1 /* $OpenBSD: rsa_eay.c,v 1.57 2023/04/05 11:30:12 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include <string.h> 114 115 #include <openssl/opensslconf.h> 116 117 #include <openssl/bn.h> 118 #include <openssl/err.h> 119 #include <openssl/rsa.h> 120 121 #include "bn_local.h" 122 #include "rsa_local.h" 123 124 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 125 unsigned char *to, RSA *rsa, int padding); 126 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 127 unsigned char *to, RSA *rsa, int padding); 128 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 129 unsigned char *to, RSA *rsa, int padding); 130 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 131 unsigned char *to, RSA *rsa, int padding); 132 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 133 static int RSA_eay_init(RSA *rsa); 134 static int RSA_eay_finish(RSA *rsa); 135 136 static RSA_METHOD rsa_pkcs1_eay_meth = { 137 .name = "Eric Young's PKCS#1 RSA", 138 .rsa_pub_enc = RSA_eay_public_encrypt, 139 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */ 140 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */ 141 .rsa_priv_dec = RSA_eay_private_decrypt, 142 .rsa_mod_exp = RSA_eay_mod_exp, 143 .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if e == 3 */ 144 .init = RSA_eay_init, 145 .finish = RSA_eay_finish, 146 }; 147 148 const RSA_METHOD * 149 RSA_PKCS1_OpenSSL(void) 150 { 151 return &rsa_pkcs1_eay_meth; 152 } 153 154 const RSA_METHOD * 155 RSA_PKCS1_SSLeay(void) 156 { 157 return &rsa_pkcs1_eay_meth; 158 } 159 160 static int 161 RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 162 RSA *rsa, int padding) 163 { 164 BIGNUM *f, *ret; 165 int i, j, k, num = 0, r = -1; 166 unsigned char *buf = NULL; 167 BN_CTX *ctx = NULL; 168 169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 170 RSAerror(RSA_R_MODULUS_TOO_LARGE); 171 return -1; 172 } 173 174 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 175 RSAerror(RSA_R_BAD_E_VALUE); 176 return -1; 177 } 178 179 /* for large moduli, enforce exponent limit */ 180 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 181 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 182 RSAerror(RSA_R_BAD_E_VALUE); 183 return -1; 184 } 185 } 186 187 if ((ctx = BN_CTX_new()) == NULL) 188 goto err; 189 190 BN_CTX_start(ctx); 191 f = BN_CTX_get(ctx); 192 ret = BN_CTX_get(ctx); 193 num = BN_num_bytes(rsa->n); 194 buf = malloc(num); 195 196 if (f == NULL || ret == NULL || buf == NULL) { 197 RSAerror(ERR_R_MALLOC_FAILURE); 198 goto err; 199 } 200 201 switch (padding) { 202 case RSA_PKCS1_PADDING: 203 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 204 break; 205 #ifndef OPENSSL_NO_SHA 206 case RSA_PKCS1_OAEP_PADDING: 207 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 208 break; 209 #endif 210 case RSA_NO_PADDING: 211 i = RSA_padding_add_none(buf, num, from, flen); 212 break; 213 default: 214 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 215 goto err; 216 } 217 if (i <= 0) 218 goto err; 219 220 if (BN_bin2bn(buf, num, f) == NULL) 221 goto err; 222 223 if (BN_ucmp(f, rsa->n) >= 0) { 224 /* usually the padding functions would catch this */ 225 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 226 goto err; 227 } 228 229 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 230 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 231 CRYPTO_LOCK_RSA, rsa->n, ctx)) 232 goto err; 233 234 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 235 rsa->_method_mod_n)) 236 goto err; 237 238 /* put in leading 0 bytes if the number is less than the 239 * length of the modulus */ 240 j = BN_num_bytes(ret); 241 i = BN_bn2bin(ret, &(to[num - j])); 242 for (k = 0; k < num - i; k++) 243 to[k] = 0; 244 245 r = num; 246 err: 247 if (ctx != NULL) { 248 BN_CTX_end(ctx); 249 BN_CTX_free(ctx); 250 } 251 freezero(buf, num); 252 return r; 253 } 254 255 static BN_BLINDING * 256 rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 