1/* 2 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14#include "internal/deprecated.h" 15 16#include <openssl/crypto.h> 17#include <openssl/core_names.h> 18#ifndef FIPS_MODULE 19# include <openssl/engine.h> 20#endif 21#include <openssl/evp.h> 22#include <openssl/param_build.h> 23#include "internal/cryptlib.h" 24#include "internal/refcount.h" 25#include "crypto/bn.h" 26#include "crypto/evp.h" 27#include "crypto/rsa.h" 28#include "crypto/security_bits.h" 29#include "rsa_local.h" 30 31static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx); 32 33#ifndef FIPS_MODULE 34RSA *RSA_new(void) 35{ 36 return rsa_new_intern(NULL, NULL); 37} 38 39const RSA_METHOD *RSA_get_method(const RSA *rsa) 40{ 41 return rsa->meth; 42} 43 44int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) 45{ 46 /* 47 * NB: The caller is specifically setting a method, so it's not up to us 48 * to deal with which ENGINE it comes from. 49 */ 50 const RSA_METHOD *mtmp; 51 mtmp = rsa->meth; 52 if (mtmp->finish) 53 mtmp->finish(rsa); 54#ifndef OPENSSL_NO_ENGINE 55 ENGINE_finish(rsa->engine); 56 rsa->engine = NULL; 57#endif 58 rsa->meth = meth; 59 if (meth->init) 60 meth->init(rsa); 61 return 1; 62} 63 64RSA *RSA_new_method(ENGINE *engine) 65{ 66 return rsa_new_intern(engine, NULL); 67} 68#endif 69 70RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx) 71{ 72 return rsa_new_intern(NULL, libctx); 73} 74 75static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx) 76{ 77 RSA *ret = OPENSSL_zalloc(sizeof(*ret)); 78 79 if (ret == NULL) { 80 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 81 return NULL; 82 } 83 84 ret->references = 1; 85 ret->lock = CRYPTO_THREAD_lock_new(); 86 if (ret->lock == NULL) { 87 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 88 OPENSSL_free(ret); 89 return NULL; 90 } 91 92 ret->libctx = libctx; 93 ret->meth = RSA_get_default_method(); 94#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 95 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 96 if (engine) { 97 if (!ENGINE_init(engine)) { 98 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 99 goto err; 100 } 101 ret->engine = engine; 102 } else { 103 ret->engine = ENGINE_get_default_RSA(); 104 } 105 if (ret->engine) { 106 ret->meth = ENGINE_get_RSA(ret->engine); 107 if (ret->meth == NULL) { 108 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB); 109 goto err; 110 } 111 } 112#endif 113 114 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 115#ifndef FIPS_MODULE 116 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { 117 goto err; 118 } 119#endif 120 121 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { 122 ERR_raise(ERR_LIB_RSA, ERR_R_INIT_FAIL); 123 goto err; 124 } 125 126 return ret; 127 128 err: 129 RSA_free(ret); 130 return NULL; 131} 132 133void RSA_free(RSA *r) 134{ 135 int i; 136 137 if (r == NULL) 138 return; 139 140 CRYPTO_DOWN_REF(&r->references, &i, r->lock); 141 REF_PRINT_COUNT("RSA", r); 142 if (i > 0) 143 return; 144 REF_ASSERT_ISNT(i < 0); 145 146 if (r->meth != NULL && r->meth->finish != NULL) 147 r->meth->finish(r); 148#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) 149 ENGINE_finish(r->engine); 150#endif 151 152#ifndef FIPS_MODULE 153 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); 154#endif 155 156 CRYPTO_THREAD_lock_free(r->lock); 157 158 BN_free(r->n); 159 BN_free(r->e); 160 BN_clear_free(r->d); 161 BN_clear_free(r->p); 162 BN_clear_free(r->q); 163 BN_clear_free(r->dmp1); 164 BN_clear_free(r->dmq1); 165 BN_clear_free(r->iqmp); 166 167#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) 168 ossl_rsa_acvp_test_free(r->acvp_test); 169#endif 170 171#ifndef FIPS_MODULE 172 RSA_PSS_PARAMS_free(r->pss); 173 sk_RSA_PRIME_INFO_pop_free(r->prime_infos, ossl_rsa_multip_info_free); 174#endif 175 BN_BLINDING_free(r->blinding); 176 BN_BLINDING_free(r->mt_blinding); 177 OPENSSL_free(r); 178} 179 180int RSA_up_ref(RSA *r) 181{ 182 int i; 183 184 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0) 185 return 0; 186 187 REF_PRINT_COUNT("RSA", r); 188 REF_ASSERT_ISNT(i < 2); 189 return i > 1 ? 