1// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// https://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15#include <openssl/rsa.h> 16 17#include <assert.h> 18#include <limits.h> 19#include <string.h> 20 21#include <openssl/bn.h> 22#include <openssl/err.h> 23#include <openssl/mem.h> 24 25#include "../../bcm_support.h" 26#include "../../internal.h" 27#include "../bn/internal.h" 28#include "../delocate.h" 29#include "../service_indicator/internal.h" 30#include "internal.h" 31 32 33static_assert(OPENSSL_RSA_MAX_MODULUS_BITS <= 34 BN_MONTGOMERY_MAX_WORDS * BN_BITS2, 35 "Max RSA size too big for Montgomery arithmetic"); 36 37int rsa_check_public_key(const RSA *rsa) { 38 if (rsa->n == NULL) { 39 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 40 return 0; 41 } 42 43 unsigned n_bits = BN_num_bits(rsa->n); 44 if (n_bits > OPENSSL_RSA_MAX_MODULUS_BITS) { 45 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE); 46 return 0; 47 } 48 49 // TODO(crbug.com/boringssl/607): Raise this limit. 512-bit RSA was factored 50 // in 1999. 51 if (n_bits < 512) { 52 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 53 return 0; 54 } 55 56 // RSA moduli must be positive and odd. In addition to being necessary for RSA 57 // in general, we cannot setup Montgomery reduction with even moduli. 58 if (!BN_is_odd(rsa->n) || BN_is_negative(rsa->n)) { 59 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS); 60 return 0; 61 } 62 63 static const unsigned kMaxExponentBits = 33; 64 if (rsa->e != NULL) { 65 // Reject e = 1, negative e, and even e. e must be odd to be relatively 66 // prime with phi(n). 67 unsigned e_bits = BN_num_bits(rsa->e); 68 if (e_bits < 2 || BN_is_negative(rsa->e) || !BN_is_odd(rsa->e)) { 69 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); 70 return 0; 71 } 72 if (rsa->flags & RSA_FLAG_LARGE_PUBLIC_EXPONENT) { 73 // The caller has requested disabling DoS protections. Still, e must be 74 // less than n. 75 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 76 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); 77 return 0; 78 } 79 } else { 80 // Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen 81 // as the limit based on the recommendations in [1] and [2]. Windows 82 // CryptoAPI doesn't support values larger than 32 bits [3], so it is 83 // unlikely that exponents larger than 32 bits are being used for anything 84 // Windows commonly does. 85 // 86 // [1] https://www.imperialviolet.org/2012/03/16/rsae.html 87 // [2] https://www.imperialviolet.org/2012/03/17/rsados.html 88 // [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx 89 if (e_bits > kMaxExponentBits) { 90 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); 91 return 0; 92 } 93 94 // The upper bound on |e_bits| and lower bound on |n_bits| imply e is 95 // bounded by n. 96 assert(BN_ucmp(rsa->n, rsa->e) > 0); 97 } 98 } else if (!(rsa->flags & RSA_FLAG_NO_PUBLIC_EXPONENT)) { 99 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 100 return 0; 101 } 102 103 return 1; 104} 105 106static int ensure_fixed_copy(BIGNUM **out, const BIGNUM *in, int width) { 107 if (*out != NULL) { 108 return 1; 109 } 110 BIGNUM *copy = BN_dup(in); 111 if (copy == NULL || !bn_resize_words(copy, width)) { 112 BN_free(copy); 113 return 0; 114 } 115 *out = copy; 116 bn_secret(copy); 117 118 return 1; 119} 120 121// freeze_private_key finishes initializing |rsa|'s private key components. 122// After this function has returned, |rsa| may not be changed. This is needed 123// because |RSA| is a public struct and, additionally, OpenSSL 1.1.0 opaquified 124// it wrong (see https://github.com/openssl/openssl/issues/5158). 125static int freeze_private_key(RSA *rsa, BN_CTX *ctx) { 126 CRYPTO_MUTEX_lock_read(&rsa->lock); 127 int frozen = rsa->private_key_frozen; 128 CRYPTO_MUTEX_unlock_read(&rsa->lock); 129 if (frozen) { 130 return 1; 131 } 132 133 int ret = 0; 134 const BIGNUM *n_fixed; 135 CRYPTO_MUTEX_lock_write(&rsa->lock); 136 if (rsa->private_key_frozen) { 137 ret = 1; 138 goto err; 139 } 140 141 // Check the public components are within DoS bounds. 142 if (!rsa_check_public_key(rsa)) { 143 goto err; 144 } 145 146 // Pre-compute various intermediate values, as well as copies of private 147 // exponents with correct widths. Note that other threads may concurrently 148 // read from |rsa->n|, |rsa->e|, etc., so any fixes must be in separate 149 // copies. We use |mont_n->N|, |mont_p->N|, and |mont_q->N| as copies of |n|, 150 // |p|, and |q| with the correct minimal widths. 151 152 if (rsa->mont_n == NULL) { 153 rsa->mont_n = BN_MONT_CTX_new_for_modulus(rsa->n, ctx); 154 if (rsa->mont_n == NULL) { 155 goto err; 156 } 157 } 158 n_fixed = &rsa->mont_n->N; 159 160 // The only public upper-bound of |rsa->d| is the bit length of |rsa->n|. The 161 // ASN.1 serialization of RSA private keys unfortunately leaks the byte length 162 // of |rsa->d|, but normalize it so we only leak it once, rather than per 163 // operation. 164 if (rsa->d != NULL && 165 !ensure_fixed_copy(&rsa->d_fixed, rsa->d, n_fixed->width)) { 166 goto err; 167 } 168 169 if (rsa->e != NULL && rsa->p != NULL && rsa->q != NULL) { 170 // TODO: p and q are also CONSTTIME_SECRET but not yet marked as such 171 // because the Montgomery code does things like test whether or not values 172 // are zero. So the secret marking probably needs to happen inside that 173 // code. 174 175 if (rsa->mont_p == NULL) { 176 rsa->mont_p = BN_MONT_CTX_new_consttime(rsa->p, ctx); 177 if (rsa->mont_p == NULL) { 178 goto err; 179 } 180 } 181 182 if (rsa->mont_q == NULL) { 183 rsa->mont_q = BN_MONT_CTX_new_consttime(rsa->q, ctx); 184 if (rsa->mont_q == NULL) { 185 goto err; 186 } 187 } 188 189 if (rsa->dmp1 != NULL && rsa->dmq1 != NULL && rsa->iqmp != NULL) { 190 // CRT components are only publicly bounded by their corresponding 191 // moduli's bit lengths. 