1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <assert.h>
60 #include <limits.h>
61 #include <string.h>
62
63 #include <openssl/bn.h>
64 #include <openssl/err.h>
65 #include <openssl/mem.h>
66 #include <openssl/thread.h>
67 #include <openssl/type_check.h>
68
69 #include "internal.h"
70 #include "../bn/internal.h"
71 #include "../../internal.h"
72 #include "../delocate.h"
73
74
check_modulus_and_exponent_sizes(const RSA * rsa)75 static int check_modulus_and_exponent_sizes(const RSA *rsa) {
76 unsigned rsa_bits = BN_num_bits(rsa->n);
77
78 if (rsa_bits > 16 * 1024) {
79 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
80 return 0;
81 }
82
83 // Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as
84 // the limit based on the recommendations in [1] and [2]. Windows CryptoAPI
85 // doesn't support values larger than 32 bits [3], so it is unlikely that
86 // exponents larger than 32 bits are being used for anything Windows commonly
87 // does.
88 //
89 // [1] https://www.imperialviolet.org/2012/03/16/rsae.html
90 // [2] https://www.imperialviolet.org/2012/03/17/rsados.html
91 // [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
92 static const unsigned kMaxExponentBits = 33;
93
94 if (BN_num_bits(rsa->e) > kMaxExponentBits) {
95 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
96 return 0;
97 }
98
99 // Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small
100 // shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits|
101 // is much smaller than the minimum RSA key size that any application should
102 // accept.
103 if (rsa_bits <= kMaxExponentBits) {
104 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
105 return 0;
106 }
107 assert(BN_ucmp(rsa->n, rsa->e) > 0);
108
109 return 1;
110 }
111
rsa_default_size(const RSA * rsa)112 size_t rsa_default_size(const RSA *rsa) {
113 return BN_num_bytes(rsa->n);
114 }
115
RSA_encrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)116 int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
117 const uint8_t *in, size_t in_len, int padding) {
118 if (rsa->n == NULL || rsa->e == NULL) {
119 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
120 return 0;
121 }
122
123 const unsigned rsa_size = RSA_size(rsa);
124 BIGNUM *f, *result;
125 uint8_t *buf = NULL;
126 BN_CTX *ctx = NULL;
127 int i, ret = 0;
128
129 if (max_out < rsa_size) {
130 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
131 return 0;
132 }
133
134 if (!check_modulus_and_exponent_sizes(rsa)) {
135 return 0;
136 }
137
138 ctx = BN_CTX_new();
139 if (ctx == NULL) {
140 goto err;
141 }
142
143 BN_CTX_start(ctx);
144 f = BN_CTX_get(ctx);
145 result = BN_CTX_get(ctx);
146 buf = OPENSSL_malloc(rsa_size);
147 if (!f || !result || !buf) {
148 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
149 goto err;
150 }
151
152 switch (padding) {
153 case RSA_PKCS1_PADDING:
154 i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);
155 break;
156 case RSA_PKCS1_OAEP_PADDING:
157 // Use the default parameters: SHA-1 for both hashes and no label.
158 i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,
159 NULL, 0, NULL, NULL);
160 break;
161 case RSA_NO_PADDING:
162 i = RSA_padding_add_none(buf, rsa_size, in, in_len);
163 break;
164 default:
165 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
166 goto err;
167 }
168
169 if (i <= 0) {
170 goto err;
171 }
172
173 if (BN_bin2bn(buf, rsa_size, f) == NULL) {
174 goto err;
175 }
176
177 if (BN_ucmp(f, rsa->n) >= 0) {
178 // usually the padding functions would catch this
179 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
180 goto err;
181 }
182
183 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
184 !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
185 goto err;
186 }
187
188 // put in leading 0 bytes if the number is less than the length of the
189 // modulus
190 if (!BN_bn2bin_padded(out, rsa_size, result)) {
191 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
192 goto err;
193 }
194
195 *out_len = rsa_size;
196 ret = 1;
197
198 err:
199 if (ctx != NULL) {
200 BN_CTX_end(ctx);
201 BN_CTX_free(ctx);
202 }
203 OPENSSL_free(buf);
204
205 return ret;
206 }
207
208 // MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
209 // RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
210 // destroyed as needed.
211 #define MAX_BLINDINGS_PER_RSA 1024
212
213 // rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
214 // allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
215 // none are free, the cache will be extended by a extra element and the new
216 // BN_BLINDING is returned.
