rsa_ossl.c 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/cryptlib.h"
  10. #include "crypto/bn.h"
  11. #include "rsa_local.h"
  12. #include "internal/constant_time.h"
  13. static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
  14. unsigned char *to, RSA *rsa, int padding);
  15. static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
  16. unsigned char *to, RSA *rsa, int padding);
  17. static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
  18. unsigned char *to, RSA *rsa, int padding);
  19. static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
  20. unsigned char *to, RSA *rsa, int padding);
  21. static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
  22. BN_CTX *ctx);
  23. static int rsa_ossl_init(RSA *rsa);
  24. static int rsa_ossl_finish(RSA *rsa);
  25. static RSA_METHOD rsa_pkcs1_ossl_meth = {
  26. "OpenSSL PKCS#1 RSA",
  27. rsa_ossl_public_encrypt,
  28. rsa_ossl_public_decrypt, /* signature verification */
  29. rsa_ossl_private_encrypt, /* signing */
  30. rsa_ossl_private_decrypt,
  31. rsa_ossl_mod_exp,
  32. BN_mod_exp_mont, /* XXX probably we should not use Montgomery
  33. * if e == 3 */
  34. rsa_ossl_init,
  35. rsa_ossl_finish,
  36. RSA_FLAG_FIPS_METHOD, /* flags */
  37. NULL,
  38. 0, /* rsa_sign */
  39. 0, /* rsa_verify */
  40. NULL, /* rsa_keygen */
  41. NULL /* rsa_multi_prime_keygen */
  42. };
  43. static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth;
  44. void RSA_set_default_method(const RSA_METHOD *meth)
  45. {
  46. default_RSA_meth = meth;
  47. }
  48. const RSA_METHOD *RSA_get_default_method(void)
  49. {
  50. return default_RSA_meth;
  51. }
  52. const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
  53. {
  54. return &rsa_pkcs1_ossl_meth;
  55. }
  56. const RSA_METHOD *RSA_null_method(void)
  57. {
  58. return NULL;
  59. }
  60. static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
  61. unsigned char *to, RSA *rsa, int padding)
  62. {
  63. BIGNUM *f, *ret;
  64. int i, num = 0, r = -1;
  65. unsigned char *buf = NULL;
  66. BN_CTX *ctx = NULL;
  67. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  68. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
  69. return -1;
  70. }
  71. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  72. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  73. return -1;
  74. }
  75. /* for large moduli, enforce exponent limit */
  76. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  77. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  78. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  79. return -1;
  80. }
  81. }
  82. if ((ctx = BN_CTX_new()) == NULL)
  83. goto err;
  84. BN_CTX_start(ctx);
  85. f = BN_CTX_get(ctx);
  86. ret = BN_CTX_get(ctx);
  87. num = BN_num_bytes(rsa->n);
  88. buf = OPENSSL_malloc(num);
  89. if (ret == NULL || buf == NULL) {
  90. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
  91. goto err;
  92. }
  93. switch (padding) {
  94. case RSA_PKCS1_PADDING:
  95. i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
  96. break;
  97. case RSA_PKCS1_OAEP_PADDING:
  98. i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
  99. break;
  100. case RSA_SSLV23_PADDING:
  101. i = RSA_padding_add_SSLv23(buf, num, from, flen);
  102. break;
  103. case RSA_NO_PADDING:
  104. i = RSA_padding_add_none(buf, num, from, flen);
  105. break;
  106. default:
  107. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  108. goto err;
  109. }
  110. if (i <= 0)
  111. goto err;
  112. if (BN_bin2bn(buf, num, f) == NULL)
  113. goto err;
  114. if (BN_ucmp(f, rsa->n) >= 0) {
  115. /* usually the padding functions would catch this */
  116. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT,
  117. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  118. goto err;
  119. }
  120. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  121. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  122. rsa->n, ctx))
  123. goto err;
  124. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  125. rsa->_method_mod_n))
  126. goto err;
  127. /*
  128. * BN_bn2binpad puts in leading 0 bytes if the number is less than
  129. * the length of the modulus.
