/src/boringssl/crypto/fipsmodule/rsa/rsa.cc.inc
Line | Count | Source |
1 | | // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/rsa.h> |
16 | | |
17 | | #include <assert.h> |
18 | | #include <limits.h> |
19 | | #include <string.h> |
20 | | |
21 | | #include <iterator> |
22 | | |
23 | | #include <openssl/bn.h> |
24 | | #include <openssl/digest.h> |
25 | | #include <openssl/engine.h> |
26 | | #include <openssl/err.h> |
27 | | #include <openssl/ex_data.h> |
28 | | #include <openssl/md5.h> |
29 | | #include <openssl/mem.h> |
30 | | #include <openssl/nid.h> |
31 | | |
32 | | #include "../../internal.h" |
33 | | #include "../../mem_internal.h" |
34 | | #include "../bcm_interface.h" |
35 | | #include "../bn/internal.h" |
36 | | #include "../delocate.h" |
37 | | #include "internal.h" |
38 | | |
39 | | |
40 | | using namespace bssl; |
41 | | |
42 | | // RSA_R_BLOCK_TYPE_IS_NOT_02 is part of the legacy SSLv23 padding scheme. |
43 | | // Cryptography.io depends on this error code. |
44 | | OPENSSL_DECLARE_ERROR_REASON(RSA, BLOCK_TYPE_IS_NOT_02) |
45 | | |
46 | | DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class) |
47 | | |
48 | 0 | static int bn_dup_into(BIGNUM **dst, const BIGNUM *src) { |
49 | 0 | if (src == nullptr) { |
50 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); |
51 | 0 | return 0; |
52 | 0 | } |
53 | | |
54 | 0 | BN_free(*dst); |
55 | 0 | *dst = BN_dup(src); |
56 | 0 | return *dst != nullptr; |
57 | 0 | } |
58 | | |
59 | 0 | RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e) { |
60 | 0 | RSAImpl *rsa = FromOpaque(RSA_new()); |
61 | 0 | if (rsa == nullptr || // |
62 | 0 | !bn_dup_into(&rsa->n, n) || // |
63 | 0 | !bn_dup_into(&rsa->e, e) || // |
64 | 0 | !RSA_check_key(rsa)) { |
65 | 0 | RSA_free(rsa); |
66 | 0 | return nullptr; |
67 | 0 | } |
68 | | |
69 | 0 | return rsa; |
70 | 0 | } |
71 | | |
72 | | RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d, |
73 | | const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1, |
74 | 0 | const BIGNUM *dmq1, const BIGNUM *iqmp) { |
75 | 0 | RSAImpl *rsa = FromOpaque(RSA_new()); |
76 | 0 | if (rsa == nullptr || // |
77 | 0 | !bn_dup_into(&rsa->n, n) || // |
78 | 0 | !bn_dup_into(&rsa->e, e) || // |
79 | 0 | !bn_dup_into(&rsa->d, d) || // |
80 | 0 | !bn_dup_into(&rsa->p, p) || // |
81 | 0 | !bn_dup_into(&rsa->q, q) || // |
82 | 0 | !bn_dup_into(&rsa->dmp1, dmp1) || // |
83 | 0 | !bn_dup_into(&rsa->dmq1, dmq1) || // |
84 | 0 | !bn_dup_into(&rsa->iqmp, iqmp) || // |
85 | 0 | !RSA_check_key(rsa)) { |
86 | 0 | RSA_free(rsa); |
87 | 0 | return nullptr; |
88 | 0 | } |
89 | | |
90 | 0 | return rsa; |
91 | 0 | } |
92 | | |
93 | | RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e, |
94 | 0 | const BIGNUM *d) { |
95 | 0 | RSAImpl *rsa = FromOpaque(RSA_new()); |
96 | 0 | if (rsa == nullptr || // |
97 | 0 | !bn_dup_into(&rsa->n, n) || // |
98 | 0 | !bn_dup_into(&rsa->e, e) || // |
99 | 0 | !bn_dup_into(&rsa->d, d) || // |
100 | 0 | !RSA_check_key(rsa)) { |
101 | 0 | RSA_free(rsa); |
102 | 0 | return nullptr; |
103 | 0 | } |
104 | | |
105 | 0 | return rsa; |
106 | 0 | } |
107 | | |
108 | 0 | RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d) { |
109 | 0 | RSAImpl *rsa = FromOpaque(RSA_new()); |
110 | 0 | if (rsa == nullptr) { |
111 | 0 | return nullptr; |
112 | 0 | } |
113 | | |
114 | 0 | rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT; |
115 | 0 | if (!bn_dup_into(&rsa->n, n) || // |
116 | 0 | !bn_dup_into(&rsa->d, d) || // |
117 | 0 | !RSA_check_key(rsa)) { |
118 | 0 | RSA_free(rsa); |
119 | 0 | return nullptr; |
120 | 0 | } |
121 | | |
122 | 0 | return rsa; |
123 | 0 | } |
124 | | |
125 | 0 | RSA *RSA_new_public_key_large_e(const BIGNUM *n, const BIGNUM *e) { |
126 | 0 | RSAImpl *rsa = FromOpaque(RSA_new()); |
127 | 0 | if (rsa == nullptr) { |
128 | 0 | return nullptr; |
129 | 0 | } |
130 | | |
131 | 0 | rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT; |
132 | 0 | if (!bn_dup_into(&rsa->n, n) || // |
133 | 0 | !bn_dup_into(&rsa->e, e) || // |
134 | 0 | !RSA_check_key(rsa)) { |
135 | 0 | RSA_free(rsa); |
136 | 0 | return nullptr; |
137 | 0 | } |
138 | | |
139 | 0 | return rsa; |
140 | 0 | } |
141 | | |
142 | | RSA *RSA_new_private_key_large_e(const BIGNUM *n, const BIGNUM *e, |
143 | | const BIGNUM *d, const BIGNUM *p, |
144 | | const BIGNUM *q, const BIGNUM *dmp1, |
145 | 0 | const BIGNUM *dmq1, const BIGNUM *iqmp) { |
146 | 0 | RSAImpl *rsa = FromOpaque(RSA_new()); |
147 | 0 | if (rsa == nullptr) { |
148 | 0 | return nullptr; |
149 | 0 | } |
150 | | |
151 | 0 | rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT; |
152 | 0 | if (!bn_dup_into(&rsa->n, n) || // |
