Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / b0ad3d74dbcde34bf099d25d86395088b12aba8b / . / crypto / rsa / rsa_impl.c
blob: e385e603848d1e16cfaa9a8494ecf11eef8f9788 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57#include <openssl/rsa.h>
58
David Benjamincfa9de82016-03-14 14:19:41 -0400[diff] [blame]59#include <assert.h>
Adam Langley2b2d66d2015-01-30 17:08:37 -0800[diff] [blame]60#include <string.h>
61
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]62#include <openssl/bn.h>
63#include <openssl/err.h>
64#include <openssl/mem.h>
Brian Smith054e6822015-03-27 21:12:01 -1000[diff] [blame]65#include <openssl/thread.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]66
67#include "internal.h"
David Benjamin0b8dc302016-12-17 14:27:16 -0500[diff] [blame]68#include "../bn/internal.h"
Adam Langley683d7bd2015-04-13 11:04:14 -0700[diff] [blame]69#include "../internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
71
Brian Smith625475f2016-01-12 10:47:25 -1000[diff] [blame]72static int check_modulus_and_exponent_sizes(const RSA *rsa) {
73 unsigned rsa_bits = BN_num_bits(rsa->n);
David Benjamincfa9de82016-03-14 14:19:41 -0400[diff] [blame]74
Brian Smith625475f2016-01-12 10:47:25 -1000[diff] [blame]75 if (rsa_bits > 16 * 1024) {
76 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
77 return 0;
78 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]79
David Benjamincfa9de82016-03-14 14:19:41 -0400[diff] [blame]80 /* Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as
81 * the limit based on the recommendations in [1] and [2]. Windows CryptoAPI
82 * doesn't support values larger than 32 bits [3], so it is unlikely that
83 * exponents larger than 32 bits are being used for anything Windows commonly
84 * does.
85 *
86 * [1] https://www.imperialviolet.org/2012/03/16/rsae.html
87 * [2] https://www.imperialviolet.org/2012/03/17/rsados.html
88 * [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx */
89 static const unsigned kMaxExponentBits = 33;
90
91 if (BN_num_bits(rsa->e) > kMaxExponentBits) {
Brian Smith625475f2016-01-12 10:47:25 -1000[diff] [blame]92 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
93 return 0;
94 }
95
David Benjamincfa9de82016-03-14 14:19:41 -0400[diff] [blame]96 /* Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small
97 * shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits|
98 * is much smaller than the minimum RSA key size that any application should
99 * accept. */
100 if (rsa_bits <= kMaxExponentBits) {
101 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
Brian Smith625475f2016-01-12 10:47:25 -1000[diff] [blame]102 return 0;
103 }
David Benjamincfa9de82016-03-14 14:19:41 -0400[diff] [blame]104 assert(BN_ucmp(rsa->n, rsa->e) > 0);
Brian Smith625475f2016-01-12 10:47:25 -1000[diff] [blame]105
106 return 1;
107}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]108
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]109size_t rsa_default_size(const RSA *rsa) {
David Benjamin925fee32014-07-11 14:14:08 -0400[diff] [blame]110 return BN_num_bytes(rsa->n);
111}
112
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]113int rsa_default_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
114 const uint8_t *in, size_t in_len, int padding) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]115 const unsigned rsa_size = RSA_size(rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]116 BIGNUM *f, *result;
117 uint8_t *buf = NULL;
118 BN_CTX *ctx = NULL;
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]119 int i, ret = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]120
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]121 if (max_out < rsa_size) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]122 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]123 return 0;
124 }
125
Brian Smith625475f2016-01-12 10:47:25 -1000[diff] [blame]126 if (!check_modulus_and_exponent_sizes(rsa)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]127 return 0;
128 }
129
130 ctx = BN_CTX_new();
131 if (ctx == NULL) {
132 goto err;
133 }
134
135 BN_CTX_start(ctx);
136 f = BN_CTX_get(ctx);
137 result = BN_CTX_get(ctx);
138 buf = OPENSSL_malloc(rsa_size);
139 if (!f || !result || !buf) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]140 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]141 goto err;
142 }
143
144 switch (padding) {
145 case RSA_PKCS1_PADDING:
146 i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);
147 break;
148 case RSA_PKCS1_OAEP_PADDING:
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]149 /* Use the default parameters: SHA-1 for both hashes and no label. */
150 i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,
151 NULL, 0, NULL, NULL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]152 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]153 case RSA_NO_PADDING:
154 i = RSA_padding_add_none(buf, rsa_size, in, in_len);
155 break;
156 default:
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]157 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]158 goto err;
159 }
160
161 if (i <= 0) {
162 goto err;
163 }
164
165 if (BN_bin2bn(buf, rsa_size, f) == NULL) {
166 goto err;
167 }
168
169 if (BN_ucmp(f, rsa->n) >= 0) {
170 /* usually the padding functions would catch this */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]171 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]172 goto err;
173 }
174
Brian Smithd0357302016-03-25 10:11:04 -1000[diff] [blame]175 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
Brian Smith24493a42016-03-25 09:12:48 -1000[diff] [blame]176 !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]177 goto err;
178 }
179
180 /* put in leading 0 bytes if the number is less than the length of the
181 * modulus */
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]182 if (!BN_bn2bin_padded(out, rsa_size, result)) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]183 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]184 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]185 }
186
187 *out_len = rsa_size;
188 ret = 1;
189
190err:
191 if (ctx != NULL) {
192 BN_CTX_end(ctx);
193 BN_CTX_free(ctx);
194 }
195 if (buf != NULL) {
196 OPENSSL_cleanse(buf, rsa_size);
197 OPENSSL_free(buf);
198 }
199
200 return ret;
201}
202
203/* MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
204 * RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
205 * destroyed as needed. */
206#define MAX_BLINDINGS_PER_RSA 1024
207
208/* rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
209 * allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
210 * none are free, the cache will be extended by a extra element and the new
211 * BN_BLINDING is returned.
