rsa_eay.c 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902
  1. /* crypto/rsa/rsa_eay.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include <stdio.h>
  112. #include "cryptlib.h"
  113. #include <openssl/bn.h>
  114. #include <openssl/rsa.h>
  115. #include <openssl/rand.h>
  116. #if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
  117. static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
  118. unsigned char *to, RSA *rsa, int padding);
  119. static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
  120. unsigned char *to, RSA *rsa, int padding);
  121. static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
  122. unsigned char *to, RSA *rsa, int padding);
  123. static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
  124. unsigned char *to, RSA *rsa, int padding);
  125. static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
  126. BN_CTX *ctx);
  127. static int RSA_eay_init(RSA *rsa);
  128. static int RSA_eay_finish(RSA *rsa);
  129. static RSA_METHOD rsa_pkcs1_eay_meth = {
  130. "Eric Young's PKCS#1 RSA",
  131. RSA_eay_public_encrypt,
  132. RSA_eay_public_decrypt, /* signature verification */
  133. RSA_eay_private_encrypt, /* signing */
  134. RSA_eay_private_decrypt,
  135. RSA_eay_mod_exp,
  136. BN_mod_exp_mont, /* XXX probably we should not use Montgomery
  137. * if e == 3 */
  138. RSA_eay_init,
  139. RSA_eay_finish,
  140. 0, /* flags */
  141. NULL,
  142. 0, /* rsa_sign */
  143. 0, /* rsa_verify */
  144. NULL /* rsa_keygen */
  145. };
  146. const RSA_METHOD *RSA_PKCS1_SSLeay(void)
  147. {
  148. return (&rsa_pkcs1_eay_meth);
  149. }
  150. static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
  151. unsigned char *to, RSA *rsa, int padding)
  152. {
  153. BIGNUM *f, *ret;
  154. int i, j, k, num = 0, r = -1;
  155. unsigned char *buf = NULL;
  156. BN_CTX *ctx = NULL;
  157. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  158. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
  159. return -1;
  160. }
  161. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  162. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  163. return -1;
  164. }
  165. /* for large moduli, enforce exponent limit */
  166. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  167. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  168. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
  169. return -1;
  170. }
  171. }
  172. if ((ctx = BN_CTX_new()) == NULL)
  173. goto err;
  174. BN_CTX_start(ctx);
  175. f = BN_CTX_get(ctx);
  176. ret = BN_CTX_get(ctx);
  177. num = BN_num_bytes(rsa->n);
  178. buf = OPENSSL_malloc(num);
  179. if (!f || !ret || !buf) {
  180. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
  181. goto err;
  182. }
  183. switch (padding) {
  184. case RSA_PKCS1_PADDING:
  185. i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
  186. break;
  187. # ifndef OPENSSL_NO_SHA
  188. case RSA_PKCS1_OAEP_PADDING:
  189. i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
  190. break;
  191. # endif
  192. case RSA_SSLV23_PADDING:
  193. i = RSA_padding_add_SSLv23(buf, num, from, flen);
  194. break;
  195. case RSA_NO_PADDING:
  196. i = RSA_padding_add_none(buf, num, from, flen);
  197. break;
  198. default:
  199. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  200. goto err;
  201. }
  202. if (i <= 0)
  203. goto err;
  204. if (BN_bin2bn(buf, num, f) == NULL)
  205. goto err;
  206. if (BN_ucmp(f, rsa->n) >= 0) {
  207. /* usually the padding functions would catch this */
  208. RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
  209. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  210. goto err;
  211. }
  212. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  213. if (!BN_MONT_CTX_set_locked
  214. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
  215. goto err;
  216. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  217. rsa->_method_mod_n))
  218. goto err;
  219. /*
  220. * put in leading 0 bytes if the number is less than the length of the
  221. * modulus
  222. */
  223. j = BN_num_bytes(ret);
  224. i = BN_bn2bin(ret, &(to[num - j]));
  225. for (k = 0; k < (num - i); k++)
  226. to[k] = 0;
  227. r = num;
  228. err:
  229. if (ctx != NULL) {
  230. BN_CTX_end(ctx);
  231. BN_CTX_free(ctx);
  232. }
  233. if (buf != NULL) {
  234. OPENSSL_cleanse(buf, num);
  235. OPENSSL_free(buf);
  236. }
  237. return (r);
  238. }
  239. static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
  240. {
  241. BN_BLINDING *ret;
  242. int got_write_lock = 0;
  243. CRYPTO_r_lock(CRYPTO_LOCK_RSA);
