1 /* $OpenBSD: rsa_eay.c,v 1.35 2014/07/11 15:21:51 miod Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/opensslconf.h> 115 116 #include <openssl/bn.h> 117 #include <openssl/err.h> 118 #include <openssl/rand.h> 119 #include <openssl/rsa.h> 120 121 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 122 unsigned char *to, RSA *rsa, int padding); 123 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 124 unsigned char *to, RSA *rsa, int padding); 125 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 126 unsigned char *to, RSA *rsa, int padding); 127 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 128 unsigned char *to, RSA *rsa, int padding); 129 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 130 static int RSA_eay_init(RSA *rsa); 131 static int RSA_eay_finish(RSA *rsa); 132 133 static RSA_METHOD rsa_pkcs1_eay_meth = { 134 .name = "Eric Young's PKCS#1 RSA", 135 .rsa_pub_enc = RSA_eay_public_encrypt, 136 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */ 137 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */ 138 .rsa_priv_dec = RSA_eay_private_decrypt, 139 .rsa_mod_exp = RSA_eay_mod_exp, 140 .bn_mod_exp = BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ 141 .init = RSA_eay_init, 142 .finish = RSA_eay_finish, 143 }; 144 145 const RSA_METHOD * 146 RSA_PKCS1_SSLeay(void) 147 { 148 return &rsa_pkcs1_eay_meth; 149 } 150 151 static int 152 RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 153 RSA *rsa, int padding) 154 { 155 BIGNUM *f, *ret; 156 int i, j, k, num = 0, r = -1; 157 unsigned char *buf = NULL; 158 BN_CTX *ctx = NULL; 159 160 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 161 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 162 return -1; 163 } 164 165 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 166 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 167 return -1; 168 } 169 170 /* for large moduli, enforce exponent limit */ 171 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 172 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 174 return -1; 175 } 176 } 177 178 if ((ctx = BN_CTX_new()) == NULL) 179 goto err; 180 BN_CTX_start(ctx); 181 f = BN_CTX_get(ctx); 182 ret = BN_CTX_get(ctx); 183 num = BN_num_bytes(rsa->n); 184 buf = malloc(num); 185 if (!f || !ret || !buf) { 186 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 187 goto err; 188 } 189 190 switch (padding) { 191 case RSA_PKCS1_PADDING: 192 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 193 break; 194 #ifndef OPENSSL_NO_SHA 195 case RSA_PKCS1_OAEP_PADDING: 196 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 197 break; 198 #endif 199 case RSA_SSLV23_PADDING: 200 i = RSA_padding_add_SSLv23(buf, num, from, flen); 201 break; 202 case RSA_NO_PADDING: 203 i = RSA_padding_add_none(buf, num, from, flen); 204 break; 205 default: 206 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 207 RSA_R_UNKNOWN_PADDING_TYPE); 208 goto err; 209 } 210 if (i <= 0) 211 goto err; 212 213 if (BN_bin2bn(buf, num, f) == NULL) 214 goto err; 215 216 if (BN_ucmp(f, rsa->n) >= 0) { 217 /* usually the padding functions would catch this */ 218 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 219 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 220 goto err; 221 } 222 223 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 224 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 225 CRYPTO_LOCK_RSA, rsa->n, ctx)) 226 goto err; 227 228 if (!rsa->meth->bn_mod_exp(ret, f,rsa->e, rsa->n, ctx, 229 rsa->_method_mod_n)) 230 goto err; 231 232 /* put in leading 0 bytes if the number is less than the 233 * length of the modulus */ 234 j = BN_num_bytes(ret); 235 i = BN_bn2bin(ret, &(to[num - j])); 236 for (k = 0; k < num - i; k++) 237 to[k] = 0; 238 239 r = num; 240 err: 241 if (ctx != NULL) { 242 BN_CTX_end(ctx); 243 BN_CTX_free(ctx); 244 } 245 if (buf != NULL) { 246 OPENSSL_cleanse(buf, num); 247 free(buf); 248 } 249 return r; 250 } 251 252 static BN_BLINDING * 253 rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 254 { 255 BN_BLINDING *ret; 256 int got_write_lock = 0; 257 CRYPTO_THREADID cur; 258 259 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 260 261 if (rsa->blinding == NULL) { 262 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 263 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 264 got_write_lock = 1; 