1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <limits.h>
60 #include <string.h>
61
62 #include <openssl/bn.h>
63 #include <openssl/digest.h>
64 #include <openssl/engine.h>
65 #include <openssl/err.h>
66 #include <openssl/ex_data.h>
67 #include <openssl/md5.h>
68 #include <openssl/mem.h>
69 #include <openssl/nid.h>
70 #include <openssl/sha.h>
71 #include <openssl/thread.h>
72
73 #include "../bn/internal.h"
74 #include "../delocate.h"
75 #include "../../internal.h"
76 #include "internal.h"
77
78
79 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class);
80
RSA_new(void)81 RSA *RSA_new(void) { return RSA_new_method(NULL); }
82
RSA_new_method(const ENGINE * engine)83 RSA *RSA_new_method(const ENGINE *engine) {
84 RSA *rsa = OPENSSL_malloc(sizeof(RSA));
85 if (rsa == NULL) {
86 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
89
90 OPENSSL_memset(rsa, 0, sizeof(RSA));
91
92 if (engine) {
93 rsa->meth = ENGINE_get_RSA_method(engine);
94 }
95
96 if (rsa->meth == NULL) {
97 rsa->meth = (RSA_METHOD *) RSA_default_method();
98 }
99 METHOD_ref(rsa->meth);
100
101 rsa->references = 1;
102 rsa->flags = rsa->meth->flags;
103 CRYPTO_MUTEX_init(&rsa->lock);
104 CRYPTO_new_ex_data(&rsa->ex_data);
105
106 if (rsa->meth->init && !rsa->meth->init(rsa)) {
107 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
108 CRYPTO_MUTEX_cleanup(&rsa->lock);
109 METHOD_unref(rsa->meth);
110 OPENSSL_free(rsa);
111 return NULL;
112 }
113
114 return rsa;
115 }
116
RSA_free(RSA * rsa)117 void RSA_free(RSA *rsa) {
118 unsigned u;
119
120 if (rsa == NULL) {
121 return;
122 }
123
124 if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
125 return;
126 }
127
128 if (rsa->meth->finish) {
129 rsa->meth->finish(rsa);
130 }
131 METHOD_unref(rsa->meth);
132
133 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
134
135 BN_clear_free(rsa->n);
136 BN_clear_free(rsa->e);
137 BN_clear_free(rsa->d);
138 BN_clear_free(rsa->p);
139 BN_clear_free(rsa->q);
140 BN_clear_free(rsa->dmp1);
141 BN_clear_free(rsa->dmq1);
142 BN_clear_free(rsa->iqmp);
143 BN_MONT_CTX_free(rsa->mont_n);
144 BN_MONT_CTX_free(rsa->mont_p);
145 BN_MONT_CTX_free(rsa->mont_q);
146 for (u = 0; u < rsa->num_blindings; u++) {
147 BN_BLINDING_free(rsa->blindings[u]);
148 }
149 OPENSSL_free(rsa->blindings);
150 OPENSSL_free(rsa->blindings_inuse);
151 CRYPTO_MUTEX_cleanup(&rsa->lock);
152 OPENSSL_free(rsa);
153 }
154
RSA_up_ref(RSA * rsa)155 int RSA_up_ref(RSA *rsa) {
156 CRYPTO_refcount_inc(&rsa->references);
157 return 1;
158 }
159
RSA_get0_key(const RSA * rsa,const BIGNUM ** out_n,const BIGNUM ** out_e,const BIGNUM ** out_d)160 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
161 const BIGNUM **out_d) {
162 if (out_n != NULL) {
163 *out_n = rsa->n;
164 }
165 if (out_e != NULL) {
166 *out_e = rsa->e;
167 }
168 if (out_d != NULL) {
169 *out_d = rsa->d;
170 }
171 }
172
RSA_get0_factors(const RSA * rsa,const BIGNUM ** out_p,const BIGNUM ** out_q)173 void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
174 const BIGNUM **out_q) {
175 if (out_p != NULL) {
176 *out_p = rsa->p;
177 }
178 if (out_q != NULL) {
179 *out_q = rsa->q;
180 }
181 }
182
RSA_get0_crt_params(const RSA * rsa,const BIGNUM ** out_dmp1,const BIGNUM ** out_dmq1,const BIGNUM ** out_iqmp)183 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
184 const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
185 if (out_dmp1 != NULL) {
186 *out_dmp1 = rsa->dmp1;
187 }
188 if (out_dmq1 != NULL) {
189 *out_dmq1 = rsa->dmq1;
190 }
191 if (out_iqmp != NULL) {
192 *out_iqmp = rsa->iqmp;
193 }
194 }
195
RSA_public_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)196 int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
197 int padding) {
198 size_t out_len;
199
200 if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
201 return -1;
202 }
203
204 if (out_len > INT_MAX) {
205 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
206 return -1;
207 }
208 return out_len;
209 }
210
RSA_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)211 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
212 const uint8_t *in, size_t in_len, int padding) {
213 if (rsa->meth->sign_raw) {
