1 /* $OpenBSD: rsa_eay.c,v 1.49 2017/05/02 03:59:45 deraadt Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include <string.h> 114 115 #include <openssl/opensslconf.h> 116 117 #include <openssl/bn.h> 118 #include <openssl/err.h> 119 #include <openssl/rsa.h> 120 121 #include "bn_lcl.h" 122 123 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 124 unsigned char *to, RSA *rsa, int padding); 125 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 126 unsigned char *to, RSA *rsa, int padding); 127 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 128 unsigned char *to, RSA *rsa, int padding); 129 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 130 unsigned char *to, RSA *rsa, int padding); 131 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 132 static int RSA_eay_init(RSA *rsa); 133 static int RSA_eay_finish(RSA *rsa); 134 135 static RSA_METHOD rsa_pkcs1_eay_meth = { 136 .name = "Eric Young's PKCS#1 RSA", 137 .rsa_pub_enc = RSA_eay_public_encrypt, 138 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */ 139 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */ 140 .rsa_priv_dec = RSA_eay_private_decrypt, 141 .rsa_mod_exp = RSA_eay_mod_exp, 142 .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if e == 3 */ 143 .init = RSA_eay_init, 144 .finish = RSA_eay_finish, 145 }; 146 147 const RSA_METHOD * 148 RSA_PKCS1_SSLeay(void) 149 { 150 return &rsa_pkcs1_eay_meth; 151 } 152 153 static int 154 RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 155 RSA *rsa, int padding) 156 { 157 BIGNUM *f, *ret; 158 int i, j, k, num = 0, r = -1; 159 unsigned char *buf = NULL; 160 BN_CTX *ctx = NULL; 161 162 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 163 RSAerror(RSA_R_MODULUS_TOO_LARGE); 164 return -1; 165 } 166 167 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 168 RSAerror(RSA_R_BAD_E_VALUE); 169 return -1; 170 } 171 172 /* for large moduli, enforce exponent limit */ 173 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 174 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 175 RSAerror(RSA_R_BAD_E_VALUE); 176 return -1; 177 } 178 } 179 180 if ((ctx = BN_CTX_new()) == NULL) 181 goto err; 182 183 BN_CTX_start(ctx); 184 f = BN_CTX_get(ctx); 185 ret = BN_CTX_get(ctx); 186 num = BN_num_bytes(rsa->n); 187 buf = malloc(num); 188 189 if (f == NULL || ret == NULL || buf == NULL) { 190 RSAerror(ERR_R_MALLOC_FAILURE); 191 goto err; 192 } 193 194 switch (padding) { 195 case RSA_PKCS1_PADDING: 196 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 197 break; 198 #ifndef OPENSSL_NO_SHA 199 case RSA_PKCS1_OAEP_PADDING: 200 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 201 break; 202 #endif 203 case RSA_SSLV23_PADDING: 204 i = RSA_padding_add_SSLv23(buf, num, from, flen); 205 break; 206 case RSA_NO_PADDING: 207 i = RSA_padding_add_none(buf, num, from, flen); 208 break; 209 default: 210 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 211 goto err; 212 } 213 if (i <= 0) 214 goto err; 215 216 if (BN_bin2bn(buf, num, f) == NULL) 217 goto err; 218 219 if (BN_ucmp(f, rsa->n) >= 0) { 220 /* usually the padding functions would catch this */ 221 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 222 goto err; 223 } 224 225 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 226 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 227 CRYPTO_LOCK_RSA, rsa->n, ctx)) 228 goto err; 229 230 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 231 rsa->_method_mod_n)) 232 goto err; 233 234 /* put in leading 0 bytes if the number is less than the 235 * length of the modulus */ 236 j = BN_num_bytes(ret); 237 i = BN_bn2bin(ret, &(to[num - j])); 238 for (k = 0; k < num - i; k++) 239 to[k] = 0; 240 241 r = num; 242 err: 243 if (ctx != NULL) { 244 BN_CTX_end(ctx); 245 BN_CTX_free(ctx); 246 } 247 freezero(buf, num); 248 return r; 249 } 250 251 static BN_BLINDING * 252 rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 253 { 254 BN_BLINDING *ret; 255 int got_write_lock = 0; 256 CRYPTO_THREADID cur; 257 258 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 259 260 if (rsa->blinding == NULL) { 261 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 262 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 263 got_write_lock = 1; 264 265 if (rsa->blinding == NULL) 266 rsa->blinding = RSA_setup_blinding(rsa, ctx); 267 } 268 269 ret = rsa->blinding; 270 if (ret == NULL) 271 goto err; 272 273 CRYPTO_THREADID_current(&cur); 274 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 275 /* rsa->blinding is ours! */ 276 *local = 1; 277 } else { 278 /* resort to rsa->mt_blinding instead */ 279 /* 280 * Instruct rsa_blinding_convert(), rsa_blinding_invert() 281 * that the BN_BLINDING is shared, meaning that accesses 282 * require locks, and that the blinding factor must be 283 * stored outside the BN_BLINDING 284 */ 285 *local = 0; 286 287 if (rsa->mt_blinding == NULL) { 288 if (!got_write_lock) { 289 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 290 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 291 got_write_lock = 1; 292 } 293 294 if (rsa->mt_blinding == NULL) 295 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 296 } 297 ret = rsa->mt_blinding; 298 } 299 300 err: 301 if (got_write_lock) 302 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 303 else 304 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 305 return ret; 306 } 307 308 static int 309 rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 310 { 311 if (unblind == NULL) 312 /* 313 * Local blinding: store the unblinding factor 314 * in BN_BLINDING. 315 */ 316 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 317 else { 318 /* 319 * Shared blinding: store the unblinding factor 320 * outside BN_BLINDING. 321 */ 322 int ret; 323 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 324 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 325 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 326 return ret; 327 } 328 } 329 330 static int 331 rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 332 { 333 /* 334 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 335 * will use the unblinding factor stored in BN_BLINDING. 336 * If BN_BLINDING is shared between threads, unblind must be non-null: 337 * BN_BLINDING_invert_ex will then use the local unblinding factor, 338 * and will only read the modulus from BN_BLINDING. 339 * In both cases it's safe to access the blinding without a lock. 340 */ 341 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 342 } 343 344 /* signing */ 345 static int 346 RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 347 RSA *rsa, int padding) 348 { 349 BIGNUM *f, *ret, *res; 350 int i, j, k, num = 0, r = -1; 351 unsigned char *buf = NULL; 352 BN_CTX *ctx = NULL; 353 int local_blinding = 0; 354 /* 355 * Used only if the blinding structure is shared. A non-NULL unblind 356 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 357 * the unblinding factor outside the blinding structure. 358 */ 359 BIGNUM *unblind = NULL; 360 BN_BLINDING *blinding = NULL; 361 362 if ((ctx = BN_CTX_new()) == NULL) 363 goto err; 364 365 BN_CTX_start(ctx); 366 f = BN_CTX_get(ctx); 367 ret = BN_CTX_get(ctx); 368 num = BN_num_bytes(rsa->n); 369 buf = malloc(num); 370 371 if (f == NULL || ret == NULL || buf == NULL) { 372 RSAerror(ERR_R_MALLOC_FAILURE); 373 goto err; 374 } 375 376 switch (padding) { 377 case RSA_PKCS1_PADDING: 378 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 379 break; 380 case RSA_X931_PADDING: 381 i = RSA_padding_add_X931(buf, num, from, flen); 382 break; 383 case RSA_NO_PADDING: 384 i = RSA_padding_add_none(buf, num, from, flen); 385 break; 386 case RSA_SSLV23_PADDING: 387 default: 388 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 389 goto err; 390 } 391 if (i <= 0) 392 goto err; 393 394 if (BN_bin2bn(buf, num, f) == NULL) 395 goto err; 396 397 if (BN_ucmp(f, rsa->n) >= 0) { 