153 | 0 | !bn_dup_into(&rsa->e, e) || // |
154 | 0 | !bn_dup_into(&rsa->d, d) || // |
155 | 0 | !bn_dup_into(&rsa->p, p) || // |
156 | 0 | !bn_dup_into(&rsa->q, q) || // |
157 | 0 | !bn_dup_into(&rsa->dmp1, dmp1) || // |
158 | 0 | !bn_dup_into(&rsa->dmq1, dmq1) || // |
159 | 0 | !bn_dup_into(&rsa->iqmp, iqmp) || // |
160 | 0 | !RSA_check_key(rsa)) { |
161 | 0 | RSA_free(rsa); |
162 | 0 | return nullptr; |
163 | 0 | } |
164 | | |
165 | 0 | return rsa; |
166 | 0 | } |
167 | | |
168 | | RSAImpl::RSAImpl(const ENGINE *engine) |
169 | 114k | : RefCounted(CheckSubClass()), |
170 | 114k | meth(engine ? ENGINE_get_RSA_method(engine) : nullptr) { |
171 | 114k | if (meth == nullptr) { |
172 | 114k | meth = (RSA_METHOD *)RSA_default_method(); |
173 | 114k | } |
174 | 114k | METHOD_ref(meth); |
175 | 114k | flags = meth->flags; |
176 | 114k | CRYPTO_MUTEX_init(&lock); |
177 | 114k | CRYPTO_new_ex_data(&ex_data); |
178 | 114k | } |
179 | | |
180 | 114k | RSA *RSA_new() { return RSA_new_method(nullptr); } |
181 | | |
182 | 114k | RSA *RSA_new_method(const ENGINE *engine) { |
183 | 114k | UniquePtr<RSAImpl> rsa(New<RSAImpl>(engine)); |
184 | 114k | if (rsa == nullptr) { |
185 | 0 | return nullptr; |
186 | 0 | } |
187 | | |
188 | 114k | if (rsa->meth->init && !rsa->meth->init(rsa.get())) { |
189 | 0 | METHOD_unref(rsa->meth); |
190 | 0 | rsa->meth = nullptr; |
191 | 0 | return nullptr; |
192 | 0 | } |
193 | | |
194 | 114k | return rsa.release(); |
195 | 114k | } |
196 | | |
197 | 0 | RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n) { |
198 | 0 | RSAImpl *rsa = FromOpaque(RSA_new_method(engine)); |
199 | 0 | if (rsa == nullptr || !bn_dup_into(&rsa->n, n)) { |
200 | 0 | RSA_free(rsa); |
201 | 0 | return nullptr; |
202 | 0 | } |
203 | 0 | rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT; |
204 | 0 | return rsa; |
205 | 0 | } |
206 | | |
207 | 114k | RSAImpl::~RSAImpl() { |
208 | 114k | if (meth != nullptr && meth->finish != nullptr) { |
209 | 0 | meth->finish(this); |
210 | 0 | } |
211 | 114k | METHOD_unref(meth); |
212 | | |
213 | 114k | CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), &ex_data); |
214 | | |
215 | 114k | BN_free(n); |
216 | 114k | BN_free(e); |
217 | 114k | BN_free(d); |
218 | 114k | BN_free(p); |
219 | 114k | BN_free(q); |
220 | 114k | BN_free(dmp1); |
221 | 114k | BN_free(dmq1); |
222 | 114k | BN_free(iqmp); |
223 | 114k | rsa_invalidate_key(this); |
224 | 114k | CRYPTO_MUTEX_cleanup(&lock); |
225 | 114k | } |
226 | | |
227 | 139k | void RSA_free(RSA *rsa) { |
228 | 139k | if (rsa == nullptr) { |
229 | 24.6k | return; |
230 | 24.6k | } |
231 | | |
232 | 114k | auto *impl = FromOpaque(rsa); |
233 | 114k | impl->DecRefInternal(); |
234 | 114k | } |
235 | | |
236 | 12 | int RSA_up_ref(RSA *rsa) { |
237 | 12 | auto *impl = FromOpaque(rsa); |
238 | 12 | impl->UpRefInternal(); |
239 | 12 | return 1; |
240 | 12 | } |
241 | | |
242 | 0 | unsigned RSA_bits(const RSA *rsa) { |
243 | 0 | auto *impl = FromOpaque(rsa); |
244 | 0 | return BN_num_bits(impl->n); |
245 | 0 | } |
246 | | |
247 | 27.9k | const BIGNUM *RSA_get0_n(const RSA *rsa) { |
248 | 27.9k | auto *impl = FromOpaque(rsa); |
249 | 27.9k | return impl->n; |
250 | 27.9k | } |
251 | | |
252 | 21.2k | const BIGNUM *RSA_get0_e(const RSA *rsa) { |
253 | 21.2k | auto *impl = FromOpaque(rsa); |
254 | 21.2k | return impl->e; |
255 | 21.2k | } |
256 | | |
257 | 6.77k | const BIGNUM *RSA_get0_d(const RSA *rsa) { |
258 | 6.77k | auto *impl = FromOpaque(rsa); |
259 | 6.77k | return impl->d; |
260 | 6.77k | } |
261 | | |
262 | 0 | const BIGNUM *RSA_get0_p(const RSA *rsa) { |
263 | 0 | auto *impl = FromOpaque(rsa); |
264 | 0 | return impl->p; |
265 | 0 | } |
266 | | |
267 | 0 | const BIGNUM *RSA_get0_q(const RSA *rsa) { |
268 | 0 | auto *impl = FromOpaque(rsa); |
269 | 0 | return impl->q; |
270 | 0 | } |
271 | | |
272 | 0 | const BIGNUM *RSA_get0_dmp1(const RSA *rsa) { |
273 | 0 | auto *impl = FromOpaque(rsa); |
274 | 0 | return impl->dmp1; |
275 | 0 | } |
276 | | |
277 | 0 | const BIGNUM *RSA_get0_dmq1(const RSA *rsa) { |
278 | 0 | auto *impl = FromOpaque(rsa); |
279 | 0 | return impl->dmq1; |
280 | 0 | } |
281 | | |
282 | 0 | const BIGNUM *RSA_get0_iqmp(const RSA *rsa) { |
283 | 0 | auto *impl = FromOpaque(rsa); |
284 | 0 | return impl->iqmp; |
285 | 0 | } |
286 | | |
287 | | void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e, |
288 | 0 | const BIGNUM **out_d) { |
289 | 0 | auto *impl = FromOpaque(rsa); |
290 | 0 | if (out_n != nullptr) { |
291 | 0 | *out_n = impl->n; |
292 | 0 | } |
293 | 0 | if (out_e != nullptr) { |
294 | 0 | *out_e = impl->e; |
295 | 0 | } |
