2
0

rsa_eay.c 24 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884
  1. /* crypto/rsa/rsa_eay.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include <stdio.h>
  112. #include "cryptlib.h"
  113. #include <openssl/bn.h>
  114. #include <openssl/rsa.h>
  115. #include <openssl/rand.h>
  116. #if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
  117. static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
  118. unsigned char *to, RSA *rsa,int padding);
  119. static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
  120. unsigned char *to, RSA *rsa,int padding);
  121. static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
  122. unsigned char *to, RSA *rsa,int padding);
  123. static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
  124. unsigned char *to, RSA *rsa,int padding);
  125. static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
  126. static int RSA_eay_init(RSA *rsa);
  127. static int RSA_eay_finish(RSA *rsa);
  128. static RSA_METHOD rsa_pkcs1_eay_meth={
  129. "Eric Young's PKCS#1 RSA",
  130. RSA_eay_public_encrypt,
  131. RSA_eay_public_decrypt, /* signature verification */
  132. RSA_eay_private_encrypt, /* signing */
  133. RSA_eay_private_decrypt,
  134. RSA_eay_mod_exp,
  135. BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
  136. RSA_eay_init,
  137. RSA_eay_finish,
  138. 0, /* flags */
  139. NULL,
  140. 0, /* rsa_sign */
  141. 0, /* rsa_verify */
  142. NULL /* rsa_keygen */
  143. };
  144. const RSA_METHOD *RSA_PKCS1_SSLeay(void)
  145. {
  146. return(&rsa_pkcs1_eay_meth);
  147. }
  148. /* Usage example;
  149. * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
  150. */
  151. #define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
  152. if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
  153. !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \
  154. CRYPTO_LOCK_RSA, \
  155. (rsa)->m, (ctx))) \
  156. err_instr
  157. static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
  158. unsigned char *to, RSA *rsa, int padding)
  159. {
  160. BIGNUM *f,*ret;
  161. int i,j,k,num=0,r= -1;
  162. unsigned char *buf=NULL;
  163. BN_CTX *ctx=NULL;
  164. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
  165. {
  166. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
  167. return -1;
  168. }
  169. if (BN_ucmp(rsa->n, rsa->e) <= 0)
  170. {
  171. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  172. return -1;
  173. }
  174. /* for large moduli, enforce exponent limit */
  175. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
  176. {
  177. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
  178. {
  179. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  180. return -1;
  181. }
  182. }
  183. if ((ctx=BN_CTX_new()) == NULL) goto err;
  184. BN_CTX_start(ctx);
  185. f = BN_CTX_get(ctx);
  186. ret = BN_CTX_get(ctx);
  187. num=BN_num_bytes(rsa->n);
  188. buf = OPENSSL_malloc(num);
  189. if (!f || !ret || !buf)
  190. {
  191. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
  192. goto err;
  193. }
  194. switch (padding)
  195. {
  196. case RSA_PKCS1_PADDING:
  197. i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
  198. break;
  199. #ifndef OPENSSL_NO_SHA
  200. case RSA_PKCS1_OAEP_PADDING:
  201. i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
  202. break;
  203. #endif
  204. case RSA_SSLV23_PADDING:
  205. i=RSA_padding_add_SSLv23(buf,num,from,flen);
  206. break;
  207. case RSA_NO_PADDING:
  208. i=RSA_padding_add_none(buf,num,from,flen);
  209. break;
  210. default:
  211. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
  212. goto err;
  213. }
  214. if (i <= 0) goto err;
  215. if (BN_bin2bn(buf,num,f) == NULL) goto err;
  216. if (BN_ucmp(f, rsa->n) >= 0)
  217. {
  218. /* usually the padding functions would catch this */
  219. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  220. goto err;
  221. }
  222. MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
  223. if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
  224. rsa->_method_mod_n)) goto err;
  225. /* put in leading 0 bytes if the number is less than the
  226. * length of the modulus */
  227. j=BN_num_bytes(ret);
  228. i=BN_bn2bin(ret,&(to[num-j]));
