kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
66 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 114a711f8b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '114a711f8b'
${ noResults }
boringssl/crypto/rsa/rsa_impl.c

1010 lines
27 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/rsa.h>

  58. 

  59. #include <openssl/bn.h>

  60. #include <openssl/err.h>

  61. #include <openssl/mem.h>

  62. 

  63. #include "internal.h"

  64. 

  65. 

  66. #define OPENSSL_RSA_MAX_MODULUS_BITS 16384

  67. #define OPENSSL_RSA_SMALL_MODULUS_BITS 3072

  68. #define OPENSSL_RSA_MAX_PUBEXP_BITS \

  69.   64 /* exponent limit enforced for "large" modulus only */

  70. 

  71. 

  72. static int finish(RSA *rsa) {

  73.   if (rsa->_method_mod_n != NULL) {

  74.     BN_MONT_CTX_free(rsa->_method_mod_n);

  75.   }

  76.   if (rsa->_method_mod_p != NULL) {

  77.     BN_MONT_CTX_free(rsa->_method_mod_p);

  78.   }

  79.   if (rsa->_method_mod_q != NULL) {

  80.     BN_MONT_CTX_free(rsa->_method_mod_q);

  81.   }

  82. 

  83.   return 1;

  84. }

  85. 

  86. static int encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,

  87.                    const uint8_t *in, size_t in_len, int padding) {

  88.   const unsigned rsa_size = RSA_size(rsa);

  89.   BIGNUM *f, *result;

  90.   uint8_t *buf = NULL;

  91.   BN_CTX *ctx = NULL;

  92.   int i, ret = 0;

  93. 

  94.   if (rsa_size > OPENSSL_RSA_MAX_MODULUS_BITS) {

  95.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_MODULUS_TOO_LARGE);

  96.     return 0;

  97.   }

  98. 

  99.   if (max_out < rsa_size) {

  100.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_OUTPUT_BUFFER_TOO_SMALL);

  101.     return 0;

  102.   }

  103. 

  104.   if (BN_ucmp(rsa->n, rsa->e) <= 0) {

  105.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_BAD_E_VALUE);

  106.     return 0;

  107.   }

  108. 

  109.   /* for large moduli, enforce exponent limit */

  110.   if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&

  111.       BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {

  112.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_BAD_E_VALUE);

  113.     return 0;

  114.   }

  115. 

  116.   ctx = BN_CTX_new();

  117.   if (ctx == NULL) {

  118.     goto err;

  119.   }

  120. 

  121.   BN_CTX_start(ctx);

  122.   f = BN_CTX_get(ctx);

  123.   result = BN_CTX_get(ctx);

  124.   buf = OPENSSL_malloc(rsa_size);

  125.   if (!f || !result || !buf) {

  126.     OPENSSL_PUT_ERROR(RSA, encrypt, ERR_R_MALLOC_FAILURE);

  127.     goto err;

  128.   }

  129. 

  130.   switch (padding) {

  131.     case RSA_PKCS1_PADDING:

  132.       i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);

  133.       break;

  134.     case RSA_PKCS1_OAEP_PADDING:

  135.       /* Use the default parameters: SHA-1 for both hashes and no label. */

  136.       i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,

  137.                                           NULL, 0, NULL, NULL);

  138.       break;

  139.     case RSA_SSLV23_PADDING:

  140.       i = RSA_padding_add_SSLv23(buf, rsa_size, in, in_len);

  141.       break;

  142.     case RSA_NO_PADDING:

  143.       i = RSA_padding_add_none(buf, rsa_size, in, in_len);

  144.       break;

  145.     default:

  146.       OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_UNKNOWN_PADDING_TYPE);

  147.       goto err;

  148.   }

  149. 

  150.   if (i <= 0) {

  151.     goto err;

  152.   }

  153. 

  154.   if (BN_bin2bn(buf, rsa_size, f) == NULL) {

  155.     goto err;

  156.   }

  157. 

  158.   if (BN_ucmp(f, rsa->n) >= 0) {

  159.     /* usually the padding functions would catch this */

  160.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);

  161.     goto err;

  162.   }

  163. 

  164.   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {

  165.     if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,

  166.                                 ctx)) {

  167.       goto err;

  168.     }

  169.   }

  170. 

