1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <limits.h>
60 #include <string.h>
61
62 #include <openssl/bn.h>
63 #include <openssl/digest.h>
64 #include <openssl/engine.h>
65 #include <openssl/err.h>
66 #include <openssl/ex_data.h>
67 #include <openssl/md5.h>
68 #include <openssl/mem.h>
69 #include <openssl/nid.h>
70 #include <openssl/sha.h>
71 #include <openssl/thread.h>
72
73 #include "../bn/internal.h"
74 #include "../delocate.h"
75 #include "../../internal.h"
76 #include "internal.h"
77
78
79 // RSA_R_BLOCK_TYPE_IS_NOT_02 is part of the legacy SSLv23 padding scheme.
80 // Cryptography.io depends on this error code.
OPENSSL_DECLARE_ERROR_REASON(RSA,BLOCK_TYPE_IS_NOT_02)81 OPENSSL_DECLARE_ERROR_REASON(RSA, BLOCK_TYPE_IS_NOT_02)
82
83 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class)
84
85 RSA *RSA_new(void) { return RSA_new_method(NULL); }
86
RSA_new_method(const ENGINE * engine)87 RSA *RSA_new_method(const ENGINE *engine) {
88 RSA *rsa = OPENSSL_malloc(sizeof(RSA));
89 if (rsa == NULL) {
90 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
91 return NULL;
92 }
93
94 OPENSSL_memset(rsa, 0, sizeof(RSA));
95
96 if (engine) {
97 rsa->meth = ENGINE_get_RSA_method(engine);
98 }
99
100 if (rsa->meth == NULL) {
101 rsa->meth = (RSA_METHOD *) RSA_default_method();
102 }
103 METHOD_ref(rsa->meth);
104
105 rsa->references = 1;
106 rsa->flags = rsa->meth->flags;
107 CRYPTO_MUTEX_init(&rsa->lock);
108 CRYPTO_new_ex_data(&rsa->ex_data);
109
110 if (rsa->meth->init && !rsa->meth->init(rsa)) {
111 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
112 CRYPTO_MUTEX_cleanup(&rsa->lock);
113 METHOD_unref(rsa->meth);
114 OPENSSL_free(rsa);
115 return NULL;
116 }
117
118 return rsa;
119 }
120
RSA_free(RSA * rsa)121 void RSA_free(RSA *rsa) {
122 unsigned u;
123
124 if (rsa == NULL) {
125 return;
126 }
127
128 if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
129 return;
130 }
131
132 if (rsa->meth->finish) {
133 rsa->meth->finish(rsa);
134 }
135 METHOD_unref(rsa->meth);
136
137 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
138
139 BN_free(rsa->n);
140 BN_free(rsa->e);
141 BN_free(rsa->d);
142 BN_free(rsa->p);
143 BN_free(rsa->q);
144 BN_free(rsa->dmp1);
145 BN_free(rsa->dmq1);
146 BN_free(rsa->iqmp);
147 BN_MONT_CTX_free(rsa->mont_n);
148 BN_MONT_CTX_free(rsa->mont_p);
149 BN_MONT_CTX_free(rsa->mont_q);
150 BN_free(rsa->d_fixed);
151 BN_free(rsa->dmp1_fixed);
152 BN_free(rsa->dmq1_fixed);
153 BN_free(rsa->inv_small_mod_large_mont);
154 for (u = 0; u < rsa->num_blindings; u++) {
155 BN_BLINDING_free(rsa->blindings[u]);
156 }
157 OPENSSL_free(rsa->blindings);
158 OPENSSL_free(rsa->blindings_inuse);
159 CRYPTO_MUTEX_cleanup(&rsa->lock);
160 OPENSSL_free(rsa);
161 }
162
RSA_up_ref(RSA * rsa)163 int RSA_up_ref(RSA *rsa) {
164 CRYPTO_refcount_inc(&rsa->references);
165 return 1;
166 }
167
RSA_bits(const RSA * rsa)168 unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); }
169
RSA_get0_n(const RSA * rsa)170 const BIGNUM *RSA_get0_n(const RSA *rsa) { return rsa->n; }
171
RSA_get0_e(const RSA * rsa)172 const BIGNUM *RSA_get0_e(const RSA *rsa) { return rsa->e; }
173
RSA_get0_d(const RSA * rsa)174 const BIGNUM *RSA_get0_d(const RSA *rsa) { return rsa->d; }
175
RSA_get0_p(const RSA * rsa)176 const BIGNUM *RSA_get0_p(const RSA *rsa) { return rsa->p; }
177
RSA_get0_q(const RSA * rsa)178 const BIGNUM *RSA_get0_q(const RSA *rsa) { return rsa->q; }
179
RSA_get0_dmp1(const RSA * rsa)180 const BIGNUM *RSA_get0_dmp1(const RSA *rsa) { return rsa->dmp1; }
181
RSA_get0_dmq1(const RSA * rsa)182 const BIGNUM *RSA_get0_dmq1(const RSA *rsa) { return rsa->dmq1; }
183
RSA_get0_iqmp(const RSA * rsa)184 const BIGNUM *RSA_get0_iqmp(const RSA *rsa) { return rsa->iqmp; }
185
RSA_get0_key(const RSA * rsa,const BIGNUM ** out_n,const BIGNUM ** out_e,const BIGNUM ** out_d)186 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
