Home | History | Annotate | Download | only in rsa
      1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      2  * All rights reserved.
      3  *
      4  * This package is an SSL implementation written
      5  * by Eric Young (eay (at) cryptsoft.com).
      6  * The implementation was written so as to conform with Netscapes SSL.
      7  *
      8  * This library is free for commercial and non-commercial use as long as
      9  * the following conditions are aheared to.  The following conditions
     10  * apply to all code found in this distribution, be it the RC4, RSA,
     11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     12  * included with this distribution is covered by the same copyright terms
     13  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     14  *
     15  * Copyright remains Eric Young's, and as such any Copyright notices in
     16  * the code are not to be removed.
     17  * If this package is used in a product, Eric Young should be given attribution
     18  * as the author of the parts of the library used.
     19  * This can be in the form of a textual message at program startup or
     20  * in documentation (online or textual) provided with the package.
     21  *
     22  * Redistribution and use in source and binary forms, with or without
     23  * modification, are permitted provided that the following conditions
     24  * are met:
     25  * 1. Redistributions of source code must retain the copyright
     26  *    notice, this list of conditions and the following disclaimer.
     27  * 2. Redistributions in binary form must reproduce the above copyright
     28  *    notice, this list of conditions and the following disclaimer in the
     29  *    documentation and/or other materials provided with the distribution.
     30  * 3. All advertising materials mentioning features or use of this software
     31  *    must display the following acknowledgement:
     32  *    "This product includes cryptographic software written by
     33  *     Eric Young (eay (at) cryptsoft.com)"
     34  *    The word 'cryptographic' can be left out if the rouines from the library
     35  *    being used are not cryptographic related :-).
     36  * 4. If you include any Windows specific code (or a derivative thereof) from
     37  *    the apps directory (application code) you must include an acknowledgement:
     38  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     39  *
     40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     50  * SUCH DAMAGE.
     51  *
     52  * The licence and distribution terms for any publically available version or
     53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     54  * copied and put under another distribution licence
     55  * [including the GNU Public Licence.] */
     56 
     57 #include <openssl/rsa.h>
     58 
     59 #include <string.h>
     60 
     61 #include <openssl/bn.h>
     62 #include <openssl/engine.h>
     63 #include <openssl/err.h>
     64 #include <openssl/ex_data.h>
     65 #include <openssl/mem.h>
     66 #include <openssl/obj.h>
     67 #include <openssl/thread.h>
     68 
     69 #include "internal.h"
     70 #include "../internal.h"
     71 
     72 
     73 extern const RSA_METHOD RSA_default_method;
     74 
     75 static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
     76 
     77 RSA *RSA_new(void) { return RSA_new_method(NULL); }
     78 
     79 RSA *RSA_new_method(const ENGINE *engine) {
     80   RSA *rsa = (RSA *)OPENSSL_malloc(sizeof(RSA));
     81   if (rsa == NULL) {
     82     OPENSSL_PUT_ERROR(RSA, RSA_new_method, ERR_R_MALLOC_FAILURE);
     83     return NULL;
     84   }
     85 
     86   memset(rsa, 0, sizeof(RSA));
     87 
     88   if (engine) {
     89     rsa->meth = ENGINE_get_RSA_method(engine);
     90   }
     91 
     92   if (rsa->meth == NULL) {
     93     rsa->meth = (RSA_METHOD*) &RSA_default_method;
     94   }
     95   METHOD_ref(rsa->meth);
     96 
     97   rsa->references = 1;
     98   rsa->flags = rsa->meth->flags;
     99   CRYPTO_MUTEX_init(&rsa->lock);
    100 
    101   if (!CRYPTO_new_ex_data(&g_ex_data_class, rsa, &rsa->ex_data)) {
    102     METHOD_unref(rsa->meth);
    103     OPENSSL_free(rsa);
    104     return NULL;
    105   }
    106 
    107   if (rsa->meth->init && !rsa->meth->init(rsa)) {
    108     CRYPTO_free_ex_data(&g_ex_data_class, rsa, &rsa->ex_data);
    109     METHOD_unref(rsa->meth);
    110     OPENSSL_free(rsa);
    111     return NULL;
    112   }
    113 
    114   return rsa;
    115 }
    116 
    117 void RSA_free(RSA *rsa) {
    118   unsigned u;
