rsa_eay.c revision 296341
1/* crypto/rsa/rsa_eay.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <stdio.h> 113#include "cryptlib.h" 114#include <openssl/bn.h> 115#include <openssl/rsa.h> 116#include <openssl/rand.h> 117 118#ifndef RSA_NULL 119 120static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 121 unsigned char *to, RSA *rsa, int padding); 122static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 123 unsigned char *to, RSA *rsa, int padding); 124static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 125 unsigned char *to, RSA *rsa, int padding); 126static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 127 unsigned char *to, RSA *rsa, int padding); 128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, 129 BN_CTX *ctx); 130static int RSA_eay_init(RSA *rsa); 131static int RSA_eay_finish(RSA *rsa); 132static RSA_METHOD rsa_pkcs1_eay_meth = { 133 "Eric Young's PKCS#1 RSA", 134 RSA_eay_public_encrypt, 135 RSA_eay_public_decrypt, /* signature verification */ 136 RSA_eay_private_encrypt, /* signing */ 137 RSA_eay_private_decrypt, 138 RSA_eay_mod_exp, 139 BN_mod_exp_mont, /* XXX probably we should not use Montgomery 140 * if e == 3 */ 141 RSA_eay_init, 142 RSA_eay_finish, 143 0, /* flags */ 144 NULL, 145 0, /* rsa_sign */ 146 0, /* rsa_verify */ 147 NULL /* rsa_keygen */ 148}; 149 150const RSA_METHOD *RSA_PKCS1_SSLeay(void) 151{ 152 return (&rsa_pkcs1_eay_meth); 153} 154 155static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 156 unsigned char *to, RSA *rsa, int padding) 157{ 158 BIGNUM *f, *ret; 159 int i, j, k, num = 0, r = -1; 160 unsigned char *buf = NULL; 161 BN_CTX *ctx = NULL; 162 163 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 164 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 165 return -1; 166 } 167 168 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 169 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 170 return -1; 171 } 172 173 /* for large moduli, enforce exponent limit */ 174 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 175 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 176 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 177 return -1; 178 } 179 } 180 181 if ((ctx = BN_CTX_new()) == NULL) 182 goto err; 183 BN_CTX_start(ctx); 184 f = BN_CTX_get(ctx); 185 ret = BN_CTX_get(ctx); 186 num = BN_num_bytes(rsa->n); 187 buf = OPENSSL_malloc(num); 188 if (!f || !ret || !buf) { 189 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 190 goto err; 191 } 192 193 switch (padding) { 194 case RSA_PKCS1_PADDING: 195 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 196 break; 197# ifndef OPENSSL_NO_SHA 198 case RSA_PKCS1_OAEP_PADDING: 199 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 200 break; 201# endif 202 case RSA_SSLV23_PADDING: 203 i = RSA_padding_add_SSLv23(buf, num, from, flen); 204 break; 205 case RSA_NO_PADDING: 206 i = RSA_padding_add_none(buf, num, from, flen); 207 break; 208 default: 209 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 210 goto err; 211 } 212 if (i <= 0) 213 goto err; 214 215 if (BN_bin2bn(buf, num, f) == NULL) 216 goto err; 217 218 if (BN_ucmp(f, rsa->n) >= 0) { 219 /* usually the padding functions would catch this */ 220 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 221 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 222 goto err; 223 } 224 225 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 226 if (!BN_MONT_CTX_set_locked 227 (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 228 goto err; 229 230 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 231 rsa->_method_mod_n)) 232 goto err; 233 234 /* 235 * put in leading 0 bytes if the number is less than the length of the 236 * modulus 237 */ 238 j = BN_num_bytes(ret); 239 i = BN_bn2bin(ret, &(to[num - j])); 240 for (k = 0; k < (num - i); k++) 241 to[k] = 0; 242 243 r = num; 244 err: 245 if (ctx != NULL) { 246 BN_CTX_end(ctx); 247 BN_CTX_free(ctx); 248 } 249 if (buf != NULL) { 250 OPENSSL_cleanse(buf, num); 251 OPENSSL_free(buf); 252 } 253 return (r); 254} 255 256static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 257{ 258 BN_BLINDING *ret; 259 int got_write_lock = 0; 260 CRYPTO_THREADID cur; 261 262 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 263 264 if (rsa->blinding == NULL) { 265 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 