217 //
218 // On success, the index of the assigned BN_BLINDING is written to
219 // |*index_used| and must be passed to |rsa_blinding_release| when finished.
rsa_blinding_get(RSA * rsa,unsigned * index_used,BN_CTX * ctx)220 static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
221 BN_CTX *ctx) {
222 assert(ctx != NULL);
223 assert(rsa->mont_n != NULL);
224
225 BN_BLINDING *ret = NULL;
226 BN_BLINDING **new_blindings;
227 uint8_t *new_blindings_inuse;
228 char overflow = 0;
229
230 CRYPTO_MUTEX_lock_write(&rsa->lock);
231
232 unsigned i;
233 for (i = 0; i < rsa->num_blindings; i++) {
234 if (rsa->blindings_inuse[i] == 0) {
235 rsa->blindings_inuse[i] = 1;
236 ret = rsa->blindings[i];
237 *index_used = i;
238 break;
239 }
240 }
241
242 if (ret != NULL) {
243 CRYPTO_MUTEX_unlock_write(&rsa->lock);
244 return ret;
245 }
246
247 overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;
248
249 // We didn't find a free BN_BLINDING to use so increase the length of
250 // the arrays by one and use the newly created element.
251
252 CRYPTO_MUTEX_unlock_write(&rsa->lock);
253 ret = BN_BLINDING_new();
254 if (ret == NULL) {
255 return NULL;
256 }
257
258 if (overflow) {
259 // We cannot add any more cached BN_BLINDINGs so we use |ret|
260 // and mark it for destruction in |rsa_blinding_release|.
261 *index_used = MAX_BLINDINGS_PER_RSA;
262 return ret;
263 }
264
265 CRYPTO_MUTEX_lock_write(&rsa->lock);
266
267 new_blindings =
268 OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));
269 if (new_blindings == NULL) {
270 goto err1;
271 }
272 OPENSSL_memcpy(new_blindings, rsa->blindings,
273 sizeof(BN_BLINDING *) * rsa->num_blindings);
274 new_blindings[rsa->num_blindings] = ret;
275
276 new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1);
277 if (new_blindings_inuse == NULL) {
278 goto err2;
279 }
280 OPENSSL_memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);
281 new_blindings_inuse[rsa->num_blindings] = 1;
282 *index_used = rsa->num_blindings;
283
284 OPENSSL_free(rsa->blindings);
285 rsa->blindings = new_blindings;
286 OPENSSL_free(rsa->blindings_inuse);
287 rsa->blindings_inuse = new_blindings_inuse;
288 rsa->num_blindings++;
289
290 CRYPTO_MUTEX_unlock_write(&rsa->lock);
291 return ret;
292
293 err2:
294 OPENSSL_free(new_blindings);
295
296 err1:
297 CRYPTO_MUTEX_unlock_write(&rsa->lock);
298 BN_BLINDING_free(ret);
299 return NULL;
300 }
301
302 // rsa_blinding_release marks the cached BN_BLINDING at the given index as free
303 // for other threads to use.
rsa_blinding_release(RSA * rsa,BN_BLINDING * blinding,unsigned blinding_index)304 static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
305 unsigned blinding_index) {
306 if (blinding_index == MAX_BLINDINGS_PER_RSA) {
307 // This blinding wasn't cached.
308 BN_BLINDING_free(blinding);
309 return;
310 }
311
312 CRYPTO_MUTEX_lock_write(&rsa->lock);
313 rsa->blindings_inuse[blinding_index] = 0;
314 CRYPTO_MUTEX_unlock_write(&rsa->lock);
315 }
316
317 // signing
rsa_default_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)318 int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
319 size_t max_out, const uint8_t *in, size_t in_len,
320 int padding) {
321 const unsigned rsa_size = RSA_size(rsa);
322 uint8_t *buf = NULL;
323 int i, ret = 0;
324
325 if (max_out < rsa_size) {
326 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
327 return 0;
328 }
329
330 buf = OPENSSL_malloc(rsa_size);
331 if (buf == NULL) {
332 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
333 goto err;
334 }
335
336 switch (padding) {
337 case RSA_PKCS1_PADDING:
338 i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);
339 break;
340 case RSA_NO_PADDING:
341 i = RSA_padding_add_none(buf, rsa_size, in, in_len);
342 break;
343 default:
344 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
345 goto err;
346 }
347
348 if (i <= 0) {
349 goto err;
350 }
351
352 if (!RSA_private_transform(rsa, out, buf, rsa_size)) {
353 goto err;
354 }
355
356 *out_len = rsa_size;
357 ret = 1;
358
359 err:
360 OPENSSL_free(buf);
361
362 return ret;
363 }
364
rsa_default_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)365 int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
366 const uint8_t *in, size_t in_len, int padding) {
367 const unsigned rsa_size = RSA_size(rsa);
368 uint8_t *buf = NULL;
369 int ret = 0;
370
371 if (max_out < rsa_size) {
372 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
373 return 0;
374 }
375
376 if (padding == RSA_NO_PADDING) {
377 buf = out;
378 } else {
379 // Allocate a temporary buffer to hold the padded plaintext.