257 { 258 BN_BLINDING *ret; 259 int got_write_lock = 0; 260 CRYPTO_THREADID cur; 261 262 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 263 264 if (rsa->blinding == NULL) { 265 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 266 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 267 got_write_lock = 1; 268 269 if (rsa->blinding == NULL) 270 rsa->blinding = RSA_setup_blinding(rsa, ctx); 271 } 272 273 ret = rsa->blinding; 274 if (ret == NULL) 275 goto err; 276 277 CRYPTO_THREADID_current(&cur); 278 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 279 /* rsa->blinding is ours! */ 280 *local = 1; 281 } else { 282 /* resort to rsa->mt_blinding instead */ 283 /* 284 * Instruct rsa_blinding_convert(), rsa_blinding_invert() 285 * that the BN_BLINDING is shared, meaning that accesses 286 * require locks, and that the blinding factor must be 287 * stored outside the BN_BLINDING 288 */ 289 *local = 0; 290 291 if (rsa->mt_blinding == NULL) { 292 if (!got_write_lock) { 293 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 294 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 295 got_write_lock = 1; 296 } 297 298 if (rsa->mt_blinding == NULL) 299 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 300 } 301 ret = rsa->mt_blinding; 302 } 303 304 err: 305 if (got_write_lock) 306 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 307 else 308 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 309 return ret; 310 } 311 312 static int 313 rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 314 { 315 if (unblind == NULL) 316 /* 317 * Local blinding: store the unblinding factor 318 * in BN_BLINDING. 319 */ 320 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 321 else { 322 /* 323 * Shared blinding: store the unblinding factor 324 * outside BN_BLINDING. 325 */ 326 int ret; 327 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 328 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 329 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 330 return ret; 331 } 332 } 333 334 static int 335 rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 336 { 337 /* 338 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 339 * will use the unblinding factor stored in BN_BLINDING. 340 * If BN_BLINDING is shared between threads, unblind must be non-null: 341 * BN_BLINDING_invert_ex will then use the local unblinding factor, 342 * and will only read the modulus from BN_BLINDING. 343 * In both cases it's safe to access the blinding without a lock. 344 */ 345 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 346 } 347 348 /* signing */ 349 static int 350 RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 351 RSA *rsa, int padding) 352 { 353 BIGNUM *f, *ret, *res; 354 int i, j, k, num = 0, r = -1; 355 unsigned char *buf = NULL; 356 BN_CTX *ctx = NULL; 357 int local_blinding = 0; 358 /* 359 * Used only if the blinding structure is shared. A non-NULL unblind 360 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 361 * the unblinding factor outside the blinding structure. 362 */ 363 BIGNUM *unblind = NULL; 364 BN_BLINDING *blinding = NULL; 365 366 if ((ctx = BN_CTX_new()) == NULL) 367 goto err; 368 369 BN_CTX_start(ctx); 370 f = BN_CTX_get(ctx); 371 ret = BN_CTX_get(ctx); 372 num = BN_num_bytes(rsa->n); 373 buf = malloc(num); 374 375 if (f == NULL || ret == NULL || buf == NULL) { 376 RSAerror(ERR_R_MALLOC_FAILURE); 377 goto err; 378 } 379 380 switch (padding) { 381 case RSA_PKCS1_PADDING: 382 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 383 break; 384 case RSA_X931_PADDING: 385 i = RSA_padding_add_X931(buf, num, from, flen); 386 break; 387 case RSA_NO_PADDING: 388 i = RSA_padding_add_none(buf, num, from, flen); 389 break; 390 default: 391 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 392 goto err; 393 } 394 if (i <= 0) 395 goto err; 396 397 if (BN_bin2bn(buf, num, f) == NULL) 398 goto err; 399 400 if (BN_ucmp(f, rsa->n) >= 0) { 401 /* usually the padding functions would catch this */ 402 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 403 goto err; 404 } 405 406 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 407 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 408 CRYPTO_LOCK_RSA, rsa->n, ctx)) 409 goto err; 410 } 411 412 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 413 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 414 if (blinding == NULL) { 415 RSAerror(ERR_R_INTERNAL_ERROR); 416 goto err; 417 } 418 } 419 420 if (blinding != NULL) { 421 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 422 RSAerror(ERR_R_MALLOC_FAILURE); 423 goto err; 424 } 425 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 426 goto err; 427 } 428 429 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 430 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 431 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 432 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 433 goto err; 434 } else { 435 BIGNUM d; 436 437 BN_init(&d); 438 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 439 440 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 441 rsa->_method_mod_n)) { 442 goto err; 443 } 444 } 445 446 if (blinding) 447 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 448 goto err; 449 450 if (padding == RSA_X931_PADDING) { 451 if (!BN_sub(f, rsa->n, ret)) 452 goto err; 453 if (BN_cmp(ret, f) > 0) 454 res = f; 455 else 456 res = ret; 457 } else 458 res = ret; 459 460 /* put in leading 0 bytes if the number is less than the 461 * length of the modulus */ 462 j = BN_num_bytes(res); 463 i = BN_bn2bin(res, &(to[num - j])); 464 for (k = 0; k < num - i; k++) 465 to[k] = 0; 466 467 r = num; 468 err: 469 if (ctx != NULL) { 470 BN_CTX_end(ctx); 471 BN_CTX_free(ctx); 472 } 473 freezero(buf, num); 474 return r; 475 } 476 477 static int 478 RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 479 RSA *rsa, int padding) 480 { 481 BIGNUM *f, *ret; 482 int j, num = 0, r = -1; 483 unsigned char *p; 484 unsigned char *buf = NULL; 485 BN_CTX *ctx = NULL; 486 int local_blinding = 0; 487 /* 488 * Used only if the blinding structure is shared. A non-NULL unblind 489 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 490 * the unblinding factor outside the blinding structure. 491 */ 492 BIGNUM *unblind = NULL; 493 BN_BLINDING *blinding = NULL; 494 495 if ((ctx = BN_CTX_new()) == NULL) 496 goto err; 497 498 BN_CTX_start(ctx); 499 f = BN_CTX_get(ctx); 500 ret = BN_CTX_get(ctx); 501 num = BN_num_bytes(rsa->n); 502 buf = malloc(num); 503 504 if (!f || !ret || !buf) { 505 RSAerror(ERR_R_MALLOC_FAILURE); 506 goto err; 507 } 508 509 /* This check was for equality but PGP does evil things 510 * and chops off the top '0' bytes */ 511 if (flen > num) { 512 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 513 goto err; 514 } 515 516 /* make data into a big number */ 517 if (BN_bin2bn(from, (int)flen, f) == NULL) 518 goto err; 519 520 if (BN_ucmp(f, rsa->n) >= 0) { 521 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 522 goto err; 523 } 524 525 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 526 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 527 CRYPTO_LOCK_RSA, rsa->n, ctx)) 528 goto err; 529 } 530 531 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 532 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 533 if (blinding == NULL) { 534 RSAerror(ERR_R_INTERNAL_ERROR); 535 goto err; 536 } 537 } 538 539 if (blinding != NULL) { 540 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 541 RSAerror(ERR_R_MALLOC_FAILURE); 542 goto err; 543 } 544 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 545 goto err; 546 } 547 548 /* do the decrypt */ 549 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 550 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 551 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 552 