Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 2 | * All rights reserved. |
| 3 | * |
| 4 | * This package is an SSL implementation written |
| 5 | * by Eric Young (eay@cryptsoft.com). |
| 6 | * The implementation was written so as to conform with Netscapes SSL. |
| 7 | * |
| 8 | * This library is free for commercial and non-commercial use as long as |
| 9 | * the following conditions are aheared to. The following conditions |
| 10 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 12 | * included with this distribution is covered by the same copyright terms |
| 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
| 14 | * |
| 15 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 16 | * the code are not to be removed. |
| 17 | * If this package is used in a product, Eric Young should be given attribution |
| 18 | * as the author of the parts of the library used. |
| 19 | * This can be in the form of a textual message at program startup or |
| 20 | * in documentation (online or textual) provided with the package. |
| 21 | * |
| 22 | * Redistribution and use in source and binary forms, with or without |
| 23 | * modification, are permitted provided that the following conditions |
| 24 | * are met: |
| 25 | * 1. Redistributions of source code must retain the copyright |
| 26 | * notice, this list of conditions and the following disclaimer. |
| 27 | * 2. Redistributions in binary form must reproduce the above copyright |
| 28 | * notice, this list of conditions and the following disclaimer in the |
| 29 | * documentation and/or other materials provided with the distribution. |
| 30 | * 3. All advertising materials mentioning features or use of this software |
| 31 | * must display the following acknowledgement: |
| 32 | * "This product includes cryptographic software written by |
| 33 | * Eric Young (eay@cryptsoft.com)" |
| 34 | * The word 'cryptographic' can be left out if the rouines from the library |
| 35 | * being used are not cryptographic related :-). |
| 36 | * 4. If you include any Windows specific code (or a derivative thereof) from |
| 37 | * the apps directory (application code) you must include an acknowledgement: |
| 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
| 39 | * |
| 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 50 | * SUCH DAMAGE. |
| 51 | * |
| 52 | * The licence and distribution terms for any publically available version or |
| 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 54 | * copied and put under another distribution licence |
| 55 | * [including the GNU Public Licence.] */ |
| 56 | |
| 57 | #ifndef OPENSSL_HEADER_RSA_H |
| 58 | #define OPENSSL_HEADER_RSA_H |
| 59 | |
| 60 | #include <openssl/base.h> |
| 61 | |
| 62 | #include <openssl/engine.h> |
| 63 | #include <openssl/ex_data.h> |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 64 | #include <openssl/thread.h> |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 65 | |
| 66 | #if defined(__cplusplus) |
| 67 | extern "C" { |
| 68 | #endif |
| 69 | |
| 70 | |
| 71 | /* rsa.h contains functions for handling encryption and signature using RSA. */ |
| 72 | |
| 73 | |
| 74 | /* Allocation and destruction. */ |
| 75 | |
| 76 | /* RSA_new returns a new, empty RSA object or NULL on error. */ |
| 77 | OPENSSL_EXPORT RSA *RSA_new(void); |
| 78 | |
| 79 | /* RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. */ |
| 80 | OPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine); |
| 81 | |
| 82 | /* RSA_free decrements the reference count of |rsa| and frees it if the |
| 83 | * reference count drops to zero. */ |
| 84 | OPENSSL_EXPORT void RSA_free(RSA *rsa); |
| 85 | |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 86 | /* RSA_up_ref increments the reference count of |rsa| and returns one. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 87 | OPENSSL_EXPORT int RSA_up_ref(RSA *rsa); |
| 88 | |
| 89 | |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 90 | /* Properties. */ |
| 91 | |
| 92 | /* RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s |
| 93 | * modulus, public exponent, and private exponent, respectively. If |rsa| is a |
| 94 | * public key, the private exponent will be set to NULL. */ |
| 95 | OPENSSL_EXPORT void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, |
| 96 | const BIGNUM **out_e, const BIGNUM **out_d); |
| 97 | |
| 98 | /* RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 99 | * factors. If |rsa| is a public key, they will be set to NULL. */ |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 100 | OPENSSL_EXPORT void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, |
| 101 | const BIGNUM **out_q); |
| 102 | |
| 103 | /* RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if |
| 104 | * non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and |
