1*de0e0e4dSAntonio Huete Jimenez /* $OpenBSD: rsa_eay.c,v 1.54 2022/01/20 11:10:11 inoguchi Exp $ */
2f5b1c8a1SJohn Marino /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3f5b1c8a1SJohn Marino * All rights reserved.
4f5b1c8a1SJohn Marino *
5f5b1c8a1SJohn Marino * This package is an SSL implementation written
6f5b1c8a1SJohn Marino * by Eric Young (eay@cryptsoft.com).
7f5b1c8a1SJohn Marino * The implementation was written so as to conform with Netscapes SSL.
8f5b1c8a1SJohn Marino *
9f5b1c8a1SJohn Marino * This library is free for commercial and non-commercial use as long as
10f5b1c8a1SJohn Marino * the following conditions are aheared to. The following conditions
11f5b1c8a1SJohn Marino * apply to all code found in this distribution, be it the RC4, RSA,
12f5b1c8a1SJohn Marino * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13f5b1c8a1SJohn Marino * included with this distribution is covered by the same copyright terms
14f5b1c8a1SJohn Marino * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15f5b1c8a1SJohn Marino *
16f5b1c8a1SJohn Marino * Copyright remains Eric Young's, and as such any Copyright notices in
17f5b1c8a1SJohn Marino * the code are not to be removed.
18f5b1c8a1SJohn Marino * If this package is used in a product, Eric Young should be given attribution
19f5b1c8a1SJohn Marino * as the author of the parts of the library used.
20f5b1c8a1SJohn Marino * This can be in the form of a textual message at program startup or
21f5b1c8a1SJohn Marino * in documentation (online or textual) provided with the package.
22f5b1c8a1SJohn Marino *
23f5b1c8a1SJohn Marino * Redistribution and use in source and binary forms, with or without
24f5b1c8a1SJohn Marino * modification, are permitted provided that the following conditions
25f5b1c8a1SJohn Marino * are met:
26f5b1c8a1SJohn Marino * 1. Redistributions of source code must retain the copyright
27f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer.
28f5b1c8a1SJohn Marino * 2. Redistributions in binary form must reproduce the above copyright
29f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer in the
30f5b1c8a1SJohn Marino * documentation and/or other materials provided with the distribution.
31f5b1c8a1SJohn Marino * 3. All advertising materials mentioning features or use of this software
32f5b1c8a1SJohn Marino * must display the following acknowledgement:
33f5b1c8a1SJohn Marino * "This product includes cryptographic software written by
34f5b1c8a1SJohn Marino * Eric Young (eay@cryptsoft.com)"
35f5b1c8a1SJohn Marino * The word 'cryptographic' can be left out if the rouines from the library
36f5b1c8a1SJohn Marino * being used are not cryptographic related :-).
37f5b1c8a1SJohn Marino * 4. If you include any Windows specific code (or a derivative thereof) from
38f5b1c8a1SJohn Marino * the apps directory (application code) you must include an acknowledgement:
39f5b1c8a1SJohn Marino * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40f5b1c8a1SJohn Marino *
41f5b1c8a1SJohn Marino * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42f5b1c8a1SJohn Marino * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43f5b1c8a1SJohn Marino * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44f5b1c8a1SJohn Marino * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45f5b1c8a1SJohn Marino * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46f5b1c8a1SJohn Marino * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47f5b1c8a1SJohn Marino * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48f5b1c8a1SJohn Marino * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49f5b1c8a1SJohn Marino * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50f5b1c8a1SJohn Marino * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51f5b1c8a1SJohn Marino * SUCH DAMAGE.
52f5b1c8a1SJohn Marino *
53f5b1c8a1SJohn Marino * The licence and distribution terms for any publically available version or
54f5b1c8a1SJohn Marino * derivative of this code cannot be changed. i.e. this code cannot simply be
55f5b1c8a1SJohn Marino * copied and put under another distribution licence
56f5b1c8a1SJohn Marino * [including the GNU Public Licence.]
57f5b1c8a1SJohn Marino */
58f5b1c8a1SJohn Marino /* ====================================================================
59f5b1c8a1SJohn Marino * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60f5b1c8a1SJohn Marino *
61f5b1c8a1SJohn Marino * Redistribution and use in source and binary forms, with or without
62f5b1c8a1SJohn Marino * modification, are permitted provided that the following conditions
63f5b1c8a1SJohn Marino * are met:
64f5b1c8a1SJohn Marino *
65f5b1c8a1SJohn Marino * 1. Redistributions of source code must retain the above copyright
66f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer.
67f5b1c8a1SJohn Marino *
68f5b1c8a1SJohn Marino * 2. Redistributions in binary form must reproduce the above copyright
69f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer in
70f5b1c8a1SJohn Marino * the documentation and/or other materials provided with the
71f5b1c8a1SJohn Marino * distribution.
72f5b1c8a1SJohn Marino *
73f5b1c8a1SJohn Marino * 3. All advertising materials mentioning features or use of this
74f5b1c8a1SJohn Marino * software must display the following acknowledgment:
75f5b1c8a1SJohn Marino * "This product includes software developed by the OpenSSL Project
76f5b1c8a1SJohn Marino * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77f5b1c8a1SJohn Marino *
78f5b1c8a1SJohn Marino * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79f5b1c8a1SJohn Marino * endorse or promote products derived from this software without
80f5b1c8a1SJohn Marino * prior written permission. For written permission, please contact
81f5b1c8a1SJohn Marino * openssl-core@openssl.org.
82f5b1c8a1SJohn Marino *
83f5b1c8a1SJohn Marino * 5. Products derived from this software may not be called "OpenSSL"
84f5b1c8a1SJohn Marino * nor may "OpenSSL" appear in their names without prior written
85f5b1c8a1SJohn Marino * permission of the OpenSSL Project.
86f5b1c8a1SJohn Marino *
87f5b1c8a1SJohn Marino * 6. Redistributions of any form whatsoever must retain the following
88f5b1c8a1SJohn Marino * acknowledgment:
89f5b1c8a1SJohn Marino * "This product includes software developed by the OpenSSL Project
90f5b1c8a1SJohn Marino * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91f5b1c8a1SJohn Marino *
92f5b1c8a1SJohn Marino * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93f5b1c8a1SJohn Marino * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94f5b1c8a1SJohn Marino * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95f5b1c8a1SJohn Marino * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96f5b1c8a1SJohn Marino * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97f5b1c8a1SJohn Marino * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98f5b1c8a1SJohn Marino * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99f5b1c8a1SJohn Marino * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100f5b1c8a1SJohn Marino * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101f5b1c8a1SJohn Marino * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102f5b1c8a1SJohn Marino * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103f5b1c8a1SJohn Marino * OF THE POSSIBILITY OF SUCH DAMAGE.
