Diffstat (limited to 'src/crypto/rsa/rsa.c')
-rw-r--r--src/crypto/rsa/rsa.c143
1 files changed, 48 insertions, 95 deletions
diff --git a/src/crypto/rsa/rsa.c b/src/crypto/rsa/rsa.c
index 2f23165..17059b0 100644
--- a/src/crypto/rsa/rsa.c
+++ b/src/crypto/rsa/rsa.c
@@ -79,7 +79,7 @@ RSA *RSA_new(void) { return RSA_new_method(NULL); }
RSA *RSA_new_method(const ENGINE *engine) {
RSA *rsa = (RSA *)OPENSSL_malloc(sizeof(RSA));
if (rsa == NULL) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(RSA, RSA_new_method, ERR_R_MALLOC_FAILURE);
return NULL;
}
@@ -114,18 +114,6 @@ RSA *RSA_new_method(const ENGINE *engine) {
return rsa;
}
-void RSA_additional_prime_free(RSA_additional_prime *ap) {
- if (ap == NULL) {
- return;
- }
-
- BN_clear_free(ap->prime);
- BN_clear_free(ap->exp);
- BN_clear_free(ap->coeff);
- BN_clear_free(ap->r);
- OPENSSL_free(ap);
-}
-
void RSA_free(RSA *rsa) {
unsigned u;
@@ -157,10 +145,6 @@ void RSA_free(RSA *rsa) {
}
OPENSSL_free(rsa->blindings);
OPENSSL_free(rsa->blindings_inuse);
- if (rsa->additional_primes != NULL) {
- sk_RSA_additional_prime_pop_free(rsa->additional_primes,
- RSA_additional_prime_free);
- }
CRYPTO_MUTEX_cleanup(&rsa->lock);
OPENSSL_free(rsa);
}
@@ -178,16 +162,6 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
return RSA_default_method.keygen(rsa, bits, e_value, cb);
}
-int RSA_generate_multi_prime_key(RSA *rsa, int bits, int num_primes,
- BIGNUM *e_value, BN_GENCB *cb) {
- if (rsa->meth->multi_prime_keygen) {
- return rsa->meth->multi_prime_keygen(rsa, bits, num_primes, e_value, cb);
- }
-
- return RSA_default_method.multi_prime_keygen(rsa, bits, num_primes, e_value,
- cb);
-}
-
int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
const uint8_t *in, size_t in_len, int padding) {
if (rsa->meth->encrypt) {
@@ -368,15 +342,20 @@ static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
},
};
-int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
- int *is_alloced, int hash_nid, const uint8_t *msg,
- size_t msg_len) {
+/* TODO(fork): mostly new code, needs careful review. */
+
+/* pkcs1_prefixed_msg builds a PKCS#1, prefixed version of |msg| for the given
+ * hash function and sets |out_msg| to point to it. On successful return,
+ * |*out_msg| may be allocated memory and, if so, |*is_alloced| will be 1. */
+static int pkcs1_prefixed_msg(uint8_t **out_msg, size_t *out_msg_len,
+ int *is_alloced, int hash_nid, const uint8_t *msg,
+ size_t msg_len) {
unsigned i;
if (hash_nid == NID_md5_sha1) {
/* Special case: SSL signature, just check the length. */
if (msg_len != SSL_SIG_LENGTH) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
+ OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_INVALID_MESSAGE_LENGTH);
return 0;
}
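Review bot: The comment added above pkcs1_prefixed_msg leaves the ownership contract incomplete: it says |*out_msg| may be allocated memory, but not who frees it or what it points to when |*is_alloced| is 0. The callers in RSA_sign and RSA_verify both pass a `signed_msg_is_alloced` flag, so the intent is presumably that the caller releases the buffer only when the flag is 1 and otherwise treats it as borrowed. I would add `* The caller must OPENSSL_free |*out_msg| only if |*is_alloced| is 1; otherwise it must not be freed.` to the comment. The `TODO(fork): mostly new code, needs careful review.` marker also sits on signature-encoding code with no owner or tracking reference, which makes the pending review easy to lose. The function body continues past the end of this hunk.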
@@ -399,13 +378,13 @@ int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
signed_msg_len = prefix_len + msg_len;
if (signed_msg_len < prefix_len) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
+ OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_TOO_LONG);
return 0;
}
signed_msg = OPENSSL_malloc(signed_msg_len);
if (!signed_msg) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -419,7 +398,7 @@ int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
return 1;
}
- OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+ OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_UNKNOWN_ALGORITHM_TYPE);
return 0;
}
@@ -436,14 +415,14 @@ int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
}
- if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
- &signed_msg_is_alloced, hash_nid, in, in_len)) {
+ if (!pkcs1_prefixed_msg(&signed_msg, &signed_msg_len, &signed_msg_is_alloced,
+ hash_nid, in, in_len)) {
return 0;
}
if (rsa_size < RSA_PKCS1_PADDING_SIZE ||
signed_msg_len > rsa_size - RSA_PKCS1_PADDING_SIZE) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
+ OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
goto finish;
}
@@ -474,18 +453,18 @@ int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
}
if (sig_len != rsa_size) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_WRONG_SIGNATURE_LENGTH);
+ OPENSSL_PUT_ERROR(RSA, RSA_verify, RSA_R_WRONG_SIGNATURE_LENGTH);
return 0;
}
if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
+ OPENSSL_PUT_ERROR(RSA, RSA_verify, RSA_R_INVALID_MESSAGE_LENGTH);
return 0;
}
buf = OPENSSL_malloc(rsa_size);
if (!buf) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(RSA, RSA_verify, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -494,13 +473,13 @@ int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
goto out;
}
- if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
- &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
+ if (!pkcs1_prefixed_msg(&signed_msg, &signed_msg_len, &signed_msg_is_alloced,
+ hash_nid, msg, msg_len)) {
goto out;
}
if (len != signed_msg_len || CRYPTO_memcmp(buf, signed_msg, len) != 0) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
+ OPENSSL_PUT_ERROR(RSA, RSA_verify, RSA_R_BAD_SIGNATURE);
goto out;
}
@@ -530,12 +509,12 @@ int RSA_check_key(const RSA *key) {
}
if ((key->p != NULL) != (key->q != NULL)) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
+ OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
return 0;
}
if (!key->n || !key->e) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
+ OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_VALUE_MISSING);
return 0;
}
@@ -547,7 +526,7 @@ int RSA_check_key(const RSA *key) {
ctx = BN_CTX_new();
if (ctx == NULL) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(RSA, RSA_check_key, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -561,74 +540,52 @@ int RSA_check_key(const RSA *key) {
BN_init(&dmq1);
BN_init(&iqmp);
- if (!BN_mul(&n, key->p, key->q, ctx) ||
- /* lcm = lcm(prime-1, for all primes) */
+ if (/* n = pq */
+ !BN_mul(&n, key->p, key->q, ctx) ||
+ /* lcm = lcm(p-1, q-1) */
!BN_sub(&pm1, key->p, BN_value_one()) ||
!BN_sub(&qm1, key->q, BN_value_one()) ||
!BN_mul(&lcm, &pm1, &qm1, ctx) ||
- !BN_gcd(&gcd, &pm1, &qm1, ctx)) {
- OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
- goto out;
- }
-
- size_t num_additional_primes = 0;
- if (key->additional_primes != NULL) {
- num_additional_primes = sk_RSA_additional_prime_num(key->additional_primes);
- }
-
- size_t i;
- for (i = 0; i < num_additional_primes; i++) {
- const RSA_additional_prime *ap =
- sk_RSA_additional_prime_value(key->additional_primes, i);
- if (!BN_mul(&n, &n, ap->prime, ctx) ||
- !BN_sub(&pm1, ap->prime, BN_value_one()) ||
- !BN_mul(&lcm, &lcm, &pm1, ctx) ||
- !BN_gcd(&gcd, &gcd, &pm1, ctx)) {
- OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
- goto out;
- }
- }
-
- if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
!BN_gcd(&gcd, &pm1, &qm1, ctx) ||
- /* de = d*e mod lcm(prime-1, for all primes). */
+ !BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
+ /* de = d*e mod lcm(p-1, q-1) */
!BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
- OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
+ OPENSSL_PUT_ERROR(RSA, RSA_check_key, ERR_LIB_BN);
goto out;
}
if (BN_cmp(&n, key->n) != 0) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
+ OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_N_NOT_EQUAL_P_Q);
goto out;
}
if (!BN_is_one(&de)) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
+ OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_D_E_NOT_CONGRUENT_TO_1);
goto out;
}
has_crt_values = key->dmp1 != NULL;
if (has_crt_values != (key->dmq1 != NULL) ||
has_crt_values != (key->iqmp != NULL)) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
+ OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
goto out;
}
- if (has_crt_values && num_additional_primes == 0) {
+ if (has_crt_values) {
if (/* dmp1 = d mod (p-1) */
!BN_mod(&dmp1, key->d, &pm1, ctx) ||
/* dmq1 = d mod (q-1) */
!BN_mod(&dmq1, key->d, &qm1, ctx) ||
/* iqmp = q^-1 mod p */
!BN_mod_inverse(&iqmp, key->q, key->p, ctx)) {
- OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
+ OPENSSL_PUT_ERROR(RSA, RSA_check_key, ERR_LIB_BN);
goto out;
}
if (BN_cmp(&dmp1, key->dmp1) != 0 ||
BN_cmp(&dmq1, key->dmq1) != 0 ||
BN_cmp(&iqmp, key->iqmp) != 0) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
+ OPENSSL_PUT_ERROR(RSA, RSA_check_key, RSA_R_CRT_VALUES_INCORRECT);
goto out;
}
}
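Review bot: The rewritten condition in RSA_check_key establishes only arithmetic consistency (n = pq, d*e congruent to 1 mod lcm(p-1, q-1), and the CRT values when present), and nothing in the visible lines tests that p and q are prime. If the part of the function outside this hunk does not do so either, a passing result should not be read as full key validation, and the block deserves a comment saying so, e.g. `/* Note: p and q are not tested for primality. */`. As a smaller point, the BN failure paths here report `ERR_LIB_BN` while RSA_recover_crt_params later in the same file reports `ERR_R_BN_LIB`; using one spelling for the reason code would keep error triage consistent. The function starts before and ends after this hunk.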
@@ -656,17 +613,13 @@ int RSA_recover_crt_params(RSA *rsa) {
int ok = 0;
if (rsa->n == NULL || rsa->e == NULL || rsa->d == NULL) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_EMPTY_PUBLIC_KEY);
return 0;
}
if (rsa->p || rsa->q || rsa->dmp1 || rsa->dmq1 || rsa->iqmp) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_PARAMS_ALREADY_GIVEN);
- return 0;
- }
-
- if (rsa->additional_primes != NULL) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params,
+ RSA_R_CRT_PARAMS_ALREADY_GIVEN);
return 0;
}
@@ -675,7 +628,7 @@ int RSA_recover_crt_params(RSA *rsa) {
ctx = BN_CTX_new();
if (ctx == NULL) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -688,7 +641,7 @@ int RSA_recover_crt_params(RSA *rsa) {
if (totient == NULL || rem == NULL || multiple == NULL || p_plus_q == NULL ||
p_minus_q == NULL) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -716,12 +669,12 @@ int RSA_recover_crt_params(RSA *rsa) {
!BN_div(multiple, NULL, totient, rsa->n, ctx) ||
!BN_add_word(multiple, 1) ||
!BN_div(totient, rem, totient, multiple, ctx)) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
goto err;
}
if (!BN_is_zero(rem)) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_BAD_RSA_PARAMETERS);
goto err;
}
@@ -732,7 +685,7 @@ int RSA_recover_crt_params(RSA *rsa) {
rsa->iqmp = BN_new();
if (rsa->p == NULL || rsa->q == NULL || rsa->dmp1 == NULL || rsa->dmq1 ==
NULL || rsa->iqmp == NULL) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -750,12 +703,12 @@ int RSA_recover_crt_params(RSA *rsa) {
!BN_rshift1(rsa->q, rsa->q) ||
!BN_div(rsa->p, NULL, rsa->n, rsa->q, ctx) ||
!BN_mul(multiple, rsa->p, rsa->q, ctx)) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
goto err;
}
if (BN_cmp(multiple, rsa->n) != 0) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_INTERNAL_ERROR);
goto err;
}
@@ -764,7 +717,7 @@ int RSA_recover_crt_params(RSA *rsa) {
!BN_sub(rem, rsa->q, BN_value_one()) ||
!BN_mod(rsa->dmq1, rsa->d, rem, ctx) ||
!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_BN_LIB);
+ OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
goto err;
}