1 /* crypto/rsa/rsa_eay.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include "cryptlib.h" 114 #include <openssl/bn.h> 115 #include <openssl/rsa.h> 116 #include <openssl/rand.h> 117 118 #ifndef RSA_NULL 119 120 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 121 unsigned char *to, RSA *rsa,int padding); 122 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 123 unsigned char *to, RSA *rsa,int padding); 124 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 125 unsigned char *to, RSA *rsa,int padding); 126 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 127 unsigned char *to, RSA *rsa,int padding); 128 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 129 static int RSA_eay_init(RSA *rsa); 130 static int RSA_eay_finish(RSA *rsa); 131 static RSA_METHOD rsa_pkcs1_eay_meth={ 132 "Eric Young's PKCS#1 RSA", 133 RSA_eay_public_encrypt, 134 RSA_eay_public_decrypt, /* signature verification */ 135 RSA_eay_private_encrypt, /* signing */ 136 RSA_eay_private_decrypt, 137 RSA_eay_mod_exp, 138 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ 139 RSA_eay_init, 140 RSA_eay_finish, 141 0, /* flags */ 142 NULL, 143 0, /* rsa_sign */ 144 0, /* rsa_verify */ 145 NULL /* rsa_keygen */ 146 }; 147 148 const RSA_METHOD *RSA_PKCS1_SSLeay(void) 149 { 150 return(&rsa_pkcs1_eay_meth); 151 } 152 153 /* Usage example; 154 * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 155 */ 156 #define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \ 157 if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ 158 !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \ 159 CRYPTO_LOCK_RSA, \ 160 (rsa)->m, (ctx))) \ 161 err_instr 162 163 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 164 unsigned char *to, RSA *rsa, int padding) 165 { 166 BIGNUM *f,*ret; 167 int i,j,k,num=0,r= -1; 168 unsigned char *buf=NULL; 169 BN_CTX *ctx=NULL; 170 171 if ((ctx=BN_CTX_new()) == NULL) goto err; 172 BN_CTX_start(ctx); 173 f = BN_CTX_get(ctx); 174 ret = BN_CTX_get(ctx); 175 num=BN_num_bytes(rsa->n); 176 buf = OPENSSL_malloc(num); 177 if (!f || !ret || !buf) 178 { 179 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 180 goto err; 181 } 182 183 switch (padding) 184 { 185 case RSA_PKCS1_PADDING: 186 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 187 break; 188 #ifndef OPENSSL_NO_SHA 189 case RSA_PKCS1_OAEP_PADDING: 190 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 191 break; 192 #endif 193 case RSA_SSLV23_PADDING: 194 i=RSA_padding_add_SSLv23(buf,num,from,flen); 195 break; 196 case RSA_NO_PADDING: 197 i=RSA_padding_add_none(buf,num,from,flen); 198 break; 199 default: 200 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 201 goto err; 202 } 203 if (i <= 0) goto err; 204 205 if (BN_bin2bn(buf,num,f) == NULL) goto err; 206 207 if (BN_ucmp(f, rsa->n) >= 0) 208 { 209 /* usually the padding functions would catch this */ 210 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 211 goto err; 212 } 213 214 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 215 216 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 217 rsa->_method_mod_n)) goto err; 218 219 /* put in leading 0 bytes if the number is less than the 220 * length of the modulus */ 221 j=BN_num_bytes(ret); 222 i=BN_bn2bin(ret,&(to[num-j])); 223 for (k=0; k<(num-i); k++) 224 to[k]=0; 225 226 r=num; 227 err: 228 if (ctx != NULL) 229 { 230 BN_CTX_end(ctx); 231 BN_CTX_free(ctx); 232 } 233 if (buf != NULL) 234 { 235 OPENSSL_cleanse(buf,num); 236 OPENSSL_free(buf); 237 } 238 return(r); 239 } 240 241 static BN_BLINDING *rsa_get_blinding(RSA *rsa, BIGNUM **r, int *local, BN_CTX *ctx) 242 { 243 BN_BLINDING *ret; 244 245 if (rsa->blinding == NULL) 246 { 247 if (rsa->blinding == NULL) 248 { 249 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 250 if (rsa->blinding == NULL) 251 rsa->blinding = RSA_setup_blinding(rsa, ctx); 252 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 253 } 254 } 255 256 ret = rsa->blinding; 257 if (ret == NULL) 258 return NULL; 259 260 if (BN_BLINDING_get_thread_id(ret) != CRYPTO_thread_id()) 261 { 262 *local = 0; 263 if (rsa->mt_blinding == NULL) 264 { 265 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 266 if (rsa->mt_blinding == NULL) 267 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 