192 const BIGNUM *p_fixed = &rsa->mont_p->N; 193 const BIGNUM *q_fixed = &rsa->mont_q->N; 194 if (!ensure_fixed_copy(&rsa->dmp1_fixed, rsa->dmp1, p_fixed->width) || 195 !ensure_fixed_copy(&rsa->dmq1_fixed, rsa->dmq1, q_fixed->width)) { 196 goto err; 197 } 198 199 // Compute |iqmp_mont|, which is |iqmp| in Montgomery form and with the 200 // correct bit width. 201 if (rsa->iqmp_mont == NULL) { 202 BIGNUM *iqmp_mont = BN_new(); 203 if (iqmp_mont == NULL || 204 !BN_to_montgomery(iqmp_mont, rsa->iqmp, rsa->mont_p, ctx)) { 205 BN_free(iqmp_mont); 206 goto err; 207 } 208 rsa->iqmp_mont = iqmp_mont; 209 bn_secret(rsa->iqmp_mont); 210 } 211 } 212 } 213 214 rsa->private_key_frozen = 1; 215 ret = 1; 216 217err: 218 CRYPTO_MUTEX_unlock_write(&rsa->lock); 219 return ret; 220} 221 222void rsa_invalidate_key(RSA *rsa) { 223 rsa->private_key_frozen = 0; 224 225 BN_MONT_CTX_free(rsa->mont_n); 226 rsa->mont_n = NULL; 227 BN_MONT_CTX_free(rsa->mont_p); 228 rsa->mont_p = NULL; 229 BN_MONT_CTX_free(rsa->mont_q); 230 rsa->mont_q = NULL; 231 232 BN_free(rsa->d_fixed); 233 rsa->d_fixed = NULL; 234 BN_free(rsa->dmp1_fixed); 235 rsa->dmp1_fixed = NULL; 236 BN_free(rsa->dmq1_fixed); 237 rsa->dmq1_fixed = NULL; 238 BN_free(rsa->iqmp_mont); 239 rsa->iqmp_mont = NULL; 240 241 for (size_t i = 0; i < rsa->num_blindings; i++) { 242 BN_BLINDING_free(rsa->blindings[i]); 243 } 244 OPENSSL_free(rsa->blindings); 245 rsa->blindings = NULL; 246 rsa->num_blindings = 0; 247 OPENSSL_free(rsa->blindings_inuse); 248 rsa->blindings_inuse = NULL; 249 rsa->blinding_fork_generation = 0; 250} 251 252// MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per 253// RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and 254// destroyed as needed. 255#if defined(OPENSSL_TSAN) 256// Smaller under TSAN so that the edge case can be hit with fewer threads. 257#define MAX_BLINDINGS_PER_RSA 2 258#else 259#define MAX_BLINDINGS_PER_RSA 1024 260#endif 261 262// rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by 263// allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If 264// none are free, the cache will be extended by a extra element and the new 265// BN_BLINDING is returned. 266// 267// On success, the index of the assigned BN_BLINDING is written to 268// |*index_used| and must be passed to |rsa_blinding_release| when finished. 269static BN_BLINDING *rsa_blinding_get(RSA *rsa, size_t *index_used, 270 BN_CTX *ctx) { 271 assert(ctx != NULL); 272 assert(rsa->mont_n != NULL); 273 274 BN_BLINDING *ret = NULL; 275 const uint64_t fork_generation = CRYPTO_get_fork_generation(); 276 CRYPTO_MUTEX_lock_write(&rsa->lock); 277 278 // Wipe the blinding cache on |fork|. 279 if (rsa->blinding_fork_generation != fork_generation) { 280 for (size_t i = 0; i < rsa->num_blindings; i++) { 281 // The inuse flag must be zero unless we were forked from a 282 // multi-threaded process, in which case calling back into BoringSSL is 283 // forbidden. 284 assert(rsa->blindings_inuse[i] == 0); 285 BN_BLINDING_invalidate(rsa->blindings[i]); 286 } 287 rsa->blinding_fork_generation = fork_generation; 288 } 289 290 uint8_t *const free_inuse_flag = reinterpret_cast<uint8_t *>( 291 OPENSSL_memchr(rsa->blindings_inuse, 0, rsa->num_blindings)); 292 size_t new_num_blindings; 293 BN_BLINDING **new_blindings; 294 uint8_t *new_blindings_inuse; 295 if (free_inuse_flag != NULL) { 296 *free_inuse_flag = 1; 297 *index_used = free_inuse_flag - rsa->blindings_inuse; 298 ret = rsa->blindings[*index_used]; 299 goto out; 300 } 301 302 if (rsa->num_blindings >= MAX_BLINDINGS_PER_RSA) { 303 // No |BN_BLINDING| is free and nor can the cache be extended. This index 304 // value is magic and indicates to |rsa_blinding_release| that a 305 // |BN_BLINDING| was not inserted into the array. 306 *index_used = MAX_BLINDINGS_PER_RSA; 307 ret = BN_BLINDING_new(); 308 goto out; 309 } 310 311 // Double the length of the cache. 312 static_assert(MAX_BLINDINGS_PER_RSA < UINT_MAX / 2, 313 "MAX_BLINDINGS_PER_RSA too large"); 314 new_num_blindings = rsa->num_blindings * 2; 315 if (new_num_blindings == 0) { 316 new_num_blindings = 1; 317 } 318 if (new_num_blindings > MAX_BLINDINGS_PER_RSA) { 319 new_num_blindings = MAX_BLINDINGS_PER_RSA; 320 } 321 assert(new_num_blindings > rsa->num_blindings); 322 323 new_blindings = reinterpret_cast<BN_BLINDING **>( 324 OPENSSL_calloc(new_num_blindings, sizeof(BN_BLINDING *))); 325 new_blindings_inuse = 326 reinterpret_cast<uint8_t *>(OPENSSL_malloc(new_num_blindings)); 327 if (new_blindings == NULL || new_blindings_inuse == NULL) { 328 goto err; 329 } 330 331 OPENSSL_memcpy(new_blindings, rsa->blindings, 332 sizeof(BN_BLINDING *) * rsa->num_blindings); 333 OPENSSL_memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings); 334 335 for (size_t i = rsa->num_blindings; i < new_num_blindings; i++) { 336 new_blindings[i] = BN_BLINDING_new(); 337 if (new_blindings[i] == NULL) { 338 for (size_t j = rsa->num_blindings; j < i; j++) { 339 BN_BLINDING_free(new_blindings[j]); 340 } 341 goto err; 342 } 343 } 344 