2
0

rsa_ossl.c 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020
  1. /*
  2. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * RSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include "internal/cryptlib.h"
  15. #include "crypto/bn.h"
  16. #include "rsa_local.h"
  17. #include "internal/constant_time.h"
  18. static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
  19. unsigned char *to, RSA *rsa, int padding);
  20. static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
  21. unsigned char *to, RSA *rsa, int padding);
  22. static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
  23. unsigned char *to, RSA *rsa, int padding);
  24. static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
  25. unsigned char *to, RSA *rsa, int padding);
  26. static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
  27. BN_CTX *ctx);
  28. static int rsa_ossl_init(RSA *rsa);
  29. static int rsa_ossl_finish(RSA *rsa);
  30. static RSA_METHOD rsa_pkcs1_ossl_meth = {
  31. "OpenSSL PKCS#1 RSA",
  32. rsa_ossl_public_encrypt,
  33. rsa_ossl_public_decrypt, /* signature verification */
  34. rsa_ossl_private_encrypt, /* signing */
  35. rsa_ossl_private_decrypt,
  36. rsa_ossl_mod_exp,
  37. BN_mod_exp_mont, /* XXX probably we should not use Montgomery
  38. * if e == 3 */
  39. rsa_ossl_init,
  40. rsa_ossl_finish,
  41. RSA_FLAG_FIPS_METHOD, /* flags */
  42. NULL,
  43. 0, /* rsa_sign */
  44. 0, /* rsa_verify */
  45. NULL, /* rsa_keygen */
  46. NULL /* rsa_multi_prime_keygen */
  47. };
  48. static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth;
  49. void RSA_set_default_method(const RSA_METHOD *meth)
  50. {
  51. default_RSA_meth = meth;
  52. }
  53. const RSA_METHOD *RSA_get_default_method(void)
  54. {
  55. return default_RSA_meth;
  56. }
  57. const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
  58. {
  59. return &rsa_pkcs1_ossl_meth;
  60. }
  61. const RSA_METHOD *RSA_null_method(void)
  62. {
  63. return NULL;
  64. }
  65. static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
  66. unsigned char *to, RSA *rsa, int padding)
  67. {
  68. BIGNUM *f, *ret;
  69. int i, num = 0, r = -1;
  70. unsigned char *buf = NULL;
  71. BN_CTX *ctx = NULL;
  72. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  73. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
  74. return -1;
  75. }
  76. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  77. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  78. return -1;
  79. }
  80. /* for large moduli, enforce exponent limit */
  81. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  82. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  83. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  84. return -1;
  85. }
  86. }
  87. if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
  88. goto err;
  89. BN_CTX_start(ctx);
  90. f = BN_CTX_get(ctx);
  91. ret = BN_CTX_get(ctx);
  92. num = BN_num_bytes(rsa->n);
  93. buf = OPENSSL_malloc(num);
  94. if (ret == NULL || buf == NULL) {
  95. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
  96. goto err;
  97. }
  98. switch (padding) {
  99. case RSA_PKCS1_PADDING:
  100. i = rsa_padding_add_PKCS1_type_2_with_libctx(rsa->libctx, buf, num,
  101. from, flen);
  102. break;
  103. case RSA_PKCS1_OAEP_PADDING:
  104. i = rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(rsa->libctx, buf, num,
  105. from, flen, NULL, 0,
  106. NULL, NULL);
  107. break;
  108. #ifndef FIPS_MODULE
  109. case RSA_SSLV23_PADDING:
  110. i = rsa_padding_add_SSLv23_with_libctx(rsa->libctx, buf, num, from,
  111. flen);
  112. break;
  113. #endif
  114. case RSA_NO_PADDING:
  115. i = RSA_padding_add_none(buf, num, from, flen);
  116. break;
  117. default:
  118. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  119. goto err;
  120. }
  121. if (i <= 0)
  122. goto err;
  123. if (BN_bin2bn(buf, num, f) == NULL)
  124. goto err;
  125. if (BN_ucmp(f, rsa->n) >= 0) {
  126. /* usually the padding functions would catch this */
  127. RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT,
  128. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  129. goto err;
  130. }
  131. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  132. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  133. rsa->n, ctx))
  134. goto err;
  135. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  136. rsa->_method_mod_n))
  137. goto err;
  138. /*
  139. * BN_bn2binpad puts in leading 0 bytes if the number is less than
  140. * the length of the modulus.