104f5b1c8a1SJohn Marino * ====================================================================
105f5b1c8a1SJohn Marino *
106f5b1c8a1SJohn Marino * This product includes cryptographic software written by Eric Young
107f5b1c8a1SJohn Marino * (eay@cryptsoft.com). This product includes software written by Tim
108f5b1c8a1SJohn Marino * Hudson (tjh@cryptsoft.com).
109f5b1c8a1SJohn Marino *
110f5b1c8a1SJohn Marino */
111f5b1c8a1SJohn Marino
112f5b1c8a1SJohn Marino #include <stdio.h>
113f5b1c8a1SJohn Marino #include <string.h>
114f5b1c8a1SJohn Marino
115f5b1c8a1SJohn Marino #include <openssl/opensslconf.h>
116f5b1c8a1SJohn Marino
117f5b1c8a1SJohn Marino #include <openssl/bn.h>
118f5b1c8a1SJohn Marino #include <openssl/err.h>
119f5b1c8a1SJohn Marino #include <openssl/rsa.h>
120f5b1c8a1SJohn Marino
12172c33676SMaxim Ag #include "bn_lcl.h"
122*de0e0e4dSAntonio Huete Jimenez #include "rsa_locl.h"
12372c33676SMaxim Ag
124f5b1c8a1SJohn Marino static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
125f5b1c8a1SJohn Marino unsigned char *to, RSA *rsa, int padding);
126f5b1c8a1SJohn Marino static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
127f5b1c8a1SJohn Marino unsigned char *to, RSA *rsa, int padding);
128f5b1c8a1SJohn Marino static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
129f5b1c8a1SJohn Marino unsigned char *to, RSA *rsa, int padding);
130f5b1c8a1SJohn Marino static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
131f5b1c8a1SJohn Marino unsigned char *to, RSA *rsa, int padding);
132f5b1c8a1SJohn Marino static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
133f5b1c8a1SJohn Marino static int RSA_eay_init(RSA *rsa);
134f5b1c8a1SJohn Marino static int RSA_eay_finish(RSA *rsa);
135f5b1c8a1SJohn Marino
136f5b1c8a1SJohn Marino static RSA_METHOD rsa_pkcs1_eay_meth = {
137f5b1c8a1SJohn Marino .name = "Eric Young's PKCS#1 RSA",
138f5b1c8a1SJohn Marino .rsa_pub_enc = RSA_eay_public_encrypt,
139f5b1c8a1SJohn Marino .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */
140f5b1c8a1SJohn Marino .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */
141f5b1c8a1SJohn Marino .rsa_priv_dec = RSA_eay_private_decrypt,
142f5b1c8a1SJohn Marino .rsa_mod_exp = RSA_eay_mod_exp,
14372c33676SMaxim Ag .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if e == 3 */
144f5b1c8a1SJohn Marino .init = RSA_eay_init,
145f5b1c8a1SJohn Marino .finish = RSA_eay_finish,
146f5b1c8a1SJohn Marino };
147f5b1c8a1SJohn Marino
148f5b1c8a1SJohn Marino const RSA_METHOD *
RSA_PKCS1_OpenSSL(void)149cca6fc52SDaniel Fojt RSA_PKCS1_OpenSSL(void)
150cca6fc52SDaniel Fojt {
151cca6fc52SDaniel Fojt return &rsa_pkcs1_eay_meth;
152cca6fc52SDaniel Fojt }
153cca6fc52SDaniel Fojt
154cca6fc52SDaniel Fojt const RSA_METHOD *
RSA_PKCS1_SSLeay(void)155f5b1c8a1SJohn Marino RSA_PKCS1_SSLeay(void)
156f5b1c8a1SJohn Marino {
157f5b1c8a1SJohn Marino return &rsa_pkcs1_eay_meth;
158f5b1c8a1SJohn Marino }
159f5b1c8a1SJohn Marino
160f5b1c8a1SJohn Marino static int
RSA_eay_public_encrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)161f5b1c8a1SJohn Marino RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
162f5b1c8a1SJohn Marino RSA *rsa, int padding)
163f5b1c8a1SJohn Marino {
164f5b1c8a1SJohn Marino BIGNUM *f, *ret;
165f5b1c8a1SJohn Marino int i, j, k, num = 0, r = -1;
166f5b1c8a1SJohn Marino unsigned char *buf = NULL;
167f5b1c8a1SJohn Marino BN_CTX *ctx = NULL;
168f5b1c8a1SJohn Marino
169f5b1c8a1SJohn Marino if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
17072c33676SMaxim Ag RSAerror(RSA_R_MODULUS_TOO_LARGE);
171f5b1c8a1SJohn Marino return -1;
172f5b1c8a1SJohn Marino }
173f5b1c8a1SJohn Marino
174f5b1c8a1SJohn Marino if (BN_ucmp(rsa->n, rsa->e) <= 0) {
17572c33676SMaxim Ag RSAerror(RSA_R_BAD_E_VALUE);
176f5b1c8a1SJohn Marino return -1;
177f5b1c8a1SJohn Marino }
178f5b1c8a1SJohn Marino
179f5b1c8a1SJohn Marino /* for large moduli, enforce exponent limit */
180f5b1c8a1SJohn Marino if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
181f5b1c8a1SJohn Marino if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
18272c33676SMaxim Ag RSAerror(RSA_R_BAD_E_VALUE);
183f5b1c8a1SJohn Marino return -1;
184f5b1c8a1SJohn Marino }
185f5b1c8a1SJohn Marino }
186f5b1c8a1SJohn Marino
187f5b1c8a1SJohn Marino if ((ctx = BN_CTX_new()) == NULL)
188f5b1c8a1SJohn Marino goto err;
189f5b1c8a1SJohn Marino
190f5b1c8a1SJohn Marino BN_CTX_start(ctx);
191f5b1c8a1SJohn Marino f = BN_CTX_get(ctx);
192f5b1c8a1SJohn Marino ret = BN_CTX_get(ctx);
193f5b1c8a1SJohn Marino num = BN_num_bytes(rsa->n);
194f5b1c8a1SJohn Marino buf = malloc(num);
195f5b1c8a1SJohn Marino
196f5b1c8a1SJohn Marino if (f == NULL || ret == NULL || buf == NULL) {
19772c33676SMaxim Ag RSAerror(ERR_R_MALLOC_FAILURE);
198f5b1c8a1SJohn Marino goto err;
199f5b1c8a1SJohn Marino }
200f5b1c8a1SJohn Marino
201f5b1c8a1SJohn Marino switch (padding) {
202f5b1c8a1SJohn Marino case RSA_PKCS1_PADDING:
203f5b1c8a1SJohn Marino i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
204f5b1c8a1SJohn Marino break;
205f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_SHA
206f5b1c8a1SJohn Marino case RSA_PKCS1_OAEP_PADDING:
