1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <assert.h>
60 #include <limits.h>
61 #include <string.h>
62
63 #include <openssl/bn.h>
64 #include <openssl/err.h>
65 #include <openssl/mem.h>
66 #include <openssl/thread.h>
67
68 #include "../../internal.h"
69 #include "../bn/internal.h"
70 #include "../delocate.h"
71 #include "../rand/fork_detect.h"
72 #include "../service_indicator/internal.h"
73 #include "internal.h"
74
75
rsa_check_public_key(const RSA * rsa)76 int rsa_check_public_key(const RSA *rsa) {
77 if (rsa->n == NULL || rsa->e == NULL) {
78 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
79 return 0;
80 }
81
82 unsigned n_bits = BN_num_bits(rsa->n);
83 if (n_bits > 16 * 1024) {
84 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
85 return 0;
86 }
87
88 // RSA moduli must be odd. In addition to being necessary for RSA in general,
89 // we cannot setup Montgomery reduction with even moduli.
90 if (!BN_is_odd(rsa->n)) {
91 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
92 return 0;
93 }
94
95 // Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as
96 // the limit based on the recommendations in [1] and [2]. Windows CryptoAPI
97 // doesn't support values larger than 32 bits [3], so it is unlikely that
98 // exponents larger than 32 bits are being used for anything Windows commonly
99 // does.
100 //
101 // [1] https://www.imperialviolet.org/2012/03/16/rsae.html
102 // [2] https://www.imperialviolet.org/2012/03/17/rsados.html
103 // [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
104 static const unsigned kMaxExponentBits = 33;
105 unsigned e_bits = BN_num_bits(rsa->e);
106 if (e_bits > kMaxExponentBits ||
107 // Additionally reject e = 1 or even e. e must be odd to be relatively
108 // prime with phi(n).
109 e_bits < 2 ||
110 !BN_is_odd(rsa->e)) {
111 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
112 return 0;
113 }
114
115 // Verify |n > e|. Comparing |n_bits| to |kMaxExponentBits| is a small
116 // shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits|
117 // is much smaller than the minimum RSA key size that any application should
118 // accept.
119 if (n_bits <= kMaxExponentBits) {
120 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
121 return 0;
122 }
123 assert(BN_ucmp(rsa->n, rsa->e) > 0);
124
125 return 1;
126 }
127
ensure_fixed_copy(BIGNUM ** out,const BIGNUM * in,int width)128 static int ensure_fixed_copy(BIGNUM **out, const BIGNUM *in, int width) {
129 if (*out != NULL) {
130 return 1;
131 }
132 BIGNUM *copy = BN_dup(in);
133 if (copy == NULL ||
134 !bn_resize_words(copy, width)) {
135 BN_free(copy);
136 return 0;
137 }
138 *out = copy;
139 CONSTTIME_SECRET(copy->d, sizeof(BN_ULONG) * width);
140
141 return 1;
142 }
143
144 // freeze_private_key finishes initializing |rsa|'s private key components.
145 // After this function has returned, |rsa| may not be changed. This is needed
146 // because |RSA| is a public struct and, additionally, OpenSSL 1.1.0 opaquified
147 // it wrong (see https://github.com/openssl/openssl/issues/5158).
freeze_private_key(RSA * rsa,BN_CTX * ctx)148 static int freeze_private_key(RSA *rsa, BN_CTX *ctx) {
149 CRYPTO_MUTEX_lock_read(&rsa->lock);
150 int frozen = rsa->private_key_frozen;
151 CRYPTO_MUTEX_unlock_read(&rsa->lock);
152 if (frozen) {
153 return 1;
154 }
155
156 int ret = 0;
157 CRYPTO_MUTEX_lock_write(&rsa->lock);
158 if (rsa->private_key_frozen) {
159 ret = 1;
160 goto err;
161 }
162
163 // Pre-compute various intermediate values, as well as copies of private
164 // exponents with correct widths. Note that other threads may concurrently
165 // read from |rsa->n|, |rsa->e|, etc., so any fixes must be in separate
166 // copies. We use |mont_n->N|, |mont_p->N|, and |mont_q->N| as copies of |n|,
167 // |p|, and |q| with the correct minimal widths.
168
169 if (rsa->mont_n == NULL) {
170 rsa->mont_n = BN_MONT_CTX_new_for_modulus(rsa->n, ctx);
171 if (rsa->mont_n == NULL) {
172 goto err;
173 }
174 }
175 const BIGNUM *n_fixed = &rsa->mont_n->N;
176
177 // The only public upper-bound of |rsa->d| is the bit length of |rsa->n|. The
178 // ASN.1 serialization of RSA private keys unfortunately leaks the byte length
179 // of |rsa->d|, but normalize it so we only leak it once, rather than per
180 // operation.
181 if (rsa->d != NULL &&
182 !ensure_fixed_copy(&rsa->d_fixed, rsa->d, n_fixed->width)) {
183 goto err;
184 }
185
186 if (rsa->p != NULL && rsa->q != NULL) {
187 // TODO: p and q are also CONSTTIME_SECRET but not yet marked as such
188 // because the Montgomery code does things like test whether or not values
189 // are zero. So the secret marking probably needs to happen inside that
190 // code.
191
192 if (rsa->mont_p == NULL) {
193 rsa->mont_p = BN_MONT_CTX_new_consttime(rsa->p, ctx);
194 if (rsa->mont_p == NULL) {
195 goto err;
196 }
197 }
198 const BIGNUM *p_fixed = &rsa->mont_p->N;
199
200 if (rsa->mont_q == NULL) {
201 rsa->mont_q = BN_MONT_CTX_new_consttime(rsa->q, ctx);
202 if (rsa->mont_q == NULL) {
203 goto err;
204 }
205 }
206 const BIGNUM *q_fixed = &rsa->mont_q->N;
207
208 if (rsa->dmp1 != NULL && rsa->dmq1 != NULL) {
209 // Key generation relies on this function to compute |iqmp|.
