2
0

rsa_ossl.c 31 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  2. * All rights reserved.
  3. *
  4. * This package is an SSL implementation written
  5. * by Eric Young (eay@cryptsoft.com).
  6. * The implementation was written so as to conform with Netscapes SSL.
  7. *
  8. * This library is free for commercial and non-commercial use as long as
  9. * the following conditions are aheared to. The following conditions
  10. * apply to all code found in this distribution, be it the RC4, RSA,
  11. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  12. * included with this distribution is covered by the same copyright terms
  13. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  14. *
  15. * Copyright remains Eric Young's, and as such any Copyright notices in
  16. * the code are not to be removed.
  17. * If this package is used in a product, Eric Young should be given attribution
  18. * as the author of the parts of the library used.
  19. * This can be in the form of a textual message at program startup or
  20. * in documentation (online or textual) provided with the package.
  21. *
  22. * Redistribution and use in source and binary forms, with or without
  23. * modification, are permitted provided that the following conditions
  24. * are met:
  25. * 1. Redistributions of source code must retain the copyright
  26. * notice, this list of conditions and the following disclaimer.
  27. * 2. Redistributions in binary form must reproduce the above copyright
  28. * notice, this list of conditions and the following disclaimer in the
  29. * documentation and/or other materials provided with the distribution.
  30. * 3. All advertising materials mentioning features or use of this software
  31. * must display the following acknowledgement:
  32. * "This product includes cryptographic software written by
  33. * Eric Young (eay@cryptsoft.com)"
  34. * The word 'cryptographic' can be left out if the rouines from the library
  35. * being used are not cryptographic related :-).
  36. * 4. If you include any Windows specific code (or a derivative thereof) from
  37. * the apps directory (application code) you must include an acknowledgement:
  38. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  41. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  43. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  44. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  45. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  46. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  48. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  49. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  50. * SUCH DAMAGE.
  51. *
  52. * The licence and distribution terms for any publically available version or
  53. * derivative of this code cannot be changed. i.e. this code cannot simply be
  54. * copied and put under another distribution licence
  55. * [including the GNU Public Licence.]
  56. */
  57. /* ====================================================================
  58. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  59. *
  60. * Redistribution and use in source and binary forms, with or without
  61. * modification, are permitted provided that the following conditions
  62. * are met:
  63. *
  64. * 1. Redistributions of source code must retain the above copyright
  65. * notice, this list of conditions and the following disclaimer.
  66. *
  67. * 2. Redistributions in binary form must reproduce the above copyright
  68. * notice, this list of conditions and the following disclaimer in
  69. * the documentation and/or other materials provided with the
  70. * distribution.
  71. *
  72. * 3. All advertising materials mentioning features or use of this
  73. * software must display the following acknowledgment:
  74. * "This product includes software developed by the OpenSSL Project
  75. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  76. *
  77. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  78. * endorse or promote products derived from this software without
  79. * prior written permission. For written permission, please contact
  80. * openssl-core@openssl.org.
  81. *
  82. * 5. Products derived from this software may not be called "OpenSSL"
  83. * nor may "OpenSSL" appear in their names without prior written
  84. * permission of the OpenSSL Project.
  85. *
  86. * 6. Redistributions of any form whatsoever must retain the following
  87. * acknowledgment:
  88. * "This product includes software developed by the OpenSSL Project
  89. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  90. *
  91. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  92. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  93. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  94. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  95. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  96. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  97. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  98. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  99. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  100. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  101. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  102. * OF THE POSSIBILITY OF SUCH DAMAGE.
  103. * ====================================================================
  104. *
  105. * This product includes cryptographic software written by Eric Young
  106. * (eay@cryptsoft.com). This product includes software written by Tim
  107. * Hudson (tjh@cryptsoft.com).
