1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/rsa.h> 58 59 #include <assert.h> 60 #include <limits.h> 61 #include <string.h> 62 63 #include <openssl/bn.h> 64 #include <openssl/err.h> 65 #include <openssl/mem.h> 66 #include <openssl/thread.h> 67 #include <openssl/type_check.h> 68 69 #include "internal.h" 70 #include "../bn/internal.h" 71 #include "../../internal.h" 72 #include "../delocate.h" 73 74 75 static int check_modulus_and_exponent_sizes(const RSA *rsa) { 76 unsigned rsa_bits = BN_num_bits(rsa->n); 77 78 if (rsa_bits > 16 * 1024) { 79 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE); 80 return 0; 81 } 82 83 // Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as 84 // the limit based on the recommendations in [1] and [2]. Windows CryptoAPI 85 // doesn't support values larger than 32 bits [3], so it is unlikely that 86 // exponents larger than 32 bits are being used for anything Windows commonly 87 // does. 88 // 89 // [1] https://www.imperialviolet.org/2012/03/16/rsae.html 90 // [2] https://www.imperialviolet.org/2012/03/17/rsados.html 91 // [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx 92 static const unsigned kMaxExponentBits = 33; 93 94 if (BN_num_bits(rsa->e) > kMaxExponentBits) { 95 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); 96 return 0; 97 } 98 99 // Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small 100 // shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits| 101 // is much smaller than the minimum RSA key size that any application should 102 // accept. 103 if (rsa_bits <= kMaxExponentBits) { 104 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 105 return 0; 106 } 107 assert(BN_ucmp(rsa->n, rsa->e) > 0); 108 109 return 1; 110 } 111 112 size_t rsa_default_size(const RSA *rsa) { 113 return BN_num_bytes(rsa->n); 114 } 115 116 int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 117 const uint8_t *in, size_t in_len, int padding) { 118 if (rsa->n == NULL || rsa->e == NULL) { 119 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 120 return 0; 121 } 122 123 const unsigned rsa_size = RSA_size(rsa); 124 BIGNUM *f, *result; 125 uint8_t *buf = NULL; 126 BN_CTX *ctx = NULL; 127 int i, ret = 0; 128 129 if (max_out < rsa_size) { 130 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL); 131 return 0; 132 } 133 134 if (!check_modulus_and_exponent_sizes(rsa)) { 135 return 0; 136 } 137 138 ctx = BN_CTX_new(); 139 if (ctx == NULL) { 140 goto err; 141 } 142 143 BN_CTX_start(ctx); 144 f = BN_CTX_get(ctx); 145 result = BN_CTX_get(ctx); 146 buf = OPENSSL_malloc(rsa_size); 147 if (!f || !result || !buf) { 148 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 149 goto err; 150 } 151 152 switch (padding) { 153 case RSA_PKCS1_PADDING: 154 i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len); 155 break; 156 case RSA_PKCS1_OAEP_PADDING: 157 // Use the default parameters: SHA-1 for both hashes and no label. 158 i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len, 159 NULL, 0, NULL, NULL); 160 break; 161 case RSA_NO_PADDING: 162 i = RSA_padding_add_none(buf, rsa_size, in, in_len); 163 break; 164 default: 165 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE); 166 goto err; 167 } 168 169 if (i <= 0) { 170 goto err; 171 } 172 173 if (BN_bin2bn(buf, rsa_size, f) == NULL) { 174 goto err; 175 } 176 177 if (BN_ucmp(f, rsa->n) >= 0) { 178 // usually the padding functions would catch this 179 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); 180 goto err; 181 } 182 183 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) || 184 !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) { 185 goto err; 186 } 187 188 // put in leading 0 bytes if the number is less than the length of the 189 // modulus 190 if (!BN_bn2bin_padded(out, rsa_size, result)) { 191 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 192 goto err; 193 } 194 195 *out_len = rsa_size; 196 ret = 1; 197 198 err: 199 if (ctx != NULL) { 200 BN_CTX_end(ctx); 201 BN_CTX_free(ctx); 202 } 203 OPENSSL_free(buf); 204 205 return ret; 206 } 207 208 // MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per 209 // RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and 210 // destroyed as needed. 