• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #include <openssl/rsa.h>
58 
59 #include <limits.h>
60 #include <string.h>
61 
62 #include <openssl/bn.h>
63 #include <openssl/digest.h>
64 #include <openssl/engine.h>
65 #include <openssl/err.h>
66 #include <openssl/ex_data.h>
67 #include <openssl/md5.h>
68 #include <openssl/mem.h>
69 #include <openssl/nid.h>
70 #include <openssl/sha.h>
71 #include <openssl/thread.h>
72 
73 #include "../bn/internal.h"
74 #include "../delocate.h"
75 #include "../../internal.h"
76 #include "internal.h"
77 
78 
79 // RSA_R_BLOCK_TYPE_IS_NOT_02 is part of the legacy SSLv23 padding scheme.
80 // Cryptography.io depends on this error code.
OPENSSL_DECLARE_ERROR_REASON(RSA,BLOCK_TYPE_IS_NOT_02)81 OPENSSL_DECLARE_ERROR_REASON(RSA, BLOCK_TYPE_IS_NOT_02)
82 
83 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class)
84 
85 RSA *RSA_new(void) { return RSA_new_method(NULL); }
86 
RSA_new_method(const ENGINE * engine)87 RSA *RSA_new_method(const ENGINE *engine) {
88   RSA *rsa = OPENSSL_malloc(sizeof(RSA));
89   if (rsa == NULL) {
90     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
91     return NULL;
92   }
93 
94   OPENSSL_memset(rsa, 0, sizeof(RSA));
95 
96   if (engine) {
97     rsa->meth = ENGINE_get_RSA_method(engine);
98   }
99 
100   if (rsa->meth == NULL) {
101     rsa->meth = (RSA_METHOD *) RSA_default_method();
102   }
103   METHOD_ref(rsa->meth);
104 
105   rsa->references = 1;
106   rsa->flags = rsa->meth->flags;
107   CRYPTO_MUTEX_init(&rsa->lock);
108   CRYPTO_new_ex_data(&rsa->ex_data);
109 
110   if (rsa->meth->init && !rsa->meth->init(rsa)) {
111     CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
112     CRYPTO_MUTEX_cleanup(&rsa->lock);
113     METHOD_unref(rsa->meth);
114     OPENSSL_free(rsa);
115     return NULL;
116   }
117 
118   return rsa;
119 }
120 
RSA_free(RSA * rsa)121 void RSA_free(RSA *rsa) {
122   unsigned u;
123 
124   if (rsa == NULL) {
125     return;
126   }
127 
128   if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
129     return;
130   }
131 
132   if (rsa->meth->finish) {
133     rsa->meth->finish(rsa);
134   }
135   METHOD_unref(rsa->meth);
136 
137   CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
138 
139   BN_free(rsa->n);
140   BN_free(rsa->e);
141   BN_free(rsa->d);
142   BN_free(rsa->p);
143   BN_free(rsa->q);
144   BN_free(rsa->dmp1);
145   BN_free(rsa->dmq1);
146   BN_free(rsa->iqmp);
147   BN_MONT_CTX_free(rsa->mont_n);
148   BN_MONT_CTX_free(rsa->mont_p);
149   BN_MONT_CTX_free(rsa->mont_q);
150   BN_free(rsa->d_fixed);
151   BN_free(rsa->dmp1_fixed);
152   BN_free(rsa->dmq1_fixed);
153   BN_free(rsa->inv_small_mod_large_mont);
154   for (u = 0; u < rsa->num_blindings; u++) {
155     BN_BLINDING_free(rsa->blindings[u]);
156   }
157   OPENSSL_free(rsa->blindings);
158   OPENSSL_free(rsa->blindings_inuse);
159   CRYPTO_MUTEX_cleanup(&rsa->lock);
160   OPENSSL_free(rsa);
161 }
162 
RSA_up_ref(RSA * rsa)163 int RSA_up_ref(RSA *rsa) {
164   CRYPTO_refcount_inc(&rsa->references);
165   return 1;
166 }
167 
RSA_bits(const RSA * rsa)168 unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); }
169 
RSA_get0_key(const RSA * rsa,const BIGNUM ** out_n,const BIGNUM ** out_e,const BIGNUM ** out_d)170 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
171                   const BIGNUM **out_d) {
172   if (out_n != NULL) {
173     *out_n = rsa->n;
174   }
175   if (out_e != NULL) {
176     *out_e = rsa->e;
177   }
178   if (out_d != NULL) {
179     *out_d = rsa->d;
180   }
181 }
182 
RSA_get0_factors(const RSA * rsa,const BIGNUM ** out_p,const BIGNUM ** out_q)183 void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
184                       const BIGNUM **out_q) {
185   if (out_p != NULL) {
186     *out_p = rsa->p;
187   }
188   if (out_q != NULL) {
189     *out_q = rsa->q;
190   }
191 }
192 
RSA_get0_crt_params(const RSA * rsa,const BIGNUM ** out_dmp1,const BIGNUM ** out_dmq1,const BIGNUM ** out_iqmp)193 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