  141. */
  142. r = BN_bn2binpad(ret, to, num);
  143. err:
  144. BN_CTX_end(ctx);
  145. BN_CTX_free(ctx);
  146. OPENSSL_clear_free(buf, num);
  147. return r;
  148. }
  149. static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
  150. {
  151. BN_BLINDING *ret;
  152. CRYPTO_THREAD_write_lock(rsa->lock);
  153. if (rsa->blinding == NULL) {
  154. rsa->blinding = RSA_setup_blinding(rsa, ctx);
  155. }
  156. ret = rsa->blinding;
  157. if (ret == NULL)
  158. goto err;
  159. if (BN_BLINDING_is_current_thread(ret)) {
  160. /* rsa->blinding is ours! */
  161. *local = 1;
  162. } else {
  163. /* resort to rsa->mt_blinding instead */
  164. /*
  165. * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
  166. * BN_BLINDING is shared, meaning that accesses require locks, and
  167. * that the blinding factor must be stored outside the BN_BLINDING
  168. */
  169. *local = 0;
  170. if (rsa->mt_blinding == NULL) {
  171. rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
  172. }
  173. ret = rsa->mt_blinding;
  174. }
  175. err:
  176. CRYPTO_THREAD_unlock(rsa->lock);
  177. return ret;
  178. }
  179. static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  180. BN_CTX *ctx)
  181. {
  182. if (unblind == NULL) {
  183. /*
  184. * Local blinding: store the unblinding factor in BN_BLINDING.
  185. */
  186. return BN_BLINDING_convert_ex(f, NULL, b, ctx);
  187. } else {
  188. /*
  189. * Shared blinding: store the unblinding factor outside BN_BLINDING.
  190. */
  191. int ret;
  192. BN_BLINDING_lock(b);
  193. ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
  194. BN_BLINDING_unlock(b);
  195. return ret;
  196. }
  197. }
  198. static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  199. BN_CTX *ctx)
  200. {
  201. /*
  202. * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
  203. * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
  204. * is shared between threads, unblind must be non-null:
  205. * BN_BLINDING_invert_ex will then use the local unblinding factor, and
  206. * will only read the modulus from BN_BLINDING. In both cases it's safe
  207. * to access the blinding without a lock.
  208. */
  209. return BN_BLINDING_invert_ex(f, unblind, b, ctx);
  210. }
  211. /* signing */
  212. static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
  213. unsigned char *to, RSA *rsa, int padding)
  214. {
  215. BIGNUM *f, *ret, *res;
  216. int i, num = 0, r = -1;
  217. unsigned char *buf = NULL;
  218. BN_CTX *ctx = NULL;
  219. int local_blinding = 0;
  220. /*
  221. * Used only if the blinding structure is shared. A non-NULL unblind
  222. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  223. * the unblinding factor outside the blinding structure.
