1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <limits.h>
60 #include <string.h>
61
62 #include <openssl/bn.h>
63 #include <openssl/digest.h>
64 #include <openssl/engine.h>
65 #include <openssl/err.h>
66 #include <openssl/ex_data.h>
67 #include <openssl/md5.h>
68 #include <openssl/mem.h>
69 #include <openssl/nid.h>
70 #include <openssl/sha.h>
71 #include <openssl/thread.h>
72
73 #include "../bn/internal.h"
74 #include "../delocate.h"
75 #include "../../internal.h"
76 #include "internal.h"
77
78
79 // RSA_R_BLOCK_TYPE_IS_NOT_02 is part of the legacy SSLv23 padding scheme.
80 // Cryptography.io depends on this error code.
OPENSSL_DECLARE_ERROR_REASON(RSA,BLOCK_TYPE_IS_NOT_02)81 OPENSSL_DECLARE_ERROR_REASON(RSA, BLOCK_TYPE_IS_NOT_02)
82
83 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class)
84
85 RSA *RSA_new(void) { return RSA_new_method(NULL); }
86
RSA_new_method(const ENGINE * engine)87 RSA *RSA_new_method(const ENGINE *engine) {
88 RSA *rsa = OPENSSL_malloc(sizeof(RSA));
89 if (rsa == NULL) {
90 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
91 return NULL;
92 }
93
94 OPENSSL_memset(rsa, 0, sizeof(RSA));
95
96 if (engine) {
97 rsa->meth = ENGINE_get_RSA_method(engine);
98 }
99
100 if (rsa->meth == NULL) {
101 rsa->meth = (RSA_METHOD *) RSA_default_method();
102 }
103 METHOD_ref(rsa->meth);
104
105 rsa->references = 1;
106 rsa->flags = rsa->meth->flags;
107 CRYPTO_MUTEX_init(&rsa->lock);
108 CRYPTO_new_ex_data(&rsa->ex_data);
109
110 if (rsa->meth->init && !rsa->meth->init(rsa)) {
111 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
112 CRYPTO_MUTEX_cleanup(&rsa->lock);
113 METHOD_unref(rsa->meth);
114 OPENSSL_free(rsa);
115 return NULL;
116 }
117
118 return rsa;
119 }
120
RSA_free(RSA * rsa)121 void RSA_free(RSA *rsa) {
122 unsigned u;
123
124 if (rsa == NULL) {
125 return;
126 }
127
128 if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
129 return;
130 }
131
132 if (rsa->meth->finish) {
133 rsa->meth->finish(rsa);
134 }
135 METHOD_unref(rsa->meth);
136
137 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
138
139 BN_free(rsa->n);
140 BN_free(rsa->e);
141 BN_free(rsa->d);
142 BN_free(rsa->p);
143 BN_free(rsa->q);
144 BN_free(rsa->dmp1);
145 BN_free(rsa->dmq1);
146 BN_free(rsa->iqmp);
147 BN_MONT_CTX_free(rsa->mont_n);
148 BN_MONT_CTX_free(rsa->mont_p);
149 BN_MONT_CTX_free(rsa->mont_q);
150 BN_free(rsa->d_fixed);
151 BN_free(rsa->dmp1_fixed);
152 BN_free(rsa->dmq1_fixed);
153 BN_free(rsa->inv_small_mod_large_mont);
154 for (u = 0; u < rsa->num_blindings; u++) {
155 BN_BLINDING_free(rsa->blindings[u]);
156 }
157 OPENSSL_free(rsa->blindings);
158 OPENSSL_free(rsa->blindings_inuse);
159 CRYPTO_MUTEX_cleanup(&rsa->lock);
160 OPENSSL_free(rsa);
161 }
162
RSA_up_ref(RSA * rsa)163 int RSA_up_ref(RSA *rsa) {
164 CRYPTO_refcount_inc(&rsa->references);
165 return 1;
166 }
167
RSA_bits(const RSA * rsa)168 unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); }
169
RSA_get0_key(const RSA * rsa,const BIGNUM ** out_n,const BIGNUM ** out_e,const BIGNUM ** out_d)170 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
171 const BIGNUM **out_d) {
172 if (out_n != NULL) {
173 *out_n = rsa->n;
174 }
175 if (out_e != NULL) {
176 *out_e = rsa->e;
177 }
178 if (out_d != NULL) {
179 *out_d = rsa->d;
180 }
181 }
182
RSA_get0_factors(const RSA * rsa,const BIGNUM ** out_p,const BIGNUM ** out_q)183 void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
184 const BIGNUM **out_q) {
185 if (out_p != NULL) {
186 *out_p = rsa->p;
187 }
188 if (out_q != NULL) {
189 *out_q = rsa->q;
190 }
191 }
192
