1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <assert.h>
60 #include <limits.h>
61 #include <string.h>
62
63 #include <openssl/bn.h>
64 #include <openssl/digest.h>
65 #include <openssl/engine.h>
66 #include <openssl/err.h>
67 #include <openssl/ex_data.h>
68 #include <openssl/md5.h>
69 #include <openssl/mem.h>
70 #include <openssl/nid.h>
71 #include <openssl/sha.h>
72 #include <openssl/thread.h>
73
74 #include "../bn/internal.h"
75 #include "../delocate.h"
76 #include "../../internal.h"
77 #include "internal.h"
78
79
80 // RSA_R_BLOCK_TYPE_IS_NOT_02 is part of the legacy SSLv23 padding scheme.
81 // Cryptography.io depends on this error code.
OPENSSL_DECLARE_ERROR_REASON(RSA,BLOCK_TYPE_IS_NOT_02)82 OPENSSL_DECLARE_ERROR_REASON(RSA, BLOCK_TYPE_IS_NOT_02)
83
84 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class)
85
86 static int bn_dup_into(BIGNUM **dst, const BIGNUM *src) {
87 if (src == NULL) {
88 OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER);
89 return 0;
90 }
91
92 BN_free(*dst);
93 *dst = BN_dup(src);
94 return *dst != NULL;
95 }
96
RSA_new_public_key(const BIGNUM * n,const BIGNUM * e)97 RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e) {
98 RSA *rsa = RSA_new();
99 if (rsa == NULL || //
100 !bn_dup_into(&rsa->n, n) || //
101 !bn_dup_into(&rsa->e, e) || //
102 !RSA_check_key(rsa)) {
103 RSA_free(rsa);
104 return NULL;
105 }
106
107 return rsa;
108 }
109
RSA_new_private_key(const BIGNUM * n,const BIGNUM * e,const BIGNUM * d,const BIGNUM * p,const BIGNUM * q,const BIGNUM * dmp1,const BIGNUM * dmq1,const BIGNUM * iqmp)110 RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d,
111 const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1,
112 const BIGNUM *dmq1, const BIGNUM *iqmp) {
113 RSA *rsa = RSA_new();
114 if (rsa == NULL || //
115 !bn_dup_into(&rsa->n, n) || //
116 !bn_dup_into(&rsa->e, e) || //
117 !bn_dup_into(&rsa->d, d) || //
118 !bn_dup_into(&rsa->p, p) || //
119 !bn_dup_into(&rsa->q, q) || //
120 !bn_dup_into(&rsa->dmp1, dmp1) || //
121 !bn_dup_into(&rsa->dmq1, dmq1) || //
122 !bn_dup_into(&rsa->iqmp, iqmp) || //
123 !RSA_check_key(rsa)) {
124 RSA_free(rsa);
125 return NULL;
126 }
127
128 return rsa;
129 }
130
RSA_new_private_key_no_crt(const BIGNUM * n,const BIGNUM * e,const BIGNUM * d)131 RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e,
132 const BIGNUM *d) {
133 RSA *rsa = RSA_new();
134 if (rsa == NULL || //
135 !bn_dup_into(&rsa->n, n) || //
136 !bn_dup_into(&rsa->e, e) || //
137 !bn_dup_into(&rsa->d, d) || //
138 !RSA_check_key(rsa)) {
139 RSA_free(rsa);
140 return NULL;
141 }
142
143 return rsa;
144 }
145
RSA_new_private_key_no_e(const BIGNUM * n,const BIGNUM * d)146 RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d) {
147 RSA *rsa = RSA_new();
148 if (rsa == NULL) {
149 return NULL;
150 }
151
152 rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT;
153 if (!bn_dup_into(&rsa->n, n) || //
154 !bn_dup_into(&rsa->d, d) || //
155 !RSA_check_key(rsa)) {
156 RSA_free(rsa);
157 return NULL;
158 }
159
160 return rsa;
161 }
162
RSA_new_public_key_large_e(const BIGNUM * n,const BIGNUM * e)163 RSA *RSA_new_public_key_large_e(const BIGNUM *n, const BIGNUM *e) {
164 RSA *rsa = RSA_new();
165 if (rsa == NULL) {
166 return NULL;
167 }
168
169 rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT;
170 if (!bn_dup_into(&rsa->n, n) || //
171 !bn_dup_into(&rsa->e, e) || //
172 !RSA_check_key(rsa)) {
173 RSA_free(rsa);
174 return NULL;
175 }
176
177 return rsa;
178 }
179
RSA_new_private_key_large_e(const BIGNUM * n,const BIGNUM * e,const BIGNUM * d,const BIGNUM * p,const BIGNUM * q,const BIGNUM * dmp1,const BIGNUM * dmq1,const BIGNUM * iqmp)180 RSA *RSA_new_private_key_large_e(const BIGNUM *n, const BIGNUM *e,
