• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #include <openssl/rsa.h>
58 
59 #include <assert.h>
60 #include <limits.h>
61 #include <string.h>
62 
63 #include <openssl/bn.h>
64 #include <openssl/err.h>
65 #include <openssl/mem.h>
66 #include <openssl/thread.h>
67 #include <openssl/type_check.h>
68 
69 #include "internal.h"
70 #include "../bn/internal.h"
71 #include "../../internal.h"
72 #include "../delocate.h"
73 
74 
check_modulus_and_exponent_sizes(const RSA * rsa)75 static int check_modulus_and_exponent_sizes(const RSA *rsa) {
76   unsigned rsa_bits = BN_num_bits(rsa->n);
77 
78   if (rsa_bits > 16 * 1024) {
79     OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
80     return 0;
81   }
82 
83   // Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as
84   // the limit based on the recommendations in [1] and [2]. Windows CryptoAPI
85   // doesn't support values larger than 32 bits [3], so it is unlikely that
86   // exponents larger than 32 bits are being used for anything Windows commonly
87   // does.
88   //
89   // [1] https://www.imperialviolet.org/2012/03/16/rsae.html
90   // [2] https://www.imperialviolet.org/2012/03/17/rsados.html
91   // [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
92   static const unsigned kMaxExponentBits = 33;
93 
94   if (BN_num_bits(rsa->e) > kMaxExponentBits) {
95     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
96     return 0;
97   }
98 
99   // Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small
100   // shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits|
101   // is much smaller than the minimum RSA key size that any application should
102   // accept.
103   if (rsa_bits <= kMaxExponentBits) {
104     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
105     return 0;
106   }
107   assert(BN_ucmp(rsa->n, rsa->e) > 0);
108 
109   return 1;
110 }
111 
ensure_fixed_copy(BIGNUM ** out,const BIGNUM * in,int width)112 static int ensure_fixed_copy(BIGNUM **out, const BIGNUM *in, int width) {
113   if (*out != NULL) {
114     return 1;
115   }
116   BIGNUM *copy = BN_dup(in);
117   if (copy == NULL ||
118       !bn_resize_words(copy, width)) {
119     BN_free(copy);
120     return 0;
121   }
122   *out = copy;
123   CONSTTIME_SECRET(copy->d, sizeof(BN_ULONG) * width);
124 
125   return 1;
126 }
127 
128 // freeze_private_key finishes initializing |rsa|'s private key components.
129 // After this function has returned, |rsa| may not be changed. This is needed
130 // because |RSA| is a public struct and, additionally, OpenSSL 1.1.0 opaquified
131 // it wrong (see https://github.com/openssl/openssl/issues/5158).
freeze_private_key(RSA * rsa,BN_CTX * ctx)132 static int freeze_private_key(RSA *rsa, BN_CTX *ctx) {
133   CRYPTO_MUTEX_lock_read(&rsa->lock);
134   int frozen = rsa->private_key_frozen;
135   CRYPTO_MUTEX_unlock_read(&rsa->lock);
136   if (frozen) {
137     return 1;
138   }
139 
140   int ret = 0;
141   CRYPTO_MUTEX_lock_write(&rsa->lock);
142   if (rsa->private_key_frozen) {
143     ret = 1;
144     goto err;
145   }
146 
147   // Pre-compute various intermediate values, as well as copies of private
148   // exponents with correct widths. Note that other threads may concurrently
149   // read from |rsa->n|, |rsa->e|, etc., so any fixes must be in separate
150   // copies. We use |mont_n->N|, |mont_p->N|, and |mont_q->N| as copies of |n|,
151   // |p|, and |q| with the correct minimal widths.
152 
153   if (rsa->mont_n == NULL) {
154     rsa->mont_n = BN_MONT_CTX_new_for_modulus(rsa->n, ctx);
155     if (rsa->mont_n == NULL) {
156       goto err;
157     }
158   }
159   const BIGNUM *n_fixed = &rsa->mont_n->N;
160 
161   // The only public upper-bound of |rsa->d| is the bit length of |rsa->n|. The
162   // ASN.1 serialization of RSA private keys unfortunately leaks the byte length
163   // of |rsa->d|, but normalize it so we only leak it once, rather than per
164   // operation.
165   if (rsa->d != NULL &&
166       !ensure_fixed_copy(&rsa->d_fixed, rsa->d, n_fixed->width)) {
167     goto err;
168   }
169 
170   if (rsa->p != NULL && rsa->q != NULL) {
171     // TODO: p and q are also CONSTTIME_SECRET but not yet marked as such
172     // because the Montgomery code does things like test whether or not values
173     // are zero. So the secret marking probably needs to happen inside that
174     // code.
175 
176     if (rsa->mont_p == NULL) {
177       rsa->mont_p = BN_MONT_CTX_new_consttime(rsa->p, ctx);
178       if (rsa->mont_p == NULL) {
179         goto err;
180       }
181     }
182     const BIGNUM *p_fixed = &rsa->mont_p->N;
183 
184     if (rsa->mont_q == NULL) {
185       rsa->mont_q = BN_MONT_CTX_new_consttime(rsa->q, ctx);
186       if (rsa->mont_q == NULL) {
187         goto err;
188       }
189     }
190     const BIGNUM *q_fixed = &rsa->mont_q->N;
191 
192     if (rsa->dmp1 != NULL && rsa->dmq1 != NULL) {
193       // Key generation relies on this function to compute |iqmp|.
194       if (rsa->iqmp == NULL) {
195         BIGNUM *iqmp = BN_new();
196         if (iqmp == NULL ||
197             !bn_mod_inverse_secret_prime(iqmp, rsa->q, rsa->p, ctx,
198                                          rsa->mont_p)) {
199           BN_free(iqmp);
200           goto err;
201         }
202         rsa->iqmp = iqmp;
203       }
204 
205       // CRT components are only publicly bounded by their corresponding
206       // moduli's bit lengths. |rsa->iqmp| is unused outside of this one-time
207       // setup, so we do not compute a fixed-width version of it.
