blob: caf4a428f627257d014ca29c9c655fb127185b60 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -07001/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57#ifndef OPENSSL_HEADER_RSA_H
58#define OPENSSL_HEADER_RSA_H
59
60#include <openssl/base.h>
61
62#include <openssl/engine.h>
63#include <openssl/ex_data.h>
Adam Langley683d7bd2015-04-13 11:04:14 -070064#include <openssl/thread.h>
Adam Langley95c29f32014-06-20 12:00:00 -070065
66#if defined(__cplusplus)
67extern "C" {
68#endif
69
70
71/* rsa.h contains functions for handling encryption and signature using RSA. */
72
73
74/* Allocation and destruction. */
75
76/* RSA_new returns a new, empty RSA object or NULL on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -070077OPENSSL_EXPORT RSA *RSA_new(void);
Adam Langley95c29f32014-06-20 12:00:00 -070078
Adam Langley389e3f02014-08-19 11:24:27 -070079/* RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -070080OPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine);
Adam Langley95c29f32014-06-20 12:00:00 -070081
82/* RSA_free decrements the reference count of |rsa| and frees it if the
83 * reference count drops to zero. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -070084OPENSSL_EXPORT void RSA_free(RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -070085
David Benjamin96a16cd2016-08-11 12:14:47 -040086/* RSA_up_ref increments the reference count of |rsa| and returns one. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -070087OPENSSL_EXPORT int RSA_up_ref(RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -070088
89
David Benjamin5a915032016-08-09 11:04:24 -040090/* Properties. */
91
92/* RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s
93 * modulus, public exponent, and private exponent, respectively. If |rsa| is a
94 * public key, the private exponent will be set to NULL. */
95OPENSSL_EXPORT void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n,
96 const BIGNUM **out_e, const BIGNUM **out_d);
97
98/* RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime
David Benjamin82b2b852017-04-12 18:28:48 -040099 * factors. If |rsa| is a public key, they will be set to NULL. */
David Benjamin5a915032016-08-09 11:04:24 -0400100OPENSSL_EXPORT void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
101 const BIGNUM **out_q);
102
103/* RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if
104 * non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and
105 * q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be
David Benjamin82b2b852017-04-12 18:28:48 -0400106 * set to NULL. */
David Benjamin5a915032016-08-09 11:04:24 -0400107OPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
108 const BIGNUM **out_dmq1,
109 const BIGNUM **out_iqmp);
110
111
Adam Langley95c29f32014-06-20 12:00:00 -0700112/* Key generation. */
113
114/* RSA_generate_key_ex generates a new RSA key where the modulus has size
115 * |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value
116 * for |e|. If |cb| is not NULL then it is called during the key generation
117 * process. In addition to the calls documented for |BN_generate_prime_ex|, it
118 * is called with event=2 when the n'th prime is rejected as unsuitable and
Adam Langley5129e2d2014-07-25 10:06:44 -0700119 * with event=3 when a suitable value for |p| is found.
120 *
121 * It returns one on success or zero on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700122OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
123 BN_GENCB *cb);
Adam Langley95c29f32014-06-20 12:00:00 -0700124
Steven Valdez467d3222017-05-16 14:35:22 -0400125/* RSA_generate_key_fips behaves like |RSA_generate_key_ex| but performs
126 * additional checks for FIPS compliance. The public exponent is always 65537
127 * and |bits| must be either 2048 or 3072. */
128OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb);
129
Adam Langley95c29f32014-06-20 12:00:00 -0700130
131/* Encryption / Decryption */
132
133/* Padding types for encryption. */
134#define RSA_PKCS1_PADDING 1
Adam Langley95c29f32014-06-20 12:00:00 -0700135#define RSA_NO_PADDING 3
136#define RSA_PKCS1_OAEP_PADDING 4
137/* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */
138#define RSA_PKCS1_PSS_PADDING 6
139
140/* RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa|
141 * and writes, at most, |max_out| bytes of encrypted data to |out|. The
142 * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
143 *
144 * It returns 1 on success or zero on error.
145 *
146 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500147 * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
148 * |RSA_PKCS1_PADDING| is most common. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700149OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out,
150 size_t max_out, const uint8_t *in, size_t in_len,
151 int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700152
153/* RSA_decrypt decrypts |in_len| bytes from |in| with the private key from
154 * |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The
155 * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
156 *
157 * It returns 1 on success or zero on error.
