Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/fipsmodule/rsa/rsa.c.inc
Line
Count
Source (jump to first uncovered line)
1
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2
 * All rights reserved.
3
 *
4
 * This package is an SSL implementation written
5
 * by Eric Young (eay@cryptsoft.com).
6
 * The implementation was written so as to conform with Netscapes SSL.
7
 *
8
 * This library is free for commercial and non-commercial use as long as
9
 * the following conditions are aheared to.  The following conditions
10
 * apply to all code found in this distribution, be it the RC4, RSA,
11
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12
 * included with this distribution is covered by the same copyright terms
13
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14
 *
15
 * Copyright remains Eric Young's, and as such any Copyright notices in
16
 * the code are not to be removed.
17
 * If this package is used in a product, Eric Young should be given attribution
18
 * as the author of the parts of the library used.
19
 * This can be in the form of a textual message at program startup or
20
 * in documentation (online or textual) provided with the package.
21
 *
22
 * Redistribution and use in source and binary forms, with or without
23
 * modification, are permitted provided that the following conditions
24
 * are met:
25
 * 1. Redistributions of source code must retain the copyright
26
 *    notice, this list of conditions and the following disclaimer.
27
 * 2. Redistributions in binary form must reproduce the above copyright
28
 *    notice, this list of conditions and the following disclaimer in the
29
 *    documentation and/or other materials provided with the distribution.
30
 * 3. All advertising materials mentioning features or use of this software
31
 *    must display the following acknowledgement:
32
 *    "This product includes cryptographic software written by
33
 *     Eric Young (eay@cryptsoft.com)"
34
 *    The word 'cryptographic' can be left out if the rouines from the library
35
 *    being used are not cryptographic related :-).
36
 * 4. If you include any Windows specific code (or a derivative thereof) from
37
 *    the apps directory (application code) you must include an acknowledgement:
38
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39
 *
40
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50
 * SUCH DAMAGE.
51
 *
52
 * The licence and distribution terms for any publically available version or
53
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
54
 * copied and put under another distribution licence
55
 * [including the GNU Public Licence.] */
56
57
#include <openssl/rsa.h>
58
59
#include <assert.h>
60
#include <limits.h>
61
#include <string.h>
62
63
#include <openssl/bn.h>
64
#include <openssl/digest.h>
65
#include <openssl/engine.h>
66
#include <openssl/err.h>
67
#include <openssl/ex_data.h>
68
#include <openssl/md5.h>
69
#include <openssl/mem.h>
70
#include <openssl/nid.h>
71
#include <openssl/thread.h>
72
73
#include "../bn/internal.h"
74
#include "../delocate.h"
75
#include "../../internal.h"
76
#include "internal.h"
77
78
79
// RSA_R_BLOCK_TYPE_IS_NOT_02 is part of the legacy SSLv23 padding scheme.
80
// Cryptography.io depends on this error code.
81
OPENSSL_DECLARE_ERROR_REASON(RSA, BLOCK_TYPE_IS_NOT_02)
82
83
DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class)
84
85
0
static int bn_dup_into(BIGNUM **dst, const BIGNUM *src) {
86
0
  if (src == NULL) {
87
0
    OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER);
88
0
    return 0;
89
0
  }
90
91
0
  BN_free(*dst);
92
0
  *dst = BN_dup(src);
93
0
  return *dst != NULL;
94
0
}
95
96
0
RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e) {
97
0
  RSA *rsa = RSA_new();
98
0
  if (rsa == NULL ||               //
99
0
      !bn_dup_into(&rsa->n, n) ||  //
100
0
      !bn_dup_into(&rsa->e, e) ||  //
101
0
      !RSA_check_key(rsa)) {
102
0
    RSA_free(rsa);
103
0
    return NULL;
104
0
  }
105
106
0
  return rsa;
107
0
}
108
109
RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d,
110
                         const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1,
111
0
                         const BIGNUM *dmq1, const BIGNUM *iqmp) {
112
0
  RSA *rsa = RSA_new();
113
0
  if (rsa == NULL ||                     //
114
0
      !bn_dup_into(&rsa->n, n) ||        //
115
0
      !bn_dup_into(&rsa->e, e) ||        //