1 : 0; 190} 191 192OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r) 193{ 194 return r->libctx; 195} 196 197void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx) 198{ 199 r->libctx = libctx; 200} 201 202#ifndef FIPS_MODULE 203int RSA_set_ex_data(RSA *r, int idx, void *arg) 204{ 205 return CRYPTO_set_ex_data(&r->ex_data, idx, arg); 206} 207 208void *RSA_get_ex_data(const RSA *r, int idx) 209{ 210 return CRYPTO_get_ex_data(&r->ex_data, idx); 211} 212#endif 213 214/* 215 * Define a scaling constant for our fixed point arithmetic. 216 * This value must be a power of two because the base two logarithm code 217 * makes this assumption. The exponent must also be a multiple of three so 218 * that the scale factor has an exact cube root. Finally, the scale factor 219 * should not be so large that a multiplication of two scaled numbers 220 * overflows a 64 bit unsigned integer. 221 */ 222static const unsigned int scale = 1 << 18; 223static const unsigned int cbrt_scale = 1 << (2 * 18 / 3); 224 225/* Define some constants, none exceed 32 bits */ 226static const unsigned int log_2 = 0x02c5c8; /* scale * log(2) */ 227static const unsigned int log_e = 0x05c551; /* scale * log2(M_E) */ 228static const unsigned int c1_923 = 0x07b126; /* scale * 1.923 */ 229static const unsigned int c4_690 = 0x12c28f; /* scale * 4.690 */ 230 231/* 232 * Multiply two scaled integers together and rescale the result. 233 */ 234static ossl_inline uint64_t mul2(uint64_t a, uint64_t b) 235{ 236 return a * b / scale; 237} 238 239/* 240 * Calculate the cube root of a 64 bit scaled integer. 241 * Although the cube root of a 64 bit number does fit into a 32 bit unsigned 242 * integer, this is not guaranteed after scaling, so this function has a 243 * 64 bit return. This uses the shifting nth root algorithm with some 244 * algebraic simplifications. 245 */ 246static uint64_t icbrt64(uint64_t x) 247{ 248 uint64_t r = 0; 249 uint64_t b; 250 int s; 251 252 for (s = 63; s >= 0; s -= 3) { 253 r <<= 1; 254 b = 3 * r * (r + 1) + 1; 255 if ((x >> s) >= b) { 256 x -= b << s; 257 r++; 258 } 259 } 260 return r * cbrt_scale; 261} 262 263/* 264 * Calculate the natural logarithm of a 64 bit scaled integer. 265 * This is done by calculating a base two logarithm and scaling. 266 * The maximum logarithm (base 2) is 64 and this reduces base e, so 267 * a 32 bit result should not overflow. The argument passed must be 268 * greater than unity so we don't need to handle negative results. 269 */ 270static uint32_t ilog_e(uint64_t v) 271{ 272 uint32_t i, r = 0; 273 274 /* 275 * Scale down the value into the range 1 .. 2. 276 * 277 * If fractional numbers need to be processed, another loop needs 278 * to go here that checks v < scale and if so multiplies it by 2 and 279 * reduces r by scale. This also means making r signed. 280 */ 281 while (v >= 2 * scale) { 282 v >>= 1; 283 r += scale; 284 } 285 for (i = scale / 2; i != 0; i /= 2) { 286 v = mul2(v, v); 287 if (v >= 2 * scale) { 288 v >>= 1; 289 r += i; 290 } 291 } 292 r = (r * (uint64_t)scale) / log_e; 293 return r; 294} 295 296/* 297 * NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC 298 * Modulus Lengths. 299 * 300 * Note that this formula is also referred to in SP800-56A rev3 Appendix D: 301 * for FFC safe prime groups for modp and ffdhe. 302 * After Table 25 and Table 26 it refers to 303 * "The maximum security strength estimates were calculated using the formula in 304 * Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight 305 * bits". 306 * 307 * The formula is: 308 * 309 * E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)} 310 * \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)} 311 * The two cube roots are merged together here. 312 */ 313uint16_t ossl_ifc_ffc_compute_security_bits(int n) 314{ 315 uint64_t x; 316 uint32_t lx; 317 uint16_t y, cap; 318 319 /* 320 * Look for common values as listed in standards. 321 * These values are not exactly equal to the results from the formulae in 322 * the standards but are defined to be canonical. 323 */ 324 switch (n) { 325 case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 326 return 112; 327 case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ 328 return 128; 329 case 4096: /* SP 800-56B rev 2 Appendix D */ 330 return 152; 331 case 6144: /* SP 800-56B rev 2 Appendix D */ 332 return 176; 333 case 7680: /* FIPS 140-2 IG 7.5 */ 334 return 192; 335 case 8192: /* SP 800-56B rev 2 Appendix D */ 336 return 200; 337 case 15360: /* FIPS 140-2 IG 7.5 */ 338 return 256; 339 } 340 341 /* 342 * The first incorrect result (i.e. not accurate or off by one low) occurs 343 * for n = 699668. The true value here is 1200. Instead of using this n 344 * as the check threshold, the smallest n such that the correct result is 345 * 1200 is used instead. 