1 /* crypto/rsa/rsa_eay.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include "cryptlib.h" 114 #include <openssl/bn.h> 115 #include <openssl/rsa.h> 116 #include <openssl/rand.h> 117 118 #if !defined(RSA_NULL) && !defined(OPENSSL_FIPS) 119 120 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 121 unsigned char *to, RSA *rsa,int padding); 122 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 123 unsigned char *to, RSA *rsa,int padding); 124 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 125 unsigned char *to, RSA *rsa,int padding); 126 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 127 unsigned char *to, RSA *rsa,int padding); 128 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); 129 static int RSA_eay_init(RSA *rsa); 130 static int RSA_eay_finish(RSA *rsa); 131 static RSA_METHOD rsa_pkcs1_eay_meth={ 132 "Eric Young's PKCS#1 RSA", 133 RSA_eay_public_encrypt, 134 RSA_eay_public_decrypt, /* signature verification */ 135 RSA_eay_private_encrypt, /* signing */ 136 RSA_eay_private_decrypt, 137 RSA_eay_mod_exp, 138 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ 139 RSA_eay_init, 140 RSA_eay_finish, 141 0, /* flags */ 142 NULL, 143 0, /* rsa_sign */ 144 0 /* rsa_verify */ 145 }; 146 147 const RSA_METHOD *RSA_PKCS1_SSLeay(void) 148 { 149 return(&rsa_pkcs1_eay_meth); 150 } 151 152 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 153 unsigned char *to, RSA *rsa, int padding) 154 { 155 BIGNUM f,ret; 156 int i,j,k,num=0,r= -1; 157 unsigned char *buf=NULL; 158 BN_CTX *ctx=NULL; 159 160 BN_init(&f); 161 BN_init(&ret); 162 if ((ctx=BN_CTX_new()) == NULL) goto err; 163 num=BN_num_bytes(rsa->n); 164 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 165 { 166 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 167 goto err; 168 } 169 170 switch (padding) 171 { 172 case RSA_PKCS1_PADDING: 173 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 174 break; 175 #ifndef OPENSSL_NO_SHA 176 case RSA_PKCS1_OAEP_PADDING: 177 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 178 break; 179 #endif 180 case RSA_SSLV23_PADDING: 181 i=RSA_padding_add_SSLv23(buf,num,from,flen); 182 break; 183 case RSA_NO_PADDING: 184 i=RSA_padding_add_none(buf,num,from,flen); 185 break; 186 default: 187 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 188 goto err; 189 } 190 if (i <= 0) goto err; 191 192 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 193 194 if (BN_ucmp(&f, rsa->n) >= 0) 195 { 196 /* usually the padding functions would catch this */ 197 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 198 goto err; 199 } 200 201 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 202 { 203 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 204 CRYPTO_LOCK_RSA, rsa->n, ctx)) 205 goto err; 206 } 207 208 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 209 rsa->_method_mod_n)) goto err; 210 211 /* put in leading 0 bytes if the number is less than the 212 * length of the modulus */ 213 j=BN_num_bytes(&ret); 214 i=BN_bn2bin(&ret,&(to[num-j])); 215 for (k=0; k<(num-i); k++) 216 to[k]=0; 217 218 r=num; 219 err: 220 if (ctx != NULL) BN_CTX_free(ctx); 221 BN_clear_free(&f); 222 BN_clear_free(&ret); 223 if (buf != NULL) 224 { 225 OPENSSL_cleanse(buf,num); 226 OPENSSL_free(buf); 227 } 228 return(r); 229 } 230 231 static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) 232 { 233 int ret = 1; 234 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 235 /* Check again inside the lock - the macro's check is racey */ 236 if(rsa->blinding == NULL) 237 ret = RSA_blinding_on(rsa, ctx); 238 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 239 return ret; 240 } 241 242 #define BLINDING_HELPER(rsa, ctx, err_instr) \ 243 do { \ 244 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ 245 ((rsa)->blinding == NULL) && \ 246 !rsa_eay_blinding(rsa, ctx)) \ 247 err_instr \ 248 } while(0) 249 250 static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) 251 { 252 BIGNUM *A, *Ai; 253 BN_BLINDING *ret = NULL; 254 255 /* added in OpenSSL 0.9.6j and 0.9.7b */ 256 257 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); 258 * this should be placed in a new function of its own, but for reasons 259 * of binary compatibility can't */ 260 261 BN_CTX_start(ctx); 262 A = BN_CTX_get(ctx); 263 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) 264 { 265 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ 266 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); 267 if (!BN_pseudo_rand_range(A,rsa->n)) goto err; 268 } 269 else 270 { 271 if (!BN_rand_range(A,rsa->n)) goto err; 272 } 273 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; 274 275 