181 const BIGNUM *d, const BIGNUM *p,
182 const BIGNUM *q, const BIGNUM *dmp1,
183 const BIGNUM *dmq1, const BIGNUM *iqmp) {
184 RSA *rsa = RSA_new();
185 if (rsa == NULL) {
186 return NULL;
187 }
188
189 rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT;
190 if (!bn_dup_into(&rsa->n, n) || //
191 !bn_dup_into(&rsa->e, e) || //
192 !bn_dup_into(&rsa->d, d) || //
193 !bn_dup_into(&rsa->p, p) || //
194 !bn_dup_into(&rsa->q, q) || //
195 !bn_dup_into(&rsa->dmp1, dmp1) || //
196 !bn_dup_into(&rsa->dmq1, dmq1) || //
197 !bn_dup_into(&rsa->iqmp, iqmp) || //
198 !RSA_check_key(rsa)) {
199 RSA_free(rsa);
200 return NULL;
201 }
202
203 return rsa;
204 }
205
RSA_new(void)206 RSA *RSA_new(void) { return RSA_new_method(NULL); }
207
RSA_new_method(const ENGINE * engine)208 RSA *RSA_new_method(const ENGINE *engine) {
209 RSA *rsa = OPENSSL_zalloc(sizeof(RSA));
210 if (rsa == NULL) {
211 return NULL;
212 }
213
214 if (engine) {
215 rsa->meth = ENGINE_get_RSA_method(engine);
216 }
217
218 if (rsa->meth == NULL) {
219 rsa->meth = (RSA_METHOD *) RSA_default_method();
220 }
221 METHOD_ref(rsa->meth);
222
223 rsa->references = 1;
224 rsa->flags = rsa->meth->flags;
225 CRYPTO_MUTEX_init(&rsa->lock);
226 CRYPTO_new_ex_data(&rsa->ex_data);
227
228 if (rsa->meth->init && !rsa->meth->init(rsa)) {
229 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
230 CRYPTO_MUTEX_cleanup(&rsa->lock);
231 METHOD_unref(rsa->meth);
232 OPENSSL_free(rsa);
233 return NULL;
234 }
235
236 return rsa;
237 }
238
RSA_new_method_no_e(const ENGINE * engine,const BIGNUM * n)239 RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n) {
240 RSA *rsa = RSA_new_method(engine);
241 if (rsa == NULL ||
242 !bn_dup_into(&rsa->n, n)) {
243 RSA_free(rsa);
244 return NULL;
245 }
246 rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT;
247 return rsa;
248 }
249
RSA_free(RSA * rsa)250 void RSA_free(RSA *rsa) {
251 if (rsa == NULL) {
252 return;
253 }
254
255 if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
256 return;
257 }
258
259 if (rsa->meth->finish) {
260 rsa->meth->finish(rsa);
261 }
262 METHOD_unref(rsa->meth);
263
264 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
265
266 BN_free(rsa->n);
267 BN_free(rsa->e);
268 BN_free(rsa->d);
269 BN_free(rsa->p);
270 BN_free(rsa->q);
271 BN_free(rsa->dmp1);
272 BN_free(rsa->dmq1);
273 BN_free(rsa->iqmp);
274 rsa_invalidate_key(rsa);
275 CRYPTO_MUTEX_cleanup(&rsa->lock);
276 OPENSSL_free(rsa);
277 }
278
RSA_up_ref(RSA * rsa)279 int RSA_up_ref(RSA *rsa) {
280 CRYPTO_refcount_inc(&rsa->references);
281 return 1;
282 }
283
RSA_bits(const RSA * rsa)284 unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); }
285
RSA_get0_n(const RSA * rsa)286 const BIGNUM *RSA_get0_n(const RSA *rsa) { return rsa->n; }
287
RSA_get0_e(const RSA * rsa)288 const BIGNUM *RSA_get0_e(const RSA *rsa) { return rsa->e; }
289
RSA_get0_d(const RSA * rsa)290 const BIGNUM *RSA_get0_d(const RSA *rsa) { return rsa->d; }
291
RSA_get0_p(const RSA * rsa)292 const BIGNUM *RSA_get0_p(const RSA *rsa) { return rsa->p; }
293
RSA_get0_q(const RSA * rsa)294 const BIGNUM *RSA_get0_q(const RSA *rsa) { return rsa->q; }
295
RSA_get0_dmp1(const RSA * rsa)296 const BIGNUM *RSA_get0_dmp1(const RSA *rsa) { return rsa->dmp1; }
297
RSA_get0_dmq1(const RSA * rsa)298 const BIGNUM *RSA_get0_dmq1(const RSA *rsa) { return rsa->dmq1; }
299
RSA_get0_iqmp(const RSA * rsa)300 const BIGNUM *RSA_get0_iqmp(const RSA *rsa) { return rsa->iqmp; }
301
RSA_get0_key(const RSA * rsa,const BIGNUM ** out_n,const BIGNUM ** out_e,const BIGNUM ** out_d)302 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
303 const BIGNUM **out_d) {
304 if (out_n != NULL) {
