1 /* $OpenBSD: rsa_eay.c,v 1.60 2023/05/05 12:21:44 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include <string.h> 114 115 #include <openssl/opensslconf.h> 116 117 #include <openssl/bn.h> 118 #include <openssl/err.h> 119 #include <openssl/rsa.h> 120 121 #include "bn_local.h" 122 #include "rsa_local.h" 123 124 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 125 unsigned char *to, RSA *rsa, int padding); 126 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 127 unsigned char *to, RSA *rsa, int padding); 128 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 129 unsigned char *to, RSA *rsa, int padding); 130 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 131 unsigned char *to, RSA *rsa, int padding); 132 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 133 static int RSA_eay_init(RSA *rsa); 134 static int RSA_eay_finish(RSA *rsa); 135 136 static RSA_METHOD rsa_pkcs1_eay_meth = { 137 .name = "Eric Young's PKCS#1 RSA", 138 .rsa_pub_enc = RSA_eay_public_encrypt, 139 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */ 140 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */ 141 .rsa_priv_dec = RSA_eay_private_decrypt, 142 .rsa_mod_exp = RSA_eay_mod_exp, 143 .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if e == 3 */ 144 .init = RSA_eay_init, 145 .finish = RSA_eay_finish, 146 }; 147 148 const RSA_METHOD * 149 RSA_PKCS1_OpenSSL(void) 150 { 151 return &rsa_pkcs1_eay_meth; 152 } 153 154 const RSA_METHOD * 155 RSA_PKCS1_SSLeay(void) 156 { 157 return &rsa_pkcs1_eay_meth; 158 } 159 160 static int 161 RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 162 RSA *rsa, int padding) 163 { 164 BIGNUM *f, *ret; 165 int i, j, k, num = 0, r = -1; 166 unsigned char *buf = NULL; 167 BN_CTX *ctx = NULL; 168 169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 170 RSAerror(RSA_R_MODULUS_TOO_LARGE); 171 return -1; 172 } 173 174 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 175 RSAerror(RSA_R_BAD_E_VALUE); 176 return -1; 177 } 178 179 /* for large moduli, enforce exponent limit */ 180 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 181 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 182 RSAerror(RSA_R_BAD_E_VALUE); 183 return -1; 184 } 185 } 186 187 if ((ctx = BN_CTX_new()) == NULL) 188 goto err; 189 190 BN_CTX_start(ctx); 191 f = BN_CTX_get(ctx); 192 ret = BN_CTX_get(ctx); 193 num = BN_num_bytes(rsa->n); 194 buf = malloc(num); 195 196 if (f == NULL || ret == NULL || buf == NULL) { 197 RSAerror(ERR_R_MALLOC_FAILURE); 198 goto err; 199 } 200 201 switch (padding) { 202 case RSA_PKCS1_PADDING: 203 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 204 break; 205 #ifndef OPENSSL_NO_SHA 206 case RSA_PKCS1_OAEP_PADDING: 207 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 208 break; 209 #endif 210 case RSA_NO_PADDING: 211 i = RSA_padding_add_none(buf, num, from, flen); 212 break; 213 default: 214 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 215 goto err; 216 } 217 if (i <= 0) 218 goto err; 219 220 if (BN_bin2bn(buf, num, f) == NULL) 221 goto err; 222 223 if (BN_ucmp(f, rsa->n) >= 0) { 224 /* usually the padding functions would catch this */ 225 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 226 goto err; 227 } 228 229 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 230 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 231 CRYPTO_LOCK_RSA, rsa->n, ctx)) 232 goto err; 233 } 234 235 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 236 rsa->_method_mod_n)) 237 goto err; 238 239 /* put in leading 0 bytes if the number is less than the 240 * length of the modulus */ 241 j = BN_num_bytes(ret); 242 i = BN_bn2bin(ret, &(to[num - j])); 243 for (k = 0; k < num - i; k++) 244 to[k] = 0; 245 246 r = num; 247 err: 248 if (ctx != NULL) { 249 BN_CTX_end(ctx); 250 BN_CTX_free(ctx); 251 } 252 freezero(buf, num); 253 return r; 254 } 255 256 static BN_BLINDING * 257 rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 