openssl/crypto/rsa/rsa_locl.h

/*
 * Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/rsa.h>
#include "internal/refcount.h"

#define RSA_MAX_PRIME_NUM       5
#define RSA_MIN_MODULUS_BITS    512

typedef struct rsa_prime_info_st {
    BIGNUM *r;
    BIGNUM *d;
    BIGNUM *t;
    /* save product of primes prior to this one */
    BIGNUM *pp;
    BN_MONT_CTX *m;
} RSA_PRIME_INFO;

DECLARE_ASN1_ITEM(RSA_PRIME_INFO)
DEFINE_STACK_OF(RSA_PRIME_INFO)

struct rsa_st {
    /*
     * The first parameter is used to pickup errors where this is passed
     * instead of an EVP_PKEY, it is set to 0
     */
    int pad;
    int32_t version;
    const RSA_METHOD *meth;
    /* functional reference if 'meth' is ENGINE-provided */
    ENGINE *engine;
    BIGNUM *n;
    BIGNUM *e;
    BIGNUM *d;
    BIGNUM *p;
    BIGNUM *q;
    BIGNUM *dmp1;
    BIGNUM *dmq1;
    BIGNUM *iqmp;
    /* for multi-prime RSA, defined in RFC 8017 */
    STACK_OF(RSA_PRIME_INFO) *prime_infos;
    /* If a PSS only key this contains the parameter restrictions */
    RSA_PSS_PARAMS *pss;
    /* be careful using this if the RSA structure is shared */
    CRYPTO_EX_DATA ex_data;
    CRYPTO_REF_COUNT references;
    int flags;
    /* Used to cache montgomery values */
    BN_MONT_CTX *_method_mod_n;
    BN_MONT_CTX *_method_mod_p;
    BN_MONT_CTX *_method_mod_q;
    /*
     * all BIGNUM values are actually in the following data, if it is not
     * NULL
     */
    char *bignum_data;
    BN_BLINDING *blinding;
    BN_BLINDING *mt_blinding;
    CRYPTO_RWLOCK *lock;
};

struct rsa_meth_st {
    char *name;
    int (*rsa_pub_enc) (int flen, const unsigned char *from,
                        unsigned char *to, RSA *rsa, int padding);
    int (*rsa_pub_dec) (int flen, const unsigned char *from,
                        unsigned char *to, RSA *rsa, int padding);
    int (*rsa_priv_enc) (int flen, const unsigned char *from,
                         unsigned char *to, RSA *rsa, int padding);
    int (*rsa_priv_dec) (int flen, const unsigned char *from,
                         unsigned char *to, RSA *rsa, int padding);
    /* Can be null */
    int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
    /* Can be null */
    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
    /* called at new */
    int (*init) (RSA *rsa);
    /* called at free */
    int (*finish) (RSA *rsa);
    /* RSA_METHOD_FLAG_* things */
    int flags;
    /* may be needed! */
    char *app_data;
    /*
     * New sign and verify functions: some libraries don't allow arbitrary
     * data to be signed/verified: this allows them to be used. Note: for
     * this to work the RSA_public_decrypt() and RSA_private_encrypt() should
     * *NOT* be used RSA_sign(), RSA_verify() should be used instead.
     */
    int (*rsa_sign) (int type,
                     const unsigned char *m, unsigned int m_length,
                     unsigned char *sigret, unsigned int *siglen,
                     const RSA *rsa);
    int (*rsa_verify) (int dtype, const unsigned char *m,
                       unsigned int m_length, const unsigned char *sigbuf,
                       unsigned int siglen, const RSA *rsa);
    /*
     * If this callback is NULL, the builtin software RSA key-gen will be
     * used. This is for behavioural compatibility whilst the code gets
     * rewired, but one day it would be nice to assume there are no such
     * things as "builtin software" implementations.
     */
    int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
    int (*rsa_multi_prime_keygen) (RSA *rsa, int bits, int primes,
                                   BIGNUM *e, BN_GENCB *cb);
};

extern int int_rsa_verify(int dtype, const unsigned char *m,
                          unsigned int m_len, unsigned char *rm,
                          size_t *prm_len, const unsigned char *sigbuf,
                          size_t siglen, RSA *rsa);
/* Macros to test if a pkey or ctx is for a PSS key */
#define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
#define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)

RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd,
                                      const EVP_MD *mgf1md, int saltlen);
int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
                      const EVP_MD **pmgf1md, int *psaltlen);
/* internal function to clear and free multi-prime parameters */
void rsa_multip_info_free_ex(RSA_PRIME_INFO *pinfo);
void rsa_multip_info_free(RSA_PRIME_INFO *pinfo);
RSA_PRIME_INFO *rsa_multip_info_new(void);
int rsa_multip_calc_product(RSA *rsa);
int rsa_multip_cap(int bits);
Make the RSA structure opaque Move rsa_st away from public headers. Add accessor/writer functions for the public RSA data. Adapt all other source to use the accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 13:12:58 +00:00			`/*`
Support multi-prime RSA (RFC 8017) * Introduce RSA_generate_multi_prime_key to generate multi-prime RSA private key. As well as the following functions: RSA_get_multi_prime_extra_count RSA_get0_multi_prime_factors RSA_get0_multi_prime_crt_params RSA_set0_multi_prime_params RSA_get_version * Support EVP operations for multi-prime RSA * Support ASN.1 operations for multi-prime RSA * Support multi-prime check in RSA_check_key_ex * Support multi-prime RSA in apps/genrsa and apps/speed * Support multi-prime RSA manipulation functions * Test cases and documentation are added * CHANGES is updated Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4241) 2017-08-01 18:19:43 +00:00			`* Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.`
Make the RSA structure opaque Move rsa_st away from public headers. Add accessor/writer functions for the public RSA data. Adapt all other source to use the accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 13:12:58 +00:00			`*`
Following the license change, modify the boilerplates in crypto/rsa/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7814) 2018-12-06 12:54:02 +00:00			`* Licensed under the Apache License 2.0 (the "License"). You may not use`
Copyright consolidation 08/10 Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-17 18:51:34 +00:00			`* this file except in compliance with the License. You can obtain a copy`
			`* in the file LICENSE in the source distribution or at`
Make the RSA structure opaque Move rsa_st away from public headers. Add accessor/writer functions for the public RSA data. Adapt all other source to use the accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 13:12:58 +00:00			`* https://www.openssl.org/source/license.html`
			`*/`

			`#include <openssl/rsa.h>`
Add support for reference counting using C11 atomics Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #1500 2016-08-27 14:01:08 +00:00			`#include "internal/refcount.h"`
Make the RSA structure opaque Move rsa_st away from public headers. Add accessor/writer functions for the public RSA data. Adapt all other source to use the accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 13:12:58 +00:00
Minor cleanup of the rsa mp limits code Reduce RSA_MAX_PRIME_NUM to 5. Remove no longer used RSA_MIN_PRIME_SIZE. Make rsa_multip_cap honor RSA_MAX_PRIME_NUM. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4905) 2017-12-11 15:10:36 +00:00			`#define RSA_MAX_PRIME_NUM 5`
			`#define RSA_MIN_MODULUS_BITS 512`
Support multi-prime RSA (RFC 8017) * Introduce RSA_generate_multi_prime_key to generate multi-prime RSA private key. As well as the following functions: RSA_get_multi_prime_extra_count RSA_get0_multi_prime_factors RSA_get0_multi_prime_crt_params RSA_set0_multi_prime_params RSA_get_version * Support EVP operations for multi-prime RSA * Support ASN.1 operations for multi-prime RSA * Support multi-prime check in RSA_check_key_ex * Support multi-prime RSA in apps/genrsa and apps/speed * Support multi-prime RSA manipulation functions * Test cases and documentation are added * CHANGES is updated Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4241) 2017-08-01 18:19:43 +00:00
			`typedef struct rsa_prime_info_st {`
			`BIGNUM *r;`
			`BIGNUM *d;`
			`BIGNUM *t;`
			`/* save product of primes prior to this one */`
			`BIGNUM *pp;`
			`BN_MONT_CTX *m;`
			`} RSA_PRIME_INFO;`