  229. for (k=0; k<(num-i); k++)
  230. to[k]=0;
  231. r=num;
  232. err:
  233. if (ctx != NULL)
  234. {
  235. BN_CTX_end(ctx);
  236. BN_CTX_free(ctx);
  237. }
  238. if (buf != NULL)
  239. {
  240. OPENSSL_cleanse(buf,num);
  241. OPENSSL_free(buf);
  242. }
  243. return(r);
  244. }
  245. static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
  246. {
  247. BN_BLINDING *ret;
  248. int got_write_lock = 0;
  249. CRYPTO_r_lock(CRYPTO_LOCK_RSA);
  250. if (rsa->blinding == NULL)
  251. {
  252. CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
  253. CRYPTO_w_lock(CRYPTO_LOCK_RSA);
  254. got_write_lock = 1;
  255. if (rsa->blinding == NULL)
  256. rsa->blinding = RSA_setup_blinding(rsa, ctx);
  257. }
  258. ret = rsa->blinding;
  259. if (ret == NULL)
  260. goto err;
  261. if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id())
  262. {
  263. /* rsa->blinding is ours! */
  264. *local = 1;
  265. }
  266. else
  267. {
  268. /* resort to rsa->mt_blinding instead */
  269. *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
  270. * that the BN_BLINDING is shared, meaning that accesses
  271. * require locks, and that the blinding factor must be
  272. * stored outside the BN_BLINDING
  273. */
  274. if (rsa->mt_blinding == NULL)
  275. {
  276. if (!got_write_lock)
  277. {
  278. CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
  279. CRYPTO_w_lock(CRYPTO_LOCK_RSA);
  280. got_write_lock = 1;
  281. }
  282. if (rsa->mt_blinding == NULL)
  283. rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
  284. }
  285. ret = rsa->mt_blinding;
  286. }
  287. err:
  288. if (got_write_lock)
  289. CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
  290. else
  291. CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
  292. return ret;
  293. }
  294. static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
  295. BIGNUM *r, BN_CTX *ctx)
  296. {
  297. if (local)
  298. return BN_BLINDING_convert_ex(f, NULL, b, ctx);
  299. else
  300. {
  301. int ret;
  302. CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
  303. ret = BN_BLINDING_convert_ex(f, r, b, ctx);
  304. CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
  305. return ret;
  306. }
  307. }
  308. static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
  309. BIGNUM *r, BN_CTX *ctx)
  310. {
  311. if (local)
  312. return BN_BLINDING_invert_ex(f, NULL, b, ctx);
  313. else
  314. {
  315. int ret;
  316. CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
  317. ret = BN_BLINDING_invert_ex(f, r, b, ctx);
  318. CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
  319. return ret;
  320. }
  321. }
  322. /* signing */
  323. static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
  324. unsigned char *to, RSA *rsa, int padding)
  325. {
  326. BIGNUM *f, *ret, *br, *res;
  327. int i,j,k,num=0,r= -1;
  328. unsigned char *buf=NULL;
  329. BN_CTX *ctx=NULL;
  330. int local_blinding = 0;
  331. BN_BLINDING *blinding = NULL;
  332. if ((ctx=BN_CTX_new()) == NULL) goto err;
  333. BN_CTX_start(ctx);
  334. f = BN_CTX_get(ctx);
  335. br = BN_CTX_get(ctx);
  336. ret = BN_CTX_get(ctx);
  337. num = BN_num_bytes(rsa->n);
  338. buf = OPENSSL_malloc(num);
  339. if(!f || !ret || !buf)
  340. {
  341. RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
  342. goto err;
  343. }
  344. switch (padding)
  345. {
  346. case RSA_PKCS1_PADDING:
  347. i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
  348. break;
  349. case RSA_X931_PADDING:
  350. i=RSA_padding_add_X931(buf,num,from,flen);
  351. break;
  352. case RSA_NO_PADDING:
  353. i=RSA_padding_add_none(buf,num,from,flen);
  354. break;
  355. case RSA_SSLV23_PADDING:
  356. default:
  357. RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
  358. goto err;
  359. }
  360. if (i <= 0) goto err;
  361. if (BN_bin2bn(buf,num,f) == NULL) goto err;
  362. if (BN_ucmp(f, rsa->n) >= 0)
  363. {
  364. /* usually the padding functions would catch this */
  365. RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  366. goto err;
  367. }
  368. if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
  369. {
  370. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  371. if (blinding == NULL)
  372. {
