Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 925fee36e1f6dcad56e60fccca5fa069e09979f7 / . / crypto / rsa / rsa_impl.c
blob: 6cc84757d3745102c5b63ac22323e47d6fcd3100 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57#include <openssl/rsa.h>
58
59#include <openssl/bn.h>
60#include <openssl/err.h>
61#include <openssl/mem.h>
62
63#include "internal.h"
64
65
66#define OPENSSL_RSA_MAX_MODULUS_BITS 16384
67#define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
68#define OPENSSL_RSA_MAX_PUBEXP_BITS \
69 64 /* exponent limit enforced for "large" modulus only */
70
71
72static int finish(RSA *rsa) {
73 if (rsa->_method_mod_n != NULL) {
74 BN_MONT_CTX_free(rsa->_method_mod_n);
75 }
76 if (rsa->_method_mod_p != NULL) {
77 BN_MONT_CTX_free(rsa->_method_mod_p);
78 }
79 if (rsa->_method_mod_q != NULL) {
80 BN_MONT_CTX_free(rsa->_method_mod_q);
81 }
82
83 return 1;
84}
85
David Benjamin925fee32014-07-11 14:14:08 -0400[diff] [blame^]86static size_t size(const RSA *rsa) {
87 return BN_num_bytes(rsa->n);
88}
89
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]90static int encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
91 const uint8_t *in, size_t in_len, int padding) {
92 const unsigned rsa_size = RSA_size(rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]93 BIGNUM *f, *result;
94 uint8_t *buf = NULL;
95 BN_CTX *ctx = NULL;
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]96 int i, ret = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]97
98 if (rsa_size > OPENSSL_RSA_MAX_MODULUS_BITS) {
99 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_MODULUS_TOO_LARGE);
100 return 0;
101 }
102
103 if (max_out < rsa_size) {
104 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
105 return 0;
106 }
107
108 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
109 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_BAD_E_VALUE);
110 return 0;
111 }
112
113 /* for large moduli, enforce exponent limit */
114 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&
115 BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
116 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_BAD_E_VALUE);
117 return 0;
118 }
119
120 ctx = BN_CTX_new();
121 if (ctx == NULL) {
122 goto err;
123 }
124
125 BN_CTX_start(ctx);
126 f = BN_CTX_get(ctx);
127 result = BN_CTX_get(ctx);
128 buf = OPENSSL_malloc(rsa_size);
129 if (!f || !result || !buf) {
130 OPENSSL_PUT_ERROR(RSA, encrypt, ERR_R_MALLOC_FAILURE);
131 goto err;
132 }
133
134 switch (padding) {
135 case RSA_PKCS1_PADDING:
136 i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);
137 break;
138 case RSA_PKCS1_OAEP_PADDING:
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]139 /* Use the default parameters: SHA-1 for both hashes and no label. */
140 i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,
141 NULL, 0, NULL, NULL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]142 break;
143 case RSA_SSLV23_PADDING:
144 i = RSA_padding_add_SSLv23(buf, rsa_size, in, in_len);
145 break;
146 case RSA_NO_PADDING:
147 i = RSA_padding_add_none(buf, rsa_size, in, in_len);
148 break;
149 default:
150 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_UNKNOWN_PADDING_TYPE);
151 goto err;
152 }
153
154 if (i <= 0) {
155 goto err;
156 }
157
158 if (BN_bin2bn(buf, rsa_size, f) == NULL) {
159 goto err;
160 }
161
162 if (BN_ucmp(f, rsa->n) >= 0) {
163 /* usually the padding functions would catch this */
164 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
165 goto err;
166 }
167
168 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
169 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
170 ctx)) {
171 goto err;
172 }
173 }
174
175 if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx, rsa->_method_mod_n)) {
176 goto err;
177 }
178
179 /* put in leading 0 bytes if the number is less than the length of the
180 * modulus */
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]181 if (!BN_bn2bin_padded(out, rsa_size, result)) {
182 OPENSSL_PUT_ERROR(RSA, encrypt, ERR_R_INTERNAL_ERROR);
183 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]184 }
185
186 *out_len = rsa_size;
187 ret = 1;
188
189err:
190 if (ctx != NULL) {
191 BN_CTX_end(ctx);
192 BN_CTX_free(ctx);
193 }
194 if (buf != NULL) {
195 OPENSSL_cleanse(buf, rsa_size);
196 OPENSSL_free(buf);
197 }
198
199 return ret;
200}
201
202/* MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
203 * RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
204 * destroyed as needed. */
205#define MAX_BLINDINGS_PER_RSA 1024
206
207/* rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
208 * allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
209 * none are free, the cache will be extended by a extra element and the new
210 * BN_BLINDING is returned.