207f5b1c8a1SJohn Marino i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
208f5b1c8a1SJohn Marino break;
209f5b1c8a1SJohn Marino #endif
210f5b1c8a1SJohn Marino case RSA_NO_PADDING:
211f5b1c8a1SJohn Marino i = RSA_padding_add_none(buf, num, from, flen);
212f5b1c8a1SJohn Marino break;
213f5b1c8a1SJohn Marino default:
21472c33676SMaxim Ag RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
215f5b1c8a1SJohn Marino goto err;
216f5b1c8a1SJohn Marino }
217f5b1c8a1SJohn Marino if (i <= 0)
218f5b1c8a1SJohn Marino goto err;
219f5b1c8a1SJohn Marino
220f5b1c8a1SJohn Marino if (BN_bin2bn(buf, num, f) == NULL)
221f5b1c8a1SJohn Marino goto err;
222f5b1c8a1SJohn Marino
223f5b1c8a1SJohn Marino if (BN_ucmp(f, rsa->n) >= 0) {
224f5b1c8a1SJohn Marino /* usually the padding functions would catch this */
22572c33676SMaxim Ag RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
226f5b1c8a1SJohn Marino goto err;
227f5b1c8a1SJohn Marino }
228f5b1c8a1SJohn Marino
229f5b1c8a1SJohn Marino if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
230f5b1c8a1SJohn Marino if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
231f5b1c8a1SJohn Marino CRYPTO_LOCK_RSA, rsa->n, ctx))
232f5b1c8a1SJohn Marino goto err;
233f5b1c8a1SJohn Marino
234f5b1c8a1SJohn Marino if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
235f5b1c8a1SJohn Marino rsa->_method_mod_n))
236f5b1c8a1SJohn Marino goto err;
237f5b1c8a1SJohn Marino
238f5b1c8a1SJohn Marino /* put in leading 0 bytes if the number is less than the
239f5b1c8a1SJohn Marino * length of the modulus */
240f5b1c8a1SJohn Marino j = BN_num_bytes(ret);
241f5b1c8a1SJohn Marino i = BN_bn2bin(ret, &(to[num - j]));
242f5b1c8a1SJohn Marino for (k = 0; k < num - i; k++)
243f5b1c8a1SJohn Marino to[k] = 0;
244f5b1c8a1SJohn Marino
245f5b1c8a1SJohn Marino r = num;
246f5b1c8a1SJohn Marino err:
247f5b1c8a1SJohn Marino if (ctx != NULL) {
248f5b1c8a1SJohn Marino BN_CTX_end(ctx);
249f5b1c8a1SJohn Marino BN_CTX_free(ctx);
250f5b1c8a1SJohn Marino }
25172c33676SMaxim Ag freezero(buf, num);
252f5b1c8a1SJohn Marino return r;
253f5b1c8a1SJohn Marino }
254f5b1c8a1SJohn Marino
255f5b1c8a1SJohn Marino static BN_BLINDING *
rsa_get_blinding(RSA * rsa,int * local,BN_CTX * ctx)256f5b1c8a1SJohn Marino rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
257f5b1c8a1SJohn Marino {
258f5b1c8a1SJohn Marino BN_BLINDING *ret;
259f5b1c8a1SJohn Marino int got_write_lock = 0;
260f5b1c8a1SJohn Marino CRYPTO_THREADID cur;
261f5b1c8a1SJohn Marino
262f5b1c8a1SJohn Marino CRYPTO_r_lock(CRYPTO_LOCK_RSA);
263f5b1c8a1SJohn Marino
264f5b1c8a1SJohn Marino if (rsa->blinding == NULL) {
265f5b1c8a1SJohn Marino CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
266f5b1c8a1SJohn Marino CRYPTO_w_lock(CRYPTO_LOCK_RSA);
267f5b1c8a1SJohn Marino got_write_lock = 1;
268f5b1c8a1SJohn Marino
269f5b1c8a1SJohn Marino if (rsa->blinding == NULL)
270f5b1c8a1SJohn Marino rsa->blinding = RSA_setup_blinding(rsa, ctx);
271f5b1c8a1SJohn Marino }
272f5b1c8a1SJohn Marino
273f5b1c8a1SJohn Marino ret = rsa->blinding;
274f5b1c8a1SJohn Marino if (ret == NULL)
275f5b1c8a1SJohn Marino goto err;
276f5b1c8a1SJohn Marino
277f5b1c8a1SJohn Marino CRYPTO_THREADID_current(&cur);
278f5b1c8a1SJohn Marino if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
279f5b1c8a1SJohn Marino /* rsa->blinding is ours! */
280f5b1c8a1SJohn Marino *local = 1;
281f5b1c8a1SJohn Marino } else {
282f5b1c8a1SJohn Marino /* resort to rsa->mt_blinding instead */
283f5b1c8a1SJohn Marino /*
284f5b1c8a1SJohn Marino * Instruct rsa_blinding_convert(), rsa_blinding_invert()
285f5b1c8a1SJohn Marino * that the BN_BLINDING is shared, meaning that accesses
286f5b1c8a1SJohn Marino * require locks, and that the blinding factor must be
287f5b1c8a1SJohn Marino * stored outside the BN_BLINDING
288f5b1c8a1SJohn Marino */
289f5b1c8a1SJohn Marino *local = 0;
290f5b1c8a1SJohn Marino
291f5b1c8a1SJohn Marino if (rsa->mt_blinding == NULL) {
292f5b1c8a1SJohn Marino if (!got_write_lock) {
293f5b1c8a1SJohn Marino CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
294f5b1c8a1SJohn Marino CRYPTO_w_lock(CRYPTO_LOCK_RSA);
295f5b1c8a1SJohn Marino got_write_lock = 1;
296f5b1c8a1SJohn Marino }
297f5b1c8a1SJohn Marino
298f5b1c8a1SJohn Marino if (rsa->mt_blinding == NULL)
299f5b1c8a1SJohn Marino rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
300f5b1c8a1SJohn Marino }
301f5b1c8a1SJohn Marino ret = rsa->mt_blinding;
302f5b1c8a1SJohn Marino }
303f5b1c8a1SJohn Marino
304f5b1c8a1SJohn Marino err:
305f5b1c8a1SJohn Marino if (got_write_lock)
306f5b1c8a1SJohn Marino CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
307f5b1c8a1SJohn Marino else
308f5b1c8a1SJohn Marino CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
309f5b1c8a1SJohn Marino return ret;
310f5b1c8a1SJohn Marino }
311f5b1c8a1SJohn Marino
312f5b1c8a1SJohn Marino static int
rsa_blinding_convert(BN_BLINDING * b,BIGNUM * f,BIGNUM * unblind,BN_CTX * ctx)313f5b1c8a1SJohn Marino rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
314f5b1c8a1SJohn Marino {
315f5b1c8a1SJohn Marino if (unblind == NULL)
316f5b1c8a1SJohn Marino /*
317f5b1c8a1SJohn Marino * Local blinding: store the unblinding factor
318f5b1c8a1SJohn Marino * in BN_BLINDING.