194                          const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
195   if (out_dmp1 != NULL) {
196     *out_dmp1 = rsa->dmp1;
197   }
198   if (out_dmq1 != NULL) {
199     *out_dmq1 = rsa->dmq1;
200   }
201   if (out_iqmp != NULL) {
202     *out_iqmp = rsa->iqmp;
203   }
204 }
205 
RSA_set0_key(RSA * rsa,BIGNUM * n,BIGNUM * e,BIGNUM * d)206 int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
207   if ((rsa->n == NULL && n == NULL) ||
208       (rsa->e == NULL && e == NULL)) {
209     return 0;
210   }
211 
212   if (n != NULL) {
213     BN_free(rsa->n);
214     rsa->n = n;
215   }
216   if (e != NULL) {
217     BN_free(rsa->e);
218     rsa->e = e;
219   }
220   if (d != NULL) {
221     BN_free(rsa->d);
222     rsa->d = d;
223   }
224 
225   return 1;
226 }
227 
RSA_set0_factors(RSA * rsa,BIGNUM * p,BIGNUM * q)228 int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {
229   if ((rsa->p == NULL && p == NULL) ||
230       (rsa->q == NULL && q == NULL)) {
231     return 0;
232   }
233 
234   if (p != NULL) {
235     BN_free(rsa->p);
236     rsa->p = p;
237   }
238   if (q != NULL) {
239     BN_free(rsa->q);
240     rsa->q = q;
241   }
242 
243   return 1;
244 }
245 
RSA_set0_crt_params(RSA * rsa,BIGNUM * dmp1,BIGNUM * dmq1,BIGNUM * iqmp)246 int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
247   if ((rsa->dmp1 == NULL && dmp1 == NULL) ||
248       (rsa->dmq1 == NULL && dmq1 == NULL) ||
249       (rsa->iqmp == NULL && iqmp == NULL)) {
250     return 0;
251   }
252 
253   if (dmp1 != NULL) {
254     BN_free(rsa->dmp1);
255     rsa->dmp1 = dmp1;
256   }
257   if (dmq1 != NULL) {
258     BN_free(rsa->dmq1);
259     rsa->dmq1 = dmq1;
260   }
261   if (iqmp != NULL) {
262     BN_free(rsa->iqmp);
263     rsa->iqmp = iqmp;
264   }
265 
266   return 1;
267 }
268 
RSA_public_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)269 int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
270                        int padding) {
271   size_t out_len;
272 
273   if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
274     return -1;
275   }
276 
277   if (out_len > INT_MAX) {
278     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
279     return -1;
280   }
281   return out_len;
282 }
283 
RSA_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)284 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
285                  const uint8_t *in, size_t in_len, int padding) {
286   if (rsa->meth->sign_raw) {
287     return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
288   }
289 
290   return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
291 }
292 
RSA_private_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)293 int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
294                         int padding) {
295   size_t out_len;
296 
297   if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
298     return -1;
299   }
300 
301   if (out_len > INT_MAX) {
302     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
303     return -1;
304   }
305   return out_len;
306 }
307 
RSA_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)308 int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
309                 const uint8_t *in, size_t in_len, int padding) {
310   if (rsa->meth->decrypt) {
311     return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
312   }
313 
314   return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
315 }
316 
RSA_private_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)317 int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
318                         int padding) {
319   size_t out_len;
320 
321   if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
322     return -1;
323   }
324 
325   if (out_len > INT_MAX) {
326     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
327     return -1;
328   }
329   return out_len;
330 }
331 
