1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <assert.h>
60 #include <limits.h>
61 #include <string.h>
62
63 #include <openssl/bn.h>
64 #include <openssl/err.h>
65 #include <openssl/mem.h>
66 #include <openssl/thread.h>
67 #include <openssl/type_check.h>
68
69 #include "internal.h"
70 #include "../bn/internal.h"
71 #include "../../internal.h"
72 #include "../delocate.h"
73
74
check_modulus_and_exponent_sizes(const RSA * rsa)75 static int check_modulus_and_exponent_sizes(const RSA *rsa) {
76 unsigned rsa_bits = BN_num_bits(rsa->n);
77
78 if (rsa_bits > 16 * 1024) {
79 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
80 return 0;
81 }
82
83 /* Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as
84 * the limit based on the recommendations in [1] and [2]. Windows CryptoAPI
85 * doesn't support values larger than 32 bits [3], so it is unlikely that
86 * exponents larger than 32 bits are being used for anything Windows commonly
87 * does.
88 *
89 * [1] https://www.imperialviolet.org/2012/03/16/rsae.html
90 * [2] https://www.imperialviolet.org/2012/03/17/rsados.html
91 * [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx */
92 static const unsigned kMaxExponentBits = 33;
93
94 if (BN_num_bits(rsa->e) > kMaxExponentBits) {
95 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
96 return 0;
97 }
98
99 /* Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small
100 * shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits|
101 * is much smaller than the minimum RSA key size that any application should
102 * accept. */
103 if (rsa_bits <= kMaxExponentBits) {
104 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
105 return 0;
106 }
107 assert(BN_ucmp(rsa->n, rsa->e) > 0);
108
109 return 1;
110 }
111
rsa_default_size(const RSA * rsa)112 size_t rsa_default_size(const RSA *rsa) {
113 return BN_num_bytes(rsa->n);
114 }
115
RSA_encrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)116 int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
117 const uint8_t *in, size_t in_len, int padding) {
118 if (rsa->n == NULL || rsa->e == NULL) {
119 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
120 return 0;
121 }
122
123 const unsigned rsa_size = RSA_size(rsa);
124 BIGNUM *f, *result;
125 uint8_t *buf = NULL;
126 BN_CTX *ctx = NULL;
127 int i, ret = 0;
128
129 if (max_out < rsa_size) {
130 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
131 return 0;
132 }
133
134 if (!check_modulus_and_exponent_sizes(rsa)) {
135 return 0;
136 }
137
138 ctx = BN_CTX_new();
139 if (ctx == NULL) {
140 goto err;
141 }
142
143 BN_CTX_start(ctx);
144 f = BN_CTX_get(ctx);
145 result = BN_CTX_get(ctx);
146 buf = OPENSSL_malloc(rsa_size);
147 if (!f || !result || !buf) {
148 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
149 goto err;
150 }
151
152 switch (padding) {
153 case RSA_PKCS1_PADDING:
154 i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);
155 break;
156 case RSA_PKCS1_OAEP_PADDING:
157 /* Use the default parameters: SHA-1 for both hashes and no label. */
158 i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,
159 NULL, 0, NULL, NULL);
160 break;
161 case RSA_NO_PADDING:
162 i = RSA_padding_add_none(buf, rsa_size, in, in_len);
163 break;
164 default:
165 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
166 goto err;
167 }
168
169 if (i <= 0) {
170 goto err;
171 }
172
173 if (BN_bin2bn(buf, rsa_size, f) == NULL) {
174 goto err;
175 }
176
177 if (BN_ucmp(f, rsa->n) >= 0) {
178 /* usually the padding functions would catch this */
179 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
180 goto err;
181 }
182
183 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
184 !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
185 goto err;
186 }
187
188 /* put in leading 0 bytes if the number is less than the length of the
189 * modulus */
190 if (!BN_bn2bin_padded(out, rsa_size, result)) {
191 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
192 goto err;
193 }
194
195 *out_len = rsa_size;
196 ret = 1;
197
198 err:
199 if (ctx != NULL) {
200 BN_CTX_end(ctx);
201 BN_CTX_free(ctx);
202 }
203 if (buf != NULL) {
204 OPENSSL_cleanse(buf, rsa_size);
205 OPENSSL_free(buf);
206 }
207
208 return ret;
209 }
210
211 /* MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
212 * RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
213 * destroyed as needed. */
214 #define MAX_BLINDINGS_PER_RSA 1024
215
216 /* rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
217 * allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
218 * none are free, the cache will be extended by a extra element and the new
219 * BN_BLINDING is returned.
