1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <limits.h>
60 #include <string.h>
61
62 #include <openssl/bn.h>
63 #include <openssl/digest.h>
64 #include <openssl/engine.h>
65 #include <openssl/err.h>
66 #include <openssl/ex_data.h>
67 #include <openssl/md5.h>
68 #include <openssl/mem.h>
69 #include <openssl/nid.h>
70 #include <openssl/sha.h>
71 #include <openssl/thread.h>
72
73 #include "../bn/internal.h"
74 #include "../delocate.h"
75 #include "../../internal.h"
76 #include "internal.h"
77
78
79 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class);
80
RSA_new(void)81 RSA *RSA_new(void) { return RSA_new_method(NULL); }
82
RSA_new_method(const ENGINE * engine)83 RSA *RSA_new_method(const ENGINE *engine) {
84 RSA *rsa = OPENSSL_malloc(sizeof(RSA));
85 if (rsa == NULL) {
86 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
89
90 OPENSSL_memset(rsa, 0, sizeof(RSA));
91
92 if (engine) {
93 rsa->meth = ENGINE_get_RSA_method(engine);
94 }
95
96 if (rsa->meth == NULL) {
97 rsa->meth = (RSA_METHOD *) RSA_default_method();
98 }
99 METHOD_ref(rsa->meth);
100
101 rsa->references = 1;
102 rsa->flags = rsa->meth->flags;
103 CRYPTO_MUTEX_init(&rsa->lock);
104 CRYPTO_new_ex_data(&rsa->ex_data);
105
106 if (rsa->meth->init && !rsa->meth->init(rsa)) {
107 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
108 CRYPTO_MUTEX_cleanup(&rsa->lock);
109 METHOD_unref(rsa->meth);
110 OPENSSL_free(rsa);
111 return NULL;
112 }
113
114 return rsa;
115 }
116
RSA_free(RSA * rsa)117 void RSA_free(RSA *rsa) {
118 unsigned u;
119
120 if (rsa == NULL) {
121 return;
122 }
123
124 if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
125 return;
126 }
127
128 if (rsa->meth->finish) {
129 rsa->meth->finish(rsa);
130 }
131 METHOD_unref(rsa->meth);
132
133 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
134
135 BN_clear_free(rsa->n);
136 BN_clear_free(rsa->e);
137 BN_clear_free(rsa->d);
138 BN_clear_free(rsa->p);
139 BN_clear_free(rsa->q);
140 BN_clear_free(rsa->dmp1);
141 BN_clear_free(rsa->dmq1);
142 BN_clear_free(rsa->iqmp);
143 BN_MONT_CTX_free(rsa->mont_n);
144 BN_MONT_CTX_free(rsa->mont_p);
145 BN_MONT_CTX_free(rsa->mont_q);
146 for (u = 0; u < rsa->num_blindings; u++) {
147 BN_BLINDING_free(rsa->blindings[u]);
148 }
149 OPENSSL_free(rsa->blindings);
150 OPENSSL_free(rsa->blindings_inuse);
151 CRYPTO_MUTEX_cleanup(&rsa->lock);
152 OPENSSL_free(rsa);
153 }
154
RSA_up_ref(RSA * rsa)155 int RSA_up_ref(RSA *rsa) {
156 CRYPTO_refcount_inc(&rsa->references);
157 return 1;
158 }
159
RSA_bits(const RSA * rsa)160 unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); }
161
RSA_get0_key(const RSA * rsa,const BIGNUM ** out_n,const BIGNUM ** out_e,const BIGNUM ** out_d)162 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
163 const BIGNUM **out_d) {
164 if (out_n != NULL) {
165 *out_n = rsa->n;
166 }
167 if (out_e != NULL) {
168 *out_e = rsa->e;
169 }
170 if (out_d != NULL) {
171 *out_d = rsa->d;
172 }
173 }
174
RSA_get0_factors(const RSA * rsa,const BIGNUM ** out_p,const BIGNUM ** out_q)175 void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
176 const BIGNUM **out_q) {
177 if (out_p != NULL) {
178 *out_p = rsa->p;
179 }
180 if (out_q != NULL) {
181 *out_q = rsa->q;
182 }
183 }
184
RSA_get0_crt_params(const RSA * rsa,const BIGNUM ** out_dmp1,const BIGNUM ** out_dmq1,const BIGNUM ** out_iqmp)185 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
186 const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
187 if (out_dmp1 != NULL) {
188 *out_dmp1 = rsa->dmp1;
189 }
190 if (out_dmq1 != NULL) {
191 *out_dmq1 = rsa->dmq1;
192 }
193 if (out_iqmp != NULL) {
194 *out_iqmp = rsa->iqmp;
195 }
196 }
197
RSA_set0_key(RSA * rsa,BIGNUM * n,BIGNUM * e,BIGNUM * d)198 int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
199 if ((rsa->n == NULL && n == NULL) ||
200 (rsa->e == NULL && e == NULL)) {
201 return 0;
202 }
203
204 if (n != NULL) {
205 BN_free(rsa->n);
206 rsa->n = n;
207 }
208 if (e != NULL) {
209 BN_free(rsa->e);
210 rsa->e = e;
211 }
212 if (d != NULL) {
213 BN_free(rsa->d);
214 rsa->d = d;
215 }
216
217 return 1;
218 }
219
RSA_set0_factors(RSA * rsa,BIGNUM * p,BIGNUM * q)220 int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {
221 if ((rsa->p == NULL && p == NULL) ||
222 (rsa->q == NULL && q == NULL)) {
223 return 0;
224 }
225
226 if (p != NULL) {
227 BN_free(rsa->p);
228 rsa->p = p;
229 }
230 if (q != NULL) {
231 BN_free(rsa->q);
232 rsa->q = q;
233 }
234
235 return 1;
236 }
237
RSA_set0_crt_params(RSA * rsa,BIGNUM * dmp1,BIGNUM * dmq1,BIGNUM * iqmp)238 int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
239 if ((rsa->dmp1 == NULL && dmp1 == NULL) ||
240 (rsa->dmq1 == NULL && dmq1 == NULL) ||
241 (rsa->iqmp == NULL && iqmp == NULL)) {
242 return 0;
243 }
244
245 if (dmp1 != NULL) {
246 BN_free(rsa->dmp1);
247 rsa->dmp1 = dmp1;
248 }
249 if (dmq1 != NULL) {
250 BN_free(rsa->dmq1);
251 rsa->dmq1 = dmq1;
252 }
253 if (iqmp != NULL) {
254 BN_free(rsa->iqmp);
255 rsa->iqmp = iqmp;
256 }
257
258 return 1;
259 }
260
RSA_public_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)261 int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
262 int padding) {
263 size_t out_len;
264
265 if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
266 return -1;
267 }
268
269 if (out_len > INT_MAX) {
270 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
271 return -1;
272 }
273 return out_len;
274 }
275
RSA_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)276 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
277 const uint8_t *in, size_t in_len, int padding) {
278 if (rsa->meth->sign_raw) {
279 return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
280 }
281
282 return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
283 }
284
RSA_private_encrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)285 int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
286 int padding) {
287 size_t out_len;
288
289 if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
290 return -1;
291 }
292
293 if (out_len > INT_MAX) {
294 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
295 return -1;
296 }
297 return out_len;
298 }
299
RSA_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)300 int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
301 const uint8_t *in, size_t in_len, int padding) {
302 if (rsa->meth->decrypt) {
303 return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
304 }
305
306 return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
307 }
308
RSA_private_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)309 int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
310 int padding) {
311 size_t out_len;
312
313 if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
314 return -1;
315 }
316
317 if (out_len > INT_MAX) {
318 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
319 return -1;
320 }
321 return out_len;
322 }
323
RSA_public_decrypt(size_t flen,const uint8_t * from,uint8_t * to,RSA * rsa,int padding)324 int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
325 int padding) {
326 size_t out_len;
327
328 if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
329 return -1;
330 }
331
332 if (out_len > INT_MAX) {
333 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
334 return -1;
335 }
336 return out_len;
337 }
338
RSA_size(const RSA * rsa)339 unsigned RSA_size(const RSA *rsa) {
340 if (rsa->meth->size) {
341 return rsa->meth->size(rsa);
342 }
343
344 return rsa_default_size(rsa);
345 }
346
RSA_is_opaque(const RSA * rsa)347 int RSA_is_opaque(const RSA *rsa) {
348 return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
349 }
350
RSA_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)351 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
352 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
353 int index;
354 if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
355 argp, free_func)) {
356 return -1;
357 }
358 return index;
359 }
360
RSA_set_ex_data(RSA * rsa,int idx,void * arg)361 int RSA_set_ex_data(RSA *rsa, int idx, void *arg) {
362 return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg);
363 }
364
RSA_get_ex_data(const RSA * rsa,int idx)365 void *RSA_get_ex_data(const RSA *rsa, int idx) {
366 return CRYPTO_get_ex_data(&rsa->ex_data, idx);
367 }
368
369 // SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
370 // the length of an MD5 and SHA1 hash.