319f5b1c8a1SJohn Marino */
320f5b1c8a1SJohn Marino return BN_BLINDING_convert_ex(f, NULL, b, ctx);
321f5b1c8a1SJohn Marino else {
322f5b1c8a1SJohn Marino /*
323f5b1c8a1SJohn Marino * Shared blinding: store the unblinding factor
324f5b1c8a1SJohn Marino * outside BN_BLINDING.
325f5b1c8a1SJohn Marino */
326f5b1c8a1SJohn Marino int ret;
327f5b1c8a1SJohn Marino CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
328f5b1c8a1SJohn Marino ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
329f5b1c8a1SJohn Marino CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
330f5b1c8a1SJohn Marino return ret;
331f5b1c8a1SJohn Marino }
332f5b1c8a1SJohn Marino }
333f5b1c8a1SJohn Marino
334f5b1c8a1SJohn Marino static int
rsa_blinding_invert(BN_BLINDING * b,BIGNUM * f,BIGNUM * unblind,BN_CTX * ctx)335f5b1c8a1SJohn Marino rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
336f5b1c8a1SJohn Marino {
337f5b1c8a1SJohn Marino /*
338f5b1c8a1SJohn Marino * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
339f5b1c8a1SJohn Marino * will use the unblinding factor stored in BN_BLINDING.
340f5b1c8a1SJohn Marino * If BN_BLINDING is shared between threads, unblind must be non-null:
341f5b1c8a1SJohn Marino * BN_BLINDING_invert_ex will then use the local unblinding factor,
342f5b1c8a1SJohn Marino * and will only read the modulus from BN_BLINDING.
343f5b1c8a1SJohn Marino * In both cases it's safe to access the blinding without a lock.
344f5b1c8a1SJohn Marino */
345f5b1c8a1SJohn Marino return BN_BLINDING_invert_ex(f, unblind, b, ctx);
346f5b1c8a1SJohn Marino }
347f5b1c8a1SJohn Marino
348f5b1c8a1SJohn Marino /* signing */
349f5b1c8a1SJohn Marino static int
RSA_eay_private_encrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)350f5b1c8a1SJohn Marino RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
351f5b1c8a1SJohn Marino RSA *rsa, int padding)
352f5b1c8a1SJohn Marino {
353f5b1c8a1SJohn Marino BIGNUM *f, *ret, *res;
354f5b1c8a1SJohn Marino int i, j, k, num = 0, r = -1;
355f5b1c8a1SJohn Marino unsigned char *buf = NULL;
356f5b1c8a1SJohn Marino BN_CTX *ctx = NULL;
357f5b1c8a1SJohn Marino int local_blinding = 0;
358f5b1c8a1SJohn Marino /*
359f5b1c8a1SJohn Marino * Used only if the blinding structure is shared. A non-NULL unblind
360f5b1c8a1SJohn Marino * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
361f5b1c8a1SJohn Marino * the unblinding factor outside the blinding structure.
362f5b1c8a1SJohn Marino */
363f5b1c8a1SJohn Marino BIGNUM *unblind = NULL;
364f5b1c8a1SJohn Marino BN_BLINDING *blinding = NULL;
365f5b1c8a1SJohn Marino
366f5b1c8a1SJohn Marino if ((ctx = BN_CTX_new()) == NULL)
367f5b1c8a1SJohn Marino goto err;
368f5b1c8a1SJohn Marino
369f5b1c8a1SJohn Marino BN_CTX_start(ctx);
370f5b1c8a1SJohn Marino f = BN_CTX_get(ctx);
371f5b1c8a1SJohn Marino ret = BN_CTX_get(ctx);
372f5b1c8a1SJohn Marino num = BN_num_bytes(rsa->n);
373f5b1c8a1SJohn Marino buf = malloc(num);
374f5b1c8a1SJohn Marino
375f5b1c8a1SJohn Marino if (f == NULL || ret == NULL || buf == NULL) {
37672c33676SMaxim Ag RSAerror(ERR_R_MALLOC_FAILURE);
377f5b1c8a1SJohn Marino goto err;
378f5b1c8a1SJohn Marino }
379f5b1c8a1SJohn Marino
380f5b1c8a1SJohn Marino switch (padding) {
381f5b1c8a1SJohn Marino case RSA_PKCS1_PADDING:
382f5b1c8a1SJohn Marino i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
383f5b1c8a1SJohn Marino break;
384f5b1c8a1SJohn Marino case RSA_X931_PADDING:
385f5b1c8a1SJohn Marino i = RSA_padding_add_X931(buf, num, from, flen);
386f5b1c8a1SJohn Marino break;
387f5b1c8a1SJohn Marino case RSA_NO_PADDING:
388f5b1c8a1SJohn Marino i = RSA_padding_add_none(buf, num, from, flen);
389f5b1c8a1SJohn Marino break;
390f5b1c8a1SJohn Marino default:
39172c33676SMaxim Ag RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
392f5b1c8a1SJohn Marino goto err;
393f5b1c8a1SJohn Marino }
394f5b1c8a1SJohn Marino if (i <= 0)
395f5b1c8a1SJohn Marino goto err;
396f5b1c8a1SJohn Marino
397f5b1c8a1SJohn Marino if (BN_bin2bn(buf, num, f) == NULL)
398f5b1c8a1SJohn Marino goto err;
399f5b1c8a1SJohn Marino
400f5b1c8a1SJohn Marino if (BN_ucmp(f, rsa->n) >= 0) {
401f5b1c8a1SJohn Marino /* usually the padding functions would catch this */
40272c33676SMaxim Ag RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
403f5b1c8a1SJohn Marino goto err;
404f5b1c8a1SJohn Marino }
405f5b1c8a1SJohn Marino
406f5b1c8a1SJohn Marino if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
407f5b1c8a1SJohn Marino blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
408f5b1c8a1SJohn Marino if (blinding == NULL) {
40972c33676SMaxim Ag RSAerror(ERR_R_INTERNAL_ERROR);
410f5b1c8a1SJohn Marino goto err;
411f5b1c8a1SJohn Marino }
412f5b1c8a1SJohn Marino }
413f5b1c8a1SJohn Marino
414f5b1c8a1SJohn Marino if (blinding != NULL) {
415f5b1c8a1SJohn Marino if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
41672c33676SMaxim Ag RSAerror(ERR_R_MALLOC_FAILURE);
417f5b1c8a1SJohn Marino goto err;
418f5b1c8a1SJohn Marino }
419f5b1c8a1SJohn Marino if (!rsa_blinding_convert(blinding, f, unblind, ctx))
420f5b1c8a1SJohn Marino goto err;
421f5b1c8a1SJohn Marino }
422f5b1c8a1SJohn Marino