208       if (!ensure_fixed_copy(&rsa->dmp1_fixed, rsa->dmp1, p_fixed->width) ||
209           !ensure_fixed_copy(&rsa->dmq1_fixed, rsa->dmq1, q_fixed->width)) {
210         goto err;
211       }
212 
213       // Compute |inv_small_mod_large_mont|. Note that it is always modulo the
214       // larger prime, independent of what is stored in |rsa->iqmp|.
215       if (rsa->inv_small_mod_large_mont == NULL) {
216         BIGNUM *inv_small_mod_large_mont = BN_new();
217         int ok;
218         if (BN_cmp(rsa->p, rsa->q) < 0) {
219           ok = inv_small_mod_large_mont != NULL &&
220                bn_mod_inverse_secret_prime(inv_small_mod_large_mont, rsa->p,
221                                            rsa->q, ctx, rsa->mont_q) &&
222                BN_to_montgomery(inv_small_mod_large_mont,
223                                 inv_small_mod_large_mont, rsa->mont_q, ctx);
224         } else {
225           ok = inv_small_mod_large_mont != NULL &&
226                BN_to_montgomery(inv_small_mod_large_mont, rsa->iqmp,
227                                 rsa->mont_p, ctx);
228         }
229         if (!ok) {
230           BN_free(inv_small_mod_large_mont);
231           goto err;
232         }
233         rsa->inv_small_mod_large_mont = inv_small_mod_large_mont;
234         CONSTTIME_SECRET(
235             rsa->inv_small_mod_large_mont->d,
236             sizeof(BN_ULONG) * rsa->inv_small_mod_large_mont->width);
237       }
238     }
239   }
240 
241   rsa->private_key_frozen = 1;
242   ret = 1;
243 
244 err:
245   CRYPTO_MUTEX_unlock_write(&rsa->lock);
246   return ret;
247 }
248 
rsa_default_size(const RSA * rsa)249 size_t rsa_default_size(const RSA *rsa) {
250   return BN_num_bytes(rsa->n);
251 }
252 
RSA_encrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)253 int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
254                 const uint8_t *in, size_t in_len, int padding) {
255   if (rsa->n == NULL || rsa->e == NULL) {
256     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
257     return 0;
258   }
259 
260   const unsigned rsa_size = RSA_size(rsa);
261   BIGNUM *f, *result;
262   uint8_t *buf = NULL;
263   BN_CTX *ctx = NULL;
264   int i, ret = 0;
265 
266   if (max_out < rsa_size) {
267     OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
268     return 0;
269   }
270 
271   if (!check_modulus_and_exponent_sizes(rsa)) {
272     return 0;
273   }
274 
275   ctx = BN_CTX_new();
276   if (ctx == NULL) {
277     goto err;
278   }
279 
280   BN_CTX_start(ctx);
281   f = BN_CTX_get(ctx);
282   result = BN_CTX_get(ctx);
283   buf = OPENSSL_malloc(rsa_size);
284   if (!f || !result || !buf) {
285     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
286     goto err;
287   }
288 
289   switch (padding) {
290     case RSA_PKCS1_PADDING:
291       i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);
292       break;
293     case RSA_PKCS1_OAEP_PADDING:
294       // Use the default parameters: SHA-1 for both hashes and no label.
295       i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,
296                                           NULL, 0, NULL, NULL);
297       break;
298     case RSA_NO_PADDING:
299       i = RSA_padding_add_none(buf, rsa_size, in, in_len);
300       break;
301     default:
302       OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
303       goto err;
304   }
305 
306   if (i <= 0) {
307     goto err;
308   }
309 
310   if (BN_bin2bn(buf, rsa_size, f) == NULL) {
311     goto err;
312   }
313 
314   if (BN_ucmp(f, rsa->n) >= 0) {
315     // usually the padding functions would catch this
316     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
317     goto err;
318   }
319 
320   if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
321       !BN_mod_exp_mont(result, f, rsa->e, &rsa->mont_n->N, ctx, rsa->mont_n)) {
322     goto err;
323   }
324 
325   // put in leading 0 bytes if the number is less than the length of the
326   // modulus
327   if (!BN_bn2bin_padded(out, rsa_size, result)) {
328     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
329     goto err;
330   }
331 
332   *out_len = rsa_size;
333   ret = 1;
334 
335 err:
336   if (ctx != NULL) {
337     BN_CTX_end(ctx);
338     BN_CTX_free(ctx);
339   }
340   OPENSSL_free(buf);
341 
342   return ret;
343 }
344 
345 // MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
346 // RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
347 // destroyed as needed.
348 #define MAX_BLINDINGS_PER_RSA 1024
349 
350 // rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
351 // allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
352 // none are free, the cache will be extended by a extra element and the new
353 // BN_BLINDING is returned.
354 //
355 // On success, the index of the assigned BN_BLINDING is written to
356 // |*index_used| and must be passed to |rsa_blinding_release| when finished.
rsa_blinding_get(RSA * rsa,unsigned * index_used,BN_CTX * ctx)357 static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
358                                      BN_CTX *ctx) {
359   assert(ctx != NULL);
360   assert(rsa->mont_n != NULL);
361 
362   BN_BLINDING *ret = NULL;
363   BN_BLINDING **new_blindings;
364   uint8_t *new_blindings_inuse;
365   char overflow = 0;
366 
367   CRYPTO_MUTEX_lock_write(&rsa->lock);
368 
369   unsigned i;
370   for (i = 0; i < rsa->num_blindings; i++) {
371     if (rsa->blindings_inuse[i] == 0) {
372       rsa->blindings_inuse[i] = 1;
373       ret = rsa->blindings[i];
374       *index_used = i;
375       break;
376     }
377   }
378 
379   if (ret != NULL) {
380     CRYPTO_MUTEX_unlock_write(&rsa->lock);
381     return ret;
382   }
383 
384   overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;
385 
386   // We didn't find a free BN_BLINDING to use so increase the length of
387   // the arrays by one and use the newly created element.
388 
389   CRYPTO_MUTEX_unlock_write(&rsa->lock);
390   ret = BN_BLINDING_new();
391   if (ret == NULL) {
392     return NULL;
393   }
394 
395   if (overflow) {
396     // We cannot add any more cached BN_BLINDINGs so we use |ret|
397     // and mark it for destruction in |rsa_blinding_release|.