380 buf = OPENSSL_malloc(rsa_size);
381 if (buf == NULL) {
382 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
383 goto err;
384 }
385 }
386
387 if (in_len != rsa_size) {
388 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
389 goto err;
390 }
391
392 if (!RSA_private_transform(rsa, buf, in, rsa_size)) {
393 goto err;
394 }
395
396 switch (padding) {
397 case RSA_PKCS1_PADDING:
398 ret =
399 RSA_padding_check_PKCS1_type_2(out, out_len, rsa_size, buf, rsa_size);
400 break;
401 case RSA_PKCS1_OAEP_PADDING:
402 // Use the default parameters: SHA-1 for both hashes and no label.
403 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, out_len, rsa_size, buf,
404 rsa_size, NULL, 0, NULL, NULL);
405 break;
406 case RSA_NO_PADDING:
407 *out_len = rsa_size;
408 ret = 1;
409 break;
410 default:
411 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
412 goto err;
413 }
414
415 if (!ret) {
416 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
417 }
418
419 err:
420 if (padding != RSA_NO_PADDING) {
421 OPENSSL_free(buf);
422 }
423
424 return ret;
425 }
426
427 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
428
RSA_verify_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)429 int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
430 const uint8_t *in, size_t in_len, int padding) {
431 if (rsa->n == NULL || rsa->e == NULL) {
432 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
433 return 0;
434 }
435
436 const unsigned rsa_size = RSA_size(rsa);
437 BIGNUM *f, *result;
438
439 if (max_out < rsa_size) {
440 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
441 return 0;
442 }
443
444 if (in_len != rsa_size) {
445 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
446 return 0;
447 }
448
449 if (!check_modulus_and_exponent_sizes(rsa)) {
450 return 0;
451 }
452
453 BN_CTX *ctx = BN_CTX_new();
454 if (ctx == NULL) {
455 return 0;
456 }
457
458 int ret = 0;
459 uint8_t *buf = NULL;
460
461 BN_CTX_start(ctx);
462 f = BN_CTX_get(ctx);
463 result = BN_CTX_get(ctx);
464 if (f == NULL || result == NULL) {
465 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
466 goto err;
467 }
468
469 if (padding == RSA_NO_PADDING) {
470 buf = out;
471 } else {
472 // Allocate a temporary buffer to hold the padded plaintext.
473 buf = OPENSSL_malloc(rsa_size);
474 if (buf == NULL) {
475 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
476 goto err;
477 }
478 }
479
480 if (BN_bin2bn(in, in_len, f) == NULL) {
481 goto err;
482 }
483
484 if (BN_ucmp(f, rsa->n) >= 0) {
485 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
486 goto err;
487 }
488
489 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
490 !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
491 goto err;
492 }
493
494 if (!BN_bn2bin_padded(buf, rsa_size, result)) {
495 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
496 goto err;
497 }
498
499 switch (padding) {
500 case RSA_PKCS1_PADDING:
501 ret =
502 RSA_padding_check_PKCS1_type_1(out, out_len, rsa_size, buf, rsa_size);
503 break;
504 case RSA_NO_PADDING:
505 ret = 1;
506 *out_len = rsa_size;
507 break;
508 default:
509 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
510 goto err;
511 }
512
513 if (!ret) {
514 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
515 goto err;
516 }
517
518 err:
519 BN_CTX_end(ctx);
520 BN_CTX_free(ctx);
521 if (buf != out) {
522 OPENSSL_free(buf);
523 }
524 return ret;
525 }
526
rsa_default_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)527 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
528 size_t len) {
529 if (rsa->n == NULL || rsa->d == NULL) {
530 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
531 return 0;
532 }
533
534 BIGNUM *f, *result;
535 BN_CTX *ctx = NULL;
536 unsigned blinding_index = 0;
537 BN_BLINDING *blinding = NULL;
538 int ret = 0;
539
540 ctx = BN_CTX_new();
541 if (ctx == NULL) {
542 goto err;
543 }
544 BN_CTX_start(ctx);
545 f = BN_CTX_get(ctx);
546 result = BN_CTX_get(ctx);
547
548 if (f == NULL || result == NULL) {
549 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
550 goto err;
551 }
552
553 if (BN_bin2bn(in, len, f) == NULL) {
554 goto err;
555 }
556
557 if (BN_ucmp(f, rsa->n) >= 0) {
558 // Usually the padding functions would catch this.