  373. RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
  374. goto err;
  375. }
  376. }
  377. if (blinding != NULL)
  378. if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
  379. goto err;
  380. if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
  381. ((rsa->p != NULL) &&
  382. (rsa->q != NULL) &&
  383. (rsa->dmp1 != NULL) &&
  384. (rsa->dmq1 != NULL) &&
  385. (rsa->iqmp != NULL)) )
  386. {
  387. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
  388. }
  389. else
  390. {
  391. BIGNUM local_d;
  392. BIGNUM *d = NULL;
  393. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  394. {
  395. BN_init(&local_d);
  396. d = &local_d;
  397. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  398. }
  399. else
  400. d = rsa->d;
  401. MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
  402. if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
  403. rsa->_method_mod_n)) goto err;
  404. }
  405. if (blinding)
  406. if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
  407. goto err;
  408. if (padding == RSA_X931_PADDING)
  409. {
  410. BN_sub(f, rsa->n, ret);
  411. if (BN_cmp(ret, f))
  412. res = f;
  413. else
  414. res = ret;
  415. }
  416. else
  417. res = ret;
  418. /* put in leading 0 bytes if the number is less than the
  419. * length of the modulus */
  420. j=BN_num_bytes(res);
  421. i=BN_bn2bin(res,&(to[num-j]));
  422. for (k=0; k<(num-i); k++)
  423. to[k]=0;
  424. r=num;
  425. err:
  426. if (ctx != NULL)
  427. {
  428. BN_CTX_end(ctx);
  429. BN_CTX_free(ctx);
  430. }
  431. if (buf != NULL)
  432. {
  433. OPENSSL_cleanse(buf,num);
  434. OPENSSL_free(buf);
  435. }
  436. return(r);
  437. }
  438. static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
  439. unsigned char *to, RSA *rsa, int padding)
  440. {
  441. BIGNUM *f, *ret, *br;
  442. int j,num=0,r= -1;
  443. unsigned char *p;
  444. unsigned char *buf=NULL;
  445. BN_CTX *ctx=NULL;
  446. int local_blinding = 0;
  447. BN_BLINDING *blinding = NULL;
  448. if((ctx = BN_CTX_new()) == NULL) goto err;
  449. BN_CTX_start(ctx);
  450. f = BN_CTX_get(ctx);
  451. br = BN_CTX_get(ctx);
  452. ret = BN_CTX_get(ctx);
  453. num = BN_num_bytes(rsa->n);
  454. buf = OPENSSL_malloc(num);
  455. if(!f || !ret || !buf)
  456. {
  457. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
  458. goto err;
  459. }
  460. /* This check was for equality but PGP does evil things
  461. * and chops off the top '0' bytes */
  462. if (flen > num)
  463. {
  464. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
  465. goto err;
  466. }
  467. /* make data into a big number */
  468. if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
  469. if (BN_ucmp(f, rsa->n) >= 0)
  470. {
  471. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  472. goto err;
  473. }
  474. if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
  475. {
  476. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  477. if (blinding == NULL)
  478. {
  479. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
  480. goto err;
  481. }
  482. }
  483. if (blinding != NULL)
  484. if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
  485. goto err;
  486. /* do the decrypt */
  487. if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
  488. ((rsa->p != NULL) &&
  489. (rsa->q != NULL) &&
  490. (rsa->dmp1 != NULL) &&
  491. (rsa->dmq1 != NULL) &&
  492. (rsa->iqmp != NULL)) )
  493. {
  494. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
  495. }
  496. else
  497. {
  498. BIGNUM local_d;
  499. BIGNUM *d = NULL;
  500. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  501. {
  502. d = &local_d;
  503. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  504. }
  505. else
  506. d = rsa->d;
  507. MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
  508. if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
  509. rsa->_method_mod_n))
  510. goto err;
  511. }
  512. if (blinding)
  513. if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
  514. goto err;
  515. p=buf;
  516. j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
  517. switch (padding)
  518. {
  519. case RSA_PKCS1_PADDING:
  520. r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