266 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 267 got_write_lock = 1; 268 269 if (rsa->blinding == NULL) 270 rsa->blinding = RSA_setup_blinding(rsa, ctx); 271 } 272 273 ret = rsa->blinding; 274 if (ret == NULL) 275 goto err; 276 277 CRYPTO_THREADID_current(&cur); 278 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 279 /* rsa->blinding is ours! */ 280 281 *local = 1; 282 } else { 283 /* resort to rsa->mt_blinding instead */ 284 285 /* 286 * instructs rsa_blinding_convert(), rsa_blinding_invert() that the 287 * BN_BLINDING is shared, meaning that accesses require locks, and 288 * that the blinding factor must be stored outside the BN_BLINDING 289 */ 290 *local = 0; 291 292 if (rsa->mt_blinding == NULL) { 293 if (!got_write_lock) { 294 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 295 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 296 got_write_lock = 1; 297 } 298 299 if (rsa->mt_blinding == NULL) 300 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 301 } 302 ret = rsa->mt_blinding; 303 } 304 305 err: 306 if (got_write_lock) 307 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 308 else 309 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 310 return ret; 311} 312 313static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 314 BN_CTX *ctx) 315{ 316 if (unblind == NULL) 317 /* 318 * Local blinding: store the unblinding factor in BN_BLINDING. 319 */ 320 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 321 else { 322 /* 323 * Shared blinding: store the unblinding factor outside BN_BLINDING. 324 */ 325 int ret; 326 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 327 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 328 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 329 return ret; 330 } 331} 332 333static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 334 BN_CTX *ctx) 335{ 336 /* 337 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 338 * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING 339 * is shared between threads, unblind must be non-null: 340 * BN_BLINDING_invert_ex will then use the local unblinding factor, and 341 * will only read the modulus from BN_BLINDING. In both cases it's safe 342 * to access the blinding without a lock. 343 */ 344 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 345} 346 347/* signing */ 348static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 349 unsigned char *to, RSA *rsa, int padding) 350{ 351 BIGNUM *f, *ret, *res; 352 int i, j, k, num = 0, r = -1; 353 unsigned char *buf = NULL; 354 BN_CTX *ctx = NULL; 355 int local_blinding = 0; 356 /* 357 * Used only if the blinding structure is shared. A non-NULL unblind 358 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 359 * the unblinding factor outside the blinding structure. 360 */ 361 BIGNUM *unblind = NULL; 362 BN_BLINDING *blinding = NULL; 363 364 if ((ctx = BN_CTX_new()) == NULL) 365 goto err; 366 BN_CTX_start(ctx); 367 f = BN_CTX_get(ctx); 368 ret = BN_CTX_get(ctx); 369 num = BN_num_bytes(rsa->n); 370 buf = OPENSSL_malloc(num); 371 if (!f || !ret || !buf) { 372 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 373 goto err; 374 } 375 376 switch (padding) { 377 case RSA_PKCS1_PADDING: 378 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 379 break; 380 case RSA_X931_PADDING: 381 i = RSA_padding_add_X931(buf, num, from, flen); 382 break; 383 case RSA_NO_PADDING: 384 i = RSA_padding_add_none(buf, num, from, flen); 385 break; 386 case RSA_SSLV23_PADDING: 387 default: 388 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 389 goto err; 390 } 391 if (i <= 0) 392 goto err; 393 394 if (BN_bin2bn(buf, num, f) == NULL) 395 goto err; 396 397 if (BN_ucmp(f, rsa->n) >= 0) { 398 /* usually the padding functions would catch this */ 399 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 400 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 401 goto err; 402 } 403 404 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 405 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 406 if (blinding == NULL) { 407 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 408 goto err; 409 } 410 } 411 412 if (blinding != NULL) { 413 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 414 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 