File Coverage

RSA.xs

Criterion	Covered	Total	%
statement	493	541	91.1
branch	239	374	63.9
condition			n/a
subroutine			n/a
pod			n/a
total	732	915	80.0

line	stmt	bran	code
1			#include "EXTERN.h"
2			#include "perl.h"
3			#include "XSUB.h"
4
5			#include
6			#include
7			#include
8			#include
9			#include
10			#include
11			#include
12			#include
13			#if OPENSSL_VERSION_NUMBER >= 0x10000000 && OPENSSL_VERSION_NUMBER < 0x30000000
14			#ifndef LIBRESSL_VERSION_NUMBER
15			#ifndef OPENSSL_NO_WHIRLPOOL
16			#include
17			#endif
18			#endif
19			#endif
20			#include
21			#include
22			#include
23			#include
24			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
25			#include
26			#include
27			#include
28			#include
29			#endif
30
31			/* Pre-3.x helper for PKCS#8 export: wraps RSA* in a real EVP_PKEY and
32			writes PKCS#8 PEM. Defined BEFORE the EVP_PKEY->RSA compatibility
33			macros so that EVP_PKEY, EVP_PKEY_new, EVP_PKEY_free, and
34			PEM_write_bio_PrivateKey resolve to their real OpenSSL symbols. */
35			#if OPENSSL_VERSION_NUMBER < 0x30000000L
36			static int _write_pkcs8_pem(BIO* bio, RSA* rsa, const EVP_CIPHER* enc,
37			unsigned char* pass, int passlen)
38			{
39			EVP_PKEY* pkey = EVP_PKEY_new();
40			int ok;
41			if (!pkey) return 0;
42			if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
43			EVP_PKEY_free(pkey);
44			return 0;
45			}
46			ok = PEM_write_bio_PrivateKey(bio, pkey, enc, pass, passlen, NULL, NULL);
47			EVP_PKEY_free(pkey);
48			return ok;
49			}
50			#endif
51
52			/* Pre-3.x helper for loading encrypted PKCS#8 DER private keys.
53			Placed BEFORE the EVP_PKEY->RSA compatibility macros so that
54			EVP_PKEY, EVP_PKEY_free, and EVP_PKEY_get1_RSA resolve to their
55			real OpenSSL symbols. */
56			#if OPENSSL_VERSION_NUMBER < 0x30000000L
57			static RSA* _load_pkcs8_der_key(BIO* bio, const char* passphrase)
58			{
59			EVP_PKEY* pkey;
60			RSA* rsa;
61
62			pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, NULL, (void*)passphrase);
63			if (!pkey)
64			return NULL;
65
66			rsa = EVP_PKEY_get1_RSA(pkey);
67			EVP_PKEY_free(pkey);
68			return rsa;
69			}
70			#endif
71
72			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
73			#define UNSIGNED_CHAR unsigned char
74			#define SIZE_T_INT size_t
75			#define SIZE_T_UNSIGNED_INT size_t
76			#define EVP_PKEY EVP_PKEY
77			#define EVP_PKEY_free(p) EVP_PKEY_free(p)
78			#define EVP_PKEY_get_size(p) EVP_PKEY_get_size(p)
79			#define PEM_read_bio_PrivateKey PEM_read_bio_PrivateKey
80			#define PEM_read_bio_RSAPublicKey PEM_read_bio_PUBKEY
81			#define PEM_read_bio_RSA_PUBKEY PEM_read_bio_PUBKEY
82			#define PEM_write_bio_PUBKEY(o,p) PEM_write_bio_PUBKEY(o,p)
83			#define PEM_write_bio_PrivateKey_traditional(m, n, o, p, q, r, s) PEM_write_bio_PrivateKey_traditional(m, n, o, p, q, r, s)
84			#else
85			#define UNSIGNED_CHAR char
86			#define SIZE_T_INT int
87			#define SIZE_T_UNSIGNED_INT unsigned int
88			#define EVP_PKEY RSA
89			#define EVP_PKEY_free(p) RSA_free(p)
90			#define EVP_PKEY_get_size(p) RSA_size(p)
91			#define PEM_read_bio_PrivateKey PEM_read_bio_RSAPrivateKey
92			#define PEM_read_bio_RSAPublicKey PEM_read_bio_RSAPublicKey
93			#define PEM_read_bio_RSA_PUBKEY PEM_read_bio_RSA_PUBKEY
94			#define PEM_write_bio_PUBKEY(o,p) PEM_write_bio_RSA_PUBKEY(o,p)
95			#define PEM_write_bio_PrivateKey_traditional(m, n, o, p, q, r, s) PEM_write_bio_RSAPrivateKey(m, n , o, p, q, r, s)
96			#endif
97
98			typedef struct
99			{
100			EVP_PKEY* rsa;
101			int padding;
102			int hashMode;
103			int is_private_key; /* cached once at construction; avoids per-call BIGNUM alloc on 3.x */
104			} rsaData;
105
106			/* Key names for the rsa hash structure */
107
108			#define KEY_KEY "_Key"
109			#define PADDING_KEY "_Padding"
110			#define HASH_KEY "_Hash_Mode"
111
112			#define PACKAGE_NAME "Crypt::OpenSSL::RSA"
113
114			#ifdef LIBRESSL_VERSION_NUMBER
115			#define OLD_CRUFTY_SSL_VERSION (OPENSSL_VERSION_NUMBER < 0x10100000L \|\| LIBRESSL_VERSION_NUMBER < 0x03050000fL)
116			#else
117			#define OLD_CRUFTY_SSL_VERSION (OPENSSL_VERSION_NUMBER < 0x10100000L)
118			#endif
119
120	25		void croakSsl(char* p_file, int p_line)
121			{
122			const char* errorReason;
123	25		unsigned long last_err = 0;
124			unsigned long err;
125			/* Drain the error queue and use the last (most recent) error,
126			which is typically the most descriptive. This also prevents
127			stale errors from a previous eval-caught failure from leaking
128			into the next croak message. */
129	64	100	while ((err = ERR_get_error()) != 0) {
130	39		last_err = err;
131			}
132	25		errorReason = ERR_reason_error_string(last_err);
133	25	50	croak("%s:%d: OpenSSL error: %s", p_file, p_line,
134			errorReason ? errorReason : "(unknown error)");
135			}
136
137			#define CHECK_OPEN_SSL(p_result) if (!(p_result)) croakSsl(__FILE__, __LINE__);
138			#define CHECK_OPEN_SSL_BIO(p_result, bio) \
139			if (!(p_result)) { BIO_free(bio); croakSsl(__FILE__, __LINE__); }
140
141			#define PACKAGE_CROAK(p_message) croak("%s", (p_message))
142			#define CHECK_NEW(p_var, p_size, p_type) \
143			if (New(0, p_var, p_size, p_type) == NULL) \
144			{ PACKAGE_CROAK("unable to alloc buffer"); }
145
146			#define THROW(p_result) if (!(p_result)) { error = 1; goto err; }
147
148	218		char _is_private(rsaData* p_rsa)
149			{
150	218		return p_rsa->is_private_key;
151			}
152
153	86		static int _detect_private_key(EVP_PKEY* p_rsa)
154			{
155			#if OLD_CRUFTY_SSL_VERSION
156			return (p_rsa->d != NULL);
157			#else
158			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
159	86		BIGNUM* d = NULL;
160	86		EVP_PKEY_get_bn_param(p_rsa, OSSL_PKEY_PARAM_RSA_D, &d);
161	86	100	if (d) {
162	63		BN_clear_free(d);
163	63		return 1;
164			}
165	23		return 0;
166			#else
167			const BIGNUM* d = NULL;
168			RSA_get0_key(p_rsa, NULL, NULL, &d);
169			return (d != NULL);
170			#endif
171			#endif
172			}
173
174	86		SV* make_rsa_obj(SV* p_proto, EVP_PKEY* p_rsa)
175			{
176			rsaData* rsa;
177
178	86	50	CHECK_NEW(rsa, 1, rsaData);
179	86		rsa->rsa = p_rsa;
180			#ifdef SHA512_DIGEST_LENGTH
181	86		rsa->hashMode = NID_sha256;
182			#else
183			rsa->hashMode = NID_sha1;
184			#endif
185	86		rsa->padding = RSA_PKCS1_OAEP_PADDING;
186	86		rsa->is_private_key = _detect_private_key(p_rsa);
187	86	50	return sv_bless(
188			newRV_noinc(newSViv((IV) rsa)),
189			(SvROK(p_proto) ? SvSTASH(SvRV(p_proto)) : gv_stashsv(p_proto, 1)));
190			}
191
192	391		int get_digest_length(int hash_method)
