• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #ifndef OPENSSL_HEADER_RSA_H
58 #define OPENSSL_HEADER_RSA_H
59 
60 #include <openssl/base.h>
61 
62 #include <openssl/engine.h>
63 #include <openssl/ex_data.h>
64 #include <openssl/thread.h>
65 
66 #if defined(__cplusplus)
67 extern "C" {
68 #endif
69 
70 
71 /* rsa.h contains functions for handling encryption and signature using RSA. */
72 
73 
74 /* Allocation and destruction. */
75 
76 /* RSA_new returns a new, empty RSA object or NULL on error. */
77 OPENSSL_EXPORT RSA *RSA_new(void);
78 
79 /* RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. */
80 OPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine);
81 
82 /* RSA_free decrements the reference count of |rsa| and frees it if the
83  * reference count drops to zero. */
84 OPENSSL_EXPORT void RSA_free(RSA *rsa);
85 
86 /* RSA_up_ref increments the reference count of |rsa|. */
87 OPENSSL_EXPORT int RSA_up_ref(RSA *rsa);
88 
89 
90 /* Key generation. */
91 
92 /* RSA_generate_key_ex generates a new RSA key where the modulus has size
93  * |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value
94  * for |e|. If |cb| is not NULL then it is called during the key generation
95  * process. In addition to the calls documented for |BN_generate_prime_ex|, it
96  * is called with event=2 when the n'th prime is rejected as unsuitable and
97  * with event=3 when a suitable value for |p| is found.
98  *
99  * It returns one on success or zero on error. */
100 OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
101                                        BN_GENCB *cb);
102 
103 
104 /* Encryption / Decryption */
105 
106 /* Padding types for encryption. */
107 #define RSA_PKCS1_PADDING 1
108 #define RSA_NO_PADDING 3
109 #define RSA_PKCS1_OAEP_PADDING 4
110 /* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */
111 #define RSA_PKCS1_PSS_PADDING 6
112 
113 /* RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa|
114  * and writes, at most, |max_out| bytes of encrypted data to |out|. The
115  * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
116  *
117  * It returns 1 on success or zero on error.
118  *
119  * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
120  * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_OAEP_PADDING|
121  * is the most secure. */
122 OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out,
123                                size_t max_out, const uint8_t *in, size_t in_len,
124                                int padding);
125 
126 /* RSA_decrypt decrypts |in_len| bytes from |in| with the private key from
127  * |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The
128  * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
129  *
130  * It returns 1 on success or zero on error.
131  *
132  * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
133  * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_OAEP_PADDING|
134  * is the most secure. */
135 OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out,
136                                size_t max_out, const uint8_t *in, size_t in_len,
137                                int padding);
138 
139 /* RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in
140  * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
141  * least |RSA_size| bytes of space. It returns the number of bytes written, or
142  * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
143  * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but
144  * |RSA_PKCS1_OAEP_PADDING| is the most secure.
145  *
146  * WARNING: this function is dangerous because it breaks the usual return value
147  * convention. Use |RSA_encrypt| instead. */
148 OPENSSL_EXPORT int RSA_public_encrypt(int flen, const uint8_t *from,
149                                       uint8_t *to, RSA *rsa, int padding);
150 
151 /* RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in
152  * |rsa| and writes the plaintext to |to|. The |to| buffer must have at
153  * least |RSA_size| bytes of space. It returns the number of bytes written, or
154  * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
155  * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but
156  * |RSA_PKCS1_OAEP_PADDING| is the most secure.
157  *
158  * WARNING: this function is dangerous because it breaks the usual return value
159  * convention. Use |RSA_decrypt| instead. */
160 OPENSSL_EXPORT int RSA_private_decrypt(int flen, const uint8_t *from,
161                                        uint8_t *to, RSA *rsa, int padding);
162 
163 /* RSA_message_index_PKCS1_type_2 performs the first step of a PKCS #1 padding
164  * check for decryption. If the |from_len| bytes pointed to at |from| are a
165  * valid PKCS #1 message, it returns one and sets |*out_index| to the start of
166  * the unpadded message. The unpadded message is a suffix of the input and has
167  * length |from_len - *out_index|. Otherwise, it returns zero and sets
168  * |*out_index| to zero. This function runs in time independent of the input
169  * data and is intended to be used directly to avoid Bleichenbacher's attack.
