1 /* 2 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <openssl/crypto.h> 17 #include <openssl/core_names.h> 18 #ifndef FIPS_MODULE 19 # include <openssl/engine.h> 20 #endif 21 #include <openssl/evp.h> 22 #include <openssl/param_build.h> 23 #include "internal/cryptlib.h" 24 #include "internal/refcount.h" 25 #include "crypto/bn.h" 26 #include "crypto/evp.h" 27 #include "crypto/rsa.h" 28 #include "crypto/security_bits.h" 29 #include "rsa_local.h" 30 31 static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx); 32 33 #ifndef FIPS_MODULE 34 RSA *RSA_new(void) 35 { 36 return rsa_new_intern(NULL, NULL); 37 } 38 39 const RSA_METHOD *RSA_get_method(const RSA *rsa) 40 { 41 return rsa->meth; 42 } 43 44 int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) 45 { 46 /* 47 * NB: The caller is specifically setting a method, so it's not up to us 48 * to deal with which ENGINE it comes from. 49 */ 50 const RSA_METHOD *mtmp; 51 mtmp = rsa->meth; 52 if (mtmp->finish) 53 mtmp->finish(rsa); 54 #ifndef OPENSSL_NO_ENGINE 55 ENGINE_finish(rsa->engine); 56 rsa->engine = NULL; 57 #endif 58 rsa->meth = meth; 59 if (meth->init) 60 meth->init(rsa); 61 return 1; 62 } 63 64 RSA *RSA_new_method(ENGINE *engine) 65 { 66 return rsa_new_intern(engine, NULL); 67 } 68 #endif 69 70 RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx) 71 { 72 return rsa_new_intern(NULL, libctx); 73 } 74 75 static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx) 76 { 77 RSA *ret = OPENSSL_zalloc(sizeof(*ret)); 78 79 if (ret == NULL) { 80 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 81 return NULL; 82 } 83 84 ret->references = 1; 85 ret->lock = CRYPTO_THREAD_lock_new(); 86 if (ret->lock == NULL) { 87 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 88 OPENSSL_free(ret); 89 return NULL; 90 } 91 92 ret->libctx = libctx; 93 ret->meth = RSA_get_default_method(); 94 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 95 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 96 if (engine) { 97 if (!ENGINE_init(engine)) { 98 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 99 goto err; 100 } 101 ret->engine = engine; 102 } else { 103 ret->engine = ENGINE_get_default_RSA(); 104 } 105 if (ret->engine) { 106 ret->meth = ENGINE_get_RSA(ret->engine); 107 if (ret->meth == NULL) { 108 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 109 goto err; 110 } 111 } 112 #endif 113 114 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 115 #ifndef FIPS_MODULE 116 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { 117 goto err; 118 } 119 #endif 120 121 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { 122 ERR_raise(ERR_LIB_RSA, ERR_R_INIT_FAIL); 123 goto err; 124 } 125 126 return ret; 127 128 err: 129 RSA_free(ret); 130 return NULL; 131 } 132 133 void RSA_free(RSA *r) 134 { 135 int i; 136 137 if (r == NULL) 138 return; 139 140 CRYPTO_DOWN_REF(&r->references, &i, r->lock); 141 REF_PRINT_COUNT("RSA", r); 142 if (i > 0) 143 return; 144 REF_ASSERT_ISNT(i < 0); 145 146 if (r->meth != NULL && r->meth->finish != NULL) 147 r->meth->finish(r); 148 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 149 ENGINE_finish(r->engine); 150 #endif 151 152 #ifndef FIPS_MODULE 153 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); 154 #endif 155 156 CRYPTO_THREAD_lock_free(r->lock); 157 158 BN_free(r->n); 159 BN_free(r->e); 160 BN_clear_free(r->d); 161 BN_clear_free(r->p); 162 BN_clear_free(r->q); 163 BN_clear_free(r->dmp1); 164 BN_clear_free(r->dmq1); 165 BN_clear_free(r->iqmp); 166 167 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) 168 ossl_rsa_acvp_test_free(r->acvp_test); 169 #endif 170 171 #ifndef FIPS_MODULE 172 RSA_PSS_PARAMS_free(r->pss); 173 sk_RSA_PRIME_INFO_pop_free(r->prime_infos, ossl_rsa_multip_info_free); 174 #endif 175 BN_BLINDING_free(r->blinding); 176 BN_BLINDING_free(r->mt_blinding); 177 OPENSSL_free(r); 178 } 179 180 int RSA_up_ref(RSA *r) 181 { 182 int i; 183 184 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0) 185 return 0; 186 187 REF_PRINT_COUNT("RSA", r); 188 REF_ASSERT_ISNT(i < 2); 189 return i > 1 ? 