  171.   if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx, rsa->_method_mod_n)) {

  172.     goto err;

  173.   }

  174. 

  175.   /* put in leading 0 bytes if the number is less than the length of the

  176.    * modulus */

  177.   if (!BN_bn2bin_padded(out, rsa_size, result)) {

  178.     OPENSSL_PUT_ERROR(RSA, encrypt, ERR_R_INTERNAL_ERROR);

  179.     goto err;

  180.   }

  181. 

  182.   *out_len = rsa_size;

  183.   ret = 1;

  184. 

  185. err:

  186.   if (ctx != NULL) {

  187.     BN_CTX_end(ctx);

  188.     BN_CTX_free(ctx);

  189.   }

  190.   if (buf != NULL) {

  191.     OPENSSL_cleanse(buf, rsa_size);

  192.     OPENSSL_free(buf);

  193.   }

  194. 

  195.   return ret;

  196. }

  197. 

  198. /* MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per

  199.  * RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and

  200.  * destroyed as needed. */

  201. #define MAX_BLINDINGS_PER_RSA 1024

  202. 

  203. /* rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by

  204.  * allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If

  205.  * none are free, the cache will be extended by a extra element and the new

  206.  * BN_BLINDING is returned.

  207.  *

  208.  * On success, the index of the assigned BN_BLINDING is written to

  209.  * |*index_used| and must be passed to |rsa_blinding_release| when finished. */

  210. static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,

  211.                                      BN_CTX *ctx) {

  212.   BN_BLINDING *ret = NULL;

  213.   BN_BLINDING **new_blindings;

  214.   uint8_t *new_blindings_inuse;

  215.   char overflow = 0;

  216. 

  217.   CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);

  218.   if (rsa->num_blindings > 0) {

  219.     unsigned i, starting_index;

  220.     CRYPTO_THREADID threadid;

  221. 

  222.     /* We start searching the array at a value based on the

  223.      * threadid in order to try avoid bouncing the BN_BLINDING

  224.      * values around different threads. It's harmless if

  225.      * threadid.val is always set to zero. */

  226.     CRYPTO_THREADID_current(&threadid);

  227.     starting_index = threadid.val % rsa->num_blindings;

  228. 

  229.     for (i = starting_index;;) {

  230.       if (rsa->blindings_inuse[i] == 0) {

  231.         rsa->blindings_inuse[i] = 1;

  232.         ret = rsa->blindings[i];

  233.         *index_used = i;

  234.         break;

  235.       }

  236.       i++;

  237.       if (i == rsa->num_blindings) {

  238.         i = 0;

  239.       }

  240.       if (i == starting_index) {

  241.         break;

  242.       }

  243.     }

  244.   }

  245. 

  246.   if (ret != NULL) {

  247.     CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);

  248.     return ret;

  249.   }

  250. 

  251.   overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;

  252. 

  253.   /* We didn't find a free BN_BLINDING to use so increase the length of

  254.    * the arrays by one and use the newly created element. */

  255. 

  256.   CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);

  257.   ret = rsa_setup_blinding(rsa, ctx);

  258.   if (ret == NULL) {

  259.     return NULL;

  260.   }

  261. 

  262.   if (overflow) {

  263.     /* We cannot add any more cached BN_BLINDINGs so we use |ret|

  264.      * and mark it for destruction in |rsa_blinding_release|. */

  265.     *index_used = MAX_BLINDINGS_PER_RSA;

  266.     return ret;

  267.   }

  268. 

  269.   CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);

  270. 

  271.   new_blindings =

  272.       OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));

  273.   if (new_blindings == NULL) {

  274.     goto err1;

  275.   }

  276.   memcpy(new_blindings, rsa->blindings,

  277.          sizeof(BN_BLINDING *) * rsa->num_blindings);

  278.   new_blindings[rsa->num_blindings] = ret;

  279. 

  280.   new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1);

  281.   if (new_blindings_inuse == NULL) {

  282.     goto err2;

  283.   }

  284.   memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);

  285.   new_blindings_inuse[rsa->num_blindings] = 1;

  286.   *index_used = rsa->num_blindings;

  287. 