193			{
194	391		switch(hash_method)
195			{
196	45		case NID_md5:
197	45		return MD5_DIGEST_LENGTH;
198			break;
199	55		case NID_sha1:
200	55		return SHA_DIGEST_LENGTH;
201			break;
202			#ifdef SHA512_DIGEST_LENGTH
203	45		case NID_sha224:
204	45		return SHA224_DIGEST_LENGTH;
205			break;
206	129		case NID_sha256:
207	129		return SHA256_DIGEST_LENGTH;
208			break;
209	45		case NID_sha384:
210	45		return SHA384_DIGEST_LENGTH;
211			break;
212	45		case NID_sha512:
213	45		return SHA512_DIGEST_LENGTH;
214			break;
215			#endif
216	27		case NID_ripemd160:
217	27		return RIPEMD160_DIGEST_LENGTH;
218			break;
219			#ifdef WHIRLPOOL_DIGEST_LENGTH
220			case NID_whirlpool:
221			return WHIRLPOOL_DIGEST_LENGTH;
222			break;
223			#endif
224	0		default:
225	0		croak("Unknown digest hash mode %u", hash_method);
226			break;
227			}
228			}
229			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
230
231	596		EVP_MD *get_md_bynid(int hash_method)
232			{
233	596		switch(hash_method)
234			{
235	70		case NID_md5:
236	70		return EVP_MD_fetch(NULL, "md5", NULL);
237			break;
238	84		case NID_sha1:
239	84		return EVP_MD_fetch(NULL, "sha1", NULL);
240			break;
241			#ifdef SHA512_DIGEST_LENGTH
242	70		case NID_sha224:
243	70		return EVP_MD_fetch(NULL, "sha224", NULL);
244			break;
245	190		case NID_sha256:
246	190		return EVP_MD_fetch(NULL, "sha256", NULL);
247			break;
248	70		case NID_sha384:
249	70		return EVP_MD_fetch(NULL, "sha384", NULL);
250			break;
251	70		case NID_sha512:
252	70		return EVP_MD_fetch(NULL, "sha512", NULL);
253			break;
254			#endif
255	42		case NID_ripemd160:
256	42		return EVP_MD_fetch(NULL, "ripemd160", NULL);
257			break;
258			#ifdef WHIRLPOOL_DIGEST_LENGTH
259			case NID_whirlpool:
260			return EVP_MD_fetch(NULL, "whirlpool", NULL);
261			break;
262			#endif
263	0		default:
264	0		croak("Unknown digest hash mode %u", hash_method);
265			break;
266			}
267			}
268
269			/* Configure PSS/PKCS1 padding, signature digest, and MGF1 on an already-initialised
270			* EVP_PKEY_CTX. On success returns 1 and sets *md_out to a freshly-fetched EVP_MD
271			* that the caller must free with EVP_MD_free(). Returns 0 on any OpenSSL error. */
272			static int
273	298		setup_pss_sign_ctx(EVP_PKEY_CTX ctx, int padding, int hash_nid, EVP_MD *md_out)
274			{
275	298		int effective_pad = padding;
276	298		EVP_MD *md = NULL;
277
278	298	50	if (padding != RSA_NO_PADDING && padding != RSA_PKCS1_PADDING)
		100
279	197		effective_pad = RSA_PKCS1_PSS_PADDING;
280
281	298	50	if (EVP_PKEY_CTX_set_rsa_padding(ctx, effective_pad) <= 0)
282	0		return 0;
283
284	298		md = get_md_bynid(hash_nid);
285	298	50	if (!md)
286	0		return 0;
287
288	298	50	if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
289	0		EVP_MD_free(md);
290	0		return 0;
291			}
292
293	298	100	if (effective_pad == RSA_PKCS1_PSS_PADDING) {
294	394		if (EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) <= 0 \|\|
295	197		EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
296	0		EVP_MD_free(md);
297	0		return 0;
298			}
299			}
300
301	298		*md_out = md;
302	298		return 1;
303			}
304			#endif
305	298		unsigned char* get_message_digest(SV* text_SV, int hash_method, unsigned char* md)
306			{
307			STRLEN text_length;
308			unsigned char* text;
309	298		text = (unsigned char*) SvPV(text_SV, text_length);
310
311			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
312			/* Delegate NID→name lookup to get_md_bynid() — single source of truth. */
313			{
314	298		EVP_MD md_obj = get_md_bynid(hash_method); / croak()s on unknown NID */
315			unsigned int result_len;
316	298		int ok = EVP_Digest(text, text_length, md, &result_len, md_obj, NULL);
317	298		EVP_MD_free(md_obj);
318	298	50	return ok ? md : NULL;
319			}
320			#else
321			switch(hash_method)
322			{
323			case NID_md5:
324			return MD5(text, text_length, md);
325			break;
326			case NID_sha1:
327			return SHA1(text, text_length, md);
328			break;
329			#ifdef SHA512_DIGEST_LENGTH
330			case NID_sha224:
331			return SHA224(text, text_length, md);
332			break;
333			case NID_sha256:
334			return SHA256(text, text_length, md);
335			break;
336			case NID_sha384:
337			return SHA384(text, text_length, md);
338			break;
339			case NID_sha512:
340			return SHA512(text, text_length, md);
341			break;
342			#endif
343			case NID_ripemd160:
344			return RIPEMD160(text, text_length, md);
345			break;
346			#ifdef WHIRLPOOL_DIGEST_LENGTH
347			case NID_whirlpool:
348			return WHIRLPOOL(text, text_length, md);
349			break;
350			#endif
351			default:
352			croak("Unknown digest hash mode %u", hash_method);
353			break;
354			}
355			#endif
356			}
357
358	128		SV* cor_bn2sv(const BIGNUM* p_bn)
359			{
360			return p_bn != NULL
361	99		? sv_2mortal(newSViv((IV) BN_dup(p_bn)))
362	227	100	: &PL_sv_undef;
363			}
364
365	60		SV* extractBioString(BIO* p_stringBio)
366			{
367			SV* sv;
368			char* datap;
369			long datasize;
370	60		int error = 0;
371
372	60	50	THROW(BIO_flush(p_stringBio) == 1);
373
374	60		datasize = BIO_get_mem_data(p_stringBio, &datap);
375	60	50	THROW(datasize > 0);
376
377	60		sv = newSVpv(datap, datasize);
378
379	60		BIO_set_close(p_stringBio, BIO_CLOSE);
380	60		BIO_free(p_stringBio);
381	60		return sv;
382
383	0		err:
384	0		BIO_free(p_stringBio);
385	0		CHECK_OPEN_SSL(0);
386	0		return NULL; /* unreachable, CHECK_OPEN_SSL croaks */
387			}
388
389	46		EVP_PKEY* _load_rsa_key(SV* p_keyStringSv,
390			EVP_PKEY(p_loader)(BIO , EVP_PKEY, pem_password_cb, void*),
391			SV* p_passphraseSv)
392			{
393			STRLEN keyStringLength;
394			char* keyString;
395	46		UNSIGNED_CHAR *passphrase = NULL;
396
397			EVP_PKEY* rsa;
398			BIO* stringBIO;
399
400	46		keyString = SvPV(p_keyStringSv, keyStringLength);
401
402	46	100	if (SvPOK(p_passphraseSv)) {
403	10		passphrase = (UNSIGNED_CHAR *)SvPV_nolen(p_passphraseSv);
404			}
405
406	46	50	CHECK_OPEN_SSL(stringBIO = BIO_new_mem_buf(keyString, keyStringLength));
407
408	46		rsa = p_loader(stringBIO, NULL, NULL, passphrase);
409
410	46	50	CHECK_OPEN_SSL(BIO_set_close(stringBIO, BIO_CLOSE) == 1);
411	46		BIO_free(stringBIO);
412
413	46	100	CHECK_OPEN_SSL(rsa);
414			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
415			/* On 3.x, PEM_read_bio_PrivateKey/PEM_read_bio_PUBKEY accept any key
416			type (EC, DSA, etc.). Pre-3.x used RSA-specific loaders that would
417			reject non-RSA keys at parse time. Validate here to preserve that
418			behavior and give a clear error instead of confusing failures later.