210 if (rsa->iqmp == NULL) {
211 BIGNUM *iqmp = BN_new();
212 if (iqmp == NULL ||
213 !bn_mod_inverse_secret_prime(iqmp, rsa->q, rsa->p, ctx,
214 rsa->mont_p)) {
215 BN_free(iqmp);
216 goto err;
217 }
218 rsa->iqmp = iqmp;
219 }
220
221 // CRT components are only publicly bounded by their corresponding
222 // moduli's bit lengths. |rsa->iqmp| is unused outside of this one-time
223 // setup, so we do not compute a fixed-width version of it.
224 if (!ensure_fixed_copy(&rsa->dmp1_fixed, rsa->dmp1, p_fixed->width) ||
225 !ensure_fixed_copy(&rsa->dmq1_fixed, rsa->dmq1, q_fixed->width)) {
226 goto err;
227 }
228
229 // Compute |inv_small_mod_large_mont|. Note that it is always modulo the
230 // larger prime, independent of what is stored in |rsa->iqmp|.
231 if (rsa->inv_small_mod_large_mont == NULL) {
232 BIGNUM *inv_small_mod_large_mont = BN_new();
233 int ok;
234 if (BN_cmp(rsa->p, rsa->q) < 0) {
235 ok = inv_small_mod_large_mont != NULL &&
236 bn_mod_inverse_secret_prime(inv_small_mod_large_mont, rsa->p,
237 rsa->q, ctx, rsa->mont_q) &&
238 BN_to_montgomery(inv_small_mod_large_mont,
239 inv_small_mod_large_mont, rsa->mont_q, ctx);
240 } else {
241 ok = inv_small_mod_large_mont != NULL &&
242 BN_to_montgomery(inv_small_mod_large_mont, rsa->iqmp,
243 rsa->mont_p, ctx);
244 }
245 if (!ok) {
246 BN_free(inv_small_mod_large_mont);
247 goto err;
248 }
249 rsa->inv_small_mod_large_mont = inv_small_mod_large_mont;
250 CONSTTIME_SECRET(
251 rsa->inv_small_mod_large_mont->d,
252 sizeof(BN_ULONG) * rsa->inv_small_mod_large_mont->width);
253 }
254 }
255 }
256
257 rsa->private_key_frozen = 1;
258 ret = 1;
259
260 err:
261 CRYPTO_MUTEX_unlock_write(&rsa->lock);
262 return ret;
263 }
264
rsa_default_size(const RSA * rsa)265 size_t rsa_default_size(const RSA *rsa) {
266 return BN_num_bytes(rsa->n);
267 }
268
269 // MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
270 // RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
271 // destroyed as needed.
272 #if defined(OPENSSL_TSAN)
273 // Smaller under TSAN so that the edge case can be hit with fewer threads.
274 #define MAX_BLINDINGS_PER_RSA 2
275 #else
276 #define MAX_BLINDINGS_PER_RSA 1024
277 #endif
278
279 // rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
280 // allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
281 // none are free, the cache will be extended by a extra element and the new
282 // BN_BLINDING is returned.
283 //
284 // On success, the index of the assigned BN_BLINDING is written to
285 // |*index_used| and must be passed to |rsa_blinding_release| when finished.
rsa_blinding_get(RSA * rsa,size_t * index_used,BN_CTX * ctx)286 static BN_BLINDING *rsa_blinding_get(RSA *rsa, size_t *index_used,
287 BN_CTX *ctx) {
288 assert(ctx != NULL);
289 assert(rsa->mont_n != NULL);
290
291 BN_BLINDING *ret = NULL;
292 const uint64_t fork_generation = CRYPTO_get_fork_generation();
293 CRYPTO_MUTEX_lock_write(&rsa->lock);
294
295 // Wipe the blinding cache on |fork|.
296 if (rsa->blinding_fork_generation != fork_generation) {
297 for (size_t i = 0; i < rsa->num_blindings; i++) {
298 // The inuse flag must be zero unless we were forked from a
299 // multi-threaded process, in which case calling back into BoringSSL is
300 // forbidden.
301 assert(rsa->blindings_inuse[i] == 0);
302 BN_BLINDING_invalidate(rsa->blindings[i]);
303 }
304 rsa->blinding_fork_generation = fork_generation;
305 }
306
307 uint8_t *const free_inuse_flag =
308 OPENSSL_memchr(rsa->blindings_inuse, 0, rsa->num_blindings);
309 if (free_inuse_flag != NULL) {
310 *free_inuse_flag = 1;
311 *index_used = free_inuse_flag - rsa->blindings_inuse;
312 ret = rsa->blindings[*index_used];
313 goto out;
314 }
315
316 if (rsa->num_blindings >= MAX_BLINDINGS_PER_RSA) {
317 // No |BN_BLINDING| is free and nor can the cache be extended. This index
318 // value is magic and indicates to |rsa_blinding_release| that a
319 // |BN_BLINDING| was not inserted into the array.
320 *index_used = MAX_BLINDINGS_PER_RSA;
321 ret = BN_BLINDING_new();
322 goto out;
323 }
324
325 // Double the length of the cache.
326 static_assert(MAX_BLINDINGS_PER_RSA < UINT_MAX / 2,
327 "MAX_BLINDINGS_PER_RSA too large");
328 size_t new_num_blindings = rsa->num_blindings * 2;
329 if (new_num_blindings == 0) {
330 new_num_blindings = 1;
331 }
332 if (new_num_blindings > MAX_BLINDINGS_PER_RSA) {
333 new_num_blindings = MAX_BLINDINGS_PER_RSA;
334 }
335 assert(new_num_blindings > rsa->num_blindings);
336
337 BN_BLINDING **new_blindings =
338 OPENSSL_malloc(sizeof(BN_BLINDING *) * new_num_blindings);
339 uint8_t *new_blindings_inuse = OPENSSL_malloc(new_num_blindings);
340 if (new_blindings == NULL || new_blindings_inuse == NULL) {
341 goto err;
342 }
343
344 OPENSSL_memcpy(new_blindings, rsa->blindings,
345 sizeof(BN_BLINDING *) * rsa->num_blindings);
346 OPENSSL_memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);
347
348 for (size_t i = rsa->num_blindings; i < new_num_blindings; i++) {
349 new_blindings[i] = BN_BLINDING_new();
350 if (new_blindings[i] == NULL) {
351 for (size_t j = rsa->num_blindings; j < i; j++) {
352 BN_BLINDING_free(new_blindings[j]);
353 }
354 goto err;
355 }
356 }
357 memset(&new_blindings_inuse[rsa->num_blindings], 0,
358 new_num_blindings - rsa->num_blindings);
359
360 new_blindings_inuse[rsa->num_blindings] = 1;
361 *index_used = rsa->num_blindings;
362 assert(*index_used != MAX_BLINDINGS_PER_RSA);
363 ret = new_blindings[rsa->num_blindings];
364
365 OPENSSL_free(rsa->blindings);
366 rsa->blindings = new_blindings;
367 OPENSSL_free(rsa->blindings_inuse);
368 rsa->blindings_inuse = new_blindings_inuse;
369 rsa->num_blindings = new_num_blindings;
370
371 goto out;
372
373 err:
374 OPENSSL_free(new_blindings_inuse);
375 OPENSSL_free(new_blindings);
376
377 out:
378 CRYPTO_MUTEX_unlock_write(&rsa->lock);
379 return ret;
380 }
381
382 // rsa_blinding_release marks the cached BN_BLINDING at the given index as free
383 // for other threads to use.