398 /* usually the padding functions would catch this */ 399 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 400 goto err; 401 } 402 403 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 404 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 405 if (blinding == NULL) { 406 RSAerror(ERR_R_INTERNAL_ERROR); 407 goto err; 408 } 409 } 410 411 if (blinding != NULL) { 412 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 413 RSAerror(ERR_R_MALLOC_FAILURE); 414 goto err; 415 } 416 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 417 goto err; 418 } 419 420 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 421 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 422 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 423 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 424 goto err; 425 } else { 426 BIGNUM d; 427 428 BN_init(&d); 429 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 430 431 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 432 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 433 CRYPTO_LOCK_RSA, rsa->n, ctx)) 434 goto err; 435 436 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 437 rsa->_method_mod_n)) { 438 goto err; 439 } 440 } 441 442 if (blinding) 443 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 444 goto err; 445 446 if (padding == RSA_X931_PADDING) { 447 BN_sub(f, rsa->n, ret); 448 if (BN_cmp(ret, f) > 0) 449 res = f; 450 else 451 res = ret; 452 } else 453 res = ret; 454 455 /* put in leading 0 bytes if the number is less than the 456 * length of the modulus */ 457 j = BN_num_bytes(res); 458 i = BN_bn2bin(res, &(to[num - j])); 459 for (k = 0; k < num - i; k++) 460 to[k] = 0; 461 462 r = num; 463 err: 464 if (ctx != NULL) { 465 BN_CTX_end(ctx); 466 BN_CTX_free(ctx); 467 } 468 freezero(buf, num); 469 return r; 470 } 471 472 static int 473 RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 474 RSA *rsa, int padding) 475 { 476 BIGNUM *f, *ret; 477 int j, num = 0, r = -1; 478 unsigned char *p; 479 unsigned char *buf = NULL; 480 BN_CTX *ctx = NULL; 481 int local_blinding = 0; 482 /* 483 * Used only if the blinding structure is shared. A non-NULL unblind 484 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 485 * the unblinding factor outside the blinding structure. 486 */ 487 BIGNUM *unblind = NULL; 488 BN_BLINDING *blinding = NULL; 489 490 if ((ctx = BN_CTX_new()) == NULL) 491 goto err; 492 493 BN_CTX_start(ctx); 494 f = BN_CTX_get(ctx); 495 ret = BN_CTX_get(ctx); 496 num = BN_num_bytes(rsa->n); 497 buf = malloc(num); 498 499 if (!f || !ret || !buf) { 500 RSAerror(ERR_R_MALLOC_FAILURE); 501 goto err; 502 } 503 504 /* This check was for equality but PGP does evil things 505 * and chops off the top '0' bytes */ 506 if (flen > num) { 507 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 508 goto err; 509 } 510 511 /* make data into a big number */ 512 if (BN_bin2bn(from, (int)flen, f) == NULL) 513 goto err; 514 515 if (BN_ucmp(f, rsa->n) >= 0) { 516 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 517 goto err; 518 } 519 520 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 521 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 522 if (blinding == NULL) { 523 RSAerror(ERR_R_INTERNAL_ERROR); 524 goto err; 525 } 526 } 527 528 if (blinding != NULL) { 529 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 530 RSAerror(ERR_R_MALLOC_FAILURE); 531 goto err; 532 } 533 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 534 goto err; 535 } 536 537 /* do the decrypt */ 538 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 539 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 540 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 541 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 542 goto err; 543 } else { 544 BIGNUM d; 545 546 BN_init(&d); 547 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 548 549 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 550 