346 */ 347 if (n >= 687737) 348 return 1200; 349 if (n < 8) 350 return 0; 351 352 /* 353 * To ensure that the output is non-decreasing with respect to n, 354 * a cap needs to be applied to the two values where the function over 355 * estimates the strength (according to the above fast path). 356 */ 357 if (n <= 7680) 358 cap = 192; 359 else if (n <= 15360) 360 cap = 256; 361 else 362 cap = 1200; 363 364 x = n * (uint64_t)log_2; 365 lx = ilog_e(x); 366 y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690) 367 / log_2); 368 y = (y + 4) & ~7; 369 if (y > cap) 370 y = cap; 371 return y; 372} 373 374 375 376int RSA_security_bits(const RSA *rsa) 377{ 378 int bits = BN_num_bits(rsa->n); 379 380#ifndef FIPS_MODULE 381 if (rsa->version == RSA_ASN1_VERSION_MULTI) { 382 /* This ought to mean that we have private key at hand. */ 383 int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos); 384 385 if (ex_primes <= 0 || (ex_primes + 2) > ossl_rsa_multip_cap(bits)) 386 return 0; 387 } 388#endif 389 return ossl_ifc_ffc_compute_security_bits(bits); 390} 391 392int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) 393{ 394 /* If the fields n and e in r are NULL, the corresponding input 395 * parameters MUST be non-NULL for n and e. d may be 396 * left NULL (in case only the public key is used). 397 */ 398 if ((r->n == NULL && n == NULL) 399 || (r->e == NULL && e == NULL)) 400 return 0; 401 402 if (n != NULL) { 403 BN_free(r->n); 404 r->n = n; 405 } 406 if (e != NULL) { 407 BN_free(r->e); 408 r->e = e; 409 } 410 if (d != NULL) { 411 BN_clear_free(r->d); 412 r->d = d; 413 BN_set_flags(r->d, BN_FLG_CONSTTIME); 414 } 415 r->dirty_cnt++; 416 417 return 1; 418} 419 420int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) 421{ 422 /* If the fields p and q in r are NULL, the corresponding input 423 * parameters MUST be non-NULL. 424 */ 425 if ((r->p == NULL && p == NULL) 426 || (r->q == NULL && q == NULL)) 427 return 0; 428 429 if (p != NULL) { 430 BN_clear_free(r->p); 431 r->p = p; 432 BN_set_flags(r->p, BN_FLG_CONSTTIME); 433 } 434 if (q != NULL) { 435 BN_clear_free(r->q); 436 r->q = q; 437 BN_set_flags(r->q, BN_FLG_CONSTTIME); 438 } 439 r->dirty_cnt++; 440 441 return 1; 442} 443 444int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) 445{ 446 /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input 447 * parameters MUST be non-NULL. 448 */ 449 if ((r->dmp1 == NULL && dmp1 == NULL) 450 || (r->dmq1 == NULL && dmq1 == NULL) 451 || (r->iqmp == NULL && iqmp == NULL)) 452 return 0; 453 454 if (dmp1 != NULL) { 455 BN_clear_free(r->dmp1); 456 r->dmp1 = dmp1; 457 BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); 458 } 459 if (dmq1 != NULL) { 460 BN_clear_free(r->dmq1); 461 r->dmq1 = dmq1; 462 BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); 463 } 464 if (iqmp != NULL) { 465 BN_clear_free(r->iqmp); 466 r->iqmp = iqmp; 467 BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); 468 } 469 r->dirty_cnt++; 470 471 return 1; 472} 473 474#ifndef FIPS_MODULE 475/* 476 * Is it better to export RSA_PRIME_INFO structure 477 * and related functions to let user pass a triplet? 478 */ 479int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[], 480 BIGNUM *coeffs[], int pnum) 481{ 482 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL; 483 RSA_PRIME_INFO *pinfo; 484 int i; 485 486 if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0) 487 return 0; 488 489 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 490 if (prime_infos == NULL) 491 return 0; 492 493 if (r->prime_infos != NULL) 494 old = r->prime_infos; 495 496 for (i = 0; i < pnum; i++) { 497 pinfo = ossl_rsa_multip_info_new(); 498 if (pinfo == NULL) 499 goto err; 500 if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) { 501 BN_clear_free(pinfo->r); 502 BN_clear_free(pinfo->d); 503 BN_clear_free(pinfo->t); 504 pinfo->r = primes[i]; 505 pinfo->d = exps[i]; 506 pinfo->t = coeffs[i]; 507 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 508 