RSA_get0_crt_params(const RSA * rsa,const BIGNUM ** out_dmp1,const BIGNUM ** out_dmq1,const BIGNUM ** out_iqmp)193 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
194 const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
195 if (out_dmp1 != NULL) {
196 *out_dmp1 = rsa->dmp1;
197 }
198 if (out_dmq1 != NULL) {
199 *out_dmq1 = rsa->dmq1;
200 }
201 if (out_iqmp != NULL) {
202 *out_iqmp = rsa->iqmp;
203 }
204 }
205
RSA_set0_key(RSA * rsa,BIGNUM * n,BIGNUM * e,BIGNUM * d)206 int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
207 if ((rsa->n == NULL && n == NULL) ||
208 (rsa->e == NULL && e == NULL)) {
209 return 0;
210 }
211
212 if (n != NULL) {
213 BN_free(rsa->n);
214 rsa->n = n;
215 }
216 if (e != NULL) {
217 BN_free(rsa->e);
218 rsa->e = e;
219 }
220 if (d != NULL) {
221 BN_free(rsa->d);
222 rsa->d = d;
223 }
224
225 return 1;
226 }
227
RSA_set0_factors(RSA * rsa,BIGNUM * p,BIGNUM * q)228 int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {
229 if ((rsa->p == NULL && p == NULL) ||
230 (rsa->q == NULL && q == NULL)) {
231 return 0;
232 }
233
234 if (p != NULL) {
235 BN_free(rsa->p);
236 rsa->p = p;
237 }
238 if (q != NULL) {
239 BN_free(rsa->q);
240 rsa->q = q;
241 }
242
243 return 1;
244 }
245
RSA_set0_crt_params(RSA * rsa,BIGNUM * dmp1,BIGNUM * dmq1,BIGNUM * iqmp)246 int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
247 if ((rsa->dmp1 == NULL && dmp1 == NULL) ||
248 (rsa->dmq1 == NULL && dmq1 == NULL) ||
249 (rsa->iqmp == NULL && iqmp == NULL)) {
250 return 0;
251 }
252
253 if (dmp1 != NULL) {
254 BN_free(rsa->dmp1);
255 rsa->dmp1 = dmp1;
256 }
257 if (dmq1 != NULL) {
258 BN_free(rsa->dmq1);
259 rsa->dmq1 = dmq1;
260 }
261 if (iqmp != NULL) {
262 BN_free(rsa->iqmp);
263 rsa->iqmp = iqmp;
264 }
265
266 return 1;
267 }
268
RSA_public_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)269 int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
270 int padding) {
271 size_t out_len;
272
273 if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
274 return -1;
275 }
276
277 if (out_len > INT_MAX) {
278 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
279 return -1;
280 }
281 return out_len;
282 }
283
RSA_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)284 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
285 const uint8_t *in, size_t in_len, int padding) {
286 if (rsa->meth->sign_raw) {
287 return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
288 }
289
290 return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
291 }
292
RSA_private_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)293 int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
294 int padding) {
295 size_t out_len;
296
297 if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
298 return -1;
299 }
300
301 if (out_len > INT_MAX) {
302 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
303 return -1;
304 }
305 return out_len;
306 }
307
RSA_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)308 int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
309 const uint8_t *in, size_t in_len, int padding) {
310 if (rsa->meth->decrypt) {
311 return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
312 }
313
314 return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
315 }
316
RSA_private_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)317 int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
318 int padding) {
319 size_t out_len;
320
321 if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
322 return -1;
323 }
324
325 if (out_len > INT_MAX) {
326 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
327 return -1;