415 goto err; 416 } 417 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 418 goto err; 419 } 420 421 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 422 ((rsa->p != NULL) && 423 (rsa->q != NULL) && 424 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 425 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 426 goto err; 427 } else { 428 BIGNUM local_d; 429 BIGNUM *d = NULL; 430 431 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 432 BN_init(&local_d); 433 d = &local_d; 434 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 435 } else 436 d = rsa->d; 437 438 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 439 if (!BN_MONT_CTX_set_locked 440 (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 441 goto err; 442 443 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 444 rsa->_method_mod_n)) 445 goto err; 446 } 447 448 if (blinding) 449 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 450 goto err; 451 452 if (padding == RSA_X931_PADDING) { 453 BN_sub(f, rsa->n, ret); 454 if (BN_cmp(ret, f) > 0) 455 res = f; 456 else 457 res = ret; 458 } else 459 res = ret; 460 461 /* 462 * put in leading 0 bytes if the number is less than the length of the 463 * modulus 464 */ 465 j = BN_num_bytes(res); 466 i = BN_bn2bin(res, &(to[num - j])); 467 for (k = 0; k < (num - i); k++) 468 to[k] = 0; 469 470 r = num; 471 err: 472 if (ctx != NULL) { 473 BN_CTX_end(ctx); 474 BN_CTX_free(ctx); 475 } 476 if (buf != NULL) { 477 OPENSSL_cleanse(buf, num); 478 OPENSSL_free(buf); 479 } 480 return (r); 481} 482 483static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 484 unsigned char *to, RSA *rsa, int padding) 485{ 486 BIGNUM *f, *ret; 487 int j, num = 0, r = -1; 488 unsigned char *p; 489 unsigned char *buf = NULL; 490 BN_CTX *ctx = NULL; 491 int local_blinding = 0; 492 /* 493 * Used only if the blinding structure is shared. A non-NULL unblind 494 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 495 * the unblinding factor outside the blinding structure. 496 */ 497 BIGNUM *unblind = NULL; 498 BN_BLINDING *blinding = NULL; 499 500 if ((ctx = BN_CTX_new()) == NULL) 501 goto err; 502 BN_CTX_start(ctx); 503 f = BN_CTX_get(ctx); 504 ret = BN_CTX_get(ctx); 505 num = BN_num_bytes(rsa->n); 506 buf = OPENSSL_malloc(num); 507 if (!f || !ret || !buf) { 508 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 509 goto err; 510 } 511 512 /* 513 * This check was for equality but PGP does evil things and chops off the 514 * top '0' bytes 515 */ 516 if (flen > num) { 517 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 518 RSA_R_DATA_GREATER_THAN_MOD_LEN); 519 goto err; 520 } 521 522 /* make data into a big number */ 523 if (BN_bin2bn(from, (int)flen, f) == NULL) 524 goto err; 525 526 if (BN_ucmp(f, rsa->n) >= 0) { 527 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 528 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 529 goto err; 530 } 531 532 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 533 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 534 if (blinding == NULL) { 535 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 536 goto err; 537 } 538 } 539 540 if (blinding != NULL) { 541 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 542 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 543 goto err; 544 } 545 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 546 goto err; 547 } 548 549 /* do the decrypt */ 550 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 551 ((rsa->p != NULL) && 552 (rsa->q != NULL) && 553 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 554 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 555 goto err; 556 } else { 557 BIGNUM local_d; 558 BIGNUM *d = NULL; 559 560 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 561 d = &local_d; 562 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 563 } else 564 d = rsa->d; 565 566 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 567 if (!BN_MONT_CTX_set_locked 568 (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 569 goto err; 570 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 571 rsa->_method_mod_n)) 572 goto err; 573 } 574 575 if (blinding) 576 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 577 goto err; 578 579 p = buf; 580 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 581 582 