1 /* $OpenBSD: rsa_eay.c,v 1.30 2014/07/09 08:44:53 miod Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include "cryptlib.h" 114 #include <openssl/bn.h> 115 #include <openssl/rsa.h> 116 #include <openssl/rand.h> 117 118 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 119 unsigned char *to, RSA *rsa,int padding); 120 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 121 unsigned char *to, RSA *rsa,int padding); 122 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 123 unsigned char *to, RSA *rsa,int padding); 124 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 125 unsigned char *to, RSA *rsa,int padding); 126 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 127 static int RSA_eay_init(RSA *rsa); 128 static int RSA_eay_finish(RSA *rsa); 129 static RSA_METHOD rsa_pkcs1_eay_meth = { 130 .name = "Eric Young's PKCS#1 RSA", 131 .rsa_pub_enc = RSA_eay_public_encrypt, 132 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */ 133 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */ 134 .rsa_priv_dec = RSA_eay_private_decrypt, 135 .rsa_mod_exp = RSA_eay_mod_exp, 136 .bn_mod_exp = BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ 137 .init = RSA_eay_init, 138 .finish = RSA_eay_finish, 139 }; 140 141 const RSA_METHOD * 142 RSA_PKCS1_SSLeay(void) 143 { 144 return &rsa_pkcs1_eay_meth; 145 } 146 147 static int 148 RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 149 RSA *rsa, int padding) 150 { 151 BIGNUM *f, *ret; 152 int i, j, k, num = 0, r = -1; 153 unsigned char *buf = NULL; 154 BN_CTX *ctx = NULL; 155 156 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 157 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 158 return -1; 159 } 160 161 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 162 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 163 return -1; 164 } 165 166 /* for large moduli, enforce exponent limit */ 167 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 168 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 169 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 170 return -1; 171 } 172 } 173 174 if ((ctx=BN_CTX_new()) == NULL) 175 goto err; 176 BN_CTX_start(ctx); 177 f = BN_CTX_get(ctx); 178 ret = BN_CTX_get(ctx); 179 num = BN_num_bytes(rsa->n); 180 buf = malloc(num); 181 if (!f || !ret || !buf) { 182 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 183 goto err; 184 } 185 186 switch (padding) { 187 case RSA_PKCS1_PADDING: 188 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 189 break; 190 #ifndef OPENSSL_NO_SHA 191 case RSA_PKCS1_OAEP_PADDING: 192 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 193 break; 194 #endif 195 case RSA_SSLV23_PADDING: 196 i = RSA_padding_add_SSLv23(buf, num, from, flen); 197 break; 198 case RSA_NO_PADDING: 199 i = RSA_padding_add_none(buf, num, from, flen); 200 break; 201 default: 202 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 203 RSA_R_UNKNOWN_PADDING_TYPE); 204 goto err; 205 } 206 if (i <= 0) 207 goto err; 208 209 if (BN_bin2bn(buf, num, f) == NULL) 210 goto err; 211 212 if (BN_ucmp(f, rsa->n) >= 0) { 213 /* usually the padding functions would catch this */ 214 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 215 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 216 goto err; 217 } 218 219 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 220 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 221 CRYPTO_LOCK_RSA, rsa->n, ctx)) 222 goto err; 223 224 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) 225 goto err; 226 227 /* put in leading 0 bytes if the number is less than the 228 * length of the modulus */ 229 j = BN_num_bytes(ret); 230 i = BN_bn2bin(ret, &(to[num - j])); 231 for (k = 0; k < num - i; k++) 232 to[k] = 0; 233 234 r = num; 235 err: 236 if (ctx != NULL) { 237 BN_CTX_end(ctx); 238 BN_CTX_free(ctx); 239 } 240 if (buf != NULL) { 241 OPENSSL_cleanse(buf, num); 242 free(buf); 243 } 244 return r; 245 } 246 247 static BN_BLINDING * 248 rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 249 { 250 BN_BLINDING *ret; 251 int got_write_lock = 0; 252 CRYPTO_THREADID cur; 253 254 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 255 256 if (rsa->blinding == NULL) { 257 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 258 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 259 got_write_lock = 1; 260 261 if (rsa->blinding == NULL) 262 rsa->blinding = RSA_setup_blinding(rsa, ctx); 263 } 264 265 ret = rsa->blinding; 266 if (ret == NULL) 267 goto err; 268 269 CRYPTO_THREADID_current(&cur); 270 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 271 /* rsa->blinding is ours! */ 272 *local = 1; 273 } else { 274 /* resort to rsa->mt_blinding instead */ 275 /* 276 * Instruct rsa_blinding_convert(), rsa_blinding_invert() 277 * that the BN_BLINDING is shared, meaning that accesses 278 * require locks, and that the blinding factor must be 279 * stored outside the BN_BLINDING 280 */ 281 *local = 0; 282 283 if (rsa->mt_blinding == NULL) { 284 if (!got_write_lock) { 285 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 286 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 287 got_write_lock = 1; 288 } 289 290 if (rsa->mt_blinding == NULL) 291 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 292 } 293 ret = rsa->mt_blinding; 294 } 295 296 err: 297 if (got_write_lock) 298 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 299 else 300 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 301 return ret; 302 } 303 304 static int 305 rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 306 { 307 if (unblind == NULL) 308 /* 309 * Local blinding: store the unblinding factor 310 * in BN_BLINDING. 311 */ 312 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 313 else { 314 /* 315 * Shared blinding: store the unblinding factor 316 * outside BN_BLINDING. 317 */ 318 int ret; 319 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 320 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 321 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 322 return ret; 323 } 324 } 325 326 static int 327 rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 328 { 329 /* 330 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 331 * will use the unblinding factor stored in BN_BLINDING. 332 * If BN_BLINDING is shared between threads, unblind must be non-null: 333 * BN_BLINDING_invert_ex will then use the local unblinding factor, 334 * and will only read the modulus from BN_BLINDING. 335 * In both cases it's safe to access the blinding without a lock. 336 */ 337 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 338 } 339 340 /* signing */ 341 static int 342 RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 343 RSA *rsa, int padding) 344 { 345 BIGNUM *f, *ret, *res; 346 int i, j, k, num = 0, r = -1; 347 unsigned char *buf = NULL; 348 BN_CTX *ctx = NULL; 349 int local_blinding = 0; 350 /* 351 * Used only if the blinding structure is shared. A non-NULL unblind 352 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 353 * the unblinding factor outside the blinding structure. 354 */ 355 BIGNUM *unblind = NULL; 356 BN_BLINDING *blinding = NULL; 357 358 if ((ctx=BN_CTX_new()) == NULL) 359 goto err; 360 BN_CTX_start(ctx); 361 f = BN_CTX_get(ctx); 362 ret = BN_CTX_get(ctx); 363 num = BN_num_bytes(rsa->n); 364 buf = malloc(num); 365 if (!f || !ret || !buf) { 366 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 367 goto err; 368 } 369 370 switch (padding) { 371 case RSA_PKCS1_PADDING: 372 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 373 break; 374 case RSA_X931_PADDING: 375 i = RSA_padding_add_X931(buf, num, from, flen); 376 break; 377 case RSA_NO_PADDING: 378 i = RSA_padding_add_none(buf, num, from, flen); 379 break; 380 case RSA_SSLV23_PADDING: 381 default: 382 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 383 RSA_R_UNKNOWN_PADDING_TYPE); 384 goto err; 385 } 386 if (i <= 0) 387 goto err; 388 389 if (BN_bin2bn(buf,num,f) == NULL) 390 goto err; 391 392 if (BN_ucmp(f, rsa->n) >= 0) { 393 /* usually the padding functions would catch this */ 394 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 395 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 396 goto err; 397 } 398 399 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 400 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 401 if (blinding == NULL) { 402 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 403 ERR_R_INTERNAL_ERROR); 404 goto err; 405 } 406 } 407 408 if (blinding != NULL) { 409 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 410 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 411 ERR_R_MALLOC_FAILURE); 412 goto err; 413 } 414 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 415 goto err; 