1 : 0; 190 } 191 192 OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r) 193 { 194 return r->libctx; 195 } 196 197 void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx) 198 { 199 r->libctx = libctx; 200 } 201 202 #ifndef FIPS_MODULE 203 int RSA_set_ex_data(RSA *r, int idx, void *arg) 204 { 205 return CRYPTO_set_ex_data(&r->ex_data, idx, arg); 206 } 207 208 void *RSA_get_ex_data(const RSA *r, int idx) 209 { 210 return CRYPTO_get_ex_data(&r->ex_data, idx); 211 } 212 #endif 213 214 /* 215 * Define a scaling constant for our fixed point arithmetic. 216 * This value must be a power of two because the base two logarithm code 217 * makes this assumption. The exponent must also be a multiple of three so 218 * that the scale factor has an exact cube root. Finally, the scale factor 219 * should not be so large that a multiplication of two scaled numbers 220 * overflows a 64 bit unsigned integer. 221 */ 222 static const unsigned int scale = 1 << 18; 223 static const unsigned int cbrt_scale = 1 << (2 * 18 / 3); 224 225 /* Define some constants, none exceed 32 bits */ 226 static const unsigned int log_2 = 0x02c5c8; /* scale * log(2) */ 227 static const unsigned int log_e = 0x05c551; /* scale * log2(M_E) */ 228 static const unsigned int c1_923 = 0x07b126; /* scale * 1.923 */ 229 static const unsigned int c4_690 = 0x12c28f; /* scale * 4.690 */ 230 231 /* 232 * Multiply two scaled integers together and rescale the result. 233 */ 234 static ossl_inline uint64_t mul2(uint64_t a, uint64_t b) 235 { 236 return a * b / scale; 237 } 238 239 /* 240 * Calculate the cube root of a 64 bit scaled integer. 241 * Although the cube root of a 64 bit number does fit into a 32 bit unsigned 242 * integer, this is not guaranteed after scaling, so this function has a 243 * 64 bit return. This uses the shifting nth root algorithm with some 244 * algebraic simplifications. 245 */ 246 static uint64_t icbrt64(uint64_t x) 247 { 248 uint64_t r = 0; 249 uint64_t b; 250 int s; 251 252 for (s = 63; s >= 0; s -= 3) { 253 r <<= 1; 254 b = 3 * r * (r + 1) + 1; 255 if ((x >> s) >= b) { 256 x -= b << s; 257 r++; 258 } 259 } 260 return r * cbrt_scale; 261 } 262 263 /* 264 * Calculate the natural logarithm of a 64 bit scaled integer. 265 * This is done by calculating a base two logarithm and scaling. 266 * The maximum logarithm (base 2) is 64 and this reduces base e, so 267 * a 32 bit result should not overflow. The argument passed must be 268 * greater than unity so we don't need to handle negative results. 269 */ 270 static uint32_t ilog_e(uint64_t v) 271 { 272 uint32_t i, r = 0; 273 274 /* 275 * Scale down the value into the range 1 .. 2. 276 * 277 * If fractional numbers need to be processed, another loop needs 278 * to go here that checks v < scale and if so multiplies it by 2 and 279 * reduces r by scale. This also means making r signed. 280 */ 281 while (v >= 2 * scale) { 282 v >>= 1; 283 r += scale; 284 } 285 for (i = scale / 2; i != 0; i /= 2) { 286 v = mul2(v, v); 287 if (v >= 2 * scale) { 288 v >>= 1; 289 r += i; 290 } 291 } 292 r = (r * (uint64_t)scale) / log_e; 293 return r; 294 } 295 296 /* 297 * NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC 298 * Modulus Lengths. 299 * 300 * Note that this formula is also referred to in SP800-56A rev3 Appendix D: 301 * for FFC safe prime groups for modp and ffdhe. 302 * After Table 25 and Table 26 it refers to 303 * "The maximum security strength estimates were calculated using the formula in 304 * Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight 305 * bits". 306 * 307 * The formula is: 308 * 309 * E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)} 310 * \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)} 311 * The two cube roots are merged together here. 312 */ 313 uint16_t ossl_ifc_ffc_compute_security_bits(int n) 314 { 315 uint64_t x; 316 uint32_t lx; 317 uint16_t y, cap; 318 319 /* 320 * Look for common values as listed in standards. 321 * These values are not exactly equal to the results from the formulae in 322 * the standards but are defined to be canonical. 323 */ 324 switch (n) { 325 case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 326 return 112; 327 case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 328 return 128; 329 case 4096: /* SP 800-56B rev 2 Appendix D */ 330 return 152; 331 case 6144: /* SP 800-56B rev 2 Appendix D */ 332 return 176; 333 case 7680: /* FIPS 140-2 IG 7.5 */ 334 return 192; 335 case 8192: /* SP 800-56B rev 2 Appendix D */ 336 return 200; 337 case 15360: /* FIPS 140-2 IG 7.5 */ 338 return 256; 339 } 340 341 /* 342 * The first incorrect result (i.e. not accurate or off by one low) occurs 343 * for n = 699668. The true value here is 1200. Instead of using this n 344 * as the check threshold, the smallest n such that the correct result is 345 * 1200 is used instead. 