			`DECLARE_ASN1_ITEM(RSA_PRIME_INFO)`
			`DEFINE_STACK_OF(RSA_PRIME_INFO)`

Make the RSA structure opaque Move rsa_st away from public headers. Add accessor/writer functions for the public RSA data. Adapt all other source to use the accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 13:12:58 +00:00			`struct rsa_st {`
			`/*`
			`* The first parameter is used to pickup errors where this is passed`
Fix minor typo in comment in rsa_st CLA: trivial Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4845) 2017-12-05 11:01:14 +00:00			`* instead of an EVP_PKEY, it is set to 0`
Make the RSA structure opaque Move rsa_st away from public headers. Add accessor/writer functions for the public RSA data. Adapt all other source to use the accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 13:12:58 +00:00			`*/`
			`int pad;`
Act on deprecation of LONG and ZLONG, step 2 Replace all remaining uses of LONG and ZLONG with INT32 / ZINT32. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3126) 2017-04-05 11:24:14 +00:00			`int32_t version;`
Make the RSA structure opaque Move rsa_st away from public headers. Add accessor/writer functions for the public RSA data. Adapt all other source to use the accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 13:12:58 +00:00			`const RSA_METHOD *meth;`
			`/* functional reference if 'meth' is ENGINE-provided */`
			`ENGINE *engine;`
			`BIGNUM *n;`
			`BIGNUM *e;`
			`BIGNUM *d;`
			`BIGNUM *p;`
			`BIGNUM *q;`
			`BIGNUM *dmp1;`
			`BIGNUM *dmq1;`
			`BIGNUM *iqmp;`
Support multi-prime RSA (RFC 8017) * Introduce RSA_generate_multi_prime_key to generate multi-prime RSA private key. As well as the following functions: RSA_get_multi_prime_extra_count RSA_get0_multi_prime_factors RSA_get0_multi_prime_crt_params RSA_set0_multi_prime_params RSA_get_version * Support EVP operations for multi-prime RSA * Support ASN.1 operations for multi-prime RSA * Support multi-prime check in RSA_check_key_ex * Support multi-prime RSA in apps/genrsa and apps/speed * Support multi-prime RSA manipulation functions * Test cases and documentation are added * CHANGES is updated Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4241) 2017-08-01 18:19:43 +00:00			`/* for multi-prime RSA, defined in RFC 8017 */`
			`STACK_OF(RSA_PRIME_INFO) *prime_infos;`
Add pss field to RSA structure and free it. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2177) 2016-11-21 01:34:56 +00:00			`/* If a PSS only key this contains the parameter restrictions */`
			`RSA_PSS_PARAMS *pss;`
Make the RSA structure opaque Move rsa_st away from public headers. Add accessor/writer functions for the public RSA data. Adapt all other source to use the accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 13:12:58 +00:00			`/* be careful using this if the RSA structure is shared */`
			`CRYPTO_EX_DATA ex_data;`
Add support for reference counting using C11 atomics Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #1500 2016-08-27 14:01:08 +00:00			`CRYPTO_REF_COUNT references;`
Make the RSA structure opaque Move rsa_st away from public headers. Add accessor/writer functions for the public RSA data. Adapt all other source to use the accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 13:12:58 +00:00			`int flags;`
			`/* Used to cache montgomery values */`
			`BN_MONT_CTX *_method_mod_n;`
			`BN_MONT_CTX *_method_mod_p;`
			`BN_MONT_CTX *_method_mod_q;`
			`/*`
			`* all BIGNUM values are actually in the following data, if it is not`
			`* NULL`
			`*/`
			`char *bignum_data;`
			`BN_BLINDING *blinding;`
			`BN_BLINDING *mt_blinding;`
			`CRYPTO_RWLOCK *lock;`
			`};`

Make the RSA_METHOD structure opaque Move rsa_meth_st away from public headers. Add RSA_METHOD creator/destructor functions. Add RSA_METHOD accessor/writer functions. Adapt all other source to use the creator, destructor, accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 16:46:17 +00:00			`struct rsa_meth_st {`
			`char *name;`
			`int (rsa_pub_enc) (int flen, const unsigned char from,`
			`unsigned char to, RSA rsa, int padding);`
			`int (rsa_pub_dec) (int flen, const unsigned char from,`
			`unsigned char to, RSA rsa, int padding);`
			`int (rsa_priv_enc) (int flen, const unsigned char from,`
			`unsigned char to, RSA rsa, int padding);`
			`int (rsa_priv_dec) (int flen, const unsigned char from,`
			`unsigned char to, RSA rsa, int padding);`
			`/* Can be null */`
			`int (rsa_mod_exp) (BIGNUM r0, const BIGNUM I, RSA rsa, BN_CTX *ctx);`
			`/* Can be null */`
			`int (bn_mod_exp) (BIGNUM r, const BIGNUM a, const BIGNUM p,`
			`const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);`
			`/* called at new */`
			`int (init) (RSA rsa);`
			`/* called at free */`
			`int (finish) (RSA rsa);`
			`/* RSA_METHOD_FLAG_* things */`
			`int flags;`
			`/* may be needed! */`
			`char *app_data;`
			`/*`
			`* New sign and verify functions: some libraries don't allow arbitrary`
			`* data to be signed/verified: this allows them to be used. Note: for`
			`* this to work the RSA_public_decrypt() and RSA_private_encrypt() should`
			`* NOT be used RSA_sign(), RSA_verify() should be used instead.`
			`*/`
			`int (*rsa_sign) (int type,`
			`const unsigned char *m, unsigned int m_length,`
			`unsigned char sigret, unsigned int siglen,`
			`const RSA *rsa);`
			`int (rsa_verify) (int dtype, const unsigned char m,`
			`unsigned int m_length, const unsigned char *sigbuf,`
			`unsigned int siglen, const RSA *rsa);`
			`/*`
			`* If this callback is NULL, the builtin software RSA key-gen will be`
			`* used. This is for behavioural compatibility whilst the code gets`
			`* rewired, but one day it would be nice to assume there are no such`
			`* things as "builtin software" implementations.`
			`*/`
			`int (rsa_keygen) (RSA rsa, int bits, BIGNUM e, BN_GENCB cb);`
Support multi-prime RSA (RFC 8017) * Introduce RSA_generate_multi_prime_key to generate multi-prime RSA private key. As well as the following functions: RSA_get_multi_prime_extra_count RSA_get0_multi_prime_factors RSA_get0_multi_prime_crt_params RSA_set0_multi_prime_params RSA_get_version * Support EVP operations for multi-prime RSA * Support ASN.1 operations for multi-prime RSA * Support multi-prime check in RSA_check_key_ex * Support multi-prime RSA in apps/genrsa and apps/speed * Support multi-prime RSA manipulation functions * Test cases and documentation are added * CHANGES is updated Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4241) 2017-08-01 18:19:43 +00:00			`int (rsa_multi_prime_keygen) (RSA rsa, int bits, int primes,`
			`BIGNUM e, BN_GENCB cb);`
Make the RSA_METHOD structure opaque Move rsa_meth_st away from public headers. Add RSA_METHOD creator/destructor functions. Add RSA_METHOD accessor/writer functions. Adapt all other source to use the creator, destructor, accessors and writers. Reviewed-by: Matt Caswell <matt@openssl.org> 2016-04-02 16:46:17 +00:00			`};`

Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`extern int int_rsa_verify(int dtype, const unsigned char *m,`
			`unsigned int m_len, unsigned char *rm,`
			`size_t prm_len, const unsigned char sigbuf,`
			`size_t siglen, RSA *rsa);`
Add macros to determine if key or ctx is PSS. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2177) 2016-12-01 21:46:31 +00:00			`/* Macros to test if a pkey or ctx is for a PSS key */`
			`#define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)`
			`#define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)`
Split PSS parameter creation. Split PSS parameter creation. This adds a new function rsa_pss_params_create which creates PSS parameters from digest and salt values. This will be used for PSS key generation. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2177) 2016-11-21 01:35:30 +00:00
			`RSA_PSS_PARAMS rsa_pss_params_create(const EVP_MD sigmd,`
			`const EVP_MD *mgf1md, int saltlen);`
Add rsa_pss_get_param. New function rsa_pss_get_param to extract and sanity check PSS parameters. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2177) 2016-12-05 14:00:48 +00:00			`int rsa_pss_get_param(const RSA_PSS_PARAMS pss, const EVP_MD *pmd,`
			`const EVP_MD *pmgf1md, int psaltlen);`
Support multi-prime RSA (RFC 8017) * Introduce RSA_generate_multi_prime_key to generate multi-prime RSA private key. As well as the following functions: RSA_get_multi_prime_extra_count RSA_get0_multi_prime_factors RSA_get0_multi_prime_crt_params RSA_set0_multi_prime_params RSA_get_version * Support EVP operations for multi-prime RSA * Support ASN.1 operations for multi-prime RSA * Support multi-prime check in RSA_check_key_ex * Support multi-prime RSA in apps/genrsa and apps/speed * Support multi-prime RSA manipulation functions * Test cases and documentation are added * CHANGES is updated Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4241) 2017-08-01 18:19:43 +00:00			`/* internal function to clear and free multi-prime parameters */`
			`void rsa_multip_info_free_ex(RSA_PRIME_INFO *pinfo);`
			`void rsa_multip_info_free(RSA_PRIME_INFO *pinfo);`
			`RSA_PRIME_INFO *rsa_multip_info_new(void);`
			`int rsa_multip_calc_product(RSA *rsa);`
rsa/rsa_lib.c: make RSA_security_bits multi-prime aware. Multi-prime RSA security is not determined by modulus length alone, but depends even on number of primes. Too many primes render security inadequate, but there is no common amount of primes or common factors' length that provide equivalent secuity promise as two-prime for given modulus length. Maximum amount of permitted primes is determined according to following table. <1024 \| >=1024 \| >=4096 \| >=8192 ------+--------+--------+------- 2 \| 3 \| 4 \| 5 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4791) 2017-11-24 20:31:11 +00:00			`int rsa_multip_cap(int bits);`