170  *
171  * WARNING: This function behaves differently from the usual OpenSSL convention
172  * in that it does NOT put an error on the queue in the error case. */
173 OPENSSL_EXPORT int RSA_message_index_PKCS1_type_2(const uint8_t *from,
174                                                   size_t from_len,
175                                                   size_t *out_index);
176 
177 
178 /* Signing / Verification */
179 
180 /* RSA_sign signs |in_len| bytes of digest from |in| with |rsa| and writes, at
181  * most, |RSA_size(rsa)| bytes to |out|. On successful return, the actual
182  * number of bytes written is written to |*out_len|.
183  *
184  * The |hash_nid| argument identifies the hash function used to calculate |in|
185  * and is embedded in the resulting signature. For example, it might be
186  * |NID_sha256|.
187  *
188  * It returns 1 on success and zero on error. */
189 OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in,
190                             unsigned int in_len, uint8_t *out,
191                             unsigned int *out_len, RSA *rsa);
192 
193 /* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa|
194  * and writes, at most, |max_out| bytes of signature data to |out|. The
195  * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
196  *
197  * It returns 1 on success or zero on error.
198  *
199  * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
200  * doubt, |RSA_PKCS1_PADDING| is the most common. */
201 OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
202                                 size_t max_out, const uint8_t *in,
203                                 size_t in_len, int padding);
204 
205 /* RSA_verify verifies that |sig_len| bytes from |sig| are a valid, PKCS#1
206  * signature of |msg_len| bytes at |msg| by |rsa|.
207  *
208  * The |hash_nid| argument identifies the hash function used to calculate |in|
209  * and is embedded in the resulting signature in order to prevent hash
210  * confusion attacks. For example, it might be |NID_sha256|.
211  *
212  * It returns one if the signature is valid and zero otherwise.
213  *
214  * WARNING: this differs from the original, OpenSSL function which additionally
215  * returned -1 on error. */
216 OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
217                               const uint8_t *sig, size_t sig_len, RSA *rsa);
218 
219 /* RSA_verify_raw verifies |in_len| bytes of signature from |in| using the
220  * public key from |rsa| and writes, at most, |max_out| bytes of plaintext to
221  * |out|. The |max_out| argument must be, at least, |RSA_size| in order to
222  * ensure success.
223  *
224  * It returns 1 on success or zero on error.
225  *
226  * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
227  * doubt, |RSA_PKCS1_PADDING| is the most common. */
228 OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
229                                   size_t max_out, const uint8_t *in,
230                                   size_t in_len, int padding);
231 
232 /* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
233  * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
234  * least |RSA_size| bytes of space. It returns the number of bytes written, or
235  * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
236  * values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
237  *
238  * WARNING: this function is dangerous because it breaks the usual return value
239  * convention. Use |RSA_sign_raw| instead. */
240 OPENSSL_EXPORT int RSA_private_encrypt(int flen, const uint8_t *from,
241                                        uint8_t *to, RSA *rsa, int padding);
242 
243 /* RSA_private_encrypt verifies |flen| bytes of signature from |from| using the
244  * public key in |rsa| and writes the plaintext to |to|. The |to| buffer must
245  * have at least |RSA_size| bytes of space. It returns the number of bytes
246  * written, or -1 on error. The |padding| argument must be one of the
247  * |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
248  *
249  * WARNING: this function is dangerous because it breaks the usual return value
250  * convention. Use |RSA_verify_raw| instead. */
251 OPENSSL_EXPORT int RSA_public_decrypt(int flen, const uint8_t *from,
252                                       uint8_t *to, RSA *rsa, int padding);
253 
254 
255 /* Utility functions. */
256 
257 /* RSA_size returns the number of bytes in the modulus, which is also the size
258  * of a signature or encrypted value using |rsa|. */
259 OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
260 
261 /* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
262  * material. Otherwise it returns zero. */
263 OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa);
264 
265 /* RSA_supports_digest returns one if |rsa| supports signing digests
266  * of type |md|. Otherwise it returns zero. */
267 OPENSSL_EXPORT int RSA_supports_digest(const RSA *rsa, const EVP_MD *md);
268 
269 /* RSAPublicKey_dup allocates a fresh |RSA| and copies the private key from
270  * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
271 OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa);
272 
273 /* RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from
274  * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
275 OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa);
276 
277 /* RSA_check_key performs basic validatity tests on |rsa|. It returns one if
278  * they pass and zero otherwise. Opaque keys and public keys always pass. If it
279  * returns zero then a more detailed error is available on the error queue. */
280 OPENSSL_EXPORT int RSA_check_key(const RSA *rsa);
281 
282 /* RSA_recover_crt_params uses |rsa->n|, |rsa->d| and |rsa->e| in order to
283  * calculate the two primes used and thus the precomputed, CRT values. These
284  * values are set in the |p|, |q|, |dmp1|, |dmq1| and |iqmp| members of |rsa|,
285  * which must be |NULL| on entry. It returns one on success and zero
286  * otherwise. */
287 OPENSSL_EXPORT int RSA_recover_crt_params(RSA *rsa);
288 
289 /* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
290  * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to
291  * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the
292  * hash function for generating the mask. If NULL, |Hash| is used. The |sLen|
293  * argument specifies the expected salt length in bytes. If |sLen| is -1 then
294  * the salt length is the same as the hash length. If -2, then the salt length
295  * is maximal and is taken from the size of |EM|.
