grpc 1.10.0.pre1 → 1.10.0.pre2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (66) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +3 -3
  3. data/src/core/ext/filters/max_age/max_age_filter.cc +3 -0
  4. data/src/core/lib/surface/version.cc +1 -1
  5. data/src/ruby/lib/grpc/version.rb +1 -1
  6. data/third_party/boringssl/crypto/fipsmodule/aes/aes.c +1100 -0
  7. data/third_party/boringssl/crypto/fipsmodule/aes/key_wrap.c +138 -0
  8. data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c +112 -0
  9. data/third_party/boringssl/crypto/fipsmodule/bn/add.c +375 -0
  10. data/third_party/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.c +537 -0
  11. data/third_party/boringssl/crypto/fipsmodule/bn/bn.c +370 -0
  12. data/third_party/boringssl/crypto/fipsmodule/bn/bytes.c +269 -0
  13. data/third_party/boringssl/crypto/fipsmodule/bn/cmp.c +239 -0
  14. data/third_party/boringssl/crypto/fipsmodule/bn/ctx.c +303 -0
  15. data/third_party/boringssl/crypto/fipsmodule/bn/div.c +726 -0
  16. data/third_party/boringssl/crypto/fipsmodule/bn/exponentiation.c +1233 -0
  17. data/third_party/boringssl/crypto/fipsmodule/bn/gcd.c +627 -0
  18. data/third_party/boringssl/crypto/fipsmodule/bn/generic.c +715 -0
  19. data/third_party/boringssl/crypto/fipsmodule/bn/jacobi.c +146 -0
  20. data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +430 -0
  21. data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c +207 -0
  22. data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +869 -0
  23. data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +894 -0
  24. data/third_party/boringssl/crypto/fipsmodule/bn/random.c +283 -0
  25. data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.c +254 -0
  26. data/third_party/boringssl/crypto/fipsmodule/bn/shift.c +307 -0
  27. data/third_party/boringssl/crypto/fipsmodule/bn/sqrt.c +502 -0
  28. data/third_party/boringssl/crypto/fipsmodule/cipher/aead.c +284 -0
  29. data/third_party/boringssl/crypto/fipsmodule/cipher/cipher.c +613 -0
  30. data/third_party/boringssl/crypto/fipsmodule/cipher/e_aes.c +1437 -0
  31. data/third_party/boringssl/crypto/fipsmodule/cipher/e_des.c +233 -0
  32. data/third_party/boringssl/crypto/fipsmodule/des/des.c +785 -0
  33. data/third_party/boringssl/crypto/fipsmodule/digest/digest.c +256 -0
  34. data/third_party/boringssl/crypto/fipsmodule/digest/digests.c +280 -0
  35. data/third_party/boringssl/crypto/fipsmodule/ec/ec.c +842 -0
  36. data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +517 -0
  37. data/third_party/boringssl/crypto/fipsmodule/ec/ec_montgomery.c +304 -0
  38. data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +404 -0
  39. data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +1165 -0
  40. data/third_party/boringssl/crypto/fipsmodule/ec/p256-64.c +1708 -0
  41. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c +561 -0
  42. data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +1113 -0
  43. data/third_party/boringssl/crypto/fipsmodule/ec/util-64.c +109 -0
  44. data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c +456 -0
  45. data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +444 -0
  46. data/third_party/boringssl/crypto/fipsmodule/hmac/hmac.c +228 -0
  47. data/third_party/boringssl/crypto/fipsmodule/md4/md4.c +254 -0
  48. data/third_party/boringssl/crypto/fipsmodule/md5/md5.c +298 -0
  49. data/third_party/boringssl/crypto/fipsmodule/modes/cbc.c +212 -0
  50. data/third_party/boringssl/crypto/fipsmodule/modes/cfb.c +230 -0
  51. data/third_party/boringssl/crypto/fipsmodule/modes/ctr.c +219 -0
  52. data/third_party/boringssl/crypto/fipsmodule/modes/gcm.c +1074 -0
  53. data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c +95 -0
  54. data/third_party/boringssl/crypto/fipsmodule/modes/polyval.c +91 -0
  55. data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c +200 -0
  56. data/third_party/boringssl/crypto/fipsmodule/rand/rand.c +358 -0
  57. data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c +302 -0
  58. data/third_party/boringssl/crypto/fipsmodule/rsa/blinding.c +263 -0
  59. data/third_party/boringssl/crypto/fipsmodule/rsa/padding.c +692 -0
  60. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +855 -0
  61. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +1061 -0
  62. data/third_party/boringssl/crypto/fipsmodule/sha/sha1-altivec.c +361 -0
  63. data/third_party/boringssl/crypto/fipsmodule/sha/sha1.c +375 -0
  64. data/third_party/boringssl/crypto/fipsmodule/sha/sha256.c +337 -0
  65. data/third_party/boringssl/crypto/fipsmodule/sha/sha512.c +608 -0
  66. metadata +62 -2
@@ -0,0 +1,1061 @@
1
+ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2
+ * All rights reserved.
3
+ *
4
+ * This package is an SSL implementation written
5
+ * by Eric Young (eay@cryptsoft.com).
6
+ * The implementation was written so as to conform with Netscapes SSL.
7
+ *
8
+ * This library is free for commercial and non-commercial use as long as
9
+ * the following conditions are aheared to. The following conditions
10
+ * apply to all code found in this distribution, be it the RC4, RSA,
11
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12
+ * included with this distribution is covered by the same copyright terms
13
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14
+ *
15
+ * Copyright remains Eric Young's, and as such any Copyright notices in
16
+ * the code are not to be removed.