rsa_blinding_release(RSA * rsa,BN_BLINDING * blinding,size_t blinding_index)384 static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
385 size_t blinding_index) {
386 if (blinding_index == MAX_BLINDINGS_PER_RSA) {
387 // This blinding wasn't cached.
388 BN_BLINDING_free(blinding);
389 return;
390 }
391
392 CRYPTO_MUTEX_lock_write(&rsa->lock);
393 rsa->blindings_inuse[blinding_index] = 0;
394 CRYPTO_MUTEX_unlock_write(&rsa->lock);
395 }
396
397 // signing
rsa_default_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)398 int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
399 size_t max_out, const uint8_t *in, size_t in_len,
400 int padding) {
401 const unsigned rsa_size = RSA_size(rsa);
402 uint8_t *buf = NULL;
403 int i, ret = 0;
404
405 if (max_out < rsa_size) {
406 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
407 return 0;
408 }
409
410 buf = OPENSSL_malloc(rsa_size);
411 if (buf == NULL) {
412 goto err;
413 }
414
415 switch (padding) {
416 case RSA_PKCS1_PADDING:
417 i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);
418 break;
419 case RSA_NO_PADDING:
420 i = RSA_padding_add_none(buf, rsa_size, in, in_len);
421 break;
422 default:
423 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
424 goto err;
425 }
426
427 if (i <= 0) {
428 goto err;
429 }
430
431 if (!rsa_private_transform_no_self_test(rsa, out, buf, rsa_size)) {
432 goto err;
433 }
434
435 CONSTTIME_DECLASSIFY(out, rsa_size);
436 *out_len = rsa_size;
437 ret = 1;
438
439 err:
440 OPENSSL_free(buf);
441
442 return ret;
443 }
444
445
446 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
447
rsa_verify_raw_no_self_test(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)448 int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out,
449 size_t max_out, const uint8_t *in,
450 size_t in_len, int padding) {
451 if (!rsa_check_public_key(rsa)) {
452 return 0;
453 }
454
455 const unsigned rsa_size = RSA_size(rsa);
456 BIGNUM *f, *result;
457
458 if (max_out < rsa_size) {
459 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
460 return 0;
461 }
462
463 if (in_len != rsa_size) {
464 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
465 return 0;
466 }
467
468 BN_CTX *ctx = BN_CTX_new();
469 if (ctx == NULL) {
470 return 0;
471 }
472
473 int ret = 0;
474 uint8_t *buf = NULL;
475
476 BN_CTX_start(ctx);
477 f = BN_CTX_get(ctx);
478 result = BN_CTX_get(ctx);
479 if (f == NULL || result == NULL) {
480 goto err;
481 }
482
483 if (padding == RSA_NO_PADDING) {
484 buf = out;
485 } else {
486 // Allocate a temporary buffer to hold the padded plaintext.
487 buf = OPENSSL_malloc(rsa_size);
488 if (buf == NULL) {
489 goto err;
490 }
491 }
492
493 if (BN_bin2bn(in, in_len, f) == NULL) {
494 goto err;
495 }
496
497 if (BN_ucmp(f, rsa->n) >= 0) {
498 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
499 goto err;
500 }
501
502 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
503 !BN_mod_exp_mont(result, f, rsa->e, &rsa->mont_n->N, ctx, rsa->mont_n)) {
504 goto err;
505 }
506
507 if (!BN_bn2bin_padded(buf, rsa_size, result)) {
508 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
509 goto err;
510 }
511
512 switch (padding) {
513 case RSA_PKCS1_PADDING:
514 ret =
515 RSA_padding_check_PKCS1_type_1(out, out_len, rsa_size, buf, rsa_size);
516 break;
517 case RSA_NO_PADDING:
518 ret = 1;
519 *out_len = rsa_size;
520 break;
521 default:
522 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
523 goto err;
524 }
525
526 if (!ret) {
527 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
528 goto err;
529 }
530
531 err:
532 BN_CTX_end(ctx);
533 BN_CTX_free(ctx);
534 if (buf != out) {
535 OPENSSL_free(buf);
536 }
537 return ret;
538 }
539
RSA_verify_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)540 int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
541 size_t max_out, const uint8_t *in,
542 size_t in_len, int padding) {
543 boringssl_ensure_rsa_self_test();
544 return rsa_verify_raw_no_self_test(rsa, out_len, out, max_out, in, in_len,
545 padding);
546 }
547
rsa_default_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)548 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
549 size_t len) {
550 if (rsa->n == NULL || rsa->d == NULL) {
551 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
552 return 0;
553 }
554
555 BIGNUM *f, *result;
556 BN_CTX *ctx = NULL;
557 size_t blinding_index = 0;
558 BN_BLINDING *blinding = NULL;
559 int ret = 0;
560
561 ctx = BN_CTX_new();
562 if (ctx == NULL) {
563 goto err;
564 }
565 BN_CTX_start(ctx);
566 f = BN_CTX_get(ctx);
567 result = BN_CTX_get(ctx);
568
569 if (f == NULL || result == NULL) {
570 goto err;
571 }
572
573 // The caller should have ensured this.