419			Also rejects RSA-PSS keys (EVP_PKEY_RSA_PSS) — this module
420			only supports traditional RSA (EVP_PKEY_RSA). */
421	40	100	if (EVP_PKEY_get_base_id(rsa) != EVP_PKEY_RSA) {
422	4		EVP_PKEY_free(rsa);
423	4		croak("The key loaded is not an RSA key");
424			}
425			#endif
426	36		return rsa;
427			}
428
429	62		static void check_max_message_length(rsaData* p_rsa, STRLEN from_length) {
430			int size;
431	62		int max_len = -1;
432	62		const char *pad_name = NULL;
433
434	62		size = EVP_PKEY_get_size(p_rsa->rsa);
435
436	62	100	if (p_rsa->padding == RSA_PKCS1_OAEP_PADDING) {
437	32		max_len = size - 42; /* 2 * SHA1_DIGEST_LENGTH + 2 */
438	32		pad_name = "OAEP";
439	30	100	} else if (p_rsa->padding == RSA_PKCS1_PADDING) {
440	12		max_len = size - 11; /* PKCS#1 v1.5 overhead */
441	12		pad_name = "PKCS#1 v1.5";
442	18	100	} else if (p_rsa->padding == RSA_NO_PADDING) {
443	16		max_len = size;
444	16		pad_name = "no";
445			}
446	62	100	if (max_len >= 0 && from_length > (STRLEN) max_len) {
		100
447	9		croak("plaintext too long for key size with %s padding"
448			" (%d bytes max, got %d)", pad_name, max_len, (int)from_length);
449			}
450	53		}
451			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
452
453	102		SV* rsa_crypt(rsaData* p_rsa, SV* p_from,
454			int (p_crypt)(EVP_PKEY_CTX, unsigned char, size_t, const unsigned char*, size_t),
455			int (init_crypt)(EVP_PKEY_CTX), int is_encrypt)
456			#else
457
458			SV* rsa_crypt(rsaData* p_rsa, SV* p_from,
459			int (p_crypt)(int, const unsigned char, unsigned char, RSA, int), int is_encrypt)
460			#endif
461			{
462			STRLEN from_length;
463			SIZE_T_INT to_length;
464			unsigned char* from;
465	102		UNSIGNED_CHAR *to = NULL;
466			SV* sv;
467			#if OPENSSL_VERSION_NUMBER < 0x30000000L
468			int size;
469			#endif
470
471	102		from = (unsigned char*) SvPV(p_from, from_length);
472
473	102	100	if(is_encrypt && p_rsa->padding == RSA_PKCS1_PADDING) {
		100
474	2		croak("PKCS#1 v1.5 padding for encryption is vulnerable to the Marvin attack. "
475			"Use use_pkcs1_oaep_padding() for encryption, or use_pkcs1_padding() with sign()/verify().");
476			}
477
478	100	100	if(is_encrypt && p_rsa->padding == RSA_PKCS1_PSS_PADDING) {
		100
479	2		croak("PKCS#1 v2.1 RSA-PSS cannot be used for encryption operations call \"use_pkcs1_oaep_padding\" instead.");
480			}
481			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
482	98		EVP_PKEY_CTX *ctx = NULL;
483	98		int error = 0;
484
485	98	100	if (is_encrypt) {
486			/* Encryption path: OAEP is the only safe padding for encrypt/decrypt. */
487	76	100	if (p_rsa->padding != RSA_NO_PADDING && p_rsa->padding != RSA_PKCS1_OAEP_PADDING) {
		50
488	0		croak("Only OAEP padding or no padding is supported for encrypt/decrypt. "
489			"Call \"use_pkcs1_oaep_padding()\" or \"use_no_padding()\" first.");
490			}
491			} else {
492			/* Sign/verify_recover path (private_encrypt / public_decrypt):
493			these are low-level RSA operations that respect the user's
494			padding choice. OAEP and PSS are not valid here. */
495	22	50	if (p_rsa->padding == RSA_PKCS1_OAEP_PADDING) {
496	0		croak("OAEP padding is not supported for private_encrypt/public_decrypt. "
497			"Call use_no_padding() or use_pkcs1_padding() first.");
498			}
499	22	50	if (p_rsa->padding == RSA_PKCS1_PSS_PADDING) {
500	0		croak("PSS padding with private_encrypt/public_decrypt is not supported. "
501			"Use sign()/verify() for PSS signatures.");
502			}
503			}
504
505	98		ctx = EVP_PKEY_CTX_new_from_pkey(NULL, (EVP_PKEY* )p_rsa->rsa, NULL);
506
507	98	50	THROW(ctx);
508
509	98	50	THROW(init_crypt(ctx) == 1);
510	98	50	THROW(EVP_PKEY_CTX_set_rsa_padding(ctx, p_rsa->padding) > 0);
511	98	50	THROW(p_crypt(ctx, NULL, &to_length, from, from_length) == 1);
512	98		Newx(to, to_length, UNSIGNED_CHAR);
513	98	50	THROW(to);
514	98	100	THROW(p_crypt(ctx, to, &to_length, from, from_length) == 1);
515
516	85		EVP_PKEY_CTX_free(ctx);
517
518	85		goto crypt_done;
519	13		err:
520	13	50	if (ctx) EVP_PKEY_CTX_free(ctx);
521	13		Safefree(to);
522	13		CHECK_OPEN_SSL(0);
523	85		crypt_done:
524			#else
525			size = EVP_PKEY_get_size(p_rsa->rsa);
526			CHECK_NEW(to, size, UNSIGNED_CHAR);
527			to_length = p_crypt(
528			from_length, from, (unsigned char*) to, p_rsa->rsa, p_rsa->padding);
529			#endif
530			if (to_length < 0)
531			{
532			Safefree(to);
533			CHECK_OPEN_SSL(0);
534			}
535	85		sv = newSVpv((char* ) to, to_length);
536	85		Safefree(to);
537	85		return sv;
538			}
539
540			MODULE = Crypt::OpenSSL::RSA PACKAGE = Crypt::OpenSSL::RSA
541			PROTOTYPES: DISABLE
542
543			BOOT:
544			#if OPENSSL_VERSION_NUMBER < 0x10100000L
545			# might introduce memory leak without calling EVP_cleanup() on exit
546			# see https://wiki.openssl.org/index.php/Library_Initialization
547			ERR_load_crypto_strings();
548			OpenSSL_add_all_algorithms();
549			#else
550			# NOOP
551			#endif
552
553			SV*
554			_new_private_key_pem(proto, key_string_SV, passphrase_SV=&PL_sv_undef)
555			SV* proto;
556			SV* key_string_SV;
557			SV* passphrase_SV;
558			CODE:
559	24		RETVAL = make_rsa_obj(
560			proto, _load_rsa_key(key_string_SV, PEM_read_bio_PrivateKey, passphrase_SV));
561			OUTPUT:
562			RETVAL
563
564			SV*
565			_new_public_key_pkcs1(proto, key_string_SV)
566			SV* proto;
567			SV* key_string_SV;
568			CODE:
569	15		RETVAL = make_rsa_obj(
570			proto, _load_rsa_key(key_string_SV, PEM_read_bio_RSAPublicKey, &PL_sv_undef));
571			OUTPUT:
572			RETVAL
573
574			SV*
575			_new_public_key_x509(proto, key_string_SV)
576			SV* proto;
577			SV* key_string_SV;
578			CODE:
579	7		RETVAL = make_rsa_obj(
580			proto, _load_rsa_key(key_string_SV, PEM_read_bio_RSA_PUBKEY, &PL_sv_undef));
581			OUTPUT:
582			RETVAL
583
584			SV*
585			_new_public_key_x509_der(proto, key_string_SV)
586			SV* proto;
587			SV* key_string_SV;
588			PREINIT:
589			STRLEN keyStringLength;
590			char* keyString;
591			EVP_PKEY* pkey;
592			BIO* bio;
593			CODE:
594	2		keyString = SvPV(key_string_SV, keyStringLength);
595	2	50	CHECK_OPEN_SSL(bio = BIO_new_mem_buf(keyString, keyStringLength));
596			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
597	2		pkey = d2i_PUBKEY_bio(bio, NULL);
598			#else
599			pkey = d2i_RSA_PUBKEY_bio(bio, NULL);
600			#endif
601	2		BIO_free(bio);
602	2	50	CHECK_OPEN_SSL(pkey);
603			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
604	2	100	if (EVP_PKEY_get_base_id(pkey) != EVP_PKEY_RSA) {
605	1		EVP_PKEY_free(pkey);
606	1		croak("The key loaded is not an RSA key");
607			}
608			#endif