| 105 | * q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 106 | * set to NULL. */ |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 107 | OPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, |
| 108 | const BIGNUM **out_dmq1, |
| 109 | const BIGNUM **out_iqmp); |
| 110 | |
| 111 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 112 | /* Key generation. */ |
| 113 | |
| 114 | /* RSA_generate_key_ex generates a new RSA key where the modulus has size |
| 115 | * |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value |
| 116 | * for |e|. If |cb| is not NULL then it is called during the key generation |
| 117 | * process. In addition to the calls documented for |BN_generate_prime_ex|, it |
| 118 | * is called with event=2 when the n'th prime is rejected as unsuitable and |
| 119 | * with event=3 when a suitable value for |p| is found. |
| 120 | * |
| 121 | * It returns one on success or zero on error. */ |
| 122 | OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, |
| 123 | BN_GENCB *cb); |
| 124 | |
| 125 | |
| 126 | /* Encryption / Decryption */ |
| 127 | |
| 128 | /* Padding types for encryption. */ |
| 129 | #define RSA_PKCS1_PADDING 1 |
| 130 | #define RSA_NO_PADDING 3 |
| 131 | #define RSA_PKCS1_OAEP_PADDING 4 |
| 132 | /* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */ |
| 133 | #define RSA_PKCS1_PSS_PADDING 6 |
| 134 | |
| 135 | /* RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa| |
| 136 | * and writes, at most, |max_out| bytes of encrypted data to |out|. The |
| 137 | * |max_out| argument must be, at least, |RSA_size| in order to ensure success. |
| 138 | * |
| 139 | * It returns 1 on success or zero on error. |
| 140 | * |
| 141 | * The |padding| argument must be one of the |RSA_*_PADDING| values. If in |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 142 | * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but |
| 143 | * |RSA_PKCS1_PADDING| is most common. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 144 | OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, |
| 145 | size_t max_out, const uint8_t *in, size_t in_len, |
| 146 | int padding); |
| 147 | |
| 148 | /* RSA_decrypt decrypts |in_len| bytes from |in| with the private key from |
| 149 | * |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The |
| 150 | * |max_out| argument must be, at least, |RSA_size| in order to ensure success. |
| 151 | * |
| 152 | * It returns 1 on success or zero on error. |
| 153 | * |
| 154 | * The |padding| argument must be one of the |RSA_*_PADDING| values. If in |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 155 | * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. |
| 156 | * |
| 157 | * Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If |
| 158 | * implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then |
| 159 | * check padding in constant-time combined with a swap to a random session key |
| 160 | * or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based |
| 161 | * on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in |
| 162 | * Cryptology (Crypto '98). */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 163 | OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, |
| 164 | size_t max_out, const uint8_t *in, size_t in_len, |
| 165 | int padding); |
| 166 | |
| 167 | /* RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in |
| 168 | * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at |
| 169 | * least |RSA_size| bytes of space. It returns the number of bytes written, or |
| 170 | * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 171 | * values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but |
| 172 | * |RSA_PKCS1_PADDING| is most common. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 173 | * |
| 174 | * WARNING: this function is dangerous because it breaks the usual return value |
| 175 | * convention. Use |RSA_encrypt| instead. */ |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 176 | OPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from, |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 177 | uint8_t *to, RSA *rsa, int padding); |
| 178 | |
| 179 | /* RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 180 | * |rsa| and writes the plaintext to |to|. The |to| buffer must have at least |
| 181 | * |RSA_size| bytes of space. It returns the number of bytes written, or -1 on |
| 182 | * error. The |padding| argument must be one of the |RSA_*_PADDING| values. If |
| 183 | * in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing |
| 184 | * |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See |
| 185 | * |RSA_decrypt|. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 186 | * |
| 187 | * WARNING: this function is dangerous because it breaks the usual return value |
| 188 | * convention. Use |RSA_decrypt| instead. */ |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 189 | OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from, |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 190 | uint8_t *to, RSA *rsa, int padding); |