212 *
213 * On success, the index of the assigned BN_BLINDING is written to
214 * |*index_used| and must be passed to |rsa_blinding_release| when finished. */
215static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
216 BN_CTX *ctx) {
Brian Smith3426d102016-03-17 16:10:04 -1000[diff] [blame]217 assert(ctx != NULL);
Brian Smithcbf56a52016-03-21 11:25:39 -1000[diff] [blame]218 assert(rsa->mont_n != NULL);
219
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]220 BN_BLINDING *ret = NULL;
221 BN_BLINDING **new_blindings;
222 uint8_t *new_blindings_inuse;
223 char overflow = 0;
224
Adam Langley683d7bd2015-04-13 11:04:14 -0700[diff] [blame]225 CRYPTO_MUTEX_lock_write(&rsa->lock);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]226
Adam Langley33672732015-03-31 18:55:53 -0700[diff] [blame]227 unsigned i;
228 for (i = 0; i < rsa->num_blindings; i++) {
229 if (rsa->blindings_inuse[i] == 0) {
230 rsa->blindings_inuse[i] = 1;
231 ret = rsa->blindings[i];
232 *index_used = i;
233 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]234 }
235 }
236
237 if (ret != NULL) {
David Benjamin29270de2016-05-24 15:28:36 +0000[diff] [blame]238 CRYPTO_MUTEX_unlock_write(&rsa->lock);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]239 return ret;
240 }
241
242 overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;
243
244 /* We didn't find a free BN_BLINDING to use so increase the length of
245 * the arrays by one and use the newly created element. */
246
David Benjamin29270de2016-05-24 15:28:36 +0000[diff] [blame]247 CRYPTO_MUTEX_unlock_write(&rsa->lock);
Brian Smith86361a32016-03-26 19:42:31 -1000[diff] [blame]248 ret = BN_BLINDING_new();
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]249 if (ret == NULL) {
250 return NULL;
251 }
252
253 if (overflow) {
254 /* We cannot add any more cached BN_BLINDINGs so we use |ret|
255 * and mark it for destruction in |rsa_blinding_release|. */
256 *index_used = MAX_BLINDINGS_PER_RSA;
257 return ret;
258 }
259
Adam Langley683d7bd2015-04-13 11:04:14 -0700[diff] [blame]260 CRYPTO_MUTEX_lock_write(&rsa->lock);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]261
262 new_blindings =
263 OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));
264 if (new_blindings == NULL) {
265 goto err1;
266 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]267 OPENSSL_memcpy(new_blindings, rsa->blindings,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]268 sizeof(BN_BLINDING *) * rsa->num_blindings);
269 new_blindings[rsa->num_blindings] = ret;
270
271 new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1);
272 if (new_blindings_inuse == NULL) {
273 goto err2;
274 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]275 OPENSSL_memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]276 new_blindings_inuse[rsa->num_blindings] = 1;
277 *index_used = rsa->num_blindings;
278
David Benjamind8b65c82015-04-22 16:09:09 -0400[diff] [blame]279 OPENSSL_free(rsa->blindings);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]280 rsa->blindings = new_blindings;
David Benjamind8b65c82015-04-22 16:09:09 -0400[diff] [blame]281 OPENSSL_free(rsa->blindings_inuse);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]282 rsa->blindings_inuse = new_blindings_inuse;
283 rsa->num_blindings++;
284
David Benjamin29270de2016-05-24 15:28:36 +0000[diff] [blame]285 CRYPTO_MUTEX_unlock_write(&rsa->lock);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]286 return ret;
287
288err2:
289 OPENSSL_free(new_blindings);
290
291err1:
David Benjamin29270de2016-05-24 15:28:36 +0000[diff] [blame]292 CRYPTO_MUTEX_unlock_write(&rsa->lock);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]293 BN_BLINDING_free(ret);
294 return NULL;
295}
296
297/* rsa_blinding_release marks the cached BN_BLINDING at the given index as free
298 * for other threads to use. */
299static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
300 unsigned blinding_index) {
301 if (blinding_index == MAX_BLINDINGS_PER_RSA) {
302 /* This blinding wasn't cached. */
303 BN_BLINDING_free(blinding);
304 return;
305 }
306
Adam Langley683d7bd2015-04-13 11:04:14 -0700[diff] [blame]307 CRYPTO_MUTEX_lock_write(&rsa->lock);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]308 rsa->blindings_inuse[blinding_index] = 0;
David Benjamin29270de2016-05-24 15:28:36 +0000[diff] [blame]309 CRYPTO_MUTEX_unlock_write(&rsa->lock);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]310}
311
312/* signing */
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]313int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
314 size_t max_out, const uint8_t *in, size_t in_len,
315 int padding) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]316 const unsigned rsa_size = RSA_size(rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]317 uint8_t *buf = NULL;
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]318 int i, ret = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]319
320 if (max_out < rsa_size) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]321 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]322 return 0;