  108. *
  109. */
  110. #include "internal/cryptlib.h"
  111. #include "internal/bn_int.h"
  112. #include <openssl/rsa.h>
  113. #include <openssl/rand.h>
  114. #ifndef RSA_NULL
  115. static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
  116. unsigned char *to, RSA *rsa, int padding);
  117. static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
  118. unsigned char *to, RSA *rsa, int padding);
  119. static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
  120. unsigned char *to, RSA *rsa, int padding);
  121. static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
  122. unsigned char *to, RSA *rsa, int padding);
  123. static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
  124. BN_CTX *ctx);
  125. static int rsa_ossl_init(RSA *rsa);
  126. static int rsa_ossl_finish(RSA *rsa);
  127. static RSA_METHOD rsa_pkcs1_ossl_meth = {
  128. "OpenSSL PKCS#1 RSA (from Eric Young)",
  129. rsa_ossl_public_encrypt,
  130. rsa_ossl_public_decrypt, /* signature verification */
  131. rsa_ossl_private_encrypt, /* signing */
  132. rsa_ossl_private_decrypt,
  133. rsa_ossl_mod_exp,
  134. BN_mod_exp_mont, /* XXX probably we should not use Montgomery
  135. * if e == 3 */
  136. rsa_ossl_init,
  137. rsa_ossl_finish,
  138. RSA_FLAG_FIPS_METHOD, /* flags */
  139. NULL,
  140. 0, /* rsa_sign */
  141. 0, /* rsa_verify */
  142. NULL /* rsa_keygen */
  143. };
  144. const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
  145. {
  146. return &rsa_pkcs1_ossl_meth;
  147. }
  148. static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
  149. unsigned char *to, RSA *rsa, int padding)
  150. {
  151. BIGNUM *f, *ret;
  152. int i, j, k, num = 0, r = -1;
  153. unsigned char *buf = NULL;
  154. BN_CTX *ctx = NULL;
  155. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  156. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
  157. return -1;
  158. }
  159. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  160. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  161. return -1;
  162. }
  163. /* for large moduli, enforce exponent limit */
  164. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  165. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  166. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  167. return -1;
  168. }
  169. }
  170. if ((ctx = BN_CTX_new()) == NULL)
  171. goto err;
  172. BN_CTX_start(ctx);
  173. f = BN_CTX_get(ctx);
  174. ret = BN_CTX_get(ctx);
  175. num = BN_num_bytes(rsa->n);
  176. buf = OPENSSL_malloc(num);
  177. if (f == NULL || ret == NULL || buf == NULL) {
  178. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
  179. goto err;
  180. }
  181. switch (padding) {
  182. case RSA_PKCS1_PADDING:
  183. i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
  184. break;
  185. case RSA_PKCS1_OAEP_PADDING:
  186. i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
  187. break;
  188. case RSA_SSLV23_PADDING:
  189. i = RSA_padding_add_SSLv23(buf, num, from, flen);
  190. break;
  191. case RSA_NO_PADDING:
  192. i = RSA_padding_add_none(buf, num, from, flen);
  193. break;
  194. default:
  195. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  196. goto err;
  197. }
  198. if (i <= 0)
  199. goto err;
  200. if (BN_bin2bn(buf, num, f) == NULL)
  201. goto err;
  202. if (BN_ucmp(f, rsa->n) >= 0) {
  203. /* usually the padding functions would catch this */
  204. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT,
  205. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  206. goto err;
  207. }
  208. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  209. if (!BN_MONT_CTX_set_locked
  210. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
  211. goto err;