214 return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
215 }
216
217 return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
218 }
219
RSA_private_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)220 int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
221 int padding) {
222 size_t out_len;
223
224 if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
225 return -1;
226 }
227
228 if (out_len > INT_MAX) {
229 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
230 return -1;
231 }
232 return out_len;
233 }
234
RSA_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)235 int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
236 const uint8_t *in, size_t in_len, int padding) {
237 if (rsa->meth->decrypt) {
238 return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
239 }
240
241 return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
242 }
243
RSA_private_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)244 int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
245 int padding) {
246 size_t out_len;
247
248 if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
249 return -1;
250 }
251
252 if (out_len > INT_MAX) {
253 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
254 return -1;
255 }
256 return out_len;
257 }
258
RSA_public_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)259 int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
260 int padding) {
261 size_t out_len;
262
263 if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
264 return -1;
265 }
266
267 if (out_len > INT_MAX) {
268 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
269 return -1;
270 }
271 return out_len;
272 }
273
RSA_size(const RSA * rsa)274 unsigned RSA_size(const RSA *rsa) {
275 if (rsa->meth->size) {
276 return rsa->meth->size(rsa);
277 }
278
279 return rsa_default_size(rsa);
280 }
281
RSA_is_opaque(const RSA * rsa)282 int RSA_is_opaque(const RSA *rsa) {
283 return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
284 }
285
RSA_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)286 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
287 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
288 int index;
289 if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
290 argp, free_func)) {
291 return -1;
292 }
293 return index;
294 }
295
RSA_set_ex_data(RSA * d,int idx,void * arg)296 int RSA_set_ex_data(RSA *d, int idx, void *arg) {
297 return CRYPTO_set_ex_data(&d->ex_data, idx, arg);
298 }
299
RSA_get_ex_data(const RSA * d,int idx)300 void *RSA_get_ex_data(const RSA *d, int idx) {
301 return CRYPTO_get_ex_data(&d->ex_data, idx);
302 }
303
304 /* SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
305 * the length of an MD5 and SHA1 hash. */
306 static const unsigned SSL_SIG_LENGTH = 36;
307
308 /* pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
309 * to be signed with PKCS#1. */
310 struct pkcs1_sig_prefix {
311 /* nid identifies the hash function. */
312 int nid;
313 /* hash_len is the expected length of the hash function. */
314 uint8_t hash_len;
315 /* len is the number of bytes of |bytes| which are valid. */
316 uint8_t len;
317 /* bytes contains the DER bytes. */
318 uint8_t bytes[19];
319 };
320
321 /* kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
322 * different hash functions. */
323 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
324 {
325 NID_md5,
326 MD5_DIGEST_LENGTH,
327 18,
328 {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
329 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
330 },
331 {
332 NID_sha1,
333 SHA_DIGEST_LENGTH,
334 15,
335 {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
336 0x00, 0x04, 0x14},
337 },
338 {
339 NID_sha224,
340 SHA224_DIGEST_LENGTH,
341 19,
342 {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
343 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
344 },
345 {
346 NID_sha256,
347 SHA256_DIGEST_LENGTH,
348 19,
349 {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
350 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
351 },
352 {
353 NID_sha384,
354 SHA384_DIGEST_LENGTH,
355 19,
356 {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
