1 /* $OpenBSD: rsa_eay.c,v 1.37 2015/02/09 15:49:22 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/opensslconf.h> 115 116 #include <openssl/bn.h> 117 #include <openssl/err.h> 118 #include <openssl/rsa.h> 119 120 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 121 unsigned char *to, RSA *rsa, int padding); 122 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 123 unsigned char *to, RSA *rsa, int padding); 124 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 125 unsigned char *to, RSA *rsa, int padding); 126 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 127 unsigned char *to, RSA *rsa, int padding); 128 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 129 static int RSA_eay_init(RSA *rsa); 130 static int RSA_eay_finish(RSA *rsa); 131 132 static RSA_METHOD rsa_pkcs1_eay_meth = { 133 .name = "Eric Young's PKCS#1 RSA", 134 .rsa_pub_enc = RSA_eay_public_encrypt, 135 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */ 136 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */ 137 .rsa_priv_dec = RSA_eay_private_decrypt, 138 .rsa_mod_exp = RSA_eay_mod_exp, 139 .bn_mod_exp = BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ 140 .init = RSA_eay_init, 141 .finish = RSA_eay_finish, 142 }; 143 144 const RSA_METHOD * 145 RSA_PKCS1_SSLeay(void) 146 { 147 return &rsa_pkcs1_eay_meth; 148 } 149 150 static int 151 RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 152 RSA *rsa, int padding) 153 { 154 BIGNUM *f, *ret; 155 int i, j, k, num = 0, r = -1; 156 unsigned char *buf = NULL; 157 BN_CTX *ctx = NULL; 158 159 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 160 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 161 return -1; 162 } 163 164 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 165 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 166 return -1; 167 } 168 169 /* for large moduli, enforce exponent limit */ 170 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 171 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 172 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 173 return -1; 174 } 175 } 176 177 if ((ctx = BN_CTX_new()) == NULL) 178 goto err; 179 BN_CTX_start(ctx); 180 f = BN_CTX_get(ctx); 181 ret = BN_CTX_get(ctx); 182 num = BN_num_bytes(rsa->n); 183 buf = malloc(num); 184 if (f == NULL || ret == NULL || buf == NULL) { 185 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 186 goto err; 187 } 188 189 switch (padding) { 190 case RSA_PKCS1_PADDING: 191 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 192 break; 193 #ifndef OPENSSL_NO_SHA 194 case RSA_PKCS1_OAEP_PADDING: 195 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 196 break; 197 #endif 198 case RSA_SSLV23_PADDING: 199 i = RSA_padding_add_SSLv23(buf, num, from, flen); 200 break; 201 case RSA_NO_PADDING: 202 i = RSA_padding_add_none(buf, num, from, flen); 203 break; 204 default: 205 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 206 RSA_R_UNKNOWN_PADDING_TYPE); 207 goto err; 208 } 209 if (i <= 0) 210 goto err; 211 212 if (BN_bin2bn(buf, num, f) == NULL) 213 goto err; 214 215 if (BN_ucmp(f, rsa->n) >= 0) { 216 /* usually the padding functions would catch this */ 217 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 218 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 219 goto err; 220 } 221 222 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 223 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 224 CRYPTO_LOCK_RSA, rsa->n, ctx)) 225 goto err; 226 227 if (!rsa->meth->bn_mod_exp(ret, f,rsa->e, rsa->n, ctx, 228 rsa->_method_mod_n)) 229 goto err; 230 231 /* put in leading 0 bytes if the number is less than the 232 * length of the modulus */ 233 j = BN_num_bytes(ret); 234 i = BN_bn2bin(ret, &(to[num - j])); 235 for (k = 0; k < num - i; k++) 236 to[k] = 0; 237 238 r = num; 239 err: 240 if (ctx != NULL) { 241 BN_CTX_end(ctx); 242 BN_CTX_free(ctx); 243 } 244 if (buf != NULL) { 245 OPENSSL_cleanse(buf, num); 246 free(buf); 247 } 248 return r; 249 } 250 251 static BN_BLINDING * 252 rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 253 { 254 BN_BLINDING *ret; 255 int got_write_lock = 0; 256 CRYPTO_THREADID cur; 257 258 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 259 260 if (rsa->blinding == NULL) { 261 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 262 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 