1 /* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <openssl/crypto.h> 17 #include <openssl/core_names.h> 18 #ifndef FIPS_MODULE 19 # include <openssl/engine.h> 20 #endif 21 #include <openssl/evp.h> 22 #include <openssl/param_build.h> 23 #include "internal/cryptlib.h" 24 #include "internal/refcount.h" 25 #include "crypto/bn.h" 26 #include "crypto/evp.h" 27 #include "crypto/rsa.h" 28 #include "crypto/security_bits.h" 29 #include "rsa_local.h" 30 31 static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx); 32 33 #ifndef FIPS_MODULE 34 RSA *RSA_new(void) 35 { 36 return rsa_new_intern(NULL, NULL); 37 } 38 39 const RSA_METHOD *RSA_get_method(const RSA *rsa) 40 { 41 return rsa->meth; 42 } 43 44 int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) 45 { 46 /* 47 * NB: The caller is specifically setting a method, so it's not up to us 48 * to deal with which ENGINE it comes from. 49 */ 50 const RSA_METHOD *mtmp; 51 mtmp = rsa->meth; 52 if (mtmp->finish) 53 mtmp->finish(rsa); 54 #ifndef OPENSSL_NO_ENGINE 55 ENGINE_finish(rsa->engine); 56 rsa->engine = NULL; 57 #endif 58 rsa->meth = meth; 59 if (meth->init) 60 meth->init(rsa); 61 return 1; 62 } 63 64 RSA *RSA_new_method(ENGINE *engine) 65 { 66 return rsa_new_intern(engine, NULL); 67 } 68 #endif 69 70 RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx) 71 { 72 return rsa_new_intern(NULL, libctx); 73 } 74 75 static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx) 76 { 77 RSA *ret = OPENSSL_zalloc(sizeof(*ret)); 78 79 if (ret == NULL) { 80 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 81 return NULL; 82 } 83 84 ret->references = 1; 85 ret->lock = CRYPTO_THREAD_lock_new(); 86 if (ret->lock == NULL) { 87 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 88 OPENSSL_free(ret); 89 return NULL; 90 } 91 92 ret->libctx = libctx; 93 ret->meth = RSA_get_default_method(); 94 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 95 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 96 if (engine) { 97 if (!ENGINE_init(engine)) { 98 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 99 goto err; 100 } 101 ret->engine = engine; 102 } else { 103 ret->engine = ENGINE_get_default_RSA(); 104 } 105 if (ret->engine) { 106 ret->meth = ENGINE_get_RSA(ret->engine); 107 if (ret->meth == NULL) { 108 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 109 goto err; 110 } 111 } 112 #endif 113 114 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 115 #ifndef FIPS_MODULE 116 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { 117 goto err; 118 } 119 #endif 120 121 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { 122 ERR_raise(ERR_LIB_RSA, ERR_R_INIT_FAIL); 123 goto err; 124 } 125 126 return ret; 127 128 err: 129 RSA_free(ret); 130 return NULL; 131 } 132 133 void RSA_free(RSA *r) 134 { 135 int i; 136 137 if (r == NULL) 138 return; 139 140 CRYPTO_DOWN_REF(&r->references, &i, r->lock); 141 REF_PRINT_COUNT("RSA", r); 142 if (i > 0) 143 return; 144 REF_ASSERT_ISNT(i < 0); 145 146 if (r->meth != NULL && r->meth->finish != NULL) 147 r->meth->finish(r); 148 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 149 ENGINE_finish(r->engine); 150 #endif 151 152 #ifndef FIPS_MODULE 153 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); 154 #endif 155 156 CRYPTO_THREAD_lock_free(r->lock); 157 158 BN_free(r->n); 159 BN_free(r->e); 160 BN_clear_free(r->d); 161 BN_clear_free(r->p); 162 BN_clear_free(r->q); 163 BN_clear_free(r->dmp1); 164 BN_clear_free(r->dmq1); 165 BN_clear_free(r->iqmp); 166 167 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) 168 ossl_rsa_acvp_test_free(r->acvp_test); 169 #endif 170 171 #ifndef FIPS_MODULE 172 RSA_PSS_PARAMS_free(r->pss); 173 sk_RSA_PRIME_INFO_pop_free(r->prime_infos, ossl_rsa_multip_info_free); 174 #endif 175 BN_BLINDING_free(r->blinding); 176 BN_BLINDING_free(r->mt_blinding); 177 OPENSSL_free(r); 178 } 179 180 int RSA_up_ref(RSA *r) 181 { 182 int i; 183 184 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0) 185 return 0; 186 187 REF_PRINT_COUNT("RSA", r); 188 REF_ASSERT_ISNT(i < 2); 189 return i > 1 ? 