| 191 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 192 | |
| 193 | /* Signing / Verification */ |
| 194 | |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 195 | /* RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using |
| 196 | * RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On |
| 197 | * successful return, the actual number of bytes written is written to |
| 198 | * |*out_len|. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 199 | * |
| 200 | * The |hash_nid| argument identifies the hash function used to calculate |in| |
| 201 | * and is embedded in the resulting signature. For example, it might be |
| 202 | * |NID_sha256|. |
| 203 | * |
| 204 | * It returns 1 on success and zero on error. */ |
| 205 | OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in, |
| 206 | unsigned int in_len, uint8_t *out, |
| 207 | unsigned int *out_len, RSA *rsa); |
| 208 | |
| 209 | /* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa| |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 210 | * and writes, at most, |max_out| bytes of signature data to |out|. The |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 211 | * |max_out| argument must be, at least, |RSA_size| in order to ensure success. |
| 212 | * |
| 213 | * It returns 1 on success or zero on error. |
| 214 | * |
| 215 | * The |padding| argument must be one of the |RSA_*_PADDING| values. If in |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 216 | * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING| |
| 217 | * (via the |EVP_PKEY| interface) is preferred for new protocols. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 218 | OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, |
| 219 | size_t max_out, const uint8_t *in, |
| 220 | size_t in_len, int padding); |
| 221 | |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 222 | /* RSA_verify verifies that |sig_len| bytes from |sig| are a valid, |
| 223 | * RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 224 | * |
| 225 | * The |hash_nid| argument identifies the hash function used to calculate |in| |
| 226 | * and is embedded in the resulting signature in order to prevent hash |
| 227 | * confusion attacks. For example, it might be |NID_sha256|. |
| 228 | * |
| 229 | * It returns one if the signature is valid and zero otherwise. |
| 230 | * |
| 231 | * WARNING: this differs from the original, OpenSSL function which additionally |
| 232 | * returned -1 on error. */ |
| 233 | OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len, |
| 234 | const uint8_t *sig, size_t sig_len, RSA *rsa); |
| 235 | |
| 236 | /* RSA_verify_raw verifies |in_len| bytes of signature from |in| using the |
| 237 | * public key from |rsa| and writes, at most, |max_out| bytes of plaintext to |
| 238 | * |out|. The |max_out| argument must be, at least, |RSA_size| in order to |
| 239 | * ensure success. |
| 240 | * |
| 241 | * It returns 1 on success or zero on error. |
| 242 | * |
| 243 | * The |padding| argument must be one of the |RSA_*_PADDING| values. If in |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 244 | * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING| |
| 245 | * (via the |EVP_PKEY| interface) is preferred for new protocols. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 246 | OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, |
| 247 | size_t max_out, const uint8_t *in, |
| 248 | size_t in_len, int padding); |
| 249 | |
| 250 | /* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in |
| 251 | * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at |
| 252 | * least |RSA_size| bytes of space. It returns the number of bytes written, or |
| 253 | * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 254 | * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but |
| 255 | * |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new |
| 256 | * protocols. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 257 | * |
| 258 | * WARNING: this function is dangerous because it breaks the usual return value |
| 259 | * convention. Use |RSA_sign_raw| instead. */ |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 260 | OPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from, |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 261 | uint8_t *to, RSA *rsa, int padding); |
| 262 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 263 | /* RSA_public_decrypt verifies |flen| bytes of signature from |from| using the |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 264 | * public key in |rsa| and writes the plaintext to |to|. The |to| buffer must |
| 265 | * have at least |RSA_size| bytes of space. It returns the number of bytes |