296 | 0 | if (out_d != nullptr) { |
297 | 0 | *out_d = impl->d; |
298 | 0 | } |
299 | 0 | } |
300 | | |
301 | | void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, |
302 | 0 | const BIGNUM **out_q) { |
303 | 0 | auto *impl = FromOpaque(rsa); |
304 | 0 | if (out_p != nullptr) { |
305 | 0 | *out_p = impl->p; |
306 | 0 | } |
307 | 0 | if (out_q != nullptr) { |
308 | 0 | *out_q = impl->q; |
309 | 0 | } |
310 | 0 | } |
311 | | |
312 | | void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, |
313 | 0 | const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) { |
314 | 0 | auto *impl = FromOpaque(rsa); |
315 | 0 | if (out_dmp1 != nullptr) { |
316 | 0 | *out_dmp1 = impl->dmp1; |
317 | 0 | } |
318 | 0 | if (out_dmq1 != nullptr) { |
319 | 0 | *out_dmq1 = impl->dmq1; |
320 | 0 | } |
321 | 0 | if (out_iqmp != nullptr) { |
322 | 0 | *out_iqmp = impl->iqmp; |
323 | 0 | } |
324 | 0 | } |
325 | | |
326 | 0 | int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) { |
327 | 0 | auto *impl = FromOpaque(rsa); |
328 | |
|
329 | 0 | if ((impl->n == nullptr && n == nullptr) || |
330 | 0 | (impl->e == nullptr && e == nullptr)) { |
331 | 0 | return 0; |
332 | 0 | } |
333 | | |
334 | 0 | if (n != nullptr) { |
335 | 0 | BN_free(impl->n); |
336 | 0 | impl->n = n; |
337 | 0 | } |
338 | 0 | if (e != nullptr) { |
339 | 0 | BN_free(impl->e); |
340 | 0 | impl->e = e; |
341 | 0 | } |
342 | 0 | if (d != nullptr) { |
343 | 0 | BN_free(impl->d); |
344 | 0 | impl->d = d; |
345 | 0 | } |
346 | |
|
347 | 0 | rsa_invalidate_key(rsa); |
348 | 0 | return 1; |
349 | 0 | } |
350 | | |
351 | 0 | int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) { |
352 | 0 | auto *impl = FromOpaque(rsa); |
353 | |
|
354 | 0 | if ((impl->p == nullptr && p == nullptr) || |
355 | 0 | (impl->q == nullptr && q == nullptr)) { |
356 | 0 | return 0; |
357 | 0 | } |
358 | | |
359 | 0 | if (p != nullptr) { |
360 | 0 | BN_free(impl->p); |
361 | 0 | impl->p = p; |
362 | 0 | } |
363 | 0 | if (q != nullptr) { |
364 | 0 | BN_free(impl->q); |
365 | 0 | impl->q = q; |
366 | 0 | } |
367 | |
|
368 | 0 | rsa_invalidate_key(rsa); |
369 | 0 | return 1; |
370 | 0 | } |
371 | | |
372 | 0 | int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) { |
373 | 0 | auto *impl = FromOpaque(rsa); |
374 | |
|
375 | 0 | if ((impl->dmp1 == nullptr && dmp1 == nullptr) || |
376 | 0 | (impl->dmq1 == nullptr && dmq1 == nullptr) || |
377 | 0 | (impl->iqmp == nullptr && iqmp == nullptr)) { |
378 | 0 | return 0; |
379 | 0 | } |
380 | | |
381 | 0 | if (dmp1 != nullptr) { |
382 | 0 | BN_free(impl->dmp1); |
383 | 0 | impl->dmp1 = dmp1; |
384 | 0 | } |
385 | 0 | if (dmq1 != nullptr) { |
386 | 0 | BN_free(impl->dmq1); |
387 | 0 | impl->dmq1 = dmq1; |
388 | 0 | } |
389 | 0 | if (iqmp != nullptr) { |
390 | 0 | BN_free(impl->iqmp); |
391 | 0 | impl->iqmp = iqmp; |
392 | 0 | } |
393 | |
|
394 | 0 | rsa_invalidate_key(rsa); |
395 | 0 | return 1; |
396 | 0 | } |
397 | | |
398 | | static int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, |
399 | | size_t max_out, const uint8_t *in, |
400 | 21.3k | size_t in_len, int padding) { |
401 | 21.3k | auto *impl = FromOpaque(rsa); |
402 | | |
403 | 21.3k | if (impl->meth->sign_raw) { |
404 | 0 | return impl->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, |
405 | 0 | padding); |
406 | 0 | } |
407 | | |
408 | 21.3k | return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding); |
409 | 21.3k | } |
410 | | |
411 | | int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
412 | 15.7k | const uint8_t *in, size_t in_len, int padding) { |
413 | 15.7k | boringssl_ensure_rsa_self_test(); |
414 | 15.7k | return rsa_sign_raw_no_self_test(rsa, out_len, out, max_out, in, in_len, |
415 | 15.7k | padding); |
416 | 15.7k | } |
417 | | |
418 | 232k | unsigned RSA_size(const RSA *rsa) { |
419 | 232k | auto *impl = FromOpaque(rsa); |
420 | 232k | return BN_num_bytes(impl->n); |
421 | 232k | } |
422 | | |
423 | 10.6k | int RSA_is_opaque(const RSA *rsa) { |
424 | 10.6k | auto *impl = FromOpaque(rsa); |
425 | 10.6k | return impl->meth && (impl->meth->flags & RSA_FLAG_OPAQUE); |
426 | 10.6k | } |
427 | | |
428 | | int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, |
429 | 0 | CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { |
430 | 0 | return CRYPTO_get_ex_new_index_ex(g_rsa_ex_data_class_bss_get(), argl, argp, |
431 | 0 | free_func); |
432 | 0 | } |
433 | | |
434 | 0 | int RSA_set_ex_data(RSA *rsa, int idx, void *arg) { |
435 | 0 | auto *impl = FromOpaque(rsa); |
436 | 0 | return CRYPTO_set_ex_data(&impl->ex_data, idx, arg); |
437 | 0 | } |
438 | | |
439 | 0 | void *RSA_get_ex_data(const RSA *rsa, int idx) { |