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) 276 goto err; 277 ret = BN_BLINDING_new(A,Ai,rsa->n); 278 BN_free(Ai); 279 err: 280 BN_CTX_end(ctx); 281 return ret; 282 } 283 284 /* signing */ 285 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 286 unsigned char *to, RSA *rsa, int padding) 287 { 288 BIGNUM f,ret, *res; 289 int i,j,k,num=0,r= -1; 290 unsigned char *buf=NULL; 291 BN_CTX *ctx=NULL; 292 int local_blinding = 0; 293 BN_BLINDING *blinding = NULL; 294 295 BN_init(&f); 296 BN_init(&ret); 297 298 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 299 { 300 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 301 return -1; 302 } 303 304 if (BN_ucmp(rsa->n, rsa->e) <= 0) 305 { 306 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 307 return -1; 308 } 309 310 /* for large moduli, enforce exponent limit */ 311 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 312 { 313 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) 314 { 315 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 316 return -1; 317 } 318 } 319 320 if ((ctx=BN_CTX_new()) == NULL) goto err; 321 num=BN_num_bytes(rsa->n); 322 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 323 { 324 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 325 goto err; 326 } 327 328 switch (padding) 329 { 330 case RSA_PKCS1_PADDING: 331 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 332 break; 333 case RSA_NO_PADDING: 334 i=RSA_padding_add_none(buf,num,from,flen); 335 break; 336 case RSA_SSLV23_PADDING: 337 default: 338 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 339 goto err; 340 } 341 if (i <= 0) goto err; 342 343 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 344 345 if (BN_ucmp(&f, rsa->n) >= 0) 346 { 347 /* usually the padding functions would catch this */ 348 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 349 goto err; 350 } 351 352 BLINDING_HELPER(rsa, ctx, goto err;); 353 blinding = rsa->blinding; 354 355 /* Now unless blinding is disabled, 'blinding' is non-NULL. 356 * But the BN_BLINDING object may be owned by some other thread 357 * (we don't want to keep it constant and we don't want to use 358 * lots of locking to avoid race conditions, so only a single 359 * thread can use it; other threads have to use local blinding 360 * factors) */ 361 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 362 { 363 if (blinding == NULL) 364 { 365 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 366 goto err; 367 } 368 } 369 370 if (blinding != NULL) 371 { 372 if (blinding->thread_id != CRYPTO_thread_id()) 373 { 374 /* we need a local one-time blinding factor */ 375 376 blinding = setup_blinding(rsa, ctx); 377 if (blinding == NULL) 378 goto err; 379 local_blinding = 1; 380 } 381 } 382 383 if (blinding) 384 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; 385 386 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 387 ((rsa->p != NULL) && 388 (rsa->q != NULL) && 389 (rsa->dmp1 != NULL) && 390 (rsa->dmq1 != NULL) && 391 (rsa->iqmp != NULL)) ) 392 { 393 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 394 } 395 else 396 { 397 BIGNUM local_d; 398 BIGNUM *d = NULL; 399 400 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 401 { 402 BN_init(&local_d); 403 d = &local_d; 404 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 405 } 406 else 407 d = rsa->d; 408 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err; 409 } 410 411 if (blinding) 412 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 413 414 if (padding == RSA_X931_PADDING) 415 { 416 BN_sub(&f, rsa->n, &ret); 417 if (BN_cmp(&ret, &f)) 418 res = &f; 419 else 420 res = &ret; 421 } 422 else 423 res = &ret; 424 425 /* put in leading 0 bytes if the number is less than the 426 * length of the modulus */ 427 j=BN_num_bytes(res); 428 i=BN_bn2bin(res,&(to[num-j])); 429 for (k=0; k<(num-i); k++) 430 to[k]=0; 431 432 r=num; 433 err: 434 if (ctx != NULL) BN_CTX_free(ctx); 435 BN_clear_free(&ret); 436 BN_clear_free(&f); 437 if (local_blinding) 438 BN_BLINDING_free(blinding); 439 if (buf != NULL) 440 { 441 OPENSSL_cleanse(buf,num); 442 OPENSSL_free(buf); 443 } 444 return(r); 445 } 446 447 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 448 unsigned char *to, RSA *rsa, int padding) 449 { 450 BIGNUM f,ret; 451 int j,num=0,r= -1; 452 unsigned char *p; 453 unsigned char *buf=NULL; 454 BN_CTX *ctx=NULL; 455 int local_blinding = 0; 456 BN_BLINDING *blinding = NULL; 457 458 BN_init(&f); 459 BN_init(&ret); 460 ctx=BN_CTX_new(); 461 if (ctx == NULL) goto err; 462 463 num=BN_num_bytes(rsa->n); 464 465 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 466 { 467 