  288.   if (rsa->blindings != NULL) {

  289.     OPENSSL_free(rsa->blindings);

  290.   }

  291.   rsa->blindings = new_blindings;

  292.   if (rsa->blindings_inuse != NULL) {

  293.     OPENSSL_free(rsa->blindings_inuse);

  294.   }

  295.   rsa->blindings_inuse = new_blindings_inuse;

  296.   rsa->num_blindings++;

  297. 

  298.   CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);

  299.   return ret;

  300. 

  301. err2:

  302.   OPENSSL_free(new_blindings);

  303. 

  304. err1:

  305.   CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);

  306.   BN_BLINDING_free(ret);

  307.   return NULL;

  308. }

  309. 

  310. /* rsa_blinding_release marks the cached BN_BLINDING at the given index as free

  311.  * for other threads to use. */

  312. static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,

  313.                                  unsigned blinding_index) {

  314.   if (blinding_index == MAX_BLINDINGS_PER_RSA) {

  315.     /* This blinding wasn't cached. */

  316.     BN_BLINDING_free(blinding);

  317.     return;

  318.   }

  319. 

  320.   CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);

  321.   rsa->blindings_inuse[blinding_index] = 0;

  322.   CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);

  323. }

  324. 

  325. /* signing */

  326. static int sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,

  327.                     const uint8_t *in, size_t in_len, int padding) {

  328.   const unsigned rsa_size = RSA_size(rsa);

  329.   BIGNUM *f, *result;

  330.   uint8_t *buf = NULL;

  331.   BN_CTX *ctx = NULL;

  332.   unsigned blinding_index = 0;

  333.   BN_BLINDING *blinding = NULL;

  334.   int i, ret = 0;

  335. 

  336.   if (max_out < rsa_size) {

  337.     OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_OUTPUT_BUFFER_TOO_SMALL);

  338.     return 0;

  339.   }

  340. 

  341.   ctx = BN_CTX_new();

  342.   if (ctx == NULL) {

  343.     goto err;

  344.   }

  345.   BN_CTX_start(ctx);

  346.   f = BN_CTX_get(ctx);

  347.   result = BN_CTX_get(ctx);

  348.   buf = OPENSSL_malloc(rsa_size);

  349.   if (!f || !result || !buf) {

  350.     OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_MALLOC_FAILURE);

  351.     goto err;

  352.   }

  353. 

  354.   switch (padding) {

  355.     case RSA_PKCS1_PADDING:

  356.       i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);

  357.       break;

  358.     case RSA_NO_PADDING:

  359.       i = RSA_padding_add_none(buf, rsa_size, in, in_len);

  360.       break;

  361.     default:

  362.       OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_UNKNOWN_PADDING_TYPE);

  363.       goto err;

  364.   }

  365.   if (i <= 0) {

  366.     goto err;

  367.   }

  368. 

  369.   if (BN_bin2bn(buf, rsa_size, f) == NULL) {

  370.     goto err;

  371.   }

  372. 

  373.   if (BN_ucmp(f, rsa->n) >= 0) {

  374.     /* usually the padding functions would catch this */

  375.     OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);

  376.     goto err;

  377.   }

  378. 

  379.   if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {

  380.     blinding = rsa_blinding_get(rsa, &blinding_index, ctx);

  381.     if (blinding == NULL) {

  382.       OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);

  383.       goto err;

  384.     }

  385.     if (!BN_BLINDING_convert_ex(f, NULL, blinding, ctx)) {

  386.       goto err;

  387.     }

  388.   }

  389. 

  390.   if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||

  391.       ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) &&

  392.        (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {

  393.     if (!rsa->meth->mod_exp(result, f, rsa, ctx)) {

  394.       goto err;

  395.     }

  396.   } else {

  397.     BIGNUM local_d;

  398.     BIGNUM *d = NULL;

  399. 

  400.     BN_init(&local_d);

  401.     d = &local_d;

  402.     BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

  403. 

  404.     if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {

  405.       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,

  406.                                   ctx)) {

  407.         goto err;

  408.       }

  409.     }

  410. 

  411.     if (!rsa->meth->bn_mod_exp(result, f, d, rsa->n, ctx, rsa->_method_mod_n)) {

  412.       goto err;

  413.     }

  414.   }

  415. 

