/src/boringssl/crypto/fipsmodule/rsa/rsa.c.inc
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
2 | | * All rights reserved. |
3 | | * |
4 | | * This package is an SSL implementation written |
5 | | * by Eric Young (eay@cryptsoft.com). |
6 | | * The implementation was written so as to conform with Netscapes SSL. |
7 | | * |
8 | | * This library is free for commercial and non-commercial use as long as |
9 | | * the following conditions are aheared to. The following conditions |
10 | | * apply to all code found in this distribution, be it the RC4, RSA, |
11 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
12 | | * included with this distribution is covered by the same copyright terms |
13 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
14 | | * |
15 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
16 | | * the code are not to be removed. |
17 | | * If this package is used in a product, Eric Young should be given attribution |
18 | | * as the author of the parts of the library used. |
19 | | * This can be in the form of a textual message at program startup or |
20 | | * in documentation (online or textual) provided with the package. |
21 | | * |
22 | | * Redistribution and use in source and binary forms, with or without |
23 | | * modification, are permitted provided that the following conditions |
24 | | * are met: |
25 | | * 1. Redistributions of source code must retain the copyright |
26 | | * notice, this list of conditions and the following disclaimer. |
27 | | * 2. Redistributions in binary form must reproduce the above copyright |
28 | | * notice, this list of conditions and the following disclaimer in the |
29 | | * documentation and/or other materials provided with the distribution. |
30 | | * 3. All advertising materials mentioning features or use of this software |
31 | | * must display the following acknowledgement: |
32 | | * "This product includes cryptographic software written by |
33 | | * Eric Young (eay@cryptsoft.com)" |
34 | | * The word 'cryptographic' can be left out if the rouines from the library |
35 | | * being used are not cryptographic related :-). |
36 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
37 | | * the apps directory (application code) you must include an acknowledgement: |
38 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
39 | | * |
40 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
41 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
42 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
43 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
44 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
45 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
46 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
47 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
48 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
49 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
50 | | * SUCH DAMAGE. |
51 | | * |
52 | | * The licence and distribution terms for any publically available version or |
53 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
54 | | * copied and put under another distribution licence |
55 | | * [including the GNU Public Licence.] */ |
56 | | |
57 | | #include <openssl/rsa.h> |
58 | | |
59 | | #include <assert.h> |
60 | | #include <limits.h> |
61 | | #include <string.h> |
62 | | |
63 | | #include <openssl/bn.h> |
64 | | #include <openssl/digest.h> |
65 | | #include <openssl/engine.h> |
66 | | #include <openssl/err.h> |
67 | | #include <openssl/ex_data.h> |
68 | | #include <openssl/md5.h> |
69 | | #include <openssl/mem.h> |
70 | | #include <openssl/nid.h> |
71 | | #include <openssl/thread.h> |
72 | | |
73 | | #include "../bn/internal.h" |
74 | | #include "../delocate.h" |
75 | | #include "../../internal.h" |
76 | | #include "internal.h" |
77 | | |
78 | | |
79 | | // RSA_R_BLOCK_TYPE_IS_NOT_02 is part of the legacy SSLv23 padding scheme. |
80 | | // Cryptography.io depends on this error code. |
81 | | OPENSSL_DECLARE_ERROR_REASON(RSA, BLOCK_TYPE_IS_NOT_02) |
82 | | |
83 | | DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class) |
84 | | |
85 | 0 | static int bn_dup_into(BIGNUM **dst, const BIGNUM *src) { |
86 | 0 | if (src == NULL) { |
87 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); |
88 | 0 | return 0; |
89 | 0 | } |
90 | | |
91 | 0 | BN_free(*dst); |
92 | 0 | *dst = BN_dup(src); |
93 | 0 | return *dst != NULL; |
94 | 0 | } |
95 | | |
96 | 0 | RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e) { |
97 | 0 | RSA *rsa = RSA_new(); |
98 | 0 | if (rsa == NULL || // |
99 | 0 | !bn_dup_into(&rsa->n, n) || // |
100 | 0 | !bn_dup_into(&rsa->e, e) || // |
101 | 0 | !RSA_check_key(rsa)) { |
102 | 0 | RSA_free(rsa); |
103 | 0 | return NULL; |