    119 
    120   if (rsa == NULL) {
    121     return;
    122   }
    123 
    124   if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
    125     return;
    126   }
    127 
    128   if (rsa->meth->finish) {
    129     rsa->meth->finish(rsa);
    130   }
    131   METHOD_unref(rsa->meth);
    132 
    133   CRYPTO_free_ex_data(&g_ex_data_class, rsa, &rsa->ex_data);
    134 
    135   BN_clear_free(rsa->n);
    136   BN_clear_free(rsa->e);
    137   BN_clear_free(rsa->d);
    138   BN_clear_free(rsa->p);
    139   BN_clear_free(rsa->q);
    140   BN_clear_free(rsa->dmp1);
    141   BN_clear_free(rsa->dmq1);
    142   BN_clear_free(rsa->iqmp);
    143   for (u = 0; u < rsa->num_blindings; u++) {
    144     BN_BLINDING_free(rsa->blindings[u]);
    145   }
    146   OPENSSL_free(rsa->blindings);
    147   OPENSSL_free(rsa->blindings_inuse);
    148   CRYPTO_MUTEX_cleanup(&rsa->lock);
    149   OPENSSL_free(rsa);
    150 }
    151 
    152 int RSA_up_ref(RSA *rsa) {
    153   CRYPTO_refcount_inc(&rsa->references);
    154   return 1;
    155 }
    156 
    157 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
    158   if (rsa->meth->keygen) {
    159     return rsa->meth->keygen(rsa, bits, e_value, cb);
    160   }
    161 
    162   return RSA_default_method.keygen(rsa, bits, e_value, cb);
    163 }
    164 
    165 int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
    166                 const uint8_t *in, size_t in_len, int padding) {
    167   if (rsa->meth->encrypt) {
    168     return rsa->meth->encrypt(rsa, out_len, out, max_out, in, in_len, padding);
    169   }
    170 
    171   return RSA_default_method.encrypt(rsa, out_len, out, max_out, in, in_len,
    172                                     padding);
    173 }
    174 
    175 int RSA_public_encrypt(int flen, const uint8_t *from, uint8_t *to, RSA *rsa,
    176                        int padding) {
    177   size_t out_len;
    178 
    179   if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
    180     return -1;
    181   }
    182 
    183   return out_len;
    184 }
    185 
    186 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
    187                  const uint8_t *in, size_t in_len, int padding) {
    188   if (rsa->meth->sign_raw) {
    189     return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
    190   }
    191 
    192   return RSA_default_method.sign_raw(rsa, out_len, out, max_out, in, in_len,
    193                                      padding);
    194 }
    195 
    196 int RSA_private_encrypt(int flen, const uint8_t *from, uint8_t *to, RSA *rsa,
    197                         int padding) {
    198   size_t out_len;
    199 
    200   if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
    201     return -1;
    202   }
    203 
    204   return out_len;
    205 }
    206 
    207 int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
    208                 const uint8_t *in, size_t in_len, int padding) {
    209   if (rsa->meth->decrypt) {
    210     return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
    211   }
    212 
    213   return RSA_default_method.decrypt(rsa, out_len, out, max_out, in, in_len,
    214                                     padding);
    215 }
    216 
    217 int RSA_private_decrypt(int flen, const uint8_t *from, uint8_t *to, RSA *rsa,
    218                         int padding) {
    219   size_t out_len;
    220 
    221   if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
    222     return -1;
    223   }
    224 
    225   return out_len;
    226 }
    227 
    228 int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
    229                    const uint8_t *in, size_t in_len, int padding) {
    230   if (rsa->meth->verify_raw) {
    231     return rsa->meth->verify_raw(rsa, out_len, out, max_out, in, in_len, padding);
    232   }
    233 
    234   return RSA_default_method.verify_raw(rsa, out_len, out, max_out, in, in_len,
    235                                        padding);
    236 }
    237 
    238 int RSA_public_decrypt(int flen, const uint8_t *from, uint8_t *to, RSA *rsa,
    239                        int padding) {
    240   size_t out_len;
    241 
    242   if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
    243     return -1;
    244   }
    245 
    246   return out_len;
    247 }
    248 
    249 unsigned RSA_size(const RSA *rsa) {
    250   if (rsa->meth->size) {
    251     return rsa->meth->size(rsa);
    252   }
    253 
    254   return RSA_default_method.size(rsa);
    255 }
    256 
    257 int RSA_is_opaque(const RSA *rsa) {