158 *
159 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500160 * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols.
161 *
162 * Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If
163 * implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then
164 * check padding in constant-time combined with a swap to a random session key
165 * or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based
166 * on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in
167 * Cryptology (Crypto '98). */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700168OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out,
169 size_t max_out, const uint8_t *in, size_t in_len,
170 int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700171
172/* RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in
173 * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
174 * least |RSA_size| bytes of space. It returns the number of bytes written, or
175 * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
David Benjamin3f5b43d2015-12-01 19:31:24 -0500176 * values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
177 * |RSA_PKCS1_PADDING| is most common.
Adam Langley95c29f32014-06-20 12:00:00 -0700178 *
179 * WARNING: this function is dangerous because it breaks the usual return value
180 * convention. Use |RSA_encrypt| instead. */
Matt Braithwaite978f16e2015-10-19 13:38:36 -0700181OPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700182 uint8_t *to, RSA *rsa, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700183
184/* RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500185 * |rsa| and writes the plaintext to |to|. The |to| buffer must have at least
186 * |RSA_size| bytes of space. It returns the number of bytes written, or -1 on
187 * error. The |padding| argument must be one of the |RSA_*_PADDING| values. If
188 * in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing
189 * |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See
190 * |RSA_decrypt|.
Adam Langley95c29f32014-06-20 12:00:00 -0700191 *
192 * WARNING: this function is dangerous because it breaks the usual return value
193 * convention. Use |RSA_decrypt| instead. */
David Benjamin79c59a32015-09-19 13:35:39 -0400194OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700195 uint8_t *to, RSA *rsa, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700196
197
198/* Signing / Verification */
199
David Benjamin3f5b43d2015-12-01 19:31:24 -0500200/* RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using
201 * RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On
202 * successful return, the actual number of bytes written is written to
203 * |*out_len|.
Adam Langley95c29f32014-06-20 12:00:00 -0700204 *
205 * The |hash_nid| argument identifies the hash function used to calculate |in|
206 * and is embedded in the resulting signature. For example, it might be
207 * |NID_sha256|.
208 *
209 * It returns 1 on success and zero on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700210OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in,
211 unsigned int in_len, uint8_t *out,
212 unsigned int *out_len, RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700213
David Benjamin79d18bc2017-05-02 14:34:09 -0400214/* RSA_sign_pss_mgf1 signs |in_len| bytes from |in| with the public key from
215 * |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It writes,
216 * at most, |max_out| bytes of signature data to |out|. The |max_out| argument
217 * must be, at least, |RSA_size| in order to ensure success. It returns 1 on
218 * success or zero on error.
219 *
220 * The |md| and |mgf1_md| arguments identify the hash used to calculate |msg|
221 * and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
222 * used.
223 *
224 * |salt_len| specifies the expected salt length in bytes. If |salt_len| is -1,
225 * then the salt length is the same as the hash length. If -2, then the salt
226 * length is maximal given the size of |rsa|. If unsure, use -1. */
227OPENSSL_EXPORT int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out,
228 size_t max_out, const uint8_t *in,
229 size_t in_len, const EVP_MD *md,
230 const EVP_MD *mgf1_md, int salt_len);
231
Adam Langley95c29f32014-06-20 12:00:00 -0700232/* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa|
Brian Smithb828cfd2015-03-29 16:51:14 -1000233 * and writes, at most, |max_out| bytes of signature data to |out|. The
Adam Langley95c29f32014-06-20 12:00:00 -0700234 * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
235 *
236 * It returns 1 on success or zero on error.
237 *
238 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500239 * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
240 * (via the |EVP_PKEY| interface) is preferred for new protocols. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700241OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
242 size_t max_out, const uint8_t *in,
243 size_t in_len, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700244
David Benjamin3f5b43d2015-12-01 19:31:24 -0500245/* RSA_verify verifies that |sig_len| bytes from |sig| are a valid,
246 * RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|.
Adam Langley95c29f32014-06-20 12:00:00 -0700247 *
David Benjamin79d18bc2017-05-02 14:34:09 -0400248 * The |hash_nid| argument identifies the hash function used to calculate |msg|
Adam Langley95c29f32014-06-20 12:00:00 -0700249 * and is embedded in the resulting signature in order to prevent hash
250 * confusion attacks. For example, it might be |NID_sha256|.