switch (padding) { 583 case RSA_PKCS1_PADDING: 584 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 585 break; 586# ifndef OPENSSL_NO_SHA 587 case RSA_PKCS1_OAEP_PADDING: 588 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 589 break; 590# endif 591 case RSA_SSLV23_PADDING: 592 r = RSA_padding_check_SSLv23(to, num, buf, j, num); 593 break; 594 case RSA_NO_PADDING: 595 r = RSA_padding_check_none(to, num, buf, j, num); 596 break; 597 default: 598 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 599 goto err; 600 } 601 if (r < 0) 602 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 603 604 err: 605 if (ctx != NULL) { 606 BN_CTX_end(ctx); 607 BN_CTX_free(ctx); 608 } 609 if (buf != NULL) { 610 OPENSSL_cleanse(buf, num); 611 OPENSSL_free(buf); 612 } 613 return (r); 614} 615 616/* signature verification */ 617static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 618 unsigned char *to, RSA *rsa, int padding) 619{ 620 BIGNUM *f, *ret; 621 int i, num = 0, r = -1; 622 unsigned char *p; 623 unsigned char *buf = NULL; 624 BN_CTX *ctx = NULL; 625 626 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 627 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 628 return -1; 629 } 630 631 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 632 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 633 return -1; 634 } 635 636 /* for large moduli, enforce exponent limit */ 637 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 638 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 639 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 640 return -1; 641 } 642 } 643 644 if ((ctx = BN_CTX_new()) == NULL) 645 goto err; 646 BN_CTX_start(ctx); 647 f = BN_CTX_get(ctx); 648 ret = BN_CTX_get(ctx); 649 num = BN_num_bytes(rsa->n); 650 buf = OPENSSL_malloc(num); 651 if (!f || !ret || !buf) { 652 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 653 goto err; 654 } 655 656 /* 657 * This check was for equality but PGP does evil things and chops off the 658 * top '0' bytes 659 */ 660 if (flen > num) { 661 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); 662 goto err; 663 } 664 665 if (BN_bin2bn(from, flen, f) == NULL) 666 goto err; 667 668 if (BN_ucmp(f, rsa->n) >= 0) { 669 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 670 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 671 goto err; 672 } 673 674 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 675 if (!BN_MONT_CTX_set_locked 676 (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 677 goto err; 678 679 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 680 rsa->_method_mod_n)) 681 goto err; 682 683 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 684 if (!BN_sub(ret, rsa->n, ret)) 685 goto err; 686 687 p = buf; 688 i = BN_bn2bin(ret, p); 689 690 switch (padding) { 691 case RSA_PKCS1_PADDING: 692 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 693 break; 694 case RSA_X931_PADDING: 695 r = RSA_padding_check_X931(to, num, buf, i, num); 696 break; 697 case RSA_NO_PADDING: 698 r = RSA_padding_check_none(to, num, buf, i, num); 699 break; 700 default: 701 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 702 goto err; 703 } 704 if (r < 0) 705 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 706 707 err: 708 if (ctx != NULL) { 709 BN_CTX_end(ctx); 710 BN_CTX_free(ctx); 711 } 712 if (buf != NULL) { 713 OPENSSL_cleanse(buf, num); 714 OPENSSL_free(buf); 715 } 716 return (r); 717} 718 719static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 720{ 721 BIGNUM *r1, *m1, *vrfy; 722 BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 723 BIGNUM *dmp1, *dmq1, *c, *pr1; 724 int ret = 0; 725 726 BN_CTX_start(ctx); 727 r1 = BN_CTX_get(ctx); 728 m1 = BN_CTX_get(ctx); 729 vrfy = BN_CTX_get(ctx); 730 731 { 732 BIGNUM local_p, local_q; 733 BIGNUM *p = NULL, *q = NULL; 734 735 /* 736 * Make sure BN_mod_inverse in Montgomery intialization uses the 737 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 738 */ 739 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 740 BN_init(&local_p); 741 p = &local_p; 742 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 743 744 BN_init(&local_q); 745 q = &local_q; 746 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 747 } else { 748 p = rsa->p; 749 q = rsa->q; 750 } 751 752 