574 assert(len == BN_num_bytes(rsa->n));
575 if (BN_bin2bn(in, len, f) == NULL) {
576 goto err;
577 }
578
579 if (BN_ucmp(f, rsa->n) >= 0) {
580 // Usually the padding functions would catch this.
581 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
582 goto err;
583 }
584
585 if (!freeze_private_key(rsa, ctx)) {
586 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
587 goto err;
588 }
589
590 const int do_blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0;
591
592 if (rsa->e == NULL && do_blinding) {
593 // We cannot do blinding or verification without |e|, and continuing without
594 // those countermeasures is dangerous. However, the Java/Android RSA API
595 // requires support for keys where only |d| and |n| (and not |e|) are known.
596 // The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|.
597 OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT);
598 goto err;
599 }
600
601 if (do_blinding) {
602 blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
603 if (blinding == NULL) {
604 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
605 goto err;
606 }
607 if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx)) {
608 goto err;
609 }
610 }
611
612 if (rsa->p != NULL && rsa->q != NULL && rsa->e != NULL && rsa->dmp1 != NULL &&
613 rsa->dmq1 != NULL && rsa->iqmp != NULL &&
614 // Require that we can reduce |f| by |rsa->p| and |rsa->q| in constant
615 // time, which requires primes be the same size, rounded to the Montgomery
616 // coefficient. (See |mod_montgomery|.) This is not required by RFC 8017,
617 // but it is true for keys generated by us and all common implementations.
618 bn_less_than_montgomery_R(rsa->q, rsa->mont_p) &&
619 bn_less_than_montgomery_R(rsa->p, rsa->mont_q)) {
620 if (!mod_exp(result, f, rsa, ctx)) {
621 goto err;
622 }
623 } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d_fixed, rsa->n, ctx,
624 rsa->mont_n)) {
625 goto err;
626 }
627
628 // Verify the result to protect against fault attacks as described in the
629 // 1997 paper "On the Importance of Checking Cryptographic Protocols for
630 // Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some
631 // implementations do this only when the CRT is used, but we do it in all
632 // cases. Section 6 of the aforementioned paper describes an attack that
633 // works when the CRT isn't used. That attack is much less likely to succeed
634 // than the CRT attack, but there have likely been improvements since 1997.
635 //
636 // This check is cheap assuming |e| is small, which we require in
637 // |rsa_check_public_key|.
638 if (rsa->e != NULL) {
639 BIGNUM *vrfy = BN_CTX_get(ctx);
640 if (vrfy == NULL ||
641 !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) ||
642 !constant_time_declassify_int(BN_equal_consttime(vrfy, f))) {
643 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
644 goto err;
645 }
646 }
647
648 if (do_blinding &&
649 !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) {
650 goto err;
651 }
652
653 // The computation should have left |result| as a maximally-wide number, so
654 // that it and serializing does not leak information about the magnitude of
655 // the result.
656 //
657 // See Falko Strenzke, "Manger's Attack revisited", ICICS 2010.
658 assert(result->width == rsa->mont_n->N.width);
659 bn_assert_fits_in_bytes(result, len);
660 if (!BN_bn2bin_padded(out, len, result)) {
661 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
662 goto err;
663 }
664
665 ret = 1;
666
667 err:
668 if (ctx != NULL) {
669 BN_CTX_end(ctx);
670 BN_CTX_free(ctx);
671 }
672 if (blinding != NULL) {
673 rsa_blinding_release(rsa, blinding, blinding_index);
674 }
675
676 return ret;
677 }
678
679 // mod_montgomery sets |r| to |I| mod |p|. |I| must already be fully reduced
680 // modulo |p| times |q|. It returns one on success and zero on error.
mod_montgomery(BIGNUM * r,const BIGNUM * I,const BIGNUM * p,const BN_MONT_CTX * mont_p,const BIGNUM * q,BN_CTX * ctx)681 static int mod_montgomery(BIGNUM *r, const BIGNUM *I, const BIGNUM *p,
682 const BN_MONT_CTX *mont_p, const BIGNUM *q,
683 BN_CTX *ctx) {
684 // Reducing in constant-time with Montgomery reduction requires I <= p * R. We
685 // have I < p * q, so this follows if q < R. The caller should have checked
686 // this already.
687 if (!bn_less_than_montgomery_R(q, mont_p)) {
688 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
689 return 0;
690 }
691
692 if (// Reduce mod p with Montgomery reduction. This computes I * R^-1 mod p.
693 !BN_from_montgomery(r, I, mont_p, ctx) ||
694 // Multiply by R^2 and do another Montgomery reduction to compute
695 // I * R^-1 * R^2 * R^-1 = I mod p.
696 !BN_to_montgomery(r, r, mont_p, ctx)) {
697 return 0;
698 }
699
700 // By precomputing R^3 mod p (normally |BN_MONT_CTX| only uses R^2 mod p) and
701 // adjusting the API for |BN_mod_exp_mont_consttime|, we could instead compute
702 // I * R mod p here and save a reduction per prime. But this would require
703 // changing the RSAZ code and may not be worth it. Note that the RSAZ code
704 // uses a different radix, so it uses R' = 2^1044. There we'd actually want
705 // R^2 * R', and would futher benefit from a precomputed R'^2. It currently
706 // converts |mont_p->RR| to R'^2.
707 return 1;
708 }
709
mod_exp(BIGNUM * r0,const BIGNUM * I,RSA * rsa,BN_CTX * ctx)710 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
711 assert(ctx != NULL);
712
713 assert(rsa->n != NULL);
714 assert(rsa->e != NULL);
715 assert(rsa->d != NULL);
716 assert(rsa->p != NULL);
717 assert(rsa->q != NULL);
718 assert(rsa->dmp1 != NULL);
719 assert(rsa->dmq1 != NULL);
720 assert(rsa->iqmp != NULL);
721
722 BIGNUM *r1, *m1;
723 int ret = 0;
724
725 BN_CTX_start(ctx);
726 r1 = BN_CTX_get(ctx);
727 m1 = BN_CTX_get(ctx);
728 if (r1 == NULL ||
729 m1 == NULL) {
730 goto err;
731 }
732
733 if (!freeze_private_key(rsa, ctx)) {
734 goto err;
735 }
736
737 // Implementing RSA with CRT in constant-time is sensitive to which prime is
738 // larger. Canonicalize fields so that |p| is the larger prime.