| 266 | * written, or -1 on error. The |padding| argument must be one of the |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 267 | * |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common |
| 268 | * but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for |
| 269 | * new protocols. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 270 | * |
| 271 | * WARNING: this function is dangerous because it breaks the usual return value |
| 272 | * convention. Use |RSA_verify_raw| instead. */ |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 273 | OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from, |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 274 | uint8_t *to, RSA *rsa, int padding); |
| 275 | |
| 276 | |
| 277 | /* Utility functions. */ |
| 278 | |
| 279 | /* RSA_size returns the number of bytes in the modulus, which is also the size |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 280 | * of a signature or encrypted value using |rsa|. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 281 | OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa); |
| 282 | |
| 283 | /* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key |
| 284 | * material. Otherwise it returns zero. */ |
| 285 | OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa); |
| 286 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 287 | /* RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 288 | * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */ |
| 289 | OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa); |
| 290 | |
| 291 | /* RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from |
| 292 | * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */ |
| 293 | OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa); |
| 294 | |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 295 | /* RSA_check_key performs basic validity tests on |rsa|. It returns one if |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 296 | * they pass and zero otherwise. Opaque keys and public keys always pass. If it |
| 297 | * returns zero then a more detailed error is available on the error queue. */ |
| 298 | OPENSSL_EXPORT int RSA_check_key(const RSA *rsa); |
| 299 | |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 300 | /* RSA_check_fips performs public key validity tests on |key|. It returns one |
| 301 | * if they pass and zero otherwise. Opaque keys always fail. */ |
| 302 | OPENSSL_EXPORT int RSA_check_fips(RSA *key); |
| 303 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 304 | /* RSA_recover_crt_params uses |rsa->n|, |rsa->d| and |rsa->e| in order to |
| 305 | * calculate the two primes used and thus the precomputed, CRT values. These |
| 306 | * values are set in the |p|, |q|, |dmp1|, |dmq1| and |iqmp| members of |rsa|, |
| 307 | * which must be |NULL| on entry. It returns one on success and zero |
| 308 | * otherwise. */ |
| 309 | OPENSSL_EXPORT int RSA_recover_crt_params(RSA *rsa); |
| 310 | |
Adam Langley | f4dabdd | 2015-03-05 19:55:49 -0800 | [diff] [blame] | 311 | /* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 312 | * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to |
| 313 | * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the |
| 314 | * hash function for generating the mask. If NULL, |Hash| is used. The |sLen| |
| 315 | * argument specifies the expected salt length in bytes. If |sLen| is -1 then |
| 316 | * the salt length is the same as the hash length. If -2, then the salt length |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 317 | * is recovered and all values accepted. |
| 318 | * |
| 319 | * If unsure, use -1. |
Adam Langley | f4dabdd | 2015-03-05 19:55:49 -0800 | [diff] [blame] | 320 | * |
| 321 | * It returns one on success or zero on error. */ |
| 322 | OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash, |
| 323 | const EVP_MD *Hash, |
| 324 | const EVP_MD *mgf1Hash, |
| 325 | const uint8_t *EM, int sLen); |
| 326 | |
| 327 | /* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|, |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 328 | * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of |
| 329 | * output will be written to |EM|. The |mgf1Hash| argument specifies the hash |
| 330 | * function for generating the mask. If NULL, |Hash| is used. The |sLen| |
| 331 | * argument specifies the expected salt length in bytes. If |sLen| is -1 then |
| 332 | * the salt length is the same as the hash length. If -2, then the salt length |
| 333 | * is maximal given the space in |EM|. |
Adam Langley | f4dabdd | 2015-03-05 19:55:49 -0800 | [diff] [blame] | 334 | * |
| 335 | * It returns one on success or zero on error. */ |
| 336 | OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM, |
| 337 | const uint8_t *mHash, |
| 338 | const EVP_MD *Hash, |
| 339 | const EVP_MD *mgf1Hash, |
| 340 | int sLen); |
| 341 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 342 | /* RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to| |