323 }
324
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]325 buf = OPENSSL_malloc(rsa_size);
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]326 if (buf == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]327 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]328 goto err;
329 }
330
331 switch (padding) {
332 case RSA_PKCS1_PADDING:
333 i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);
334 break;
335 case RSA_NO_PADDING:
336 i = RSA_padding_add_none(buf, rsa_size, in, in_len);
337 break;
338 default:
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]339 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]340 goto err;
341 }
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]342
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]343 if (i <= 0) {
344 goto err;
345 }
346
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]347 if (!RSA_private_transform(rsa, out, buf, rsa_size)) {
Adam Langley5f5bf6f2015-02-24 13:49:41 -0800[diff] [blame]348 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]349 }
350
351 *out_len = rsa_size;
352 ret = 1;
353
354err:
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]355 if (buf != NULL) {
356 OPENSSL_cleanse(buf, rsa_size);
357 OPENSSL_free(buf);
358 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]359
360 return ret;
361}
362
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]363int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
364 const uint8_t *in, size_t in_len, int padding) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]365 const unsigned rsa_size = RSA_size(rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]366 uint8_t *buf = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]367 int ret = 0;
368
369 if (max_out < rsa_size) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]370 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]371 return 0;
372 }
373
David Benjamin74279b62014-07-24 13:09:19 -0400[diff] [blame]374 if (padding == RSA_NO_PADDING) {
375 buf = out;
376 } else {
377 /* Allocate a temporary buffer to hold the padded plaintext. */
378 buf = OPENSSL_malloc(rsa_size);
379 if (buf == NULL) {
380 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
381 goto err;
382 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]383 }
384
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]385 if (in_len != rsa_size) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]386 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]387 goto err;
388 }
389
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]390 if (!RSA_private_transform(rsa, buf, in, rsa_size)) {
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]391 goto err;
392 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]393
394 switch (padding) {
395 case RSA_PKCS1_PADDING:
David Benjaminb0ad3d72017-03-16 13:15:31 -0400[diff] [blame^]396 ret =
397 RSA_padding_check_PKCS1_type_2(out, out_len, rsa_size, buf, rsa_size);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]398 break;
399 case RSA_PKCS1_OAEP_PADDING:
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]400 /* Use the default parameters: SHA-1 for both hashes and no label. */
David Benjaminb0ad3d72017-03-16 13:15:31 -0400[diff] [blame^]401 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, out_len, rsa_size, buf,
402 rsa_size, NULL, 0, NULL, NULL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]403 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]404 case RSA_NO_PADDING:
David Benjaminb0ad3d72017-03-16 13:15:31 -0400[diff] [blame^]405 *out_len = rsa_size;
406 ret = 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]407 break;
408 default:
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]409 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]410 goto err;
411 }
412
David Benjaminb0ad3d72017-03-16 13:15:31 -0400[diff] [blame^]413 if (!ret) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]414 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]415 }
416
417err:
David Benjamin74279b62014-07-24 13:09:19 -0400[diff] [blame]418 if (padding != RSA_NO_PADDING && buf != NULL) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]419 OPENSSL_cleanse(buf, rsa_size);
420 OPENSSL_free(buf);
421 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]422
423 return ret;
424}
425
Brian Smithf08c1c62016-03-25 13:24:46 -1000[diff] [blame]426static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
427
Brian Smithc0b196d2016-03-04 08:54:07 -1000[diff] [blame]428int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
429 const uint8_t *in, size_t in_len, int padding) {
430 if (rsa->n == NULL || rsa->e == NULL) {
431 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
432 return 0;
433 }
434
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]435 const unsigned rsa_size = RSA_size(rsa);
436 BIGNUM *f, *result;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]437