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 551 CRYPTO_LOCK_RSA, rsa->n, ctx)) 552 goto err; 553 554 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 555 rsa->_method_mod_n)) { 556 goto err; 557 } 558 } 559 560 if (blinding) 561 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 562 goto err; 563 564 p = buf; 565 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 566 567 switch (padding) { 568 case RSA_PKCS1_PADDING: 569 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 570 break; 571 #ifndef OPENSSL_NO_SHA 572 case RSA_PKCS1_OAEP_PADDING: 573 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 574 break; 575 #endif 576 case RSA_SSLV23_PADDING: 577 r = RSA_padding_check_SSLv23(to, num, buf, j, num); 578 break; 579 case RSA_NO_PADDING: 580 r = RSA_padding_check_none(to, num, buf, j, num); 581 break; 582 default: 583 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 584 goto err; 585 } 586 if (r < 0) 587 RSAerror(RSA_R_PADDING_CHECK_FAILED); 588 589 err: 590 if (ctx != NULL) { 591 BN_CTX_end(ctx); 592 BN_CTX_free(ctx); 593 } 594 freezero(buf, num); 595 return r; 596 } 597 598 /* signature verification */ 599 static int 600 RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 601 RSA *rsa, int padding) 602 { 603 BIGNUM *f, *ret; 604 int i, num = 0, r = -1; 605 unsigned char *p; 606 unsigned char *buf = NULL; 607 BN_CTX *ctx = NULL; 608 609 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 610 RSAerror(RSA_R_MODULUS_TOO_LARGE); 611 return -1; 612 } 613 614 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 615 RSAerror(RSA_R_BAD_E_VALUE); 616 return -1; 617 } 618 619 /* for large moduli, enforce exponent limit */ 620 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 621 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 622 RSAerror(RSA_R_BAD_E_VALUE); 623 return -1; 624 } 625 } 626 627 if ((ctx = BN_CTX_new()) == NULL) 628 goto err; 629 630 BN_CTX_start(ctx); 631 f = BN_CTX_get(ctx); 632 ret = BN_CTX_get(ctx); 633 num = BN_num_bytes(rsa->n); 634 buf = malloc(num); 635 636 if (!f || !ret || !buf) { 637 RSAerror(ERR_R_MALLOC_FAILURE); 638 goto err; 639 } 640 641 /* This check was for equality but PGP does evil things 642 * and chops off the top '0' bytes */ 643 if (flen > num) { 644 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 645 goto err; 646 } 647 648 if (BN_bin2bn(from, flen, f) == NULL) 649 goto err; 650 651 if (BN_ucmp(f, rsa->n) >= 0) { 652 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 653 goto err; 654 } 655 656 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 657 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 658 CRYPTO_LOCK_RSA, rsa->n, ctx)) 659 goto err; 660 661 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 662 rsa->_method_mod_n)) 663 goto err; 664 665 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12) 666 if (!BN_sub(ret, rsa->n, ret)) 667 goto err; 668 669 p = buf; 670 i = BN_bn2bin(ret, p); 671 672 switch (padding) { 673 case RSA_PKCS1_PADDING: 674 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 675 break; 676 case RSA_X931_PADDING: 677 r = RSA_padding_check_X931(to, num, buf, i, num); 678 break; 679 case RSA_NO_PADDING: 680 r = RSA_padding_check_none(to, num, buf, i, num); 681 break; 682 default: 683 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 684 goto err; 685 } 686 if (r < 0) 687 RSAerror(RSA_R_PADDING_CHECK_FAILED); 688 689 err: 690 if (ctx != NULL) { 691 BN_CTX_end(ctx); 692 BN_CTX_free(ctx); 693 } 694 freezero(buf, num); 695 return r; 696 } 697 698 static int 699 RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 700 { 701 BIGNUM *r1, *m1, *vrfy; 702 BIGNUM dmp1, dmq1, c, pr1; 703 int ret = 0; 704 705 BN_CTX_start(ctx); 706 r1 = BN_CTX_get(ctx); 707 m1 = BN_CTX_get(ctx); 708 vrfy = BN_CTX_get(ctx); 709 if (r1 == NULL || m1 == NULL || vrfy == NULL) { 710 RSAerror(ERR_R_MALLOC_FAILURE); 711 goto err; 712 } 713 714 { 715 BIGNUM p, q; 716 717 /* 718 * Make sure BN_mod_inverse in Montgomery intialization uses the 719 * BN_FLG_CONSTTIME flag 720 */ 721 BN_init(&p); 722 BN_init(&q); 723 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); 724 BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); 725 726 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 727 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 728 CRYPTO_LOCK_RSA, &p, ctx) || 729 !