  212. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  213. rsa->_method_mod_n))
  214. goto err;
  215. /*
  216. * put in leading 0 bytes if the number is less than the length of the
  217. * modulus
  218. */
  219. j = BN_num_bytes(ret);
  220. i = BN_bn2bin(ret, &(to[num - j]));
  221. for (k = 0; k < (num - i); k++)
  222. to[k] = 0;
  223. r = num;
  224. err:
  225. if (ctx != NULL)
  226. BN_CTX_end(ctx);
  227. BN_CTX_free(ctx);
  228. OPENSSL_clear_free(buf, num);
  229. return (r);
  230. }
  231. static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
  232. {
  233. BN_BLINDING *ret;
  234. int got_write_lock = 0;
  235. CRYPTO_THREADID cur;
  236. CRYPTO_r_lock(CRYPTO_LOCK_RSA);
  237. if (rsa->blinding == NULL) {
  238. CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
  239. CRYPTO_w_lock(CRYPTO_LOCK_RSA);
  240. got_write_lock = 1;
  241. if (rsa->blinding == NULL)
  242. rsa->blinding = RSA_setup_blinding(rsa, ctx);
  243. }
  244. ret = rsa->blinding;
  245. if (ret == NULL)
  246. goto err;
  247. CRYPTO_THREADID_current(&cur);
  248. if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
  249. /* rsa->blinding is ours! */
  250. *local = 1;
  251. } else {
  252. /* resort to rsa->mt_blinding instead */
  253. /*
  254. * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
  255. * BN_BLINDING is shared, meaning that accesses require locks, and
  256. * that the blinding factor must be stored outside the BN_BLINDING
  257. */
  258. *local = 0;
  259. if (rsa->mt_blinding == NULL) {
  260. if (!got_write_lock) {
  261. CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
  262. CRYPTO_w_lock(CRYPTO_LOCK_RSA);
  263. got_write_lock = 1;
  264. }
  265. if (rsa->mt_blinding == NULL)
  266. rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
  267. }
  268. ret = rsa->mt_blinding;
  269. }
  270. err:
  271. if (got_write_lock)
  272. CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
  273. else
  274. CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
  275. return ret;
  276. }
  277. static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  278. BN_CTX *ctx)
  279. {
  280. if (unblind == NULL)
  281. /*
  282. * Local blinding: store the unblinding factor in BN_BLINDING.
  283. */
  284. return BN_BLINDING_convert_ex(f, NULL, b, ctx);
  285. else {
  286. /*
  287. * Shared blinding: store the unblinding factor outside BN_BLINDING.
  288. */
  289. int ret;
  290. CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
  291. ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
  292. CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
  293. return ret;
  294. }
  295. }
  296. static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  297. BN_CTX *ctx)
  298. {
  299. /*
  300. * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
  301. * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
  302. * is shared between threads, unblind must be non-null:
  303. * BN_BLINDING_invert_ex will then use the local unblinding factor, and
  304. * will only read the modulus from BN_BLINDING. In both cases it's safe
  305. * to access the blinding without a lock.
  306. */
  307. return BN_BLINDING_invert_ex(f, unblind, b, ctx);
  308. }
  309. /* signing */
  310. static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
  311. unsigned char *to, RSA *rsa, int padding)
  312. {
  313. BIGNUM *f, *ret, *res;
  314. int i, j, k, num = 0, r = -1;
  315. unsigned char *buf = NULL;
  316. BN_CTX *ctx = NULL;
  317. int local_blinding = 0;
  318. /*
  319. * Used only if the blinding structure is shared. A non-NULL unblind
  320. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  321. * the unblinding factor outside the blinding structure.