211 #define MAX_BLINDINGS_PER_RSA 1024 212 213 // rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by 214 // allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If 215 // none are free, the cache will be extended by a extra element and the new 216 // BN_BLINDING is returned. 217 // 218 // On success, the index of the assigned BN_BLINDING is written to 219 // |*index_used| and must be passed to |rsa_blinding_release| when finished. 220 static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used, 221 BN_CTX *ctx) { 222 assert(ctx != NULL); 223 assert(rsa->mont_n != NULL); 224 225 BN_BLINDING *ret = NULL; 226 BN_BLINDING **new_blindings; 227 uint8_t *new_blindings_inuse; 228 char overflow = 0; 229 230 CRYPTO_MUTEX_lock_write(&rsa->lock); 231 232 unsigned i; 233 for (i = 0; i < rsa->num_blindings; i++) { 234 if (rsa->blindings_inuse[i] == 0) { 235 rsa->blindings_inuse[i] = 1; 236 ret = rsa->blindings[i]; 237 *index_used = i; 238 break; 239 } 240 } 241 242 if (ret != NULL) { 243 CRYPTO_MUTEX_unlock_write(&rsa->lock); 244 return ret; 245 } 246 247 overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA; 248 249 // We didn't find a free BN_BLINDING to use so increase the length of 250 // the arrays by one and use the newly created element. 251 252 CRYPTO_MUTEX_unlock_write(&rsa->lock); 253 ret = BN_BLINDING_new(); 254 if (ret == NULL) { 255 return NULL; 256 } 257 258 if (overflow) { 259 // We cannot add any more cached BN_BLINDINGs so we use |ret| 260 // and mark it for destruction in |rsa_blinding_release|. 261 *index_used = MAX_BLINDINGS_PER_RSA; 262 return ret; 263 } 264 265 CRYPTO_MUTEX_lock_write(&rsa->lock); 266 267 new_blindings = 268 OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1)); 269 if (new_blindings == NULL) { 270 goto err1; 271 } 272 OPENSSL_memcpy(new_blindings, rsa->blindings, 273 sizeof(BN_BLINDING *) * rsa->num_blindings); 274 new_blindings[rsa->num_blindings] = ret; 275 276 new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1); 277 if (new_blindings_inuse == NULL) { 278 goto err2; 279 } 280 OPENSSL_memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings); 281 new_blindings_inuse[rsa->num_blindings] = 1; 282 *index_used = rsa->num_blindings; 283 284 OPENSSL_free(rsa->blindings); 285 rsa->blindings = new_blindings; 286 OPENSSL_free(rsa->blindings_inuse); 287 rsa->blindings_inuse = new_blindings_inuse; 288 rsa->num_blindings++; 289 290 CRYPTO_MUTEX_unlock_write(&rsa->lock); 291 return ret; 292 293 err2: 294 OPENSSL_free(new_blindings); 295 296 err1: 297 CRYPTO_MUTEX_unlock_write(&rsa->lock); 298 BN_BLINDING_free(ret); 299 return NULL; 300 } 301 302 // rsa_blinding_release marks the cached BN_BLINDING at the given index as free 303 // for other threads to use. 304 static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding, 305 unsigned blinding_index) { 306 if (blinding_index == MAX_BLINDINGS_PER_RSA) { 307 // This blinding wasn't cached. 308 BN_BLINDING_free(blinding); 309 return; 310 } 311 312 CRYPTO_MUTEX_lock_write(&rsa->lock); 313 rsa->blindings_inuse[blinding_index] = 0; 314 CRYPTO_MUTEX_unlock_write(&rsa->lock); 315 } 316 317 // signing 318 int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, 319 size_t max_out, const uint8_t *in, size_t in_len, 320 int padding) { 321 const unsigned rsa_size = RSA_size(rsa); 322 uint8_t *buf = NULL; 323 int i, ret = 0; 324 325 if (max_out < rsa_size) { 326 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL); 327 return 0; 328 } 329 330 buf = OPENSSL_malloc(rsa_size); 331 if (buf == NULL) { 332 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 