258 { 259 BN_BLINDING *ret; 260 int got_write_lock = 0; 261 CRYPTO_THREADID cur; 262 263 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 264 265 if (rsa->blinding == NULL) { 266 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 267 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 268 got_write_lock = 1; 269 270 if (rsa->blinding == NULL) 271 rsa->blinding = RSA_setup_blinding(rsa, ctx); 272 } 273 274 ret = rsa->blinding; 275 if (ret == NULL) 276 goto err; 277 278 CRYPTO_THREADID_current(&cur); 279 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 280 /* rsa->blinding is ours! */ 281 *local = 1; 282 } else { 283 /* resort to rsa->mt_blinding instead */ 284 /* 285 * Instruct rsa_blinding_convert(), rsa_blinding_invert() 286 * that the BN_BLINDING is shared, meaning that accesses 287 * require locks, and that the blinding factor must be 288 * stored outside the BN_BLINDING 289 */ 290 *local = 0; 291 292 if (rsa->mt_blinding == NULL) { 293 if (!got_write_lock) { 294 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 295 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 296 got_write_lock = 1; 297 } 298 299 if (rsa->mt_blinding == NULL) 300 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 301 } 302 ret = rsa->mt_blinding; 303 } 304 305 err: 306 if (got_write_lock) 307 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 308 else 309 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 310 return ret; 311 } 312 313 static int 314 rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 315 { 316 if (unblind == NULL) 317 /* 318 * Local blinding: store the unblinding factor 319 * in BN_BLINDING. 320 */ 321 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 322 else { 323 /* 324 * Shared blinding: store the unblinding factor 325 * outside BN_BLINDING. 326 */ 327 int ret; 328 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 329 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 330 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 331 return ret; 332 } 333 } 334 335 static int 336 rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 337 { 338 /* 339 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 340 * will use the unblinding factor stored in BN_BLINDING. 341 * If BN_BLINDING is shared between threads, unblind must be non-null: 342 * BN_BLINDING_invert_ex will then use the local unblinding factor, 343 * and will only read the modulus from BN_BLINDING. 344 * In both cases it's safe to access the blinding without a lock. 345 */ 346 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 347 } 348 349 /* signing */ 350 static int 351 RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 352 RSA *rsa, int padding) 353 { 354 BIGNUM *f, *ret, *res; 355 int i, j, k, num = 0, r = -1; 356 unsigned char *buf = NULL; 357 BN_CTX *ctx = NULL; 358 int local_blinding = 0; 359 /* 360 * Used only if the blinding structure is shared. A non-NULL unblind 361 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 362 * the unblinding factor outside the blinding structure. 363 */ 364 BIGNUM *unblind = NULL; 365 BN_BLINDING *blinding = NULL; 366 367 if ((ctx = BN_CTX_new()) == NULL) 368 goto err; 369 370 BN_CTX_start(ctx); 371 f = BN_CTX_get(ctx); 372 ret = BN_CTX_get(ctx); 373 num = BN_num_bytes(rsa->n); 374 buf = malloc(num); 375 376 if (f == NULL || ret == NULL || buf == NULL) { 377 RSAerror(ERR_R_MALLOC_FAILURE); 378 goto err; 379 } 380 381 switch (padding) { 382 case RSA_PKCS1_PADDING: 383 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 384 break; 385 case RSA_X931_PADDING: 386 i = RSA_padding_add_X931(buf, num, from, flen); 387 break; 388 case RSA_NO_PADDING: 389 i = RSA_padding_add_none(buf, num, from, flen); 390 break; 391 default: 392 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 393 goto err; 394 } 395 if (i <= 0) 396 goto err; 397 398 if (BN_bin2bn(buf, num, f) == NULL) 399 goto err; 400 401 if (BN_ucmp(f, rsa->n) >= 