104 | 0 | } |
105 | | |
106 | 0 | return rsa; |
107 | 0 | } |
108 | | |
109 | | RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d, |
110 | | const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1, |
111 | 0 | const BIGNUM *dmq1, const BIGNUM *iqmp) { |
112 | 0 | RSA *rsa = RSA_new(); |
113 | 0 | if (rsa == NULL || // |
114 | 0 | !bn_dup_into(&rsa->n, n) || // |
115 | 0 | !bn_dup_into(&rsa->e, e) || // |
116 | 0 | !bn_dup_into(&rsa->d, d) || // |
117 | 0 | !bn_dup_into(&rsa->p, p) || // |
118 | 0 | !bn_dup_into(&rsa->q, q) || // |
119 | 0 | !bn_dup_into(&rsa->dmp1, dmp1) || // |
120 | 0 | !bn_dup_into(&rsa->dmq1, dmq1) || // |
121 | 0 | !bn_dup_into(&rsa->iqmp, iqmp) || // |
122 | 0 | !RSA_check_key(rsa)) { |
123 | 0 | RSA_free(rsa); |
124 | 0 | return NULL; |
125 | 0 | } |
126 | | |
127 | 0 | return rsa; |
128 | 0 | } |
129 | | |
130 | | RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e, |
131 | 0 | const BIGNUM *d) { |
132 | 0 | RSA *rsa = RSA_new(); |
133 | 0 | if (rsa == NULL || // |
134 | 0 | !bn_dup_into(&rsa->n, n) || // |
135 | 0 | !bn_dup_into(&rsa->e, e) || // |
136 | 0 | !bn_dup_into(&rsa->d, d) || // |
137 | 0 | !RSA_check_key(rsa)) { |
138 | 0 | RSA_free(rsa); |
139 | 0 | return NULL; |
140 | 0 | } |
141 | | |
142 | 0 | return rsa; |
143 | 0 | } |
144 | | |
145 | 0 | RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d) { |
146 | 0 | RSA *rsa = RSA_new(); |
147 | 0 | if (rsa == NULL) { |
148 | 0 | return NULL; |
149 | 0 | } |
150 | | |
151 | 0 | rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT; |
152 | 0 | if (!bn_dup_into(&rsa->n, n) || // |
153 | 0 | !bn_dup_into(&rsa->d, d) || // |
154 | 0 | !RSA_check_key(rsa)) { |
155 | 0 | RSA_free(rsa); |
156 | 0 | return NULL; |
157 | 0 | } |
158 | | |
159 | 0 | return rsa; |
160 | 0 | } |
161 | | |
162 | 0 | RSA *RSA_new_public_key_large_e(const BIGNUM *n, const BIGNUM *e) { |
163 | 0 | RSA *rsa = RSA_new(); |
164 | 0 | if (rsa == NULL) { |
165 | 0 | return NULL; |
166 | 0 | } |
167 | | |
168 | 0 | rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT; |
169 | 0 | if (!bn_dup_into(&rsa->n, n) || // |
170 | 0 | !bn_dup_into(&rsa->e, e) || // |
171 | 0 | !RSA_check_key(rsa)) { |
172 | 0 | RSA_free(rsa); |
173 | 0 | return NULL; |
174 | 0 | } |
175 | | |
176 | 0 | return rsa; |
177 | 0 | } |
178 | | |
179 | | RSA *RSA_new_private_key_large_e(const BIGNUM *n, const BIGNUM *e, |
180 | | const BIGNUM *d, const BIGNUM *p, |
181 | | const BIGNUM *q, const BIGNUM *dmp1, |
182 | 0 | const BIGNUM *dmq1, const BIGNUM *iqmp) { |
183 | 0 | RSA *rsa = RSA_new(); |
184 | 0 | if (rsa == NULL) { |
185 | 0 | return NULL; |
186 | 0 | } |
187 | | |
188 | 0 | rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT; |
189 | 0 | if (!bn_dup_into(&rsa->n, n) || // |
190 | 0 | !bn_dup_into(&rsa->e, e) || // |
191 | 0 | !bn_dup_into(&rsa->d, d) || // |
192 | 0 | !bn_dup_into(&rsa->p, p) || // |
193 | 0 | !bn_dup_into(&rsa->q, q) || // |
194 | 0 | !bn_dup_into(&rsa->dmp1, dmp1) || // |
195 | 0 | !bn_dup_into(&rsa->dmq1, dmq1) || // |
196 | 0 | !bn_dup_into(&rsa->iqmp, iqmp) || // |
197 | 0 | !RSA_check_key(rsa)) { |
198 | 0 | RSA_free(rsa); |
199 | 0 | return NULL; |
200 | 0 | } |
201 | | |
202 | 0 | return rsa; |
203 | 0 | } |
204 | | |
205 | 0 | RSA *RSA_new(void) { return RSA_new_method(NULL); } |
206 | | |
207 | 0 | RSA *RSA_new_method(const ENGINE *engine) { |
208 | 0 | RSA *rsa = OPENSSL_zalloc(sizeof(RSA)); |
209 | 0 | if (rsa == NULL) { |
210 | 0 | return NULL; |
211 | 0 | } |
212 | | |
213 | 0 | if (engine) { |
214 | 0 | rsa->meth = ENGINE_get_RSA_method(engine); |
215 | 0 | } |
216 | |
|
217 | 0 | if (rsa->meth == NULL) { |
218 | 0 | rsa->meth = (RSA_METHOD *) RSA_default_method(); |
219 | 0 | } |
220 | 0 | METHOD_ref(rsa->meth); |
221 | |
|
222 | 0 | rsa->references = 1; |
223 | 0 | rsa->flags = rsa->meth->flags; |
224 | 0 | CRYPTO_MUTEX_init(&rsa->lock); |
225 | 0 | CRYPTO_new_ex_data(&rsa->ex_data); |
226 | |
|
227 | 0 | if (rsa->meth->init && !rsa->meth->init(rsa)) { |
228 | 0 | CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data); |
229 | 0 | CRYPTO_MUTEX_cleanup(&rsa->lock); |
230 | 0 | METHOD_unref(rsa->meth); |
231 | 0 | OPENSSL_free(rsa); |
232 | 0 | return NULL; |
233 | 0 | } |
234 | | |
235 | 0 | return rsa; |
236 | 0 | } |
237 | | |
238 | 0 | RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n) { |
239 | 0 | RSA *rsa = RSA_new_method(engine); |
240 | 0 | if (rsa == NULL || |
241 | 0 | !bn_dup_into(&rsa->n, n)) { |
242 | 0 | RSA_free(rsa); |
243 | 0 | return NULL; |
244 | 0 | } |
245 | 0 | rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT; |
246 | 0 | return rsa; |
247 | 0 | } |
248 | | |
249 | 0 | void RSA_free(RSA *rsa) { |
250 | 0 | if (rsa == NULL) { |