187 const BIGNUM **out_d) {
188 if (out_n != NULL) {
189 *out_n = rsa->n;
190 }
191 if (out_e != NULL) {
192 *out_e = rsa->e;
193 }
194 if (out_d != NULL) {
195 *out_d = rsa->d;
196 }
197 }
198
RSA_get0_factors(const RSA * rsa,const BIGNUM ** out_p,const BIGNUM ** out_q)199 void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
200 const BIGNUM **out_q) {
201 if (out_p != NULL) {
202 *out_p = rsa->p;
203 }
204 if (out_q != NULL) {
205 *out_q = rsa->q;
206 }
207 }
208
RSA_get0_crt_params(const RSA * rsa,const BIGNUM ** out_dmp1,const BIGNUM ** out_dmq1,const BIGNUM ** out_iqmp)209 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
210 const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
211 if (out_dmp1 != NULL) {
212 *out_dmp1 = rsa->dmp1;
213 }
214 if (out_dmq1 != NULL) {
215 *out_dmq1 = rsa->dmq1;
216 }
217 if (out_iqmp != NULL) {
218 *out_iqmp = rsa->iqmp;
219 }
220 }
221
RSA_set0_key(RSA * rsa,BIGNUM * n,BIGNUM * e,BIGNUM * d)222 int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
223 if ((rsa->n == NULL && n == NULL) ||
224 (rsa->e == NULL && e == NULL)) {
225 return 0;
226 }
227
228 if (n != NULL) {
229 BN_free(rsa->n);
230 rsa->n = n;
231 }
232 if (e != NULL) {
233 BN_free(rsa->e);
234 rsa->e = e;
235 }
236 if (d != NULL) {
237 BN_free(rsa->d);
238 rsa->d = d;
239 }
240
241 return 1;
242 }
243
RSA_set0_factors(RSA * rsa,BIGNUM * p,BIGNUM * q)244 int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {
245 if ((rsa->p == NULL && p == NULL) ||
246 (rsa->q == NULL && q == NULL)) {
247 return 0;
248 }
249
250 if (p != NULL) {
251 BN_free(rsa->p);
252 rsa->p = p;
253 }
254 if (q != NULL) {
255 BN_free(rsa->q);
256 rsa->q = q;
257 }
258
259 return 1;
260 }
261
RSA_set0_crt_params(RSA * rsa,BIGNUM * dmp1,BIGNUM * dmq1,BIGNUM * iqmp)262 int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
263 if ((rsa->dmp1 == NULL && dmp1 == NULL) ||
264 (rsa->dmq1 == NULL && dmq1 == NULL) ||
265 (rsa->iqmp == NULL && iqmp == NULL)) {
266 return 0;
267 }
268
269 if (dmp1 != NULL) {
270 BN_free(rsa->dmp1);
271 rsa->dmp1 = dmp1;
272 }
273 if (dmq1 != NULL) {
274 BN_free(rsa->dmq1);
275 rsa->dmq1 = dmq1;
276 }
277 if (iqmp != NULL) {
278 BN_free(rsa->iqmp);
279 rsa->iqmp = iqmp;
280 }
281
282 return 1;
283 }
284
RSA_public_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)285 int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
286 int padding) {
287 size_t out_len;
288
289 if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
290 return -1;
291 }
292
293 if (out_len > INT_MAX) {
294 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
295 return -1;
296 }
297 return out_len;
298 }
299
RSA_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)300 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
301 const uint8_t *in, size_t in_len, int padding) {
302 if (rsa->meth->sign_raw) {
303 return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
304 }
305
306 return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
307 }
308
RSA_private_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)309 int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
310 int padding) {
311 size_t out_len;
312
313 if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
314 return -1;
315 }
316
317 if (out_len > INT_MAX) {
318 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
319 return -1;
320 }
321 return out_len;
322 }
323
RSA_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)324 int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
325 const uint8_t *in, size_t in_len, int padding) {
326 if (rsa->meth->decrypt) {
327 return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
328 }
329
330 return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
331 }
332
RSA_private_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)333 int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