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 509 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 510 } else { 511 ossl_rsa_multip_info_free(pinfo); 512 goto err; 513 } 514 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 515 } 516 517 r->prime_infos = prime_infos; 518 519 if (!ossl_rsa_multip_calc_product(r)) { 520 r->prime_infos = old; 521 goto err; 522 } 523 524 if (old != NULL) { 525 /* 526 * This is hard to deal with, since the old infos could 527 * also be set by this function and r, d, t should not 528 * be freed in that case. So currently, stay consistent 529 * with other *set0* functions: just free it... 530 */ 531 sk_RSA_PRIME_INFO_pop_free(old, ossl_rsa_multip_info_free); 532 } 533 534 r->version = RSA_ASN1_VERSION_MULTI; 535 r->dirty_cnt++; 536 537 return 1; 538 err: 539 /* r, d, t should not be freed */ 540 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 541 return 0; 542} 543#endif 544 545void RSA_get0_key(const RSA *r, 546 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) 547{ 548 if (n != NULL) 549 *n = r->n; 550 if (e != NULL) 551 *e = r->e; 552 if (d != NULL) 553 *d = r->d; 554} 555 556void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) 557{ 558 if (p != NULL) 559 *p = r->p; 560 if (q != NULL) 561 *q = r->q; 562} 563 564#ifndef FIPS_MODULE 565int RSA_get_multi_prime_extra_count(const RSA *r) 566{ 567 int pnum; 568 569 pnum = sk_RSA_PRIME_INFO_num(r->prime_infos); 570 if (pnum <= 0) 571 pnum = 0; 572 return pnum; 573} 574 575int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[]) 576{ 577 int pnum, i; 578 RSA_PRIME_INFO *pinfo; 579 580 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 581 return 0; 582 583 /* 584 * return other primes 585 * it's caller's responsibility to allocate oth_primes[pnum] 586 */ 587 for (i = 0; i < pnum; i++) { 588 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 589 primes[i] = pinfo->r; 590 } 591 592 return 1; 593} 594#endif 595 596void RSA_get0_crt_params(const RSA *r, 597 const BIGNUM **dmp1, const BIGNUM **dmq1, 598 const BIGNUM **iqmp) 599{ 600 if (dmp1 != NULL) 601 *dmp1 = r->dmp1; 602 if (dmq1 != NULL) 603 *dmq1 = r->dmq1; 604 if (iqmp != NULL) 605 *iqmp = r->iqmp; 606} 607 608#ifndef FIPS_MODULE 609int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[], 610 const BIGNUM *coeffs[]) 611{ 612 int pnum; 613 614 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0) 615 return 0; 616 617 /* return other primes */ 618 if (exps != NULL || coeffs != NULL) { 619 RSA_PRIME_INFO *pinfo; 620 int i; 621 622 /* it's the user's job to guarantee the buffer length */ 623 for (i = 0; i < pnum; i++) { 624 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 625 if (exps != NULL) 626 exps[i] = pinfo->d; 627 if (coeffs != NULL) 628 coeffs[i] = pinfo->t; 629 } 630 } 631 632 return 1; 633} 634#endif 635 636const BIGNUM *RSA_get0_n(const RSA *r) 637{ 638 return r->n; 639} 640 641const BIGNUM *RSA_get0_e(const RSA *r) 642{ 643 return r->e; 644} 645 646const BIGNUM *RSA_get0_d(const RSA *r) 647{ 648 return r->d; 649} 650 651const BIGNUM *RSA_get0_p(const RSA *r) 652{ 653 return r->p; 654} 655 656const BIGNUM *RSA_get0_q(const RSA *r) 657{ 658 return r->q; 659} 660 661const BIGNUM *RSA_get0_dmp1(const RSA *r) 662{ 663 return r->dmp1; 664} 665 666const BIGNUM *RSA_get0_dmq1(const RSA *r) 667{ 668 return r->dmq1; 669} 670 671const BIGNUM *RSA_get0_iqmp(const RSA *r) 672{ 673 return r->iqmp; 674} 675 676const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r) 677{ 678#ifdef FIPS_MODULE 679 return NULL; 680#else 681 return r->pss; 682#endif 683} 684 685/* Internal */ 686int ossl_rsa_set0_pss_params(RSA *r, RSA_PSS_PARAMS *pss) 687{ 688#ifdef FIPS_MODULE 689 return 0; 690#else 691 RSA_PSS_PARAMS_free(r->pss); 692 r->pss = pss; 693 return 1; 694#endif 695} 696 697/* Internal */ 698RSA_PSS_PARAMS_30 *ossl_rsa_get0_pss_params_30(RSA *r) 699{ 700 return &r->pss_params; 701} 702 703void RSA_clear_flags(RSA *r, int flags) 704{ 705 r->flags &= ~flags; 706} 707 708int RSA_test_flags(const RSA *r, int flags) 709{ 710 return r->flags & flags; 711} 712 713void RSA_set_flags(RSA *r, int flags) 714{ 715 r->flags |= flags; 716} 717 718int RSA_get_version(RSA *r) 719{ 720 /* { two-prime(0), multi(1) } */ 721 return r->version; 722} 723 724#ifndef FIPS_MODULE 725ENGINE *RSA_get0_engine(const RSA *r) 726{ 727 return r->engine; 728} 729 730int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) 731{ 732 /* If key type not RSA or RSA-PSS return error */ 733 if (ctx != NULL && ctx->pmeth != NULL 734 && ctx->pmeth->pkey_id != EVP_PKEY_RSA 735 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) 736 return -1; 737 return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2); 738} 739#endif 740 741DEFINE_STACK_OF(BIGNUM) 742 743int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, 744 const STACK_OF(BIGNUM) *exps, 745 const STACK_OF(BIGNUM) *coeffs) 746{ 747#ifndef FIPS_MODULE 748 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL; 749#endif 750 int pnum; 751 752 if (primes == NULL || exps == NULL || coeffs == NULL) 753 return 0; 754 755 pnum = sk_BIGNUM_num(primes); 756 if (pnum < 2) 757 return 0; 758 759 if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0), 760 sk_BIGNUM_value(primes, 1))) 761 return 0; 762 763 if (pnum == sk_BIGNUM_num(exps) 764 && pnum == sk_BIGNUM_num(coeffs) + 1) { 765 766 if (!RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0), 767 sk_BIGNUM_value(exps, 1), 768 sk_BIGNUM_value(coeffs, 0))) 769 return 0; 770 } 771 772#ifndef FIPS_MODULE 773 old_infos = r->prime_infos; 774#endif 775 776 if (pnum > 2) { 777#ifndef FIPS_MODULE 778 int i; 779 780 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 781 if (prime_infos == NULL) 782 return 0; 783 784 for (i = 2; i < pnum; i++) { 785 BIGNUM *prime = sk_BIGNUM_value(primes, i); 786 BIGNUM *exp = sk_BIGNUM_value(exps, i); 787 BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1); 788 RSA_PRIME_INFO *pinfo = NULL; 789 790 if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL)) 791 goto err; 792 793 /* Using ossl_rsa_multip_info_new() is wasteful, so allocate directly */ 794 if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) { 795 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 796 goto err; 797 } 798 799 pinfo->r = prime; 800 pinfo->d = exp; 801 pinfo->t = coeff; 802 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); 803 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); 804 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); 805 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 806 } 807 808 r->prime_infos = prime_infos; 809 810 if (!ossl_rsa_multip_calc_product(r)) { 811 r->prime_infos = old_infos; 812 goto err; 813 } 814#else 815 return 0; 816#endif 817 } 818 819#ifndef FIPS_MODULE 820 if (old_infos != NULL) { 821 /* 822 * This is hard to deal with, since the old infos could 823 * also be set by this function and r, d, t should not 824 * be freed in that case. So currently, stay consistent 825 * with other *set0* functions: just free it... 826 */ 827 sk_RSA_PRIME_INFO_pop_free(old_infos, ossl_rsa_multip_info_free); 828 } 829#endif 830 831 r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT; 832 r->dirty_cnt++; 833 834 return 1; 835#ifndef FIPS_MODULE 836 err: 837 /* r, d, t should not be freed */ 838 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex); 839 return 0; 840#endif 841} 842 843DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM) 844 845int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes, 846 STACK_OF(BIGNUM_const) *exps, 847 STACK_OF(BIGNUM_const) *coeffs) 848{ 849#ifndef FIPS_MODULE 850 RSA_PRIME_INFO *pinfo; 851 int i, pnum; 852#endif 853 854 if (r == NULL) 855 return 0; 856 857 /* If |p| is NULL, there are no CRT parameters */ 858 if (RSA_get0_p(r) == NULL) 859 return 1; 860 861 sk_BIGNUM_const_push(primes, RSA_get0_p(r)); 862 sk_BIGNUM_const_push(primes, RSA_get0_q(r)); 863 sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r)); 864 sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r)); 865 sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r)); 866 867#ifndef FIPS_MODULE 868 pnum = RSA_get_multi_prime_extra_count(r); 869 for (i = 0; i < pnum; i++) { 870 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i); 871 sk_BIGNUM_const_push(primes, pinfo->r); 872 sk_BIGNUM_const_push(exps, pinfo->d); 873 sk_BIGNUM_const_push(coeffs, pinfo->t); 874 } 875#endif 876 877 return 1; 878} 879 880#ifndef FIPS_MODULE 881/* Helpers to set or get diverse hash algorithm names */ 882static int int_set_rsa_md_name(EVP_PKEY_CTX *ctx, 883 /* For