739 const BIGNUM *dmp1 = rsa->dmp1_fixed, *dmq1 = rsa->dmq1_fixed;
740 const BN_MONT_CTX *mont_p = rsa->mont_p, *mont_q = rsa->mont_q;
741 if (BN_cmp(rsa->p, rsa->q) < 0) {
742 mont_p = rsa->mont_q;
743 mont_q = rsa->mont_p;
744 dmp1 = rsa->dmq1_fixed;
745 dmq1 = rsa->dmp1_fixed;
746 }
747
748 // Use the minimal-width versions of |n|, |p|, and |q|. Either works, but if
749 // someone gives us non-minimal values, these will be slightly more efficient
750 // on the non-Montgomery operations.
751 const BIGNUM *n = &rsa->mont_n->N;
752 const BIGNUM *p = &mont_p->N;
753 const BIGNUM *q = &mont_q->N;
754
755 // This is a pre-condition for |mod_montgomery|. It was already checked by the
756 // caller.
757 assert(BN_ucmp(I, n) < 0);
758
759 if (// |m1| is the result modulo |q|.
760 !mod_montgomery(r1, I, q, mont_q, p, ctx) ||
761 !BN_mod_exp_mont_consttime(m1, r1, dmq1, q, ctx, mont_q) ||
762 // |r0| is the result modulo |p|.
763 !mod_montgomery(r1, I, p, mont_p, q, ctx) ||
764 !BN_mod_exp_mont_consttime(r0, r1, dmp1, p, ctx, mont_p) ||
765 // Compute r0 = r0 - m1 mod p. |p| is the larger prime, so |m1| is already
766 // fully reduced mod |p|.
767 !bn_mod_sub_consttime(r0, r0, m1, p, ctx) ||
768 // r0 = r0 * iqmp mod p. We use Montgomery multiplication to compute this
769 // in constant time. |inv_small_mod_large_mont| is in Montgomery form and
770 // r0 is not, so the result is taken out of Montgomery form.
771 !BN_mod_mul_montgomery(r0, r0, rsa->inv_small_mod_large_mont, mont_p,
772 ctx) ||
773 // r0 = r0 * q + m1 gives the final result. Reducing modulo q gives m1, so
774 // it is correct mod p. Reducing modulo p gives (r0-m1)*iqmp*q + m1 = r0,
775 // so it is correct mod q. Finally, the result is bounded by [m1, n + m1),
776 // and the result is at least |m1|, so this must be the unique answer in
777 // [0, n).
778 !bn_mul_consttime(r0, r0, q, ctx) || //
779 !bn_uadd_consttime(r0, r0, m1)) {
780 goto err;
781 }
782
783 // The result should be bounded by |n|, but fixed-width operations may
784 // bound the width slightly higher, so fix it. This trips constant-time checks
785 // because a naive data flow analysis does not realize the excess words are
786 // publicly zero.
787 assert(BN_cmp(r0, n) < 0);
788 bn_assert_fits_in_bytes(r0, BN_num_bytes(n));
789 if (!bn_resize_words(r0, n->width)) {
790 goto err;
791 }
792
793 ret = 1;
794
795 err:
796 BN_CTX_end(ctx);
797 return ret;
798 }
799
ensure_bignum(BIGNUM ** out)800 static int ensure_bignum(BIGNUM **out) {
801 if (*out == NULL) {
802 *out = BN_new();
803 }
804 return *out != NULL;
805 }
806
807 // kBoringSSLRSASqrtTwo is the BIGNUM representation of ⌊2²⁰⁴⁷×√2⌋. This is
808 // chosen to give enough precision for 4096-bit RSA, the largest key size FIPS
809 // specifies. Key sizes beyond this will round up.
810 //
811 // To calculate, use the following Haskell code:
812 //
813 // import Text.Printf (printf)
814 // import Data.List (intercalate)
815 //
816 // pow2 = 4095
817 // target = 2^pow2
818 //
819 // f x = x*x - (toRational target)
820 //
821 // fprime x = 2*x
822 //
823 // newtonIteration x = x - (f x) / (fprime x)
824 //
825 // converge x =
826 // let n = floor x in
827 // if n*n - target < 0 && (n+1)*(n+1) - target > 0
828 // then n
829 // else converge (newtonIteration x)
830 //
831 // divrem bits x = (x `div` (2^bits), x `rem` (2^bits))
832 //
833 // bnWords :: Integer -> [Integer]
834 // bnWords x =
835 // if x == 0
836 // then []
837 // else let (high, low) = divrem 64 x in low : bnWords high
838 //
839 // showWord x = let (high, low) = divrem 32 x in printf "TOBN(0x%08x, 0x%08x)" high low
840 //
841 // output :: String
842 // output = intercalate ", " $ map showWord $ bnWords $ converge (2 ^ (pow2 `div` 2))
843 //
844 // To verify this number, check that n² < 2⁴⁰⁹⁵ < (n+1)², where n is value
845 // represented here. Note the components are listed in little-endian order. Here
846 // is some sample Python code to check:
847 //
848 // >>> TOBN = lambda a, b: a << 32 | b
849 // >>> l = [ <paste the contents of kSqrtTwo> ]
850 // >>> n = sum(a * 2**(64*i) for i, a in enumerate(l))
851 // >>> n**2 < 2**4095 < (n+1)**2
852 // True
853 const BN_ULONG kBoringSSLRSASqrtTwo[] = {
854 TOBN(0x4d7c60a5, 0xe633e3e1), TOBN(0x5fcf8f7b, 0xca3ea33b),
855 TOBN(0xc246785e, 0x92957023), TOBN(0xf9acce41, 0x797f2805),
856 TOBN(0xfdfe170f, 0xd3b1f780), TOBN(0xd24f4a76, 0x3facb882),
857 TOBN(0x18838a2e, 0xaff5f3b2), TOBN(0xc1fcbdde, 0xa2f7dc33),
858 TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307),
859 TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f),
860 TOBN(0xb8cf341b, 0x6f8236c7), TOBN(0x4264dabc, 0xd528b651),
861 TOBN(0xf4d3a02c, 0xebc93e0c), TOBN(0x81394ab6, 0xd8fd0efd),
862 TOBN(0xeaa4a089, 0x9040ca4a), TOBN(0xf52f120f, 0x836e582e),
863 TOBN(0xcb2a6343, 0x31f3c84d), TOBN(0xc6d5a8a3, 0x8bb7e9dc),
864 TOBN(0x460abc72, 0x2f7c4e33), TOBN(0xcab1bc91, 0x1688458a),
865 TOBN(0x53059c60, 0x11bc337b), TOBN(0xd2202e87, 0x42af1f4e),
866 TOBN(0x78048736, 0x3dfa2768), TOBN(0x0f74a85e, 0x439c7b4a),
867 TOBN(0xa8b1fe6f, 0xdc83db39), TOBN(0x4afc8304, 0x3ab8a2c3),
868 TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
869 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484),
870 };
871 const size_t kBoringSSLRSASqrtTwoLen = OPENSSL_ARRAY_SIZE(kBoringSSLRSASqrtTwo);
872
873 // generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
874 // relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
875 // |p|. |sqrt2| must be ⌊2^(bits-1)×√2⌋ (or a slightly overestimate for large
876 // sizes), and |pow2_bits_100| must be 2^(bits-100).