  322. */
  323. BIGNUM *unblind = NULL;
  324. BN_BLINDING *blinding = NULL;
  325. if ((ctx = BN_CTX_new()) == NULL)
  326. goto err;
  327. BN_CTX_start(ctx);
  328. f = BN_CTX_get(ctx);
  329. ret = BN_CTX_get(ctx);
  330. num = BN_num_bytes(rsa->n);
  331. buf = OPENSSL_malloc(num);
  332. if (f == NULL || ret == NULL || buf == NULL) {
  333. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  334. goto err;
  335. }
  336. switch (padding) {
  337. case RSA_PKCS1_PADDING:
  338. i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
  339. break;
  340. case RSA_X931_PADDING:
  341. i = RSA_padding_add_X931(buf, num, from, flen);
  342. break;
  343. case RSA_NO_PADDING:
  344. i = RSA_padding_add_none(buf, num, from, flen);
  345. break;
  346. case RSA_SSLV23_PADDING:
  347. default:
  348. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  349. goto err;
  350. }
  351. if (i <= 0)
  352. goto err;
  353. if (BN_bin2bn(buf, num, f) == NULL)
  354. goto err;
  355. if (BN_ucmp(f, rsa->n) >= 0) {
  356. /* usually the padding functions would catch this */
  357. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
  358. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  359. goto err;
  360. }
  361. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  362. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  363. if (blinding == NULL) {
  364. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
  365. goto err;
  366. }
  367. }
  368. if (blinding != NULL) {
  369. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  370. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  371. goto err;
  372. }
  373. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  374. goto err;
  375. }
  376. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  377. ((rsa->p != NULL) &&
  378. (rsa->q != NULL) &&
  379. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  380. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  381. goto err;
  382. } else {
  383. BIGNUM *d = NULL, *local_d = NULL;
  384. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  385. local_d = d = BN_new();
  386. if (d == NULL) {
  387. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  388. goto err;
  389. }
  390. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  391. } else {
  392. d = rsa->d;
  393. }
  394. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  395. if (!BN_MONT_CTX_set_locked
  396. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) {
  397. BN_free(local_d);
  398. goto err;
  399. }
  400. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  401. rsa->_method_mod_n)) {
  402. BN_free(local_d);
  403. goto err;
  404. }
  405. /* We MUST free local_d before any further use of rsa->d */
  406. BN_free(local_d);
  407. }
  408. if (blinding)
  409. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  410. goto err;
  411. if (padding == RSA_X931_PADDING) {
  412. BN_sub(f, rsa->n, ret);
  413. if (BN_cmp(ret, f) > 0)
  414. res = f;
  415. else
  416. res = ret;
  417. } else
  418. res = ret;
  419. /*
  420. * put in leading 0 bytes if the number is less than the length of the
  421. * modulus
  422. */
  423. j = BN_num_bytes(res);
  424. i = BN_bn2bin(res, &(to[num - j]));
  425. for (k = 0; k < (num - i); k++)
  426. to[k] = 0;
  427. r = num;
  428. err:
  429. if (ctx != NULL)
  430. BN_CTX_end(ctx);
  431. BN_CTX_free(ctx);
  432. OPENSSL_clear_free(buf, num);
  433. return (r);
  434. }
  435. static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
  436. unsigned char *to, RSA *rsa, int padding)
  437. {
  438. BIGNUM *f, *ret;
  439. int j, num = 0, r = -1;
  440. unsigned char *p;
  441. unsigned char *buf = NULL;
  442. BN_CTX *ctx = NULL;
  443. int local_blinding = 0;
  444. /*
  445. * Used only if the blinding structure is shared. A non-NULL unblind
  446. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  447. * the unblinding factor outside the blinding structure.
