xref: /aosp_15_r20/external/boringssl/src/crypto/fipsmodule/rsa/internal.h (revision 8fb009dc861624b67b6cdb62ea21f0f22d0c584b) 
1 /* Copyright (C) 1995-1998 Eric Young ([email protected])
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young ([email protected]).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson ([email protected]).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young ([email protected])"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson ([email protected])"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #ifndef OPENSSL_HEADER_RSA_INTERNAL_H
58 #define OPENSSL_HEADER_RSA_INTERNAL_H
59 
60 #include <openssl/base.h>
61 
62 #include <openssl/bn.h>
63 #include <openssl/rsa.h>
64 
65 #include "../../internal.h"
66 
67 #if defined(__cplusplus)
68 extern "C" {
69 #endif
70 
71 
72 typedef struct bn_blinding_st BN_BLINDING;
73 
74 struct rsa_st {
75   RSA_METHOD *meth;
76 
77   BIGNUM *n;
78   BIGNUM *e;
79   BIGNUM *d;
80   BIGNUM *p;
81   BIGNUM *q;
82   BIGNUM *dmp1;
83   BIGNUM *dmq1;
84   BIGNUM *iqmp;
85 
86   // be careful using this if the RSA structure is shared
87   CRYPTO_EX_DATA ex_data;
88   CRYPTO_refcount_t references;
89   int flags;
90 
91   CRYPTO_MUTEX lock;
92 
93   // Used to cache montgomery values. The creation of these values is protected
94   // by |lock|.
95   BN_MONT_CTX *mont_n;
96   BN_MONT_CTX *mont_p;
97   BN_MONT_CTX *mont_q;
98 
99   // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively,
100   // but with the correct widths to prevent side channels. These must use
101   // separate copies due to threading concerns caused by OpenSSL's API
102   // mistakes. See https://github.com/openssl/openssl/issues/5158 and
103   // the |freeze_private_key| implementation.
104   BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed;
105 
106   // iqmp_mont is q^-1 mod p in Montgomery form, using |mont_p|.
107   BIGNUM *iqmp_mont;
108 
109   // num_blindings contains the size of the |blindings| and |blindings_inuse|
110   // arrays. This member and the |blindings_inuse| array are protected by
111   // |lock|.
112   size_t num_blindings;
113   // blindings is an array of BN_BLINDING structures that can be reserved by a
114   // thread by locking |lock| and changing the corresponding element in
115   // |blindings_inuse| from 0 to 1.
116   BN_BLINDING **blindings;
117   unsigned char *blindings_inuse;
118   uint64_t blinding_fork_generation;
119 
120   // private_key_frozen is one if the key has been used for a private key
121   // operation and may no longer be mutated.
122   unsigned private_key_frozen:1;
123 };
124 
125 
126 #define RSA_PKCS1_PADDING_SIZE 11
127 
128 // Default implementations of RSA operations.
129 
130 const RSA_METHOD *RSA_default_method(void);
131 
132 size_t rsa_default_size(const RSA *rsa);
133 int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
134                          size_t max_out, const uint8_t *in, size_t in_len,
135                          int padding);
136 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
137                                   size_t len);
138 
139 
140 BN_BLINDING *BN_BLINDING_new(void);
141 void BN_BLINDING_free(BN_BLINDING *b);
142 void BN_BLINDING_invalidate(BN_BLINDING *b);
143 int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e,
144                         const BN_MONT_CTX *mont_ctx, BN_CTX *ctx);
145 int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont_ctx,
146                        BN_CTX *ctx);
147 
148 
149 int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len,
150                const EVP_MD *md);
151 int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,
152                                  const uint8_t *from, size_t from_len);
153 int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len,
154                                    size_t max_out, const uint8_t *from,
155                                    size_t from_len);
156 int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
157                          size_t from_len);
158 
159 // rsa_check_public_key checks that |rsa|'s public modulus and exponent are
160 // within DoS bounds.
161 int rsa_check_public_key(const RSA *rsa);
162 
163 // rsa_private_transform_no_self_test calls either the method-specific
164 // |private_transform| function (if given) or the generic one. See the comment
165 // for |private_transform| in |rsa_meth_st|.
166 int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out,
167                                        const uint8_t *in, size_t len);
168 
169 // rsa_private_transform acts the same as |rsa_private_transform_no_self_test|
170 // but, in FIPS mode, performs an RSA self test before calling the default RSA
171 // implementation.
172 int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
173                           size_t len);
174 
175 // rsa_invalidate_key is called after |rsa| has been mutated, to invalidate
176 // fields derived from the original structure. This function assumes exclusive
177 // access to |rsa|. In particular, no other thread may be concurrently signing,
178 // etc., with |rsa|.
179 void rsa_invalidate_key(RSA *rsa);
180 
181 
182 // This constant is exported for test purposes.
183 extern const BN_ULONG kBoringSSLRSASqrtTwo[];
184 extern const size_t kBoringSSLRSASqrtTwoLen;
185 
186 
187 // Functions that avoid self-tests.
188 //
189 // Self-tests need to call functions that don't try and ensure that the
190 // self-tests have passed. These functions, in turn, need to limit themselves
191 // to such functions too.
192 //
193 // These functions are the same as their public versions, but skip the self-test
194 // check.
195 
196 int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest,
197                             size_t digest_len, const uint8_t *sig,
198                             size_t sig_len, RSA *rsa);
199 
200 int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out,
201                                 size_t max_out, const uint8_t *in,
202                                 size_t in_len, int padding);
203 
204 int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest,
205                           size_t digest_len, uint8_t *out, unsigned *out_len,
206                           RSA *rsa);
207 
208 
209 #if defined(__cplusplus)
210 }  // extern C
211 #endif
212 
213 #endif  // OPENSSL_HEADER_RSA_INTERNAL_H
214