1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/rsa.h> 58 59 #include <limits.h> 60 #include <string.h> 61 62 #include <openssl/bn.h> 63 #include <openssl/digest.h> 64 #include <openssl/engine.h> 65 #include <openssl/err.h> 66 #include <openssl/ex_data.h> 67 #include <openssl/md5.h> 68 #include <openssl/mem.h> 69 #include <openssl/nid.h> 70 #include <openssl/sha.h> 71 #include <openssl/thread.h> 72 73 #include "../bn/internal.h" 74 #include "../delocate.h" 75 #include "../../internal.h" 76 #include "internal.h" 77 78 79 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class); 80 81 RSA *RSA_new(void) { return RSA_new_method(NULL); } 82 83 RSA *RSA_new_method(const ENGINE *engine) { 84 RSA *rsa = OPENSSL_malloc(sizeof(RSA)); 85 if (rsa == NULL) { 86 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 87 return NULL; 88 } 89 90 OPENSSL_memset(rsa, 0, sizeof(RSA)); 91 92 if (engine) { 93 rsa->meth = ENGINE_get_RSA_method(engine); 94 } 95 96 if (rsa->meth == NULL) { 97 rsa->meth = (RSA_METHOD *) RSA_default_method(); 98 } 99 METHOD_ref(rsa->meth); 100 101 rsa->references = 1; 102 rsa->flags = rsa->meth->flags; 103 CRYPTO_MUTEX_init(&rsa->lock); 104 CRYPTO_new_ex_data(&rsa->ex_data); 105 106 if (rsa->meth->init && !rsa->meth->init(rsa)) { 107 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data); 108 CRYPTO_MUTEX_cleanup(&rsa->lock); 109 METHOD_unref(rsa->meth); 110 OPENSSL_free(rsa); 111 return NULL; 112 } 113 114 return rsa; 115 } 116 117 void RSA_free(RSA *rsa) { 118 unsigned u; 119 120 if (rsa == NULL) { 121 return; 122 } 123 124 if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) { 125 return; 126 } 127 128 if (rsa->meth->finish) { 129 rsa->meth->finish(rsa); 130 } 131 METHOD_unref(rsa->meth); 132 133 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data); 134 135 BN_clear_free(rsa->n); 136 BN_clear_free(rsa->e); 137 BN_clear_free(rsa->d); 138 BN_clear_free(rsa->p); 139 BN_clear_free(rsa->q); 140 BN_clear_free(rsa->dmp1); 141 BN_clear_free(rsa->dmq1); 142 BN_clear_free(rsa->iqmp); 143 BN_MONT_CTX_free(rsa->mont_n); 144 BN_MONT_CTX_free(rsa->mont_p); 145 BN_MONT_CTX_free(rsa->mont_q); 146 for (u = 0; u < rsa->num_blindings; u++) { 147 BN_BLINDING_free(rsa->blindings[u]); 148 } 149 OPENSSL_free(rsa->blindings); 150 OPENSSL_free(rsa->blindings_inuse); 151 CRYPTO_MUTEX_cleanup(&rsa->lock); 152 OPENSSL_free(rsa); 153 } 154 155 int RSA_up_ref(RSA *rsa) { 156 CRYPTO_refcount_inc(&rsa->references); 157 return 1; 158 } 159 160 unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); } 161 162 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e, 163 const BIGNUM **out_d) { 164 if (out_n != NULL) { 165 *out_n = rsa->n; 166 } 167 if (out_e != NULL) { 168 *out_e = rsa->e; 169 } 170 if (out_d != NULL) { 171 *out_d = rsa->d; 172 } 173 } 174 175 void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, 176 const BIGNUM **out_q) { 177 if (out_p != NULL) { 178 *out_p = rsa->p; 179 } 180 if (out_q != NULL) { 181 *out_q = rsa->q; 182 } 183 } 184 185 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, 186 const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) { 187 if (out_dmp1 != NULL) { 188 *out_dmp1 = rsa->dmp1; 189 } 190 if (out_dmq1 != NULL) { 191 *out_dmq1 = rsa->dmq1; 192 } 193 if (out_iqmp != NULL) { 194 *out_iqmp = rsa->iqmp; 195 } 196 } 197 198 int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) { 199 if ((rsa->n == NULL && n == NULL) || 200 (rsa->e == NULL && e == NULL)) { 201 return 0; 202 } 203 204 if (n != NULL) { 205 BN_free(rsa->n); 206 rsa->n = n; 207 } 208 if (e != NULL) { 209 BN_free(rsa->e); 210 rsa->e = e; 211 } 212 if (d != NULL) { 213 BN_free(rsa->d); 214 rsa->d = d; 215 } 216 217 return 1; 218 } 219 220 int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) { 221 if ((rsa->p == NULL && p == NULL) || 222 (rsa->q == NULL && q == NULL)) { 223 return 0; 224 } 225 226 if (p != NULL) { 227 BN_free(rsa->p); 228 rsa->p = p; 229 } 230 if (q != NULL) { 231 BN_free(rsa->q); 232 rsa->q = q; 233 } 234 235 return 1; 236 } 237 238 int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) { 239 if ((rsa->dmp1 == NULL && dmp1 == NULL) || 240 (rsa->dmq1 == NULL && dmq1 == NULL) || 241 (rsa->iqmp == NULL && iqmp == NULL)) { 242 return 0; 243 } 244 245 if (dmp1 != NULL) { 246 BN_free(rsa->dmp1); 247 rsa->dmp1 = dmp1; 248 } 249 if (dmq1 != NULL) { 250 BN_free(rsa->dmq1); 251 rsa->dmq1 = dmq1; 252 } 253 if (iqmp != NULL) { 254 BN_free(rsa->iqmp); 255 rsa->iqmp = iqmp; 256 } 257 258 return 1; 259 } 260 261 int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, 262 int padding) { 263 size_t out_len; 264 265 if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { 266 return -1; 267 } 268 269 if (out_len > INT_MAX) { 270 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 271 return -1; 272 } 273 return out_len; 274 } 275 276 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 277 const uint8_t *in, size_t in_len, int padding) { 278 if (rsa->meth->sign_raw) { 279 return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding); 280 } 281 282 return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding); 283 } 284 285 int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, 286 int padding) { 287 size_t out_len; 288 289 if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { 290 return -1; 291 } 292 293 if (out_len > INT_MAX) { 294 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 295 return -1; 296 } 297 return out_len; 298 } 299 300 int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 301 const uint8_t *in, size_t in_len, int padding) { 302 if (rsa->meth->decrypt) { 303 return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding); 304 } 305 306 return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding); 307 } 308 309 int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, 310 int padding) { 311 size_t out_len; 312 313 if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { 314 return -1; 315 } 316 317 if (out_len > INT_MAX) { 318 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 319 return -1; 320 } 321 return out_len; 322 } 323 324 int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, 325 int padding) { 326 size_t out_len; 327 328 if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { 329 return -1; 330 } 331 332 if (out_len > INT_MAX) { 333 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 334 return -1; 335 } 336 return out_len; 337 } 338 339 unsigned RSA_size(const RSA *rsa) { 340 if (rsa->meth->size) { 341 return rsa->meth->size(rsa); 342 } 343 344 return rsa_default_size(rsa); 345 } 346 347 int RSA_is_opaque(const RSA *rsa) { 348 return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE); 349 } 350 351 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 352 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { 353 int index; 354 if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl, 355 argp, free_func)) { 356 return -1; 357 } 358 return index; 359 } 360 361 int RSA_set_ex_data(RSA *rsa, int idx, void *arg) { 362 return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg); 363 } 364 365 void *RSA_get_ex_data(const RSA *rsa, int idx) { 366 return CRYPTO_get_ex_data(&rsa->ex_data, idx); 367 } 368 369 // SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's 370 // the length of an MD5 and SHA1 hash. 371 static const unsigned SSL_SIG_LENGTH = 36; 372 373 // pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is 374 // to be signed with PKCS#1. 375 struct pkcs1_sig_prefix { 376 // nid identifies the hash function. 377 int nid; 378 // hash_len is the expected length of the hash function. 379 uint8_t hash_len; 380 // len is the number of bytes of |bytes| which are valid. 381 uint8_t len; 382 // bytes contains the DER bytes. 383 uint8_t bytes[19]; 384 }; 385 386 // kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with 387 // different hash functions. 