371 static const unsigned SSL_SIG_LENGTH = 36;
372
373 // pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
374 // to be signed with PKCS#1.
375 struct pkcs1_sig_prefix {
376 // nid identifies the hash function.
377 int nid;
378 // hash_len is the expected length of the hash function.
379 uint8_t hash_len;
380 // len is the number of bytes of |bytes| which are valid.
381 uint8_t len;
382 // bytes contains the DER bytes.
383 uint8_t bytes[19];
384 };
385
386 // kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
387 // different hash functions.
388 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
389 {
390 NID_md5,
391 MD5_DIGEST_LENGTH,
392 18,
393 {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
394 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
395 },
396 {
397 NID_sha1,
398 SHA_DIGEST_LENGTH,
399 15,
400 {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
401 0x00, 0x04, 0x14},
402 },
403 {
404 NID_sha224,
405 SHA224_DIGEST_LENGTH,
406 19,
407 {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
408 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
409 },
410 {
411 NID_sha256,
412 SHA256_DIGEST_LENGTH,
413 19,
414 {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
415 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
416 },
417 {
418 NID_sha384,
419 SHA384_DIGEST_LENGTH,
420 19,
421 {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
422 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
423 },
424 {
425 NID_sha512,
426 SHA512_DIGEST_LENGTH,
427 19,
428 {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
429 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
430 },
431 {
432 NID_undef, 0, 0, {0},
433 },
434 };
435
RSA_add_pkcs1_prefix(uint8_t ** out_msg,size_t * out_msg_len,int * is_alloced,int hash_nid,const uint8_t * msg,size_t msg_len)436 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
437 int *is_alloced, int hash_nid, const uint8_t *msg,
438 size_t msg_len) {
439 unsigned i;
440
441 if (hash_nid == NID_md5_sha1) {
442 // Special case: SSL signature, just check the length.
443 if (msg_len != SSL_SIG_LENGTH) {
444 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
445 return 0;
446 }
447
448 *out_msg = (uint8_t*) msg;
449 *out_msg_len = SSL_SIG_LENGTH;
450 *is_alloced = 0;
451 return 1;
452 }
453
454 for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
455 const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
456 if (sig_prefix->nid != hash_nid) {
457 continue;
458 }
459
460 if (msg_len != sig_prefix->hash_len) {
461 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
462 return 0;
463 }
464
465 const uint8_t* prefix = sig_prefix->bytes;
466 unsigned prefix_len = sig_prefix->len;
467 unsigned signed_msg_len;
468 uint8_t *signed_msg;
469
470 signed_msg_len = prefix_len + msg_len;
471 if (signed_msg_len < prefix_len) {
472 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
473 return 0;
474 }
475
476 signed_msg = OPENSSL_malloc(signed_msg_len);
477 if (!signed_msg) {
478 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
479 return 0;
480 }
481
482 OPENSSL_memcpy(signed_msg, prefix, prefix_len);
483 OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len);
484
485 *out_msg = signed_msg;
486 *out_msg_len = signed_msg_len;
487 *is_alloced = 1;
488
489 return 1;
490 }
491
492 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
493 return 0;
494 }
495
RSA_sign(int hash_nid,const uint8_t * in,unsigned in_len,uint8_t * out,unsigned * out_len,RSA * rsa)496 int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
497 unsigned *out_len, RSA *rsa) {
498 const unsigned rsa_size = RSA_size(rsa);
499 int ret = 0;
500 uint8_t *signed_msg = NULL;
501 size_t signed_msg_len = 0;
502 int signed_msg_is_alloced = 0;
503 size_t size_t_out_len;
504
505 if (rsa->meth->sign) {
506 return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
507 }
508
509 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
510 &signed_msg_is_alloced, hash_nid, in, in_len) ||
511 !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
512 signed_msg_len, RSA_PKCS1_PADDING)) {
513 goto err;
514 }
515
516 *out_len = size_t_out_len;
517 ret = 1;
518
519 err:
520 if (signed_msg_is_alloced) {
521 OPENSSL_free(signed_msg);
522 }
523 return ret;
524 }
525
RSA_sign_pss_mgf1(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len)526 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
527 const uint8_t *in, size_t in_len, const EVP_MD *md,