328 }
329 return out_len;
330 }
331
RSA_public_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)332 int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
333 int padding) {
334 size_t out_len;
335
336 if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
337 return -1;
338 }
339
340 if (out_len > INT_MAX) {
341 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
342 return -1;
343 }
344 return out_len;
345 }
346
RSA_size(const RSA * rsa)347 unsigned RSA_size(const RSA *rsa) {
348 if (rsa->meth->size) {
349 return rsa->meth->size(rsa);
350 }
351
352 return rsa_default_size(rsa);
353 }
354
RSA_is_opaque(const RSA * rsa)355 int RSA_is_opaque(const RSA *rsa) {
356 return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
357 }
358
RSA_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)359 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
360 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
361 int index;
362 if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
363 argp, free_func)) {
364 return -1;
365 }
366 return index;
367 }
368
RSA_set_ex_data(RSA * rsa,int idx,void * arg)369 int RSA_set_ex_data(RSA *rsa, int idx, void *arg) {
370 return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg);
371 }
372
RSA_get_ex_data(const RSA * rsa,int idx)373 void *RSA_get_ex_data(const RSA *rsa, int idx) {
374 return CRYPTO_get_ex_data(&rsa->ex_data, idx);
375 }
376
377 // SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
378 // the length of an MD5 and SHA1 hash.
379 static const unsigned SSL_SIG_LENGTH = 36;
380
381 // pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
382 // to be signed with PKCS#1.
383 struct pkcs1_sig_prefix {
384 // nid identifies the hash function.
385 int nid;
386 // hash_len is the expected length of the hash function.
387 uint8_t hash_len;
388 // len is the number of bytes of |bytes| which are valid.
389 uint8_t len;
390 // bytes contains the DER bytes.
391 uint8_t bytes[19];
392 };
393
394 // kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
395 // different hash functions.
396 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
397 {
398 NID_md5,
399 MD5_DIGEST_LENGTH,
400 18,
401 {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
402 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
403 },
404 {
405 NID_sha1,
406 SHA_DIGEST_LENGTH,
407 15,
408 {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
409 0x00, 0x04, 0x14},
410 },
411 {
412 NID_sha224,
413 SHA224_DIGEST_LENGTH,
414 19,
415 {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
416 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
417 },
418 {
419 NID_sha256,
420 SHA256_DIGEST_LENGTH,
421 19,
422 {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
423 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
424 },
425 {
426 NID_sha384,
427 SHA384_DIGEST_LENGTH,
428 19,
429 {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
430 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
431 },
432 {
433 NID_sha512,
434 SHA512_DIGEST_LENGTH,
435 19,
436 {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
437 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
438 },
439 {
440 NID_undef, 0, 0, {0},
441 },
442 };
443
RSA_add_pkcs1_prefix(uint8_t ** out_msg,size_t * out_msg_len,int * is_alloced,int hash_nid,const uint8_t * msg,size_t msg_len)444 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
445 int *is_alloced, int hash_nid, const uint8_t *msg,
446 size_t msg_len) {
447 unsigned i;
448
449 if (hash_nid == NID_md5_sha1) {
450 // Special case: SSL signature, just check the length.