| 343 | * with the given parameters and hash functions. If |md| is NULL then SHA-1 is |
| 344 | * used. If |mgf1md| is NULL then the value of |md| is used (which means SHA-1 |
| 345 | * if that, in turn, is NULL). |
| 346 | * |
| 347 | * It returns one on success or zero on error. */ |
| 348 | OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1( |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 349 | uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len, |
| 350 | const uint8_t *param, size_t param_len, const EVP_MD *md, |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 351 | const EVP_MD *mgf1md); |
| 352 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 353 | /* RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo |
| 354 | * header for the given hash function and sets |out_msg| to point to it. On |
| 355 | * successful return, |*out_msg| may be allocated memory and, if so, |
| 356 | * |*is_alloced| will be 1. */ |
| 357 | OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, |
| 358 | int *is_alloced, int hash_nid, |
| 359 | const uint8_t *msg, size_t msg_len); |
| 360 | |
Adam Langley | f4dabdd | 2015-03-05 19:55:49 -0800 | [diff] [blame] | 361 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 362 | /* ASN.1 functions. */ |
| 363 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 364 | /* RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447) |
| 365 | * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on |
| 366 | * error. */ |
| 367 | OPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 368 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 369 | /* RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it |
| 370 | * tolerates some invalid encodings. Do not use this function. */ |
| 371 | OPENSSL_EXPORT RSA *RSA_parse_public_key_buggy(CBS *cbs); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 372 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 373 | /* RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure |
| 374 | * (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */ |
| 375 | OPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 376 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 377 | /* RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure |
| 378 | * (RFC 3447) and appends the result to |cbb|. It returns one on success and |
| 379 | * zero on failure. */ |
| 380 | OPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa); |
| 381 | |
| 382 | /* RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey |
| 383 | * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated |
| 384 | * buffer containing the result and returns one. Otherwise, it returns zero. The |
| 385 | * result should be freed with |OPENSSL_free|. */ |
| 386 | OPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len, |
| 387 | const RSA *rsa); |
| 388 | |
| 389 | /* RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447) |
| 390 | * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on |
| 391 | * error. */ |
| 392 | OPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs); |
| 393 | |
| 394 | /* RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey |
| 395 | * structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */ |
| 396 | OPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in, |
| 397 | size_t in_len); |
| 398 | |
| 399 | /* RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey |
| 400 | * structure (RFC 3447) and appends the result to |cbb|. It returns one on |
| 401 | * success and zero on failure. */ |
| 402 | OPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa); |
| 403 | |
| 404 | /* RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey |
| 405 | * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated |
| 406 | * buffer containing the result and returns one. Otherwise, it returns zero. The |
| 407 | * result should be freed with |OPENSSL_free|. */ |
| 408 | OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes, |
| 409 | size_t *out_len, const RSA *rsa); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 410 | |
| 411 | |
| 412 | /* ex_data functions. |
| 413 | * |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 414 | * See |ex_data.h| for details. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 415 | |
| 416 | OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp, |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 417 | CRYPTO_EX_unused *unused, |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 418 | CRYPTO_EX_dup *dup_func, |
| 419 | CRYPTO_EX_free *free_func); |
| 420 | OPENSSL_EXPORT int RSA_set_ex_data(RSA *r, int idx, void *arg); |
| 421 | OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *r, int idx); |
| 422 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 423 | |
| 424 | /* Flags. */ |