211 *
212 * On success, the index of the assigned BN_BLINDING is written to
213 * |*index_used| and must be passed to |rsa_blinding_release| when finished. */
214static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
215 BN_CTX *ctx) {
216 BN_BLINDING *ret = NULL;
217 BN_BLINDING **new_blindings;
218 uint8_t *new_blindings_inuse;
219 char overflow = 0;
220
221 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
222 if (rsa->num_blindings > 0) {
223 unsigned i, starting_index;
224 CRYPTO_THREADID threadid;
225
226 /* We start searching the array at a value based on the
227 * threadid in order to try avoid bouncing the BN_BLINDING
228 * values around different threads. It's harmless if
229 * threadid.val is always set to zero. */
230 CRYPTO_THREADID_current(&threadid);
231 starting_index = threadid.val % rsa->num_blindings;
232
233 for (i = starting_index;;) {
234 if (rsa->blindings_inuse[i] == 0) {
235 rsa->blindings_inuse[i] = 1;
236 ret = rsa->blindings[i];
237 *index_used = i;
238 break;
239 }
240 i++;
241 if (i == rsa->num_blindings) {
242 i = 0;
243 }
244 if (i == starting_index) {
245 break;
246 }
247 }
248 }
249
250 if (ret != NULL) {
251 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
252 return ret;
253 }
254
255 overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;
256
257 /* We didn't find a free BN_BLINDING to use so increase the length of
258 * the arrays by one and use the newly created element. */
259
260 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
261 ret = rsa_setup_blinding(rsa, ctx);
262 if (ret == NULL) {
263 return NULL;
264 }
265
266 if (overflow) {
267 /* We cannot add any more cached BN_BLINDINGs so we use |ret|
268 * and mark it for destruction in |rsa_blinding_release|. */
269 *index_used = MAX_BLINDINGS_PER_RSA;
270 return ret;
271 }
272
273 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
274
275 new_blindings =
276 OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));
277 if (new_blindings == NULL) {
278 goto err1;
279 }
280 memcpy(new_blindings, rsa->blindings,
281 sizeof(BN_BLINDING *) * rsa->num_blindings);
282 new_blindings[rsa->num_blindings] = ret;
283
284 new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1);
285 if (new_blindings_inuse == NULL) {
286 goto err2;
287 }
288 memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);
289 new_blindings_inuse[rsa->num_blindings] = 1;
290 *index_used = rsa->num_blindings;
291
292 if (rsa->blindings != NULL) {
293 OPENSSL_free(rsa->blindings);
294 }
295 rsa->blindings = new_blindings;
296 if (rsa->blindings_inuse != NULL) {
297 OPENSSL_free(rsa->blindings_inuse);
298 }
299 rsa->blindings_inuse = new_blindings_inuse;
300 rsa->num_blindings++;
301
302 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
303 return ret;
304
305err2:
306 OPENSSL_free(new_blindings);
307
308err1:
309 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
310 BN_BLINDING_free(ret);
311 return NULL;
312}
313
314/* rsa_blinding_release marks the cached BN_BLINDING at the given index as free
315 * for other threads to use. */
316static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
317 unsigned blinding_index) {
318 if (blinding_index == MAX_BLINDINGS_PER_RSA) {
319 /* This blinding wasn't cached. */
320 BN_BLINDING_free(blinding);
321 return;
322 }
323
324 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
325 rsa->blindings_inuse[blinding_index] = 0;
326 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
327}
328
329/* signing */
330static int sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
331 const uint8_t *in, size_t in_len, int padding) {
332 const unsigned rsa_size = RSA_size(rsa);
333 BIGNUM *f, *result;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]334 uint8_t *buf = NULL;
335 BN_CTX *ctx = NULL;
