19cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 29cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * All rights reserved. 39cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 49cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * This package is an SSL implementation written 59cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * by Eric Young (eay@cryptsoft.com). 69cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * The implementation was written so as to conform with Netscapes SSL. 79cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 89cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * This library is free for commercial and non-commercial use as long as 99cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * the following conditions are aheared to. The following conditions 109cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * apply to all code found in this distribution, be it the RC4, RSA, 119cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * lhash, DES, etc., code; not just the SSL code. The SSL documentation 129cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * included with this distribution is covered by the same copyright terms 139cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * except that the holder is Tim Hudson (tjh@cryptsoft.com). 149cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 159cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * Copyright remains Eric Young's, and as such any Copyright notices in 169cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * the code are not to be removed. 17ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien * If this package is used in a product, Eric Young should be given attribution 18ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien * as the author of the parts of the library used. 19ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien * This can be in the form of a textual message at program startup or 20ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien * in documentation (online or textual) provided with the package. 219cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 22c31e3883456e018d742e9f29815ba5ff8b315ea1Raph Levien * Redistribution and use in source and binary forms, with or without 239cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * modification, are permitted provided that the following conditions 249cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * are met: 259cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 1. Redistributions of source code must retain the copyright 269cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * notice, this list of conditions and the following disclaimer. 279cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 2. Redistributions in binary form must reproduce the above copyright 289cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * notice, this list of conditions and the following disclaimer in the 299cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * documentation and/or other materials provided with the distribution. 309cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 3. All advertising materials mentioning features or use of this software 319cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * must display the following acknowledgement: 329cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * "This product includes cryptographic software written by 339cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * Eric Young (eay@cryptsoft.com)" 349cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * The word 'cryptographic' can be left out if the rouines from the library 359cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * being used are not cryptographic related :-). 369cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 4. If you include any Windows specific code (or a derivative thereof) from 37c31e3883456e018d742e9f29815ba5ff8b315ea1Raph Levien * the apps directory (application code) you must include an acknowledgement: 389cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 399cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 409cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 429cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 439cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 449cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 459cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46b80c1f19c58b927820a8a24bf2218e5645724608Raph Levien * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 479cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 489cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 499cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 509cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * SUCH DAMAGE. 519cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * 52bcc3dc5a2591a95a57e379e27cbad69c18e91e67Raph Levien * The licence and distribution terms for any publically available version or 539cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * derivative of this code cannot be changed. i.e. this code cannot simply be 54ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien * copied and put under another distribution licence 559cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien * [including the GNU Public Licence.] */ 56bcc3dc5a2591a95a57e379e27cbad69c18e91e67Raph Levien 57bcc3dc5a2591a95a57e379e27cbad69c18e91e67Raph Levien#include <openssl/rsa.h> 58bcc3dc5a2591a95a57e379e27cbad69c18e91e67Raph Levien 599cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include <limits.h> 60bcc3dc5a2591a95a57e379e27cbad69c18e91e67Raph Levien#include <string.h> 619cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 629cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include <openssl/bn.h> 63ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien#include <openssl/digest.h> 649cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include <openssl/engine.h> 659cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include <openssl/err.h> 669cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include <openssl/ex_data.h> 679cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include <openssl/md5.h> 689cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include <openssl/mem.h> 6972fe9422c869b7878240a23e4650d9d90edb1c2aRaph Levien#include <openssl/nid.h> 709cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include <openssl/sha.h> 719cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include <openssl/thread.h> 729cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 739cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include "../bn/internal.h" 749cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include "../delocate.h" 759cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien#include "../../internal.h" 76ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien#include "internal.h" 779cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 789cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 799cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph LevienDEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class); 809cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 819cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph LevienRSA *RSA_new(void) { return RSA_new_method(NULL); } 829cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 839cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph LevienRSA *RSA_new_method(const ENGINE *engine) { 849cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien RSA *rsa = OPENSSL_malloc(sizeof(RSA)); 859cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien if (rsa == NULL) { 86ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 879cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien return NULL; 889cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien } 899cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 909cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien OPENSSL_memset(rsa, 0, sizeof(RSA)); 919cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 929cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien if (engine) { 939cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien rsa->meth = ENGINE_get_RSA_method(engine); 949cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien } 959cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 969cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien if (rsa->meth == NULL) { 979cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien rsa->meth = (RSA_METHOD *) RSA_default_method(); 98b80c1f19c58b927820a8a24bf2218e5645724608Raph Levien } 999cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien METHOD_ref(rsa->meth); 1009cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 1019cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien rsa->references = 1; 1029cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien rsa->flags = rsa->meth->flags; 1039cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien CRYPTO_MUTEX_init(&rsa->lock); 1049cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien CRYPTO_new_ex_data(&rsa->ex_data); 1059cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 1069cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien if (rsa->meth->init && !rsa->meth->init(rsa)) { 1079cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data); 108ecc2d34ac23a497988f21e5f415b53c007b9d8c5Raph Levien CRYPTO_MUTEX_cleanup(&rsa->lock); 1099cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien METHOD_unref(rsa->meth); 1109cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien OPENSSL_free(rsa); 1119cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien return NULL; 1129cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien } 1139cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 1149cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien return rsa; 1159cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien} 1169cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 1179cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levienvoid RSA_free(RSA *rsa) { 1189cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien unsigned u; 1199cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 1209cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien if (rsa == NULL) { 1219cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien return; 1229cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien } 1239cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 1249cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) { 1259cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien return; 1269cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien } 1279cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 1289cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien if (rsa->meth->finish) { 1299cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien rsa->meth->finish(rsa); 1309cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien } 1319cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien METHOD_unref(rsa->meth); 1329cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 1339cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data); 1349cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien 1359cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_clear_free(rsa->n); 1369cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_clear_free(rsa->e); 1379cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_clear_free(rsa->d); 1389cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_clear_free(rsa->p); 1399cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_clear_free(rsa->q); 1409cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_clear_free(rsa->dmp1); 1419cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_clear_free(rsa->dmq1); 