116
0
      !bn_dup_into(&rsa->d, d) ||        //
117
0
      !bn_dup_into(&rsa->p, p) ||        //
118
0
      !bn_dup_into(&rsa->q, q) ||        //
119
0
      !bn_dup_into(&rsa->dmp1, dmp1) ||  //
120
0
      !bn_dup_into(&rsa->dmq1, dmq1) ||  //
121
0
      !bn_dup_into(&rsa->iqmp, iqmp) ||  //
122
0
      !RSA_check_key(rsa)) {
123
0
    RSA_free(rsa);
124
0
    return NULL;
125
0
  }
126
127
0
  return rsa;
128
0
}
129
130
RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e,
131
0
                                const BIGNUM *d) {
132
0
  RSA *rsa = RSA_new();
133
0
  if (rsa == NULL ||               //
134
0
      !bn_dup_into(&rsa->n, n) ||  //
135
0
      !bn_dup_into(&rsa->e, e) ||  //
136
0
      !bn_dup_into(&rsa->d, d) ||  //
137
0
      !RSA_check_key(rsa)) {
138
0
    RSA_free(rsa);
139
0
    return NULL;
140
0
  }
141
142
0
  return rsa;
143
0
}
144
145
0
RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d) {
146
0
  RSA *rsa = RSA_new();
147
0
  if (rsa == NULL) {
148
0
    return NULL;
149
0
  }
150
151
0
  rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT;
152
0
  if (!bn_dup_into(&rsa->n, n) ||  //
153
0
      !bn_dup_into(&rsa->d, d) ||  //
154
0
      !RSA_check_key(rsa)) {
155
0
    RSA_free(rsa);
156
0
    return NULL;
157
0
  }
158
159
0
  return rsa;
160
0
}
161
162
0
RSA *RSA_new_public_key_large_e(const BIGNUM *n, const BIGNUM *e) {
163
0
  RSA *rsa = RSA_new();
164
0
  if (rsa == NULL) {
165
0
    return NULL;
166
0
  }
167
168
0
  rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT;
169
0
  if (!bn_dup_into(&rsa->n, n) ||  //
170
0
      !bn_dup_into(&rsa->e, e) ||  //
171
0
      !RSA_check_key(rsa)) {
172
0
    RSA_free(rsa);
173
0
    return NULL;
174
0
  }
175
176
0
  return rsa;
177
0
}
178
179
RSA *RSA_new_private_key_large_e(const BIGNUM *n, const BIGNUM *e,
180
                                 const BIGNUM *d, const BIGNUM *p,
181
                                 const BIGNUM *q, const BIGNUM *dmp1,
182
0
                                 const BIGNUM *dmq1, const BIGNUM *iqmp) {
183
0
  RSA *rsa = RSA_new();
184
0
  if (rsa == NULL) {
185
0
    return NULL;
186
0
  }
187
188
0
  rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT;
189
0
  if (!bn_dup_into(&rsa->n, n) ||        //
190
0
      !bn_dup_into(&rsa->e, e) ||        //
191
0
      !bn_dup_into(&rsa->d, d) ||        //
192
0
      !bn_dup_into(&rsa->p, p) ||        //
193
0
      !bn_dup_into(&rsa->q, q) ||        //
194
0
      !bn_dup_into(&rsa->dmp1, dmp1) ||  //
195
0
      !bn_dup_into(&rsa->dmq1, dmq1) ||  //
196
0
      !bn_dup_into(&rsa->iqmp, iqmp) ||  //
197
0
      !RSA_check_key(rsa)) {
198
0
    RSA_free(rsa);
199
0
    return NULL;
200
0
  }
201
202
0
  return rsa;
203
0
}
204
205
0
RSA *RSA_new(void) { return RSA_new_method(NULL); }
206
207
0
RSA *RSA_new_method(const ENGINE *engine) {
208
0
  RSA *rsa = OPENSSL_zalloc(sizeof(RSA));
209
0
  if (rsa == NULL) {
210
0
    return NULL;
211
0
  }
212
213
0
  if (engine) {
214
0
    rsa->meth = ENGINE_get_RSA_method(engine);
215
0
  }
216
217
0
  if (rsa->meth == NULL) {
218
0
    rsa->meth = (RSA_METHOD *) RSA_default_method();
219
0
  }
220
0
  METHOD_ref(rsa->meth);
221
222
0
  rsa->references = 1;
223
0
  rsa->flags = rsa->meth->flags;
224
0
  CRYPTO_MUTEX_init(&rsa->lock);
225
0
  CRYPTO_new_ex_data(&rsa->ex_data);
226
227
0
  if (rsa->meth->init && !rsa->meth->init(rsa)) {
228
0
    CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
229
0
    CRYPTO_MUTEX_cleanup(&rsa->lock);
230
0
    METHOD_unref(rsa->meth);
231
0
    OPENSSL_free(rsa);
232
0
    return NULL;
233
0
  }
234
235
0
  return rsa;
236
0
}
237
238
0
RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n) {
239
0
  RSA *rsa = RSA_new_method(engine);
240
0
  if (rsa == NULL ||
241
0
      !bn_dup_into(&rsa->n, n)) {
242
0
    RSA_free(rsa);
243
0
    return NULL;
244
0
  }
245
0
  rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT;
246
0
  return rsa;
247
0
}
248
249
0
void RSA_free(RSA *rsa) {
250
0
  if (rsa == NULL) {
251
0
    return;
252
0
  }
253
254
0
  if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
255
0
    return;
256
0
  }
257
258
0
  if (rsa->meth->finish) {
259
0
    rsa->meth->finish(rsa);
260
0
  }
261
0
  METHOD_unref(rsa->meth);
262
263
0
  CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
264
265
0
  BN_free(rsa->n);
266
0
  BN_free(rsa->e);