440 | 0 | auto *impl = FromOpaque(rsa); |
441 | 0 | return CRYPTO_get_ex_data(&impl->ex_data, idx); |
442 | 0 | } |
443 | | |
444 | | // SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's |
445 | | // the length of an MD5 and SHA1 hash. |
446 | | static const unsigned SSL_SIG_LENGTH = 36; |
447 | | |
448 | | // pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is |
449 | | // to be signed with PKCS#1. |
450 | | struct pkcs1_sig_prefix { |
451 | | // nid identifies the hash function. |
452 | | int nid; |
453 | | // hash_len is the expected length of the hash function. |
454 | | uint8_t hash_len; |
455 | | // len is the number of bytes of |bytes| which are valid. |
456 | | uint8_t len; |
457 | | // bytes contains the DER bytes. |
458 | | uint8_t bytes[19]; |
459 | | }; |
460 | | |
461 | | // kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with |
462 | | // different hash functions. |
463 | | static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = { |
464 | | { |
465 | | NID_md5, |
466 | | MD5_DIGEST_LENGTH, |
467 | | 18, |
468 | | {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
469 | | 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}, |
470 | | }, |
471 | | { |
472 | | NID_sha1, |
473 | | SHA_DIGEST_LENGTH, |
474 | | 15, |
475 | | {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, |
476 | | 0x00, 0x04, 0x14}, |
477 | | }, |
478 | | { |
479 | | NID_sha224, |
480 | | SHA224_DIGEST_LENGTH, |
481 | | 19, |
482 | | {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
483 | | 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}, |
484 | | }, |
485 | | { |
486 | | NID_sha256, |
487 | | SHA256_DIGEST_LENGTH, |
488 | | 19, |
489 | | {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
490 | | 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}, |
491 | | }, |
492 | | { |
493 | | NID_sha384, |
494 | | SHA384_DIGEST_LENGTH, |
495 | | 19, |
496 | | {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
497 | | 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}, |
498 | | }, |
499 | | { |
500 | | NID_sha512, |
501 | | SHA512_DIGEST_LENGTH, |
502 | | 19, |
503 | | {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
504 | | 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}, |
505 | | }, |
506 | | { |
507 | | NID_undef, |
508 | | 0, |
509 | | 0, |
510 | | {0}, |
511 | | }, |
512 | | }; |
513 | | |
514 | 9.75k | static int rsa_check_digest_size(int hash_nid, size_t digest_len) { |
515 | 9.75k | if (hash_nid == NID_md5_sha1) { |
516 | 2.99k | if (digest_len != SSL_SIG_LENGTH) { |
517 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
518 | 0 | return 0; |
519 | 0 | } |
520 | 2.99k | return 1; |
521 | 2.99k | } |
522 | | |
523 | 25.0k | for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) { |
524 | 25.0k | const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i]; |
525 | 25.0k | if (sig_prefix->nid == hash_nid) { |
526 | 6.76k | if (digest_len != sig_prefix->hash_len) { |
527 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
528 | 0 | return 0; |
529 | 0 | } |
530 | 6.76k | return 1; |
531 | 6.76k | } |
532 | 25.0k | } |
533 | | |
534 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); |
535 | 0 | return 0; |
536 | 6.76k | } |
537 | | |
538 | | int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, |
539 | | int *is_alloced, int hash_nid, const uint8_t *digest, |
540 | 9.75k | size_t digest_len) { |
541 | 9.75k | if (!rsa_check_digest_size(hash_nid, digest_len)) { |
542 | 0 | return 0; |
543 | 0 | } |
544 | | |
545 | 9.75k | if (hash_nid == NID_md5_sha1) { |
546 | | // The length should already have been checked. |
547 | 2.99k | assert(digest_len == SSL_SIG_LENGTH); |
548 | 2.99k | *out_msg = (uint8_t *)digest; |
549 | 2.99k | *out_msg_len = digest_len; |
550 | 2.99k | *is_alloced = 0; |
551 | 2.99k | return 1; |
552 | 2.99k | } |
553 | | |
554 | 25.0k | for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) { |
555 | 25.0k | const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i]; |
556 | 25.0k | if (sig_prefix->nid != hash_nid) { |
557 | 18.2k | continue; |
558 | 18.2k | } |
559 | | |
560 | | // The length should already have been checked. |
561 | 25.0k | assert(digest_len == sig_prefix->hash_len); |
562 | 6.76k | const uint8_t *prefix = sig_prefix->bytes; |
563 | 6.76k | size_t prefix_len = sig_prefix->len; |
564 | 6.76k | size_t signed_msg_len = prefix_len + digest_len; |
565 | 6.76k | if (signed_msg_len < prefix_len) { |
566 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG); |
567 | 0 | return 0; |
568 | 0 | } |
569 | | |
570 | 6.76k | uint8_t *signed_msg = |