559 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
560 goto err;
561 }
562
563 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
564 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
565 goto err;
566 }
567
568 const int do_blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0;
569
570 if (rsa->e == NULL && do_blinding) {
571 // We cannot do blinding or verification without |e|, and continuing without
572 // those countermeasures is dangerous. However, the Java/Android RSA API
573 // requires support for keys where only |d| and |n| (and not |e|) are known.
574 // The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|.
575 OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT);
576 goto err;
577 }
578
579 if (do_blinding) {
580 blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
581 if (blinding == NULL) {
582 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
583 goto err;
584 }
585 if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx)) {
586 goto err;
587 }
588 }
589
590 if (rsa->p != NULL && rsa->q != NULL && rsa->e != NULL && rsa->dmp1 != NULL &&
591 rsa->dmq1 != NULL && rsa->iqmp != NULL) {
592 if (!mod_exp(result, f, rsa, ctx)) {
593 goto err;
594 }
595 } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d, rsa->n, ctx,
596 rsa->mont_n)) {
597 goto err;
598 }
599
600 // Verify the result to protect against fault attacks as described in the
601 // 1997 paper "On the Importance of Checking Cryptographic Protocols for
602 // Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some
603 // implementations do this only when the CRT is used, but we do it in all
604 // cases. Section 6 of the aforementioned paper describes an attack that
605 // works when the CRT isn't used. That attack is much less likely to succeed
606 // than the CRT attack, but there have likely been improvements since 1997.
607 //
608 // This check is cheap assuming |e| is small; it almost always is.
609 if (rsa->e != NULL) {
610 BIGNUM *vrfy = BN_CTX_get(ctx);
611 if (vrfy == NULL ||
612 !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) ||
613 !BN_equal_consttime(vrfy, f)) {
614 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
615 goto err;
616 }
617
618 }
619
620 if (do_blinding &&
621 !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) {
622 goto err;
623 }
624
625 if (!BN_bn2bin_padded(out, len, result)) {
626 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
627 goto err;
628 }
629
630 ret = 1;
631
632 err:
633 if (ctx != NULL) {
634 BN_CTX_end(ctx);
635 BN_CTX_free(ctx);
636 }
637 if (blinding != NULL) {
638 rsa_blinding_release(rsa, blinding, blinding_index);
639 }
640
641 return ret;
642 }
643
644 // mod_montgomery sets |r| to |I| mod |p|. |I| must already be fully reduced
645 // modulo |p| times |q|. It returns one on success and zero on error.
mod_montgomery(BIGNUM * r,const BIGNUM * I,const BIGNUM * p,const BN_MONT_CTX * mont_p,const BIGNUM * q,BN_CTX * ctx)646 static int mod_montgomery(BIGNUM *r, const BIGNUM *I, const BIGNUM *p,
647 const BN_MONT_CTX *mont_p, const BIGNUM *q,
648 BN_CTX *ctx) {
649 // Reducing in constant-time with Montgomery reduction requires I <= p * R. We
650 // have I < p * q, so this follows if q < R. In particular, this always holds
651 // if p and q are the same size, which is true for any RSA keys we or anyone
652 // sane generates. For other keys, we fall back to |BN_mod|.
653 if (!bn_less_than_montgomery_R(q, mont_p)) {
654 return BN_mod(r, I, p, ctx);
655 }
656
657 if (// Reduce mod p with Montgomery reduction. This computes I * R^-1 mod p.
658 !BN_from_montgomery(r, I, mont_p, ctx) ||
659 // Multiply by R^2 and do another Montgomery reduction to compute
660 // I * R^-1 * R^2 * R^-1 = I mod p.