528 const EVP_MD *mgf1_md, int salt_len) {
529 if (in_len != EVP_MD_size(md)) {
530 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
531 return 0;
532 }
533
534 size_t padded_len = RSA_size(rsa);
535 uint8_t *padded = OPENSSL_malloc(padded_len);
536 if (padded == NULL) {
537 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
538 return 0;
539 }
540
541 int ret =
542 RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) &&
543 RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
544 RSA_NO_PADDING);
545 OPENSSL_free(padded);
546 return ret;
547 }
548
RSA_verify(int hash_nid,const uint8_t * msg,size_t msg_len,const uint8_t * sig,size_t sig_len,RSA * rsa)549 int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
550 const uint8_t *sig, size_t sig_len, RSA *rsa) {
551 if (rsa->n == NULL || rsa->e == NULL) {
552 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
553 return 0;
554 }
555
556 const size_t rsa_size = RSA_size(rsa);
557 uint8_t *buf = NULL;
558 int ret = 0;
559 uint8_t *signed_msg = NULL;
560 size_t signed_msg_len = 0, len;
561 int signed_msg_is_alloced = 0;
562
563 if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
564 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
565 return 0;
566 }
567
568 buf = OPENSSL_malloc(rsa_size);
569 if (!buf) {
570 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
571 return 0;
572 }
573
574 if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
575 RSA_PKCS1_PADDING)) {
576 goto out;
577 }
578
579 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
580 &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
581 goto out;
582 }
583
584 // Check that no other information follows the hash value (FIPS 186-4 Section
585 // 5.5) and it matches the expected hash.
586 if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
587 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
588 goto out;
589 }
590
591 ret = 1;
592
593 out:
594 OPENSSL_free(buf);
595 if (signed_msg_is_alloced) {
596 OPENSSL_free(signed_msg);
597 }
598 return ret;
599 }
600
RSA_verify_pss_mgf1(RSA * rsa,const uint8_t * msg,size_t msg_len,const EVP_MD * md,const EVP_MD * mgf1_md,int salt_len,const uint8_t * sig,size_t sig_len)601 int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len,
602 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
603 const uint8_t *sig, size_t sig_len) {
604 if (msg_len != EVP_MD_size(md)) {
605 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
606 return 0;
607 }
608
609 size_t em_len = RSA_size(rsa);
610 uint8_t *em = OPENSSL_malloc(em_len);
611 if (em == NULL) {
612 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
613 return 0;
614 }
615
616 int ret = 0;
617 if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
618 goto err;
619 }
620
621 if (em_len != RSA_size(rsa)) {
622 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
623 goto err;
624 }
625
626 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len);
627
628 err:
629 OPENSSL_free(em);
630 return ret;
631 }
632
RSA_check_key(const RSA * key)633 int RSA_check_key(const RSA *key) {
634 BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q;
635 BN_CTX *ctx;
636 int ok = 0, has_crt_values;
637
638 if (RSA_is_opaque(key)) {
639 // Opaque keys can't be checked.
640 return 1;
641 }
642
643 if ((key->p != NULL) != (key->q != NULL)) {
644 OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
645 return 0;
646 }
647
648 if (!key->n || !key->e) {
649 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
650 return 0;
651 }
652
653 if (!key->d || !key->p) {
654 // For a public key, or without p and q, there's nothing that can be
655 // checked.
656 return 1;
657 }
658
659 ctx = BN_CTX_new();
660 if (ctx == NULL) {
661 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
662 return 0;
663 }
664
665 BN_init(&n);
666 BN_init(&pm1);
667 BN_init(&qm1);
668 BN_init(&lcm);
669 BN_init(&gcd);
670 BN_init(&de);
671 BN_init(&dmp1);
672 BN_init(&dmq1);
673 BN_init(&iqmp_times_q);
674
675 if (!BN_mul(&n, key->p, key->q, ctx) ||
676 // lcm = lcm(p, q)
677 !BN_sub(&pm1, key->p, BN_value_one()) ||
678 !BN_sub(&qm1, key->q, BN_value_one()) ||
679 !BN_mul(&lcm, &pm1, &qm1, ctx) ||
680 !BN_gcd(&gcd, &pm1, &qm1, ctx)) {
681 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
682 goto out;
683 }
684
685 if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
686 !BN_gcd(&gcd, &pm1, &qm1, ctx) ||
687 // de = d*e mod lcm(p, q).