checks */ 884 int keytype, int optype, 885 /* For EVP_PKEY_CTX_set_params() */ 886 const char *mdkey, const char *mdname, 887 const char *propkey, const char *mdprops) 888{ 889 OSSL_PARAM params[3], *p = params; 890 891 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 892 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 893 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 894 return -2; 895 } 896 897 /* If key type not RSA return error */ 898 switch (keytype) { 899 case -1: 900 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 901 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 902 return -1; 903 break; 904 default: 905 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 906 return -1; 907 break; 908 } 909 910 /* Cast away the const. This is read only so should be safe */ 911 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, 0); 912 if (evp_pkey_ctx_is_provided(ctx) && mdprops != NULL) { 913 /* Cast away the const. This is read only so should be safe */ 914 *p++ = OSSL_PARAM_construct_utf8_string(propkey, (char *)mdprops, 0); 915 } 916 *p++ = OSSL_PARAM_construct_end(); 917 918 return evp_pkey_ctx_set_params_strict(ctx, params); 919} 920 921/* Helpers to set or get diverse hash algorithm names */ 922static int int_get_rsa_md_name(EVP_PKEY_CTX *ctx, 923 /* For checks */ 924 int keytype, int optype, 925 /* For EVP_PKEY_CTX_get_params() */ 926 const char *mdkey, 927 char *mdname, size_t mdnamesize) 928{ 929 OSSL_PARAM params[2], *p = params; 930 931 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { 932 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 933 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 934 return -2; 935 } 936 937 /* If key type not RSA return error */ 938 switch (keytype) { 939 case -1: 940 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 941 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 942 return -1; 943 break; 944 default: 945 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) 946 return -1; 947 break; 948 } 949 950 /* Cast away the const. This is read only so should be safe */ 951 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, mdnamesize); 952 *p++ = OSSL_PARAM_construct_end(); 953 954 return evp_pkey_ctx_get_params_strict(ctx, params); 955} 956 957/* 958 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 959 * simply because that's easier. 960 */ 961int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode) 962{ 963 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, 964 pad_mode, NULL); 965} 966 967/* 968 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 969 * simply because that's easier. 970 */ 971int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode) 972{ 973 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 974 0, pad_mode); 975} 976 977/* 978 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 979 * simply because that's easier. 980 */ 981int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 982{ 983 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 984 EVP_PKEY_CTRL_MD, 0, (void *)(md)); 985} 986 987int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx, 988 const char *mdname, 989 const char *mdprops) 990{ 991 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 992 OSSL_PKEY_PARAM_RSA_DIGEST, mdname, 993 OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, mdprops); 994} 995 996/* 997 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 998 * simply because that's easier. 999 */ 1000int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1001{ 1002 /* If key type not RSA return error */ 1003 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1004 return -1; 1005 1006 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1007 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)); 1008} 1009 1010int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1011 const char *mdprops) 1012{ 1013 return 1014 int_set_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1015 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, mdname, 1016 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, mdprops); 1017} 1018 1019int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, 1020 size_t namesize) 1021{ 1022 return int_get_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1023 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, 1024 name, namesize); 1025} 1026 1027/* 1028 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1029 * simply because that's easier. 