609	1		RETVAL = make_rsa_obj(proto, pkey);
610			OUTPUT:
611			RETVAL
612
613			SV*
614			_new_public_key_pkcs1_der(proto, key_string_SV)
615			SV* proto;
616			SV* key_string_SV;
617			PREINIT:
618			STRLEN keyStringLength;
619			char* keyString;
620			EVP_PKEY* pkey;
621			BIO* bio;
622			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
623			OSSL_DECODER_CTX* dctx;
624			#endif
625			CODE:
626	2		keyString = SvPV(key_string_SV, keyStringLength);
627	2	50	CHECK_OPEN_SSL(bio = BIO_new_mem_buf(keyString, keyStringLength));
628			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
629	2		pkey = NULL;
630	2		dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", "type-specific",
631			"RSA", OSSL_KEYMGMT_SELECT_PUBLIC_KEY,
632			NULL, NULL);
633	2	50	if (!dctx) {
634	0		BIO_free(bio);
635	0		croakSsl(__FILE__, __LINE__);
636			}
637	2	100	if (!OSSL_DECODER_from_bio(dctx, bio)) {
638	1		OSSL_DECODER_CTX_free(dctx);
639	1		BIO_free(bio);
640	1		croakSsl(__FILE__, __LINE__);
641			}
642	1		OSSL_DECODER_CTX_free(dctx);
643			#else
644			pkey = d2i_RSAPublicKey_bio(bio, NULL);
645			#endif
646	1		BIO_free(bio);
647	1	50	CHECK_OPEN_SSL(pkey);
648	1		RETVAL = make_rsa_obj(proto, pkey);
649			OUTPUT:
650			RETVAL
651
652			SV*
653			_new_private_key_der(proto, key_string_SV, passphrase_SV=&PL_sv_undef)
654			SV* proto;
655			SV* key_string_SV;
656			SV* passphrase_SV;
657			PREINIT:
658			STRLEN keyStringLength;
659			char* keyString;
660			EVP_PKEY* pkey;
661			BIO* bio;
662			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
663			OSSL_DECODER_CTX* dctx;
664			#endif
665			CODE:
666	4		keyString = SvPV(key_string_SV, keyStringLength);
667	4	50	CHECK_OPEN_SSL(bio = BIO_new_mem_buf(keyString, keyStringLength));
668			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
669	4		pkey = NULL;
670	4		dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL,
671			"RSA", OSSL_KEYMGMT_SELECT_ALL,
672			NULL, NULL);
673	4	50	if (!dctx) {
674	0		BIO_free(bio);
675	0		croakSsl(__FILE__, __LINE__);
676			}
677	4	100	if (SvPOK(passphrase_SV)) {
678			STRLEN passlen;
679	2		unsigned char* pass = (unsigned char*)SvPV(passphrase_SV, passlen);
680	2	50	if (!OSSL_DECODER_CTX_set_passphrase(dctx, pass, passlen)) {
681	0		OSSL_DECODER_CTX_free(dctx);
682	0		BIO_free(bio);
683	0		croakSsl(__FILE__, __LINE__);
684			}
685			}
686	4	100	if (!OSSL_DECODER_from_bio(dctx, bio)) {
687	2		OSSL_DECODER_CTX_free(dctx);
688	2		BIO_free(bio);
689	2		croakSsl(__FILE__, __LINE__);
690			}
691	2		OSSL_DECODER_CTX_free(dctx);
692			#else
693			if (SvPOK(passphrase_SV)) {
694			char* passphrase = SvPV_nolen(passphrase_SV);
695			pkey = _load_pkcs8_der_key(bio, passphrase);
696			} else {
697			pkey = d2i_RSAPrivateKey_bio(bio, NULL);
698			}
699			#endif
700	2		BIO_free(bio);
701	2	50	CHECK_OPEN_SSL(pkey);
702	2		RETVAL = make_rsa_obj(proto, pkey);
703			OUTPUT:
704			RETVAL
705
706			void
707			DESTROY(p_rsa)
708			rsaData* p_rsa;
709			CODE:
710	86		EVP_PKEY_free(p_rsa->rsa);
711	86		Safefree(p_rsa);
712
713			SV*
714			get_private_key_string(p_rsa, passphrase_SV=&PL_sv_undef, cipher_name_SV=&PL_sv_undef)
715			rsaData* p_rsa;
716			SV* passphrase_SV;
717			SV* cipher_name_SV;
718			PREINIT:
719			BIO* stringBIO;
720	26		char* passphrase = NULL;
721	26		STRLEN passphraseLength = 0;
722			char* cipher_name;
723	26	50	const EVP_CIPHER* enc = NULL;
724			CODE:
725	26	100	if (!_is_private(p_rsa))
726			{
727	1		croak("Public keys cannot export private key strings");
728			}
729	25	100	if (SvPOK(cipher_name_SV) && !SvPOK(passphrase_SV)) {
		100
730	1		croak("Passphrase is required for cipher");
731			}
732	24	100	if (SvPOK(passphrase_SV)) {
733	9		passphrase = SvPV(passphrase_SV, passphraseLength);
734	9	100	if (SvPOK(cipher_name_SV)) {
735	7		cipher_name = SvPV_nolen(cipher_name_SV);
736			}
737			else {
738	2		cipher_name = "des3";
739			}
740	9		enc = EVP_get_cipherbyname(cipher_name);
741	9	100	if (enc == NULL) {
742	1		croak("Unsupported cipher: %s", cipher_name);
743			}
744			}
745
746	23	50	CHECK_OPEN_SSL(stringBIO = BIO_new(BIO_s_mem()));
747	23	50	CHECK_OPEN_SSL_BIO(PEM_write_bio_PrivateKey_traditional(
748			stringBIO, p_rsa->rsa, enc, (unsigned char* ) passphrase, passphraseLength, NULL, NULL), stringBIO);
749	23		RETVAL = extractBioString(stringBIO);
750
751			OUTPUT:
752			RETVAL
753
754			SV*
755			get_private_key_pkcs8_string(p_rsa, passphrase_SV=&PL_sv_undef, cipher_name_SV=&PL_sv_undef)
756			rsaData* p_rsa;
757			SV* passphrase_SV;
758			SV* cipher_name_SV;
759			PREINIT:
760			BIO* stringBIO;
761	6		char* passphrase = NULL;
762	6		STRLEN passphraseLength = 0;
763			char* cipher_name;
764	6	50	const EVP_CIPHER* enc = NULL;
765			CODE:
766	6	100	if (SvPOK(cipher_name_SV) && !SvPOK(passphrase_SV)) {
		100
767	1		croak("Passphrase is required for cipher");
768			}
769	5	100	if (SvPOK(passphrase_SV)) {
770	3		passphrase = SvPV(passphrase_SV, passphraseLength);
771	3	50	if (SvPOK(cipher_name_SV)) {
772	3		cipher_name = SvPV_nolen(cipher_name_SV);
773			}
774			else {
775	0		cipher_name = "des3";
776			}
777	3		enc = EVP_get_cipherbyname(cipher_name);
778	3	100	if (enc == NULL) {
779	1		croak("Unsupported cipher: %s", cipher_name);
780			}
781			}
782
783	4	50	CHECK_OPEN_SSL(stringBIO = BIO_new(BIO_s_mem()));
784			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
785	4	50	CHECK_OPEN_SSL_BIO(PEM_write_bio_PrivateKey(
786			stringBIO, p_rsa->rsa, enc, (unsigned char*) passphrase, passphraseLength, NULL, NULL), stringBIO);
787			#else
788			CHECK_OPEN_SSL_BIO(_write_pkcs8_pem(
789			stringBIO, p_rsa->rsa, enc, (unsigned char*) passphrase, passphraseLength), stringBIO);
790			#endif
791	4		RETVAL = extractBioString(stringBIO);
792
793			OUTPUT:
794			RETVAL
795
796			SV*
797			get_public_key_string(p_rsa)
798			rsaData* p_rsa;
799			PREINIT:
800			BIO* stringBIO;
801			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
802	23		OSSL_ENCODER_CTX *ctx = NULL;
803	23	50	int error = 0;
804			#endif
805			CODE:
806	23	50	CHECK_OPEN_SSL(stringBIO = BIO_new(BIO_s_mem()));
807			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
808	23		ctx = OSSL_ENCODER_CTX_new_for_pkey(p_rsa->rsa, OSSL_KEYMGMT_SELECT_PUBLIC_KEY,
809			"PEM", "PKCS1", NULL);
810	23	50	THROW(ctx != NULL && OSSL_ENCODER_CTX_get_num_encoders(ctx));
		50
811
812	23	50	THROW(OSSL_ENCODER_to_bio(ctx, stringBIO) == 1);
813
814	23		OSSL_ENCODER_CTX_free(ctx);
815	23		ctx = NULL;
816
817	23		goto pubkey_done;
818	0		err:
819	0	0	if (ctx) { OSSL_ENCODER_CTX_free(ctx); ctx = NULL; }