251 *
252 * It returns one if the signature is valid and zero otherwise.
253 *
254 * WARNING: this differs from the original, OpenSSL function which additionally
255 * returned -1 on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700256OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
257 const uint8_t *sig, size_t sig_len, RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700258
David Benjamin79d18bc2017-05-02 14:34:09 -0400259/* RSA_verify_pss_mgf1 verifies that |sig_len| bytes from |sig| are a valid,
260 * RSASSA-PSS signature of |msg_len| bytes at |msg| by |rsa|. It returns one if
261 * the signature is valid and zero otherwise. MGF1 is used as the mask
262 * generation function.
263 *
264 * The |md| and |mgf1_md| arguments identify the hash used to calculate |msg|
265 * and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
266 * used. |salt_len| specifies the expected salt length in bytes.
267 *
268 * If |salt_len| is -1, then the salt length is the same as the hash length. If
269 * -2, then the salt length is recovered and all values accepted. If unsure, use
270 * -1. */
271OPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg,
272 size_t msg_len, const EVP_MD *md,
273 const EVP_MD *mgf1_md, int salt_len,
274 const uint8_t *sig, size_t sig_len);
275
Adam Langley95c29f32014-06-20 12:00:00 -0700276/* RSA_verify_raw verifies |in_len| bytes of signature from |in| using the
277 * public key from |rsa| and writes, at most, |max_out| bytes of plaintext to
278 * |out|. The |max_out| argument must be, at least, |RSA_size| in order to
279 * ensure success.
280 *
281 * It returns 1 on success or zero on error.
282 *
283 * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
David Benjamin3f5b43d2015-12-01 19:31:24 -0500284 * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
285 * (via the |EVP_PKEY| interface) is preferred for new protocols. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700286OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
287 size_t max_out, const uint8_t *in,
288 size_t in_len, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700289
290/* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
291 * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
292 * least |RSA_size| bytes of space. It returns the number of bytes written, or
293 * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
David Benjamin3f5b43d2015-12-01 19:31:24 -0500294 * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but
295 * |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new
296 * protocols.
Adam Langley95c29f32014-06-20 12:00:00 -0700297 *
298 * WARNING: this function is dangerous because it breaks the usual return value
299 * convention. Use |RSA_sign_raw| instead. */
Matt Braithwaite978f16e2015-10-19 13:38:36 -0700300OPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700301 uint8_t *to, RSA *rsa, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700302
Kenny Root3a9e1fb2015-06-10 14:52:40 -0700303/* RSA_public_decrypt verifies |flen| bytes of signature from |from| using the
Adam Langley95c29f32014-06-20 12:00:00 -0700304 * public key in |rsa| and writes the plaintext to |to|. The |to| buffer must
305 * have at least |RSA_size| bytes of space. It returns the number of bytes
306 * written, or -1 on error. The |padding| argument must be one of the
David Benjamin3f5b43d2015-12-01 19:31:24 -0500307 * |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common
308 * but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for
309 * new protocols.
Adam Langley95c29f32014-06-20 12:00:00 -0700310 *
311 * WARNING: this function is dangerous because it breaks the usual return value
312 * convention. Use |RSA_verify_raw| instead. */
Matt Braithwaite978f16e2015-10-19 13:38:36 -0700313OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700314 uint8_t *to, RSA *rsa, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700315
316
317/* Utility functions. */
318
319/* RSA_size returns the number of bytes in the modulus, which is also the size
Brian Smithb828cfd2015-03-29 16:51:14 -1000320 * of a signature or encrypted value using |rsa|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700321OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700322
David Benjaminecc0ce72014-07-18 18:39:42 -0400323/* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
David Benjaminc20febe2014-11-11 23:47:50 -0500324 * material. Otherwise it returns zero. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700325OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa);
David Benjaminecc0ce72014-07-18 18:39:42 -0400326
David Benjaminc0e245a2015-06-17 00:02:59 -0400327/* RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from
Adam Langley95c29f32014-06-20 12:00:00 -0700328 * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700329OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700330
331/* RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from
332 * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700333OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700334
Steven Valdez400d0b72017-04-06 14:55:18 -0400335/* RSA_check_key performs basic validity tests on |rsa|. It returns one if
Adam Langley05b73772014-07-25 12:03:51 -0700336 * they pass and zero otherwise. Opaque keys and public keys always pass. If it
337 * returns zero then a more detailed error is available on the error queue. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700338OPENSSL_EXPORT int RSA_check_key(const RSA *rsa);
Adam Langley05b73772014-07-25 12:03:51 -0700339
Steven Valdez400d0b72017-04-06 14:55:18 -0400340/* RSA_check_fips performs public key validity tests on |key|. It returns one
Steven Valdezd0b98822017-04-11 12:46:03 -0400341 * if they pass and zero otherwise. Opaque keys always fail. */
Steven Valdez400d0b72017-04-06 14:55:18 -0400342OPENSSL_EXPORT int RSA_check_fips(RSA *key);
Steven Valdezd0b98822017-04-11 12:46:03 -0400343
Adam Langley20b64fd2015-03-20 16:39:54 -0700344/* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
345 * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to
346 * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the
347 * hash function for generating the mask. If NULL, |Hash| is used. The |sLen|
348 * argument specifies the expected salt length in bytes. If |sLen| is -1 then
349 * the salt length is the same as the hash length. If -2, then the salt length
David Benjamina36255c2016-12-14 12:41:02 -0500350 * is recovered and all values accepted.
