external/boringssl: Sync to d89d65ba12e28e543df4fd9dfbc687bb8be1dba7.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/45210dd4e21ace9d28cb76b3f83303fcdd2efcce..d89d65ba12e28e543df4fd9dfbc687bb8be1dba7
Test: BoringSSL CTS Presubmits.
Change-Id: I2dc13b549eac1f345553da07b7fb66824fc77204
diff --git a/src/include/openssl/rsa.h b/src/include/openssl/rsa.h
index 1731f14..7059e7c 100644
--- a/src/include/openssl/rsa.h
+++ b/src/include/openssl/rsa.h
@@ -117,6 +117,9 @@
//
// |d| may be NULL, but |n| and |e| must either be non-NULL or already
// configured on |rsa|.
+//
+// It is an error to call this function after |rsa| has been used for a
+// cryptographic operation. Construct a new |RSA| object instead.
OPENSSL_EXPORT int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d);
// RSA_set0_factors sets |rsa|'s prime factors to |p| and |q|, if non-NULL, and
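Review bot: The new sentence on RSA_set0_key says calling it after use is an error but not how that error surfaces, so a caller cannot tell whether to expect a zero return, an entry on the error queue, or undefined behaviour; the same gap is in the RSA_set0_factors and RSA_set0_crt_params hunks below. Given the `private_key_frozen` flag added to `struct rsa_st` later in this patch, the check is presumably made at runtime, but the header should state the contract, e.g. `// It is an error to call this function after |rsa| has been used for a` / `// cryptographic operation; it then returns zero. Construct a new |RSA| object` / `// instead.` — adjusted to whatever the implementation (not visible here) actually does.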
@@ -124,6 +127,9 @@
// returns one. Otherwise, it returns zero.
//
// Each argument must either be non-NULL or already configured on |rsa|.
+//
+// It is an error to call this function after |rsa| has been used for a
+// cryptographic operation. Construct a new |RSA| object instead.
OPENSSL_EXPORT int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q);
// RSA_set0_crt_params sets |rsa|'s CRT parameters to |dmp1|, |dmq1|, and
@@ -131,6 +137,9 @@
// ownership of its parameters and returns one. Otherwise, it returns zero.
//
// Each argument must either be non-NULL or already configured on |rsa|.
+//
+// It is an error to call this function after |rsa| has been used for a
+// cryptographic operation. Construct a new |RSA| object instead.
OPENSSL_EXPORT int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1,
BIGNUM *iqmp);
@@ -627,6 +636,9 @@
struct rsa_st {
RSA_METHOD *meth;
+ // Access to the following fields was historically allowed, but
+ // deprecated. Use |RSA_get0_*| and |RSA_set0_*| instead. Access to all other
+ // fields is forbidden and will cause threading errors.
BIGNUM *n;
BIGNUM *e;
BIGNUM *d;
@@ -649,6 +661,18 @@
BN_MONT_CTX *mont_p;
BN_MONT_CTX *mont_q;
+ // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively,
+ // but with the correct widths to prevent side channels. These must use
+ // separate copies due to threading concerns caused by OpenSSL's API
+ // mistakes. See https://github.com/openssl/openssl/issues/5158 and
+ // the |freeze_private_key| implementation.
+ BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed;
+
+ // inv_small_mod_large_mont is q^-1 mod p in Montgomery form, using |mont_p|,
+ // if |p| >= |q|. Otherwise, it is p^-1 mod q in Montgomery form, using
+ // |mont_q|.
+ BIGNUM *inv_small_mod_large_mont;
+
// num_blindings contains the size of the |blindings| and |blindings_inuse|
// arrays. This member and the |blindings_inuse| array are protected by
// |lock|.
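Review bot: The condition `if |p| >= |q|` in the inv_small_mod_large_mont comment is ambiguous in a file where |x| otherwise marks an identifier: it can be read as a comparison of the integers or of their bit widths, and the two differ precisely when the primes have unequal widths, which is the side-channel case the preceding comment is concerned with. Suggest `// if p >= q as integers. Otherwise, it is p^-1 mod q in Montgomery form, using`. The four new BIGNUM pointers also need to be released in `RSA_free` and reset wherever the key is otherwise mutated; that code is outside this diff, so it is worth confirming it was updated in the same sync.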
@@ -658,6 +682,10 @@
// |blindings_inuse| from 0 to 1.
BN_BLINDING **blindings;
unsigned char *blindings_inuse;
+
+ // private_key_frozen is one if the key has been used for a private key
+ // operation and may no longer be mutated.
+ unsigned private_key_frozen:1;
};
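Review bot: `private_key_frozen` is documented as set by a private key operation, while the setter comments earlier in this patch say any cryptographic operation makes further mutation an error; one of the two should be corrected so readers know whether a public-key operation such as verification also freezes the key. The field also carries no note about which lock protects it, unlike `num_blindings` and `blindings_inuse`, which are documented as protected by `|lock|`; a bitfield written by one thread while another reads it without synchronization is a data race, and the flag shares a storage unit with whatever the compiler packs next to it. Suggest appending the actual rule to the comment, e.g. `// Protected by |lock|.` or `// Set exactly once, under |lock|, before any private key operation completes.`, whichever matches the `freeze_private_key` implementation referenced above.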