  521. break;
  522. #ifndef OPENSSL_NO_SHA
  523. case RSA_PKCS1_OAEP_PADDING:
  524. r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
  525. break;
  526. #endif
  527. case RSA_SSLV23_PADDING:
  528. r=RSA_padding_check_SSLv23(to,num,buf,j,num);
  529. break;
  530. case RSA_NO_PADDING:
  531. r=RSA_padding_check_none(to,num,buf,j,num);
  532. break;
  533. default:
  534. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
  535. goto err;
  536. }
  537. if (r < 0)
  538. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
  539. err:
  540. if (ctx != NULL)
  541. {
  542. BN_CTX_end(ctx);
  543. BN_CTX_free(ctx);
  544. }
  545. if (buf != NULL)
  546. {
  547. OPENSSL_cleanse(buf,num);
  548. OPENSSL_free(buf);
  549. }
  550. return(r);
  551. }
  552. /* signature verification */
  553. static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
  554. unsigned char *to, RSA *rsa, int padding)
  555. {
  556. BIGNUM *f,*ret;
  557. int i,num=0,r= -1;
  558. unsigned char *p;
  559. unsigned char *buf=NULL;
  560. BN_CTX *ctx=NULL;
  561. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
  562. {
  563. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
  564. return -1;
  565. }
  566. if (BN_ucmp(rsa->n, rsa->e) <= 0)
  567. {
  568. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  569. return -1;
  570. }
  571. /* for large moduli, enforce exponent limit */
  572. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
  573. {
  574. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
  575. {
  576. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  577. return -1;
  578. }
  579. }
  580. if((ctx = BN_CTX_new()) == NULL) goto err;
  581. BN_CTX_start(ctx);
  582. f = BN_CTX_get(ctx);
  583. ret = BN_CTX_get(ctx);
  584. num=BN_num_bytes(rsa->n);
  585. buf = OPENSSL_malloc(num);
  586. if(!f || !ret || !buf)
  587. {
  588. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
  589. goto err;
  590. }
  591. /* This check was for equality but PGP does evil things
  592. * and chops off the top '0' bytes */
  593. if (flen > num)
  594. {
  595. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
  596. goto err;
  597. }
  598. if (BN_bin2bn(from,flen,f) == NULL) goto err;
  599. if (BN_ucmp(f, rsa->n) >= 0)
  600. {
  601. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  602. goto err;
  603. }
  604. MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
  605. if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
  606. rsa->_method_mod_n)) goto err;
  607. if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
  608. BN_sub(ret, rsa->n, ret);
  609. p=buf;
  610. i=BN_bn2bin(ret,p);
  611. switch (padding)
  612. {
  613. case RSA_PKCS1_PADDING:
  614. r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
  615. break;
  616. case RSA_X931_PADDING:
  617. r=RSA_padding_check_X931(to,num,buf,i,num);
  618. break;
  619. case RSA_NO_PADDING:
  620. r=RSA_padding_check_none(to,num,buf,i,num);
  621. break;
  622. default:
  623. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
  624. goto err;
  625. }
  626. if (r < 0)
  627. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
  628. err:
  629. if (ctx != NULL)
  630. {
  631. BN_CTX_end(ctx);
  632. BN_CTX_free(ctx);
  633. }
  634. if (buf != NULL)
  635. {
  636. OPENSSL_cleanse(buf,num);
  637. OPENSSL_free(buf);
  638. }
  639. return(r);
  640. }
  641. static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
  642. {
  643. BIGNUM *r1,*m1,*vrfy;
  644. BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
  645. BIGNUM *dmp1,*dmq1,*c,*pr1;
  646. int bn_flags;
  647. int ret=0;
  648. BN_CTX_start(ctx);
  649. r1 = BN_CTX_get(ctx);
  650. m1 = BN_CTX_get(ctx);
  651. vrfy = BN_CTX_get(ctx);
  652. /* Make sure mod_inverse in montgomerey intialization use correct
  653. * BN_FLG_CONSTTIME flag.
  654. */
  655. bn_flags = rsa->p->flags;
  656. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  657. {
  658. rsa->p->flags |= BN_FLG_CONSTTIME;
  659. }
  660. MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
  661. /* We restore bn_flags back */
  662. rsa->p->flags = bn_flags;
  663. /* Make sure mod_inverse in montgomerey intialization use correct
  664. * BN_FLG_CONSTTIME flag.