220 *
221 * On success, the index of the assigned BN_BLINDING is written to
222 * |*index_used| and must be passed to |rsa_blinding_release| when finished. */
rsa_blinding_get(RSA * rsa,unsigned * index_used,BN_CTX * ctx)223 static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
224 BN_CTX *ctx) {
225 assert(ctx != NULL);
226 assert(rsa->mont_n != NULL);
227
228 BN_BLINDING *ret = NULL;
229 BN_BLINDING **new_blindings;
230 uint8_t *new_blindings_inuse;
231 char overflow = 0;
232
233 CRYPTO_MUTEX_lock_write(&rsa->lock);
234
235 unsigned i;
236 for (i = 0; i < rsa->num_blindings; i++) {
237 if (rsa->blindings_inuse[i] == 0) {
238 rsa->blindings_inuse[i] = 1;
239 ret = rsa->blindings[i];
240 *index_used = i;
241 break;
242 }
243 }
244
245 if (ret != NULL) {
246 CRYPTO_MUTEX_unlock_write(&rsa->lock);
247 return ret;
248 }
249
250 overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;
251
252 /* We didn't find a free BN_BLINDING to use so increase the length of
253 * the arrays by one and use the newly created element. */
254
255 CRYPTO_MUTEX_unlock_write(&rsa->lock);
256 ret = BN_BLINDING_new();
257 if (ret == NULL) {
258 return NULL;
259 }
260
261 if (overflow) {
262 /* We cannot add any more cached BN_BLINDINGs so we use |ret|
263 * and mark it for destruction in |rsa_blinding_release|. */
264 *index_used = MAX_BLINDINGS_PER_RSA;
265 return ret;
266 }
267
268 CRYPTO_MUTEX_lock_write(&rsa->lock);
269
270 new_blindings =
271 OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));
272 if (new_blindings == NULL) {
273 goto err1;
274 }
275 OPENSSL_memcpy(new_blindings, rsa->blindings,
276 sizeof(BN_BLINDING *) * rsa->num_blindings);
277 new_blindings[rsa->num_blindings] = ret;
278
279 new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1);
280 if (new_blindings_inuse == NULL) {
281 goto err2;
282 }
283 OPENSSL_memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);
284 new_blindings_inuse[rsa->num_blindings] = 1;
285 *index_used = rsa->num_blindings;
286
287 OPENSSL_free(rsa->blindings);
288 rsa->blindings = new_blindings;
289 OPENSSL_free(rsa->blindings_inuse);
290 rsa->blindings_inuse = new_blindings_inuse;
291 rsa->num_blindings++;
292
293 CRYPTO_MUTEX_unlock_write(&rsa->lock);
294 return ret;
295
296 err2:
297 OPENSSL_free(new_blindings);
298
299 err1:
300 CRYPTO_MUTEX_unlock_write(&rsa->lock);
301 BN_BLINDING_free(ret);
302 return NULL;
303 }
304
305 /* rsa_blinding_release marks the cached BN_BLINDING at the given index as free
306 * for other threads to use. */
rsa_blinding_release(RSA * rsa,BN_BLINDING * blinding,unsigned blinding_index)307 static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
308 unsigned blinding_index) {
309 if (blinding_index == MAX_BLINDINGS_PER_RSA) {
310 /* This blinding wasn't cached. */
311 BN_BLINDING_free(blinding);
312 return;
313 }
314
315 CRYPTO_MUTEX_lock_write(&rsa->lock);
316 rsa->blindings_inuse[blinding_index] = 0;
317 CRYPTO_MUTEX_unlock_write(&rsa->lock);
318 }
319
320 /* signing */
rsa_default_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)321 int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
322 size_t max_out, const uint8_t *in, size_t in_len,
323 int padding) {
324 const unsigned rsa_size = RSA_size(rsa);
325 uint8_t *buf = NULL;
326 int i, ret = 0;
327
328 if (max_out < rsa_size) {
329 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
330 return 0;
331 }
332
333 buf = OPENSSL_malloc(rsa_size);
334 if (buf == NULL) {
335 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
336 goto err;
337 }
338
339 switch (padding) {
340 case RSA_PKCS1_PADDING:
341 i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);
342 break;
343 case RSA_NO_PADDING:
344 i = RSA_padding_add_none(buf, rsa_size, in, in_len);
345 break;
346 default:
347 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
348 goto err;
349 }
350
351 if (i <= 0) {
352 goto err;
353 }
354
355 if (!RSA_private_transform(rsa, out, buf, rsa_size)) {
356 goto err;
357 }
358
359 *out_len = rsa_size;
360 ret = 1;
361
362 err:
363 if (buf != NULL) {
364 OPENSSL_cleanse(buf, rsa_size);
365 OPENSSL_free(buf);
366 }
367
368 return ret;
369 }
370
rsa_default_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)371 int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
372 const uint8_t *in, size_t in_len, int padding) {
373 const unsigned rsa_size = RSA_size(rsa);
374 uint8_t *buf = NULL;
375 int ret = 0;
376
377 if (max_out < rsa_size) {
378 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
379 return 0;
380 }
381
382 if (padding == RSA_NO_PADDING) {
383 buf = out;
384 } else {
385 /* Allocate a temporary buffer to hold the padded plaintext. */
386 buf = OPENSSL_malloc(rsa_size);
387 if (buf == NULL) {
388 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
389 goto err;
390 }
391 }
392
393 if (in_len != rsa_size) {
394 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
395 goto err;
396 }
397
398 if (!RSA_private_transform(rsa, buf, in, rsa_size)) {
399 goto err;
400 }
401
402 switch (padding) {
403 case RSA_PKCS1_PADDING:
404 ret =
405 RSA_padding_check_PKCS1_type_2(out, out_len, rsa_size, buf, rsa_size);
406 break;
407 case RSA_PKCS1_OAEP_PADDING:
408 /* Use the default parameters: SHA-1 for both hashes and no label. */
409 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, out_len, rsa_size, buf,
410 rsa_size, NULL, 0, NULL, NULL);
411 break;
412 case RSA_NO_PADDING:
413 *out_len = rsa_size;
414 ret = 1;
415 break;
416 default:
417 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
418 goto err;
419 }
420
421 if (!ret) {
422 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
423 }
424
425 err:
426 if (padding != RSA_NO_PADDING && buf != NULL) {
427 OPENSSL_cleanse(buf, rsa_size);
428 OPENSSL_free(buf);
429 }
430
431 return ret;
432 }
433
434 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
435
RSA_verify_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)436 int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
437 const uint8_t *in, size_t in_len, int padding) {
438 if (rsa->n == NULL || rsa->e == NULL) {
439 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
440 return 0;
441 }
442
443 const unsigned rsa_size = RSA_size(rsa);
444 BIGNUM *f, *result;
445
446 if (max_out < rsa_size) {
447 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
448 return 0;
449 }
450
451 if (in_len != rsa_size) {
452 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
453 return 0;
454 }
455
456 if (!check_modulus_and_exponent_sizes(rsa)) {
457 return 0;
458 }
459
460 BN_CTX *ctx = BN_CTX_new();
461 if (ctx == NULL) {
462 return 0;
463 }
464
465 int ret = 0;
466 uint8_t *buf = NULL;
467
468 BN_CTX_start(ctx);
469 f = BN_CTX_get(ctx);
470 result = BN_CTX_get(ctx);
471 if (f == NULL || result == NULL) {
472 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
473 goto err;
474 }
475
476 if (padding == RSA_NO_PADDING) {
477 buf = out;
478 } else {
479 /* Allocate a temporary buffer to hold the padded plaintext. */
480 buf = OPENSSL_malloc(rsa_size);
481 if (buf == NULL) {
482 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
483 goto err;
484 }
485 }
486
487 if (BN_bin2bn(in, in_len, f) == NULL) {
488 goto err;
489 }
490