    258   return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
    259 }
    260 
    261 int RSA_supports_digest(const RSA *rsa, const EVP_MD *md) {
    262   if (rsa->meth && rsa->meth->supports_digest) {
    263     return rsa->meth->supports_digest(rsa, md);
    264   }
    265   return 1;
    266 }
    267 
    268 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
    269                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
    270   int index;
    271   if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
    272                                dup_func, free_func)) {
    273     return -1;
    274   }
    275   return index;
    276 }
    277 
    278 int RSA_set_ex_data(RSA *d, int idx, void *arg) {
    279   return CRYPTO_set_ex_data(&d->ex_data, idx, arg);
    280 }
    281 
    282 void *RSA_get_ex_data(const RSA *d, int idx) {
    283   return CRYPTO_get_ex_data(&d->ex_data, idx);
    284 }
    285 
    286 /* SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
    287  * the length of an MD5 and SHA1 hash. */
    288 static const unsigned SSL_SIG_LENGTH = 36;
    289 
    290 /* pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
    291  * to be signed with PKCS#1. */
    292 struct pkcs1_sig_prefix {
    293   /* nid identifies the hash function. */
    294   int nid;
    295   /* len is the number of bytes of |bytes| which are valid. */
    296   uint8_t len;
    297   /* bytes contains the DER bytes. */
    298   uint8_t bytes[19];
    299 };
    300 
    301 /* kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
    302  * different hash functions. */
    303 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
    304     {
    305      NID_md5,
    306      18,
    307      {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
    308       0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
    309     },
    310     {
    311      NID_sha1,
    312      15,
    313      {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
    314       0x00, 0x04, 0x14},
    315     },
    316     {
    317      NID_sha224,
    318      19,
    319      {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
    320       0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
    321     },
    322     {
    323      NID_sha256,
    324      19,
    325      {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
    326       0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
    327     },
    328     {
    329      NID_sha384,
    330      19,
    331      {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
    332       0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
    333     },
    334     {
    335      NID_sha512,
    336      19,
    337      {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
    338       0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
    339     },
    340     {
    341      NID_undef, 0, {0},
    342     },
    343 };
    344 
    345 /* TODO(fork): mostly new code, needs careful review. */
    346 
    347 /* pkcs1_prefixed_msg builds a PKCS#1, prefixed version of |msg| for the given
    348  * hash function and sets |out_msg| to point to it. On successful return,
    349  * |*out_msg| may be allocated memory and, if so, |*is_alloced| will be 1. */
    350 static int pkcs1_prefixed_msg(uint8_t **out_msg, size_t *out_msg_len,
    351                               int *is_alloced, int hash_nid, const uint8_t *msg,
    352                               size_t msg_len) {
    353   unsigned i;
    354 
    355   if (hash_nid == NID_md5_sha1) {
    356     /* Special case: SSL signature, just check the length. */
    357     if (msg_len != SSL_SIG_LENGTH) {
    358       OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_INVALID_MESSAGE_LENGTH);
    359       return 0;
    360     }
    361 
    362     *out_msg = (uint8_t*) msg;
    363     *out_msg_len = SSL_SIG_LENGTH;
    364     *is_alloced = 0;
    365     return 1;
    366   }
    367 
    368   for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
    369     const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
    370     if (sig_prefix->nid != hash_nid) {
    371       continue;
    372     }
    373 
    374     const uint8_t* prefix = sig_prefix->bytes;
    375     unsigned prefix_len = sig_prefix->len;
    376     unsigned signed_msg_len;
    377     uint8_t *signed_msg;
    378 
    379     signed_msg_len = prefix_len + msg_len;
    380     if (signed_msg_len < prefix_len) {
    381       OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_TOO_LONG);
    382       return 0;