423f5b1c8a1SJohn Marino if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
424f5b1c8a1SJohn Marino (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
425f5b1c8a1SJohn Marino rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
426f5b1c8a1SJohn Marino if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
427f5b1c8a1SJohn Marino goto err;
428f5b1c8a1SJohn Marino } else {
429f5b1c8a1SJohn Marino BIGNUM d;
430f5b1c8a1SJohn Marino
431f5b1c8a1SJohn Marino BN_init(&d);
432f5b1c8a1SJohn Marino BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
433f5b1c8a1SJohn Marino
434f5b1c8a1SJohn Marino if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
435f5b1c8a1SJohn Marino if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
436f5b1c8a1SJohn Marino CRYPTO_LOCK_RSA, rsa->n, ctx))
437f5b1c8a1SJohn Marino goto err;
438f5b1c8a1SJohn Marino
439f5b1c8a1SJohn Marino if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
440f5b1c8a1SJohn Marino rsa->_method_mod_n)) {
441f5b1c8a1SJohn Marino goto err;
442f5b1c8a1SJohn Marino }
443f5b1c8a1SJohn Marino }
444f5b1c8a1SJohn Marino
445f5b1c8a1SJohn Marino if (blinding)
446f5b1c8a1SJohn Marino if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
447f5b1c8a1SJohn Marino goto err;
448f5b1c8a1SJohn Marino
449f5b1c8a1SJohn Marino if (padding == RSA_X931_PADDING) {
450*de0e0e4dSAntonio Huete Jimenez if (!BN_sub(f, rsa->n, ret))
451*de0e0e4dSAntonio Huete Jimenez goto err;
452f5b1c8a1SJohn Marino if (BN_cmp(ret, f) > 0)
453f5b1c8a1SJohn Marino res = f;
454f5b1c8a1SJohn Marino else
455f5b1c8a1SJohn Marino res = ret;
456f5b1c8a1SJohn Marino } else
457f5b1c8a1SJohn Marino res = ret;
458f5b1c8a1SJohn Marino
459f5b1c8a1SJohn Marino /* put in leading 0 bytes if the number is less than the
460f5b1c8a1SJohn Marino * length of the modulus */
461f5b1c8a1SJohn Marino j = BN_num_bytes(res);
462f5b1c8a1SJohn Marino i = BN_bn2bin(res, &(to[num - j]));
463f5b1c8a1SJohn Marino for (k = 0; k < num - i; k++)
464f5b1c8a1SJohn Marino to[k] = 0;
465f5b1c8a1SJohn Marino
466f5b1c8a1SJohn Marino r = num;
467f5b1c8a1SJohn Marino err:
468f5b1c8a1SJohn Marino if (ctx != NULL) {
469f5b1c8a1SJohn Marino BN_CTX_end(ctx);
470f5b1c8a1SJohn Marino BN_CTX_free(ctx);
471f5b1c8a1SJohn Marino }
47272c33676SMaxim Ag freezero(buf, num);
473f5b1c8a1SJohn Marino return r;
474f5b1c8a1SJohn Marino }
475f5b1c8a1SJohn Marino
476f5b1c8a1SJohn Marino static int
RSA_eay_private_decrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)477f5b1c8a1SJohn Marino RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
478f5b1c8a1SJohn Marino RSA *rsa, int padding)
479f5b1c8a1SJohn Marino {
480f5b1c8a1SJohn Marino BIGNUM *f, *ret;
481f5b1c8a1SJohn Marino int j, num = 0, r = -1;
482f5b1c8a1SJohn Marino unsigned char *p;
483f5b1c8a1SJohn Marino unsigned char *buf = NULL;
484f5b1c8a1SJohn Marino BN_CTX *ctx = NULL;
485f5b1c8a1SJohn Marino int local_blinding = 0;
486f5b1c8a1SJohn Marino /*
487f5b1c8a1SJohn Marino * Used only if the blinding structure is shared. A non-NULL unblind
488f5b1c8a1SJohn Marino * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
489f5b1c8a1SJohn Marino * the unblinding factor outside the blinding structure.
490f5b1c8a1SJohn Marino */
491f5b1c8a1SJohn Marino BIGNUM *unblind = NULL;
492f5b1c8a1SJohn Marino BN_BLINDING *blinding = NULL;
493f5b1c8a1SJohn Marino
494f5b1c8a1SJohn Marino if ((ctx = BN_CTX_new()) == NULL)
495f5b1c8a1SJohn Marino goto err;
496f5b1c8a1SJohn Marino
497f5b1c8a1SJohn Marino BN_CTX_start(ctx);
498f5b1c8a1SJohn Marino f = BN_CTX_get(ctx);
499f5b1c8a1SJohn Marino ret = BN_CTX_get(ctx);
500f5b1c8a1SJohn Marino num = BN_num_bytes(rsa->n);
501f5b1c8a1SJohn Marino buf = malloc(num);
502f5b1c8a1SJohn Marino
503f5b1c8a1SJohn Marino if (!f || !ret || !buf) {
50472c33676SMaxim Ag RSAerror(ERR_R_MALLOC_FAILURE);
505f5b1c8a1SJohn Marino goto err;
506f5b1c8a1SJohn Marino }
507f5b1c8a1SJohn Marino
508f5b1c8a1SJohn Marino /* This check was for equality but PGP does evil things
509f5b1c8a1SJohn Marino * and chops off the top '0' bytes */
510f5b1c8a1SJohn Marino if (flen > num) {
51172c33676SMaxim Ag RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN);
512f5b1c8a1SJohn Marino goto err;
513f5b1c8a1SJohn Marino }
514f5b1c8a1SJohn Marino
515f5b1c8a1SJohn Marino /* make data into a big number */
516f5b1c8a1SJohn Marino if (BN_bin2bn(from, (int)flen, f) == NULL)
517f5b1c8a1SJohn Marino goto err;
518f5b1c8a1SJohn Marino
519f5b1c8a1SJohn Marino if (BN_ucmp(f, rsa->n) >= 0) {
52072c33676SMaxim Ag RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
521f5b1c8a1SJohn Marino goto err;
522f5b1c8a1SJohn Marino }
523f5b1c8a1SJohn Marino
524f5b1c8a1SJohn Marino if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
525f5b1c8a1SJohn Marino blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
526f5b1c8a1SJohn Marino if (blinding == NULL) {
52772c33676SMaxim Ag RSAerror(ERR_R_INTERNAL_ERROR);
528f5b1c8a1SJohn Marino goto err;
529f5b1c8a1SJohn Marino }
530f5b1c8a1SJohn Marino }
531f5b1c8a1SJohn Marino
532f5b1c8a1SJohn Marino if (blinding != NULL) {