  448. */
  449. BIGNUM *unblind = NULL;
  450. BN_BLINDING *blinding = NULL;
  451. if ((ctx = BN_CTX_new()) == NULL)
  452. goto err;
  453. BN_CTX_start(ctx);
  454. f = BN_CTX_get(ctx);
  455. ret = BN_CTX_get(ctx);
  456. num = BN_num_bytes(rsa->n);
  457. buf = OPENSSL_malloc(num);
  458. if (f == NULL || ret == NULL || buf == NULL) {
  459. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  460. goto err;
  461. }
  462. /*
  463. * This check was for equality but PGP does evil things and chops off the
  464. * top '0' bytes
  465. */
  466. if (flen > num) {
  467. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
  468. RSA_R_DATA_GREATER_THAN_MOD_LEN);
  469. goto err;
  470. }
  471. /* make data into a big number */
  472. if (BN_bin2bn(from, (int)flen, f) == NULL)
  473. goto err;
  474. if (BN_ucmp(f, rsa->n) >= 0) {
  475. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
  476. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  477. goto err;
  478. }
  479. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  480. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  481. if (blinding == NULL) {
  482. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
  483. goto err;
  484. }
  485. }
  486. if (blinding != NULL) {
  487. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  488. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  489. goto err;
  490. }
  491. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  492. goto err;
  493. }
  494. /* do the decrypt */
  495. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  496. ((rsa->p != NULL) &&
  497. (rsa->q != NULL) &&
  498. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  499. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  500. goto err;
  501. } else {
  502. BIGNUM *d = NULL, *local_d = NULL;
  503. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  504. local_d = d = BN_new();
  505. if (d == NULL) {
  506. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  507. goto err;
  508. }
  509. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  510. } else {
  511. d = rsa->d;
  512. }
  513. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  514. if (!BN_MONT_CTX_set_locked
  515. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) {
  516. BN_free(local_d);
  517. goto err;
  518. }
  519. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  520. rsa->_method_mod_n)) {
  521. BN_free(local_d);
  522. goto err;
  523. }
  524. /* We MUST free local_d before any further use of rsa->d */
  525. BN_free(local_d);
  526. }
  527. if (blinding)
  528. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  529. goto err;
  530. p = buf;
  531. j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
  532. switch (padding) {
  533. case RSA_PKCS1_PADDING:
  534. r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
  535. break;
  536. case RSA_PKCS1_OAEP_PADDING:
  537. r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
  538. break;
  539. case RSA_SSLV23_PADDING:
  540. r = RSA_padding_check_SSLv23(to, num, buf, j, num);
  541. break;
  542. case RSA_NO_PADDING:
  543. r = RSA_padding_check_none(to, num, buf, j, num);
  544. break;
  545. default:
  546. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  547. goto err;
  548. }
  549. if (r < 0)
  550. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
  551. err:
  552. if (ctx != NULL)
  553. BN_CTX_end(ctx);
  554. BN_CTX_free(ctx);
  555. OPENSSL_clear_free(buf, num);
  556. return (r);
  557. }
  558. /* signature verification */
  559. static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
  560. unsigned char *to, RSA *rsa, int padding)
  561. {
  562. BIGNUM *f, *ret;
  563. int i, num = 0, r = -1;
  564. unsigned char *p;
  565. unsigned char *buf = NULL;
  566. BN_CTX *ctx = NULL;
  567. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  568. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
  569. return -1;
  570. }
  571. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  572. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  573. return -1;
  574. }
  575. /* for large moduli, enforce exponent limit */
  576. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  577. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  578. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  579. return -1;
  580. }