  416.   if (blinding) {

  417.     if (!BN_BLINDING_invert_ex(result, NULL, blinding, ctx)) {

  418.       goto err;

  419.     }

  420.   }

  421. 

  422.   if (!BN_bn2bin_padded(out, rsa_size, result)) {

  423.     OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);

  424.     goto err;

  425.   }

  426. 

  427.   *out_len = rsa_size;

  428.   ret = 1;

  429. 

  430. err:

  431.   if (ctx != NULL) {

  432.     BN_CTX_end(ctx);

  433.     BN_CTX_free(ctx);

  434.   }

  435.   if (buf != NULL) {

  436.     OPENSSL_cleanse(buf, rsa_size);

  437.     OPENSSL_free(buf);

  438.   }

  439.   if (blinding != NULL) {

  440.     rsa_blinding_release(rsa, blinding, blinding_index);

  441.   }

  442. 

  443.   return ret;

  444. }

  445. 

  446. static int decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,

  447.                    const uint8_t *in, size_t in_len, int padding) {

  448.   const unsigned rsa_size = RSA_size(rsa);

  449.   BIGNUM *f, *result;

  450.   int r = -1;

  451.   uint8_t *buf = NULL;

  452.   BN_CTX *ctx = NULL;

  453.   unsigned blinding_index;

  454.   BN_BLINDING *blinding = NULL;

  455.   int ret = 0;

  456. 

  457.   if (max_out < rsa_size) {

  458.     OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_OUTPUT_BUFFER_TOO_SMALL);

  459.     return 0;

  460.   }

  461. 

  462.   ctx = BN_CTX_new();

  463.   if (ctx == NULL) {

  464.     goto err;

  465.   }

  466.   BN_CTX_start(ctx);

  467.   f = BN_CTX_get(ctx);

  468.   result = BN_CTX_get(ctx);

  469.   buf = OPENSSL_malloc(rsa_size);

  470.   if (!f || !result || !buf) {

  471.     OPENSSL_PUT_ERROR(RSA, decrypt, ERR_R_MALLOC_FAILURE);

  472.     goto err;

  473.   }

  474. 

  475.   /* This check was for equality but PGP does evil things

  476.    * and chops off the top '0' bytes.

  477.    * TODO(fork): investigate this. */

  478.   if (in_len > rsa_size) {

  479.     OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_DATA_GREATER_THAN_MOD_LEN);

  480.     goto err;

  481.   }

  482. 

  483.   /* make data into a big number */

  484.   if (BN_bin2bn(in, (int)in_len, f) == NULL) {

  485.     goto err;

  486.   }

  487. 

  488.   if (BN_ucmp(f, rsa->n) >= 0) {

  489.     OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);

  490.     goto err;

  491.   }

  492. 

  493.   if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {

  494.     blinding = rsa_blinding_get(rsa, &blinding_index, ctx);

  495.     if (blinding == NULL) {

  496.       OPENSSL_PUT_ERROR(RSA, decrypt, ERR_R_INTERNAL_ERROR);

  497.       goto err;

  498.     }

  499.     if (!BN_BLINDING_convert_ex(f, NULL, blinding, ctx)) {

  500.       goto err;

  501.     }

  502.   }

  503. 

  504.   /* do the decrypt */

  505.   if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||

  506.       ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) &&

  507.        (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {

  508.     if (!rsa->meth->mod_exp(result, f, rsa, ctx)) {

  509.       goto err;

  510.     }

  511.   } else {

  512.     BIGNUM local_d;

  513.     BIGNUM *d = NULL;

  514. 

  515.     d = &local_d;

  516.     BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

  517. 

  518.     if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {

  519.       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,

  520.                                   ctx)) {

  521.         goto err;

  522.       }

  523.     }

  524.     if (!rsa->meth->bn_mod_exp(result, f, d, rsa->n, ctx, rsa->_method_mod_n)) {

  525.       goto err;

  526.     }

  527.   }

  528. 

  529.   if (blinding) {

  530.     if (!BN_BLINDING_invert_ex(result, NULL, blinding, ctx)) {

  531.       goto err;

  532.     }

  533.   }

  534. 