267
0
  BN_free(rsa->d);
268
0
  BN_free(rsa->p);
269
0
  BN_free(rsa->q);
270
0
  BN_free(rsa->dmp1);
271
0
  BN_free(rsa->dmq1);
272
0
  BN_free(rsa->iqmp);
273
0
  rsa_invalidate_key(rsa);
274
0
  CRYPTO_MUTEX_cleanup(&rsa->lock);
275
0
  OPENSSL_free(rsa);
276
0
}
277
278
0
int RSA_up_ref(RSA *rsa) {
279
0
  CRYPTO_refcount_inc(&rsa->references);
280
0
  return 1;
281
0
}
282
283
0
unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); }
284
285
0
const BIGNUM *RSA_get0_n(const RSA *rsa) { return rsa->n; }
286
287
0
const BIGNUM *RSA_get0_e(const RSA *rsa) { return rsa->e; }
288
289
0
const BIGNUM *RSA_get0_d(const RSA *rsa) { return rsa->d; }
290
291
0
const BIGNUM *RSA_get0_p(const RSA *rsa) { return rsa->p; }
292
293
0
const BIGNUM *RSA_get0_q(const RSA *rsa) { return rsa->q; }
294
295
0
const BIGNUM *RSA_get0_dmp1(const RSA *rsa) { return rsa->dmp1; }
296
297
0
const BIGNUM *RSA_get0_dmq1(const RSA *rsa) { return rsa->dmq1; }
298
299
0
const BIGNUM *RSA_get0_iqmp(const RSA *rsa) { return rsa->iqmp; }
300
301
void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
302
0
                  const BIGNUM **out_d) {
303
0
  if (out_n != NULL) {
304
0
    *out_n = rsa->n;
305
0
  }
306
0
  if (out_e != NULL) {
307
0
    *out_e = rsa->e;
308
0
  }
309
0
  if (out_d != NULL) {
310
0
    *out_d = rsa->d;
311
0
  }
312
0
}
313
314
void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
315
0
                      const BIGNUM **out_q) {
316
0
  if (out_p != NULL) {
317
0
    *out_p = rsa->p;
318
0
  }
319
0
  if (out_q != NULL) {
320
0
    *out_q = rsa->q;
321
0
  }
322
0
}
323
324
0
const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa) {
325
  // We do not support the id-RSASSA-PSS key encoding. If we add support later,
326
  // the |maskHash| field should be filled in for OpenSSL compatibility.
327
0
  return NULL;
328
0
}
329
330
void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
331
0
                         const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
332
0
  if (out_dmp1 != NULL) {
333
0
    *out_dmp1 = rsa->dmp1;
334
0
  }
335
0
  if (out_dmq1 != NULL) {
336
0
    *out_dmq1 = rsa->dmq1;
337
0
  }
338
0
  if (out_iqmp != NULL) {
339
0
    *out_iqmp = rsa->iqmp;
340
0
  }
341
0
}
342
343
0
int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
344
0
  if ((rsa->n == NULL && n == NULL) ||
345
0
      (rsa->e == NULL && e == NULL)) {
346
0
    return 0;
347
0
  }
348
349
0
  if (n != NULL) {
350
0
    BN_free(rsa->n);
351
0
    rsa->n = n;
352
0
  }
353
0
  if (e != NULL) {
354
0
    BN_free(rsa->e);
355
0
    rsa->e = e;
356
0
  }
357
0
  if (d != NULL) {
358
0
    BN_free(rsa->d);
359
0
    rsa->d = d;
360
0
  }
361
362
0
  rsa_invalidate_key(rsa);
363
0
  return 1;
364
0
}
365
366
0
int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {
367
0
  if ((rsa->p == NULL && p == NULL) ||
368
0
      (rsa->q == NULL && q == NULL)) {
369
0
    return 0;
370
0
  }
371
372
0
  if (p != NULL) {
373
0
    BN_free(rsa->p);
374
0
    rsa->p = p;
375
0
  }
376
0
  if (q != NULL) {
377
0
    BN_free(rsa->q);
378
0
    rsa->q = q;
379
0
  }
380
381
0
  rsa_invalidate_key(rsa);
382
0
  return 1;
383
0
}
384
385
0
int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
386
0
  if ((rsa->dmp1 == NULL && dmp1 == NULL) ||
387
0
      (rsa->dmq1 == NULL && dmq1 == NULL) ||
388
0
      (rsa->iqmp == NULL && iqmp == NULL)) {
389
0
    return 0;
390
0
  }
391
392
0
  if (dmp1 != NULL) {
393
0
    BN_free(rsa->dmp1);
394
0
    rsa->dmp1 = dmp1;
395
0
  }
396
0
  if (dmq1 != NULL) {
397
0
    BN_free(rsa->dmq1);
398
0
    rsa->dmq1 = dmq1;
399
0
  }
400
0
  if (iqmp != NULL) {
401
0
    BN_free(rsa->iqmp);
402
0
    rsa->iqmp = iqmp;
403
0
  }
404
405
0
  rsa_invalidate_key(rsa);
406
0
  return 1;
407
0
}
408
409
static int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out,
410
                                     size_t max_out, const uint8_t *in,
411
0
                                     size_t in_len, int padding) {
412
0
  if (rsa->meth->sign_raw) {
413
0
    return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
414
0
  }
415
416
0
  return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
417
0
}
418
419
int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
420
0
                 const uint8_t *in, size_t in_len, int padding) {
421
0
  boringssl_ensure_rsa_self_test();
422
0