351 *
352 * If unsure, use -1.
Adam Langley20b64fd2015-03-20 16:39:54 -0700353 *
David Benjamin79d18bc2017-05-02 14:34:09 -0400354 * It returns one on success or zero on error.
355 *
356 * This function implements only the low-level padding logic. Use
357 * |RSA_verify_pss_mgf1| instead. */
Adam Langley20b64fd2015-03-20 16:39:54 -0700358OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
359 const EVP_MD *Hash,
360 const EVP_MD *mgf1Hash,
361 const uint8_t *EM, int sLen);
362
363/* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|,
364 * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of
365 * output will be written to |EM|. The |mgf1Hash| argument specifies the hash
366 * function for generating the mask. If NULL, |Hash| is used. The |sLen|
367 * argument specifies the expected salt length in bytes. If |sLen| is -1 then
368 * the salt length is the same as the hash length. If -2, then the salt length
369 * is maximal given the space in |EM|.
370 *
David Benjamin79d18bc2017-05-02 14:34:09 -0400371 * It returns one on success or zero on error.
372 *
373 * This function implements only the low-level padding logic. Use
374 * |RSA_sign_pss_mgf1| instead. */
Adam Langley20b64fd2015-03-20 16:39:54 -0700375OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM,
376 const uint8_t *mHash,
377 const EVP_MD *Hash,
378 const EVP_MD *mgf1Hash,
379 int sLen);
380
Adam Langleyaaccbfe2016-04-13 08:19:03 -0700381/* RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to|
382 * with the given parameters and hash functions. If |md| is NULL then SHA-1 is
383 * used. If |mgf1md| is NULL then the value of |md| is used (which means SHA-1
384 * if that, in turn, is NULL).
385 *
386 * It returns one on success or zero on error. */
387OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1(
David Benjaminf466cdb2017-03-14 15:35:27 -0400388 uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len,
389 const uint8_t *param, size_t param_len, const EVP_MD *md,
Adam Langleyaaccbfe2016-04-13 08:19:03 -0700390 const EVP_MD *mgf1md);
391
David Benjaminb0acb772015-05-28 16:53:31 -0400392/* RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo
393 * header for the given hash function and sets |out_msg| to point to it. On
394 * successful return, |*out_msg| may be allocated memory and, if so,
395 * |*is_alloced| will be 1. */
396OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
397 int *is_alloced, int hash_nid,
398 const uint8_t *msg, size_t msg_len);
399
Adam Langley20b64fd2015-03-20 16:39:54 -0700400
Adam Langley95c29f32014-06-20 12:00:00 -0700401/* ASN.1 functions. */
402
David Benjaminc0e245a2015-06-17 00:02:59 -0400403/* RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447)
404 * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
405 * error. */
406OPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs);
Adam Langley95c29f32014-06-20 12:00:00 -0700407
David Benjamin231cb822015-09-15 16:47:35 -0400408/* RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it
David Benjamin4c60d352015-09-23 12:23:01 -0400409 * tolerates some invalid encodings. Do not use this function. */
David Benjamin231cb822015-09-15 16:47:35 -0400410OPENSSL_EXPORT RSA *RSA_parse_public_key_buggy(CBS *cbs);
411
David Benjaminc0e245a2015-06-17 00:02:59 -0400412/* RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure
413 * (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */
414OPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len);
415
416/* RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure
417 * (RFC 3447) and appends the result to |cbb|. It returns one on success and
418 * zero on failure. */
419OPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa);
420
421/* RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey
422 * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
423 * buffer containing the result and returns one. Otherwise, it returns zero. The
424 * result should be freed with |OPENSSL_free|. */
425OPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
426 const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700427
David Benjamin74f71102015-06-27 14:56:25 -0400428/* RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447)
429 * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
430 * error. */
431OPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs);
Adam Langley95c29f32014-06-20 12:00:00 -0700432
David Benjamin74f71102015-06-27 14:56:25 -0400433/* RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey
434 * structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */
435OPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in,
436 size_t in_len);
437
438/* RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey
439 * structure (RFC 3447) and appends the result to |cbb|. It returns one on
440 * success and zero on failure. */
441OPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa);
442
443/* RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey
444 * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
445 * buffer containing the result and returns one. Otherwise, it returns zero. The
446 * result should be freed with |OPENSSL_free|. */
447OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes,
448 size_t *out_len, const RSA *rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700449
450
451/* ex_data functions.