533f5b1c8a1SJohn Marino if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
53472c33676SMaxim Ag RSAerror(ERR_R_MALLOC_FAILURE);
535f5b1c8a1SJohn Marino goto err;
536f5b1c8a1SJohn Marino }
537f5b1c8a1SJohn Marino if (!rsa_blinding_convert(blinding, f, unblind, ctx))
538f5b1c8a1SJohn Marino goto err;
539f5b1c8a1SJohn Marino }
540f5b1c8a1SJohn Marino
541f5b1c8a1SJohn Marino /* do the decrypt */
542f5b1c8a1SJohn Marino if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
543f5b1c8a1SJohn Marino (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
544f5b1c8a1SJohn Marino rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
545f5b1c8a1SJohn Marino if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
546f5b1c8a1SJohn Marino goto err;
547f5b1c8a1SJohn Marino } else {
548f5b1c8a1SJohn Marino BIGNUM d;
549f5b1c8a1SJohn Marino
550f5b1c8a1SJohn Marino BN_init(&d);
551f5b1c8a1SJohn Marino BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
552f5b1c8a1SJohn Marino
553f5b1c8a1SJohn Marino if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
554f5b1c8a1SJohn Marino if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
555f5b1c8a1SJohn Marino CRYPTO_LOCK_RSA, rsa->n, ctx))
556f5b1c8a1SJohn Marino goto err;
557f5b1c8a1SJohn Marino
558f5b1c8a1SJohn Marino if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
559f5b1c8a1SJohn Marino rsa->_method_mod_n)) {
560f5b1c8a1SJohn Marino goto err;
561f5b1c8a1SJohn Marino }
562f5b1c8a1SJohn Marino }
563f5b1c8a1SJohn Marino
564f5b1c8a1SJohn Marino if (blinding)
565f5b1c8a1SJohn Marino if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
566f5b1c8a1SJohn Marino goto err;
567f5b1c8a1SJohn Marino
568f5b1c8a1SJohn Marino p = buf;
569f5b1c8a1SJohn Marino j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
570f5b1c8a1SJohn Marino
571f5b1c8a1SJohn Marino switch (padding) {
572f5b1c8a1SJohn Marino case RSA_PKCS1_PADDING:
573f5b1c8a1SJohn Marino r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
574f5b1c8a1SJohn Marino break;
575f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_SHA
576f5b1c8a1SJohn Marino case RSA_PKCS1_OAEP_PADDING:
577f5b1c8a1SJohn Marino r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
578f5b1c8a1SJohn Marino break;
579f5b1c8a1SJohn Marino #endif
580f5b1c8a1SJohn Marino case RSA_NO_PADDING:
581f5b1c8a1SJohn Marino r = RSA_padding_check_none(to, num, buf, j, num);
582f5b1c8a1SJohn Marino break;
583f5b1c8a1SJohn Marino default:
58472c33676SMaxim Ag RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
585f5b1c8a1SJohn Marino goto err;
586f5b1c8a1SJohn Marino }
587f5b1c8a1SJohn Marino if (r < 0)
58872c33676SMaxim Ag RSAerror(RSA_R_PADDING_CHECK_FAILED);
589f5b1c8a1SJohn Marino
590f5b1c8a1SJohn Marino err:
591f5b1c8a1SJohn Marino if (ctx != NULL) {
592f5b1c8a1SJohn Marino BN_CTX_end(ctx);
593f5b1c8a1SJohn Marino BN_CTX_free(ctx);
594f5b1c8a1SJohn Marino }
59572c33676SMaxim Ag freezero(buf, num);
596f5b1c8a1SJohn Marino return r;
597f5b1c8a1SJohn Marino }
598f5b1c8a1SJohn Marino
599f5b1c8a1SJohn Marino /* signature verification */
600f5b1c8a1SJohn Marino static int
RSA_eay_public_decrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)601f5b1c8a1SJohn Marino RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
602f5b1c8a1SJohn Marino RSA *rsa, int padding)
603f5b1c8a1SJohn Marino {
604f5b1c8a1SJohn Marino BIGNUM *f, *ret;
605f5b1c8a1SJohn Marino int i, num = 0, r = -1;
606f5b1c8a1SJohn Marino unsigned char *p;
607f5b1c8a1SJohn Marino unsigned char *buf = NULL;
608f5b1c8a1SJohn Marino BN_CTX *ctx = NULL;
609f5b1c8a1SJohn Marino
610f5b1c8a1SJohn Marino if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
61172c33676SMaxim Ag RSAerror(RSA_R_MODULUS_TOO_LARGE);
612f5b1c8a1SJohn Marino return -1;
613f5b1c8a1SJohn Marino }
614f5b1c8a1SJohn Marino
615f5b1c8a1SJohn Marino if (BN_ucmp(rsa->n, rsa->e) <= 0) {
61672c33676SMaxim Ag RSAerror(RSA_R_BAD_E_VALUE);
617f5b1c8a1SJohn Marino return -1;
618f5b1c8a1SJohn Marino }
619f5b1c8a1SJohn Marino
620f5b1c8a1SJohn Marino /* for large moduli, enforce exponent limit */
621f5b1c8a1SJohn Marino if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
622f5b1c8a1SJohn Marino if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
62372c33676SMaxim Ag RSAerror(RSA_R_BAD_E_VALUE);
624f5b1c8a1SJohn Marino return -1;
625f5b1c8a1SJohn Marino }
626f5b1c8a1SJohn Marino }
627f5b1c8a1SJohn Marino
628f5b1c8a1SJohn Marino if ((ctx = BN_CTX_new()) == NULL)
629f5b1c8a1SJohn Marino goto err;
630f5b1c8a1SJohn Marino
631f5b1c8a1SJohn Marino BN_CTX_start(ctx);
632f5b1c8a1SJohn Marino f = BN_CTX_get(ctx);
633f5b1c8a1SJohn Marino ret = BN_CTX_get(ctx);
634f5b1c8a1SJohn Marino num = BN_num_bytes(rsa->n);
635f5b1c8a1SJohn Marino buf = malloc(num);
636f5b1c8a1SJohn Marino
637f5b1c8a1SJohn Marino if (!f || !ret || !buf) {
63872c33676SMaxim Ag RSAerror(ERR_R_MALLOC_FAILURE);
639f5b1c8a1SJohn Marino goto err;
640f5b1c8a1SJohn Marino }
641f5b1c8a1SJohn Marino
642f5b1c8a1SJohn Marino /* This check was for equality but PGP does evil things
643f5b1c8a1SJohn Marino * and chops off the top '0' bytes */
