/src/botan/src/lib/pubkey/rsa/rsa.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * RSA |
3 | | * (C) 1999-2010,2015,2016,2018,2019 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/rsa.h> |
9 | | #include <botan/internal/pk_ops_impl.h> |
10 | | #include <botan/keypair.h> |
11 | | #include <botan/blinding.h> |
12 | | #include <botan/reducer.h> |
13 | | #include <botan/workfactor.h> |
14 | | #include <botan/der_enc.h> |
15 | | #include <botan/ber_dec.h> |
16 | | #include <botan/monty.h> |
17 | | #include <botan/divide.h> |
18 | | #include <botan/internal/monty_exp.h> |
19 | | |
20 | | #if defined(BOTAN_HAS_OPENSSL) |
21 | | #include <botan/internal/openssl.h> |
22 | | #endif |
23 | | |
24 | | #if defined(BOTAN_HAS_THREAD_UTILS) |
25 | | #include <botan/internal/thread_pool.h> |
26 | | #endif |
27 | | |
28 | | namespace Botan { |
29 | | |
30 | | class RSA_Public_Data final |
31 | | { |
32 | | public: |
33 | | RSA_Public_Data(BigInt&& n, BigInt&& e) : |
34 | | m_n(n), |
35 | | m_e(e), |
36 | | m_monty_n(std::make_shared<Montgomery_Params>(m_n)), |
37 | | m_public_modulus_bits(m_n.bits()), |
38 | | m_public_modulus_bytes(m_n.bytes()) |
39 | 6.50k | {} |
40 | | |
41 | | BigInt public_op(const BigInt& m) const |
42 | 6.27k | { |
43 | 6.27k | const size_t powm_window = 1; |
44 | 6.27k | auto powm_m_n = monty_precompute(m_monty_n, m, powm_window, false); |
45 | 6.27k | return monty_execute_vartime(*powm_m_n, m_e); |
46 | 6.27k | } |
47 | | |
48 | 6.37k | const BigInt& get_n() const { return m_n; } |
49 | 0 | const BigInt& get_e() const { return m_e; } |
50 | 6.33k | size_t public_modulus_bits() const { return m_public_modulus_bits; } |
51 | 57 | size_t public_modulus_bytes() const { return m_public_modulus_bytes; } |
52 | | |
53 | | private: |
54 | | BigInt m_n; |
55 | | BigInt m_e; |
56 | | std::shared_ptr<const Montgomery_Params> m_monty_n; |
57 | | size_t m_public_modulus_bits; |
58 | | size_t m_public_modulus_bytes; |
59 | | }; |
60 | | |
61 | | class RSA_Private_Data final |
62 | | { |
63 | | public: |
64 | | RSA_Private_Data(BigInt&& d, BigInt&& p, BigInt&& q, |
65 | | BigInt&& d1, BigInt&& d2, BigInt&& c) : |
66 | | m_d(d), |
67 | | m_p(p), |
68 | | m_q(q), |
69 | | m_d1(d1), |
70 | | m_d2(d2), |
71 | | m_c(c), |
72 | | m_mod_p(m_p), |
73 | | m_mod_q(m_q), |
74 | | m_monty_p(std::make_shared<Montgomery_Params>(m_p, m_mod_p)), |
75 | | m_monty_q(std::make_shared<Montgomery_Params>(m_q, m_mod_q)), |
76 | | m_p_bits(m_p.bits()), |
77 | | m_q_bits(m_q.bits()) |
78 | 12 | {} |
79 | | |
80 | 0 | const BigInt& get_d() const { return m_d; } |
81 | 0 | const BigInt& get_p() const { return m_p; } |
82 | 0 | const BigInt& get_q() const { return m_q; } |
83 | 0 | const BigInt& get_d1() const { return m_d1; } |
84 | 0 | const BigInt& get_d2() const { return m_d2; } |
85 | 0 | const BigInt& get_c() const { return m_c; } |
86 | | |
87 | | //private: |
88 | | BigInt m_d; |
89 | | BigInt m_p; |
90 | | BigInt m_q; |
91 | | BigInt m_d1; |
92 | | BigInt m_d2; |
93 | | BigInt m_c; |
94 | | |
95 | | Modular_Reducer m_mod_p; |
96 | | Modular_Reducer m_mod_q; |
97 | | std::shared_ptr<const Montgomery_Params> m_monty_p; |
98 | | std::shared_ptr<const Montgomery_Params> m_monty_q; |
99 | | size_t m_p_bits; |
100 | | size_t m_q_bits; |
101 | | }; |
102 | | |
103 | | std::shared_ptr<const RSA_Public_Data> RSA_PublicKey::public_data() const |
104 | 6.37k | { |
105 | 6.37k | return m_public; |
106 | 6.37k | } |
107 | | |
108 | 0 | const BigInt& RSA_PublicKey::get_n() const { return m_public->get_n(); } |
109 | 0 | const BigInt& RSA_PublicKey::get_e() const { return m_public->get_e(); } |
110 | | |