  535.   if (!BN_bn2bin_padded(buf, rsa_size, result)) {

  536.     OPENSSL_PUT_ERROR(RSA, decrypt, ERR_R_INTERNAL_ERROR);

  537.     goto err;

  538.   }

  539. 

  540.   switch (padding) {

  541.     case RSA_PKCS1_PADDING:

  542.       r = RSA_padding_check_PKCS1_type_2(out, rsa_size, buf, rsa_size);

  543.       break;

  544.     case RSA_PKCS1_OAEP_PADDING:

  545.       /* Use the default parameters: SHA-1 for both hashes and no label. */

  546.       r = RSA_padding_check_PKCS1_OAEP_mgf1(out, rsa_size, buf, rsa_size,

  547.                                             NULL, 0, NULL, NULL);

  548.       break;

  549.     case RSA_SSLV23_PADDING:

  550.       r = RSA_padding_check_SSLv23(out, rsa_size, buf, rsa_size);

  551.       break;

  552.     case RSA_NO_PADDING:

  553.       r = RSA_padding_check_none(out, rsa_size, buf, rsa_size);

  554.       break;

  555.     default:

  556.       OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_UNKNOWN_PADDING_TYPE);

  557.       goto err;

  558.   }

  559. 

  560.   if (r < 0) {

  561.     OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_PADDING_CHECK_FAILED);

  562.   } else {

  563.     *out_len = r;

  564.     ret = 1;

  565.   }

  566. 

  567. err:

  568.   if (ctx != NULL) {

  569.     BN_CTX_end(ctx);

  570.     BN_CTX_free(ctx);

  571.   }

  572.   if (buf != NULL) {

  573.     OPENSSL_cleanse(buf, rsa_size);

  574.     OPENSSL_free(buf);

  575.   }

  576.   if (blinding != NULL) {

  577.     rsa_blinding_release(rsa, blinding, blinding_index);

  578.   }

  579. 

  580.   return ret;

  581. }

  582. 

  583. static int verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,

  584.                       const uint8_t *in, size_t in_len, int padding) {

  585.   const unsigned rsa_size = RSA_size(rsa);

  586.   BIGNUM *f, *result;

  587.   int ret = 0;

  588.   int r = -1;

  589.   uint8_t *buf = NULL;

  590.   BN_CTX *ctx = NULL;

  591. 

  592.   if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {

  593.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_MODULUS_TOO_LARGE);

  594.     return 0;

  595.   }

  596. 

  597.   if (BN_ucmp(rsa->n, rsa->e) <= 0) {

  598.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_BAD_E_VALUE);

  599.     return 0;

  600.   }

  601. 

  602.   if (max_out < rsa_size) {

  603.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_OUTPUT_BUFFER_TOO_SMALL);

  604.     return 0;

  605.   }

  606. 

  607.   /* for large moduli, enforce exponent limit */

  608.   if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&

  609.       BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {

  610.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_BAD_E_VALUE);

  611.     return 0;

  612.   }

  613. 

  614.   ctx = BN_CTX_new();

  615.   if (ctx == NULL) {

  616.     goto err;

  617.   }

  618. 

  619.   BN_CTX_start(ctx);

  620.   f = BN_CTX_get(ctx);

  621.   result = BN_CTX_get(ctx);

  622.   buf = OPENSSL_malloc(rsa_size);

  623.   if (!f || !result || !buf) {

  624.     OPENSSL_PUT_ERROR(RSA, verify_raw, ERR_R_MALLOC_FAILURE);

  625.     goto err;

  626.   }

  627. 

  628.   /* This check was for equality but PGP does evil things

  629.    * and chops off the top '0' bytes.

  630.    * TODO(fork): investigate */

  631.   if (in_len > rsa_size) {

  632.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_DATA_GREATER_THAN_MOD_LEN);

  633.     goto err;

  634.   }

  635. 

  636.   if (BN_bin2bn(in, in_len, f) == NULL) {

  637.     goto err;

  638.   }

  639. 

  640.   if (BN_ucmp(f, rsa->n) >= 0) {

  641.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);

  642.     goto err;

  643.   }

  644. 

  645.   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {

  646.     if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,

  647.                                 ctx)) {

  648.       goto err;

  649.     }

  650.   }

  651. 