1 : 0; 190 } 191 192 OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r) 193 { 194 return r->libctx; 195 } 196 197 void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx) 198 { 199 r->libctx = libctx; 200 } 201 202 #ifndef FIPS_MODULE 203 int RSA_set_ex_data(RSA *r, int idx, void *arg) 204 { 205 return CRYPTO_set_ex_data(&r->ex_data, idx, arg); 206 } 207 208 void *RSA_get_ex_data(const RSA *r, int idx) 209 { 210 return CRYPTO_get_ex_data(&r->ex_data, idx); 211 } 212 #endif 213 214 /* 215 * Define a scaling constant for our fixed point arithmetic. 216 * This value must be a power of two because the base two logarithm code 217 * makes this assumption. The exponent must also be a multiple of three so 218 * that the scale factor has an exact cube root. Finally, the scale factor 219 * should not be so large that a multiplication of two scaled numbers 220 * overflows a 64 bit unsigned integer. 221 */ 222 static const unsigned int scale = 1 << 18; 223 static const unsigned int cbrt_scale = 1 << (2 * 18 / 3); 224 225 /* Define some constants, none exceed 32 bits */ 226 static const unsigned int log_2 = 0x02c5c8; /* scale * log(2) */ 227 static const unsigned int log_e = 0x05c551; /* scale * log2(M_E) */ 228 static const unsigned int c1_923 = 0x07b126; /* scale * 1.923 */ 229 static const unsigned int c4_690 = 0x12c28f; /* scale * 4.690 */ 230 231 /* 232 * Multiply two scaled integers together and rescale the result. 233 */ 234 static ossl_inline uint64_t mul2(uint64_t a, uint64_t b) 235 { 236 return a * b / scale; 237 } 238 239 /* 240 * Calculate the cube root of a 64 bit scaled integer. 241 * Although the cube root of a 64 bit number does fit into a 32 bit unsigned 242 * integer, this is not guaranteed after scaling, so this function has a 243 * 64 bit return. This uses the shifting nth root algorithm with some 244 * algebraic simplifications. 245 */ 246 static uint64_t icbrt64(uint64_t x) 247 { 248 uint64_t r = 0; 249 uint64_t b; 250 int s; 251 252 for (s = 63; s >= 0; s -= 3) { 253 r <<= 1; 254 b = 3 * r * (r + 1) + 1; 255 if ((x >> s) >= b) { 256 x -= b << s; 257 r++; 258 } 259 } 260 return r * cbrt_scale; 261 } 262 263 /* 264 * Calculate the natural logarithm of a 64 bit scaled integer. 265 * This is done by calculating a base two logarithm and scaling. 266 * The maximum logarithm (base 2) is 64 and this reduces base e, so 267 * a 32 bit result should not overflow. The argument passed must be 268 * greater than unity so we don't need to handle negative results. 269 */ 270 static uint32_t ilog_e(uint64_t v) 271 { 272 uint32_t i, r = 0; 273 274 /* 275 * Scale down the value into the range 1 .. 2. 276 * 277 * If fractional numbers need to be processed, another loop needs 278 * to go here that checks v < scale and if so multiplies it by 2 and 279 * reduces r by scale. This also means making r signed. 280 */ 281 while (v >= 2 * scale) { 282 v >>= 1; 283 r += scale; 284 } 285 for (i = scale / 2; i != 0; i /= 2) { 286 v = mul2(v, v); 287 if (v >= 2 * scale) { 288 v >>= 1; 289 r += i; 290 } 291 } 292 r = (r * (uint64_t)scale) / log_e; 293 return r; 294 } 295 296 /* 297 * NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC 298 * Modulus Lengths. 299 * 300 * Note that this formula is also referred to in SP800-56A rev3 Appendix D: 301 * for FFC safe prime groups for modp and ffdhe. 302 * After Table 25 and Table 26 it refers to 303 * "The maximum security strength estimates were calculated using the formula in 304 * Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight 305 * bits". 306 * 307 * The formula is: 308 * 309 * E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)} 310 * \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)} 311 * The two cube roots are merged together here. 312 */ 313 uint16_t ossl_ifc_ffc_compute_security_bits(int n) 314 { 315 uint64_t x; 316 uint32_t lx; 317 uint16_t y, cap; 318 319 /* 320 * Look for common values as listed in standards. 321 * These values are not exactly equal to the results from the formulae in 322 * the standards but are defined to be canonical. 