251 | 0 | return; |
252 | 0 | } |
253 | | |
254 | 0 | if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) { |
255 | 0 | return; |
256 | 0 | } |
257 | | |
258 | 0 | if (rsa->meth->finish) { |
259 | 0 | rsa->meth->finish(rsa); |
260 | 0 | } |
261 | 0 | METHOD_unref(rsa->meth); |
262 | |
|
263 | 0 | CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data); |
264 | |
|
265 | 0 | BN_free(rsa->n); |
266 | 0 | BN_free(rsa->e); |
267 | 0 | BN_free(rsa->d); |
268 | 0 | BN_free(rsa->p); |
269 | 0 | BN_free(rsa->q); |
270 | 0 | BN_free(rsa->dmp1); |
271 | 0 | BN_free(rsa->dmq1); |
272 | 0 | BN_free(rsa->iqmp); |
273 | 0 | rsa_invalidate_key(rsa); |
274 | 0 | CRYPTO_MUTEX_cleanup(&rsa->lock); |
275 | 0 | OPENSSL_free(rsa); |
276 | 0 | } |
277 | | |
278 | 0 | int RSA_up_ref(RSA *rsa) { |
279 | 0 | CRYPTO_refcount_inc(&rsa->references); |
280 | 0 | return 1; |
281 | 0 | } |
282 | | |
283 | 0 | unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); } |
284 | | |
285 | 0 | const BIGNUM *RSA_get0_n(const RSA *rsa) { return rsa->n; } |
286 | | |
287 | 0 | const BIGNUM *RSA_get0_e(const RSA *rsa) { return rsa->e; } |
288 | | |
289 | 0 | const BIGNUM *RSA_get0_d(const RSA *rsa) { return rsa->d; } |
290 | | |
291 | 0 | const BIGNUM *RSA_get0_p(const RSA *rsa) { return rsa->p; } |
292 | | |
293 | 0 | const BIGNUM *RSA_get0_q(const RSA *rsa) { return rsa->q; } |
294 | | |
295 | 0 | const BIGNUM *RSA_get0_dmp1(const RSA *rsa) { return rsa->dmp1; } |
296 | | |
297 | 0 | const BIGNUM *RSA_get0_dmq1(const RSA *rsa) { return rsa->dmq1; } |
298 | | |
299 | 0 | const BIGNUM *RSA_get0_iqmp(const RSA *rsa) { return rsa->iqmp; } |
300 | | |
301 | | void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e, |
302 | 0 | const BIGNUM **out_d) { |
303 | 0 | if (out_n != NULL) { |
304 | 0 | *out_n = rsa->n; |
305 | 0 | } |
306 | 0 | if (out_e != NULL) { |
307 | 0 | *out_e = rsa->e; |
308 | 0 | } |
309 | 0 | if (out_d != NULL) { |
310 | 0 | *out_d = rsa->d; |
311 | 0 | } |
312 | 0 | } |
313 | | |
314 | | void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, |
315 | 0 | const BIGNUM **out_q) { |
316 | 0 | if (out_p != NULL) { |
317 | 0 | *out_p = rsa->p; |
318 | 0 | } |
319 | 0 | if (out_q != NULL) { |
320 | 0 | *out_q = rsa->q; |
321 | 0 | } |
322 | 0 | } |
323 | | |
324 | 0 | const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa) { |
325 | | // We do not support the id-RSASSA-PSS key encoding. If we add support later, |
326 | | // the |maskHash| field should be filled in for OpenSSL compatibility. |
327 | 0 | return NULL; |
328 | 0 | } |
329 | | |
330 | | void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, |
331 | 0 | const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) { |
332 | 0 | if (out_dmp1 != NULL) { |
333 | 0 | *out_dmp1 = rsa->dmp1; |
334 | 0 | } |
335 | 0 | if (out_dmq1 != NULL) { |
336 | 0 | *out_dmq1 = rsa->dmq1; |
337 | 0 | } |
338 | 0 | if (out_iqmp != NULL) { |
339 | 0 | *out_iqmp = rsa->iqmp; |
340 | 0 | } |
341 | 0 | } |
342 | | |
343 | 0 | int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) { |
344 | 0 | if ((rsa->n == NULL && n == NULL) || |
345 | 0 | (rsa->e == NULL && e == NULL)) { |
346 | 0 | return 0; |
347 | 0 | } |
348 | | |
349 | 0 | if (n != NULL) { |
350 | 0 | BN_free(rsa->n); |
351 | 0 | rsa->n = n; |
352 | 0 | } |
353 | 0 | if (e != NULL) { |
354 | 0 | BN_free(rsa->e); |
355 | 0 | rsa->e = e; |
356 | 0 | } |
357 | 0 | if (d != NULL) { |
358 | 0 | BN_free(rsa->d); |
359 | 0 | rsa->d = d; |
360 | 0 | } |
361 | |
|
362 | 0 | rsa_invalidate_key(rsa); |
363 | 0 | return 1; |
364 | 0 | } |
365 | | |
366 | 0 | int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) { |
367 | 0 | if ((rsa->p == NULL && p == NULL) || |
368 | 0 | (rsa->q == NULL && q == NULL)) { |
369 | 0 | return 0; |
370 | 0 | } |
371 | | |
372 | 0 | if (p != NULL) { |
373 | 0 | BN_free(rsa->p); |
374 | 0 | rsa->p = p; |
375 | 0 | } |
376 | 0 | if (q != NULL) { |
377 | 0 | BN_free(rsa->q); |
378 | 0 | rsa->q = q; |
379 | 0 | } |
380 | |
|
381 | 0 | rsa_invalidate_key(rsa); |
382 | 0 | return 1; |
383 | 0 | } |
384 | | |
385 | 0 | int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) { |
386 | 0 | if ((rsa->dmp1 == NULL && dmp1 == NULL) || |
387 | 0 | (rsa->dmq1 == NULL && dmq1 == NULL) || |
388 | 0 | (rsa->iqmp == NULL && iqmp == NULL)) { |
389 | 0 | return 0; |
390 | 0 | } |
391 | | |
392 | 0 | if (dmp1 != NULL) { |
393 | 0 | BN_free(rsa->dmp1); |
394 | 0 | rsa->dmp1 = dmp1; |
395 | 0 | } |
396 | 0 | if (dmq1 != NULL) { |
397 | 0 | BN_free(rsa->dmq1); |
398 | 0 | rsa->dmq1 = dmq1; |
399 | 0 | } |
400 | 0 | if (iqmp != NULL) { |
401 | 0 | BN_free(rsa->iqmp); |
402 | 0 | rsa->iqmp = iqmp; |
403 | 0 | } |
404 | |
|
405 | 0 | rsa_invalidate_key(rsa); |