491 if (BN_ucmp(f, rsa->n) >= 0) {
492 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
493 goto err;
494 }
495
496 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
497 !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
498 goto err;
499 }
500
501 if (!BN_bn2bin_padded(buf, rsa_size, result)) {
502 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
503 goto err;
504 }
505
506 switch (padding) {
507 case RSA_PKCS1_PADDING:
508 ret =
509 RSA_padding_check_PKCS1_type_1(out, out_len, rsa_size, buf, rsa_size);
510 break;
511 case RSA_NO_PADDING:
512 ret = 1;
513 *out_len = rsa_size;
514 break;
515 default:
516 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
517 goto err;
518 }
519
520 if (!ret) {
521 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
522 goto err;
523 }
524
525 err:
526 BN_CTX_end(ctx);
527 BN_CTX_free(ctx);
528 if (buf != out) {
529 OPENSSL_free(buf);
530 }
531 return ret;
532 }
533
rsa_default_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)534 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
535 size_t len) {
536 if (rsa->n == NULL || rsa->d == NULL) {
537 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
538 return 0;
539 }
540
541 BIGNUM *f, *result;
542 BN_CTX *ctx = NULL;
543 unsigned blinding_index = 0;
544 BN_BLINDING *blinding = NULL;
545 int ret = 0;
546
547 ctx = BN_CTX_new();
548 if (ctx == NULL) {
549 goto err;
550 }
551 BN_CTX_start(ctx);
552 f = BN_CTX_get(ctx);
553 result = BN_CTX_get(ctx);
554
555 if (f == NULL || result == NULL) {
556 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
557 goto err;
558 }
559
560 if (BN_bin2bn(in, len, f) == NULL) {
561 goto err;
562 }
563
564 if (BN_ucmp(f, rsa->n) >= 0) {
565 /* Usually the padding functions would catch this. */
566 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
567 goto err;
568 }
569
570 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
571 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
572 goto err;
573 }
574
575 const int do_blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0;
576
577 if (rsa->e == NULL && do_blinding) {
578 /* We cannot do blinding or verification without |e|, and continuing without
579 * those countermeasures is dangerous. However, the Java/Android RSA API
580 * requires support for keys where only |d| and |n| (and not |e|) are known.
581 * The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|. */
582 OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT);
583 goto err;
584 }
585
586 if (do_blinding) {
587 blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
588 if (blinding == NULL) {
589 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
590 goto err;
591 }
592 if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx)) {
593 goto err;
594 }
595 }
596
597 if (rsa->p != NULL && rsa->q != NULL && rsa->e != NULL && rsa->dmp1 != NULL &&
598 rsa->dmq1 != NULL && rsa->iqmp != NULL) {
599 if (!mod_exp(result, f, rsa, ctx)) {
600 goto err;
601 }
602 } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d, rsa->n, ctx,
603 rsa->mont_n)) {
604 goto err;
605 }
606
607 /* Verify the result to protect against fault attacks as described in the
608 * 1997 paper "On the Importance of Checking Cryptographic Protocols for
609 * Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some
610 * implementations do this only when the CRT is used, but we do it in all
611 * cases. Section 6 of the aforementioned paper describes an attack that
612 * works when the CRT isn't used. That attack is much less likely to succeed
613 * than the CRT attack, but there have likely been improvements since 1997.
