1 /* crypto/rsa/rsa_eay.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include "cryptlib.h" 61 #include <openssl/bn.h> 62 #include <openssl/rsa.h> 63 #include <openssl/rand.h> 64 65 #ifndef RSA_NULL 66 67 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 68 unsigned char *to, RSA *rsa,int padding); 69 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 70 unsigned char *to, RSA *rsa,int padding); 71 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 72 unsigned char *to, RSA *rsa,int padding); 73 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 74 unsigned char *to, RSA *rsa,int padding); 75 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); 76 static int RSA_eay_init(RSA *rsa); 77 static int RSA_eay_finish(RSA *rsa); 78 static RSA_METHOD rsa_pkcs1_eay_meth={ 79 "Eric Young's PKCS#1 RSA", 80 RSA_eay_public_encrypt, 81 RSA_eay_public_decrypt, /* signature verification */ 82 RSA_eay_private_encrypt, /* signing */ 83 RSA_eay_private_decrypt, 84 RSA_eay_mod_exp, 85 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ 86 RSA_eay_init, 87 RSA_eay_finish, 88 0, /* flags */ 89 NULL, 90 0, /* rsa_sign */ 91 0 /* rsa_verify */ 92 }; 93 94 const RSA_METHOD *RSA_PKCS1_SSLeay(void) 95 { 96 return(&rsa_pkcs1_eay_meth); 97 } 98 99 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 100 unsigned char *to, RSA *rsa, int padding) 101 { 102 BIGNUM f,ret; 103 int i,j,k,num=0,r= -1; 104 unsigned char *buf=NULL; 105 BN_CTX *ctx=NULL; 106 107 BN_init(&f); 108 BN_init(&ret); 109 if ((ctx=BN_CTX_new()) == NULL) goto err; 110 num=BN_num_bytes(rsa->n); 111 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 112 { 113 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 114 goto err; 115 } 116 117 switch (padding) 118 { 119 case RSA_PKCS1_PADDING: 120 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 121 break; 122 #ifndef OPENSSL_NO_SHA 123 case RSA_PKCS1_OAEP_PADDING: 124 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 125 break; 126 #endif 127 case RSA_SSLV23_PADDING: 128 i=RSA_padding_add_SSLv23(buf,num,from,flen); 129 break; 130 case RSA_NO_PADDING: 131 i=RSA_padding_add_none(buf,num,from,flen); 132 break; 133 default: 134 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 135 goto err; 136 } 137 if (i <= 0) goto err; 138 139 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 140 141 if (BN_ucmp(&f, rsa->n) >= 0) 142 { 143 /* usually the padding functions would catch this */ 144 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 145 goto err; 146 } 147 148 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 149 { 150 BN_MONT_CTX* bn_mont_ctx; 151 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 152 goto err; 153 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) 154 { 155 BN_MONT_CTX_free(bn_mont_ctx); 156 goto err; 157 } 158 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ 159 { 160 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 161 if (rsa->_method_mod_n == NULL) 162 { 163 rsa->_method_mod_n = bn_mont_ctx; 164 bn_mont_ctx = NULL; 165 } 166 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 167 } 168 if (bn_mont_ctx) 169 BN_MONT_CTX_free(bn_mont_ctx); 170 } 171 172 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 173 rsa->_method_mod_n)) goto err; 174 175 /* put in leading 0 bytes if the number is less than the 176 * length of the modulus */ 177 j=BN_num_bytes(&ret); 178 i=BN_bn2bin(&ret,&(to[num-j])); 179 for (k=0; k<(num-i); k++) 180 to[k]=0; 181 182 r=num; 183 err: 184 if (ctx != NULL) BN_CTX_free(ctx); 185 BN_clear_free(&f); 186 BN_clear_free(&ret); 187 if (buf != NULL) 188 { 189 OPENSSL_cleanse(buf,num); 190 OPENSSL_free(buf); 191 } 192 return(r); 193 } 194 195 static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) 196 { 197 int ret = 1; 198 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 199 /* Check again inside the lock - the macro's check is racey */ 200 if(rsa->blinding == NULL) 201 ret = RSA_blinding_on(rsa, ctx); 202 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 203 return ret; 204 } 205 206 #define BLINDING_HELPER(rsa, ctx, err_instr) \ 207 do { \ 208 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ 209 ((rsa)->blinding == NULL) && \ 210 !rsa_eay_blinding(rsa, ctx)) \ 211 err_instr \ 212 } while(0) 213 214 static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) 215 { 216 BIGNUM *A, *Ai; 217 BN_BLINDING *ret = NULL; 218 219 /* added in OpenSSL 0.9.6j and 0.9.7b */ 220 221 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); 