296  *
297  * It returns one on success or zero on error. */
298 OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
299                                              const EVP_MD *Hash,
300                                              const EVP_MD *mgf1Hash,
301                                              const uint8_t *EM, int sLen);
302 
303 /* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|,
304  * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of
305  * output will be written to |EM|. The |mgf1Hash| argument specifies the hash
306  * function for generating the mask. If NULL, |Hash| is used. The |sLen|
307  * argument specifies the expected salt length in bytes. If |sLen| is -1 then
308  * the salt length is the same as the hash length. If -2, then the salt length
309  * is maximal given the space in |EM|.
310  *
311  * It returns one on success or zero on error. */
312 OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM,
313                                                   const uint8_t *mHash,
314                                                   const EVP_MD *Hash,
315                                                   const EVP_MD *mgf1Hash,
316                                                   int sLen);
317 
318 
319 /* ASN.1 functions. */
320 
321 /* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len|
322  * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
323  * is in |*out|. If |*out| is already non-NULL on entry then the result is
324  * written directly into |*out|, otherwise a fresh |RSA| is allocated. On
325  * successful exit, |*inp| is advanced past the DER structure. It returns the
326  * result or NULL on error. */
327 OPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len);
328 
329 /* i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not
330  * NULL then the result is written to |*outp| and |*outp| is advanced just past
331  * the output. It returns the number of bytes in the result, whether written or
332  * not, or a negative value on error. */
333 OPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp);
334 
335 /* d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len|
336  * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
337  * is in |*out|. If |*out| is already non-NULL on entry then the result is
338  * written directly into |*out|, otherwise a fresh |RSA| is allocated. On
339  * successful exit, |*inp| is advanced past the DER structure. It returns the
340  * result or NULL on error. */
341 OPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len);
342 
343 /* i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not
344  * NULL then the result is written to |*outp| and |*outp| is advanced just past
345  * the output. It returns the number of bytes in the result, whether written or
346  * not, or a negative value on error. */
347 OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp);
348 
349 
350 /* ex_data functions.