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 468 goto err; 469 } 470 471 /* This check was for equality but PGP does evil things 472 * and chops off the top '0' bytes */ 473 if (flen > num) 474 { 475 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 476 goto err; 477 } 478 479 /* make data into a big number */ 480 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; 481 482 if (BN_ucmp(&f, rsa->n) >= 0) 483 { 484 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 485 goto err; 486 } 487 488 BLINDING_HELPER(rsa, ctx, goto err;); 489 blinding = rsa->blinding; 490 491 /* Now unless blinding is disabled, 'blinding' is non-NULL. 492 * But the BN_BLINDING object may be owned by some other thread 493 * (we don't want to keep it constant and we don't want to use 494 * lots of locking to avoid race conditions, so only a single 495 * thread can use it; other threads have to use local blinding 496 * factors) */ 497 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 498 { 499 if (blinding == NULL) 500 { 501 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 502 goto err; 503 } 504 } 505 506 if (blinding != NULL) 507 { 508 if (blinding->thread_id != CRYPTO_thread_id()) 509 { 510 /* we need a local one-time blinding factor */ 511 512 blinding = setup_blinding(rsa, ctx); 513 if (blinding == NULL) 514 goto err; 515 local_blinding = 1; 516 } 517 } 518 519 if (blinding) 520 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; 521 522 /* do the decrypt */ 523 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 524 ((rsa->p != NULL) && 525 (rsa->q != NULL) && 526 (rsa->dmp1 != NULL) && 527 (rsa->dmq1 != NULL) && 528 (rsa->iqmp != NULL)) ) 529 { 530 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 531 } 532 else 533 { 534 BIGNUM local_d; 535 BIGNUM *d = NULL; 536 537 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 538 { 539 d = &local_d; 540 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 541 } 542 else 543 d = rsa->d; 544 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) 545 goto err; 546 } 547 548 if (blinding) 549 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 550 551 p=buf; 552 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ 553 554 switch (padding) 555 { 556 case RSA_PKCS1_PADDING: 557 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 558 break; 559 #ifndef OPENSSL_NO_SHA 560 case RSA_PKCS1_OAEP_PADDING: 561 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 562 break; 563 #endif 564 case RSA_SSLV23_PADDING: 565 r=RSA_padding_check_SSLv23(to,num,buf,j,num); 566 break; 567 case RSA_NO_PADDING: 568 r=RSA_padding_check_none(to,num,buf,j,num); 569 break; 570 default: 571 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 572 goto err; 573 } 574 if (r < 0) 575 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 576 577 err: 578 if (ctx != NULL) BN_CTX_free(ctx); 579 BN_clear_free(&f); 580 BN_clear_free(&ret); 581 if (local_blinding) 582 BN_BLINDING_free(blinding); 583 if (buf != NULL) 584 { 585 OPENSSL_cleanse(buf,num); 586 OPENSSL_free(buf); 587 } 588 return(r); 589 } 590 591 /* signature verification */ 592 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 593 unsigned char *to, RSA *rsa, int padding) 594 { 595 BIGNUM f,ret; 596 int i,num=0,r= -1; 597 unsigned char *p; 598 unsigned char *buf=NULL; 599 BN_CTX *ctx=NULL; 600 601 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 602 { 603 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 604 return -1; 605 } 606 607 if (BN_ucmp(rsa->n, rsa->e) <= 0) 608 { 609 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 610 return -1; 611 } 612 613 /* for large moduli, enforce exponent limit */ 614 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 615 { 616 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) 617 { 618 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 619 return -1; 620 } 621 } 622 623 BN_init(&f); 624 BN_init(&ret); 625 ctx=BN_CTX_new(); 626 if (ctx == NULL) goto err; 627 628 num=BN_num_bytes(rsa->n); 629 buf=(unsigned char *)OPENSSL_malloc(num); 630 if (buf == NULL) 631 { 632 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 633 goto err; 634 } 635 636 /* This check was for equality but PGP does evil things 637 * and chops off the top '0' bytes */ 638 if (flen > num) 639 { 640 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 641 goto err; 642 } 643 644 if (BN_bin2bn(from,flen,&f) == NULL) goto err; 645 646 if (BN_ucmp(&f, rsa->n) >= 0) 647 { 648 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 649 goto err; 650 } 651 652 /* do the decrypt */ 653 654 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 655 { 656 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 