  224. */
  225. BIGNUM *unblind = NULL;
  226. BN_BLINDING *blinding = NULL;
  227. if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
  228. goto err;
  229. BN_CTX_start(ctx);
  230. f = BN_CTX_get(ctx);
  231. ret = BN_CTX_get(ctx);
  232. num = BN_num_bytes(rsa->n);
  233. buf = OPENSSL_malloc(num);
  234. if (ret == NULL || buf == NULL) {
  235. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  236. goto err;
  237. }
  238. switch (padding) {
  239. case RSA_PKCS1_PADDING:
  240. i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
  241. break;
  242. case RSA_X931_PADDING:
  243. i = RSA_padding_add_X931(buf, num, from, flen);
  244. break;
  245. case RSA_NO_PADDING:
  246. i = RSA_padding_add_none(buf, num, from, flen);
  247. break;
  248. case RSA_SSLV23_PADDING:
  249. default:
  250. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  251. goto err;
  252. }
  253. if (i <= 0)
  254. goto err;
  255. if (BN_bin2bn(buf, num, f) == NULL)
  256. goto err;
  257. if (BN_ucmp(f, rsa->n) >= 0) {
  258. /* usually the padding functions would catch this */
  259. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
  260. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  261. goto err;
  262. }
  263. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  264. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  265. rsa->n, ctx))
  266. goto err;
  267. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  268. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  269. if (blinding == NULL) {
  270. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
  271. goto err;
  272. }
  273. }
  274. if (blinding != NULL) {
  275. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  276. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  277. goto err;
  278. }
  279. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  280. goto err;
  281. }
  282. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  283. (rsa->version == RSA_ASN1_VERSION_MULTI) ||
  284. ((rsa->p != NULL) &&
  285. (rsa->q != NULL) &&
  286. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  287. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  288. goto err;
  289. } else {
  290. BIGNUM *d = BN_new();
  291. if (d == NULL) {
  292. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  293. goto err;
  294. }
  295. if (rsa->d == NULL) {
  296. RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY);
  297. BN_free(d);
  298. goto err;
  299. }
  300. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  301. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  302. rsa->_method_mod_n)) {
  303. BN_free(d);
  304. goto err;
  305. }
  306. /* We MUST free d before any further use of rsa->d */
  307. BN_free(d);
  308. }
  309. if (blinding)
  310. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  311. goto err;
  312. if (padding == RSA_X931_PADDING) {
  313. if (!BN_sub(f, rsa->n, ret))
  314. goto err;
  315. if (BN_cmp(ret, f) > 0)
  316. res = f;
  317. else
  318. res = ret;
  319. } else {
  320. res = ret;
  321. }
  322. /*
  323. * BN_bn2binpad puts in leading 0 bytes if the number is less than
  324. * the length of the modulus.
  325. */
  326. r = BN_bn2binpad(res, to, num);
  327. err:
  328. BN_CTX_end(ctx);
  329. BN_CTX_free(ctx);
  330. OPENSSL_clear_free(buf, num);
  331. return r;
  332. }
  333. static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
  334. unsigned char *to, RSA *rsa, int padding)
  335. {
  336. BIGNUM *f, *ret;
  337. int j, num = 0, r = -1;
  338. unsigned char *buf = NULL;
  339. BN_CTX *ctx = NULL;
  340. int local_blinding = 0;
  341. /*
  342. * Used only if the blinding structure is shared. A non-NULL unblind
  343. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  344. * the unblinding factor outside the blinding structure.
  345. */
  346. BIGNUM *unblind = NULL;
  347. BN_BLINDING *blinding = NULL;
  348. if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
  349. goto err;
  350. BN_CTX_start(ctx);
  351. f = BN_CTX_get(ctx);
  352. ret = BN_CTX_get(ctx);
  353. num = BN_num_bytes(rsa->n);
  354. buf = OPENSSL_malloc(num);
  355. if (ret == NULL || buf == NULL) {
  356. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  357. goto err;
  358. }
  359. /*
  360. * This check was for equality but PGP does evil things and chops off the
  361. * top '0' bytes
  362. */
  363. if (flen > num) {
  364. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
  365. RSA_R_DATA_GREATER_THAN_MOD_LEN);
  366. goto err;
  367. }
  368. /* make data into a big number */