0) { 402 /* usually the padding functions would catch this */ 403 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 404 goto err; 405 } 406 407 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 408 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 409 CRYPTO_LOCK_RSA, rsa->n, ctx)) 410 goto err; 411 } 412 413 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 414 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 415 if (blinding == NULL) { 416 RSAerror(ERR_R_INTERNAL_ERROR); 417 goto err; 418 } 419 } 420 421 if (blinding != NULL) { 422 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 423 RSAerror(ERR_R_MALLOC_FAILURE); 424 goto err; 425 } 426 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 427 goto err; 428 } 429 430 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 431 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 432 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 433 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 434 goto err; 435 } else { 436 BIGNUM d; 437 438 BN_init(&d); 439 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 440 441 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 442 rsa->_method_mod_n)) { 443 goto err; 444 } 445 } 446 447 if (blinding) 448 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 449 goto err; 450 451 if (padding == RSA_X931_PADDING) { 452 if (!BN_sub(f, rsa->n, ret)) 453 goto err; 454 if (BN_cmp(ret, f) > 0) 455 res = f; 456 else 457 res = ret; 458 } else 459 res = ret; 460 461 /* put in leading 0 bytes if the number is less than the 462 * length of the modulus */ 463 j = BN_num_bytes(res); 464 i = BN_bn2bin(res, &(to[num - j])); 465 for (k = 0; k < num - i; k++) 466 to[k] = 0; 467 468 r = num; 469 err: 470 if (ctx != NULL) { 471 BN_CTX_end(ctx); 472 BN_CTX_free(ctx); 473 } 474 freezero(buf, num); 475 return r; 476 } 477 478 static int 479 RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 480 RSA *rsa, int padding) 481 { 482 BIGNUM *f, *ret; 483 int j, num = 0, r = -1; 484 unsigned char *p; 485 unsigned char *buf = NULL; 486 BN_CTX *ctx = NULL; 487 int local_blinding = 0; 488 /* 489 * Used only if the blinding structure is shared. A non-NULL unblind 490 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 491 * the unblinding factor outside the blinding structure. 492 */ 493 BIGNUM *unblind = NULL; 494 BN_BLINDING *blinding = NULL; 495 496 if ((ctx = BN_CTX_new()) == NULL) 497 goto err; 498 499 BN_CTX_start(ctx); 500 f = BN_CTX_get(ctx); 501 ret = BN_CTX_get(ctx); 502 num = BN_num_bytes(rsa->n); 503 buf = malloc(num); 504 505 if (!f || !ret || !buf) { 506 RSAerror(ERR_R_MALLOC_FAILURE); 507 goto err; 508 } 509 510 /* This check was for equality but PGP does evil things 511 * and chops off the top '0' bytes */ 512 if (flen > num) { 513 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 514 goto err; 515 } 516 517 /* make data into a big number */ 518 if (BN_bin2bn(from, (int)flen, f) == NULL) 519 goto err; 520 521 if (BN_ucmp(f, rsa->n) >= 0) { 522 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 523 goto err; 524 } 525 526 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 527 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 528 CRYPTO_LOCK_RSA, rsa->n, ctx)) 529 goto err; 530 } 531 532 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 533 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 534 if (blinding == NULL) { 535 RSAerror(ERR_R_INTERNAL_ERROR); 536 goto err; 537 } 538 } 539 540 if (blinding != NULL) { 541 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 542 RSAerror(ERR_R_MALLOC_FAILURE); 543 goto err; 544 } 545 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 546 goto err; 547 } 548 549 /* do the decrypt */ 550 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 551 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 552 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 553 