/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #ifndef OPENSSL_HEADER_RSA_INTERNAL_H #define OPENSSL_HEADER_RSA_INTERNAL_H #include #include #include #if defined(__cplusplus) extern "C" { #endif typedef struct bn_blinding_st BN_BLINDING; struct rsa_meth_st { void *app_data; int (*init)(RSA *rsa); int (*finish)(RSA *rsa); // size returns the size of the RSA modulus in bytes. size_t (*size)(const RSA *rsa); // Set via |RSA_meth_set_sign|. The default behavior for |sign| is // implemented in |RSA_sign|. If custom functionality is provided, |sign| // will be invoked within |RSA_sign|. int (*sign)(int type, const uint8_t *m, unsigned int m_length, uint8_t *sigret, unsigned int *siglen, const RSA *rsa); // Set via |RSA_meth_set_priv_enc|. |sign_raw| is equivalent to the // |priv_enc| field of OpenSSL's |RSA_METHOD| struct. The default behavior // for |sign_raw| is implemented in |RSA_sign_raw|. If custom // functionality is provided, |sign_raw| will be invoked within // |RSA_sign_raw|. int (*sign_raw)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, int padding); // Set via |RSA_meth_set_pub_dec|. |verify_raw| is equivalent to the // |pub_dec| field of OpenSSL's |RSA_METHOD| struct. The default behavior // for |verify_raw| is implemented in |RSA_verify_raw|. If custom // functionality is provided, |verify_raw| will be invoked within // |RSA_verify_raw|. int (*verify_raw)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, int padding); // Set via |RSA_meth_set_priv_dec|. |decrypt| is equivalent to the // |priv_dec| field of OpenSSL's |RSA_METHOD| struct. The default behavior // for |decrypt| is implemented in |RSA_decrypt|. If custom // functionality is provided, |decrypt| will be invoked within // |RSA_decrypt|. int (*decrypt)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, int padding); // Set via |RSA_meth_set_pub_enc|. |encrypt| is equivalent to the // |pub_enc| field of OpenSSL's |RSA_METHOD| struct. The default behavior // for |encrypt| is implemented in |RSA_encrypt|. If custom // functionality is provided, |encrypt| will be invoked within // |RSA_encrypt|. int (*encrypt)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, int padding); // private_transform takes a big-endian integer from |in|, calculates the // d'th power of it, modulo the RSA modulus and writes the result as a // big-endian integer to |out|. Both |in| and |out| are |len| bytes long and // |len| is always equal to |RSA_size(rsa)|. If the result of the transform // can be represented in fewer than |len| bytes, then |out| must be zero // padded on the left. // // It returns one on success and zero otherwise. // // RSA decrypt and sign operations will call this, thus an ENGINE might wish // to override it in order to avoid having to implement the padding // functionality demanded by those, higher level, operations. int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len); int flags; }; struct rsa_st { const RSA_METHOD *meth; BIGNUM *n; BIGNUM *e; BIGNUM *d; BIGNUM *p; BIGNUM *q; BIGNUM *dmp1; BIGNUM *dmq1; BIGNUM *iqmp; // If a PSS only key this contains the parameter restrictions. RSASSA_PSS_PARAMS *pss; // be careful using this if the RSA structure is shared CRYPTO_EX_DATA ex_data; CRYPTO_refcount_t references; int flags; CRYPTO_MUTEX lock; // Used to cache montgomery values. The creation of these values is protected // by |lock|. BN_MONT_CTX *mont_n; BN_MONT_CTX *mont_p; BN_MONT_CTX *mont_q; // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively, // but with the correct widths to prevent side channels. These must use // separate copies due to threading concerns caused by OpenSSL's API // mistakes. See https://github.com/openssl/openssl/issues/5158 and // the |freeze_private_key| implementation. BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed; // iqmp_mont is q^-1 mod p in Montgomery form, using |mont_p|. BIGNUM *iqmp_mont; // num_blindings contains the size of the |blindings| and |blindings_inuse| // arrays. This member and the |blindings_inuse| array are protected by // |lock|. size_t num_blindings; // blindings is an array of BN_BLINDING structures that can be reserved by a // thread by locking |lock| and changing the corresponding element in // |blindings_inuse| from 0 to 1. BN_BLINDING **blindings; unsigned char *blindings_inuse; uint64_t blinding_fork_generation; // private_key_frozen is one if the key has been used for a private key // operation and may no longer be mutated. unsigned private_key_frozen:1; }; #define RSA_PKCS1_PADDING_SIZE 11 // Default implementations of RSA operations. size_t rsa_default_size(const RSA *rsa); int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len); BN_BLINDING *BN_BLINDING_new(void); void BN_BLINDING_free(BN_BLINDING *b); void BN_BLINDING_invalidate(BN_BLINDING *b); int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e, const BN_MONT_CTX *mont_ctx, BN_CTX *ctx); int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont_ctx, BN_CTX *ctx); int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len); int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len, size_t max_out, const uint8_t *from, size_t from_len); int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len); // rsa_private_transform_no_self_test calls either the method-specific // |private_transform| function (if given) or the generic one. See the comment // for |private_transform| in |rsa_meth_st|. int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len); // rsa_private_transform acts the same as |rsa_private_transform_no_self_test| // but, in FIPS mode, performs an RSA self test before calling the default RSA // implementation. int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len); // rsa_invalidate_key is called after |rsa| has been mutated, to invalidate // fields derived from the original structure. This function assumes exclusive // access to |rsa|. In particular, no other thread may be concurrently signing, // etc., with |rsa|. void rsa_invalidate_key(RSA *rsa); // This constant is exported for test purposes. extern const BN_ULONG kBoringSSLRSASqrtTwo[]; extern const size_t kBoringSSLRSASqrtTwoLen; // Functions that avoid self-tests. // // Self-tests need to call functions that don't try and ensure that the // self-tests have passed. These functions, in turn, need to limit themselves // to such functions too. // // These functions are the same as their public versions, but skip the self-test // check. int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest, size_t digest_len, const uint8_t *sig, size_t sig_len, RSA *rsa); int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest, size_t digest_len, uint8_t *out, unsigned *out_len, RSA *rsa); // rsa_digestsign_no_self_test calculates the digest and calls // |rsa_sign_no_self_test|, which doesn't try to run the self-test first. This // is for use in the self tests themselves, to prevent an infinite loop. int rsa_digestsign_no_self_test(const EVP_MD *md, const uint8_t *input, size_t in_len, uint8_t *out, unsigned *out_len, RSA *rsa); // rsa_digestverify_no_self_test calculates the digest and calls // |rsa_verify_no_self_test|, which doesn't try to run the self-test first. This // is for use in the self tests themselves, to prevent an infinite loop. int rsa_digestverify_no_self_test(const EVP_MD *md, const uint8_t *input, size_t in_len, const uint8_t *sig, size_t sig_len, RSA *rsa); // Performs several checks on the public component of the given RSA key. // See the implemetation in |rsa.c| for details. int is_public_component_of_rsa_key_good(const RSA *key); #if defined(__cplusplus) } // extern C #endif #endif // OPENSSL_HEADER_RSA_INTERNAL_H