323 */ 324 switch (n) { 325 case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 326 return 112; 327 case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 328 return 128; 329 case 4096: /* SP 800-56B rev 2 Appendix D */ 330 return 152; 331 case 6144: /* SP 800-56B rev 2 Appendix D */ 332 return 176; 333 case 7680: /* FIPS 140-2 IG 7.5 */ 334 return 192; 335 case 8192: /* SP 800-56B rev 2 Appendix D */ 336 return 200; 337 case 15360: /* FIPS 140-2 IG 7.5 */ 338 return 256; 339 } 340 341 /* 342 * The first incorrect result (i.e. not accurate or off by one low) occurs 343 * for n = 699668. The true value here is 1200. Instead of using this n 344 * as the check threshold, the smallest n such that the correct result is 345 * 1200 is used instead. 346 */ 347 if (n >= 687737) 348 return 1200; 349 if (n < 8) 350 return 0; 351 352 /* 353 * To ensure that the output is non-decreasing with respect to n, 354 * a cap needs to be applied to the two values where the function over 355 * estimates the strength (according to the above fast path). 356 */ 357 if (n <= 7680) 358 cap = 192; 359 else if (n <= 15360) 360 cap = 256; 361 else 362 cap = 1200; 363 364 x = n * (uint64_t)log_2; 365 lx = ilog_e(x); 366 y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690) 367 / log_2); 368 y = (y + 4) & ~7; 369 if (y > cap) 370 y = cap; 371 return y; 372 } 373 374 375 376 int RSA_security_bits(const RSA *rsa) 377 { 378 int bits = BN_num_bits(rsa->n); 379 380 #ifndef FIPS_MODULE 381 if (rsa->version == RSA_ASN1_VERSION_MULTI) { 382 /* This ought to mean that we have private key at hand. */ 383 int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos); 384 385 if (ex_primes <= 0 || (ex_primes + 2) > ossl_rsa_multip_cap(bits)) 386 return 0; 387 } 388 #endif 389 return ossl_ifc_ffc_compute_security_bits(bits); 390 } 391 392 int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) 393 { 394 /* If the fields n and e in r are NULL, the corresponding input 395 * parameters MUST be non-NULL for n and e. d may be 396 * left NULL (in case only the public key is used). 397 */ 398 if ((r->n == NULL && n == NULL) 399 || (r->e == NULL && e == NULL)) 400 return 0; 401 402 if (n != NULL) { 403 BN_free(r->n); 404 r->n = n; 405 } 406 if (e != NULL) { 407 BN_free(r->e); 408 r->e = e; 409 } 410 if (d != NULL) { 411 BN_clear_free(r->d); 412 r->d = d; 413 BN_set_flags(r->d, BN_FLG_CONSTTIME); 414 } 415 r->dirty_cnt++; 416 417 return 1; 418 } 419 420 int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) 421 { 422 /* If the fields p and q in r are NULL, the corresponding input 423 * parameters MUST be non-NULL. 424 */ 425 if ((r->p == NULL && p == NULL) 426 || (r->q == NULL && q == NULL)) 427 return 0; 428 429 if (p != NULL) { 430 BN_clear_free(r->p); 431 r->p = p; 432 BN_set_flags(r->p, BN_FLG_CONSTTIME); 433 } 434 if (q != NULL) { 435 BN_clear_free(r->q); 436 r->q = q; 437 BN_set_flags(r->q, BN_FLG_CONSTTIME); 438 } 439 r->dirty_cnt++; 440 441 return 1; 442 } 443 444 int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) 445 { 446 /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input 447 * parameters MUST be non-NULL. 448 */ 449 if ((r->dmp1 == NULL && dmp1 == NULL) 450 || (r->dmq1 == NULL && dmq1 == NULL) 451 || (r->iqmp == NULL && iqmp == NULL)) 452 return 0; 453 454 if (dmp1 != NULL) { 455 BN_clear_free(r->dmp1); 456 r->dmp1 = dmp1; 457 BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); 458 } 459 if (dmq1 != NULL) { 460 BN_clear_free(r->dmq1); 461 r->dmq1 = dmq1; 462 BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); 463 } 464 if (iqmp != NULL) { 465 BN_clear_free(r->iqmp); 466 r->iqmp = iqmp; 467 BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); 468 } 469 r->dirty_cnt++; 470 471 return 1; 472 } 473 474 #ifndef FIPS_MODULE 475 /* 476 * Is it better to export RSA_PRIME_INFO structure 477 * and related functions to let user pass a triplet? 478 */ 479 int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[], 480 BIGNUM *coeffs[], int pnum) 481 { 482 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL; 483 RSA_PRIME_INFO *pinfo; 484 int i; 485 486 if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0) 487 return 0; 488 489 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 490 if (prime_infos == NULL) 491 return 0; 492 493 if (r->prime_infos != NULL) 494 old = r->prime_infos; 495 496 for (i = 0; i < pnum; i++) { 497 pinfo = ossl_rsa_multip_info_new(); 498 if (pinfo == NULL) 499 goto err; 500 if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) { 501 BN_clear_free(pinfo->r); 502 