1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #include <openssl/rsa.h>
58 
59 #include <limits.h>
60 #include <string.h>
61 
62 #include <openssl/bn.h>
63 #include <openssl/engine.h>
64 #include <openssl/err.h>
65 #include <openssl/ex_data.h>
66 #include <openssl/mem.h>
67 #include <openssl/obj.h>
68 #include <openssl/thread.h>
69 
70 #include "internal.h"
71 #include "../internal.h"
72 
73 
/* g_ex_data_class is the registry for application data attached to |RSA|
 * objects through RSA_get_ex_new_index/RSA_set_ex_data. Per-object slots are
 * released by CRYPTO_free_ex_data in RSA_free (and on the RSA_new_method
 * failure path). */
static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
75 
/* RSA_new allocates an empty |RSA| bound to the default method. It is the
 * no-ENGINE form of RSA_new_method. */
RSA *RSA_new(void) {
  return RSA_new_method(NULL);
}
77 
/* RSA_new_method allocates a zeroed |RSA| and binds it to |engine|'s RSA
 * method, falling back to |RSA_default_method| when |engine| is NULL or does
 * not supply one. The new object starts with one reference. Returns NULL on
 * allocation failure or if the method's |init| hook rejects the object; in
 * that case everything acquired so far is released again. */
RSA *RSA_new_method(const ENGINE *engine) {
  RSA *ret = (RSA *)OPENSSL_malloc(sizeof(RSA));
  if (ret == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    return NULL;
  }
  memset(ret, 0, sizeof(RSA));

  /* Resolve the method: ENGINE-provided first, default otherwise. */
  RSA_METHOD *meth = NULL;
  if (engine != NULL) {
    meth = ENGINE_get_RSA_method(engine);
  }
  if (meth == NULL) {
    meth = (RSA_METHOD *)&RSA_default_method;
  }
  ret->meth = meth;
  METHOD_ref(ret->meth);

  ret->references = 1;
  /* Method flags (e.g. RSA_FLAG_OPAQUE) are copied onto the object. */
  ret->flags = ret->meth->flags;
  CRYPTO_MUTEX_init(&ret->lock);
  CRYPTO_new_ex_data(&ret->ex_data);

  /* Give the method a chance to attach its own state; unwind fully on
   * failure so nothing leaks. */
  if (ret->meth->init != NULL && !ret->meth->init(ret)) {
    CRYPTO_free_ex_data(&g_ex_data_class, ret, &ret->ex_data);
    CRYPTO_MUTEX_cleanup(&ret->lock);
    METHOD_unref(ret->meth);
    OPENSSL_free(ret);
    return NULL;
  }

  return ret;
}
111 
/* RSA_additional_prime_free releases one multi-prime component. The BIGNUMs
 * hold private material (the prime, its CRT exponent and coefficient), so they
 * are wiped with BN_clear_free rather than BN_free. NULL is accepted. */
void RSA_additional_prime_free(RSA_additional_prime *ap) {
  if (ap == NULL) {
    return;
  }

  BIGNUM *secrets[] = {ap->prime, ap->exp, ap->coeff, ap->r};
  for (size_t i = 0; i < sizeof(secrets) / sizeof(secrets[0]); i++) {
    BN_clear_free(secrets[i]);
  }
  BN_MONT_CTX_free(ap->mont);
  OPENSSL_free(ap);
}
124 
/* RSA_free drops one reference to |rsa| and, when the count reaches zero,
 * runs the method's |finish| hook and destroys the object. All key-material
 * BIGNUMs (including the public n and e, for simplicity) are released with
 * BN_clear_free so secret limbs are wiped before the memory is returned.
 * NULL is accepted. */
void RSA_free(RSA *rsa) {
  if (rsa == NULL) {
    return;
  }

  /* Other holders still exist: nothing to tear down yet. */
  if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
    return;
  }

  /* Method teardown first, while the object is still intact. */
  if (rsa->meth->finish != NULL) {
    rsa->meth->finish(rsa);
  }
  METHOD_unref(rsa->meth);

  CRYPTO_free_ex_data(&g_ex_data_class, rsa, &rsa->ex_data);

  BIGNUM *components[] = {rsa->n,    rsa->e,    rsa->d,    rsa->p,
                          rsa->q,    rsa->dmp1, rsa->dmq1, rsa->iqmp};
  for (size_t i = 0; i < sizeof(components) / sizeof(components[0]); i++) {
    BN_clear_free(components[i]);
  }
  BN_MONT_CTX_free(rsa->mont_n);
  BN_MONT_CTX_free(rsa->mont_p);
  BN_MONT_CTX_free(rsa->mont_q);

  /* Blinding state (one entry per concurrent private operation). */
  unsigned u;
  for (u = 0; u < rsa->num_blindings; u++) {
    BN_BLINDING_free(rsa->blindings[u]);
  }
  OPENSSL_free(rsa->blindings);
  OPENSSL_free(rsa->blindings_inuse);

  if (rsa->additional_primes != NULL) {
    sk_RSA_additional_prime_pop_free(rsa->additional_primes,
                                     RSA_additional_prime_free);
  }

  CRYPTO_MUTEX_cleanup(&rsa->lock);
  OPENSSL_free(rsa);
}
166 
/* RSA_up_ref takes an additional reference to |rsa|; pair it with a later
 * RSA_free. Always returns one (kept for OpenSSL API compatibility). */
int RSA_up_ref(RSA *rsa) {
  CRYPTO_refcount_inc(&rsa->references);
  return 1;
}
171 
/* RSA_generate_key_ex generates a |bits|-bit two-prime key with public
 * exponent |e_value| into |rsa|, reporting progress through |cb|. A method
 * |keygen| hook takes precedence over the built-in generator. Returns one on
 * success and zero on failure. */
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
  if (rsa->meth->keygen == NULL) {
    return rsa_default_keygen(rsa, bits, e_value, cb);
  }
  return rsa->meth->keygen(rsa, bits, e_value, cb);
}
179 
/* RSA_generate_multi_prime_key generates a |bits|-bit key whose modulus is the
 * product of |num_primes| primes, with public exponent |e_value|. A method
 * |multi_prime_keygen| hook takes precedence over the built-in generator.
 * Returns one on success and zero on failure. Note that RSA_check_key only
 * validates the dmp1/dmq1/iqmp CRT values of two-prime keys. */
int RSA_generate_multi_prime_key(RSA *rsa, int bits, int num_primes,
                                 BIGNUM *e_value, BN_GENCB *cb) {
  if (rsa->meth->multi_prime_keygen == NULL) {
    return rsa_default_multi_prime_keygen(rsa, bits, num_primes, e_value, cb);
  }
  return rsa->meth->multi_prime_keygen(rsa, bits, num_primes, e_value, cb);
}
188 
/* RSA_encrypt performs a public-key operation on |in| with the given
 * |padding| mode, writing at most |max_out| bytes to |out| and the number
 * actually written to |*out_len|. A method |encrypt| hook takes precedence
 * over the built-in implementation. Returns one on success, zero on error. */
int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
                const uint8_t *in, size_t in_len, int padding) {
  if (rsa->meth->encrypt == NULL) {
    return rsa_default_encrypt(rsa, out_len, out, max_out, in, in_len, padding);
  }
  return rsa->meth->encrypt(rsa, out_len, out, max_out, in, in_len, padding);
}
197 
/* RSA_public_encrypt is the legacy OpenSSL form of RSA_encrypt. |to| must
 * have room for RSA_size(rsa) bytes, which is what is passed as the output
 * bound. Returns the number of bytes written, or -1 on error (including the
 * theoretical case of a length that does not fit in an int). */
int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
                       int padding) {
  size_t written;

  if (!RSA_encrypt(rsa, &written, to, RSA_size(rsa), from, flen, padding)) {
    return -1;
  }

  /* The legacy return type is int: never silently truncate a size_t. */
  if (written > INT_MAX) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
    return -1;
  }
  return (int)written;
}
212 
/* RSA_sign_raw applies the private key to |in| under the given |padding|
 * mode (no hashing, no DigestInfo; see RSA_sign for the PKCS#1 v1.5 signature
 * path). At most |max_out| bytes are written to |out| and |*out_len| receives
 * the length. A method |sign_raw| hook takes precedence over the built-in
 * implementation. Returns one on success, zero on error. */
int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
                 const uint8_t *in, size_t in_len, int padding) {
  if (rsa->meth->sign_raw == NULL) {
    return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len,
                                padding);
  }
  return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
}
221 
/* RSA_private_encrypt is the legacy OpenSSL form of RSA_sign_raw. |to| must
 * have room for RSA_size(rsa) bytes. Returns the number of bytes written or
 * -1 on error. */
int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
                        int padding) {
  size_t written;

  if (!RSA_sign_raw(rsa, &written, to, RSA_size(rsa), from, flen, padding)) {
    return -1;
  }

  /* Legacy int return: refuse rather than truncate. */
  if (written > INT_MAX) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
    return -1;
  }
  return (int)written;
}
236 
/* RSA_decrypt performs a private-key operation on |in| and strips |padding|,
 * writing at most |max_out| bytes to |out| and the length to |*out_len|. A
 * method |decrypt| hook takes precedence over the built-in implementation.
 * Returns one on success, zero on error. Callers using RSA_PKCS1_PADDING
 * should be aware that a padding failure is reported as an error here; a
 * remote-observable distinction between "bad padding" and "good padding" is
 * exactly what a Bleichenbacher oracle needs, so that distinction must not be
 * exposed to an untrusted peer. */
int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
                const uint8_t *in, size_t in_len, int padding) {
  if (rsa->meth->decrypt == NULL) {
    return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
  }
  return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
}
245 
/* RSA_private_decrypt is the legacy OpenSSL form of RSA_decrypt. |to| must
 * have room for RSA_size(rsa) bytes. Returns the plaintext length or -1 on
 * error; see RSA_decrypt for the padding-oracle caveat that applies to the
 * -1 return. */
int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
                        int padding) {
  size_t written;

  if (!RSA_decrypt(rsa, &written, to, RSA_size(rsa), from, flen, padding)) {
    return -1;
  }

  /* Legacy int return: refuse rather than truncate. */
  if (written > INT_MAX) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
    return -1;
  }
  return (int)written;
}
260 
/* RSA_verify_raw applies the public key to |in| and strips |padding|, writing
 * the recovered payload (for a PKCS#1 v1.5 signature, the DigestInfo) to
 * |out|. It does not compare against anything; RSA_verify does that. A method
 * |verify_raw| hook takes precedence over the built-in implementation.
 * Returns one on success, zero on error. */
int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
                   const uint8_t *in, size_t in_len, int padding) {
  if (rsa->meth->verify_raw == NULL) {
    return rsa_default_verify_raw(rsa, out_len, out, max_out, in, in_len,
                                  padding);
  }
  return rsa->meth->verify_raw(rsa, out_len, out, max_out, in, in_len,
                               padding);
}
270 
/* RSA_public_decrypt is the legacy OpenSSL form of RSA_verify_raw. |to| must
 * have room for RSA_size(rsa) bytes. Returns the recovered length or -1 on
 * error. */
int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
                       int padding) {
  size_t written;

  if (!RSA_verify_raw(rsa, &written, to, RSA_size(rsa), from, flen, padding)) {
    return -1;
  }

  /* Legacy int return: refuse rather than truncate. */
  if (written > INT_MAX) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
    return -1;
  }
  return (int)written;
}
285 
/* RSA_size returns the modulus length in bytes, which is also the size of a
 * raw ciphertext or signature and the minimum output buffer the legacy
 * RSA_*_encrypt/decrypt wrappers require. A method |size| hook (used by opaque
 * keys) takes precedence over the built-in computation. */
unsigned RSA_size(const RSA *rsa) {
  if (rsa->meth->size == NULL) {
    return rsa_default_size(rsa);
  }
  return rsa->meth->size(rsa);
}
293 
/* RSA_is_opaque returns one if |rsa|'s method is flagged RSA_FLAG_OPAQUE,
 * i.e. the key components are not available to this library (typically a
 * hardware or remote key), and zero otherwise. Opaque keys skip the component
 * checks in RSA_check_key. */
int RSA_is_opaque(const RSA *rsa) {
  if (rsa->meth == NULL) {
    return 0;
  }
  return (rsa->meth->flags & RSA_FLAG_OPAQUE) != 0;
}
297 
/* RSA_supports_digest asks the method whether |md| may be used with |rsa|.
 * Without a |supports_digest| hook every digest is accepted, including the
 * MD5 and SHA-1 entries of the PKCS#1 prefix table, so digest policy for
 * software keys has to be enforced by the caller. */
int RSA_supports_digest(const RSA *rsa, const EVP_MD *md) {
  const int has_hook = rsa->meth != NULL && rsa->meth->supports_digest != NULL;
  if (!has_hook) {
    return 1;
  }
  return rsa->meth->supports_digest(rsa, md);
}
304 
/* RSA_get_ex_new_index allocates a new ex_data slot for |RSA| objects and
 * returns its index, or -1 on failure. |unused| is accepted only for OpenSSL
 * signature compatibility. |free_func| runs for each object in RSA_free. */
int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
                         CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
  int index;
  const int ok = CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
                                         dup_func, free_func);
  return ok ? index : -1;
}
314 
/* RSA_set_ex_data stores |arg| in slot |idx| of |d| (an index previously
 * returned by RSA_get_ex_new_index). Returns one on success, zero on
 * failure. */
int RSA_set_ex_data(RSA *d, int idx, void *arg) {
  CRYPTO_EX_DATA *slots = &d->ex_data;
  return CRYPTO_set_ex_data(slots, idx, arg);
}
318 
/* RSA_get_ex_data returns the value stored in slot |idx| of |d|, or NULL if
 * nothing was set there. */
void *RSA_get_ex_data(const RSA *d, int idx) {
  const CRYPTO_EX_DATA *slots = &d->ex_data;
  return CRYPTO_get_ex_data(slots, idx);
}
322 
/* SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature
 * input: the concatenation of an MD5 hash (16 bytes) and a SHA-1 hash (20
 * bytes). This input is signed with PKCS#1 v1.5 type-1 padding directly,
 * without a DigestInfo prefix (see the NID_md5_sha1 special case in
 * RSA_add_pkcs1_prefix). */
static const unsigned SSL_SIG_LENGTH = 36;
326 
/* pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
 * to be signed with PKCS#1 v1.5: the DigestInfo SEQUENCE header, the
 * AlgorithmIdentifier and the OCTET STRING header of the digest. Appending
 * the raw digest to |bytes| yields the complete DigestInfo. */
struct pkcs1_sig_prefix {
  /* nid identifies the hash function. */
  int nid;
  /* len is the number of bytes of |bytes| which are valid. */
  uint8_t len;
  /* bytes contains the DER bytes. 19 is the longest prefix in the table (the
   * SHA-2 family). The last valid byte is the OCTET STRING length, i.e. the
   * digest length the prefix was built for. */
  uint8_t bytes[19];
};
337 
/* kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
 * different hash functions, terminated by a NID_undef entry. Each prefix is
 *   SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING header }
 * with the outer length (second byte) covering prefix + digest and the final
 * byte being the digest length. MD5 and SHA-1 are present for compatibility
 * with legacy signatures only; they should not be used for new signatures. */
static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
    /* MD5: OID 1.2.840.113549.2.5, 16-byte digest, total 0x20 = 32 bytes. */
    {
     NID_md5,
     18,
     {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
      0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
    },
    /* SHA-1: OID 1.3.14.3.2.26, 20-byte digest, total 0x21 = 33 bytes. */
    {
     NID_sha1,
     15,
     {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
      0x00, 0x04, 0x14},
    },
    /* SHA-224: OID 2.16.840.1.101.3.4.2.4, 28-byte digest, total 0x2d = 45. */
    {
     NID_sha224,
     19,
     {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
      0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
    },
    /* SHA-256: OID 2.16.840.1.101.3.4.2.1, 32-byte digest, total 0x31 = 49. */
    {
     NID_sha256,
     19,
     {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
      0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
    },
    /* SHA-384: OID 2.16.840.1.101.3.4.2.2, 48-byte digest, total 0x41 = 65. */
    {
     NID_sha384,
     19,
     {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
      0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
    },
    /* SHA-512: OID 2.16.840.1.101.3.4.2.3, 64-byte digest, total 0x51 = 81. */
    {
     NID_sha512,
     19,
     {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
      0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
    },
    /* Terminator: lookups stop here. */
    {
     NID_undef, 0, {0},
    },
};
381 
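/* RSA_add_pkcs1_prefix builds the PKCS#1 v1.5 DigestInfo for a |hash_nid|
 * digest |msg| of |msg_len| bytes. On success it sets |*out_msg| and
 * |*out_msg_len| to the DER prefix followed by the digest and |*is_alloced|
 * to one if the caller must OPENSSL_free |*out_msg|. For NID_md5_sha1 (TLS
 * 1.0/1.1 signatures) there is no DigestInfo: |msg| itself is returned,
 * unallocated, and must be exactly SSL_SIG_LENGTH bytes.
 *
 * |msg_len| must match the digest length encoded in the prefix (its last
 * byte, the OCTET STRING length); otherwise the DigestInfo would be
 * malformed, which would make RSA_sign emit a signature no conforming verifier
 * accepts. Rejecting it here also bounds |msg_len| so the length arithmetic
 * below cannot overflow. Returns one on success and zero on error with
 * RSA_R_INVALID_MESSAGE_LENGTH, RSA_R_UNKNOWN_ALGORITHM_TYPE or
 * ERR_R_MALLOC_FAILURE set. */
int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
                         int *is_alloced, int hash_nid, const uint8_t *msg,
                         size_t msg_len) {
  unsigned i;

  if (hash_nid == NID_md5_sha1) {
    /* Special case: SSL signature, just check the length. */
    if (msg_len != SSL_SIG_LENGTH) {
      OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
      return 0;
    }

    *out_msg = (uint8_t *)msg;
    *out_msg_len = SSL_SIG_LENGTH;
    *is_alloced = 0;
    return 1;
  }

  for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
    const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
    if (sig_prefix->nid != hash_nid) {
      continue;
    }

    const uint8_t *prefix = sig_prefix->bytes;
    const size_t prefix_len = sig_prefix->len;

    /* Every real entry ends with the OCTET STRING length byte, which is the
     * digest length the prefix was built for. */
    const size_t expected_digest_len = prefix[prefix_len - 1];
    if (msg_len != expected_digest_len) {
      OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
      return 0;
    }

    /* Both terms are now small (prefix_len <= 19, msg_len <= 64), and the
     * sum is kept in size_t, so it cannot wrap or be truncated before it is
     * used as the allocation size and copy bound. */
    const size_t signed_msg_len = prefix_len + msg_len;
    uint8_t *signed_msg = OPENSSL_malloc(signed_msg_len);
    if (signed_msg == NULL) {
      OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
      return 0;
    }

    memcpy(signed_msg, prefix, prefix_len);
    memcpy(signed_msg + prefix_len, msg, msg_len);

    *out_msg = signed_msg;
    *out_msg_len = signed_msg_len;
    *is_alloced = 1;

    return 1;
  }

  OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
  return 0;
}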
436 
/* RSA_sign produces a PKCS#1 v1.5 signature over the |hash_nid| digest |in|
 * (|in_len| bytes), writing it to |out| and its length to |*out_len|. |out|
 * must have room for RSA_size(rsa) bytes. The digest is wrapped in a
 * DigestInfo (RSA_add_pkcs1_prefix), checked to fit under the type-1 padding
 * overhead, and then passed to RSA_sign_raw. A method |sign| hook replaces
 * the whole path. Returns one on success and zero on error. */
int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
             unsigned *out_len, RSA *rsa) {
  const unsigned rsa_size = RSA_size(rsa);
  uint8_t *digest_info;
  size_t digest_info_len;
  int digest_info_is_alloced = 0;
  size_t written;
  int ret = 0;

  if (rsa->meth->sign != NULL) {
    return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
  }

  if (!RSA_add_pkcs1_prefix(&digest_info, &digest_info_len,
                            &digest_info_is_alloced, hash_nid, in, in_len)) {
    return 0;
  }

  /* The DigestInfo plus RSA_PKCS1_PADDING_SIZE bytes of padding overhead must
   * fit in the modulus. Two comparisons keep the subtraction from wrapping on
   * a tiny key. */
  const int fits = rsa_size >= RSA_PKCS1_PADDING_SIZE &&
                   digest_info_len <= rsa_size - RSA_PKCS1_PADDING_SIZE;
  if (!fits) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
    goto done;
  }

  if (RSA_sign_raw(rsa, &written, out, rsa_size, digest_info, digest_info_len,
                   RSA_PKCS1_PADDING)) {
    /* |written| is bounded by |rsa_size|, so narrowing to unsigned is safe. */
    *out_len = (unsigned)written;
    ret = 1;
  }

done:
  if (digest_info_is_alloced) {
    OPENSSL_free(digest_info);
  }
  return ret;
}
473 
/* RSA_verify checks that |sig| is a PKCS#1 v1.5 signature by |rsa| over the
 * |hash_nid| digest |msg|. It recovers the padded payload with
 * RSA_verify_raw, rebuilds the expected DigestInfo with RSA_add_pkcs1_prefix
 * and requires an exact match: the recovered length must equal the expected
 * length (no trailing bytes are tolerated, which is what rules out
 * Bleichenbacher-2006 style forgeries against small exponents) and the bytes
 * are compared with CRYPTO_memcmp. A method |verify| hook replaces the whole
 * path. Returns one if the signature is valid and zero otherwise. */
int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
               const uint8_t *sig, size_t sig_len, RSA *rsa) {
  const size_t rsa_size = RSA_size(rsa);
  uint8_t *recovered = NULL;  /* de-padded payload from the signature */
  uint8_t *expected = NULL;   /* DigestInfo built from |msg| */
  size_t recovered_len, expected_len;
  int expected_is_alloced = 0;
  int ret = 0;

  if (rsa->meth->verify != NULL) {
    return rsa->meth->verify(hash_nid, msg, msg_len, sig, sig_len, rsa);
  }

  /* A signature is always exactly one modulus in length. */
  if (sig_len != rsa_size) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_WRONG_SIGNATURE_LENGTH);
    return 0;
  }

  if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
    return 0;
  }

  recovered = OPENSSL_malloc(rsa_size);
  if (recovered == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    return 0;
  }

  /* Public-key operation first, then the expected encoding; an error from
   * either is already on the error queue. */
  if (!RSA_verify_raw(rsa, &recovered_len, recovered, rsa_size, sig, sig_len,
                      RSA_PKCS1_PADDING) ||
      !RSA_add_pkcs1_prefix(&expected, &expected_len, &expected_is_alloced,
                            hash_nid, msg, msg_len)) {
    goto done;
  }

  /* Exact-length, constant-time comparison of the two encodings. */
  if (recovered_len != expected_len ||
      CRYPTO_memcmp(recovered, expected, recovered_len) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
    goto done;
  }

  ret = 1;

done:
  OPENSSL_free(recovered);
  if (expected_is_alloced) {
    OPENSSL_free(expected);
  }
  return ret;
}
527 
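/* bn_free_and_null releases |*bn| and clears the pointer. It is used by
 * RSA_recover_crt_params to discard p, q, dmp1, dmq1 and iqmp on a failed
 * recovery; since those may already hold partially computed private values,
 * BN_clear_free is used so the limbs are wiped rather than merely freed.
 * |*bn| may be NULL. */
static void bn_free_and_null(BIGNUM **bn) {
  BN_clear_free(*bn);
  *bn = NULL;
}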
532 
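/* RSA_check_key performs consistency checks on |key|'s components. It
 * returns one when the checks pass (or when nothing can be checked) and zero
 * with an RSA_R_* reason otherwise.
 *
 * For a key with d, p and q it verifies that n is the product of all primes,
 * that d*e == 1 (mod lcm(p-1, q-1, r_i-1)) and, for two-prime keys carrying
 * CRT values, that dmp1 = d mod (p-1), dmq1 = d mod (q-1) and
 * iqmp = q^-1 mod p. The lcm is accumulated one prime at a time as
 * lcm(L, r-1) = L*(r-1)/gcd(L, r-1); the previous single division by the
 * gcd of all the (r_i - 1) only equals the lcm for two primes and rejected
 * valid multi-prime keys whose d was reduced modulo the true lcm.
 *
 * Limits a caller should know about: p, q and the additional primes are not
 * tested for primality; e is not range-checked; and the per-prime exp/coeff
 * values of additional primes are not verified. Opaque keys and keys without
 * private components (no d, or no p/q) return one without any checking. */
int RSA_check_key(const RSA *key) {
  BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp;
  BN_CTX *ctx;
  int ok = 0, has_crt_values;

  if (RSA_is_opaque(key)) {
    /* Opaque keys can't be checked. */
    return 1;
  }

  if ((key->p != NULL) != (key->q != NULL)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
    return 0;
  }

  if (!key->n || !key->e) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
    return 0;
  }

  if (!key->d || !key->p) {
    /* For a public key, or without p and q, there's nothing that can be
     * checked. */
    return 1;
  }

  ctx = BN_CTX_new();
  if (ctx == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    return 0;
  }

  BN_init(&n);
  BN_init(&pm1);
  BN_init(&qm1);
  BN_init(&lcm);
  BN_init(&gcd);
  BN_init(&de);
  BN_init(&dmp1);
  BN_init(&dmq1);
  BN_init(&iqmp);

  /* Two-prime part: n = p*q and lcm = lcm(p-1, q-1) = (p-1)(q-1)/gcd. */
  if (!BN_mul(&n, key->p, key->q, ctx) ||
      !BN_sub(&pm1, key->p, BN_value_one()) ||
      !BN_sub(&qm1, key->q, BN_value_one()) ||
      !BN_mul(&lcm, &pm1, &qm1, ctx) ||
      !BN_gcd(&gcd, &pm1, &qm1, ctx) ||
      !BN_div(&lcm, NULL, &lcm, &gcd, ctx)) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
    goto out;
  }

  size_t num_additional_primes = 0;
  if (key->additional_primes != NULL) {
    num_additional_primes = sk_RSA_additional_prime_num(key->additional_primes);
  }

  /* Fold each additional prime r into n and into the running lcm. |pm1| is
   * reused as scratch for r-1; that is fine because the CRT check below,
   * which needs p-1, only runs when there are no additional primes. */
  size_t i;
  for (i = 0; i < num_additional_primes; i++) {
    const RSA_additional_prime *ap =
        sk_RSA_additional_prime_value(key->additional_primes, i);
    if (!BN_mul(&n, &n, ap->prime, ctx) ||
        !BN_sub(&pm1, ap->prime, BN_value_one()) ||
        !BN_gcd(&gcd, &lcm, &pm1, ctx) ||
        !BN_mul(&lcm, &lcm, &pm1, ctx) ||
        !BN_div(&lcm, NULL, &lcm, &gcd, ctx)) {
      OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
      goto out;
    }
  }

  /* de = d*e mod lcm(prime-1, for all primes). */
  if (!BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
    goto out;
  }

  if (BN_cmp(&n, key->n) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
    goto out;
  }

  if (!BN_is_one(&de)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
    goto out;
  }

  /* CRT values are all-or-nothing. */
  has_crt_values = key->dmp1 != NULL;
  if (has_crt_values != (key->dmq1 != NULL) ||
      has_crt_values != (key->iqmp != NULL)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
    goto out;
  }

  /* Only the two-prime CRT triple is verified; |pm1| and |qm1| still hold
   * p-1 and q-1 here because the loop above did not run. */
  if (has_crt_values && num_additional_primes == 0) {
    if (/* dmp1 = d mod (p-1) */
        !BN_mod(&dmp1, key->d, &pm1, ctx) ||
        /* dmq1 = d mod (q-1) */
        !BN_mod(&dmq1, key->d, &qm1, ctx) ||
        /* iqmp = q^-1 mod p */
        !BN_mod_inverse(&iqmp, key->q, key->p, ctx)) {
      OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
      goto out;
    }

    if (BN_cmp(&dmp1, key->dmp1) != 0 ||
        BN_cmp(&dmq1, key->dmq1) != 0 ||
        BN_cmp(&iqmp, key->iqmp) != 0) {
      OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
      goto out;
    }
  }

  ok = 1;

out:
  BN_free(&n);
  BN_free(&pm1);
  BN_free(&qm1);
  BN_free(&lcm);
  BN_free(&gcd);
  BN_free(&de);
  BN_free(&dmp1);
  BN_free(&dmq1);
  BN_free(&iqmp);
  BN_CTX_free(ctx);

  return ok;
}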
663 
/* RSA_recover_crt_params derives p, q, dmp1, dmq1 and iqmp for a two-prime
 * key that only has n, e and d, so that the faster CRT private path can be
 * used. It requires that none of the CRT fields are already set and that the
 * key has no additional primes. On success the five fields are populated and
 * one is returned; on any failure they are released again (see
 * bn_free_and_null) and zero is returned with an error set.
 *
 * The method is the one from section 9B of the original RSA paper: e*d - 1
 * is a multiple of phi(n), and phi(n) is close enough to n that the
 * multiplier can be read off from (e*d - 1) / n. The recovered factors are
 * checked by recomputing p*q and comparing it to n; an inconsistent (n, e, d)
 * triple therefore fails rather than yielding wrong CRT values. Note that e
 * and d are otherwise trusted as given; nothing here verifies
 * e*d == 1 (mod lcm(p-1, q-1)), which RSA_check_key does. */
int RSA_recover_crt_params(RSA *rsa) {
  BN_CTX *ctx;
  BIGNUM *totient, *rem, *multiple, *p_plus_q, *p_minus_q;
  int ok = 0;

  /* The reason code says "public key" but d is required as well. */
  if (rsa->n == NULL || rsa->e == NULL || rsa->d == NULL) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
    return 0;
  }

  if (rsa->p || rsa->q || rsa->dmp1 || rsa->dmq1 || rsa->iqmp) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_PARAMS_ALREADY_GIVEN);
    return 0;
  }

  if (rsa->additional_primes != NULL) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY);
    return 0;
  }

  /* This uses the algorithm from section 9B of the RSA paper:
   * http://people.csail.mit.edu/rivest/Rsapaper.pdf */

  ctx = BN_CTX_new();
  if (ctx == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    return 0;
  }

  BN_CTX_start(ctx);
  totient = BN_CTX_get(ctx);
  rem = BN_CTX_get(ctx);
  multiple = BN_CTX_get(ctx);
  p_plus_q = BN_CTX_get(ctx);
  p_minus_q = BN_CTX_get(ctx);

  if (totient == NULL || rem == NULL || multiple == NULL || p_plus_q == NULL ||
      p_minus_q == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    goto err;
  }

  /* ed-1 is a small multiple of φ(n). */
  if (!BN_mul(totient, rsa->e, rsa->d, ctx) ||
      !BN_sub_word(totient, 1) ||
      /* φ(n) =
       * pq - p - q + 1 =
       * n - (p + q) + 1
       *
       * Thus n is a reasonable estimate for φ(n). So, (ed-1)/n will be very
       * close to the multiple k with ed-1 = k*φ(n). But since φ(n) < n, the
       * exact quotient k*φ(n)/n is slightly below k, and truncating it gives
       * k-1. So we add one to the estimate.
       *
       * Consider ed-1 as:
       *
       * multiple * (n - (p+q) + 1) =
       * multiple*n - multiple*(p+q) + multiple
       *
       * When we divide by n, the first term becomes multiple and, since
       * multiple and p+q are tiny compared to n, the second and third terms
       * shave off strictly less than one. Thus adding one to the truncated
       * quotient recovers the multiple exactly. */
      !BN_div(multiple, NULL, totient, rsa->n, ctx) ||
      !BN_add_word(multiple, 1) ||
      /* totient = (ed-1)/multiple, which must divide exactly. */
      !BN_div(totient, rem, totient, multiple, ctx)) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
    goto err;
  }

  /* A non-zero remainder means (n, e, d) are not a consistent RSA triple. */
  if (!BN_is_zero(rem)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
    goto err;
  }

  rsa->p = BN_new();
  rsa->q = BN_new();
  rsa->dmp1 = BN_new();
  rsa->dmq1 = BN_new();
  rsa->iqmp = BN_new();
  if (rsa->p == NULL || rsa->q == NULL || rsa->dmp1 == NULL || rsa->dmq1 ==
      NULL || rsa->iqmp == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    goto err;
  }

  /* φ(n) = n - (p + q) + 1 =>
   * n - totient + 1 = p + q */
  if (!BN_sub(p_plus_q, rsa->n, totient) ||
      !BN_add_word(p_plus_q, 1) ||
      /* p - q = sqrt((p+q)^2 - 4n); BN_sqrt fails if this is not a perfect
       * square, which is another way an inconsistent key is rejected. */
      !BN_sqr(rem, p_plus_q, ctx) ||
      !BN_lshift(multiple, rsa->n, 2) ||
      !BN_sub(rem, rem, multiple) ||
      !BN_sqrt(p_minus_q, rem, ctx) ||
      /* q is 1/2 (p+q)-(p-q) */
      !BN_sub(rsa->q, p_plus_q, p_minus_q) ||
      !BN_rshift1(rsa->q, rsa->q) ||
      !BN_div(rsa->p, NULL, rsa->n, rsa->q, ctx) ||
      !BN_mul(multiple, rsa->p, rsa->q, ctx)) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
    goto err;
  }

  /* Sanity check the factorisation before trusting it. */
  if (BN_cmp(multiple, rsa->n) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
    goto err;
  }

  /* dmp1 = d mod (p-1), dmq1 = d mod (q-1), iqmp = q^-1 mod p. */
  if (!BN_sub(rem, rsa->p, BN_value_one()) ||
      !BN_mod(rsa->dmp1, rsa->d, rem, ctx) ||
      !BN_sub(rem, rsa->q, BN_value_one()) ||
      !BN_mod(rsa->dmq1, rsa->d, rem, ctx) ||
      !BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
    goto err;
  }

  ok = 1;

err:
  BN_CTX_end(ctx);
  BN_CTX_free(ctx);
  /* Never leave a half-recovered key behind: on failure the fields go back
   * to NULL so the key is in the same state as on entry. */
  if (!ok) {
    bn_free_and_null(&rsa->p);
    bn_free_and_null(&rsa->q);
    bn_free_and_null(&rsa->dmp1);
    bn_free_and_null(&rsa->dmq1);
    bn_free_and_null(&rsa->iqmp);
  }
  return ok;
}
796 
/* RSA_private_transform applies the raw private-key operation to the |len|
 * byte big-endian value |in| and writes the |len| byte result to |out|, with
 * no padding handling at all. A method |private_transform| hook takes
 * precedence over the built-in implementation. Returns one on success, zero
 * on error. */
int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
                          size_t len) {
  if (rsa->meth->private_transform == NULL) {
    return rsa_default_private_transform(rsa, out, in, len);
  }
  return rsa->meth->private_transform(rsa, out, in, len);
}
805 
/* RSA_blinding_on is a compatibility no-op that always returns one. Blinding
 * state is kept per key internally (see the |blindings| array released in
 * RSA_free), so there is nothing for the caller to switch on; |rsa| and |ctx|
 * are ignored. */
int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {
  (void)rsa;
  (void)ctx;
  return 1;
}
809