571 | 6.76k | reinterpret_cast<uint8_t *>(OPENSSL_malloc(signed_msg_len)); |
572 | 6.76k | if (!signed_msg) { |
573 | 0 | return 0; |
574 | 0 | } |
575 | | |
576 | 6.76k | OPENSSL_memcpy(signed_msg, prefix, prefix_len); |
577 | 6.76k | OPENSSL_memcpy(signed_msg + prefix_len, digest, digest_len); |
578 | | |
579 | 6.76k | *out_msg = signed_msg; |
580 | 6.76k | *out_msg_len = signed_msg_len; |
581 | 6.76k | *is_alloced = 1; |
582 | | |
583 | 6.76k | return 1; |
584 | 6.76k | } |
585 | | |
586 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); |
587 | 0 | return 0; |
588 | 6.76k | } |
589 | | |
590 | | int bssl::rsa_sign_no_self_test(int hash_nid, const uint8_t *digest, |
591 | | size_t digest_len, uint8_t *out, |
592 | 5.60k | unsigned *out_len, RSA *rsa) { |
593 | 5.60k | auto *impl = FromOpaque(rsa); |
594 | | |
595 | 5.60k | if (impl->meth->sign) { |
596 | 0 | if (!rsa_check_digest_size(hash_nid, digest_len)) { |
597 | 0 | return 0; |
598 | 0 | } |
599 | | // All supported digest lengths fit in |unsigned|. |
600 | 0 | assert(digest_len <= EVP_MAX_MD_SIZE); |
601 | 0 | static_assert(EVP_MAX_MD_SIZE <= UINT_MAX, "digest too long"); |
602 | 0 | return impl->meth->sign(hash_nid, digest, (unsigned)digest_len, out, |
603 | 0 | out_len, rsa); |
604 | 0 | } |
605 | | |
606 | 5.60k | const unsigned rsa_size = RSA_size(rsa); |
607 | 5.60k | int ret = 0; |
608 | 5.60k | uint8_t *signed_msg = nullptr; |
609 | 5.60k | size_t signed_msg_len = 0; |
610 | 5.60k | int signed_msg_is_alloced = 0; |
611 | 5.60k | size_t size_t_out_len; |
612 | 5.60k | if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, |
613 | 5.60k | &signed_msg_is_alloced, hash_nid, digest, |
614 | 5.60k | digest_len) || |
615 | 5.60k | !rsa_sign_raw_no_self_test(rsa, &size_t_out_len, out, rsa_size, |
616 | 5.60k | signed_msg, signed_msg_len, |
617 | 5.60k | RSA_PKCS1_PADDING)) { |
618 | 0 | goto err; |
619 | 0 | } |
620 | | |
621 | 5.60k | if (size_t_out_len > UINT_MAX) { |
622 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); |
623 | 0 | goto err; |
624 | 0 | } |
625 | | |
626 | 5.60k | *out_len = (unsigned)size_t_out_len; |
627 | 5.60k | ret = 1; |
628 | | |
629 | 5.60k | err: |
630 | 5.60k | if (signed_msg_is_alloced) { |
631 | 3.42k | OPENSSL_free(signed_msg); |
632 | 3.42k | } |
633 | 5.60k | return ret; |
634 | 5.60k | } |
635 | | |
636 | | int RSA_sign(int hash_nid, const uint8_t *digest, size_t digest_len, |
637 | 5.60k | uint8_t *out, unsigned *out_len, RSA *rsa) { |
638 | 5.60k | boringssl_ensure_rsa_self_test(); |
639 | | |
640 | 5.60k | return rsa_sign_no_self_test(hash_nid, digest, digest_len, out, out_len, rsa); |
641 | 5.60k | } |
642 | | |
643 | | int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
644 | | const uint8_t *digest, size_t digest_len, |
645 | 15.7k | const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len) { |
646 | 15.7k | if (digest_len != EVP_MD_size(md)) { |
647 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
648 | 0 | return 0; |
649 | 0 | } |
650 | | |
651 | 15.7k | size_t padded_len = RSA_size(rsa); |
652 | 15.7k | uint8_t *padded = reinterpret_cast<uint8_t *>(OPENSSL_malloc(padded_len)); |
653 | 15.7k | if (padded == nullptr) { |
654 | 0 | return 0; |
655 | 0 | } |
656 | | |
657 | 15.7k | int ret = RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, digest, md, mgf1_md, |
658 | 15.7k | salt_len) && |
659 | 15.7k | RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len, |
660 | 15.7k | RSA_NO_PADDING); |
661 | 15.7k | OPENSSL_free(padded); |
662 | 15.7k | return ret; |
663 | 15.7k | } |
664 | | |
665 | | int bssl::rsa_verify_no_self_test(int hash_nid, const uint8_t *digest, |
666 | | size_t digest_len, const uint8_t *sig, |
667 | 20.9k | size_t sig_len, RSA *rsa) { |
668 | 20.9k | auto *impl = FromOpaque(rsa); |
669 | 20.9k | if (impl->n == nullptr || impl->e == nullptr) { |
670 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); |
671 | 0 | return 0; |
672 | 0 | } |
673 | | |
674 | 20.9k | const size_t rsa_size = RSA_size(rsa); |
675 | 20.9k | uint8_t *buf = nullptr; |
676 | 20.9k | int ret = 0; |
677 | 20.9k | uint8_t *signed_msg = nullptr; |
678 | 20.9k | size_t signed_msg_len = 0, len; |
679 | 20.9k | int signed_msg_is_alloced = 0; |
680 | | |
681 | 20.9k | if (hash_nid == NID_md5_sha1 && digest_len != SSL_SIG_LENGTH) { |
682 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
683 | 0 | return 0; |
684 | 0 | } |
685 | | |
686 | 20.9k | buf = reinterpret_cast<uint8_t *>(OPENSSL_malloc(rsa_size)); |
687 | 20.9k | if (!buf) { |
688 | 0 | return 0; |
689 | 0 | } |
690 | | |