  130. */
  131. r = BN_bn2binpad(ret, to, num);
  132. err:
  133. BN_CTX_end(ctx);
  134. BN_CTX_free(ctx);
  135. OPENSSL_clear_free(buf, num);
  136. return r;
  137. }
  138. static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
  139. {
  140. BN_BLINDING *ret;
  141. CRYPTO_THREAD_write_lock(rsa->lock);
  142. if (rsa->blinding == NULL) {
  143. rsa->blinding = RSA_setup_blinding(rsa, ctx);
  144. }
  145. ret = rsa->blinding;
  146. if (ret == NULL)
  147. goto err;
  148. if (BN_BLINDING_is_current_thread(ret)) {
  149. /* rsa->blinding is ours! */
  150. *local = 1;
  151. } else {
  152. /* resort to rsa->mt_blinding instead */
  153. /*
  154. * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
  155. * BN_BLINDING is shared, meaning that accesses require locks, and
  156. * that the blinding factor must be stored outside the BN_BLINDING
  157. */
  158. *local = 0;
  159. if (rsa->mt_blinding == NULL) {
  160. rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
  161. }
  162. ret = rsa->mt_blinding;
  163. }
  164. err:
  165. CRYPTO_THREAD_unlock(rsa->lock);
  166. return ret;
  167. }
  168. static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  169. BN_CTX *ctx)
  170. {
  171. if (unblind == NULL) {
  172. /*
  173. * Local blinding: store the unblinding factor in BN_BLINDING.
  174. */
  175. return BN_BLINDING_convert_ex(f, NULL, b, ctx);
  176. } else {
  177. /*
  178. * Shared blinding: store the unblinding factor outside BN_BLINDING.
  179. */
  180. int ret;
  181. BN_BLINDING_lock(b);
  182. ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
  183. BN_BLINDING_unlock(b);
  184. return ret;
  185. }
  186. }
  187. static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  188. BN_CTX *ctx)
  189. {
  190. /*
  191. * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
  192. * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
  193. * is shared between threads, unblind must be non-null:
  194. * BN_BLINDING_invert_ex will then use the local unblinding factor, and
  195. * will only read the modulus from BN_BLINDING. In both cases it's safe
  196. * to access the blinding without a lock.
  197. */
  198. return BN_BLINDING_invert_ex(f, unblind, b, ctx);
  199. }
  200. /* signing */
  201. static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
  202. unsigned char *to, RSA *rsa, int padding)
  203. {
  204. BIGNUM *f, *ret, *res;
  205. int i, num = 0, r = -1;
  206. unsigned char *buf = NULL;
  207. BN_CTX *ctx = NULL;
  208. int local_blinding = 0;
  209. /*
  210. * Used only if the blinding structure is shared. A non-NULL unblind
  211. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  212. * the unblinding factor outside the blinding structure.
