Line data Source code
1 : /* crypto/rsa/rsa_eay.c */
2 : /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 : * All rights reserved.
4 : *
5 : * This package is an SSL implementation written
6 : * by Eric Young (eay@cryptsoft.com).
7 : * The implementation was written so as to conform with Netscapes SSL.
8 : *
9 : * This library is free for commercial and non-commercial use as long as
10 : * the following conditions are aheared to. The following conditions
11 : * apply to all code found in this distribution, be it the RC4, RSA,
12 : * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 : * included with this distribution is covered by the same copyright terms
14 : * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 : *
16 : * Copyright remains Eric Young's, and as such any Copyright notices in
17 : * the code are not to be removed.
18 : * If this package is used in a product, Eric Young should be given attribution
19 : * as the author of the parts of the library used.
20 : * This can be in the form of a textual message at program startup or
21 : * in documentation (online or textual) provided with the package.
22 : *
23 : * Redistribution and use in source and binary forms, with or without
24 : * modification, are permitted provided that the following conditions
25 : * are met:
26 : * 1. Redistributions of source code must retain the copyright
27 : * notice, this list of conditions and the following disclaimer.
28 : * 2. Redistributions in binary form must reproduce the above copyright
29 : * notice, this list of conditions and the following disclaimer in the
30 : * documentation and/or other materials provided with the distribution.
31 : * 3. All advertising materials mentioning features or use of this software
32 : * must display the following acknowledgement:
33 : * "This product includes cryptographic software written by
34 : * Eric Young (eay@cryptsoft.com)"
35 : * The word 'cryptographic' can be left out if the rouines from the library
36 : * being used are not cryptographic related :-).
37 : * 4. If you include any Windows specific code (or a derivative thereof) from
38 : * the apps directory (application code) you must include an acknowledgement:
39 : * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 : *
41 : * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 : * SUCH DAMAGE.
52 : *
53 : * The licence and distribution terms for any publically available version or
54 : * derivative of this code cannot be changed. i.e. this code cannot simply be
55 : * copied and put under another distribution licence
56 : * [including the GNU Public Licence.]
57 : */
58 : /* ====================================================================
59 : * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 : *
61 : * Redistribution and use in source and binary forms, with or without
62 : * modification, are permitted provided that the following conditions
63 : * are met:
64 : *
65 : * 1. Redistributions of source code must retain the above copyright
66 : * notice, this list of conditions and the following disclaimer.
67 : *
68 : * 2. Redistributions in binary form must reproduce the above copyright
69 : * notice, this list of conditions and the following disclaimer in
70 : * the documentation and/or other materials provided with the
71 : * distribution.
72 : *
73 : * 3. All advertising materials mentioning features or use of this
74 : * software must display the following acknowledgment:
75 : * "This product includes software developed by the OpenSSL Project
76 : * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 : *
78 : * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 : * endorse or promote products derived from this software without
80 : * prior written permission. For written permission, please contact
81 : * openssl-core@openssl.org.
82 : *
83 : * 5. Products derived from this software may not be called "OpenSSL"
84 : * nor may "OpenSSL" appear in their names without prior written
85 : * permission of the OpenSSL Project.
86 : *
87 : * 6. Redistributions of any form whatsoever must retain the following
88 : * acknowledgment:
89 : * "This product includes software developed by the OpenSSL Project
90 : * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 : *
92 : * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 : * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 : * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 : * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 : * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 : * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 : * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 : * OF THE POSSIBILITY OF SUCH DAMAGE.
104 : * ====================================================================
105 : *
106 : * This product includes cryptographic software written by Eric Young
107 : * (eay@cryptsoft.com). This product includes software written by Tim
108 : * Hudson (tjh@cryptsoft.com).