333 goto err; 334 } 335 336 switch (padding) { 337 case RSA_PKCS1_PADDING: 338 i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len); 339 break; 340 case RSA_NO_PADDING: 341 i = RSA_padding_add_none(buf, rsa_size, in, in_len); 342 break; 343 default: 344 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE); 345 goto err; 346 } 347 348 if (i <= 0) { 349 goto err; 350 } 351 352 if (!RSA_private_transform(rsa, out, buf, rsa_size)) { 353 goto err; 354 } 355 356 *out_len = rsa_size; 357 ret = 1; 358 359 err: 360 OPENSSL_free(buf); 361 362 return ret; 363 } 364 365 int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 366 const uint8_t *in, size_t in_len, int padding) { 367 const unsigned rsa_size = RSA_size(rsa); 368 uint8_t *buf = NULL; 369 int ret = 0; 370 371 if (max_out < rsa_size) { 372 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL); 373 return 0; 374 } 375 376 if (padding == RSA_NO_PADDING) { 377 buf = out; 378 } else { 379 // Allocate a temporary buffer to hold the padded plaintext. 380 buf = OPENSSL_malloc(rsa_size); 381 if (buf == NULL) { 382 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 383 goto err; 384 } 385 } 386 387 if (in_len != rsa_size) { 388 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN); 389 goto err; 390 } 391 392 if (!RSA_private_transform(rsa, buf, in, rsa_size)) { 393 goto err; 394 } 395 396 switch (padding) { 397 case RSA_PKCS1_PADDING: 398 ret = 399 RSA_padding_check_PKCS1_type_2(out, out_len, rsa_size, buf, rsa_size); 400 break; 401 case RSA_PKCS1_OAEP_PADDING: 402 // Use the default parameters: SHA-1 for both hashes and no label. 403 ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, out_len, rsa_size, buf, 404 rsa_size, NULL, 0, NULL, NULL); 405 break; 406 case RSA_NO_PADDING: 407 *out_len = rsa_size; 408 ret = 1; 409 break; 410 default: 411 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE); 412 goto err; 413 } 414 415 if (!ret) { 416 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED); 417 } 418 419 err: 420 if (padding != RSA_NO_PADDING) { 421 OPENSSL_free(buf); 422 } 423 424 return ret; 425 } 426 427 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); 428 429 int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 430 const uint8_t *in, size_t in_len, int padding) { 431 if (rsa->n == NULL || rsa->e == NULL) { 432 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 433 return 0; 434 } 435 436 const unsigned rsa_size = RSA_size(rsa); 437 BIGNUM *f, *result; 438 439 if (max_out < rsa_size) { 440 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL); 441 return 0; 442 } 443 444 if (in_len != rsa_size) { 445 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN); 446 return 0; 447 } 448 449 if (!check_modulus_and_exponent_sizes(rsa)) { 450 return 0; 451 } 452 453 BN_CTX *ctx = BN_CTX_new(); 454 if (ctx == NULL) { 455 return 0; 456 } 457 458 int ret = 0; 459 uint8_t *buf = NULL; 460 461 BN_CTX_start(ctx); 462 f = BN_CTX_get(ctx); 463 result = BN_CTX_get(ctx); 464 if (f == NULL || result == NULL) { 465 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 466 goto err; 467 } 468 469 if (padding == RSA_NO_PADDING) { 470 buf = out; 471 } else { 472 // Allocate a temporary buffer to hold the padded plaintext. 473 buf = OPENSSL_malloc(rsa_size); 474 if (buf == NULL) { 475 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 476 goto err; 477 } 478 } 479 480 if (BN_bin2bn(in, in_len, f) == NULL) { 481 goto err; 482 } 483 484 if (BN_ucmp(f, rsa->n) >= 0) { 485 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); 486 goto err; 487 } 488 489 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) || 490 !