17
+ * If this package is used in a product, Eric Young should be given attribution
18
+ * as the author of the parts of the library used.
19
+ * This can be in the form of a textual message at program startup or
20
+ * in documentation (online or textual) provided with the package.
21
+ *
22
+ * Redistribution and use in source and binary forms, with or without
23
+ * modification, are permitted provided that the following conditions
24
+ * are met:
25
+ * 1. Redistributions of source code must retain the copyright
26
+ * notice, this list of conditions and the following disclaimer.
27
+ * 2. Redistributions in binary form must reproduce the above copyright
28
+ * notice, this list of conditions and the following disclaimer in the
29
+ * documentation and/or other materials provided with the distribution.
30
+ * 3. All advertising materials mentioning features or use of this software
31
+ * must display the following acknowledgement:
32
+ * "This product includes cryptographic software written by
33
+ * Eric Young (eay@cryptsoft.com)"
34
+ * The word 'cryptographic' can be left out if the rouines from the library
35
+ * being used are not cryptographic related :-).
36
+ * 4. If you include any Windows specific code (or a derivative thereof) from
37
+ * the apps directory (application code) you must include an acknowledgement:
38
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39
+ *
40
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50
+ * SUCH DAMAGE.
51
+ *
52
+ * The licence and distribution terms for any publically available version or
53
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
54
+ * copied and put under another distribution licence
55
+ * [including the GNU Public Licence.] */
56
+
57
+ #include <openssl/rsa.h>
58
+
59
+ #include <assert.h>
60
+ #include <limits.h>
61
+ #include <string.h>
62
+
63
+ #include <openssl/bn.h>
64
+ #include <openssl/err.h>
65
+ #include <openssl/mem.h>
66
+ #include <openssl/thread.h>
67
+ #include <openssl/type_check.h>
68
+
69
+ #include "internal.h"
70
+ #include "../bn/internal.h"
71
+ #include "../../internal.h"
72
+ #include "../delocate.h"
73
+
74
+
75
+ static int check_modulus_and_exponent_sizes(const RSA *rsa) {
76
+ unsigned rsa_bits = BN_num_bits(rsa->n);
77
+
78
+ if (rsa_bits > 16 * 1024) {
79
+ OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
80
+ return 0;
81
+ }
82
+
83
+ // Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as
84
+ // the limit based on the recommendations in [1] and [2]. Windows CryptoAPI
85
+ // doesn't support values larger than 32 bits [3], so it is unlikely that
86
+ // exponents larger than 32 bits are being used for anything Windows commonly
87
+ // does.
88
+ //
89
+ // [1] https://www.imperialviolet.org/2012/03/16/rsae.html
90
+ // [2] https://www.imperialviolet.org/2012/03/17/rsados.html
91
+ // [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
92
+ static const unsigned kMaxExponentBits = 33;
93
+
94
+ if (BN_num_bits(rsa->e) > kMaxExponentBits) {
95
+ OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
96
+ return 0;
97
+ }
98
+
99
+ // Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small
100
+ // shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits|
101
+ // is much smaller than the minimum RSA key size that any application should
102
+ // accept.
103
+ if (rsa_bits <= kMaxExponentBits) {
104
+ OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
105
+ return 0;
106
+ }
107
+ assert(BN_ucmp(rsa->n, rsa->e) > 0);
108
+
109
+ return 1;
110
+ }
111
+
112
+ size_t rsa_default_size(const RSA *rsa) {
113
+ return BN_num_bytes(rsa->n);
114
+ }
115
+
116
+ int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
117
+ const uint8_t *in, size_t in_len, int padding) {
118
+ if (rsa->n == NULL || rsa->e == NULL) {
119
+ OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
120
+ return 0;
121
+ }
122
+
123
+ const unsigned rsa_size = RSA_size(rsa);
124
+ BIGNUM *f, *result;
125
+ uint8_t *buf = NULL;
126
+ BN_CTX *ctx = NULL;
127
+ int i, ret = 0;
128
+
129
+ if (max_out < rsa_size) {
130
+ OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
131
+ return 0;
132
+ }
133
+
134
+ if (!check_modulus_and_exponent_sizes(rsa)) {
135
+ return 0;
136
+ }
137
+
138
+ ctx = BN_CTX_new();
139
+ if (ctx == NULL) {
140
+ goto err;
141
+ }
142
+
143
+ BN_CTX_start(ctx);
144
+ f = BN_CTX_get(ctx);
145
+ result = BN_CTX_get(ctx);
146
+ buf = OPENSSL_malloc(rsa_size);
147
+ if (!f || !result || !buf) {
148
+ OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
149
+ goto err;
150
+ }
151
+
152
+ switch (padding) {
153
+ case RSA_PKCS1_PADDING:
154
+ i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);
155
+ break;
156
+ case RSA_PKCS1_OAEP_PADDING:
157
+ // Use the default parameters: SHA-1 for both hashes and no label.