305 *out_n = rsa->n;
306 }
307 if (out_e != NULL) {
308 *out_e = rsa->e;
309 }
310 if (out_d != NULL) {
311 *out_d = rsa->d;
312 }
313 }
314
RSA_get0_factors(const RSA * rsa,const BIGNUM ** out_p,const BIGNUM ** out_q)315 void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
316 const BIGNUM **out_q) {
317 if (out_p != NULL) {
318 *out_p = rsa->p;
319 }
320 if (out_q != NULL) {
321 *out_q = rsa->q;
322 }
323 }
324
RSA_get0_pss_params(const RSA * rsa)325 const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa) {
326 // We do not support the id-RSASSA-PSS key encoding. If we add support later,
327 // the |maskHash| field should be filled in for OpenSSL compatibility.
328 return NULL;
329 }
330
RSA_get0_crt_params(const RSA * rsa,const BIGNUM ** out_dmp1,const BIGNUM ** out_dmq1,const BIGNUM ** out_iqmp)331 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
332 const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
333 if (out_dmp1 != NULL) {
334 *out_dmp1 = rsa->dmp1;
335 }
336 if (out_dmq1 != NULL) {
337 *out_dmq1 = rsa->dmq1;
338 }
339 if (out_iqmp != NULL) {
340 *out_iqmp = rsa->iqmp;
341 }
342 }
343
RSA_set0_key(RSA * rsa,BIGNUM * n,BIGNUM * e,BIGNUM * d)344 int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
345 if ((rsa->n == NULL && n == NULL) ||
346 (rsa->e == NULL && e == NULL)) {
347 return 0;
348 }
349
350 if (n != NULL) {
351 BN_free(rsa->n);
352 rsa->n = n;
353 }
354 if (e != NULL) {
355 BN_free(rsa->e);
356 rsa->e = e;
357 }
358 if (d != NULL) {
359 BN_free(rsa->d);
360 rsa->d = d;
361 }
362
363 rsa_invalidate_key(rsa);
364 return 1;
365 }
366
RSA_set0_factors(RSA * rsa,BIGNUM * p,BIGNUM * q)367 int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {
368 if ((rsa->p == NULL && p == NULL) ||
369 (rsa->q == NULL && q == NULL)) {
370 return 0;
371 }
372
373 if (p != NULL) {
374 BN_free(rsa->p);
375 rsa->p = p;
376 }
377 if (q != NULL) {
378 BN_free(rsa->q);
379 rsa->q = q;
380 }
381
382 rsa_invalidate_key(rsa);
383 return 1;
384 }
385
RSA_set0_crt_params(RSA * rsa,BIGNUM * dmp1,BIGNUM * dmq1,BIGNUM * iqmp)386 int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
387 if ((rsa->dmp1 == NULL && dmp1 == NULL) ||
388 (rsa->dmq1 == NULL && dmq1 == NULL) ||
389 (rsa->iqmp == NULL && iqmp == NULL)) {
390 return 0;
391 }
392
393 if (dmp1 != NULL) {
394 BN_free(rsa->dmp1);
395 rsa->dmp1 = dmp1;
396 }
397 if (dmq1 != NULL) {
398 BN_free(rsa->dmq1);
399 rsa->dmq1 = dmq1;
400 }
401 if (iqmp != NULL) {
402 BN_free(rsa->iqmp);
403 rsa->iqmp = iqmp;
404 }
405
406 rsa_invalidate_key(rsa);
407 return 1;
408 }
409
rsa_sign_raw_no_self_test(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)410 static int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out,
411 size_t max_out, const uint8_t *in,
412 size_t in_len, int padding) {
413 if (rsa->meth->sign_raw) {
414 return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
415 }
416
417 return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
418 }
419
RSA_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)420 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
421 const uint8_t *in, size_t in_len, int padding) {
422 boringssl_ensure_rsa_self_test();
423 return rsa_sign_raw_no_self_test(rsa, out_len, out, max_out, in, in_len,
424 padding);
425 }
426
RSA_size(const RSA * rsa)427 unsigned RSA_size(const RSA *rsa) {
428 size_t ret = rsa->meth->size ? rsa->meth->size(rsa) : rsa_default_size(rsa);
429 // RSA modulus sizes are bounded by |BIGNUM|, which must fit in |unsigned|.
430 //
431 // TODO(https://crbug.com/boringssl/516): Should we make this return |size_t|?
432 assert(ret < UINT_MAX);
433 return (unsigned)ret;
434 }
435
RSA_is_opaque(const RSA * rsa)436 int RSA_is_opaque(const RSA *rsa) {