336 unsigned blinding_index = 0;
337 BN_BLINDING *blinding = NULL;
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]338 int i, ret = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]339
340 if (max_out < rsa_size) {
341 OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
342 return 0;
343 }
344
345 ctx = BN_CTX_new();
346 if (ctx == NULL) {
347 goto err;
348 }
349 BN_CTX_start(ctx);
350 f = BN_CTX_get(ctx);
351 result = BN_CTX_get(ctx);
352 buf = OPENSSL_malloc(rsa_size);
353 if (!f || !result || !buf) {
354 OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_MALLOC_FAILURE);
355 goto err;
356 }
357
358 switch (padding) {
359 case RSA_PKCS1_PADDING:
360 i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);
361 break;
362 case RSA_NO_PADDING:
363 i = RSA_padding_add_none(buf, rsa_size, in, in_len);
364 break;
365 default:
366 OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_UNKNOWN_PADDING_TYPE);
367 goto err;
368 }
369 if (i <= 0) {
370 goto err;
371 }
372
373 if (BN_bin2bn(buf, rsa_size, f) == NULL) {
374 goto err;
375 }
376
377 if (BN_ucmp(f, rsa->n) >= 0) {
378 /* usually the padding functions would catch this */
379 OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
380 goto err;
381 }
382
383 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
384 blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
385 if (blinding == NULL) {
386 OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
387 goto err;
388 }
389 if (!BN_BLINDING_convert_ex(f, NULL, blinding, ctx)) {
390 goto err;
391 }
392 }
393
394 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
395 ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) &&
396 (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
397 if (!rsa->meth->mod_exp(result, f, rsa, ctx)) {
398 goto err;
399 }
400 } else {
401 BIGNUM local_d;
402 BIGNUM *d = NULL;
403
404 BN_init(&local_d);
405 d = &local_d;
406 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
407
408 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
409 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
410 ctx)) {
411 goto err;
412 }
413 }
414
415 if (!rsa->meth->bn_mod_exp(result, f, d, rsa->n, ctx, rsa->_method_mod_n)) {
416 goto err;
417 }
418 }
419
420 if (blinding) {
421 if (!BN_BLINDING_invert_ex(result, NULL, blinding, ctx)) {
422 goto err;
423 }
424 }
425
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]426 if (!BN_bn2bin_padded(out, rsa_size, result)) {
427 OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
428 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]429 }
430
431 *out_len = rsa_size;
432 ret = 1;
433
434err:
435 if (ctx != NULL) {
436 BN_CTX_end(ctx);
437 BN_CTX_free(ctx);
438 }
439 if (buf != NULL) {
440 OPENSSL_cleanse(buf, rsa_size);
441 OPENSSL_free(buf);
442 }
443 if (blinding != NULL) {
444 rsa_blinding_release(rsa, blinding, blinding_index);
445 }
446
447 return ret;
448}
449
450static int decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
451 const uint8_t *in, size_t in_len, int padding) {
452 const unsigned rsa_size = RSA_size(rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]453 BIGNUM *f, *result;
454 int r = -1;
455 uint8_t *buf = NULL;
456 BN_CTX *ctx = NULL;
457 unsigned blinding_index;
458 BN_BLINDING *blinding = NULL;
459 int ret = 0;
460
461 if (max_out < rsa_size) {
462 OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
463 return 0;
464 }
465
466 ctx = BN_CTX_new();
467 if (ctx == NULL) {
468 goto err;
469 }
470 BN_CTX_start(ctx);
471 f = BN_CTX_get(ctx);
472 result = BN_CTX_get(ctx);
473 buf = OPENSSL_malloc(rsa_size);
474 if (!f || !result || !buf) {
475 OPENSSL_PUT_ERROR(RSA, decrypt, ERR_R_MALLOC_FAILURE);
476 goto err;
477 }
478
479 /* This check was for equality but PGP does evil things
480 * and chops off the top '0' bytes.