334 int padding) {
335 size_t out_len;
336
337 if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
338 return -1;
339 }
340
341 if (out_len > INT_MAX) {
342 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
343 return -1;
344 }
345 return out_len;
346 }
347
RSA_public_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)348 int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
349 int padding) {
350 size_t out_len;
351
352 if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
353 return -1;
354 }
355
356 if (out_len > INT_MAX) {
357 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
358 return -1;
359 }
360 return out_len;
361 }
362
RSA_size(const RSA * rsa)363 unsigned RSA_size(const RSA *rsa) {
364 if (rsa->meth->size) {
365 return rsa->meth->size(rsa);
366 }
367
368 return rsa_default_size(rsa);
369 }
370
RSA_is_opaque(const RSA * rsa)371 int RSA_is_opaque(const RSA *rsa) {
372 return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
373 }
374
RSA_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)375 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
376 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
377 int index;
378 if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
379 argp, free_func)) {
380 return -1;
381 }
382 return index;
383 }
384
RSA_set_ex_data(RSA * rsa,int idx,void * arg)385 int RSA_set_ex_data(RSA *rsa, int idx, void *arg) {
386 return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg);
387 }
388
RSA_get_ex_data(const RSA * rsa,int idx)389 void *RSA_get_ex_data(const RSA *rsa, int idx) {
390 return CRYPTO_get_ex_data(&rsa->ex_data, idx);
391 }
392
393 // SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
394 // the length of an MD5 and SHA1 hash.
395 static const unsigned SSL_SIG_LENGTH = 36;
396
397 // pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
398 // to be signed with PKCS#1.
399 struct pkcs1_sig_prefix {
400 // nid identifies the hash function.
401 int nid;
402 // hash_len is the expected length of the hash function.
403 uint8_t hash_len;
404 // len is the number of bytes of |bytes| which are valid.
405 uint8_t len;
406 // bytes contains the DER bytes.
407 uint8_t bytes[19];
408 };
409
410 // kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
411 // different hash functions.
412 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
413 {
414 NID_md5,
415 MD5_DIGEST_LENGTH,
416 18,
417 {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
418 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
419 },
420 {
421 NID_sha1,
422 SHA_DIGEST_LENGTH,
423 15,
424 {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
425 0x00, 0x04, 0x14},
426 },
427 {
428 NID_sha224,
429 SHA224_DIGEST_LENGTH,
430 19,
431 {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
432 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
433 },
434 {
435 NID_sha256,
436 SHA256_DIGEST_LENGTH,
437 19,
438 {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
439 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
440 },
441 {
442 NID_sha384,
443 SHA384_DIGEST_LENGTH,
444 19,
445 {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
446 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
447 },
448 {
449 NID_sha512,
450 SHA512_DIGEST_LENGTH,
451 19,
452 {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
453 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
454 },
455 {
456 NID_undef, 0, 0, {0},
457 },
458 };
459
RSA_add_pkcs1_prefix(uint8_t ** out_msg,size_t * out_msg_len,int * is_alloced,int hash_nid,const uint8_t * digest,size_t digest_len)460 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
461 int *is_alloced, int hash_nid, const uint8_t *digest,
462 size_t digest_len) {
463 unsigned i;
464
465 if (hash_nid == NID_md5_sha1) {
466 // Special case: SSL signature, just check the length.