111 | | void RSA_PublicKey::init(BigInt&& n, BigInt&& e) |
112 | 6.56k | { |
113 | 6.56k | if(n.is_negative() || n.is_even() || e.is_negative() || e.is_even()) |
114 | 59 | throw Decoding_Error("Invalid RSA public key parameters"); |
115 | 6.50k | m_public = std::make_shared<RSA_Public_Data>(std::move(n), std::move(e)); |
116 | 6.50k | } |
117 | | |
118 | | RSA_PublicKey::RSA_PublicKey(const AlgorithmIdentifier&, |
119 | | const std::vector<uint8_t>& key_bits) |
120 | 6.67k | { |
121 | 6.67k | BigInt n, e; |
122 | 6.67k | BER_Decoder(key_bits) |
123 | 6.67k | .start_cons(SEQUENCE) |
124 | 6.67k | .decode(n) |
125 | 6.67k | .decode(e) |
126 | 6.67k | .end_cons(); |
127 | 6.67k | |
128 | 6.67k | init(std::move(n), std::move(e)); |
129 | 6.67k | } Unexecuted instantiation: Botan::RSA_PublicKey::RSA_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) Botan::RSA_PublicKey::RSA_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) Line | Count | Source | 120 | 6.67k | { | 121 | 6.67k | BigInt n, e; | 122 | 6.67k | BER_Decoder(key_bits) | 123 | 6.67k | .start_cons(SEQUENCE) | 124 | 6.67k | .decode(n) | 125 | 6.67k | .decode(e) | 126 | 6.67k | .end_cons(); | 127 | 6.67k | | 128 | 6.67k | init(std::move(n), std::move(e)); | 129 | 6.67k | } |
|
130 | | |
131 | | RSA_PublicKey::RSA_PublicKey(const BigInt& modulus, const BigInt& exponent) |
132 | 0 | { |
133 | 0 | BigInt n = modulus; |
134 | 0 | BigInt e = exponent; |
135 | 0 | init(std::move(n), std::move(e)); |
136 | 0 | } Unexecuted instantiation: Botan::RSA_PublicKey::RSA_PublicKey(Botan::BigInt const&, Botan::BigInt const&) Unexecuted instantiation: Botan::RSA_PublicKey::RSA_PublicKey(Botan::BigInt const&, Botan::BigInt const&) |
137 | | |
138 | | size_t RSA_PublicKey::key_length() const |
139 | 55 | { |
140 | 55 | return m_public->public_modulus_bits(); |
141 | 55 | } |
142 | | |
143 | | size_t RSA_PublicKey::estimated_strength() const |
144 | 0 | { |
145 | 0 | return if_work_factor(key_length()); |
146 | 0 | } |
147 | | |
148 | | AlgorithmIdentifier RSA_PublicKey::algorithm_identifier() const |
149 | 0 | { |
150 | 0 | return AlgorithmIdentifier(get_oid(), AlgorithmIdentifier::USE_NULL_PARAM); |
151 | 0 | } |
152 | | |
153 | | std::vector<uint8_t> RSA_PublicKey::public_key_bits() const |
154 | 0 | { |
155 | 0 | std::vector<uint8_t> output; |
156 | 0 | DER_Encoder der(output); |
157 | 0 | der.start_cons(SEQUENCE) |
158 | 0 | .encode(get_n()) |
159 | 0 | .encode(get_e()) |
160 | 0 | .end_cons(); |
161 | 0 |
|
162 | 0 | return output; |
163 | 0 | } |
164 | | |
165 | | /* |
166 | | * Check RSA Public Parameters |
167 | | */ |
168 | | bool RSA_PublicKey::check_key(RandomNumberGenerator&, bool) const |
169 | 0 | { |
170 | 0 | if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) |
171 | 0 | return false; |
172 | 0 | return true; |
173 | 0 | } |
174 | | |
175 | | std::shared_ptr<const RSA_Private_Data> RSA_PrivateKey::private_data() const |
176 | 0 | { |
177 | 0 | return m_private; |
178 | 0 | } |
179 | | |
180 | | secure_vector<uint8_t> RSA_PrivateKey::private_key_bits() const |
181 | 0 | { |
182 | 0 | return DER_Encoder() |
183 | 0 | .start_cons(SEQUENCE) |
184 | 0 | .encode(static_cast<size_t>(0)) |
185 | 0 | .encode(get_n()) |
186 | 0 | .encode(get_e()) |
187 | 0 | .encode(get_d()) |
188 | 0 | .encode(get_p()) |
189 | 0 | .encode(get_q()) |
190 | 0 | .encode(get_d1()) |
191 | 0 | .encode(get_d2()) |
192 | 0 | .encode(get_c()) |
193 | 0 | .end_cons() |
194 | 0 | .get_contents(); |
195 | 0 | } |
196 | | |
197 | 0 | const BigInt& RSA_PrivateKey::get_p() const { return m_private->get_p(); } |
198 | 0 | const BigInt& RSA_PrivateKey::get_q() const { return m_private->get_q(); } |
