1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
57 #include <openssl/rsa.h>
62 #include <openssl/bn.h>
63 #include <openssl/digest.h>
64 #include <openssl/engine.h>
65 #include <openssl/err.h>
66 #include <openssl/ex_data.h>
67 #include <openssl/md5.h>
68 #include <openssl/mem.h>
69 #include <openssl/nid.h>
70 #include <openssl/sha.h>
71 #include <openssl/thread.h>
73 #include "../bn/internal.h"
74 #include "../delocate.h"
75 #include "../../internal.h"
79 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class);
81 RSA *RSA_new(void) { return RSA_new_method(NULL); }
83 RSA *RSA_new_method(const ENGINE *engine) {
84 RSA *rsa = OPENSSL_malloc(sizeof(RSA));
86 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
90 OPENSSL_memset(rsa, 0, sizeof(RSA));
93 rsa->meth = ENGINE_get_RSA_method(engine);
96 if (rsa->meth == NULL) {
97 rsa->meth = (RSA_METHOD *) RSA_default_method();
99 METHOD_ref(rsa->meth);
102 rsa->flags = rsa->meth->flags;
103 CRYPTO_MUTEX_init(&rsa->lock);
104 CRYPTO_new_ex_data(&rsa->ex_data);
106 if (rsa->meth->init && !rsa->meth->init(rsa)) {
107 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
108 CRYPTO_MUTEX_cleanup(&rsa->lock);
109 METHOD_unref(rsa->meth);
117 void RSA_free(RSA *rsa) {
124 if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
128 if (rsa->meth->finish) {
129 rsa->meth->finish(rsa);
131 METHOD_unref(rsa->meth);
133 CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);
143 BN_MONT_CTX_free(rsa->mont_n);
144 BN_MONT_CTX_free(rsa->mont_p);
145 BN_MONT_CTX_free(rsa->mont_q);
146 BN_free(rsa->d_fixed);
147 BN_free(rsa->dmp1_fixed);
148 BN_free(rsa->dmq1_fixed);
149 BN_free(rsa->inv_small_mod_large_mont);
150 for (u = 0; u < rsa->num_blindings; u++) {
151 BN_BLINDING_free(rsa->blindings[u]);
153 OPENSSL_free(rsa->blindings);
154 OPENSSL_free(rsa->blindings_inuse);
155 CRYPTO_MUTEX_cleanup(&rsa->lock);
159 int RSA_up_ref(RSA *rsa) {
160 CRYPTO_refcount_inc(&rsa->references);
164 unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); }
166 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
167 const BIGNUM **out_d) {
179 void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
180 const BIGNUM **out_q) {
189 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
190 const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
191 if (out_dmp1 != NULL) {
192 *out_dmp1 = rsa->dmp1;
194 if (out_dmq1 != NULL) {
195 *out_dmq1 = rsa->dmq1;
197 if (out_iqmp != NULL) {
198 *out_iqmp = rsa->iqmp;
202 int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
203 if ((rsa->n == NULL && n == NULL) ||
204 (rsa->e == NULL && e == NULL)) {
224 int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {
225 if ((rsa->p == NULL && p == NULL) ||
226 (rsa->q == NULL && q == NULL)) {
242 int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
243 if ((rsa->dmp1 == NULL && dmp1 == NULL) ||
244 (rsa->dmq1 == NULL && dmq1 == NULL) ||
245 (rsa->iqmp == NULL && iqmp == NULL)) {
265 int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
269 if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
273 if (out_len > INT_MAX) {
274 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
280 int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
281 const uint8_t *in, size_t in_len, int padding) {
282 if (rsa->meth->sign_raw) {
283 return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
286 return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);
289 int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
293 if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
297 if (out_len > INT_MAX) {
298 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
304 int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
305 const uint8_t *in, size_t in_len, int padding) {
306 if (rsa->meth->decrypt) {
307 return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
310 return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
313 int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
317 if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
321 if (out_len > INT_MAX) {
322 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
328 int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
332 if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
336 if (out_len > INT_MAX) {
337 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
343 unsigned RSA_size(const RSA *rsa) {
344 if (rsa->meth->size) {
345 return rsa->meth->size(rsa);
348 return rsa_default_size(rsa);
351 int RSA_is_opaque(const RSA *rsa) {
352 return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);
355 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
356 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
358 if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
365 int RSA_set_ex_data(RSA *rsa, int idx, void *arg) {
366 return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg);
369 void *RSA_get_ex_data(const RSA *rsa, int idx) {
370 return CRYPTO_get_ex_data(&rsa->ex_data, idx);
373 // SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
374 // the length of an MD5 and SHA1 hash.