877 //
878 // This function fails with probability around 2^-21.
generate_prime(BIGNUM * out,int bits,const BIGNUM * e,const BIGNUM * p,const BIGNUM * sqrt2,const BIGNUM * pow2_bits_100,BN_CTX * ctx,BN_GENCB * cb)879 static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
880 const BIGNUM *p, const BIGNUM *sqrt2,
881 const BIGNUM *pow2_bits_100, BN_CTX *ctx,
882 BN_GENCB *cb) {
883 if (bits < 128 || (bits % BN_BITS2) != 0) {
884 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
885 return 0;
886 }
887 assert(BN_is_pow2(pow2_bits_100));
888 assert(BN_is_bit_set(pow2_bits_100, bits - 100));
889
890 // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is nlen/2.
891
892 // Use the limit from steps 4.7 and 5.8 for most values of |e|. When |e| is 3,
893 // the 186-4 limit is too low, so we use a higher one. Note this case is not
894 // reachable from |RSA_generate_key_fips|.
895 //
896 // |limit| determines the failure probability. We must find a prime that is
897 // not 1 mod |e|. By the prime number theorem, we'll find one with probability
898 // p = (e-1)/e * 2/(ln(2)*bits). Note the second term is doubled because we
899 // discard even numbers.
900 //
901 // The failure probability is thus (1-p)^limit. To convert that to a power of
902 // two, we take logs. -log_2((1-p)^limit) = -limit * ln(1-p) / ln(2).
903 //
904 // >>> def f(bits, e, limit):
905 // ... p = (e-1.0)/e * 2.0/(math.log(2)*bits)
906 // ... return -limit * math.log(1 - p) / math.log(2)
907 // ...
908 // >>> f(1024, 65537, 5*1024)
909 // 20.842750558272634
910 // >>> f(1536, 65537, 5*1536)
911 // 20.83294549602474
912 // >>> f(2048, 65537, 5*2048)
913 // 20.828047576234948
914 // >>> f(1024, 3, 8*1024)
915 // 22.222147925962307
916 // >>> f(1536, 3, 8*1536)
917 // 22.21518251065506
918 // >>> f(2048, 3, 8*2048)
919 // 22.211701985875937
920 if (bits >= INT_MAX/32) {
921 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
922 return 0;
923 }
924 int limit = BN_is_word(e, 3) ? bits * 8 : bits * 5;
925
926 int ret = 0, tries = 0, rand_tries = 0;
927 BN_CTX_start(ctx);
928 BIGNUM *tmp = BN_CTX_get(ctx);
929 if (tmp == NULL) {
930 goto err;
931 }
932
933 for (;;) {
934 // Generate a random number of length |bits| where the bottom bit is set
935 // (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the
936 // bound checked below in steps 4.4 and 5.5).
937 if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) ||
938 !BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) {
939 goto err;
940 }
941
942 if (p != NULL) {
943 // If |p| and |out| are too close, try again (step 5.4).
944 if (!bn_abs_sub_consttime(tmp, out, p, ctx)) {
945 goto err;
946 }
947 if (BN_cmp(tmp, pow2_bits_100) <= 0) {
948 continue;
949 }
950 }
951
952 // If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5). This is equivalent
953 // to out <= ⌊2^(bits-1)×√2⌋, or out <= sqrt2 for FIPS key sizes.
954 //
955 // For larger keys, the comparison is approximate, leaning towards
956 // retrying. That is, we reject a negligible fraction of primes that are
957 // within the FIPS bound, but we will never accept a prime outside the
958 // bound, ensuring the resulting RSA key is the right size.
959 if (BN_cmp(out, sqrt2) <= 0) {
960 continue;
961 }
962
963 // RSA key generation's bottleneck is discarding composites. If it fails
964 // trial division, do not bother computing a GCD or performing Miller-Rabin.
965 if (!bn_odd_number_is_obviously_composite(out)) {
966 // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
967 int relatively_prime;
968 if (!BN_sub(tmp, out, BN_value_one()) ||
969 !bn_is_relatively_prime(&relatively_prime, tmp, e, ctx)) {
970 goto err;
971 }
972 if (relatively_prime) {
973 // Test |out| for primality (steps 4.5.1 and 5.6.1).
974 int is_probable_prime;
975 if (!BN_primality_test(&is_probable_prime, out,
976 BN_prime_checks_for_generation, ctx, 0, cb)) {
977 goto err;
978 }
979 if (is_probable_prime) {
980 ret = 1;
981 goto err;
982 }
983 }
984 }
985
986 // If we've tried too many times to find a prime, abort (steps 4.7 and
987 // 5.8).
988 tries++;
989 if (tries >= limit) {
990 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
991 goto err;
992 }
993 if (!BN_GENCB_call(cb, 2, tries)) {
994 goto err;
995 }
996 }
997
998 err:
999 BN_CTX_end(ctx);
1000 return ret;
1001 }
1002
1003 // rsa_generate_key_impl generates an RSA key using a generalized version of
1004 // FIPS 186-4 appendix B.3. |RSA_generate_key_fips| performs additional checks
1005 // for FIPS-compliant key generation.