451 if (msg_len != SSL_SIG_LENGTH) {
452 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
453 return 0;
454 }
455
456 *out_msg = (uint8_t*) msg;
457 *out_msg_len = SSL_SIG_LENGTH;
458 *is_alloced = 0;
459 return 1;
460 }
461
462 for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
463 const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
464 if (sig_prefix->nid != hash_nid) {
465 continue;
466 }
467
468 if (msg_len != sig_prefix->hash_len) {
469 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
470 return 0;
471 }
472
473 const uint8_t* prefix = sig_prefix->bytes;
474 unsigned prefix_len = sig_prefix->len;
475 unsigned signed_msg_len;
476 uint8_t *signed_msg;
477
478 signed_msg_len = prefix_len + msg_len;
479 if (signed_msg_len < prefix_len) {
480 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
481 return 0;
482 }
483
484 signed_msg = OPENSSL_malloc(signed_msg_len);
485 if (!signed_msg) {
486 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
487 return 0;
488 }
489
490 OPENSSL_memcpy(signed_msg, prefix, prefix_len);
491 OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len);
492
493 *out_msg = signed_msg;
494 *out_msg_len = signed_msg_len;
495 *is_alloced = 1;
496
497 return 1;
498 }
499
500 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
501 return 0;
502 }
503
RSA_sign(int hash_nid,const uint8_t * in,unsigned in_len,uint8_t * out,unsigned * out_len,RSA * rsa)504 int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
505 unsigned *out_len, RSA *rsa) {
506 const unsigned rsa_size = RSA_size(rsa);
507 int ret = 0;
508 uint8_t *signed_msg = NULL;
509 size_t signed_msg_len = 0;
510 int signed_msg_is_alloced = 0;
511 size_t size_t_out_len;
512
513 if (rsa->meth->sign) {
514 return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
515 }
516
517 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
518 &signed_msg_is_alloced, hash_nid, in, in_len) ||
519 !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
520 signed_msg_len, RSA_PKCS1_PADDING)) {
521 goto err;
522 }
523
524 *out_len = size_t_out_len;
525 ret = 1;
526
527 err:
528 if (signed_msg_is_alloced) {
529 OPENSSL_free(signed_msg);
530 }
531 return ret;
532 }
533
RSA_sign_pss_mgf1(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len)534 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
535 const uint8_t *in, size_t in_len, const EVP_MD *md,
536 const EVP_MD *mgf1_md, int salt_len) {
537 if (in_len != EVP_MD_size(md)) {
538 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
539 return 0;
540 }
541
542 size_t padded_len = RSA_size(rsa);
543 uint8_t *padded = OPENSSL_malloc(padded_len);
544 if (padded == NULL) {
545 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
546 return 0;
547 }
548
549 int ret =
550 RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) &&
551 RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
552 RSA_NO_PADDING);
553 OPENSSL_free(padded);
554 return ret;
555 }
556
RSA_verify(int hash_nid,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len,RSA * rsa)557 int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
558 const uint8_t *sig, size_t sig_len, RSA *rsa) {
559 if (rsa->n == NULL || rsa->e == NULL) {
560 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
561 return 0;
562 }
563
564 const size_t rsa_size = RSA_size(rsa);
565 uint8_t *buf = NULL;
566 int ret = 0;
567 uint8_t *signed_msg = NULL;
568 size_t signed_msg_len = 0, len;
569 int signed_msg_is_alloced = 0;
570
571 if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
572 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
573 return 0;
574 }
575
576 buf = OPENSSL_malloc(rsa_size);
577 if (!buf) {
578 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
579 return 0;
580 }
581
582 if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
583 RSA_PKCS1_PADDING)) {
584 goto out;
585 }
586
587 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
588 &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
589 goto out;
590 }
591
592 // Check that no other information follows the hash value (FIPS 186-4 Section
593 // 5.5) and it matches the expected hash.