437 return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
438 }
439
RSA_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)440 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
441 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
442 int index;
443 if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
444 argp, free_func)) {
445 return -1;
446 }
447 return index;
448 }
449
RSA_set_ex_data(RSA * rsa,int idx,void * arg)450 int RSA_set_ex_data(RSA *rsa, int idx, void *arg) {
451 return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg);
452 }
453
RSA_get_ex_data(const RSA * rsa,int idx)454 void *RSA_get_ex_data(const RSA *rsa, int idx) {
455 return CRYPTO_get_ex_data(&rsa->ex_data, idx);
456 }
457
458 // SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
459 // the length of an MD5 and SHA1 hash.
460 static const unsigned SSL_SIG_LENGTH = 36;
461
462 // pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
463 // to be signed with PKCS#1.
464 struct pkcs1_sig_prefix {
465 // nid identifies the hash function.
466 int nid;
467 // hash_len is the expected length of the hash function.
468 uint8_t hash_len;
469 // len is the number of bytes of |bytes| which are valid.
470 uint8_t len;
471 // bytes contains the DER bytes.
472 uint8_t bytes[19];
473 };
474
475 // kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
476 // different hash functions.
477 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
478 {
479 NID_md5,
480 MD5_DIGEST_LENGTH,
481 18,
482 {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
483 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
484 },
485 {
486 NID_sha1,
487 SHA_DIGEST_LENGTH,
488 15,
489 {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
490 0x00, 0x04, 0x14},
491 },
492 {
493 NID_sha224,
494 SHA224_DIGEST_LENGTH,
495 19,
496 {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
497 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
498 },
499 {
500 NID_sha256,
501 SHA256_DIGEST_LENGTH,
502 19,
503 {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
504 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
505 },
506 {
507 NID_sha384,
508 SHA384_DIGEST_LENGTH,
509 19,
510 {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
511 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
512 },
513 {
514 NID_sha512,
515 SHA512_DIGEST_LENGTH,
516 19,
517 {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
518 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
519 },
520 {
521 NID_undef, 0, 0, {0},
522 },
523 };
524
rsa_check_digest_size(int hash_nid,size_t digest_len)525 static int rsa_check_digest_size(int hash_nid, size_t digest_len) {
526 if (hash_nid == NID_md5_sha1) {
527 if (digest_len != SSL_SIG_LENGTH) {
528 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
529 return 0;
530 }
531 return 1;
532 }
533
534 for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
535 const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
536 if (sig_prefix->nid == hash_nid) {
537 if (digest_len != sig_prefix->hash_len) {
538 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
539 return 0;
540 }
541 return 1;
542 }
543 }
544
545 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
546 return 0;
547
548 }
549
RSA_add_pkcs1_prefix(uint8_t ** out_msg,size_t * out_msg_len,int * is_alloced,int hash_nid,const uint8_t * digest,size_t digest_len)550 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
551 int *is_alloced, int hash_nid, const uint8_t *digest,
552 size_t digest_len) {
553 if (!rsa_check_digest_size(hash_nid, digest_len)) {
554 return 0;
555 }
556
557 if (hash_nid == NID_md5_sha1) {
558 // The length should already have been checked.