  369. if (BN_bin2bn(from, (int)flen, f) == NULL)
  370. goto err;
  371. if (BN_ucmp(f, rsa->n) >= 0) {
  372. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
  373. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  374. goto err;
  375. }
  376. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  377. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  378. if (blinding == NULL) {
  379. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
  380. goto err;
  381. }
  382. }
  383. if (blinding != NULL) {
  384. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  385. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  386. goto err;
  387. }
  388. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  389. goto err;
  390. }
  391. /* do the decrypt */
  392. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  393. (rsa->version == RSA_ASN1_VERSION_MULTI) ||
  394. ((rsa->p != NULL) &&
  395. (rsa->q != NULL) &&
  396. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  397. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  398. goto err;
  399. } else {
  400. BIGNUM *d = BN_new();
  401. if (d == NULL) {
  402. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  403. goto err;
  404. }
  405. if (rsa->d == NULL) {
  406. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY);
  407. BN_free(d);
  408. goto err;
  409. }
  410. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  411. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  412. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  413. rsa->n, ctx)) {
  414. BN_free(d);
  415. goto err;
  416. }
  417. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  418. rsa->_method_mod_n)) {
  419. BN_free(d);
  420. goto err;
  421. }
  422. /* We MUST free d before any further use of rsa->d */
  423. BN_free(d);
  424. }
  425. if (blinding)
  426. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  427. goto err;
  428. j = BN_bn2binpad(ret, buf, num);
  429. if (j < 0)
  430. goto err;
  431. switch (padding) {
  432. case RSA_PKCS1_PADDING:
  433. r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
  434. break;
  435. case RSA_PKCS1_OAEP_PADDING:
  436. r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
  437. break;
  438. #ifndef FIPS_MODULE
  439. case RSA_SSLV23_PADDING:
  440. r = RSA_padding_check_SSLv23(to, num, buf, j, num);
  441. break;
  442. #endif
  443. case RSA_NO_PADDING:
  444. memcpy(to, buf, (r = j));
  445. break;
  446. default:
  447. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  448. goto err;
  449. }
  450. #ifndef FIPS_MODULE
  451. /*
  452. * This trick doesn't work in the FIPS provider because libcrypto manages
  453. * the error stack. Instead we opt not to put an error on the stack at all
  454. * in case of padding failure in the FIPS provider.
  455. */
  456. RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
  457. err_clear_last_constant_time(1 & ~constant_time_msb(r));
  458. #endif
  459. err:
  460. BN_CTX_end(ctx);
  461. BN_CTX_free(ctx);
  462. OPENSSL_clear_free(buf, num);
  463. return r;
  464. }
  465. /* signature verification */
  466. static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
  467. unsigned char *to, RSA *rsa, int padding)
  468. {
  469. BIGNUM *f, *ret;
  470. int i, num = 0, r = -1;
  471. unsigned char *buf = NULL;
  472. BN_CTX *ctx = NULL;
  473. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  474. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
  475. return -1;
  476. }
  477. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  478. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  479. return -1;
  480. }
  481. /* for large moduli, enforce exponent limit */
  482. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  483. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  484. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  485. return -1;
  486. }
  487. }
  488. if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
  489. goto err;
  490. BN_CTX_start(ctx);
  491. f = BN_CTX_get(ctx);
  492. ret = BN_CTX_get(ctx);
  493. num = BN_num_bytes(rsa->n);
  494. buf = OPENSSL_malloc(num);
  495. if (ret == NULL || buf == NULL) {
  496. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
  497. goto err;
  498. }
  499. /*
  500. * This check was for equality but PGP does evil things and chops off the
  501. * top '0' bytes
  502. */
  503. if (flen > num) {
  504. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
  505. goto err;
  506. }
  507. if (BN_bin2bn(from, flen, f) == NULL)
  508. goto err;
  509. if (BN_ucmp(f, rsa->n) >= 0) {