    383     }
    384 
    385     signed_msg = OPENSSL_malloc(signed_msg_len);
    386     if (!signed_msg) {
    387       OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, ERR_R_MALLOC_FAILURE);
    388       return 0;
    389     }
    390 
    391     memcpy(signed_msg, prefix, prefix_len);
    392     memcpy(signed_msg + prefix_len, msg, msg_len);
    393 
    394     *out_msg = signed_msg;
    395     *out_msg_len = signed_msg_len;
    396     *is_alloced = 1;
    397 
    398     return 1;
    399   }
    400 
    401   OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_UNKNOWN_ALGORITHM_TYPE);
    402   return 0;
    403 }
    404 
    405 int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
    406              unsigned *out_len, RSA *rsa) {
    407   const unsigned rsa_size = RSA_size(rsa);
    408   int ret = 0;
    409   uint8_t *signed_msg;
    410   size_t signed_msg_len;
    411   int signed_msg_is_alloced = 0;
    412   size_t size_t_out_len;
    413 
    414   if (rsa->meth->sign) {
    415     return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
    416   }
    417 
    418   if (!pkcs1_prefixed_msg(&signed_msg, &signed_msg_len, &signed_msg_is_alloced,
    419                           hash_nid, in, in_len)) {
    420     return 0;
    421   }
    422 
    423   if (rsa_size < RSA_PKCS1_PADDING_SIZE ||
    424       signed_msg_len > rsa_size - RSA_PKCS1_PADDING_SIZE) {
    425     OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
    426     goto finish;
    427   }
    428 
    429   if (RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
    430                    signed_msg_len, RSA_PKCS1_PADDING)) {
    431     *out_len = size_t_out_len;
    432     ret = 1;
    433   }
    434 
    435 finish:
    436   if (signed_msg_is_alloced) {
    437     OPENSSL_free(signed_msg);
    438   }
    439   return ret;
    440 }
    441 
    442 int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
    443                const uint8_t *sig, size_t sig_len, RSA *rsa) {
    444   const size_t rsa_size = RSA_size(rsa);
    445   uint8_t *buf = NULL;
    446   int ret = 0;
    447   uint8_t *signed_msg = NULL;
    448   size_t signed_msg_len, len;
    449   int signed_msg_is_alloced = 0;
    450 
    451   if (rsa->meth->verify) {
    452     return rsa->meth->verify(hash_nid, msg, msg_len, sig, sig_len, rsa);
    453   }
    454 
    455   if (sig_len != rsa_size) {
    456     OPENSSL_PUT_ERROR(RSA, RSA_verify, RSA_R_WRONG_SIGNATURE_LENGTH);
    457     return 0;
    458   }
    459 
    460   if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
    461     OPENSSL_PUT_ERROR(RSA, RSA_verify, RSA_R_INVALID_MESSAGE_LENGTH);
    462     return 0;
    463   }
    464 
    465   buf = OPENSSL_malloc(rsa_size);
    466   if (!buf) {
    467     OPENSSL_PUT_ERROR(RSA, RSA_verify, ERR_R_MALLOC_FAILURE);
    468     return 0;
    469   }
    470 
    471   if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
    472                       RSA_PKCS1_PADDING)) {
    473     goto out;
    474   }
    475 
    476   if (!pkcs1_prefixed_msg(&signed_msg, &signed_msg_len, &signed_msg_is_alloced,
    477                           hash_nid, msg, msg_len)) {
    478     goto out;
    479   }
    480 
    481   if (len != signed_msg_len || CRYPTO_memcmp(buf, signed_msg, len) != 0) {
    482     OPENSSL_PUT_ERROR(RSA, RSA_verify, RSA_R_BAD_SIGNATURE);
    483     goto out;
    484   }
    485 
    486   ret = 1;
    487 
    488 out:
    489   OPENSSL_free(buf);
    490   if (signed_msg_is_alloced) {
    491     OPENSSL_free(signed_msg);
    492   }
    493   return ret;
    494 }
    495 
    496 static void bn_free_and_null(BIGNUM **bn) {
    497   BN_free(*bn);
    498   *bn = NULL;
    499 }
    500 
    501 int RSA_check_key(const RSA *key) {
    502   BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp;
    503   BN_CTX *ctx;
    504   int ok = 0, has_crt_values;
    505 
    506   if (RSA_is_opaque(key)) {
    507     /* Opaque keys can't be checked. */
    508     return 1;
    509   }
    510 
    511   if ((key->p != NULL) != (key->q != NULL)) {
    512     OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
    513     return 0;
    514   }
    515 
    516   if (!key->n || !key->e) {
    517     OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_VALUE_MISSING);
    518     return 0;
    519   }
    520 
    521   if (!key->d || !key->p) {
    522     /* For a public key, or without p and q, there's nothing that can be
    523      * checked. */
    524     return 1;
    525   }
    526 
    527   ctx = BN_CTX_new();