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) { 491 goto err; 492 } 493 494 if (!BN_bn2bin_padded(buf, rsa_size, result)) { 495 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 496 goto err; 497 } 498 499 switch (padding) { 500 case RSA_PKCS1_PADDING: 501 ret = 502 RSA_padding_check_PKCS1_type_1(out, out_len, rsa_size, buf, rsa_size); 503 break; 504 case RSA_NO_PADDING: 505 ret = 1; 506 *out_len = rsa_size; 507 break; 508 default: 509 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE); 510 goto err; 511 } 512 513 if (!ret) { 514 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED); 515 goto err; 516 } 517 518 err: 519 BN_CTX_end(ctx); 520 BN_CTX_free(ctx); 521 if (buf != out) { 522 OPENSSL_free(buf); 523 } 524 return ret; 525 } 526 527 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, 528 size_t len) { 529 if (rsa->n == NULL || rsa->d == NULL) { 530 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 531 return 0; 532 } 533 534 BIGNUM *f, *result; 535 BN_CTX *ctx = NULL; 536 unsigned blinding_index = 0; 537 BN_BLINDING *blinding = NULL; 538 int ret = 0; 539 540 ctx = BN_CTX_new(); 541 if (ctx == NULL) { 542 goto err; 543 } 544 BN_CTX_start(ctx); 545 f = BN_CTX_get(ctx); 546 result = BN_CTX_get(ctx); 547 548 if (f == NULL || result == NULL) { 549 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 550 goto err; 551 } 552 553 if (BN_bin2bn(in, len, f) == NULL) { 554 goto err; 555 } 556 557 if (BN_ucmp(f, rsa->n) >= 0) { 558 // Usually the padding functions would catch this. 559 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); 560 goto err; 561 } 562 563 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) { 564 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 565 goto err; 566 } 567 568 const int do_blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0; 569 570 if (rsa->e == NULL && do_blinding) { 571 // We cannot do blinding or verification without |e|, and continuing without 572 // those countermeasures is dangerous. However, the Java/Android RSA API 573 // requires support for keys where only |d| and |n| (and not |e|) are known. 574 // The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|. 575 OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT); 576 goto err; 577 } 578 579 if (do_blinding) { 580 blinding = rsa_blinding_get(rsa, &blinding_index, ctx); 581 if (blinding == NULL) { 582 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 583 goto err; 584 } 585 if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx)) { 586 goto err; 587 } 588 } 589 590 if (rsa->p != NULL && rsa->q != NULL && rsa->e != NULL && rsa->dmp1 != NULL && 591 rsa->dmq1 != NULL && rsa->iqmp != NULL) { 592 if (!mod_exp(result, f, rsa, ctx)) { 593 goto err; 594 } 595 } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d, rsa->n, ctx, 596 rsa->mont_n)) { 597 goto err; 598 } 599 600 // Verify the result to protect against fault attacks as described in the 601 // 1997 paper "On the Importance of Checking Cryptographic Protocols for 602 // Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some 603 // implementations do this only when the CRT is used, but we do it in all 604 // cases. Section 6 of the aforementioned paper describes an attack that 605 // works when the CRT isn't used. That attack is much less likely to succeed 606 // than the CRT attack, but there have likely been improvements since 1997. 607 // 608 // This check is cheap assuming |e| is small; it almost always is. 609 if (rsa->e != NULL) { 610 BIGNUM *vrfy = BN_CTX_get(ctx); 611 if (vrfy == NULL || 612 !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) || 613 !BN_equal_consttime(vrfy, f)) { 614 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 615 goto err; 616 } 617 618 } 619 620 if (do_blinding && 621 !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) { 622 goto err; 623 } 624 625 if (!BN_bn2bin_padded(out, len, result)) { 626 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 627 goto err; 628 } 629 630 ret = 1; 631 632 err: 633 if (ctx != NULL) { 634 BN_CTX_end(ctx); 635 BN_CTX_free(ctx); 636 } 637 if (blinding != NULL) { 638 rsa_blinding_release(rsa, blinding, blinding_index); 639 } 640 641 return ret; 642 } 643 644 // mod_montgomery sets |r| to |I| mod |p|. |I| must already be fully reduced 645 // modulo |p| times |q|. It returns one on success and zero on error. 