265 266 if (rsa->blinding == NULL) 267 rsa->blinding = RSA_setup_blinding(rsa, ctx); 268 } 269 270 ret = rsa->blinding; 271 if (ret == NULL) 272 goto err; 273 274 CRYPTO_THREADID_current(&cur); 275 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 276 /* rsa->blinding is ours! */ 277 *local = 1; 278 } else { 279 /* resort to rsa->mt_blinding instead */ 280 /* 281 * Instruct rsa_blinding_convert(), rsa_blinding_invert() 282 * that the BN_BLINDING is shared, meaning that accesses 283 * require locks, and that the blinding factor must be 284 * stored outside the BN_BLINDING 285 */ 286 *local = 0; 287 288 if (rsa->mt_blinding == NULL) { 289 if (!got_write_lock) { 290 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 291 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 292 got_write_lock = 1; 293 } 294 295 if (rsa->mt_blinding == NULL) 296 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 297 } 298 ret = rsa->mt_blinding; 299 } 300 301 err: 302 if (got_write_lock) 303 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 304 else 305 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 306 return ret; 307 } 308 309 static int 310 rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 311 { 312 if (unblind == NULL) 313 /* 314 * Local blinding: store the unblinding factor 315 * in BN_BLINDING. 316 */ 317 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 318 else { 319 /* 320 * Shared blinding: store the unblinding factor 321 * outside BN_BLINDING. 322 */ 323 int ret; 324 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 325 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 326 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 327 return ret; 328 } 329 } 330 331 static int 332 rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 333 { 334 /* 335 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 336 * will use the unblinding factor stored in BN_BLINDING. 337 * If BN_BLINDING is shared between threads, unblind must be non-null: 338 * BN_BLINDING_invert_ex will then use the local unblinding factor, 339 * and will only read the modulus from BN_BLINDING. 340 * In both cases it's safe to access the blinding without a lock. 341 */ 342 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 343 } 344 345 /* signing */ 346 static int 347 RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 348 RSA *rsa, int padding) 349 { 350 BIGNUM *f, *ret, *res; 351 int i, j, k, num = 0, r = -1; 352 unsigned char *buf = NULL; 353 BN_CTX *ctx = NULL; 354 int local_blinding = 0; 355 /* 356 * Used only if the blinding structure is shared. A non-NULL unblind 357 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 358 * the unblinding factor outside the blinding structure. 359 */ 360 BIGNUM *unblind = NULL; 361 BN_BLINDING *blinding = NULL; 362 363 if ((ctx = BN_CTX_new()) == NULL) 364 goto err; 365 BN_CTX_start(ctx); 366 f = BN_CTX_get(ctx); 367 ret = BN_CTX_get(ctx); 368 num = BN_num_bytes(rsa->n); 369 buf = malloc(num); 370 if (!f || !ret || !buf) { 371 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 372 goto err; 373 } 374 375 switch (padding) { 376 case RSA_PKCS1_PADDING: 377 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 378 break; 379 case RSA_X931_PADDING: 380 i = RSA_padding_add_X931(buf, num, from, flen); 381 break; 382 case RSA_NO_PADDING: 383 i = RSA_padding_add_none(buf, num, from, flen); 384 break; 385 case RSA_SSLV23_PADDING: 386 default: 387 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 388 RSA_R_UNKNOWN_PADDING_TYPE); 389 goto err; 390 } 391 if (i <= 0) 392 goto err; 393 394 if (BN_bin2bn(buf, num, f) == NULL) 395 goto err; 396 397 if (BN_ucmp(f, rsa->n) >= 0) { 398 /* usually the padding functions would catch this */ 399 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 400 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 401 goto err; 402 } 403 404 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 405 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 406 if (blinding == NULL) { 407 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 408 ERR_R_INTERNAL_ERROR); 409 goto err; 410 } 411 } 412 413 if (blinding != NULL) { 414 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 415 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 416 ERR_R_MALLOC_FAILURE); 417 goto err; 418 } 419 