  665. */
  666. bn_flags = rsa->q->flags;
  667. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  668. {
  669. rsa->q->flags |= BN_FLG_CONSTTIME;
  670. }
  671. MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
  672. /* We restore bn_flags back */
  673. rsa->q->flags = bn_flags;
  674. MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
  675. /* compute I mod q */
  676. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  677. {
  678. c = &local_c;
  679. BN_with_flags(c, I, BN_FLG_CONSTTIME);
  680. if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
  681. }
  682. else
  683. {
  684. if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
  685. }
  686. /* compute r1^dmq1 mod q */
  687. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  688. {
  689. dmq1 = &local_dmq1;
  690. BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
  691. }
  692. else
  693. dmq1 = rsa->dmq1;
  694. if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
  695. rsa->_method_mod_q)) goto err;
  696. /* compute I mod p */
  697. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  698. {
  699. c = &local_c;
  700. BN_with_flags(c, I, BN_FLG_CONSTTIME);
  701. if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
  702. }
  703. else
  704. {
  705. if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
  706. }
  707. /* compute r1^dmp1 mod p */
  708. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  709. {
  710. dmp1 = &local_dmp1;
  711. BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
  712. }
  713. else
  714. dmp1 = rsa->dmp1;
  715. if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
  716. rsa->_method_mod_p)) goto err;
  717. if (!BN_sub(r0,r0,m1)) goto err;
  718. /* This will help stop the size of r0 increasing, which does
  719. * affect the multiply if it optimised for a power of 2 size */
  720. if (BN_is_negative(r0))
  721. if (!BN_add(r0,r0,rsa->p)) goto err;
  722. if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
  723. /* Turn BN_FLG_CONSTTIME flag on before division operation */
  724. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  725. {
  726. pr1 = &local_r1;
  727. BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
  728. }
  729. else
  730. pr1 = r1;
  731. if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
  732. /* If p < q it is occasionally possible for the correction of
  733. * adding 'p' if r0 is negative above to leave the result still
  734. * negative. This can break the private key operations: the following
  735. * second correction should *always* correct this rare occurrence.
  736. * This will *never* happen with OpenSSL generated keys because
  737. * they ensure p > q [steve]
  738. */
  739. if (BN_is_negative(r0))
  740. if (!BN_add(r0,r0,rsa->p)) goto err;
  741. if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
  742. if (!BN_add(r0,r1,m1)) goto err;
  743. if (rsa->e && rsa->n)
  744. {
  745. if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
  746. /* If 'I' was greater than (or equal to) rsa->n, the operation
  747. * will be equivalent to using 'I mod n'. However, the result of
  748. * the verify will *always* be less than 'n' so we don't check
  749. * for absolute equality, just congruency. */
  750. if (!BN_sub(vrfy, vrfy, I)) goto err;
  751. if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
  752. if (BN_is_negative(vrfy))
  753. if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
  754. if (!BN_is_zero(vrfy))
  755. {
  756. /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
  757. * miscalculated CRT output, just do a raw (slower)
  758. * mod_exp and return that instead. */
  759. BIGNUM local_d;
  760. BIGNUM *d = NULL;
  761. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
  762. {
  763. d = &local_d;
  764. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  765. }
  766. else
  767. d = rsa->d;
  768. if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
  769. rsa->_method_mod_n)) goto err;
  770. }
  771. }
  772. ret=1;
  773. err:
  774. BN_CTX_end(ctx);
  775. return(ret);
  776. }
  777. static int RSA_eay_init(RSA *rsa)
  778. {
  779. rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
  780. return(1);
  781. }
  782. static int RSA_eay_finish(RSA *rsa)
  783. {
  784. if (rsa->_method_mod_n != NULL)
  785. BN_MONT_CTX_free(rsa->_method_mod_n);
  786. if (rsa->_method_mod_p != NULL)
  787. BN_MONT_CTX_free(rsa->_method_mod_p);
  788. if (rsa->_method_mod_q != NULL)
  789. BN_MONT_CTX_free(rsa->_method_mod_q);
  790. return(1);
  791. }
  792. #endif