199 | 0 | const BigInt& RSA_PrivateKey::get_d() const { return m_private->get_d(); } |
200 | 0 | const BigInt& RSA_PrivateKey::get_c() const { return m_private->get_c(); } |
201 | 0 | const BigInt& RSA_PrivateKey::get_d1() const { return m_private->get_d1(); } |
202 | 0 | const BigInt& RSA_PrivateKey::get_d2() const { return m_private->get_d2(); } |
203 | | |
204 | | void RSA_PrivateKey::init(BigInt&& d, BigInt&& p, BigInt&& q, |
205 | | BigInt&& d1, BigInt&& d2, BigInt&& c) |
206 | 12 | { |
207 | 12 | m_private = std::make_shared<RSA_Private_Data>( |
208 | 12 | std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c)); |
209 | 12 | } |
210 | | |
211 | | RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier&, |
212 | | const secure_vector<uint8_t>& key_bits) |
213 | 29 | { |
214 | 29 | BigInt n, e, d, p, q, d1, d2, c; |
215 | 29 | |
216 | 29 | BER_Decoder(key_bits) |
217 | 29 | .start_cons(SEQUENCE) |
218 | 29 | .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version") |
219 | 29 | .decode(n) |
220 | 29 | .decode(e) |
221 | 29 | .decode(d) |
222 | 29 | .decode(p) |
223 | 29 | .decode(q) |
224 | 29 | .decode(d1) |
225 | 29 | .decode(d2) |
226 | 29 | .decode(c) |
227 | 29 | .end_cons(); |
228 | 29 | |
229 | 29 | RSA_PublicKey::init(std::move(n), std::move(e)); |
230 | 29 | |
231 | 29 | RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), |
232 | 29 | std::move(d1), std::move(d2), std::move(c)); |
233 | 29 | } Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&) Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&) Line | Count | Source | 213 | 29 | { | 214 | 29 | BigInt n, e, d, p, q, d1, d2, c; | 215 | 29 | | 216 | 29 | BER_Decoder(key_bits) | 217 | 29 | .start_cons(SEQUENCE) | 218 | 29 | .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version") | 219 | 29 | .decode(n) | 220 | 29 | .decode(e) | 221 | 29 | .decode(d) | 222 | 29 | .decode(p) | 223 | 29 | .decode(q) | 224 | 29 | .decode(d1) | 225 | 29 | .decode(d2) | 226 | 29 | .decode(c) | 227 | 29 | .end_cons(); | 228 | 29 | | 229 | 29 | RSA_PublicKey::init(std::move(n), std::move(e)); | 230 | 29 | | 231 | 29 | RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), | 232 | 29 | std::move(d1), std::move(d2), std::move(c)); | 233 | 29 | } |
|
234 | | |
235 | | RSA_PrivateKey::RSA_PrivateKey(const BigInt& prime1, |
236 | | const BigInt& prime2, |
237 | | const BigInt& exp, |
238 | | const BigInt& d_exp, |
239 | | const BigInt& mod) |
240 | 0 | { |
241 | 0 | BigInt p = prime1; |
242 | 0 | BigInt q = prime2; |
243 | 0 | BigInt n = mod; |
244 | 0 | if(n.is_zero()) |
245 | 0 | n = p * q; |
246 | 0 |
|
247 | 0 | BigInt e = exp; |
248 | 0 |
|
249 | 0 | BigInt d = d_exp; |
250 | 0 |
|
251 | 0 | const BigInt p_minus_1 = p - 1; |
252 | 0 | const BigInt q_minus_1 = q - 1; |
253 | 0 |
|
254 | 0 | if(d.is_zero()) |
255 | 0 | { |
256 | 0 | const BigInt phi_n = lcm(p_minus_1, q_minus_1); |
257 | 0 | d = inverse_mod(e, phi_n); |
258 | 0 | } |
259 | 0 |
|
260 | 0 | BigInt d1 = ct_modulo(d, p_minus_1); |
261 | 0 | BigInt d2 = ct_modulo(d, q_minus_1); |
262 | 0 | BigInt c = inverse_mod(q, p); |
263 | 0 |
|
264 | 0 | RSA_PublicKey::init(std::move(n), std::move(e)); |
265 | 0 |
|
266 | 0 | RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), |
267 | 0 | std::move(d1), std::move(d2), std::move(c)); |
268 | 0 | } Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&) Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&) |
269 | | |
270 | | /* |
271 | | * Create a RSA private key |
272 | | */ |
273 | | RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator& rng, |
274 | | size_t bits, size_t exp) |
275 | 0 | { |