406 | 0 | return 1; |
407 | 0 | } |
408 | | |
409 | | static int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, |
410 | | size_t max_out, const uint8_t *in, |
411 | 0 | size_t in_len, int padding) { |
412 | 0 | if (rsa->meth->sign_raw) { |
413 | 0 | return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding); |
414 | 0 | } |
415 | | |
416 | 0 | return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding); |
417 | 0 | } |
418 | | |
419 | | int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
420 | 0 | const uint8_t *in, size_t in_len, int padding) { |
421 | 0 | boringssl_ensure_rsa_self_test(); |
422 | 0 | return rsa_sign_raw_no_self_test(rsa, out_len, out, max_out, in, in_len, |
423 | 0 | padding); |
424 | 0 | } |
425 | | |
426 | 0 | unsigned RSA_size(const RSA *rsa) { |
427 | 0 | size_t ret = rsa->meth->size ? rsa->meth->size(rsa) : rsa_default_size(rsa); |
428 | | // RSA modulus sizes are bounded by |BIGNUM|, which must fit in |unsigned|. |
429 | | // |
430 | | // TODO(https://crbug.com/boringssl/516): Should we make this return |size_t|? |
431 | 0 | assert(ret < UINT_MAX); |
432 | 0 | return (unsigned)ret; |
433 | 0 | } |
434 | | |
435 | 0 | int RSA_is_opaque(const RSA *rsa) { |
436 | 0 | return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE); |
437 | 0 | } |
438 | | |
439 | | int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, |
440 | 0 | CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { |
441 | 0 | return CRYPTO_get_ex_new_index_ex(g_rsa_ex_data_class_bss_get(), argl, argp, |
442 | 0 | free_func); |
443 | 0 | } |
444 | | |
445 | 0 | int RSA_set_ex_data(RSA *rsa, int idx, void *arg) { |
446 | 0 | return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg); |
447 | 0 | } |
448 | | |
449 | 0 | void *RSA_get_ex_data(const RSA *rsa, int idx) { |
450 | 0 | return CRYPTO_get_ex_data(&rsa->ex_data, idx); |
451 | 0 | } |
452 | | |
453 | | // SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's |
454 | | // the length of an MD5 and SHA1 hash. |
455 | | static const unsigned SSL_SIG_LENGTH = 36; |
456 | | |
457 | | // pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is |
458 | | // to be signed with PKCS#1. |
459 | | struct pkcs1_sig_prefix { |
460 | | // nid identifies the hash function. |
461 | | int nid; |
462 | | // hash_len is the expected length of the hash function. |
463 | | uint8_t hash_len; |
464 | | // len is the number of bytes of |bytes| which are valid. |
465 | | uint8_t len; |
466 | | // bytes contains the DER bytes. |
467 | | uint8_t bytes[19]; |
468 | | }; |
469 | | |
470 | | // kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with |
471 | | // different hash functions. |
472 | | static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = { |
473 | | { |
474 | | NID_md5, |
475 | | MD5_DIGEST_LENGTH, |
476 | | 18, |
477 | | {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
478 | | 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}, |
479 | | }, |
480 | | { |
481 | | NID_sha1, |
482 | | BCM_SHA_DIGEST_LENGTH, |
483 | | 15, |
484 | | {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, |
485 | | 0x00, 0x04, 0x14}, |
486 | | }, |
487 | | { |
488 | | NID_sha224, |
489 | | BCM_SHA224_DIGEST_LENGTH, |
490 | | 19, |
491 | | {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
492 | | 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}, |
493 | | }, |
494 | | { |
495 | | NID_sha256, |
496 | | BCM_SHA256_DIGEST_LENGTH, |
497 | | 19, |
498 | | {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
499 | | 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}, |
500 | | }, |
501 | | { |
502 | | NID_sha384, |
503 | | BCM_SHA384_DIGEST_LENGTH, |
504 | | 19, |
505 | | {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
506 | | 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}, |
507 | | }, |
508 | | { |
509 | | NID_sha512, |
510 | | BCM_SHA512_DIGEST_LENGTH, |
511 | | 19, |
512 | | {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
513 | | 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}, |
514 | | }, |
515 | | { |
516 | | NID_undef, 0, 0, {0}, |
517 | | }, |
518 | | }; |
519 | | |
520 | 0 | static int rsa_check_digest_size(int hash_nid, size_t digest_len) { |
521 | 0 | if (hash_nid == NID_md5_sha1) { |
522 | 0 | if (digest_len != SSL_SIG_LENGTH) { |
523 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
524 | 0 | return 0; |
525 | 0 | } |
526 | 0 | return 1; |
527 | 0 | } |
528 | | |
529 | 0 | for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) { |
530 | 0 | const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i]; |
531 | 0 | if (sig_prefix->nid == hash_nid) { |
532 | 0 | if (digest_len != sig_prefix->hash_len) { |
533 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