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 730 CRYPTO_LOCK_RSA, &q, ctx)) { 731 goto err; 732 } 733 } 734 } 735 736 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 737 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 738 CRYPTO_LOCK_RSA, rsa->n, ctx)) 739 goto err; 740 741 /* compute I mod q */ 742 BN_init(&c); 743 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 744 745 if (!BN_mod_ct(r1, &c, rsa->q, ctx)) 746 goto err; 747 748 /* compute r1^dmq1 mod q */ 749 BN_init(&dmq1); 750 BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 751 752 if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, 753 rsa->_method_mod_q)) 754 goto err; 755 756 /* compute I mod p */ 757 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 758 759 if (!BN_mod_ct(r1, &c, rsa->p, ctx)) 760 goto err; 761 762 /* compute r1^dmp1 mod p */ 763 BN_init(&dmp1); 764 BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 765 766 if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, 767 rsa->_method_mod_p)) 768 goto err; 769 770 if (!BN_sub(r0, r0, m1)) 771 goto err; 772 773 /* 774 * This will help stop the size of r0 increasing, which does 775 * affect the multiply if it optimised for a power of 2 size 776 */ 777 if (BN_is_negative(r0)) 778 if (!BN_add(r0, r0, rsa->p)) 779 goto err; 780 781 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 782 goto err; 783 784 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 785 BN_init(&pr1); 786 BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); 787 788 if (!BN_mod_ct(r0, &pr1, rsa->p, ctx)) 789 goto err; 790 791 /* 792 * If p < q it is occasionally possible for the correction of 793 * adding 'p' if r0 is negative above to leave the result still 794 * negative. This can break the private key operations: the following 795 * second correction should *always* correct this rare occurrence. 796 * This will *never* happen with OpenSSL generated keys because 797 * they ensure p > q [steve] 798 */ 799 if (BN_is_negative(r0)) 800 if (!BN_add(r0, r0, rsa->p)) 801 goto err; 802 if (!BN_mul(r1, r0, rsa->q, ctx)) 803 goto err; 804 if (!BN_add(r0, r1, m1)) 805 goto err; 806 807 if (rsa->e && rsa->n) { 808 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 809 rsa->_method_mod_n)) 810 goto err; 811 /* 812 * If 'I' was greater than (or equal to) rsa->n, the operation 813 * will be equivalent to using 'I mod n'. However, the result of 814 * the verify will *always* be less than 'n' so we don't check 815 * for absolute equality, just congruency. 816 */ 817 if (!BN_sub(vrfy, vrfy, I)) 818 goto err; 819 if (!BN_mod_ct(vrfy, vrfy, rsa->n, ctx)) 820 goto err; 821 if (BN_is_negative(vrfy)) 822 if (!BN_add(vrfy, vrfy, rsa->n)) 823 goto err; 824 if (!BN_is_zero(vrfy)) { 825 /* 826 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 827 * miscalculated CRT output, just do a raw (slower) 828 * mod_exp and return that instead. 829 */ 830 BIGNUM d; 831 832 BN_init(&d); 833 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 834 835 if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, 836 rsa->_method_mod_n)) { 837 goto err; 838 } 839 } 840 } 841 ret = 1; 842 err: 843 BN_CTX_end(ctx); 844 return ret; 845 } 846 847 static int 848 RSA_eay_init(RSA *rsa) 849 { 850 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 851 return 1; 852 } 853 854 static int 855 RSA_eay_finish(RSA *rsa) 856 { 857 BN_MONT_CTX_free(rsa->_method_mod_n); 858 BN_MONT_CTX_free(rsa->_method_mod_p); 859 BN_MONT_CTX_free(rsa->_method_mod_q); 860 861 return 1; 862 } 863