  581. }
  582. if ((ctx = BN_CTX_new()) == NULL)
  583. goto err;
  584. BN_CTX_start(ctx);
  585. f = BN_CTX_get(ctx);
  586. ret = BN_CTX_get(ctx);
  587. num = BN_num_bytes(rsa->n);
  588. buf = OPENSSL_malloc(num);
  589. if (f == NULL || ret == NULL || buf == NULL) {
  590. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
  591. goto err;
  592. }
  593. /*
  594. * This check was for equality but PGP does evil things and chops off the
  595. * top '0' bytes
  596. */
  597. if (flen > num) {
  598. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
  599. goto err;
  600. }
  601. if (BN_bin2bn(from, flen, f) == NULL)
  602. goto err;
  603. if (BN_ucmp(f, rsa->n) >= 0) {
  604. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT,
  605. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  606. goto err;
  607. }
  608. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  609. if (!BN_MONT_CTX_set_locked
  610. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
  611. goto err;
  612. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  613. rsa->_method_mod_n))
  614. goto err;
  615. if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
  616. if (!BN_sub(ret, rsa->n, ret))
  617. goto err;
  618. p = buf;
  619. i = BN_bn2bin(ret, p);
  620. switch (padding) {
  621. case RSA_PKCS1_PADDING:
  622. r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
  623. break;
  624. case RSA_X931_PADDING:
  625. r = RSA_padding_check_X931(to, num, buf, i, num);
  626. break;
  627. case RSA_NO_PADDING:
  628. r = RSA_padding_check_none(to, num, buf, i, num);
  629. break;
  630. default:
  631. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  632. goto err;
  633. }
  634. if (r < 0)
  635. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
  636. err:
  637. if (ctx != NULL)
  638. BN_CTX_end(ctx);
  639. BN_CTX_free(ctx);
  640. OPENSSL_clear_free(buf, num);
  641. return (r);
  642. }
  643. static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
  644. {
  645. BIGNUM *r1, *m1, *vrfy;
  646. int ret = 0;
  647. BN_CTX_start(ctx);
  648. r1 = BN_CTX_get(ctx);
  649. m1 = BN_CTX_get(ctx);
  650. vrfy = BN_CTX_get(ctx);
  651. {
  652. BIGNUM *local_p = NULL, *local_q = NULL;
  653. BIGNUM *p = NULL, *q = NULL;
  654. /*
  655. * Make sure BN_mod_inverse in Montgomery intialization uses the
  656. * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
  657. */
  658. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  659. local_p = p = BN_new();
  660. if (p == NULL)
  661. goto err;
  662. BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
  663. local_q = q = BN_new();
  664. if (q == NULL) {
  665. BN_free(local_p);
  666. goto err;
  667. }
  668. BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
  669. } else {
  670. p = rsa->p;
  671. q = rsa->q;
  672. }
  673. if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
  674. if (!BN_MONT_CTX_set_locked
  675. (&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)
  676. || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
  677. CRYPTO_LOCK_RSA, q, ctx)) {
  678. BN_free(local_p);
  679. BN_free(local_q);
  680. goto err;
  681. }
  682. }
  683. /*
  684. * We MUST free local_p and local_q before any further use of rsa->p and
  685. * rsa->q
  686. */
  687. BN_free(local_p);
  688. BN_free(local_q);
  689. }
  690. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  691. if (!BN_MONT_CTX_set_locked
  692. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
  693. goto err;
  694. /* compute I mod q */
  695. {
  696. BIGNUM *local_c = NULL;
  697. const BIGNUM *c;
  698. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  699. local_c = BN_new();
  700. if (local_c == NULL)
  701. goto err;
  702. BN_with_flags(local_c, I, BN_FLG_CONSTTIME);
  703. c = local_c;
  704. } else {
  705. c = I;
  706. }
  707. if (!BN_mod(r1, c, rsa->q, ctx)) {
  708. BN_free(local_c);
  709. goto err;
  710. }
  711. {
  712. BIGNUM *local_dmq1 = NULL, *dmq1;
  713. /* compute r1^dmq1 mod q */
  714. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  715. dmq1 = local_dmq1 = BN_new();
  716. if (local_dmq1 == NULL) {
  717. BN_free(local_c);
  718. goto err;
  719. }
  720. BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
  721. } else {
  722. dmq1 = rsa->dmq1;
  723. }
  724. if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