646 static int mod_montgomery(BIGNUM *r, const BIGNUM *I, const BIGNUM *p, 647 const BN_MONT_CTX *mont_p, const BIGNUM *q, 648 BN_CTX *ctx) { 649 // Reducing in constant-time with Montgomery reduction requires I <= p * R. We 650 // have I < p * q, so this follows if q < R. In particular, this always holds 651 // if p and q are the same size, which is true for any RSA keys we or anyone 652 // sane generates. For other keys, we fall back to |BN_mod|. 653 if (!bn_less_than_montgomery_R(q, mont_p)) { 654 return BN_mod(r, I, p, ctx); 655 } 656 657 if (// Reduce mod p with Montgomery reduction. This computes I * R^-1 mod p. 658 !BN_from_montgomery(r, I, mont_p, ctx) || 659 // Multiply by R^2 and do another Montgomery reduction to compute 660 // I * R^-1 * R^2 * R^-1 = I mod p. 661 !BN_to_montgomery(r, r, mont_p, ctx)) { 662 return 0; 663 } 664 665 // By precomputing R^3 mod p (normally |BN_MONT_CTX| only uses R^2 mod p) and 666 // adjusting the API for |BN_mod_exp_mont_consttime|, we could instead compute 667 // I * R mod p here and save a reduction per prime. But this would require 668 // changing the RSAZ code and may not be worth it. 669 return 1; 670 } 671 672 static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { 673 assert(ctx != NULL); 674 675 assert(rsa->n != NULL); 676 assert(rsa->e != NULL); 677 assert(rsa->d != NULL); 678 assert(rsa->p != NULL); 679 assert(rsa->q != NULL); 680 assert(rsa->dmp1 != NULL); 681 assert(rsa->dmq1 != NULL); 682 assert(rsa->iqmp != NULL); 683 684 BIGNUM *r1, *m1, *vrfy; 685 int ret = 0; 686 687 BN_CTX_start(ctx); 688 r1 = BN_CTX_get(ctx); 689 m1 = BN_CTX_get(ctx); 690 vrfy = BN_CTX_get(ctx); 691 if (r1 == NULL || 692 m1 == NULL || 693 vrfy == NULL) { 694 goto err; 695 } 696 697 if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) || 698 !BN_MONT_CTX_set_locked(&rsa->mont_q, &rsa->lock, rsa->q, ctx)) { 699 goto err; 700 } 701 702 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) { 703 goto err; 704 } 705 706 // This is a pre-condition for |mod_montgomery|. It was already checked by the 707 // caller. 708 assert(BN_ucmp(I, rsa->n) < 0); 709 710 // compute I mod q 711 if (!mod_montgomery(r1, I, rsa->q, rsa->mont_q, rsa->p, ctx)) { 712 goto err; 713 } 714 715 // compute r1^dmq1 mod q 716 if (!BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1, rsa->q, ctx, rsa->mont_q)) { 717 goto err; 718 } 719 720 // compute I mod p 721 if (!mod_montgomery(r1, I, rsa->p, rsa->mont_p, rsa->q, ctx)) { 722 goto err; 723 } 724 725 // compute r1^dmp1 mod p 726 if (!BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1, rsa->p, ctx, rsa->mont_p)) { 727 goto err; 728 } 729 730 // TODO(davidben): The code below is not constant-time, even ignoring 731 // |bn_correct_top|. To fix this: 732 // 733 // 1. Canonicalize keys on p > q. (p > q for keys we generate, but not ones we 734 // import.) We have exposed structs, but we can generalize the 735 // |BN_MONT_CTX_set_locked| trick to do a one-time canonicalization of the 736 // private key where we optionally swap p and q (re-computing iqmp if 737 // necessary) and fill in mont_*. This removes the p < q case below. 738 // 739 // 2. Compute r0 - m1 (mod p) in constant-time. With (1) done, this is just a 740 // constant-time modular subtraction. It should be doable with 741 // |bn_sub_words| and a select on the borrow bit. 742 // 743 // 3. When computing mont_*, additionally compute iqmp_mont, iqmp in 744 // Montgomery form. The |BN_mul| and |BN_mod| pair can then be replaced 745 // with |BN_mod_mul_montgomery|. 