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]438 if (max_out < rsa_size) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]439 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]440 return 0;
441 }
442
Brian Smith99022622016-03-04 09:20:07 -1000[diff] [blame]443 if (in_len != rsa_size) {
444 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
445 return 0;
446 }
447
Brian Smith625475f2016-01-12 10:47:25 -1000[diff] [blame]448 if (!check_modulus_and_exponent_sizes(rsa)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]449 return 0;
450 }
451
Brian Smith2a920312016-03-04 13:42:47 -1000[diff] [blame]452 BN_CTX *ctx = BN_CTX_new();
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]453 if (ctx == NULL) {
Brian Smith2a920312016-03-04 13:42:47 -1000[diff] [blame]454 return 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]455 }
456
Brian Smith2a920312016-03-04 13:42:47 -1000[diff] [blame]457 int ret = 0;
458 uint8_t *buf = NULL;
459
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]460 BN_CTX_start(ctx);
461 f = BN_CTX_get(ctx);
462 result = BN_CTX_get(ctx);
Brian Smith2a920312016-03-04 13:42:47 -1000[diff] [blame]463 if (f == NULL || result == NULL) {
464 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
465 goto err;
466 }
467
David Benjamin74279b62014-07-24 13:09:19 -0400[diff] [blame]468 if (padding == RSA_NO_PADDING) {
469 buf = out;
470 } else {
471 /* Allocate a temporary buffer to hold the padded plaintext. */
472 buf = OPENSSL_malloc(rsa_size);
473 if (buf == NULL) {
474 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
475 goto err;
476 }
477 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]478
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]479 if (BN_bin2bn(in, in_len, f) == NULL) {
480 goto err;
481 }
482
483 if (BN_ucmp(f, rsa->n) >= 0) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]484 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]485 goto err;
486 }
487
Brian Smithd0357302016-03-25 10:11:04 -1000[diff] [blame]488 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
Brian Smith24493a42016-03-25 09:12:48 -1000[diff] [blame]489 !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]490 goto err;
491 }
492
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]493 if (!BN_bn2bin_padded(buf, rsa_size, result)) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]494 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
Adam Langley6887edb2014-06-20 12:00:00 -0700[diff] [blame]495 goto err;
496 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]497
498 switch (padding) {
499 case RSA_PKCS1_PADDING:
David Benjamin43ea2042017-03-16 11:54:11 -0400[diff] [blame]500 ret =
501 RSA_padding_check_PKCS1_type_1(out, out_len, rsa_size, buf, rsa_size);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]502 break;
503 case RSA_NO_PADDING:
David Benjamin43ea2042017-03-16 11:54:11 -0400[diff] [blame]504 ret = 1;
505 *out_len = rsa_size;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]506 break;
507 default:
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]508 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]509 goto err;
510 }
511
David Benjamin43ea2042017-03-16 11:54:11 -0400[diff] [blame]512 if (!ret) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]513 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
David Benjamin43ea2042017-03-16 11:54:11 -0400[diff] [blame]514 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]515 }
516
517err:
Brian Smith2a920312016-03-04 13:42:47 -1000[diff] [blame]518 BN_CTX_end(ctx);
519 BN_CTX_free(ctx);
520 if (buf != out) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]521 OPENSSL_free(buf);
522 }
523 return ret;
524}
525
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]526int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
527 size_t len) {
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]528 BIGNUM *f, *result;
529 BN_CTX *ctx = NULL;
530 unsigned blinding_index = 0;
531 BN_BLINDING *blinding = NULL;
532 int ret = 0;
533
534 ctx = BN_CTX_new();
535 if (ctx == NULL) {
536 goto err;
537 }
538 BN_CTX_start(ctx);
539 f = BN_CTX_get(ctx);
540 result = BN_CTX_get(ctx);
541
542 if (f == NULL || result == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]543 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]544 goto err;
545 }
546
547 if (BN_bin2bn(in, len, f) == NULL) {
548 goto err;
549 }
550
551 if (BN_ucmp(f, rsa->n) >= 0) {
552 /* Usually the padding functions would catch this. */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]553 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]554 goto err;
555 }
556
Brian Smith86080c32016-03-25 12:23:16 -1000[diff] [blame]557 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
558 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
559 goto err;
560 }
561
Brian Smith598e55a2016-03-26 20:17:37 -1000[diff] [blame]562 /* We cannot do blinding or verification without |e|, and continuing without
563 * those countermeasures is dangerous. However, the Java/Android RSA API
564 * requires support for keys where only |d| and |n| (and not |e|) are known.