416 } 417 418 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 419 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 420 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 421 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 422 goto err; 423 } else { 424 BIGNUM local_d; 425 BIGNUM *d = NULL; 426 427 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 428 BN_init(&local_d); 429 d = &local_d; 430 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 431 } else 432 d = rsa->d; 433 434 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 435 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 436 CRYPTO_LOCK_RSA, rsa->n, ctx)) 437 goto err; 438 439 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n,ctx, 440 rsa->_method_mod_n)) 441 goto err; 442 } 443 444 if (blinding) 445 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 446 goto err; 447 448 if (padding == RSA_X931_PADDING) { 449 BN_sub(f, rsa->n, ret); 450 if (BN_cmp(ret, f)) 451 res = f; 452 else 453 res = ret; 454 } else 455 res = ret; 456 457 /* put in leading 0 bytes if the number is less than the 458 * length of the modulus */ 459 j = BN_num_bytes(res); 460 i = BN_bn2bin(res, &(to[num - j])); 461 for (k = 0; k < num - i; k++) 462 to[k] = 0; 463 464 r = num; 465 err: 466 if (ctx != NULL) { 467 BN_CTX_end(ctx); 468 BN_CTX_free(ctx); 469 } 470 if (buf != NULL) { 471 OPENSSL_cleanse(buf, num); 472 free(buf); 473 } 474 return r; 475 } 476 477 static int 478 RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 479 RSA *rsa, int padding) 480 { 481 BIGNUM *f, *ret; 482 int j, num = 0, r = -1; 483 unsigned char *p; 484 unsigned char *buf = NULL; 485 BN_CTX *ctx = NULL; 486 int local_blinding = 0; 487 /* 488 * Used only if the blinding structure is shared. A non-NULL unblind 489 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 490 * the unblinding factor outside the blinding structure. 491 */ 492 BIGNUM *unblind = NULL; 493 BN_BLINDING *blinding = NULL; 494 495 if ((ctx = BN_CTX_new()) == NULL) 496 goto err; 497 BN_CTX_start(ctx); 498 f = BN_CTX_get(ctx); 499 ret = BN_CTX_get(ctx); 500 num = BN_num_bytes(rsa->n); 501 buf = malloc(num); 502 if (!f || !ret || !buf) { 503 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 504 goto err; 505 } 506 507 /* This check was for equality but PGP does evil things 508 * and chops off the top '0' bytes */ 509 if (flen > num) { 510 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 511 RSA_R_DATA_GREATER_THAN_MOD_LEN); 512 goto err; 513 } 514 515 /* make data into a big number */ 516 if (BN_bin2bn(from, (int)flen, f) == NULL) 517 goto err; 518 519 if (BN_ucmp(f, rsa->n) >= 0) { 520 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 521 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 522 goto err; 523 } 524 525 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 526 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 527 if (blinding == NULL) { 528 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 529 ERR_R_INTERNAL_ERROR); 530 goto err; 531 } 532 } 533 534 if (blinding != NULL) { 535 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 536 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 537 ERR_R_MALLOC_FAILURE); 538 goto err; 539 } 540 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 541 goto err; 542 } 543 544 /* do the decrypt */ 545 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 546 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 547 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 548 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 549 goto err; 550 } else { 551 BIGNUM local_d; 552 BIGNUM *d = NULL; 553 554 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 555 d = &local_d; 556 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 557 } else 558 d = rsa->d; 559 560 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 561 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 562 CRYPTO_LOCK_RSA, rsa->n, ctx)) 563 goto err; 564 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 565 rsa->_method_mod_n)) 566 goto err; 567 } 568 569 if (blinding) 570 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 571 goto err; 572 573 p = buf; 574 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 575 576 switch (padding) { 577 case RSA_PKCS1_PADDING: 578 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 