276 | 0 | if(bits < 1024) |
277 | 0 | throw Invalid_Argument(algo_name() + ": Can't make a key that is only " + |
278 | 0 | std::to_string(bits) + " bits long"); |
279 | 0 | if(exp < 3 || exp % 2 == 0) |
280 | 0 | throw Invalid_Argument(algo_name() + ": Invalid encryption exponent"); |
281 | 0 | |
282 | 0 | BigInt n, e, d, p, q, d1, d2, c; |
283 | 0 |
|
284 | 0 | e = exp; |
285 | 0 |
|
286 | 0 | const size_t p_bits = (bits + 1) / 2; |
287 | 0 | const size_t q_bits = bits - p_bits; |
288 | 0 |
|
289 | 0 | do |
290 | 0 | { |
291 | 0 | // TODO could generate primes in thread pool |
292 | 0 | p = generate_rsa_prime(rng, rng, p_bits, e); |
293 | 0 | q = generate_rsa_prime(rng, rng, q_bits, e); |
294 | 0 | n = p * q; |
295 | 0 | } while(n.bits() != bits); |
296 | 0 |
|
297 | 0 | const BigInt p_minus_1 = p - 1; |
298 | 0 | const BigInt q_minus_1 = q - 1; |
299 | 0 |
|
300 | 0 | const BigInt phi_n = lcm(p_minus_1, q_minus_1); |
301 | 0 | // FIXME: this uses binary ext gcd because phi_n is even |
302 | 0 | d = inverse_mod(e, phi_n); |
303 | 0 | d1 = ct_modulo(d, p_minus_1); |
304 | 0 | d2 = ct_modulo(d, q_minus_1); |
305 | 0 | c = inverse_mod(q, p); // p odd, so uses const time algorithm |
306 | 0 |
|
307 | 0 | RSA_PublicKey::init(std::move(n), std::move(e)); |
308 | 0 |
|
309 | 0 | RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), |
310 | 0 | std::move(d1), std::move(d2), std::move(c)); |
311 | 0 | } Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::RandomNumberGenerator&, unsigned long, unsigned long) Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::RandomNumberGenerator&, unsigned long, unsigned long) |
312 | | |
313 | | /* |
314 | | * Check Private RSA Parameters |
315 | | */ |
316 | | bool RSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const |
317 | 0 | { |
318 | 0 | if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) |
319 | 0 | return false; |
320 | 0 | |
321 | 0 | if(get_d() < 2 || get_p() < 3 || get_q() < 3) |
322 | 0 | return false; |
323 | 0 | |
324 | 0 | if(get_p() * get_q() != get_n()) |
325 | 0 | return false; |
326 | 0 | |
327 | 0 | if(get_d1() != ct_modulo(get_d(), get_p() - 1)) |
328 | 0 | return false; |
329 | 0 | if(get_d2() != ct_modulo(get_d(), get_q() - 1)) |
330 | 0 | return false; |
331 | 0 | if(get_c() != inverse_mod(get_q(), get_p())) |
332 | 0 | return false; |
333 | 0 | |
334 | 0 | const size_t prob = (strong) ? 128 : 12; |
335 | 0 |
|
336 | 0 | if(!is_prime(get_p(), rng, prob)) |
337 | 0 | return false; |
338 | 0 | if(!is_prime(get_q(), rng, prob)) |
339 | 0 | return false; |
340 | 0 | |
341 | 0 | if(strong) |
342 | 0 | { |
343 | 0 | if(ct_modulo(get_e() * get_d(), lcm(get_p() - 1, get_q() - 1)) != 1) |
344 | 0 | return false; |
345 | 0 | |
346 | 0 | return KeyPair::signature_consistency_check(rng, *this, "EMSA4(SHA-256)"); |
347 | 0 | } |
348 | 0 | |
349 | 0 | return true; |
350 | 0 | } |
351 | | |
352 | | namespace { |
353 | | |
354 | | /** |
355 | | * RSA private (decrypt/sign) operation |
356 | | */ |
357 | | class RSA_Private_Operation |
358 | | { |
359 | | protected: |
360 | 0 | size_t public_modulus_bits() const { return m_public->public_modulus_bits(); } |
361 | 0 | size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); } |
362 | | |
363 | | explicit RSA_Private_Operation(const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) : |
364 | | m_public(rsa.public_data()), |
365 | | m_private(rsa.private_data()), |
366 | | m_blinder(m_public->get_n(), rng, |
367 | 0 | [this](const BigInt& k) { return m_public->public_op(k); }, |
368 | 0 | [this](const BigInt& k) { return inverse_mod(k, m_public->get_n()); }), |
