• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #include <openssl/rsa.h>
58 
59 #include <limits.h>
60 #include <string.h>
61 
62 #include <openssl/bn.h>
63 #include <openssl/digest.h>
64 #include <openssl/engine.h>
65 #include <openssl/err.h>
66 #include <openssl/ex_data.h>
67 #include <openssl/md5.h>
68 #include <openssl/mem.h>
69 #include <openssl/nid.h>
70 #include <openssl/sha.h>
71 #include <openssl/thread.h>
72 
73 #include "../bn/internal.h"
74 #include "../delocate.h"
75 #include "../../internal.h"
76 #include "internal.h"
77 
78 
79 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class);
80 
RSA_new(void)81 RSA *RSA_new(void) { return RSA_new_method(NULL); }
82 
RSA_new_method(const ENGINE * engine)83 RSA *RSA_new_method(const ENGINE *engine) {
84   RSA *rsa = OPENSSL_malloc(sizeof(RSA));
85   if (rsa == NULL) {
86     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
87     return NULL;
88   }
89 
90   OPENSSL_memset(rsa, 0, sizeof(RSA));
91 
92   if (engine) {
93     rsa->meth = ENGINE_get_RSA_method(engine);
94   }
95 
96   if (rsa->meth == NULL) {
97     rsa->meth = (RSA_METHOD *) RSA_default_method();
98   }
99   METHOD_ref(rsa->meth);
100 
101   rsa->references = 1;
102   rsa->flags = rsa->meth->flags;
103   CRYPTO_MUTEX_init(&rsa->lock);
104   CRYPTO_new_ex_data(&rsa->ex_data);
105 
106   if (rsa->meth->init && !rsa->meth->init(rsa)) {
107     CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
108     CRYPTO_MUTEX_cleanup(&rsa->lock);
109     METHOD_unref(rsa->meth);
110     OPENSSL_free(rsa);
111     return NULL;
112   }
113 
114   return rsa;
115 }
116 
RSA_free(RSA * rsa)117 void RSA_free(RSA *rsa) {
118   unsigned u;
119 
120   if (rsa == NULL) {
121     return;
122   }
123 
124   if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
125     return;
126   }
127 
128   if (rsa->meth->finish) {
129     rsa->meth->finish(rsa);
130   }
131   METHOD_unref(rsa->meth);
132 
133   CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
134 
135   BN_clear_free(rsa->n);
136   BN_clear_free(rsa->e);
137   BN_clear_free(rsa->d);
138   BN_clear_free(rsa->p);
139   BN_clear_free(rsa->q);
140   BN_clear_free(rsa->dmp1);
141   BN_clear_free(rsa->dmq1);
142   BN_clear_free(rsa->iqmp);
143   BN_MONT_CTX_free(rsa->mont_n);
144   BN_MONT_CTX_free(rsa->mont_p);
145   BN_MONT_CTX_free(rsa->mont_q);
146   for (u = 0; u < rsa->num_blindings; u++) {
147     BN_BLINDING_free(rsa->blindings[u]);
148   }
149   OPENSSL_free(rsa->blindings);
150   OPENSSL_free(rsa->blindings_inuse);
151   CRYPTO_MUTEX_cleanup(&rsa->lock);
152   OPENSSL_free(rsa);
153 }
154 
RSA_up_ref(RSA * rsa)155 int RSA_up_ref(RSA *rsa) {
156   CRYPTO_refcount_inc(&rsa->references);
157   return 1;
158 }
159 
RSA_get0_key(const RSA * rsa,const BIGNUM ** out_n,const BIGNUM ** out_e,const BIGNUM ** out_d)160 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
161                   const BIGNUM **out_d) {
162   if (out_n != NULL) {
163     *out_n = rsa->n;
164   }
165   if (out_e != NULL) {
166     *out_e = rsa->e;
167   }
168   if (out_d != NULL) {
169     *out_d = rsa->d;
170   }
171 }
172 
RSA_get0_factors(const RSA * rsa,const BIGNUM ** out_p,const BIGNUM ** out_q)173 void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
174                       const BIGNUM **out_q) {
175   if (out_p != NULL) {
176     *out_p = rsa->p;
177   }
178   if (out_q != NULL) {
179     *out_q = rsa->q;
180   }
181 }
182 
RSA_get0_crt_params(const RSA * rsa,const BIGNUM ** out_dmp1,const BIGNUM ** out_dmq1,const BIGNUM ** out_iqmp)183 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
184                          const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
185   if (out_dmp1 != NULL) {
186     *out_dmp1 = rsa->dmp1;
187   }
188   if (out_dmq1 != NULL) {
189     *out_dmq1 = rsa->dmq1;
190   }
191   if (out_iqmp != NULL) {
192     *out_iqmp = rsa->iqmp;
193   }
194 }
195 
RSA_public_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)196 int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
197                        int padding) {
198   size_t out_len;
199 
200   if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
201     return -1;
202   }
203 
204   if (out_len > INT_MAX) {
205     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
206     return -1;
207   }
208   return out_len;
209 }
210 
RSA_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)211 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
212                  const uint8_t *in, size_t in_len, int padding) {
213   if (rsa->meth->sign_raw) {
214     return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