534 | 0 | return 0; |
535 | 0 | } |
536 | 0 | return 1; |
537 | 0 | } |
538 | 0 | } |
539 | | |
540 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); |
541 | 0 | return 0; |
542 | |
|
543 | 0 | } |
544 | | |
545 | | int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, |
546 | | int *is_alloced, int hash_nid, const uint8_t *digest, |
547 | 0 | size_t digest_len) { |
548 | 0 | if (!rsa_check_digest_size(hash_nid, digest_len)) { |
549 | 0 | return 0; |
550 | 0 | } |
551 | | |
552 | 0 | if (hash_nid == NID_md5_sha1) { |
553 | | // The length should already have been checked. |
554 | 0 | assert(digest_len == SSL_SIG_LENGTH); |
555 | 0 | *out_msg = (uint8_t *)digest; |
556 | 0 | *out_msg_len = digest_len; |
557 | 0 | *is_alloced = 0; |
558 | 0 | return 1; |
559 | 0 | } |
560 | | |
561 | 0 | for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) { |
562 | 0 | const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i]; |
563 | 0 | if (sig_prefix->nid != hash_nid) { |
564 | 0 | continue; |
565 | 0 | } |
566 | | |
567 | | // The length should already have been checked. |
568 | 0 | assert(digest_len == sig_prefix->hash_len); |
569 | 0 | const uint8_t* prefix = sig_prefix->bytes; |
570 | 0 | size_t prefix_len = sig_prefix->len; |
571 | 0 | size_t signed_msg_len = prefix_len + digest_len; |
572 | 0 | if (signed_msg_len < prefix_len) { |
573 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG); |
574 | 0 | return 0; |
575 | 0 | } |
576 | | |
577 | 0 | uint8_t *signed_msg = OPENSSL_malloc(signed_msg_len); |
578 | 0 | if (!signed_msg) { |
579 | 0 | return 0; |
580 | 0 | } |
581 | | |
582 | 0 | OPENSSL_memcpy(signed_msg, prefix, prefix_len); |
583 | 0 | OPENSSL_memcpy(signed_msg + prefix_len, digest, digest_len); |
584 | |
|
585 | 0 | *out_msg = signed_msg; |
586 | 0 | *out_msg_len = signed_msg_len; |
587 | 0 | *is_alloced = 1; |
588 | |
|
589 | 0 | return 1; |
590 | 0 | } |
591 | | |
592 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); |
593 | 0 | return 0; |
594 | 0 | } |
595 | | |
596 | | int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest, |
597 | | size_t digest_len, uint8_t *out, unsigned *out_len, |
598 | 0 | RSA *rsa) { |
599 | 0 | if (rsa->meth->sign) { |
600 | 0 | if (!rsa_check_digest_size(hash_nid, digest_len)) { |
601 | 0 | return 0; |
602 | 0 | } |
603 | | // All supported digest lengths fit in |unsigned|. |
604 | 0 | assert(digest_len <= EVP_MAX_MD_SIZE); |
605 | 0 | static_assert(EVP_MAX_MD_SIZE <= UINT_MAX, "digest too long"); |
606 | 0 | return rsa->meth->sign(hash_nid, digest, (unsigned)digest_len, out, out_len, |
607 | 0 | rsa); |
608 | 0 | } |
609 | | |
610 | 0 | const unsigned rsa_size = RSA_size(rsa); |
611 | 0 | int ret = 0; |
612 | 0 | uint8_t *signed_msg = NULL; |
613 | 0 | size_t signed_msg_len = 0; |
614 | 0 | int signed_msg_is_alloced = 0; |
615 | 0 | size_t size_t_out_len; |
616 | 0 | if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, |
617 | 0 | &signed_msg_is_alloced, hash_nid, digest, |
618 | 0 | digest_len) || |
619 | 0 | !rsa_sign_raw_no_self_test(rsa, &size_t_out_len, out, rsa_size, |
620 | 0 | signed_msg, signed_msg_len, |
621 | 0 | RSA_PKCS1_PADDING)) { |
622 | 0 | goto err; |
623 | 0 | } |
624 | | |
625 | 0 | if (size_t_out_len > UINT_MAX) { |
626 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); |
627 | 0 | goto err; |
628 | 0 | } |
629 | | |
630 | 0 | *out_len = (unsigned)size_t_out_len; |
631 | 0 | ret = 1; |
632 | |
|
633 | 0 | err: |
634 | 0 | if (signed_msg_is_alloced) { |
635 | 0 | OPENSSL_free(signed_msg); |
636 | 0 | } |
637 | 0 | return ret; |
638 | 0 | } |
639 | | |
640 | | int RSA_sign(int hash_nid, const uint8_t *digest, size_t digest_len, |
641 | 0 | uint8_t *out, unsigned *out_len, RSA *rsa) { |
642 | 0 | boringssl_ensure_rsa_self_test(); |
643 | |
|
644 | 0 | return rsa_sign_no_self_test(hash_nid, digest, digest_len, out, out_len, rsa); |
645 | 0 | } |
646 | | |
647 | | int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, |
648 | | const uint8_t *digest, size_t digest_len, |
649 | 0 | const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len) { |
650 | 0 | if (digest_len != EVP_MD_size(md)) { |
651 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
652 | 0 | return 0; |
653 | 0 | } |
654 | | |
655 | 0 | size_t padded_len = RSA_size(rsa); |
656 | 0 | uint8_t *padded = OPENSSL_malloc(padded_len); |
657 | 0 | if (padded == NULL) { |
658 | 0 | return 0; |
659 | 0 | } |
660 | | |
661 | 0 | int ret = RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, digest, md, mgf1_md, |
662 | 0 | salt_len) && |
663 | 0 | RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len, |
664 | 0 | RSA_NO_PADDING); |
665 | 0 | OPENSSL_free(padded); |
666 | 0 | return ret; |