  652.   if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx,

  653.                              rsa->_method_mod_n)) {

  654.     goto err;

  655.   }

  656. 

  657.   if (!BN_bn2bin_padded(buf, rsa_size, result)) {

  658.     OPENSSL_PUT_ERROR(RSA, verify_raw, ERR_R_INTERNAL_ERROR);

  659.     goto err;

  660.   }

  661. 

  662.   switch (padding) {

  663.     case RSA_PKCS1_PADDING:

  664.       r = RSA_padding_check_PKCS1_type_1(out, rsa_size, buf, rsa_size);

  665.       break;

  666.     case RSA_NO_PADDING:

  667.       r = RSA_padding_check_none(out, rsa_size, buf, rsa_size);

  668.       break;

  669.     default:

  670.       OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_UNKNOWN_PADDING_TYPE);

  671.       goto err;

  672.   }

  673. 

  674.   if (r < 0) {

  675.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_PADDING_CHECK_FAILED);

  676.   } else {

  677.     *out_len = r;

  678.     ret = 1;

  679.   }

  680. 

  681. err:

  682.   if (ctx != NULL) {

  683.     BN_CTX_end(ctx);

  684.     BN_CTX_free(ctx);

  685.   }

  686.   if (buf != NULL) {

  687.     OPENSSL_cleanse(buf, rsa_size);

  688.     OPENSSL_free(buf);

  689.   }

  690.   return ret;

  691. }

  692. 

  693. static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {

  694.   BIGNUM *r1, *m1, *vrfy;

  695.   BIGNUM local_dmp1, local_dmq1, local_c, local_r1;

  696.   BIGNUM *dmp1, *dmq1, *c, *pr1;

  697.   int ret = 0;

  698. 

  699.   BN_CTX_start(ctx);

  700.   r1 = BN_CTX_get(ctx);

  701.   m1 = BN_CTX_get(ctx);

  702.   vrfy = BN_CTX_get(ctx);

  703. 

  704.   {

  705.     BIGNUM local_p, local_q;

  706.     BIGNUM *p = NULL, *q = NULL;

  707. 

  708.     /* Make sure BN_mod_inverse in Montgomery intialization uses the

  709.      * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) */

  710.     BN_init(&local_p);

  711.     p = &local_p;

  712.     BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);

  713. 

  714.     BN_init(&local_q);

  715.     q = &local_q;

  716.     BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);

  717. 

  718.     if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {

  719.       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) {

  720.         goto err;

  721.       }

  722.       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) {

  723.         goto err;

  724.       }

  725.     }

  726.   }

  727. 

  728.   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {

  729.     if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,

  730.                                 ctx)) {

  731.       goto err;

  732.     }

  733.   }

  734. 

  735.   /* compute I mod q */

  736.   c = &local_c;

  737.   BN_with_flags(c, I, BN_FLG_CONSTTIME);

  738.   if (!BN_mod(r1, c, rsa->q, ctx)) {

  739.     goto err;

  740.   }

  741. 

  742.   /* compute r1^dmq1 mod q */

  743.   dmq1 = &local_dmq1;

  744.   BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);

  745.   if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) {

  746.     goto err;

  747.   }

  748. 

  749.   /* compute I mod p */

  750.   c = &local_c;

  751.   BN_with_flags(c, I, BN_FLG_CONSTTIME);

  752.   if (!BN_mod(r1, c, rsa->p, ctx)) {

  753.     goto err;

  754.   }

  755. 

  756.   /* compute r1^dmp1 mod p */

  757.   dmp1 = &local_dmp1;

  758.   BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);

  759.   if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) {

  760.     goto err;

  761.   }

  762. 

  763.   if (!BN_sub(r0, r0, m1)) {

  764.     goto err;

  765.   }

  766.   /* This will help stop the size of r0 increasing, which does

  767.    * affect the multiply if it optimised for a power of 2 size */

  768.   if (BN_is_negative(r0)) {

  769.     if (!BN_add(r0, r0, rsa->p)) {

  770.       goto err;

  771.     }

  772.   }

  773. 

  774.   if (!BN_mul(r1, r0, rsa->iqmp, ctx)) {

  775.     goto err;

  776.   }

  777. 