565 * The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|. */
566 int disable_security = (rsa->flags & RSA_FLAG_NO_BLINDING) && rsa->e == NULL;
567
568 if (!disable_security) {
Brian Smith86361a32016-03-26 19:42:31 -1000[diff] [blame]569 /* Keys without public exponents must have blinding explicitly disabled to
570 * be used. */
571 if (rsa->e == NULL) {
572 OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT);
573 goto err;
574 }
575
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]576 blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
577 if (blinding == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]578 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]579 goto err;
580 }
Brian Smith86361a32016-03-26 19:42:31 -1000[diff] [blame]581 if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx)) {
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]582 goto err;
583 }
584 }
585
Brian Smith51b0d5b2016-03-25 13:15:39 -1000[diff] [blame]586 if (rsa->p != NULL && rsa->q != NULL && rsa->e != NULL && rsa->dmp1 != NULL &&
587 rsa->dmq1 != NULL && rsa->iqmp != NULL) {
Brian Smithf08c1c62016-03-25 13:24:46 -1000[diff] [blame]588 if (!mod_exp(result, f, rsa, ctx)) {
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]589 goto err;
590 }
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]591 } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d, rsa->n, ctx,
592 rsa->mont_n)) {
593 goto err;
Brian Smith86080c32016-03-25 12:23:16 -1000[diff] [blame]594 }
595
596 /* Verify the result to protect against fault attacks as described in the
597 * 1997 paper "On the Importance of Checking Cryptographic Protocols for
598 * Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some
599 * implementations do this only when the CRT is used, but we do it in all
600 * cases. Section 6 of the aforementioned paper describes an attack that
601 * works when the CRT isn't used. That attack is much less likely to succeed
602 * than the CRT attack, but there have likely been improvements since 1997.
603 *
Brian Smith598e55a2016-03-26 20:17:37 -1000[diff] [blame]604 * This check is cheap assuming |e| is small; it almost always is. */
605 if (!disable_security) {
Brian Smith86080c32016-03-25 12:23:16 -1000[diff] [blame]606 BIGNUM *vrfy = BN_CTX_get(ctx);
607 if (vrfy == NULL ||
608 !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) ||
609 !BN_equal_consttime(vrfy, f)) {
610 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]611 goto err;
612 }
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]613
Brian Smith3426d102016-03-17 16:10:04 -1000[diff] [blame]614 if (!BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) {
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]615 goto err;
616 }
617 }
618
619 if (!BN_bn2bin_padded(out, len, result)) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]620 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]621 goto err;
622 }
623
624 ret = 1;
625
626err:
627 if (ctx != NULL) {
628 BN_CTX_end(ctx);
629 BN_CTX_free(ctx);
630 }
631 if (blinding != NULL) {
632 rsa_blinding_release(rsa, blinding, blinding_index);
633 }
634
635 return ret;
636}
637
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]638static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
Brian Smithf08c1c62016-03-25 13:24:46 -1000[diff] [blame]639 assert(ctx != NULL);
640
Brian Smith51b0d5b2016-03-25 13:15:39 -1000[diff] [blame]641 assert(rsa->n != NULL);
642 assert(rsa->e != NULL);
643 assert(rsa->d != NULL);
644 assert(rsa->p != NULL);
645 assert(rsa->q != NULL);
646 assert(rsa->dmp1 != NULL);
647 assert(rsa->dmq1 != NULL);
648 assert(rsa->iqmp != NULL);
649
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]650 BIGNUM *r1, *m1, *vrfy;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]651 int ret = 0;
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]652 size_t i, num_additional_primes = 0;
653
654 if (rsa->additional_primes != NULL) {
655 num_additional_primes = sk_RSA_additional_prime_num(rsa->additional_primes);
656 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]657
658 BN_CTX_start(ctx);
659 r1 = BN_CTX_get(ctx);
660 m1 = BN_CTX_get(ctx);
661 vrfy = BN_CTX_get(ctx);
Brian Smith7cf60852016-03-19 22:39:37 -1000[diff] [blame]662 if (r1 == NULL ||
663 m1 == NULL ||
664 vrfy == NULL) {
665 goto err;
666 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]667
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]668 if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) ||
669 !BN_MONT_CTX_set_locked(&rsa->mont_q, &rsa->lock, rsa->q, ctx)) {
670 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]671 }
672
Brian Smithd0357302016-03-25 10:11:04 -1000[diff] [blame]673 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
Brian Smith24493a42016-03-25 09:12:48 -1000[diff] [blame]674 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]675 }
676
677 /* compute I mod q */
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]678 if (!BN_mod(r1, I, rsa->q, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]679 goto err;
680 }
681
682 /* compute r1^dmq1 mod q */
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]683 if (!BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1, rsa->q, ctx, rsa->mont_q)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]684 goto err;
685 }
686
687 /* compute I mod p */
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]688 if (!BN_mod(r1, I, rsa->p, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]689 goto err;
690 }
691
692 /* compute r1^dmp1 mod p */
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]693 if (!BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1, rsa->p, ctx, rsa->mont_p)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]694 goto err;
695 }
696
697 if (!BN_sub(r0, r0, m1)) {
698 goto err;
699 }
700 /* This will help stop the size of r0 increasing, which does
701 * affect the multiply if it optimised for a power of 2 size */
702 if (BN_is_negative(r0)) {
703 if (!BN_add(r0, r0, rsa->p)) {
704 goto err;
705 }
706 }
707
708 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) {
709 goto err;
710 }
711
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]712 if (!BN_mod(r0, r1, rsa->p, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]713 goto err;
714 }
715
716 /* If p < q it is occasionally possible for the correction of
717 * adding 'p' if r0 is negative above to leave the result still
718 * negative. This can break the private key operations: the following
719 * second correction should *always* correct this rare occurrence.