memset(&new_blindings_inuse[rsa->num_blindings], 0, 345 new_num_blindings - rsa->num_blindings); 346 347 new_blindings_inuse[rsa->num_blindings] = 1; 348 *index_used = rsa->num_blindings; 349 assert(*index_used != MAX_BLINDINGS_PER_RSA); 350 ret = new_blindings[rsa->num_blindings]; 351 352 OPENSSL_free(rsa->blindings); 353 rsa->blindings = new_blindings; 354 OPENSSL_free(rsa->blindings_inuse); 355 rsa->blindings_inuse = new_blindings_inuse; 356 rsa->num_blindings = new_num_blindings; 357 358 goto out; 359 360err: 361 OPENSSL_free(new_blindings_inuse); 362 OPENSSL_free(new_blindings); 363 364out: 365 CRYPTO_MUTEX_unlock_write(&rsa->lock); 366 return ret; 367} 368 369// rsa_blinding_release marks the cached BN_BLINDING at the given index as free 370// for other threads to use. 371static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding, 372 size_t blinding_index) { 373 if (blinding_index == MAX_BLINDINGS_PER_RSA) { 374 // This blinding wasn't cached. 375 BN_BLINDING_free(blinding); 376 return; 377 } 378 379 CRYPTO_MUTEX_lock_write(&rsa->lock); 380 rsa->blindings_inuse[blinding_index] = 0; 381 CRYPTO_MUTEX_unlock_write(&rsa->lock); 382} 383 384// signing 385int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, 386 size_t max_out, const uint8_t *in, size_t in_len, 387 int padding) { 388 const unsigned rsa_size = RSA_size(rsa); 389 uint8_t *buf = NULL; 390 int i, ret = 0; 391 392 if (max_out < rsa_size) { 393 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL); 394 return 0; 395 } 396 397 buf = reinterpret_cast<uint8_t *>(OPENSSL_malloc(rsa_size)); 398 if (buf == NULL) { 399 goto err; 400 } 401 402 switch (padding) { 403 case RSA_PKCS1_PADDING: 404 i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len); 405 break; 406 case RSA_NO_PADDING: 407 i = RSA_padding_add_none(buf, rsa_size, in, in_len); 408 break; 409 default: 410 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE); 411 goto err; 412 } 413 414 if (i <= 0) { 415 goto err; 416 } 417 418 if (!rsa_private_transform_no_self_test(rsa, out, buf, rsa_size)) { 419 goto err; 420 } 421 422 CONSTTIME_DECLASSIFY(out, rsa_size); 423 *out_len = rsa_size; 424 ret = 1; 425 426err: 427 OPENSSL_free(buf); 428 429 return ret; 430} 431 432 433static int rsa_mod_exp_crt(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); 434 435int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, 436 size_t max_out, const uint8_t *in, 437 size_t in_len, int padding) { 438 if (rsa->n == NULL || rsa->e == NULL) { 439 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 440 return 0; 441 } 442 443 if (!rsa_check_public_key(rsa)) { 444 return 0; 445 } 446 447 const unsigned rsa_size = RSA_size(rsa); 448 if (max_out < rsa_size) { 449 OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL); 450 return 0; 451 } 452 453 if (in_len != rsa_size) { 454 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN); 455 return 0; 456 } 457 458 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new()); 459 if (ctx == nullptr) { 460 return 0; 461 } 462 463 int ret = 0; 464 uint8_t *buf = nullptr; 465 bssl::BN_CTXScope scope(ctx.get()); 466 BIGNUM *f = BN_CTX_get(ctx.get()); 467 BIGNUM *result = BN_CTX_get(ctx.get()); 468 if (f == nullptr || result == nullptr) { 469 goto err; 470 } 471 472 if (padding == RSA_NO_PADDING) { 473 buf = out; 474 } else { 475 // Allocate a temporary buffer to hold the padded plaintext. 476 buf = reinterpret_cast<uint8_t *>(OPENSSL_malloc(rsa_size)); 477 if (buf == nullptr) { 478 goto err; 479 } 480 } 481 482 if (BN_bin2bn(in, in_len, f) == nullptr) { 483 goto err; 484 } 485 486 if (BN_ucmp(f, rsa->n) >= 0) { 487 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 488 goto err; 489 } 490 491 if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx.get()) || 492 !BN_mod_exp_mont(result, f, rsa->e, &rsa->mont_n->N, ctx.get(), 493 rsa->mont_n)) { 494 goto err; 495 } 496 497 if (!BN_bn2bin_padded(buf, rsa_size, result)) { 498 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 499 goto err; 500 } 501 502 switch (padding) { 503 case RSA_PKCS1_PADDING: 504 ret = 505 RSA_padding_check_PKCS1_type_1(out, out_len, rsa_size, buf, rsa_size); 506 break; 507 case RSA_NO_PADDING: 508 ret = 1; 509 *out_len = rsa_size; 510 break; 511 default: 512 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE); 513 goto err; 514 } 515 516 if (!ret) { 517 OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED); 518 goto err; 519 } 520 521err: 522 if (buf != out) { 523 OPENSSL_free(buf); 524 } 525 return ret; 526} 527 528int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, 529 const uint8_t *in, size_t in_len, int padding) { 530 boringssl_ensure_rsa_self_test(); 531 return rsa_verify_raw_no_self_test(rsa, out_len, out, max_out, in, in_len, 532 padding); 533} 534 535int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, 536 size_t len) { 537 if (rsa->n == nullptr || rsa->d == nullptr) { 538 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 539 return 0; 540 } 541 542 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new()); 543 if (ctx == nullptr) { 544 return 0; 545 } 546 size_t blinding_index = 0; 547 BN_BLINDING *blinding = nullptr; 548 int ret = 0, do_blinding; 549 bssl::BN_CTXScope scope(ctx.get()); 550 BIGNUM *f = BN_CTX_get(ctx.get()); 551 BIGNUM *result = BN_CTX_get(ctx.get()); 552 if (f == nullptr || result == nullptr) { 553 goto err; 554 } 555 556 // The caller should have ensured this. 557 assert(len == BN_num_bytes(rsa->n)); 558 if (BN_bin2bn(in, len, f) == nullptr) { 559 goto err; 560 } 561 562 // The input to the RSA private transform may be secret, but padding is 563 // expected to construct a value within range, so we can leak this comparison. 