  244. if (rsa->blinding == NULL) {
  245. CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
  246. CRYPTO_w_lock(CRYPTO_LOCK_RSA);
  247. got_write_lock = 1;
  248. if (rsa->blinding == NULL)
  249. rsa->blinding = RSA_setup_blinding(rsa, ctx);
  250. }
  251. ret = rsa->blinding;
  252. if (ret == NULL)
  253. goto err;
  254. if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) {
  255. /* rsa->blinding is ours! */
  256. *local = 1;
  257. } else {
  258. /* resort to rsa->mt_blinding instead */
  259. /*
  260. * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
  261. * BN_BLINDING is shared, meaning that accesses require locks, and
  262. * that the blinding factor must be stored outside the BN_BLINDING
  263. */
  264. *local = 0;
  265. if (rsa->mt_blinding == NULL) {
  266. if (!got_write_lock) {
  267. CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
  268. CRYPTO_w_lock(CRYPTO_LOCK_RSA);
  269. got_write_lock = 1;
  270. }
  271. if (rsa->mt_blinding == NULL)
  272. rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
  273. }
  274. ret = rsa->mt_blinding;
  275. }
  276. err:
  277. if (got_write_lock)
  278. CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
  279. else
  280. CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
  281. return ret;
  282. }
  283. static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  284. BN_CTX *ctx)
  285. {
  286. if (unblind == NULL)
  287. /*
  288. * Local blinding: store the unblinding factor in BN_BLINDING.
  289. */
  290. return BN_BLINDING_convert_ex(f, NULL, b, ctx);
  291. else {
  292. /*
  293. * Shared blinding: store the unblinding factor outside BN_BLINDING.
  294. */
  295. int ret;
  296. CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
  297. ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
  298. CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
  299. return ret;
  300. }
  301. }
  302. static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  303. BN_CTX *ctx)
  304. {
  305. /*
  306. * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
  307. * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
  308. * is shared between threads, unblind must be non-null:
  309. * BN_BLINDING_invert_ex will then use the local unblinding factor, and
  310. * will only read the modulus from BN_BLINDING. In both cases it's safe
  311. * to access the blinding without a lock.
  312. */
  313. return BN_BLINDING_invert_ex(f, unblind, b, ctx);
  314. }
  315. /* signing */
  316. static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
  317. unsigned char *to, RSA *rsa, int padding)
  318. {
  319. BIGNUM *f, *ret, *res;
  320. int i, j, k, num = 0, r = -1;
  321. unsigned char *buf = NULL;
  322. BN_CTX *ctx = NULL;
  323. int local_blinding = 0;
  324. /*
  325. * Used only if the blinding structure is shared. A non-NULL unblind
  326. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  327. * the unblinding factor outside the blinding structure.
  328. */
  329. BIGNUM *unblind = NULL;
  330. BN_BLINDING *blinding = NULL;
  331. if ((ctx = BN_CTX_new()) == NULL)
  332. goto err;
  333. BN_CTX_start(ctx);
  334. f = BN_CTX_get(ctx);
  335. ret = BN_CTX_get(ctx);
  336. num = BN_num_bytes(rsa->n);
  337. buf = OPENSSL_malloc(num);
  338. if (!f || !ret || !buf) {
  339. RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  340. goto err;
  341. }
  342. switch (padding) {
  343. case RSA_PKCS1_PADDING:
  344. i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
  345. break;
  346. case RSA_X931_PADDING:
  347. i = RSA_padding_add_X931(buf, num, from, flen);
  348. break;
  349. case RSA_NO_PADDING:
  350. i = RSA_padding_add_none(buf, num, from, flen);
  351. break;
  352. case RSA_SSLV23_PADDING:
  353. default:
  354. RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  355. goto err;
  356. }
  357. if (i <= 0)
  358. goto err;
  359. if (BN_bin2bn(buf, num, f) == NULL)
  360. goto err;
  361. if (BN_ucmp(f, rsa->n) >= 0) {
  362. /* usually the padding functions would catch this */
  363. RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
  364. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  365. goto err;
  366. }
  367. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  368. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  369. if (blinding == NULL) {
  370. RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
  371. goto err;
  372. }
  373. }
  374. if (blinding != NULL) {
  375. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  376. RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
  377. goto err;
  378. }