644f5b1c8a1SJohn Marino if (flen > num) {
64572c33676SMaxim Ag RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN);
646f5b1c8a1SJohn Marino goto err;
647f5b1c8a1SJohn Marino }
648f5b1c8a1SJohn Marino
649f5b1c8a1SJohn Marino if (BN_bin2bn(from, flen, f) == NULL)
650f5b1c8a1SJohn Marino goto err;
651f5b1c8a1SJohn Marino
652f5b1c8a1SJohn Marino if (BN_ucmp(f, rsa->n) >= 0) {
65372c33676SMaxim Ag RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
654f5b1c8a1SJohn Marino goto err;
655f5b1c8a1SJohn Marino }
656f5b1c8a1SJohn Marino
657f5b1c8a1SJohn Marino if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
658f5b1c8a1SJohn Marino if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
659f5b1c8a1SJohn Marino CRYPTO_LOCK_RSA, rsa->n, ctx))
660f5b1c8a1SJohn Marino goto err;
661f5b1c8a1SJohn Marino
662f5b1c8a1SJohn Marino if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
663f5b1c8a1SJohn Marino rsa->_method_mod_n))
664f5b1c8a1SJohn Marino goto err;
665f5b1c8a1SJohn Marino
666f5b1c8a1SJohn Marino if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
667f5b1c8a1SJohn Marino if (!BN_sub(ret, rsa->n, ret))
668f5b1c8a1SJohn Marino goto err;
669f5b1c8a1SJohn Marino
670f5b1c8a1SJohn Marino p = buf;
671f5b1c8a1SJohn Marino i = BN_bn2bin(ret, p);
672f5b1c8a1SJohn Marino
673f5b1c8a1SJohn Marino switch (padding) {
674f5b1c8a1SJohn Marino case RSA_PKCS1_PADDING:
675f5b1c8a1SJohn Marino r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
676f5b1c8a1SJohn Marino break;
677f5b1c8a1SJohn Marino case RSA_X931_PADDING:
678f5b1c8a1SJohn Marino r = RSA_padding_check_X931(to, num, buf, i, num);
679f5b1c8a1SJohn Marino break;
680f5b1c8a1SJohn Marino case RSA_NO_PADDING:
681f5b1c8a1SJohn Marino r = RSA_padding_check_none(to, num, buf, i, num);
682f5b1c8a1SJohn Marino break;
683f5b1c8a1SJohn Marino default:
68472c33676SMaxim Ag RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
685f5b1c8a1SJohn Marino goto err;
686f5b1c8a1SJohn Marino }
687f5b1c8a1SJohn Marino if (r < 0)
68872c33676SMaxim Ag RSAerror(RSA_R_PADDING_CHECK_FAILED);
689f5b1c8a1SJohn Marino
690f5b1c8a1SJohn Marino err:
691f5b1c8a1SJohn Marino if (ctx != NULL) {
692f5b1c8a1SJohn Marino BN_CTX_end(ctx);
693f5b1c8a1SJohn Marino BN_CTX_free(ctx);
694f5b1c8a1SJohn Marino }
69572c33676SMaxim Ag freezero(buf, num);
696f5b1c8a1SJohn Marino return r;
697f5b1c8a1SJohn Marino }
698f5b1c8a1SJohn Marino
699f5b1c8a1SJohn Marino static int
RSA_eay_mod_exp(BIGNUM * r0,const BIGNUM * I,RSA * rsa,BN_CTX * ctx)700f5b1c8a1SJohn Marino RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
701f5b1c8a1SJohn Marino {
702f5b1c8a1SJohn Marino BIGNUM *r1, *m1, *vrfy;
703f5b1c8a1SJohn Marino BIGNUM dmp1, dmq1, c, pr1;
704f5b1c8a1SJohn Marino int ret = 0;
705f5b1c8a1SJohn Marino
706f5b1c8a1SJohn Marino BN_CTX_start(ctx);
707f5b1c8a1SJohn Marino r1 = BN_CTX_get(ctx);
708f5b1c8a1SJohn Marino m1 = BN_CTX_get(ctx);
709f5b1c8a1SJohn Marino vrfy = BN_CTX_get(ctx);
710f5b1c8a1SJohn Marino if (r1 == NULL || m1 == NULL || vrfy == NULL) {
71172c33676SMaxim Ag RSAerror(ERR_R_MALLOC_FAILURE);
712f5b1c8a1SJohn Marino goto err;
713f5b1c8a1SJohn Marino }
714f5b1c8a1SJohn Marino
715f5b1c8a1SJohn Marino {
716f5b1c8a1SJohn Marino BIGNUM p, q;
717f5b1c8a1SJohn Marino
718f5b1c8a1SJohn Marino /*
719f5b1c8a1SJohn Marino * Make sure BN_mod_inverse in Montgomery intialization uses the
720f5b1c8a1SJohn Marino * BN_FLG_CONSTTIME flag
721f5b1c8a1SJohn Marino */
722f5b1c8a1SJohn Marino BN_init(&p);
723f5b1c8a1SJohn Marino BN_init(&q);
724f5b1c8a1SJohn Marino BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
725f5b1c8a1SJohn Marino BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
726f5b1c8a1SJohn Marino
727f5b1c8a1SJohn Marino if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
728f5b1c8a1SJohn Marino if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
729f5b1c8a1SJohn Marino CRYPTO_LOCK_RSA, &p, ctx) ||
730f5b1c8a1SJohn Marino !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
731f5b1c8a1SJohn Marino CRYPTO_LOCK_RSA, &q, ctx)) {
732f5b1c8a1SJohn Marino goto err;
733f5b1c8a1SJohn Marino }
734f5b1c8a1SJohn Marino }
735f5b1c8a1SJohn Marino }
736f5b1c8a1SJohn Marino
737f5b1c8a1SJohn Marino if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
738f5b1c8a1SJohn Marino if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
739f5b1c8a1SJohn Marino CRYPTO_LOCK_RSA, rsa->n, ctx))
740f5b1c8a1SJohn Marino goto err;
741f5b1c8a1SJohn Marino
742f5b1c8a1SJohn Marino /* compute I mod q */
743f5b1c8a1SJohn Marino BN_init(&c);
744f5b1c8a1SJohn Marino BN_with_flags(&c, I, BN_FLG_CONSTTIME);
745f5b1c8a1SJohn Marino
74672c33676SMaxim Ag if (!BN_mod_ct(r1, &c, rsa->q, ctx))
747f5b1c8a1SJohn Marino goto err;
748f5b1c8a1SJohn Marino
749f5b1c8a1SJohn Marino /* compute r1^dmq1 mod q */
750f5b1c8a1SJohn Marino BN_init(&dmq1);
751f5b1c8a1SJohn Marino BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
752f5b1c8a1SJohn Marino
753f5b1c8a1SJohn Marino if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
754f5b1c8a1SJohn Marino rsa->_method_mod_q))
755f5b1c8a1SJohn Marino goto err;
