static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { assert(ctx != NULL); assert(rsa->n != NULL); assert(rsa->e != NULL); assert(rsa->d != NULL); assert(rsa->p != NULL); assert(rsa->q != NULL); assert(rsa->dmp1 != NULL); assert(rsa->dmq1 != NULL); assert(rsa->iqmp != NULL); BIGNUM *r1, *m1; int ret = 0; BN_CTX_start(ctx); r1 = BN_CTX_get(ctx); m1 = BN_CTX_get(ctx); if (r1 == NULL || m1 == NULL) { goto err; } if (!freeze_private_key(rsa, ctx)) { goto err; } // Implementing RSA with CRT in constant-time is sensitive to which prime is // larger. Canonicalize fields so that |p| is the larger prime. const BIGNUM *dmp1 = rsa->dmp1_fixed, *dmq1 = rsa->dmq1_fixed; const BN_MONT_CTX *mont_p = rsa->mont_p, *mont_q = rsa->mont_q; if (BN_cmp(rsa->p, rsa->q) < 0) { mont_p = rsa->mont_q; mont_q = rsa->mont_p; dmp1 = rsa->dmq1_fixed; dmq1 = rsa->dmp1_fixed; } // Use the minimal-width versions of |n|, |p|, and |q|. Either works, but if // someone gives us non-minimal values, these will be slightly more efficient // on the non-Montgomery operations. const BIGNUM *n = &rsa->mont_n->N; const BIGNUM *p = &mont_p->N; const BIGNUM *q = &mont_q->N; // This is a pre-condition for |mod_montgomery|. It was already checked by the // caller. assert(BN_ucmp(I, n) < 0); if (// |m1| is the result modulo |q|. !mod_montgomery(r1, I, q, mont_q, p, ctx) || !BN_mod_exp_mont_consttime(m1, r1, dmq1, q, ctx, mont_q) || // |r0| is the result modulo |p|. !mod_montgomery(r1, I, p, mont_p, q, ctx) || !BN_mod_exp_mont_consttime(r0, r1, dmp1, p, ctx, mont_p) || // Compute r0 = r0 - m1 mod p. |p| is the larger prime, so |m1| is already // fully reduced mod |p|. !bn_mod_sub_consttime(r0, r0, m1, p, ctx) || // r0 = r0 * iqmp mod p. We use Montgomery multiplication to compute this // in constant time. |inv_small_mod_large_mont| is in Montgomery form and // r0 is not, so the result is taken out of Montgomery form. !BN_mod_mul_montgomery(r0, r0, rsa->inv_small_mod_large_mont, mont_p, ctx) || // r0 = r0 * q + m1 gives the final result. Reducing modulo q gives m1, so // it is correct mod p. Reducing modulo p gives (r0-m1)*iqmp*q + m1 = r0, // so it is correct mod q. Finally, the result is bounded by [m1, n + m1), // and the result is at least |m1|, so this must be the unique answer in // [0, n). !bn_mul_consttime(r0, r0, q, ctx) || !bn_uadd_consttime(r0, r0, m1) || // The result should be bounded by |n|, but fixed-width operations may // bound the width slightly higher, so fix it. !bn_resize_words(r0, n->width)) { goto err; } ret = 1; err: BN_CTX_end(ctx); return ret; }
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { // See FIPS 186-4 appendix B.3. This function implements a generalized version // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks // for FIPS-compliant key generation. // Always generate RSA keys which are a multiple of 128 bits. Round |bits| // down as needed. bits &= ~127; // Reject excessively small keys. if (bits < 256) { OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); return 0; } // Reject excessively large public exponents. Windows CryptoAPI and Go don't // support values larger than 32 bits, so match their limits for generating // keys. (|check_modulus_and_exponent_sizes| uses a slightly more conservative // value, but we don't need to support generating such keys.) // https://github.com/golang/go/issues/3161 // https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx if (BN_num_bits(e_value) > 32) { OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); return 0; } int ret = 0; int prime_bits = bits / 2; BN_CTX *ctx = BN_CTX_new(); if (ctx == NULL) { goto bn_err; } BN_CTX_start(ctx); BIGNUM *totient = BN_CTX_get(ctx); BIGNUM *pm1 = BN_CTX_get(ctx); BIGNUM *qm1 = BN_CTX_get(ctx); BIGNUM *sqrt2 = BN_CTX_get(ctx); BIGNUM *pow2_prime_bits_100 = BN_CTX_get(ctx); BIGNUM *pow2_prime_bits = BN_CTX_get(ctx); if (totient == NULL || pm1 == NULL || qm1 == NULL || sqrt2 == NULL || pow2_prime_bits_100 == NULL || pow2_prime_bits == NULL || !BN_set_bit(pow2_prime_bits_100, prime_bits - 100) || !BN_set_bit(pow2_prime_bits, prime_bits)) { goto bn_err; } // We need the RSA components non-NULL. if (!ensure_bignum(&rsa->n) || !ensure_bignum(&rsa->d) || !ensure_bignum(&rsa->e) || !ensure_bignum(&rsa->p) || !ensure_bignum(&rsa->q) || !ensure_bignum(&rsa->dmp1) || !ensure_bignum(&rsa->dmq1)) { goto bn_err; } if (!BN_copy(rsa->e, e_value)) { goto bn_err; } // Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋. if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) { goto bn_err; } int sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2; assert(sqrt2_bits == (int)BN_num_bits(sqrt2)); if (sqrt2_bits > prime_bits) { // For key sizes up to 3072 (prime_bits = 1536), this is exactly // ⌊2^(prime_bits-1)×√2⌋. if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) { goto bn_err; } } else if (prime_bits > sqrt2_bits) { // For key sizes beyond 3072, this is approximate. We err towards retrying // to ensure our key is the right size and round up. if (!BN_add_word(sqrt2, 1) || !BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) { goto bn_err; } } assert(prime_bits == (int)BN_num_bits(sqrt2)); do { // Generate p and q, each of size |prime_bits|, using the steps outlined in // appendix FIPS 186-4 appendix B.3.3. if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2, pow2_prime_bits_100, ctx, cb) || !BN_GENCB_call(cb, 3, 0) || !