667 | 0 | } |
668 | | |
669 | | int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest, |
670 | | size_t digest_len, const uint8_t *sig, |
671 | 0 | size_t sig_len, RSA *rsa) { |
672 | 0 | if (rsa->n == NULL || rsa->e == NULL) { |
673 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); |
674 | 0 | return 0; |
675 | 0 | } |
676 | | |
677 | 0 | const size_t rsa_size = RSA_size(rsa); |
678 | 0 | uint8_t *buf = NULL; |
679 | 0 | int ret = 0; |
680 | 0 | uint8_t *signed_msg = NULL; |
681 | 0 | size_t signed_msg_len = 0, len; |
682 | 0 | int signed_msg_is_alloced = 0; |
683 | |
|
684 | 0 | if (hash_nid == NID_md5_sha1 && digest_len != SSL_SIG_LENGTH) { |
685 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
686 | 0 | return 0; |
687 | 0 | } |
688 | | |
689 | 0 | buf = OPENSSL_malloc(rsa_size); |
690 | 0 | if (!buf) { |
691 | 0 | return 0; |
692 | 0 | } |
693 | | |
694 | 0 | if (!rsa_verify_raw_no_self_test(rsa, &len, buf, rsa_size, sig, sig_len, |
695 | 0 | RSA_PKCS1_PADDING) || |
696 | 0 | !RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, |
697 | 0 | &signed_msg_is_alloced, hash_nid, digest, |
698 | 0 | digest_len)) { |
699 | 0 | goto out; |
700 | 0 | } |
701 | | |
702 | | // Check that no other information follows the hash value (FIPS 186-4 Section |
703 | | // 5.5) and it matches the expected hash. |
704 | 0 | if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) { |
705 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE); |
706 | 0 | goto out; |
707 | 0 | } |
708 | | |
709 | 0 | ret = 1; |
710 | |
|
711 | 0 | out: |
712 | 0 | OPENSSL_free(buf); |
713 | 0 | if (signed_msg_is_alloced) { |
714 | 0 | OPENSSL_free(signed_msg); |
715 | 0 | } |
716 | 0 | return ret; |
717 | 0 | } |
718 | | |
719 | | int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len, |
720 | 0 | const uint8_t *sig, size_t sig_len, RSA *rsa) { |
721 | 0 | boringssl_ensure_rsa_self_test(); |
722 | 0 | return rsa_verify_no_self_test(hash_nid, digest, digest_len, sig, sig_len, |
723 | 0 | rsa); |
724 | 0 | } |
725 | | |
726 | | int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len, |
727 | | const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len, |
728 | 0 | const uint8_t *sig, size_t sig_len) { |
729 | 0 | if (digest_len != EVP_MD_size(md)) { |
730 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); |
731 | 0 | return 0; |
732 | 0 | } |
733 | | |
734 | 0 | size_t em_len = RSA_size(rsa); |
735 | 0 | uint8_t *em = OPENSSL_malloc(em_len); |
736 | 0 | if (em == NULL) { |
737 | 0 | return 0; |
738 | 0 | } |
739 | | |
740 | 0 | int ret = 0; |
741 | 0 | if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) { |
742 | 0 | goto err; |
743 | 0 | } |
744 | | |
745 | 0 | if (em_len != RSA_size(rsa)) { |
746 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); |
747 | 0 | goto err; |
748 | 0 | } |
749 | | |
750 | 0 | ret = RSA_verify_PKCS1_PSS_mgf1(rsa, digest, md, mgf1_md, em, salt_len); |
751 | |
|
752 | 0 | err: |
753 | 0 | OPENSSL_free(em); |
754 | 0 | return ret; |
755 | 0 | } |
756 | | |
757 | | static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv, |
758 | | const BIGNUM *m, unsigned m_min_bits, |
759 | 0 | BN_CTX *ctx) { |
760 | 0 | if (BN_is_negative(ainv) || |
761 | 0 | constant_time_declassify_int(BN_cmp(ainv, m) >= 0)) { |
762 | 0 | *out_ok = 0; |
763 | 0 | return 1; |
764 | 0 | } |
765 | | |
766 | | // Note |bn_mul_consttime| and |bn_div_consttime| do not scale linearly, but |
767 | | // checking |ainv| is in range bounds the running time, assuming |m|'s bounds |
768 | | // were checked by the caller. |
769 | 0 | BN_CTX_start(ctx); |
770 | 0 | BIGNUM *tmp = BN_CTX_get(ctx); |
771 | 0 | int ret = tmp != NULL && |
772 | 0 | bn_mul_consttime(tmp, a, ainv, ctx) && |
773 | 0 | bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx); |
774 | 0 | if (ret) { |
775 | 0 | *out_ok = constant_time_declassify_int(BN_is_one(tmp)); |
776 | 0 | } |
777 | 0 | BN_CTX_end(ctx); |
778 | 0 | return ret; |
779 | 0 | } |
780 | | |
781 | 0 | int RSA_check_key(const RSA *key) { |
782 | | // TODO(davidben): RSA key initialization is spread across |
783 | | // |rsa_check_public_key|, |RSA_check_key|, |freeze_private_key|, and |
784 | | // |BN_MONT_CTX_set_locked| as a result of API issues. See |
785 | | // https://crbug.com/boringssl/316. As a result, we inconsistently check RSA |
786 | | // invariants. We should fix this and integrate that logic. |
787 | |
|
788 | 0 | if (RSA_is_opaque(key)) { |
789 | | // Opaque keys can't be checked. |
790 | 0 | return 1; |
791 | 0 | } |
792 | | |
793 | 0 | if (!rsa_check_public_key(key)) { |
794 | 0 | return 0; |
795 | 0 | } |
796 | | |
797 | 0 | if ((key->p != NULL) != (key->q != NULL)) { |