720 * This will *never* happen with OpenSSL generated keys because
721 * they ensure p > q [steve] */
722 if (BN_is_negative(r0)) {
723 if (!BN_add(r0, r0, rsa->p)) {
724 goto err;
725 }
726 }
727 if (!BN_mul(r1, r0, rsa->q, ctx)) {
728 goto err;
729 }
730 if (!BN_add(r0, r1, m1)) {
731 goto err;
732 }
733
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]734 for (i = 0; i < num_additional_primes; i++) {
735 /* multi-prime RSA. */
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]736 RSA_additional_prime *ap =
737 sk_RSA_additional_prime_value(rsa->additional_primes, i);
738
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]739 /* c will already point to a BIGNUM with the correct flags. */
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]740 if (!BN_mod(r1, I, ap->prime, ctx)) {
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]741 goto err;
742 }
743
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]744 if (!BN_MONT_CTX_set_locked(&ap->mont, &rsa->lock, ap->prime, ctx) ||
745 !BN_mod_exp_mont_consttime(m1, r1, ap->exp, ap->prime, ctx, ap->mont)) {
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]746 goto err;
747 }
748
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]749 if (!BN_sub(m1, m1, r0) ||
750 !BN_mul(m1, m1, ap->coeff, ctx) ||
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]751 !BN_mod(m1, m1, ap->prime, ctx) ||
752 (BN_is_negative(m1) && !BN_add(m1, m1, ap->prime)) ||
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]753 !BN_mul(m1, m1, ap->r, ctx) ||
754 !BN_add(r0, r0, m1)) {
755 goto err;
756 }
757 }
758
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]759 ret = 1;
760
761err:
762 BN_CTX_end(ctx);
763 return ret;
764}
765
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]766int rsa_default_multi_prime_keygen(RSA *rsa, int bits, int num_primes,
767 BIGNUM *e_value, BN_GENCB *cb) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]768 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]769 int prime_bits, ok = -1, n = 0, i, j;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]770 BN_CTX *ctx = NULL;
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]771 STACK_OF(RSA_additional_prime) *additional_primes = NULL;
772
773 if (num_primes < 2) {
774 ok = 0; /* we set our own err */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]775 OPENSSL_PUT_ERROR(RSA, RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES);
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]776 goto err;
777 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]778
779 ctx = BN_CTX_new();
780 if (ctx == NULL) {
781 goto err;
782 }
783 BN_CTX_start(ctx);
784 r0 = BN_CTX_get(ctx);
785 r1 = BN_CTX_get(ctx);
786 r2 = BN_CTX_get(ctx);
787 r3 = BN_CTX_get(ctx);
Brian Smithf4bbc2a2015-08-06 10:42:27 -0400[diff] [blame]788 if (r0 == NULL || r1 == NULL || r2 == NULL || r3 == NULL) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]789 goto err;
790 }
791
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]792 if (num_primes > 2) {
793 additional_primes = sk_RSA_additional_prime_new_null();
794 if (additional_primes == NULL) {
795 goto err;
796 }
797 }
798
799 for (i = 2; i < num_primes; i++) {
800 RSA_additional_prime *ap = OPENSSL_malloc(sizeof(RSA_additional_prime));
801 if (ap == NULL) {
802 goto err;
803 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]804 OPENSSL_memset(ap, 0, sizeof(RSA_additional_prime));
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]805 ap->prime = BN_new();
806 ap->exp = BN_new();
807 ap->coeff = BN_new();
808 ap->r = BN_new();
809 if (ap->prime == NULL ||
810 ap->exp == NULL ||
811 ap->coeff == NULL ||
812 ap->r == NULL ||
813 !sk_RSA_additional_prime_push(additional_primes, ap)) {
814 RSA_additional_prime_free(ap);
815 goto err;
816 }
817 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]818
819 /* We need the RSA components non-NULL */
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]820 if (!rsa->n && ((rsa->n = BN_new()) == NULL)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]821 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]822 }
823 if (!rsa->d && ((rsa->d = BN_new()) == NULL)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]824 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]825 }
826 if (!rsa->e && ((rsa->e = BN_new()) == NULL)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]827 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]828 }
829 if (!rsa->p && ((rsa->p = BN_new()) == NULL)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]830 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]831 }
832 if (!rsa->q && ((rsa->q = BN_new()) == NULL)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]833 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]834 }
835 if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]836 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]837 }
838 if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]839 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]840 }
841 if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]842 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]843 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]844
David Benjamin1c703cb2015-06-11 21:42:14 -0400[diff] [blame]845 if (!BN_copy(rsa->e, e_value)) {
846 goto err;
847 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]848
849 /* generate p and q */
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]850 prime_bits = (bits + (num_primes - 1)) / num_primes;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]851 for (;;) {
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]852 if (!BN_generate_prime_ex(rsa->p, prime_bits, 0, NULL, NULL, cb) ||