346 */ 347 if (n >= 687737) 348 return 1200; 349 if (n < 8) 350 return 0; 351 352 /* 353 * To ensure that the output is non-decreasing with respect to n, 354 * a cap needs to be applied to the two values where the function over 355 * estimates the strength (according to the above fast path). 356 */ 357 if (n <= 7680) 358 cap = 192; 359 else if (n <= 15360) 360 cap = 256; 361 else 362 cap = 1200; 363 364 x = n * (uint64_t)log_2; 365 lx = ilog_e(x); 366 y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690) 367 / log_2); 368 y = (y + 4) & ~7; 369 if (y > cap) 370 y = cap; 371 return y; 372 } 373 374 375 376 int RSA_security_bits(const RSA *rsa) 377 { 378 int bits = BN_num_bits(rsa->n); 379 380 #ifndef FIPS_MODULE 381 if (rsa->version == RSA_ASN1_VERSION_MULTI) { 382 /* This ought to mean that we have private key at hand. */ 383 int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos); 384 385 if (ex_primes <= 0 || (ex_primes + 2) > ossl_rsa_multip_cap(bits)) 386 return 0; 387 } 388 #endif 389 return ossl_ifc_ffc_compute_security_bits(bits); 390 } 391 392 int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) 393 { 394 /* If the fields n and e in r are NULL, the corresponding input 395 * parameters MUST be non-NULL for n and e. d may be 396 * left NULL (in case only the public key is used). 397 */ 398 if ((r->n == NULL && n == NULL) 399 || (r->e == NULL && e == NULL)) 400 return 0; 401 402 if (n != NULL) { 403 BN_free(r->n); 404 r->n = n; 405 } 406 if (e != NULL) { 407 BN_free(r->e); 408 r->e = e; 409 } 410 if (d != NULL) { 411 BN_clear_free(r->d); 412 r->d = d; 413 BN_set_flags(r->d, BN_FLG_CONSTTIME); 414 } 415 r->dirty_cnt++; 416 417 return 1; 418 } 419 420 int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) 421 { 422 /* If the fields p and q in r are NULL, the corresponding input 423 * parameters MUST be non-NULL. 424 */ 425 if ((r->p == NULL && p == NULL) 426 || (r->q == NULL && q == NULL)) 427 return 0; 428 429 if (p != NULL) { 430 BN_clear_free(r->p); 431 r->p = p; 432 BN_set_flags(r->p, BN_FLG_CONSTTIME); 433 } 434 if (q != NULL) { 435 BN_clear_free(r->q); 436 r->q = q; 437 BN_set_flags(r->q, BN_FLG_CONSTTIME); 438 } 439 r->dirty_cnt++; 440 441 return 1; 442 } 443 444 int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) 445 { 446 /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input 447 * parameters MUST be non-NULL. 448 */ 449 if ((r->dmp1 == NULL && dmp1 == NULL) 450 || (r->dmq1 == NULL && dmq1 == NULL) 451 || (r->iqmp == NULL && iqmp == NULL)) 452 return 0; 453 454 if (dmp1 != NULL) { 455 BN_clear_free(r->dmp1); 456 r->dmp1 = dmp1; 457 BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); 458 } 459 if (dmq1 != NULL) { 460 BN_clear_free(r->dmq1); 461 r->dmq1 = dmq1; 462 BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); 463 } 464 if (iqmp != NULL) { 465 BN_clear_free(r->iqmp); 466 r->iqmp = iqmp; 467 BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); 468 } 469 r->dirty_cnt++; 470 471 return 1; 472 } 473 474 #ifndef FIPS_MODULE 475 /* 476 * Is it better to export RSA_PRIME_INFO structure 477 * and related functions to let user pass a triplet? 478 */ 479 int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[], 480 BIGNUM *coeffs[], int pnum) 481 { 482 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL; 483 RSA_PRIME_INFO *pinfo; 484 int i; 485 486 if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0) 487 return 0; 488 489 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 490 if (prime_infos == NULL) 491 return 0; 492 493 if (r->prime_infos != NULL) 494 old = r->prime_infos; 495 496 for (i = 0; i < pnum; i++) { 497 pinfo = ossl_rsa_multip_info_new(); 498 if (pinfo == NULL) 499 goto err; 500 if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) { 501 BN_clear_free(pinfo->r); 502 BN_clear_free(pinfo->d); 503 BN_clear_free(pinfo->t); 504 pinfo->r = primes[i]; 505 pinfo->d = exps[i]; 506 pinfo->t = coeffs[i]; 507 