388 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = { 389 { 390 NID_md5, 391 MD5_DIGEST_LENGTH, 392 18, 393 {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 394 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}, 395 }, 396 { 397 NID_sha1, 398 SHA_DIGEST_LENGTH, 399 15, 400 {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 401 0x00, 0x04, 0x14}, 402 }, 403 { 404 NID_sha224, 405 SHA224_DIGEST_LENGTH, 406 19, 407 {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 408 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}, 409 }, 410 { 411 NID_sha256, 412 SHA256_DIGEST_LENGTH, 413 19, 414 {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 415 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}, 416 }, 417 { 418 NID_sha384, 419 SHA384_DIGEST_LENGTH, 420 19, 421 {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 422 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}, 423 }, 424 { 425 NID_sha512, 426 SHA512_DIGEST_LENGTH, 427 19, 428 {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 429 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}, 430 }, 431 { 432 NID_undef, 0, 0, {0}, 433 }, 434 }; 435 436 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, 437 int *is_alloced, int hash_nid, const uint8_t *msg, 438 size_t msg_len) { 439 unsigned i; 440 441 if (hash_nid == NID_md5_sha1) { 442 // Special case: SSL signature, just check the length. 443 if (msg_len != SSL_SIG_LENGTH) { 444 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 445 return 0; 446 } 447 448 *out_msg = (uint8_t*) msg; 449 *out_msg_len = SSL_SIG_LENGTH; 450 *is_alloced = 0; 451 return 1; 452 } 453 454 for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) { 455 const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i]; 456 if (sig_prefix->nid != hash_nid) { 457 continue; 458 } 459 460 if (msg_len != sig_prefix->hash_len) { 461 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 462 return 0; 463 } 464 465 const uint8_t* prefix = sig_prefix->bytes; 466 unsigned prefix_len = sig_prefix->len; 467 unsigned signed_msg_len; 468 uint8_t *signed_msg; 469 470 signed_msg_len = prefix_len + msg_len; 471 if (signed_msg_len < prefix_len) { 472 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG); 473 return 0; 474 } 475 476 signed_msg = OPENSSL_malloc(signed_msg_len); 477 if (!signed_msg) { 478 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 479 return 0; 480 } 481 482 OPENSSL_memcpy(signed_msg, prefix, prefix_len); 483 OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len); 484 485 *out_msg = signed_msg; 486 *out_msg_len = signed_msg_len; 487 *is_alloced = 1; 488 489 return 1; 490 } 491 492 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); 493 return 0; 494 } 495 496 int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out, 497 unsigned *out_len, RSA *rsa) { 498 const unsigned rsa_size = RSA_size(rsa); 499 int ret = 0; 500 uint8_t *signed_msg = NULL; 501 size_t signed_msg_len = 0; 502 int signed_msg_is_alloced = 0; 503 size_t size_t_out_len; 504 505 if (rsa->meth->sign) { 506 return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa); 507 } 508 509 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, 510 &signed_msg_is_alloced, hash_nid, in, in_len) || 511 !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg, 512 signed_msg_len, RSA_PKCS1_PADDING)) { 513 goto err; 514 } 515 516 *out_len = size_t_out_len; 517 ret = 1; 518 519 err: 520 if (signed_msg_is_alloced) { 521 OPENSSL_free(signed_msg); 522 } 523 return ret; 524 } 525 526 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 527 const uint8_t *in, size_t in_len, const EVP_MD *md, 528 const EVP_MD *mgf1_md, int salt_len) { 529 if (in_len != EVP_MD_size(md)) { 530 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 531 return 0; 532 } 533 534 size_t padded_len = RSA_size(rsa); 535 uint8_t *padded = OPENSSL_malloc(padded_len); 536 if (padded == NULL) { 537 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 538 return 0; 539 } 540 541 int ret = 542 RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) && 543 RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len, 544 RSA_NO_PADDING); 545 OPENSSL_free(padded); 546 return ret; 547 } 548 549 int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len, 550 const uint8_t *sig, size_t sig_len, RSA *rsa) { 551 if (rsa->n == NULL || rsa->e == NULL) { 552 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 553 return 0; 554 } 555 556 const size_t rsa_size = RSA_size(rsa); 