263 got_write_lock = 1; 264 265 if (rsa->blinding == NULL) 266 rsa->blinding = RSA_setup_blinding(rsa, ctx); 267 } 268 269 ret = rsa->blinding; 270 if (ret == NULL) 271 goto err; 272 273 CRYPTO_THREADID_current(&cur); 274 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 275 /* rsa->blinding is ours! */ 276 *local = 1; 277 } else { 278 /* resort to rsa->mt_blinding instead */ 279 /* 280 * Instruct rsa_blinding_convert(), rsa_blinding_invert() 281 * that the BN_BLINDING is shared, meaning that accesses 282 * require locks, and that the blinding factor must be 283 * stored outside the BN_BLINDING 284 */ 285 *local = 0; 286 287 if (rsa->mt_blinding == NULL) { 288 if (!got_write_lock) { 289 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 290 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 291 got_write_lock = 1; 292 } 293 294 if (rsa->mt_blinding == NULL) 295 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 296 } 297 ret = rsa->mt_blinding; 298 } 299 300 err: 301 if (got_write_lock) 302 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 303 else 304 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 305 return ret; 306 } 307 308 static int 309 rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 310 { 311 if (unblind == NULL) 312 /* 313 * Local blinding: store the unblinding factor 314 * in BN_BLINDING. 315 */ 316 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 317 else { 318 /* 319 * Shared blinding: store the unblinding factor 320 * outside BN_BLINDING. 321 */ 322 int ret; 323 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 324 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 325 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 326 return ret; 327 } 328 } 329 330 static int 331 rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 332 { 333 /* 334 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 335 * will use the unblinding factor stored in BN_BLINDING. 336 * If BN_BLINDING is shared between threads, unblind must be non-null: 337 * BN_BLINDING_invert_ex will then use the local unblinding factor, 338 * and will only read the modulus from BN_BLINDING. 339 * In both cases it's safe to access the blinding without a lock. 340 */ 341 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 342 } 343 344 /* signing */ 345 static int 346 RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 347 RSA *rsa, int padding) 348 { 349 BIGNUM *f, *ret, *res; 350 int i, j, k, num = 0, r = -1; 351 unsigned char *buf = NULL; 352 BN_CTX *ctx = NULL; 353 int local_blinding = 0; 354 /* 355 * Used only if the blinding structure is shared. A non-NULL unblind 356 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 357 * the unblinding factor outside the blinding structure. 358 */ 359 BIGNUM *unblind = NULL; 360 BN_BLINDING *blinding = NULL; 361 362 if ((ctx = BN_CTX_new()) == NULL) 363 goto err; 364 BN_CTX_start(ctx); 365 f = BN_CTX_get(ctx); 366 ret = BN_CTX_get(ctx); 367 num = BN_num_bytes(rsa->n); 368 buf = malloc(num); 369 if (f == NULL || ret == NULL || buf == NULL) { 370 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 371 goto err; 372 } 373 374 switch (padding) { 375 case RSA_PKCS1_PADDING: 376 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 377 break; 378 case RSA_X931_PADDING: 379 i = RSA_padding_add_X931(buf, num, from, flen); 380 break; 381 case RSA_NO_PADDING: 382 i = RSA_padding_add_none(buf, num, from, flen); 383 break; 384 case RSA_SSLV23_PADDING: 385 default: 386 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 387 RSA_R_UNKNOWN_PADDING_TYPE); 388 goto err; 389 } 390 if (i <= 0) 391 goto err; 392 393 if (BN_bin2bn(buf, num, f) == NULL) 394 goto err; 395 396 if (BN_ucmp(f, rsa->n) >= 0) { 397 /* usually the padding functions would catch this */ 398 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 399 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 400 goto err; 401 } 402 403 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 404 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 405 if (blinding == NULL) { 406 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 407 ERR_R_INTERNAL_ERROR); 408 goto err; 409 } 410 } 411 412 if (blinding != NULL) { 413 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 414 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 415 ERR_R_MALLOC_FAILURE); 416 