798 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN); |
799 | 0 | return 0; |
800 | 0 | } |
801 | | |
802 | | // |key->d| must be bounded by |key->n|. This ensures bounds on |RSA_bits| |
803 | | // translate to bounds on the running time of private key operations. |
804 | 0 | if (key->d != NULL && |
805 | 0 | (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0)) { |
806 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE); |
807 | 0 | return 0; |
808 | 0 | } |
809 | | |
810 | 0 | if (key->d == NULL || key->p == NULL) { |
811 | | // For a public key, or without p and q, there's nothing that can be |
812 | | // checked. |
813 | 0 | return 1; |
814 | 0 | } |
815 | | |
816 | 0 | BN_CTX *ctx = BN_CTX_new(); |
817 | 0 | if (ctx == NULL) { |
818 | 0 | return 0; |
819 | 0 | } |
820 | | |
821 | 0 | BIGNUM tmp, de, pm1, qm1, dmp1, dmq1; |
822 | 0 | int ok = 0; |
823 | 0 | BN_init(&tmp); |
824 | 0 | BN_init(&de); |
825 | 0 | BN_init(&pm1); |
826 | 0 | BN_init(&qm1); |
827 | 0 | BN_init(&dmp1); |
828 | 0 | BN_init(&dmq1); |
829 | | |
830 | | // Check that p * q == n. Before we multiply, we check that p and q are in |
831 | | // bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that |
832 | | // n was bound by |rsa_check_public_key|. This also implicitly checks p and q |
833 | | // are odd, which is a necessary condition for Montgomery reduction. |
834 | 0 | if (BN_is_negative(key->p) || |
835 | 0 | constant_time_declassify_int(BN_cmp(key->p, key->n) >= 0) || |
836 | 0 | BN_is_negative(key->q) || |
837 | 0 | constant_time_declassify_int(BN_cmp(key->q, key->n) >= 0)) { |
838 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q); |
839 | 0 | goto out; |
840 | 0 | } |
841 | 0 | if (!bn_mul_consttime(&tmp, key->p, key->q, ctx)) { |
842 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); |
843 | 0 | goto out; |
844 | 0 | } |
845 | 0 | if (BN_cmp(&tmp, key->n) != 0) { |
846 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q); |
847 | 0 | goto out; |
848 | 0 | } |
849 | | |
850 | | // d must be an inverse of e mod the Carmichael totient, lcm(p-1, q-1), but it |
851 | | // may be unreduced because other implementations use the Euler totient. We |
852 | | // simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound |
853 | | // by earlier checks in this function. |
854 | 0 | if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) || |
855 | 0 | !bn_usub_consttime(&qm1, key->q, BN_value_one())) { |
856 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); |
857 | 0 | goto out; |
858 | 0 | } |
859 | 0 | const unsigned pm1_bits = BN_num_bits(&pm1); |
860 | 0 | const unsigned qm1_bits = BN_num_bits(&qm1); |
861 | 0 | if (!bn_mul_consttime(&de, key->d, key->e, ctx) || |
862 | 0 | !bn_div_consttime(NULL, &tmp, &de, &pm1, pm1_bits, ctx) || |
863 | 0 | !bn_div_consttime(NULL, &de, &de, &qm1, qm1_bits, ctx)) { |
864 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); |
865 | 0 | goto out; |
866 | 0 | } |
867 | | |
868 | 0 | if (constant_time_declassify_int(!BN_is_one(&tmp)) || |
869 | 0 | constant_time_declassify_int(!BN_is_one(&de))) { |
870 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1); |
871 | 0 | goto out; |
872 | 0 | } |
873 | | |
874 | 0 | int has_crt_values = key->dmp1 != NULL; |
875 | 0 | if (has_crt_values != (key->dmq1 != NULL) || |
876 | 0 | has_crt_values != (key->iqmp != NULL)) { |
877 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES); |
878 | 0 | goto out; |
879 | 0 | } |
880 | | |
881 | 0 | if (has_crt_values) { |
882 | 0 | int dmp1_ok, dmq1_ok, iqmp_ok; |
883 | 0 | if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, pm1_bits, ctx) || |
884 | 0 | !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, qm1_bits, ctx) || |
885 | | // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't, |
886 | | // we only need a lower bound anyway. |
887 | 0 | !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, pm1_bits, |
888 | 0 | ctx)) { |
889 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); |
890 | 0 | goto out; |
891 | 0 | } |
892 | | |
893 | 0 | if (!dmp1_ok || !dmq1_ok || !iqmp_ok) { |
894 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT); |
895 | 0 | goto out; |
896 | 0 | } |
897 | 0 | } |
898 | | |
899 | 0 | ok = 1; |
900 | |
|
901 | 0 | out: |
902 | 0 | BN_free(&tmp); |
903 | 0 | BN_free(&de); |
904 | 0 | BN_free(&pm1); |
905 | 0 | BN_free(&qm1); |
906 | 0 | BN_free(&dmp1); |
907 | 0 | BN_free(&dmq1); |
908 | 0 | BN_CTX_free(ctx); |
909 | |
|
910 | 0 | return ok; |
911 | 0 | } |
912 | | |
913 | | |
914 | | // This is the product of the 132 smallest odd primes, from 3 to 751. |
915 | | static const BN_ULONG kSmallFactorsLimbs[] = { |
916 | | TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f), |