268 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 269 } 270 ret = rsa->mt_blinding; 271 } 272 else 273 *local = 1; 274 275 return ret; 276 } 277 278 static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, 279 BIGNUM *r, BN_CTX *ctx) 280 { 281 if (local) 282 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 283 else 284 { 285 int ret; 286 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); 287 ret = BN_BLINDING_convert_ex(f, r, b, ctx); 288 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING); 289 return ret; 290 } 291 } 292 293 static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f, 294 BIGNUM *r, BN_CTX *ctx) 295 { 296 if (local) 297 return BN_BLINDING_invert_ex(f, NULL, b, ctx); 298 else 299 { 300 int ret; 301 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 302 ret = BN_BLINDING_invert_ex(f, r, b, ctx); 303 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 304 return ret; 305 } 306 } 307 308 /* signing */ 309 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 310 unsigned char *to, RSA *rsa, int padding) 311 { 312 BIGNUM *f, *ret, *br, *res; 313 int i,j,k,num=0,r= -1; 314 unsigned char *buf=NULL; 315 BN_CTX *ctx=NULL; 316 int local_blinding = 0; 317 BN_BLINDING *blinding = NULL; 318 319 if ((ctx=BN_CTX_new()) == NULL) goto err; 320 BN_CTX_start(ctx); 321 f = BN_CTX_get(ctx); 322 br = BN_CTX_get(ctx); 323 ret = BN_CTX_get(ctx); 324 num = BN_num_bytes(rsa->n); 325 buf = OPENSSL_malloc(num); 326 if(!f || !ret || !buf) 327 { 328 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 329 goto err; 330 } 331 332 switch (padding) 333 { 334 case RSA_PKCS1_PADDING: 335 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 336 break; 337 case RSA_X931_PADDING: 338 i=RSA_padding_add_X931(buf,num,from,flen); 339 break; 340 case RSA_NO_PADDING: 341 i=RSA_padding_add_none(buf,num,from,flen); 342 break; 343 case RSA_SSLV23_PADDING: 344 default: 345 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 346 goto err; 347 } 348 if (i <= 0) goto err; 349 350 if (BN_bin2bn(buf,num,f) == NULL) goto err; 351 352 if (BN_ucmp(f, rsa->n) >= 0) 353 { 354 /* usually the padding functions would catch this */ 355 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 356 goto err; 357 } 358 359 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 360 { 361 blinding = rsa_get_blinding(rsa, &br, &local_blinding, ctx); 362 if (blinding == NULL) 363 { 364 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 365 goto err; 366 } 367 } 368 369 if (blinding != NULL) 370 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 371 goto err; 372 373 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 374 ((rsa->p != NULL) && 375 (rsa->q != NULL) && 376 (rsa->dmp1 != NULL) && 377 (rsa->dmq1 != NULL) && 378 (rsa->iqmp != NULL)) ) 379 { 380 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; 381 } 382 else 383 { 384 BIGNUM local_d; 385 BIGNUM *d = NULL; 386 387 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 388 { 389 BN_init(&local_d); 390 d = &local_d; 391 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 392 } 393 else 394 d = rsa->d; 395 396 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 397 398 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 399 rsa->_method_mod_n)) goto err; 400 } 401 402 if (blinding) 403 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 404 goto err; 405 406 if (padding == RSA_X931_PADDING) 407 { 408 BN_sub(f, rsa->n, ret); 409 if (BN_cmp(ret, f)) 410 res = f; 411 else 412 res = ret; 413 } 414 else 415 res = ret; 416 417 /* put in leading 0 bytes if the number is less than the 418 * length of the modulus */ 419 j=BN_num_bytes(res); 420 i=BN_bn2bin(res,&(to[num-j])); 421 for (k=0; k<(num-i); k++) 422 to[k]=0; 423 424 r=num; 425 err: 426 if (ctx != NULL) 427 { 428 BN_CTX_end(ctx); 429 BN_CTX_free(ctx); 430 } 431 if (buf != NULL) 432 { 433 OPENSSL_cleanse(buf,num); 434 OPENSSL_free(buf); 435 } 436 return(r); 437 } 438 439 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 440 unsigned char *to, RSA *rsa, int padding) 441 { 442 BIGNUM *f, *ret, *br; 443 int j,num=0,r= -1; 444 unsigned char *p; 445 unsigned char *buf=NULL; 446 BN_CTX *ctx=NULL; 447 int local_blinding = 0; 448 BN_BLINDING *blinding = NULL; 449 450 if((ctx = BN_CTX_new()) == NULL) goto err; 451 BN_CTX_start(ctx); 452 f = BN_CTX_get(ctx); 453 br = BN_CTX_get(ctx); 454 ret = BN_CTX_get(ctx); 455 num = BN_num_bytes(rsa->n); 456 buf = OPENSSL_malloc(num); 457 if(!f || !ret || !buf) 458 { 459 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 460 goto err; 461 } 462 463 /* This check was for equality but PGP does evil things 464 * and chops off the top '0' bytes */ 465 if (flen > num) 466 { 467 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 468 goto err; 469 } 470 471 /* make data into a big number */ 472 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; 473 474 if (BN_ucmp(f, rsa->n) >= 0) 475 { 476 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 477 goto err; 478 } 479 480 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 481 { 482 blinding = rsa_get_blinding(rsa, &br, &local_blinding, ctx); 483 if (blinding == NULL) 484 { 485 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 486 goto err; 487 } 488 } 489 490 if (blinding != NULL) 491 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 492 goto err; 493 494 /* do the decrypt */ 495 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 496 ((rsa->p != NULL) && 497 (rsa->q != NULL) && 498 (rsa->dmp1 != NULL) && 499 (rsa->dmq1 != NULL) && 500 (rsa->iqmp != NULL)) ) 501 { 502 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; 503 } 504 else 505 { 506 BIGNUM local_d; 507 BIGNUM *d = NULL; 508 509 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 510 { 511 d = &local_d; 512 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 513 } 514 else 515 d = rsa->d; 516 517 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 518 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 519 rsa->_method_mod_n)) 520 goto err; 521 } 522 523 if (blinding) 524 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 525 goto err; 526 527 p=buf; 528 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ 529 530 switch (padding) 531 { 532 case RSA_PKCS1_PADDING: 533 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 534 break; 535 #ifndef OPENSSL_NO_SHA 536 case RSA_PKCS1_OAEP_PADDING: 537 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 538 break; 539 #endif 540 case RSA_SSLV23_PADDING: 541 r=RSA_padding_check_SSLv23(to,num,buf,j,num); 542 break; 543 case RSA_NO_PADDING: 544 r=RSA_padding_check_none(to,num,buf,j,num); 545 break; 546 default: 547 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 548 goto err; 549 } 550 if (r < 0) 551 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 552 553 err: 554 if (ctx != NULL) 555 { 556 BN_CTX_end(ctx); 557 BN_CTX_free(ctx); 558 } 559 if (buf != NULL) 560 { 561 OPENSSL_cleanse(buf,num); 562 OPENSSL_free(buf); 563 } 564 return(r); 565 } 566 567 /* signature verification */ 568 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 569 unsigned char *to, RSA *rsa, int padding) 570 { 571 BIGNUM *f,*ret; 572 int i,num=0,r= -1; 573 unsigned char *p; 574 unsigned char *buf=NULL; 575 BN_CTX *ctx=NULL; 576 577 if((ctx = BN_CTX_new()) == NULL) goto err; 578 BN_CTX_start(ctx); 579 f = BN_CTX_get(ctx); 580 ret = BN_CTX_get(ctx); 581 num=BN_num_bytes(rsa->n); 582 buf = OPENSSL_malloc(num); 583 if(!f || !ret || !buf) 584 { 585 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 586 goto err; 587 } 588 589 /* This check was for equality but PGP does evil things 590 * and chops off the top '0' bytes */ 591 if (flen > num) 592 { 593 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 594 goto err; 595 } 596 597 if (BN_bin2bn(from,flen,f) == NULL) goto err; 598 599 if (BN_ucmp(f, rsa->n) >= 0) 600 { 601 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 602 goto err; 603 } 604 605 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 606 607 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 608 rsa->_method_mod_n)) goto err; 609 610 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 611 BN_sub(ret, rsa->n, ret); 612 613 p=buf; 614 i=BN_bn2bin(ret,p); 615 616 switch (padding) 617 { 618 case RSA_PKCS1_PADDING: 619 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 620 /* Generally signatures should be at least 2/3 padding, though 621 this isn't possible for really short keys and some standard 622 signature schemes, so don't check if the