661 !BN_to_montgomery(r, r, mont_p, ctx)) {
662 return 0;
663 }
664
665 // By precomputing R^3 mod p (normally |BN_MONT_CTX| only uses R^2 mod p) and
666 // adjusting the API for |BN_mod_exp_mont_consttime|, we could instead compute
667 // I * R mod p here and save a reduction per prime. But this would require
668 // changing the RSAZ code and may not be worth it.
669 return 1;
670 }
671
mod_exp(BIGNUM * r0,const BIGNUM * I,RSA * rsa,BN_CTX * ctx)672 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
673 assert(ctx != NULL);
674
675 assert(rsa->n != NULL);
676 assert(rsa->e != NULL);
677 assert(rsa->d != NULL);
678 assert(rsa->p != NULL);
679 assert(rsa->q != NULL);
680 assert(rsa->dmp1 != NULL);
681 assert(rsa->dmq1 != NULL);
682 assert(rsa->iqmp != NULL);
683
684 BIGNUM *r1, *m1, *vrfy;
685 int ret = 0;
686
687 BN_CTX_start(ctx);
688 r1 = BN_CTX_get(ctx);
689 m1 = BN_CTX_get(ctx);
690 vrfy = BN_CTX_get(ctx);
691 if (r1 == NULL ||
692 m1 == NULL ||
693 vrfy == NULL) {
694 goto err;
695 }
696
697 if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) ||
698 !BN_MONT_CTX_set_locked(&rsa->mont_q, &rsa->lock, rsa->q, ctx)) {
699 goto err;
700 }
701
702 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
703 goto err;
704 }
705
706 // This is a pre-condition for |mod_montgomery|. It was already checked by the
707 // caller.
708 assert(BN_ucmp(I, rsa->n) < 0);
709
710 // compute I mod q
711 if (!mod_montgomery(r1, I, rsa->q, rsa->mont_q, rsa->p, ctx)) {
712 goto err;
713 }
714
715 // compute r1^dmq1 mod q
716 if (!BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1, rsa->q, ctx, rsa->mont_q)) {
717 goto err;
718 }
719
720 // compute I mod p
721 if (!mod_montgomery(r1, I, rsa->p, rsa->mont_p, rsa->q, ctx)) {
722 goto err;
723 }
724
725 // compute r1^dmp1 mod p
726 if (!BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1, rsa->p, ctx, rsa->mont_p)) {
727 goto err;
728 }
729
730 // TODO(davidben): The code below is not constant-time, even ignoring
731 // |bn_correct_top|. To fix this:
732 //
733 // 1. Canonicalize keys on p > q. (p > q for keys we generate, but not ones we
734 // import.) We have exposed structs, but we can generalize the
735 // |BN_MONT_CTX_set_locked| trick to do a one-time canonicalization of the
736 // private key where we optionally swap p and q (re-computing iqmp if
737 // necessary) and fill in mont_*. This removes the p < q case below.
738 //
739 // 2. Compute r0 - m1 (mod p) in constant-time. With (1) done, this is just a
740 // constant-time modular subtraction. It should be doable with
741 // |bn_sub_words| and a select on the borrow bit.
742 //
743 // 3. When computing mont_*, additionally compute iqmp_mont, iqmp in
744 // Montgomery form. The |BN_mul| and |BN_mod| pair can then be replaced
745 // with |BN_mod_mul_montgomery|.
746
747 if (!BN_sub(r0, r0, m1)) {
748 goto err;
749 }
750 // This will help stop the size of r0 increasing, which does
751 // affect the multiply if it optimised for a power of 2 size
752 if (BN_is_negative(r0)) {
753 if (!BN_add(r0, r0, rsa->p)) {
754 goto err;
755 }
756 }
757
758 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) {
759 goto err;
760 }
761
762 if (!BN_mod(r0, r1, rsa->p, ctx)) {
763 goto err;
764 }
765
766 // If p < q it is occasionally possible for the correction of
767 // adding 'p' if r0 is negative above to leave the result still
768 // negative. This can break the private key operations: the following
769 // second correction should *always* correct this rare occurrence.