917 | | TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b), |
918 | | TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871), |
919 | | TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3), |
920 | | TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893), |
921 | | TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e), |
922 | | TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea), |
923 | | TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727), |
924 | | 0x000017b1 |
925 | | }; |
926 | | |
927 | 0 | DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) { |
928 | 0 | out->d = (BN_ULONG *) kSmallFactorsLimbs; |
929 | 0 | out->width = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs); |
930 | 0 | out->dmax = out->width; |
931 | 0 | out->neg = 0; |
932 | 0 | out->flags = BN_FLG_STATIC_DATA; |
933 | 0 | } |
934 | | |
935 | 0 | int RSA_check_fips(RSA *key) { |
936 | 0 | if (RSA_is_opaque(key)) { |
937 | | // Opaque keys can't be checked. |
938 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED); |
939 | 0 | return 0; |
940 | 0 | } |
941 | | |
942 | 0 | if (!RSA_check_key(key)) { |
943 | 0 | return 0; |
944 | 0 | } |
945 | | |
946 | 0 | BN_CTX *ctx = BN_CTX_new(); |
947 | 0 | if (ctx == NULL) { |
948 | 0 | return 0; |
949 | 0 | } |
950 | | |
951 | 0 | BIGNUM small_gcd; |
952 | 0 | BN_init(&small_gcd); |
953 | |
|
954 | 0 | int ret = 1; |
955 | | |
956 | | // Perform partial public key validation of RSA keys (SP 800-89 5.3.3). |
957 | | // Although this is not for primality testing, SP 800-89 cites an RSA |
958 | | // primality testing algorithm, so we use |BN_prime_checks_for_generation| to |
959 | | // match. This is only a plausibility test and we expect the value to be |
960 | | // composite, so too few iterations will cause us to reject the key, not use |
961 | | // an implausible one. |
962 | 0 | enum bn_primality_result_t primality_result; |
963 | 0 | if (BN_num_bits(key->e) <= 16 || |
964 | 0 | BN_num_bits(key->e) > 256 || |
965 | 0 | !BN_is_odd(key->n) || |
966 | 0 | !BN_is_odd(key->e) || |
967 | 0 | !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) || |
968 | 0 | !BN_is_one(&small_gcd) || |
969 | 0 | !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n, |
970 | 0 | BN_prime_checks_for_generation, |
971 | 0 | ctx, NULL) || |
972 | 0 | primality_result != bn_non_prime_power_composite) { |
973 | 0 | OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED); |
974 | 0 | ret = 0; |
975 | 0 | } |
976 | |
|
977 | 0 | BN_free(&small_gcd); |
978 | 0 | BN_CTX_free(ctx); |
979 | |
|
980 | 0 | if (!ret || key->d == NULL || key->p == NULL) { |
981 | | // On a failure or on only a public key, there's nothing else can be |
982 | | // checked. |
983 | 0 | return ret; |
984 | 0 | } |
985 | | |
986 | | // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG, |
987 | | // section 9.9, it is not known whether |rsa| will be used for signing or |
988 | | // encryption, so either pair-wise consistency self-test is acceptable. We |
989 | | // perform a signing test. |
990 | 0 | uint8_t data[32] = {0}; |
991 | 0 | unsigned sig_len = RSA_size(key); |
992 | 0 | uint8_t *sig = OPENSSL_malloc(sig_len); |
993 | 0 | if (sig == NULL) { |
994 | 0 | return 0; |
995 | 0 | } |
996 | | |
997 | 0 | if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) { |
998 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); |
999 | 0 | ret = 0; |
1000 | 0 | goto cleanup; |
1001 | 0 | } |
1002 | 0 | if (boringssl_fips_break_test("RSA_PWCT")) { |
1003 | 0 | data[0] = ~data[0]; |
1004 | 0 | } |
1005 | 0 | if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) { |
1006 | 0 | OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); |
1007 | 0 | ret = 0; |
1008 | 0 | } |
1009 | |
|
1010 | 0 | cleanup: |
1011 | 0 | OPENSSL_free(sig); |
1012 | |
|
1013 | 0 | return ret; |
1014 | 0 | } |
1015 | | |
1016 | | int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out, |
1017 | 0 | const uint8_t *in, size_t len) { |
1018 | 0 | if (rsa->meth->private_transform) { |
1019 | 0 | return rsa->meth->private_transform(rsa, out, in, len); |
1020 | 0 | } |
1021 | | |
1022 | 0 | return rsa_default_private_transform(rsa, out, in, len); |
1023 | 0 | } |
1024 | | |
1025 | | int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, |
1026 | 0 | size_t len) { |
1027 | 0 | boringssl_ensure_rsa_self_test(); |
1028 | 0 | return rsa_private_transform_no_self_test(rsa, out, in, len); |
1029 | 0 | } |
1030 | | |
1031 | 0 | int RSA_flags(const RSA *rsa) { return rsa->flags; } |
1032 | | |
1033 | 0 | int RSA_test_flags(const RSA *rsa, int flags) { return rsa->flags & flags; } |
1034 | | |
1035 | 0 | int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) { |
1036 | 0 | return 1; |
1037 | 0 | } |