unpadded data is 623 small. */ 624 if(r > 42 && 3*8*r >= BN_num_bits(rsa->n)) 625 { 626 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT); 627 goto err; 628 } 629 break; 630 case RSA_X931_PADDING: 631 r=RSA_padding_check_X931(to,num,buf,i,num); 632 break; 633 case RSA_NO_PADDING: 634 r=RSA_padding_check_none(to,num,buf,i,num); 635 break; 636 default: 637 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 638 goto err; 639 } 640 if (r < 0) 641 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 642 643 err: 644 if (ctx != NULL) 645 { 646 BN_CTX_end(ctx); 647 BN_CTX_free(ctx); 648 } 649 if (buf != NULL) 650 { 651 OPENSSL_cleanse(buf,num); 652 OPENSSL_free(buf); 653 } 654 return(r); 655 } 656 657 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 658 { 659 BIGNUM *r1,*m1,*vrfy; 660 BIGNUM local_dmp1, local_dmq1; 661 BIGNUM *dmp1, *dmq1; 662 int ret=0; 663 664 BN_CTX_start(ctx); 665 r1 = BN_CTX_get(ctx); 666 m1 = BN_CTX_get(ctx); 667 vrfy = BN_CTX_get(ctx); 668 669 MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 670 MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 671 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 672 673 if (!BN_mod(r1,I,rsa->q,ctx)) goto err; 674 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 675 { 676 dmq1 = &local_dmq1; 677 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); 678 } 679 else 680 dmq1 = rsa->dmq1; 681 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, 682 rsa->_method_mod_q)) goto err; 683 684 if (!BN_mod(r1,I,rsa->p,ctx)) goto err; 685 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 686 { 687 dmp1 = &local_dmp1; 688 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME); 689 } 690 else 691 dmp1 = rsa->dmp1; 692 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, 693 rsa->_method_mod_p)) goto err; 694 695 if (!BN_sub(r0,r0,m1)) goto err; 696 /* This will help stop the size of r0 increasing, which does 697 * affect the multiply if it optimised for a power of 2 size */ 698 if (BN_is_negative(r0)) 699 if (!BN_add(r0,r0,rsa->p)) goto err; 700 701 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; 702 if (!BN_mod(r0,r1,rsa->p,ctx)) goto err; 703 /* If p < q it is occasionally possible for the correction of 704 * adding 'p' if r0 is negative above to leave the result still 705 * negative. This can break the private key operations: the following 706 * second correction should *always* correct this rare occurrence. 707 * This will *never* happen with OpenSSL generated keys because 708 * they ensure p > q [steve] 709 */ 710 if (BN_is_negative(r0)) 711 if (!BN_add(r0,r0,rsa->p)) goto err; 712 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 713 if (!BN_add(r0,r1,m1)) goto err; 714 715 if (rsa->e && rsa->n) 716 { 717 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; 718 /* If 'I' was greater than (or equal to) rsa->n, the operation 719 * will be equivalent to using 'I mod n'. However, the result of 720 * the verify will *always* be less than 'n' so we don't check 721 * for absolute equality, just congruency. */ 722 if (!BN_sub(vrfy, vrfy, I)) goto err; 723 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; 724 if (BN_is_negative(vrfy)) 725 if (!BN_add(vrfy, vrfy, rsa->n)) goto err; 726 if (!BN_is_zero(vrfy)) 727 { 728 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 729 * miscalculated CRT output, just do a raw (slower) 730 * mod_exp and return that instead. */ 731 732 BIGNUM local_d; 733 BIGNUM *d = NULL; 734 735 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 736 { 737 d = &local_d; 738 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 739 } 740 else 741 d = rsa->d; 742 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, 743 rsa->_method_mod_n)) goto err; 744 } 745 } 746 ret=1; 747 err: 748 BN_CTX_end(ctx); 749 return(ret); 750 } 751 752 static int RSA_eay_init(RSA *rsa) 753 { 754 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 755 return(1); 756 } 757 758 static int RSA_eay_finish(RSA *rsa) 759 { 760 if (rsa->_method_mod_n != NULL) 761 BN_MONT_CTX_free(rsa->_method_mod_n); 762 if (rsa->_method_mod_p != NULL) 763 BN_MONT_CTX_free(rsa->_method_mod_p); 764 if (rsa->_method_mod_q != NULL) 765 BN_MONT_CTX_free(rsa->_method_mod_q); 766 return(1); 767 } 768 769 #endif 770