1429cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_clear_free(rsa->iqmp); 143b80c1f19c58b927820a8a24bf2218e5645724608Raph Levien BN_MONT_CTX_free(rsa->mont_n); 1449cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_MONT_CTX_free(rsa->mont_p); 1459cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_MONT_CTX_free(rsa->mont_q); 1469cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien for (u = 0; u < rsa->num_blindings; u++) { 1479cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien BN_BLINDING_free(rsa->blindings[u]); 1489cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien } 1499cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien OPENSSL_free(rsa->blindings); 1509cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien OPENSSL_free(rsa->blindings_inuse); 1519cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien CRYPTO_MUTEX_cleanup(&rsa->lock); 1529cc9bbe1461f359f0b27c5e7645c17dda001ab1dRaph Levien OPENSSL_free(rsa); 153} 154 155int RSA_up_ref(RSA *rsa) { 156 CRYPTO_refcount_inc(&rsa->references); 157 return 1; 158} 159 160void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e, 161 const BIGNUM **out_d) { 162 if (out_n != NULL) { 163 *out_n = rsa->n; 164 } 165 if (out_e != NULL) { 166 *out_e = rsa->e; 167 } 168 if (out_d != NULL) { 169 *out_d = rsa->d; 170 } 171} 172 173void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, 174 const BIGNUM **out_q) { 175 if (out_p != NULL) { 176 *out_p = rsa->p; 177 } 178 if (out_q != NULL) { 179 *out_q = rsa->q; 180 } 181} 182 183void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, 184 const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) { 185 if (out_dmp1 != NULL) { 186 *out_dmp1 = rsa->dmp1; 187 } 188 if (out_dmq1 != NULL) { 189 *out_dmq1 = rsa->dmq1; 190 } 191 if (out_iqmp != NULL) { 192 *out_iqmp = rsa->iqmp; 193 } 194} 195 196int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, 197 int padding) { 198 size_t out_len; 199 200 if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { 201 return -1; 202 } 203 204 if (out_len > INT_MAX) { 205 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 206 return -1; 207 } 208 return out_len; 209} 210 211int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 212 const uint8_t *in, size_t in_len, int padding) { 213 if (rsa->meth->sign_raw) { 214 return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding); 215 } 216 217 return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding); 218} 219 220int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, 221 int padding) { 222 size_t out_len; 223 224 if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { 225 return -1; 226 } 227 228 if (out_len > INT_MAX) { 229 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 230 return -1; 231 } 232 return out_len; 233} 234 235int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 236 const uint8_t *in, size_t in_len, int padding) { 237 if (rsa->meth->decrypt) { 238 return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding); 239 } 240 241 return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding); 242} 243 244int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, 245 int padding) { 246 size_t out_len; 247 248 if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { 249 return -1; 250 } 251 252 if (out_len > INT_MAX) { 253 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 254 return -1; 255 } 256 return out_len; 257} 258 259int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, 260 int padding) { 261 size_t out_len; 262 263 if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) { 264 return -1; 265 } 266 267 if (out_len > INT_MAX) { 268 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 269 return -1; 270 } 271 return out_len; 272} 273 274unsigned RSA_size(const RSA *rsa) { 275 if (rsa->meth->size) { 276 return rsa->meth->size(rsa); 277 } 278 279 return rsa_default_size(rsa); 280} 281 282int RSA_is_opaque(const RSA *rsa) { 283 return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE); 284} 285 286int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 287 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { 288 int index; 289 if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl, 290 argp, free_func)) { 291 return -1; 292 } 293 return index; 294} 295 296int RSA_set_ex_data(RSA *d, int idx, void *arg) { 297 return CRYPTO_set_ex_data(&d->ex_data, idx, arg); 298} 299 300void *RSA_get_ex_data(const RSA *d, int idx) { 301 return CRYPTO_get_ex_data(&d->ex_data, idx); 302} 303 304/* SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's 305 * the length of an MD5 and SHA1 hash. */ 306static const unsigned SSL_SIG_LENGTH = 36; 307 308/* pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is 309 * to be signed with PKCS#1. */ 310struct pkcs1_sig_prefix { 311 /* nid identifies the hash function. */ 312 int nid; 313 /* hash_len is the expected length of the hash function. */ 314 uint8_t hash_len; 315 /* len is the number of bytes of |bytes| which are valid. */ 316 uint8_t len; 317 /* bytes contains the DER bytes. */ 318 uint8_t bytes[19]; 319}; 320 321/* kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with 322 * different hash functions. */ 323static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = { 324 { 325 NID_md5, 326 MD5_DIGEST_LENGTH, 327 18, 328 {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 329 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}, 330 }, 331 { 332 NID_sha1, 333 SHA_DIGEST_LENGTH, 334 15, 335 {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 336 0x00, 0x04, 0x14}, 337 }, 338 { 339 NID_sha224, 340 SHA224_DIGEST_LENGTH, 341 19, 342 {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 343 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}, 344 }, 345 { 346 NID_sha256, 347 SHA256_DIGEST_LENGTH, 348 19, 349 {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 350 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}, 351 }, 352 { 353 NID_sha384, 354 SHA384_DIGEST_LENGTH, 