BN_clear_free(pinfo->d); 503 BN_clear_free(pinfo->t); 504 pinfo->r = primes[i]; 505 pinfo->d = exps[i]; 506 pinfo->t = coeffs[i]; 507 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 508 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 509 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 510 } else { 511 ossl_rsa_multip_info_free(pinfo); 512 goto err; 513 } 514 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 515 } 516 517 r->prime_infos = prime_infos; 518 519 if (!ossl_rsa_multip_calc_product(r)) { 520 r->prime_infos = old; 521 goto err; 522 } 523 524 if (old != NULL) { 525 /* 526 * This is hard to deal with, since the old infos could 527 * also be set by this function and r, d, t should not 528 * be freed in that case. So currently, stay consistent 529 * with other *set0* functions: just free it... 530 */ 531 sk_RSA_PRIME_INFO_pop_free(old, ossl_rsa_multip_info_free); 532 } 533 534 r->version = RSA_ASN1_VERSION_MULTI; 535 r->dirty_cnt++; 536 537 return 1; 538 err: 539 /* r, d, t should not be freed */ 540 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 541 return 0; 542 } 543 #endif 544 545 void RSA_get0_key(const RSA *r, 546 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) 547 { 548 if (n != NULL) 549 *n = r->n; 550 if (e != NULL) 551 *e = r->e; 552 if (d != NULL) 553 *d = r->d; 554 } 555 556 void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) 557 { 558 if (p != NULL) 559 *p = r->p; 560 if (q != NULL) 561 *q = r->q; 562 } 563 564 #ifndef FIPS_MODULE 565 int RSA_get_multi_prime_extra_count(const RSA *r) 566 { 567 int pnum; 568 569 pnum = sk_RSA_PRIME_INFO_num(r->prime_infos); 570 if (pnum <= 0) 571 pnum = 0; 572 return pnum; 573 } 574 575 int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[]) 576 { 577 int pnum, i; 578 RSA_PRIME_INFO *pinfo; 579 580 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 581 return 0; 582 583 /* 584 * return other primes 585 * it's caller's responsibility to allocate oth_primes[pnum] 586 */ 587 for (i = 0; i < pnum; i++) { 588 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 589 primes[i] = pinfo->r; 590 } 591 592 return 1; 593 } 594 #endif 595 596 void RSA_get0_crt_params(const RSA *r, 597 const BIGNUM **dmp1, const BIGNUM **dmq1, 598 const BIGNUM **iqmp) 599 { 600 if (dmp1 != NULL) 601 *dmp1 = r->dmp1; 602 if (dmq1 != NULL) 603 *dmq1 = r->dmq1; 604 if (iqmp != NULL) 605 *iqmp = r->iqmp; 606 } 607 608 #ifndef FIPS_MODULE 609 int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[], 610 const BIGNUM *coeffs[]) 611 { 612 int pnum; 613 614 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 615 return 0; 616 617 /* return other primes */ 618 if (exps != NULL || coeffs != NULL) { 619 RSA_PRIME_INFO *pinfo; 620 int i; 621 622 /* it's the user's job to guarantee the buffer length */ 623 for (i = 0; i < pnum; i++) { 624 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 625 if (exps != NULL) 626 exps[i] = pinfo->d; 627 if (coeffs != NULL) 628 coeffs[i] = pinfo->t; 629 } 630 } 631 632 return 1; 633 } 634 #endif 635 636 const BIGNUM *RSA_get0_n(const RSA *r) 637 { 638 return r->n; 639 } 640 641 const BIGNUM *RSA_get0_e(const RSA *r) 642 { 643 return r->e; 644 } 645 646 const BIGNUM *RSA_get0_d(const RSA *r) 647 { 648 return r->d; 649 } 650 651 const BIGNUM *RSA_get0_p(const RSA *r) 652 { 653 return r->p; 654 } 655 656 const BIGNUM *RSA_get0_q(const RSA *r) 657 { 658 return r->q; 659 } 660 661 const BIGNUM *RSA_get0_dmp1(const RSA *r) 662 { 663 return r->dmp1; 664 } 665 666 const BIGNUM *RSA_get0_dmq1(const RSA *r) 667 { 668 return r->dmq1; 669 } 670 671 const BIGNUM *RSA_get0_iqmp(const RSA *r) 672 { 673 return r->iqmp; 674 } 675 676 const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r) 677 { 678 #ifdef FIPS_MODULE 679 return NULL; 680 #else 681 return r->pss; 682 #endif 683 } 684 685 /* Internal */ 686 int ossl_rsa_set0_pss_params(RSA *r, RSA_PSS_PARAMS *pss) 687 { 688 #ifdef FIPS_MODULE 689 return 0; 690 #else 691 RSA_PSS_PARAMS_free(r->pss); 692 r->pss = pss; 693 return 1; 694 #endif 695 } 696 697 /* Internal */ 698 RSA_PSS_PARAMS_30 *ossl_rsa_get0_pss_params_30(RSA *r) 699 { 700 return &r->pss_params; 701 } 702 703 void RSA_clear_flags(RSA *r, int flags) 704 { 705 r->flags &= ~flags; 706 } 707 708 int RSA_test_flags(const RSA *r, int flags) 709 { 710 return r->flags & flags; 711 } 712 713 void RSA_set_flags(RSA *r, int flags) 714 { 715 r->flags |= flags; 716 } 717 718 int RSA_get_version(RSA *r) 719 { 720 /* { two-prime(0), multi(1) } */ 721 return r->version; 722 } 723 724 #ifndef FIPS_MODULE 725 ENGINE *RSA_get0_engine(const RSA *r) 726 { 727 return r->engine; 728 } 729 730 int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) 731 { 732 /* If key type not RSA or RSA-PSS return error */ 733 if (ctx != NULL && ctx->pmeth != NULL 734 && ctx->pmeth->pkey_id != EVP_PKEY_RSA 735 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) 736 return -1; 737 return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2); 738 } 739 #endif 740 741 DEFINE_STACK_OF(BIGNUM) 742 743 int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, 744 const STACK_OF(BIGNUM) *exps, 745 const STACK_OF(BIGNUM) *coeffs) 746 { 747 #ifndef FIPS_MODULE 748 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL; 749 #endif 750 int pnum; 751 752 if (primes == NULL || exps == NULL || coeffs == NULL) 753 return 0; 754 755 pnum = sk_BIGNUM_num(primes); 756 if (pnum < 2 757 || pnum != sk_BIGNUM_num(exps) 758 || pnum != sk_BIGNUM_num(coeffs) + 1) 759 return 0; 760 761 if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0), 762 sk_BIGNUM_value(primes, 1)) 763 || !RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0), 764 sk_BIGNUM_value(exps, 1), 765 sk_BIGNUM_value(coeffs, 0))) 766 return 0; 767 768 #ifndef FIPS_MODULE 769 old_infos = r->prime_infos; 770 #endif 771 772 if (pnum > 2) { 773 #ifndef FIPS_MODULE 774 int i; 775 776 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 777 if (prime_infos == NULL) 778 return 0; 779 780 for (i = 2; i < pnum; i++) { 781 BIGNUM *prime = sk_BIGNUM_value(primes, i); 782 BIGNUM *exp = sk_BIGNUM_value(exps, i); 783 BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1); 784 RSA_PRIME_INFO *pinfo = NULL; 785 786 if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL)) 787 goto err; 788 789 /* Using ossl_rsa_multip_info_new() is wasteful, so allocate directly */ 790 if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) { 791 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 792 goto err; 793 } 794 795 pinfo->r = prime; 796 pinfo->d = exp; 797 pinfo->t = coeff; 798 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 799 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 800 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 801 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 802 } 803 804 r->prime_infos = prime_infos; 805 806 if (!ossl_rsa_multip_calc_product(r)) { 807 r->prime_infos = old_infos; 808 goto err; 809 } 810 #else 811 return 0; 812 #endif 813 } 814 815 #ifndef FIPS_MODULE 816 if (old_infos != NULL) { 817 /* 818 * This is hard to deal with, since the old infos could 819 * also be set by this function and r, d, t should not 820 * be freed in that case. So currently, stay consistent 821 * with other *set0* functions: just free it... 822 */ 823 sk_RSA_PRIME_INFO_pop_free(old_infos, ossl_rsa_multip_info_free); 824 } 825 #endif 826 827 r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT; 828 r->dirty_cnt++; 829 830 return 1; 831 #ifndef FIPS_MODULE 832 err: 833 /* r, d, t should not be freed */ 834 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 835 return 0; 836 #endif 837 } 838 839 DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM) 840 841 int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes, 842 STACK_OF(BIGNUM_const) *exps, 843 STACK_OF(BIGNUM_const) *coeffs) 844 { 845 #ifndef FIPS_MODULE 846 RSA_PRIME_INFO *pinfo; 847 int i, pnum; 848 #endif 849 850 if (r == NULL) 851 return 0; 852 853 /* If |p| is NULL, there are no CRT parameters */ 854 if (RSA_get0_p(r) == NULL) 855 return 1; 856 857 sk_BIGNUM_const_push(primes, RSA_get0_p(r)); 858 sk_BIGNUM_const_push(primes, RSA_get0_q(r)); 859 sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r)); 860 sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r)); 861 sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r)); 862 863 #ifndef FIPS_MODULE 864 pnum = RSA_get_multi_prime_extra_count(r); 865 for (i = 0; i < pnum; i++) { 866 