher level, operations. */
539 int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in,
540 size_t len);
541
Brian Smithf08c1c62016-03-25 13:24:46 -1000542 /* mod_exp is deprecated and ignored. Set it to NULL. */
543 int (*mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
Brian Smith617804a2016-02-08 20:36:51 -1000544
545 /* bn_mod_exp is deprecated and ignored. Set it to NULL. */
Adam Langley95c29f32014-06-20 12:00:00 -0700546 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
547 const BIGNUM *m, BN_CTX *ctx,
David Benjamine82e6f62015-11-03 10:40:23 -0500548 const BN_MONT_CTX *mont);
Adam Langley95c29f32014-06-20 12:00:00 -0700549
550 int flags;
551
552 int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
David Benjaminc20febe2014-11-11 23:47:50 -0500553
Adam Langley839b8812015-05-26 11:36:46 -0700554 int (*multi_prime_keygen)(RSA *rsa, int bits, int num_primes, BIGNUM *e,
555 BN_GENCB *cb);
556
David Benjaminc20febe2014-11-11 23:47:50 -0500557 /* supports_digest returns one if |rsa| supports digests of type
558 * |md|. If null, it is assumed that all digests are supported. */
559 int (*supports_digest)(const RSA *rsa, const EVP_MD *md);
Adam Langley95c29f32014-06-20 12:00:00 -0700560};
561
562
563/* Private functions. */
564
565typedef struct bn_blinding_st BN_BLINDING;
566
567struct rsa_st {
Adam Langley95c29f32014-06-20 12:00:00 -0700568 RSA_METHOD *meth;
569
570 BIGNUM *n;
571 BIGNUM *e;
572 BIGNUM *d;
573 BIGNUM *p;
574 BIGNUM *q;
575 BIGNUM *dmp1;
576 BIGNUM *dmq1;
577 BIGNUM *iqmp;
Adam Langley839b8812015-05-26 11:36:46 -0700578
579 STACK_OF(RSA_additional_prime) *additional_primes;
580
Adam Langley95c29f32014-06-20 12:00:00 -0700581 /* be careful using this if the RSA structure is shared */
582 CRYPTO_EX_DATA ex_data;
Adam Langley0da323a2015-05-15 12:49:30 -0700583 CRYPTO_refcount_t references;
Adam Langley95c29f32014-06-20 12:00:00 -0700584 int flags;
585
Adam Langley683d7bd2015-04-13 11:04:14 -0700586 CRYPTO_MUTEX lock;
587
588 /* Used to cache montgomery values. The creation of these values is protected
589 * by |lock|. */
David Benjamin8fb0f522015-11-03 18:24:07 -0500590 BN_MONT_CTX *mont_n;
591 BN_MONT_CTX *mont_p;
592 BN_MONT_CTX *mont_q;
Adam Langley95c29f32014-06-20 12:00:00 -0700593
594 /* num_blindings contains the size of the |blindings| and |blindings_inuse|
595 * arrays. This member and the |blindings_inuse| array are protected by
Adam Langley683d7bd2015-04-13 11:04:14 -0700596 * |lock|. */
Adam Langley95c29f32014-06-20 12:00:00 -0700597 unsigned num_blindings;
598 /* blindings is an array of BN_BLINDING structures that can be reserved by a
Adam Langley683d7bd2015-04-13 11:04:14 -0700599 * thread by locking |lock| and changing the corresponding element in
600 * |blindings_inuse| from 0 to 1. */
Adam Langley95c29f32014-06-20 12:00:00 -0700601 BN_BLINDING **blindings;
602 unsigned char *blindings_inuse;
603};
604
605
606#if defined(__cplusplus)
607} /* extern C */
608#endif
609
David Benjamina2f2bc32016-03-14 17:13:54 -0400610#define RSA_R_BAD_ENCODING 100
611#define RSA_R_BAD_E_VALUE 101
612#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
613#define RSA_R_BAD_PAD_BYTE_COUNT 103
614#define RSA_R_BAD_RSA_PARAMETERS 104
615#define RSA_R_BAD_SIGNATURE 105
616#define RSA_R_BAD_VERSION 106
617#define RSA_R_BLOCK_TYPE_IS_NOT_01 107
618#define RSA_R_BN_NOT_INITIALIZED 108
619#define RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY 109
620#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 110
621#define RSA_R_CRT_VALUES_INCORRECT 111
622#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 112
623#define RSA_R_DATA_TOO_LARGE 113
624#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 114
625#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 115
626#define RSA_R_DATA_TOO_SMALL 116
627#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 117
628#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 118
629#define RSA_R_D_E_NOT_CONGRUENT_TO_1 119
630#define RSA_R_EMPTY_PUBLIC_KEY 120
631#define RSA_R_ENCODE_ERROR 121
632#define RSA_R_FIRST_OCTET_INVALID 122
633#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 123
634#define RSA_R_INTERNAL_ERROR 124
635#define RSA_R_INVALID_MESSAGE_LENGTH 125
636#define RSA_R_KEY_SIZE_TOO_SMALL 126
637#define RSA_R_LAST_OCTET_INVALID 127
638#define RSA_R_MODULUS_TOO_LARGE 128
639#define RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES 129
640#define RSA_R_NO_PUBLIC_EXPONENT 130
641#define RSA_R_NULL_BEFORE_BLOCK_MISSING 131
642#define RSA_R_N_NOT_EQUAL_P_Q 132
643#define RSA_R_OAEP_DECODING_ERROR 133
644#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 134
645#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 135
646#define RSA_R_PADDING_CHECK_FAILED 136
647#define RSA_R_PKCS_DECODING_ERROR 137
648#define RSA_R_SLEN_CHECK_FAILED 138
649#define RSA_R_SLEN_RECOVERY_FAILED 139
650#define RSA_R_TOO_LONG 140
651#define RSA_R_TOO_MANY_ITERATIONS 141
652#define RSA_R_UNKNOWN_ALGORITHM_TYPE 142
653#define RSA_R_UNKNOWN_PADDING_TYPE 143
654#define RSA_R_VALUE_MISSING 144
655#define RSA_R_WRONG_SIGNATURE_LENGTH 145
Adam Langley95c29f32014-06-20 12:00:00 -0700656
657#endif /* OPENSSL_HEADER_RSA_H */