158
+ i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,
159
+ NULL, 0, NULL, NULL);
160
+ break;
161
+ case RSA_NO_PADDING:
162
+ i = RSA_padding_add_none(buf, rsa_size, in, in_len);
163
+ break;
164
+ default:
165
+ OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
166
+ goto err;
167
+ }
168
+
169
+ if (i <= 0) {
170
+ goto err;
171
+ }
172
+
173
+ if (BN_bin2bn(buf, rsa_size, f) == NULL) {
174
+ goto err;
175
+ }
176
+
177
+ if (BN_ucmp(f, rsa->n) >= 0) {
178
+ // usually the padding functions would catch this
179
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
180
+ goto err;
181
+ }
182
+
183
+ if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
184
+ !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
185
+ goto err;
186
+ }
187
+
188
+ // put in leading 0 bytes if the number is less than the length of the
189
+ // modulus
190
+ if (!BN_bn2bin_padded(out, rsa_size, result)) {
191
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
192
+ goto err;
193
+ }
194
+
195
+ *out_len = rsa_size;
196
+ ret = 1;
197
+
198
+ err:
199
+ if (ctx != NULL) {
200
+ BN_CTX_end(ctx);
201
+ BN_CTX_free(ctx);
202
+ }
203
+ OPENSSL_free(buf);
204
+
205
+ return ret;
206
+ }
207
+
208
+ // MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
209
+ // RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
210
+ // destroyed as needed.
211
+ #define MAX_BLINDINGS_PER_RSA 1024
212
+
213
+ // rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
214
+ // allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
215
+ // none are free, the cache will be extended by a extra element and the new
216
+ // BN_BLINDING is returned.
217
+ //
218
+ // On success, the index of the assigned BN_BLINDING is written to
219
+ // |*index_used| and must be passed to |rsa_blinding_release| when finished.
220
+ static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
221
+ BN_CTX *ctx) {
222
+ assert(ctx != NULL);
223
+ assert(rsa->mont_n != NULL);
224
+
225
+ BN_BLINDING *ret = NULL;
226
+ BN_BLINDING **new_blindings;
227
+ uint8_t *new_blindings_inuse;
228
+ char overflow = 0;
229
+
230
+ CRYPTO_MUTEX_lock_write(&rsa->lock);
231
+
232
+ unsigned i;
233
+ for (i = 0; i < rsa->num_blindings; i++) {
234
+ if (rsa->blindings_inuse[i] == 0) {
235
+ rsa->blindings_inuse[i] = 1;
236
+ ret = rsa->blindings[i];
237
+ *index_used = i;
238
+ break;
239
+ }
240
+ }
241
+
242
+ if (ret != NULL) {
243
+ CRYPTO_MUTEX_unlock_write(&rsa->lock);
244
+ return ret;
245
+ }
246
+
247
+ overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;
248
+
249
+ // We didn't find a free BN_BLINDING to use so increase the length of
250
+ // the arrays by one and use the newly created element.
251
+
252
+ CRYPTO_MUTEX_unlock_write(&rsa->lock);
253
+ ret = BN_BLINDING_new();
254
+ if (ret == NULL) {
255
+ return NULL;
256
+ }
257
+
258
+ if (overflow) {
259
+ // We cannot add any more cached BN_BLINDINGs so we use |ret|
260
+ // and mark it for destruction in |rsa_blinding_release|.
261
+ *index_used = MAX_BLINDINGS_PER_RSA;
262
+ return ret;
263
+ }
264
+
265
+ CRYPTO_MUTEX_lock_write(&rsa->lock);
266
+
267
+ new_blindings =
268
+ OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));
269
+ if (new_blindings == NULL) {
270
+ goto err1;
271
+ }
272
+ OPENSSL_memcpy(new_blindings, rsa->blindings,
273
+ sizeof(BN_BLINDING *) * rsa->num_blindings);
274
+ new_blindings[rsa->num_blindings] = ret;
275
+
276
+ new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1);
277
+ if (new_blindings_inuse == NULL) {
278
+ goto err2;
279
+ }
280
+ OPENSSL_memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);
281
+ new_blindings_inuse[rsa->num_blindings] = 1;
282
+ *index_used = rsa->num_blindings;
283
+
284
+ OPENSSL_free(rsa->blindings);
285
+ rsa->blindings = new_blindings;
286
+ OPENSSL_free(rsa->blindings_inuse);
287
+ rsa->blindings_inuse = new_blindings_inuse;
288
+ rsa->num_blindings++;
289
+
290
+ CRYPTO_MUTEX_unlock_write(&rsa->lock);
291
+ return ret;
292
+
293
+ err2:
294
+ OPENSSL_free(new_blindings);
295
+
296
+ err1:
297
+ CRYPTO_MUTEX_unlock_write(&rsa->lock);
298
+ BN_BLINDING_free(ret);
299
+ return NULL;
300
+ }
301
+
302
+ // rsa_blinding_release marks the cached BN_BLINDING at the given index as free
303
+ // for other threads to use.
304
+ static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
305
+ unsigned blinding_index) {
306
+ if (blinding_index == MAX_BLINDINGS_PER_RSA) {
307
+ // This blinding wasn't cached.