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2, pow2_prime_bits_100, ctx, cb) || !BN_GENCB_call(cb, 3, 1)) { goto bn_err; } if (BN_cmp(rsa->p, rsa->q) < 0) { BIGNUM *tmp = rsa->p; rsa->p = rsa->q; rsa->q = tmp; } // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs // from typical RSA implementations which use (p-1)*(q-1). // // Note this means the size of d might reveal information about p-1 and // q-1. However, we do operations with Chinese Remainder Theorem, so we only // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient // does not affect those two values. int no_inverse; if (!bn_usub_consttime(pm1, rsa->p, BN_value_one()) || !bn_usub_consttime(qm1, rsa->q, BN_value_one()) || !bn_lcm_consttime(totient, pm1, qm1, ctx) || !bn_mod_inverse_consttime(rsa->d, &no_inverse, rsa->e, totient, ctx)) { goto bn_err; } // Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on // values for d. } while (BN_cmp(rsa->d, pow2_prime_bits) <= 0); if (// Calculate n. !bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) || // Calculate d mod (p-1). !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, ctx) || // Calculate d mod (q-1) !bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, ctx)) { goto bn_err; } bn_set_minimal_width(rsa->n); // Sanity-check that |rsa->n| has the specified size. This is implied by // |generate_prime|'s bounds. if (BN_num_bits(rsa->n) != (unsigned)bits) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } // Call |freeze_private_key| to compute the inverse of q mod p, by way of // |rsa->mont_p|. if (!freeze_private_key(rsa, ctx)) { goto bn_err; } // The key generation process is complex and thus error-prone. It could be // disastrous to generate and then use a bad key so double-check that the key // makes sense. if (!RSA_check_key(rsa)) { OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR); goto err; } ret = 1; bn_err: if (!ret) { OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); } err: if (ctx != NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); } return ret; }
int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len) { if (rsa->n == NULL || rsa->d == NULL) { OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); return 0; } BIGNUM *f, *result; BN_CTX *ctx = NULL; unsigned blinding_index = 0; BN_BLINDING *blinding = NULL; int ret = 0; ctx = BN_CTX_new(); if (ctx == NULL) { goto err; } BN_CTX_start(ctx); f = BN_CTX_get(ctx); result = BN_CTX_get(ctx); if (f == NULL || result == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); goto err; } if (BN_bin2bn(in, len, f) == NULL) { goto err; } if (BN_ucmp(f, rsa->n) >= 0) { // Usually the padding functions would catch this. OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); goto err; } if (!freeze_private_key(rsa, ctx)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } const int do_blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0; if (rsa->e == NULL && do_blinding) { // We cannot do blinding or verification without |e|, and continuing without // those countermeasures is dangerous. However, the Java/Android RSA API // requires support for keys where only |d| and |n| (and not |e|) are known. // The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|. OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT); goto err; } if (do_blinding) { blinding = rsa_blinding_get(rsa, &blinding_index, ctx); if (blinding == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx)) { goto err; } } if (rsa->p != NULL && rsa->q != NULL && rsa->e != NULL && rsa->dmp1 != NULL && rsa->dmq1 != NULL && rsa->iqmp != NULL) { if (!mod_exp(result, f, rsa, ctx)) { goto err; } } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d_fixed, rsa->n, ctx, rsa->mont_n)) { goto err; } // Verify the result to protect against fault attacks as described in the // 1997 paper "On the Importance of Checking Cryptographic Protocols for // Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some // implementations do this only when the CRT is used, but we do it in all // cases. Section 6 of the aforementioned paper describes an attack that // works when the CRT isn't used. That attack is much less likely to succeed // than the CRT attack, but there have likely been improvements since 1997. // // This check is cheap assuming |e| is small; it almost always is. if (rsa->e != NULL) { BIGNUM *vrfy = BN_CTX_get(ctx); if (vrfy == NULL || !