351  *
352  * See |ex_data.h| for details. */
353 
354 OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp,
355                                         CRYPTO_EX_new *new_func,
356                                         CRYPTO_EX_dup *dup_func,
357                                         CRYPTO_EX_free *free_func);
358 OPENSSL_EXPORT int RSA_set_ex_data(RSA *r, int idx, void *arg);
359 OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *r, int idx);
360 
361 /* RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key
362  * material. This may be set if, for instance, it is wrapping some other crypto
363  * API, like a platform key store. */
364 #define RSA_FLAG_OPAQUE 1
365 
366 /* RSA_FLAG_CACHE_PUBLIC causes a precomputed Montgomery context to be created,
367  * on demand, for the public key operations. */
368 #define RSA_FLAG_CACHE_PUBLIC 2
369 
370 /* RSA_FLAG_CACHE_PRIVATE causes a precomputed Montgomery context to be
371  * created, on demand, for the private key operations. */
372 #define RSA_FLAG_CACHE_PRIVATE 4
373 
374 /* RSA_FLAG_NO_BLINDING disables blinding of private operations. */
375 #define RSA_FLAG_NO_BLINDING 8
376 
377 /* RSA_FLAG_EXT_PKEY means that private key operations will be handled by
378  * |mod_exp| and that they do not depend on the private key components being
379  * present: for example a key stored in external hardware. */
380 #define RSA_FLAG_EXT_PKEY 0x20
381 
382 /* RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st|
383  * to be called when set. */
384 #define RSA_FLAG_SIGN_VER 0x40
385 
386 
387 /* RSA public exponent values. */
388 
389 #define RSA_3 0x3
390 #define RSA_F4 0x10001
391 
392 
393 /* Deprecated functions. */
394 
395 /* RSA_blinding_on returns one. */
396 OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
397 
398 
399 struct rsa_meth_st {
400   struct openssl_method_common_st common;
401 
402   void *app_data;
403 
404   int (*init)(RSA *rsa);
405   int (*finish)(RSA *rsa);
406 
407   /* size returns the size of the RSA modulus in bytes. */
408   size_t (*size)(const RSA *rsa);
409 
410   int (*sign)(int type, const uint8_t *m, unsigned int m_length,
411               uint8_t *sigret, unsigned int *siglen, const RSA *rsa);
412 
413   int (*verify)(int dtype, const uint8_t *m, unsigned int m_length,
414                 const uint8_t *sigbuf, unsigned int siglen, const RSA *rsa);
415 
416 
417   /* These functions mirror the |RSA_*| functions of the same name. */
418   int (*encrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
419                  const uint8_t *in, size_t in_len, int padding);
420   int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
421                   const uint8_t *in, size_t in_len, int padding);
422 
423   int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
424                  const uint8_t *in, size_t in_len, int padding);
425   int (*verify_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
426                     const uint8_t *in, size_t in_len, int padding);
427 
428   /* private_transform takes a big-endian integer from |in|, calculates the
429    * d'th power of it, modulo the RSA modulus and writes the result as a
430    * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and
431    * |len| is always equal to |RSA_size(rsa)|. If the result of the transform
432    * can be represented in fewer than |len| bytes, then |out| must be zero
433    * padded on the left.
434    *
435    * It returns one on success and zero otherwise.
436    *
437    * RSA decrypt and sign operations will call this, thus an ENGINE might wish
438    * to override it in order to avoid having to implement the padding
439    * functionality demanded by those, higher level, operations. */
440   int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in,
441                            size_t len);
442 
443   int (*mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
444                  BN_CTX *ctx); /* Can be null */
445   int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
446                     const BIGNUM *m, BN_CTX *ctx,
447                     BN_MONT_CTX *m_ctx);
448 
449   int flags;
450 
451   int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
452 
453   /* supports_digest returns one if |rsa| supports digests of type
454    * |md|. If null, it is assumed that all digests are supported. */
455   int (*supports_digest)(const RSA *rsa, const EVP_MD *md);