| 425 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 426 | /* RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key |
| 427 | * material. This may be set if, for instance, it is wrapping some other crypto |
| 428 | * API, like a platform key store. */ |
| 429 | #define RSA_FLAG_OPAQUE 1 |
| 430 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 431 | /* Deprecated and ignored. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 432 | #define RSA_FLAG_CACHE_PUBLIC 2 |
| 433 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 434 | /* Deprecated and ignored. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 435 | #define RSA_FLAG_CACHE_PRIVATE 4 |
| 436 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 437 | /* RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a |
David Benjamin | 9aaebef | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 438 | * dangerous thing to do. It is deprecated and should not be used. It will |
| 439 | * be ignored whenever possible. |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 440 | * |
| 441 | * This flag must be used if a key without the public exponent |e| is used for |
| 442 | * private key operations; avoid using such keys whenever possible. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 443 | #define RSA_FLAG_NO_BLINDING 8 |
| 444 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 445 | /* RSA_FLAG_EXT_PKEY is deprecated and ignored. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 446 | #define RSA_FLAG_EXT_PKEY 0x20 |
| 447 | |
| 448 | /* RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st| |
| 449 | * to be called when set. */ |
| 450 | #define RSA_FLAG_SIGN_VER 0x40 |
| 451 | |
| 452 | |
| 453 | /* RSA public exponent values. */ |
| 454 | |
| 455 | #define RSA_3 0x3 |
| 456 | #define RSA_F4 0x10001 |
| 457 | |
| 458 | |
Adam Langley | f7e890d | 2015-03-31 18:58:05 -0700 | [diff] [blame] | 459 | /* Deprecated functions. */ |
| 460 | |
| 461 | /* RSA_blinding_on returns one. */ |
| 462 | OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); |
| 463 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 464 | /* RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you |
| 465 | * should use instead. It returns NULL on error, or a newly-allocated |RSA| on |
| 466 | * success. This function is provided for compatibility only. The |callback| |
| 467 | * and |cb_arg| parameters must be NULL. */ |
| 468 | OPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback, |
| 469 | void *cb_arg); |
| 470 | |
| 471 | /* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len| |
| 472 | * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 473 | * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it |
| 474 | * will not be written to. Rather, a fresh |RSA| is allocated and the previous |
| 475 | * one is freed. On successful exit, |*inp| is advanced past the DER structure. |
| 476 | * It returns the result or NULL on error. */ |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 477 | OPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len); |
| 478 | |
| 479 | /* i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not |
| 480 | * NULL then the result is written to |*outp| and |*outp| is advanced just past |
| 481 | * the output. It returns the number of bytes in the result, whether written or |
| 482 | * not, or a negative value on error. */ |
| 483 | OPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp); |
| 484 | |
| 485 | /* d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len| |
| 486 | * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 487 | * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it |
| 488 | * will not be written to. Rather, a fresh |RSA| is allocated and the previous |
| 489 | * one is freed. On successful exit, |*inp| is advanced past the DER structure. |
| 490 | * It returns the result or NULL on error. */ |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 491 | OPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len); |
| 492 | |
| 493 | /* i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not |
| 494 | * NULL then the result is written to |*outp| and |*outp| is advanced just past |
| 495 | * the output. It returns the number of bytes in the result, whether written or |
| 496 | * not, or a negative value on error. */ |
| 497 | OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp); |
| 498 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 499 | /* RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the |
| 500 | * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. */ |
| 501 | OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(RSA *rsa, uint8_t *EM, |
| 502 | const uint8_t *mHash, |
| 503 | const EVP_MD *Hash, int sLen); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 504 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 505 | /* RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the |