467 if (digest_len != SSL_SIG_LENGTH) {
468 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
469 return 0;
470 }
471
472 *out_msg = (uint8_t *)digest;
473 *out_msg_len = SSL_SIG_LENGTH;
474 *is_alloced = 0;
475 return 1;
476 }
477
478 for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
479 const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
480 if (sig_prefix->nid != hash_nid) {
481 continue;
482 }
483
484 if (digest_len != sig_prefix->hash_len) {
485 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
486 return 0;
487 }
488
489 const uint8_t* prefix = sig_prefix->bytes;
490 unsigned prefix_len = sig_prefix->len;
491 unsigned signed_msg_len;
492 uint8_t *signed_msg;
493
494 signed_msg_len = prefix_len + digest_len;
495 if (signed_msg_len < prefix_len) {
496 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
497 return 0;
498 }
499
500 signed_msg = OPENSSL_malloc(signed_msg_len);
501 if (!signed_msg) {
502 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
503 return 0;
504 }
505
506 OPENSSL_memcpy(signed_msg, prefix, prefix_len);
507 OPENSSL_memcpy(signed_msg + prefix_len, digest, digest_len);
508
509 *out_msg = signed_msg;
510 *out_msg_len = signed_msg_len;
511 *is_alloced = 1;
512
513 return 1;
514 }
515
516 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
517 return 0;
518 }
519
RSA_sign(int hash_nid,const uint8_t * digest,unsigned digest_len,uint8_t * out,unsigned * out_len,RSA * rsa)520 int RSA_sign(int hash_nid, const uint8_t *digest, unsigned digest_len,
521 uint8_t *out, unsigned *out_len, RSA *rsa) {
522 const unsigned rsa_size = RSA_size(rsa);
523 int ret = 0;
524 uint8_t *signed_msg = NULL;
525 size_t signed_msg_len = 0;
526 int signed_msg_is_alloced = 0;
527 size_t size_t_out_len;
528
529 if (rsa->meth->sign) {
530 return rsa->meth->sign(hash_nid, digest, digest_len, out, out_len, rsa);
531 }
532
533 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
534 &signed_msg_is_alloced, hash_nid, digest,
535 digest_len) ||
536 !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
537 signed_msg_len, RSA_PKCS1_PADDING)) {
538 goto err;
539 }
540
541 *out_len = size_t_out_len;
542 ret = 1;
543
544 err:
545 if (signed_msg_is_alloced) {
546 OPENSSL_free(signed_msg);
547 }
548 return ret;
549 }
550
RSA_sign_pss_mgf1(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * digest,size_t digest_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len)551 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
552 const uint8_t *digest, size_t digest_len,
553 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len) {
554 if (digest_len != EVP_MD_size(md)) {
555 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
556 return 0;
557 }
558
559 size_t padded_len = RSA_size(rsa);
560 uint8_t *padded = OPENSSL_malloc(padded_len);
561 if (padded == NULL) {
562 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
563 return 0;
564 }
565
566 int ret = RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, digest, md, mgf1_md,
567 salt_len) &&
568 RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
569 RSA_NO_PADDING);
570 OPENSSL_free(padded);
571 return ret;
572 }
573
RSA_verify(int hash_nid,const uint8_t * digest,size_t digest_len,const uint8_t * sig,size_t sig_len,RSA * rsa)574 int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len,
575 const uint8_t *sig, size_t sig_len, RSA *rsa) {
576 if (rsa->n == NULL || rsa->e == NULL) {
577 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
578 return 0;
579 }
580
581 const size_t rsa_size = RSA_size(rsa);
582 uint8_t *buf = NULL;
583 int ret = 0;
584 uint8_t *signed_msg = NULL;
585 size_t signed_msg_len = 0, len;
586 int signed_msg_is_alloced = 0;
587
588 if (hash_nid == NID_md5_sha1 && digest_len != SSL_SIG_LENGTH) {
589 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
590 return 0;
591 }
592
593 buf = OPENSSL_malloc(rsa_size);
594 if (!buf) {
595 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
596 return 0;
597 }
598
599 if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
600 RSA_PKCS1_PADDING)) {
601 goto out;
602 }
603
604 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
605 &signed_msg_is_alloced, hash_nid, digest,
606 digest_len)) {
607 goto out;
608 }
609
610 // Check that no other information follows the hash value (FIPS 186-4 Section
611 // 5.5) and it matches the expected hash.