  778.   /* Turn BN_FLG_CONSTTIME flag on before division operation */

  779.   pr1 = &local_r1;

  780.   BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);

  781. 

  782.   if (!BN_mod(r0, pr1, rsa->p, ctx)) {

  783.     goto err;

  784.   }

  785. 

  786.   /* If p < q it is occasionally possible for the correction of

  787.    * adding 'p' if r0 is negative above to leave the result still

  788.    * negative. This can break the private key operations: the following

  789.    * second correction should *always* correct this rare occurrence.

  790.    * This will *never* happen with OpenSSL generated keys because

  791.    * they ensure p > q [steve] */

  792.   if (BN_is_negative(r0)) {

  793.     if (!BN_add(r0, r0, rsa->p)) {

  794.       goto err;

  795.     }

  796.   }

  797.   if (!BN_mul(r1, r0, rsa->q, ctx)) {

  798.     goto err;

  799.   }

  800.   if (!BN_add(r0, r1, m1)) {

  801.     goto err;

  802.   }

  803. 

  804.   if (rsa->e && rsa->n) {

  805.     if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,

  806.                                rsa->_method_mod_n)) {

  807.       goto err;

  808.     }

  809.     /* If 'I' was greater than (or equal to) rsa->n, the operation

  810.      * will be equivalent to using 'I mod n'. However, the result of

  811.      * the verify will *always* be less than 'n' so we don't check

  812.      * for absolute equality, just congruency. */

  813.     if (!BN_sub(vrfy, vrfy, I)) {

  814.       goto err;

  815.     }

  816.     if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) {

  817.       goto err;

  818.     }

  819.     if (BN_is_negative(vrfy)) {

  820.       if (!BN_add(vrfy, vrfy, rsa->n)) {

  821.         goto err;

  822.       }

  823.     }

  824.     if (!BN_is_zero(vrfy)) {

  825.       /* 'I' and 'vrfy' aren't congruent mod n. Don't leak

  826.        * miscalculated CRT output, just do a raw (slower)

  827.        * mod_exp and return that instead. */

  828. 

  829.       BIGNUM local_d;

  830.       BIGNUM *d = NULL;

  831. 

  832.       d = &local_d;

  833.       BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

  834.       if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, rsa->_method_mod_n)) {

  835.         goto err;

  836.       }

  837.     }

  838.   }

  839.   ret = 1;

  840. 

  841. err:

  842.   BN_CTX_end(ctx);

  843.   return ret;

  844. }

  845. 

  846. static int keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {

  847.   BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;

  848.   BIGNUM local_r0, local_d, local_p;

  849.   BIGNUM *pr0, *d, *p;

  850.   int bitsp, bitsq, ok = -1, n = 0;

  851.   BN_CTX *ctx = NULL;

  852. 

  853.   ctx = BN_CTX_new();

  854.   if (ctx == NULL) {

  855.     goto err;

  856.   }

  857.   BN_CTX_start(ctx);

  858.   r0 = BN_CTX_get(ctx);

  859.   r1 = BN_CTX_get(ctx);

  860.   r2 = BN_CTX_get(ctx);

  861.   r3 = BN_CTX_get(ctx);

  862.   if (r3 == NULL) {

  863.     goto err;

  864.   }

  865. 

  866.   bitsp = (bits + 1) / 2;

  867.   bitsq = bits - bitsp;

  868. 

  869.   /* We need the RSA components non-NULL */

  870.   if (!rsa->n && ((rsa->n = BN_new()) == NULL))

  871.     goto err;

  872.   if (!rsa->d && ((rsa->d = BN_new()) == NULL))

  873.     goto err;

  874.   if (!rsa->e && ((rsa->e = BN_new()) == NULL))

  875.     goto err;

  876.   if (!rsa->p && ((rsa->p = BN_new()) == NULL))

  877.     goto err;

  878.   if (!rsa->q && ((rsa->q = BN_new()) == NULL))

  879.     goto err;

  880.   if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))

  881.     goto err;

  882.   if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))

  883.     goto err;

  884.   if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))

  885.     goto err;

  886. 

  887.   BN_copy(rsa->e, e_value);

  888. 