452 *
David Benjamin546f1a52015-04-15 16:46:09 -0400453 * See |ex_data.h| for details. */
Adam Langley95c29f32014-06-20 12:00:00 -0700454
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700455OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp,
David Benjamin8a589332015-12-04 23:14:35 -0500456 CRYPTO_EX_unused *unused,
David Benjamind94682d2017-05-14 17:10:18 -0400457 CRYPTO_EX_dup *dup_unused,
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700458 CRYPTO_EX_free *free_func);
459OPENSSL_EXPORT int RSA_set_ex_data(RSA *r, int idx, void *arg);
460OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *r, int idx);
Adam Langley95c29f32014-06-20 12:00:00 -0700461
David Benjamin6fad7bc2015-09-07 13:12:05 -0400462
463/* Flags. */
464
David Benjaminecc0ce72014-07-18 18:39:42 -0400465/* RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key
466 * material. This may be set if, for instance, it is wrapping some other crypto
467 * API, like a platform key store. */
468#define RSA_FLAG_OPAQUE 1
Adam Langley95c29f32014-06-20 12:00:00 -0700469
Brian Smith24493a42016-03-25 09:12:48 -1000470/* Deprecated and ignored. */
Adam Langley95c29f32014-06-20 12:00:00 -0700471#define RSA_FLAG_CACHE_PUBLIC 2
472
Brian Smith24493a42016-03-25 09:12:48 -1000473/* Deprecated and ignored. */
Adam Langley95c29f32014-06-20 12:00:00 -0700474#define RSA_FLAG_CACHE_PRIVATE 4
475
Brian Smith86361a32016-03-26 19:42:31 -1000476/* RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a
Brian Smith598e55a2016-03-26 20:17:37 -1000477 * dangerous thing to do. It is deprecated and should not be used. It will
478 * be ignored whenever possible.
Brian Smith86361a32016-03-26 19:42:31 -1000479 *
480 * This flag must be used if a key without the public exponent |e| is used for
481 * private key operations; avoid using such keys whenever possible. */
Adam Langley95c29f32014-06-20 12:00:00 -0700482#define RSA_FLAG_NO_BLINDING 8
483
Brian Smithf08c1c62016-03-25 13:24:46 -1000484/* RSA_FLAG_EXT_PKEY is deprecated and ignored. */
Adam Langley95c29f32014-06-20 12:00:00 -0700485#define RSA_FLAG_EXT_PKEY 0x20
486
487/* RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st|
488 * to be called when set. */
489#define RSA_FLAG_SIGN_VER 0x40
490
491
492/* RSA public exponent values. */
493
494#define RSA_3 0x3
495#define RSA_F4 0x10001
496
497
Adam Langleyc3ef76f2015-04-13 14:34:17 -0700498/* Deprecated functions. */
499
500/* RSA_blinding_on returns one. */
501OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
502
Matt Braithwaite1cb49cd2015-06-17 17:16:02 -0700503/* RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you
504 * should use instead. It returns NULL on error, or a newly-allocated |RSA| on
505 * success. This function is provided for compatibility only. The |callback|
506 * and |cb_arg| parameters must be NULL. */
507OPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback,
508 void *cb_arg);
509
David Benjamin6fad7bc2015-09-07 13:12:05 -0400510/* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len|
511 * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
Adam Langley62882182016-01-14 09:32:24 -0800512 * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it
513 * will not be written to. Rather, a fresh |RSA| is allocated and the previous
514 * one is freed. On successful exit, |*inp| is advanced past the DER structure.