564 if (constant_time_declassify_int(BN_ucmp(f, rsa->n) >= 0)) { 565 // Usually the padding functions would catch this. 566 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 567 goto err; 568 } 569 570 if (!freeze_private_key(rsa, ctx.get())) { 571 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 572 goto err; 573 } 574 575 do_blinding = 576 (rsa->flags & (RSA_FLAG_NO_BLINDING | RSA_FLAG_NO_PUBLIC_EXPONENT)) == 0; 577 578 if (rsa->e == nullptr && do_blinding) { 579 // We cannot do blinding or verification without |e|, and continuing without 580 // those countermeasures is dangerous. However, the Java/Android RSA API 581 // requires support for keys where only |d| and |n| (and not |e|) are known. 582 // The callers that require that bad behavior must set 583 // |RSA_FLAG_NO_BLINDING| or use |RSA_new_private_key_no_e|. 584 // 585 // TODO(davidben): Update this comment when Conscrypt is updated to use 586 // |RSA_new_private_key_no_e|. 587 OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT); 588 goto err; 589 } 590 591 if (do_blinding) { 592 blinding = rsa_blinding_get(rsa, &blinding_index, ctx.get()); 593 if (blinding == nullptr) { 594 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 595 goto err; 596 } 597 if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx.get())) { 598 goto err; 599 } 600 } 601 602 if (rsa->p != nullptr && rsa->q != nullptr && rsa->e != nullptr && 603 rsa->dmp1 != nullptr && rsa->dmq1 != nullptr && rsa->iqmp != nullptr && 604 // Require that we can reduce |f| by |rsa->p| and |rsa->q| in constant 605 // time, which requires primes be the same size, rounded to the Montgomery 606 // coefficient. (See |mod_montgomery|.) This is not required by RFC 8017, 607 // but it is true for keys generated by us and all common implementations. 608 bn_less_than_montgomery_R(rsa->q, rsa->mont_p) && 609 bn_less_than_montgomery_R(rsa->p, rsa->mont_q)) { 610 if (!rsa_mod_exp_crt(result, f, rsa, ctx.get())) { 611 goto err; 612 } 613 } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d_fixed, rsa->n, 614 ctx.get(), rsa->mont_n)) { 615 goto err; 616 } 617 618 // Verify the result to protect against fault attacks as described in the 619 // 1997 paper "On the Importance of Checking Cryptographic Protocols for 620 // Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some 621 // implementations do this only when the CRT is used, but we do it in all 622 // cases. Section 6 of the aforementioned paper describes an attack that 623 // works when the CRT isn't used. That attack is much less likely to succeed 624 // than the CRT attack, but there have likely been improvements since 1997. 625 // 626 // This check is cheap assuming |e| is small, which we require in 627 // |rsa_check_public_key|. 628 if (rsa->e != nullptr) { 629 BIGNUM *vrfy = BN_CTX_get(ctx.get()); 630 if (vrfy == nullptr || 631 !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx.get(), 632 rsa->mont_n) || 633 !constant_time_declassify_int(BN_equal_consttime(vrfy, f))) { 634 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 635 goto err; 636 } 637 } 638 639 if (do_blinding && 640 !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx.get())) { 641 goto err; 642 } 643 644 // The computation should have left |result| as a maximally-wide number, so 645 // that it and serializing does not leak information about the magnitude of 646 // the result. 647 // 648 // See Falko Strenzke, "Manger's Attack revisited", ICICS 2010. 649 assert(result->width == rsa->mont_n->N.width); 650 bn_assert_fits_in_bytes(result, len); 651 if (!BN_bn2bin_padded(out, len, result)) { 652 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 653 goto err; 654 } 655 656 ret = 1; 657 658err: 659 if (blinding != nullptr) { 660 rsa_blinding_release(rsa, blinding, blinding_index); 661 } 662 663 return ret; 664} 665 666// mod_montgomery sets |r| to |I| mod |p|. |I| must already be fully reduced 667// modulo |p| times |q|. It returns one on success and zero on error. 668static int mod_montgomery(BIGNUM *r, const BIGNUM *I, const BIGNUM *p, 669 const BN_MONT_CTX *mont_p, const BIGNUM *q, 670 BN_CTX *ctx) { 671 // Reducing in constant-time with Montgomery reduction requires I <= p * R. We 672 // have I < p * q, so this follows if q < R. The caller should have checked 673 // this already. 674 if (!bn_less_than_montgomery_R(q, mont_p)) { 675 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 676 return 0; 677 } 678 679 if ( // Reduce mod p with Montgomery reduction. This computes I * R^-1 mod p. 680 !BN_from_montgomery(r, I, mont_p, ctx) || 681 // Multiply by R^2 and do another Montgomery reduction to compute 682 // I * R^-1 * R^2 * R^-1 = I mod p. 683 !BN_to_montgomery(r, r, mont_p, ctx)) { 684 return 0; 685 } 686 687 // By precomputing R^3 mod p (normally |BN_MONT_CTX| only uses R^2 mod p) and 688 // adjusting the API for |BN_mod_exp_mont_consttime|, we could instead compute 689 // I * R mod p here and save a reduction per prime. But this would require 690 // changing the RSAZ code and may not be worth it. Note that the RSAZ code 691 // uses a different radix, so it uses R' = 2^1044. There we'd actually want 692 // R^2 * R', and would futher benefit from a precomputed R'^2. It currently 693 // converts |mont_p->RR| to R'^2. 