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 867 sk_BIGNUM_const_push(primes, pinfo->r); 868 sk_BIGNUM_const_push(exps, pinfo->d); 869 sk_BIGNUM_const_push(coeffs, pinfo->t); 870 } 871 #endif 872 873 return 1; 874 } 875 876 #ifndef FIPS_MODULE 877 /* Helpers to set or get diverse hash algorithm names */ 878 static int int_set_rsa_md_name(EVP_PKEY_CTX *ctx, 879 /* For checks */ 880 int keytype, int optype, 881 /* For EVP_PKEY_CTX_set_params() */ 882 const char *mdkey, const char *mdname, 883 const char *propkey, const char *mdprops) 884 { 885 OSSL_PARAM params[3], *p = params; 886 887 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 888 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 889 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 890 return -2; 891 } 892 893 /* If key type not RSA return error */ 894 switch (keytype) { 895 case -1: 896 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 897 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 898 return -1; 899 break; 900 default: 901 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 902 return -1; 903 break; 904 } 905 906 /* Cast away the const. This is read only so should be safe */ 907 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, 0); 908 if (evp_pkey_ctx_is_provided(ctx) && mdprops != NULL) { 909 /* Cast away the const. This is read only so should be safe */ 910 *p++ = OSSL_PARAM_construct_utf8_string(propkey, (char *)mdprops, 0); 911 } 912 *p++ = OSSL_PARAM_construct_end(); 913 914 return evp_pkey_ctx_set_params_strict(ctx, params); 915 } 916 917 /* Helpers to set or get diverse hash algorithm names */ 918 static int int_get_rsa_md_name(EVP_PKEY_CTX *ctx, 919 /* For checks */ 920 int keytype, int optype, 921 /* For EVP_PKEY_CTX_get_params() */ 922 const char *mdkey, 923 char *mdname, size_t mdnamesize) 924 { 925 OSSL_PARAM params[2], *p = params; 926 927 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 928 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 929 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 930 return -2; 931 } 932 933 /* If key type not RSA return error */ 934 switch (keytype) { 935 case -1: 936 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 937 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 938 return -1; 939 break; 940 default: 941 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 942 return -1; 943 break; 944 } 945 946 /* Cast away the const. This is read only so should be safe */ 947 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, mdnamesize); 948 *p++ = OSSL_PARAM_construct_end(); 949 950 return evp_pkey_ctx_get_params_strict(ctx, params); 951 } 952 953 /* 954 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 955 * simply because that's easier. 956 */ 957 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode) 958 { 959 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, 960 pad_mode, NULL); 961 } 962 963 /* 964 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 965 * simply because that's easier. 966 */ 967 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode) 968 { 969 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 970 0, pad_mode); 971 } 972 973 /* 974 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 975 * simply because that's easier. 976 */ 977 int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 978 { 979 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 980 EVP_PKEY_CTRL_MD, 0, (void *)(md)); 981 } 982 983 int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx, 984 const char *mdname, 985 const char *mdprops) 986 { 987 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 988 OSSL_PKEY_PARAM_RSA_DIGEST, mdname, 989 OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, mdprops); 990 } 991 992 /* 993 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 994 * simply because that's easier. 