746 747 if (!BN_sub(r0, r0, m1)) { 748 goto err; 749 } 750 // This will help stop the size of r0 increasing, which does 751 // affect the multiply if it optimised for a power of 2 size 752 if (BN_is_negative(r0)) { 753 if (!BN_add(r0, r0, rsa->p)) { 754 goto err; 755 } 756 } 757 758 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) { 759 goto err; 760 } 761 762 if (!BN_mod(r0, r1, rsa->p, ctx)) { 763 goto err; 764 } 765 766 // If p < q it is occasionally possible for the correction of 767 // adding 'p' if r0 is negative above to leave the result still 768 // negative. This can break the private key operations: the following 769 // second correction should *always* correct this rare occurrence. 770 // This will *never* happen with OpenSSL generated keys because 771 // they ensure p > q [steve] 772 if (BN_is_negative(r0)) { 773 if (!BN_add(r0, r0, rsa->p)) { 774 goto err; 775 } 776 } 777 if (!BN_mul(r1, r0, rsa->q, ctx)) { 778 goto err; 779 } 780 if (!BN_add(r0, r1, m1)) { 781 goto err; 782 } 783 784 ret = 1; 785 786 err: 787 BN_CTX_end(ctx); 788 return ret; 789 } 790 791 static int ensure_bignum(BIGNUM **out) { 792 if (*out == NULL) { 793 *out = BN_new(); 794 } 795 return *out != NULL; 796 } 797 798 // kBoringSSLRSASqrtTwo is the BIGNUM representation of 22. This is 799 // chosen to give enough precision for 3072-bit RSA, the largest key size FIPS 800 // specifies. Key sizes beyond this will round up. 801 // 802 // To verify this number, check that n < 2 < (n+1), where n is value 803 // represented here. Note the components are listed in little-endian order. Here 804 // is some sample Python code to check: 805 // 806 // >>> TOBN = lambda a, b: a << 32 | b 807 // >>> l = [ <paste the contents of kSqrtTwo> ] 808 // >>> n = sum(a * 2**(64*i) for i, a in enumerate(l)) 809 // >>> n**2 < 2**3071 < (n+1)**2 810 // True 811 const BN_ULONG kBoringSSLRSASqrtTwo[] = { 812 TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307), 813 TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f), 814 TOBN(0xb8cf341b, 0x6f8236c7), TOBN(0x4264dabc, 0xd528b651), 815 TOBN(0xf4d3a02c, 0xebc93e0c), TOBN(0x81394ab6, 0xd8fd0efd), 816 TOBN(0xeaa4a089, 0x9040ca4a), TOBN(0xf52f120f, 0x836e582e), 817 TOBN(0xcb2a6343, 0x31f3c84d), TOBN(0xc6d5a8a3, 0x8bb7e9dc), 818 TOBN(0x460abc72, 0x2f7c4e33), TOBN(0xcab1bc91, 0x1688458a), 819 TOBN(0x53059c60, 0x11bc337b), TOBN(0xd2202e87, 0x42af1f4e), 820 TOBN(0x78048736, 0x3dfa2768), TOBN(0x0f74a85e, 0x439c7b4a), 821 TOBN(0xa8b1fe6f, 0xdc83db39), TOBN(0x4afc8304, 0x3ab8a2c3), 822 TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c), 823 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484), 824 }; 825 const size_t kBoringSSLRSASqrtTwoLen = OPENSSL_ARRAY_SIZE(kBoringSSLRSASqrtTwo); 826 827 int rsa_greater_than_pow2(const BIGNUM *b, int n) { 828 if (BN_is_negative(b) || n == INT_MAX) { 829 return 0; 830 } 831 832 int b_bits = BN_num_bits(b); 833 return b_bits > n + 1 || (b_bits == n + 1 && !BN_is_pow2(b)); 834 } 835 836 // generate_prime sets |out| to a prime with length |bits| such that |out|-1 is 837 // relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to 838 // |p|. 839 static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, 840 const BIGNUM *p, const BIGNUM *sqrt2, BN_CTX *ctx, 841 BN_GENCB *cb) { 842 if (bits < 128 || (bits % BN_BITS2) != 0) { 843 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 844 return 0; 845 } 846 847 // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is nlen/2. 848 849 // Use the limit from steps 4.7 and 5.8 for most values of |e|. When |e| is 3, 850 // the 186-4 limit is too low, so we use a higher one. Note this case is not 851 // reachable from |RSA_generate_key_fips|. 852 if (bits >= INT_MAX/32) { 853 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE); 854 return 0; 855 } 856 int limit = BN_is_word(e, 3) ? bits * 32 : bits * 5; 857 858 int ret = 0, tries = 0, rand_tries = 0; 859 BN_CTX_start(ctx); 860 BIGNUM *tmp = BN_CTX_get(ctx); 861 if (tmp == NULL) { 862 goto err; 863 } 864 865 for (;;) { 866 // Generate a random number of length |bits| where the bottom bit is set 867 // (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the 868 // bound checked below in steps 4.4 and 5.5). 