  213. */
  214. BIGNUM *unblind = NULL;
  215. BN_BLINDING *blinding = NULL;
  216. if ((ctx = BN_CTX_new()) == NULL)
  217. goto err;
  218. BN_CTX_start(ctx);
  219. f = BN_CTX_get(ctx);
  220. ret = BN_CTX_get(ctx);
  221. num = BN_num_bytes(rsa->n);
  222. buf = OPENSSL_malloc(num);
  223. if (ret == NULL || buf == NULL) {
  224. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  225. goto err;
  226. }
  227. switch (padding) {
  228. case RSA_PKCS1_PADDING:
  229. i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
  230. break;
  231. case RSA_X931_PADDING:
  232. i = RSA_padding_add_X931(buf, num, from, flen);
  233. break;
  234. case RSA_NO_PADDING:
  235. i = RSA_padding_add_none(buf, num, from, flen);
  236. break;
  237. case RSA_SSLV23_PADDING:
  238. default:
  239. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  240. goto err;
  241. }
  242. if (i <= 0)
  243. goto err;
  244. if (BN_bin2bn(buf, num, f) == NULL)
  245. goto err;
  246. if (BN_ucmp(f, rsa->n) >= 0) {
  247. /* usually the padding functions would catch this */
  248. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
  249. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  250. goto err;
  251. }
  252. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  253. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  254. rsa->n, ctx))
  255. goto err;
  256. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  257. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  258. if (blinding == NULL) {
  259. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
  260. goto err;
  261. }
  262. }
  263. if (blinding != NULL) {
  264. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  265. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  266. goto err;
  267. }
  268. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  269. goto err;
  270. }
  271. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  272. (rsa->version == RSA_ASN1_VERSION_MULTI) ||
  273. ((rsa->p != NULL) &&
  274. (rsa->q != NULL) &&
  275. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  276. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  277. goto err;
  278. } else {
  279. BIGNUM *d = BN_new();
  280. if (d == NULL) {
  281. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  282. goto err;
  283. }
  284. if (rsa->d == NULL) {
  285. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY);
  286. BN_free(d);
  287. goto err;
  288. }
  289. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  290. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  291. rsa->_method_mod_n)) {
  292. BN_free(d);
  293. goto err;
  294. }
  295. /* We MUST free d before any further use of rsa->d */
  296. BN_free(d);
  297. }
  298. if (blinding)
  299. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  300. goto err;
  301. if (padding == RSA_X931_PADDING) {
  302. if (!BN_sub(f, rsa->n, ret))
  303. goto err;
  304. if (BN_cmp(ret, f) > 0)
  305. res = f;
  306. else
  307. res = ret;
  308. } else {
  309. res = ret;
  310. }
  311. /*
  312. * BN_bn2binpad puts in leading 0 bytes if the number is less than
  313. * the length of the modulus.
  314. */
  315. r = BN_bn2binpad(res, to, num);
  316. err:
  317. BN_CTX_end(ctx);
  318. BN_CTX_free(ctx);
  319. OPENSSL_clear_free(buf, num);
  320. return r;
  321. }
  322. static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
  323. unsigned char *to, RSA *rsa, int padding)
  324. {
  325. BIGNUM *f, *ret;
  326. int j, num = 0, r = -1;
  327. unsigned char *buf = NULL;
  328. BN_CTX *ctx = NULL;
  329. int local_blinding = 0;
  330. /*
  331. * Used only if the blinding structure is shared. A non-NULL unblind
  332. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  333. * the unblinding factor outside the blinding structure.
  334. */
  335. BIGNUM *unblind = NULL;
  336. BN_BLINDING *blinding = NULL;
  337. if ((ctx = BN_CTX_new()) == NULL)
  338. goto err;
  339. BN_CTX_start(ctx);
  340. f = BN_CTX_get(ctx);
  341. ret = BN_CTX_get(ctx);
  342. num = BN_num_bytes(rsa->n);
  343. buf = OPENSSL_malloc(num);
  344. if (ret == NULL || buf == NULL) {
  345. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  346. goto err;
  347. }
  348. /*
  349. * This check was for equality but PGP does evil things and chops off the
  350. * top '0' bytes
  351. */
  352. if (flen > num) {