1030 */ 1031int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1032{ 1033 /* If key type not RSA return error */ 1034 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1035 return -1; 1036 1037 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, 1038 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md); 1039} 1040 1041/* 1042 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1043 * simply because that's easier. 1044 */ 1045int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1046{ 1047 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1048 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1049} 1050 1051int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, 1052 const char *mdprops) 1053{ 1054 return int_set_rsa_md_name(ctx, -1, 1055 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1056 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1057 OSSL_PKEY_PARAM_MGF1_PROPERTIES, mdprops); 1058} 1059 1060int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, 1061 size_t namesize) 1062{ 1063 return int_get_rsa_md_name(ctx, -1, 1064 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, 1065 OSSL_PKEY_PARAM_MGF1_DIGEST, name, namesize); 1066} 1067 1068/* 1069 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1070 * simply because that's easier. 1071 */ 1072int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) 1073{ 1074 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1075 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); 1076} 1077 1078int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx, 1079 const char *mdname) 1080{ 1081 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, 1082 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, 1083 NULL, NULL); 1084} 1085 1086/* 1087 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1088 * simply because that's easier. 1089 */ 1090int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) 1091{ 1092 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, 1093 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(md)); 1094} 1095 1096int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) 1097{ 1098 OSSL_PARAM rsa_params[2], *p = rsa_params; 1099 const char *empty = ""; 1100 /* 1101 * Needed as we swap label with empty if it is NULL, and label is 1102 * freed at the end of this function. 1103 */ 1104 void *plabel = label; 1105 int ret; 1106 1107 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1108 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1109 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1110 return -2; 1111 } 1112 1113 /* If key type not RSA return error */ 1114 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1115 return -1; 1116 1117 /* Accept NULL for backward compatibility */ 1118 if (label == NULL && llen == 0) 1119 plabel = (void *)empty; 1120 1121 /* Cast away the const. This is read only so should be safe */ 1122 *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1123 (void *)plabel, (size_t)llen); 1124 *p++ = OSSL_PARAM_construct_end(); 1125 1126 ret = evp_pkey_ctx_set_params_strict(ctx, rsa_params); 1127 if (ret <= 0) 1128 return ret; 1129 1130 /* Ownership is supposed to be transfered to the callee. */ 1131 OPENSSL_free(label); 1132 return 1; 1133} 1134 1135int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label) 1136{ 1137 OSSL_PARAM rsa_params[2], *p = rsa_params; 1138 size_t labellen; 1139 1140 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { 1141 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1142 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1143 return -2; 1144 } 1145 1146 /* If key type not RSA return error */ 1147 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) 1148 return -1; 1149 1150 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, 1151 (void **)label, 0); 1152 *p++ = OSSL_PARAM_construct_end(); 1153 1154 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params)) 1155 return -1; 1156 1157 labellen = rsa_params[0].return_size; 1158 if (labellen > INT_MAX) 1159 return -1; 1160 1161 return (int)labellen; 1162} 1163 1164/* 1165 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1166 * simply because that's easier. 