| 506 | * |mgf1Hash| parameter of the latter is implicitly set to |Hash|. */ |
| 507 | OPENSSL_EXPORT int RSA_verify_PKCS1_PSS(RSA *rsa, const uint8_t *mHash, |
| 508 | const EVP_MD *Hash, const uint8_t *EM, |
| 509 | int sLen); |
| 510 | |
| 511 | /* RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but |
Steven Valdez | b0b45c6 | 2017-01-17 16:23:54 -0500 | [diff] [blame] | 512 | * the |md| and |mgf1md| parameters of the latter are implicitly set to NULL, |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 513 | * which means SHA-1. */ |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 514 | OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len, |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 515 | const uint8_t *from, |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 516 | size_t from_len, |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 517 | const uint8_t *param, |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 518 | size_t param_len); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 519 | |
Adam Langley | f7e890d | 2015-03-31 18:58:05 -0700 | [diff] [blame] | 520 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 521 | struct rsa_meth_st { |
| 522 | struct openssl_method_common_st common; |
| 523 | |
| 524 | void *app_data; |
| 525 | |
| 526 | int (*init)(RSA *rsa); |
| 527 | int (*finish)(RSA *rsa); |
| 528 | |
| 529 | /* size returns the size of the RSA modulus in bytes. */ |
| 530 | size_t (*size)(const RSA *rsa); |
| 531 | |
| 532 | int (*sign)(int type, const uint8_t *m, unsigned int m_length, |
| 533 | uint8_t *sigret, unsigned int *siglen, const RSA *rsa); |
| 534 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 535 | /* Ignored. Set this to NULL. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 536 | int (*verify)(int dtype, const uint8_t *m, unsigned int m_length, |
| 537 | const uint8_t *sigbuf, unsigned int siglen, const RSA *rsa); |
| 538 | |
| 539 | |
| 540 | /* These functions mirror the |RSA_*| functions of the same name. */ |
| 541 | int (*encrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
| 542 | const uint8_t *in, size_t in_len, int padding); |
| 543 | int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
| 544 | const uint8_t *in, size_t in_len, int padding); |
| 545 | |
| 546 | int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
| 547 | const uint8_t *in, size_t in_len, int padding); |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 548 | /* Ignored. Set this to NULL. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 549 | int (*verify_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
| 550 | const uint8_t *in, size_t in_len, int padding); |
| 551 | |
| 552 | /* private_transform takes a big-endian integer from |in|, calculates the |
| 553 | * d'th power of it, modulo the RSA modulus and writes the result as a |
| 554 | * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and |
| 555 | * |len| is always equal to |RSA_size(rsa)|. If the result of the transform |
| 556 | * can be represented in fewer than |len| bytes, then |out| must be zero |
| 557 | * padded on the left. |
| 558 | * |
| 559 | * It returns one on success and zero otherwise. |
| 560 | * |
| 561 | * RSA decrypt and sign operations will call this, thus an ENGINE might wish |
| 562 | * to override it in order to avoid having to implement the padding |
| 563 | * functionality demanded by those, higher level, operations. */ |
| 564 | int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in, |
| 565 | size_t len); |
| 566 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 567 | /* mod_exp is deprecated and ignored. Set it to NULL. */ |
| 568 | int (*mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); |
| 569 | |
| 570 | /* bn_mod_exp is deprecated and ignored. Set it to NULL. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 571 | int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, |
| 572 | const BIGNUM *m, BN_CTX *ctx, |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 573 | const BN_MONT_CTX *mont); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 574 | |
| 575 | int flags; |
| 576 | |
| 577 | int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); |
| 578 | |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 579 | /* Ignored. Set this to NULL. */ |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 580 | int (*multi_prime_keygen)(RSA *rsa, int bits, int num_primes, BIGNUM *e, |
| 581 | BN_GENCB *cb); |
| 582 | |
Robert Sloan | 6f79a50 | 2017-04-03 09:16:40 -0700 | [diff] [blame] | 583 | /* supports_digest is deprecated and ignored. Set it to NULL. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 584 | int (*supports_digest)(const RSA *rsa, const EVP_MD *md); |
| 585 | }; |
| 586 | |
| 587 | |
| 588 | /* Private functions. */ |
| 589 | |
| 590 | typedef struct bn_blinding_st BN_BLINDING; |
| 591 | |