215   }
216 
217   return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
218 }
219 
RSA_private_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)220 int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
221                         int padding) {
222   size_t out_len;
223 
224   if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
225     return -1;
226   }
227 
228   if (out_len > INT_MAX) {
229     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
230     return -1;
231   }
232   return out_len;
233 }
234 
RSA_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)235 int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
236                 const uint8_t *in, size_t in_len, int padding) {
237   if (rsa->meth->decrypt) {
238     return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
239   }
240 
241   return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
242 }
243 
RSA_private_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)244 int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
245                         int padding) {
246   size_t out_len;
247 
248   if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
249     return -1;
250   }
251 
252   if (out_len > INT_MAX) {
253     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
254     return -1;
255   }
256   return out_len;
257 }
258 
RSA_public_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)259 int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
260                        int padding) {
261   size_t out_len;
262 
263   if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
264     return -1;
265   }
266 
267   if (out_len > INT_MAX) {
268     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
269     return -1;
270   }
271   return out_len;
272 }
273 
RSA_size(const RSA * rsa)274 unsigned RSA_size(const RSA *rsa) {
275   if (rsa->meth->size) {
276     return rsa->meth->size(rsa);
277   }
278 
279   return rsa_default_size(rsa);
280 }
281 
RSA_is_opaque(const RSA * rsa)282 int RSA_is_opaque(const RSA *rsa) {
283   return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
284 }
285 
RSA_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)286 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
287                          CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
288   int index;
289   if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
290                                argp, free_func)) {
291     return -1;
292   }
293   return index;
294 }
295 
RSA_set_ex_data(RSA * d,int idx,void * arg)296 int RSA_set_ex_data(RSA *d, int idx, void *arg) {
297   return CRYPTO_set_ex_data(&d->ex_data, idx, arg);
298 }
299 
RSA_get_ex_data(const RSA * d,int idx)300 void *RSA_get_ex_data(const RSA *d, int idx) {
301   return CRYPTO_get_ex_data(&d->ex_data, idx);
302 }
303 
304 /* SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
305  * the length of an MD5 and SHA1 hash. */
306 static const unsigned SSL_SIG_LENGTH = 36;
307 
308 /* pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
309  * to be signed with PKCS#1. */
310 struct pkcs1_sig_prefix {
311   /* nid identifies the hash function. */
312   int nid;
313   /* hash_len is the expected length of the hash function. */
314   uint8_t hash_len;
315   /* len is the number of bytes of |bytes| which are valid. */
316   uint8_t len;
317   /* bytes contains the DER bytes. */
318   uint8_t bytes[19];
319 };
320 
321 /* kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
322  * different hash functions. */
323 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
324     {
325      NID_md5,
326      MD5_DIGEST_LENGTH,
327      18,
328      {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
329       0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
330     },
331     {
332      NID_sha1,
333      SHA_DIGEST_LENGTH,
334      15,
335      {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
336       0x00, 0x04, 0x14},
337     },
338     {
339      NID_sha224,
340      SHA224_DIGEST_LENGTH,
341      19,
342      {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
343       0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
344     },
345     {
346      NID_sha256,
347      SHA256_DIGEST_LENGTH,
348      19,
349      {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
350       0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
351     },
352     {
353      NID_sha384,
354      SHA384_DIGEST_LENGTH,
355      19,
356      {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
357       0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