557 uint8_t *buf = NULL; 558 int ret = 0; 559 uint8_t *signed_msg = NULL; 560 size_t signed_msg_len = 0, len; 561 int signed_msg_is_alloced = 0; 562 563 if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) { 564 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 565 return 0; 566 } 567 568 buf = OPENSSL_malloc(rsa_size); 569 if (!buf) { 570 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 571 return 0; 572 } 573 574 if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len, 575 RSA_PKCS1_PADDING)) { 576 goto out; 577 } 578 579 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, 580 &signed_msg_is_alloced, hash_nid, msg, msg_len)) { 581 goto out; 582 } 583 584 // Check that no other information follows the hash value (FIPS 186-4 Section 585 // 5.5) and it matches the expected hash. 586 if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) { 587 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE); 588 goto out; 589 } 590 591 ret = 1; 592 593 out: 594 OPENSSL_free(buf); 595 if (signed_msg_is_alloced) { 596 OPENSSL_free(signed_msg); 597 } 598 return ret; 599 } 600 601 int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len, 602 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len, 603 const uint8_t *sig, size_t sig_len) { 604 if (msg_len != EVP_MD_size(md)) { 605 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 606 return 0; 607 } 608 609 size_t em_len = RSA_size(rsa); 610 uint8_t *em = OPENSSL_malloc(em_len); 611 if (em == NULL) { 612 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 613 return 0; 614 } 615 616 int ret = 0; 617 if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) { 618 goto err; 619 } 620 621 if (em_len != RSA_size(rsa)) { 622 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 623 goto err; 624 } 625 626 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len); 627 628 err: 629 OPENSSL_free(em); 630 return ret; 631 } 632 633 int RSA_check_key(const RSA *key) { 634 BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q; 635 BN_CTX *ctx; 636 int ok = 0, has_crt_values; 637 638 if (RSA_is_opaque(key)) { 639 // Opaque keys can't be checked. 640 return 1; 641 } 642 643 if ((key->p != NULL) != (key->q != NULL)) { 644 OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN); 645 return 0; 646 } 647 648 if (!key->n || !key->e) { 649 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 650 return 0; 651 } 652 653 if (!key->d || !key->p) { 654 // For a public key, or without p and q, there's nothing that can be 655 // checked. 656 return 1; 657 } 658 659 ctx = BN_CTX_new(); 660 if (ctx == NULL) { 661 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 662 return 0; 663 } 664 665 BN_init(&n); 666 BN_init(&pm1); 667 BN_init(&qm1); 668 BN_init(&lcm); 669 BN_init(&gcd); 670 BN_init(&de); 671 BN_init(&dmp1); 672 BN_init(&dmq1); 673 BN_init(&iqmp_times_q); 674 675 if (!BN_mul(&n, key->p, key->q, ctx) || 676 // lcm = lcm(p, q) 677 !BN_sub(&pm1, key->p, BN_value_one()) || 678 !BN_sub(&qm1, key->q, BN_value_one()) || 679 !BN_mul(&lcm, &pm1, &qm1, ctx) || 680 !BN_gcd(&gcd, &pm1, &qm1, ctx)) { 681 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 682 goto out; 683 } 684 685 if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) || 686 !BN_gcd(&gcd, &pm1, &qm1, ctx) || 687 // de = d*e mod lcm(p, q). 688 !BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) { 689 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 690 goto out; 691 } 692 693 if (BN_cmp(&n, key->n) != 0) { 694 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q); 695 goto out; 696 } 697 698 if (!BN_is_one(&de)) { 699 OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1); 700 goto out; 701 } 702 703 has_crt_values = key->dmp1 != NULL; 704 if (has_crt_values != (key->dmq1 != NULL) || 705 has_crt_values != (key->iqmp != NULL)) { 706 OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES); 707 goto out; 708 } 709 710 if (has_crt_values) { 711 if (// dmp1 = d mod (p-1) 712 !BN_mod(&dmp1, key->d, &pm1, ctx) || 713 // dmq1 = d mod (q-1) 714 !BN_mod(&dmq1, key->d, &qm1, ctx) || 715 // iqmp = q^-1 mod p 716 !BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) { 717 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 718 goto out; 719 } 720 721 if (BN_cmp(&dmp1, key->dmp1) != 0 || 722 BN_cmp(&dmq1, key->dmq1) != 0 || 723 BN_cmp(key->iqmp, key->p) >= 0 || 724 !BN_is_one(&iqmp_times_q)) { 725 OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT); 726 goto out; 727 } 728 } 729 730 ok = 1; 731 732 out: 733 BN_free(&n); 734 BN_free(&pm1); 735 BN_free(&qm1); 736 BN_free(&lcm); 737 BN_free(&gcd); 738 BN_free(&de); 739 BN_free(&dmp1); 740 BN_free(&dmq1); 741 BN_free(&iqmp_times_q); 742 BN_CTX_free(ctx); 743 744 return ok; 745 } 746 747 748 // This is the product of the 132 smallest odd primes, from 3 to 751. 749 static const BN_ULONG kSmallFactorsLimbs[] = { 750 TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f), 751 TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b), 752 TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871), 753 TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3), 754 TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893), 755 TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e), 756 TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea), 757 TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727), 758 0x000017b1 759 }; 760 761 DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) { 762 out->d = (BN_ULONG *) kSmallFactorsLimbs; 763 out->top = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs); 764 out->dmax = out->top; 765 out->neg = 0; 766 out->flags = BN_FLG_STATIC_DATA; 767 } 768 769 int RSA_check_fips(RSA *key) { 770 if (RSA_is_opaque(key)) { 771 // Opaque keys can't be checked. 772 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED); 773 return 0; 774 } 775 776 if (!RSA_check_key(key)) { 777 return 0; 778 } 779 780 BN_CTX *ctx = BN_CTX_new(); 781 if (ctx == NULL) { 782 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 783 return 0; 784 } 785 786 BIGNUM small_gcd; 787 BN_init(&small_gcd); 788 789 int ret = 1; 790 791 // Perform partial public key validation of RSA keys (SP 800-89 5.3.3). 792 enum bn_primality_result_t primality_result; 793 if (BN_num_bits(key->e) <= 16 || 794 BN_num_bits(key->e) > 256 || 795 !BN_is_odd(key->n) || 796 !BN_is_odd(key->e) || 797 !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) || 798 !BN_is_one(&small_gcd) || 799 !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n, 800 BN_prime_checks, ctx, NULL) || 801 primality_result != bn_non_prime_power_composite) { 802 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED); 803 ret = 0; 804 } 805 806 BN_free(&small_gcd); 807 BN_CTX_free(ctx); 808 809 if (!ret || key->d == NULL || key->p == NULL) { 810 // On a failure or on only a public key, there's nothing else can be 811 // checked. 812 return ret; 813 } 814 815 // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG, 816 // section 9.9, it is not known whether |rsa| will be used for signing or 817 // encryption, so either pair-wise consistency self-test is acceptable. We 818 // perform a signing test. 819 uint8_t data[32] = {0}; 820 unsigned sig_len = RSA_size(key); 821 uint8_t *sig = OPENSSL_malloc(sig_len); 822 if (sig == NULL) { 823 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 824 return 0; 825 } 826 827 if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) { 828 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 829 ret = 0; 830 goto cleanup; 831 } 832 #if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT) 833 data[0] = ~data[0]; 834 #endif 835 if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) { 836 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 837 ret = 0; 838 } 839 840 cleanup: 841 OPENSSL_free(sig); 842 843 return ret; 844 } 845 846 int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, 847 size_t len) { 848 if (rsa->meth->private_transform) { 849 return rsa->meth->private_transform(rsa, out, in, len); 850 } 851 852 return rsa_default_private_transform(rsa, out, in, len); 853 } 854 855 int RSA_flags(const RSA *rsa) { return rsa->flags; } 856 857 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) { 858 return 1; 859 } 860