688 !BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
689 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
690 goto out;
691 }
692
693 if (BN_cmp(&n, key->n) != 0) {
694 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
695 goto out;
696 }
697
698 if (!BN_is_one(&de)) {
699 OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
700 goto out;
701 }
702
703 has_crt_values = key->dmp1 != NULL;
704 if (has_crt_values != (key->dmq1 != NULL) ||
705 has_crt_values != (key->iqmp != NULL)) {
706 OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
707 goto out;
708 }
709
710 if (has_crt_values) {
711 if (// dmp1 = d mod (p-1)
712 !BN_mod(&dmp1, key->d, &pm1, ctx) ||
713 // dmq1 = d mod (q-1)
714 !BN_mod(&dmq1, key->d, &qm1, ctx) ||
715 // iqmp = q^-1 mod p
716 !BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) {
717 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
718 goto out;
719 }
720
721 if (BN_cmp(&dmp1, key->dmp1) != 0 ||
722 BN_cmp(&dmq1, key->dmq1) != 0 ||
723 BN_cmp(key->iqmp, key->p) >= 0 ||
724 !BN_is_one(&iqmp_times_q)) {
725 OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
726 goto out;
727 }
728 }
729
730 ok = 1;
731
732 out:
733 BN_free(&n);
734 BN_free(&pm1);
735 BN_free(&qm1);
736 BN_free(&lcm);
737 BN_free(&gcd);
738 BN_free(&de);
739 BN_free(&dmp1);
740 BN_free(&dmq1);
741 BN_free(&iqmp_times_q);
742 BN_CTX_free(ctx);
743
744 return ok;
745 }
746
747
748 // This is the product of the 132 smallest odd primes, from 3 to 751.
749 static const BN_ULONG kSmallFactorsLimbs[] = {
750 TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
751 TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
752 TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
753 TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
754 TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
755 TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
756 TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
757 TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
758 0x000017b1
759 };
760
DEFINE_LOCAL_DATA(BIGNUM,g_small_factors)761 DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
762 out->d = (BN_ULONG *) kSmallFactorsLimbs;
763 out->top = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
764 out->dmax = out->top;
765 out->neg = 0;
766 out->flags = BN_FLG_STATIC_DATA;
767 }
768
RSA_check_fips(RSA * key)769 int RSA_check_fips(RSA *key) {
770 if (RSA_is_opaque(key)) {
771 // Opaque keys can't be checked.
772 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
773 return 0;
774 }
775
776 if (!RSA_check_key(key)) {
777 return 0;
778 }
779
780 BN_CTX *ctx = BN_CTX_new();
781 if (ctx == NULL) {
782 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
783 return 0;
784 }
785
786 BIGNUM small_gcd;
787 BN_init(&small_gcd);
788
789 int ret = 1;
790
791 // Perform partial public key validation of RSA keys (SP 800-89 5.3.3).
792 enum bn_primality_result_t primality_result;
793 if (BN_num_bits(key->e) <= 16 ||
794 BN_num_bits(key->e) > 256 ||
795 !BN_is_odd(key->n) ||
796 !BN_is_odd(key->e) ||
797 !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
798 !BN_is_one(&small_gcd) ||
799 !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
800 BN_prime_checks, ctx, NULL) ||
801 primality_result != bn_non_prime_power_composite) {
802 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
803 ret = 0;
804 }
805
806 BN_free(&small_gcd);
807 BN_CTX_free(ctx);
808
809 if (!ret || key->d == NULL || key->p == NULL) {
810 // On a failure or on only a public key, there's nothing else can be
811 // checked.
812 return ret;
813 }
814
815 // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
816 // section 9.9, it is not known whether |rsa| will be used for signing or
817 // encryption, so either pair-wise consistency self-test is acceptable. We
818 // perform a signing test.
819 uint8_t data[32] = {0};
820 unsigned sig_len = RSA_size(key);
821 uint8_t *sig = OPENSSL_malloc(sig_len);
822 if (sig == NULL) {
823 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
824 return 0;
825 }
826
827 if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
828 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
829 ret = 0;
830 goto cleanup;
831 }
832 #if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
833 data[0] = ~data[0];
834 #endif
835 if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
836 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
837 ret = 0;
838 }
839
840 cleanup:
841 OPENSSL_free(sig);
842
843 return ret;
844 }
845
RSA_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)846 int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
847 size_t len) {
848 if (rsa->meth->private_transform) {
849 return rsa->meth->private_transform(rsa, out, in, len);
850 }
851
852 return rsa_default_private_transform(rsa, out, in, len);
853 }
854
RSA_flags(const RSA * rsa)855 int RSA_flags(const RSA *rsa) { return rsa->flags; }
856
RSA_blinding_on(RSA * rsa,BN_CTX * ctx)857 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
858 return 1;
859 }
860