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 553 goto err; 554 } else { 555 BIGNUM d; 556 557 BN_init(&d); 558 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 559 560 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 561 rsa->_method_mod_n)) { 562 goto err; 563 } 564 } 565 566 if (blinding) 567 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 568 goto err; 569 570 p = buf; 571 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 572 573 switch (padding) { 574 case RSA_PKCS1_PADDING: 575 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 576 break; 577 #ifndef OPENSSL_NO_SHA 578 case RSA_PKCS1_OAEP_PADDING: 579 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 580 break; 581 #endif 582 case RSA_NO_PADDING: 583 r = RSA_padding_check_none(to, num, buf, j, num); 584 break; 585 default: 586 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 587 goto err; 588 } 589 if (r < 0) 590 RSAerror(RSA_R_PADDING_CHECK_FAILED); 591 592 err: 593 if (ctx != NULL) { 594 BN_CTX_end(ctx); 595 BN_CTX_free(ctx); 596 } 597 freezero(buf, num); 598 return r; 599 } 600 601 /* signature verification */ 602 static int 603 RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 604 RSA *rsa, int padding) 605 { 606 BIGNUM *f, *ret; 607 int i, num = 0, r = -1; 608 unsigned char *p; 609 unsigned char *buf = NULL; 610 BN_CTX *ctx = NULL; 611 612 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 613 RSAerror(RSA_R_MODULUS_TOO_LARGE); 614 return -1; 615 } 616 617 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 618 RSAerror(RSA_R_BAD_E_VALUE); 619 return -1; 620 } 621 622 /* for large moduli, enforce exponent limit */ 623 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 624 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 625 RSAerror(RSA_R_BAD_E_VALUE); 626 return -1; 627 } 628 } 629 630 if ((ctx = BN_CTX_new()) == NULL) 631 goto err; 632 633 BN_CTX_start(ctx); 634 f = BN_CTX_get(ctx); 635 ret = BN_CTX_get(ctx); 636 num = BN_num_bytes(rsa->n); 637 buf = malloc(num); 638 639 if (!f || !ret || !buf) { 640 RSAerror(ERR_R_MALLOC_FAILURE); 641 goto err; 642 } 643 644 /* This check was for equality but PGP does evil things 645 * and chops off the top '0' bytes */ 646 if (flen > num) { 647 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 648 goto err; 649 } 650 651 if (BN_bin2bn(from, flen, f) == NULL) 652 goto err; 653 654 if (BN_ucmp(f, rsa->n) >= 0) { 655 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 656 goto err; 657 } 658 659 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 660 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 661 CRYPTO_LOCK_RSA, rsa->n, ctx)) 662 goto err; 663 664 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 665 rsa->_method_mod_n)) 666 goto err; 667 668 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12) 669 if (!BN_sub(ret, rsa->n, ret)) 670 goto err; 671 672 p = buf; 673 i = BN_bn2bin(ret, p); 674 675 switch (padding) { 676 case RSA_PKCS1_PADDING: 677 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 678 break; 679 case RSA_X931_PADDING: 680 r = RSA_padding_check_X931(to, num, buf, i, num); 681 break; 682 case RSA_NO_PADDING: 683 r = RSA_padding_check_none(to, num, buf, i, num); 684 break; 685 default: 686 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 687 goto err; 688 } 689 if (r < 0) 690 RSAerror(RSA_R_PADDING_CHECK_FAILED); 691 692 err: 693 if (ctx != NULL) { 694 BN_CTX_end(ctx); 695 BN_CTX_free(ctx); 696 } 697 freezero(buf, num); 698 return r; 699 } 700 701 static int 702 RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 703 { 704 BIGNUM *r1, *m1, *vrfy; 705 BIGNUM dmp1, dmq1, c, pr1; 706 int ret = 0; 707 708 BN_CTX_start(ctx); 709 r1 = BN_CTX_get(ctx); 710 m1 = BN_CTX_get(ctx); 711 vrfy = BN_CTX_get(ctx); 712 if (r1 == NULL || m1 == NULL || vrfy == NULL) { 713 RSAerror(ERR_R_MALLOC_FAILURE); 714 goto err; 715 } 716 717 { 718 BIGNUM p, q; 719 720 /* 721 * Make sure BN_mod_inverse in Montgomery initialization uses the 722 * BN_FLG_CONSTTIME flag 723 */ 724 BN_init(&p); 725 BN_init(&q); 726 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); 727 BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); 728 729 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 730 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 731 CRYPTO_LOCK_RSA, &p, ctx) || 732 !