222 * this should be placed in a new function of its own, but for reasons 223 * of binary compatibility can't */ 224 225 BN_CTX_start(ctx); 226 A = BN_CTX_get(ctx); 227 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) 228 { 229 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ 230 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); 231 if (!BN_pseudo_rand_range(A,rsa->n)) goto err; 232 } 233 else 234 { 235 if (!BN_rand_range(A,rsa->n)) goto err; 236 } 237 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; 238 239 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) 240 goto err; 241 ret = BN_BLINDING_new(A,Ai,rsa->n); 242 BN_free(Ai); 243 err: 244 BN_CTX_end(ctx); 245 return ret; 246 } 247 248 /* signing */ 249 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 250 unsigned char *to, RSA *rsa, int padding) 251 { 252 BIGNUM f,ret; 253 int i,j,k,num=0,r= -1; 254 unsigned char *buf=NULL; 255 BN_CTX *ctx=NULL; 256 int local_blinding = 0; 257 BN_BLINDING *blinding = NULL; 258 259 BN_init(&f); 260 BN_init(&ret); 261 262 if ((ctx=BN_CTX_new()) == NULL) goto err; 263 num=BN_num_bytes(rsa->n); 264 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 265 { 266 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 267 goto err; 268 } 269 270 switch (padding) 271 { 272 case RSA_PKCS1_PADDING: 273 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 274 break; 275 case RSA_NO_PADDING: 276 i=RSA_padding_add_none(buf,num,from,flen); 277 break; 278 case RSA_SSLV23_PADDING: 279 default: 280 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 281 goto err; 282 } 283 if (i <= 0) goto err; 284 285 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 286 287 if (BN_ucmp(&f, rsa->n) >= 0) 288 { 289 /* usually the padding functions would catch this */ 290 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 291 goto err; 292 } 293 294 BLINDING_HELPER(rsa, ctx, goto err;); 295 blinding = rsa->blinding; 296 297 /* Now unless blinding is disabled, 'blinding' is non-NULL. 298 * But the BN_BLINDING object may be owned by some other thread 299 * (we don't want to keep it constant and we don't want to use 300 * lots of locking to avoid race conditions, so only a single 301 * thread can use it; other threads have to use local blinding 302 * factors) */ 303 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 304 { 305 if (blinding == NULL) 306 { 307 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 308 goto err; 309 } 310 } 311 312 if (blinding != NULL) 313 { 314 if (blinding->thread_id != CRYPTO_thread_id()) 315 { 316 /* we need a local one-time blinding factor */ 317 318 blinding = setup_blinding(rsa, ctx); 319 if (blinding == NULL) 320 goto err; 321 local_blinding = 1; 322 } 323 } 324 325 if (blinding) 326 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; 327 328 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 329 ((rsa->p != NULL) && 330 (rsa->q != NULL) && 331 (rsa->dmp1 != NULL) && 332 (rsa->dmq1 != NULL) && 333 (rsa->iqmp != NULL)) ) 334 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 335 else 336 { 337 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; 338 } 339 340 if (blinding) 341 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 342 343 /* put in leading 0 bytes if the number is less than the 344 * length of the modulus */ 345 j=BN_num_bytes(&ret); 346 i=BN_bn2bin(&ret,&(to[num-j])); 347 for (k=0; k<(num-i); k++) 348 to[k]=0; 349 350 r=num; 351 err: 352 if (ctx != NULL) BN_CTX_free(ctx); 353 BN_clear_free(&ret); 354 BN_clear_free(&f); 355 if (local_blinding) 356 BN_BLINDING_free(blinding); 357 if (buf != NULL) 358 { 359 OPENSSL_cleanse(buf,num); 360 OPENSSL_free(buf); 361 } 362 return(r); 363 } 364 365 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 366 unsigned char *to, RSA *rsa, int padding) 367 { 368 BIGNUM f,ret; 369 int j,num=0,r= -1; 370 unsigned char *p; 371 unsigned char *buf=NULL; 372 BN_CTX *ctx=NULL; 373 int local_blinding = 0; 374 BN_BLINDING *blinding = NULL; 375 376 BN_init(&f); 377 BN_init(&ret); 378 ctx=BN_CTX_new(); 379 if (ctx == NULL) goto err; 380 381 num=BN_num_bytes(rsa->n); 382 383 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 384 { 385 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 386 goto err; 387 } 388 389 /* This check was for equality but PGP does evil things 390 * and chops off the top '0' bytes */ 391 if (flen > num) 392 { 393 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 394 goto err; 395 } 396 397 /* make data into a big number */ 398 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; 399 400 if (BN_ucmp(&f, rsa->n) >= 0) 401 { 402 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 403 goto err; 404 } 405 406 BLINDING_HELPER(rsa, ctx, goto err;); 407 blinding = rsa->blinding; 408 409 /* Now unless blinding is disabled, 'blinding' is non-NULL. 410 * But the BN_BLINDING object may be owned by some other thread 411 * (we don't want to keep it constant and we don't want to use 412 * lots of locking to avoid race conditions, so only a single 413 * thread can use it; other threads have to use local blinding 414 * factors) */ 415 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 416 { 417 if (blinding == NULL) 418 { 419 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 420 goto err; 421 } 422 } 423 424 if (blinding != NULL) 425 { 426 if (blinding->thread_id != CRYPTO_thread_id()) 427 { 428 /* we need a local one-time blinding factor */ 429 430 blinding = setup_blinding(rsa, ctx); 431 if (blinding == NULL) 432 goto err; 433 local_blinding = 1; 434 } 435 } 436 437 if (blinding) 438 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; 439 440 /* do the decrypt */ 441 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 442 ((rsa->p != NULL) && 443 (rsa->q != NULL) && 444 (rsa->dmp1 != NULL) && 445 (rsa->dmq1 != NULL) && 446 (rsa->iqmp != NULL)) ) 447 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 448 else 449 { 450 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) 451 goto err; 452 } 453 454 if (blinding) 455 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 456 457 p=buf; 458 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ 459 460 switch (padding) 461 { 462 case RSA_PKCS1_PADDING: 463 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 464 break; 465 #ifndef OPENSSL_NO_SHA 466 case RSA_PKCS1_OAEP_PADDING: 467 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 468 break; 469 #endif 470 case RSA_SSLV23_PADDING: 471 r=RSA_padding_check_SSLv23(to,num,buf,j,num); 472 break; 473 case RSA_NO_PADDING: 474 r=RSA_padding_check_none(to,num,buf,j,num); 475 break; 476 default: 477 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 478 goto err; 479 } 480 if (r < 0) 481 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 482 483 err: 484 if (ctx != NULL) BN_CTX_free(ctx); 485 BN_clear_free(&f); 486 BN_clear_free(&ret); 487 if (local_blinding) 488 BN_BLINDING_free(blinding); 489 if (buf != NULL) 490 { 491 OPENSSL_cleanse(buf,num); 492 OPENSSL_free(buf); 493 } 494 return(r); 495 } 496 497 /* signature verification */ 498 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 499 unsigned char *to, RSA *rsa, int padding) 500 { 501 BIGNUM f,ret; 502 int i,num=0,r= -1; 503 unsigned char *p; 504 unsigned char *buf=NULL; 505 BN_CTX *ctx=NULL; 506 507 BN_init(&f); 508 BN_init(&ret); 509 ctx=BN_CTX_new(); 510 if (ctx == NULL) goto err; 511 512 num=BN_num_bytes(rsa->n); 513 buf=(unsigned char *)OPENSSL_malloc(num); 514 if (buf == NULL) 515 { 516 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 517 goto err; 518 } 519 520 /* This check was for equality but PGP does evil things 521 * and chops off the top '0' bytes */ 522 if (flen > num) 523 { 524 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 525 goto err; 526 } 527 528 if (BN_bin2bn(from,flen,&f) == NULL) goto err; 529 530 if (BN_ucmp(&f, rsa->n) >= 0) 531 { 532 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 533 goto err; 534 } 535 536 /* do the decrypt */ 537 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 538 { 539 BN_MONT_CTX* bn_mont_ctx; 540 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 541 goto err; 542 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) 543 { 544 BN_MONT_CTX_free(bn_mont_ctx); 545 goto err; 546 } 547 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ 548 { 549 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 550 if (rsa->_method_mod_n == NULL) 551 { 552 rsa->_method_mod_n = bn_mont_ctx; 553 bn_mont_ctx = NULL; 554 } 555 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 556 } 557 if (bn_mont_ctx) 558 BN_MONT_CTX_free(bn_mont_ctx); 559 } 560 561 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 562 rsa->_method_mod_n)) goto err; 563 564 p=buf; 565 i=BN_bn2bin(&ret,p); 566 567 switch (padding) 568 { 569 case RSA_PKCS1_PADDING: 570 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 571 break; 572 case RSA_NO_PADDING: 573 r=RSA_padding_check_none(to,num,buf,i,num); 574 