/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
+/*
+ * RSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
#include "internal/cryptlib.h"
-#include "internal/bn_int.h"
-#include "rsa_locl.h"
+#include "crypto/bn.h"
+#include "rsa_local.h"
+#include "internal/constant_time.h"
static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
unsigned char *to, RSA *rsa, int padding)
{
BIGNUM *f, *ret;
- int i, j, k, num = 0, r = -1;
+ int i, num = 0, r = -1;
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
}
}
- if ((ctx = BN_CTX_new()) == NULL)
+ if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
goto err;
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
switch (padding) {
case RSA_PKCS1_PADDING:
- i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
+ i = rsa_padding_add_PKCS1_type_2_with_libctx(rsa->libctx, buf, num,
+ from, flen);
break;
case RSA_PKCS1_OAEP_PADDING:
- i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
+ i = rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(rsa->libctx, buf, num,
+ from, flen, NULL, 0,
+ NULL, NULL);
break;
+#ifndef FIPS_MODE
case RSA_SSLV23_PADDING:
- i = RSA_padding_add_SSLv23(buf, num, from, flen);
+ i = rsa_padding_add_SSLv23_with_libctx(rsa->libctx, buf, num, from,
+ flen);
break;
+#endif
case RSA_NO_PADDING:
i = RSA_padding_add_none(buf, num, from, flen);
break;
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked
- (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
+ rsa->n, ctx))
goto err;
if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
goto err;
/*
- * put in leading 0 bytes if the number is less than the length of the
- * modulus
+ * BN_bn2binpad puts in leading 0 bytes if the number is less than
+ * the length of the modulus.
*/
- j = BN_num_bytes(ret);
- i = BN_bn2bin(ret, &(to[num - j]));
- for (k = 0; k < (num - i); k++)
- to[k] = 0;
-
- r = num;
+ r = BN_bn2binpad(ret, to, num);
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
unsigned char *to, RSA *rsa, int padding)
{
BIGNUM *f, *ret, *res;
- int i, j, k, num = 0, r = -1;
+ int i, num = 0, r = -1;
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
int local_blinding = 0;
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
- if ((ctx = BN_CTX_new()) == NULL)
+ if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
goto err;
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
goto err;
}
+ if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
+ rsa->n, ctx))
+ goto err;
+
if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
if (blinding == NULL) {
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
+ if (rsa->d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY);
+ BN_free(d);
+ goto err;
+ }
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked
- (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
- BN_free(d);
- goto err;
- }
-
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
BN_free(d);
goto err;
if (padding == RSA_X931_PADDING) {
- BN_sub(f, rsa->n, ret);
+ if (!BN_sub(f, rsa->n, ret))
+ goto err;
if (BN_cmp(ret, f) > 0)
res = f;
else
}
/*
- * put in leading 0 bytes if the number is less than the length of the
- * modulus
+ * BN_bn2binpad puts in leading 0 bytes if the number is less than
+ * the length of the modulus.
*/
- j = BN_num_bytes(res);
- i = BN_bn2bin(res, &(to[num - j]));
- for (k = 0; k < (num - i); k++)
- to[k] = 0;
-
- r = num;
+ r = BN_bn2binpad(res, to, num);
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
{
BIGNUM *f, *ret;
int j, num = 0, r = -1;
- unsigned char *p;
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
int local_blinding = 0;
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
- if ((ctx = BN_CTX_new()) == NULL)
+ if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
goto err;
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
+ if (rsa->d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY);
+ BN_free(d);
+ goto err;
+ }
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked
- (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
+ rsa->n, ctx)) {
BN_free(d);
goto err;
}
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err;
- p = buf;
- j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
+ j = BN_bn2binpad(ret, buf, num);
+ if (j < 0)
+ goto err;
switch (padding) {
case RSA_PKCS1_PADDING:
case RSA_PKCS1_OAEP_PADDING:
r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
break;
+#ifndef FIPS_MODE
case RSA_SSLV23_PADDING:
r = RSA_padding_check_SSLv23(to, num, buf, j, num);
break;
+#endif
case RSA_NO_PADDING:
- r = RSA_padding_check_none(to, num, buf, j, num);
+ memcpy(to, buf, (r = j));
break;
default:
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
goto err;
}
- if (r < 0)
- RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+#ifndef FIPS_MODE
+ /*
+ * This trick doesn't work in the FIPS provider because libcrypto manages
+ * the error stack. Instead we opt not to put an error on the stack at all
+ * in case of padding failure in the FIPS provider.