355 19, 356 {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 357 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}, 358 }, 359 { 360 NID_sha512, 361 SHA512_DIGEST_LENGTH, 362 19, 363 {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 364 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}, 365 }, 366 { 367 NID_undef, 0, 0, {0}, 368 }, 369}; 370 371int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, 372 int *is_alloced, int hash_nid, const uint8_t *msg, 373 size_t msg_len) { 374 unsigned i; 375 376 if (hash_nid == NID_md5_sha1) { 377 /* Special case: SSL signature, just check the length. */ 378 if (msg_len != SSL_SIG_LENGTH) { 379 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 380 return 0; 381 } 382 383 *out_msg = (uint8_t*) msg; 384 *out_msg_len = SSL_SIG_LENGTH; 385 *is_alloced = 0; 386 return 1; 387 } 388 389 for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) { 390 const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i]; 391 if (sig_prefix->nid != hash_nid) { 392 continue; 393 } 394 395 if (msg_len != sig_prefix->hash_len) { 396 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 397 return 0; 398 } 399 400 const uint8_t* prefix = sig_prefix->bytes; 401 unsigned prefix_len = sig_prefix->len; 402 unsigned signed_msg_len; 403 uint8_t *signed_msg; 404 405 signed_msg_len = prefix_len + msg_len; 406 if (signed_msg_len < prefix_len) { 407 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG); 408 return 0; 409 } 410 411 signed_msg = OPENSSL_malloc(signed_msg_len); 412 if (!signed_msg) { 413 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 414 return 0; 415 } 416 417 OPENSSL_memcpy(signed_msg, prefix, prefix_len); 418 OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len); 419 420 *out_msg = signed_msg; 421 *out_msg_len = signed_msg_len; 422 *is_alloced = 1; 423 424 return 1; 425 } 426 427 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); 428 return 0; 429} 430 431int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out, 432 unsigned *out_len, RSA *rsa) { 433 const unsigned rsa_size = RSA_size(rsa); 434 int ret = 0; 435 uint8_t *signed_msg = NULL; 436 size_t signed_msg_len = 0; 437 int signed_msg_is_alloced = 0; 438 size_t size_t_out_len; 439 440 if (rsa->meth->sign) { 441 return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa); 442 } 443 444 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, 445 &signed_msg_is_alloced, hash_nid, in, in_len) || 446 !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg, 447 signed_msg_len, RSA_PKCS1_PADDING)) { 448 goto err; 449 } 450 451 *out_len = size_t_out_len; 452 ret = 1; 453 454err: 455 if (signed_msg_is_alloced) { 456 OPENSSL_free(signed_msg); 457 } 458 return ret; 459} 460 461int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 462 const uint8_t *in, size_t in_len, const EVP_MD *md, 463 const EVP_MD *mgf1_md, int salt_len) { 464 if (in_len != EVP_MD_size(md)) { 465 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 466 return 0; 467 } 468 469 size_t padded_len = RSA_size(rsa); 470 uint8_t *padded = OPENSSL_malloc(padded_len); 471 if (padded == NULL) { 472 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 473 return 0; 474 } 475 476 int ret = 477 RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) && 478 RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len, 479 RSA_NO_PADDING); 480 OPENSSL_free(padded); 481 return ret; 482} 483 484int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len, 485 const uint8_t *sig, size_t sig_len, RSA *rsa) { 486 if (rsa->n == NULL || rsa->e == NULL) { 487 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 488 return 0; 489 } 490 491 const size_t rsa_size = RSA_size(rsa); 492 uint8_t *buf = NULL; 493 int ret = 0; 494 uint8_t *signed_msg = NULL; 495 size_t signed_msg_len = 0, len; 496 int signed_msg_is_alloced = 0; 497 498 if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) { 499 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 500 return 0; 501 } 502 503 buf = OPENSSL_malloc(rsa_size); 504 if (!buf) { 505 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 506 return 0; 507 } 508 509 if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len, 510 RSA_PKCS1_PADDING)) { 511 goto out; 512 } 513 514 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, 515 &signed_msg_is_alloced, hash_nid, msg, msg_len)) { 516 goto out; 517 } 518 519 /* Check that no other information follows the hash value (FIPS 186-4 Section 520 * 5.5) and it matches the expected hash. */ 521 if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) { 522 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE); 523 goto out; 524 } 525 526 ret = 1; 527 528out: 529 OPENSSL_free(buf); 530 if (signed_msg_is_alloced) { 531 OPENSSL_free(signed_msg); 532 } 533 return ret; 534} 535 536int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len, 537 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len, 538 const uint8_t *sig, size_t sig_len) { 539 if (msg_len != EVP_MD_size(md)) { 540 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); 541 return 0; 542 } 543 544 size_t em_len = RSA_size(rsa); 545 uint8_t *em = OPENSSL_malloc(em_len); 546 if (em == NULL) { 547 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 548 return 0; 549 } 550 551 int ret = 0; 552 if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) { 553 goto err; 554 } 555 556 if (em_len != RSA_size(rsa)) { 557 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 558 goto err; 559 } 560 561 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len); 562 563err: 564 OPENSSL_free(em); 565 return ret; 566} 567 568int RSA_check_key(const RSA *key) { 569 BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q; 570 BN_CTX *ctx; 571 int ok = 0, has_crt_values; 572 573 if (RSA_is_opaque(key)) { 574 /* Opaque keys can't be checked. */ 575 return 1; 576 } 577 578 if ((key->p != NULL) != (key->q != NULL)) { 579 OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN); 