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 554 goto err; 555 } else { 556 BIGNUM d; 557 558 BN_init(&d); 559 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 560 561 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 562 rsa->_method_mod_n)) { 563 goto err; 564 } 565 } 566 567 if (blinding) 568 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 569 goto err; 570 571 p = buf; 572 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 573 574 switch (padding) { 575 case RSA_PKCS1_PADDING: 576 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 577 break; 578 #ifndef OPENSSL_NO_SHA 579 case RSA_PKCS1_OAEP_PADDING: 580 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 581 break; 582 #endif 583 case RSA_NO_PADDING: 584 r = RSA_padding_check_none(to, num, buf, j, num); 585 break; 586 default: 587 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 588 goto err; 589 } 590 if (r < 0) 591 RSAerror(RSA_R_PADDING_CHECK_FAILED); 592 593 err: 594 if (ctx != NULL) { 595 BN_CTX_end(ctx); 596 BN_CTX_free(ctx); 597 } 598 freezero(buf, num); 599 return r; 600 } 601 602 /* signature verification */ 603 static int 604 RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 605 RSA *rsa, int padding) 606 { 607 BIGNUM *f, *ret; 608 int i, num = 0, r = -1; 609 unsigned char *p; 610 unsigned char *buf = NULL; 611 BN_CTX *ctx = NULL; 612 613 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 614 RSAerror(RSA_R_MODULUS_TOO_LARGE); 615 return -1; 616 } 617 618 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 619 RSAerror(RSA_R_BAD_E_VALUE); 620 return -1; 621 } 622 623 /* for large moduli, enforce exponent limit */ 624 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 625 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 626 RSAerror(RSA_R_BAD_E_VALUE); 627 return -1; 628 } 629 } 630 631 if ((ctx = BN_CTX_new()) == NULL) 632 goto err; 633 634 BN_CTX_start(ctx); 635 f = BN_CTX_get(ctx); 636 ret = BN_CTX_get(ctx); 637 num = BN_num_bytes(rsa->n); 638 buf = malloc(num); 639 640 if (!f || !ret || !buf) { 641 RSAerror(ERR_R_MALLOC_FAILURE); 642 goto err; 643 } 644 645 /* This check was for equality but PGP does evil things 646 * and chops off the top '0' bytes */ 647 if (flen > num) { 648 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 649 goto err; 650 } 651 652 if (BN_bin2bn(from, flen, f) == NULL) 653 goto err; 654 655 if (BN_ucmp(f, rsa->n) >= 0) { 656 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 657 goto err; 658 } 659 660 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 661 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 662 CRYPTO_LOCK_RSA, rsa->n, ctx)) 663 goto err; 664 } 665 666 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 667 rsa->_method_mod_n)) 668 goto err; 669 670 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12) 671 if (!BN_sub(ret, rsa->n, ret)) 672 goto err; 673 674 p = buf; 675 i = BN_bn2bin(ret, p); 676 677 switch (padding) { 678 case RSA_PKCS1_PADDING: 679 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 680 break; 681 case RSA_X931_PADDING: 682 r = RSA_padding_check_X931(to, num, buf, i, num); 683 break; 684 case RSA_NO_PADDING: 685 r = RSA_padding_check_none(to, num, buf, i, num); 686 break; 687 default: 688 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 689 goto err; 690 } 691 if (r < 0) 692 RSAerror(RSA_R_PADDING_CHECK_FAILED); 693 694 err: 695 if (ctx != NULL) { 696 BN_CTX_end(ctx); 697 BN_CTX_free(ctx); 698 } 699 freezero(buf, num); 700 return r; 701 } 702 703 static int 704 RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 705 { 706 BIGNUM *r1, *m1, *vrfy; 707 BIGNUM dmp1, dmq1, c, pr1; 708 int ret = 0; 709 710 BN_CTX_start(ctx); 711 r1 = BN_CTX_get(ctx); 712 m1 = BN_CTX_get(ctx); 713 vrfy = BN_CTX_get(ctx); 714 if (r1 == NULL || m1 == NULL || vrfy == NULL) { 715 RSAerror(ERR_R_MALLOC_FAILURE); 716 goto err; 717 } 718 719 { 720 BIGNUM p, q; 721 722 /* 723 * Make sure BN_mod_inverse in Montgomery initialization uses the 724 * BN_FLG_CONSTTIME flag 725 */ 726 BN_init(&p); 727 BN_init(&q); 728 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); 729 BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); 730 731 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 732 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 733 CRYPTO_LOCK_RSA, &p, ctx) || 734 !