614 *
615 * This check is cheap assuming |e| is small; it almost always is. */
616 if (rsa->e != NULL) {
617 BIGNUM *vrfy = BN_CTX_get(ctx);
618 if (vrfy == NULL ||
619 !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) ||
620 !BN_equal_consttime(vrfy, f)) {
621 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
622 goto err;
623 }
624
625 }
626
627 if (do_blinding &&
628 !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) {
629 goto err;
630 }
631
632 if (!BN_bn2bin_padded(out, len, result)) {
633 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
634 goto err;
635 }
636
637 ret = 1;
638
639 err:
640 if (ctx != NULL) {
641 BN_CTX_end(ctx);
642 BN_CTX_free(ctx);
643 }
644 if (blinding != NULL) {
645 rsa_blinding_release(rsa, blinding, blinding_index);
646 }
647
648 return ret;
649 }
650
mod_exp(BIGNUM * r0,const BIGNUM * I,RSA * rsa,BN_CTX * ctx)651 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
652 assert(ctx != NULL);
653
654 assert(rsa->n != NULL);
655 assert(rsa->e != NULL);
656 assert(rsa->d != NULL);
657 assert(rsa->p != NULL);
658 assert(rsa->q != NULL);
659 assert(rsa->dmp1 != NULL);
660 assert(rsa->dmq1 != NULL);
661 assert(rsa->iqmp != NULL);
662
663 BIGNUM *r1, *m1, *vrfy;
664 int ret = 0;
665
666 BN_CTX_start(ctx);
667 r1 = BN_CTX_get(ctx);
668 m1 = BN_CTX_get(ctx);
669 vrfy = BN_CTX_get(ctx);
670 if (r1 == NULL ||
671 m1 == NULL ||
672 vrfy == NULL) {
673 goto err;
674 }
675
676 if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) ||
677 !BN_MONT_CTX_set_locked(&rsa->mont_q, &rsa->lock, rsa->q, ctx)) {
678 goto err;
679 }
680
681 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
682 goto err;
683 }
684
685 /* compute I mod q */
686 if (!BN_mod(r1, I, rsa->q, ctx)) {
687 goto err;
688 }
689
690 /* compute r1^dmq1 mod q */
691 if (!BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1, rsa->q, ctx, rsa->mont_q)) {
692 goto err;
693 }
694
695 /* compute I mod p */
696 if (!BN_mod(r1, I, rsa->p, ctx)) {
697 goto err;
698 }
699
700 /* compute r1^dmp1 mod p */
701 if (!BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1, rsa->p, ctx, rsa->mont_p)) {
702 goto err;
703 }
704
705 if (!BN_sub(r0, r0, m1)) {
706 goto err;
707 }
708 /* This will help stop the size of r0 increasing, which does
709 * affect the multiply if it optimised for a power of 2 size */
710 if (BN_is_negative(r0)) {
711 if (!BN_add(r0, r0, rsa->p)) {
712 goto err;
713 }
714 }
715
716 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) {
717 goto err;
718 }
719
720 if (!BN_mod(r0, r1, rsa->p, ctx)) {
721 goto err;
722 }
723
724 /* If p < q it is occasionally possible for the correction of
725 * adding 'p' if r0 is negative above to leave the result still
726 * negative. This can break the private key operations: the following
727 * second correction should *always* correct this rare occurrence.
728 * This will *never* happen with OpenSSL generated keys because
729 * they ensure p > q [steve] */
730 if (BN_is_negative(r0)) {
731 if (!BN_add(r0, r0, rsa->p)) {
732 goto err;
733 }
734 }
735 if (!BN_mul(r1, r0, rsa->q, ctx)) {
736 goto err;
737 }
738 if (!BN_add(r0, r1, m1)) {
739 goto err;
740 }
741
742 ret = 1;
743
744 err:
745 BN_CTX_end(ctx);
746 return ret;
747 }
748
ensure_bignum(BIGNUM ** out)749 static int ensure_bignum(BIGNUM **out) {
750 if (*out == NULL) {
751 *out = BN_new();
752 }
753 return *out != NULL;
754 }
755
756 /* kBoringSSLRSASqrtTwo is the BIGNUM representation of ⌊2¹⁵³⁵×√2⌋. This is
757 * chosen to give enough precision for 3072-bit RSA, the largest key size FIPS
758 * specifies. Key sizes beyond this will round up.