694 return 1; 695} 696 697static int rsa_mod_exp_crt(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { 698 assert(ctx != NULL); 699 700 assert(rsa->n != NULL); 701 assert(rsa->e != NULL); 702 assert(rsa->d != NULL); 703 assert(rsa->p != NULL); 704 assert(rsa->q != NULL); 705 assert(rsa->dmp1 != NULL); 706 assert(rsa->dmq1 != NULL); 707 assert(rsa->iqmp != NULL); 708 709 bssl::BN_CTXScope scope(ctx); 710 BIGNUM *r1 = BN_CTX_get(ctx); 711 BIGNUM *m1 = BN_CTX_get(ctx); 712 if (r1 == NULL || m1 == NULL) { 713 return 0; 714 } 715 716 // Use the minimal-width versions of |n|, |p|, and |q|. Either works, but if 717 // someone gives us non-minimal values, these will be slightly more efficient 718 // on the non-Montgomery operations. 719 BIGNUM *n = &rsa->mont_n->N; 720 BIGNUM *p = &rsa->mont_p->N; 721 BIGNUM *q = &rsa->mont_q->N; 722 723 // This is a pre-condition for |mod_montgomery|. It was already checked by the 724 // caller. 725 declassify_assert(BN_ucmp(I, n) < 0); 726 727 if ( // |m1| is the result modulo |q|. 728 !mod_montgomery(r1, I, q, rsa->mont_q, p, ctx) || 729 !BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1_fixed, q, ctx, 730 rsa->mont_q) || 731 // |r0| is the result modulo |p|. 732 !mod_montgomery(r1, I, p, rsa->mont_p, q, ctx) || 733 !BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1_fixed, p, ctx, 734 rsa->mont_p) || 735 // Compute r0 = r0 - m1 mod p. |m1| is reduced mod |q|, not |p|, so we 736 // just run |mod_montgomery| again for simplicity. This could be more 737 // efficient with more cases: if |p > q|, |m1| is already reduced. If 738 // |p < q| but they have the same bit width, |bn_reduce_once| suffices. 739 // However, compared to over 2048 Montgomery multiplications above, this 740 // difference is not measurable. 741 !mod_montgomery(r1, m1, p, rsa->mont_p, q, ctx) || 742 !bn_mod_sub_consttime(r0, r0, r1, p, ctx) || 743 // r0 = r0 * iqmp mod p. We use Montgomery multiplication to compute this 744 // in constant time. |iqmp_mont| is in Montgomery form and r0 is not, so 745 // the result is taken out of Montgomery form. 746 !BN_mod_mul_montgomery(r0, r0, rsa->iqmp_mont, rsa->mont_p, ctx) || 747 // r0 = r0 * q + m1 gives the final result. Reducing modulo q gives m1, so 748 // it is correct mod p. Reducing modulo p gives (r0-m1)*iqmp*q + m1 = r0, 749 // so it is correct mod q. Finally, the result is bounded by [m1, n + m1), 750 // and the result is at least |m1|, so this must be the unique answer in 751 // [0, n). 752 !bn_mul_consttime(r0, r0, q, ctx) || // 753 !bn_uadd_consttime(r0, r0, m1)) { 754 return 0; 755 } 756 757 // The result should be bounded by |n|, but fixed-width operations may 758 // bound the width slightly higher, so fix it. This trips constant-time checks 759 // because a naive data flow analysis does not realize the excess words are 760 // publicly zero. 761 declassify_assert(BN_cmp(r0, n) < 0); 762 bn_assert_fits_in_bytes(r0, BN_num_bytes(n)); 763 if (!bn_resize_words(r0, n->width)) { 764 return 0; 765 } 766 767 return 1; 768} 769 770static int ensure_bignum(BIGNUM **out) { 771 if (*out == NULL) { 772 *out = BN_new(); 773 } 774 return *out != NULL; 775} 776 777// kBoringSSLRSASqrtTwo is the BIGNUM representation of ⌊2²⁰⁴⁷×√2⌋. This is 778// chosen to give enough precision for 4096-bit RSA, the largest key size FIPS 779// specifies. Key sizes beyond this will round up. 780// 781// To calculate, use the following Haskell code: 782// 783// import Text.Printf (printf) 784// import Data.List (intercalate) 785// 786// pow2 = 4095 787// target = 2^pow2 788// 789// f x = x*x - (toRational target) 790// 791// fprime x = 2*x 792// 793// newtonIteration x = x - (f x) / (fprime x) 794// 795// converge x = 796// let n = floor x in 797// if n*n - target < 0 && (n+1)*(n+1) - target > 0 798// then n 799// else converge (newtonIteration x) 800// 801// divrem bits x = (x `div` (2^bits), x `rem` (2^bits)) 802// 803// bnWords :: Integer -> [Integer] 804// bnWords x = 805// if x == 0 806// then [] 807// else let (high, low) = divrem 64 x in low : bnWords high 808// 809// showWord x = let (high, low) = divrem 32 x in printf "TOBN(0x%08x, 0x%08x)" 810// high low 811// 812// output :: String 813// output = intercalate ", " $ map showWord $ bnWords $ converge (2 ^ (pow2 814// `div` 2)) 815// 816// To verify this number, check that n² < 2⁴⁰⁹⁵ < (n+1)², where n is value 817// represented here. Note the components are listed in little-endian order. Here 818// is some sample Python code to check: 819// 820// >>> TOBN = lambda a, b: a << 32 | b 821// >>> l = [ <paste the contents of kSqrtTwo> ] 822// >>> n = sum(a * 2**(64*i) for i, a in enumerate(l)) 823// >>> n**2 < 2**4095 < (n+1)**2 824// True 825const BN_ULONG kBoringSSLRSASqrtTwo[] = { 826 TOBN(0x4d7c60a5, 0xe633e3e1), TOBN(0x5fcf8f7b, 0xca3ea33b), 827 TOBN(0xc246785e, 0x92957023), TOBN(0xf9acce41, 0x797f2805), 828 TOBN(0xfdfe170f, 0xd3b1f780), TOBN(0xd24f4a76, 0x3facb882), 829 TOBN(0x18838a2e, 0xaff5f3b2), TOBN(0xc1fcbdde, 0xa2f7dc33), 830 TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307), 831 TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f), 832 TOBN(0xb8cf341b, 0x6f8236c7), TOBN(0x4264dabc, 0xd528b651), 833 TOBN(0xf4d3a02c, 0xebc93e0c), TOBN(0x81394ab6, 0xd8fd0efd), 834 TOBN(0xeaa4a089, 0x9040ca4a), TOBN(0xf52f120f, 0x836e582e), 835 TOBN(0xcb2a6343, 0x31f3c84d), TOBN(0xc6d5a8a3, 0x8bb7e9dc), 836 TOBN(0x460abc72, 0x2f7c4e33), TOBN(0xcab1bc91, 0x1688458a), 837 TOBN(0x53059c60, 0x11bc337b), TOBN(0xd2202e87, 0x42af1f4e), 838 TOBN(0x78048736, 0x3dfa2768), TOBN(0x0f74a85e, 0x439c7b4a), 839 TOBN(0xa8b1fe6f, 0xdc83db39), TOBN(0x4afc8304, 0x3ab8a2c3), 840 TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c), 841 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484), 842}; 843const size_t kBoringSSLRSASqrtTwoLen = OPENSSL_ARRAY_SIZE(kBoringSSLRSASqrtTwo); 844 845// generate_prime sets |out| to a prime with length |bits| such that |out|-1 is 846// relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to 847// |p|. |sqrt2| must be ⌊2^(bits-1)×√2⌋ (or a slightly overestimate for large 848// sizes), and |pow2_bits_100| must be 2^(bits-100). 