515 * It returns the result or NULL on error. */
David Benjamin6fad7bc2015-09-07 13:12:05 -0400516OPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len);
517
518/* i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not
519 * NULL then the result is written to |*outp| and |*outp| is advanced just past
520 * the output. It returns the number of bytes in the result, whether written or
521 * not, or a negative value on error. */
522OPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp);
523
524/* d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len|
525 * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
Adam Langley62882182016-01-14 09:32:24 -0800526 * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it
527 * will not be written to. Rather, a fresh |RSA| is allocated and the previous
528 * one is freed. On successful exit, |*inp| is advanced past the DER structure.
529 * It returns the result or NULL on error. */
David Benjamin6fad7bc2015-09-07 13:12:05 -0400530OPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len);
531
532/* i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not
533 * NULL then the result is written to |*outp| and |*outp| is advanced just past
534 * the output. It returns the number of bytes in the result, whether written or
535 * not, or a negative value on error. */
536OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp);
537
Adam Langley8ba4b2d2016-03-07 16:35:18 -0800538/* RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the
David Benjamin79d18bc2017-05-02 14:34:09 -0400539 * |mgf1Hash| parameter of the latter is implicitly set to |Hash|.
540 *
541 * This function implements only the low-level padding logic. Use
542 * |RSA_sign_pss_mgf1| instead. */
Adam Langley8ba4b2d2016-03-07 16:35:18 -0800543OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(RSA *rsa, uint8_t *EM,
544 const uint8_t *mHash,
545 const EVP_MD *Hash, int sLen);
546
547/* RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the
David Benjamin79d18bc2017-05-02 14:34:09 -0400548 * |mgf1Hash| parameter of the latter is implicitly set to |Hash|.
549 *
550 * This function implements only the low-level padding logic. Use
551 * |RSA_verify_pss_mgf1| instead. */
Adam Langley8ba4b2d2016-03-07 16:35:18 -0800552OPENSSL_EXPORT int RSA_verify_PKCS1_PSS(RSA *rsa, const uint8_t *mHash,
553 const EVP_MD *Hash, const uint8_t *EM,
554 int sLen);
555
Adam Langleyaaccbfe2016-04-13 08:19:03 -0700556/* RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but
David Benjamin1d6eeb32017-01-08 05:15:58 -0500557 * the |md| and |mgf1md| parameters of the latter are implicitly set to NULL,
Adam Langleyaaccbfe2016-04-13 08:19:03 -0700558 * which means SHA-1. */
David Benjaminf466cdb2017-03-14 15:35:27 -0400559OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len,
Adam Langleyaaccbfe2016-04-13 08:19:03 -0700560 const uint8_t *from,
David Benjaminf466cdb2017-03-14 15:35:27 -0400561 size_t from_len,
Adam Langleyaaccbfe2016-04-13 08:19:03 -0700562 const uint8_t *param,
David Benjaminf466cdb2017-03-14 15:35:27 -0400563 size_t param_len);
Adam Langleyaaccbfe2016-04-13 08:19:03 -0700564
Adam Langleyc3ef76f2015-04-13 14:34:17 -0700565
Adam Langley95c29f32014-06-20 12:00:00 -0700566struct rsa_meth_st {
567 struct openssl_method_common_st common;
568
569 void *app_data;
570
571 int (*init)(RSA *rsa);
572 int (*finish)(RSA *rsa);
573
David Benjamin925fee32014-07-11 14:14:08 -0400574 /* size returns the size of the RSA modulus in bytes. */
575 size_t (*size)(const RSA *rsa);
576
Adam Langley95c29f32014-06-20 12:00:00 -0700577 int (*sign)(int type, const uint8_t *m, unsigned int m_length,
578 uint8_t *sigret, unsigned int *siglen, const RSA *rsa);
579
Brian Smithc0b196d2016-03-04 08:54:07 -1000580 /* Ignored. Set this to NULL. */