RSA_public_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)332 int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
333                        int padding) {
334   size_t out_len;
335 
336   if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
337     return -1;
338   }
339 
340   if (out_len > INT_MAX) {
341     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
342     return -1;
343   }
344   return out_len;
345 }
346 
RSA_size(const RSA * rsa)347 unsigned RSA_size(const RSA *rsa) {
348   if (rsa->meth->size) {
349     return rsa->meth->size(rsa);
350   }
351 
352   return rsa_default_size(rsa);
353 }
354 
RSA_is_opaque(const RSA * rsa)355 int RSA_is_opaque(const RSA *rsa) {
356   return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
357 }
358 
RSA_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)359 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
360                          CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
361   int index;
362   if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
363                                argp, free_func)) {
364     return -1;
365   }
366   return index;
367 }
368 
RSA_set_ex_data(RSA * rsa,int idx,void * arg)369 int RSA_set_ex_data(RSA *rsa, int idx, void *arg) {
370   return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg);
371 }
372 
RSA_get_ex_data(const RSA * rsa,int idx)373 void *RSA_get_ex_data(const RSA *rsa, int idx) {
374   return CRYPTO_get_ex_data(&rsa->ex_data, idx);
375 }
376 
377 // SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
378 // the length of an MD5 and SHA1 hash.
379 static const unsigned SSL_SIG_LENGTH = 36;
380 
381 // pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
382 // to be signed with PKCS#1.
383 struct pkcs1_sig_prefix {
384   // nid identifies the hash function.
385   int nid;
386   // hash_len is the expected length of the hash function.
387   uint8_t hash_len;
388   // len is the number of bytes of |bytes| which are valid.
389   uint8_t len;
390   // bytes contains the DER bytes.
391   uint8_t bytes[19];
392 };
393 
394 // kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
395 // different hash functions.
396 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
397     {
398      NID_md5,
399      MD5_DIGEST_LENGTH,
400      18,
401      {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
402       0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
403     },
404     {
405      NID_sha1,
406      SHA_DIGEST_LENGTH,
407      15,
408      {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
409       0x00, 0x04, 0x14},
410     },
411     {
412      NID_sha224,
413      SHA224_DIGEST_LENGTH,
414      19,
415      {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
416       0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
417     },
418     {
419      NID_sha256,
420      SHA256_DIGEST_LENGTH,
421      19,
422      {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
423       0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
424     },
425     {
426      NID_sha384,
427      SHA384_DIGEST_LENGTH,
428      19,
429      {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
430       0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
431     },
432     {
433      NID_sha512,
434      SHA512_DIGEST_LENGTH,
435      19,
436      {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
437       0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
438     },
439     {
440      NID_undef, 0, 0, {0},
441     },
442 };
443 
RSA_add_pkcs1_prefix(uint8_t ** out_msg,size_t * out_msg_len,int * is_alloced,int hash_nid,const uint8_t * msg,size_t msg_len)444 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
445                          int *is_alloced, int hash_nid, const uint8_t *msg,
446                          size_t msg_len) {
447   unsigned i;
448 
449   if (hash_nid == NID_md5_sha1) {
450     // Special case: SSL signature, just check the length.