612 if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
613 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
614 goto out;
615 }
616
617 ret = 1;
618
619 out:
620 OPENSSL_free(buf);
621 if (signed_msg_is_alloced) {
622 OPENSSL_free(signed_msg);
623 }
624 return ret;
625 }
626
RSA_verify_pss_mgf1(RSA * rsa,const uint8_t * digest,size_t digest_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len,const uint8_t * sig,size_t sig_len)627 int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len,
628 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
629 const uint8_t *sig, size_t sig_len) {
630 if (digest_len != EVP_MD_size(md)) {
631 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
632 return 0;
633 }
634
635 size_t em_len = RSA_size(rsa);
636 uint8_t *em = OPENSSL_malloc(em_len);
637 if (em == NULL) {
638 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
639 return 0;
640 }
641
642 int ret = 0;
643 if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
644 goto err;
645 }
646
647 if (em_len != RSA_size(rsa)) {
648 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
649 goto err;
650 }
651
652 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, digest, md, mgf1_md, em, salt_len);
653
654 err:
655 OPENSSL_free(em);
656 return ret;
657 }
658
check_mod_inverse(int * out_ok,const BIGNUM * a,const BIGNUM * ainv,const BIGNUM * m,unsigned m_min_bits,BN_CTX * ctx)659 static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
660 const BIGNUM *m, unsigned m_min_bits,
661 BN_CTX *ctx) {
662 if (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0) {
663 *out_ok = 0;
664 return 1;
665 }
666
667 // Note |bn_mul_consttime| and |bn_div_consttime| do not scale linearly, but
668 // checking |ainv| is in range bounds the running time, assuming |m|'s bounds
669 // were checked by the caller.
670 BN_CTX_start(ctx);
671 BIGNUM *tmp = BN_CTX_get(ctx);
672 int ret = tmp != NULL &&
673 bn_mul_consttime(tmp, a, ainv, ctx) &&
674 bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx);
675 if (ret) {
676 *out_ok = BN_is_one(tmp);
677 }
678 BN_CTX_end(ctx);
679 return ret;
680 }
681
RSA_check_key(const RSA * key)682 int RSA_check_key(const RSA *key) {
683 // TODO(davidben): RSA key initialization is spread across
684 // |rsa_check_public_key|, |RSA_check_key|, |freeze_private_key|, and
685 // |BN_MONT_CTX_set_locked| as a result of API issues. See
686 // https://crbug.com/boringssl/316. As a result, we inconsistently check RSA
687 // invariants. We should fix this and integrate that logic.
688
689 if (RSA_is_opaque(key)) {
690 // Opaque keys can't be checked.
691 return 1;
692 }
693
694 if (!rsa_check_public_key(key)) {
695 return 0;
696 }
697
698 if ((key->p != NULL) != (key->q != NULL)) {
699 OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
700 return 0;
701 }
702
703 // |key->d| must be bounded by |key->n|. This ensures bounds on |RSA_bits|
704 // translate to bounds on the running time of private key operations.
705 if (key->d != NULL &&
706 (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0)) {
707 OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
708 return 0;
709 }
710
711 if (key->d == NULL || key->p == NULL) {
712 // For a public key, or without p and q, there's nothing that can be
713 // checked.
714 return 1;
715 }
716
717 BN_CTX *ctx = BN_CTX_new();
718 if (ctx == NULL) {
719 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
720 return 0;
721 }
722
723 BIGNUM tmp, de, pm1, qm1, dmp1, dmq1;
724 int ok = 0;
725 BN_init(&tmp);
726 BN_init(&de);
727 BN_init(&pm1);
728 BN_init(&qm1);
729 BN_init(&dmp1);
730 BN_init(&dmq1);
731
732 // Check that p * q == n. Before we multiply, we check that p and q are in
733 // bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that
734 // n was bound by |rsa_check_public_key|.
735 if (BN_is_negative(key->p) || BN_cmp(key->p, key->n) >= 0 ||
736 BN_is_negative(key->q) || BN_cmp(key->q, key->n) >= 0) {
737 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
738 goto out;
739 }
740 if (!bn_mul_consttime(&tmp, key->p, key->q, ctx)) {
741 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
742 goto out;
743 }
744 if (BN_cmp(&tmp, key->n) != 0) {
745 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
746 goto out;
747 }
748
749 // d must be an inverse of e mod the Carmichael totient, lcm(p-1, q-1), but it
750 // may be unreduced because other implementations use the Euler totient. We
751 // simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound
752 // by earlier checks in this function.
753 if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
754 !bn_usub_consttime(&qm1, key->q, BN_value_one())) {
755 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
756 goto out;
757 }
758 const unsigned pm1_bits = BN_num_bits(&pm1);
759 const unsigned qm1_bits = BN_num_bits(&qm1);
760 if (!bn_mul_consttime(&de, key->d, key->e, ctx) ||
761 !bn_div_consttime(NULL, &tmp, &de, &pm1, pm1_bits, ctx) ||
762 !bn_div_consttime(NULL, &de, &de, &qm1, qm1_bits, ctx)) {
763 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
764 goto out;
765 }
766
767 if (!BN_is_one(&tmp) || !BN_is_one(&de)) {
768 OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
769 goto out;
770 }
771
772 int has_crt_values = key->dmp1 != NULL;
773 if (has_crt_values != (key->dmq1 != NULL) ||
774 has_crt_values != (key->iqmp != NULL)) {
775 OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
776 goto out;
777 }
778
779 if (has_crt_values) {
780 int dmp1_ok, dmq1_ok, iqmp_ok;
781 if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, pm1_bits, ctx) ||
782 !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, qm1_bits, ctx) ||
783 // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't,
784 // we only need a lower bound anyway.