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 735 CRYPTO_LOCK_RSA, &q, ctx)) { 736 goto err; 737 } 738 } 739 } 740 741 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 742 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 743 CRYPTO_LOCK_RSA, rsa->n, ctx)) 744 goto err; 745 } 746 747 /* compute I mod q */ 748 BN_init(&c); 749 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 750 751 if (!BN_mod_ct(r1, &c, rsa->q, ctx)) 752 goto err; 753 754 /* compute r1^dmq1 mod q */ 755 BN_init(&dmq1); 756 BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 757 758 if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, 759 rsa->_method_mod_q)) 760 goto err; 761 762 /* compute I mod p */ 763 BN_init(&c); 764 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 765 766 if (!BN_mod_ct(r1, &c, rsa->p, ctx)) 767 goto err; 768 769 /* compute r1^dmp1 mod p */ 770 BN_init(&dmp1); 771 BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 772 773 if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, 774 rsa->_method_mod_p)) 775 goto err; 776 777 if (!BN_sub(r0, r0, m1)) 778 goto err; 779 780 /* 781 * This will help stop the size of r0 increasing, which does 782 * affect the multiply if it optimised for a power of 2 size 783 */ 784 if (BN_is_negative(r0)) 785 if (!BN_add(r0, r0, rsa->p)) 786 goto err; 787 788 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 789 goto err; 790 791 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 792 BN_init(&pr1); 793 BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); 794 795 if (!BN_mod_ct(r0, &pr1, rsa->p, ctx)) 796 goto err; 797 798 /* 799 * If p < q it is occasionally possible for the correction of 800 * adding 'p' if r0 is negative above to leave the result still 801 * negative. This can break the private key operations: the following 802 * second correction should *always* correct this rare occurrence. 803 * This will *never* happen with OpenSSL generated keys because 804 * they ensure p > q [steve] 805 */ 806 if (BN_is_negative(r0)) 807 if (!BN_add(r0, r0, rsa->p)) 808 goto err; 809 if (!BN_mul(r1, r0, rsa->q, ctx)) 810 goto err; 811 if (!BN_add(r0, r1, m1)) 812 goto err; 813 814 if (rsa->e && rsa->n) { 815 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 816 rsa->_method_mod_n)) 817 goto err; 818 /* 819 * If 'I' was greater than (or equal to) rsa->n, the operation 820 * will be equivalent to using 'I mod n'. However, the result of 821 * the verify will *always* be less than 'n' so we don't check 822 * for absolute equality, just congruency. 823 */ 824 if (!BN_sub(vrfy, vrfy, I)) 825 goto err; 826 if (!BN_mod_ct(vrfy, vrfy, rsa->n, ctx)) 827 goto err; 828 if (BN_is_negative(vrfy)) 829 if (!BN_add(vrfy, vrfy, rsa->n)) 830 goto err; 831 if (!BN_is_zero(vrfy)) { 832 /* 833 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 834 * miscalculated CRT output, just do a raw (slower) 835 * mod_exp and return that instead. 836 */ 837 BIGNUM d; 838 839 BN_init(&d); 840 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 841 842 if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, 843 rsa->_method_mod_n)) { 844 goto err; 845 } 846 } 847 } 848 ret = 1; 849 err: 850 BN_CTX_end(ctx); 851 return ret; 852 } 853 854 static int 855 RSA_eay_init(RSA *rsa) 856 { 857 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 858 return 1; 859 } 860 861 static int 862 RSA_eay_finish(RSA *rsa) 863 { 864 BN_MONT_CTX_free(rsa->_method_mod_n); 865 BN_MONT_CTX_free(rsa->_method_mod_p); 866 BN_MONT_CTX_free(rsa->_method_mod_q); 867 868 return 1; 869 } 870