481 * TODO(fork): investigate this. */
482 if (in_len > rsa_size) {
483 OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_DATA_GREATER_THAN_MOD_LEN);
484 goto err;
485 }
486
487 /* make data into a big number */
488 if (BN_bin2bn(in, (int)in_len, f) == NULL) {
489 goto err;
490 }
491
492 if (BN_ucmp(f, rsa->n) >= 0) {
493 OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
494 goto err;
495 }
496
497 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
498 blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
499 if (blinding == NULL) {
500 OPENSSL_PUT_ERROR(RSA, decrypt, ERR_R_INTERNAL_ERROR);
501 goto err;
502 }
503 if (!BN_BLINDING_convert_ex(f, NULL, blinding, ctx)) {
504 goto err;
505 }
506 }
507
508 /* do the decrypt */
509 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
510 ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) &&
511 (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
512 if (!rsa->meth->mod_exp(result, f, rsa, ctx)) {
513 goto err;
514 }
515 } else {
516 BIGNUM local_d;
517 BIGNUM *d = NULL;
518
519 d = &local_d;
520 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
521
522 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
523 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
524 ctx)) {
525 goto err;
526 }
527 }
528 if (!rsa->meth->bn_mod_exp(result, f, d, rsa->n, ctx, rsa->_method_mod_n)) {
529 goto err;
530 }
531 }
532
533 if (blinding) {
534 if (!BN_BLINDING_invert_ex(result, NULL, blinding, ctx)) {
535 goto err;
536 }
537 }
538
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]539 if (!BN_bn2bin_padded(buf, rsa_size, result)) {
540 OPENSSL_PUT_ERROR(RSA, decrypt, ERR_R_INTERNAL_ERROR);
541 goto err;
542 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]543
544 switch (padding) {
545 case RSA_PKCS1_PADDING:
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]546 r = RSA_padding_check_PKCS1_type_2(out, rsa_size, buf, rsa_size);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]547 break;
548 case RSA_PKCS1_OAEP_PADDING:
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]549 /* Use the default parameters: SHA-1 for both hashes and no label. */
550 r = RSA_padding_check_PKCS1_OAEP_mgf1(out, rsa_size, buf, rsa_size,
551 NULL, 0, NULL, NULL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]552 break;
553 case RSA_SSLV23_PADDING:
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]554 r = RSA_padding_check_SSLv23(out, rsa_size, buf, rsa_size);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]555 break;
556 case RSA_NO_PADDING:
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]557 r = RSA_padding_check_none(out, rsa_size, buf, rsa_size);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]558 break;
559 default:
560 OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_UNKNOWN_PADDING_TYPE);
561 goto err;
562 }
563
564 if (r < 0) {
565 OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_PADDING_CHECK_FAILED);
566 } else {
567 *out_len = r;
568 ret = 1;
569 }
570
571err:
572 if (ctx != NULL) {
573 BN_CTX_end(ctx);
574 BN_CTX_free(ctx);
575 }
576 if (buf != NULL) {
577 OPENSSL_cleanse(buf, rsa_size);
578 OPENSSL_free(buf);
579 }
580 if (blinding != NULL) {
581 rsa_blinding_release(rsa, blinding, blinding_index);
582 }
583
584 return ret;
585}
586
587static int verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
588 const uint8_t *in, size_t in_len, int padding) {
589 const unsigned rsa_size = RSA_size(rsa);
590 BIGNUM *f, *result;
591 int ret = 0;
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]592 int r = -1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]593 uint8_t *buf = NULL;
594 BN_CTX *ctx = NULL;
595
596 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
597 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_MODULUS_TOO_LARGE);
598 return 0;
599 }
600
601 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
602 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_BAD_E_VALUE);
603 return 0;
604 }
605
606 if (max_out < rsa_size) {
607 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
608 return 0;
609 }
610
611 /* for large moduli, enforce exponent limit */
612 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&
613 BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
614 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_BAD_E_VALUE);
615 return 0;
616 }
617
618 ctx = BN_CTX_new();
619 if (ctx == NULL) {
620 goto err;
621 }
622
623 BN_CTX_start(ctx);
624 f = BN_CTX_get(ctx);
625 result = BN_CTX_get(ctx);
626 buf = OPENSSL_malloc(rsa_size);
627 if (!f || !result || !buf) {
628 OPENSSL_PUT_ERROR(RSA, verify_raw, ERR_R_MALLOC_FAILURE);
629 goto err;
630 }
631
632 /* This check was for equality but PGP does evil things
633 * and chops off the top '0' bytes.