995 */ 996 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 997 { 998 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 999 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)); 1000 } 1001 1002 int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1003 const char *mdprops) 1004 { 1005 return 1006 int_set_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1007 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, mdname, 1008 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, mdprops); 1009 } 1010 1011 int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, 1012 size_t namesize) 1013 { 1014 return int_get_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1015 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, 1016 name, namesize); 1017 } 1018 1019 /* 1020 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1021 * simply because that's easier. 1022 */ 1023 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1024 { 1025 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1026 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md); 1027 } 1028 1029 /* 1030 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1031 * simply because that's easier. 1032 */ 1033 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1034 { 1035 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1036 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1037 } 1038 1039 int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1040 const char *mdprops) 1041 { 1042 return int_set_rsa_md_name(ctx, -1, 1043 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1044 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1045 OSSL_PKEY_PARAM_MGF1_PROPERTIES, mdprops); 1046 } 1047 1048 int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, 1049 size_t namesize) 1050 { 1051 return int_get_rsa_md_name(ctx, -1, 1052 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1053 OSSL_PKEY_PARAM_MGF1_DIGEST, name, namesize); 1054 } 1055 1056 /* 1057 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1058 * simply because that's easier. 1059 */ 1060 int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1061 { 1062 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1063 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1064 } 1065 1066 int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx, 1067 const char *mdname) 1068 { 1069 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1070 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1071 NULL, NULL); 1072 } 1073 1074 /* 1075 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1076 * simply because that's easier. 1077 */ 1078 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1079 { 1080 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1081 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(md)); 1082 } 1083 1084 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) 1085 { 1086 OSSL_PARAM rsa_params[2], *p = rsa_params; 1087 int ret; 1088 1089 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1090 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1091 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1092 return -2; 1093 } 1094 1095 /* If key type not RSA return error */ 1096 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1097 return -1; 1098 1099 /* Cast away the const. This is read only so should be safe */ 1100 *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1101 (void *)label, (size_t)llen); 1102 *p++ = OSSL_PARAM_construct_end(); 1103 1104 ret = evp_pkey_ctx_set_params_strict(ctx, rsa_params); 1105 if (ret <= 0) 1106 return ret; 1107 1108 /* Ownership is supposed to be transfered to the callee. */ 1109 OPENSSL_free(label); 1110 return 1; 1111 } 1112 1113 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label) 1114 { 1115 OSSL_PARAM rsa_params[2], *p = rsa_params; 1116 size_t labellen; 1117 1118 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1119 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1120 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1121 return -2; 1122 } 1123 1124 /* If key type not RSA return error */ 1125 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1126 return -1; 1127 1128 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1129 (void **)label, 0); 1130 *p++ = OSSL_PARAM_construct_end(); 1131 1132 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params)) 1133 return -1; 1134 1135 labellen = rsa_params[0].return_size; 1136 if (labellen > INT_MAX) 1137 return -1; 1138 1139 return (int)labellen; 1140 } 1141 1142 /* 1143 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1144 * simply because that's easier. 