770 // This will *never* happen with OpenSSL generated keys because
771 // they ensure p > q [steve]
772 if (BN_is_negative(r0)) {
773 if (!BN_add(r0, r0, rsa->p)) {
774 goto err;
775 }
776 }
777 if (!BN_mul(r1, r0, rsa->q, ctx)) {
778 goto err;
779 }
780 if (!BN_add(r0, r1, m1)) {
781 goto err;
782 }
783
784 ret = 1;
785
786 err:
787 BN_CTX_end(ctx);
788 return ret;
789 }
790
ensure_bignum(BIGNUM ** out)791 static int ensure_bignum(BIGNUM **out) {
792 if (*out == NULL) {
793 *out = BN_new();
794 }
795 return *out != NULL;
796 }
797
798 // kBoringSSLRSASqrtTwo is the BIGNUM representation of ⌊2¹⁵³⁵×√2⌋. This is
799 // chosen to give enough precision for 3072-bit RSA, the largest key size FIPS
800 // specifies. Key sizes beyond this will round up.
801 //
802 // To verify this number, check that n² < 2³⁰⁷¹ < (n+1)², where n is value
803 // represented here. Note the components are listed in little-endian order. Here
804 // is some sample Python code to check:
805 //
806 // >>> TOBN = lambda a, b: a << 32 | b
807 // >>> l = [ <paste the contents of kSqrtTwo> ]
808 // >>> n = sum(a * 2**(64*i) for i, a in enumerate(l))
809 // >>> n**2 < 2**3071 < (n+1)**2
810 // True
811 const BN_ULONG kBoringSSLRSASqrtTwo[] = {
812 TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307),
813 TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f),
814 TOBN(0xb8cf341b, 0x6f8236c7), TOBN(0x4264dabc, 0xd528b651),
815 TOBN(0xf4d3a02c, 0xebc93e0c), TOBN(0x81394ab6, 0xd8fd0efd),
816 TOBN(0xeaa4a089, 0x9040ca4a), TOBN(0xf52f120f, 0x836e582e),
817 TOBN(0xcb2a6343, 0x31f3c84d), TOBN(0xc6d5a8a3, 0x8bb7e9dc),
818 TOBN(0x460abc72, 0x2f7c4e33), TOBN(0xcab1bc91, 0x1688458a),
819 TOBN(0x53059c60, 0x11bc337b), TOBN(0xd2202e87, 0x42af1f4e),
820 TOBN(0x78048736, 0x3dfa2768), TOBN(0x0f74a85e, 0x439c7b4a),
821 TOBN(0xa8b1fe6f, 0xdc83db39), TOBN(0x4afc8304, 0x3ab8a2c3),
822 TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
823 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484),
824 };
825 const size_t kBoringSSLRSASqrtTwoLen = OPENSSL_ARRAY_SIZE(kBoringSSLRSASqrtTwo);
826
rsa_greater_than_pow2(const BIGNUM * b,int n)827 int rsa_greater_than_pow2(const BIGNUM *b, int n) {
828 if (BN_is_negative(b) || n == INT_MAX) {
829 return 0;
830 }
831
832 int b_bits = BN_num_bits(b);
833 return b_bits > n + 1 || (b_bits == n + 1 && !BN_is_pow2(b));
834 }
835
836 // generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
837 // relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
838 // |p|.
generate_prime(BIGNUM * out,int bits,const BIGNUM * e,const BIGNUM * p,const BIGNUM * sqrt2,BN_CTX * ctx,BN_GENCB * cb)839 static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
840 const BIGNUM *p, const BIGNUM *sqrt2, BN_CTX *ctx,
841 BN_GENCB *cb) {
842 if (bits < 128 || (bits % BN_BITS2) != 0) {
843 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
844 return 0;
845 }
846
847 // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is nlen/2.
848
849 // Use the limit from steps 4.7 and 5.8 for most values of |e|. When |e| is 3,
850 // the 186-4 limit is too low, so we use a higher one. Note this case is not
851 // reachable from |RSA_generate_key_fips|.
852 if (bits >= INT_MAX/32) {
853 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
854 return 0;
855 }
856 int limit = BN_is_word(e, 3) ? bits * 32 : bits * 5;
857
858 int ret = 0, tries = 0, rand_tries = 0;
859 BN_CTX_start(ctx);
860 BIGNUM *tmp = BN_CTX_get(ctx);
861 if (tmp == NULL) {
862 goto err;
863 }
864
865 for (;;) {
866 // Generate a random number of length |bits| where the bottom bit is set
867 // (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the
868 // bound checked below in steps 4.4 and 5.5).
869 if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) ||
870 !BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) {
871 goto err;
872 }
873
874 if (p != NULL) {
875 // If |p| and |out| are too close, try again (step 5.4).