1167 */ 1168int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1169{ 1170 /* 1171 * For some reason, the optype was set to this: 1172 * 1173 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1174 * 1175 * However, we do use RSA-PSS with the whole gamut of diverse signature 1176 * and verification operations, so the optype gets upgraded to this: 1177 * 1178 * EVP_PKEY_OP_TYPE_SIG 1179 */ 1180 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1181 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltlen, NULL); 1182} 1183 1184/* 1185 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, 1186 * simply because that's easier. 1187 */ 1188int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen) 1189{ 1190 /* 1191 * Because of circumstances, the optype is updated from: 1192 * 1193 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY 1194 * 1195 * to: 1196 * 1197 * EVP_PKEY_OP_TYPE_SIG 1198 */ 1199 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, 1200 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, saltlen); 1201} 1202 1203int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen) 1204{ 1205 OSSL_PARAM pad_params[2], *p = pad_params; 1206 1207 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1208 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1209 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1210 return -2; 1211 } 1212 1213 if (!EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1214 return -1; 1215 1216 *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, 1217 &saltlen); 1218 *p++ = OSSL_PARAM_construct_end(); 1219 1220 return evp_pkey_ctx_set_params_strict(ctx, pad_params); 1221} 1222 1223int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) 1224{ 1225 OSSL_PARAM params[2], *p = params; 1226 size_t bits2 = bits; 1227 1228 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1229 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1230 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1231 return -2; 1232 } 1233 1234 /* If key type not RSA return error */ 1235 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1236 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1237 return -1; 1238 1239 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2); 1240 *p++ = OSSL_PARAM_construct_end(); 1241 1242 return evp_pkey_ctx_set_params_strict(ctx, params); 1243} 1244 1245int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1246{ 1247 int ret = RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, 1248 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1249 1250 /* 1251 * Satisfy memory semantics for pre-3.0 callers of 1252 * EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input 1253 * pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success. 1254 */ 1255 if (ret > 0 && evp_pkey_ctx_is_provided(ctx)) { 1256 BN_free(ctx->rsa_pubexp); 1257 ctx->rsa_pubexp = pubexp; 1258 } 1259 1260 return ret; 1261} 1262 1263int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) 1264{ 1265 int ret = 0; 1266 1267 /* 1268 * When we're dealing with a provider, there's no need to duplicate 1269 * pubexp, as it gets copied when transforming to an OSSL_PARAM anyway. 1270 */ 1271 if (evp_pkey_ctx_is_legacy(ctx)) { 1272 pubexp = BN_dup(pubexp); 1273 if (pubexp == NULL) 1274 return 0; 1275 } 1276 ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, 1277 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); 1278 if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0) 1279 BN_free(pubexp); 1280 return ret; 1281} 1282 1283int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes) 1284{ 1285 OSSL_PARAM params[2], *p = params; 1286 size_t primes2 = primes; 1287 1288 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { 1289 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); 1290 /* Uses the same return values as EVP_PKEY_CTX_ctrl */ 1291 return -2; 1292 } 1293 1294 /* If key type not RSA return error */ 1295 if (!EVP_PKEY_CTX_is_a(ctx, "RSA") 1296 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) 1297 return -1; 1298 1299 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2); 1300 *p++ = OSSL_PARAM_construct_end(); 1301 1302 return evp_pkey_ctx_set_params_strict(ctx, params); 1303} 1304#endif 1305