594 if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
595 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
596 goto out;
597 }
598
599 ret = 1;
600
601 out:
602 OPENSSL_free(buf);
603 if (signed_msg_is_alloced) {
604 OPENSSL_free(signed_msg);
605 }
606 return ret;
607 }
608
RSA_verify_pss_mgf1(RSA * rsa,const uint8_t * msg,size_t msg_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len,const uint8_t * sig,size_t sig_len)609 int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len,
610 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
611 const uint8_t *sig, size_t sig_len) {
612 if (msg_len != EVP_MD_size(md)) {
613 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
614 return 0;
615 }
616
617 size_t em_len = RSA_size(rsa);
618 uint8_t *em = OPENSSL_malloc(em_len);
619 if (em == NULL) {
620 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
621 return 0;
622 }
623
624 int ret = 0;
625 if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
626 goto err;
627 }
628
629 if (em_len != RSA_size(rsa)) {
630 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
631 goto err;
632 }
633
634 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len);
635
636 err:
637 OPENSSL_free(em);
638 return ret;
639 }
640
check_mod_inverse(int * out_ok,const BIGNUM * a,const BIGNUM * ainv,const BIGNUM * m,int check_reduced,BN_CTX * ctx)641 static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
642 const BIGNUM *m, int check_reduced, BN_CTX *ctx) {
643 BN_CTX_start(ctx);
644 BIGNUM *tmp = BN_CTX_get(ctx);
645 int ret = tmp != NULL &&
646 bn_mul_consttime(tmp, a, ainv, ctx) &&
647 bn_div_consttime(NULL, tmp, tmp, m, ctx);
648 if (ret) {
649 *out_ok = BN_is_one(tmp);
650 if (check_reduced && (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0)) {
651 *out_ok = 0;
652 }
653 }
654 BN_CTX_end(ctx);
655 return ret;
656 }
657
RSA_check_key(const RSA * key)658 int RSA_check_key(const RSA *key) {
659 BIGNUM n, pm1, qm1, lcm, dmp1, dmq1, iqmp_times_q;
660 BN_CTX *ctx;
661 int ok = 0, has_crt_values;
662
663 if (RSA_is_opaque(key)) {
664 // Opaque keys can't be checked.
665 return 1;
666 }
667
668 if ((key->p != NULL) != (key->q != NULL)) {
669 OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
670 return 0;
671 }
672
673 if (!key->n || !key->e) {
674 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
675 return 0;
676 }
677
678 if (!key->d || !key->p) {
679 // For a public key, or without p and q, there's nothing that can be
680 // checked.
681 return 1;
682 }
683
684 ctx = BN_CTX_new();
685 if (ctx == NULL) {
686 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
687 return 0;
688 }
689
690 BN_init(&n);
691 BN_init(&pm1);
692 BN_init(&qm1);
693 BN_init(&lcm);
694 BN_init(&dmp1);
695 BN_init(&dmq1);
696 BN_init(&iqmp_times_q);
697
698 int d_ok;
699 if (!bn_mul_consttime(&n, key->p, key->q, ctx) ||
700 // lcm = lcm(p, q)
701 !bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
702 !bn_usub_consttime(&qm1, key->q, BN_value_one()) ||
703 !bn_lcm_consttime(&lcm, &pm1, &qm1, ctx) ||
704 // Other implementations use the Euler totient rather than the Carmichael
705 // totient, so allow unreduced |key->d|.