+ */
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+ err_clear_last_constant_time(1 & ~constant_time_msb(r));
+#endif
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
{
BIGNUM *f, *ret;
int i, num = 0, r = -1;
- unsigned char *p;
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
}
}
- if ((ctx = BN_CTX_new()) == NULL)
+ if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
goto err;
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked
- (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
+ rsa->n, ctx))
goto err;
if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
if (!BN_sub(ret, rsa->n, ret))
goto err;
- p = buf;
- i = BN_bn2bin(ret, p);
+ i = BN_bn2binpad(ret, buf, num);
+ if (i < 0)
+ goto err;
switch (padding) {
case RSA_PKCS1_PADDING:
r = RSA_padding_check_X931(to, num, buf, i, num);
break;
case RSA_NO_PADDING:
- r = RSA_padding_check_none(to, num, buf, i, num);
+ memcpy(to, buf, (r = i));
break;
default:
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
{
- BIGNUM *r1, *m1, *vrfy, *r2, *m[RSA_MAX_PRIME_NUM];
- int ret = 0, i, ex_primes = 0;
+ BIGNUM *r1, *m1, *vrfy;
+ int ret = 0, smooth = 0;
+#ifndef FIPS_MODE
+ BIGNUM *r2, *m[RSA_MAX_PRIME_NUM - 2];
+ int i, ex_primes = 0;
RSA_PRIME_INFO *pinfo;
+#endif
BN_CTX_start(ctx);
r1 = BN_CTX_get(ctx);
+#ifndef FIPS_MODE
r2 = BN_CTX_get(ctx);
+#endif
m1 = BN_CTX_get(ctx);
vrfy = BN_CTX_get(ctx);
if (vrfy == NULL)
goto err;
+#ifndef FIPS_MODE
if (rsa->version == RSA_ASN1_VERSION_MULTI
- && (ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0)
+ && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0
+ || ex_primes > RSA_MAX_PRIME_NUM - 2))
goto err;
+#endif
- {
- BIGNUM *p = BN_new(), *q = BN_new();
+ if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
+ BIGNUM *factor = BN_new();
+
+ if (factor == NULL)
+ goto err;
/*
* Make sure BN_mod_inverse in Montgomery initialization uses the
* BN_FLG_CONSTTIME flag
*/
- if (p == NULL || q == NULL) {
- BN_free(p);
- BN_free(q);
+ if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),
+ BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,
+ factor, ctx))
+ || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),
+ BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,
+ factor, ctx))) {
+ BN_free(factor);
goto err;
}
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
-
- if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
- if (!BN_MONT_CTX_set_locked
- (&rsa->_method_mod_p, rsa->lock, p, ctx)
- || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
- rsa->lock, q, ctx)) {
- BN_free(p);
- BN_free(q);
+#ifndef FIPS_MODE
+ for (i = 0; i < ex_primes; i++) {
+ pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
+ BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME);
+ if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) {
+ BN_free(factor);
goto err;
}
- if (ex_primes > 0) {
- /* cache BN_MONT_CTX for other primes */
- BIGNUM *r = BN_new();
-
- if (r == NULL) {
- BN_free(p);
- BN_free(q);
- goto err;
- }
-
- for (i = 0; i < ex_primes; i++) {
- pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
- BN_with_flags(r, pinfo->r, BN_FLG_CONSTTIME);
- if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, r, ctx)) {
- BN_free(p);
- BN_free(q);
- BN_free(r);
- goto err;
- }
- }
- BN_free(r);
- }
}
+#endif
/*
- * We MUST free p and q before any further use of rsa->p and rsa->q
+ * We MUST free |factor| before any further use of the prime factors
*/
- BN_free(p);
- BN_free(q);
+ BN_free(factor);
+
+ smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
+#ifndef FIPS_MODE
+ && (ex_primes == 0)
+#endif
+ && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked
- (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
+ rsa->n, ctx))
+ goto err;
+
+ if (smooth) {
+ /*
+ * Conversion from Montgomery domain, a.k.a. Montgomery reduction,
+ * accepts values in [0-m*2^w) range. w is m's bit width rounded up
+ * to limb width. So that at the very least if |I| is fully reduced,
+ * i.e. less than p*q, we can count on from-to round to perform
+ * below modulo operations on |I|. Unlike BN_mod it's constant time.