398     *index_used = MAX_BLINDINGS_PER_RSA;
399     return ret;
400   }
401 
402   CRYPTO_MUTEX_lock_write(&rsa->lock);
403 
404   new_blindings =
405       OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));
406   if (new_blindings == NULL) {
407     goto err1;
408   }
409   OPENSSL_memcpy(new_blindings, rsa->blindings,
410          sizeof(BN_BLINDING *) * rsa->num_blindings);
411   new_blindings[rsa->num_blindings] = ret;
412 
413   new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1);
414   if (new_blindings_inuse == NULL) {
415     goto err2;
416   }
417   OPENSSL_memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);
418   new_blindings_inuse[rsa->num_blindings] = 1;
419   *index_used = rsa->num_blindings;
420 
421   OPENSSL_free(rsa->blindings);
422   rsa->blindings = new_blindings;
423   OPENSSL_free(rsa->blindings_inuse);
424   rsa->blindings_inuse = new_blindings_inuse;
425   rsa->num_blindings++;
426 
427   CRYPTO_MUTEX_unlock_write(&rsa->lock);
428   return ret;
429 
430 err2:
431   OPENSSL_free(new_blindings);
432 
433 err1:
434   CRYPTO_MUTEX_unlock_write(&rsa->lock);
435   BN_BLINDING_free(ret);
436   return NULL;
437 }
438 
439 // rsa_blinding_release marks the cached BN_BLINDING at the given index as free
440 // for other threads to use.
rsa_blinding_release(RSA * rsa,BN_BLINDING * blinding,unsigned blinding_index)441 static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
442                                  unsigned blinding_index) {
443   if (blinding_index == MAX_BLINDINGS_PER_RSA) {
444     // This blinding wasn't cached.
445     BN_BLINDING_free(blinding);
446     return;
447   }
448 
449   CRYPTO_MUTEX_lock_write(&rsa->lock);
450   rsa->blindings_inuse[blinding_index] = 0;
451   CRYPTO_MUTEX_unlock_write(&rsa->lock);
452 }
453 
454 // signing
rsa_default_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)455 int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
456                          size_t max_out, const uint8_t *in, size_t in_len,
457                          int padding) {
458   const unsigned rsa_size = RSA_size(rsa);
459   uint8_t *buf = NULL;
460   int i, ret = 0;
461 
462   if (max_out < rsa_size) {
463     OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
464     return 0;
465   }
466 
467   buf = OPENSSL_malloc(rsa_size);
468   if (buf == NULL) {
469     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
470     goto err;
471   }
472 
473   switch (padding) {
474     case RSA_PKCS1_PADDING:
475       i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);
476       break;
477     case RSA_NO_PADDING:
478       i = RSA_padding_add_none(buf, rsa_size, in, in_len);
479       break;
480     default:
481       OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
482       goto err;
483   }
484 
485   if (i <= 0) {
486     goto err;
487   }
488 
489   if (!RSA_private_transform(rsa, out, buf, rsa_size)) {
490     goto err;
491   }
492 
493   CONSTTIME_DECLASSIFY(out, rsa_size);
494   *out_len = rsa_size;
495   ret = 1;
496 
497 err:
498   OPENSSL_free(buf);
499 
500   return ret;
501 }
502 
rsa_default_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)503 int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
504                         const uint8_t *in, size_t in_len, int padding) {
505   const unsigned rsa_size = RSA_size(rsa);
506   uint8_t *buf = NULL;
507   int ret = 0;
508 
509   if (max_out < rsa_size) {
510     OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
511     return 0;
512   }
513 
514   if (padding == RSA_NO_PADDING) {
515     buf = out;
516   } else {
517     // Allocate a temporary buffer to hold the padded plaintext.
518     buf = OPENSSL_malloc(rsa_size);
519     if (buf == NULL) {
520       OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
521       goto err;
522     }
523   }
524 
525   if (in_len != rsa_size) {
526     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
527     goto err;
528   }
529 
530   if (!RSA_private_transform(rsa, buf, in, rsa_size)) {
531     goto err;
532   }
533 
534   switch (padding) {
535     case RSA_PKCS1_PADDING:
536       ret =
537           RSA_padding_check_PKCS1_type_2(out, out_len, rsa_size, buf, rsa_size);
538       break;
539     case RSA_PKCS1_OAEP_PADDING:
540       // Use the default parameters: SHA-1 for both hashes and no label.
541       ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, out_len, rsa_size, buf,
542                                               rsa_size, NULL, 0, NULL, NULL);
543       break;
544     case RSA_NO_PADDING:
545       *out_len = rsa_size;
546       ret = 1;
547       break;
548     default:
549       OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
550       goto err;
551   }
552 
553   CONSTTIME_DECLASSIFY(&ret, sizeof(ret));
554   if (!ret) {
555     OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
556   } else {
557     CONSTTIME_DECLASSIFY(out, *out_len);
558   }
559 
560 err:
561   if (padding != RSA_NO_PADDING) {
562     OPENSSL_free(buf);
563   }
564 
565   return ret;
566 }
567 
568 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
569 
RSA_verify_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)570 int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
571                    const uint8_t *in, size_t in_len, int padding) {
572   if (rsa->n == NULL || rsa->e == NULL) {
573     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
574     return 0;
575   }
576 
577   const unsigned rsa_size = RSA_size(rsa);
578   BIGNUM *f, *result;
579 
580   if (max_out < rsa_size) {
581     OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
582     return 0;
583   }
584 
585   if (in_len != rsa_size) {
586     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
587     return 0;
588   }
589 
590   if (!check_modulus_and_exponent_sizes(rsa)) {
591     return 0;
592   }
593 
594   BN_CTX *ctx = BN_CTX_new();
595   if (ctx == NULL) {
596     return 0;
597   }
598 
599   int ret = 0;
600   uint8_t *buf = NULL;
601 
602   BN_CTX_start(ctx);
603   f = BN_CTX_get(ctx);
604   result = BN_CTX_get(ctx);
605   if (f == NULL || result == NULL) {
606     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
607     goto err;
608   }
609 
610   if (padding == RSA_NO_PADDING) {
611     buf = out;
612   } else {
613     // Allocate a temporary buffer to hold the padded plaintext.