559 assert(digest_len == SSL_SIG_LENGTH);
560 *out_msg = (uint8_t *)digest;
561 *out_msg_len = digest_len;
562 *is_alloced = 0;
563 return 1;
564 }
565
566 for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
567 const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
568 if (sig_prefix->nid != hash_nid) {
569 continue;
570 }
571
572 // The length should already have been checked.
573 assert(digest_len == sig_prefix->hash_len);
574 const uint8_t* prefix = sig_prefix->bytes;
575 size_t prefix_len = sig_prefix->len;
576 size_t signed_msg_len = prefix_len + digest_len;
577 if (signed_msg_len < prefix_len) {
578 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
579 return 0;
580 }
581
582 uint8_t *signed_msg = OPENSSL_malloc(signed_msg_len);
583 if (!signed_msg) {
584 return 0;
585 }
586
587 OPENSSL_memcpy(signed_msg, prefix, prefix_len);
588 OPENSSL_memcpy(signed_msg + prefix_len, digest, digest_len);
589
590 *out_msg = signed_msg;
591 *out_msg_len = signed_msg_len;
592 *is_alloced = 1;
593
594 return 1;
595 }
596
597 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
598 return 0;
599 }
600
rsa_sign_no_self_test(int hash_nid,const uint8_t * digest,size_t digest_len,uint8_t * out,unsigned * out_len,RSA * rsa)601 int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest,
602 size_t digest_len, uint8_t *out, unsigned *out_len,
603 RSA *rsa) {
604 if (rsa->meth->sign) {
605 if (!rsa_check_digest_size(hash_nid, digest_len)) {
606 return 0;
607 }
608 // All supported digest lengths fit in |unsigned|.
609 assert(digest_len <= EVP_MAX_MD_SIZE);
610 static_assert(EVP_MAX_MD_SIZE <= UINT_MAX, "digest too long");
611 return rsa->meth->sign(hash_nid, digest, (unsigned)digest_len, out, out_len,
612 rsa);
613 }
614
615 const unsigned rsa_size = RSA_size(rsa);
616 int ret = 0;
617 uint8_t *signed_msg = NULL;
618 size_t signed_msg_len = 0;
619 int signed_msg_is_alloced = 0;
620 size_t size_t_out_len;
621 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
622 &signed_msg_is_alloced, hash_nid, digest,
623 digest_len) ||
624 !rsa_sign_raw_no_self_test(rsa, &size_t_out_len, out, rsa_size,
625 signed_msg, signed_msg_len,
626 RSA_PKCS1_PADDING)) {
627 goto err;
628 }
629
630 if (size_t_out_len > UINT_MAX) {
631 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
632 goto err;
633 }
634
635 *out_len = (unsigned)size_t_out_len;
636 ret = 1;
637
638 err:
639 if (signed_msg_is_alloced) {
640 OPENSSL_free(signed_msg);
641 }
642 return ret;
643 }
644
RSA_sign(int hash_nid,const uint8_t * digest,size_t digest_len,uint8_t * out,unsigned * out_len,RSA * rsa)645 int RSA_sign(int hash_nid, const uint8_t *digest, size_t digest_len,
646 uint8_t *out, unsigned *out_len, RSA *rsa) {
647 boringssl_ensure_rsa_self_test();
648
649 return rsa_sign_no_self_test(hash_nid, digest, digest_len, out, out_len, rsa);
650 }
651
RSA_sign_pss_mgf1(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * digest,size_t digest_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len)652 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
653 const uint8_t *digest, size_t digest_len,
654 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len) {
655 if (digest_len != EVP_MD_size(md)) {
656 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
657 return 0;
658 }
659
660 size_t padded_len = RSA_size(rsa);
661 uint8_t *padded = OPENSSL_malloc(padded_len);
662 if (padded == NULL) {
663 return 0;
664 }
665
666 int ret = RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, digest, md, mgf1_md,