869 if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) || 870 !BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) { 871 goto err; 872 } 873 874 if (p != NULL) { 875 // If |p| and |out| are too close, try again (step 5.4). 876 if (!BN_sub(tmp, out, p)) { 877 goto err; 878 } 879 BN_set_negative(tmp, 0); 880 if (!rsa_greater_than_pow2(tmp, bits - 100)) { 881 continue; 882 } 883 } 884 885 // If out < 2^(bits-1)2, try again (steps 4.4 and 5.5). This is equivalent 886 // to out <= 2^(bits-1)2, or out <= sqrt2 for FIPS key sizes. 887 // 888 // For larger keys, the comparison is approximate, leaning towards 889 // retrying. That is, we reject a negligible fraction of primes that are 890 // within the FIPS bound, but we will never accept a prime outside the 891 // bound, ensuring the resulting RSA key is the right size. 892 if (!BN_less_than_consttime(sqrt2, out)) { 893 continue; 894 } 895 896 // Check gcd(out-1, e) is one (steps 4.5 and 5.6). 897 if (!BN_sub(tmp, out, BN_value_one()) || 898 !BN_gcd(tmp, tmp, e, ctx)) { 899 goto err; 900 } 901 if (BN_is_one(tmp)) { 902 // Test |out| for primality (steps 4.5.1 and 5.6.1). 903 int is_probable_prime; 904 if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 1, 905 cb)) { 906 goto err; 907 } 908 if (is_probable_prime) { 909 ret = 1; 910 goto err; 911 } 912 } 913 914 // If we've tried too many times to find a prime, abort (steps 4.7 and 915 // 5.8). 916 tries++; 917 if (tries >= limit) { 918 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS); 919 goto err; 920 } 921 if (!BN_GENCB_call(cb, 2, tries)) { 922 goto err; 923 } 924 } 925 926 err: 927 BN_CTX_end(ctx); 928 return ret; 929 } 930 931 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { 932 // See FIPS 186-4 appendix B.3. This function implements a generalized version 933 // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks 934 // for FIPS-compliant key generation. 935 936 // Always generate RSA keys which are a multiple of 128 bits. Round |bits| 937 // down as needed. 938 bits &= ~127; 939 940 // Reject excessively small keys. 941 if (bits < 256) { 942 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 943 return 0; 944 } 945 946 int ret = 0; 947 BN_CTX *ctx = BN_CTX_new(); 948 if (ctx == NULL) { 949 goto bn_err; 950 } 951 BN_CTX_start(ctx); 952 BIGNUM *totient = BN_CTX_get(ctx); 953 BIGNUM *pm1 = BN_CTX_get(ctx); 954 BIGNUM *qm1 = BN_CTX_get(ctx); 955 BIGNUM *gcd = BN_CTX_get(ctx); 956 BIGNUM *sqrt2 = BN_CTX_get(ctx); 957 if (totient == NULL || pm1 == NULL || qm1 == NULL || gcd == NULL || 958 sqrt2 == NULL) { 959 goto bn_err; 960 } 961 962 // We need the RSA components non-NULL. 963 if (!ensure_bignum(&rsa->n) || 964 !ensure_bignum(&rsa->d) || 965 !ensure_bignum(&rsa->e) || 966 !ensure_bignum(&rsa->p) || 967 !ensure_bignum(&rsa->q) || 968 !ensure_bignum(&rsa->dmp1) || 969 !ensure_bignum(&rsa->dmq1) || 970 !ensure_bignum(&rsa->iqmp)) { 971 goto bn_err; 972 } 973 974 if (!BN_copy(rsa->e, e_value)) { 975 goto bn_err; 976 } 977 978 int prime_bits = bits / 2; 979 980 // Compute sqrt2 >= 2^(prime_bits-1)2. 981 if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) { 982 goto bn_err; 983 } 984 int sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2; 985 assert(sqrt2_bits == (int)BN_num_bits(sqrt2)); 986 if (sqrt2_bits > prime_bits) { 987 // For key sizes up to 3072 (prime_bits = 1536), this is exactly 988 // 2^(prime_bits-1)2. 989 if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) { 990 goto bn_err; 991 } 992 } else if (prime_bits > sqrt2_bits) { 993 // For key sizes beyond 3072, this is approximate. We err towards retrying 994 // to ensure our key is the right size and round up. 995 if (!BN_add_word(sqrt2, 1) || 996 !BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) { 997 goto bn_err; 998 } 999 } 1000 assert(prime_bits == (int)BN_num_bits(sqrt2)); 1001 1002 do { 1003 // Generate p and q, each of size |prime_bits|, using the steps outlined in 1004 // appendix FIPS 186-4 appendix B.3.3. 