358     },
359     {
360      NID_sha512,
361      SHA512_DIGEST_LENGTH,
362      19,
363      {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
364       0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
365     },
366     {
367      NID_undef, 0, 0, {0},
368     },
369 };
370 
RSA_add_pkcs1_prefix(uint8_t ** out_msg,size_t * out_msg_len,int * is_alloced,int hash_nid,const uint8_t * msg,size_t msg_len)371 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
372                          int *is_alloced, int hash_nid, const uint8_t *msg,
373                          size_t msg_len) {
374   unsigned i;
375 
376   if (hash_nid == NID_md5_sha1) {
377     /* Special case: SSL signature, just check the length. */
378     if (msg_len != SSL_SIG_LENGTH) {
379       OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
380       return 0;
381     }
382 
383     *out_msg = (uint8_t*) msg;
384     *out_msg_len = SSL_SIG_LENGTH;
385     *is_alloced = 0;
386     return 1;
387   }
388 
389   for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
390     const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
391     if (sig_prefix->nid != hash_nid) {
392       continue;
393     }
394 
395     if (msg_len != sig_prefix->hash_len) {
396       OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
397       return 0;
398     }
399 
400     const uint8_t* prefix = sig_prefix->bytes;
401     unsigned prefix_len = sig_prefix->len;
402     unsigned signed_msg_len;
403     uint8_t *signed_msg;
404 
405     signed_msg_len = prefix_len + msg_len;
406     if (signed_msg_len < prefix_len) {
407       OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
408       return 0;
409     }
410 
411     signed_msg = OPENSSL_malloc(signed_msg_len);
412     if (!signed_msg) {
413       OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
414       return 0;
415     }
416 
417     OPENSSL_memcpy(signed_msg, prefix, prefix_len);
418     OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len);
419 
420     *out_msg = signed_msg;
421     *out_msg_len = signed_msg_len;
422     *is_alloced = 1;
423 
424     return 1;
425   }
426 
427   OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
428   return 0;
429 }
430 
RSA_sign(int hash_nid,const uint8_t * in,unsigned in_len,uint8_t * out,unsigned * out_len,RSA * rsa)431 int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
432              unsigned *out_len, RSA *rsa) {
433   const unsigned rsa_size = RSA_size(rsa);
434   int ret = 0;
435   uint8_t *signed_msg = NULL;
436   size_t signed_msg_len = 0;
437   int signed_msg_is_alloced = 0;
438   size_t size_t_out_len;
439 
440   if (rsa->meth->sign) {
441     return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
442   }
443 
444   if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
445                             &signed_msg_is_alloced, hash_nid, in, in_len) ||
446       !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
447                     signed_msg_len, RSA_PKCS1_PADDING)) {
448     goto err;
449   }
450 
451   *out_len = size_t_out_len;
452   ret = 1;
453 
454 err:
455   if (signed_msg_is_alloced) {
456     OPENSSL_free(signed_msg);
457   }
458   return ret;
459 }
460 
RSA_sign_pss_mgf1(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len)461 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
462                       const uint8_t *in, size_t in_len, const EVP_MD *md,
463                       const EVP_MD *mgf1_md, int salt_len) {
464   if (in_len != EVP_MD_size(md)) {
465     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
466     return 0;
467   }
468 
469   size_t padded_len = RSA_size(rsa);
470   uint8_t *padded = OPENSSL_malloc(padded_len);
471   if (padded == NULL) {
472     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
473     return 0;
474   }
475 
476   int ret =
477       RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) &&
478       RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
479                    RSA_NO_PADDING);
480   OPENSSL_free(padded);
481   return ret;
482 }
483 
RSA_verify(int hash_nid,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len,RSA * rsa)484 int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
485                const uint8_t *sig, size_t sig_len, RSA *rsa) {
486   if (rsa->n == NULL || rsa->e == NULL) {
487     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
488     return 0;
489   }
490 
491   const size_t rsa_size = RSA_size(rsa);
492   uint8_t *buf = NULL;
493   int ret = 0;
494   uint8_t *signed_msg = NULL;
495   size_t signed_msg_len = 0, len;
496   int signed_msg_is_alloced = 0;