691 | 20.9k | if (!rsa_verify_raw_no_self_test(rsa, &len, buf, rsa_size, sig, sig_len, |
692 | 20.9k | RSA_PKCS1_PADDING) || |
693 | 4.15k | !RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, |
694 | 4.15k | &signed_msg_is_alloced, hash_nid, digest, |
695 | 16.7k | digest_len)) { |
696 | 16.7k | goto out; |
697 | 16.7k | } |
698 | | |
699 | | // Check that no other information follows the hash value (FIPS 186-5 Section |
700 | | // 5.4) and it matches the expected hash. |
701 | 4.15k | if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) { |
702 | 4.15k | OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE); |
703 | 4.15k | goto out; |
704 | 4.15k | } |
705 | | |
706 | 0 | ret = 1; |
707 | |
|
708 | 20.9k | out: |
709 | 20.9k | OPENSSL_free(buf); |
710 | 20.9k | if (signed_msg_is_alloced) { |
711 | 3.33k | OPENSSL_free(signed_msg); |
712 | 3.33k | } |
713 | 20.9k | return ret; |
714 | 0 | } |
715 | | |
716 | | int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len, |
717 | 20.9k | const uint8_t *sig, size_t sig_len, RSA *rsa) { |
718 | 20.9k | boringssl_ensure_rsa_self_test(); |
719 | 20.9k | return rsa_verify_no_self_test(hash_nid, digest, digest_len, sig, sig_len, |
720 | 20.9k | rsa); |
721 | 20.9k | } |
722 | | |
723 | | int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len, |
724 | | const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len, |
725 | 2.09k | const uint8_t *sig, size_t sig_len) { |
726 | 2.09k | if (digest_len != EVP_MD_size(md)) { |
727 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
728 | 0 | return 0; |
729 | 0 | } |
730 | | |
731 | 2.09k | size_t em_len = RSA_size(rsa); |
732 | 2.09k | uint8_t *em = reinterpret_cast<uint8_t *>(OPENSSL_malloc(em_len)); |
733 | 2.09k | if (em == nullptr) { |
734 | 0 | return 0; |
735 | 0 | } |
736 | | |
737 | 2.09k | int ret = 0; |
738 | 2.09k | if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) { |
739 | 51 | goto err; |
740 | 51 | } |
741 | | |
742 | 2.04k | if (em_len != RSA_size(rsa)) { |
743 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); |
744 | 0 | goto err; |
745 | 0 | } |
746 | | |
747 | 2.04k | ret = RSA_verify_PKCS1_PSS_mgf1(rsa, digest, md, mgf1_md, em, salt_len); |
748 | | |
749 | 2.09k | err: |
750 | 2.09k | OPENSSL_free(em); |
751 | 2.09k | return ret; |
752 | 2.04k | } |
753 | | |
754 | | static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv, |
755 | | const BIGNUM *m, unsigned m_min_bits, |
756 | 648 | BN_CTX *ctx) { |
757 | 648 | if (BN_is_negative(ainv) || |
758 | 648 | constant_time_declassify_int(BN_cmp(ainv, m) >= 0)) { |
759 | 59 | *out_ok = 0; |
760 | 59 | return 1; |
761 | 59 | } |
762 | | |
763 | | // Note |bn_mul_consttime| and |bn_div_consttime| do not scale linearly, but |
764 | | // checking |ainv| is in range bounds the running time, assuming |m|'s bounds |
765 | | // were checked by the caller. |
766 | 589 | BN_CTXScope scope(ctx); |
767 | 589 | BIGNUM *tmp = BN_CTX_get(ctx); |
768 | 589 | if (tmp == nullptr || // |
769 | 589 | !bn_mul_consttime(tmp, a, ainv, ctx) || |
770 | 589 | !bn_div_consttime(nullptr, tmp, tmp, m, m_min_bits, ctx)) { |
771 | 0 | return 0; |
772 | 0 | } |
773 | 589 | *out_ok = constant_time_declassify_int(BN_is_one(tmp)); |
774 | 589 | return 1; |
775 | 589 | } |
776 | | |
777 | 91.1k | int RSA_check_key(const RSA *key) { |
778 | | // TODO(davidben): RSA key initialization is spread across |
779 | | // |rsa_check_public_key|, |RSA_check_key|, |freeze_private_key|, and |
780 | | // |BN_MONT_CTX_set_locked| as a result of API issues. See |
781 | | // https://crbug.com/boringssl/316. As a result, we inconsistently check RSA |
782 | | // invariants. We should fix this and integrate that logic. |
783 | | |
784 | 91.1k | if (!rsa_check_public_key(key)) { |
785 | 2.57k | return 0; |
786 | 2.57k | } |
787 | | |
788 | 88.5k | auto *impl = FromOpaque(key); |
789 | 88.5k | if ((impl->p != nullptr) != (impl->q != nullptr)) { |
790 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN); |
791 | 0 | return 0; |
792 | 0 | } |
793 | | |
794 | | // |impl->d| must be bounded by |impl->n|. This ensures bounds on |RSA_bits| |
795 | | // translate to bounds on the running time of private key operations. |
796 | 88.5k | if (impl->d != nullptr && |
797 | 633 | (BN_is_negative(impl->d) || BN_cmp(impl->d, impl->n) >= 0)) { |
798 | 9 | OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE); |
799 | 9 | return 0; |
800 | 9 | } |
801 | | |
802 | 88.5k | if (impl->d == nullptr || impl->p == nullptr) { |
803 | | // For a public key, or without p and q, there's nothing that can be |
804 | | // checked. |
805 | 87.9k | return 1; |
806 | 87.9k | } |