  510. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT,
  511. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  512. goto err;
  513. }
  514. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  515. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  516. rsa->n, ctx))
  517. goto err;
  518. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  519. rsa->_method_mod_n))
  520. goto err;
  521. if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
  522. if (!BN_sub(ret, rsa->n, ret))
  523. goto err;
  524. i = BN_bn2binpad(ret, buf, num);
  525. if (i < 0)
  526. goto err;
  527. switch (padding) {
  528. case RSA_PKCS1_PADDING:
  529. r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
  530. break;
  531. case RSA_X931_PADDING:
  532. r = RSA_padding_check_X931(to, num, buf, i, num);
  533. break;
  534. case RSA_NO_PADDING:
  535. memcpy(to, buf, (r = i));
  536. break;
  537. default:
  538. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  539. goto err;
  540. }
  541. if (r < 0)
  542. RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
  543. err:
  544. BN_CTX_end(ctx);
  545. BN_CTX_free(ctx);
  546. OPENSSL_clear_free(buf, num);
  547. return r;
  548. }
  549. static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
  550. {
  551. BIGNUM *r1, *m1, *vrfy;
  552. int ret = 0, smooth = 0;
  553. #ifndef FIPS_MODULE
  554. BIGNUM *r2, *m[RSA_MAX_PRIME_NUM - 2];
  555. int i, ex_primes = 0;
  556. RSA_PRIME_INFO *pinfo;
  557. #endif
  558. BN_CTX_start(ctx);
  559. r1 = BN_CTX_get(ctx);
  560. #ifndef FIPS_MODULE
  561. r2 = BN_CTX_get(ctx);
  562. #endif
  563. m1 = BN_CTX_get(ctx);
  564. vrfy = BN_CTX_get(ctx);
  565. if (vrfy == NULL)
  566. goto err;
  567. #ifndef FIPS_MODULE
  568. if (rsa->version == RSA_ASN1_VERSION_MULTI
  569. && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0
  570. || ex_primes > RSA_MAX_PRIME_NUM - 2))
  571. goto err;
  572. #endif
  573. if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
  574. BIGNUM *factor = BN_new();
  575. if (factor == NULL)
  576. goto err;
  577. /*
  578. * Make sure BN_mod_inverse in Montgomery initialization uses the
  579. * BN_FLG_CONSTTIME flag
  580. */
  581. if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),
  582. BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,
  583. factor, ctx))
  584. || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),
  585. BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,
  586. factor, ctx))) {
  587. BN_free(factor);
  588. goto err;
  589. }
  590. #ifndef FIPS_MODULE
  591. for (i = 0; i < ex_primes; i++) {
  592. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  593. BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME);
  594. if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) {
  595. BN_free(factor);
  596. goto err;
  597. }
  598. }
  599. #endif
  600. /*
  601. * We MUST free |factor| before any further use of the prime factors
  602. */
  603. BN_free(factor);
  604. smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
  605. #ifndef FIPS_MODULE
  606. && (ex_primes == 0)
  607. #endif
  608. && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));
  609. }
  610. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  611. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  612. rsa->n, ctx))
  613. goto err;
  614. if (smooth) {
  615. /*
  616. * Conversion from Montgomery domain, a.k.a. Montgomery reduction,
  617. * accepts values in [0-m*2^w) range. w is m's bit width rounded up
  618. * to limb width. So that at the very least if |I| is fully reduced,
  619. * i.e. less than p*q, we can count on from-to round to perform
  620. * below modulo operations on |I|. Unlike BN_mod it's constant time.
  621. */
  622. if (/* m1 = I moq q */
  623. !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
  624. || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
  625. /* m1 = m1^dmq1 mod q */
  626. || !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx,
  627. rsa->_method_mod_q)
  628. /* r1 = I mod p */
  629. || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
  630. || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
  631. /* r1 = r1^dmp1 mod p */
  632. || !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx,
  633. rsa->_method_mod_p)
  634. /* r1 = (r1 - m1) mod p */
  635. /*
  636. * bn_mod_sub_fixed_top is not regular modular subtraction,
  637. * it can tolerate subtrahend to be larger than modulus, but
  638. * not bit-wise wider. This makes up for uncommon q>p case,
  639. * when |m1| can be larger than |rsa->p|.