308
+ BN_BLINDING_free(blinding);
309
+ return;
310
+ }
311
+
312
+ CRYPTO_MUTEX_lock_write(&rsa->lock);
313
+ rsa->blindings_inuse[blinding_index] = 0;
314
+ CRYPTO_MUTEX_unlock_write(&rsa->lock);
315
+ }
316
+
317
+ // signing
318
+ int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
319
+ size_t max_out, const uint8_t *in, size_t in_len,
320
+ int padding) {
321
+ const unsigned rsa_size = RSA_size(rsa);
322
+ uint8_t *buf = NULL;
323
+ int i, ret = 0;
324
+
325
+ if (max_out < rsa_size) {
326
+ OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
327
+ return 0;
328
+ }
329
+
330
+ buf = OPENSSL_malloc(rsa_size);
331
+ if (buf == NULL) {
332
+ OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
333
+ goto err;
334
+ }
335
+
336
+ switch (padding) {
337
+ case RSA_PKCS1_PADDING:
338
+ i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);
339
+ break;
340
+ case RSA_NO_PADDING:
341
+ i = RSA_padding_add_none(buf, rsa_size, in, in_len);
342
+ break;
343
+ default:
344
+ OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
345
+ goto err;
346
+ }
347
+
348
+ if (i <= 0) {
349
+ goto err;
350
+ }
351
+
352
+ if (!RSA_private_transform(rsa, out, buf, rsa_size)) {
353
+ goto err;
354
+ }
355
+
356
+ *out_len = rsa_size;
357
+ ret = 1;
358
+
359
+ err:
360
+ OPENSSL_free(buf);
361
+
362
+ return ret;
363
+ }
364
+
365
+ int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
366
+ const uint8_t *in, size_t in_len, int padding) {
367
+ const unsigned rsa_size = RSA_size(rsa);
368
+ uint8_t *buf = NULL;
369
+ int ret = 0;
370
+
371
+ if (max_out < rsa_size) {
372
+ OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
373
+ return 0;
374
+ }
375
+
376
+ if (padding == RSA_NO_PADDING) {
377
+ buf = out;
378
+ } else {
379
+ // Allocate a temporary buffer to hold the padded plaintext.
380
+ buf = OPENSSL_malloc(rsa_size);
381
+ if (buf == NULL) {
382
+ OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
383
+ goto err;
384
+ }
385
+ }
386
+
387
+ if (in_len != rsa_size) {
388
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
389
+ goto err;
390
+ }
391
+
392
+ if (!RSA_private_transform(rsa, buf, in, rsa_size)) {
393
+ goto err;
394
+ }
395
+
396
+ switch (padding) {
397
+ case RSA_PKCS1_PADDING:
398
+ ret =
399
+ RSA_padding_check_PKCS1_type_2(out, out_len, rsa_size, buf, rsa_size);
400
+ break;
401
+ case RSA_PKCS1_OAEP_PADDING:
402
+ // Use the default parameters: SHA-1 for both hashes and no label.
403
+ ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, out_len, rsa_size, buf,
404
+ rsa_size, NULL, 0, NULL, NULL);
405
+ break;
406
+ case RSA_NO_PADDING:
407
+ *out_len = rsa_size;
408
+ ret = 1;
409
+ break;
410
+ default:
411
+ OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
412
+ goto err;
413
+ }
414
+
415
+ if (!ret) {
416
+ OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
417
+ }
418
+
419
+ err:
420
+ if (padding != RSA_NO_PADDING) {
421
+ OPENSSL_free(buf);
422
+ }
423
+
424
+ return ret;
425
+ }
426
+
427
+ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
428
+
429
+ int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
430
+ const uint8_t *in, size_t in_len, int padding) {
431
+ if (rsa->n == NULL || rsa->e == NULL) {
432
+ OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
433
+ return 0;
434
+ }
435
+
436
+ const unsigned rsa_size = RSA_size(rsa);
437
+ BIGNUM *f, *result;
438
+
439
+ if (max_out < rsa_size) {
440
+ OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);
441
+ return 0;
442
+ }
443
+
444
+ if (in_len != rsa_size) {
445
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);
446
+ return 0;
447
+ }
448
+
449
+ if (!check_modulus_and_exponent_sizes(rsa)) {
450
+ return 0;
451
+ }
452
+
453
+ BN_CTX *ctx = BN_CTX_new();
454
+ if (ctx == NULL) {
455
+ return 0;
456
+ }
457
+
458
+ int ret = 0;
459
+ uint8_t *buf = NULL;
460
+
461
+ BN_CTX_start(ctx);
462
+ f = BN_CTX_get(ctx);
463
+ result = BN_CTX_get(ctx);
464
+ if (f == NULL || result == NULL) {
465
+ OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
466
+ goto err;
467
+ }
468
+
469
+ if (padding == RSA_NO_PADDING) {
470
+ buf = out;
471
+ } else {
472
+ // Allocate a temporary buffer to hold the padded plaintext.