849// 850// This function fails with probability around 2^-21. 851static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, 852 const BIGNUM *p, const BIGNUM *sqrt2, 853 const BIGNUM *pow2_bits_100, BN_CTX *ctx, 854 BN_GENCB *cb) { 855 if (bits < 128 || (bits % BN_BITS2) != 0) { 856 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 857 return 0; 858 } 859 assert(BN_is_pow2(pow2_bits_100)); 860 assert(BN_is_bit_set(pow2_bits_100, bits - 100)); 861 862 // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is nlen/2. 863 864 // Use the limit from steps 4.7 and 5.8 for most values of |e|. When |e| is 3, 865 // the 186-4 limit is too low, so we use a higher one. Note this case is not 866 // reachable from |RSA_generate_key_fips|. 867 // 868 // |limit| determines the failure probability. We must find a prime that is 869 // not 1 mod |e|. By the prime number theorem, we'll find one with probability 870 // p = (e-1)/e * 2/(ln(2)*bits). Note the second term is doubled because we 871 // discard even numbers. 872 // 873 // The failure probability is thus (1-p)^limit. To convert that to a power of 874 // two, we take logs. -log_2((1-p)^limit) = -limit * ln(1-p) / ln(2). 875 // 876 // >>> def f(bits, e, limit): 877 // ... p = (e-1.0)/e * 2.0/(math.log(2)*bits) 878 // ... return -limit * math.log(1 - p) / math.log(2) 879 // ... 880 // >>> f(1024, 65537, 5*1024) 881 // 20.842750558272634 882 // >>> f(1536, 65537, 5*1536) 883 // 20.83294549602474 884 // >>> f(2048, 65537, 5*2048) 885 // 20.828047576234948 886 // >>> f(1024, 3, 8*1024) 887 // 22.222147925962307 888 // >>> f(1536, 3, 8*1536) 889 // 22.21518251065506 890 // >>> f(2048, 3, 8*2048) 891 // 22.211701985875937 892 if (bits >= INT_MAX / 32) { 893 OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE); 894 return 0; 895 } 896 int limit = BN_is_word(e, 3) ? bits * 8 : bits * 5; 897 898 int tries = 0, rand_tries = 0; 899 bssl::BN_CTXScope scope(ctx); 900 BIGNUM *tmp = BN_CTX_get(ctx); 901 if (tmp == NULL) { 902 return 0; 903 } 904 905 for (;;) { 906 // Generate a random number of length |bits| where the bottom bit is set 907 // (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the 908 // bound checked below in steps 4.4 and 5.5). 909 if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) || 910 !BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) { 911 return 0; 912 } 913 914 if (p != NULL) { 915 // If |p| and |out| are too close, try again (step 5.4). 916 if (!bn_abs_sub_consttime(tmp, out, p, ctx)) { 917 return 0; 918 } 919 if (BN_cmp(tmp, pow2_bits_100) <= 0) { 920 continue; 921 } 922 } 923 924 // If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5). This is equivalent 925 // to out <= ⌊2^(bits-1)×√2⌋, or out <= sqrt2 for FIPS key sizes. 926 // 927 // For larger keys, the comparison is approximate, leaning towards 928 // retrying. That is, we reject a negligible fraction of primes that are 929 // within the FIPS bound, but we will never accept a prime outside the 930 // bound, ensuring the resulting RSA key is the right size. 931 // 932 // Values over the threshold are discarded, so it is safe to leak this 933 // comparison. 934 if (constant_time_declassify_int(BN_cmp(out, sqrt2) <= 0)) { 935 continue; 936 } 937 938 // RSA key generation's bottleneck is discarding composites. If it fails 939 // trial division, do not bother computing a GCD or performing Miller-Rabin. 940 if (!bn_odd_number_is_obviously_composite(out)) { 941 // Check gcd(out-1, e) is one (steps 4.5 and 5.6). Leaking the final 942 // result of this comparison is safe because, if not relatively prime, the 943 // value will be discarded. 944 int relatively_prime; 945 if (!bn_usub_consttime(tmp, out, BN_value_one()) || 946 !bn_is_relatively_prime(&relatively_prime, tmp, e, ctx)) { 947 return 0; 948 } 949 if (constant_time_declassify_int(relatively_prime)) { 950 // Test |out| for primality (steps 4.5.1 and 5.6.1). 951 int is_probable_prime; 952 if (!BN_primality_test(&is_probable_prime, out, 953 BN_prime_checks_for_generation, ctx, 0, cb)) { 954 return 0; 955 } 956 if (is_probable_prime) { 957 return 1; 958 } 959 } 960 } 961 962 // If we've tried too many times to find a prime, abort (steps 4.7 and 963 // 5.8). 964 tries++; 965 if (tries >= limit) { 966 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS); 967 return 0; 968 } 969 if (!BN_GENCB_call(cb, 2, tries)) { 970 return 0; 971 } 972 } 973} 974 975// rsa_generate_key_impl generates an RSA key using a generalized version of 976// FIPS 186-4 appendix B.3. |RSA_generate_key_fips| performs additional checks 977// for FIPS-compliant key generation. 978// 979// This function returns one on success and zero on failure. It has a failure 980// probability of about 2^-20. 