  353. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
  354. RSA_R_DATA_GREATER_THAN_MOD_LEN);
  355. goto err;
  356. }
  357. /* make data into a big number */
  358. if (BN_bin2bn(from, (int)flen, f) == NULL)
  359. goto err;
  360. if (BN_ucmp(f, rsa->n) >= 0) {
  361. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
  362. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  363. goto err;
  364. }
  365. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  366. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  367. if (blinding == NULL) {
  368. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
  369. goto err;
  370. }
  371. }
  372. if (blinding != NULL) {
  373. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  374. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  375. goto err;
  376. }
  377. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  378. goto err;
  379. }
  380. /* do the decrypt */
  381. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  382. (rsa->version == RSA_ASN1_VERSION_MULTI) ||
  383. ((rsa->p != NULL) &&
  384. (rsa->q != NULL) &&
  385. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  386. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  387. goto err;
  388. } else {
  389. BIGNUM *d = BN_new();
  390. if (d == NULL) {
  391. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  392. goto err;
  393. }
  394. if (rsa->d == NULL) {
  395. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY);
  396. BN_free(d);
  397. goto err;
  398. }
  399. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  400. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  401. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  402. rsa->n, ctx)) {
  403. BN_free(d);
  404. goto err;
  405. }
  406. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  407. rsa->_method_mod_n)) {
  408. BN_free(d);
  409. goto err;
  410. }
  411. /* We MUST free d before any further use of rsa->d */
  412. BN_free(d);
  413. }
  414. if (blinding)
  415. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  416. goto err;
  417. j = BN_bn2binpad(ret, buf, num);
  418. if (j < 0)
  419. goto err;
  420. switch (padding) {
  421. case RSA_PKCS1_PADDING:
  422. r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
  423. break;
  424. case RSA_PKCS1_OAEP_PADDING:
  425. r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
  426. break;
  427. case RSA_SSLV23_PADDING:
  428. r = RSA_padding_check_SSLv23(to, num, buf, j, num);
  429. break;
  430. case RSA_NO_PADDING:
  431. memcpy(to, buf, (r = j));
  432. break;
  433. default:
  434. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  435. goto err;
  436. }
  437. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
  438. err_clear_last_constant_time(1 & ~constant_time_msb(r));
  439. err:
  440. BN_CTX_end(ctx);
  441. BN_CTX_free(ctx);
  442. OPENSSL_clear_free(buf, num);
  443. return r;
  444. }
  445. /* signature verification */
  446. static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
  447. unsigned char *to, RSA *rsa, int padding)
  448. {
  449. BIGNUM *f, *ret;
  450. int i, num = 0, r = -1;
  451. unsigned char *buf = NULL;
  452. BN_CTX *ctx = NULL;
  453. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  454. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
  455. return -1;
  456. }
  457. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  458. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  459. return -1;
  460. }
  461. /* for large moduli, enforce exponent limit */
  462. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  463. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  464. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  465. return -1;
  466. }
  467. }
  468. if ((ctx = BN_CTX_new()) == NULL)
  469. goto err;
  470. BN_CTX_start(ctx);
  471. f = BN_CTX_get(ctx);
  472. ret = BN_CTX_get(ctx);
  473. num = BN_num_bytes(rsa->n);
  474. buf = OPENSSL_malloc(num);
  475. if (ret == NULL || buf == NULL) {
  476. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
  477. goto err;
  478. }
  479. /*
  480. * This check was for equality but PGP does evil things and chops off the
  481. * top '0' bytes
  482. */
  483. if (flen > num) {
  484. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
  485. goto err;
  486. }
  487. if (BN_bin2bn(from, flen, f) == NULL)
  488. goto err;
  489. if (BN_ucmp(f, rsa->n) >= 0) {