473
+ buf = OPENSSL_malloc(rsa_size);
474
+ if (buf == NULL) {
475
+ OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
476
+ goto err;
477
+ }
478
+ }
479
+
480
+ if (BN_bin2bn(in, in_len, f) == NULL) {
481
+ goto err;
482
+ }
483
+
484
+ if (BN_ucmp(f, rsa->n) >= 0) {
485
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
486
+ goto err;
487
+ }
488
+
489
+ if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
490
+ !BN_mod_exp_mont(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
491
+ goto err;
492
+ }
493
+
494
+ if (!BN_bn2bin_padded(buf, rsa_size, result)) {
495
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
496
+ goto err;
497
+ }
498
+
499
+ switch (padding) {
500
+ case RSA_PKCS1_PADDING:
501
+ ret =
502
+ RSA_padding_check_PKCS1_type_1(out, out_len, rsa_size, buf, rsa_size);
503
+ break;
504
+ case RSA_NO_PADDING:
505
+ ret = 1;
506
+ *out_len = rsa_size;
507
+ break;
508
+ default:
509
+ OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);
510
+ goto err;
511
+ }
512
+
513
+ if (!ret) {
514
+ OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);
515
+ goto err;
516
+ }
517
+
518
+ err:
519
+ BN_CTX_end(ctx);
520
+ BN_CTX_free(ctx);
521
+ if (buf != out) {
522
+ OPENSSL_free(buf);
523
+ }
524
+ return ret;
525
+ }
526
+
527
+ int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
528
+ size_t len) {
529
+ if (rsa->n == NULL || rsa->d == NULL) {
530
+ OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
531
+ return 0;
532
+ }
533
+
534
+ BIGNUM *f, *result;
535
+ BN_CTX *ctx = NULL;
536
+ unsigned blinding_index = 0;
537
+ BN_BLINDING *blinding = NULL;
538
+ int ret = 0;
539
+
540
+ ctx = BN_CTX_new();
541
+ if (ctx == NULL) {
542
+ goto err;
543
+ }
544
+ BN_CTX_start(ctx);
545
+ f = BN_CTX_get(ctx);
546
+ result = BN_CTX_get(ctx);
547
+
548
+ if (f == NULL || result == NULL) {
549
+ OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
550
+ goto err;
551
+ }
552
+
553
+ if (BN_bin2bn(in, len, f) == NULL) {
554
+ goto err;
555
+ }
556
+
557
+ if (BN_ucmp(f, rsa->n) >= 0) {
558
+ // Usually the padding functions would catch this.
559
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
560
+ goto err;
561
+ }
562
+
563
+ if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
564
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
565
+ goto err;
566
+ }
567
+
568
+ const int do_blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0;
569
+
570
+ if (rsa->e == NULL && do_blinding) {
571
+ // We cannot do blinding or verification without |e|, and continuing without
572
+ // those countermeasures is dangerous. However, the Java/Android RSA API
573
+ // requires support for keys where only |d| and |n| (and not |e|) are known.
574
+ // The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|.
575
+ OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT);
576
+ goto err;
577
+ }
578
+
579
+ if (do_blinding) {
580
+ blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
581
+ if (blinding == NULL) {
582
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
583
+ goto err;
584
+ }
585
+ if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx)) {
586
+ goto err;
587
+ }
588
+ }
589
+
590
+ if (rsa->p != NULL && rsa->q != NULL && rsa->e != NULL && rsa->dmp1 != NULL &&
591
+ rsa->dmq1 != NULL && rsa->iqmp != NULL) {
592
+ if (!mod_exp(result, f, rsa, ctx)) {
593
+ goto err;
594
+ }
595
+ } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d, rsa->n, ctx,
596
+ rsa->mont_n)) {
597
+ goto err;
598
+ }
599
+
600
+ // Verify the result to protect against fault attacks as described in the
601
+ // 1997 paper "On the Importance of Checking Cryptographic Protocols for
602
+ // Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some
603
+ // implementations do this only when the CRT is used, but we do it in all
604
+ // cases. Section 6 of the aforementioned paper describes an attack that
605
+ // works when the CRT isn't used. That attack is much less likely to succeed
606
+ // than the CRT attack, but there have likely been improvements since 1997.
607
+ //
608
+ // This check is cheap assuming |e| is small; it almost always is.
609
+ if (rsa->e != NULL) {
610
+ BIGNUM *vrfy = BN_CTX_get(ctx);
611
+ if (vrfy == NULL ||
612
+ !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) ||
613
+ !BN_equal_consttime(vrfy, f)) {
614
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
615
+ goto err;
616
+ }
617
+
618
+ }
619
+
620
+ if (do_blinding &&
621
+ !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) {
622
+ goto err;
623
+ }
624
+
625
+ if (!BN_bn2bin_padded(out, len, result)) {
626
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
627
+ goto err;
628
+ }
629
+
630
+ ret = 1;
631
+
632
+ err:
633
+ if (ctx != NULL) {
634
+ BN_CTX_end(ctx);
635
+ BN_CTX_free(ctx);
636
+ }
637
+ if (blinding != NULL) {
638
+ rsa_blinding_release(rsa, blinding, blinding_index);
639
+ }
640
+
641
+ return ret;
642
+ }
643
+
644
+ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
645
+ assert(ctx != NULL);
646
+
647
+ assert(rsa->n != NULL);
648
+ assert(rsa->e != NULL);
649
+ assert(rsa->d != NULL);
650
+ assert(rsa->p != NULL);
651
+ assert(rsa->q != NULL);
652
+ assert(rsa->dmp1 != NULL);
653
+ assert(rsa->dmq1 != NULL);
654
+ assert(rsa->iqmp != NULL);
655
+
656
+ BIGNUM *r1, *m1, *vrfy;
657
+ int ret = 0;
658
+
659
+ BN_CTX_start(ctx);
660
+ r1 = BN_CTX_get(ctx);
661
+ m1 = BN_CTX_get(ctx);
662
+ vrfy = BN_CTX_get(ctx);
663
+ if (r1 == NULL ||
664
+ m1 == NULL ||
665
+ vrfy == NULL) {
666
+ goto err;
667
+ }
668
+
669
+ if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) ||
670
+ !BN_MONT_CTX_set_locked(&rsa->mont_q, &rsa->lock, rsa->q, ctx)) {
671
+ goto err;
672
+ }
673
+
674
+ if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
675
+ goto err;
676
+ }
677
+
678
+ // compute I mod q
679
+ if (!BN_mod(r1, I, rsa->q, ctx)) {
680
+ goto err;
681
+ }
682
+
683
+ // compute r1^dmq1 mod q
684
+ if (!BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1, rsa->q, ctx, rsa->mont_q)) {
685
+ goto err;
686
+ }
687
+
688
+ // compute I mod p
689
+ if (!BN_mod(r1, I, rsa->p, ctx)) {
690
+ goto err;
691
+ }
692
+
693
+ // compute r1^dmp1 mod p
694
+ if (!BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1, rsa->p, ctx, rsa->mont_p)) {
695
+ goto err;
696
+ }
697
+
698
+ if (!BN_sub(r0, r0, m1)) {
699
+ goto err;
700
+ }
701
+ // This will help stop the size of r0 increasing, which does
702
+ // affect the multiply if it optimised for a power of 2 size
703
+ if (BN_is_negative(r0)) {
704
+ if (!BN_add(r0, r0, rsa->p)) {
705
+ goto err;
706
+ }
707
+ }
708
+
709
+ if (!BN_mul(r1, r0, rsa->iqmp, ctx)) {
710
+ goto err;
711
+ }
712
+
713
+ if (!BN_mod(r0, r1, rsa->p, ctx)) {
714
+ goto err;
715
+ }
716
+
717
+ // If p < q it is occasionally possible for the correction of
718
+ // adding 'p' if r0 is negative above to leave the result still
719
+ // negative. This can break the private key operations: the following
720
+ // second correction should *always* correct this rare occurrence.
