Make RSA opaque
Three years of updating calling code are finally complete!
Update-Note: Accessing the RSA struct directly is no longer supported.
Use accessors instead.
Bug: 316, 325
Change-Id: I27b4c9899cb96f5807075b8fe351eaf72a9a9d44
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60610
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/rsa/internal.h b/crypto/fipsmodule/rsa/internal.h
index b940f68..7a8b219 100644
--- a/crypto/fipsmodule/rsa/internal.h
+++ b/crypto/fipsmodule/rsa/internal.h
@@ -68,6 +68,62 @@
#endif
+typedef struct bn_blinding_st BN_BLINDING;
+
+struct rsa_st {
+ RSA_METHOD *meth;
+
+ BIGNUM *n;
+ BIGNUM *e;
+ BIGNUM *d;
+ BIGNUM *p;
+ BIGNUM *q;
+ BIGNUM *dmp1;
+ BIGNUM *dmq1;
+ BIGNUM *iqmp;
+
+ // be careful using this if the RSA structure is shared
+ CRYPTO_EX_DATA ex_data;
+ CRYPTO_refcount_t references;
+ int flags;
+
+ CRYPTO_MUTEX lock;
+
+ // Used to cache montgomery values. The creation of these values is protected
+ // by |lock|.
+ BN_MONT_CTX *mont_n;
+ BN_MONT_CTX *mont_p;
+ BN_MONT_CTX *mont_q;
+
+ // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively,
+ // but with the correct widths to prevent side channels. These must use
+ // separate copies due to threading concerns caused by OpenSSL's API
+ // mistakes. See https://github.com/openssl/openssl/issues/5158 and
+ // the |freeze_private_key| implementation.
+ BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed;
+
+ // inv_small_mod_large_mont is q^-1 mod p in Montgomery form, using |mont_p|,
+ // if |p| >= |q|. Otherwise, it is p^-1 mod q in Montgomery form, using
+ // |mont_q|.
+ BIGNUM *inv_small_mod_large_mont;
+
+ // num_blindings contains the size of the |blindings| and |blindings_inuse|
+ // arrays. This member and the |blindings_inuse| array are protected by
+ // |lock|.
+ size_t num_blindings;
+ // blindings is an array of BN_BLINDING structures that can be reserved by a
+ // thread by locking |lock| and changing the corresponding element in
+ // |blindings_inuse| from 0 to 1.
+ BN_BLINDING **blindings;
+ unsigned char *blindings_inuse;
+ uint64_t blinding_fork_generation;
+
+ // private_key_frozen is one if the key has been used for a private key
+ // operation and may no longer be mutated.
+ unsigned private_key_frozen:1;
+};
+
+
#define RSA_PKCS1_PADDING_SIZE 11
// Default implementations of RSA operations.
diff --git a/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/crypto/fipsmodule/service_indicator/service_indicator_test.cc
index 4389b98..8ae52de 100644
--- a/crypto/fipsmodule/service_indicator/service_indicator_test.cc
+++ b/crypto/fipsmodule/service_indicator/service_indicator_test.cc
@@ -1065,7 +1065,7 @@
EXPECT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
approved, RSA_generate_key_fips(rsa.get(), bits, nullptr)));
EXPECT_EQ(approved, FIPSStatus::APPROVED);
- EXPECT_EQ(bits, BN_num_bits(rsa->n));
+ EXPECT_EQ(bits, RSA_bits(rsa.get()));
}
// Test running the EVP_PKEY_keygen interfaces one by one directly, and check
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 9b21d83..fd183f7 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -818,67 +818,6 @@
};
-// Private functions.
-
-typedef struct bn_blinding_st BN_BLINDING;
-
-struct rsa_st {
- RSA_METHOD *meth;
-
- // Access to the following fields was historically allowed, but
- // deprecated. Use |RSA_get0_*| and |RSA_set0_*| instead. Access to all other
- // fields is forbidden and will cause threading errors.
- BIGNUM *n;
- BIGNUM *e;
- BIGNUM *d;
- BIGNUM *p;
- BIGNUM *q;
- BIGNUM *dmp1;
- BIGNUM *dmq1;
- BIGNUM *iqmp;
-
- // be careful using this if the RSA structure is shared
- CRYPTO_EX_DATA ex_data;
- CRYPTO_refcount_t references;
- int flags;
-
- CRYPTO_MUTEX lock;
-
- // Used to cache montgomery values. The creation of these values is protected
- // by |lock|.
- BN_MONT_CTX *mont_n;
- BN_MONT_CTX *mont_p;
- BN_MONT_CTX *mont_q;
-
- // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively,
- // but with the correct widths to prevent side channels. These must use
- // separate copies due to threading concerns caused by OpenSSL's API
- // mistakes. See https://github.com/openssl/openssl/issues/5158 and
- // the |freeze_private_key| implementation.
- BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed;
-
- // inv_small_mod_large_mont is q^-1 mod p in Montgomery form, using |mont_p|,
- // if |p| >= |q|. Otherwise, it is p^-1 mod q in Montgomery form, using
- // |mont_q|.
- BIGNUM *inv_small_mod_large_mont;
-
- // num_blindings contains the size of the |blindings| and |blindings_inuse|
- // arrays. This member and the |blindings_inuse| array are protected by
- // |lock|.
- size_t num_blindings;
- // blindings is an array of BN_BLINDING structures that can be reserved by a
- // thread by locking |lock| and changing the corresponding element in
- // |blindings_inuse| from 0 to 1.
- BN_BLINDING **blindings;
- unsigned char *blindings_inuse;
- uint64_t blinding_fork_generation;
-
- // private_key_frozen is one if the key has been used for a private key
- // operation and may no longer be mutated.
- unsigned private_key_frozen:1;
-};
-
-
#if defined(__cplusplus)
} // extern C
diff --git a/tool/speed.cc b/tool/speed.cc
index e2594db..8b4b13c 100644
--- a/tool/speed.cc
+++ b/tool/speed.cc
@@ -367,15 +367,11 @@
// construct a new RSA key, with a new |BN_MONT_CTX| for the
// public modulus. If we were to use |key| directly instead, then
// these costs wouldn't be accounted for.
- bssl::UniquePtr<RSA> verify_key(RSA_new());
+ bssl::UniquePtr<RSA> verify_key(RSA_new_public_key(
+ RSA_get0_n(key.get()), RSA_get0_e(key.get())));
if (!verify_key) {
return false;
}
- verify_key->n = BN_dup(key->n);
- verify_key->e = BN_dup(key->e);
- if (!verify_key->n || !verify_key->e) {
- return false;
- }
return RSA_verify(NID_sha256, fake_sha256_hash,
sizeof(fake_sha256_hash), sig, sig_len,
verify_key.get());