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 420 goto err; 421 } 422 423 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 424 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 425 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 426 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 427 goto err; 428 } else { 429 BIGNUM local_d; 430 BIGNUM *d = NULL; 431 432 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 433 BN_init(&local_d); 434 d = &local_d; 435 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 436 } else 437 d = rsa->d; 438 439 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 440 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 441 CRYPTO_LOCK_RSA, rsa->n, ctx)) 442 goto err; 443 444 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 445 rsa->_method_mod_n)) 446 goto err; 447 } 448 449 if (blinding) 450 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 451 goto err; 452 453 if (padding == RSA_X931_PADDING) { 454 BN_sub(f, rsa->n, ret); 455 if (BN_cmp(ret, f) > 0) 456 res = f; 457 else 458 res = ret; 459 } else 460 res = ret; 461 462 /* put in leading 0 bytes if the number is less than the 463 * length of the modulus */ 464 j = BN_num_bytes(res); 465 i = BN_bn2bin(res, &(to[num - j])); 466 for (k = 0; k < num - i; k++) 467 to[k] = 0; 468 469 r = num; 470 err: 471 if (ctx != NULL) { 472 BN_CTX_end(ctx); 473 BN_CTX_free(ctx); 474 } 475 if (buf != NULL) { 476 OPENSSL_cleanse(buf, num); 477 free(buf); 478 } 479 return r; 480 } 481 482 static int 483 RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 484 RSA *rsa, int padding) 485 { 486 BIGNUM *f, *ret; 487 int j, num = 0, r = -1; 488 unsigned char *p; 489 unsigned char *buf = NULL; 490 BN_CTX *ctx = NULL; 491 int local_blinding = 0; 492 /* 493 * Used only if the blinding structure is shared. A non-NULL unblind 494 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 495 * the unblinding factor outside the blinding structure. 496 */ 497 BIGNUM *unblind = NULL; 498 BN_BLINDING *blinding = NULL; 499 500 if ((ctx = BN_CTX_new()) == NULL) 501 goto err; 502 BN_CTX_start(ctx); 503 f = BN_CTX_get(ctx); 504 ret = BN_CTX_get(ctx); 505 num = BN_num_bytes(rsa->n); 506 buf = malloc(num); 507 if (!f || !ret || !buf) { 508 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 509 goto err; 510 } 511 512 /* This check was for equality but PGP does evil things 513 * and chops off the top '0' bytes */ 514 if (flen > num) { 515 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 516 RSA_R_DATA_GREATER_THAN_MOD_LEN); 517 goto err; 518 } 519 520 /* make data into a big number */ 521 if (BN_bin2bn(from, (int)flen, f) == NULL) 522 goto err; 523 524 if (BN_ucmp(f, rsa->n) >= 0) { 525 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 526 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 527 goto err; 528 } 529 530 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 531 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 532 if (blinding == NULL) { 533 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 534 ERR_R_INTERNAL_ERROR); 535 goto err; 536 } 537 } 538 539 if (blinding != NULL) { 540 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 541 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 542 ERR_R_MALLOC_FAILURE); 543 goto err; 544 } 545 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 546 goto err; 547 } 548 549 /* do the decrypt */ 550 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 551 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 552 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 553 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 554 goto err; 555 } else { 556 BIGNUM local_d; 557 BIGNUM *d = NULL; 558 559 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 560 d = &local_d; 561 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 562 } else 563 d = rsa->d; 564 565 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 566 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 567 CRYPTO_LOCK_RSA, rsa->n, ctx)) 568 goto err; 569 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 570 rsa->_method_mod_n)) 571 goto err; 572 } 573 574 if (blinding) 575 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 576 goto err; 577 578 p = buf; 579 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 580 581 switch (padding) { 582 case