820	0		BIO_free(stringBIO);
821	0		CHECK_OPEN_SSL(0);
822	23		pubkey_done:
823			#else
824			CHECK_OPEN_SSL_BIO(PEM_write_bio_RSAPublicKey(stringBIO, p_rsa->rsa), stringBIO);
825			#endif
826	23		RETVAL = extractBioString(stringBIO);
827
828			OUTPUT:
829			RETVAL
830
831			SV*
832			get_public_key_x509_string(p_rsa)
833			rsaData* p_rsa;
834			PREINIT:
835			BIO* stringBIO;
836			CODE:
837	10	50	CHECK_OPEN_SSL(stringBIO = BIO_new(BIO_s_mem()));
838	10	50	CHECK_OPEN_SSL_BIO(PEM_write_bio_PUBKEY(stringBIO, p_rsa->rsa), stringBIO);
839	10		RETVAL = extractBioString(stringBIO);
840
841			OUTPUT:
842			RETVAL
843
844			SV*
845			generate_key(proto, bitsSV, exponent = 65537)
846			SV* proto;
847			SV* bitsSV;
848			unsigned long exponent;
849			PREINIT:
850	42		EVP_PKEY* rsa = NULL;
851	42		BIGNUM *e = NULL;
852			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
853	42		EVP_PKEY_CTX *ctx = NULL;
854	42	100	int error = 0;
855			#endif
856			CODE:
857	42	100	if (SvIV(bitsSV) < 512)
858	4		croak("RSA key size must be at least 512 bits (got %"IVdf")", SvIV(bitsSV));
859	38	100	if (exponent < 3 \|\| (exponent % 2) == 0)
		100
860	7		croak("RSA exponent must be odd and >= 3 (got %lu)", exponent);
861	31		e = BN_new();
862	31		BN_set_word(e, exponent);
863			#if OPENSSL_VERSION_NUMBER < 0x00908000L
864			rsa = RSA_generate_key(SvIV(bitsSV), exponent, NULL, NULL);
865			BN_free(e);
866			CHECK_OPEN_SSL(rsa != NULL);
867			#endif
868			#if OPENSSL_VERSION_NUMBER >= 0x00908000L && OPENSSL_VERSION_NUMBER < 0x30000000L
869			rsa = RSA_new();
870			if (!RSA_generate_key_ex(rsa, SvIV(bitsSV), e, NULL))
871			{
872			BN_free(e);
873			RSA_free(rsa);
874			croak("Unable to generate a key");
875			}
876			BN_free(e);
877			#endif
878			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
879	31		ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
880	31	50	THROW(ctx);
881	31	50	THROW(EVP_PKEY_keygen_init(ctx) == 1);
882	31	50	THROW(EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, SvIV(bitsSV)) > 0);
883	31	50	THROW(EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, e) > 0);
884	31	50	THROW(EVP_PKEY_generate(ctx, &rsa) == 1);
885	31		err:
886	31		BN_free(e);
887	31		e = NULL;
888	31		EVP_PKEY_CTX_free(ctx);
889	31		ctx = NULL;
890	31	50	if (error)
891	0		croakSsl(__FILE__, __LINE__);
892			#endif
893	31	50	CHECK_OPEN_SSL(rsa);
894	31		RETVAL = make_rsa_obj(proto, rsa);
895			OUTPUT:
896			RETVAL
897
898
899			SV*
900			_new_key_from_parameters(proto, n, e, d, p, q)
901			SV* proto;
902			BIGNUM* n;
903			BIGNUM* e;
904			BIGNUM* d;
905			BIGNUM* p;
906			BIGNUM* q;
907			PREINIT:
908	20		EVP_PKEY* rsa = NULL;
909	20		BN_CTX* ctx = NULL;
910	20		BIGNUM* p_minus_1 = NULL;
911	20		BIGNUM* q_minus_1 = NULL;
912	20		BIGNUM* dmp1 = NULL;
913	20		BIGNUM* dmq1 = NULL;
914	20		BIGNUM* iqmp = NULL;
915	20		int error = 0;
916			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
917	20		OSSL_PARAM *params = NULL;
918	20		EVP_PKEY_CTX *pctx = NULL;
919	20		OSSL_PARAM_BLD *params_build = NULL;
920			#endif
921			CODE:
922			{
923	20	100	if (!(n && e))
		50
924			{
925	2		croak("At least a modulus and public key must be provided");
926			}
927			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
928	18		pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
929	18	50	THROW(pctx != NULL);
930	18	50	THROW(EVP_PKEY_fromdata_init(pctx) > 0);
931	18		params_build = OSSL_PARAM_BLD_new();
932	18	50	THROW(params_build);
933			#else
934			CHECK_OPEN_SSL(rsa = RSA_new());
935			#endif
936			#if OLD_CRUFTY_SSL_VERSION
937			rsa->n = n;
938			rsa->e = e;
939			#endif
940			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
941	18	50	THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_N, n));
942	18	50	THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_E, e));
943			#endif
944	18	100	if (p \|\| q)
		100
945	10		{
946	13		error = 0;
947	13	50	THROW(ctx = BN_CTX_new());
948	13	100	if (!p)
949			{
950	4	50	THROW(p = BN_new());
951	4	50	THROW(BN_div(p, NULL, n, q, ctx));
952			}
953	9	100	else if (!q)
954			{
955	3	50	THROW(q = BN_new());
956	3	50	THROW(BN_div(q, NULL, n, p, ctx));
957			}
958			#if OLD_CRUFTY_SSL_VERSION
959			rsa->p = p;
960			rsa->q = q;
961			#else
962			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
963			#else
964			THROW(RSA_set0_factors(rsa, p, q));
965			#endif
966			#endif
967	13	50	THROW(p_minus_1 = BN_new());
968	13	50	THROW(BN_sub(p_minus_1, p, BN_value_one()));
969	13	50	THROW(q_minus_1 = BN_new());
970	13	50	THROW(BN_sub(q_minus_1, q, BN_value_one()));
971	13	100	if (!d)
972			{
973	2	50	THROW(d = BN_new());
974	2	50	THROW(BN_mul(d, p_minus_1, q_minus_1, ctx));
975	2	50	THROW(BN_mod_inverse(d, e, d, ctx));
976			}
977			#if OLD_CRUFTY_SSL_VERSION
978			rsa->d = d;
979			#else
980			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
981	13	50	THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_D, d));
982	13	50	THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_FACTOR1, p));
983	13	50	THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_FACTOR2, q));
984			#else
985			THROW(RSA_set0_key(rsa, n, e, d));
986			#endif
987			#endif
988	13	50	THROW(dmp1 = BN_new());
989	13	50	THROW(BN_mod(dmp1, d, p_minus_1, ctx));
990	13	50	THROW(dmq1 = BN_new());
991	13	50	THROW(BN_mod(dmq1, d, q_minus_1, ctx));
992	13	50	THROW(iqmp = BN_new());
993	13	50	THROW(BN_mod_inverse(iqmp, q, p, ctx));
994			#if OLD_CRUFTY_SSL_VERSION
995			rsa->dmp1 = dmp1;
996			rsa->dmq1 = dmq1;
997			rsa->iqmp = iqmp;
998			#else
999			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1000	13	50	THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1));
1001	13	50	THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1));
1002	13	50	THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp));
1003
1004	13		params = OSSL_PARAM_BLD_to_param(params_build);
1005	13	50	THROW(params != NULL);
1006
1007	13		int status = EVP_PKEY_fromdata(pctx, &rsa, EVP_PKEY_KEYPAIR, params);
1008	13	50	THROW( status > 0 && rsa != NULL );
		50
1009	13		EVP_PKEY_CTX* test_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, rsa, NULL);
1010	13	50	int check_ok = (test_ctx != NULL && EVP_PKEY_check(test_ctx) == 1);
		100
1011	13		EVP_PKEY_CTX_free(test_ctx);
1012	13	100	THROW(check_ok);
1013			#else
1014			THROW(RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp));
1015			#endif
1016			#endif
1017			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1018			/* OSSL_PARAM_BLD_push_BN() copies the value, so the original