369 | | m_blinding_bits(64), |
370 | | m_max_d1_bits(m_private->m_p_bits + m_blinding_bits), |
371 | | m_max_d2_bits(m_private->m_q_bits + m_blinding_bits) |
372 | 0 | { |
373 | 0 | } |
374 | | |
375 | | secure_vector<uint8_t> raw_op(const uint8_t input[], size_t input_len) |
376 | 0 | { |
377 | 0 | const BigInt input_bn(input, input_len); |
378 | 0 | if(input_bn >= m_public->get_n()) |
379 | 0 | throw Invalid_Argument("RSA private op - input is too large"); |
380 | 0 | |
381 | 0 | // TODO: This should be a function on blinder |
382 | 0 | // BigInt Blinder::run_blinded_function(std::function<BigInt, BigInt> fn, const BigInt& input); |
383 | 0 | |
384 | 0 | const BigInt recovered = m_blinder.unblind(rsa_private_op(m_blinder.blind(input_bn))); |
385 | 0 | BOTAN_ASSERT(input_bn == m_public->public_op(recovered), "RSA consistency check"); |
386 | 0 | return BigInt::encode_1363(recovered, m_public->public_modulus_bytes()); |
387 | 0 | } |
388 | | |
389 | | private: |
390 | | |
391 | | BigInt rsa_private_op(const BigInt& m) const |
392 | 0 | { |
393 | 0 | /* |
394 | 0 | TODO |
395 | 0 | Consider using Montgomery reduction instead of Barrett, using |
396 | 0 | the "Smooth RSA-CRT" method. https://eprint.iacr.org/2007/039.pdf |
397 | 0 | */ |
398 | 0 |
|
399 | 0 | static constexpr size_t powm_window = 4; |
400 | 0 |
|
401 | 0 | // Compute this in main thread to avoid racing on the rng |
402 | 0 | const BigInt d1_mask(m_blinder.rng(), m_blinding_bits); |
403 | 0 |
|
404 | 0 | #if defined(BOTAN_HAS_THREAD_UTILS) && !defined(BOTAN_HAS_VALGRIND) |
405 | 0 | #define BOTAN_RSA_USE_ASYNC |
406 | 0 | #endif |
407 | 0 |
|
408 | 0 | #if defined(BOTAN_RSA_USE_ASYNC) |
409 | 0 | /* |
410 | 0 | * Precompute m.sig_words in the main thread before calling async. Otherwise |
411 | 0 | * the two threads race (during Modular_Reducer::reduce) and while the output |
412 | 0 | * is correct in both threads, helgrind warns. |
413 | 0 | */ |
414 | 0 | m.sig_words(); |
415 | 0 |
|
416 | 0 | auto future_j1 = Thread_Pool::global_instance().run([this, &m, &d1_mask]() { |
417 | 0 | #endif |
418 | 0 | const BigInt masked_d1 = m_private->get_d1() + (d1_mask * (m_private->get_p() - 1)); |
419 | 0 | auto powm_d1_p = monty_precompute(m_private->m_monty_p, m_private->m_mod_p.reduce(m), powm_window); |
420 | 0 | BigInt j1 = monty_execute(*powm_d1_p, masked_d1, m_max_d1_bits); |
421 | 0 |
|
422 | 0 | #if defined(BOTAN_RSA_USE_ASYNC) |
423 | 0 | return j1; |
424 | 0 | }); |
425 | 0 | #endif |
426 | 0 |
|
427 | 0 | const BigInt d2_mask(m_blinder.rng(), m_blinding_bits); |
428 | 0 | const BigInt masked_d2 = m_private->get_d2() + (d2_mask * (m_private->get_q() - 1)); |
429 | 0 | auto powm_d2_q = monty_precompute(m_private->m_monty_q, m_private->m_mod_q.reduce(m), powm_window); |
430 | 0 | const BigInt j2 = monty_execute(*powm_d2_q, masked_d2, m_max_d2_bits); |
431 | 0 |
|
432 | 0 | #if defined(BOTAN_RSA_USE_ASYNC) |
433 | 0 | BigInt j1 = future_j1.get(); |
434 | 0 | #endif |
435 | 0 |
|
436 | 0 | /* |
437 | 0 | * To recover the final value from the CRT representation (j1,j2) |
438 | 0 | * we use Garner's algorithm: |
439 | 0 | * c = q^-1 mod p (this is precomputed) |
440 | 0 | * h = c*(j1-j2) mod p |
441 | 0 | * m = j2 + h*q |
442 | 0 | * |
443 | 0 | * We must avoid leaking if j1 >= j2 or not, as doing so allows deriving |
444 | 0 | * information about the secret prime. Do this by first adding p to j1, |
445 | 0 | * which should ensure the subtraction of j2 does not underflow. But |
446 | 0 | * this may still underflow if p and q are imbalanced in size. |
447 | 0 | */ |
448 | 0 |
|
449 | 0 | j1 = m_private->m_mod_p.multiply(m_private->m_mod_p.reduce((m_private->get_p() + j1) - j2), m_private->get_c()); |