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 508 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 509 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 510 } else { 511 ossl_rsa_multip_info_free(pinfo); 512 goto err; 513 } 514 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 515 } 516 517 r->prime_infos = prime_infos; 518 519 if (!ossl_rsa_multip_calc_product(r)) { 520 r->prime_infos = old; 521 goto err; 522 } 523 524 if (old != NULL) { 525 /* 526 * This is hard to deal with, since the old infos could 527 * also be set by this function and r, d, t should not 528 * be freed in that case. So currently, stay consistent 529 * with other *set0* functions: just free it... 530 */ 531 sk_RSA_PRIME_INFO_pop_free(old, ossl_rsa_multip_info_free); 532 } 533 534 r->version = RSA_ASN1_VERSION_MULTI; 535 r->dirty_cnt++; 536 537 return 1; 538 err: 539 /* r, d, t should not be freed */ 540 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 541 return 0; 542 } 543 #endif 544 545 void RSA_get0_key(const RSA *r, 546 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) 547 { 548 if (n != NULL) 549 *n = r->n; 550 if (e != NULL) 551 *e = r->e; 552 if (d != NULL) 553 *d = r->d; 554 } 555 556 void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) 557 { 558 if (p != NULL) 559 *p = r->p; 560 if (q != NULL) 561 *q = r->q; 562 } 563 564 #ifndef FIPS_MODULE 565 int RSA_get_multi_prime_extra_count(const RSA *r) 566 { 567 int pnum; 568 569 pnum = sk_RSA_PRIME_INFO_num(r->prime_infos); 570 if (pnum <= 0) 571 pnum = 0; 572 return pnum; 573 } 574 575 int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[]) 576 { 577 int pnum, i; 578 RSA_PRIME_INFO *pinfo; 579 580 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 581 return 0; 582 583 /* 584 * return other primes 585 * it's caller's responsibility to allocate oth_primes[pnum] 586 */ 587 for (i = 0; i < pnum; i++) { 588 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 589 primes[i] = pinfo->r; 590 } 591 592 return 1; 593 } 594 #endif 595 596 void RSA_get0_crt_params(const RSA *r, 597 const BIGNUM **dmp1, const BIGNUM **dmq1, 598 const BIGNUM **iqmp) 599 { 600 if (dmp1 != NULL) 601 *dmp1 = r->dmp1; 602 if (dmq1 != NULL) 603 *dmq1 = r->dmq1; 604 if (iqmp != NULL) 605 *iqmp = r->iqmp; 606 } 607 608 #ifndef FIPS_MODULE 609 int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[], 610 const BIGNUM *coeffs[]) 611 { 612 int pnum; 613 614 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 615 return 0; 616 617 /* return other primes */ 618 if (exps != NULL || coeffs != NULL) { 619 RSA_PRIME_INFO *pinfo; 620 int i; 621 622 /* it's the user's job to guarantee the buffer length */ 623 for (i = 0; i < pnum; i++) { 624 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 625 if (exps != NULL) 626 exps[i] = pinfo->d; 627 if (coeffs != NULL) 628 coeffs[i] = pinfo->t; 629 } 630 } 631 632 return 1; 633 } 634 #endif 635 636 const BIGNUM *RSA_get0_n(const RSA *r) 637 { 638 return r->n; 639 } 640 641 const BIGNUM *RSA_get0_e(const RSA *r) 642 { 643 return r->e; 644 } 645 646 const BIGNUM *RSA_get0_d(const RSA *r) 647 { 648 return r->d; 649 } 650 651 const BIGNUM *RSA_get0_p(const RSA *r) 652 { 653 return r->p; 654 } 655 656 const BIGNUM *RSA_get0_q(const RSA *r) 657 { 658 return r->q; 659 } 660 661 const BIGNUM *RSA_get0_dmp1(const RSA *r) 662 { 663 return r->dmp1; 664 } 665 666 const BIGNUM *RSA_get0_dmq1(const RSA *r) 667 { 668 return r->dmq1; 669 } 670 671 const BIGNUM *RSA_get0_iqmp(const RSA *r) 672 { 673 return r->iqmp; 674 } 675 676 const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r) 677 { 678 #ifdef FIPS_MODULE 679 return NULL; 680 #else 681 return r->pss; 682 #endif 683 } 684 685 /* Internal */ 686 int ossl_rsa_set0_pss_params(RSA *r, RSA_PSS_PARAMS *pss) 687 { 688 #ifdef FIPS_MODULE 689 return 0; 690 #else 691 RSA_PSS_PARAMS_free(r->pss); 692 r->pss = pss; 693 return 1; 694 #endif 695 } 696 697 /* Internal */ 698 RSA_PSS_PARAMS_30 *ossl_rsa_get0_pss_params_30(RSA *r) 699 { 700 return &r->pss_params; 701 } 702 703 void RSA_clear_flags(RSA *r, int flags) 704 { 705 r->flags &= ~flags; 706 } 707 708 int RSA_test_flags(const RSA *r, int flags) 709 { 710 return r->flags & flags; 711 } 712 713 void RSA_set_flags(RSA *r, int flags) 714 { 715 r->flags |= flags; 