/*
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef OSSL_CRYPTO_RSA_LOCAL_H
#define OSSL_CRYPTO_RSA_LOCAL_H
#include <openssl/rsa.h>
#include "internal/refcount.h"
RSA: Add a less loaded PSS-parameter structure
RSA_PSS_PARAMS carries with it a lot of baggage in form of X509_ALGOR
and ASN1_INTEGER, which we would rather avoid in our providers.
Therefore, we create a parallel structure - RSA_PSS_PARAMS_30 - that
contains the same information, but uses numeric identities (*) and C
integers (**). This makes it simpler to handle.
Note that neither this structure nor its contents are passed between
libcrypto and the providers. Instead, the numeric identities are
translated to and from names, which are then passed over that
boundary.
For future considerations, we might consider dropping RSA_PSS_PARAMS
entirely. For now, it's still reserved for EVP_PKEY_ASN1_METHOD code,
while RSA_PSS_PARAMS_30 is (almost entirely) reserved for use in our
providers.
(*) We use NIDs in this case, because we already have them and because
only algorithms that libcrypto knows about are permitted in PSS
restrictions. We could use any number series we want, as long as we
know for sure what they represent.
(**) That's for saltlen and for trailerfield, which are never expected
to exceed the range of a regular 'int'.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11710)
#include "crypto/rsa.h"
/*
 * Upper bound on the number of primes an RSA key may carry.  The multi-prime
 * form (RFC 8017) is what the prime_infos field of struct rsa_st holds;
 * presumably this bound is enforced by the key-generation and parsing code
 * rather than here - confirm against the callers.
 */
#define RSA_MAX_PRIME_NUM 5
/*
 * Smallest modulus size, in bits, the RSA code treats as acceptable.
 * NOTE(review): 512 bits is far below current key-size guidance; presumably
 * a legacy/interoperability floor rather than a security recommendation -
 * confirm where this bound is applied.
 */
#define RSA_MIN_MODULUS_BITS 512
/*
 * Per-prime data for the primes beyond p and q of a multi-prime RSA key
 * (p and q themselves live directly in struct rsa_st).  The meaning of the
 * individual fields is inferred from their names and from the multi-prime
 * CRT parameters of RFC 8017 - confirm against the multi-prime code.
 */
typedef struct rsa_prime_info_st {
    /* the prime factor itself */
    BIGNUM *r;
    /* presumably the CRT exponent for this prime (d mod (r - 1)) */
    BIGNUM *d;
    /* presumably the CRT coefficient for this prime */
    BIGNUM *t;
    /* save product of primes prior to this one */
    BIGNUM *pp;
    /* Montgomery context, presumably cached for reductions modulo r */
    BN_MONT_CTX *m;
} RSA_PRIME_INFO;
/*
 * ASN.1 item and STACK_OF() accessors for RSA_PRIME_INFO; the stack type is
 * what the prime_infos field of struct rsa_st holds.
 */
DECLARE_ASN1_ITEM(RSA_PRIME_INFO)
DEFINE_STACK_OF(RSA_PRIME_INFO)
/*
 * The RSA key object behind the public RSA type.  Field order is part of the
 * layout contract (see dummy_zero) and must not be changed.
 */
struct rsa_st {
    /*
     * #legacy
     * The first field is used to pickup errors where this is passed
     * instead of an EVP_PKEY. It is always zero.
     * THIS MUST REMAIN THE FIRST FIELD.
     */
    int dummy_zero;

    /*
     * Library context this key belongs to; presumably the one handed to the
     * *_with_libctx helpers declared below - confirm against the callers.
     */
    OPENSSL_CTX *libctx;
    /* Key version number; NOTE(review): presumably the ASN.1 version field - confirm */
    int32_t version;
    /* Dispatch table for the RSA primitives (struct rsa_meth_st below) */
    const RSA_METHOD *meth;
    /* functional reference if 'meth' is ENGINE-provided */
    ENGINE *engine;
    /* Public key: modulus and public exponent */
    BIGNUM *n;
    BIGNUM *e;
    /* Private exponent; NULL for a public-only key is assumed - confirm */
    BIGNUM *d;
    /* The two primary prime factors */
    BIGNUM *p;
    BIGNUM *q;
    /*
     * CRT accelerators, as the names denote: d mod (p-1), d mod (q-1) and
     * q^-1 mod p.
     */
    BIGNUM *dmp1;
    BIGNUM *dmq1;
    BIGNUM *iqmp;

    /*
     * If a PSS only key this contains the parameter restrictions.
     * There are two structures for the same thing, used in different cases.
     */
    /* This is used uniquely by OpenSSL provider implementations. */
    RSA_PSS_PARAMS_30 pss_params;
#ifndef FIPS_MODULE
    /* This is used uniquely by rsa_ameth.c and rsa_pmeth.c. */
    RSA_PSS_PARAMS *pss;
#endif

#ifndef FIPS_MODULE
    /* for multi-prime RSA, defined in RFC 8017 */
    STACK_OF(RSA_PRIME_INFO) *prime_infos;
    /* Be careful using this if the RSA structure is shared */
    CRYPTO_EX_DATA ex_data;
#endif
    /* Reference count; the object is shared, so use the CRYPTO_REF_COUNT API */
    CRYPTO_REF_COUNT references;
    /* RSA_FLAG_* bits, presumably - confirm against the public header */
    int flags;
    /* Used to cache montgomery values */
    BN_MONT_CTX *_method_mod_n;
    BN_MONT_CTX *_method_mod_p;
    BN_MONT_CTX *_method_mod_q;
    /*
     * all BIGNUM values are actually in the following data, if it is not
     * NULL
     */
    char *bignum_data;
    /*
     * Blinding state; presumably used to blind private-key operations
     * against timing side channels, with mt_blinding serving the
     * multi-threaded case - confirm against rsa_ossl.c.
     */
    BN_BLINDING *blinding;
    BN_BLINDING *mt_blinding;
    /* Lock guarding the mutable, lazily-built state above - confirm which fields */
    CRYPTO_RWLOCK *lock;

    /*
     * NOTE(review): presumably bumped whenever key material changes so that
     * cached derived state can be invalidated - confirm against the users.
     */
    int dirty_cnt;
};
/*
 * Method table behind RSA_METHOD: the hooks an implementation (software,
 * ENGINE or otherwise) supplies for the RSA primitives.  Only hooks that are
 * explicitly commented "Can be null" may be omitted; the others are assumed
 * to be present - confirm against the dispatch code.
 */
struct rsa_meth_st {
    /* Human-readable name of this implementation */
    char *name;
    /*
     * The four raw RSA operations.  flen bytes at 'from' are processed into
     * 'to'; 'padding' selects the padding scheme.  The return convention
     * (presumably the output length, or -1 on error, as for the public
     * RSA_*_encrypt()/RSA_*_decrypt() API) should be confirmed against
     * the callers.
     */
    int (*rsa_pub_enc) (int flen, const unsigned char *from,
                        unsigned char *to, RSA *rsa, int padding);
    int (*rsa_pub_dec) (int flen, const unsigned char *from,
                        unsigned char *to, RSA *rsa, int padding);
    int (*rsa_priv_enc) (int flen, const unsigned char *from,
                         unsigned char *to, RSA *rsa, int padding);
    int (*rsa_priv_dec) (int flen, const unsigned char *from,
                         unsigned char *to, RSA *rsa, int padding);
    /* Can be null */
    /* Private-key modular exponentiation of I into r0, presumably using CRT */
    int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
    /* Can be null */
    /* Generic modular exponentiation hook; m_ctx is a Montgomery context for m */
    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
    /* called at new */
    int (*init) (RSA *rsa);
    /* called at free */
    int (*finish) (RSA *rsa);
    /* RSA_METHOD_FLAG_* things */
    int flags;
    /* may be needed! */
    char *app_data;
    /*
     * New sign and verify functions: some libraries don't allow arbitrary
     * data to be signed/verified: this allows them to be used. Note: for
     * this to work the RSA_public_decrypt() and RSA_private_encrypt() should
     * *NOT* be used RSA_sign(), RSA_verify() should be used instead.
     */
    /* 'type'/'dtype' is presumably the digest NID of the hashed message - confirm */
    int (*rsa_sign) (int type,
                     const unsigned char *m, unsigned int m_length,
                     unsigned char *sigret, unsigned int *siglen,
                     const RSA *rsa);
    int (*rsa_verify) (int dtype, const unsigned char *m,
                       unsigned int m_length, const unsigned char *sigbuf,
                       unsigned int siglen, const RSA *rsa);
    /*
     * If this callback is NULL, the builtin software RSA key-gen will be
     * used. This is for behavioural compatibility whilst the code gets
     * rewired, but one day it would be nice to assume there are no such
     * things as "builtin software" implementations.
     */
    int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
    /*
     * Multi-prime variant of rsa_keygen; 'primes' is the prime count,
     * presumably bounded by RSA_MAX_PRIME_NUM - confirm.
     */
    int (*rsa_multi_prime_keygen) (RSA *rsa, int bits, int primes,
                                   BIGNUM *e, BN_GENCB *cb);
};
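/*
 * Macros to test if a pkey or ctx is for a PSS key.
 * The argument is parenthesised so that any expression yielding the
 * pointer (not only a plain identifier) is dereferenced as a whole.
 */
#define pkey_is_pss(pkey) ((pkey)->ameth->pkey_id == EVP_PKEY_RSA_PSS)
#define pkey_ctx_is_pss(ctx) ((ctx)->pmeth->pkey_id == EVP_PKEY_RSA_PSS)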
/*
 * PSS parameter helpers for the legacy RSA_PSS_PARAMS structure (used by the
 * EVP_PKEY_ASN1_METHOD side, see the 'pss' field of struct rsa_st).
 * rsa_pss_params_create() returns a newly allocated object, presumably owned
 * by the caller; rsa_pss_get_param() reports the digest, MGF1 digest and
 * salt length through the out-pointers.
 */
RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd,
                                      const EVP_MD *mgf1md, int saltlen);
int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
                      const EVP_MD **pmgf1md, int *psaltlen);
/* internal function to clear and free multi-prime parameters */
void rsa_multip_info_free_ex(RSA_PRIME_INFO *pinfo);
void rsa_multip_info_free(RSA_PRIME_INFO *pinfo);
RSA_PRIME_INFO *rsa_multip_info_new(void);
/* Recompute the cached prime products ('pp' fields) of rsa->prime_infos */
int rsa_multip_calc_product(RSA *rsa);
/* Presumably the maximum prime count allowed for a modulus of 'bits' bits - confirm */
int rsa_multip_cap(int bits);

/*
 * SP 800-56B / FIPS 186-4 key-generation and key-validation checks.  The
 * return convention is presumably 1 for pass and 0 for fail, as elsewhere in
 * libcrypto - confirm against rsa_sp800_56b_*.c.  These are the checks that
 * reject weak or malformed parameters (small |p - q|, out-of-range primes,
 * unacceptable public exponent, inconsistent CRT components) before a key is
 * used, so callers must not skip them on untrusted key material.
 */
int rsa_sp800_56b_validate_strength(int nbits, int strength);
int rsa_check_pminusq_diff(BIGNUM *diff, const BIGNUM *p, const BIGNUM *q,
                           int nbits);
int rsa_get_lcm(BN_CTX *ctx, const BIGNUM *p, const BIGNUM *q,
                BIGNUM *lcm, BIGNUM *gcd, BIGNUM *p1, BIGNUM *q1,
                BIGNUM *p1q1);

int rsa_check_public_exponent(const BIGNUM *e);
int rsa_check_private_exponent(const RSA *rsa, int nbits, BN_CTX *ctx);
int rsa_check_prime_factor(BIGNUM *p, BIGNUM *e, int nbits, BN_CTX *ctx);
int rsa_check_prime_factor_range(const BIGNUM *p, int nbits, BN_CTX *ctx);
int rsa_check_crt_components(const RSA *rsa, BN_CTX *ctx);

/* Pairwise consistency test and public/private/keypair validation */
int rsa_sp800_56b_pairwise_test(RSA *rsa, BN_CTX *ctx);
int rsa_sp800_56b_check_public(const RSA *rsa);
int rsa_sp800_56b_check_private(const RSA *rsa);
int rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
                                int strength, int nbits);
/* Key generation; 'efixed' is the public exponent to use (NULL semantics - confirm) */
int rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed,
                               BN_GENCB *cb);

/* Derive d and the CRT components from p, q and e already set in 'rsa' */
int rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits,
                                        const BIGNUM *e, BN_CTX *ctx);
/*
 * FIPS 186-4 probable-prime generation.  The Xp*/Xq* arguments are the
 * (optional, presumably for known-answer testing) random seeds for p, q and
 * their auxiliary primes; the *out arguments receive the values actually
 * used - confirm against rsa_sp800_56b_gen.c.
 */
int rsa_fips186_4_gen_prob_primes(RSA *rsa, BIGNUM *p1, BIGNUM *p2,
                                  BIGNUM *Xpout, const BIGNUM *Xp,
                                  const BIGNUM *Xp1, const BIGNUM *Xp2,
                                  BIGNUM *q1, BIGNUM *q2, BIGNUM *Xqout,
                                  const BIGNUM *Xq, const BIGNUM *Xq1,
                                  const BIGNUM *Xq2, int nbits,
                                  const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);

/*
 * Encryption-side padding with an explicit library context (presumably for
 * the random bytes the padding needs).  'flen' bytes at 'from' are padded
 * into the 'tlen'-byte buffer 'to'; 'tlen' should be the modulus size.
 * Only the *adding* side is declared here; the matching checks run on
 * decryption live elsewhere.
 */
int rsa_padding_add_SSLv23_with_libctx(OPENSSL_CTX *libctx, unsigned char *to,
                                       int tlen, const unsigned char *from,
                                       int flen);
int rsa_padding_add_PKCS1_type_2_with_libctx(OPENSSL_CTX *libctx,
                                             unsigned char *to, int tlen,
                                             const unsigned char *from,
                                             int flen);
#endif /* OSSL_CRYPTO_RSA_LOCAL_H */