357 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
358 },
359 {
360 NID_sha512,
361 SHA512_DIGEST_LENGTH,
362 19,
363 {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
364 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
365 },
366 {
367 NID_undef, 0, 0, {0},
368 },
369 };
370
RSA_add_pkcs1_prefix(uint8_t ** out_msg,size_t * out_msg_len,int * is_alloced,int hash_nid,const uint8_t * msg,size_t msg_len)371 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
372 int *is_alloced, int hash_nid, const uint8_t *msg,
373 size_t msg_len) {
374 unsigned i;
375
376 if (hash_nid == NID_md5_sha1) {
377 /* Special case: SSL signature, just check the length. */
378 if (msg_len != SSL_SIG_LENGTH) {
379 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
380 return 0;
381 }
382
383 *out_msg = (uint8_t*) msg;
384 *out_msg_len = SSL_SIG_LENGTH;
385 *is_alloced = 0;
386 return 1;
387 }
388
389 for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
390 const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
391 if (sig_prefix->nid != hash_nid) {
392 continue;
393 }
394
395 if (msg_len != sig_prefix->hash_len) {
396 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
397 return 0;
398 }
399
400 const uint8_t* prefix = sig_prefix->bytes;
401 unsigned prefix_len = sig_prefix->len;
402 unsigned signed_msg_len;
403 uint8_t *signed_msg;
404
405 signed_msg_len = prefix_len + msg_len;
406 if (signed_msg_len < prefix_len) {
407 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
408 return 0;
409 }
410
411 signed_msg = OPENSSL_malloc(signed_msg_len);
412 if (!signed_msg) {
413 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
414 return 0;
415 }
416
417 OPENSSL_memcpy(signed_msg, prefix, prefix_len);
418 OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len);
419
420 *out_msg = signed_msg;
421 *out_msg_len = signed_msg_len;
422 *is_alloced = 1;
423
424 return 1;
425 }
426
427 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
428 return 0;
429 }
430
RSA_sign(int hash_nid,const uint8_t * in,unsigned in_len,uint8_t * out,unsigned * out_len,RSA * rsa)431 int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
432 unsigned *out_len, RSA *rsa) {
433 const unsigned rsa_size = RSA_size(rsa);
434 int ret = 0;
435 uint8_t *signed_msg = NULL;
436 size_t signed_msg_len = 0;
437 int signed_msg_is_alloced = 0;
438 size_t size_t_out_len;
439
440 if (rsa->meth->sign) {
441 return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
442 }
443
444 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
445 &signed_msg_is_alloced, hash_nid, in, in_len) ||
446 !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
447 signed_msg_len, RSA_PKCS1_PADDING)) {
448 goto err;
449 }
450
451 *out_len = size_t_out_len;
452 ret = 1;
453
454 err:
455 if (signed_msg_is_alloced) {
456 OPENSSL_free(signed_msg);
457 }
458 return ret;
459 }
460
RSA_sign_pss_mgf1(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len)461 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
462 const uint8_t *in, size_t in_len, const EVP_MD *md,
463 const EVP_MD *mgf1_md, int salt_len) {
464 if (in_len != EVP_MD_size(md)) {
465 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
466 return 0;
467 }
468
469 size_t padded_len = RSA_size(rsa);
470 uint8_t *padded = OPENSSL_malloc(padded_len);
471 if (padded == NULL) {
472 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
473 return 0;
474 }
475
476 int ret =
477 RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) &&
478 RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
479 RSA_NO_PADDING);
480 OPENSSL_free(padded);
481 return ret;
482 }
483
RSA_verify(int hash_nid,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len,RSA * rsa)484 int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
485 const uint8_t *sig, size_t sig_len, RSA *rsa) {
486 if (rsa->n == NULL || rsa->e == NULL) {
487 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
488 return 0;
489 }
490
491 const size_t rsa_size = RSA_size(rsa);
492 uint8_t *buf = NULL;
493 int ret = 0;
494 uint8_t *signed_msg = NULL;
495 size_t signed_msg_len = 0, len;
496 int signed_msg_is_alloced = 0;
497