  490. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT,
  491. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  492. goto err;
  493. }
  494. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  495. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  496. rsa->n, ctx))
  497. goto err;
  498. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  499. rsa->_method_mod_n))
  500. goto err;
  501. if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
  502. if (!BN_sub(ret, rsa->n, ret))
  503. goto err;
  504. i = BN_bn2binpad(ret, buf, num);
  505. if (i < 0)
  506. goto err;
  507. switch (padding) {
  508. case RSA_PKCS1_PADDING:
  509. r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
  510. break;
  511. case RSA_X931_PADDING:
  512. r = RSA_padding_check_X931(to, num, buf, i, num);
  513. break;
  514. case RSA_NO_PADDING:
  515. memcpy(to, buf, (r = i));
  516. break;
  517. default:
  518. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  519. goto err;
  520. }
  521. if (r < 0)
  522. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
  523. err:
  524. BN_CTX_end(ctx);
  525. BN_CTX_free(ctx);
  526. OPENSSL_clear_free(buf, num);
  527. return r;
  528. }
  529. static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
  530. {
  531. BIGNUM *r1, *m1, *vrfy, *r2, *m[RSA_MAX_PRIME_NUM - 2];
  532. int ret = 0, i, ex_primes = 0, smooth = 0;
  533. RSA_PRIME_INFO *pinfo;
  534. BN_CTX_start(ctx);
  535. r1 = BN_CTX_get(ctx);
  536. r2 = BN_CTX_get(ctx);
  537. m1 = BN_CTX_get(ctx);
  538. vrfy = BN_CTX_get(ctx);
  539. if (vrfy == NULL)
  540. goto err;
  541. if (rsa->version == RSA_ASN1_VERSION_MULTI
  542. && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0
  543. || ex_primes > RSA_MAX_PRIME_NUM - 2))
  544. goto err;
  545. if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
  546. BIGNUM *factor = BN_new();
  547. if (factor == NULL)
  548. goto err;
  549. /*
  550. * Make sure BN_mod_inverse in Montgomery initialization uses the
  551. * BN_FLG_CONSTTIME flag
  552. */
  553. if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),
  554. BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,
  555. factor, ctx))
  556. || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),
  557. BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,
  558. factor, ctx))) {
  559. BN_free(factor);
  560. goto err;
  561. }
  562. for (i = 0; i < ex_primes; i++) {
  563. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  564. BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME);
  565. if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) {
  566. BN_free(factor);
  567. goto err;
  568. }
  569. }
  570. /*
  571. * We MUST free |factor| before any further use of the prime factors
  572. */
  573. BN_free(factor);
  574. smooth = (ex_primes == 0)
  575. && (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
  576. && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));
  577. }
  578. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  579. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  580. rsa->n, ctx))
  581. goto err;
  582. if (smooth) {
  583. /*
  584. * Conversion from Montgomery domain, a.k.a. Montgomery reduction,
  585. * accepts values in [0-m*2^w) range. w is m's bit width rounded up
  586. * to limb width. So that at the very least if |I| is fully reduced,
  587. * i.e. less than p*q, we can count on from-to round to perform
  588. * below modulo operations on |I|. Unlike BN_mod it's constant time.
  589. */
  590. if (/* m1 = I moq q */
  591. !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
  592. || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
  593. /* m1 = m1^dmq1 mod q */
  594. || !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx,
  595. rsa->_method_mod_q)
  596. /* r1 = I mod p */
  597. || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
  598. || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
  599. /* r1 = r1^dmp1 mod p */
  600. || !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx,
  601. rsa->_method_mod_p)
  602. /* r1 = (r1 - m1) mod p */
  603. /*
  604. * bn_mod_sub_fixed_top is not regular modular subtraction,
  605. * it can tolerate subtrahend to be larger than modulus, but
  606. * not bit-wise wider. This makes up for uncommon q>p case,
  607. * when |m1| can be larger than |rsa->p|.