1019			BIGNUMs (from pointer_copy or BN_new) must be freed here.
1020			On pre-3.x, RSA_set0_key/RSA_set0_factors took ownership. */
1021	10		BN_clear_free(n);
1022	10		BN_clear_free(e);
1023	10		BN_clear_free(d);
1024	10		BN_clear_free(p);
1025	10		BN_clear_free(q);
1026	10		BN_clear_free(dmp1);
1027	10		BN_clear_free(dmq1);
1028	10		BN_clear_free(iqmp);
1029	10		n = e = d = p = q = NULL;
1030			#endif
1031	10		dmp1 = dmq1 = iqmp = NULL;
1032	10		BN_CTX_free(ctx);
1033	10		ctx = NULL;
1034	10		BN_clear_free(p_minus_1);
1035	10		p_minus_1 = NULL;
1036	10		BN_clear_free(q_minus_1);
1037	10		q_minus_1 = NULL;
1038			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1039	10		OSSL_PARAM_BLD_free(params_build);
1040	10		params_build = NULL;
1041	10		OSSL_PARAM_free(params);
1042	10		params = NULL;
1043	10		EVP_PKEY_CTX_free(pctx);
1044	10		pctx = NULL;
1045			#else
1046			THROW(RSA_check_key(rsa) == 1);
1047			#endif
1048			}
1049			else
1050			{
1051			#if OLD_CRUFTY_SSL_VERSION
1052			rsa->d = d;
1053			#else
1054			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1055	5	100	if(d != NULL)
1056	2	50	THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_D, d));
1057	5		params = OSSL_PARAM_BLD_to_param(params_build);
1058	5	50	THROW(params != NULL);
1059
1060	5		int status = EVP_PKEY_fromdata(pctx, &rsa, EVP_PKEY_KEYPAIR, params);
1061	5		OSSL_PARAM_BLD_free(params_build);
1062	5		OSSL_PARAM_free(params);
1063	5		params_build = NULL;
1064	5		params = NULL;
1065	5	50	THROW( status > 0 && rsa != NULL );
		50
1066	5		EVP_PKEY_CTX_free(pctx);
1067	5		pctx = NULL;
1068	5		BN_clear_free(n);
1069	5		BN_clear_free(e);
1070	5		BN_clear_free(d);
1071	5		n = e = d = NULL;
1072			#else
1073			CHECK_OPEN_SSL(RSA_set0_key(rsa, n, e, d));
1074			#endif
1075			#endif
1076			}
1077
1078	15	50	THROW(RETVAL = make_rsa_obj(proto, rsa));
1079	15		goto end;
1080
1081	3		err:
1082			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1083			/* On 3.x, push_BN copies, so originals are always ours to free.
1084			On pre-3.x, RSA_set0_key/set0_factors may have taken ownership,
1085			so these are intentionally skipped (risk of double-free). */
1086	3		BN_clear_free(n);
1087	3		BN_clear_free(e);
1088	3		BN_clear_free(d);
1089	3		BN_clear_free(p);
1090	3		BN_clear_free(q);
1091			#endif
1092	3	50	if (p_minus_1) BN_clear_free(p_minus_1);
1093	3	50	if (q_minus_1) BN_clear_free(q_minus_1);
1094	3	50	if (dmp1) BN_clear_free(dmp1);
1095	3	50	if (dmq1) BN_clear_free(dmq1);
1096	3	50	if (iqmp) BN_clear_free(iqmp);
1097	3	50	if (ctx) BN_CTX_free(ctx);
1098			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1099	3	50	if (pctx) { EVP_PKEY_CTX_free(pctx); pctx = NULL; }
1100	3	50	if (params_build) { OSSL_PARAM_BLD_free(params_build); params_build = NULL; }
1101	3	50	if (params) { OSSL_PARAM_free(params); params = NULL; }
1102			#endif
1103	3	50	if (error)
1104			{
1105	3		EVP_PKEY_free(rsa);
1106	3		CHECK_OPEN_SSL(0);
1107			}
1108			}
1109	15		end:
1110
1111			OUTPUT:
1112			RETVAL
1113
1114			void
1115			_get_key_parameters(p_rsa)
1116			rsaData* p_rsa;
1117			PREINIT:
1118			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1119	16		BIGNUM* n = NULL;
1120	16		BIGNUM* e = NULL;
1121	16		BIGNUM* d = NULL;
1122	16		BIGNUM* p = NULL;
1123	16		BIGNUM* q = NULL;
1124	16		BIGNUM* dmp1 = NULL;
1125	16		BIGNUM* dmq1 = NULL;
1126	16	50	BIGNUM* iqmp = NULL;
1127			#else
1128			const BIGNUM* n;
1129			const BIGNUM* e;
1130			const BIGNUM* d;
1131			const BIGNUM* p;
1132			const BIGNUM* q;
1133			const BIGNUM* dmp1;
1134			const BIGNUM* dmq1;
1135			const BIGNUM* iqmp;
1136			#endif
1137			PPCODE:
1138			{
1139			EVP_PKEY* rsa;
1140	16		rsa = p_rsa->rsa;
1141			#if OLD_CRUFTY_SSL_VERSION
1142			n = rsa->n;
1143			e = rsa->e;
1144			d = rsa->d;
1145			p = rsa->p;
1146			q = rsa->q;
1147			dmp1 = rsa->dmp1;
1148			dmq1 = rsa->dmq1;
1149			iqmp = rsa->iqmp;
1150			#else
1151			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1152			/* n and e are mandatory for every RSA key — croak on failure. */
1153	16	50	if (!EVP_PKEY_get_bn_param(rsa, OSSL_PKEY_PARAM_RSA_N, &n))
1154	0		croakSsl(__FILE__, __LINE__);
1155	16	50	if (!EVP_PKEY_get_bn_param(rsa, OSSL_PKEY_PARAM_RSA_E, &e)) {
1156	0		BN_free(n);
1157	0		croakSsl(__FILE__, __LINE__);
1158			}
1159			/* Private components are absent for public keys — EVP_PKEY_get_bn_param()
1160			returns 0 and may push errors onto the queue, but the pointer stays NULL
1161			so cor_bn2sv() will return undef. This matches the pre-3.x behaviour
1162			where RSA_get0_key/factors/crt_params simply set NULL for missing fields. */
1163	16		EVP_PKEY_get_bn_param(rsa, OSSL_PKEY_PARAM_RSA_D, &d);
1164	16		EVP_PKEY_get_bn_param(rsa, OSSL_PKEY_PARAM_RSA_FACTOR1, &p);
1165	16		EVP_PKEY_get_bn_param(rsa, OSSL_PKEY_PARAM_RSA_FACTOR2, &q);
1166	16		EVP_PKEY_get_bn_param(rsa, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1);
1167	16		EVP_PKEY_get_bn_param(rsa, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1);