Adam Langley95c29f32014-06-20 12:00:00 -0700581 int (*verify)(int dtype, const uint8_t *m, unsigned int m_length,
582 const uint8_t *sigbuf, unsigned int siglen, const RSA *rsa);
583
David Benjamin073391f2017-05-03 15:03:35 -0400584 /* Ignored. Set this to NULL. */
Adam Langley95c29f32014-06-20 12:00:00 -0700585 int (*encrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
586 const uint8_t *in, size_t in_len, int padding);
David Benjamin073391f2017-05-03 15:03:35 -0400587
588 /* These functions mirror the |RSA_*| functions of the same name. */
Adam Langley95c29f32014-06-20 12:00:00 -0700589 int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
590 const uint8_t *in, size_t in_len, int padding);
Adam Langley95c29f32014-06-20 12:00:00 -0700591 int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
592 const uint8_t *in, size_t in_len, int padding);
Brian Smithc0b196d2016-03-04 08:54:07 -1000593 /* Ignored. Set this to NULL. */
Adam Langley95c29f32014-06-20 12:00:00 -0700594 int (*verify_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
595 const uint8_t *in, size_t in_len, int padding);
596
Adam Langley6bc658d2014-08-18 13:29:45 -0700597 /* private_transform takes a big-endian integer from |in|, calculates the
598 * d'th power of it, modulo the RSA modulus and writes the result as a
599 * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and
600 * |len| is always equal to |RSA_size(rsa)|. If the result of the transform
601 * can be represented in fewer than |len| bytes, then |out| must be zero
602 * padded on the left.
603 *
604 * It returns one on success and zero otherwise.
605 *
606 * RSA decrypt and sign operations will call this, thus an ENGINE might wish
607 * to override it in order to avoid having to implement the padding
608 * functionality demanded by those, higher level, operations. */
609 int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in,
610 size_t len);
611
Brian Smithf08c1c62016-03-25 13:24:46 -1000612 /* mod_exp is deprecated and ignored. Set it to NULL. */
613 int (*mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
Brian Smith617804a2016-02-08 20:36:51 -1000614
615 /* bn_mod_exp is deprecated and ignored. Set it to NULL. */
Adam Langley95c29f32014-06-20 12:00:00 -0700616 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
617 const BIGNUM *m, BN_CTX *ctx,
David Benjamine82e6f62015-11-03 10:40:23 -0500618 const BN_MONT_CTX *mont);
Adam Langley95c29f32014-06-20 12:00:00 -0700619
620 int flags;
621
David Benjamin073391f2017-05-03 15:03:35 -0400622 /* Ignored. Set this to NULL. */
Adam Langley95c29f32014-06-20 12:00:00 -0700623 int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
David Benjaminc20febe2014-11-11 23:47:50 -0500624
David Benjamin4a2cc282017-04-10 18:20:55 -0400625 /* Ignored. Set this to NULL. */
Adam Langley839b8812015-05-26 11:36:46 -0700626 int (*multi_prime_keygen)(RSA *rsa, int bits, int num_primes, BIGNUM *e,
627 BN_GENCB *cb);
628
David Benjamin17eeb982017-03-27 22:45:32 -0500629 /* supports_digest is deprecated and ignored. Set it to NULL. */
David Benjaminc20febe2014-11-11 23:47:50 -0500630 int (*supports_digest)(const RSA *rsa, const EVP_MD *md);
Adam Langley95c29f32014-06-20 12:00:00 -0700631};
632
633
634/* Private functions. */
635
636typedef struct bn_blinding_st BN_BLINDING;
637
638struct rsa_st {
Adam Langley95c29f32014-06-20 12:00:00 -0700639 RSA_METHOD *meth;
640
641 BIGNUM *n;
642 BIGNUM *e;
643 BIGNUM *d;
644 BIGNUM *p;
645 BIGNUM *q;
646 BIGNUM *dmp1;
647 BIGNUM *dmq1;
648 BIGNUM *iqmp;
Adam Langley839b8812015-05-26 11:36:46 -0700649
Adam Langley95c29f32014-06-20 12:00:00 -0700650 /* be careful using this if the RSA structure is shared */
651 CRYPTO_EX_DATA ex_data;
Adam Langley0da323a2015-05-15 12:49:30 -0700652 CRYPTO_refcount_t references;