716 } 717 718 int RSA_get_version(RSA *r) 719 { 720 /* { two-prime(0), multi(1) } */ 721 return r->version; 722 } 723 724 #ifndef FIPS_MODULE 725 ENGINE *RSA_get0_engine(const RSA *r) 726 { 727 return r->engine; 728 } 729 730 int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) 731 { 732 /* If key type not RSA or RSA-PSS return error */ 733 if (ctx != NULL && ctx->pmeth != NULL 734 && ctx->pmeth->pkey_id != EVP_PKEY_RSA 735 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) 736 return -1; 737 return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2); 738 } 739 #endif 740 741 DEFINE_STACK_OF(BIGNUM) 742 743 int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, 744 const STACK_OF(BIGNUM) *exps, 745 const STACK_OF(BIGNUM) *coeffs) 746 { 747 #ifndef FIPS_MODULE 748 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL; 749 #endif 750 int pnum; 751 752 if (primes == NULL || exps == NULL || coeffs == NULL) 753 return 0; 754 755 pnum = sk_BIGNUM_num(primes); 756 if (pnum < 2) 757 return 0; 758 759 if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0), 760 sk_BIGNUM_value(primes, 1))) 761 return 0; 762 763 if (pnum == sk_BIGNUM_num(exps) 764 && pnum == sk_BIGNUM_num(coeffs) + 1) { 765 766 if (!RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0), 767 sk_BIGNUM_value(exps, 1), 768 sk_BIGNUM_value(coeffs, 0))) 769 return 0; 770 } 771 772 #ifndef FIPS_MODULE 773 old_infos = r->prime_infos; 774 #endif 775 776 if (pnum > 2) { 777 #ifndef FIPS_MODULE 778 int i; 779 780 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 781 if (prime_infos == NULL) 782 return 0; 783 784 for (i = 2; i < pnum; i++) { 785 BIGNUM *prime = sk_BIGNUM_value(primes, i); 786 BIGNUM *exp = sk_BIGNUM_value(exps, i); 787 BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1); 788 RSA_PRIME_INFO *pinfo = NULL; 789 790 if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL)) 791 goto err; 792 793 /* Using ossl_rsa_multip_info_new() is wasteful, so allocate directly */ 794 if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) { 795 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 796 goto err; 797 } 798 799 pinfo->r = prime; 800 pinfo->d = exp; 801 pinfo->t = coeff; 802 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 803 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 804 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 805 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 806 } 807 808 r->prime_infos = prime_infos; 809 810 if (!ossl_rsa_multip_calc_product(r)) { 811 r->prime_infos = old_infos; 812 goto err; 813 } 814 #else 815 return 0; 816 #endif 817 } 818 819 #ifndef FIPS_MODULE 820 if (old_infos != NULL) { 821 /* 822 * This is hard to deal with, since the old infos could 823 * also be set by this function and r, d, t should not 824 * be freed in that case. So currently, stay consistent 825 * with other *set0* functions: just free it... 826 */ 827 sk_RSA_PRIME_INFO_pop_free(old_infos, ossl_rsa_multip_info_free); 828 } 829 #endif 830 831 r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT; 832 r->dirty_cnt++; 833 834 return 1; 835 #ifndef FIPS_MODULE 836 err: 837 /* r, d, t should not be freed */ 838 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 839 return 0; 840 #endif 841 } 842 843 DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM) 844 845 int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes, 846 STACK_OF(BIGNUM_const) *exps, 847 STACK_OF(BIGNUM_const) *coeffs) 848 { 849 #ifndef FIPS_MODULE 850 RSA_PRIME_INFO *pinfo; 851 int i, pnum; 852 #endif 853 854 if (r == NULL) 855 return 0; 856 857 /* If |p| is NULL, there are no CRT parameters */ 858 if (RSA_get0_p(r) == NULL) 859 return 1; 860 861 sk_BIGNUM_const_push(primes, RSA_get0_p(r)); 862 sk_BIGNUM_const_push(primes, RSA_get0_q(r)); 863 sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r)); 864 sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r)); 865 sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r)); 866 867 #ifndef FIPS_MODULE 868 pnum = RSA_get_multi_prime_extra_count(r); 869 for (i = 0; i < pnum; i++) { 870 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 871 sk_BIGNUM_const_push(primes, pinfo->r); 872 sk_BIGNUM_const_push(exps, pinfo->d); 873 sk_BIGNUM_const_push(coeffs, pinfo->t); 874 } 875 #endif 876 877 return 1; 878 } 879 880 #ifndef FIPS_MODULE 881 /* Helpers to set or get diverse hash algorithm names */ 882 static int int_set_rsa_md_name(EVP_PKEY_CTX *ctx, 883 /* For checks */ 884 int keytype, int optype, 885 /* For EVP_PKEY_CTX_set_params() */ 886 const char *mdkey, const char *mdname, 887 const char *propkey, const char *mdprops) 888 { 889 OSSL_PARAM params[3], *p = params; 890 891 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 892 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 893 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 894 return -2; 895 } 896 897 /* If key type not RSA return error */ 898 switch (keytype) { 899 case -1: 900 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 901 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 902 return -1; 903 break; 904 default: 905 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 906 return -1; 907 break; 908 } 909 910 /* Cast away the const. This is read only so should be safe */ 911 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, 0); 912 if (evp_pkey_ctx_is_provided(ctx) && mdprops != NULL) { 913 /* Cast away the const. This is read only so should be safe */ 914 *p++ = OSSL_PARAM_construct_utf8_string(propkey, (char *)mdprops, 0); 915 } 916 *p++ = OSSL_PARAM_construct_end(); 917 918 return evp_pkey_ctx_set_params_strict(ctx, params); 919 } 920 921 /* Helpers to set or get diverse hash algorithm names */ 922 static int int_get_rsa_md_name(EVP_PKEY_CTX *ctx, 923 /* For checks */ 924 int keytype, int optype, 925 /* For EVP_PKEY_CTX_get_params() */ 926 const char *mdkey, 927 char *mdname, size_t mdnamesize) 928 { 929 OSSL_PARAM params[2], *p = params; 930 931 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 932 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 933 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 934 return -2; 935 } 936 937 /* If key type not RSA return error */ 938 switch (keytype) { 939 case -1: 940 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 941 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 942 return -1; 943 break; 944 default: 945 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 946 return -1; 947 break; 948 } 949 950 /* Cast away the const. This is read only so should be safe */ 951 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, mdnamesize); 952 *p++ = OSSL_PARAM_construct_end(); 953 954 return evp_pkey_ctx_get_params_strict(ctx, params); 955 } 956 957 /* 958 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 959 * simply because that's easier. 960 */ 961 int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode) 962 { 963 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, 964 pad_mode, NULL); 965 } 966 967 /* 968 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 969 * simply because that's easier. 970 */ 971 int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode) 972 { 973 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 974 0, pad_mode); 975 } 976 977 /* 978 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 979 * simply because that's easier. 980 */ 981 int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 982 { 983 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 984 EVP_PKEY_CTRL_MD, 0, (void *)(md)); 985 } 986 987 int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx, 988 const char *mdname, 989 const char *mdprops) 990 { 991 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 992 OSSL_PKEY_PARAM_RSA_DIGEST, mdname, 993 OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, mdprops); 994 } 995 996 /* 997 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 998 * simply because that's easier. 999 */ 1000 int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1001 { 1002 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1003 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)); 1004 } 1005 1006 int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1007 const char *mdprops) 1008 { 1009 return 1010 int_set_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1011 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, mdname, 1012 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, mdprops); 1013 } 1014 1015 int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, 1016 size_t namesize) 1017 { 1018 return int_get_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1019 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, 1020 name, namesize); 1021 } 1022 1023 /* 1024 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1025 * simply because that's easier. 