375 static const unsigned SSL_SIG_LENGTH = 36;
377 // pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
378 // to be signed with PKCS#1.
379 struct pkcs1_sig_prefix {
380 // nid identifies the hash function.
382 // hash_len is the expected length of the hash function.
384 // len is the number of bytes of |bytes| which are valid.
386 // bytes contains the DER bytes.
390 // kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
391 // different hash functions.
392 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
397 {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
398 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
404 {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
409 SHA224_DIGEST_LENGTH,
411 {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
412 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
416 SHA256_DIGEST_LENGTH,
418 {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
419 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
423 SHA384_DIGEST_LENGTH,
425 {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
426 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
430 SHA512_DIGEST_LENGTH,
432 {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
433 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
436 NID_undef, 0, 0, {0},
440 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
441 int *is_alloced, int hash_nid, const uint8_t *msg,
445 if (hash_nid == NID_md5_sha1) {
446 // Special case: SSL signature, just check the length.
447 if (msg_len != SSL_SIG_LENGTH) {
448 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
452 *out_msg = (uint8_t*) msg;
453 *out_msg_len = SSL_SIG_LENGTH;
458 for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
459 const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
460 if (sig_prefix->nid != hash_nid) {
464 if (msg_len != sig_prefix->hash_len) {
465 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
469 const uint8_t* prefix = sig_prefix->bytes;
470 unsigned prefix_len = sig_prefix->len;
471 unsigned signed_msg_len;
474 signed_msg_len = prefix_len + msg_len;
475 if (signed_msg_len < prefix_len) {
476 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
480 signed_msg = OPENSSL_malloc(signed_msg_len);
482 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
486 OPENSSL_memcpy(signed_msg, prefix, prefix_len);
487 OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len);
489 *out_msg = signed_msg;
490 *out_msg_len = signed_msg_len;
496 OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
500 int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
501 unsigned *out_len, RSA *rsa) {
502 const unsigned rsa_size = RSA_size(rsa);
504 uint8_t *signed_msg = NULL;
505 size_t signed_msg_len = 0;
506 int signed_msg_is_alloced = 0;
507 size_t size_t_out_len;
509 if (rsa->meth->sign) {
510 return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
513 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
514 &signed_msg_is_alloced, hash_nid, in, in_len) ||
515 !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
516 signed_msg_len, RSA_PKCS1_PADDING)) {
520 *out_len = size_t_out_len;
524 if (signed_msg_is_alloced) {
525 OPENSSL_free(signed_msg);
530 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
531 const uint8_t *in, size_t in_len, const EVP_MD *md,
532 const EVP_MD *mgf1_md, int salt_len) {
533 if (in_len != EVP_MD_size(md)) {
534 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
538 size_t padded_len = RSA_size(rsa);
539 uint8_t *padded = OPENSSL_malloc(padded_len);
540 if (padded == NULL) {
541 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
546 RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) &&
547 RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
549 OPENSSL_free(padded);
553 int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
554 const uint8_t *sig, size_t sig_len, RSA *rsa) {
555 if (rsa->n == NULL || rsa->e == NULL) {
556 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
560 const size_t rsa_size = RSA_size(rsa);
563 uint8_t *signed_msg = NULL;
564 size_t signed_msg_len = 0, len;
565 int signed_msg_is_alloced = 0;
567 if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
568 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
572 buf = OPENSSL_malloc(rsa_size);
574 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
578 if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
579 RSA_PKCS1_PADDING)) {
583 if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
584 &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
588 // Check that no other information follows the hash value (FIPS 186-4 Section
589 // 5.5) and it matches the expected hash.