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 753 if (!BN_MONT_CTX_set_locked 754 (&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) 755 goto err; 756 if (!BN_MONT_CTX_set_locked 757 (&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) 758 goto err; 759 } 760 } 761 762 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 763 if (!BN_MONT_CTX_set_locked 764 (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 765 goto err; 766 767 /* compute I mod q */ 768 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 769 c = &local_c; 770 BN_with_flags(c, I, BN_FLG_CONSTTIME); 771 if (!BN_mod(r1, c, rsa->q, ctx)) 772 goto err; 773 } else { 774 if (!BN_mod(r1, I, rsa->q, ctx)) 775 goto err; 776 } 777 778 /* compute r1^dmq1 mod q */ 779 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 780 dmq1 = &local_dmq1; 781 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 782 } else 783 dmq1 = rsa->dmq1; 784 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) 785 goto err; 786 787 /* compute I mod p */ 788 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 789 c = &local_c; 790 BN_with_flags(c, I, BN_FLG_CONSTTIME); 791 if (!BN_mod(r1, c, rsa->p, ctx)) 792 goto err; 793 } else { 794 if (!BN_mod(r1, I, rsa->p, ctx)) 795 goto err; 796 } 797 798 /* compute r1^dmp1 mod p */ 799 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 800 dmp1 = &local_dmp1; 801 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 802 } else 803 dmp1 = rsa->dmp1; 804 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) 805 goto err; 806 807 if (!BN_sub(r0, r0, m1)) 808 goto err; 809 /* 810 * This will help stop the size of r0 increasing, which does affect the 811 * multiply if it optimised for a power of 2 size 812 */ 813 if (BN_is_negative(r0)) 814 if (!BN_add(r0, r0, rsa->p)) 815 goto err; 816 817 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 818 goto err; 819 820 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 821 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 822 pr1 = &local_r1; 823 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 824 } else 825 pr1 = r1; 826 if (!BN_mod(r0, pr1, rsa->p, ctx)) 827 goto err; 828 829 /* 830 * If p < q it is occasionally possible for the correction of adding 'p' 831 * if r0 is negative above to leave the result still negative. This can 832 * break the private key operations: the following second correction 833 * should *always* correct this rare occurrence. This will *never* happen 834 * with OpenSSL generated keys because they ensure p > q [steve] 835 */ 836 if (BN_is_negative(r0)) 837 if (!BN_add(r0, r0, rsa->p)) 838 goto err; 839 if (!BN_mul(r1, r0, rsa->q, ctx)) 840 goto err; 841 if (!BN_add(r0, r1, m1)) 842 goto err; 843 844 if (rsa->e && rsa->n) { 845 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 846 rsa->_method_mod_n)) 847 goto err; 848 /* 849 * If 'I' was greater than (or equal to) rsa->n, the operation will 850 * be equivalent to using 'I mod n'. However, the result of the 851 * verify will *always* be less than 'n' so we don't check for 852 * absolute equality, just congruency. 853 */ 854 if (!BN_sub(vrfy, vrfy, I)) 855 goto err; 856 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 857 goto err; 858 if (BN_is_negative(vrfy)) 859 if (!BN_add(vrfy, vrfy, rsa->n)) 860 goto err; 861 if (!BN_is_zero(vrfy)) { 862 /* 863 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 864 * miscalculated CRT output, just do a raw (slower) mod_exp and 865 * return that instead. 866 */ 867 868 BIGNUM local_d; 869 BIGNUM *d = NULL; 870 871 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 872 d = &local_d; 873 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 874 } else 875 d = rsa->d; 876 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 877 rsa->_method_mod_n)) 878 goto err; 879 } 880 } 881 ret = 1; 882 err: 883 BN_CTX_end(ctx); 884 return (ret); 885} 886 887static int RSA_eay_init(RSA *rsa) 888{ 889 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 890 return (1); 891} 892 893static int RSA_eay_finish(RSA *rsa) 894{ 895 if (rsa->_method_mod_n != NULL) 896 BN_MONT_CTX_free(rsa->_method_mod_n); 897 if (rsa->_method_mod_p != NULL) 898 BN_MONT_CTX_free(rsa->_method_mod_p); 899 if (rsa->_method_mod_q != NULL) 900 BN_MONT_CTX_free(rsa->_method_mod_q); 901 return (1); 902} 903 904#endif 905