756f5b1c8a1SJohn Marino
757f5b1c8a1SJohn Marino /* compute I mod p */
758*de0e0e4dSAntonio Huete Jimenez BN_init(&c);
759f5b1c8a1SJohn Marino BN_with_flags(&c, I, BN_FLG_CONSTTIME);
760f5b1c8a1SJohn Marino
76172c33676SMaxim Ag if (!BN_mod_ct(r1, &c, rsa->p, ctx))
762f5b1c8a1SJohn Marino goto err;
763f5b1c8a1SJohn Marino
764f5b1c8a1SJohn Marino /* compute r1^dmp1 mod p */
765f5b1c8a1SJohn Marino BN_init(&dmp1);
766f5b1c8a1SJohn Marino BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
767f5b1c8a1SJohn Marino
768f5b1c8a1SJohn Marino if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
769f5b1c8a1SJohn Marino rsa->_method_mod_p))
770f5b1c8a1SJohn Marino goto err;
771f5b1c8a1SJohn Marino
772f5b1c8a1SJohn Marino if (!BN_sub(r0, r0, m1))
773f5b1c8a1SJohn Marino goto err;
774f5b1c8a1SJohn Marino
775f5b1c8a1SJohn Marino /*
776f5b1c8a1SJohn Marino * This will help stop the size of r0 increasing, which does
777f5b1c8a1SJohn Marino * affect the multiply if it optimised for a power of 2 size
778f5b1c8a1SJohn Marino */
779f5b1c8a1SJohn Marino if (BN_is_negative(r0))
780f5b1c8a1SJohn Marino if (!BN_add(r0, r0, rsa->p))
781f5b1c8a1SJohn Marino goto err;
782f5b1c8a1SJohn Marino
783f5b1c8a1SJohn Marino if (!BN_mul(r1, r0, rsa->iqmp, ctx))
784f5b1c8a1SJohn Marino goto err;
785f5b1c8a1SJohn Marino
786f5b1c8a1SJohn Marino /* Turn BN_FLG_CONSTTIME flag on before division operation */
787f5b1c8a1SJohn Marino BN_init(&pr1);
788f5b1c8a1SJohn Marino BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
789f5b1c8a1SJohn Marino
79072c33676SMaxim Ag if (!BN_mod_ct(r0, &pr1, rsa->p, ctx))
791f5b1c8a1SJohn Marino goto err;
792f5b1c8a1SJohn Marino
793f5b1c8a1SJohn Marino /*
794f5b1c8a1SJohn Marino * If p < q it is occasionally possible for the correction of
795f5b1c8a1SJohn Marino * adding 'p' if r0 is negative above to leave the result still
796f5b1c8a1SJohn Marino * negative. This can break the private key operations: the following
797f5b1c8a1SJohn Marino * second correction should *always* correct this rare occurrence.
798f5b1c8a1SJohn Marino * This will *never* happen with OpenSSL generated keys because
799f5b1c8a1SJohn Marino * they ensure p > q [steve]
800f5b1c8a1SJohn Marino */
801f5b1c8a1SJohn Marino if (BN_is_negative(r0))
802f5b1c8a1SJohn Marino if (!BN_add(r0, r0, rsa->p))
803f5b1c8a1SJohn Marino goto err;
804f5b1c8a1SJohn Marino if (!BN_mul(r1, r0, rsa->q, ctx))
805f5b1c8a1SJohn Marino goto err;
806f5b1c8a1SJohn Marino if (!BN_add(r0, r1, m1))
807f5b1c8a1SJohn Marino goto err;
808f5b1c8a1SJohn Marino
809f5b1c8a1SJohn Marino if (rsa->e && rsa->n) {
810f5b1c8a1SJohn Marino if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
811f5b1c8a1SJohn Marino rsa->_method_mod_n))
812f5b1c8a1SJohn Marino goto err;
813f5b1c8a1SJohn Marino /*
814f5b1c8a1SJohn Marino * If 'I' was greater than (or equal to) rsa->n, the operation
815f5b1c8a1SJohn Marino * will be equivalent to using 'I mod n'. However, the result of
816f5b1c8a1SJohn Marino * the verify will *always* be less than 'n' so we don't check
817f5b1c8a1SJohn Marino * for absolute equality, just congruency.
818f5b1c8a1SJohn Marino */
819f5b1c8a1SJohn Marino if (!BN_sub(vrfy, vrfy, I))
820f5b1c8a1SJohn Marino goto err;
82172c33676SMaxim Ag if (!BN_mod_ct(vrfy, vrfy, rsa->n, ctx))
822f5b1c8a1SJohn Marino goto err;
823f5b1c8a1SJohn Marino if (BN_is_negative(vrfy))
824f5b1c8a1SJohn Marino if (!BN_add(vrfy, vrfy, rsa->n))
825f5b1c8a1SJohn Marino goto err;
826f5b1c8a1SJohn Marino if (!BN_is_zero(vrfy)) {
827f5b1c8a1SJohn Marino /*
828f5b1c8a1SJohn Marino * 'I' and 'vrfy' aren't congruent mod n. Don't leak
829f5b1c8a1SJohn Marino * miscalculated CRT output, just do a raw (slower)
830f5b1c8a1SJohn Marino * mod_exp and return that instead.
831f5b1c8a1SJohn Marino */
832f5b1c8a1SJohn Marino BIGNUM d;
833f5b1c8a1SJohn Marino
834f5b1c8a1SJohn Marino BN_init(&d);
835f5b1c8a1SJohn Marino BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
836f5b1c8a1SJohn Marino
837f5b1c8a1SJohn Marino if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
838f5b1c8a1SJohn Marino rsa->_method_mod_n)) {
839f5b1c8a1SJohn Marino goto err;
840f5b1c8a1SJohn Marino }
841f5b1c8a1SJohn Marino }
842f5b1c8a1SJohn Marino }
843f5b1c8a1SJohn Marino ret = 1;
844f5b1c8a1SJohn Marino err:
845f5b1c8a1SJohn Marino BN_CTX_end(ctx);
846f5b1c8a1SJohn Marino return ret;
847f5b1c8a1SJohn Marino }
848f5b1c8a1SJohn Marino
849f5b1c8a1SJohn Marino static int
RSA_eay_init(RSA * rsa)850f5b1c8a1SJohn Marino RSA_eay_init(RSA *rsa)
851f5b1c8a1SJohn Marino {
852f5b1c8a1SJohn Marino rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
853f5b1c8a1SJohn Marino return 1;
854f5b1c8a1SJohn Marino }
855f5b1c8a1SJohn Marino
856f5b1c8a1SJohn Marino static int
RSA_eay_finish(RSA * rsa)857f5b1c8a1SJohn Marino RSA_eay_finish(RSA *rsa)
858f5b1c8a1SJohn Marino {
859f5b1c8a1SJohn Marino BN_MONT_CTX_free(rsa->_method_mod_n);
860f5b1c8a1SJohn Marino BN_MONT_CTX_free(rsa->_method_mod_p);
861f5b1c8a1SJohn Marino BN_MONT_CTX_free(rsa->_method_mod_q);
862f5b1c8a1SJohn Marino
863f5b1c8a1SJohn Marino return 1;
864f5b1c8a1SJohn Marino }
865