RSA_PKCS1_PADDING: 583 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 584 break; 585 #ifndef OPENSSL_NO_SHA 586 case RSA_PKCS1_OAEP_PADDING: 587 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 588 break; 589 #endif 590 case RSA_SSLV23_PADDING: 591 r = RSA_padding_check_SSLv23(to, num, buf, j, num); 592 break; 593 case RSA_NO_PADDING: 594 r = RSA_padding_check_none(to, num, buf, j, num); 595 break; 596 default: 597 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 598 RSA_R_UNKNOWN_PADDING_TYPE); 599 goto err; 600 } 601 if (r < 0) 602 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 603 RSA_R_PADDING_CHECK_FAILED); 604 605 err: 606 if (ctx != NULL) { 607 BN_CTX_end(ctx); 608 BN_CTX_free(ctx); 609 } 610 if (buf != NULL) { 611 OPENSSL_cleanse(buf, num); 612 free(buf); 613 } 614 return r; 615 } 616 617 /* signature verification */ 618 static int 619 RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 620 RSA *rsa, int padding) 621 { 622 BIGNUM *f, *ret; 623 int i, num = 0, r = -1; 624 unsigned char *p; 625 unsigned char *buf = NULL; 626 BN_CTX *ctx = NULL; 627 628 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 629 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 630 return -1; 631 } 632 633 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 634 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 635 return -1; 636 } 637 638 /* for large moduli, enforce exponent limit */ 639 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 640 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 641 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 642 return -1; 643 } 644 } 645 646 if ((ctx = BN_CTX_new()) == NULL) 647 goto err; 648 BN_CTX_start(ctx); 649 f = BN_CTX_get(ctx); 650 ret = BN_CTX_get(ctx); 651 num = BN_num_bytes(rsa->n); 652 buf = malloc(num); 653 if (!f || !ret || !buf) { 654 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 655 goto err; 656 } 657 658 /* This check was for equality but PGP does evil things 659 * and chops off the top '0' bytes */ 660 if (flen > num) { 661 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 662 RSA_R_DATA_GREATER_THAN_MOD_LEN); 663 goto err; 664 } 665 666 if (BN_bin2bn(from, flen, f) == NULL) 667 goto err; 668 669 if (BN_ucmp(f, rsa->n) >= 0) { 670 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 671 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 672 goto err; 673 } 674 675 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 676 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 677 CRYPTO_LOCK_RSA, rsa->n, ctx)) 678 goto err; 679 680 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 681 rsa->_method_mod_n)) 682 goto err; 683 684 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12) 685 if (!BN_sub(ret, rsa->n, ret)) 686 goto err; 687 688 p = buf; 689 i = BN_bn2bin(ret, p); 690 691 switch (padding) { 692 case RSA_PKCS1_PADDING: 693 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 694 break; 695 case RSA_X931_PADDING: 696 r = RSA_padding_check_X931(to, num, buf, i, num); 697 break; 698 case RSA_NO_PADDING: 699 r = RSA_padding_check_none(to, num, buf, i, num); 700 break; 701 default: 702 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 703 RSA_R_UNKNOWN_PADDING_TYPE); 704 goto err; 705 } 706 if (r < 0) 707 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 708 RSA_R_PADDING_CHECK_FAILED); 709 710 err: 711 if (ctx != NULL) { 712 BN_CTX_end(ctx); 713 BN_CTX_free(ctx); 714 } 715 if (buf != NULL) { 716 OPENSSL_cleanse(buf, num); 717 free(buf); 718 } 719 return r; 720 } 721 722 static int 723 RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 724 { 725 BIGNUM *r1, *m1, *vrfy; 726 BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 727 BIGNUM *dmp1, *dmq1, *c, *pr1; 728 int ret = 0; 729 730 BN_CTX_start(ctx); 731 r1 = BN_CTX_get(ctx); 732 m1 = BN_CTX_get(ctx); 733 vrfy = BN_CTX_get(ctx); 734 735 { 736 BIGNUM local_p, local_q; 737 BIGNUM *p = NULL, *q = NULL; 738 739 /* 740 * Make sure BN_mod_inverse in Montgomery intialization uses the 741 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 742 */ 743 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 744 BN_init(&local_p); 745 p = &local_p; 746 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 747 748 BN_init(&local_q); 749 q = &local_q; 750 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 