807 | | |
808 | 624 | BN_CTX *ctx = BN_CTX_new(); |
809 | 624 | if (ctx == nullptr) { |
810 | 0 | return 0; |
811 | 0 | } |
812 | | |
813 | 624 | BIGNUM tmp, de, pm1, qm1, dmp1, dmq1; |
814 | 624 | int ok = 0, has_crt_values; |
815 | 624 | unsigned pm1_bits, qm1_bits; |
816 | 624 | BN_init(&tmp); |
817 | 624 | BN_init(&de); |
818 | 624 | BN_init(&pm1); |
819 | 624 | BN_init(&qm1); |
820 | 624 | BN_init(&dmp1); |
821 | 624 | BN_init(&dmq1); |
822 | | |
823 | | // Check that p * q == n. Before we multiply, we check that p and q are in |
824 | | // bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that |
825 | | // n was bound by |rsa_check_public_key|. This also implicitly checks p and q |
826 | | // are odd, which is a necessary condition for Montgomery reduction. |
827 | 624 | if (BN_is_negative(impl->p) || |
828 | 624 | constant_time_declassify_int(BN_cmp(impl->p, impl->n) >= 0) || |
829 | 611 | BN_is_negative(impl->q) || |
830 | 611 | constant_time_declassify_int(BN_cmp(impl->q, impl->n) >= 0)) { |
831 | 21 | OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q); |
832 | 21 | goto out; |
833 | 21 | } |
834 | 603 | if (!bn_mul_consttime(&tmp, impl->p, impl->q, ctx)) { |
835 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); |
836 | 0 | goto out; |
837 | 0 | } |
838 | 603 | if (BN_cmp(&tmp, impl->n) != 0) { |
839 | 172 | OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q); |
840 | 172 | goto out; |
841 | 172 | } |
842 | | |
843 | | // d must be an inverse of e mod the Carmichael totient, lcm(p-1, q-1), but it |
844 | | // may be unreduced because other implementations use the Euler totient. We |
845 | | // simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound |
846 | | // by earlier checks in this function. |
847 | 431 | if (!bn_usub_consttime(&pm1, impl->p, BN_value_one()) || |
848 | 431 | !bn_usub_consttime(&qm1, impl->q, BN_value_one())) { |
849 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); |
850 | 0 | goto out; |
851 | 0 | } |
852 | 431 | pm1_bits = BN_num_bits(&pm1); |
853 | 431 | qm1_bits = BN_num_bits(&qm1); |
854 | 431 | if (!bn_mul_consttime(&de, impl->d, impl->e, ctx) || |
855 | 431 | !bn_div_consttime(nullptr, &tmp, &de, &pm1, pm1_bits, ctx) || |
856 | 431 | !bn_div_consttime(nullptr, &de, &de, &qm1, qm1_bits, ctx)) { |
857 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); |
858 | 0 | goto out; |
859 | 0 | } |
860 | | |
861 | 431 | if (constant_time_declassify_int(!BN_is_one(&tmp)) || |
862 | 216 | constant_time_declassify_int(!BN_is_one(&de))) { |
863 | 215 | OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1); |
864 | 215 | goto out; |
865 | 215 | } |
866 | | |
867 | 216 | has_crt_values = impl->dmp1 != nullptr; |
868 | 216 | if (has_crt_values != (impl->dmq1 != nullptr) || |
869 | 216 | has_crt_values != (impl->iqmp != nullptr)) { |
870 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES); |
871 | 0 | goto out; |
872 | 0 | } |
873 | | |
874 | 216 | if (has_crt_values) { |
875 | 216 | int dmp1_ok, dmq1_ok, iqmp_ok; |
876 | 216 | if (!check_mod_inverse(&dmp1_ok, impl->e, impl->dmp1, &pm1, pm1_bits, |
877 | 216 | ctx) || |
878 | 216 | !check_mod_inverse(&dmq1_ok, impl->e, impl->dmq1, &qm1, qm1_bits, |
879 | 216 | ctx) || |
880 | | // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't, |
881 | | // we only need a lower bound anyway. |
882 | 216 | !check_mod_inverse(&iqmp_ok, impl->q, impl->iqmp, impl->p, pm1_bits, |
883 | 216 | ctx)) { |
884 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); |
885 | 0 | goto out; |
886 | 0 | } |
887 | | |
888 | 216 | if (!dmp1_ok || !dmq1_ok || !iqmp_ok) { |
889 | 192 | OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT); |
890 | 192 | goto out; |
891 | 192 | } |
892 | 216 | } |
893 | | |
894 | 24 | ok = 1; |
895 | | |
896 | 624 | out: |
897 | 624 | BN_free(&tmp); |
898 | 624 | BN_free(&de); |
899 | 624 | BN_free(&pm1); |
900 | 624 | BN_free(&qm1); |
901 | 624 | BN_free(&dmp1); |
902 | 624 | BN_free(&dmq1); |
903 | 624 | BN_CTX_free(ctx); |
904 | | |
905 | 624 | return ok; |
906 | 24 | } |
907 | | |
908 | | |
909 | | // This is the product of the 132 smallest odd primes, from 3 to 751. |
910 | | static const BN_ULONG kSmallFactorsLimbs[] = {TOBN(0xc4309333, 0x3ef4e3e1), |
911 | | TOBN(0x71161eb6, 0xcd2d655f), |
912 | | TOBN(0x95e2238c, 0x0bf94862), |
913 | | TOBN(0x3eb233d3, 0x24f7912b), |
914 | | TOBN(0x6b55514b, 0xbf26c483), |
915 | | TOBN(0x0a84d817, 0x5a144871), |
916 | | TOBN(0x77d12fee, 0x9b82210a), |
917 | | TOBN(0xdb5b93c2, 0x97f050b3), |
918 | | TOBN(0x4acad6b9, 0x4d6c026b), |
919 | | TOBN(0xeb7751f3, 0x54aec893), |