497 
498   if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
499     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
500     return 0;
501   }
502 
503   buf = OPENSSL_malloc(rsa_size);
504   if (!buf) {
505     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
506     return 0;
507   }
508 
509   if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
510                       RSA_PKCS1_PADDING)) {
511     goto out;
512   }
513 
514   if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
515                             &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
516     goto out;
517   }
518 
519   /* Check that no other information follows the hash value (FIPS 186-4 Section
520    * 5.5) and it matches the expected hash. */
521   if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
522     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
523     goto out;
524   }
525 
526   ret = 1;
527 
528 out:
529   OPENSSL_free(buf);
530   if (signed_msg_is_alloced) {
531     OPENSSL_free(signed_msg);
532   }
533   return ret;
534 }
535 
RSA_verify_pss_mgf1(RSA * rsa,const uint8_t * msg,size_t msg_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len,const uint8_t * sig,size_t sig_len)536 int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len,
537                         const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
538                         const uint8_t *sig, size_t sig_len) {
539   if (msg_len != EVP_MD_size(md)) {
540     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
541     return 0;
542   }
543 
544   size_t em_len = RSA_size(rsa);
545   uint8_t *em = OPENSSL_malloc(em_len);
546   if (em == NULL) {
547     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
548     return 0;
549   }
550 
551   int ret = 0;
552   if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
553     goto err;
554   }
555 
556   if (em_len != RSA_size(rsa)) {
557     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
558     goto err;
559   }
560 
561   ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len);
562 
563 err:
564   OPENSSL_free(em);
565   return ret;
566 }
567 
RSA_check_key(const RSA * key)568 int RSA_check_key(const RSA *key) {
569   BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q;
570   BN_CTX *ctx;
571   int ok = 0, has_crt_values;
572 
573   if (RSA_is_opaque(key)) {
574     /* Opaque keys can't be checked. */
575     return 1;
576   }
577 
578   if ((key->p != NULL) != (key->q != NULL)) {
579     OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
580     return 0;
581   }
582 
583   if (!key->n || !key->e) {
584     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
585     return 0;
586   }
587 
588   if (!key->d || !key->p) {
589     /* For a public key, or without p and q, there's nothing that can be
590      * checked. */
591     return 1;
592   }
593 
594   ctx = BN_CTX_new();
595   if (ctx == NULL) {
596     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
597     return 0;
598   }
599 
600   BN_init(&n);
601   BN_init(&pm1);
602   BN_init(&qm1);
603   BN_init(&lcm);
604   BN_init(&gcd);
605   BN_init(&de);
606   BN_init(&dmp1);
607   BN_init(&dmq1);
608   BN_init(&iqmp_times_q);
609 
610   if (!BN_mul(&n, key->p, key->q, ctx) ||
611       /* lcm = lcm(p, q) */
612       !BN_sub(&pm1, key->p, BN_value_one()) ||
613       !BN_sub(&qm1, key->q, BN_value_one()) ||
614       !BN_mul(&lcm, &pm1, &qm1, ctx) ||
615       !BN_gcd(&gcd, &pm1, &qm1, ctx)) {
616     OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
617     goto out;
618   }
619 
620   if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
621       !BN_gcd(&gcd, &pm1, &qm1, ctx) ||
622       /* de = d*e mod lcm(p, q). */
623       !BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
624     OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
625     goto out;
626   }
627 
628   if (BN_cmp(&n, key->n) != 0) {
629     OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
630     goto out;
631   }
632 
633   if (!BN_is_one(&de)) {
634     OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
635     goto out;
636   }
637 
638   has_crt_values = key->dmp1 != NULL;
639   if (has_crt_values != (key->dmq1 != NULL) ||
640       has_crt_values != (key->iqmp != NULL)) {
641     OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
642     goto out;
643   }
644 
645   if (has_crt_values) {
646     if (/* dmp1 = d mod (p-1) */
647         !BN_mod(&dmp1, key->d, &pm1, ctx) ||
648         /* dmq1 = d mod (q-1) */
649         !BN_mod(&dmq1, key->d, &qm1, ctx) ||
650         /* iqmp = q^-1 mod p */