  379. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  380. goto err;
  381. }
  382. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  383. ((rsa->p != NULL) &&
  384. (rsa->q != NULL) &&
  385. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  386. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  387. goto err;
  388. } else {
  389. BIGNUM local_d;
  390. BIGNUM *d = NULL;
  391. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  392. BN_init(&local_d);
  393. d = &local_d;
  394. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  395. } else
  396. d = rsa->d;
  397. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  398. if (!BN_MONT_CTX_set_locked
  399. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
  400. goto err;
  401. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  402. rsa->_method_mod_n))
  403. goto err;
  404. }
  405. if (blinding)
  406. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  407. goto err;
  408. if (padding == RSA_X931_PADDING) {
  409. BN_sub(f, rsa->n, ret);
  410. if (BN_cmp(ret, f) > 0)
  411. res = f;
  412. else
  413. res = ret;
  414. } else
  415. res = ret;
  416. /*
  417. * put in leading 0 bytes if the number is less than the length of the
  418. * modulus
  419. */
  420. j = BN_num_bytes(res);
  421. i = BN_bn2bin(res, &(to[num - j]));
  422. for (k = 0; k < (num - i); k++)
  423. to[k] = 0;
  424. r = num;
  425. err:
  426. if (ctx != NULL) {
  427. BN_CTX_end(ctx);
  428. BN_CTX_free(ctx);
  429. }
  430. if (buf != NULL) {
  431. OPENSSL_cleanse(buf, num);
  432. OPENSSL_free(buf);
  433. }
  434. return (r);
  435. }
  436. static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
  437. unsigned char *to, RSA *rsa, int padding)
  438. {
  439. BIGNUM *f, *ret;
  440. int j, num = 0, r = -1;
  441. unsigned char *p;
  442. unsigned char *buf = NULL;
  443. BN_CTX *ctx = NULL;
  444. int local_blinding = 0;
  445. /*
  446. * Used only if the blinding structure is shared. A non-NULL unblind
  447. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  448. * the unblinding factor outside the blinding structure.
  449. */
  450. BIGNUM *unblind = NULL;
  451. BN_BLINDING *blinding = NULL;
  452. if ((ctx = BN_CTX_new()) == NULL)
  453. goto err;
  454. BN_CTX_start(ctx);
  455. f = BN_CTX_get(ctx);
  456. ret = BN_CTX_get(ctx);
  457. num = BN_num_bytes(rsa->n);
  458. buf = OPENSSL_malloc(num);
  459. if (!f || !ret || !buf) {
  460. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  461. goto err;
  462. }
  463. /*
  464. * This check was for equality but PGP does evil things and chops off the
  465. * top '0' bytes
  466. */
  467. if (flen > num) {
  468. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
  469. RSA_R_DATA_GREATER_THAN_MOD_LEN);
  470. goto err;
  471. }
  472. /* make data into a big number */
  473. if (BN_bin2bn(from, (int)flen, f) == NULL)
  474. goto err;
  475. if (BN_ucmp(f, rsa->n) >= 0) {
  476. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
  477. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  478. goto err;
  479. }
  480. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  481. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  482. if (blinding == NULL) {
  483. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
  484. goto err;
  485. }
  486. }
  487. if (blinding != NULL) {
  488. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  489. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
  490. goto err;
  491. }
  492. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  493. goto err;
  494. }
  495. /* do the decrypt */
  496. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  497. ((rsa->p != NULL) &&
  498. (rsa->q != NULL) &&
  499. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  500. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  501. goto err;
  502. } else {
  503. BIGNUM local_d;
  504. BIGNUM *d = NULL;
  505. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  506. d = &local_d;
  507. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  508. } else
  509. d = rsa->d;
  510. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  511. if (!BN_MONT_CTX_set_locked
  512. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
  513. goto err;
  514. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  515. rsa->_method_mod_n))
  516. goto err;
  517. }
  518. if (blinding)
  519. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  520. goto err;
  521. p = buf;
  522. j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
  523. switch (padding) {
  524. case RSA_PKCS1_PADDING:
  525. r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
  526. break;
  527. # ifndef OPENSSL_NO_SHA
  528. case RSA_PKCS1_OAEP_PADDING:
  529. r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
  530. break;
  531. # endif
  532. case RSA_SSLV23_PADDING:
  533. r = RSA_padding_check_SSLv23(to, num, buf, j, num);
  534. break;
  535. case RSA_NO_PADDING:
  536. r = RSA_padding_check_none(to, num, buf, j, num);
  537. break;
  538. default:
  539. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  540. goto err;
  541. }
  542. if (r < 0)
  543. RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
  544. err:
  545. if (ctx != NULL) {
  546. BN_CTX_end(ctx);
  547. BN_CTX_free(ctx);
  548. }
  549. if (buf != NULL) {
  550. OPENSSL_cleanse(buf, num);
  551. OPENSSL_free(buf);
  552. }
  553. return (r);
  554. }
  555. /* signature verification */
  556. static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
  557. unsigned char *to, RSA *rsa, int padding)
  558. {
  559. BIGNUM *f, *ret;
  560. int i, num = 0, r = -1;
  561. unsigned char *p;
  562. unsigned char *buf = NULL;
  563. BN_CTX *ctx = NULL;
  564. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  565. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
  566. return -1;
  567. }
  568. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  569. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  570. return -1;
  571. }
  572. /* for large moduli, enforce exponent limit */
  573. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  574. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  575. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
  576. return -1;
  577. }
  578. }
  579. if ((ctx = BN_CTX_new()) == NULL)
  580. goto err;
  581. BN_CTX_start(ctx);
  582. f = BN_CTX_get(ctx);
  583. ret = BN_CTX_get(ctx);
  584. num = BN_num_bytes(rsa->n);
  585. buf = OPENSSL_malloc(num);
  586. if (!f || !ret || !buf) {
  587. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
  588. goto err;
  589. }
  590. /*
  591. * This check was for equality but PGP does evil things and chops off the
  592. * top '0' bytes
  593. */
  594. if (flen > num) {
  595. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
  596. goto err;
  597. }
  598. if (BN_bin2bn(from, flen, f) == NULL)
  599. goto err;
  600. if (BN_ucmp(f, rsa->n) >= 0) {
  601. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
  602. RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  603. goto err;
  604. }
  605. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  606. if (!BN_MONT_CTX_set_locked
  607. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
  608. goto err;
  609. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  610. rsa->_method_mod_n))
  611. goto err;
  612. if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
  613. if (!BN_sub(ret, rsa->n, ret))
  614. goto err;
  615. p = buf;
  616. i = BN_bn2bin(ret, p);
  617. switch (padding) {
  618. case RSA_PKCS1_PADDING:
  619. r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
  620. break;
  621. case RSA_X931_PADDING:
  622. r = RSA_padding_check_X931(to, num, buf, i, num);
  623. break;
  624. case RSA_NO_PADDING:
  625. r = RSA_padding_check_none(to, num, buf, i, num);
  626. break;
  627. default:
  628. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
  629. goto err;
  630. }
  631. if (r < 0)
  632. RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
  633. err:
  634. if (ctx != NULL) {
  635. BN_CTX_end(ctx);
  636. BN_CTX_free(ctx);
  637. }
  638. if (buf != NULL) {
  639. OPENSSL_cleanse(buf, num);
  640. OPENSSL_free(buf);
  641. }
  642. return (r);
  643. }
  644. static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
  645. {
  646. BIGNUM *r1, *m1, *vrfy;
  647. BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
  648. BIGNUM *dmp1, *dmq1, *c, *pr1;
  649. int ret = 0;
  650. BN_CTX_start(ctx);
  651. r1 = BN_CTX_get(ctx);
  652. m1 = BN_CTX_get(ctx);
  653. vrfy = BN_CTX_get(ctx);
  654. {
  655. BIGNUM local_p, local_q;
  656. BIGNUM *p = NULL, *q = NULL;
  657. /*
  658. * Make sure BN_mod_inverse in Montgomery intialization uses the
  659. * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
  660. */
  661. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  662. BN_init(&local_p);
  663. p = &local_p;
  664. BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
  665. BN_init(&local_q);
  666. q = &local_q;
  667. BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
  668. } else {
  669. p = rsa->p;
  670. q = rsa->q;
  671. }
  672. if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