451     if (msg_len != SSL_SIG_LENGTH) {
452       OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
453       return 0;
454     }
455 
456     *out_msg = (uint8_t*) msg;
457     *out_msg_len = SSL_SIG_LENGTH;
458     *is_alloced = 0;
459     return 1;
460   }
461 
462   for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
463     const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
464     if (sig_prefix->nid != hash_nid) {
465       continue;
466     }
467 
468     if (msg_len != sig_prefix->hash_len) {
469       OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
470       return 0;
471     }
472 
473     const uint8_t* prefix = sig_prefix->bytes;
474     unsigned prefix_len = sig_prefix->len;
475     unsigned signed_msg_len;
476     uint8_t *signed_msg;
477 
478     signed_msg_len = prefix_len + msg_len;
479     if (signed_msg_len < prefix_len) {
480       OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
481       return 0;
482     }
483 
484     signed_msg = OPENSSL_malloc(signed_msg_len);
485     if (!signed_msg) {
486       OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
487       return 0;
488     }
489 
490     OPENSSL_memcpy(signed_msg, prefix, prefix_len);
491     OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len);
492 
493     *out_msg = signed_msg;
494     *out_msg_len = signed_msg_len;
495     *is_alloced = 1;
496 
497     return 1;
498   }
499 
500   OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
501   return 0;
502 }
503 
RSA_sign(int hash_nid,const uint8_t * in,unsigned in_len,uint8_t * out,unsigned * out_len,RSA * rsa)504 int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
505              unsigned *out_len, RSA *rsa) {
506   const unsigned rsa_size = RSA_size(rsa);
507   int ret = 0;
508   uint8_t *signed_msg = NULL;
509   size_t signed_msg_len = 0;
510   int signed_msg_is_alloced = 0;
511   size_t size_t_out_len;
512 
513   if (rsa->meth->sign) {
514     return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
515   }
516 
517   if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
518                             &signed_msg_is_alloced, hash_nid, in, in_len) ||
519       !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
520                     signed_msg_len, RSA_PKCS1_PADDING)) {
521     goto err;
522   }
523 
524   *out_len = size_t_out_len;
525   ret = 1;
526 
527 err:
528   if (signed_msg_is_alloced) {
529     OPENSSL_free(signed_msg);
530   }
531   return ret;
532 }
533 
RSA_sign_pss_mgf1(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len)534 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
535                       const uint8_t *in, size_t in_len, const EVP_MD *md,
536                       const EVP_MD *mgf1_md, int salt_len) {
537   if (in_len != EVP_MD_size(md)) {
538     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
539     return 0;
540   }
541 
542   size_t padded_len = RSA_size(rsa);
543   uint8_t *padded = OPENSSL_malloc(padded_len);
544   if (padded == NULL) {
545     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
546     return 0;
547   }
548 
549   int ret =
550       RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) &&
551       RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
552                    RSA_NO_PADDING);
553   OPENSSL_free(padded);
554   return ret;
555 }
556 
RSA_verify(int hash_nid,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len,RSA * rsa)557 int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
558                const uint8_t *sig, size_t sig_len, RSA *rsa) {
559   if (rsa->n == NULL || rsa->e == NULL) {
560     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
561     return 0;
562   }
563 
564   const size_t rsa_size = RSA_size(rsa);
565   uint8_t *buf = NULL;
566   int ret = 0;
567   uint8_t *signed_msg = NULL;
568   size_t signed_msg_len = 0, len;
569   int signed_msg_is_alloced = 0;
570 
571   if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
572     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
573     return 0;
574   }
575 
576   buf = OPENSSL_malloc(rsa_size);
577   if (!buf) {
578     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
579     return 0;
580   }
581 
582   if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
583                       RSA_PKCS1_PADDING)) {
584     goto out;
585   }
586 
587   if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
588                             &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
589     goto out;
590   }
591 
592   // Check that no other information follows the hash value (FIPS 186-4 Section
593   // 5.5) and it matches the expected hash.