785 !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, pm1_bits,
786 ctx)) {
787 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
788 goto out;
789 }
790
791 if (!dmp1_ok || !dmq1_ok || !iqmp_ok) {
792 OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
793 goto out;
794 }
795 }
796
797 ok = 1;
798
799 out:
800 BN_free(&tmp);
801 BN_free(&de);
802 BN_free(&pm1);
803 BN_free(&qm1);
804 BN_free(&dmp1);
805 BN_free(&dmq1);
806 BN_CTX_free(ctx);
807
808 return ok;
809 }
810
811
812 // This is the product of the 132 smallest odd primes, from 3 to 751.
813 static const BN_ULONG kSmallFactorsLimbs[] = {
814 TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
815 TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
816 TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
817 TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
818 TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
819 TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
820 TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
821 TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
822 0x000017b1
823 };
824
DEFINE_LOCAL_DATA(BIGNUM,g_small_factors)825 DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
826 out->d = (BN_ULONG *) kSmallFactorsLimbs;
827 out->width = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
828 out->dmax = out->width;
829 out->neg = 0;
830 out->flags = BN_FLG_STATIC_DATA;
831 }
832
RSA_check_fips(RSA * key)833 int RSA_check_fips(RSA *key) {
834 if (RSA_is_opaque(key)) {
835 // Opaque keys can't be checked.
836 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
837 return 0;
838 }
839
840 if (!RSA_check_key(key)) {
841 return 0;
842 }
843
844 BN_CTX *ctx = BN_CTX_new();
845 if (ctx == NULL) {
846 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
847 return 0;
848 }
849
850 BIGNUM small_gcd;
851 BN_init(&small_gcd);
852
853 int ret = 1;
854
855 // Perform partial public key validation of RSA keys (SP 800-89 5.3.3).
856 // Although this is not for primality testing, SP 800-89 cites an RSA
857 // primality testing algorithm, so we use |BN_prime_checks_for_generation| to
858 // match. This is only a plausibility test and we expect the value to be
859 // composite, so too few iterations will cause us to reject the key, not use
860 // an implausible one.
861 enum bn_primality_result_t primality_result;
862 if (BN_num_bits(key->e) <= 16 ||
863 BN_num_bits(key->e) > 256 ||
864 !BN_is_odd(key->n) ||
865 !BN_is_odd(key->e) ||
866 !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
867 !BN_is_one(&small_gcd) ||
868 !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
869 BN_prime_checks_for_generation,
870 ctx, NULL) ||
871 primality_result != bn_non_prime_power_composite) {
872 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
873 ret = 0;
874 }
875
876 BN_free(&small_gcd);
877 BN_CTX_free(ctx);
878
879 if (!ret || key->d == NULL || key->p == NULL) {
880 // On a failure or on only a public key, there's nothing else can be
881 // checked.
882 return ret;
883 }
884
885 // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
886 // section 9.9, it is not known whether |rsa| will be used for signing or
887 // encryption, so either pair-wise consistency self-test is acceptable. We
888 // perform a signing test.
889 uint8_t data[32] = {0};
890 unsigned sig_len = RSA_size(key);
891 uint8_t *sig = OPENSSL_malloc(sig_len);
892 if (sig == NULL) {
893 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
894 return 0;
895 }
896
897 if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
898 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
899 ret = 0;
900 goto cleanup;
901 }
902 #if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
903 data[0] = ~data[0];
904 #endif
905 if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
906 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
907 ret = 0;
908 }
909
910 cleanup:
911 OPENSSL_free(sig);
912
913 return ret;
914 }
915
RSA_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)916 int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
917 size_t len) {
918 if (rsa->meth->private_transform) {
919 return rsa->meth->private_transform(rsa, out, in, len);
920 }
921
922 return rsa_default_private_transform(rsa, out, in, len);
923 }
924
RSA_flags(const RSA * rsa)925 int RSA_flags(const RSA *rsa) { return rsa->flags; }
926
RSA_blinding_on(RSA * rsa,BN_CTX * ctx)927 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
928 return 1;
929 }
930