1145 */ 1146 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1147 { 1148 /* 1149 * For some reason, the optype was set to this: 1150 * 1151 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1152 * 1153 * However, we do use RSA-PSS with the whole gamut of diverse signature 1154 * and verification operations, so the optype gets upgraded to this: 1155 * 1156 * EVP_PKEY_OP_TYPE_SIG 1157 */ 1158 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1159 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltlen, NULL); 1160 } 1161 1162 /* 1163 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1164 * simply because that's easier. 1165 */ 1166 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen) 1167 { 1168 /* 1169 * Because of circumstances, the optype is updated from: 1170 * 1171 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1172 * 1173 * to: 1174 * 1175 * EVP_PKEY_OP_TYPE_SIG 1176 */ 1177 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1178 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, saltlen); 1179 } 1180 1181 int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1182 { 1183 OSSL_PARAM pad_params[2], *p = pad_params; 1184 1185 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1186 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1187 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1188 return -2; 1189 } 1190 1191 if (!EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1192 return -1; 1193 1194 *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, 1195 &saltlen); 1196 *p++ = OSSL_PARAM_construct_end(); 1197 1198 return evp_pkey_ctx_set_params_strict(ctx, pad_params); 1199 } 1200 1201 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) 1202 { 1203 OSSL_PARAM params[2], *p = params; 1204 size_t bits2 = bits; 1205 1206 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1207 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1208 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1209 return -2; 1210 } 1211 1212 /* If key type not RSA return error */ 1213 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1214 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1215 return -1; 1216 1217 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2); 1218 *p++ = OSSL_PARAM_construct_end(); 1219 1220 return evp_pkey_ctx_set_params_strict(ctx, params); 1221 } 1222 1223 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1224 { 1225 int ret = RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, 1226 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1227 1228 /* 1229 * Satisfy memory semantics for pre-3.0 callers of 1230 * EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input 1231 * pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success. 1232 */ 1233 if (ret > 0 && evp_pkey_ctx_is_provided(ctx)) { 1234 BN_free(ctx->rsa_pubexp); 1235 ctx->rsa_pubexp = pubexp; 1236 } 1237 1238 return ret; 1239 } 1240 1241 int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1242 { 1243 int ret = 0; 1244 1245 /* 1246 * When we're dealing with a provider, there's no need to duplicate 1247 * pubexp, as it gets copied when transforming to an OSSL_PARAM anyway. 1248 */ 1249 if (evp_pkey_ctx_is_legacy(ctx)) { 1250 pubexp = BN_dup(pubexp); 1251 if (pubexp == NULL) 1252 return 0; 1253 } 1254 ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, 1255 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1256 if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0) 1257 BN_free(pubexp); 1258 return ret; 1259 } 1260 1261 int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes) 1262 { 1263 OSSL_PARAM params[2], *p = params; 1264 size_t primes2 = primes; 1265 1266 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1267 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1268 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1269 return -2; 1270 } 1271 1272 /* If key type not RSA return error */ 1273 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1274 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1275 return -1; 1276 1277 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2); 1278 *p++ = OSSL_PARAM_construct_end(); 1279 1280 return evp_pkey_ctx_set_params_strict(ctx, params); 1281 } 1282 #endif 1283