920 | | TOBN(0xdba53368, 0x36bc85c4), |
921 | | TOBN(0xd85a1b28, 0x7f5ec78e), |
922 | | TOBN(0x2eb072d8, 0x6b322244), |
923 | | TOBN(0xbba51112, 0x5e2b3aea), |
924 | | TOBN(0x36ed1a6c, 0x0e2486bf), |
925 | | TOBN(0x5f270460, 0xec0c5727), |
926 | | 0x000017b1}; |
927 | | |
928 | 0 | DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) { |
929 | 0 | out->d = const_cast<BN_ULONG *>(kSmallFactorsLimbs); |
930 | 0 | out->width = std::size(kSmallFactorsLimbs); |
931 | 0 | out->dmax = out->width; |
932 | 0 | out->neg = 0; |
933 | 0 | out->flags = BN_FLG_STATIC_DATA; |
934 | 0 | } |
935 | | |
936 | 0 | int RSA_check_fips(RSA *key) { |
937 | 0 | if (!RSA_check_key(key)) { |
938 | 0 | return 0; |
939 | 0 | } |
940 | | |
941 | 0 | BN_CTX *ctx = BN_CTX_new(); |
942 | 0 | if (ctx == nullptr) { |
943 | 0 | return 0; |
944 | 0 | } |
945 | | |
946 | 0 | BIGNUM small_gcd; |
947 | 0 | BN_init(&small_gcd); |
948 | |
|
949 | 0 | int ret = 1; |
950 | | |
951 | | // Perform partial public key validation of RSA keys (SP 800-89 5.3.3). |
952 | | // Although this is not for primality testing, SP 800-89 cites an RSA |
953 | | // primality testing algorithm, so we use |BN_prime_checks_for_generation| to |
954 | | // match. This is only a plausibility test and we expect the value to be |
955 | | // composite, so too few iterations will cause us to reject the key, not use |
956 | | // an implausible one. |
957 | | // |
958 | | // |key->e| may be nullptr if created with |RSA_new_private_key_no_e|. |
959 | 0 | enum bn_primality_result_t primality_result; |
960 | 0 | auto *impl = FromOpaque(key); |
961 | 0 | if (impl->e == nullptr || // |
962 | 0 | BN_num_bits(impl->e) <= 16 || // |
963 | 0 | BN_num_bits(impl->e) > 256 || // |
964 | 0 | !BN_is_odd(impl->n) || // |
965 | 0 | !BN_is_odd(impl->e) || |
966 | 0 | !BN_gcd(&small_gcd, impl->n, g_small_factors(), ctx) || |
967 | 0 | !BN_is_one(&small_gcd) || |
968 | 0 | !BN_enhanced_miller_rabin_primality_test(&primality_result, impl->n, |
969 | 0 | BN_prime_checks_for_generation, |
970 | 0 | ctx, nullptr) || |
971 | 0 | primality_result != bn_non_prime_power_composite) { |
972 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED); |
973 | 0 | ret = 0; |
974 | 0 | } |
975 | |
|
976 | 0 | BN_free(&small_gcd); |
977 | 0 | BN_CTX_free(ctx); |
978 | |
|
979 | 0 | if (!ret || impl->d == nullptr || impl->p == nullptr) { |
980 | | // On a failure or on only a public key, there's nothing else can be |
981 | | // checked. |
982 | 0 | return ret; |
983 | 0 | } |
984 | | |
985 | | // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG, |
986 | | // section 9.9, it is not known whether |rsa| will be used for signing or |
987 | | // encryption, so either pair-wise consistency self-test is acceptable. We |
988 | | // perform a signing test. |
989 | 0 | uint8_t data[32] = {0}; |
990 | 0 | unsigned sig_len = RSA_size(key); |
991 | 0 | uint8_t *sig = reinterpret_cast<uint8_t *>(OPENSSL_malloc(sig_len)); |
992 | 0 | if (sig == nullptr) { |
993 | 0 | return 0; |
994 | 0 | } |
995 | | |
996 | 0 | if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) { |
997 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); |
998 | 0 | ret = 0; |
999 | 0 | goto cleanup; |
1000 | 0 | } |
1001 | 0 | if (boringssl_fips_break_test("RSA_PWCT")) { |
1002 | 0 | data[0] = ~data[0]; |
1003 | 0 | } |
1004 | 0 | if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) { |
1005 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); |
1006 | 0 | ret = 0; |
1007 | 0 | } |
1008 | |
|
1009 | 0 | cleanup: |
1010 | 0 | OPENSSL_free(sig); |
1011 | |
|
1012 | 0 | return ret; |
1013 | 0 | } |
1014 | | |
1015 | | int bssl::rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out, |
1016 | 21.4k | const uint8_t *in, size_t len) { |
1017 | 21.4k | auto *impl = FromOpaque(rsa); |
1018 | | |
1019 | 21.4k | if (impl->meth->private_transform) { |
1020 | 0 | return impl->meth->private_transform(rsa, out, in, len); |
1021 | 0 | } |
1022 | | |
1023 | 21.4k | return rsa_default_private_transform(rsa, out, in, len); |
1024 | 21.4k | } |
1025 | | |
1026 | | int bssl::rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, |
1027 | 89 | size_t len) { |
1028 | 89 | boringssl_ensure_rsa_self_test(); |
1029 | 89 | return rsa_private_transform_no_self_test(rsa, out, in, len); |
1030 | 89 | } |
1031 | | |
1032 | 0 | int RSA_flags(const RSA *rsa) { |
1033 | 0 | auto *impl = FromOpaque(rsa); |
1034 | 0 | return impl->flags; |
1035 | 0 | } |
1036 | | |
1037 | 0 | int RSA_test_flags(const RSA *rsa, int flags) { |
1038 | 0 | auto *impl = FromOpaque(rsa); |
1039 | 0 | return impl->flags & flags; |
1040 | 0 | } |