876 if (!BN_sub(tmp, out, p)) {
877 goto err;
878 }
879 BN_set_negative(tmp, 0);
880 if (!rsa_greater_than_pow2(tmp, bits - 100)) {
881 continue;
882 }
883 }
884
885 // If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5). This is equivalent
886 // to out <= ⌊2^(bits-1)×√2⌋, or out <= sqrt2 for FIPS key sizes.
887 //
888 // For larger keys, the comparison is approximate, leaning towards
889 // retrying. That is, we reject a negligible fraction of primes that are
890 // within the FIPS bound, but we will never accept a prime outside the
891 // bound, ensuring the resulting RSA key is the right size.
892 if (!BN_less_than_consttime(sqrt2, out)) {
893 continue;
894 }
895
896 // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
897 if (!BN_sub(tmp, out, BN_value_one()) ||
898 !BN_gcd(tmp, tmp, e, ctx)) {
899 goto err;
900 }
901 if (BN_is_one(tmp)) {
902 // Test |out| for primality (steps 4.5.1 and 5.6.1).
903 int is_probable_prime;
904 if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 1,
905 cb)) {
906 goto err;
907 }
908 if (is_probable_prime) {
909 ret = 1;
910 goto err;
911 }
912 }
913
914 // If we've tried too many times to find a prime, abort (steps 4.7 and
915 // 5.8).
916 tries++;
917 if (tries >= limit) {
918 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
919 goto err;
920 }
921 if (!BN_GENCB_call(cb, 2, tries)) {
922 goto err;
923 }
924 }
925
926 err:
927 BN_CTX_end(ctx);
928 return ret;
929 }
930
RSA_generate_key_ex(RSA * rsa,int bits,BIGNUM * e_value,BN_GENCB * cb)931 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
932 // See FIPS 186-4 appendix B.3. This function implements a generalized version
933 // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
934 // for FIPS-compliant key generation.
935
936 // Always generate RSA keys which are a multiple of 128 bits. Round |bits|
937 // down as needed.
938 bits &= ~127;
939
940 // Reject excessively small keys.
941 if (bits < 256) {
942 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
943 return 0;
944 }
945
946 int ret = 0;
947 BN_CTX *ctx = BN_CTX_new();
948 if (ctx == NULL) {
949 goto bn_err;
950 }
951 BN_CTX_start(ctx);
952 BIGNUM *totient = BN_CTX_get(ctx);
953 BIGNUM *pm1 = BN_CTX_get(ctx);
954 BIGNUM *qm1 = BN_CTX_get(ctx);
955 BIGNUM *gcd = BN_CTX_get(ctx);
956 BIGNUM *sqrt2 = BN_CTX_get(ctx);
957 if (totient == NULL || pm1 == NULL || qm1 == NULL || gcd == NULL ||
958 sqrt2 == NULL) {
959 goto bn_err;
960 }
961
962 // We need the RSA components non-NULL.
963 if (!ensure_bignum(&rsa->n) ||
964 !ensure_bignum(&rsa->d) ||
965 !ensure_bignum(&rsa->e) ||
966 !ensure_bignum(&rsa->p) ||
967 !ensure_bignum(&rsa->q) ||
968 !ensure_bignum(&rsa->dmp1) ||
969 !ensure_bignum(&rsa->dmq1) ||
970 !ensure_bignum(&rsa->iqmp)) {
971 goto bn_err;
972 }
973
974 if (!BN_copy(rsa->e, e_value)) {
975 goto bn_err;
976 }
977
978 int prime_bits = bits / 2;
979
980 // Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋.
981 if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) {
982 goto bn_err;
983 }
984 int sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
985 assert(sqrt2_bits == (int)BN_num_bits(sqrt2));
986 if (sqrt2_bits > prime_bits) {
987 // For key sizes up to 3072 (prime_bits = 1536), this is exactly
988 // ⌊2^(prime_bits-1)×√2⌋.
989 if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) {
990 goto bn_err;
991 }
992 } else if (prime_bits > sqrt2_bits) {
993 // For key sizes beyond 3072, this is approximate. We err towards retrying
994 // to ensure our key is the right size and round up.
995 if (!BN_add_word(sqrt2, 1) ||
996 !BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) {
997 goto bn_err;
998 }
999 }
1000 assert(prime_bits == (int)BN_num_bits(sqrt2));
1001
1002 do {
1003 // Generate p and q, each of size |prime_bits|, using the steps outlined in
1004 // appendix FIPS 186-4 appendix B.3.3.