590 if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
591 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
599 if (signed_msg_is_alloced) {
600 OPENSSL_free(signed_msg);
605 int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len,
606 const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
607 const uint8_t *sig, size_t sig_len) {
608 if (msg_len != EVP_MD_size(md)) {
609 OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
613 size_t em_len = RSA_size(rsa);
614 uint8_t *em = OPENSSL_malloc(em_len);
616 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
621 if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {
625 if (em_len != RSA_size(rsa)) {
626 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
630 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len);
637 static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
638 const BIGNUM *m, int check_reduced, BN_CTX *ctx) {
640 BIGNUM *tmp = BN_CTX_get(ctx);
641 int ret = tmp != NULL &&
642 bn_mul_consttime(tmp, a, ainv, ctx) &&
643 bn_div_consttime(NULL, tmp, tmp, m, ctx);
645 *out_ok = BN_is_one(tmp);
646 if (check_reduced && (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0)) {
654 int RSA_check_key(const RSA *key) {
655 BIGNUM n, pm1, qm1, lcm, dmp1, dmq1, iqmp_times_q;
657 int ok = 0, has_crt_values;
659 if (RSA_is_opaque(key)) {
660 // Opaque keys can't be checked.
664 if ((key->p != NULL) != (key->q != NULL)) {
665 OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
669 if (!key->n || !key->e) {
670 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
674 if (!key->d || !key->p) {
675 // For a public key, or without p and q, there's nothing that can be
682 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
692 BN_init(&iqmp_times_q);
695 if (!bn_mul_consttime(&n, key->p, key->q, ctx) ||
697 !bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
698 !bn_usub_consttime(&qm1, key->q, BN_value_one()) ||
699 !bn_lcm_consttime(&lcm, &pm1, &qm1, ctx) ||
700 // Other implementations use the Euler totient rather than the Carmichael
701 // totient, so allow unreduced |key->d|.
702 !check_mod_inverse(&d_ok, key->e, key->d, &lcm,
703 0 /* don't require reduced */, ctx)) {
704 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
708 if (BN_cmp(&n, key->n) != 0) {
709 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
714 OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
718 if (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0) {
719 OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
723 has_crt_values = key->dmp1 != NULL;
724 if (has_crt_values != (key->dmq1 != NULL) ||
725 has_crt_values != (key->iqmp != NULL)) {
726 OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
730 if (has_crt_values) {
731 int dmp1_ok, dmq1_ok, iqmp_ok;
732 if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1,
733 1 /* check reduced */, ctx) ||
734 !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1,
735 1 /* check reduced */, ctx) ||
736 !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p,
737 1 /* check reduced */, ctx)) {
738 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
742 if (!dmp1_ok || !dmq1_ok || !iqmp_ok) {
743 OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
757 BN_free(&iqmp_times_q);
764 // This is the product of the 132 smallest odd primes, from 3 to 751.
765 static const BN_ULONG kSmallFactorsLimbs[] = {
766 TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
767 TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
768 TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871),
769 TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3),
770 TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893),
771 TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e),
772 TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea),
773 TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727),
777 DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
778 out->d = (BN_ULONG *) kSmallFactorsLimbs;
779 out->width = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);
780 out->dmax = out->width;
782 out->flags = BN_FLG_STATIC_DATA;
785 int RSA_check_fips(RSA *key) {
786 if (RSA_is_opaque(key)) {
787 // Opaque keys can't be checked.
788 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
792 if (!RSA_check_key(key)) {
796 BN_CTX *ctx = BN_CTX_new();
798 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
807 // Perform partial public key validation of RSA keys (SP 800-89 5.3.3).
808 enum bn_primality_result_t primality_result;
809 if (BN_num_bits(key->e) <= 16 ||
810 BN_num_bits(key->e) > 256 ||
811 !BN_is_odd(key->n) ||
812 !BN_is_odd(key->e) ||
813 !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
814 !BN_is_one(&small_gcd) ||
815 !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
816 BN_prime_checks, ctx, NULL) ||
817 primality_result != bn_non_prime_power_composite) {
818 OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
825 if (!ret || key->d == NULL || key->p == NULL) {
826 // On a failure or on only a public key, there's nothing else can be
831 // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
832 // section 9.9, it is not known whether |rsa| will be used for signing or
833 // encryption, so either pair-wise consistency self-test is acceptable. We
834 // perform a signing test.
835 uint8_t data[32] = {0};
836 unsigned sig_len = RSA_size(key);
837 uint8_t *sig = OPENSSL_malloc(sig_len);
839 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
843 if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
844 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
848 #if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
851 if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
852 OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
862 int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
864 if (rsa->meth->private_transform) {
865 return rsa->meth->private_transform(rsa, out, in, len);
868 return rsa_default_private_transform(rsa, out, in, len);
871 int RSA_flags(const RSA *rsa) { return rsa->flags; }
873 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) {