721
+ // This will *never* happen with OpenSSL generated keys because
722
+ // they ensure p > q [steve]
723
+ if (BN_is_negative(r0)) {
724
+ if (!BN_add(r0, r0, rsa->p)) {
725
+ goto err;
726
+ }
727
+ }
728
+ if (!BN_mul(r1, r0, rsa->q, ctx)) {
729
+ goto err;
730
+ }
731
+ if (!BN_add(r0, r1, m1)) {
732
+ goto err;
733
+ }
734
+
735
+ ret = 1;
736
+
737
+ err:
738
+ BN_CTX_end(ctx);
739
+ return ret;
740
+ }
741
+
742
+ static int ensure_bignum(BIGNUM **out) {
743
+ if (*out == NULL) {
744
+ *out = BN_new();
745
+ }
746
+ return *out != NULL;
747
+ }
748
+
749
+ // kBoringSSLRSASqrtTwo is the BIGNUM representation of ⌊2¹⁵³⁵×√2⌋. This is
750
+ // chosen to give enough precision for 3072-bit RSA, the largest key size FIPS
751
+ // specifies. Key sizes beyond this will round up.
752
+ //
753
+ // To verify this number, check that n² < 2³⁰⁷¹ < (n+1)², where n is value
754
+ // represented here. Note the components are listed in little-endian order. Here
755
+ // is some sample Python code to check:
756
+ //
757
+ // >>> TOBN = lambda a, b: a << 32 | b
758
+ // >>> l = [ <paste the contents of kSqrtTwo> ]
759
+ // >>> n = sum(a * 2**(64*i) for i, a in enumerate(l))
760
+ // >>> n**2 < 2**3071 < (n+1)**2
761
+ // True
762
+ const BN_ULONG kBoringSSLRSASqrtTwo[] = {
763
+ TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307),
764
+ TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f),
765
+ TOBN(0xb8cf341b, 0x6f8236c7), TOBN(0x4264dabc, 0xd528b651),
766
+ TOBN(0xf4d3a02c, 0xebc93e0c), TOBN(0x81394ab6, 0xd8fd0efd),
767
+ TOBN(0xeaa4a089, 0x9040ca4a), TOBN(0xf52f120f, 0x836e582e),
768
+ TOBN(0xcb2a6343, 0x31f3c84d), TOBN(0xc6d5a8a3, 0x8bb7e9dc),
769
+ TOBN(0x460abc72, 0x2f7c4e33), TOBN(0xcab1bc91, 0x1688458a),
770
+ TOBN(0x53059c60, 0x11bc337b), TOBN(0xd2202e87, 0x42af1f4e),
771
+ TOBN(0x78048736, 0x3dfa2768), TOBN(0x0f74a85e, 0x439c7b4a),
772
+ TOBN(0xa8b1fe6f, 0xdc83db39), TOBN(0x4afc8304, 0x3ab8a2c3),
773
+ TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
774
+ TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484),
775
+ };
776
+ const size_t kBoringSSLRSASqrtTwoLen = OPENSSL_ARRAY_SIZE(kBoringSSLRSASqrtTwo);
777
+
778
+ int rsa_less_than_words(const BN_ULONG *a, const BN_ULONG *b, size_t len) {
779
+ OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
780
+ crypto_word_t_too_small);
781
+ int ret = 0;
782
+ // Process the words in little-endian order.
783
+ for (size_t i = 0; i < len; i++) {
784
+ crypto_word_t eq = constant_time_eq_w(a[i], b[i]);
785
+ crypto_word_t lt = constant_time_lt_w(a[i], b[i]);
786
+ ret = constant_time_select_int(eq, ret, constant_time_select_int(lt, 1, 0));
787
+ }
788
+ return ret;
789
+ }
790
+
791
+ int rsa_greater_than_pow2(const BIGNUM *b, int n) {
792
+ if (BN_is_negative(b) || n == INT_MAX) {
793
+ return 0;
794
+ }
795
+
796
+ int b_bits = BN_num_bits(b);
797
+ return b_bits > n + 1 || (b_bits == n + 1 && !BN_is_pow2(b));
798
+ }
799
+
800
+ // generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
801
+ // relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
802
+ // |p|.