450 | 0 | return mul_add(j1, m_private->get_q(), j2); |
451 | 0 | } |
452 | | |
453 | | std::shared_ptr<const RSA_Public_Data> m_public; |
454 | | std::shared_ptr<const RSA_Private_Data> m_private; |
455 | | |
456 | | // XXX could the blinder starting pair be shared? |
457 | | Blinder m_blinder; |
458 | | const size_t m_blinding_bits; |
459 | | const size_t m_max_d1_bits; |
460 | | const size_t m_max_d2_bits; |
461 | | }; |
462 | | |
463 | | class RSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA, |
464 | | private RSA_Private_Operation |
465 | | { |
466 | | public: |
467 | 0 | size_t max_input_bits() const override { return public_modulus_bits() - 1; } |
468 | | |
469 | 0 | size_t signature_length() const override { return public_modulus_bytes(); } |
470 | | |
471 | | RSA_Signature_Operation(const RSA_PrivateKey& rsa, const std::string& emsa, RandomNumberGenerator& rng) : |
472 | | PK_Ops::Signature_with_EMSA(emsa), |
473 | | RSA_Private_Operation(rsa, rng) |
474 | 0 | { |
475 | 0 | } |
476 | | |
477 | | secure_vector<uint8_t> raw_sign(const uint8_t input[], size_t input_len, |
478 | | RandomNumberGenerator&) override |
479 | 0 | { |
480 | 0 | return raw_op(input, input_len); |
481 | 0 | } |
482 | | }; |
483 | | |
484 | | class RSA_Decryption_Operation final : public PK_Ops::Decryption_with_EME, |
485 | | private RSA_Private_Operation |
486 | | { |
487 | | public: |
488 | | |
489 | | RSA_Decryption_Operation(const RSA_PrivateKey& rsa, const std::string& eme, RandomNumberGenerator& rng) : |
490 | | PK_Ops::Decryption_with_EME(eme), |
491 | | RSA_Private_Operation(rsa, rng) |
492 | 0 | { |
493 | 0 | } |
494 | | |
495 | 0 | size_t plaintext_length(size_t) const override { return public_modulus_bytes(); } |
496 | | |
497 | | secure_vector<uint8_t> raw_decrypt(const uint8_t input[], size_t input_len) override |
498 | 0 | { |
499 | 0 | return raw_op(input, input_len); |
500 | 0 | } |
501 | | }; |
502 | | |
503 | | class RSA_KEM_Decryption_Operation final : public PK_Ops::KEM_Decryption_with_KDF, |
504 | | private RSA_Private_Operation |
505 | | { |
506 | | public: |
507 | | |
508 | | RSA_KEM_Decryption_Operation(const RSA_PrivateKey& key, |
509 | | const std::string& kdf, |
510 | | RandomNumberGenerator& rng) : |
511 | | PK_Ops::KEM_Decryption_with_KDF(kdf), |
512 | | RSA_Private_Operation(key, rng) |
513 | 0 | {} |
514 | | |
515 | | secure_vector<uint8_t> |
516 | | raw_kem_decrypt(const uint8_t encap_key[], size_t len) override |
517 | 0 | { |
518 | 0 | return raw_op(encap_key, len); |
519 | 0 | } |
520 | | }; |
521 | | |
522 | | /** |
523 | | * RSA public (encrypt/verify) operation |
524 | | */ |
525 | | class RSA_Public_Operation |
526 | | { |
527 | | public: |
528 | | explicit RSA_Public_Operation(const RSA_PublicKey& rsa) : |
529 | | m_public(rsa.public_data()) |
530 | 6.37k | {} |
531 | | |
532 | | size_t get_max_input_bits() const |
533 | 6.28k | { |
534 | 6.28k | const size_t n_bits = m_public->public_modulus_bits(); |
535 | 6.28k | |
536 | 6.28k | /* |
537 | 6.28k | Make Coverity happy that n_bits - 1 won't underflow |
538 | 6.28k | |
539 | 6.28k | 5 bit minimum: smallest possible RSA key is 3*5 |
540 | 6.28k | */ |
541 | 6.28k | BOTAN_ASSERT_NOMSG(n_bits >= 5); |
542 | 6.28k | return n_bits - 1; |
543 | 6.28k | } |
544 | | |
545 | | protected: |
546 | | BigInt public_op(const BigInt& m) const |
547 | 6.37k | { |
548 | 6.37k | if(m >= m_public->get_n()) |
549 | 95 | throw Invalid_Argument("RSA public op - input is too large"); |
550 | 6.27k | |
551 | 6.27k | return m_public->public_op(m); |
552 | 6.27k | } |
553 | | |