580 return 0; 581 } 582 583 if (!key->n || !key->e) { 584 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 585 return 0; 586 } 587 588 if (!key->d || !key->p) { 589 /* For a public key, or without p and q, there's nothing that can be 590 * checked. */ 591 return 1; 592 } 593 594 ctx = BN_CTX_new(); 595 if (ctx == NULL) { 596 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 597 return 0; 598 } 599 600 BN_init(&n); 601 BN_init(&pm1); 602 BN_init(&qm1); 603 BN_init(&lcm); 604 BN_init(&gcd); 605 BN_init(&de); 606 BN_init(&dmp1); 607 BN_init(&dmq1); 608 BN_init(&iqmp_times_q); 609 610 if (!BN_mul(&n, key->p, key->q, ctx) || 611 /* lcm = lcm(p, q) */ 612 !BN_sub(&pm1, key->p, BN_value_one()) || 613 !BN_sub(&qm1, key->q, BN_value_one()) || 614 !BN_mul(&lcm, &pm1, &qm1, ctx) || 615 !BN_gcd(&gcd, &pm1, &qm1, ctx)) { 616 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 617 goto out; 618 } 619 620 if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) || 621 !BN_gcd(&gcd, &pm1, &qm1, ctx) || 622 /* de = d*e mod lcm(p, q). */ 623 !BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) { 624 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 625 goto out; 626 } 627 628 if (BN_cmp(&n, key->n) != 0) { 629 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q); 630 goto out; 631 } 632 633 if (!BN_is_one(&de)) { 634 OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1); 635 goto out; 636 } 637 638 has_crt_values = key->dmp1 != NULL; 639 if (has_crt_values != (key->dmq1 != NULL) || 640 has_crt_values != (key->iqmp != NULL)) { 641 OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES); 642 goto out; 643 } 644 645 if (has_crt_values) { 646 if (/* dmp1 = d mod (p-1) */ 647 !BN_mod(&dmp1, key->d, &pm1, ctx) || 648 /* dmq1 = d mod (q-1) */ 649 !BN_mod(&dmq1, key->d, &qm1, ctx) || 650 /* iqmp = q^-1 mod p */ 651 !BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) { 652 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 653 goto out; 654 } 655 656 if (BN_cmp(&dmp1, key->dmp1) != 0 || 657 BN_cmp(&dmq1, key->dmq1) != 0 || 658 BN_cmp(key->iqmp, key->p) >= 0 || 659 !BN_is_one(&iqmp_times_q)) { 660 OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT); 661 goto out; 662 } 663 } 664 665 ok = 1; 666 667out: 668 BN_free(&n); 669 BN_free(&pm1); 670 BN_free(&qm1); 671 BN_free(&lcm); 672 BN_free(&gcd); 673 BN_free(&de); 674 BN_free(&dmp1); 675 BN_free(&dmq1); 676 BN_free(&iqmp_times_q); 677 BN_CTX_free(ctx); 678 679 return ok; 680} 681 682 683/* This is the product of the 132 smallest odd primes, from 3 to 751. */ 684static const BN_ULONG kSmallFactorsLimbs[] = { 685 TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f), 686 TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b), 687 TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871), 688 TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3), 689 TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893), 690 TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e), 691 TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea), 692 TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727), 693 0x000017b1 694}; 695 696DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) { 697 out->d = (BN_ULONG *) kSmallFactorsLimbs; 698 out->top = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs); 699 out->dmax = out->top; 700 out->neg = 0; 701 out->flags = BN_FLG_STATIC_DATA; 702} 703 704int RSA_check_fips(RSA *key) { 705 if (RSA_is_opaque(key)) { 706 /* Opaque keys can't be checked. */ 707 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED); 708 return 0; 709 } 710 711 if (!RSA_check_key(key)) { 712 return 0; 713 } 714 715 BN_CTX *ctx = BN_CTX_new(); 716 if (ctx == NULL) { 717 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 718 return 0; 719 } 720 721 BIGNUM small_gcd; 722 BN_init(&small_gcd); 723 724 int ret = 1; 725 726 /* Perform partial public key validation of RSA keys (SP 800-89 5.3.3). */ 727 enum bn_primality_result_t primality_result; 728 if (BN_num_bits(key->e) <= 16 || 729 BN_num_bits(key->e) > 256 || 730 !BN_is_odd(key->n) || 731 !BN_is_odd(key->e) || 732 !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) || 733 !BN_is_one(&small_gcd) || 734 !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n, 735 BN_prime_checks, ctx, NULL) || 736 primality_result != bn_non_prime_power_composite) { 737 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED); 738 ret = 0; 739 } 740 741 BN_free(&small_gcd); 742 BN_CTX_free(ctx); 743 744 if (!ret || key->d == NULL || key->p == NULL) { 745 /* On a failure or on only a public key, there's nothing else can be 746 * checked. */ 747 return ret; 748 } 749 750 /* FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG, 751 * section 9.9, it is not known whether |rsa| will be used for signing or 752 * encryption, so either pair-wise consistency self-test is acceptable. We 753 * perform a signing test. */ 754 uint8_t data[32] = {0}; 755 unsigned sig_len = RSA_size(key); 756 uint8_t *sig = OPENSSL_malloc(sig_len); 757 if (sig == NULL) { 758 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 759 return 0; 760 } 761 762 if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) { 763 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 764 ret = 0; 765 goto cleanup; 766 } 767#if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT) 768 data[0] = ~data[0]; 769#endif 770 if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) { 771 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 772 ret = 0; 773 } 774 775cleanup: 776 OPENSSL_free(sig); 777 778 return ret; 779} 780 781int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, 782 size_t len) { 783 if (rsa->meth->private_transform) { 784 return rsa->meth->private_transform(rsa, out, in, len); 785 } 786 787 return rsa_default_private_transform(rsa, out, in, len); 788} 789 790int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) { 791 return 1; 792} 793