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]853 !BN_sub(r2, rsa->p, BN_value_one()) ||
854 !BN_gcd(r1, r2, rsa->e, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]855 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]856 }
857 if (BN_is_one(r1)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]858 break;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]859 }
860 if (!BN_GENCB_call(cb, 2, n++)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]861 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]862 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]863 }
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]864 if (!BN_GENCB_call(cb, 3, 0)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]865 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]866 }
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]867 prime_bits = ((bits - prime_bits) + (num_primes - 2)) / (num_primes - 1);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]868 for (;;) {
869 /* When generating ridiculously small keys, we can get stuck
870 * continually regenerating the same prime values. Check for
871 * this and bail if it happens 3 times. */
872 unsigned int degenerate = 0;
873 do {
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]874 if (!BN_generate_prime_ex(rsa->q, prime_bits, 0, NULL, NULL, cb)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]875 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]876 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]877 } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
878 if (degenerate == 3) {
879 ok = 0; /* we set our own err */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]880 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]881 goto err;
882 }
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]883 if (!BN_sub(r2, rsa->q, BN_value_one()) ||
884 !BN_gcd(r1, r2, rsa->e, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]885 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]886 }
887 if (BN_is_one(r1)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]888 break;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]889 }
890 if (!BN_GENCB_call(cb, 2, n++)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]891 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]892 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]893 }
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]894
895 if (!BN_GENCB_call(cb, 3, 1) ||
896 !BN_mul(rsa->n, rsa->p, rsa->q, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]897 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]898 }
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]899
900 for (i = 2; i < num_primes; i++) {
901 RSA_additional_prime *ap =
902 sk_RSA_additional_prime_value(additional_primes, i - 2);
903 prime_bits = ((bits - BN_num_bits(rsa->n)) + (num_primes - (i + 1))) /
904 (num_primes - i);
905
906 for (;;) {
907 if (!BN_generate_prime_ex(ap->prime, prime_bits, 0, NULL, NULL, cb)) {
908 goto err;
909 }
910 if (BN_cmp(rsa->p, ap->prime) == 0 ||
911 BN_cmp(rsa->q, ap->prime) == 0) {
912 continue;
913 }
914
915 for (j = 0; j < i - 2; j++) {
916 if (BN_cmp(sk_RSA_additional_prime_value(additional_primes, j)->prime,
917 ap->prime) == 0) {
918 break;
919 }
920 }
921 if (j != i - 2) {
922 continue;
923 }
924
925 if (!BN_sub(r2, ap->prime, BN_value_one()) ||
926 !BN_gcd(r1, r2, rsa->e, ctx)) {
927 goto err;
928 }
929
930 if (!BN_is_one(r1)) {
931 continue;
932 }
933 if (i != num_primes - 1) {
934 break;
935 }
936
937 /* For the last prime we'll check that it makes n large enough. In the
938 * two prime case this isn't a problem because we generate primes with
939 * the top two bits set and so the product is always of the expected
940 * size. In the multi prime case, this doesn't follow. */
941 if (!BN_mul(r1, rsa->n, ap->prime, ctx)) {
942 goto err;
943 }
Adam Langley96c2a282015-06-02 14:16:44 -0700[diff] [blame]944 if (BN_num_bits(r1) == (unsigned) bits) {
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]945 break;
946 }
947
948 if (!BN_GENCB_call(cb, 2, n++)) {
949 goto err;
950 }
951 }
952
953 /* ap->r is is the product of all the primes prior to the current one
954 * (including p and q). */
955 if (!BN_copy(ap->r, rsa->n)) {
956 goto err;
957 }
958 if (i == num_primes - 1) {
959 /* In the case of the last prime, we calculated n as |r1| in the loop
960 * above. */
961 if (!BN_copy(rsa->n, r1)) {
962 goto err;
963 }
964 } else if (!BN_mul(rsa->n, rsa->n, ap->prime, ctx)) {
965 goto err;
966 }
967
968 if (!BN_GENCB_call(cb, 3, 1)) {
969 goto err;
970 }
971 }
972
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]973 if (BN_cmp(rsa->p, rsa->q) < 0) {
974 tmp = rsa->p;
975 rsa->p = rsa->q;
976 rsa->q = tmp;
977 }
978
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]979 /* calculate d */
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]980 if (!BN_sub(r1, rsa->p, BN_value_one())) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]981 goto err; /* p-1 */
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]982 }
983 if (!BN_sub(r2, rsa->q, BN_value_one())) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]984 goto err; /* q-1 */
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]985 }
986 if (!BN_mul(r0, r1, r2, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]987 goto err; /* (p-1)(q-1) */
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]988 }
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]989 for (i = 2; i < num_primes; i++) {
990 RSA_additional_prime *ap =
991 sk_RSA_additional_prime_value(additional_primes, i - 2);
992 if (!BN_sub(r3, ap->prime, BN_value_one()) ||
993 !BN_mul(r0, r0, r3, ctx)) {
994 goto err;