554 | 57 | size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); } |
555 | | |
556 | 0 | const BigInt& get_n() const { return m_public->get_n(); } |
557 | | |
558 | | std::shared_ptr<const RSA_Public_Data> m_public; |
559 | | }; |
560 | | |
561 | | class RSA_Encryption_Operation final : public PK_Ops::Encryption_with_EME, |
562 | | private RSA_Public_Operation |
563 | | { |
564 | | public: |
565 | | |
566 | | RSA_Encryption_Operation(const RSA_PublicKey& rsa, const std::string& eme) : |
567 | | PK_Ops::Encryption_with_EME(eme), |
568 | | RSA_Public_Operation(rsa) |
569 | 61 | { |
570 | 61 | } |
571 | | |
572 | 0 | size_t ciphertext_length(size_t) const override { return public_modulus_bytes(); } |
573 | | |
574 | 61 | size_t max_raw_input_bits() const override { return get_max_input_bits(); } |
575 | | |
576 | | secure_vector<uint8_t> raw_encrypt(const uint8_t input[], size_t input_len, |
577 | | RandomNumberGenerator&) override |
578 | 57 | { |
579 | 57 | BigInt input_bn(input, input_len); |
580 | 57 | return BigInt::encode_1363(public_op(input_bn), public_modulus_bytes()); |
581 | 57 | } |
582 | | }; |
583 | | |
584 | | class RSA_Verify_Operation final : public PK_Ops::Verification_with_EMSA, |
585 | | private RSA_Public_Operation |
586 | | { |
587 | | public: |
588 | | |
589 | 6.22k | size_t max_input_bits() const override { return get_max_input_bits(); } |
590 | | |
591 | | RSA_Verify_Operation(const RSA_PublicKey& rsa, const std::string& emsa) : |
592 | | PK_Ops::Verification_with_EMSA(emsa), |
593 | | RSA_Public_Operation(rsa) |
594 | 6.31k | { |
595 | 6.31k | } |
596 | | |
597 | 6.31k | bool with_recovery() const override { return true; } |
598 | | |
599 | | secure_vector<uint8_t> verify_mr(const uint8_t input[], size_t input_len) override |
600 | 6.31k | { |
601 | 6.31k | BigInt input_bn(input, input_len); |
602 | 6.31k | return BigInt::encode_locked(public_op(input_bn)); |
603 | 6.31k | } |
604 | | }; |
605 | | |
606 | | class RSA_KEM_Encryption_Operation final : public PK_Ops::KEM_Encryption_with_KDF, |
607 | | private RSA_Public_Operation |
608 | | { |
609 | | public: |
610 | | |
611 | | RSA_KEM_Encryption_Operation(const RSA_PublicKey& key, |
612 | | const std::string& kdf) : |
613 | | PK_Ops::KEM_Encryption_with_KDF(kdf), |
614 | 0 | RSA_Public_Operation(key) {} |
615 | | |
616 | | private: |
617 | | void raw_kem_encrypt(secure_vector<uint8_t>& out_encapsulated_key, |
618 | | secure_vector<uint8_t>& raw_shared_key, |
619 | | Botan::RandomNumberGenerator& rng) override |
620 | 0 | { |
621 | 0 | const BigInt r = BigInt::random_integer(rng, 1, get_n()); |
622 | 0 | const BigInt c = public_op(r); |
623 | 0 |
|
624 | 0 | out_encapsulated_key = BigInt::encode_locked(c); |
625 | 0 | raw_shared_key = BigInt::encode_locked(r); |
626 | 0 | } |
627 | | }; |
628 | | |
629 | | } |
630 | | |
631 | | std::unique_ptr<PK_Ops::Encryption> |
632 | | RSA_PublicKey::create_encryption_op(RandomNumberGenerator& /*rng*/, |
633 | | const std::string& params, |
634 | | const std::string& provider) const |
635 | 61 | { |
636 | | #if defined(BOTAN_HAS_OPENSSL) |
637 | | if(provider == "openssl" || provider.empty()) |
638 | | { |
639 | | try |
640 | | { |
641 | | return make_openssl_rsa_enc_op(*this, params); |
642 | | } |
643 | | catch(Exception& e) |
644 | | { |
645 | | /* |
646 | | * If OpenSSL for some reason could not handle this (eg due to OAEP params), |
647 | | * throw if openssl was specifically requested but otherwise just fall back |
648 | | * to the normal version. |
649 | | */ |
650 | | if(provider == "openssl") |
651 | | throw Lookup_Error("OpenSSL RSA provider rejected key:" + std::string(e.what())); |