goto err; 417 } 418 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 419 goto err; 420 } 421 422 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 423 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 424 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 425 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 426 goto err; 427 } else { 428 BIGNUM local_d; 429 BIGNUM *d = NULL; 430 431 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 432 BN_init(&local_d); 433 d = &local_d; 434 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 435 } else 436 d = rsa->d; 437 438 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 439 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 440 CRYPTO_LOCK_RSA, rsa->n, ctx)) 441 goto err; 442 443 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 444 rsa->_method_mod_n)) 445 goto err; 446 } 447 448 if (blinding) 449 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 450 goto err; 451 452 if (padding == RSA_X931_PADDING) { 453 BN_sub(f, rsa->n, ret); 454 if (BN_cmp(ret, f) > 0) 455 res = f; 456 else 457 res = ret; 458 } else 459 res = ret; 460 461 /* put in leading 0 bytes if the number is less than the 462 * length of the modulus */ 463 j = BN_num_bytes(res); 464 i = BN_bn2bin(res, &(to[num - j])); 465 for (k = 0; k < num - i; k++) 466 to[k] = 0; 467 468 r = num; 469 err: 470 if (ctx != NULL) { 471 BN_CTX_end(ctx); 472 BN_CTX_free(ctx); 473 } 474 if (buf != NULL) { 475 OPENSSL_cleanse(buf, num); 476 free(buf); 477 } 478 return r; 479 } 480 481 static int 482 RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 483 RSA *rsa, int padding) 484 { 485 BIGNUM *f, *ret; 486 int j, num = 0, r = -1; 487 unsigned char *p; 488 unsigned char *buf = NULL; 489 BN_CTX *ctx = NULL; 490 int local_blinding = 0; 491 /* 492 * Used only if the blinding structure is shared. A non-NULL unblind 493 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 494 * the unblinding factor outside the blinding structure. 495 */ 496 BIGNUM *unblind = NULL; 497 BN_BLINDING *blinding = NULL; 498 499 if ((ctx = BN_CTX_new()) == NULL) 500 goto err; 501 BN_CTX_start(ctx); 502 f = BN_CTX_get(ctx); 503 ret = BN_CTX_get(ctx); 504 num = BN_num_bytes(rsa->n); 505 buf = malloc(num); 506 if (!f || !ret || !buf) { 507 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 508 goto err; 509 } 510 511 /* This check was for equality but PGP does evil things 512 * and chops off the top '0' bytes */ 513 if (flen > num) { 514 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 515 RSA_R_DATA_GREATER_THAN_MOD_LEN); 516 goto err; 517 } 518 519 /* make data into a big number */ 520 if (BN_bin2bn(from, (int)flen, f) == NULL) 521 goto err; 522 523 if (BN_ucmp(f, rsa->n) >= 0) { 524 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 525 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 526 goto err; 527 } 528 529 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 530 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 531 if (blinding == NULL) { 532 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 533 ERR_R_INTERNAL_ERROR); 534 goto err; 535 } 536 } 537 538 if (blinding != NULL) { 539 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 540 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 541 ERR_R_MALLOC_FAILURE); 542 goto err; 543 } 544 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 545 goto err; 546 } 547 548 /* do the decrypt */ 549 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 550 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 551 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 552 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 553 goto err; 554 } else { 555 BIGNUM local_d; 556 BIGNUM *d = NULL; 557 558 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 559 d = &local_d; 560 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 561 } else 562 d = rsa->d; 563 564 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 565 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 566 CRYPTO_LOCK_RSA, rsa->n, ctx)) 567 goto err; 568 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 569 rsa->_method_mod_n)) 570 goto err; 571 } 572 573 if (blinding) 574 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 575 goto err; 576 577 p = buf; 578 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 579 580 switch (padding) { 581 case RSA_PKCS1_PADDING: 582 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 583 break; 584 #ifndef OPENSSL_NO_SHA 585 case RSA_PKCS1_OAEP_PADDING: 586 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 587 break; 588 #endif 589 case RSA_SSLV23_PADDING: 590 r = RSA_padding_check_SSLv23(to, num, buf, j, num); 591 break; 592 case RSA_NO_PADDING: 593 r = RSA_padding_check_none(to, num, buf, j, num); 594 break; 595 default: 596 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 597 RSA_R_UNKNOWN_PADDING_TYPE); 598 goto err; 599 } 600 if (r < 0) 601 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 602 RSA_R_PADDING_CHECK_FAILED); 603 604 err: 605 if (ctx != NULL) { 606 BN_CTX_end(ctx); 607 BN_CTX_free(ctx); 608 } 609 if (buf != NULL) { 610 OPENSSL_cleanse(buf, num); 611 free(buf); 612 } 613 return r; 614 } 615 616 /* signature verification */ 617 static int 618 RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 619 RSA *rsa, int padding) 620 { 621 BIGNUM *f, *ret; 622 int i, num = 0, r = -1; 623 unsigned char *p; 624 unsigned char *buf = NULL; 625 BN_CTX *ctx = NULL; 626 627 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 628 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 629 return -1; 630 } 631 632 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 633 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 634 return -1; 635 } 636 637 /* for large moduli, enforce exponent limit */ 638 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 639 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 640 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 641 return -1; 642 } 643 } 644 645 if ((ctx = BN_CTX_new()) == NULL) 646 goto err; 647 BN_CTX_start(ctx); 648 f = BN_CTX_get(ctx); 649 ret = BN_CTX_get(ctx); 650 num = BN_num_bytes(rsa->n); 651 buf = malloc(num); 652 if (!f || !ret || !buf) { 653 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 654 goto err; 655 } 656 657 /* This check was for equality but PGP does evil things 658 * and chops off the top '0' bytes */ 659 if (flen > num) { 660 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 661 RSA_R_DATA_GREATER_THAN_MOD_LEN); 662 goto err; 663 } 664 665 if (BN_bin2bn(from, flen, f) == NULL) 666 goto err; 667 668 if (BN_ucmp(f, rsa->n) >= 0) { 669 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 670 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 671 goto err; 672 } 673 674 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 675 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 676 CRYPTO_LOCK_RSA, rsa->n, ctx)) 677 goto err; 678 679 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 680 rsa->_method_mod_n)) 681 goto err; 682 683 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12) 684 if (!BN_sub(ret, rsa->n, ret)) 685 goto err; 686 687 p = buf; 688 i = BN_bn2bin(ret, p); 689 690 switch (padding) { 691 case RSA_PKCS1_PADDING: 692 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 693 break; 694 case RSA_X931_PADDING: 695 r = RSA_padding_check_X931(to, num, buf, i, num); 696 break; 697 case RSA_NO_PADDING: 698 r = RSA_padding_check_none(to, num, buf, i, num); 699 break; 700 default: 701 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 702 RSA_R_UNKNOWN_PADDING_TYPE); 703 goto err; 704 } 705 if (r < 0) 706 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 707 RSA_R_PADDING_CHECK_FAILED); 708 709 err: 710 if (ctx != NULL) { 711 BN_CTX_end(ctx); 712 BN_CTX_free(ctx); 713 } 714 if (buf != NULL) { 715 OPENSSL_cleanse(buf, num); 716 free(buf); 717 } 718 return r; 719 } 720 721 static int 722 RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 723 { 724 BIGNUM *r1, *m1, *vrfy; 725 BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 726 BIGNUM *dmp1, *dmq1, *c, *pr1; 727 int ret = 0; 728 729 BN_CTX_start(ctx); 730 r1 = BN_CTX_get(ctx); 731 m1 = BN_CTX_get(ctx); 732 vrfy = BN_CTX_get(ctx); 733 734 { 735 BIGNUM local_p, local_q; 736 BIGNUM *p = NULL, *q = NULL; 737 738 /* 739 * Make sure BN_mod_inverse in Montgomery intialization uses the 740 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 741 */ 742 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 743 BN_init(&local_p); 744 p = &local_p; 745 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 746 747 BN_init(&local_q); 748 q = &local_q; 749 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 