1005 if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2, ctx, cb) || 1006 !BN_GENCB_call(cb, 3, 0) || 1007 !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2, ctx, cb) || 1008 !BN_GENCB_call(cb, 3, 1)) { 1009 goto bn_err; 1010 } 1011 1012 if (BN_cmp(rsa->p, rsa->q) < 0) { 1013 BIGNUM *tmp = rsa->p; 1014 rsa->p = rsa->q; 1015 rsa->q = tmp; 1016 } 1017 1018 // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs 1019 // from typical RSA implementations which use (p-1)*(q-1). 1020 // 1021 // Note this means the size of d might reveal information about p-1 and 1022 // q-1. However, we do operations with Chinese Remainder Theorem, so we only 1023 // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient 1024 // does not affect those two values. 1025 if (!BN_sub(pm1, rsa->p, BN_value_one()) || 1026 !BN_sub(qm1, rsa->q, BN_value_one()) || 1027 !BN_mul(totient, pm1, qm1, ctx) || 1028 !BN_gcd(gcd, pm1, qm1, ctx) || 1029 !BN_div(totient, NULL, totient, gcd, ctx) || 1030 !BN_mod_inverse(rsa->d, rsa->e, totient, ctx)) { 1031 goto bn_err; 1032 } 1033 1034 // Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See 1035 // appendix B.3.1's guidance on values for d. 1036 } while (!rsa_greater_than_pow2(rsa->d, prime_bits)); 1037 1038 if (// Calculate n. 1039 !BN_mul(rsa->n, rsa->p, rsa->q, ctx) || 1040 // Calculate d mod (p-1). 1041 !BN_mod(rsa->dmp1, rsa->d, pm1, ctx) || 1042 // Calculate d mod (q-1) 1043 !BN_mod(rsa->dmq1, rsa->d, qm1, ctx)) { 1044 goto bn_err; 1045 } 1046 1047 // Sanity-check that |rsa->n| has the specified size. This is implied by 1048 // |generate_prime|'s bounds. 1049 if (BN_num_bits(rsa->n) != (unsigned)bits) { 1050 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 1051 goto err; 1052 } 1053 1054 // Calculate inverse of q mod p. Note that although RSA key generation is far 1055 // from constant-time, |bn_mod_inverse_secret_prime| uses the same modular 1056 // exponentation logic as in RSA private key operations and, if the RSAZ-1024 1057 // code is enabled, will be optimized for common RSA prime sizes. 1058 if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) || 1059 !bn_mod_inverse_secret_prime(rsa->iqmp, rsa->q, rsa->p, ctx, 1060 rsa->mont_p)) { 1061 goto bn_err; 1062 } 1063 1064 // The key generation process is complex and thus error-prone. It could be 1065 // disastrous to generate and then use a bad key so double-check that the key 1066 // makes sense. 1067 if (!RSA_check_key(rsa)) { 1068 OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR); 1069 goto err; 1070 } 1071 1072 ret = 1; 1073 1074 bn_err: 1075 if (!ret) { 1076 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1077 } 1078 err: 1079 if (ctx != NULL) { 1080 BN_CTX_end(ctx); 1081 BN_CTX_free(ctx); 1082 } 1083 return ret; 1084 } 1085 1086 int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) { 1087 // FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit 1088 // primes, respectively) with the prime generation method we use. 1089 if (bits != 2048 && bits != 3072) { 1090 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS); 1091 return 0; 1092 } 1093 1094 BIGNUM *e = BN_new(); 1095 int ret = e != NULL && 1096 BN_set_word(e, RSA_F4) && 1097 RSA_generate_key_ex(rsa, bits, e, cb) && 1098 RSA_check_fips(rsa); 1099 BN_free(e); 1100 return ret; 1101 } 1102 1103 DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) { 1104 // All of the methods are NULL to make it easier for the compiler/linker to 1105 // drop unused functions. The wrapper functions will select the appropriate 1106 // |rsa_default_*| implementation. 1107 OPENSSL_memset(out, 0, sizeof(RSA_METHOD)); 1108 out->common.is_static = 1; 1109 } 1110