  return rsa_sign_raw_no_self_test(rsa, out_len, out, max_out, in, in_len,
423
0
                                   padding);
424
0
}
425
426
0
unsigned RSA_size(const RSA *rsa) {
427
0
  size_t ret = rsa->meth->size ? rsa->meth->size(rsa) : rsa_default_size(rsa);
428
  // RSA modulus sizes are bounded by |BIGNUM|, which must fit in |unsigned|.
429
  //
430
  // TODO(https://crbug.com/boringssl/516): Should we make this return |size_t|?
431
0
  assert(ret < UINT_MAX);
432
0
  return (unsigned)ret;
433
0
}
434
435
0
int RSA_is_opaque(const RSA *rsa) {
436
0
  return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
437
0
}
438
439
int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
440
0
                         CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
441
0
  return CRYPTO_get_ex_new_index_ex(g_rsa_ex_data_class_bss_get(), argl, argp,
442
0
                                 free_func);
443
0
}
444
445
0
int RSA_set_ex_data(RSA *rsa, int idx, void *arg) {
446
0
  return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg);
447
0
}
448
449
0
void *RSA_get_ex_data(const RSA *rsa, int idx) {
450
0
  return CRYPTO_get_ex_data(&rsa->ex_data, idx);
451
0
}
452
453
// SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
454
// the length of an MD5 and SHA1 hash.
455
static const unsigned SSL_SIG_LENGTH = 36;
456
457
// pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
458
// to be signed with PKCS#1.
459
struct pkcs1_sig_prefix {
460
  // nid identifies the hash function.
461
  int nid;
462
  // hash_len is the expected length of the hash function.
463
  uint8_t hash_len;
464
  // len is the number of bytes of |bytes| which are valid.
465
  uint8_t len;
466
  // bytes contains the DER bytes.
467
  uint8_t bytes[19];
468
};
469
470
// kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
471
// different hash functions.
472
static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
473
    {
474
     NID_md5,
475
     MD5_DIGEST_LENGTH,
476
     18,
477
     {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
478
      0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
479
    },
480
    {
481
     NID_sha1,
482
     BCM_SHA_DIGEST_LENGTH,
483
     15,
484
     {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
485
      0x00, 0x04, 0x14},
486
    },
487
    {
488
     NID_sha224,
489
     BCM_SHA224_DIGEST_LENGTH,
490
     19,
491
     {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
492
      0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
493
    },
494
    {
495
     NID_sha256,
496
     BCM_SHA256_DIGEST_LENGTH,
497
     19,
498
     {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
499
      0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
500
    },
501
    {
502
     NID_sha384,
503
     BCM_SHA384_DIGEST_LENGTH,
504
     19,
505
     {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
506
      0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
507
    },
508
    {
509
     NID_sha512,
510
     BCM_SHA512_DIGEST_LENGTH,
511
     19,
512
     {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
513
      0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
514
    },
515
    {
516
     NID_undef, 0, 0, {0},
517
    },
518
};
519
520
0
static int rsa_check_digest_size(int hash_nid, size_t digest_len) {
521
0
  if (hash_nid == NID_md5_sha1) {
522
0
    if (digest_len != SSL_SIG_LENGTH) {
523
0
      OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
524
0
      return 0;
525
0
    }
526
0
    return 1;
527
0
  }
528
529
0
  for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
530
0
    const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
531
0
    if (sig_prefix->nid == hash_nid) {
532
0
      if (digest_len != sig_prefix->hash_len) {
533
0
        OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
534
0
        return 0;
535
0
      }
536
0
      return 1;
537
0
    }
538
0
  }
539
540
0
  OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
541
0
  return 0;
542
543
0
}
544
545
int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
546
                         int *is_alloced, int hash_nid, const uint8_t *digest,
547
0
                         size_t digest_len) {
548
0
  if (!rsa_check_digest_size(hash_nid, digest_len)) {
549
0
    return 0;
550
0
  }
551
552
0
  if (hash_nid == NID_md5_sha1) {
553
    // The length should already have been checked.