498 if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
499 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
500 return 0;
501 }
502
503 buf = OPENSSL_malloc(rsa_size);
504 if (!buf) {
505 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
506 return 0;
507 }
508
509 if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
510 RSA_PKCS1_PADDING)) {
511 goto out;
512 }
513
514 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
515 &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
516 goto out;
517 }
518
519 /* Check that no other information follows the hash value (FIPS 186-4 Section
520 * 5.5) and it matches the expected hash. */
521 if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
522 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
523 goto out;
524 }
525
526 ret = 1;
527
528 out:
529 OPENSSL_free(buf);
530 if (signed_msg_is_alloced) {
531 OPENSSL_free(signed_msg);
532 }
533 return ret;
534 }
535
RSA_verify_pss_mgf1(RSA * rsa,const uint8_t * msg,size_t msg_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len,const uint8_t * sig,size_t sig_len)536 int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len,
537 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
538 const uint8_t *sig, size_t sig_len) {
539 if (msg_len != EVP_MD_size(md)) {
540 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
541 return 0;
542 }
543
544 size_t em_len = RSA_size(rsa);
545 uint8_t *em = OPENSSL_malloc(em_len);
546 if (em == NULL) {
547 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
548 return 0;
549 }
550
551 int ret = 0;
552 if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
553 goto err;
554 }
555
556 if (em_len != RSA_size(rsa)) {
557 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
558 goto err;
559 }
560
561 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len);
562
563 err:
564 OPENSSL_free(em);
565 return ret;
566 }
567
RSA_check_key(const RSA * key)568 int RSA_check_key(const RSA *key) {
569 BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q;
570 BN_CTX *ctx;
571 int ok = 0, has_crt_values;
572
573 if (RSA_is_opaque(key)) {
574 /* Opaque keys can't be checked. */
575 return 1;
576 }
577
578 if ((key->p != NULL) != (key->q != NULL)) {
579 OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
580 return 0;
581 }
582
583 if (!key->n || !key->e) {
584 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
585 return 0;
586 }
587
588 if (!key->d || !key->p) {
589 /* For a public key, or without p and q, there's nothing that can be
590 * checked. */
591 return 1;
592 }
593
594 ctx = BN_CTX_new();
595 if (ctx == NULL) {
596 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
597 return 0;
598 }
599
600 BN_init(&n);
601 BN_init(&pm1);
602 BN_init(&qm1);
603 BN_init(&lcm);
604 BN_init(&gcd);
605 BN_init(&de);
606 BN_init(&dmp1);
607 BN_init(&dmq1);
608 BN_init(&iqmp_times_q);
609
610 if (!BN_mul(&n, key->p, key->q, ctx) ||
611 /* lcm = lcm(p, q) */
612 !BN_sub(&pm1, key->p, BN_value_one()) ||
613 !BN_sub(&qm1, key->q, BN_value_one()) ||
614 !BN_mul(&lcm, &pm1, &qm1, ctx) ||
615 !BN_gcd(&gcd, &pm1, &qm1, ctx)) {
616 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
617 goto out;
618 }
619
620 if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
621 !BN_gcd(&gcd, &pm1, &qm1, ctx) ||
622 /* de = d*e mod lcm(p, q). */
623 !BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
624 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
625 goto out;
626 }
627
628 if (BN_cmp(&n, key->n) != 0) {
629 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
630 goto out;
631 }
632
633 if (!BN_is_one(&de)) {
634 OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
635 goto out;
636 }
637
638 has_crt_values = key->dmp1 != NULL;
639 if (has_crt_values != (key->dmq1 != NULL) ||
640 has_crt_values != (key->iqmp != NULL)) {
641 OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
642 goto out;
643 }
644
645 if (has_crt_values) {
646 if (/* dmp1 = d mod (p-1) */
647 !BN_mod(&dmp1, key->d, &pm1, ctx) ||
648 /* dmq1 = d mod (q-1) */
649 !BN_mod(&dmq1, key->d, &qm1, ctx) ||
650 /* iqmp = q^-1 mod p */
651 !BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) {