Adam Langley95c29f32014-06-20 12:00:00 -0700653 int flags;
654
Adam Langley683d7bd2015-04-13 11:04:14 -0700655 CRYPTO_MUTEX lock;
656
657 /* Used to cache montgomery values. The creation of these values is protected
658 * by |lock|. */
David Benjamin8fb0f522015-11-03 18:24:07 -0500659 BN_MONT_CTX *mont_n;
660 BN_MONT_CTX *mont_p;
661 BN_MONT_CTX *mont_q;
Adam Langley95c29f32014-06-20 12:00:00 -0700662
663 /* num_blindings contains the size of the |blindings| and |blindings_inuse|
664 * arrays. This member and the |blindings_inuse| array are protected by
Adam Langley683d7bd2015-04-13 11:04:14 -0700665 * |lock|. */
Adam Langley95c29f32014-06-20 12:00:00 -0700666 unsigned num_blindings;
667 /* blindings is an array of BN_BLINDING structures that can be reserved by a
Adam Langley683d7bd2015-04-13 11:04:14 -0700668 * thread by locking |lock| and changing the corresponding element in
669 * |blindings_inuse| from 0 to 1. */
Adam Langley95c29f32014-06-20 12:00:00 -0700670 BN_BLINDING **blindings;
671 unsigned char *blindings_inuse;
672};
673
674
675#if defined(__cplusplus)
676} /* extern C */
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700677
678extern "C++" {
679
680namespace bssl {
681
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700682BORINGSSL_MAKE_DELETER(RSA, RSA_free)
683
Matt Braithwaited17d74d2016-08-17 20:10:28 -0700684} // namespace bssl
685
686} /* extern C++ */
687
Adam Langley95c29f32014-06-20 12:00:00 -0700688#endif
689
David Benjamina2f2bc32016-03-14 17:13:54 -0400690#define RSA_R_BAD_ENCODING 100
691#define RSA_R_BAD_E_VALUE 101
692#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
693#define RSA_R_BAD_PAD_BYTE_COUNT 103
694#define RSA_R_BAD_RSA_PARAMETERS 104
695#define RSA_R_BAD_SIGNATURE 105
696#define RSA_R_BAD_VERSION 106
697#define RSA_R_BLOCK_TYPE_IS_NOT_01 107
698#define RSA_R_BN_NOT_INITIALIZED 108
699#define RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY 109
700#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 110
701#define RSA_R_CRT_VALUES_INCORRECT 111
702#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 112
703#define RSA_R_DATA_TOO_LARGE 113
704#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 114
705#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 115
706#define RSA_R_DATA_TOO_SMALL 116
707#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 117
708#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 118
709#define RSA_R_D_E_NOT_CONGRUENT_TO_1 119
710#define RSA_R_EMPTY_PUBLIC_KEY 120
711#define RSA_R_ENCODE_ERROR 121
712#define RSA_R_FIRST_OCTET_INVALID 122
713#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 123
714#define RSA_R_INTERNAL_ERROR 124
715#define RSA_R_INVALID_MESSAGE_LENGTH 125
716#define RSA_R_KEY_SIZE_TOO_SMALL 126
717#define RSA_R_LAST_OCTET_INVALID 127
718#define RSA_R_MODULUS_TOO_LARGE 128
719#define RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES 129
720#define RSA_R_NO_PUBLIC_EXPONENT 130
721#define RSA_R_NULL_BEFORE_BLOCK_MISSING 131
722#define RSA_R_N_NOT_EQUAL_P_Q 132
723#define RSA_R_OAEP_DECODING_ERROR 133
724#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 134
725#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 135
726#define RSA_R_PADDING_CHECK_FAILED 136
727#define RSA_R_PKCS_DECODING_ERROR 137
728#define RSA_R_SLEN_CHECK_FAILED 138
729#define RSA_R_SLEN_RECOVERY_FAILED 139
730#define RSA_R_TOO_LONG 140
731#define RSA_R_TOO_MANY_ITERATIONS 141
732#define RSA_R_UNKNOWN_ALGORITHM_TYPE 142
733#define RSA_R_UNKNOWN_PADDING_TYPE 143
734#define RSA_R_VALUE_MISSING 144
735#define RSA_R_WRONG_SIGNATURE_LENGTH 145
Steven Valdezd0b98822017-04-11 12:46:03 -0400736#define RSA_R_PUBLIC_KEY_VALIDATION_FAILED 146
Adam Langley95c29f32014-06-20 12:00:00 -0700737
738#endif /* OPENSSL_HEADER_RSA_H */