554
0
    assert(digest_len == SSL_SIG_LENGTH);
555
0
    *out_msg = (uint8_t *)digest;
556
0
    *out_msg_len = digest_len;
557
0
    *is_alloced = 0;
558
0
    return 1;
559
0
  }
560
561
0
  for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
562
0
    const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
563
0
    if (sig_prefix->nid != hash_nid) {
564
0
      continue;
565
0
    }
566
567
    // The length should already have been checked.
568
0
    assert(digest_len == sig_prefix->hash_len);
569
0
    const uint8_t* prefix = sig_prefix->bytes;
570
0
    size_t prefix_len = sig_prefix->len;
571
0
    size_t signed_msg_len = prefix_len + digest_len;
572
0
    if (signed_msg_len < prefix_len) {
573
0
      OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
574
0
      return 0;
575
0
    }
576
577
0
    uint8_t *signed_msg = OPENSSL_malloc(signed_msg_len);
578
0
    if (!signed_msg) {
579
0
      return 0;
580
0
    }
581
582
0
    OPENSSL_memcpy(signed_msg, prefix, prefix_len);
583
0
    OPENSSL_memcpy(signed_msg + prefix_len, digest, digest_len);
584
585
0
    *out_msg = signed_msg;
586
0
    *out_msg_len = signed_msg_len;
587
0
    *is_alloced = 1;
588
589
0
    return 1;
590
0
  }
591
592
0
  OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
593
0
  return 0;
594
0
}
595
596
int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest,
597
                          size_t digest_len, uint8_t *out, unsigned *out_len,
598
0
                          RSA *rsa) {
599
0
  if (rsa->meth->sign) {
600
0
    if (!rsa_check_digest_size(hash_nid, digest_len)) {
601
0
      return 0;
602
0
    }
603
    // All supported digest lengths fit in |unsigned|.
604
0
    assert(digest_len <= EVP_MAX_MD_SIZE);
605
0
    static_assert(EVP_MAX_MD_SIZE <= UINT_MAX, "digest too long");
606
0
    return rsa->meth->sign(hash_nid, digest, (unsigned)digest_len, out, out_len,
607
0
                           rsa);
608
0
  }
609
610
0
  const unsigned rsa_size = RSA_size(rsa);
611
0
  int ret = 0;
612
0
  uint8_t *signed_msg = NULL;
613
0
  size_t signed_msg_len = 0;
614
0
  int signed_msg_is_alloced = 0;
615
0
  size_t size_t_out_len;
616
0
  if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
617
0
                            &signed_msg_is_alloced, hash_nid, digest,
618
0
                            digest_len) ||
619
0
      !rsa_sign_raw_no_self_test(rsa, &size_t_out_len, out, rsa_size,
620
0
                                 signed_msg, signed_msg_len,
621
0
                                 RSA_PKCS1_PADDING)) {
622
0
    goto err;
623
0
  }
624
625
0
  if (size_t_out_len > UINT_MAX) {
626
0
    OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
627
0
    goto err;
628
0
  }
629
630
0
  *out_len = (unsigned)size_t_out_len;
631
0
  ret = 1;
632
633
0
err:
634
0
  if (signed_msg_is_alloced) {
635
0
    OPENSSL_free(signed_msg);
636
0
  }
637
0
  return ret;
638
0
}
639
640
int RSA_sign(int hash_nid, const uint8_t *digest, size_t digest_len,
641
0
             uint8_t *out, unsigned *out_len, RSA *rsa) {
642
0
  boringssl_ensure_rsa_self_test();
643
644
0
  return rsa_sign_no_self_test(hash_nid, digest, digest_len, out, out_len, rsa);
645
0
}
646
647
int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
648
                      const uint8_t *digest, size_t digest_len,
649
0
                      const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len) {
650
0
  if (digest_len != EVP_MD_size(md)) {
651
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
652
0
    return 0;
653
0
  }
654
655
0
  size_t padded_len = RSA_size(rsa);
656
0
  uint8_t *padded = OPENSSL_malloc(padded_len);
657
0
  if (padded == NULL) {
658
0
    return 0;
659
0
  }
660
661
0
  int ret = RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, digest, md, mgf1_md,
662
0
                                           salt_len) &&
663
0
            RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
664
0
                         RSA_NO_PADDING);
665
0
  OPENSSL_free(padded);
666
0
  return ret;
667
0
}
668
669
int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest,