1006 //
1007 // This function returns one on success and zero on failure. It has a failure
1008 // probability of about 2^-20.
rsa_generate_key_impl(RSA * rsa,int bits,const BIGNUM * e_value,BN_GENCB * cb)1009 static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value,
1010 BN_GENCB *cb) {
1011 // See FIPS 186-4 appendix B.3. This function implements a generalized version
1012 // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
1013 // for FIPS-compliant key generation.
1014
1015 // Always generate RSA keys which are a multiple of 128 bits. Round |bits|
1016 // down as needed.
1017 bits &= ~127;
1018
1019 // Reject excessively small keys.
1020 if (bits < 256) {
1021 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
1022 return 0;
1023 }
1024
1025 // Reject excessively large public exponents. Windows CryptoAPI and Go don't
1026 // support values larger than 32 bits, so match their limits for generating
1027 // keys. (|rsa_check_public_key| uses a slightly more conservative value, but
1028 // we don't need to support generating such keys.)
1029 // https://github.com/golang/go/issues/3161
1030 // https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
1031 if (BN_num_bits(e_value) > 32) {
1032 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
1033 return 0;
1034 }
1035
1036 int ret = 0;
1037 int prime_bits = bits / 2;
1038 BN_CTX *ctx = BN_CTX_new();
1039 if (ctx == NULL) {
1040 goto bn_err;
1041 }
1042 BN_CTX_start(ctx);
1043 BIGNUM *totient = BN_CTX_get(ctx);
1044 BIGNUM *pm1 = BN_CTX_get(ctx);
1045 BIGNUM *qm1 = BN_CTX_get(ctx);
1046 BIGNUM *sqrt2 = BN_CTX_get(ctx);
1047 BIGNUM *pow2_prime_bits_100 = BN_CTX_get(ctx);
1048 BIGNUM *pow2_prime_bits = BN_CTX_get(ctx);
1049 if (totient == NULL || pm1 == NULL || qm1 == NULL || sqrt2 == NULL ||
1050 pow2_prime_bits_100 == NULL || pow2_prime_bits == NULL ||
1051 !BN_set_bit(pow2_prime_bits_100, prime_bits - 100) ||
1052 !BN_set_bit(pow2_prime_bits, prime_bits)) {
1053 goto bn_err;
1054 }
1055
1056 // We need the RSA components non-NULL.
1057 if (!ensure_bignum(&rsa->n) ||
1058 !ensure_bignum(&rsa->d) ||
1059 !ensure_bignum(&rsa->e) ||
1060 !ensure_bignum(&rsa->p) ||
1061 !ensure_bignum(&rsa->q) ||
1062 !ensure_bignum(&rsa->dmp1) ||
1063 !ensure_bignum(&rsa->dmq1)) {
1064 goto bn_err;
1065 }
1066
1067 if (!BN_copy(rsa->e, e_value)) {
1068 goto bn_err;
1069 }
1070
1071 // Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋.
1072 if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) {
1073 goto bn_err;
1074 }
1075 int sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
1076 assert(sqrt2_bits == (int)BN_num_bits(sqrt2));
1077 if (sqrt2_bits > prime_bits) {
1078 // For key sizes up to 4096 (prime_bits = 2048), this is exactly
1079 // ⌊2^(prime_bits-1)×√2⌋.
1080 if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) {
1081 goto bn_err;
1082 }
1083 } else if (prime_bits > sqrt2_bits) {
1084 // For key sizes beyond 4096, this is approximate. We err towards retrying
1085 // to ensure our key is the right size and round up.
1086 if (!BN_add_word(sqrt2, 1) ||
1087 !BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) {
1088 goto bn_err;
1089 }
1090 }
1091 assert(prime_bits == (int)BN_num_bits(sqrt2));
1092
1093 do {
1094 // Generate p and q, each of size |prime_bits|, using the steps outlined in
1095 // appendix FIPS 186-4 appendix B.3.3.
1096 //
1097 // Each call to |generate_prime| fails with probability p = 2^-21. The
1098 // probability that either call fails is 1 - (1-p)^2, which is around 2^-20.
1099 if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2,
1100 pow2_prime_bits_100, ctx, cb) ||
1101 !BN_GENCB_call(cb, 3, 0) ||
1102 !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2,
1103 pow2_prime_bits_100, ctx, cb) ||
1104 !BN_GENCB_call(cb, 3, 1)) {
1105 goto bn_err;
1106 }
1107
1108 if (BN_cmp(rsa->p, rsa->q) < 0) {
1109 BIGNUM *tmp = rsa->p;
1110 rsa->p = rsa->q;
1111 rsa->q = tmp;
1112 }
1113
1114 // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
1115 // from typical RSA implementations which use (p-1)*(q-1).
1116 //
1117 // Note this means the size of d might reveal information about p-1 and
1118 // q-1. However, we do operations with Chinese Remainder Theorem, so we only
1119 // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
1120 // does not affect those two values.
1121 int no_inverse;
1122 if (!bn_usub_consttime(pm1, rsa->p, BN_value_one()) ||
1123 !bn_usub_consttime(qm1, rsa->q, BN_value_one()) ||
1124 !bn_lcm_consttime(totient, pm1, qm1, ctx) ||
1125 !bn_mod_inverse_consttime(rsa->d, &no_inverse, rsa->e, totient, ctx)) {
1126 goto bn_err;
1127 }
1128
1129 // Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on
1130 // values for d.
1131 } while (BN_cmp(rsa->d, pow2_prime_bits) <= 0);
1132
1133 assert(BN_num_bits(pm1) == (unsigned)prime_bits);
1134 assert(BN_num_bits(qm1) == (unsigned)prime_bits);
1135 if (// Calculate n.
1136 !bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) ||
1137 // Calculate d mod (p-1).
1138 !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, prime_bits, ctx) ||
1139 // Calculate d mod (q-1)
1140 !bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, prime_bits, ctx)) {
1141 goto bn_err;
1142 }
1143 bn_set_minimal_width(rsa->n);
1144
1145 // Sanity-check that |rsa->n| has the specified size. This is implied by
1146 // |generate_prime|'s bounds.
1147 if (BN_num_bits(rsa->n) != (unsigned)bits) {
1148 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
1149 goto err;
1150 }
1151
1152 // Call |freeze_private_key| to compute the inverse of q mod p, by way of
1153 // |rsa->mont_p|.