  725. rsa->_method_mod_q)) {
  726. BN_free(local_c);
  727. BN_free(local_dmq1);
  728. goto err;
  729. }
  730. /* We MUST free local_dmq1 before any further use of rsa->dmq1 */
  731. BN_free(local_dmq1);
  732. }
  733. /* compute I mod p */
  734. if (!BN_mod(r1, c, rsa->p, ctx)) {
  735. BN_free(local_c);
  736. goto err;
  737. }
  738. /* We MUST free local_c before any further use of I */
  739. BN_free(local_c);
  740. }
  741. {
  742. BIGNUM *local_dmp1 = NULL, *dmp1;
  743. /* compute r1^dmp1 mod p */
  744. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  745. dmp1 = local_dmp1 = BN_new();
  746. if (local_dmp1 == NULL)
  747. goto err;
  748. BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
  749. } else {
  750. dmp1 = rsa->dmp1;
  751. }
  752. if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
  753. rsa->_method_mod_p)) {
  754. BN_free(local_dmp1);
  755. goto err;
  756. }
  757. /* We MUST free local_dmp1 before any further use of rsa->dmp1 */
  758. BN_free(local_dmp1);
  759. }
  760. if (!BN_sub(r0, r0, m1))
  761. goto err;
  762. /*
  763. * This will help stop the size of r0 increasing, which does affect the
  764. * multiply if it optimised for a power of 2 size
  765. */
  766. if (BN_is_negative(r0))
  767. if (!BN_add(r0, r0, rsa->p))
  768. goto err;
  769. if (!BN_mul(r1, r0, rsa->iqmp, ctx))
  770. goto err;
  771. {
  772. BIGNUM *local_r1 = NULL, *pr1;
  773. /* Turn BN_FLG_CONSTTIME flag on before division operation */
  774. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  775. pr1 = local_r1 = BN_new();
  776. if (local_r1 == NULL)
  777. goto err;
  778. BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
  779. } else {
  780. pr1 = r1;
  781. }
  782. if (!BN_mod(r0, pr1, rsa->p, ctx)) {
  783. BN_free(local_r1);
  784. goto err;
  785. }
  786. /* We MUST free local_r1 before any further use of r1 */
  787. BN_free(local_r1);
  788. }
  789. /*
  790. * If p < q it is occasionally possible for the correction of adding 'p'
  791. * if r0 is negative above to leave the result still negative. This can
  792. * break the private key operations: the following second correction
  793. * should *always* correct this rare occurrence. This will *never* happen
  794. * with OpenSSL generated keys because they ensure p > q [steve]
  795. */
  796. if (BN_is_negative(r0))
  797. if (!BN_add(r0, r0, rsa->p))
  798. goto err;
  799. if (!BN_mul(r1, r0, rsa->q, ctx))
  800. goto err;
  801. if (!BN_add(r0, r1, m1))
  802. goto err;
  803. if (rsa->e && rsa->n) {
  804. if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
  805. rsa->_method_mod_n))
  806. goto err;
  807. /*
  808. * If 'I' was greater than (or equal to) rsa->n, the operation will
  809. * be equivalent to using 'I mod n'. However, the result of the
  810. * verify will *always* be less than 'n' so we don't check for
  811. * absolute equality, just congruency.
  812. */
  813. if (!BN_sub(vrfy, vrfy, I))
  814. goto err;
  815. if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
  816. goto err;
  817. if (BN_is_negative(vrfy))
  818. if (!BN_add(vrfy, vrfy, rsa->n))
  819. goto err;
  820. if (!BN_is_zero(vrfy)) {
  821. /*
  822. * 'I' and 'vrfy' aren't congruent mod n. Don't leak
  823. * miscalculated CRT output, just do a raw (slower) mod_exp and
  824. * return that instead.
  825. */
  826. BIGNUM *local_d = NULL;
  827. BIGNUM *d = NULL;
  828. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  829. local_d = d = BN_new();
  830. if (d == NULL)
  831. goto err;
  832. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  833. } else {
  834. d = rsa->d;
  835. }
  836. if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
  837. rsa->_method_mod_n)) {
  838. BN_free(local_d);
  839. goto err;
  840. }
  841. /* We MUST free local_d before any further use of rsa->d */
  842. BN_free(local_d);
  843. }
  844. }
  845. ret = 1;
  846. err:
  847. BN_CTX_end(ctx);
  848. return (ret);
  849. }
  850. static int rsa_ossl_init(RSA *rsa)
  851. {
  852. rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
  853. return (1);
  854. }
  855. static int rsa_ossl_finish(RSA *rsa)
  856. {
  857. BN_MONT_CTX_free(rsa->_method_mod_n);
  858. BN_MONT_CTX_free(rsa->_method_mod_p);
  859. BN_MONT_CTX_free(rsa->_method_mod_q);
  860. return (1);
  861. }
  862. #endif