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 733 CRYPTO_LOCK_RSA, &q, ctx)) { 734 goto err; 735 } 736 } 737 } 738 739 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 740 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 741 CRYPTO_LOCK_RSA, rsa->n, ctx)) 742 goto err; 743 744 /* compute I mod q */ 745 BN_init(&c); 746 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 747 748 if (!BN_mod_ct(r1, &c, rsa->q, ctx)) 749 goto err; 750 751 /* compute r1^dmq1 mod q */ 752 BN_init(&dmq1); 753 BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 754 755 if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, 756 rsa->_method_mod_q)) 757 goto err; 758 759 /* compute I mod p */ 760 BN_init(&c); 761 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 762 763 if (!BN_mod_ct(r1, &c, rsa->p, ctx)) 764 goto err; 765 766 /* compute r1^dmp1 mod p */ 767 BN_init(&dmp1); 768 BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 769 770 if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, 771 rsa->_method_mod_p)) 772 goto err; 773 774 if (!BN_sub(r0, r0, m1)) 775 goto err; 776 777 /* 778 * This will help stop the size of r0 increasing, which does 779 * affect the multiply if it optimised for a power of 2 size 780 */ 781 if (BN_is_negative(r0)) 782 if (!BN_add(r0, r0, rsa->p)) 783 goto err; 784 785 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 786 goto err; 787 788 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 789 BN_init(&pr1); 790 BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); 791 792 if (!BN_mod_ct(r0, &pr1, rsa->p, ctx)) 793 goto err; 794 795 /* 796 * If p < q it is occasionally possible for the correction of 797 * adding 'p' if r0 is negative above to leave the result still 798 * negative. This can break the private key operations: the following 799 * second correction should *always* correct this rare occurrence. 800 * This will *never* happen with OpenSSL generated keys because 801 * they ensure p > q [steve] 802 */ 803 if (BN_is_negative(r0)) 804 if (!BN_add(r0, r0, rsa->p)) 805 goto err; 806 if (!BN_mul(r1, r0, rsa->q, ctx)) 807 goto err; 808 if (!BN_add(r0, r1, m1)) 809 goto err; 810 811 if (rsa->e && rsa->n) { 812 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 813 rsa->_method_mod_n)) 814 goto err; 815 /* 816 * If 'I' was greater than (or equal to) rsa->n, the operation 817 * will be equivalent to using 'I mod n'. However, the result of 818 * the verify will *always* be less than 'n' so we don't check 819 * for absolute equality, just congruency. 820 */ 821 if (!BN_sub(vrfy, vrfy, I)) 822 goto err; 823 if (!BN_mod_ct(vrfy, vrfy, rsa->n, ctx)) 824 goto err; 825 if (BN_is_negative(vrfy)) 826 if (!BN_add(vrfy, vrfy, rsa->n)) 827 goto err; 828 if (!BN_is_zero(vrfy)) { 829 /* 830 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 831 * miscalculated CRT output, just do a raw (slower) 832 * mod_exp and return that instead. 833 */ 834 BIGNUM d; 835 836 BN_init(&d); 837 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 838 839 if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, 840 rsa->_method_mod_n)) { 841 goto err; 842 } 843 } 844 } 845 ret = 1; 846 err: 847 BN_CTX_end(ctx); 848 return ret; 849 } 850 851 static int 852 RSA_eay_init(RSA *rsa) 853 { 854 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 855 return 1; 856 } 857 858 static int 859 RSA_eay_finish(RSA *rsa) 860 { 861 BN_MONT_CTX_free(rsa->_method_mod_n); 862 BN_MONT_CTX_free(rsa->_method_mod_p); 863 BN_MONT_CTX_free(rsa->_method_mod_q); 864 865 return 1; 866 } 867