1 // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_RSA_INTERNAL_H 16 #define OPENSSL_HEADER_CRYPTO_FIPSMODULE_RSA_INTERNAL_H 17 18 #include <openssl/base.h> 19 20 #include <openssl/bn.h> 21 #include <openssl/rsa.h> 22 23 #include "../../internal.h" 24 25 #if defined(__cplusplus) 26 extern "C" { 27 #endif 28 29 30 typedef struct bn_blinding_st BN_BLINDING; 31 32 struct rsa_st { 33 RSA_METHOD *meth; 34 35 BIGNUM *n; 36 BIGNUM *e; 37 BIGNUM *d; 38 BIGNUM *p; 39 BIGNUM *q; 40 BIGNUM *dmp1; 41 BIGNUM *dmq1; 42 BIGNUM *iqmp; 43 44 // be careful using this if the RSA structure is shared 45 CRYPTO_EX_DATA ex_data; 46 CRYPTO_refcount_t references; 47 int flags; 48 49 CRYPTO_MUTEX lock; 50 51 // Used to cache montgomery values. The creation of these values is protected 52 // by |lock|. 53 BN_MONT_CTX *mont_n; 54 BN_MONT_CTX *mont_p; 55 BN_MONT_CTX *mont_q; 56 57 // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively, 58 // but with the correct widths to prevent side channels. These must use 59 // separate copies due to threading concerns caused by OpenSSL's API 60 // mistakes. See https://github.com/openssl/openssl/issues/5158 and 61 // the |freeze_private_key| implementation. 62 BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed; 63 64 // iqmp_mont is q^-1 mod p in Montgomery form, using |mont_p|. 65 BIGNUM *iqmp_mont; 66 67 // num_blindings contains the size of the |blindings| and |blindings_inuse| 68 // arrays. This member and the |blindings_inuse| array are protected by 69 // |lock|. 70 size_t num_blindings; 71 // blindings is an array of BN_BLINDING structures that can be reserved by a 72 // thread by locking |lock| and changing the corresponding element in 73 // |blindings_inuse| from 0 to 1. 74 BN_BLINDING **blindings; 75 unsigned char *blindings_inuse; 76 uint64_t blinding_fork_generation; 77 78 // private_key_frozen is one if the key has been used for a private key 79 // operation and may no longer be mutated. 80 unsigned private_key_frozen:1; 81 }; 82 83 84 #define RSA_PKCS1_PADDING_SIZE 11 85 86 // Default implementations of RSA operations. 87 88 const RSA_METHOD *RSA_default_method(void); 89 90 int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, 91 size_t max_out, const uint8_t *in, size_t in_len, 92 int padding); 93 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, 94 size_t len); 95 96 97 BN_BLINDING *BN_BLINDING_new(void); 98 void BN_BLINDING_free(BN_BLINDING *b); 99 void BN_BLINDING_invalidate(BN_BLINDING *b); 100 int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e, 101 const BN_MONT_CTX *mont_ctx, BN_CTX *ctx); 102 int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont_ctx, 103 BN_CTX *ctx); 104 105 106 int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len, 107 const EVP_MD *md); 108 int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len, 109 const uint8_t *from, size_t from_len); 110 int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len, 111 size_t max_out, const uint8_t *from, 112 size_t from_len); 113 int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from, 114 size_t from_len); 115 116 // rsa_check_public_key checks that |rsa|'s public modulus and exponent are 117 // within DoS bounds. 118 int rsa_check_public_key(const RSA *rsa); 119 120 // rsa_private_transform_no_self_test calls either the method-specific 121 // |private_transform| function (if given) or the generic one. See the comment 122 // for |private_transform| in |rsa_meth_st|. 123 int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out, 124 const uint8_t *in, size_t len); 125 126 // rsa_private_transform acts the same as |rsa_private_transform_no_self_test| 127 // but, in FIPS mode, performs an RSA self test before calling the default RSA 128 // implementation. 129 int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, 130 size_t len); 131 132 // rsa_invalidate_key is called after |rsa| has been mutated, to invalidate 133 // fields derived from the original structure. This function assumes exclusive 134 // access to |rsa|. In particular, no other thread may be concurrently signing, 135 // etc., with |rsa|. 136 void rsa_invalidate_key(RSA *rsa); 137 138 139 // This constant is exported for test purposes. 140 extern const BN_ULONG kBoringSSLRSASqrtTwo[]; 141 extern const size_t kBoringSSLRSASqrtTwoLen; 142 143 144 // Functions that avoid self-tests. 145 // 146 // Self-tests need to call functions that don't try and ensure that the 147 // self-tests have passed. These functions, in turn, need to limit themselves 148 // to such functions too. 149 // 150 // These functions are the same as their public versions, but skip the self-test 151 // check. 152 153 int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest, 154 size_t digest_len, const uint8_t *sig, 155 size_t sig_len, RSA *rsa); 156 157 int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, 158 size_t max_out, const uint8_t *in, 159 size_t in_len, int padding); 160 161 int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest, 162 size_t digest_len, uint8_t *out, unsigned *out_len, 163 RSA *rsa); 164 165 166 #if defined(__cplusplus) 167 } // extern C 168 #endif 169 170 #endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_RSA_INTERNAL_H 171