750 } else { 751 p = rsa->p; 752 q = rsa->q; 753 } 754 755 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 756 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 757 CRYPTO_LOCK_RSA, p, ctx)) 758 goto err; 759 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 760 CRYPTO_LOCK_RSA, q, ctx)) 761 goto err; 762 } 763 } 764 765 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 766 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 767 CRYPTO_LOCK_RSA, rsa->n, ctx)) 768 goto err; 769 770 /* compute I mod q */ 771 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 772 c = &local_c; 773 BN_with_flags(c, I, BN_FLG_CONSTTIME); 774 if (!BN_mod(r1, c, rsa->q, ctx)) 775 goto err; 776 } else { 777 if (!BN_mod(r1, I, rsa->q, ctx)) 778 goto err; 779 } 780 781 /* compute r1^dmq1 mod q */ 782 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 783 dmq1 = &local_dmq1; 784 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 785 } else 786 dmq1 = rsa->dmq1; 787 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, 788 rsa->_method_mod_q)) 789 goto err; 790 791 /* compute I mod p */ 792 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 793 c = &local_c; 794 BN_with_flags(c, I, BN_FLG_CONSTTIME); 795 if (!BN_mod(r1, c, rsa->p, ctx)) 796 goto err; 797 } else { 798 if (!BN_mod(r1, I, rsa->p, ctx)) 799 goto err; 800 } 801 802 /* compute r1^dmp1 mod p */ 803 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 804 dmp1 = &local_dmp1; 805 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 806 } else 807 dmp1 = rsa->dmp1; 808 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, 809 rsa->_method_mod_p)) 810 goto err; 811 812 if (!BN_sub(r0, r0, m1)) 813 goto err; 814 /* 815 * This will help stop the size of r0 increasing, which does 816 * affect the multiply if it optimised for a power of 2 size 817 */ 818 if (BN_is_negative(r0)) 819 if (!BN_add(r0, r0, rsa->p)) 820 goto err; 821 822 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 823 goto err; 824 825 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 826 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 827 pr1 = &local_r1; 828 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 829 } else 830 pr1 = r1; 831 if (!BN_mod(r0, pr1, rsa->p, ctx)) 832 goto err; 833 834 /* 835 * If p < q it is occasionally possible for the correction of 836 * adding 'p' if r0 is negative above to leave the result still 837 * negative. This can break the private key operations: the following 838 * second correction should *always* correct this rare occurrence. 839 * This will *never* happen with OpenSSL generated keys because 840 * they ensure p > q [steve] 841 */ 842 if (BN_is_negative(r0)) 843 if (!BN_add(r0, r0, rsa->p)) 844 goto err; 845 if (!BN_mul(r1, r0, rsa->q, ctx)) 846 goto err; 847 if (!BN_add(r0, r1, m1)) 848 goto err; 849 850 if (rsa->e && rsa->n) { 851 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 852 rsa->_method_mod_n)) 853 goto err; 854 /* 855 * If 'I' was greater than (or equal to) rsa->n, the operation 856 * will be equivalent to using 'I mod n'. However, the result of 857 * the verify will *always* be less than 'n' so we don't check 858 * for absolute equality, just congruency. 859 */ 860 if (!BN_sub(vrfy, vrfy, I)) 861 goto err; 862 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 863 goto err; 864 if (BN_is_negative(vrfy)) 865 if (!BN_add(vrfy, vrfy, rsa->n)) 866 goto err; 867 if (!BN_is_zero(vrfy)) { 868 /* 869 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 870 * miscalculated CRT output, just do a raw (slower) 871 * mod_exp and return that instead. 872 */ 873 874 BIGNUM local_d; 875 BIGNUM *d = NULL; 876 877 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 878 d = &local_d; 879 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 880 } else 881 d = rsa->d; 882 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 883 rsa->_method_mod_n)) 884 goto err; 885 } 886 } 887 ret = 1; 888 err: 889 BN_CTX_end(ctx); 890 return ret; 891 } 892 893 static int 894 RSA_eay_init(RSA *rsa) 895 { 896 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 897 return 1; 898 } 899 900 static int 901 RSA_eay_finish(RSA *rsa) 902 { 903 BN_MONT_CTX_free(rsa->_method_mod_n); 904 BN_MONT_CTX_free(rsa->_method_mod_p); 905 BN_MONT_CTX_free(rsa->_method_mod_q); 906 907 return 1; 908 } 909