759 *
760 * To verify this number, check that n² < 2³⁰⁷¹ < (n+1)², where n is value
761 * represented here. Note the components are listed in little-endian order. Here
762 * is some sample Python code to check:
763 *
764 * >>> TOBN = lambda a, b: a << 32 | b
765 * >>> l = [ <paste the contents of kSqrtTwo> ]
766 * >>> n = sum(a * 2**(64*i) for i, a in enumerate(l))
767 * >>> n**2 < 2**3071 < (n+1)**2
768 * True
769 */
770 const BN_ULONG kBoringSSLRSASqrtTwo[] = {
771 TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307),
772 TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f),
773 TOBN(0xb8cf341b, 0x6f8236c7), TOBN(0x4264dabc, 0xd528b651),
774 TOBN(0xf4d3a02c, 0xebc93e0c), TOBN(0x81394ab6, 0xd8fd0efd),
775 TOBN(0xeaa4a089, 0x9040ca4a), TOBN(0xf52f120f, 0x836e582e),
776 TOBN(0xcb2a6343, 0x31f3c84d), TOBN(0xc6d5a8a3, 0x8bb7e9dc),
777 TOBN(0x460abc72, 0x2f7c4e33), TOBN(0xcab1bc91, 0x1688458a),
778 TOBN(0x53059c60, 0x11bc337b), TOBN(0xd2202e87, 0x42af1f4e),
779 TOBN(0x78048736, 0x3dfa2768), TOBN(0x0f74a85e, 0x439c7b4a),
780 TOBN(0xa8b1fe6f, 0xdc83db39), TOBN(0x4afc8304, 0x3ab8a2c3),
781 TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
782 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484),
783 };
784 const size_t kBoringSSLRSASqrtTwoLen = OPENSSL_ARRAY_SIZE(kBoringSSLRSASqrtTwo);
785
rsa_less_than_words(const BN_ULONG * a,const BN_ULONG * b,size_t len)786 int rsa_less_than_words(const BN_ULONG *a, const BN_ULONG *b, size_t len) {
787 OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
788 crypto_word_t_too_small);
789 int ret = 0;
790 /* Process the words in little-endian order. */
791 for (size_t i = 0; i < len; i++) {
792 crypto_word_t eq = constant_time_eq_w(a[i], b[i]);
793 crypto_word_t lt = constant_time_lt_w(a[i], b[i]);
794 ret = constant_time_select_int(eq, ret, constant_time_select_int(lt, 1, 0));
795 }
796 return ret;
797 }
798
rsa_greater_than_pow2(const BIGNUM * b,int n)799 int rsa_greater_than_pow2(const BIGNUM *b, int n) {
800 if (BN_is_negative(b) || n == INT_MAX) {
801 return 0;
802 }
803
804 int b_bits = BN_num_bits(b);
805 return b_bits > n + 1 || (b_bits == n + 1 && !BN_is_pow2(b));
806 }
807
808 /* generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
809 * relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
810 * |p|. */
generate_prime(BIGNUM * out,int bits,const BIGNUM * e,const BIGNUM * p,BN_CTX * ctx,BN_GENCB * cb)811 static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
812 const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb) {
813 if (bits < 128 || (bits % BN_BITS2) != 0) {
814 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
815 return 0;
816 }
817
818 /* Ensure the bound on |tries| does not overflow. */
819 if (bits >= INT_MAX/5) {
820 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
821 return 0;
822 }
823
824 int ret = 0, tries = 0, rand_tries = 0;
825 BN_CTX_start(ctx);
826 BIGNUM *tmp = BN_CTX_get(ctx);
827 if (tmp == NULL) {
828 goto err;
829 }
830
831 /* See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is
832 * nlen/2. */
833 for (;;) {
834 /* Generate a random number of length |bits| where the bottom bit is set
835 * (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the
836 * bound checked below in steps 4.4 and 5.5). */
837 if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) ||
838 !BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) {
839 goto err;
840 }
841
842 if (p != NULL) {
843 /* If |p| and |out| are too close, try again (step 5.4). */
844 if (!BN_sub(tmp, out, p)) {
845 goto err;
846 }
847 BN_set_negative(tmp, 0);
848 if (!rsa_greater_than_pow2(tmp, bits - 100)) {
849 continue;
850 }
851 }
852
853 /* If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5).
854 *
855 * We check the most significant words, so we retry if ⌊out/2^k⌋ <= ⌊b/2^k⌋,
856 * where b = 2^(bits-1)×√2 and k = max(0, bits - 1536). For key sizes up to
857 * 3072 (bits = 1536), k = 0, so we are testing that ⌊out⌋ <= ⌊b⌋. out is an
858 * integer and b is not, so this is equivalent to out < b. That is, the
859 * comparison is exact for FIPS key sizes.
