1 /* crypto/rsa/rsa_eay.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. 
If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. 
All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 
*
 */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>

#ifndef RSA_NULL

/*
 * Built-in software RSA_METHOD ("Eric Young's PKCS#1 RSA").
 *
 * The four public entry points below take a raw input of flen bytes,
 * apply/strip the padding selected by 'padding', and perform the modular
 * exponentiation through rsa->meth->bn_mod_exp (public ops) or
 * rsa->meth->rsa_mod_exp (private ops, CRT).  All of them write at most
 * BN_num_bytes(rsa->n) bytes to 'to', so callers must size 'to' accordingly.
 */
static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
static int RSA_eay_init(RSA *rsa);
static int RSA_eay_finish(RSA *rsa);
static RSA_METHOD rsa_pkcs1_eay_meth={
	"Eric Young's PKCS#1 RSA",
	RSA_eay_public_encrypt,
	RSA_eay_public_decrypt, /* signature verification */
	RSA_eay_private_encrypt, /* signing */
	RSA_eay_private_decrypt,
	RSA_eay_mod_exp,	/* CRT private exponentiation, see below */
	BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
	RSA_eay_init,
	RSA_eay_finish,
	0, /* flags */
	NULL,
	0, /* rsa_sign */	/* no method-level sign: generic RSA_sign() is used */
	0, /* rsa_verify */	/* no method-level verify: generic RSA_verify() is used */
	NULL /* rsa_keygen */	/* no method-level keygen */
	};

/* Return the default software RSA method (the table above). */
const RSA_METHOD *RSA_PKCS1_SSLeay(void)
	{
	return(&rsa_pkcs1_eay_meth);
	}

/*
 * RSA public-key encryption: pad 'from' (flen bytes) according to
 * 'padding' to a block of num = BN_num_bytes(rsa->n) bytes, then compute
 * block^e mod n.  Exactly num bytes are written to 'to' (left-padded
 * with zero bytes).  Returns num on success, -1 on error.
 *
 * Supported paddings: RSA_PKCS1_PADDING (type 2, randomized),
 * RSA_PKCS1_OAEP_PADDING (OAEP with an empty label, randomized;
 * only when SHA is compiled in), RSA_SSLV23_PADDING, RSA_NO_PADDING.
 */
static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM *f,*ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	/* Public keys are frequently attacker-supplied (certificates, peer
	 * keys).  Bound the work an exponentiation can cost before doing any:
	 * the modulus may not exceed OPENSSL_RSA_MAX_MODULUS_BITS ... */
	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
		return -1;
		}

	/* ... e must be strictly smaller than n ... */
	if (BN_ucmp(rsa->n, rsa->e) <= 0)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
		return -1;
		}

	/* ... and for large moduli, enforce exponent limit so that a huge e
	 * cannot turn the public operation into a denial of service.
	 * NOTE(review): only the two public-key entry points in this file
	 * perform these key sanity checks; the private-key paths do not. */
	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
		{
		if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
			{
			RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
			return -1;
			}
		}

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	BN_CTX_start(ctx);
	f = BN_CTX_get(ctx);
	ret = BN_CTX_get(ctx);
	num=BN_num_bytes(rsa->n);
	/* buf receives the padded message block, i.e. the plaintext plus
	 * padding; it is cleansed before being freed (see err:). */
	buf = OPENSSL_malloc(num);
	if (!f || !ret || !buf)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* i <= 0 from any padder means "message too long for this modulus /
	 * padding" (or an RNG failure for the randomized ones). */
	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
		break;
#ifndef OPENSSL_NO_SHA
	case RSA_PKCS1_OAEP_PADDING:
		/* NULL,0: no OAEP label (encoding parameter) is supported here */
		i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
		break;
#endif
	case RSA_SSLV23_PADDING:
		i=RSA_padding_add_SSLv23(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,f) == NULL) goto err;

	/* The padded block, read as a big-endian integer, must be < n for the
	 * operation to be invertible (matters for RSA_NO_PADDING, where the
	 * caller supplies the whole block). */
	if (BN_ucmp(f, rsa->n) >= 0)
		{
		/* usually the padding functions would catch this */
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	/* Lazily build (under CRYPTO_LOCK_RSA) and cache the Montgomery
	 * context for n; RSA_eay_init turns this flag on by default. */
	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
			goto err;

	/* ret = f^e mod n; no blinding is needed for a public operation. */
	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(ret);
	i=BN_bn2bin(ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL)
		{
		BN_CTX_end(ctx);
		BN_CTX_free(ctx);
		}
	if (buf != NULL)
		{
		/* wipe the padded plaintext before releasing the memory */
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

/*
 * rsa_get_blinding(): select (and lazily create) the BN_BLINDING that the
 * calling thread may use for a private-key operation; see the body below.
 */
static
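BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
	{
	/*
	 * Return the BN_BLINDING to use for this thread's private-key
	 * operation, creating it on first use.
	 *
	 * rsa->blinding belongs to the thread that created it (identified by
	 * BN_BLINDING_thread_id()).  If that is the caller, *local is set to 1
	 * and the structure may be used without further locking.  Any other
	 * thread gets rsa->mt_blinding with *local = 0: it must be accessed
	 * under CRYPTO_LOCK_RSA_BLINDING and the unblinding factor must be kept
	 * in a caller-supplied BIGNUM (see rsa_blinding_convert()).
	 *
	 * Returns NULL if RSA_setup_blinding() failed.  NOTE: *local is not
	 * written on that path, so callers must not read it after a NULL return.
	 */
	BN_BLINDING *ret;
	int got_write_lock = 0;
	CRYPTO_THREADID cur;

	CRYPTO_r_lock(CRYPTO_LOCK_RSA);

	if (rsa->blinding == NULL)
		{
		/* Upgrade to the write lock.  The lock is dropped in between, so
		 * another thread may have created the blinding meanwhile: the
		 * NULL test is repeated under the write lock before creating. */
		CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
		CRYPTO_w_lock(CRYPTO_LOCK_RSA);
		got_write_lock = 1;

		if (rsa->blinding == NULL)
			rsa->blinding = RSA_setup_blinding(rsa, ctx);
		}

	ret = rsa->blinding;
	if (ret == NULL)
		goto err;

	CRYPTO_THREADID_current(&cur);
	if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret)))
		{
		/* rsa->blinding is ours! */

		*local = 1;
		}
	else
		{
		/* resort to rsa->mt_blinding instead */

		*local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
		             * that the BN_BLINDING is shared, meaning that accesses
		             * require locks, and that the blinding factor must be
		             * stored outside the BN_BLINDING
		             */

		if (rsa->mt_blinding == NULL)
			{
			/* same lock-upgrade-and-recheck dance as for rsa->blinding */
			if (!got_write_lock)
				{
				CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
				CRYPTO_w_lock(CRYPTO_LOCK_RSA);
				got_write_lock = 1;
				}

			if (rsa->mt_blinding == NULL)
				rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
			}
		ret = rsa->mt_blinding;
		}

 err:
	if (got_write_lock)
		CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	else
		CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
	return ret;
	}

/*
 * Blind f in place (f := f * r^e mod n, with r chosen by the blinding).
 * unblind == NULL means the blinding is thread-local and keeps its own
 * unblinding factor; otherwise the blinding is shared, the factor is
 * written to *unblind, and the update is serialised on
 * CRYPTO_LOCK_RSA_BLINDING.  Returns the BN_BLINDING_convert_ex() result.
 */
static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
	BN_CTX *ctx)
	{
	if (unblind == NULL)
		/* Local blinding: store the unblinding factor
		 * in BN_BLINDING. */
		return BN_BLINDING_convert_ex(f, NULL, b, ctx);
	else
		{
		/* Shared blinding: store the unblinding factor
		 * outside BN_BLINDING. */
		int ret;
		CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
		ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
		CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
		return ret;
		}
	}

/*
 * Remove the blinding from f in place after the private exponentiation.
 * Counterpart of rsa_blinding_convert(); same meaning of 'unblind'.
 */
static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
	BN_CTX *ctx)
	{
	/* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
	 * will use the unblinding factor stored in BN_BLINDING.
	 * If BN_BLINDING is shared between threads, unblind must be non-null:
	 * BN_BLINDING_invert_ex will then use the local unblinding factor,
	 * and will only read the modulus from BN_BLINDING.
	 * In both cases it's safe to access the blinding without a lock.
	 */
	return BN_BLINDING_invert_ex(f, unblind, b, ctx);
	}

/* signing */
/*
 * RSA private-key operation used for signing: pad 'from' (flen bytes)
 * with PKCS#1 type 1, X9.31 or no padding into a num = BN_num_bytes(n)
 * byte block, blind it, compute block^d mod n, unblind, and write exactly
 * num bytes to 'to' (left-padded with zeros).  Returns num or -1.
 *
 * The exponentiation goes through rsa->meth->rsa_mod_exp (CRT) when all of
 * p, q, dmp1, dmq1, iqmp are present or RSA_FLAG_EXT_PKEY is set; otherwise
 * a plain d-exponentiation mod n is used, with d marked BN_FLG_CONSTTIME
 * unless RSA_FLAG_NO_CONSTTIME is set.
 *
 * Blinding randomises the value that is actually exponentiated so that the
 * timing of the private operation is not correlated with the input; it is
 * the countermeasure against timing side channels on d.  With
 * RSA_FLAG_NO_BLINDING set the raw input is exponentiated and only the
 * constant-time BN flag remains as protection.
 */
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM *f, *ret, *res;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;
	int local_blinding = 0;
	/* Used only if the blinding structure is shared. A non-NULL unblind
	 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
	 * the unblinding factor outside the blinding structure. */
	BIGNUM *unblind = NULL;
	BN_BLINDING *blinding = NULL;

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	BN_CTX_start(ctx);
	f = BN_CTX_get(ctx);
	ret = BN_CTX_get(ctx);
	num = BN_num_bytes(rsa->n);
	buf = OPENSSL_malloc(num);
	if(!f || !ret || !buf)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* Only deterministic, signature-style paddings are accepted here;
	 * the encryption paddings (type 2, OAEP, SSLv23) are rejected. */
	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
		break;
	case RSA_X931_PADDING:
		i=RSA_padding_add_X931(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	case RSA_SSLV23_PADDING:
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,f) == NULL) goto err;

	if (BN_ucmp(f, rsa->n) >= 0)
		{
		/* usually the padding functions would catch this */
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
		{
		blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
		if (blinding == NULL)
			{
			RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
			goto err;
			}
		}

	if (blinding != NULL)
		{
		/* Shared blinding: the unblinding factor lives in our own ctx */
		if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
			{
			RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
			goto err;
			}
		if (!rsa_blinding_convert(blinding, f, unblind, ctx))
			goto err;
		}

	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{
		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
		}
	else
		{
		BIGNUM local_d;
		BIGNUM *d = NULL;

		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
			{
			/* local_d is a flagged alias of rsa->d (never freed here);
			 * the key's own BIGNUM is left untouched. */
			BN_init(&local_d);
			d = &local_d;
			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
			}
		else
			d= rsa->d;

		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
			if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
				goto err;

		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
				rsa->_method_mod_n)) goto err;
		}

	if (blinding)
		if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
			goto err;

	if (padding == RSA_X931_PADDING)
		{
		/* X9.31 signatures are the smaller of s and n - s.
		 * BN_sub() can fail (allocation); the result was previously used
		 * unchecked, which would have signed with a stale f. */
		if (!BN_sub(f, rsa->n, ret)) goto err;
		if (BN_cmp(ret, f) > 0)
			res = f;
		else
			res = ret;
		}
	else
		res = ret;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(res);
	i=BN_bn2bin(res,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL)
		{
		BN_CTX_end(ctx);
		BN_CTX_free(ctx);
		}
	if (buf != NULL)
		{
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

/*
 * RSA private-key decryption: read 'from' (flen <= num bytes) as a
 * big-endian integer c < n, blind, compute c^d mod n, unblind, and strip
 * the padding selected by 'padding' into 'to'.  Returns the recovered
 * message length, or -1 on error.  Exponentiation and blinding follow the
 * same rules as RSA_eay_private_encrypt().
 *
 * Side-channel caveat (RSA_PKCS1_PADDING in particular): the decrypted
 * value is re-encoded with BN_bn2bin(), so the length 'j' handed to the
 * padding checker depends on the number of leading zero bytes of the
 * plaintext, and a padding failure is reported as a distinct error.  A
 * caller that lets an attacker who chooses ciphertexts observe whether
 * the padding check passed (through errors, timing or behaviour) provides
 * a Bleichenbacher-style decryption oracle; such callers must make the
 * failure path indistinguishable from success.
 */
static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM *f, *ret;
	int j,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;
	int local_blinding = 0;
	/* Used only if the blinding structure is shared. A non-NULL unblind
	 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
	 * the unblinding factor outside the blinding structure. */
	BIGNUM *unblind = NULL;
	BN_BLINDING *blinding = NULL;

	if((ctx = BN_CTX_new()) == NULL) goto err;
	BN_CTX_start(ctx);
	f = BN_CTX_get(ctx);
	ret = BN_CTX_get(ctx);
	num = BN_num_bytes(rsa->n);
	buf = OPENSSL_malloc(num);
	if(!f || !ret || !buf)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equality but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	/* make data into a big number */
	if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;

	/* ciphertext must be a canonical residue: c < n */
	if (BN_ucmp(f, rsa->n) >= 0)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
		{
		blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
		if (blinding == NULL)
			{
			RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
			goto err;
			}
		}

	if (blinding != NULL)
		{
		/* Shared blinding: the unblinding factor lives in our own ctx */
		if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
			{
			RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
			goto err;
			}
		if (!rsa_blinding_convert(blinding, f, unblind, ctx))
			goto err;
		}

	/* do the decrypt */
	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{
		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
		}
	else
		{
		BIGNUM local_d;
		BIGNUM *d = NULL;

		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
			{
			/* Initialise the alias before BN_with_flags(), as
			 * RSA_eay_private_encrypt() does, rather than handing
			 * BN_with_flags() an indeterminate struct. */
			BN_init(&local_d);
			d = &local_d;
			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
			}
		else
			d = rsa->d;

		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
				goto err;
		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
				rsa->_method_mod_n))
			goto err;
		}

	if (blinding)
		if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
			goto err;

	/* Minimal big-endian encoding: leading zero bytes are dropped, so j
	 * (and the padding checker's view of the block) depends on the
	 * plaintext -- see the side-channel caveat in the header comment. */
	p=buf;
	j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
		break;
#ifndef OPENSSL_NO_SHA
	case RSA_PKCS1_OAEP_PADDING:
		/* NULL,0: empty OAEP label, matching RSA_eay_public_encrypt() */
		r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
		break;
#endif
	case RSA_SSLV23_PADDING:
		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,j,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL)
		{
		BN_CTX_end(ctx);
		BN_CTX_free(ctx);
		}
	if (buf != NULL)
		{
		/* buf held the (padded) plaintext: wipe it */
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

/* signature verification */
/*
 * RSA public-key "decryption" (signature recovery): read 'from'
 * (flen <= num bytes) as a big-endian integer s < n, compute s^e mod n and
 * strip the PKCS#1 type 1, X9.31 or no padding into 'to'.  Returns the
 * recovered data length or -1.  The same up-front key sanity checks as in
 * RSA_eay_public_encrypt() are applied, since the key is typically
 * untrusted input.
 */
static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM *f,*ret;
	int i,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
		return -1;
		}

	if (BN_ucmp(rsa->n, rsa->e) <= 0)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
		return -1;
		}

	/* for large moduli, enforce exponent limit */
	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
		{
		if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
			{
			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
			return -1;
			}
		}

	if((ctx = BN_CTX_new()) == NULL) goto err;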
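/* (body of RSA_eay_public_decrypt continues) */
	BN_CTX_start(ctx);
	f = BN_CTX_get(ctx);
	ret = BN_CTX_get(ctx);
	num=BN_num_bytes(rsa->n);
	buf = OPENSSL_malloc(num);
	if(!f || !ret || !buf)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equality but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	if (BN_bin2bn(from,flen,f) == NULL) goto err;

	/* signature must be a canonical residue: s < n */
	if (BN_ucmp(f, rsa->n) >= 0)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
			goto err;

	/* ret = f^e mod n */
	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	/* X9.31: the signer emitted min(s, n - s) (see RSA_eay_private_encrypt);
	 * a valid X9.31 block ends in the nibble 0xC (12), so if it does not,
	 * the other representative n - ret is the one to check.
	 * NOTE(review): ret->d[0] is read directly rather than through the BN
	 * API; for a zero result the word array need not hold a meaningful
	 * value -- confirm whether a BN_is_zero() guard is wanted here. */
	if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
		if (!BN_sub(ret, rsa->n, ret)) goto err;

	p=buf;
	i=BN_bn2bin(ret,p);

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		break;
	case RSA_X931_PADDING:
		r=RSA_padding_check_X931(to,num,buf,i,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,i,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL)
		{
		BN_CTX_end(ctx);
		BN_CTX_free(ctx);
		}
	if (buf != NULL)
		{
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

/*
 * Private exponentiation by the Chinese Remainder Theorem:
 * r0 = I^d mod n computed as
 *     m1 = (I mod q)^dmq1 mod q
 *     r0 = (I mod p)^dmp1 mod p
 *     r0 = ((r0 - m1) * iqmp mod p) * q + m1
 * Requires p, q, dmp1, dmq1 and iqmp to be set (the callers check that).
 * Returns 1 on success, 0 on error; ctx must already be usable.
 *
 * Unless RSA_FLAG_NO_CONSTTIME is set, every secret operand (p, q, dmp1,
 * dmq1, the input I and the intermediate r1) is wrapped with
 * BN_FLG_CONSTTIME so that the BN routines take their constant-time paths.
 * The wrappers are stack BIGNUMs aliasing the key's data and are never
 * freed here.
 *
 * Fault-attack countermeasure: when e and n are available the CRT result
 * is re-encrypted and compared with I mod n.  A corrupted half of the CRT
 * computation (the classic CRT fault attack) would otherwise yield a
 * signature from which n can be factored; on mismatch the result is
 * recomputed with a plain d-exponentiation instead.  Keys loaded without
 * e get no such check.
 */
static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
	{
	BIGNUM *r1,*m1,*vrfy;
	BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
	BIGNUM *dmp1,*dmq1,*c,*pr1;
	int ret=0;

	BN_CTX_start(ctx);
	r1 = BN_CTX_get(ctx);
	m1 = BN_CTX_get(ctx);
	vrfy = BN_CTX_get(ctx);
	/* BN_CTX_get() can fail; the other functions in this file check its
	 * result, and a NULL r1 would be dereferenced by BN_mod() below. */
	if (r1 == NULL || m1 == NULL || vrfy == NULL)
		goto err;

	{
		BIGNUM local_p, local_q;
		BIGNUM *p = NULL, *q = NULL;

		/* Make sure BN_mod_inverse in Montgomery intialization uses the
		 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
		 */
		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
			{
			BN_init(&local_p);
			p = &local_p;
			BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);

			BN_init(&local_q);
			q = &local_q;
			BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
			}
		else
			{
			p = rsa->p;
			q = rsa->q;
			}

		/* Cache the Montgomery contexts for p and q (set by RSA_eay_init) */
		if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
			{
			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
				goto err;
			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
				goto err;
			}
	}

	/* needed for the verification exponentiation with e below */
	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
			goto err;

	/* compute I mod q */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		/* BN_init() the aliases before BN_with_flags(), as is done for
		 * local_p/local_q above, so no indeterminate struct is used. */
		BN_init(&local_c);
		c = &local_c;
		BN_with_flags(c, I, BN_FLG_CONSTTIME);
		if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
		}
	else
		{
		if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
		}

	/* compute r1^dmq1 mod q */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		BN_init(&local_dmq1);
		dmq1 = &local_dmq1;
		BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
		}
	else
		dmq1 = rsa->dmq1;
	if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
		rsa->_method_mod_q)) goto err;

	/* compute I mod p */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		BN_init(&local_c);
		c = &local_c;
		BN_with_flags(c, I, BN_FLG_CONSTTIME);
		if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
		}
	else
		{
		if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
		}

	/* compute r1^dmp1 mod p */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		BN_init(&local_dmp1);
		dmp1 = &local_dmp1;
		BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
		}
	else
		dmp1 = rsa->dmp1;
	if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
		rsa->_method_mod_p)) goto err;

	/* Garner recombination: r0 = (r0 - m1) * iqmp mod p */
	if (!BN_sub(r0,r0,m1)) goto err;
	/* This will help stop the size of r0 increasing, which does
	 * affect the multiply if it optimised for a power of 2 size */
	if (BN_is_negative(r0))
		if (!BN_add(r0,r0,rsa->p)) goto err;

	if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;

	/* Turn BN_FLG_CONSTTIME flag on before division operation */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		BN_init(&local_r1);
		pr1 = &local_r1;
		BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
		}
	else
		pr1 = r1;
	if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;

	/* If p < q it is occasionally possible for the correction of
	 * adding 'p' if r0 is negative above to leave the result still
	 * negative. This can break the private key operations: the following
	 * second correction should *always* correct this rare occurrence.
	 * This will *never* happen with OpenSSL generated keys because
	 * they ensure p > q [steve]
	 */
	if (BN_is_negative(r0))
		if (!BN_add(r0,r0,rsa->p)) goto err;
	/* r0 = r0 * q + m1 */
	if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
	if (!BN_add(r0,r1,m1)) goto err;

	if (rsa->e && rsa->n)
		{
		/* vrfy = r0^e mod n; must equal I (mod n) if the CRT was faultless */
		if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
		/* If 'I' was greater than (or equal to) rsa->n, the operation
		 * will be equivalent to using 'I mod n'. However, the result of
		 * the verify will *always* be less than 'n' so we don't check
		 * for absolute equality, just congruency. */
		if (!BN_sub(vrfy, vrfy, I)) goto err;
		if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
		if (BN_is_negative(vrfy))
			if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
		if (!BN_is_zero(vrfy))
			{
			/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
			 * miscalculated CRT output, just do a raw (slower)
			 * mod_exp and return that instead. */

			BIGNUM local_d;
			BIGNUM *d = NULL;

			if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
				{
				BN_init(&local_d);
				d = &local_d;
				BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
				}
			else
				d = rsa->d;
			if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
						   rsa->_method_mod_n)) goto err;
			}
		}
	ret=1;
err:
	BN_CTX_end(ctx);
	return(ret);
	}

/*
 * Method init hook: enable caching of the Montgomery contexts for n
 * (public) and p, q (private) on this key.  Always succeeds.
 */
static int RSA_eay_init(RSA *rsa)
	{
	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
	return(1);
	}

/*
 * Method finish hook: release the cached Montgomery contexts.  The
 * pointers are reset to NULL so that, should the key continue to be used
 * (or finish be invoked again), BN_MONT_CTX_set_locked() presumably
 * recreates the context instead of touching freed memory.
 */
static int RSA_eay_finish(RSA *rsa)
	{
	if (rsa->_method_mod_n != NULL)
		{
		BN_MONT_CTX_free(rsa->_method_mod_n);
		rsa->_method_mod_n = NULL;
		}
	if (rsa->_method_mod_p != NULL)
		{
		BN_MONT_CTX_free(rsa->_method_mod_p);
		rsa->_method_mod_p = NULL;
		}
	if (rsa->_method_mod_q != NULL)
		{
		BN_MONT_CTX_free(rsa->_method_mod_q);
		rsa->_method_mod_q = NULL;
		}
	return(1);
	}

#endif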