109 : *
110 : */
111 :
112 : #include <stdio.h>
113 : #include "cryptlib.h"
114 : #include <openssl/bn.h>
115 : #include <openssl/rsa.h>
116 : #include <openssl/rand.h>
117 :
118 : #ifndef RSA_NULL
119 :
120 : static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121 : unsigned char *to, RSA *rsa, int padding);
122 : static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
123 : unsigned char *to, RSA *rsa, int padding);
124 : static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125 : unsigned char *to, RSA *rsa, int padding);
126 : static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127 : unsigned char *to, RSA *rsa, int padding);
128 : static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
129 : BN_CTX *ctx);
130 : static int RSA_eay_init(RSA *rsa);
131 : static int RSA_eay_finish(RSA *rsa);
132 : static RSA_METHOD rsa_pkcs1_eay_meth = {
133 : "Eric Young's PKCS#1 RSA",
134 : RSA_eay_public_encrypt,
135 : RSA_eay_public_decrypt, /* signature verification */
136 : RSA_eay_private_encrypt, /* signing */
137 : RSA_eay_private_decrypt,
138 : RSA_eay_mod_exp,
139 : BN_mod_exp_mont, /* XXX probably we should not use Montgomery
140 : * if e == 3 */
141 : RSA_eay_init,
142 : RSA_eay_finish,
143 : 0, /* flags */
144 : NULL,
145 : 0, /* rsa_sign */
146 : 0, /* rsa_verify */
147 : NULL /* rsa_keygen */
148 : };
149 :
150 124 : const RSA_METHOD *RSA_PKCS1_SSLeay(void)
151 : {
152 124 : return (&rsa_pkcs1_eay_meth);
153 : }
154 :
155 0 : static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
156 : unsigned char *to, RSA *rsa, int padding)
157 : {
158 : BIGNUM *f, *ret;
159 : int i, j, k, num = 0, r = -1;
160 : unsigned char *buf = NULL;
161 : BN_CTX *ctx = NULL;
162 :
163 0 : if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
164 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
165 0 : return -1;
166 : }
167 :
168 0 : if (BN_ucmp(rsa->n, rsa->e) <= 0) {
169 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
170 0 : return -1;
171 : }
172 :
173 : /* for large moduli, enforce exponent limit */
174 0 : if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
175 0 : if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
176 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
177 0 : return -1;
178 : }
179 : }
180 :
181 0 : if ((ctx = BN_CTX_new()) == NULL)
182 : goto err;
183 0 : BN_CTX_start(ctx);
184 0 : f = BN_CTX_get(ctx);
185 0 : ret = BN_CTX_get(ctx);
186 0 : num = BN_num_bytes(rsa->n);
187 0 : buf = OPENSSL_malloc(num);
188 0 : if (!f || !ret || !buf) {
189 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
190 0 : goto err;
191 : }
192 :
193 0 : switch (padding) {
194 : case RSA_PKCS1_PADDING:
195 0 : i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
196 0 : break;
197 : # ifndef OPENSSL_NO_SHA
198 : case RSA_PKCS1_OAEP_PADDING:
199 0 : i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
200 0 : break;
201 : # endif
202 : case RSA_SSLV23_PADDING:
203 0 : i = RSA_padding_add_SSLv23(buf, num, from, flen);
204 0 : break;
205 : case RSA_NO_PADDING:
206 0 : i = RSA_padding_add_none(buf, num, from, flen);
207 0 : break;
208 : default:
209 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
210 0 : goto err;
211 : }
212 0 : if (i <= 0)
213 : goto err;
214 :
215 0 : if (BN_bin2bn(buf, num, f) == NULL)
216 : goto err;
217 :
218 0 : if (BN_ucmp(f, rsa->n) >= 0) {
219 : /* usually the padding functions would catch this */
220 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
221 : RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
222 0 : goto err;
223 : }
224 :
225 0 : if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
226 0 : if (!BN_MONT_CTX_set_locked
227 0 : (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
228 : goto err;
229 :
230 0 : if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
231 : rsa->_method_mod_n))
232 : goto err;
233 :
234 : /*
235 : * put in leading 0 bytes if the number is less than the length of the
236 : * modulus
237 : */
238 0 : j = BN_num_bytes(ret);
239 0 : i = BN_bn2bin(ret, &(to[num - j]));
240 0 : for (k = 0; k < (num - i); k++)
241 0 : to[k] = 0;
242 :
243 : r = num;
244 : err:
245 0 : if (ctx != NULL) {
246 0 : BN_CTX_end(ctx);
247 0 : BN_CTX_free(ctx);
248 : }
249 0 : if (buf != NULL) {
250 0 : OPENSSL_cleanse(buf, num);
251 0 : OPENSSL_free(buf);
252 : }
253 0 : return (r);
254 : }
255 :
256 381 : static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
257 : {
258 : BN_BLINDING *ret;
259 : int got_write_lock = 0;
260 : CRYPTO_THREADID cur;
261 :
262 381 : CRYPTO_r_lock(CRYPTO_LOCK_RSA);
263 :
264 381 : if (rsa->blinding == NULL) {
265 345 : CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
266 345 : CRYPTO_w_lock(CRYPTO_LOCK_RSA);
267 : got_write_lock = 1;
268 :
269 345 : if (rsa->blinding == NULL)
270 345 : rsa->blinding = RSA_setup_blinding(rsa, ctx);
271 : }
272 :
273 381 : ret = rsa->blinding;
274 381 : if (ret == NULL)
275 : goto err;
276 :
277 381 : CRYPTO_THREADID_current(&cur);
278 381 : if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
279 : /* rsa->blinding is ours! */
280 :
281 381 : *local = 1;
282 : } else {
283 : /* resort to rsa->mt_blinding instead */
284 :
285 : /*
286 : * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
287 : * BN_BLINDING is shared, meaning that accesses require locks, and
288 : * that the blinding factor must be stored outside the BN_BLINDING
289 : */
290 0 : *local = 0;
291 :
292 0 : if (rsa->mt_blinding == NULL) {
293 0 : if (!got_write_lock) {
294 0 : CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
295 0 : CRYPTO_w_lock(CRYPTO_LOCK_RSA);
296 : got_write_lock = 1;
297 : }
298 :
299 0 : if (rsa->mt_blinding == NULL)
300 0 : rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
301 : }
302 0 : ret = rsa->mt_blinding;
303 : }
304 :
305 : err:
306 381 : if (got_write_lock)
307 345 : CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
308 : else
309 36 : CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
310 381 : return ret;
311 : }
312 :
313 381 : static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
314 : BN_CTX *ctx)
315 : {
316 381 : if (unblind == NULL)
317 : /*
318 : * Local blinding: store the unblinding factor in BN_BLINDING.