614     buf = OPENSSL_malloc(rsa_size);
615     if (buf == NULL) {
616       OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
617       goto err;
618     }
619   }
620 
621   if (BN_bin2bn(in, in_len, f) == NULL) {
622     goto err;
623   }
624 
625   if (BN_ucmp(f, rsa->n) >= 0) {
626     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
627     goto err;
628   }
629 
630   if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
631       !BN_mod_exp_mont(result, f, rsa->e, &rsa->mont_n->N, ctx, rsa->mont_n)) {
632     goto err;
633   }
634 
635   if (!BN_bn2bin_padded(buf, rsa_size, result)) {
636     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
637     goto err;
638   }
639 
640   switch (padding) {
641     case RSA_PKCS1_PADDING:
642       ret =
643           RSA_padding_check_PKCS1_type_1(out, out_len, rsa_size, buf, rsa_size);
644       break;
645     case RSA_NO_PADDING:
646       ret = 1;
647       *out_len = rsa_size;
648       break;
649     default:
650       OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
651       goto err;
652   }
653 
654   if (!ret) {
655     OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
656     goto err;
657   }
658 
659 err:
660   BN_CTX_end(ctx);
661   BN_CTX_free(ctx);
662   if (buf != out) {
663     OPENSSL_free(buf);
664   }
665   return ret;
666 }
667 
rsa_default_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)668 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
669                                   size_t len) {
670   if (rsa->n == NULL || rsa->d == NULL) {
671     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
672     return 0;
673   }
674 
675   BIGNUM *f, *result;
676   BN_CTX *ctx = NULL;
677   unsigned blinding_index = 0;
678   BN_BLINDING *blinding = NULL;
679   int ret = 0;
680 
681   ctx = BN_CTX_new();
682   if (ctx == NULL) {
683     goto err;
684   }
685   BN_CTX_start(ctx);
686   f = BN_CTX_get(ctx);
687   result = BN_CTX_get(ctx);
688 
689   if (f == NULL || result == NULL) {
690     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
691     goto err;
692   }
693 
694   if (BN_bin2bn(in, len, f) == NULL) {
695     goto err;
696   }
697 
698   if (BN_ucmp(f, rsa->n) >= 0) {
699     // Usually the padding functions would catch this.
700     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
701     goto err;
702   }
703 
704   if (!freeze_private_key(rsa, ctx)) {
705     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
706     goto err;
707   }
708 
709   const int do_blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0;
710 
711   if (rsa->e == NULL && do_blinding) {
712     // We cannot do blinding or verification without |e|, and continuing without
713     // those countermeasures is dangerous. However, the Java/Android RSA API
714     // requires support for keys where only |d| and |n| (and not |e|) are known.
715     // The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|.
716     OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT);
717     goto err;
718   }
719 
720   if (do_blinding) {
721     blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
722     if (blinding == NULL) {
723       OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
724       goto err;
725     }
726     if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx)) {
727       goto err;
728     }
729   }
730 
731   if (rsa->p != NULL && rsa->q != NULL && rsa->e != NULL && rsa->dmp1 != NULL &&
732       rsa->dmq1 != NULL && rsa->iqmp != NULL &&
733       // Require that we can reduce |f| by |rsa->p| and |rsa->q| in constant
734       // time, which requires primes be the same size, rounded to the Montgomery
735       // coefficient. (See |mod_montgomery|.) This is not required by RFC 8017,
736       // but it is true for keys generated by us and all common implementations.
737       bn_less_than_montgomery_R(rsa->q, rsa->mont_p) &&
738       bn_less_than_montgomery_R(rsa->p, rsa->mont_q)) {
739     if (!mod_exp(result, f, rsa, ctx)) {
740       goto err;
741     }
742   } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d_fixed, rsa->n, ctx,
743                                         rsa->mont_n)) {
744     goto err;
745   }
746 
747   // Verify the result to protect against fault attacks as described in the
748   // 1997 paper "On the Importance of Checking Cryptographic Protocols for
749   // Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some
750   // implementations do this only when the CRT is used, but we do it in all
751   // cases. Section 6 of the aforementioned paper describes an attack that
752   // works when the CRT isn't used. That attack is much less likely to succeed
753   // than the CRT attack, but there have likely been improvements since 1997.
754   //
755   // This check is cheap assuming |e| is small; it almost always is.
756   if (rsa->e != NULL) {
757     BIGNUM *vrfy = BN_CTX_get(ctx);
758     if (vrfy == NULL ||
759         !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) ||
760         !BN_equal_consttime(vrfy, f)) {
761       OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
762       goto err;
763     }
764 
765   }
766 
767   if (do_blinding &&
768       !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) {
769     goto err;
770   }
771 
772   // The computation should have left |result| as a maximally-wide number, so
773   // that it and serializing does not leak information about the magnitude of
774   // the result.
775   //
776   // See Falko Strenzke, "Manger's Attack revisited", ICICS 2010.
777   assert(result->width == rsa->mont_n->N.width);
778   if (!BN_bn2bin_padded(out, len, result)) {
779     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
780     goto err;
781   }
782 
783   ret = 1;
784 
785 err:
786   if (ctx != NULL) {
787     BN_CTX_end(ctx);
788     BN_CTX_free(ctx);
789   }
790   if (blinding != NULL) {
791     rsa_blinding_release(rsa, blinding, blinding_index);
792   }
793 
794   return ret;
795 }
796 
797 // mod_montgomery sets |r| to |I| mod |p|. |I| must already be fully reduced
798 // modulo |p| times |q|. It returns one on success and zero on error.
mod_montgomery(BIGNUM * r,const BIGNUM * I,const BIGNUM * p,const BN_MONT_CTX * mont_p,const BIGNUM * q,BN_CTX * ctx)799 static int mod_montgomery(BIGNUM *r, const BIGNUM *I, const BIGNUM *p,
800                           const BN_MONT_CTX *mont_p, const BIGNUM *q,
801                           BN_CTX *ctx) {
802   // Reducing in constant-time with Montgomery reduction requires I <= p * R. We
803   // have I < p * q, so this follows if q < R. The caller should have checked
804   // this already.