706 !check_mod_inverse(&d_ok, key->e, key->d, &lcm,
707 0 /* don't require reduced */, ctx)) {
708 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
709 goto out;
710 }
711
712 if (BN_cmp(&n, key->n) != 0) {
713 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
714 goto out;
715 }
716
717 if (!d_ok) {
718 OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
719 goto out;
720 }
721
722 if (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0) {
723 OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
724 goto out;
725 }
726
727 has_crt_values = key->dmp1 != NULL;
728 if (has_crt_values != (key->dmq1 != NULL) ||
729 has_crt_values != (key->iqmp != NULL)) {
730 OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
731 goto out;
732 }
733
734 if (has_crt_values) {
735 int dmp1_ok, dmq1_ok, iqmp_ok;
736 if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1,
737 1 /* check reduced */, ctx) ||
738 !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1,
739 1 /* check reduced */, ctx) ||
740 !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p,
741 1 /* check reduced */, ctx)) {
742 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
743 goto out;
744 }
745
746 if (!dmp1_ok || !dmq1_ok || !iqmp_ok) {
747 OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
748 goto out;
749 }
750 }
751
752 ok = 1;
753
754 out:
755 BN_free(&n);
756 BN_free(&pm1);
757 BN_free(&qm1);
758 BN_free(&lcm);
759 BN_free(&dmp1);
760 BN_free(&dmq1);
761 BN_free(&iqmp_times_q);
762 BN_CTX_free(ctx);
763
764 return ok;
765 }
766
767
768 // This is the product of the 132 smallest odd primes, from 3 to 751.
769 static const BN_ULONG kSmallFactorsLimbs[] = {
770 TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
771 TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
772 TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
773 TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
774 TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
775 TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
776 TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
777 TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
778 0x000017b1
779 };
780
DEFINE_LOCAL_DATA(BIGNUM,g_small_factors)781 DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
782 out->d = (BN_ULONG *) kSmallFactorsLimbs;
783 out->width = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
784 out->dmax = out->width;
785 out->neg = 0;
786 out->flags = BN_FLG_STATIC_DATA;
787 }
788
RSA_check_fips(RSA * key)789 int RSA_check_fips(RSA *key) {
790 if (RSA_is_opaque(key)) {
791 // Opaque keys can't be checked.
792 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
793 return 0;
794 }
795
796 if (!RSA_check_key(key)) {
797 return 0;
798 }
799
800 BN_CTX *ctx = BN_CTX_new();
801 if (ctx == NULL) {
802 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
803 return 0;
804 }
805
806 BIGNUM small_gcd;
807 BN_init(&small_gcd);
808
809 int ret = 1;
810
811 // Perform partial public key validation of RSA keys (SP 800-89 5.3.3).
812 enum bn_primality_result_t primality_result;
813 if (BN_num_bits(key->e) <= 16 ||
814 BN_num_bits(key->e) > 256 ||
815 !BN_is_odd(key->n) ||
816 !BN_is_odd(key->e) ||
817 !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
818 !BN_is_one(&small_gcd) ||
819 !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
820 BN_prime_checks, ctx, NULL) ||
821 primality_result != bn_non_prime_power_composite) {
822 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
823 ret = 0;
824 }
825
826 BN_free(&small_gcd);
827 BN_CTX_free(ctx);
828
829 if (!ret || key->d == NULL || key->p == NULL) {
830 // On a failure or on only a public key, there's nothing else can be
831 // checked.
832 return ret;
833 }
834
835 // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
836 // section 9.9, it is not known whether |rsa| will be used for signing or
837 // encryption, so either pair-wise consistency self-test is acceptable. We
838 // perform a signing test.
839 uint8_t data[32] = {0};
840 unsigned sig_len = RSA_size(key);
841 uint8_t *sig = OPENSSL_malloc(sig_len);
842 if (sig == NULL) {
843 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
844 return 0;
845 }
846
847 if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
848 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
849 ret = 0;
850 goto cleanup;
851 }
852 #if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
853 data[0] = ~data[0];
854 #endif
855 if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
856 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
857 ret = 0;
858 }
859
860 cleanup:
861 OPENSSL_free(sig);
862
863 return ret;
864 }
865
RSA_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)866 int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
867 size_t len) {
868 if (rsa->meth->private_transform) {
869 return rsa->meth->private_transform(rsa, out, in, len);
870 }
871
872 return rsa_default_private_transform(rsa, out, in, len);
873 }
874
RSA_flags(const RSA * rsa)875 int RSA_flags(const RSA *rsa) { return rsa->flags; }
876
RSA_blinding_on(RSA * rsa,BN_CTX * ctx)877 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
878 return 1;
879 }
880