995 }
996 }
David Benjamin0a211df2016-12-17 15:25:55 -0500[diff] [blame]997 if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]998 goto err; /* d */
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]999 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1000
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1001 /* calculate d mod (p-1) */
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]1002 if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1003 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]1004 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1005
1006 /* calculate d mod (q-1) */
Brian Smith9f05de42016-08-02 18:21:18 -1000[diff] [blame]1007 if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]1009 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1010
David Benjamin0b8dc302016-12-17 14:27:16 -0500[diff] [blame]1011 /* Calculate inverse of q mod p. Note that although RSA key generation is far
1012 * from constant-time, |bn_mod_inverse_secret_prime| uses the same modular
1013 * exponentation logic as in RSA private key operations and, if the RSAZ-1024
1014 * code is enabled, will be optimized for common RSA prime sizes. */
David Benjamin0b8dc302016-12-17 14:27:16 -0500[diff] [blame]1015 if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) ||
David Benjamin0a211df2016-12-17 15:25:55 -0500[diff] [blame]1016 !bn_mod_inverse_secret_prime(rsa->iqmp, rsa->q, rsa->p, ctx,
1017 rsa->mont_p)) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1018 goto err;
David Benjamin6eb000d2015-02-11 01:17:41 -0500[diff] [blame]1019 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1020
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]1021 for (i = 2; i < num_primes; i++) {
1022 RSA_additional_prime *ap =
1023 sk_RSA_additional_prime_value(additional_primes, i - 2);
1024 if (!BN_sub(ap->exp, ap->prime, BN_value_one()) ||
1025 !BN_mod(ap->exp, rsa->d, ap->exp, ctx) ||
David Benjamin0b8dc302016-12-17 14:27:16 -0500[diff] [blame]1026 !BN_MONT_CTX_set_locked(&ap->mont, &rsa->lock, ap->prime, ctx) ||
1027 !bn_mod_inverse_secret_prime(ap->coeff, ap->r, ap->prime, ctx,
1028 ap->mont)) {
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]1029 goto err;
1030 }
1031 }
1032
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]1033 rsa->additional_primes = additional_primes;
1034 additional_primes = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1035
Brian Smithfebf7712016-03-21 13:47:32 -1000[diff] [blame]1036 /* The key generation process is complex and thus error-prone. It could be
1037 * disastrous to generate and then use a bad key so double-check that the key
1038 * makes sense. */
1039 ok = RSA_check_key(rsa);
1040 if (!ok) {
1041 OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
1042 }
1043
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1044err:
1045 if (ok == -1) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1046 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1047 ok = 0;
1048 }
1049 if (ctx != NULL) {
1050 BN_CTX_end(ctx);
1051 BN_CTX_free(ctx);
1052 }
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]1053 sk_RSA_additional_prime_pop_free(additional_primes,
1054 RSA_additional_prime_free);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1055 return ok;
1056}
1057
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]1058int rsa_default_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
1059 return rsa_default_multi_prime_keygen(rsa, bits, 2 /* num primes */, e_value,
1060 cb);
Adam Langley839b8812015-05-26 11:36:46 -0700[diff] [blame]1061}
1062
Brian Smithf08c1c62016-03-25 13:24:46 -1000[diff] [blame]1063/* All of the methods are NULL to make it easier for the compiler/linker to drop
1064 * unused functions. The wrapper functions will select the appropriate
1065 * |rsa_default_*| implementation. */
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]1066const RSA_METHOD RSA_default_method = {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1067 {
1068 0 /* references */,
1069 1 /* is_static */,
1070 },
1071 NULL /* app_data */,
1072
1073 NULL /* init */,
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]1074 NULL /* finish (defaults to rsa_default_finish) */,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1075
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]1076 NULL /* size (defaults to rsa_default_size) */,
David Benjamin925fee32014-07-11 14:14:08 -0400[diff] [blame]1077
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1078 NULL /* sign */,
1079 NULL /* verify */,
1080
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]1081 NULL /* encrypt (defaults to rsa_default_encrypt) */,
1082 NULL /* sign_raw (defaults to rsa_default_sign_raw) */,
1083 NULL /* decrypt (defaults to rsa_default_decrypt) */,
1084 NULL /* verify_raw (defaults to rsa_default_verify_raw) */,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1085
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]1086 NULL /* private_transform (defaults to rsa_default_private_transform) */,
Adam Langley6bc658d2014-08-18 13:29:45 -0700[diff] [blame]1087
Brian Smithf08c1c62016-03-25 13:24:46 -1000[diff] [blame]1088 NULL /* mod_exp (ignored) */,
1089 NULL /* bn_mod_exp (ignored) */,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1090
1091 RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE,
1092
David Benjamind93831d2015-10-29 13:19:12 -0400[diff] [blame]1093 NULL /* keygen (defaults to rsa_default_keygen) */,
1094 NULL /* multi_prime_keygen (defaults to rsa_default_multi_prime_keygen) */,
Adam Langley626c6862015-09-11 16:17:44 -0700[diff] [blame]1095
1096 NULL /* supports_digest */,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1097};