579 break; 580 #ifndef OPENSSL_NO_SHA 581 case RSA_PKCS1_OAEP_PADDING: 582 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 583 break; 584 #endif 585 case RSA_SSLV23_PADDING: 586 r = RSA_padding_check_SSLv23(to, num, buf, j, num); 587 break; 588 case RSA_NO_PADDING: 589 r = RSA_padding_check_none(to, num, buf, j, num); 590 break; 591 default: 592 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 593 RSA_R_UNKNOWN_PADDING_TYPE); 594 goto err; 595 } 596 if (r < 0) 597 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 598 RSA_R_PADDING_CHECK_FAILED); 599 600 err: 601 if (ctx != NULL) { 602 BN_CTX_end(ctx); 603 BN_CTX_free(ctx); 604 } 605 if (buf != NULL) { 606 OPENSSL_cleanse(buf,num); 607 free(buf); 608 } 609 return r; 610 } 611 612 /* signature verification */ 613 static int 614 RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 615 RSA *rsa, int padding) 616 { 617 BIGNUM *f, *ret; 618 int i, num = 0,r = -1; 619 unsigned char *p; 620 unsigned char *buf = NULL; 621 BN_CTX *ctx = NULL; 622 623 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 624 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 625 return -1; 626 } 627 628 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 629 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 630 return -1; 631 } 632 633 /* for large moduli, enforce exponent limit */ 634 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 635 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 636 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 637 return -1; 638 } 639 } 640 641 if ((ctx = BN_CTX_new()) == NULL) 642 goto err; 643 BN_CTX_start(ctx); 644 f = BN_CTX_get(ctx); 645 ret = BN_CTX_get(ctx); 646 num = BN_num_bytes(rsa->n); 647 buf = malloc(num); 648 if (!f || !ret || !buf) { 649 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 650 goto err; 651 } 652 653 /* This check was for equality but PGP does evil things 654 * and chops off the top '0' bytes */ 655 if (flen > num) { 656 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 657 RSA_R_DATA_GREATER_THAN_MOD_LEN); 658 goto err; 659 } 660 661 if (BN_bin2bn(from,flen,f) == NULL) 662 goto err; 663 664 if (BN_ucmp(f, rsa->n) >= 0) { 665 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 666 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 667 goto err; 668 } 669 670 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 671 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 672 CRYPTO_LOCK_RSA, rsa->n, ctx)) 673 goto err; 674 675 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 676 rsa->_method_mod_n)) 677 goto err; 678 679 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12) 680 if (!BN_sub(ret, rsa->n, ret)) 681 goto err; 682 683 p = buf; 684 i = BN_bn2bin(ret, p); 685 686 switch (padding) { 687 case RSA_PKCS1_PADDING: 688 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 689 break; 690 case RSA_X931_PADDING: 691 r = RSA_padding_check_X931(to, num, buf, i, num); 692 break; 693 case RSA_NO_PADDING: 694 r = RSA_padding_check_none(to, num, buf, i, num); 695 break; 696 default: 697 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 698 RSA_R_UNKNOWN_PADDING_TYPE); 699 goto err; 700 } 701 if (r < 0) 702 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 703 RSA_R_PADDING_CHECK_FAILED); 704 705 err: 706 if (ctx != NULL) { 707 BN_CTX_end(ctx); 708 BN_CTX_free(ctx); 709 } 710 if (buf != NULL) { 711 OPENSSL_cleanse(buf, num); 712 free(buf); 713 } 714 return r; 715 } 716 717 static int 718 RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 719 { 720 BIGNUM *r1, *m1, *vrfy; 721 BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 722 BIGNUM *dmp1, *dmq1, *c, *pr1; 723 int ret = 0; 724 725 BN_CTX_start(ctx); 726 r1 = BN_CTX_get(ctx); 727 m1 = BN_CTX_get(ctx); 728 vrfy = BN_CTX_get(ctx); 729 730 { 731 BIGNUM local_p, local_q; 732 BIGNUM *p = NULL, *q = NULL; 733 734 /* 735 * Make sure BN_mod_inverse in Montgomery intialization uses the 736 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 737 */ 738 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 739 BN_init(&local_p); 740 p = &local_p; 741 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 742 743 BN_init(&local_q); 744 q = &local_q; 745 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 746 } else { 747 p = rsa->p; 748 q = rsa->q; 749 } 750 751 