634 * TODO(fork): investigate */
635 if (in_len > rsa_size) {
636 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_DATA_GREATER_THAN_MOD_LEN);
637 goto err;
638 }
639
640 if (BN_bin2bn(in, in_len, f) == NULL) {
641 goto err;
642 }
643
644 if (BN_ucmp(f, rsa->n) >= 0) {
645 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
646 goto err;
647 }
648
649 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
650 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
651 ctx)) {
652 goto err;
653 }
654 }
655
656 if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx,
657 rsa->_method_mod_n)) {
658 goto err;
659 }
660
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]661 if (!BN_bn2bin_padded(buf, rsa_size, result)) {
662 OPENSSL_PUT_ERROR(RSA, verify_raw, ERR_R_INTERNAL_ERROR);
663 goto err;
664 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]665
666 switch (padding) {
667 case RSA_PKCS1_PADDING:
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]668 r = RSA_padding_check_PKCS1_type_1(out, rsa_size, buf, rsa_size);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]669 break;
670 case RSA_NO_PADDING:
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]671 r = RSA_padding_check_none(out, rsa_size, buf, rsa_size);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]672 break;
673 default:
674 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_UNKNOWN_PADDING_TYPE);
675 goto err;
676 }
677
678 if (r < 0) {
679 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_PADDING_CHECK_FAILED);
680 } else {
681 *out_len = r;
682 ret = 1;
683 }
684
685err:
686 if (ctx != NULL) {
687 BN_CTX_end(ctx);
688 BN_CTX_free(ctx);
689 }
690 if (buf != NULL) {
691 OPENSSL_cleanse(buf, rsa_size);
692 OPENSSL_free(buf);
693 }
694 return ret;
695}
696
697static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
698 BIGNUM *r1, *m1, *vrfy;
699 BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
700 BIGNUM *dmp1, *dmq1, *c, *pr1;
701 int ret = 0;
702
703 BN_CTX_start(ctx);
704 r1 = BN_CTX_get(ctx);
705 m1 = BN_CTX_get(ctx);
706 vrfy = BN_CTX_get(ctx);
707
708 {
709 BIGNUM local_p, local_q;
710 BIGNUM *p = NULL, *q = NULL;
711
712 /* Make sure BN_mod_inverse in Montgomery intialization uses the
713 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) */
714 BN_init(&local_p);
715 p = &local_p;
716 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
717
718 BN_init(&local_q);
719 q = &local_q;
720 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
721
722 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
723 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) {
724 goto err;
725 }
726 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) {
727 goto err;
728 }
729 }
730 }
731
732 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
733 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
734 ctx)) {
735 goto err;
736 }
737 }
738
739 /* compute I mod q */
740 c = &local_c;
741 BN_with_flags(c, I, BN_FLG_CONSTTIME);
742 if (!BN_mod(r1, c, rsa->q, ctx)) {
743 goto err;
744 }
745
746 /* compute r1^dmq1 mod q */
747 dmq1 = &local_dmq1;
748 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
749 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) {
750 goto err;
751 }
752
753 /* compute I mod p */
754 c = &local_c;
755 BN_with_flags(c, I, BN_FLG_CONSTTIME);
756 if (!BN_mod(r1, c, rsa->p, ctx)) {