+ */
+ if (/* m1 = I moq q */
+ !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
+ || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
+ /* m1 = m1^dmq1 mod q */
+ || !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx,
+ rsa->_method_mod_q)
+ /* r1 = I mod p */
+ || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
+ || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
+ /* r1 = r1^dmp1 mod p */
+ || !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx,
+ rsa->_method_mod_p)
+ /* r1 = (r1 - m1) mod p */
+ /*
+ * bn_mod_sub_fixed_top is not regular modular subtraction,
+ * it can tolerate subtrahend to be larger than modulus, but
+ * not bit-wise wider. This makes up for uncommon q>p case,
+ * when |m1| can be larger than |rsa->p|.
+ */
+ || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
+
+ /* r1 = r1 * iqmp mod p */
+ || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
+ || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
+ ctx)
+ /* r0 = r1 * q + m1 */
+ || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
+ || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
goto err;
+ goto tail;
+ }
+
/* compute I mod q */
{
BIGNUM *c = BN_new();
/* compute r1^dmq1 mod q */
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
- rsa->_method_mod_q)) {
+ rsa->_method_mod_q)) {
BN_free(c);
BN_free(dmq1);
goto err;
BN_free(dmp1);
}
+#ifndef FIPS_MODE
/*
* calculate m_i in multi-prime case
*
BN_free(cc);
BN_free(di);
}
+#endif
if (!BN_sub(r0, r0, m1))
goto err;
if (!BN_add(r0, r1, m1))
goto err;
+#ifndef FIPS_MODE
/* add m_i to m in multi-prime case */
if (ex_primes > 0) {
BIGNUM *pr2 = BN_new();
}
BN_free(pr2);
}
+#endif
+ tail:
if (rsa->e && rsa->n) {
- if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
- rsa->_method_mod_n))
- goto err;
+ if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
+ if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
+ rsa->_method_mod_n))
+ goto err;
+ } else {
+ bn_correct_top(r0);
+ if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
+ rsa->_method_mod_n))
+ goto err;
+ }
/*
* If 'I' was greater than (or equal to) rsa->n, the operation will
* be equivalent to using 'I mod n'. However, the result of the
*/
if (!BN_sub(vrfy, vrfy, I))
goto err;
+ if (BN_is_zero(vrfy)) {
+ bn_correct_top(r0);
+ ret = 1;
+ goto err; /* not actually error */
+ }
if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
goto err;
if (BN_is_negative(vrfy))
BN_free(d);
}
}
+ /*
+ * It's unfortunate that we have to bn_correct_top(r0). What hopefully
+ * saves the day is that correction is highly unlike, and private key
+ * operations are customarily performed on blinded message. Which means
+ * that attacker won't observe correlation with chosen plaintext.
+ * Secondly, remaining code would still handle it in same computational
+ * time and even conceal memory access pattern around corrected top.
+ */
+ bn_correct_top(r0);
ret = 1;
err:
BN_CTX_end(ctx);
static int rsa_ossl_finish(RSA *rsa)
{
+#ifndef FIPS_MODE
int i;
RSA_PRIME_INFO *pinfo;
- BN_MONT_CTX_free(rsa->_method_mod_n);
- BN_MONT_CTX_free(rsa->_method_mod_p);
- BN_MONT_CTX_free(rsa->_method_mod_q);
for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) {
pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
BN_MONT_CTX_free(pinfo->m);
}
+#endif
+
+ BN_MONT_CTX_free(rsa->_method_mod_n);
+ BN_MONT_CTX_free(rsa->_method_mod_p);
+ BN_MONT_CTX_free(rsa->_method_mod_q);
return 1;
}