981static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value, 982 BN_GENCB *cb) { 983 // See FIPS 186-4 appendix B.3. This function implements a generalized version 984 // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks 985 // for FIPS-compliant key generation. 986 987 // Always generate RSA keys which are a multiple of 128 bits. Round |bits| 988 // down as needed. 989 bits &= ~127; 990 991 // Reject excessively small keys. 992 if (bits < 256) { 993 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); 994 return 0; 995 } 996 997 // Reject excessively large public exponents. Windows CryptoAPI and Go don't 998 // support values larger than 32 bits, so match their limits for generating 999 // keys. (|rsa_check_public_key| uses a slightly more conservative value, but 1000 // we don't need to support generating such keys.) 1001 // https://github.com/golang/go/issues/3161 1002 // https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx 1003 if (BN_num_bits(e_value) > 32) { 1004 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); 1005 return 0; 1006 } 1007 1008 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new()); 1009 int sqrt2_bits; 1010 if (ctx == nullptr) { 1011 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1012 return 0; 1013 } 1014 1015 int prime_bits = bits / 2; 1016 bssl::BN_CTXScope scope(ctx.get()); 1017 BIGNUM *totient = BN_CTX_get(ctx.get()); 1018 BIGNUM *pm1 = BN_CTX_get(ctx.get()); 1019 BIGNUM *qm1 = BN_CTX_get(ctx.get()); 1020 BIGNUM *sqrt2 = BN_CTX_get(ctx.get()); 1021 BIGNUM *pow2_prime_bits_100 = BN_CTX_get(ctx.get()); 1022 BIGNUM *pow2_prime_bits = BN_CTX_get(ctx.get()); 1023 if (totient == nullptr || pm1 == nullptr || qm1 == nullptr || 1024 sqrt2 == nullptr || pow2_prime_bits_100 == nullptr || 1025 pow2_prime_bits == nullptr || 1026 !BN_set_bit(pow2_prime_bits_100, prime_bits - 100) || 1027 !BN_set_bit(pow2_prime_bits, prime_bits)) { 1028 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1029 return 0; 1030 } 1031 1032 // We need the RSA components non-null. 1033 if (!ensure_bignum(&rsa->n) || // 1034 !ensure_bignum(&rsa->d) || // 1035 !ensure_bignum(&rsa->e) || // 1036 !ensure_bignum(&rsa->p) || // 1037 !ensure_bignum(&rsa->q) || // 1038 !ensure_bignum(&rsa->dmp1) || // 1039 !ensure_bignum(&rsa->dmq1) || // 1040 !ensure_bignum(&rsa->iqmp)) { 1041 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1042 return 0; 1043 } 1044 1045 if (!BN_copy(rsa->e, e_value)) { 1046 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1047 return 0; 1048 } 1049 1050 // Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋. 1051 if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) { 1052 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1053 return 0; 1054 } 1055 sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2; 1056 assert(sqrt2_bits == (int)BN_num_bits(sqrt2)); 1057 if (sqrt2_bits > prime_bits) { 1058 // For key sizes up to 4096 (prime_bits = 2048), this is exactly 1059 // ⌊2^(prime_bits-1)×√2⌋. 1060 if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) { 1061 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1062 return 0; 1063 } 1064 } else if (prime_bits > sqrt2_bits) { 1065 // For key sizes beyond 4096, this is approximate. We err towards retrying 1066 // to ensure our key is the right size and round up. 1067 if (!BN_add_word(sqrt2, 1) || 1068 !BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) { 1069 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1070 return 0; 1071 } 1072 } 1073 assert(prime_bits == (int)BN_num_bits(sqrt2)); 1074 1075 do { 1076 // Generate p and q, each of size |prime_bits|, using the steps outlined in 1077 // appendix FIPS 186-4 appendix B.3.3. 1078 // 1079 // Each call to |generate_prime| fails with probability p = 2^-21. The 1080 // probability that either call fails is 1 - (1-p)^2, which is around 2^-20. 1081 if (!generate_prime(rsa->p, prime_bits, rsa->e, nullptr, sqrt2, 1082 pow2_prime_bits_100, ctx.get(), cb) || 1083 !BN_GENCB_call(cb, 3, 0) || 1084 !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2, 1085 pow2_prime_bits_100, ctx.get(), cb) || 1086 !BN_GENCB_call(cb, 3, 1)) { 1087 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1088 return 0; 1089 } 1090 1091 if (BN_cmp(rsa->p, rsa->q) < 0) { 1092 BIGNUM *tmp = rsa->p; 1093 rsa->p = rsa->q; 1094 rsa->q = tmp; 1095 } 1096 1097 // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs 1098 // from typical RSA implementations which use (p-1)*(q-1). 1099 // 1100 // Note this means the size of d might reveal information about p-1 and 1101 // q-1. However, we do operations with Chinese Remainder Theorem, so we only 1102 // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient 1103 // does not affect those two values. 1104 int no_inverse; 1105 if (!bn_usub_consttime(pm1, rsa->p, BN_value_one()) || 1106 !bn_usub_consttime(qm1, rsa->q, BN_value_one()) || 1107 !bn_lcm_consttime(totient, pm1, qm1, ctx.get()) || 1108 !bn_mod_inverse_consttime(rsa->d, &no_inverse, rsa->e, totient, 1109 ctx.get())) { 1110 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1111 return 0; 1112 } 1113 1114 // Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on 1115 // values for d. When we retry, p and q are discarded, so it is safe to leak 1116 // this comparison. 