667 salt_len) &&
668 RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
669 RSA_NO_PADDING);
670 OPENSSL_free(padded);
671 return ret;
672 }
673
rsa_verify_no_self_test(int hash_nid,const uint8_t * digest,size_t digest_len,const uint8_t * sig,size_t sig_len,RSA * rsa)674 int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest,
675 size_t digest_len, const uint8_t *sig,
676 size_t sig_len, RSA *rsa) {
677 if (rsa->n == NULL || rsa->e == NULL) {
678 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
679 return 0;
680 }
681
682 const size_t rsa_size = RSA_size(rsa);
683 uint8_t *buf = NULL;
684 int ret = 0;
685 uint8_t *signed_msg = NULL;
686 size_t signed_msg_len = 0, len;
687 int signed_msg_is_alloced = 0;
688
689 if (hash_nid == NID_md5_sha1 && digest_len != SSL_SIG_LENGTH) {
690 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
691 return 0;
692 }
693
694 buf = OPENSSL_malloc(rsa_size);
695 if (!buf) {
696 return 0;
697 }
698
699 if (!rsa_verify_raw_no_self_test(rsa, &len, buf, rsa_size, sig, sig_len,
700 RSA_PKCS1_PADDING) ||
701 !RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
702 &signed_msg_is_alloced, hash_nid, digest,
703 digest_len)) {
704 goto out;
705 }
706
707 // Check that no other information follows the hash value (FIPS 186-4 Section
708 // 5.5) and it matches the expected hash.
709 if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
710 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
711 goto out;
712 }
713
714 ret = 1;
715
716 out:
717 OPENSSL_free(buf);
718 if (signed_msg_is_alloced) {
719 OPENSSL_free(signed_msg);
720 }
721 return ret;
722 }
723
RSA_verify(int hash_nid,const uint8_t * digest,size_t digest_len,const uint8_t * sig,size_t sig_len,RSA * rsa)724 int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len,
725 const uint8_t *sig, size_t sig_len, RSA *rsa) {
726 boringssl_ensure_rsa_self_test();
727 return rsa_verify_no_self_test(hash_nid, digest, digest_len, sig, sig_len,
728 rsa);
729 }
730
RSA_verify_pss_mgf1(RSA * rsa,const uint8_t * digest,size_t digest_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len,const uint8_t * sig,size_t sig_len)731 int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len,
732 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
733 const uint8_t *sig, size_t sig_len) {
734 if (digest_len != EVP_MD_size(md)) {
735 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
736 return 0;
737 }
738
739 size_t em_len = RSA_size(rsa);
740 uint8_t *em = OPENSSL_malloc(em_len);
741 if (em == NULL) {
742 return 0;
743 }
744
745 int ret = 0;
746 if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
747 goto err;
748 }
749
750 if (em_len != RSA_size(rsa)) {
751 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
752 goto err;
753 }
754
755 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, digest, md, mgf1_md, em, salt_len);
756
757 err:
758 OPENSSL_free(em);
759 return ret;
760 }
761
check_mod_inverse(int * out_ok,const BIGNUM * a,const BIGNUM * ainv,const BIGNUM * m,unsigned m_min_bits,BN_CTX * ctx)762 static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
763 const BIGNUM *m, unsigned m_min_bits,
764 BN_CTX *ctx) {
765 if (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0) {
766 *out_ok = 0;
767 return 1;
768 }
769
770 // Note |bn_mul_consttime| and |bn_div_consttime| do not scale linearly, but
771 // checking |ainv| is in range bounds the running time, assuming |m|'s bounds
772 // were checked by the caller.