1168	16		EVP_PKEY_get_bn_param(rsa, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp);
1169			/* Failed calls (e.g. private params on a public key) push errors
1170			onto the OpenSSL error queue. Drain them so they don't leak
1171			into the next croakSsl() call from an unrelated operation. */
1172	16		ERR_clear_error();
1173			#else
1174			RSA_get0_key(rsa, &n, &e, &d);
1175			RSA_get0_factors(rsa, &p, &q);
1176			RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
1177			#endif
1178			#endif
1179	16	50	XPUSHs(cor_bn2sv(n));
1180	16	50	XPUSHs(cor_bn2sv(e));
1181	16	50	XPUSHs(cor_bn2sv(d));
1182	16	50	XPUSHs(cor_bn2sv(p));
1183	16	50	XPUSHs(cor_bn2sv(q));
1184	16	50	XPUSHs(cor_bn2sv(dmp1));
1185	16	50	XPUSHs(cor_bn2sv(dmq1));
1186	16	50	XPUSHs(cor_bn2sv(iqmp));
1187			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1188			/* EVP_PKEY_get_bn_param() allocates new BIGNUMs (unlike the pre-3.x
1189			getters which return internal pointers). cor_bn2sv() duplicates
1190			them via BN_dup(), so we must free the originals here. */
1191	16		BN_free(n);
1192	16		BN_free(e);
1193	16		BN_clear_free(d);
1194	16		BN_clear_free(p);
1195	16		BN_clear_free(q);
1196	16		BN_clear_free(dmp1);
1197	16		BN_clear_free(dmq1);
1198	16		BN_clear_free(iqmp);
1199			#endif
1200			}
1201
1202			SV*
1203			encrypt(p_rsa, p_plaintext)
1204			rsaData* p_rsa;
1205			SV* p_plaintext;
1206			CODE:
1207	48		check_max_message_length(p_rsa, sv_len(p_plaintext));
1208			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1209	41		RETVAL = rsa_crypt(p_rsa, p_plaintext, EVP_PKEY_encrypt, EVP_PKEY_encrypt_init, 1 /* is_encrypt */);
1210			#else
1211			RETVAL = rsa_crypt(p_rsa, p_plaintext, RSA_public_encrypt, 1 /* is_encrypt */);
1212			#endif
1213			OUTPUT:
1214			RETVAL
1215
1216			SV*
1217			decrypt(p_rsa, p_ciphertext)
1218			rsaData* p_rsa;
1219			SV* p_ciphertext;
1220			CODE:
1221	41	100	if (!_is_private(p_rsa))
1222			{
1223	2		croak("Public keys cannot decrypt");
1224			}
1225			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1226	39		RETVAL = rsa_crypt(p_rsa, p_ciphertext, EVP_PKEY_decrypt, EVP_PKEY_decrypt_init, 1 /* is_encrypt */);
1227			#else
1228			RETVAL = rsa_crypt(p_rsa, p_ciphertext, RSA_private_decrypt, 1 /* is_encrypt */);
1229			#endif
1230			OUTPUT:
1231			RETVAL
1232
1233			SV*
1234			private_encrypt(p_rsa, p_plaintext)
1235			rsaData* p_rsa;
1236			SV* p_plaintext;
1237			CODE:
1238	25	100	if (!_is_private(p_rsa))
1239			{
1240	4		croak("Public keys cannot private_encrypt");
1241			}
1242	21	100	if (p_rsa->padding == RSA_PKCS1_OAEP_PADDING) {
1243	4		croak("OAEP padding is not supported for private_encrypt/public_decrypt. "
1244			"Call use_no_padding() or use_pkcs1_padding() first.");
1245			}
1246	17	100	if (p_rsa->padding == RSA_PKCS1_PSS_PADDING) {
1247	3		croak("PSS padding with private_encrypt/public_decrypt is not supported. "
1248			"Use sign()/verify() for PSS signatures.");
1249			}
1250	14		check_max_message_length(p_rsa, sv_len(p_plaintext));
1251			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1252	12		RETVAL = rsa_crypt(p_rsa, p_plaintext, EVP_PKEY_sign, EVP_PKEY_sign_init, 0 /* is_encrypt */);
1253			#else
1254			RETVAL = rsa_crypt(p_rsa, p_plaintext, RSA_private_encrypt, 0 /* is_encrypt */);
1255			#endif
1256			OUTPUT:
1257			RETVAL
1258
1259			SV*
1260			public_decrypt(p_rsa, p_ciphertext)
1261			rsaData* p_rsa;
1262			SV* p_ciphertext;
1263			CODE:
1264	12	100	if (p_rsa->padding == RSA_PKCS1_OAEP_PADDING) {
1265	1		croak("OAEP padding is not supported for private_encrypt/public_decrypt. "
1266			"Call use_no_padding() or use_pkcs1_padding() first.");
1267			}
1268	11	100	if (p_rsa->padding == RSA_PKCS1_PSS_PADDING) {
1269	1		croak("PSS padding with private_encrypt/public_decrypt is not supported. "
1270			"Use sign()/verify() for PSS signatures.");
1271			}
1272			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1273	10		RETVAL = rsa_crypt(p_rsa, p_ciphertext, EVP_PKEY_verify_recover, EVP_PKEY_verify_recover_init, 0 /* is_encrypt */);
1274			#else
1275			RETVAL = rsa_crypt(p_rsa, p_ciphertext, RSA_public_decrypt, 0 /* is_encrypt */);
1276			#endif
1277			OUTPUT:
1278			RETVAL
1279
1280			int
1281			size(p_rsa)
1282			rsaData* p_rsa;
1283			CODE:
1284	44		RETVAL = EVP_PKEY_get_size(p_rsa->rsa);
1285			OUTPUT:
1286			RETVAL
1287
1288			int
1289			check_key(p_rsa)
1290			rsaData* p_rsa;
1291			CODE:
1292	17	100	if (!_is_private(p_rsa))
1293			{
1294	2		croak("Public keys cannot be checked");
1295			}
1296			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1297	15		EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_pkey(NULL, p_rsa->rsa, NULL);
1298	15	50	CHECK_OPEN_SSL(pctx);
1299	15		RETVAL = (EVP_PKEY_private_check(pctx) == 1);
1300	15		EVP_PKEY_CTX_free(pctx);
1301			#else
1302			RETVAL = (RSA_check_key(p_rsa->rsa) == 1);
1303			#endif
1304			OUTPUT:
1305			RETVAL
1306
1307			# Seed the PRNG with user-provided bytes; returns true if the
1308			# seeding was sufficient.