860 *
861 * For larger keys, the comparison is approximate, leaning towards
862 * retrying. That is, we reject a negligible fraction of primes that are
863 * within the FIPS bound, but we will never accept a prime outside the
864 * bound, ensuring the resulting RSA key is the right size. Specifically, if
865 * the FIPS bound holds, we have ⌊out/2^k⌋ < out/2^k < b/2^k. This implies
866 * ⌊out/2^k⌋ <= ⌊b/2^k⌋. That is, the FIPS bound implies our bound and so we
867 * are slightly tighter. */
868 size_t out_len = (size_t)out->top;
869 assert(out_len == (size_t)bits / BN_BITS2);
870 size_t to_check = kBoringSSLRSASqrtTwoLen;
871 if (to_check > out_len) {
872 to_check = out_len;
873 }
874 if (!rsa_less_than_words(
875 kBoringSSLRSASqrtTwo + kBoringSSLRSASqrtTwoLen - to_check,
876 out->d + out_len - to_check, to_check)) {
877 continue;
878 }
879
880 /* Check gcd(out-1, e) is one (steps 4.5 and 5.6). */
881 if (!BN_sub(tmp, out, BN_value_one()) ||
882 !BN_gcd(tmp, tmp, e, ctx)) {
883 goto err;
884 }
885 if (BN_is_one(tmp)) {
886 /* Test |out| for primality (steps 4.5.1 and 5.6.1). */
887 int is_probable_prime;
888 if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 1,
889 cb)) {
890 goto err;
891 }
892 if (is_probable_prime) {
893 ret = 1;
894 goto err;
895 }
896 }
897
898 /* If we've tried too many times to find a prime, abort (steps 4.7 and
899 * 5.8). */
900 tries++;
901 if (tries >= bits * 5) {
902 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
903 goto err;
904 }
905 if (!BN_GENCB_call(cb, 2, tries)) {
906 goto err;
907 }
908 }
909
910 err:
911 BN_CTX_end(ctx);
912 return ret;
913 }
914
RSA_generate_key_ex(RSA * rsa,int bits,BIGNUM * e_value,BN_GENCB * cb)915 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
916 /* See FIPS 186-4 appendix B.3. This function implements a generalized version
917 * of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
918 * for FIPS-compliant key generation. */
919
920 /* Always generate RSA keys which are a multiple of 128 bits. Round |bits|
921 * down as needed. */
922 bits &= ~127;
923
924 /* Reject excessively small keys. */
925 if (bits < 256) {
926 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
927 return 0;
928 }
929
930 int ret = 0;
931 BN_CTX *ctx = BN_CTX_new();
932 if (ctx == NULL) {
933 goto bn_err;
934 }
935 BN_CTX_start(ctx);
936 BIGNUM *totient = BN_CTX_get(ctx);
937 BIGNUM *pm1 = BN_CTX_get(ctx);
938 BIGNUM *qm1 = BN_CTX_get(ctx);
939 BIGNUM *gcd = BN_CTX_get(ctx);
940 if (totient == NULL || pm1 == NULL || qm1 == NULL || gcd == NULL) {
941 goto bn_err;
942 }
943
944 /* We need the RSA components non-NULL. */
945 if (!ensure_bignum(&rsa->n) ||
946 !ensure_bignum(&rsa->d) ||
947 !ensure_bignum(&rsa->e) ||
948 !ensure_bignum(&rsa->p) ||
949 !ensure_bignum(&rsa->q) ||
950 !ensure_bignum(&rsa->dmp1) ||
951 !ensure_bignum(&rsa->dmq1) ||
952 !ensure_bignum(&rsa->iqmp)) {
953 goto bn_err;
954 }
955
956 if (!BN_copy(rsa->e, e_value)) {
957 goto bn_err;
958 }
959
960 int prime_bits = bits / 2;
961 do {
962 /* Generate p and q, each of size |prime_bits|, using the steps outlined in
963 * appendix FIPS 186-4 appendix B.3.3. */
964 if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, ctx, cb) ||
965 !BN_GENCB_call(cb, 3, 0) ||
966 !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, ctx, cb) ||
967 !BN_GENCB_call(cb, 3, 1)) {
968 goto bn_err;
969 }
970
971 if (BN_cmp(rsa->p, rsa->q) < 0) {
972 BIGNUM *tmp = rsa->p;
973 rsa->p = rsa->q;
974 rsa->q = tmp;
975 }
976
977 /* Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
978 * from typical RSA implementations which use (p-1)*(q-1).