| 592 | struct rsa_st { |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 593 | RSA_METHOD *meth; |
| 594 | |
| 595 | BIGNUM *n; |
| 596 | BIGNUM *e; |
| 597 | BIGNUM *d; |
| 598 | BIGNUM *p; |
| 599 | BIGNUM *q; |
| 600 | BIGNUM *dmp1; |
| 601 | BIGNUM *dmq1; |
| 602 | BIGNUM *iqmp; |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 603 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 604 | /* be careful using this if the RSA structure is shared */ |
| 605 | CRYPTO_EX_DATA ex_data; |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 606 | CRYPTO_refcount_t references; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 607 | int flags; |
| 608 | |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 609 | CRYPTO_MUTEX lock; |
| 610 | |
| 611 | /* Used to cache montgomery values. The creation of these values is protected |
| 612 | * by |lock|. */ |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 613 | BN_MONT_CTX *mont_n; |
| 614 | BN_MONT_CTX *mont_p; |
| 615 | BN_MONT_CTX *mont_q; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 616 | |
| 617 | /* num_blindings contains the size of the |blindings| and |blindings_inuse| |
| 618 | * arrays. This member and the |blindings_inuse| array are protected by |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 619 | * |lock|. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 620 | unsigned num_blindings; |
| 621 | /* blindings is an array of BN_BLINDING structures that can be reserved by a |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 622 | * thread by locking |lock| and changing the corresponding element in |
| 623 | * |blindings_inuse| from 0 to 1. */ |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 624 | BN_BLINDING **blindings; |
| 625 | unsigned char *blindings_inuse; |
| 626 | }; |
| 627 | |
| 628 | |
| 629 | #if defined(__cplusplus) |
| 630 | } /* extern C */ |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 631 | |
| 632 | extern "C++" { |
| 633 | |
| 634 | namespace bssl { |
| 635 | |
| 636 | BORINGSSL_MAKE_DELETER(RSA, RSA_free) |
| 637 | |
| 638 | } // namespace bssl |
| 639 | |
| 640 | } /* extern C++ */ |
| 641 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 642 | #endif |
| 643 | |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 644 | #define RSA_R_BAD_ENCODING 100 |
| 645 | #define RSA_R_BAD_E_VALUE 101 |
| 646 | #define RSA_R_BAD_FIXED_HEADER_DECRYPT 102 |
| 647 | #define RSA_R_BAD_PAD_BYTE_COUNT 103 |
| 648 | #define RSA_R_BAD_RSA_PARAMETERS 104 |
| 649 | #define RSA_R_BAD_SIGNATURE 105 |
| 650 | #define RSA_R_BAD_VERSION 106 |
| 651 | #define RSA_R_BLOCK_TYPE_IS_NOT_01 107 |
| 652 | #define RSA_R_BN_NOT_INITIALIZED 108 |
| 653 | #define RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY 109 |
| 654 | #define RSA_R_CRT_PARAMS_ALREADY_GIVEN 110 |
| 655 | #define RSA_R_CRT_VALUES_INCORRECT 111 |
| 656 | #define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 112 |
| 657 | #define RSA_R_DATA_TOO_LARGE 113 |
| 658 | #define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 114 |
| 659 | #define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 115 |
| 660 | #define RSA_R_DATA_TOO_SMALL 116 |
| 661 | #define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 117 |
| 662 | #define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 118 |
| 663 | #define RSA_R_D_E_NOT_CONGRUENT_TO_1 119 |
| 664 | #define RSA_R_EMPTY_PUBLIC_KEY 120 |
| 665 | #define RSA_R_ENCODE_ERROR 121 |
| 666 | #define RSA_R_FIRST_OCTET_INVALID 122 |
| 667 | #define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 123 |
| 668 | #define RSA_R_INTERNAL_ERROR 124 |
| 669 | #define RSA_R_INVALID_MESSAGE_LENGTH 125 |
| 670 | #define RSA_R_KEY_SIZE_TOO_SMALL 126 |
| 671 | #define RSA_R_LAST_OCTET_INVALID 127 |
| 672 | #define RSA_R_MODULUS_TOO_LARGE 128 |
| 673 | #define RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES 129 |
| 674 | #define RSA_R_NO_PUBLIC_EXPONENT 130 |
| 675 | #define RSA_R_NULL_BEFORE_BLOCK_MISSING 131 |
| 676 | #define RSA_R_N_NOT_EQUAL_P_Q 132 |
| 677 | #define RSA_R_OAEP_DECODING_ERROR 133 |
| 678 | #define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 134 |
| 679 | #define RSA_R_OUTPUT_BUFFER_TOO_SMALL 135 |
| 680 | #define RSA_R_PADDING_CHECK_FAILED 136 |
| 681 | #define RSA_R_PKCS_DECODING_ERROR 137 |
| 682 | #define RSA_R_SLEN_CHECK_FAILED 138 |
| 683 | #define RSA_R_SLEN_RECOVERY_FAILED 139 |
| 684 | #define RSA_R_TOO_LONG 140 |
| 685 | #define RSA_R_TOO_MANY_ITERATIONS 141 |
| 686 | #define RSA_R_UNKNOWN_ALGORITHM_TYPE 142 |
| 687 | #define RSA_R_UNKNOWN_PADDING_TYPE 143 |
| 688 | #define RSA_R_VALUE_MISSING 144 |
| 689 | #define RSA_R_WRONG_SIGNATURE_LENGTH 145 |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 690 | #define RSA_R_PUBLIC_KEY_VALIDATION_FAILED 146 |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 691 | |
| 692 | #endif /* OPENSSL_HEADER_RSA_H */ |