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) || !BN_equal_consttime(vrfy, f)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } } if (do_blinding && !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) { goto err; } // The computation should have left |result| as a maximally-wide number, so // that it and serializing does not leak information about the magnitude of // the result. // // See Falko Stenzke, "Manger's Attack revisited", ICICS 2010. assert(result->width == rsa->mont_n->N.width); if (!BN_bn2bin_padded(out, len, result)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } ret = 1; err: if (ctx != NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); } if (blinding != NULL) { rsa_blinding_release(rsa, blinding, blinding_index); } return ret; }
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { // See FIPS 186-4 appendix B.3. This function implements a generalized version // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks // for FIPS-compliant key generation. // Always generate RSA keys which are a multiple of 128 bits. Round |bits| // down as needed. bits &= ~127; // Reject excessively small keys. if (bits < 256) { OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); return 0; } int ret = 0; BN_CTX *ctx = BN_CTX_new(); if (ctx == NULL) { goto bn_err; } BN_CTX_start(ctx); BIGNUM *totient = BN_CTX_get(ctx); BIGNUM *pm1 = BN_CTX_get(ctx); BIGNUM *qm1 = BN_CTX_get(ctx); BIGNUM *gcd = BN_CTX_get(ctx); BIGNUM *sqrt2 = BN_CTX_get(ctx); if (totient == NULL || pm1 == NULL || qm1 == NULL || gcd == NULL || sqrt2 == NULL) { goto bn_err; } // We need the RSA components non-NULL. if (!ensure_bignum(&rsa->n) || !ensure_bignum(&rsa->d) || !ensure_bignum(&rsa->e) || !ensure_bignum(&rsa->p) || !ensure_bignum(&rsa->q) || !ensure_bignum(&rsa->dmp1) || !ensure_bignum(&rsa->dmq1)) { goto bn_err; } if (!BN_copy(rsa->e, e_value)) { goto bn_err; } int prime_bits = bits / 2; // Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋. if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) { goto bn_err; } int sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2; assert(sqrt2_bits == (int)BN_num_bits(sqrt2)); if (sqrt2_bits > prime_bits) { // For key sizes up to 3072 (prime_bits = 1536), this is exactly // ⌊2^(prime_bits-1)×√2⌋. if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) { goto bn_err; } } else if (prime_bits > sqrt2_bits) { // For key sizes beyond 3072, this is approximate. We err towards retrying // to ensure our key is the right size and round up. if (!BN_add_word(sqrt2, 1) || !BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) { goto bn_err; } } assert(prime_bits == (int)BN_num_bits(sqrt2)); do { // Generate p and q, each of size |prime_bits|, using the steps outlined in // appendix FIPS 186-4 appendix B.3.3. if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2, ctx, cb) || !BN_GENCB_call(cb, 3, 0) || !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2, ctx, cb) || !BN_GENCB_call(cb, 3, 1)) { goto bn_err; } if (BN_cmp(rsa->p, rsa->q) < 0) { BIGNUM *tmp = rsa->p; rsa->p = rsa->q; rsa->q = tmp; } // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs // from typical RSA implementations which use (p-1)*(q-1). // // Note this means the size of d might reveal information about p-1 and // q-1. However, we do operations with Chinese Remainder Theorem, so we only // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient // does not affect those two values. if (!BN_sub(pm1, rsa->p, BN_value_one()) || !BN_sub(qm1, rsa->q, BN_value_one()) || !BN_mul(totient, pm1, qm1, ctx) || !BN_gcd(gcd, pm1, qm1, ctx) || !BN_div(totient, NULL, totient, gcd, ctx) || !BN_mod_inverse(rsa->d, rsa->e, totient, ctx)) { goto bn_err; } // Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See // appendix B.3.1's guidance on values for d. } while (!rsa_greater_than_pow2(rsa->d, prime_bits)); if (// Calculate n. !BN_mul(rsa->n, rsa->p, rsa->q, ctx) || // Calculate d mod (p-1). !BN_mod(rsa->dmp1, rsa->d, pm1, ctx) || // Calculate d mod (q-1) !BN_mod(rsa->dmq1, rsa->d, qm1, ctx)) { goto bn_err; } // Sanity-check that |rsa->n| has the specified size. This is implied by // |generate_prime|'s bounds. if (BN_num_bits(rsa->n) != (unsigned)bits) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } // Call |freeze_private_key| to compute the inverse of q mod p, by way of // |rsa->mont_p|. if (!freeze_private_key(rsa, ctx)) { goto bn_err; } // The key generation process is complex and thus error-prone. It could be // disastrous to generate and then use a bad key so double-check that the key // makes sense. if (!RSA_check_key(rsa)) { OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR); goto err; } ret = 1; bn_err: if (!ret) { OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); } err: if (ctx != NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); } return ret; }