805   if (!bn_less_than_montgomery_R(q, mont_p)) {
806     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
807     return 0;
808   }
809 
810   if (// Reduce mod p with Montgomery reduction. This computes I * R^-1 mod p.
811       !BN_from_montgomery(r, I, mont_p, ctx) ||
812       // Multiply by R^2 and do another Montgomery reduction to compute
813       // I * R^-1 * R^2 * R^-1 = I mod p.
814       !BN_to_montgomery(r, r, mont_p, ctx)) {
815     return 0;
816   }
817 
818   // By precomputing R^3 mod p (normally |BN_MONT_CTX| only uses R^2 mod p) and
819   // adjusting the API for |BN_mod_exp_mont_consttime|, we could instead compute
820   // I * R mod p here and save a reduction per prime. But this would require
821   // changing the RSAZ code and may not be worth it. Note that the RSAZ code
822   // uses a different radix, so it uses R' = 2^1044. There we'd actually want
823   // R^2 * R', and would futher benefit from a precomputed R'^2. It currently
824   // converts |mont_p->RR| to R'^2.
825   return 1;
826 }
827 
mod_exp(BIGNUM * r0,const BIGNUM * I,RSA * rsa,BN_CTX * ctx)828 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
829   assert(ctx != NULL);
830 
831   assert(rsa->n != NULL);
832   assert(rsa->e != NULL);
833   assert(rsa->d != NULL);
834   assert(rsa->p != NULL);
835   assert(rsa->q != NULL);
836   assert(rsa->dmp1 != NULL);
837   assert(rsa->dmq1 != NULL);
838   assert(rsa->iqmp != NULL);
839 
840   BIGNUM *r1, *m1;
841   int ret = 0;
842 
843   BN_CTX_start(ctx);
844   r1 = BN_CTX_get(ctx);
845   m1 = BN_CTX_get(ctx);
846   if (r1 == NULL ||
847       m1 == NULL) {
848     goto err;
849   }
850 
851   if (!freeze_private_key(rsa, ctx)) {
852     goto err;
853   }
854 
855   // Implementing RSA with CRT in constant-time is sensitive to which prime is
856   // larger. Canonicalize fields so that |p| is the larger prime.
857   const BIGNUM *dmp1 = rsa->dmp1_fixed, *dmq1 = rsa->dmq1_fixed;
858   const BN_MONT_CTX *mont_p = rsa->mont_p, *mont_q = rsa->mont_q;
859   if (BN_cmp(rsa->p, rsa->q) < 0) {
860     mont_p = rsa->mont_q;
861     mont_q = rsa->mont_p;
862     dmp1 = rsa->dmq1_fixed;
863     dmq1 = rsa->dmp1_fixed;
864   }
865 
866   // Use the minimal-width versions of |n|, |p|, and |q|. Either works, but if
867   // someone gives us non-minimal values, these will be slightly more efficient
868   // on the non-Montgomery operations.
869   const BIGNUM *n = &rsa->mont_n->N;
870   const BIGNUM *p = &mont_p->N;
871   const BIGNUM *q = &mont_q->N;
872 
873   // This is a pre-condition for |mod_montgomery|. It was already checked by the
874   // caller.
875   assert(BN_ucmp(I, n) < 0);
876 
877   if (// |m1| is the result modulo |q|.
878       !mod_montgomery(r1, I, q, mont_q, p, ctx) ||
879       !BN_mod_exp_mont_consttime(m1, r1, dmq1, q, ctx, mont_q) ||
880       // |r0| is the result modulo |p|.
881       !mod_montgomery(r1, I, p, mont_p, q, ctx) ||
882       !BN_mod_exp_mont_consttime(r0, r1, dmp1, p, ctx, mont_p) ||
883       // Compute r0 = r0 - m1 mod p. |p| is the larger prime, so |m1| is already
884       // fully reduced mod |p|.
885       !bn_mod_sub_consttime(r0, r0, m1, p, ctx) ||
886       // r0 = r0 * iqmp mod p. We use Montgomery multiplication to compute this
887       // in constant time. |inv_small_mod_large_mont| is in Montgomery form and
888       // r0 is not, so the result is taken out of Montgomery form.
889       !BN_mod_mul_montgomery(r0, r0, rsa->inv_small_mod_large_mont, mont_p,
890                              ctx) ||
891       // r0 = r0 * q + m1 gives the final result. Reducing modulo q gives m1, so
892       // it is correct mod p. Reducing modulo p gives (r0-m1)*iqmp*q + m1 = r0,
893       // so it is correct mod q. Finally, the result is bounded by [m1, n + m1),
894       // and the result is at least |m1|, so this must be the unique answer in
895       // [0, n).
896       !bn_mul_consttime(r0, r0, q, ctx) ||
897       !bn_uadd_consttime(r0, r0, m1) ||
898       // The result should be bounded by |n|, but fixed-width operations may
899       // bound the width slightly higher, so fix it.
900       !bn_resize_words(r0, n->width)) {
901     goto err;
902   }
903 
904   ret = 1;
905 
906 err:
907   BN_CTX_end(ctx);
908   return ret;
909 }
910 
ensure_bignum(BIGNUM ** out)911 static int ensure_bignum(BIGNUM **out) {
912   if (*out == NULL) {
913     *out = BN_new();
914   }
915   return *out != NULL;
916 }
917 
918 // kBoringSSLRSASqrtTwo is the BIGNUM representation of ⌊2¹⁵³⁵×√2⌋. This is
919 // chosen to give enough precision for 3072-bit RSA, the largest key size FIPS
920 // specifies. Key sizes beyond this will round up.