651         !BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) {
652       OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
653       goto out;
654     }
655 
656     if (BN_cmp(&dmp1, key->dmp1) != 0 ||
657         BN_cmp(&dmq1, key->dmq1) != 0 ||
658         BN_cmp(key->iqmp, key->p) >= 0 ||
659         !BN_is_one(&iqmp_times_q)) {
660       OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
661       goto out;
662     }
663   }
664 
665   ok = 1;
666 
667 out:
668   BN_free(&n);
669   BN_free(&pm1);
670   BN_free(&qm1);
671   BN_free(&lcm);
672   BN_free(&gcd);
673   BN_free(&de);
674   BN_free(&dmp1);
675   BN_free(&dmq1);
676   BN_free(&iqmp_times_q);
677   BN_CTX_free(ctx);
678 
679   return ok;
680 }
681 
682 
683 /* This is the product of the 132 smallest odd primes, from 3 to 751. */
684 static const BN_ULONG kSmallFactorsLimbs[] = {
685     TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
686     TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
687     TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
688     TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
689     TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
690     TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
691     TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
692     TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
693     0x000017b1
694 };
695 
DEFINE_LOCAL_DATA(BIGNUM,g_small_factors)696 DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
697   out->d = (BN_ULONG *) kSmallFactorsLimbs;
698   out->top = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
699   out->dmax = out->top;
700   out->neg = 0;
701   out->flags = BN_FLG_STATIC_DATA;
702 }
703 
RSA_check_fips(RSA * key)704 int RSA_check_fips(RSA *key) {
705   if (RSA_is_opaque(key)) {
706     /* Opaque keys can't be checked. */
707     OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
708     return 0;
709   }
710 
711   if (!RSA_check_key(key)) {
712     return 0;
713   }
714 
715   BN_CTX *ctx = BN_CTX_new();
716   if (ctx == NULL) {
717     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
718     return 0;
719   }
720 
721   BIGNUM small_gcd;
722   BN_init(&small_gcd);
723 
724   int ret = 1;
725 
726   /* Perform partial public key validation of RSA keys (SP 800-89 5.3.3). */
727   enum bn_primality_result_t primality_result;
728   if (BN_num_bits(key->e) <= 16 ||
729       BN_num_bits(key->e) > 256 ||
730       !BN_is_odd(key->n) ||
731       !BN_is_odd(key->e) ||
732       !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
733       !BN_is_one(&small_gcd) ||
734       !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
735                                                BN_prime_checks, ctx, NULL) ||
736       primality_result != bn_non_prime_power_composite) {
737     OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
738     ret = 0;
739   }
740 
741   BN_free(&small_gcd);
742   BN_CTX_free(ctx);
743 
744   if (!ret || key->d == NULL || key->p == NULL) {
745     /* On a failure or on only a public key, there's nothing else can be
746      * checked. */
747     return ret;
748   }
749 
750   /* FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
751    * section 9.9, it is not known whether |rsa| will be used for signing or
752    * encryption, so either pair-wise consistency self-test is acceptable. We
753    * perform a signing test. */
754   uint8_t data[32] = {0};
755   unsigned sig_len = RSA_size(key);
756   uint8_t *sig = OPENSSL_malloc(sig_len);
757   if (sig == NULL) {
758     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
759     return 0;
760   }
761 
762   if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
763     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
764     ret = 0;
765     goto cleanup;
766   }
767 #if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
768   data[0] = ~data[0];
769 #endif
770   if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
771     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
772     ret = 0;
773   }
774 
775 cleanup:
776   OPENSSL_free(sig);
777 
778   return ret;
779 }
780 
RSA_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)781 int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
782                           size_t len) {
783   if (rsa->meth->private_transform) {
784     return rsa->meth->private_transform(rsa, out, in, len);
785   }
786 
787   return rsa_default_private_transform(rsa, out, in, len);
788 }
789 
RSA_blinding_on(RSA * rsa,BN_CTX * ctx)790 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
791   return 1;
792 }
793