319 : */
320 381 : return BN_BLINDING_convert_ex(f, NULL, b, ctx);
321 : else {
322 : /*
323 : * Shared blinding: store the unblinding factor outside BN_BLINDING.
324 : */
325 : int ret;
326 0 : CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
327 0 : ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
328 0 : CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
329 0 : return ret;
330 : }
331 : }
332 :
333 : static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
334 : BN_CTX *ctx)
335 : {
336 : /*
337 : * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
338 : * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
339 : * is shared between threads, unblind must be non-null:
340 : * BN_BLINDING_invert_ex will then use the local unblinding factor, and
341 : * will only read the modulus from BN_BLINDING. In both cases it's safe
342 : * to access the blinding without a lock.
343 : */
344 381 : return BN_BLINDING_invert_ex(f, unblind, b, ctx);
345 : }
346 :
347 : /* signing */
348 381 : static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
349 : unsigned char *to, RSA *rsa, int padding)
350 : {
351 : BIGNUM *f, *ret, *res;
352 : int i, j, k, num = 0, r = -1;
353 : unsigned char *buf = NULL;
354 : BN_CTX *ctx = NULL;
355 381 : int local_blinding = 0;
356 : /*
357 : * Used only if the blinding structure is shared. A non-NULL unblind
358 : * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
359 : * the unblinding factor outside the blinding structure.
360 : */
361 : BIGNUM *unblind = NULL;
362 : BN_BLINDING *blinding = NULL;
363 :
364 381 : if ((ctx = BN_CTX_new()) == NULL)
365 : goto err;
366 381 : BN_CTX_start(ctx);
367 381 : f = BN_CTX_get(ctx);
368 381 : ret = BN_CTX_get(ctx);
369 381 : num = BN_num_bytes(rsa->n);
370 381 : buf = OPENSSL_malloc(num);
371 381 : if (!f || !ret || !buf) {
372 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
373 0 : goto err;
374 : }
375 :
376 381 : switch (padding) {
377 : case RSA_PKCS1_PADDING:
378 381 : i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
379 381 : break;
380 : case RSA_X931_PADDING:
381 0 : i = RSA_padding_add_X931(buf, num, from, flen);
382 0 : break;
383 : case RSA_NO_PADDING:
384 0 : i = RSA_padding_add_none(buf, num, from, flen);
385 0 : break;
386 : case RSA_SSLV23_PADDING:
387 : default:
388 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
389 0 : goto err;
390 : }
391 381 : if (i <= 0)
392 : goto err;
393 :
394 381 : if (BN_bin2bn(buf, num, f) == NULL)
395 : goto err;
396 :
397 381 : if (BN_ucmp(f, rsa->n) >= 0) {
398 : /* usually the padding functions would catch this */
399 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
400 : RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
401 0 : goto err;
402 : }
403 :
404 381 : if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
405 381 : blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
406 381 : if (blinding == NULL) {
407 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
408 0 : goto err;
409 : }
410 : }
411 :
412 381 : if (blinding != NULL) {
413 381 : if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
414 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
415 0 : goto err;
416 : }
417 381 : if (!rsa_blinding_convert(blinding, f, unblind, ctx))
418 : goto err;
419 : }
420 :
421 762 : if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
422 762 : ((rsa->p != NULL) &&
423 762 : (rsa->q != NULL) &&
424 762 : (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
425 381 : if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
426 : goto err;
427 : } else {
428 : BIGNUM local_d;
429 : BIGNUM *d = NULL;
430 :
431 0 : if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
432 0 : BN_init(&local_d);
433 : d = &local_d;
434 0 : BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
435 : } else
436 0 : d = rsa->d;
437 :
438 0 : if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
439 0 : if (!BN_MONT_CTX_set_locked
440 0 : (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
441 : goto err;
442 :
443 0 : if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
444 : rsa->_method_mod_n))