652 | | } |
653 | | } |
654 | | #endif |
655 | | |
656 | 61 | if(provider == "base" || provider.empty()) |
657 | 61 | return std::unique_ptr<PK_Ops::Encryption>(new RSA_Encryption_Operation(*this, params)); |
658 | 0 | throw Provider_Not_Found(algo_name(), provider); |
659 | 0 | } |
660 | | |
661 | | std::unique_ptr<PK_Ops::KEM_Encryption> |
662 | | RSA_PublicKey::create_kem_encryption_op(RandomNumberGenerator& /*rng*/, |
663 | | const std::string& params, |
664 | | const std::string& provider) const |
665 | 0 | { |
666 | 0 | if(provider == "base" || provider.empty()) |
667 | 0 | return std::unique_ptr<PK_Ops::KEM_Encryption>(new RSA_KEM_Encryption_Operation(*this, params)); |
668 | 0 | throw Provider_Not_Found(algo_name(), provider); |
669 | 0 | } |
670 | | |
671 | | std::unique_ptr<PK_Ops::Verification> |
672 | | RSA_PublicKey::create_verification_op(const std::string& params, |
673 | | const std::string& provider) const |
674 | 6.31k | { |
675 | | #if defined(BOTAN_HAS_OPENSSL) |
676 | | if(provider == "openssl" || provider.empty()) |
677 | | { |
678 | | std::unique_ptr<PK_Ops::Verification> res = make_openssl_rsa_ver_op(*this, params); |
679 | | if(res) |
680 | | return res; |
681 | | } |
682 | | #endif |
683 | | |
684 | 6.31k | if(provider == "base" || provider.empty()) |
685 | 6.31k | return std::unique_ptr<PK_Ops::Verification>(new RSA_Verify_Operation(*this, params)); |
686 | 0 | |
687 | 0 | throw Provider_Not_Found(algo_name(), provider); |
688 | 0 | } |
689 | | |
690 | | std::unique_ptr<PK_Ops::Decryption> |
691 | | RSA_PrivateKey::create_decryption_op(RandomNumberGenerator& rng, |
692 | | const std::string& params, |
693 | | const std::string& provider) const |
694 | 0 | { |
695 | | #if defined(BOTAN_HAS_OPENSSL) |
696 | | if(provider == "openssl" || provider.empty()) |
697 | | { |
698 | | try |
699 | | { |
700 | | return make_openssl_rsa_dec_op(*this, params); |
701 | | } |
702 | | catch(Exception& e) |
703 | | { |
704 | | if(provider == "openssl") |
705 | | throw Lookup_Error("OpenSSL RSA provider rejected key:" + std::string(e.what())); |
706 | | } |
707 | | } |
708 | | #endif |
709 | |
|
710 | 0 | if(provider == "base" || provider.empty()) |
711 | 0 | return std::unique_ptr<PK_Ops::Decryption>(new RSA_Decryption_Operation(*this, params, rng)); |
712 | 0 | |
713 | 0 | throw Provider_Not_Found(algo_name(), provider); |
714 | 0 | } |
715 | | |
716 | | std::unique_ptr<PK_Ops::KEM_Decryption> |
717 | | RSA_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& rng, |
718 | | const std::string& params, |
719 | | const std::string& provider) const |
720 | 0 | { |
721 | 0 | if(provider == "base" || provider.empty()) |
722 | 0 | return std::unique_ptr<PK_Ops::KEM_Decryption>(new RSA_KEM_Decryption_Operation(*this, params, rng)); |
723 | 0 | |
724 | 0 | throw Provider_Not_Found(algo_name(), provider); |
725 | 0 | } |
726 | | |
727 | | std::unique_ptr<PK_Ops::Signature> |
728 | | RSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng, |
729 | | const std::string& params, |
730 | | const std::string& provider) const |
731 | 0 | { |
732 | | #if defined(BOTAN_HAS_OPENSSL) |
733 | | if(provider == "openssl" || provider.empty()) |
734 | | { |
735 | | std::unique_ptr<PK_Ops::Signature> res = make_openssl_rsa_sig_op(*this, params); |
736 | | if(res) |
737 | | return res; |
738 | | } |
739 | | #endif |
740 | |
|
741 | 0 | if(provider == "base" || provider.empty()) |
742 | 0 | return std::unique_ptr<PK_Ops::Signature>(new RSA_Signature_Operation(*this, params, rng)); |
743 | 0 | |
744 | 0 | throw Provider_Not_Found(algo_name(), provider); |
745 | 0 | } |
746 | | |
747 | | } |