  640. */
  641. || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
  642. /* r1 = r1 * iqmp mod p */
  643. || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
  644. || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
  645. ctx)
  646. /* r0 = r1 * q + m1 */
  647. || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
  648. || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
  649. goto err;
  650. goto tail;
  651. }
  652. /* compute I mod q */
  653. {
  654. BIGNUM *c = BN_new();
  655. if (c == NULL)
  656. goto err;
  657. BN_with_flags(c, I, BN_FLG_CONSTTIME);
  658. if (!BN_mod(r1, c, rsa->q, ctx)) {
  659. BN_free(c);
  660. goto err;
  661. }
  662. {
  663. BIGNUM *dmq1 = BN_new();
  664. if (dmq1 == NULL) {
  665. BN_free(c);
  666. goto err;
  667. }
  668. BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
  669. /* compute r1^dmq1 mod q */
  670. if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
  671. rsa->_method_mod_q)) {
  672. BN_free(c);
  673. BN_free(dmq1);
  674. goto err;
  675. }
  676. /* We MUST free dmq1 before any further use of rsa->dmq1 */
  677. BN_free(dmq1);
  678. }
  679. /* compute I mod p */
  680. if (!BN_mod(r1, c, rsa->p, ctx)) {
  681. BN_free(c);
  682. goto err;
  683. }
  684. /* We MUST free c before any further use of I */
  685. BN_free(c);
  686. }
  687. {
  688. BIGNUM *dmp1 = BN_new();
  689. if (dmp1 == NULL)
  690. goto err;
  691. BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
  692. /* compute r1^dmp1 mod p */
  693. if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
  694. rsa->_method_mod_p)) {
  695. BN_free(dmp1);
  696. goto err;
  697. }
  698. /* We MUST free dmp1 before any further use of rsa->dmp1 */
  699. BN_free(dmp1);
  700. }
  701. #ifndef FIPS_MODULE
  702. /*
  703. * calculate m_i in multi-prime case
  704. *
  705. * TODO:
  706. * 1. squash the following two loops and calculate |m_i| there.
  707. * 2. remove cc and reuse |c|.
  708. * 3. remove |dmq1| and |dmp1| in previous block and use |di|.
  709. *
  710. * If these things are done, the code will be more readable.
  711. */
  712. if (ex_primes > 0) {
  713. BIGNUM *di = BN_new(), *cc = BN_new();
  714. if (cc == NULL || di == NULL) {
  715. BN_free(cc);
  716. BN_free(di);
  717. goto err;
  718. }
  719. for (i = 0; i < ex_primes; i++) {
  720. /* prepare m_i */
  721. if ((m[i] = BN_CTX_get(ctx)) == NULL) {
  722. BN_free(cc);
  723. BN_free(di);
  724. goto err;
  725. }
  726. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  727. /* prepare c and d_i */
  728. BN_with_flags(cc, I, BN_FLG_CONSTTIME);
  729. BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME);
  730. if (!BN_mod(r1, cc, pinfo->r, ctx)) {
  731. BN_free(cc);
  732. BN_free(di);
  733. goto err;
  734. }
  735. /* compute r1 ^ d_i mod r_i */
  736. if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) {
  737. BN_free(cc);
  738. BN_free(di);
  739. goto err;
  740. }
  741. }
  742. BN_free(cc);
  743. BN_free(di);
  744. }
  745. #endif
  746. if (!BN_sub(r0, r0, m1))
  747. goto err;
  748. /*
  749. * This will help stop the size of r0 increasing, which does affect the
  750. * multiply if it optimised for a power of 2 size
  751. */
  752. if (BN_is_negative(r0))
  753. if (!BN_add(r0, r0, rsa->p))
  754. goto err;
  755. if (!BN_mul(r1, r0, rsa->iqmp, ctx))
  756. goto err;
  757. {
  758. BIGNUM *pr1 = BN_new();
  759. if (pr1 == NULL)
  760. goto err;
  761. BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
  762. if (!BN_mod(r0, pr1, rsa->p, ctx)) {
  763. BN_free(pr1);
  764. goto err;
  765. }
  766. /* We MUST free pr1 before any further use of r1 */
  767. BN_free(pr1);
  768. }
  769. /*
  770. * If p < q it is occasionally possible for the correction of adding 'p'
  771. * if r0 is negative above to leave the result still negative. This can
  772. * break the private key operations: the following second correction
  773. * should *always* correct this rare occurrence. This will *never* happen