921 //
922 // To verify this number, check that n² < 2³⁰⁷¹ < (n+1)², where n is value
923 // represented here. Note the components are listed in little-endian order. Here
924 // is some sample Python code to check:
925 //
926 //   >>> TOBN = lambda a, b: a << 32 | b
927 //   >>> l = [ <paste the contents of kSqrtTwo> ]
928 //   >>> n = sum(a * 2**(64*i) for i, a in enumerate(l))
929 //   >>> n**2 < 2**3071 < (n+1)**2
930 //   True
931 const BN_ULONG kBoringSSLRSASqrtTwo[] = {
932     TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307),
933     TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f),
934     TOBN(0xb8cf341b, 0x6f8236c7), TOBN(0x4264dabc, 0xd528b651),
935     TOBN(0xf4d3a02c, 0xebc93e0c), TOBN(0x81394ab6, 0xd8fd0efd),
936     TOBN(0xeaa4a089, 0x9040ca4a), TOBN(0xf52f120f, 0x836e582e),
937     TOBN(0xcb2a6343, 0x31f3c84d), TOBN(0xc6d5a8a3, 0x8bb7e9dc),
938     TOBN(0x460abc72, 0x2f7c4e33), TOBN(0xcab1bc91, 0x1688458a),
939     TOBN(0x53059c60, 0x11bc337b), TOBN(0xd2202e87, 0x42af1f4e),
940     TOBN(0x78048736, 0x3dfa2768), TOBN(0x0f74a85e, 0x439c7b4a),
941     TOBN(0xa8b1fe6f, 0xdc83db39), TOBN(0x4afc8304, 0x3ab8a2c3),
942     TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
943     TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484),
944 };
945 const size_t kBoringSSLRSASqrtTwoLen = OPENSSL_ARRAY_SIZE(kBoringSSLRSASqrtTwo);
946 
947 // generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
948 // relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
949 // |p|. |sqrt2| must be ⌊2^(bits-1)×√2⌋ (or a slightly overestimate for large
950 // sizes), and |pow2_bits_100| must be 2^(bits-100).
951 //
952 // This function fails with probability around 2^-21.
generate_prime(BIGNUM * out,int bits,const BIGNUM * e,const BIGNUM * p,const BIGNUM * sqrt2,const BIGNUM * pow2_bits_100,BN_CTX * ctx,BN_GENCB * cb)953 static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
954                           const BIGNUM *p, const BIGNUM *sqrt2,
955                           const BIGNUM *pow2_bits_100, BN_CTX *ctx,
956                           BN_GENCB *cb) {
957   if (bits < 128 || (bits % BN_BITS2) != 0) {
958     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
959     return 0;
960   }
961   assert(BN_is_pow2(pow2_bits_100));
962   assert(BN_is_bit_set(pow2_bits_100, bits - 100));
963 
964   // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is nlen/2.
965 
966   // Use the limit from steps 4.7 and 5.8 for most values of |e|. When |e| is 3,
967   // the 186-4 limit is too low, so we use a higher one. Note this case is not
968   // reachable from |RSA_generate_key_fips|.
969   //
970   // |limit| determines the failure probability. We must find a prime that is
971   // not 1 mod |e|. By the prime number theorem, we'll find one with probability
972   // p = (e-1)/e * 2/(ln(2)*bits). Note the second term is doubled because we
973   // discard even numbers.
974   //
975   // The failure probability is thus (1-p)^limit. To convert that to a power of
976   // two, we take logs. -log_2((1-p)^limit) = -limit * ln(1-p) / ln(2).
977   //
978   // >>> def f(bits, e, limit):
979   // ...   p = (e-1.0)/e * 2.0/(math.log(2)*bits)
980   // ...   return -limit * math.log(1 - p) / math.log(2)
981   // ...
982   // >>> f(1024, 65537, 5*1024)
983   // 20.842750558272634
984   // >>> f(1536, 65537, 5*1536)
985   // 20.83294549602474
986   // >>> f(2048, 65537, 5*2048)
987   // 20.828047576234948
988   // >>> f(1024, 3, 8*1024)
989   // 22.222147925962307
990   // >>> f(1536, 3, 8*1536)
991   // 22.21518251065506
992   // >>> f(2048, 3, 8*2048)
993   // 22.211701985875937
994   if (bits >= INT_MAX/32) {
995     OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
996     return 0;
997   }
998   int limit = BN_is_word(e, 3) ? bits * 8 : bits * 5;
999 
1000   int ret = 0, tries = 0, rand_tries = 0;
1001   BN_CTX_start(ctx);
1002   BIGNUM *tmp = BN_CTX_get(ctx);
1003   if (tmp == NULL) {
1004     goto err;
1005   }
1006 
1007   for (;;) {
1008     // Generate a random number of length |bits| where the bottom bit is set
1009     // (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the
1010     // bound checked below in steps 4.4 and 5.5).
1011     if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) ||
1012         !BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) {
1013       goto err;
1014     }
1015 
1016     if (p != NULL) {
1017       // If |p| and |out| are too close, try again (step 5.4).
1018       if (!bn_abs_sub_consttime(tmp, out, p, ctx)) {
1019         goto err;
1020       }
1021       if (BN_cmp(tmp, pow2_bits_100) <= 0) {
1022         continue;
1023       }
1024     }
1025 
1026     // If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5). This is equivalent
1027     // to out <= ⌊2^(bits-1)×√2⌋, or out <= sqrt2 for FIPS key sizes.
1028     //
1029     // For larger keys, the comparison is approximate, leaning towards
1030     // retrying. That is, we reject a negligible fraction of primes that are
1031     // within the FIPS bound, but we will never accept a prime outside the
1032     // bound, ensuring the resulting RSA key is the right size.
1033     if (BN_cmp(out, sqrt2) <= 0) {
1034       continue;
1035     }
1036 
1037     // RSA key generation's bottleneck is discarding composites. If it fails
1038     // trial division, do not bother computing a GCD or performing Miller-Rabin.
1039     if (!bn_odd_number_is_obviously_composite(out)) {
1040       // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
1041       int relatively_prime;
1042       if (!BN_sub(tmp, out, BN_value_one()) ||
1043           !bn_is_relatively_prime(&relatively_prime, tmp, e, ctx)) {
1044         goto err;
1045       }
1046       if (relatively_prime) {
1047         // Test |out| for primality (steps 4.5.1 and 5.6.1).