  673. if (!BN_MONT_CTX_set_locked
  674. (&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
  675. goto err;
  676. if (!BN_MONT_CTX_set_locked
  677. (&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
  678. goto err;
  679. }
  680. }
  681. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  682. if (!BN_MONT_CTX_set_locked
  683. (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
  684. goto err;
  685. /* compute I mod q */
  686. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  687. c = &local_c;
  688. BN_with_flags(c, I, BN_FLG_CONSTTIME);
  689. if (!BN_mod(r1, c, rsa->q, ctx))
  690. goto err;
  691. } else {
  692. if (!BN_mod(r1, I, rsa->q, ctx))
  693. goto err;
  694. }
  695. /* compute r1^dmq1 mod q */
  696. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  697. dmq1 = &local_dmq1;
  698. BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
  699. } else
  700. dmq1 = rsa->dmq1;
  701. if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q))
  702. goto err;
  703. /* compute I mod p */
  704. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  705. c = &local_c;
  706. BN_with_flags(c, I, BN_FLG_CONSTTIME);
  707. if (!BN_mod(r1, c, rsa->p, ctx))
  708. goto err;
  709. } else {
  710. if (!BN_mod(r1, I, rsa->p, ctx))
  711. goto err;
  712. }
  713. /* compute r1^dmp1 mod p */
  714. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  715. dmp1 = &local_dmp1;
  716. BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
  717. } else
  718. dmp1 = rsa->dmp1;
  719. if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p))
  720. goto err;
  721. if (!BN_sub(r0, r0, m1))
  722. goto err;
  723. /*
  724. * This will help stop the size of r0 increasing, which does affect the
  725. * multiply if it optimised for a power of 2 size
  726. */
  727. if (BN_is_negative(r0))
  728. if (!BN_add(r0, r0, rsa->p))
  729. goto err;
  730. if (!BN_mul(r1, r0, rsa->iqmp, ctx))
  731. goto err;
  732. /* Turn BN_FLG_CONSTTIME flag on before division operation */
  733. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  734. pr1 = &local_r1;
  735. BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
  736. } else
  737. pr1 = r1;
  738. if (!BN_mod(r0, pr1, rsa->p, ctx))
  739. goto err;
  740. /*
  741. * If p < q it is occasionally possible for the correction of adding 'p'
  742. * if r0 is negative above to leave the result still negative. This can
  743. * break the private key operations: the following second correction
  744. * should *always* correct this rare occurrence. This will *never* happen
  745. * with OpenSSL generated keys because they ensure p > q [steve]
  746. */
  747. if (BN_is_negative(r0))
  748. if (!BN_add(r0, r0, rsa->p))
  749. goto err;
  750. if (!BN_mul(r1, r0, rsa->q, ctx))
  751. goto err;
  752. if (!BN_add(r0, r1, m1))
  753. goto err;
  754. if (rsa->e && rsa->n) {
  755. if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
  756. rsa->_method_mod_n))
  757. goto err;
  758. /*
  759. * If 'I' was greater than (or equal to) rsa->n, the operation will
  760. * be equivalent to using 'I mod n'. However, the result of the
  761. * verify will *always* be less than 'n' so we don't check for
  762. * absolute equality, just congruency.
  763. */
  764. if (!BN_sub(vrfy, vrfy, I))
  765. goto err;
  766. if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
  767. goto err;
  768. if (BN_is_negative(vrfy))
  769. if (!BN_add(vrfy, vrfy, rsa->n))
  770. goto err;
  771. if (!BN_is_zero(vrfy)) {
  772. /*
  773. * 'I' and 'vrfy' aren't congruent mod n. Don't leak
  774. * miscalculated CRT output, just do a raw (slower) mod_exp and
  775. * return that instead.
  776. */
  777. BIGNUM local_d;
  778. BIGNUM *d = NULL;
  779. if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
  780. d = &local_d;
  781. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  782. } else
  783. d = rsa->d;
  784. if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
  785. rsa->_method_mod_n))
  786. goto err;
  787. }
  788. }
  789. ret = 1;
  790. err:
  791. BN_CTX_end(ctx);
  792. return (ret);
  793. }
  794. static int RSA_eay_init(RSA *rsa)
  795. {
  796. rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
  797. return (1);
  798. }
  799. static int RSA_eay_finish(RSA *rsa)
  800. {
  801. if (rsa->_method_mod_n != NULL)
  802. BN_MONT_CTX_free(rsa->_method_mod_n);
  803. if (rsa->_method_mod_p != NULL)
  804. BN_MONT_CTX_free(rsa->_method_mod_p);
  805. if (rsa->_method_mod_q != NULL)
  806. BN_MONT_CTX_free(rsa->_method_mod_q);
  807. return (1);
  808. }
  809. #endif