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 752 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 753 CRYPTO_LOCK_RSA, p, ctx)) 754 goto err; 755 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 756 CRYPTO_LOCK_RSA, q, ctx)) 757 goto err; 758 } 759 } 760 761 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 762 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 763 CRYPTO_LOCK_RSA, rsa->n, ctx)) 764 goto err; 765 766 /* compute I mod q */ 767 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 768 c = &local_c; 769 BN_with_flags(c, I, BN_FLG_CONSTTIME); 770 if (!BN_mod(r1, c, rsa->q, ctx)) 771 goto err; 772 } else { 773 if (!BN_mod(r1, I, rsa->q, ctx)) 774 goto err; 775 } 776 777 /* compute r1^dmq1 mod q */ 778 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 779 dmq1 = &local_dmq1; 780 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 781 } else 782 dmq1 = rsa->dmq1; 783 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, 784 rsa->_method_mod_q)) 785 goto err; 786 787 /* compute I mod p */ 788 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 789 c = &local_c; 790 BN_with_flags(c, I, BN_FLG_CONSTTIME); 791 if (!BN_mod(r1, c, rsa->p, ctx)) 792 goto err; 793 } else { 794 if (!BN_mod(r1, I, rsa->p, ctx)) 795 goto err; 796 } 797 798 /* compute r1^dmp1 mod p */ 799 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 800 dmp1 = &local_dmp1; 801 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 802 } else 803 dmp1 = rsa->dmp1; 804 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p,ctx, 805 rsa->_method_mod_p)) 806 goto err; 807 808 if (!BN_sub(r0, r0, m1)) 809 goto err; 810 /* 811 * This will help stop the size of r0 increasing, which does 812 * affect the multiply if it optimised for a power of 2 size 813 */ 814 if (BN_is_negative(r0)) 815 if (!BN_add(r0, r0, rsa->p)) 816 goto err; 817 818 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 819 goto err; 820 821 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 822 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 823 pr1 = &local_r1; 824 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 825 } else 826 pr1 = r1; 827 if (!BN_mod(r0, pr1, rsa->p,ctx)) 828 goto err; 829 830 /* 831 * If p < q it is occasionally possible for the correction of 832 * adding 'p' if r0 is negative above to leave the result still 833 * negative. This can break the private key operations: the following 834 * second correction should *always* correct this rare occurrence. 835 * This will *never* happen with OpenSSL generated keys because 836 * they ensure p > q [steve] 837 */ 838 if (BN_is_negative(r0)) 839 if (!BN_add(r0, r0, rsa->p)) 840 goto err; 841 if (!BN_mul(r1, r0, rsa->q, ctx)) 842 goto err; 843 if (!BN_add(r0, r1, m1)) 844 goto err; 845 846 if (rsa->e && rsa->n) { 847 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 848 rsa->_method_mod_n)) 849 goto err; 850 /* 851 * If 'I' was greater than (or equal to) rsa->n, the operation 852 * will be equivalent to using 'I mod n'. However, the result of 853 * the verify will *always* be less than 'n' so we don't check 854 * for absolute equality, just congruency. 855 */ 856 if (!BN_sub(vrfy, vrfy, I)) 857 goto err; 858 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 859 goto err; 860 if (BN_is_negative(vrfy)) 861 if (!BN_add(vrfy, vrfy, rsa->n)) 862 goto err; 863 if (!BN_is_zero(vrfy)) { 864 /* 865 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 866 * miscalculated CRT output, just do a raw (slower) 867 * mod_exp and return that instead. 868 */ 869 870 BIGNUM local_d; 871 BIGNUM *d = NULL; 872 873 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 874 d = &local_d; 875 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 876 } else 877 d = rsa->d; 878 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 879 rsa->_method_mod_n)) 880 goto err; 881 } 882 } 883 ret = 1; 884 err: 885 BN_CTX_end(ctx); 886 return ret; 887 } 888 889 static int 890 RSA_eay_init(RSA *rsa) 891 { 892 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 893 return 1 ; 894 } 895 896 static int 897 RSA_eay_finish(RSA *rsa) 898 { 899 if (rsa->_method_mod_n != NULL) 900 BN_MONT_CTX_free(rsa->_method_mod_n); 901 if (rsa->_method_mod_p != NULL) 902 BN_MONT_CTX_free(rsa->_method_mod_p); 903 if (rsa->_method_mod_q != NULL) 904 BN_MONT_CTX_free(rsa->_method_mod_q); 905 return 1; 906 } 907