1026 */ 1027 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1028 { 1029 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1030 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md); 1031 } 1032 1033 /* 1034 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1035 * simply because that's easier. 1036 */ 1037 int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1038 { 1039 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1040 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1041 } 1042 1043 int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1044 const char *mdprops) 1045 { 1046 return int_set_rsa_md_name(ctx, -1, 1047 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1048 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1049 OSSL_PKEY_PARAM_MGF1_PROPERTIES, mdprops); 1050 } 1051 1052 int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, 1053 size_t namesize) 1054 { 1055 return int_get_rsa_md_name(ctx, -1, 1056 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1057 OSSL_PKEY_PARAM_MGF1_DIGEST, name, namesize); 1058 } 1059 1060 /* 1061 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1062 * simply because that's easier. 1063 */ 1064 int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1065 { 1066 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1067 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1068 } 1069 1070 int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx, 1071 const char *mdname) 1072 { 1073 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1074 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1075 NULL, NULL); 1076 } 1077 1078 /* 1079 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1080 * simply because that's easier. 1081 */ 1082 int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1083 { 1084 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1085 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(md)); 1086 } 1087 1088 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) 1089 { 1090 OSSL_PARAM rsa_params[2], *p = rsa_params; 1091 const char *empty = ""; 1092 /* 1093 * Needed as we swap label with empty if it is NULL, and label is 1094 * freed at the end of this function. 1095 */ 1096 void *plabel = label; 1097 int ret; 1098 1099 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1100 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1101 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1102 return -2; 1103 } 1104 1105 /* If key type not RSA return error */ 1106 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1107 return -1; 1108 1109 /* Accept NULL for backward compatibility */ 1110 if (label == NULL && llen == 0) 1111 plabel = (void *)empty; 1112 1113 /* Cast away the const. This is read only so should be safe */ 1114 *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1115 (void *)plabel, (size_t)llen); 1116 *p++ = OSSL_PARAM_construct_end(); 1117 1118 ret = evp_pkey_ctx_set_params_strict(ctx, rsa_params); 1119 if (ret <= 0) 1120 return ret; 1121 1122 /* Ownership is supposed to be transfered to the callee. */ 1123 OPENSSL_free(label); 1124 return 1; 1125 } 1126 1127 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label) 1128 { 1129 OSSL_PARAM rsa_params[2], *p = rsa_params; 1130 size_t labellen; 1131 1132 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1133 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1134 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1135 return -2; 1136 } 1137 1138 /* If key type not RSA return error */ 1139 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1140 return -1; 1141 1142 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1143 (void **)label, 0); 1144 *p++ = OSSL_PARAM_construct_end(); 1145 1146 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params)) 1147 return -1; 1148 1149 labellen = rsa_params[0].return_size; 1150 if (labellen > INT_MAX) 1151 return -1; 1152 1153 return (int)labellen; 1154 } 1155 1156 /* 1157 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1158 * simply because that's easier. 