652 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
653 goto out;
654 }
655
656 if (BN_cmp(&dmp1, key->dmp1) != 0 ||
657 BN_cmp(&dmq1, key->dmq1) != 0 ||
658 BN_cmp(key->iqmp, key->p) >= 0 ||
659 !BN_is_one(&iqmp_times_q)) {
660 OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
661 goto out;
662 }
663 }
664
665 ok = 1;
666
667 out:
668 BN_free(&n);
669 BN_free(&pm1);
670 BN_free(&qm1);
671 BN_free(&lcm);
672 BN_free(&gcd);
673 BN_free(&de);
674 BN_free(&dmp1);
675 BN_free(&dmq1);
676 BN_free(&iqmp_times_q);
677 BN_CTX_free(ctx);
678
679 return ok;
680 }
681
682
683 /* This is the product of the 132 smallest odd primes, from 3 to 751. */
684 static const BN_ULONG kSmallFactorsLimbs[] = {
685 TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
686 TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
687 TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
688 TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
689 TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
690 TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
691 TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
692 TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
693 0x000017b1
694 };
695
DEFINE_LOCAL_DATA(BIGNUM,g_small_factors)696 DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
697 out->d = (BN_ULONG *) kSmallFactorsLimbs;
698 out->top = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
699 out->dmax = out->top;
700 out->neg = 0;
701 out->flags = BN_FLG_STATIC_DATA;
702 }
703
RSA_check_fips(RSA * key)704 int RSA_check_fips(RSA *key) {
705 if (RSA_is_opaque(key)) {
706 /* Opaque keys can't be checked. */
707 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
708 return 0;
709 }
710
711 if (!RSA_check_key(key)) {
712 return 0;
713 }
714
715 BN_CTX *ctx = BN_CTX_new();
716 if (ctx == NULL) {
717 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
718 return 0;
719 }
720
721 BIGNUM small_gcd;
722 BN_init(&small_gcd);
723
724 int ret = 1;
725
726 /* Perform partial public key validation of RSA keys (SP 800-89 5.3.3). */
727 enum bn_primality_result_t primality_result;
728 if (BN_num_bits(key->e) <= 16 ||
729 BN_num_bits(key->e) > 256 ||
730 !BN_is_odd(key->n) ||
731 !BN_is_odd(key->e) ||
732 !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
733 !BN_is_one(&small_gcd) ||
734 !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
735 BN_prime_checks, ctx, NULL) ||
736 primality_result != bn_non_prime_power_composite) {
737 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
738 ret = 0;
739 }
740
741 BN_free(&small_gcd);
742 BN_CTX_free(ctx);
743
744 if (!ret || key->d == NULL || key->p == NULL) {
745 /* On a failure or on only a public key, there's nothing else can be
746 * checked. */
747 return ret;
748 }
749
750 /* FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
751 * section 9.9, it is not known whether |rsa| will be used for signing or
752 * encryption, so either pair-wise consistency self-test is acceptable. We
753 * perform a signing test. */
754 uint8_t data[32] = {0};
755 unsigned sig_len = RSA_size(key);
756 uint8_t *sig = OPENSSL_malloc(sig_len);
757 if (sig == NULL) {
758 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
759 return 0;
760 }
761
762 if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
763 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
764 ret = 0;
765 goto cleanup;
766 }
767 #if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
768 data[0] = ~data[0];
769 #endif
770 if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
771 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
772 ret = 0;
773 }
774
775 cleanup:
776 OPENSSL_free(sig);
777
778 return ret;
779 }
780
RSA_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)781 int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
782 size_t len) {
783 if (rsa->meth->private_transform) {
784 return rsa->meth->private_transform(rsa, out, in, len);
785 }
786
787 return rsa_default_private_transform(rsa, out, in, len);
788 }
789
RSA_blinding_on(RSA * rsa,BN_CTX * ctx)790 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
791 return 1;
792 }
793