  889.   /* generate p and q */

  890.   for (;;) {

  891.     if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))

  892.       goto err;

  893.     if (!BN_sub(r2, rsa->p, BN_value_one()))

  894.       goto err;

  895.     if (!BN_gcd(r1, r2, rsa->e, ctx))

  896.       goto err;

  897.     if (BN_is_one(r1))

  898.       break;

  899.     if (!BN_GENCB_call(cb, 2, n++))

  900.       goto err;

  901.   }

  902.   if (!BN_GENCB_call(cb, 3, 0))

  903.     goto err;

  904.   for (;;) {

  905.     /* When generating ridiculously small keys, we can get stuck

  906.      * continually regenerating the same prime values. Check for

  907.      * this and bail if it happens 3 times. */

  908.     unsigned int degenerate = 0;

  909.     do {

  910.       if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))

  911.         goto err;

  912.     } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));

  913.     if (degenerate == 3) {

  914.       ok = 0; /* we set our own err */

  915.       OPENSSL_PUT_ERROR(RSA, keygen, RSA_R_KEY_SIZE_TOO_SMALL);

  916.       goto err;

  917.     }

  918.     if (!BN_sub(r2, rsa->q, BN_value_one()))

  919.       goto err;

  920.     if (!BN_gcd(r1, r2, rsa->e, ctx))

  921.       goto err;

  922.     if (BN_is_one(r1))

  923.       break;

  924.     if (!BN_GENCB_call(cb, 2, n++))

  925.       goto err;

  926.   }

  927.   if (!BN_GENCB_call(cb, 3, 1))

  928.     goto err;

  929.   if (BN_cmp(rsa->p, rsa->q) < 0) {

  930.     tmp = rsa->p;

  931.     rsa->p = rsa->q;

  932.     rsa->q = tmp;

  933.   }

  934. 

  935.   /* calculate n */

  936.   if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))

  937.     goto err;

  938. 

  939.   /* calculate d */

  940.   if (!BN_sub(r1, rsa->p, BN_value_one()))

  941.     goto err; /* p-1 */

  942.   if (!BN_sub(r2, rsa->q, BN_value_one()))

  943.     goto err; /* q-1 */

  944.   if (!BN_mul(r0, r1, r2, ctx))

  945.     goto err; /* (p-1)(q-1) */

  946.   pr0 = &local_r0;

  947.   BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);

  948.   if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))

  949.     goto err; /* d */

  950. 

  951.   /* set up d for correct BN_FLG_CONSTTIME flag */

  952.   d = &local_d;

  953.   BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

  954. 

  955.   /* calculate d mod (p-1) */

  956.   if (!BN_mod(rsa->dmp1, d, r1, ctx))

  957.     goto err;

  958. 

  959.   /* calculate d mod (q-1) */

  960.   if (!BN_mod(rsa->dmq1, d, r2, ctx))

  961.     goto err;

  962. 

  963.   /* calculate inverse of q mod p */

  964.   p = &local_p;

  965.   BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);

  966. 

  967.   if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))

  968.     goto err;

  969. 

  970.   ok = 1;

  971. 

  972. err:

  973.   if (ok == -1) {

  974.     OPENSSL_PUT_ERROR(RSA, keygen, ERR_LIB_BN);

  975.     ok = 0;

  976.   }

  977.   if (ctx != NULL) {

  978.     BN_CTX_end(ctx);

  979.     BN_CTX_free(ctx);

  980.   }

  981. 

  982.   return ok;

  983. }

  984. 

  985. const struct rsa_meth_st RSA_default_method = {

  986.   {

  987.     0 /* references */,

  988.     1 /* is_static */,

  989.   },

  990.   NULL /* app_data */,

  991. 

  992.   NULL /* init */,

  993.   finish,

  994. 

  995.   NULL /* sign */,

  996.   NULL /* verify */,

  997. 

  998.   encrypt,

  999.   sign_raw,

  1000.   decrypt,

  1001.   verify_raw,

  1002. 

  1003.   mod_exp /* mod_exp */,

  1004.   BN_mod_exp_mont /* bn_mod_exp */,

  1005. 

  1006.   RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE,

  1007. 

  1008.   keygen,

  1009. };