159191Skris=pod 259191Skris 359191Skris=head1 NAME 459191Skris 559191SkrisRSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography 659191Skris 759191Skris=head1 SYNOPSIS 859191Skris 959191Skris #include <openssl/rsa.h> 1059191Skris 11325335Sjkim int RSA_public_encrypt(int flen, const unsigned char *from, 1259191Skris unsigned char *to, RSA *rsa, int padding); 1359191Skris 14325335Sjkim int RSA_private_decrypt(int flen, const unsigned char *from, 1559191Skris unsigned char *to, RSA *rsa, int padding); 1659191Skris 1759191Skris=head1 DESCRIPTION 1859191Skris 1959191SkrisRSA_public_encrypt() encrypts the B<flen> bytes at B<from> (usually a 2059191Skrissession key) using the public key B<rsa> and stores the ciphertext in 2159191SkrisB<to>. B<to> must point to RSA_size(B<rsa>) bytes of memory. 2259191Skris 2359191SkrisB<padding> denotes one of the following modes: 2459191Skris 2559191Skris=over 4 2659191Skris 2759191Skris=item RSA_PKCS1_PADDING 2859191Skris 2959191SkrisPKCS #1 v1.5 padding. This currently is the most widely used mode. 3059191Skris 3159191Skris=item RSA_PKCS1_OAEP_PADDING 3259191Skris 3359191SkrisEME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty 3459191Skrisencoding parameter. This mode is recommended for all new applications. 3559191Skris 3659191Skris=item RSA_SSLV23_PADDING 3759191Skris 3859191SkrisPKCS #1 v1.5 padding with an SSL-specific modification that denotes 3959191Skristhat the server is SSL3 capable. 4059191Skris 4159191Skris=item RSA_NO_PADDING 4259191Skris 4359191SkrisRaw RSA encryption. This mode should I<only> be used to implement 4459191Skriscryptographically sound padding modes in the application code. 4559191SkrisEncrypting user data directly with RSA is insecure. 4659191Skris 4759191Skris=back 4859191Skris 4959191SkrisB<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5 50142425Snectarbased padding modes, less than RSA_size(B<rsa>) - 41 for 51142425SnectarRSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING. 52142425SnectarThe random number generator must be seeded prior to calling 53142425SnectarRSA_public_encrypt(). 5459191Skris 5559191SkrisRSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the 5659191Skrisprivate key B<rsa> and stores the plaintext in B<to>. B<to> must point 5759191Skristo a memory section large enough to hold the decrypted data (which is 5859191Skrissmaller than RSA_size(B<rsa>)). B<padding> is the padding mode that 5959191Skriswas used to encrypt the data. 6059191Skris 6159191Skris=head1 RETURN VALUES 6259191Skris 6359191SkrisRSA_public_encrypt() returns the size of the encrypted data (i.e., 6459191SkrisRSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the 6559191Skrisrecovered plaintext. 6659191Skris 6759191SkrisOn error, -1 is returned; the error codes can be 6859191Skrisobtained by L<ERR_get_error(3)|ERR_get_error(3)>. 6959191Skris 70325337Sjkim=head1 WARNING 71325337Sjkim 72325337SjkimDecryption failures in the RSA_PKCS1_PADDING mode leak information 73325337Sjkimwhich can potentially be used to mount a Bleichenbacher padding oracle 74325337Sjkimattack. This is an inherent weakness in the PKCS #1 v1.5 padding 75325337Sjkimdesign. Prefer RSA_PKCS1_OAEP_PADDING. 76325337Sjkim 7759191Skris=head1 CONFORMING TO 7859191Skris 7959191SkrisSSL, PKCS #1 v2.0 8059191Skris 8159191Skris=head1 SEE ALSO 8259191Skris 83109998SmarkmL<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, 84109998SmarkmL<RSA_size(3)|RSA_size(3)> 8559191Skris 8659191Skris=head1 HISTORY 8759191Skris 8859191SkrisThe B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is 8959191Skrisavailable since SSLeay 0.9.0, OAEP was added in OpenSSL 0.9.2b. 9059191Skris 9159191Skris=cut 92