1154 if (!freeze_private_key(rsa, ctx)) {
1155 goto bn_err;
1156 }
1157
1158 // The key generation process is complex and thus error-prone. It could be
1159 // disastrous to generate and then use a bad key so double-check that the key
1160 // makes sense.
1161 if (!RSA_check_key(rsa)) {
1162 OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
1163 goto err;
1164 }
1165
1166 ret = 1;
1167
1168 bn_err:
1169 if (!ret) {
1170 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
1171 }
1172 err:
1173 if (ctx != NULL) {
1174 BN_CTX_end(ctx);
1175 BN_CTX_free(ctx);
1176 }
1177 return ret;
1178 }
1179
replace_bignum(BIGNUM ** out,BIGNUM ** in)1180 static void replace_bignum(BIGNUM **out, BIGNUM **in) {
1181 BN_free(*out);
1182 *out = *in;
1183 *in = NULL;
1184 }
1185
replace_bn_mont_ctx(BN_MONT_CTX ** out,BN_MONT_CTX ** in)1186 static void replace_bn_mont_ctx(BN_MONT_CTX **out, BN_MONT_CTX **in) {
1187 BN_MONT_CTX_free(*out);
1188 *out = *in;
1189 *in = NULL;
1190 }
1191
RSA_generate_key_ex_maybe_fips(RSA * rsa,int bits,const BIGNUM * e_value,BN_GENCB * cb,int check_fips)1192 static int RSA_generate_key_ex_maybe_fips(RSA *rsa, int bits,
1193 const BIGNUM *e_value, BN_GENCB *cb,
1194 int check_fips) {
1195 boringssl_ensure_rsa_self_test();
1196
1197 RSA *tmp = NULL;
1198 uint32_t err;
1199 int ret = 0;
1200
1201 // |rsa_generate_key_impl|'s 2^-20 failure probability is too high at scale,
1202 // so we run the FIPS algorithm four times, bringing it down to 2^-80. We
1203 // should just adjust the retry limit, but FIPS 186-4 prescribes that value
1204 // and thus results in unnecessary complexity.
1205 int failures = 0;
1206 do {
1207 ERR_clear_error();
1208 // Generate into scratch space, to avoid leaving partial work on failure.
1209 tmp = RSA_new();
1210 if (tmp == NULL) {
1211 goto out;
1212 }
1213
1214 if (rsa_generate_key_impl(tmp, bits, e_value, cb)) {
1215 break;
1216 }
1217
1218 err = ERR_peek_error();
1219 RSA_free(tmp);
1220 tmp = NULL;
1221 failures++;
1222
1223 // Only retry on |RSA_R_TOO_MANY_ITERATIONS|. This is so a caller-induced
1224 // failure in |BN_GENCB_call| is still fatal.
1225 } while (failures < 4 && ERR_GET_LIB(err) == ERR_LIB_RSA &&
1226 ERR_GET_REASON(err) == RSA_R_TOO_MANY_ITERATIONS);
1227
1228 if (tmp == NULL || (check_fips && !RSA_check_fips(tmp))) {
1229 goto out;
1230 }
1231
1232 replace_bignum(&rsa->n, &tmp->n);
1233 replace_bignum(&rsa->e, &tmp->e);
1234 replace_bignum(&rsa->d, &tmp->d);
1235 replace_bignum(&rsa->p, &tmp->p);
1236 replace_bignum(&rsa->q, &tmp->q);
1237 replace_bignum(&rsa->dmp1, &tmp->dmp1);
1238 replace_bignum(&rsa->dmq1, &tmp->dmq1);
1239 replace_bignum(&rsa->iqmp, &tmp->iqmp);
1240 replace_bn_mont_ctx(&rsa->mont_n, &tmp->mont_n);
1241 replace_bn_mont_ctx(&rsa->mont_p, &tmp->mont_p);
1242 replace_bn_mont_ctx(&rsa->mont_q, &tmp->mont_q);
1243 replace_bignum(&rsa->d_fixed, &tmp->d_fixed);
1244 replace_bignum(&rsa->dmp1_fixed, &tmp->dmp1_fixed);
1245 replace_bignum(&rsa->dmq1_fixed, &tmp->dmq1_fixed);
1246 replace_bignum(&rsa->inv_small_mod_large_mont,
1247 &tmp->inv_small_mod_large_mont);
1248 rsa->private_key_frozen = tmp->private_key_frozen;
1249 ret = 1;
1250
1251 out:
1252 RSA_free(tmp);
1253 return ret;
1254 }
1255
RSA_generate_key_ex(RSA * rsa,int bits,const BIGNUM * e_value,BN_GENCB * cb)1256 int RSA_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e_value,
1257 BN_GENCB *cb) {
1258 return RSA_generate_key_ex_maybe_fips(rsa, bits, e_value, cb,
1259 /*check_fips=*/0);
1260 }
1261
RSA_generate_key_fips(RSA * rsa,int bits,BN_GENCB * cb)1262 int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) {
1263 // FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit
1264 // primes, respectively) with the prime generation method we use.
1265 // Subsequently, IG A.14 stated that larger modulus sizes can be used and ACVP
1266 // testing supports 4096 bits.
1267 if (bits != 2048 && bits != 3072 && bits != 4096) {
1268 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
1269 return 0;
1270 }
1271
1272 BIGNUM *e = BN_new();
1273 int ret = e != NULL &&
1274 BN_set_word(e, RSA_F4) &&
1275 RSA_generate_key_ex_maybe_fips(rsa, bits, e, cb, /*check_fips=*/1);
1276 BN_free(e);
1277
1278 if (ret) {
1279 FIPS_service_indicator_update_state();
1280 }
1281 return ret;
1282 }
1283
DEFINE_METHOD_FUNCTION(RSA_METHOD,RSA_default_method)1284 DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) {
1285 // All of the methods are NULL to make it easier for the compiler/linker to
1286 // drop unused functions. The wrapper functions will select the appropriate
1287 // |rsa_default_*| implementation.
1288 OPENSSL_memset(out, 0, sizeof(RSA_METHOD));
1289 out->common.is_static = 1;
1290 }
1291