  608. */
  609. || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
  610. /* r1 = r1 * iqmp mod p */
  611. || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
  612. || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
  613. ctx)
  614. /* r0 = r1 * q + m1 */
  615. || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
  616. || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
  617. goto err;
  618. goto tail;
  619. }
  620. /* compute I mod q */
  621. {
  622. BIGNUM *c = BN_new();
  623. if (c == NULL)
  624. goto err;
  625. BN_with_flags(c, I, BN_FLG_CONSTTIME);
  626. if (!BN_mod(r1, c, rsa->q, ctx)) {
  627. BN_free(c);
  628. goto err;
  629. }
  630. {
  631. BIGNUM *dmq1 = BN_new();
  632. if (dmq1 == NULL) {
  633. BN_free(c);
  634. goto err;
  635. }
  636. BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
  637. /* compute r1^dmq1 mod q */
  638. if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
  639. rsa->_method_mod_q)) {
  640. BN_free(c);
  641. BN_free(dmq1);
  642. goto err;
  643. }
  644. /* We MUST free dmq1 before any further use of rsa->dmq1 */
  645. BN_free(dmq1);
  646. }
  647. /* compute I mod p */
  648. if (!BN_mod(r1, c, rsa->p, ctx)) {
  649. BN_free(c);
  650. goto err;
  651. }
  652. /* We MUST free c before any further use of I */
  653. BN_free(c);
  654. }
  655. {
  656. BIGNUM *dmp1 = BN_new();
  657. if (dmp1 == NULL)
  658. goto err;
  659. BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
  660. /* compute r1^dmp1 mod p */
  661. if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
  662. rsa->_method_mod_p)) {
  663. BN_free(dmp1);
  664. goto err;
  665. }
  666. /* We MUST free dmp1 before any further use of rsa->dmp1 */
  667. BN_free(dmp1);
  668. }
  669. /*
  670. * calculate m_i in multi-prime case
  671. *
  672. * TODO:
  673. * 1. squash the following two loops and calculate |m_i| there.
  674. * 2. remove cc and reuse |c|.
  675. * 3. remove |dmq1| and |dmp1| in previous block and use |di|.
  676. *
  677. * If these things are done, the code will be more readable.
  678. */
  679. if (ex_primes > 0) {
  680. BIGNUM *di = BN_new(), *cc = BN_new();
  681. if (cc == NULL || di == NULL) {
  682. BN_free(cc);
  683. BN_free(di);
  684. goto err;
  685. }
  686. for (i = 0; i < ex_primes; i++) {
  687. /* prepare m_i */
  688. if ((m[i] = BN_CTX_get(ctx)) == NULL) {
  689. BN_free(cc);
  690. BN_free(di);
  691. goto err;
  692. }
  693. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  694. /* prepare c and d_i */
  695. BN_with_flags(cc, I, BN_FLG_CONSTTIME);
  696. BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME);
  697. if (!BN_mod(r1, cc, pinfo->r, ctx)) {
  698. BN_free(cc);
  699. BN_free(di);
  700. goto err;
  701. }
  702. /* compute r1 ^ d_i mod r_i */
  703. if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) {
  704. BN_free(cc);
  705. BN_free(di);
  706. goto err;
  707. }
  708. }
  709. BN_free(cc);
  710. BN_free(di);
  711. }
  712. if (!BN_sub(r0, r0, m1))
  713. goto err;
  714. /*
  715. * This will help stop the size of r0 increasing, which does affect the
  716. * multiply if it optimised for a power of 2 size
  717. */
  718. if (BN_is_negative(r0))
  719. if (!BN_add(r0, r0, rsa->p))
  720. goto err;
  721. if (!BN_mul(r1, r0, rsa->iqmp, ctx))
  722. goto err;
  723. {
  724. BIGNUM *pr1 = BN_new();
  725. if (pr1 == NULL)
  726. goto err;
  727. BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
  728. if (!BN_mod(r0, pr1, rsa->p, ctx)) {
  729. BN_free(pr1);
  730. goto err;
  731. }
  732. /* We MUST free pr1 before any further use of r1 */
  733. BN_free(pr1);
  734. }
  735. /*
  736. * If p < q it is occasionally possible for the correction of adding 'p'
  737. * if r0 is negative above to leave the result still negative. This can
  738. * break the private key operations: the following second correction