1309
1310			int
1311			_random_seed(random_bytes_SV)
1312			SV* random_bytes_SV;
1313			PREINIT:
1314			STRLEN random_bytes_length;
1315			char* random_bytes;
1316			CODE:
1317	0		random_bytes = SvPV(random_bytes_SV, random_bytes_length);
1318	0		RAND_seed(random_bytes, random_bytes_length);
1319	0		RETVAL = RAND_status();
1320			OUTPUT:
1321			RETVAL
1322
1323			# Returns true if the PRNG has enough seed data
1324
1325			int
1326			_random_status()
1327			CODE:
1328	13		RETVAL = RAND_status();
1329			OUTPUT:
1330			RETVAL
1331
1332			void
1333			use_md5_hash(p_rsa)
1334			rsaData* p_rsa;
1335			CODE:
1336	14		p_rsa->hashMode = NID_md5;
1337
1338			void
1339			use_sha1_hash(p_rsa)
1340			rsaData* p_rsa;
1341			CODE:
1342	19		p_rsa->hashMode = NID_sha1;
1343
1344			#ifdef SHA512_DIGEST_LENGTH
1345
1346			void
1347			use_sha224_hash(p_rsa)
1348			rsaData* p_rsa;
1349			CODE:
1350	14		p_rsa->hashMode = NID_sha224;
1351
1352			void
1353			use_sha256_hash(p_rsa)
1354			rsaData* p_rsa;
1355			CODE:
1356	40		p_rsa->hashMode = NID_sha256;
1357
1358			void
1359			use_sha384_hash(p_rsa)
1360			rsaData* p_rsa;
1361			CODE:
1362	14		p_rsa->hashMode = NID_sha384;
1363
1364			void
1365			use_sha512_hash(p_rsa)
1366			rsaData* p_rsa;
1367			CODE:
1368	14		p_rsa->hashMode = NID_sha512;
1369
1370			#endif
1371
1372			void
1373			use_ripemd160_hash(p_rsa)
1374			rsaData* p_rsa;
1375			CODE:
1376	10		p_rsa->hashMode = NID_ripemd160;
1377
1378			#ifdef WHIRLPOOL_DIGEST_LENGTH
1379
1380			void
1381			use_whirlpool_hash(p_rsa)
1382			rsaData* p_rsa;
1383			CODE:
1384			p_rsa->hashMode = NID_whirlpool;
1385
1386			#endif
1387
1388			void
1389			use_no_padding(p_rsa)
1390			rsaData* p_rsa;
1391			CODE:
1392	24		p_rsa->padding = RSA_NO_PADDING;
1393
1394			void
1395			use_pkcs1_padding(p_rsa)
1396			rsaData* p_rsa;
1397			CODE:
1398	48		p_rsa->padding = RSA_PKCS1_PADDING;
1399
1400			void
1401			use_pkcs1_oaep_padding(p_rsa)
1402			rsaData* p_rsa;
1403			CODE:
1404	42		p_rsa->padding = RSA_PKCS1_OAEP_PADDING;
1405
1406			void
1407			use_pkcs1_pss_padding(p_rsa)
1408			rsaData* p_rsa;
1409			CODE:
1410	48		p_rsa->padding = RSA_PKCS1_PSS_PADDING;
1411
1412			#if OPENSSL_VERSION_NUMBER < 0x30000000L
1413
1414			void
1415			use_sslv23_padding(p_rsa)
1416			rsaData* p_rsa;
1417			CODE:
1418			p_rsa->padding = RSA_SSLV23_PADDING;
1419
1420			#endif
1421
1422			# Sign text. Returns the signature.
1423
1424			SV*
1425			sign(p_rsa, text_SV)
1426			rsaData* p_rsa;
1427			SV* text_SV;
1428			PREINIT:
1429	96		UNSIGNED_CHAR *signature = NULL;
1430			unsigned char* digest;
1431			SIZE_T_UNSIGNED_INT signature_length;
1432			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1433	96		EVP_PKEY_CTX *ctx = NULL;
1434	96		EVP_MD *md = NULL;
1435	96	50	int error = 0;
1436			#endif
1437			CODE:
1438			{
1439	96	100	if (!_is_private(p_rsa))
1440			{
1441	3		croak("Public keys cannot sign messages");
1442			}
1443
1444			unsigned char digest_buf[EVP_MAX_MD_SIZE];
1445	93	50	CHECK_OPEN_SSL(digest = get_message_digest(text_SV, p_rsa->hashMode, digest_buf));
1446			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1447	93		ctx = EVP_PKEY_CTX_new(p_rsa->rsa, NULL /* no engine */);
1448	93	50	THROW(ctx);
1449	93	50	THROW(EVP_PKEY_sign_init(ctx));
1450	93	50	THROW(setup_pss_sign_ctx(ctx, p_rsa->padding, p_rsa->hashMode, &md));
1451	93	50	THROW(EVP_PKEY_sign(ctx, NULL, &signature_length, digest, get_digest_length(p_rsa->hashMode)) == 1);
1452
1453	93		Newx(signature, signature_length, UNSIGNED_CHAR);
1454	93	50	THROW(signature);
1455
1456	93	50	THROW(EVP_PKEY_sign(ctx, signature, &signature_length, digest, get_digest_length(p_rsa->hashMode)) == 1);
1457
1458	93		EVP_MD_free(md);
1459	93		EVP_PKEY_CTX_free(ctx);
1460
1461	93		goto sign_done;
1462	0		err:
1463	0		Safefree(signature);
1464	0	0	if (md) EVP_MD_free(md);
1465	0	0	if (ctx) EVP_PKEY_CTX_free(ctx);
1466	0		CHECK_OPEN_SSL(0);
1467	93		sign_done:
1468			#else
1469			CHECK_NEW(signature, EVP_PKEY_get_size(p_rsa->rsa), UNSIGNED_CHAR);
1470			if (!RSA_sign(p_rsa->hashMode,
1471			digest,
1472			get_digest_length(p_rsa->hashMode),
1473			(unsigned char*) signature,
1474			&signature_length,
1475			p_rsa->rsa))
1476			{
1477			Safefree(signature);
1478			croakSsl(__FILE__, __LINE__);
1479			}
1480			#endif
1481	93		RETVAL = newSVpvn((const char* )signature, signature_length);
1482	93		Safefree(signature);
1483			}
1484			OUTPUT:
1485			RETVAL
1486
1487			# Verify signature. Returns true if correct, false otherwise.
1488
1489			void
1490			verify(p_rsa, text_SV, sig_SV)
1491			rsaData* p_rsa;
1492			SV* text_SV;
1493			SV* sig_SV;
1494			PREINIT:
1495			int verify_result;
1496			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1497	206		int error = 0;
1498	206		EVP_PKEY_CTX *ctx = NULL;
1499	206	50	EVP_MD *md = NULL;
1500			#endif
1501			PPCODE:
1502			{
1503			unsigned char* sig;
1504			unsigned char* digest;
1505			STRLEN sig_length;
1506
1507	206		sig = (unsigned char*) SvPV(sig_SV, sig_length);
1508	206	100	if (EVP_PKEY_get_size(p_rsa->rsa) < sig_length)
1509			{
1510	1		croak("Signature longer than key");
1511			}
1512
1513			unsigned char digest_buf[EVP_MAX_MD_SIZE];
1514	205	50	CHECK_OPEN_SSL(digest = get_message_digest(text_SV, p_rsa->hashMode, digest_buf));
1515			#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1516	205		ctx = EVP_PKEY_CTX_new(p_rsa->rsa, NULL /* no engine */);
1517	205	50	THROW(ctx);
1518	205	50	THROW(EVP_PKEY_verify_init(ctx) == 1);
1519	205	50	THROW(setup_pss_sign_ctx(ctx, p_rsa->padding, p_rsa->hashMode, &md));
1520
1521	205		verify_result = EVP_PKEY_verify(ctx, sig, sig_length, digest, get_digest_length(p_rsa->hashMode));
1522	205		EVP_MD_free(md);
1523	205		EVP_PKEY_CTX_free(ctx);
1524
1525	205		goto verify_switch;
1526	0		err:
1527	0	0	if (md) EVP_MD_free(md);
1528	0	0	if (ctx) EVP_PKEY_CTX_free(ctx);
1529	0		CHECK_OPEN_SSL(0);
1530	205		verify_switch: ;
1531			#else
1532			verify_result = RSA_verify(p_rsa->hashMode,
1533			digest,
1534			get_digest_length(p_rsa->hashMode),
1535			sig,
1536			sig_length,
1537			p_rsa->rsa);
1538			#endif
1539	205		switch(verify_result)
1540			{
1541	146		case 0:
1542	146		ERR_clear_error();
1543	205		XSRETURN_NO;
1544			break;
1545	59		case 1:
1546	59		XSRETURN_YES;
1547			break;
1548	0		default:
1549	0		CHECK_OPEN_SSL(0);
1550	0		break;
1551			}
1552			}
1553
1554			int
1555			is_private(p_rsa)
1556			rsaData* p_rsa;
1557			CODE:
1558	13	100	RETVAL = _is_private(p_rsa);
1559			OUTPUT:
1560			RETVAL