  774. * with OpenSSL generated keys because they ensure p > q [steve]
  775. */
  776. if (BN_is_negative(r0))
  777. if (!BN_add(r0, r0, rsa->p))
  778. goto err;
  779. if (!BN_mul(r1, r0, rsa->q, ctx))
  780. goto err;
  781. if (!BN_add(r0, r1, m1))
  782. goto err;
  783. #ifndef FIPS_MODULE
  784. /* add m_i to m in multi-prime case */
  785. if (ex_primes > 0) {
  786. BIGNUM *pr2 = BN_new();
  787. if (pr2 == NULL)
  788. goto err;
  789. for (i = 0; i < ex_primes; i++) {
  790. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  791. if (!BN_sub(r1, m[i], r0)) {
  792. BN_free(pr2);
  793. goto err;
  794. }
  795. if (!BN_mul(r2, r1, pinfo->t, ctx)) {
  796. BN_free(pr2);
  797. goto err;
  798. }
  799. BN_with_flags(pr2, r2, BN_FLG_CONSTTIME);
  800. if (!BN_mod(r1, pr2, pinfo->r, ctx)) {
  801. BN_free(pr2);
  802. goto err;
  803. }
  804. if (BN_is_negative(r1))
  805. if (!BN_add(r1, r1, pinfo->r)) {
  806. BN_free(pr2);
  807. goto err;
  808. }
  809. if (!BN_mul(r1, r1, pinfo->pp, ctx)) {
  810. BN_free(pr2);
  811. goto err;
  812. }
  813. if (!BN_add(r0, r0, r1)) {
  814. BN_free(pr2);
  815. goto err;
  816. }
  817. }
  818. BN_free(pr2);
  819. }
  820. #endif
  821. tail:
  822. if (rsa->e && rsa->n) {
  823. if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
  824. if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
  825. rsa->_method_mod_n))
  826. goto err;
  827. } else {
  828. bn_correct_top(r0);
  829. if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
  830. rsa->_method_mod_n))
  831. goto err;
  832. }
  833. /*
  834. * If 'I' was greater than (or equal to) rsa->n, the operation will
  835. * be equivalent to using 'I mod n'. However, the result of the
  836. * verify will *always* be less than 'n' so we don't check for
  837. * absolute equality, just congruency.
  838. */
  839. if (!BN_sub(vrfy, vrfy, I))
  840. goto err;
  841. if (BN_is_zero(vrfy)) {
  842. bn_correct_top(r0);
  843. ret = 1;
  844. goto err; /* not actually error */
  845. }
  846. if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
  847. goto err;
  848. if (BN_is_negative(vrfy))
  849. if (!BN_add(vrfy, vrfy, rsa->n))
  850. goto err;
  851. if (!BN_is_zero(vrfy)) {
  852. /*
  853. * 'I' and 'vrfy' aren't congruent mod n. Don't leak
  854. * miscalculated CRT output, just do a raw (slower) mod_exp and
  855. * return that instead.
  856. */
  857. BIGNUM *d = BN_new();
  858. if (d == NULL)
  859. goto err;
  860. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  861. if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
  862. rsa->_method_mod_n)) {
  863. BN_free(d);
  864. goto err;
  865. }
  866. /* We MUST free d before any further use of rsa->d */
  867. BN_free(d);
  868. }
  869. }
  870. /*
  871. * It's unfortunate that we have to bn_correct_top(r0). What hopefully
  872. * saves the day is that correction is highly unlike, and private key
  873. * operations are customarily performed on blinded message. Which means
  874. * that attacker won't observe correlation with chosen plaintext.
  875. * Secondly, remaining code would still handle it in same computational
  876. * time and even conceal memory access pattern around corrected top.
  877. */
  878. bn_correct_top(r0);
  879. ret = 1;
  880. err:
  881. BN_CTX_end(ctx);
  882. return ret;
  883. }
  884. static int rsa_ossl_init(RSA *rsa)
  885. {
  886. rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
  887. return 1;
  888. }
  889. static int rsa_ossl_finish(RSA *rsa)
  890. {
  891. #ifndef FIPS_MODULE
  892. int i;
  893. RSA_PRIME_INFO *pinfo;
  894. for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) {
  895. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  896. BN_MONT_CTX_free(pinfo->m);
  897. }
  898. #endif
  899. BN_MONT_CTX_free(rsa->_method_mod_n);
  900. BN_MONT_CTX_free(rsa->_method_mod_p);
  901. BN_MONT_CTX_free(rsa->_method_mod_q);
  902. return 1;
  903. }