803
+ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
804
+ const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb) {
805
+ if (bits < 128 || (bits % BN_BITS2) != 0) {
806
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
807
+ return 0;
808
+ }
809
+
810
+ // Ensure the bound on |tries| does not overflow.
811
+ if (bits >= INT_MAX/5) {
812
+ OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
813
+ return 0;
814
+ }
815
+
816
+ int ret = 0, tries = 0, rand_tries = 0;
817
+ BN_CTX_start(ctx);
818
+ BIGNUM *tmp = BN_CTX_get(ctx);
819
+ if (tmp == NULL) {
820
+ goto err;
821
+ }
822
+
823
+ // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is
824
+ // nlen/2.
825
+ for (;;) {
826
+ // Generate a random number of length |bits| where the bottom bit is set
827
+ // (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the
828
+ // bound checked below in steps 4.4 and 5.5).
829
+ if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) ||
830
+ !BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) {
831
+ goto err;
832
+ }
833
+
834
+ if (p != NULL) {
835
+ // If |p| and |out| are too close, try again (step 5.4).
836
+ if (!BN_sub(tmp, out, p)) {
837
+ goto err;
838
+ }
839
+ BN_set_negative(tmp, 0);
840
+ if (!rsa_greater_than_pow2(tmp, bits - 100)) {
841
+ continue;
842
+ }
843
+ }
844
+
845
+ // If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5).
846
+ //
847
+ // We check the most significant words, so we retry if ⌊out/2^k⌋ <= ⌊b/2^k⌋,
848
+ // where b = 2^(bits-1)×√2 and k = max(0, bits - 1536). For key sizes up to
849
+ // 3072 (bits = 1536), k = 0, so we are testing that ⌊out⌋ <= ⌊b⌋. out is an
850
+ // integer and b is not, so this is equivalent to out < b. That is, the
851
+ // comparison is exact for FIPS key sizes.
852
+ //
853
+ // For larger keys, the comparison is approximate, leaning towards
854
+ // retrying. That is, we reject a negligible fraction of primes that are
855
+ // within the FIPS bound, but we will never accept a prime outside the
856
+ // bound, ensuring the resulting RSA key is the right size. Specifically, if
857
+ // the FIPS bound holds, we have ⌊out/2^k⌋ < out/2^k < b/2^k. This implies
858
+ // ⌊out/2^k⌋ <= ⌊b/2^k⌋. That is, the FIPS bound implies our bound and so we
859
+ // are slightly tighter.
860
+ size_t out_len = (size_t)out->top;
861
+ assert(out_len == (size_t)bits / BN_BITS2);
862
+ size_t to_check = kBoringSSLRSASqrtTwoLen;
863
+ if (to_check > out_len) {
864
+ to_check = out_len;
865
+ }
866
+ if (!rsa_less_than_words(
867
+ kBoringSSLRSASqrtTwo + kBoringSSLRSASqrtTwoLen - to_check,
868
+ out->d + out_len - to_check, to_check)) {
869
+ continue;
870
+ }
871
+
872
+ // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
873
+ if (!BN_sub(tmp, out, BN_value_one()) ||
874
+ !BN_gcd(tmp, tmp, e, ctx)) {
875
+ goto err;
876
+ }
877
+ if (BN_is_one(tmp)) {
878
+ // Test |out| for primality (steps 4.5.1 and 5.6.1).
879
+ int is_probable_prime;
880
+ if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 1,
881
+ cb)) {
882
+ goto err;
883
+ }
884
+ if (is_probable_prime) {
885
+ ret = 1;
886
+ goto err;
887
+ }
888
+ }
889
+
890
+ // If we've tried too many times to find a prime, abort (steps 4.7 and
891
+ // 5.8).
892
+ tries++;
893
+ if (tries >= bits * 5) {
894
+ OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
895
+ goto err;
896
+ }
897
+ if (!BN_GENCB_call(cb, 2, tries)) {
898
+ goto err;
899
+ }
900
+ }
901
+
902
+ err:
903
+ BN_CTX_end(ctx);
904
+ return ret;
905
+ }
906
+
907
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
908
+ // See FIPS 186-4 appendix B.3. This function implements a generalized version
909
+ // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
910
+ // for FIPS-compliant key generation.
911
+
912
+ // Always generate RSA keys which are a multiple of 128 bits. Round |bits|
913
+ // down as needed.
914
+ bits &= ~127;
915
+
916
+ // Reject excessively small keys.
917
+ if (bits < 256) {
918
+ OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
919
+ return 0;
920
+ }
921
+
922
+ int ret = 0;
923
+ BN_CTX *ctx = BN_CTX_new();
924
+ if (ctx == NULL) {
925
+ goto bn_err;
926
+ }
927
+ BN_CTX_start(ctx);
928
+ BIGNUM *totient = BN_CTX_get(ctx);
929
+ BIGNUM *pm1 = BN_CTX_get(ctx);
930
+ BIGNUM *qm1 = BN_CTX_get(ctx);
931
+ BIGNUM *gcd = BN_CTX_get(ctx);
932
+ if (totient == NULL || pm1 == NULL || qm1 == NULL || gcd == NULL) {
933
+ goto bn_err;
934
+ }
935
+
936
+ // We need the RSA components non-NULL.