1048         int is_probable_prime;
1049         if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 0,
1050                                cb)) {
1051           goto err;
1052         }
1053         if (is_probable_prime) {
1054           ret = 1;
1055           goto err;
1056         }
1057       }
1058     }
1059 
1060     // If we've tried too many times to find a prime, abort (steps 4.7 and
1061     // 5.8).
1062     tries++;
1063     if (tries >= limit) {
1064       OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
1065       goto err;
1066     }
1067     if (!BN_GENCB_call(cb, 2, tries)) {
1068       goto err;
1069     }
1070   }
1071 
1072 err:
1073   BN_CTX_end(ctx);
1074   return ret;
1075 }
1076 
1077 // rsa_generate_key_impl generates an RSA key using a generalized version of
1078 // FIPS 186-4 appendix B.3. |RSA_generate_key_fips| performs additional checks
1079 // for FIPS-compliant key generation.
1080 //
1081 // This function returns one on success and zero on failure. It has a failure
1082 // probability of about 2^-20.
rsa_generate_key_impl(RSA * rsa,int bits,const BIGNUM * e_value,BN_GENCB * cb)1083 static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value,
1084                                  BN_GENCB *cb) {
1085   // See FIPS 186-4 appendix B.3. This function implements a generalized version
1086   // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
1087   // for FIPS-compliant key generation.
1088 
1089   // Always generate RSA keys which are a multiple of 128 bits. Round |bits|
1090   // down as needed.
1091   bits &= ~127;
1092 
1093   // Reject excessively small keys.
1094   if (bits < 256) {
1095     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
1096     return 0;
1097   }
1098 
1099   // Reject excessively large public exponents. Windows CryptoAPI and Go don't
1100   // support values larger than 32 bits, so match their limits for generating
1101   // keys. (|check_modulus_and_exponent_sizes| uses a slightly more conservative
1102   // value, but we don't need to support generating such keys.)
1103   // https://github.com/golang/go/issues/3161
1104   // https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
1105   if (BN_num_bits(e_value) > 32) {
1106     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
1107     return 0;
1108   }
1109 
1110   int ret = 0;
1111   int prime_bits = bits / 2;
1112   BN_CTX *ctx = BN_CTX_new();
1113   if (ctx == NULL) {
1114     goto bn_err;
1115   }
1116   BN_CTX_start(ctx);
1117   BIGNUM *totient = BN_CTX_get(ctx);
1118   BIGNUM *pm1 = BN_CTX_get(ctx);
1119   BIGNUM *qm1 = BN_CTX_get(ctx);
1120   BIGNUM *sqrt2 = BN_CTX_get(ctx);
1121   BIGNUM *pow2_prime_bits_100 = BN_CTX_get(ctx);
1122   BIGNUM *pow2_prime_bits = BN_CTX_get(ctx);
1123   if (totient == NULL || pm1 == NULL || qm1 == NULL || sqrt2 == NULL ||
1124       pow2_prime_bits_100 == NULL || pow2_prime_bits == NULL ||
1125       !BN_set_bit(pow2_prime_bits_100, prime_bits - 100) ||
1126       !BN_set_bit(pow2_prime_bits, prime_bits)) {
1127     goto bn_err;
1128   }
1129 
1130   // We need the RSA components non-NULL.
1131   if (!ensure_bignum(&rsa->n) ||
1132       !ensure_bignum(&rsa->d) ||
1133       !ensure_bignum(&rsa->e) ||
1134       !ensure_bignum(&rsa->p) ||
1135       !ensure_bignum(&rsa->q) ||
1136       !ensure_bignum(&rsa->dmp1) ||
1137       !ensure_bignum(&rsa->dmq1)) {
1138     goto bn_err;
1139   }
1140 
1141   if (!BN_copy(rsa->e, e_value)) {
1142     goto bn_err;
1143   }
1144 
1145   // Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋.
1146   if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) {
1147     goto bn_err;
1148   }
1149   int sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
1150   assert(sqrt2_bits == (int)BN_num_bits(sqrt2));
1151   if (sqrt2_bits > prime_bits) {
1152     // For key sizes up to 3072 (prime_bits = 1536), this is exactly
1153     // ⌊2^(prime_bits-1)×√2⌋.
1154     if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) {
1155       goto bn_err;
1156     }
1157   } else if (prime_bits > sqrt2_bits) {
1158     // For key sizes beyond 3072, this is approximate. We err towards retrying
1159     // to ensure our key is the right size and round up.
1160     if (!BN_add_word(sqrt2, 1) ||
1161         !BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) {
1162       goto bn_err;
1163     }
1164   }
1165   assert(prime_bits == (int)BN_num_bits(sqrt2));
1166 
1167   do {
1168     // Generate p and q, each of size |prime_bits|, using the steps outlined in
1169     // appendix FIPS 186-4 appendix B.3.3.
1170     //
1171     // Each call to |generate_prime| fails with probability p = 2^-21. The
1172     // probability that either call fails is 1 - (1-p)^2, which is around 2^-20.
1173     if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2,
1174                         pow2_prime_bits_100, ctx, cb) ||
1175         !BN_GENCB_call(cb, 3, 0) ||
1176         !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2,
1177                         pow2_prime_bits_100, ctx, cb) ||
1178         !BN_GENCB_call(cb, 3, 1)) {
1179       goto bn_err;
1180     }
1181 
1182     if (BN_cmp(rsa->p, rsa->q) < 0) {
1183       BIGNUM *tmp = rsa->p;
1184       rsa->p = rsa->q;
1185       rsa->q = tmp;
1186     }
1187 
1188     // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
1189     // from typical RSA implementations which use (p-1)*(q-1).
1190     //
1191     // Note this means the size of d might reveal information about p-1 and
1192     // q-1. However, we do operations with Chinese Remainder Theorem, so we only
1193     // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
1194     // does not affect those two values.
1195     int no_inverse;
1196     if (!bn_usub_consttime(pm1, rsa->p, BN_value_one()) ||
1197         !bn_usub_consttime(qm1, rsa->q, BN_value_one()) ||
1198         !bn_lcm_consttime(totient, pm1, qm1, ctx) ||
1199         !bn_mod_inverse_consttime(rsa->d, &no_inverse, rsa->e, totient, ctx)) {
1200       goto bn_err;
1201     }
1202 
1203     // Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on
1204     // values for d.