1005 if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2, ctx, cb) ||
1006 !BN_GENCB_call(cb, 3, 0) ||
1007 !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2, ctx, cb) ||
1008 !BN_GENCB_call(cb, 3, 1)) {
1009 goto bn_err;
1010 }
1011
1012 if (BN_cmp(rsa->p, rsa->q) < 0) {
1013 BIGNUM *tmp = rsa->p;
1014 rsa->p = rsa->q;
1015 rsa->q = tmp;
1016 }
1017
1018 // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
1019 // from typical RSA implementations which use (p-1)*(q-1).
1020 //
1021 // Note this means the size of d might reveal information about p-1 and
1022 // q-1. However, we do operations with Chinese Remainder Theorem, so we only
1023 // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
1024 // does not affect those two values.
1025 if (!BN_sub(pm1, rsa->p, BN_value_one()) ||
1026 !BN_sub(qm1, rsa->q, BN_value_one()) ||
1027 !BN_mul(totient, pm1, qm1, ctx) ||
1028 !BN_gcd(gcd, pm1, qm1, ctx) ||
1029 !BN_div(totient, NULL, totient, gcd, ctx) ||
1030 !BN_mod_inverse(rsa->d, rsa->e, totient, ctx)) {
1031 goto bn_err;
1032 }
1033
1034 // Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See
1035 // appendix B.3.1's guidance on values for d.
1036 } while (!rsa_greater_than_pow2(rsa->d, prime_bits));
1037
1038 if (// Calculate n.
1039 !BN_mul(rsa->n, rsa->p, rsa->q, ctx) ||
1040 // Calculate d mod (p-1).
1041 !BN_mod(rsa->dmp1, rsa->d, pm1, ctx) ||
1042 // Calculate d mod (q-1)
1043 !BN_mod(rsa->dmq1, rsa->d, qm1, ctx)) {
1044 goto bn_err;
1045 }
1046
1047 // Sanity-check that |rsa->n| has the specified size. This is implied by
1048 // |generate_prime|'s bounds.
1049 if (BN_num_bits(rsa->n) != (unsigned)bits) {
1050 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
1051 goto err;
1052 }
1053
1054 // Calculate inverse of q mod p. Note that although RSA key generation is far
1055 // from constant-time, |bn_mod_inverse_secret_prime| uses the same modular
1056 // exponentation logic as in RSA private key operations and, if the RSAZ-1024
1057 // code is enabled, will be optimized for common RSA prime sizes.
1058 if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) ||
1059 !bn_mod_inverse_secret_prime(rsa->iqmp, rsa->q, rsa->p, ctx,
1060 rsa->mont_p)) {
1061 goto bn_err;
1062 }
1063
1064 // The key generation process is complex and thus error-prone. It could be
1065 // disastrous to generate and then use a bad key so double-check that the key
1066 // makes sense.
1067 if (!RSA_check_key(rsa)) {
1068 OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
1069 goto err;
1070 }
1071
1072 ret = 1;
1073
1074 bn_err:
1075 if (!ret) {
1076 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
1077 }
1078 err:
1079 if (ctx != NULL) {
1080 BN_CTX_end(ctx);
1081 BN_CTX_free(ctx);
1082 }
1083 return ret;
1084 }
1085
RSA_generate_key_fips(RSA * rsa,int bits,BN_GENCB * cb)1086 int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) {
1087 // FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit
1088 // primes, respectively) with the prime generation method we use.
1089 if (bits != 2048 && bits != 3072) {
1090 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
1091 return 0;
1092 }
1093
1094 BIGNUM *e = BN_new();
1095 int ret = e != NULL &&
1096 BN_set_word(e, RSA_F4) &&
1097 RSA_generate_key_ex(rsa, bits, e, cb) &&
1098 RSA_check_fips(rsa);
1099 BN_free(e);
1100 return ret;
1101 }
1102
DEFINE_METHOD_FUNCTION(RSA_METHOD,RSA_default_method)1103 DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) {
1104 // All of the methods are NULL to make it easier for the compiler/linker to
1105 // drop unused functions. The wrapper functions will select the appropriate
1106 // |rsa_default_*| implementation.
1107 OPENSSL_memset(out, 0, sizeof(RSA_METHOD));
1108 out->common.is_static = 1;
1109 }
1110