937
+ if (!ensure_bignum(&rsa->n) ||
938
+ !ensure_bignum(&rsa->d) ||
939
+ !ensure_bignum(&rsa->e) ||
940
+ !ensure_bignum(&rsa->p) ||
941
+ !ensure_bignum(&rsa->q) ||
942
+ !ensure_bignum(&rsa->dmp1) ||
943
+ !ensure_bignum(&rsa->dmq1) ||
944
+ !ensure_bignum(&rsa->iqmp)) {
945
+ goto bn_err;
946
+ }
947
+
948
+ if (!BN_copy(rsa->e, e_value)) {
949
+ goto bn_err;
950
+ }
951
+
952
+ int prime_bits = bits / 2;
953
+ do {
954
+ // Generate p and q, each of size |prime_bits|, using the steps outlined in
955
+ // appendix FIPS 186-4 appendix B.3.3.
956
+ if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, ctx, cb) ||
957
+ !BN_GENCB_call(cb, 3, 0) ||
958
+ !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, ctx, cb) ||
959
+ !BN_GENCB_call(cb, 3, 1)) {
960
+ goto bn_err;
961
+ }
962
+
963
+ if (BN_cmp(rsa->p, rsa->q) < 0) {
964
+ BIGNUM *tmp = rsa->p;
965
+ rsa->p = rsa->q;
966
+ rsa->q = tmp;
967
+ }
968
+
969
+ // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
970
+ // from typical RSA implementations which use (p-1)*(q-1).
971
+ //
972
+ // Note this means the size of d might reveal information about p-1 and
973
+ // q-1. However, we do operations with Chinese Remainder Theorem, so we only
974
+ // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
975
+ // does not affect those two values.
976
+ if (!BN_sub(pm1, rsa->p, BN_value_one()) ||
977
+ !BN_sub(qm1, rsa->q, BN_value_one()) ||
978
+ !BN_mul(totient, pm1, qm1, ctx) ||
979
+ !BN_gcd(gcd, pm1, qm1, ctx) ||
980
+ !BN_div(totient, NULL, totient, gcd, ctx) ||
981
+ !BN_mod_inverse(rsa->d, rsa->e, totient, ctx)) {
982
+ goto bn_err;
983
+ }
984
+
985
+ // Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See
986
+ // appendix B.3.1's guidance on values for d.
987
+ } while (!rsa_greater_than_pow2(rsa->d, prime_bits));
988
+
989
+ if (// Calculate n.
990
+ !BN_mul(rsa->n, rsa->p, rsa->q, ctx) ||
991
+ // Calculate d mod (p-1).
992
+ !BN_mod(rsa->dmp1, rsa->d, pm1, ctx) ||
993
+ // Calculate d mod (q-1)
994
+ !BN_mod(rsa->dmq1, rsa->d, qm1, ctx)) {
995
+ goto bn_err;
996
+ }
997
+
998
+ // Sanity-check that |rsa->n| has the specified size. This is implied by
999
+ // |generate_prime|'s bounds.
1000
+ if (BN_num_bits(rsa->n) != (unsigned)bits) {
1001
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
1002
+ goto err;
1003
+ }
1004
+
1005
+ // Calculate inverse of q mod p. Note that although RSA key generation is far
1006
+ // from constant-time, |bn_mod_inverse_secret_prime| uses the same modular
1007
+ // exponentation logic as in RSA private key operations and, if the RSAZ-1024
1008
+ // code is enabled, will be optimized for common RSA prime sizes.
1009
+ if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) ||
1010
+ !bn_mod_inverse_secret_prime(rsa->iqmp, rsa->q, rsa->p, ctx,
1011
+ rsa->mont_p)) {
1012
+ goto bn_err;
1013
+ }
1014
+
1015
+ // The key generation process is complex and thus error-prone. It could be
1016
+ // disastrous to generate and then use a bad key so double-check that the key
1017
+ // makes sense.
1018
+ if (!RSA_check_key(rsa)) {
1019
+ OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
1020
+ goto err;
1021
+ }
1022
+
1023
+ ret = 1;
1024
+
1025
+ bn_err:
1026
+ if (!ret) {
1027
+ OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
1028
+ }
1029
+ err:
1030
+ if (ctx != NULL) {
1031
+ BN_CTX_end(ctx);
1032
+ BN_CTX_free(ctx);
1033
+ }
1034
+ return ret;
1035
+ }
1036
+
1037
+ int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) {
1038
+ // FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit
1039
+ // primes, respectively) with the prime generation method we use.
1040
+ if (bits != 2048 && bits != 3072) {
1041
+ OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
1042
+ return 0;
1043
+ }
1044
+
1045
+ BIGNUM *e = BN_new();
1046
+ int ret = e != NULL &&
1047
+ BN_set_word(e, RSA_F4) &&
1048
+ RSA_generate_key_ex(rsa, bits, e, cb) &&
1049
+ RSA_check_fips(rsa);
1050
+ BN_free(e);
1051
+ return ret;
1052
+ }
1053
+
1054
+ DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) {
1055
+ // All of the methods are NULL to make it easier for the compiler/linker to
1056
+ // drop unused functions. The wrapper functions will select the appropriate
1057
+ // |rsa_default_*| implementation.
1058
+ OPENSSL_memset(out, 0, sizeof(RSA_METHOD));
1059
+ out->common.is_static = 1;
1060
+ out->flags = RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
1061
+ }