773 BN_CTX_start(ctx);
774 BIGNUM *tmp = BN_CTX_get(ctx);
775 int ret = tmp != NULL &&
776 bn_mul_consttime(tmp, a, ainv, ctx) &&
777 bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx);
778 if (ret) {
779 *out_ok = BN_is_one(tmp);
780 }
781 BN_CTX_end(ctx);
782 return ret;
783 }
784
RSA_check_key(const RSA * key)785 int RSA_check_key(const RSA *key) {
786 // TODO(davidben): RSA key initialization is spread across
787 // |rsa_check_public_key|, |RSA_check_key|, |freeze_private_key|, and
788 // |BN_MONT_CTX_set_locked| as a result of API issues. See
789 // https://crbug.com/boringssl/316. As a result, we inconsistently check RSA
790 // invariants. We should fix this and integrate that logic.
791
792 if (RSA_is_opaque(key)) {
793 // Opaque keys can't be checked.
794 return 1;
795 }
796
797 if (!rsa_check_public_key(key)) {
798 return 0;
799 }
800
801 if ((key->p != NULL) != (key->q != NULL)) {
802 OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
803 return 0;
804 }
805
806 // |key->d| must be bounded by |key->n|. This ensures bounds on |RSA_bits|
807 // translate to bounds on the running time of private key operations.
808 if (key->d != NULL &&
809 (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0)) {
810 OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
811 return 0;
812 }
813
814 if (key->d == NULL || key->p == NULL) {
815 // For a public key, or without p and q, there's nothing that can be
816 // checked.
817 return 1;
818 }
819
820 BN_CTX *ctx = BN_CTX_new();
821 if (ctx == NULL) {
822 return 0;
823 }
824
825 BIGNUM tmp, de, pm1, qm1, dmp1, dmq1;
826 int ok = 0;
827 BN_init(&tmp);
828 BN_init(&de);
829 BN_init(&pm1);
830 BN_init(&qm1);
831 BN_init(&dmp1);
832 BN_init(&dmq1);
833
834 // Check that p * q == n. Before we multiply, we check that p and q are in
835 // bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that
836 // n was bound by |rsa_check_public_key|. This also implicitly checks p and q
837 // are odd, which is a necessary condition for Montgomery reduction.
838 if (BN_is_negative(key->p) || BN_cmp(key->p, key->n) >= 0 ||
839 BN_is_negative(key->q) || BN_cmp(key->q, key->n) >= 0) {
840 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
841 goto out;
842 }
843 if (!bn_mul_consttime(&tmp, key->p, key->q, ctx)) {
844 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
845 goto out;
846 }
847 if (BN_cmp(&tmp, key->n) != 0) {
848 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
849 goto out;
850 }
851
852 // d must be an inverse of e mod the Carmichael totient, lcm(p-1, q-1), but it
853 // may be unreduced because other implementations use the Euler totient. We
854 // simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound
855 // by earlier checks in this function.
856 if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
857 !bn_usub_consttime(&qm1, key->q, BN_value_one())) {
858 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
859 goto out;
860 }
861 const unsigned pm1_bits = BN_num_bits(&pm1);
862 const unsigned qm1_bits = BN_num_bits(&qm1);
863 if (!bn_mul_consttime(&de, key->d, key->e, ctx) ||
864 !bn_div_consttime(NULL, &tmp, &de, &pm1, pm1_bits, ctx) ||
865 !bn_div_consttime(NULL, &de, &de, &qm1, qm1_bits, ctx)) {
866 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
867 goto out;
868 }
869
870 if (!BN_is_one(&tmp) || !BN_is_one(&de)) {
871 OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
872 goto out;
873 }
874
875 int has_crt_values = key->dmp1 != NULL;
876 if (has_crt_values != (key->dmq1 != NULL) ||
877 has_crt_values != (key->iqmp != NULL)) {
878 OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
879 goto out;
880 }
881
882 if (has_crt_values) {
883 int dmp1_ok, dmq1_ok, iqmp_ok;
884 if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, pm1_bits, ctx) ||
885 !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, qm1_bits, ctx) ||
886 // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't,
887 // we only need a lower bound anyway.
888 !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, pm1_bits,
889 ctx)) {
890 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
891 goto out;
892 }
893
894 if (!dmp1_ok || !dmq1_ok || !iqmp_ok) {
895 OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
896 goto out;
897 }
898 }
899
900 ok = 1;
901
902 out:
903 BN_free(&tmp);
904 BN_free(&de);
905 BN_free(&pm1);
906 BN_free(&qm1);
907 BN_free(&dmp1);
908 BN_free(&dmq1);
909 BN_CTX_free(ctx);
910
911 return ok;
912 }
913
914
915 // This is the product of the 132 smallest odd primes, from 3 to 751.
