1 /* 2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #ifndef OPENSSL_HEADER_RSA_INTERNAL_H 11 #define OPENSSL_HEADER_RSA_INTERNAL_H 12 13 #include <openssl/base.h> 14 15 #include <openssl/bn.h> 16 #include <openssl/rsa.h> 17 18 #include "../../internal.h" 19 20 #if defined(__cplusplus) 21 extern "C" { 22 #endif 23 24 25 typedef struct bn_blinding_st BN_BLINDING; 26 27 struct rsa_st { 28 RSA_METHOD *meth; 29 30 BIGNUM *n; 31 BIGNUM *e; 32 BIGNUM *d; 33 BIGNUM *p; 34 BIGNUM *q; 35 BIGNUM *dmp1; 36 BIGNUM *dmq1; 37 BIGNUM *iqmp; 38 39 // be careful using this if the RSA structure is shared 40 CRYPTO_EX_DATA ex_data; 41 CRYPTO_refcount_t references; 42 int flags; 43 44 CRYPTO_MUTEX lock; 45 46 // Used to cache montgomery values. The creation of these values is protected 47 // by |lock|. 48 BN_MONT_CTX *mont_n; 49 BN_MONT_CTX *mont_p; 50 BN_MONT_CTX *mont_q; 51 52 // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively, 53 // but with the correct widths to prevent side channels. These must use 54 // separate copies due to threading concerns caused by OpenSSL's API 55 // mistakes. See https://github.com/openssl/openssl/issues/5158 and 56 // the |freeze_private_key| implementation. 57 BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed; 58 59 // iqmp_mont is q^-1 mod p in Montgomery form, using |mont_p|. 60 BIGNUM *iqmp_mont; 61 62 // num_blindings contains the size of the |blindings| and |blindings_inuse| 63 // arrays. This member and the |blindings_inuse| array are protected by 64 // |lock|. 65 size_t num_blindings; 66 // blindings is an array of BN_BLINDING structures that can be reserved by a 67 // thread by locking |lock| and changing the corresponding element in 68 // |blindings_inuse| from 0 to 1. 69 BN_BLINDING **blindings; 70 unsigned char *blindings_inuse; 71 uint64_t blinding_fork_generation; 72 73 // private_key_frozen is one if the key has been used for a private key 74 // operation and may no longer be mutated. 75 unsigned private_key_frozen:1; 76 }; 77 78 79 #define RSA_PKCS1_PADDING_SIZE 11 80 81 // Default implementations of RSA operations. 82 83 const RSA_METHOD *RSA_default_method(void); 84 85 size_t rsa_default_size(const RSA *rsa); 86 int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, 87 size_t max_out, const uint8_t *in, size_t in_len, 88 int padding); 89 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, 90 size_t len); 91 92 93 BN_BLINDING *BN_BLINDING_new(void); 94 void BN_BLINDING_free(BN_BLINDING *b); 95 void BN_BLINDING_invalidate(BN_BLINDING *b); 96 int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e, 97 const BN_MONT_CTX *mont_ctx, BN_CTX *ctx); 98 int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont_ctx, 99 BN_CTX *ctx); 100 101 102 int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len, 103 const EVP_MD *md); 104 int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len, 105 const uint8_t *from, size_t from_len); 106 int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len, 107 size_t max_out, const uint8_t *from, 108 size_t from_len); 109 int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from, 110 size_t from_len); 111 112 // rsa_check_public_key checks that |rsa|'s public modulus and exponent are 113 // within DoS bounds. 114 int rsa_check_public_key(const RSA *rsa); 115 116 // rsa_private_transform_no_self_test calls either the method-specific 117 // |private_transform| function (if given) or the generic one. See the comment 118 // for |private_transform| in |rsa_meth_st|. 119 int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out, 120 const uint8_t *in, size_t len); 121 122 // rsa_private_transform acts the same as |rsa_private_transform_no_self_test| 123 // but, in FIPS mode, performs an RSA self test before calling the default RSA 124 // implementation. 125 int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, 126 size_t len); 127 128 // rsa_invalidate_key is called after |rsa| has been mutated, to invalidate 129 // fields derived from the original structure. This function assumes exclusive 130 // access to |rsa|. In particular, no other thread may be concurrently signing, 131 // etc., with |rsa|. 132 void rsa_invalidate_key(RSA *rsa); 133 134 135 // This constant is exported for test purposes. 136 extern const BN_ULONG kBoringSSLRSASqrtTwo[]; 137 extern const size_t kBoringSSLRSASqrtTwoLen; 138 139 140 // Functions that avoid self-tests. 141 // 142 // Self-tests need to call functions that don't try and ensure that the 143 // self-tests have passed. These functions, in turn, need to limit themselves 144 // to such functions too. 145 // 146 // These functions are the same as their public versions, but skip the self-test 147 // check. 148 149 int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest, 150 size_t digest_len, const uint8_t *sig, 151 size_t sig_len, RSA *rsa); 152 153 int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, 154 size_t max_out, const uint8_t *in, 155 size_t in_len, int padding); 156 157 int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest, 158 size_t digest_len, uint8_t *out, unsigned *out_len, 159 RSA *rsa); 160 161 162 #if defined(__cplusplus) 163 } // extern C 164 #endif 165 166 #endif // OPENSSL_HEADER_RSA_INTERNAL_H 167