670
                            size_t digest_len, const uint8_t *sig,
671
0
                            size_t sig_len, RSA *rsa) {
672
0
  if (rsa->n == NULL || rsa->e == NULL) {
673
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
674
0
    return 0;
675
0
  }
676
677
0
  const size_t rsa_size = RSA_size(rsa);
678
0
  uint8_t *buf = NULL;
679
0
  int ret = 0;
680
0
  uint8_t *signed_msg = NULL;
681
0
  size_t signed_msg_len = 0, len;
682
0
  int signed_msg_is_alloced = 0;
683
684
0
  if (hash_nid == NID_md5_sha1 && digest_len != SSL_SIG_LENGTH) {
685
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
686
0
    return 0;
687
0
  }
688
689
0
  buf = OPENSSL_malloc(rsa_size);
690
0
  if (!buf) {
691
0
    return 0;
692
0
  }
693
694
0
  if (!rsa_verify_raw_no_self_test(rsa, &len, buf, rsa_size, sig, sig_len,
695
0
                                   RSA_PKCS1_PADDING) ||
696
0
      !RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
697
0
                            &signed_msg_is_alloced, hash_nid, digest,
698
0
                            digest_len)) {
699
0
    goto out;
700
0
  }
701
702
  // Check that no other information follows the hash value (FIPS 186-4 Section
703
  // 5.5) and it matches the expected hash.
704
0
  if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
705
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
706
0
    goto out;
707
0
  }
708
709
0
  ret = 1;
710
711
0
out:
712
0
  OPENSSL_free(buf);
713
0
  if (signed_msg_is_alloced) {
714
0
    OPENSSL_free(signed_msg);
715
0
  }
716
0
  return ret;
717
0
}
718
719
int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len,
720
0
               const uint8_t *sig, size_t sig_len, RSA *rsa) {
721
0
  boringssl_ensure_rsa_self_test();
722
0
  return rsa_verify_no_self_test(hash_nid, digest, digest_len, sig, sig_len,
723
0
                                 rsa);
724
0
}
725
726
int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len,
727
                        const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
728
0
                        const uint8_t *sig, size_t sig_len) {
729
0
  if (digest_len != EVP_MD_size(md)) {
730
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
731
0
    return 0;
732
0
  }
733
734
0
  size_t em_len = RSA_size(rsa);
735
0
  uint8_t *em = OPENSSL_malloc(em_len);
736
0
  if (em == NULL) {
737
0
    return 0;
738
0
  }
739
740
0
  int ret = 0;
741
0
  if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
742
0
    goto err;
743
0
  }
744
745
0
  if (em_len != RSA_size(rsa)) {
746
0
    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
747
0
    goto err;
748
0
  }
749
750
0
  ret = RSA_verify_PKCS1_PSS_mgf1(rsa, digest, md, mgf1_md, em, salt_len);
751
752
0
err:
753
0
  OPENSSL_free(em);
754
0
  return ret;
755
0
}
756
757
static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
758
                             const BIGNUM *m, unsigned m_min_bits,
759
0
                             BN_CTX *ctx) {
760
0
  if (BN_is_negative(ainv) ||
761
0
      constant_time_declassify_int(BN_cmp(ainv, m) >= 0)) {
762
0
    *out_ok = 0;
763
0
    return 1;
764
0
  }
765
766
  // Note |bn_mul_consttime| and |bn_div_consttime| do not scale linearly, but
767
  // checking |ainv| is in range bounds the running time, assuming |m|'s bounds
768
  // were checked by the caller.
769
0
  BN_CTX_start(ctx);
770
0
  BIGNUM *tmp = BN_CTX_get(ctx);
771
0
  int ret = tmp != NULL &&
772
0
            bn_mul_consttime(tmp, a, ainv, ctx) &&
773
0
            bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx);
774
0
  if (ret) {
775
0
    *out_ok = constant_time_declassify_int(BN_is_one(tmp));
776
0
  }
777
0
  BN_CTX_end(ctx);
778
0
  return ret;
779
0
}
780
781
0
int RSA_check_key(const RSA *key) {
782
  // TODO(davidben): RSA key initialization is spread across
783
  // |rsa_check_public_key|, |RSA_check_key|, |freeze_private_key|, and
784
  // |BN_MONT_CTX_set_locked| as a result of API issues. See
785
  // https://crbug.com/boringssl/316. As a result, we inconsistently check RSA
786
  // invariants. We should fix this and integrate that logic.