1117 } while (constant_time_declassify_int(BN_cmp(rsa->d, pow2_prime_bits) <= 0)); 1118 1119 assert(BN_num_bits(pm1) == (unsigned)prime_bits); 1120 assert(BN_num_bits(qm1) == (unsigned)prime_bits); 1121 if ( // Calculate n. 1122 !bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx.get()) || 1123 // Calculate d mod (p-1). 1124 !bn_div_consttime(nullptr, rsa->dmp1, rsa->d, pm1, prime_bits, 1125 ctx.get()) || 1126 // Calculate d mod (q-1) 1127 !bn_div_consttime(nullptr, rsa->dmq1, rsa->d, qm1, prime_bits, 1128 ctx.get())) { 1129 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1130 return 0; 1131 } 1132 bn_set_minimal_width(rsa->n); 1133 1134 // |rsa->n| is computed from the private key, but is public. 1135 bn_declassify(rsa->n); 1136 1137 // Calculate q^-1 mod p. 1138 rsa->mont_p = BN_MONT_CTX_new_consttime(rsa->p, ctx.get()); 1139 if (rsa->mont_p == nullptr || // 1140 !bn_mod_inverse_secret_prime(rsa->iqmp, rsa->q, rsa->p, ctx.get(), 1141 rsa->mont_p)) { 1142 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); 1143 return 0; 1144 } 1145 1146 // Sanity-check that |rsa->n| has the specified size. This is implied by 1147 // |generate_prime|'s bounds. 1148 if (BN_num_bits(rsa->n) != (unsigned)bits) { 1149 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); 1150 return 0; 1151 } 1152 1153 // The key generation process is complex and thus error-prone. It could be 1154 // disastrous to generate and then use a bad key so double-check that the key 1155 // makes sense. Also, while |rsa| is mutable, fill in the cached components. 1156 if (!RSA_check_key(rsa) || !freeze_private_key(rsa, ctx.get())) { 1157 OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR); 1158 return 0; 1159 } 1160 1161 return 1; 1162} 1163 1164static void replace_bignum(BIGNUM **out, BIGNUM **in) { 1165 BN_free(*out); 1166 *out = *in; 1167 *in = NULL; 1168} 1169 1170static void replace_bn_mont_ctx(BN_MONT_CTX **out, BN_MONT_CTX **in) { 1171 BN_MONT_CTX_free(*out); 1172 *out = *in; 1173 *in = NULL; 1174} 1175 1176static int RSA_generate_key_ex_maybe_fips(RSA *rsa, int bits, 1177 const BIGNUM *e_value, BN_GENCB *cb, 1178 int check_fips) { 1179 boringssl_ensure_rsa_self_test(); 1180 1181 if (rsa == NULL) { 1182 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 1183 return 0; 1184 } 1185 1186 RSA *tmp = NULL; 1187 uint32_t err; 1188 int ret = 0; 1189 1190 // |rsa_generate_key_impl|'s 2^-20 failure probability is too high at scale, 1191 // so we run the FIPS algorithm four times, bringing it down to 2^-80. We 1192 // should just adjust the retry limit, but FIPS 186-4 prescribes that value 1193 // and thus results in unnecessary complexity. 1194 int failures = 0; 1195 do { 1196 ERR_clear_error(); 1197 // Generate into scratch space, to avoid leaving partial work on failure. 1198 tmp = RSA_new(); 1199 if (tmp == NULL) { 1200 goto out; 1201 } 1202 1203 if (rsa_generate_key_impl(tmp, bits, e_value, cb)) { 1204 break; 1205 } 1206 1207 err = ERR_peek_error(); 1208 RSA_free(tmp); 1209 tmp = NULL; 1210 failures++; 1211 1212 // Only retry on |RSA_R_TOO_MANY_ITERATIONS|. This is so a caller-induced 1213 // failure in |BN_GENCB_call| is still fatal. 1214 } while (failures < 4 && ERR_GET_LIB(err) == ERR_LIB_RSA && 1215 ERR_GET_REASON(err) == RSA_R_TOO_MANY_ITERATIONS); 1216 1217 if (tmp == NULL || (check_fips && !RSA_check_fips(tmp))) { 1218 goto out; 1219 } 1220 1221 rsa_invalidate_key(rsa); 1222 replace_bignum(&rsa->n, &tmp->n); 1223 replace_bignum(&rsa->e, &tmp->e); 1224 replace_bignum(&rsa->d, &tmp->d); 1225 replace_bignum(&rsa->p, &tmp->p); 1226 replace_bignum(&rsa->q, &tmp->q); 1227 replace_bignum(&rsa->dmp1, &tmp->dmp1); 1228 replace_bignum(&rsa->dmq1, &tmp->dmq1); 1229 replace_bignum(&rsa->iqmp, &tmp->iqmp); 1230 replace_bn_mont_ctx(&rsa->mont_n, &tmp->mont_n); 1231 replace_bn_mont_ctx(&rsa->mont_p, &tmp->mont_p); 1232 replace_bn_mont_ctx(&rsa->mont_q, &tmp->mont_q); 1233 replace_bignum(&rsa->d_fixed, &tmp->d_fixed); 1234 replace_bignum(&rsa->dmp1_fixed, &tmp->dmp1_fixed); 1235 replace_bignum(&rsa->dmq1_fixed, &tmp->dmq1_fixed); 1236 replace_bignum(&rsa->iqmp_mont, &tmp->iqmp_mont); 1237 rsa->private_key_frozen = tmp->private_key_frozen; 1238 ret = 1; 1239 1240out: 1241 RSA_free(tmp); 1242 return ret; 1243} 1244 1245int RSA_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e_value, 1246 BN_GENCB *cb) { 1247 return RSA_generate_key_ex_maybe_fips(rsa, bits, e_value, cb, 1248 /*check_fips=*/0); 1249} 1250 1251int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) { 1252 // FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit 1253 // primes, respectively) with the prime generation method we use. 1254 // Subsequently, IG A.14 stated that larger modulus sizes can be used and ACVP 1255 // testing supports 4096 bits. 1256 if (bits != 2048 && bits != 3072 && bits != 4096) { 1257 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS); 1258 return 0; 1259 } 1260 1261 BIGNUM *e = BN_new(); 1262 int ret = e != NULL && BN_set_word(e, RSA_F4) && 1263 RSA_generate_key_ex_maybe_fips(rsa, bits, e, cb, /*check_fips=*/1); 1264 BN_free(e); 1265 1266 if (ret) { 1267 FIPS_service_indicator_update_state(); 1268 } 1269 return ret; 1270} 1271 1272DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) { 1273 // All of the methods are NULL to make it easier for the compiler/linker to 1274 // drop unused functions. The wrapper functions will select the appropriate 1275 // |rsa_default_*| implementation. 1276 OPENSSL_memset(out, 0, sizeof(RSA_METHOD)); 1277 out->common.is_static = 1; 1278} 1279