979 *
980 * Note this means the size of d might reveal information about p-1 and
981 * q-1. However, we do operations with Chinese Remainder Theorem, so we only
982 * use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
983 * does not affect those two values. */
984 if (!BN_sub(pm1, rsa->p, BN_value_one()) ||
985 !BN_sub(qm1, rsa->q, BN_value_one()) ||
986 !BN_mul(totient, pm1, qm1, ctx) ||
987 !BN_gcd(gcd, pm1, qm1, ctx) ||
988 !BN_div(totient, NULL, totient, gcd, ctx) ||
989 !BN_mod_inverse(rsa->d, rsa->e, totient, ctx)) {
990 goto bn_err;
991 }
992
993 /* Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See
994 * appendix B.3.1's guidance on values for d. */
995 } while (!rsa_greater_than_pow2(rsa->d, prime_bits));
996
997 if (/* Calculate n. */
998 !BN_mul(rsa->n, rsa->p, rsa->q, ctx) ||
999 /* Calculate d mod (p-1). */
1000 !BN_mod(rsa->dmp1, rsa->d, pm1, ctx) ||
1001 /* Calculate d mod (q-1) */
1002 !BN_mod(rsa->dmq1, rsa->d, qm1, ctx)) {
1003 goto bn_err;
1004 }
1005
1006 /* Sanity-check that |rsa->n| has the specified size. This is implied by
1007 * |generate_prime|'s bounds. */
1008 if (BN_num_bits(rsa->n) != (unsigned)bits) {
1009 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
1010 goto err;
1011 }
1012
1013 /* Calculate inverse of q mod p. Note that although RSA key generation is far
1014 * from constant-time, |bn_mod_inverse_secret_prime| uses the same modular
1015 * exponentation logic as in RSA private key operations and, if the RSAZ-1024
1016 * code is enabled, will be optimized for common RSA prime sizes. */
1017 if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) ||
1018 !bn_mod_inverse_secret_prime(rsa->iqmp, rsa->q, rsa->p, ctx,
1019 rsa->mont_p)) {
1020 goto bn_err;
1021 }
1022
1023 /* The key generation process is complex and thus error-prone. It could be
1024 * disastrous to generate and then use a bad key so double-check that the key
1025 * makes sense. */
1026 if (!RSA_check_key(rsa)) {
1027 OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
1028 goto err;
1029 }
1030
1031 ret = 1;
1032
1033 bn_err:
1034 if (!ret) {
1035 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
1036 }
1037 err:
1038 if (ctx != NULL) {
1039 BN_CTX_end(ctx);
1040 BN_CTX_free(ctx);
1041 }
1042 return ret;
1043 }
1044
RSA_generate_key_fips(RSA * rsa,int bits,BN_GENCB * cb)1045 int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) {
1046 /* FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit
1047 * primes, respectively) with the prime generation method we use. */
1048 if (bits != 2048 && bits != 3072) {
1049 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
1050 return 0;
1051 }
1052
1053 BIGNUM *e = BN_new();
1054 int ret = e != NULL &&
1055 BN_set_word(e, RSA_F4) &&
1056 RSA_generate_key_ex(rsa, bits, e, cb) &&
1057 RSA_check_fips(rsa);
1058 BN_free(e);
1059 return ret;
1060 }
1061
DEFINE_METHOD_FUNCTION(RSA_METHOD,RSA_default_method)1062 DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) {
1063 /* All of the methods are NULL to make it easier for the compiler/linker to
1064 * drop unused functions. The wrapper functions will select the appropriate
1065 * |rsa_default_*| implementation. */
1066 OPENSSL_memset(out, 0, sizeof(RSA_METHOD));
1067 out->common.is_static = 1;
1068 out->flags = RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
1069 }
1070