1159 */ 1160 int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1161 { 1162 /* 1163 * For some reason, the optype was set to this: 1164 * 1165 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1166 * 1167 * However, we do use RSA-PSS with the whole gamut of diverse signature 1168 * and verification operations, so the optype gets upgraded to this: 1169 * 1170 * EVP_PKEY_OP_TYPE_SIG 1171 */ 1172 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1173 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltlen, NULL); 1174 } 1175 1176 /* 1177 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1178 * simply because that's easier. 1179 */ 1180 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen) 1181 { 1182 /* 1183 * Because of circumstances, the optype is updated from: 1184 * 1185 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1186 * 1187 * to: 1188 * 1189 * EVP_PKEY_OP_TYPE_SIG 1190 */ 1191 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1192 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, saltlen); 1193 } 1194 1195 int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1196 { 1197 OSSL_PARAM pad_params[2], *p = pad_params; 1198 1199 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1200 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1201 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1202 return -2; 1203 } 1204 1205 if (!EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1206 return -1; 1207 1208 *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, 1209 &saltlen); 1210 *p++ = OSSL_PARAM_construct_end(); 1211 1212 return evp_pkey_ctx_set_params_strict(ctx, pad_params); 1213 } 1214 1215 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) 1216 { 1217 OSSL_PARAM params[2], *p = params; 1218 size_t bits2 = bits; 1219 1220 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1221 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1222 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1223 return -2; 1224 } 1225 1226 /* If key type not RSA return error */ 1227 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1228 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1229 return -1; 1230 1231 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2); 1232 *p++ = OSSL_PARAM_construct_end(); 1233 1234 return evp_pkey_ctx_set_params_strict(ctx, params); 1235 } 1236 1237 int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1238 { 1239 int ret = RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, 1240 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1241 1242 /* 1243 * Satisfy memory semantics for pre-3.0 callers of 1244 * EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input 1245 * pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success. 1246 */ 1247 if (ret > 0 && evp_pkey_ctx_is_provided(ctx)) { 1248 BN_free(ctx->rsa_pubexp); 1249 ctx->rsa_pubexp = pubexp; 1250 } 1251 1252 return ret; 1253 } 1254 1255 int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1256 { 1257 int ret = 0; 1258 1259 /* 1260 * When we're dealing with a provider, there's no need to duplicate 1261 * pubexp, as it gets copied when transforming to an OSSL_PARAM anyway. 1262 */ 1263 if (evp_pkey_ctx_is_legacy(ctx)) { 1264 pubexp = BN_dup(pubexp); 1265 if (pubexp == NULL) 1266 return 0; 1267 } 1268 ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, 1269 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1270 if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0) 1271 BN_free(pubexp); 1272 return ret; 1273 } 1274 1275 int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes) 1276 { 1277 OSSL_PARAM params[2], *p = params; 1278 size_t primes2 = primes; 1279 1280 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1281 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1282 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1283 return -2; 1284 } 1285 1286 /* If key type not RSA return error */ 1287 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1288 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1289 return -1; 1290 1291 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2); 1292 *p++ = OSSL_PARAM_construct_end(); 1293 1294 return evp_pkey_ctx_set_params_strict(ctx, params); 1295 } 1296 #endif 1297