594   if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
595     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
596     goto out;
597   }
598 
599   ret = 1;
600 
601 out:
602   OPENSSL_free(buf);
603   if (signed_msg_is_alloced) {
604     OPENSSL_free(signed_msg);
605   }
606   return ret;
607 }
608 
RSA_verify_pss_mgf1(RSA * rsa,const uint8_t * msg,size_t msg_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len,const uint8_t * sig,size_t sig_len)609 int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len,
610                         const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
611                         const uint8_t *sig, size_t sig_len) {
612   if (msg_len != EVP_MD_size(md)) {
613     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
614     return 0;
615   }
616 
617   size_t em_len = RSA_size(rsa);
618   uint8_t *em = OPENSSL_malloc(em_len);
619   if (em == NULL) {
620     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
621     return 0;
622   }
623 
624   int ret = 0;
625   if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
626     goto err;
627   }
628 
629   if (em_len != RSA_size(rsa)) {
630     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
631     goto err;
632   }
633 
634   ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len);
635 
636 err:
637   OPENSSL_free(em);
638   return ret;
639 }
640 
check_mod_inverse(int * out_ok,const BIGNUM * a,const BIGNUM * ainv,const BIGNUM * m,int check_reduced,BN_CTX * ctx)641 static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
642                              const BIGNUM *m, int check_reduced, BN_CTX *ctx) {
643   BN_CTX_start(ctx);
644   BIGNUM *tmp = BN_CTX_get(ctx);
645   int ret = tmp != NULL &&
646             bn_mul_consttime(tmp, a, ainv, ctx) &&
647             bn_div_consttime(NULL, tmp, tmp, m, ctx);
648   if (ret) {
649     *out_ok = BN_is_one(tmp);
650     if (check_reduced && (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0)) {
651       *out_ok = 0;
652     }
653   }
654   BN_CTX_end(ctx);
655   return ret;
656 }
657 
RSA_check_key(const RSA * key)658 int RSA_check_key(const RSA *key) {
659   BIGNUM n, pm1, qm1, lcm, dmp1, dmq1, iqmp_times_q;
660   BN_CTX *ctx;
661   int ok = 0, has_crt_values;
662 
663   if (RSA_is_opaque(key)) {
664     // Opaque keys can't be checked.
665     return 1;
666   }
667 
668   if ((key->p != NULL) != (key->q != NULL)) {
669     OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
670     return 0;
671   }
672 
673   if (!key->n || !key->e) {
674     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
675     return 0;
676   }
677 
678   if (!key->d || !key->p) {
679     // For a public key, or without p and q, there's nothing that can be
680     // checked.
681     return 1;
682   }
683 
684   ctx = BN_CTX_new();
685   if (ctx == NULL) {
686     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
687     return 0;
688   }
689 
690   BN_init(&n);
691   BN_init(&pm1);
692   BN_init(&qm1);
693   BN_init(&lcm);
694   BN_init(&dmp1);
695   BN_init(&dmq1);
696   BN_init(&iqmp_times_q);
697 
698   int d_ok;
699   if (!bn_mul_consttime(&n, key->p, key->q, ctx) ||
700       // lcm = lcm(p, q)
701       !bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
702       !bn_usub_consttime(&qm1, key->q, BN_value_one()) ||
703       !bn_lcm_consttime(&lcm, &pm1, &qm1, ctx) ||
704       // Other implementations use the Euler totient rather than the Carmichael
705       // totient, so allow unreduced |key->d|.