787
788
0
  if (RSA_is_opaque(key)) {
789
    // Opaque keys can't be checked.
790
0
    return 1;
791
0
  }
792
793
0
  if (!rsa_check_public_key(key)) {
794
0
    return 0;
795
0
  }
796
797
0
  if ((key->p != NULL) != (key->q != NULL)) {
798
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
799
0
    return 0;
800
0
  }
801
802
  // |key->d| must be bounded by |key->n|. This ensures bounds on |RSA_bits|
803
  // translate to bounds on the running time of private key operations.
804
0
  if (key->d != NULL &&
805
0
      (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0)) {
806
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
807
0
    return 0;
808
0
  }
809
810
0
  if (key->d == NULL || key->p == NULL) {
811
    // For a public key, or without p and q, there's nothing that can be
812
    // checked.
813
0
    return 1;
814
0
  }
815
816
0
  BN_CTX *ctx = BN_CTX_new();
817
0
  if (ctx == NULL) {
818
0
    return 0;
819
0
  }
820
821
0
  BIGNUM tmp, de, pm1, qm1, dmp1, dmq1;
822
0
  int ok = 0;
823
0
  BN_init(&tmp);
824
0
  BN_init(&de);
825
0
  BN_init(&pm1);
826
0
  BN_init(&qm1);
827
0
  BN_init(&dmp1);
828
0
  BN_init(&dmq1);
829
830
  // Check that p * q == n. Before we multiply, we check that p and q are in
831
  // bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that
832
  // n was bound by |rsa_check_public_key|. This also implicitly checks p and q
833
  // are odd, which is a necessary condition for Montgomery reduction.
834
0
  if (BN_is_negative(key->p) ||
835
0
      constant_time_declassify_int(BN_cmp(key->p, key->n) >= 0) ||
836
0
      BN_is_negative(key->q) ||
837
0
      constant_time_declassify_int(BN_cmp(key->q, key->n) >= 0)) {
838
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
839
0
    goto out;
840
0
  }
841
0
  if (!bn_mul_consttime(&tmp, key->p, key->q, ctx)) {
842
0
    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
843
0
    goto out;
844
0
  }
845
0
  if (BN_cmp(&tmp, key->n) != 0) {
846
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
847
0
    goto out;
848
0
  }
849
850
  // d must be an inverse of e mod the Carmichael totient, lcm(p-1, q-1), but it
851
  // may be unreduced because other implementations use the Euler totient. We
852
  // simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound
853
  // by earlier checks in this function.
854
0
  if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
855
0
      !bn_usub_consttime(&qm1, key->q, BN_value_one())) {
856
0
    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
857
0
    goto out;
858
0
  }
859
0
  const unsigned pm1_bits = BN_num_bits(&pm1);
860
0
  const unsigned qm1_bits = BN_num_bits(&qm1);
861
0
  if (!bn_mul_consttime(&de, key->d, key->e, ctx) ||
862
0
      !bn_div_consttime(NULL, &tmp, &de, &pm1, pm1_bits, ctx) ||
863
0
      !bn_div_consttime(NULL, &de, &de, &qm1, qm1_bits, ctx)) {
864
0
    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
865
0
    goto out;
866
0
  }
867
868
0
  if (constant_time_declassify_int(!BN_is_one(&tmp)) ||
869
0
      constant_time_declassify_int(!BN_is_one(&de))) {
870
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
871
0
    goto out;
872
0
  }
873
874
0
  int has_crt_values = key->dmp1 != NULL;
875
0
  if (has_crt_values != (key->dmq1 != NULL) ||
876
0
      has_crt_values != (key->iqmp != NULL)) {
877
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
878
0
    goto out;
879
0
  }
880
881
0
  if (has_crt_values) {
882
0
    int dmp1_ok, dmq1_ok, iqmp_ok;
883
0
    if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, pm1_bits, ctx) ||
884
0
        !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, qm1_bits, ctx) ||
885
        // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't,
886
        // we only need a lower bound anyway.