657 CRYPTO_LOCK_RSA, rsa->n, ctx)) 658 goto err; 659 } 660 661 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 662 rsa->_method_mod_n)) goto err; 663 664 if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12)) 665 BN_sub(&ret, rsa->n, &ret); 666 667 p=buf; 668 i=BN_bn2bin(&ret,p); 669 670 switch (padding) 671 { 672 case RSA_PKCS1_PADDING: 673 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 674 break; 675 case RSA_NO_PADDING: 676 r=RSA_padding_check_none(to,num,buf,i,num); 677 break; 678 default: 679 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 680 goto err; 681 } 682 if (r < 0) 683 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 684 685 err: 686 if (ctx != NULL) BN_CTX_free(ctx); 687 BN_clear_free(&f); 688 BN_clear_free(&ret); 689 if (buf != NULL) 690 { 691 OPENSSL_cleanse(buf,num); 692 OPENSSL_free(buf); 693 } 694 return(r); 695 } 696 697 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 698 { 699 BIGNUM r1,m1,vrfy; 700 BIGNUM local_dmp1, local_dmq1; 701 BIGNUM *dmp1, *dmq1; 702 int ret=0; 703 BN_CTX *ctx; 704 705 BN_init(&m1); 706 BN_init(&r1); 707 BN_init(&vrfy); 708 if ((ctx=BN_CTX_new()) == NULL) goto err; 709 710 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 711 { 712 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 713 CRYPTO_LOCK_RSA, rsa->p, ctx)) 714 goto err; 715 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 716 CRYPTO_LOCK_RSA, rsa->q, ctx)) 717 goto err; 718 } 719 720 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 721 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 722 { 723 dmq1 = &local_dmq1; 724 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); 725 } 726 else 727 dmq1 = rsa->dmq1; 728 if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx, 729 rsa->_method_mod_q)) goto err; 730 731 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 732 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 733 { 734 dmp1 = &local_dmp1; 735 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME); 736 } 737 else 738 dmp1 = rsa->dmp1; 739 if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx, 740 rsa->_method_mod_p)) goto err; 741 742 if (!BN_sub(r0,r0,&m1)) goto err; 743 /* This will help stop the size of r0 increasing, which does 744 * affect the multiply if it optimised for a power of 2 size */ 745 if (r0->neg) 746 if (!BN_add(r0,r0,rsa->p)) goto err; 747 748 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; 749 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; 750 /* If p < q it is occasionally possible for the correction of 751 * adding 'p' if r0 is negative above to leave the result still 752 * negative. This can break the private key operations: the following 753 * second correction should *always* correct this rare occurrence. 754 * This will *never* happen with OpenSSL generated keys because 755 * they ensure p > q [steve] 756 */ 757 if (r0->neg) 758 if (!BN_add(r0,r0,rsa->p)) goto err; 759 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; 760 if (!BN_add(r0,&r1,&m1)) goto err; 761 762 if (rsa->e && rsa->n) 763 { 764 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; 765 /* If 'I' was greater than (or equal to) rsa->n, the operation 766 * will be equivalent to using 'I mod n'. However, the result of 767 * the verify will *always* be less than 'n' so we don't check 768 * for absolute equality, just congruency. */ 769 if (!BN_sub(&vrfy, &vrfy, I)) goto err; 770 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; 771 if (vrfy.neg) 772 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; 773 if (!BN_is_zero(&vrfy)) 774 { 775 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 776 * miscalculated CRT output, just do a raw (slower) 777 * mod_exp and return that instead. */ 778 779 BIGNUM local_d; 780 BIGNUM *d = NULL; 781 782 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 783 { 784 d = &local_d; 785 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 786 } 787 else 788 d = rsa->d; 789 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err; 790 } 791 } 792 ret=1; 793 err: 794 BN_clear_free(&m1); 795 BN_clear_free(&r1); 796 BN_clear_free(&vrfy); 797 BN_CTX_free(ctx); 798 return(ret); 799 } 800 801 static int RSA_eay_init(RSA *rsa) 802 { 803 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 804 return(1); 805 } 806 807 static int RSA_eay_finish(RSA *rsa) 808 { 809 if (rsa->_method_mod_n != NULL) 810 BN_MONT_CTX_free(rsa->_method_mod_n); 811 if (rsa->_method_mod_p != NULL) 812 BN_MONT_CTX_free(rsa->_method_mod_p); 813 if (rsa->_method_mod_q != NULL) 814 BN_MONT_CTX_free(rsa->_method_mod_q); 815 return(1); 816 } 817 818 #endif 819