  739. * should *always* correct this rare occurrence. This will *never* happen
  740. * with OpenSSL generated keys because they ensure p > q [steve]
  741. */
  742. if (BN_is_negative(r0))
  743. if (!BN_add(r0, r0, rsa->p))
  744. goto err;
  745. if (!BN_mul(r1, r0, rsa->q, ctx))
  746. goto err;
  747. if (!BN_add(r0, r1, m1))
  748. goto err;
  749. /* add m_i to m in multi-prime case */
  750. if (ex_primes > 0) {
  751. BIGNUM *pr2 = BN_new();
  752. if (pr2 == NULL)
  753. goto err;
  754. for (i = 0; i < ex_primes; i++) {
  755. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  756. if (!BN_sub(r1, m[i], r0)) {
  757. BN_free(pr2);
  758. goto err;
  759. }
  760. if (!BN_mul(r2, r1, pinfo->t, ctx)) {
  761. BN_free(pr2);
  762. goto err;
  763. }
  764. BN_with_flags(pr2, r2, BN_FLG_CONSTTIME);
  765. if (!BN_mod(r1, pr2, pinfo->r, ctx)) {
  766. BN_free(pr2);
  767. goto err;
  768. }
  769. if (BN_is_negative(r1))
  770. if (!BN_add(r1, r1, pinfo->r)) {
  771. BN_free(pr2);
  772. goto err;
  773. }
  774. if (!BN_mul(r1, r1, pinfo->pp, ctx)) {
  775. BN_free(pr2);
  776. goto err;
  777. }
  778. if (!BN_add(r0, r0, r1)) {
  779. BN_free(pr2);
  780. goto err;
  781. }
  782. }
  783. BN_free(pr2);
  784. }
  785. tail:
  786. if (rsa->e && rsa->n) {
  787. if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
  788. if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
  789. rsa->_method_mod_n))
  790. goto err;
  791. } else {
  792. bn_correct_top(r0);
  793. if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
  794. rsa->_method_mod_n))
  795. goto err;
  796. }
  797. /*
  798. * If 'I' was greater than (or equal to) rsa->n, the operation will
  799. * be equivalent to using 'I mod n'. However, the result of the
  800. * verify will *always* be less than 'n' so we don't check for
  801. * absolute equality, just congruency.
  802. */
  803. if (!BN_sub(vrfy, vrfy, I))
  804. goto err;
  805. if (BN_is_zero(vrfy)) {
  806. bn_correct_top(r0);
  807. ret = 1;
  808. goto err; /* not actually error */
  809. }
  810. if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
  811. goto err;
  812. if (BN_is_negative(vrfy))
  813. if (!BN_add(vrfy, vrfy, rsa->n))
  814. goto err;
  815. if (!BN_is_zero(vrfy)) {
  816. /*
  817. * 'I' and 'vrfy' aren't congruent mod n. Don't leak
  818. * miscalculated CRT output, just do a raw (slower) mod_exp and
  819. * return that instead.
  820. */
  821. BIGNUM *d = BN_new();
  822. if (d == NULL)
  823. goto err;
  824. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  825. if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
  826. rsa->_method_mod_n)) {
  827. BN_free(d);
  828. goto err;
  829. }
  830. /* We MUST free d before any further use of rsa->d */
  831. BN_free(d);
  832. }
  833. }
  834. /*
  835. * It's unfortunate that we have to bn_correct_top(r0). What hopefully
  836. * saves the day is that correction is highly unlike, and private key
  837. * operations are customarily performed on blinded message. Which means
  838. * that attacker won't observe correlation with chosen plaintext.
  839. * Secondly, remaining code would still handle it in same computational
  840. * time and even conceal memory access pattern around corrected top.
  841. */
  842. bn_correct_top(r0);
  843. ret = 1;
  844. err:
  845. BN_CTX_end(ctx);
  846. return ret;
  847. }
  848. static int rsa_ossl_init(RSA *rsa)
  849. {
  850. rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
  851. return 1;
  852. }
  853. static int rsa_ossl_finish(RSA *rsa)
  854. {
  855. int i;
  856. RSA_PRIME_INFO *pinfo;
  857. BN_MONT_CTX_free(rsa->_method_mod_n);
  858. BN_MONT_CTX_free(rsa->_method_mod_p);
  859. BN_MONT_CTX_free(rsa->_method_mod_q);
  860. for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) {
  861. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  862. BN_MONT_CTX_free(pinfo->m);
  863. }
  864. return 1;
  865. }