    528   if (ctx == NULL) {
    529     OPENSSL_PUT_ERROR(RSA, RSA_check_key, ERR_R_MALLOC_FAILURE);
    530     return 0;
    531   }
    532 
    533   BN_init(&n);
    534   BN_init(&pm1);
    535   BN_init(&qm1);
    536   BN_init(&lcm);
    537   BN_init(&gcd);
    538   BN_init(&de);
    539   BN_init(&dmp1);
    540   BN_init(&dmq1);
    541   BN_init(&iqmp);
    542 
    543   if (/* n = pq */
    544       !BN_mul(&n, key->p, key->q, ctx) ||
    545       /* lcm = lcm(p-1, q-1) */
    546       !BN_sub(&pm1, key->p, BN_value_one()) ||
    547       !BN_sub(&qm1, key->q, BN_value_one()) ||
    548       !BN_mul(&lcm, &pm1, &qm1, ctx) ||
    549       !BN_gcd(&gcd, &pm1, &qm1, ctx) ||
    550       !BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
    551       /* de = d*e mod lcm(p-1, q-1) */
    552       !BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
    553     OPENSSL_PUT_ERROR(RSA, RSA_check_key, ERR_LIB_BN);
    554     goto out;
    555   }
    556 
    557   if (BN_cmp(&n, key->n) != 0) {
    558     OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_N_NOT_EQUAL_P_Q);
    559     goto out;
    560   }
    561 
    562   if (!BN_is_one(&de)) {
    563     OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_D_E_NOT_CONGRUENT_TO_1);
    564     goto out;
    565   }
    566 
    567   has_crt_values = key->dmp1 != NULL;
    568   if (has_crt_values != (key->dmq1 != NULL) ||
    569       has_crt_values != (key->iqmp != NULL)) {
    570     OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
    571     goto out;
    572   }
    573 
    574   if (has_crt_values) {
    575     if (/* dmp1 = d mod (p-1) */
    576         !BN_mod(&dmp1, key->d, &pm1, ctx) ||
    577         /* dmq1 = d mod (q-1) */
    578         !BN_mod(&dmq1, key->d, &qm1, ctx) ||
    579         /* iqmp = q^-1 mod p */
    580         !BN_mod_inverse(&iqmp, key->q, key->p, ctx)) {
    581       OPENSSL_PUT_ERROR(RSA, RSA_check_key, ERR_LIB_BN);
    582       goto out;
    583     }
    584 
    585     if (BN_cmp(&dmp1, key->dmp1) != 0 ||
    586         BN_cmp(&dmq1, key->dmq1) != 0 ||
    587         BN_cmp(&iqmp, key->iqmp) != 0) {
    588       OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_CRT_VALUES_INCORRECT);
    589       goto out;
    590     }
    591   }
    592 
    593   ok = 1;
    594 
    595 out:
    596   BN_free(&n);
    597   BN_free(&pm1);
    598   BN_free(&qm1);
    599   BN_free(&lcm);
    600   BN_free(&gcd);
    601   BN_free(&de);
    602   BN_free(&dmp1);
    603   BN_free(&dmq1);
    604   BN_free(&iqmp);
    605   BN_CTX_free(ctx);
    606 
    607   return ok;
    608 }
    609 
    610 int RSA_recover_crt_params(RSA *rsa) {
    611   BN_CTX *ctx;
    612   BIGNUM *totient, *rem, *multiple, *p_plus_q, *p_minus_q;
    613   int ok = 0;
    614 
    615   if (rsa->n == NULL || rsa->e == NULL || rsa->d == NULL) {
    616     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_EMPTY_PUBLIC_KEY);
    617     return 0;
    618   }
    619 
    620   if (rsa->p || rsa->q || rsa->dmp1 || rsa->dmq1 || rsa->iqmp) {
    621     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params,
    622                       RSA_R_CRT_PARAMS_ALREADY_GIVEN);
    623     return 0;
    624   }
    625 
    626   /* This uses the algorithm from section 9B of the RSA paper:
    627    * http://people.csail.mit.edu/rivest/Rsapaper.pdf */
    628 
    629   ctx = BN_CTX_new();
    630   if (ctx == NULL) {
    631     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
    632     return 0;
    633   }
    634 
    635   BN_CTX_start(ctx);
    636   totient = BN_CTX_get(ctx);
    637   rem = BN_CTX_get(ctx);
    638   multiple = BN_CTX_get(ctx);
    639   p_plus_q = BN_CTX_get(ctx);
    640   p_minus_q = BN_CTX_get(ctx);
    641 
    642   if (totient == NULL || rem == NULL || multiple == NULL || p_plus_q == NULL ||
    643       p_minus_q == NULL) {
    644     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
    645     goto err;
    646   }
    647 
    648   /* ed-1 is a small multiple of (n). */
    649   if (!BN_mul(totient, rsa->e, rsa->d, ctx) ||
    650       !BN_sub_word(totient, 1) ||
    651       /* (n) =
    652        * pq - p - q + 1 =
    653        * n - (p + q) + 1
    654        *
    655        * Thus n is a reasonable estimate for (n). So, (ed-1)/n will be very
    656        * close. But, when we calculate the quotient, we'll be truncating it
    657        * because we discard the remainder. Thus (ed-1)/multiple will be >= n,
    658        * which the totient cannot be. So we add one to the estimate.