887
0
        !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, pm1_bits,
888
0
                           ctx)) {
889
0
      OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
890
0
      goto out;
891
0
    }
892
893
0
    if (!dmp1_ok || !dmq1_ok || !iqmp_ok) {
894
0
      OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
895
0
      goto out;
896
0
    }
897
0
  }
898
899
0
  ok = 1;
900
901
0
out:
902
0
  BN_free(&tmp);
903
0
  BN_free(&de);
904
0
  BN_free(&pm1);
905
0
  BN_free(&qm1);
906
0
  BN_free(&dmp1);
907
0
  BN_free(&dmq1);
908
0
  BN_CTX_free(ctx);
909
910
0
  return ok;
911
0
}
912
913
914
// This is the product of the 132 smallest odd primes, from 3 to 751.
915
static const BN_ULONG kSmallFactorsLimbs[] = {
916
    TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
917
    TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
918
    TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
919
    TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
920
    TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
921
    TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
922
    TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
923
    TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
924
    0x000017b1
925
};
926
927
0
DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
928
0
  out->d = (BN_ULONG *) kSmallFactorsLimbs;
929
0
  out->width = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
930
0
  out->dmax = out->width;
931
0
  out->neg = 0;
932
0
  out->flags = BN_FLG_STATIC_DATA;
933
0
}
934
935
0
int RSA_check_fips(RSA *key) {
936
0
  if (RSA_is_opaque(key)) {
937
    // Opaque keys can't be checked.
938
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
939
0
    return 0;
940
0
  }
941
942
0
  if (!RSA_check_key(key)) {
943
0
    return 0;
944
0
  }
945
946
0
  BN_CTX *ctx = BN_CTX_new();
947
0
  if (ctx == NULL) {
948
0
    return 0;
949
0
  }
950
951
0
  BIGNUM small_gcd;
952
0
  BN_init(&small_gcd);
953
954
0
  int ret = 1;
955
956
  // Perform partial public key validation of RSA keys (SP 800-89 5.3.3).
957
  // Although this is not for primality testing, SP 800-89 cites an RSA
958
  // primality testing algorithm, so we use |BN_prime_checks_for_generation| to
959
  // match. This is only a plausibility test and we expect the value to be
960
  // composite, so too few iterations will cause us to reject the key, not use
961
  // an implausible one.
962
0
  enum bn_primality_result_t primality_result;
963
0
  if (BN_num_bits(key->e) <= 16 ||
964
0
      BN_num_bits(key->e) > 256 ||
965
0
      !BN_is_odd(key->n) ||
966
0
      !BN_is_odd(key->e) ||
967
0
      !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
968
0
      !BN_is_one(&small_gcd) ||
969
0
      !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
970
0
                                               BN_prime_checks_for_generation,
971
0
                                               ctx, NULL) ||
972
0
      primality_result != bn_non_prime_power_composite) {
973
0
    OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
974
0
    ret = 0;
975
0
  }
976
977
0
  BN_free(&small_gcd);
978
0
  BN_CTX_free(ctx);
979
980
0
  if (!ret || key->d == NULL || key->p == NULL) {
981
    // On a failure or on only a public key, there's nothing else can be
982
    // checked.
983
0
    return ret;
984
0
  }
985
986
  // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
987
  // section 9.9, it is not known whether |rsa| will be used for signing or
988
  // encryption, so either pair-wise consistency self-test is acceptable. We
989
  // perform a signing test.
990
0
  uint8_t data[32] = {0};
991
0
  unsigned sig_len = RSA_size(key);
992
0
  uint8_t *sig = OPENSSL_malloc(sig_len);
993
0
  if (sig == NULL) {
994
0
    return 0;
995
0
  }
996
997
0
  if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
998
0
    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
999
0
    ret = 0;
1000
0
    goto cleanup;
1001
0
  }
1002
0
  if (boringssl_fips_break_test("RSA_PWCT")) {
1003
0
    data[0] = ~data[0];
1004
0
  }
1005
0
  if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
1006
0
    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
1007
0
    ret = 0;
1008
0
  }
1009
1010
0
cleanup:
1011
0
  OPENSSL_free(sig);
1012
1013
0
  return ret;
1014
0
}
1015
1016
int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out,
1017
0
                                       const uint8_t *in, size_t len) {
1018
0
  if (rsa->meth->private_transform) {
1019
0
    return rsa->meth->private_transform(rsa, out, in, len);
1020
0
  }
1021
1022
0
  return rsa_default_private_transform(rsa, out, in, len);
1023
0
}
1024
1025
int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
1026
0
                          size_t len) {
1027
0
  boringssl_ensure_rsa_self_test();
1028
0
  return rsa_private_transform_no_self_test(rsa, out, in, len);
1029
0
}
1030
1031
0
int RSA_flags(const RSA *rsa) { return rsa->flags; }
1032
1033
0
int RSA_test_flags(const RSA *rsa, int flags) { return rsa->flags & flags; }
1034
1035
0
int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
1036
0
  return 1;
1037
0
}