1205   } while (BN_cmp(rsa->d, pow2_prime_bits) <= 0);
1206 
1207   if (// Calculate n.
1208       !bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) ||
1209       // Calculate d mod (p-1).
1210       !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, ctx) ||
1211       // Calculate d mod (q-1)
1212       !bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, ctx)) {
1213     goto bn_err;
1214   }
1215   bn_set_minimal_width(rsa->n);
1216 
1217   // Sanity-check that |rsa->n| has the specified size. This is implied by
1218   // |generate_prime|'s bounds.
1219   if (BN_num_bits(rsa->n) != (unsigned)bits) {
1220     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
1221     goto err;
1222   }
1223 
1224   // Call |freeze_private_key| to compute the inverse of q mod p, by way of
1225   // |rsa->mont_p|.
1226   if (!freeze_private_key(rsa, ctx)) {
1227     goto bn_err;
1228   }
1229 
1230   // The key generation process is complex and thus error-prone. It could be
1231   // disastrous to generate and then use a bad key so double-check that the key
1232   // makes sense.
1233   if (!RSA_check_key(rsa)) {
1234     OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
1235     goto err;
1236   }
1237 
1238   ret = 1;
1239 
1240 bn_err:
1241   if (!ret) {
1242     OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
1243   }
1244 err:
1245   if (ctx != NULL) {
1246     BN_CTX_end(ctx);
1247     BN_CTX_free(ctx);
1248   }
1249   return ret;
1250 }
1251 
replace_bignum(BIGNUM ** out,BIGNUM ** in)1252 static void replace_bignum(BIGNUM **out, BIGNUM **in) {
1253   BN_free(*out);
1254   *out = *in;
1255   *in = NULL;
1256 }
1257 
replace_bn_mont_ctx(BN_MONT_CTX ** out,BN_MONT_CTX ** in)1258 static void replace_bn_mont_ctx(BN_MONT_CTX **out, BN_MONT_CTX **in) {
1259   BN_MONT_CTX_free(*out);
1260   *out = *in;
1261   *in = NULL;
1262 }
1263 
RSA_generate_key_ex(RSA * rsa,int bits,const BIGNUM * e_value,BN_GENCB * cb)1264 int RSA_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e_value,
1265                         BN_GENCB *cb) {
1266   // |rsa_generate_key_impl|'s 2^-20 failure probability is too high at scale,
1267   // so we run the FIPS algorithm four times, bringing it down to 2^-80. We
1268   // should just adjust the retry limit, but FIPS 186-4 prescribes that value
1269   // and thus results in unnecessary complexity.
1270   for (int i = 0; i < 4; i++) {
1271     ERR_clear_error();
1272     // Generate into scratch space, to avoid leaving partial work on failure.
1273     RSA *tmp = RSA_new();
1274     if (tmp == NULL) {
1275       return 0;
1276     }
1277     if (rsa_generate_key_impl(tmp, bits, e_value, cb)) {
1278       replace_bignum(&rsa->n, &tmp->n);
1279       replace_bignum(&rsa->e, &tmp->e);
1280       replace_bignum(&rsa->d, &tmp->d);
1281       replace_bignum(&rsa->p, &tmp->p);
1282       replace_bignum(&rsa->q, &tmp->q);
1283       replace_bignum(&rsa->dmp1, &tmp->dmp1);
1284       replace_bignum(&rsa->dmq1, &tmp->dmq1);
1285       replace_bignum(&rsa->iqmp, &tmp->iqmp);
1286       replace_bn_mont_ctx(&rsa->mont_n, &tmp->mont_n);
1287       replace_bn_mont_ctx(&rsa->mont_p, &tmp->mont_p);
1288       replace_bn_mont_ctx(&rsa->mont_q, &tmp->mont_q);
1289       replace_bignum(&rsa->d_fixed, &tmp->d_fixed);
1290       replace_bignum(&rsa->dmp1_fixed, &tmp->dmp1_fixed);
1291       replace_bignum(&rsa->dmq1_fixed, &tmp->dmq1_fixed);
1292       replace_bignum(&rsa->inv_small_mod_large_mont,
1293                      &tmp->inv_small_mod_large_mont);
1294       rsa->private_key_frozen = tmp->private_key_frozen;
1295       RSA_free(tmp);
1296       return 1;
1297     }
1298     uint32_t err = ERR_peek_error();
1299     RSA_free(tmp);
1300     tmp = NULL;
1301     // Only retry on |RSA_R_TOO_MANY_ITERATIONS|. This is so a caller-induced
1302     // failure in |BN_GENCB_call| is still fatal.
1303     if (ERR_GET_LIB(err) != ERR_LIB_RSA ||
1304         ERR_GET_REASON(err) != RSA_R_TOO_MANY_ITERATIONS) {
1305       return 0;
1306     }
1307   }
1308 
1309   return 0;
1310 }
1311 
RSA_generate_key_fips(RSA * rsa,int bits,BN_GENCB * cb)1312 int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) {
1313   // FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit
1314   // primes, respectively) with the prime generation method we use.
1315   if (bits != 2048 && bits != 3072) {
1316     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
1317     return 0;
1318   }
1319 
1320   BIGNUM *e = BN_new();
1321   int ret = e != NULL &&
1322             BN_set_word(e, RSA_F4) &&
1323             RSA_generate_key_ex(rsa, bits, e, cb) &&
1324             RSA_check_fips(rsa);
1325   BN_free(e);
1326   return ret;
1327 }
1328 
DEFINE_METHOD_FUNCTION(RSA_METHOD,RSA_default_method)1329 DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) {
1330   // All of the methods are NULL to make it easier for the compiler/linker to
1331   // drop unused functions. The wrapper functions will select the appropriate
1332   // |rsa_default_*| implementation.
1333   OPENSSL_memset(out, 0, sizeof(RSA_METHOD));
1334   out->common.is_static = 1;
1335 }
1336