456 };
457 
458 
459 /* Private functions. */
460 
461 typedef struct bn_blinding_st BN_BLINDING;
462 
463 struct rsa_st {
464   /* version is only used during ASN.1 (de)serialisation. */
465   long version;
466   RSA_METHOD *meth;
467 
468   BIGNUM *n;
469   BIGNUM *e;
470   BIGNUM *d;
471   BIGNUM *p;
472   BIGNUM *q;
473   BIGNUM *dmp1;
474   BIGNUM *dmq1;
475   BIGNUM *iqmp;
476   /* be careful using this if the RSA structure is shared */
477   CRYPTO_EX_DATA ex_data;
478   CRYPTO_refcount_t references;
479   int flags;
480 
481   CRYPTO_MUTEX lock;
482 
483   /* Used to cache montgomery values. The creation of these values is protected
484    * by |lock|. */
485   BN_MONT_CTX *_method_mod_n;
486   BN_MONT_CTX *_method_mod_p;
487   BN_MONT_CTX *_method_mod_q;
488 
489   /* num_blindings contains the size of the |blindings| and |blindings_inuse|
490    * arrays. This member and the |blindings_inuse| array are protected by
491    * |lock|. */
492   unsigned num_blindings;
493   /* blindings is an array of BN_BLINDING structures that can be reserved by a
494    * thread by locking |lock| and changing the corresponding element in
495    * |blindings_inuse| from 0 to 1. */
496   BN_BLINDING **blindings;
497   unsigned char *blindings_inuse;
498 };
499 
500 
501 #if defined(__cplusplus)
502 }  /* extern C */
503 #endif
504 
505 #define RSA_F_BN_BLINDING_convert_ex 100
506 #define RSA_F_BN_BLINDING_create_param 101
507 #define RSA_F_BN_BLINDING_invert_ex 102
508 #define RSA_F_BN_BLINDING_new 103
509 #define RSA_F_BN_BLINDING_update 104
510 #define RSA_F_RSA_check_key 105
511 #define RSA_F_RSA_new_method 106
512 #define RSA_F_RSA_padding_add_PKCS1_OAEP_mgf1 107
513 #define RSA_F_RSA_padding_add_PKCS1_PSS_mgf1 108
514 #define RSA_F_RSA_padding_add_PKCS1_type_1 109
515 #define RSA_F_RSA_padding_add_PKCS1_type_2 110
516 #define RSA_F_RSA_padding_add_none 111
517 #define RSA_F_RSA_padding_check_PKCS1_OAEP_mgf1 112
518 #define RSA_F_RSA_padding_check_PKCS1_type_1 113
519 #define RSA_F_RSA_padding_check_PKCS1_type_2 114
520 #define RSA_F_RSA_padding_check_none 115
521 #define RSA_F_RSA_recover_crt_params 116
522 #define RSA_F_RSA_sign 117
523 #define RSA_F_RSA_verify 118
524 #define RSA_F_RSA_verify_PKCS1_PSS_mgf1 119
525 #define RSA_F_decrypt 120
526 #define RSA_F_encrypt 121
527 #define RSA_F_keygen 122
528 #define RSA_F_pkcs1_prefixed_msg 123
529 #define RSA_F_private_transform 124
530 #define RSA_F_rsa_setup_blinding 125
531 #define RSA_F_sign_raw 126
532 #define RSA_F_verify_raw 127
533 #define RSA_R_BAD_E_VALUE 100
534 #define RSA_R_BAD_FIXED_HEADER_DECRYPT 101
535 #define RSA_R_BAD_PAD_BYTE_COUNT 102
536 #define RSA_R_BAD_RSA_PARAMETERS 103
537 #define RSA_R_BAD_SIGNATURE 104
538 #define RSA_R_BLOCK_TYPE_IS_NOT_01 105
539 #define RSA_R_BN_NOT_INITIALIZED 106
540 #define RSA_R_CRT_PARAMS_ALREADY_GIVEN 107
541 #define RSA_R_CRT_VALUES_INCORRECT 108
542 #define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 109
543 #define RSA_R_DATA_TOO_LARGE 110
544 #define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 111
545 #define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 112
546 #define RSA_R_DATA_TOO_SMALL 113
547 #define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 114
548 #define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 115
549 #define RSA_R_D_E_NOT_CONGRUENT_TO_1 116
550 #define RSA_R_EMPTY_PUBLIC_KEY 117
551 #define RSA_R_FIRST_OCTET_INVALID 118
552 #define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 119
553 #define RSA_R_INTERNAL_ERROR 120
554 #define RSA_R_INVALID_MESSAGE_LENGTH 121
555 #define RSA_R_KEY_SIZE_TOO_SMALL 122
556 #define RSA_R_LAST_OCTET_INVALID 123
557 #define RSA_R_MODULUS_TOO_LARGE 124
558 #define RSA_R_NO_PUBLIC_EXPONENT 125
559 #define RSA_R_NULL_BEFORE_BLOCK_MISSING 126
560 #define RSA_R_N_NOT_EQUAL_P_Q 127
561 #define RSA_R_OAEP_DECODING_ERROR 128
562 #define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 129
563 #define RSA_R_OUTPUT_BUFFER_TOO_SMALL 130
564 #define RSA_R_PADDING_CHECK_FAILED 131
565 #define RSA_R_PKCS_DECODING_ERROR 132
566 #define RSA_R_SLEN_CHECK_FAILED 133
567 #define RSA_R_SLEN_RECOVERY_FAILED 134
568 #define RSA_R_TOO_LONG 135
569 #define RSA_R_TOO_MANY_ITERATIONS 136
570 #define RSA_R_UNKNOWN_ALGORITHM_TYPE 137
571 #define RSA_R_UNKNOWN_PADDING_TYPE 138
572 #define RSA_R_VALUE_MISSING 139
573 #define RSA_R_WRONG_SIGNATURE_LENGTH 140
574 
575 #endif  /* OPENSSL_HEADER_RSA_H */
576