757 goto err;
758 }
759
760 /* compute r1^dmp1 mod p */
761 dmp1 = &local_dmp1;
762 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
763 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) {
764 goto err;
765 }
766
767 if (!BN_sub(r0, r0, m1)) {
768 goto err;
769 }
770 /* This will help stop the size of r0 increasing, which does
771 * affect the multiply if it optimised for a power of 2 size */
772 if (BN_is_negative(r0)) {
773 if (!BN_add(r0, r0, rsa->p)) {
774 goto err;
775 }
776 }
777
778 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) {
779 goto err;
780 }
781
782 /* Turn BN_FLG_CONSTTIME flag on before division operation */
783 pr1 = &local_r1;
784 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
785
786 if (!BN_mod(r0, pr1, rsa->p, ctx)) {
787 goto err;
788 }
789
790 /* If p < q it is occasionally possible for the correction of
791 * adding 'p' if r0 is negative above to leave the result still
792 * negative. This can break the private key operations: the following
793 * second correction should *always* correct this rare occurrence.
794 * This will *never* happen with OpenSSL generated keys because
795 * they ensure p > q [steve] */
796 if (BN_is_negative(r0)) {
797 if (!BN_add(r0, r0, rsa->p)) {
798 goto err;
799 }
800 }
801 if (!BN_mul(r1, r0, rsa->q, ctx)) {
802 goto err;
803 }
804 if (!BN_add(r0, r1, m1)) {
805 goto err;
806 }
807
808 if (rsa->e && rsa->n) {
809 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
810 rsa->_method_mod_n)) {
811 goto err;
812 }
813 /* If 'I' was greater than (or equal to) rsa->n, the operation
814 * will be equivalent to using 'I mod n'. However, the result of
815 * the verify will *always* be less than 'n' so we don't check
816 * for absolute equality, just congruency. */
817 if (!BN_sub(vrfy, vrfy, I)) {
818 goto err;
819 }
820 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) {
821 goto err;
822 }
823 if (BN_is_negative(vrfy)) {
824 if (!BN_add(vrfy, vrfy, rsa->n)) {
825 goto err;
826 }
827 }
828 if (!BN_is_zero(vrfy)) {
829 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
830 * miscalculated CRT output, just do a raw (slower)
831 * mod_exp and return that instead. */
832
833 BIGNUM local_d;
834 BIGNUM *d = NULL;
835
836 d = &local_d;
837 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
838 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, rsa->_method_mod_n)) {
839 goto err;
840 }
841 }
842 }
843 ret = 1;
844
845err:
846 BN_CTX_end(ctx);
847 return ret;
848}
849
850static int keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
851 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
852 BIGNUM local_r0, local_d, local_p;
853 BIGNUM *pr0, *d, *p;
854 int bitsp, bitsq, ok = -1, n = 0;
855 BN_CTX *ctx = NULL;
856
857 ctx = BN_CTX_new();
858 if (ctx == NULL) {
859 goto err;
860 }
861 BN_CTX_start(ctx);
862 r0 = BN_CTX_get(ctx);
863 r1 = BN_CTX_get(ctx);
864 r2 = BN_CTX_get(ctx);
865 r3 = BN_CTX_get(ctx);
866 if (r3 == NULL) {
867 goto err;
868 }
869
870 bitsp = (bits + 1) / 2;
871 bitsq = bits - bitsp;
872
873 /* We need the RSA components non-NULL */
874 if (!rsa->n && ((rsa->n = BN_new()) == NULL))
875 goto err;
876 if (!rsa->d && ((rsa->d = BN_new()) == NULL))
877 goto err;
878 if (!rsa->e && ((rsa->e = BN_new()) == NULL))
879 goto err;
880 if (!rsa->p && ((rsa->p = BN_new()) == NULL))