916 static const BN_ULONG kSmallFactorsLimbs[] = {
917 TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
918 TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
919 TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
920 TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
921 TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
922 TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
923 TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
924 TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
925 0x000017b1
926 };
927
DEFINE_LOCAL_DATA(BIGNUM,g_small_factors)928 DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
929 out->d = (BN_ULONG *) kSmallFactorsLimbs;
930 out->width = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
931 out->dmax = out->width;
932 out->neg = 0;
933 out->flags = BN_FLG_STATIC_DATA;
934 }
935
RSA_check_fips(RSA * key)936 int RSA_check_fips(RSA *key) {
937 if (RSA_is_opaque(key)) {
938 // Opaque keys can't be checked.
939 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
940 return 0;
941 }
942
943 if (!RSA_check_key(key)) {
944 return 0;
945 }
946
947 BN_CTX *ctx = BN_CTX_new();
948 if (ctx == NULL) {
949 return 0;
950 }
951
952 BIGNUM small_gcd;
953 BN_init(&small_gcd);
954
955 int ret = 1;
956
957 // Perform partial public key validation of RSA keys (SP 800-89 5.3.3).
958 // Although this is not for primality testing, SP 800-89 cites an RSA
959 // primality testing algorithm, so we use |BN_prime_checks_for_generation| to
960 // match. This is only a plausibility test and we expect the value to be
961 // composite, so too few iterations will cause us to reject the key, not use
962 // an implausible one.
963 enum bn_primality_result_t primality_result;
964 if (BN_num_bits(key->e) <= 16 ||
965 BN_num_bits(key->e) > 256 ||
966 !BN_is_odd(key->n) ||
967 !BN_is_odd(key->e) ||
968 !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
969 !BN_is_one(&small_gcd) ||
970 !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
971 BN_prime_checks_for_generation,
972 ctx, NULL) ||
973 primality_result != bn_non_prime_power_composite) {
974 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
975 ret = 0;
976 }
977
978 BN_free(&small_gcd);
979 BN_CTX_free(ctx);
980
981 if (!ret || key->d == NULL || key->p == NULL) {
982 // On a failure or on only a public key, there's nothing else can be
983 // checked.
984 return ret;
985 }
986
987 // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
988 // section 9.9, it is not known whether |rsa| will be used for signing or
989 // encryption, so either pair-wise consistency self-test is acceptable. We
990 // perform a signing test.
991 uint8_t data[32] = {0};
992 unsigned sig_len = RSA_size(key);
993 uint8_t *sig = OPENSSL_malloc(sig_len);
994 if (sig == NULL) {
995 return 0;
996 }
997
998 if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
999 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
1000 ret = 0;
1001 goto cleanup;
1002 }
1003 if (boringssl_fips_break_test("RSA_PWCT")) {
1004 data[0] = ~data[0];
1005 }
1006 if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
1007 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
1008 ret = 0;
1009 }
1010
1011 cleanup:
1012 OPENSSL_free(sig);
1013
1014 return ret;
1015 }
1016
rsa_private_transform_no_self_test(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)1017 int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out,
1018 const uint8_t *in, size_t len) {
1019 if (rsa->meth->private_transform) {
1020 return rsa->meth->private_transform(rsa, out, in, len);
1021 }
1022
1023 return rsa_default_private_transform(rsa, out, in, len);
1024 }
1025
rsa_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)1026 int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
1027 size_t len) {
1028 boringssl_ensure_rsa_self_test();
1029 return rsa_private_transform_no_self_test(rsa, out, in, len);
1030 }
1031
RSA_flags(const RSA * rsa)1032 int RSA_flags(const RSA *rsa) { return rsa->flags; }
1033
RSA_test_flags(const RSA * rsa,int flags)1034 int RSA_test_flags(const RSA *rsa, int flags) { return rsa->flags & flags; }
1035
RSA_blinding_on(RSA * rsa,BN_CTX * ctx)1036 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
1037 return 1;
1038 }
1039