751 } else { 752 p = rsa->p; 753 q = rsa->q; 754 } 755 756 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 757 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 758 CRYPTO_LOCK_RSA, p, ctx)) 759 goto err; 760 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 761 CRYPTO_LOCK_RSA, q, ctx)) 762 goto err; 763 } 764 } 765 766 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 767 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 768 CRYPTO_LOCK_RSA, rsa->n, ctx)) 769 goto err; 770 771 /* compute I mod q */ 772 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 773 c = &local_c; 774 BN_with_flags(c, I, BN_FLG_CONSTTIME); 775 if (!BN_mod(r1, c, rsa->q, ctx)) 776 goto err; 777 } else { 778 if (!BN_mod(r1, I, rsa->q, ctx)) 779 goto err; 780 } 781 782 /* compute r1^dmq1 mod q */ 783 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 784 dmq1 = &local_dmq1; 785 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 786 } else 787 dmq1 = rsa->dmq1; 788 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, 789 rsa->_method_mod_q)) 790 goto err; 791 792 /* compute I mod p */ 793 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 794 c = &local_c; 795 BN_with_flags(c, I, BN_FLG_CONSTTIME); 796 if (!BN_mod(r1, c, rsa->p, ctx)) 797 goto err; 798 } else { 799 if (!BN_mod(r1, I, rsa->p, ctx)) 800 goto err; 801 } 802 803 /* compute r1^dmp1 mod p */ 804 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 805 dmp1 = &local_dmp1; 806 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 807 } else 808 dmp1 = rsa->dmp1; 809 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, 810 rsa->_method_mod_p)) 811 goto err; 812 813 if (!BN_sub(r0, r0, m1)) 814 goto err; 815 /* 816 * This will help stop the size of r0 increasing, which does 817 * affect the multiply if it optimised for a power of 2 size 818 */ 819 if (BN_is_negative(r0)) 820 if (!BN_add(r0, r0, rsa->p)) 821 goto err; 822 823 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 824 goto err; 825 826 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 827 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 828 pr1 = &local_r1; 829 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 830 } else 831 pr1 = r1; 832 if (!BN_mod(r0, pr1, rsa->p, ctx)) 833 goto err; 834 835 /* 836 * If p < q it is occasionally possible for the correction of 837 * adding 'p' if r0 is negative above to leave the result still 838 * negative. This can break the private key operations: the following 839 * second correction should *always* correct this rare occurrence. 840 * This will *never* happen with OpenSSL generated keys because 841 * they ensure p > q [steve] 842 */ 843 if (BN_is_negative(r0)) 844 if (!BN_add(r0, r0, rsa->p)) 845 goto err; 846 if (!BN_mul(r1, r0, rsa->q, ctx)) 847 goto err; 848 if (!BN_add(r0, r1, m1)) 849 goto err; 850 851 if (rsa->e && rsa->n) { 852 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 853 rsa->_method_mod_n)) 854 goto err; 855 /* 856 * If 'I' was greater than (or equal to) rsa->n, the operation 857 * will be equivalent to using 'I mod n'. However, the result of 858 * the verify will *always* be less than 'n' so we don't check 859 * for absolute equality, just congruency. 860 */ 861 if (!BN_sub(vrfy, vrfy, I)) 862 goto err; 863 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 864 goto err; 865 if (BN_is_negative(vrfy)) 866 if (!BN_add(vrfy, vrfy, rsa->n)) 867 goto err; 868 if (!BN_is_zero(vrfy)) { 869 /* 870 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 871 * miscalculated CRT output, just do a raw (slower) 872 * mod_exp and return that instead. 873 */ 874 875 BIGNUM local_d; 876 BIGNUM *d = NULL; 877 878 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 879 d = &local_d; 880 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 881 } else 882 d = rsa->d; 883 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 884 rsa->_method_mod_n)) 885 goto err; 886 } 887 } 888 ret = 1; 889 err: 890 BN_CTX_end(ctx); 891 return ret; 892 } 893 894 static int 895 RSA_eay_init(RSA *rsa) 896 { 897 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 898 return 1; 899 } 900 901 static int 902 RSA_eay_finish(RSA *rsa) 903 { 904 BN_MONT_CTX_free(rsa->_method_mod_n); 905 BN_MONT_CTX_free(rsa->_method_mod_p); 906 BN_MONT_CTX_free(rsa->_method_mod_q); 907 908 return 1; 909 } 910