881 goto err;
882 if (!rsa->q && ((rsa->q = BN_new()) == NULL))
883 goto err;
884 if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
885 goto err;
886 if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
887 goto err;
888 if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
889 goto err;
890
891 BN_copy(rsa->e, e_value);
892
893 /* generate p and q */
894 for (;;) {
895 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
896 goto err;
897 if (!BN_sub(r2, rsa->p, BN_value_one()))
898 goto err;
899 if (!BN_gcd(r1, r2, rsa->e, ctx))
900 goto err;
901 if (BN_is_one(r1))
902 break;
903 if (!BN_GENCB_call(cb, 2, n++))
904 goto err;
905 }
906 if (!BN_GENCB_call(cb, 3, 0))
907 goto err;
908 for (;;) {
909 /* When generating ridiculously small keys, we can get stuck
910 * continually regenerating the same prime values. Check for
911 * this and bail if it happens 3 times. */
912 unsigned int degenerate = 0;
913 do {
914 if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
915 goto err;
916 } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
917 if (degenerate == 3) {
918 ok = 0; /* we set our own err */
919 OPENSSL_PUT_ERROR(RSA, keygen, RSA_R_KEY_SIZE_TOO_SMALL);
920 goto err;
921 }
922 if (!BN_sub(r2, rsa->q, BN_value_one()))
923 goto err;
924 if (!BN_gcd(r1, r2, rsa->e, ctx))
925 goto err;
926 if (BN_is_one(r1))
927 break;
928 if (!BN_GENCB_call(cb, 2, n++))
929 goto err;
930 }
931 if (!BN_GENCB_call(cb, 3, 1))
932 goto err;
933 if (BN_cmp(rsa->p, rsa->q) < 0) {
934 tmp = rsa->p;
935 rsa->p = rsa->q;
936 rsa->q = tmp;
937 }
938
939 /* calculate n */
940 if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
941 goto err;
942
943 /* calculate d */
944 if (!BN_sub(r1, rsa->p, BN_value_one()))
945 goto err; /* p-1 */
946 if (!BN_sub(r2, rsa->q, BN_value_one()))
947 goto err; /* q-1 */
948 if (!BN_mul(r0, r1, r2, ctx))
949 goto err; /* (p-1)(q-1) */
950 pr0 = &local_r0;
951 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
952 if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
953 goto err; /* d */
954
955 /* set up d for correct BN_FLG_CONSTTIME flag */
956 d = &local_d;
957 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
958
959 /* calculate d mod (p-1) */
960 if (!BN_mod(rsa->dmp1, d, r1, ctx))
961 goto err;
962
963 /* calculate d mod (q-1) */
964 if (!BN_mod(rsa->dmq1, d, r2, ctx))
965 goto err;
966
967 /* calculate inverse of q mod p */
968 p = &local_p;
969 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
970
971 if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
972 goto err;
973
974 ok = 1;
975
976err:
977 if (ok == -1) {
978 OPENSSL_PUT_ERROR(RSA, keygen, ERR_LIB_BN);
979 ok = 0;
980 }
981 if (ctx != NULL) {
982 BN_CTX_end(ctx);
983 BN_CTX_free(ctx);
984 }
985
986 return ok;
987}
988
989const struct rsa_meth_st RSA_default_method = {
990 {
991 0 /* references */,
992 1 /* is_static */,
993 },
994 NULL /* app_data */,
995
996 NULL /* init */,
997 finish,
998
David Benjamin925fee32014-07-11 14:14:08 -0400[diff] [blame^]999 size,
1000
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1001 NULL /* sign */,
1002 NULL /* verify */,
1003
1004 encrypt,
1005 sign_raw,
1006 decrypt,
1007 verify_raw,
1008
1009 mod_exp /* mod_exp */,
1010 BN_mod_exp_mont /* bn_mod_exp */,
1011
1012 RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE,
1013
1014 keygen,
1015};