    659        *
    660        * Consider ed-1 as:
    661        *
    662        * multiple * (n - (p+q) + 1) =
    663        * multiple*n - multiple*(p+q) + multiple
    664        *
    665        * When we divide by n, the first term becomes multiple and, since
    666        * multiple and p+q is tiny compared to n, the second and third terms can
    667        * be ignored. Thus I claim that subtracting one from the estimate is
    668        * sufficient. */
    669       !BN_div(multiple, NULL, totient, rsa->n, ctx) ||
    670       !BN_add_word(multiple, 1) ||
    671       !BN_div(totient, rem, totient, multiple, ctx)) {
    672     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
    673     goto err;
    674   }
    675 
    676   if (!BN_is_zero(rem)) {
    677     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_BAD_RSA_PARAMETERS);
    678     goto err;
    679   }
    680 
    681   rsa->p = BN_new();
    682   rsa->q = BN_new();
    683   rsa->dmp1 = BN_new();
    684   rsa->dmq1 = BN_new();
    685   rsa->iqmp = BN_new();
    686   if (rsa->p == NULL || rsa->q == NULL || rsa->dmp1 == NULL || rsa->dmq1 ==
    687       NULL || rsa->iqmp == NULL) {
    688     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
    689     goto err;
    690   }
    691 
    692   /* (n) = n - (p + q) + 1 =>
    693    * n - totient + 1 = p + q */
    694   if (!BN_sub(p_plus_q, rsa->n, totient) ||
    695       !BN_add_word(p_plus_q, 1) ||
    696       /* p - q = sqrt((p+q)^2 - 4n) */
    697       !BN_sqr(rem, p_plus_q, ctx) ||
    698       !BN_lshift(multiple, rsa->n, 2) ||
    699       !BN_sub(rem, rem, multiple) ||
    700       !BN_sqrt(p_minus_q, rem, ctx) ||
    701       /* q is 1/2 (p+q)-(p-q) */
    702       !BN_sub(rsa->q, p_plus_q, p_minus_q) ||
    703       !BN_rshift1(rsa->q, rsa->q) ||
    704       !BN_div(rsa->p, NULL, rsa->n, rsa->q, ctx) ||
    705       !BN_mul(multiple, rsa->p, rsa->q, ctx)) {
    706     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
    707     goto err;
    708   }
    709 
    710   if (BN_cmp(multiple, rsa->n) != 0) {
    711     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_INTERNAL_ERROR);
    712     goto err;
    713   }
    714 
    715   if (!BN_sub(rem, rsa->p, BN_value_one()) ||
    716       !BN_mod(rsa->dmp1, rsa->d, rem, ctx) ||
    717       !BN_sub(rem, rsa->q, BN_value_one()) ||
    718       !BN_mod(rsa->dmq1, rsa->d, rem, ctx) ||
    719       !BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) {
    720     OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
    721     goto err;
    722   }
    723 
    724   ok = 1;
    725 
    726 err:
    727   BN_CTX_end(ctx);
    728   BN_CTX_free(ctx);
    729   if (!ok) {
    730     bn_free_and_null(&rsa->p);
    731     bn_free_and_null(&rsa->q);
    732     bn_free_and_null(&rsa->dmp1);
    733     bn_free_and_null(&rsa->dmq1);
    734     bn_free_and_null(&rsa->iqmp);
    735   }
    736   return ok;
    737 }
    738 
    739 int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
    740                           size_t len) {
    741   if (rsa->meth->private_transform) {
    742     return rsa->meth->private_transform(rsa, out, in, len);
    743   }
    744 
    745   return RSA_default_method.private_transform(rsa, out, in, len);
    746 }
    747 
    748 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
    749   return 1;
    750 }
    751