break; 575 default: 576 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 577 goto err; 578 } 579 if (r < 0) 580 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 581 582 err: 583 if (ctx != NULL) BN_CTX_free(ctx); 584 BN_clear_free(&f); 585 BN_clear_free(&ret); 586 if (buf != NULL) 587 { 588 OPENSSL_cleanse(buf,num); 589 OPENSSL_free(buf); 590 } 591 return(r); 592 } 593 594 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 595 { 596 BIGNUM r1,m1,vrfy; 597 int ret=0; 598 BN_CTX *ctx; 599 600 BN_init(&m1); 601 BN_init(&r1); 602 BN_init(&vrfy); 603 if ((ctx=BN_CTX_new()) == NULL) goto err; 604 605 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 606 { 607 if (rsa->_method_mod_p == NULL) 608 { 609 BN_MONT_CTX* bn_mont_ctx; 610 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 611 goto err; 612 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) 613 { 614 BN_MONT_CTX_free(bn_mont_ctx); 615 goto err; 616 } 617 if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ 618 { 619 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 620 if (rsa->_method_mod_p == NULL) 621 { 622 rsa->_method_mod_p = bn_mont_ctx; 623 bn_mont_ctx = NULL; 624 } 625 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 626 } 627 if (bn_mont_ctx) 628 BN_MONT_CTX_free(bn_mont_ctx); 629 } 630 631 if (rsa->_method_mod_q == NULL) 632 { 633 BN_MONT_CTX* bn_mont_ctx; 634 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 635 goto err; 636 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) 637 { 638 BN_MONT_CTX_free(bn_mont_ctx); 639 goto err; 640 } 641 if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ 642 { 643 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 644 if (rsa->_method_mod_q == NULL) 645 { 646 rsa->_method_mod_q = bn_mont_ctx; 647 bn_mont_ctx = NULL; 648 } 649 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 650 } 651 if (bn_mont_ctx) 652 BN_MONT_CTX_free(bn_mont_ctx); 653 } 654 } 655 656 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 657 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, 658 rsa->_method_mod_q)) goto err; 659 660 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 661 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, 662 rsa->_method_mod_p)) goto err; 663 664 if (!BN_sub(r0,r0,&m1)) goto err; 665 /* This will help stop the size of r0 increasing, which does 666 * affect the multiply if it optimised for a power of 2 size */ 667 if (r0->neg) 668 if (!BN_add(r0,r0,rsa->p)) goto err; 669 670 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; 671 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; 672 /* If p < q it is occasionally possible for the correction of 673 * adding 'p' if r0 is negative above to leave the result still 674 * negative. This can break the private key operations: the following 675 * second correction should *always* correct this rare occurrence. 676 * This will *never* happen with OpenSSL generated keys because 677 * they ensure p > q [steve] 678 */ 679 if (r0->neg) 680 if (!BN_add(r0,r0,rsa->p)) goto err; 681 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; 682 if (!BN_add(r0,&r1,&m1)) goto err; 683 684 if (rsa->e && rsa->n) 685 { 686 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; 687 /* If 'I' was greater than (or equal to) rsa->n, the operation 688 * will be equivalent to using 'I mod n'. However, the result of 689 * the verify will *always* be less than 'n' so we don't check 690 * for absolute equality, just congruency. */ 691 if (!BN_sub(&vrfy, &vrfy, I)) goto err; 692 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; 693 if (vrfy.neg) 694 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; 695 if (!BN_is_zero(&vrfy)) 696 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 697 * miscalculated CRT output, just do a raw (slower) 698 * mod_exp and return that instead. */ 699 if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; 700 } 701 ret=1; 702 err: 703 BN_clear_free(&m1); 704 BN_clear_free(&r1); 705 BN_clear_free(&vrfy); 706 BN_CTX_free(ctx); 707 return(ret); 708 } 709 710 static int RSA_eay_init(RSA *rsa) 711 { 712 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 713 return(1); 714 } 715 716 static int RSA_eay_finish(RSA *rsa) 717 { 718 if (rsa->_method_mod_n != NULL) 719 BN_MONT_CTX_free(rsa->_method_mod_n); 720 if (rsa->_method_mod_p != NULL) 721 BN_MONT_CTX_free(rsa->_method_mod_p); 722 if (rsa->_method_mod_q != NULL) 723 BN_MONT_CTX_free(rsa->_method_mod_q); 724 return(1); 725 } 726 727 #endif 728