706       !check_mod_inverse(&d_ok, key->e, key->d, &lcm,
707                          0 /* don't require reduced */, ctx)) {
708     OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
709     goto out;
710   }
711 
712   if (BN_cmp(&n, key->n) != 0) {
713     OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
714     goto out;
715   }
716 
717   if (!d_ok) {
718     OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
719     goto out;
720   }
721 
722   if (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0) {
723     OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
724     goto out;
725   }
726 
727   has_crt_values = key->dmp1 != NULL;
728   if (has_crt_values != (key->dmq1 != NULL) ||
729       has_crt_values != (key->iqmp != NULL)) {
730     OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
731     goto out;
732   }
733 
734   if (has_crt_values) {
735     int dmp1_ok, dmq1_ok, iqmp_ok;
736     if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1,
737                            1 /* check reduced */, ctx) ||
738         !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1,
739                            1 /* check reduced */, ctx) ||
740         !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p,
741                            1 /* check reduced */, ctx)) {
742       OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
743       goto out;
744     }
745 
746     if (!dmp1_ok || !dmq1_ok || !iqmp_ok) {
747       OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
748       goto out;
749     }
750   }
751 
752   ok = 1;
753 
754 out:
755   BN_free(&n);
756   BN_free(&pm1);
757   BN_free(&qm1);
758   BN_free(&lcm);
759   BN_free(&dmp1);
760   BN_free(&dmq1);
761   BN_free(&iqmp_times_q);
762   BN_CTX_free(ctx);
763 
764   return ok;
765 }
766 
767 
768 // This is the product of the 132 smallest odd primes, from 3 to 751.
769 static const BN_ULONG kSmallFactorsLimbs[] = {
770     TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
771     TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
772     TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
773     TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
774     TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
775     TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
776     TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
777     TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
778     0x000017b1
779 };
780 
DEFINE_LOCAL_DATA(BIGNUM,g_small_factors)781 DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
782   out->d = (BN_ULONG *) kSmallFactorsLimbs;
783   out->width = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
784   out->dmax = out->width;
785   out->neg = 0;
786   out->flags = BN_FLG_STATIC_DATA;
787 }
788 
RSA_check_fips(RSA * key)789 int RSA_check_fips(RSA *key) {
790   if (RSA_is_opaque(key)) {
791     // Opaque keys can't be checked.
792     OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
793     return 0;
794   }
795 
796   if (!RSA_check_key(key)) {
797     return 0;
798   }
799 
800   BN_CTX *ctx = BN_CTX_new();
801   if (ctx == NULL) {
802     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
803     return 0;
804   }
805 
806   BIGNUM small_gcd;
807   BN_init(&small_gcd);
808 
809   int ret = 1;
810 
811   // Perform partial public key validation of RSA keys (SP 800-89 5.3.3).
812   enum bn_primality_result_t primality_result;
813   if (BN_num_bits(key->e) <= 16 ||
814       BN_num_bits(key->e) > 256 ||
815       !BN_is_odd(key->n) ||
816       !BN_is_odd(key->e) ||
817       !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
818       !BN_is_one(&small_gcd) ||
819       !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
820                                                BN_prime_checks, ctx, NULL) ||
821       primality_result != bn_non_prime_power_composite) {
822     OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
823     ret = 0;
824   }
825 
826   BN_free(&small_gcd);
827   BN_CTX_free(ctx);
828 
829   if (!ret || key->d == NULL || key->p == NULL) {
830     // On a failure or on only a public key, there's nothing else can be
831     // checked.
832     return ret;
833   }
834 
835   // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
836   // section 9.9, it is not known whether |rsa| will be used for signing or
837   // encryption, so either pair-wise consistency self-test is acceptable. We
838   // perform a signing test.
839   uint8_t data[32] = {0};
840   unsigned sig_len = RSA_size(key);
841   uint8_t *sig = OPENSSL_malloc(sig_len);
842   if (sig == NULL) {
843     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
844     return 0;
845   }
846 
847   if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
848     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
849     ret = 0;
850     goto cleanup;
851   }
852 #if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
853   data[0] = ~data[0];
854 #endif
855   if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
856     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
857     ret = 0;
858   }
859 
860 cleanup:
861   OPENSSL_free(sig);
862 
863   return ret;
864 }
865 
RSA_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)866 int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
867                           size_t len) {
868   if (rsa->meth->private_transform) {
869     return rsa->meth->private_transform(rsa, out, in, len);
870   }
871 
872   return rsa_default_private_transform(rsa, out, in, len);
873 }
874 
RSA_flags(const RSA * rsa)875 int RSA_flags(const RSA *rsa) { return rsa->flags; }
876 
RSA_blinding_on(RSA * rsa,BN_CTX * ctx)877 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
878   return 1;
879 }
880