445 : goto err;
446 : }
447 :
448 381 : if (blinding)
449 381 : if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
450 : goto err;
451 :
452 381 : if (padding == RSA_X931_PADDING) {
453 0 : BN_sub(f, rsa->n, ret);
454 0 : if (BN_cmp(ret, f) > 0)
455 : res = f;
456 : else
457 : res = ret;
458 : } else
459 : res = ret;
460 :
461 : /*
462 : * put in leading 0 bytes if the number is less than the length of the
463 : * modulus
464 : */
465 381 : j = BN_num_bytes(res);
466 381 : i = BN_bn2bin(res, &(to[num - j]));
467 383 : for (k = 0; k < (num - i); k++)
468 2 : to[k] = 0;
469 :
470 : r = num;
471 : err:
472 381 : if (ctx != NULL) {
473 381 : BN_CTX_end(ctx);
474 381 : BN_CTX_free(ctx);
475 : }
476 381 : if (buf != NULL) {
477 381 : OPENSSL_cleanse(buf, num);
478 381 : OPENSSL_free(buf);
479 : }
480 381 : return (r);
481 : }
482 :
483 0 : static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
484 : unsigned char *to, RSA *rsa, int padding)
485 : {
486 : BIGNUM *f, *ret;
487 : int j, num = 0, r = -1;
488 : unsigned char *p;
489 : unsigned char *buf = NULL;
490 : BN_CTX *ctx = NULL;
491 0 : int local_blinding = 0;
492 : /*
493 : * Used only if the blinding structure is shared. A non-NULL unblind
494 : * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
495 : * the unblinding factor outside the blinding structure.
496 : */
497 : BIGNUM *unblind = NULL;
498 : BN_BLINDING *blinding = NULL;
499 :
500 0 : if ((ctx = BN_CTX_new()) == NULL)
501 : goto err;
502 0 : BN_CTX_start(ctx);
503 0 : f = BN_CTX_get(ctx);
504 0 : ret = BN_CTX_get(ctx);
505 0 : num = BN_num_bytes(rsa->n);
506 0 : buf = OPENSSL_malloc(num);
507 0 : if (!f || !ret || !buf) {
508 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
509 0 : goto err;
510 : }
511 :
512 : /*
513 : * This check was for equality but PGP does evil things and chops off the
514 : * top '0' bytes
515 : */
516 0 : if (flen > num) {
517 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
518 : RSA_R_DATA_GREATER_THAN_MOD_LEN);
519 0 : goto err;
520 : }
521 :
522 : /* make data into a big number */
523 0 : if (BN_bin2bn(from, (int)flen, f) == NULL)
524 : goto err;
525 :
526 0 : if (BN_ucmp(f, rsa->n) >= 0) {
527 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
528 : RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
529 0 : goto err;
530 : }
531 :
532 0 : if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
533 0 : blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
534 0 : if (blinding == NULL) {
535 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
536 0 : goto err;
537 : }
538 : }
539 :
540 0 : if (blinding != NULL) {
541 0 : if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
542 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
543 0 : goto err;
544 : }
545 0 : if (!rsa_blinding_convert(blinding, f, unblind, ctx))
546 : goto err;
547 : }
548 :
549 : /* do the decrypt */
550 0 : if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
551 0 : ((rsa->p != NULL) &&
552 0 : (rsa->q != NULL) &&
553 0 : (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
554 0 : if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
555 : goto err;
556 : } else {
557 : BIGNUM local_d;
558 : BIGNUM *d = NULL;
559 :
560 0 : if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
561 : d = &local_d;
562 0 : BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
563 : } else
564 0 : d = rsa->d;
565 :
566 0 : if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
567 0 : if (!BN_MONT_CTX_set_locked
568 0 : (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
569 : goto err;
570 0 : if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
571 : rsa->_method_mod_n))
572 : goto err;
573 : }
574 :
575 0 : if (blinding)
576 0 : if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
577 : goto err;
578 :
579 : p = buf;
580 0 : j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
581 :
582 0 : switch (padding) {
583 : case RSA_PKCS1_PADDING:
584 0 : r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
585 0 : break;
586 : # ifndef OPENSSL_NO_SHA
587 : case RSA_PKCS1_OAEP_PADDING:
588 0 : r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
589 0 : break;
590 : # endif
591 : case RSA_SSLV23_PADDING:
592 0 : r = RSA_padding_check_SSLv23(to, num, buf, j, num);
593 0 : break;
594 : case RSA_NO_PADDING:
595 0 : r = RSA_padding_check_none(to, num, buf, j, num);
596 0 : break;
597 : default:
598 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
599 0 : goto err;
600 : }
601 0 : if (r < 0)
602 0 : RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
603 :
604 : err:
605 0 : if (ctx != NULL) {
606 0 : BN_CTX_end(ctx);
607 0 : BN_CTX_free(ctx);
608 : }
609 0 : if (buf != NULL) {
610 0 : OPENSSL_cleanse(buf, num);
611 0 : OPENSSL_free(buf);
612 : }
613 0 : return (r);
614 : }
615 :
616 : /* signature verification */
617 746 : static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
618 : unsigned char *to, RSA *rsa, int padding)
619 : {
620 : BIGNUM *f, *ret;
621 : int i, num = 0, r = -1;
622 : unsigned char *p;
623 : unsigned char *buf = NULL;
624 : BN_CTX *ctx = NULL;
625 :
626 746 : if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
627 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
628 0 : return -1;
629 : }
630 :
631 746 : if (BN_ucmp(rsa->n, rsa->e) <= 0) {
632 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
633 0 : return -1;
634 : }
635 :
636 : /* for large moduli, enforce exponent limit */
637 746 : if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
638 0 : if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
639 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
640 0 : return -1;
641 : }
642 : }
643 :
644 746 : if ((ctx = BN_CTX_new()) == NULL)
645 : goto err;
646 746 : BN_CTX_start(ctx);
647 746 : f = BN_CTX_get(ctx);
648 746 : ret = BN_CTX_get(ctx);
649 746 : num = BN_num_bytes(rsa->n);
650 746 : buf = OPENSSL_malloc(num);
651 746 : if (!f || !ret || !buf) {
652 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
653 0 : goto err;
654 : }
655 :
656 : /*
657 : * This check was for equality but PGP does evil things and chops off the
658 : * top '0' bytes
659 : */
660 746 : if (flen > num) {
661 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
662 0 : goto err;
663 : }
664 :
665 746 : if (BN_bin2bn(from, flen, f) == NULL)
666 : goto err;
667 :
668 746 : if (BN_ucmp(f, rsa->n) >= 0) {
669 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
670 : RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
671 0 : goto err;
672 : }
673 :
674 746 : if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
675 746 : if (!BN_MONT_CTX_set_locked
676 746 : (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
677 : goto err;
678 :
679 746 : if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
680 : rsa->_method_mod_n))
681 : goto err;
682 :
683 746 : if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
684 0 : if (!BN_sub(ret, rsa->n, ret))
685 : goto err;
686 :
687 : p = buf;
688 746 : i = BN_bn2bin(ret, p);
689 :
690 746 : switch (padding) {
691 : case RSA_PKCS1_PADDING:
692 746 : r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
693 746 : break;
694 : case RSA_X931_PADDING:
695 0 : r = RSA_padding_check_X931(to, num, buf, i, num);
696 0 : break;
697 : case RSA_NO_PADDING:
698 0 : r = RSA_padding_check_none(to, num, buf, i, num);
699 0 : break;
700 : default:
701 0 : RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
702 0 : goto err;
703 : }
704 746 : if (r < 0)
705 1 : RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
706 :
707 : err:
708 746 : if (ctx != NULL) {
709 746 : BN_CTX_end(ctx);
710 746 : BN_CTX_free(ctx);
711 : }
712 746 : if (buf != NULL) {
713 746 : OPENSSL_cleanse(buf, num);
714 746 : OPENSSL_free(buf);
715 : }
716 746 : return (r);
717 : }
718 :
719 381 : static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
720 : {
721 : BIGNUM *r1, *m1, *vrfy;
722 : BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
723 : BIGNUM *dmp1, *dmq1, *c, *pr1;
724 : int ret = 0;
725 :
726 381 : BN_CTX_start(ctx);
727 381 : r1 = BN_CTX_get(ctx);
728 381 : m1 = BN_CTX_get(ctx);
729 381 : vrfy = BN_CTX_get(ctx);
730 :
731 : {
732 : BIGNUM local_p, local_q;
733 : BIGNUM *p = NULL, *q = NULL;
734 :
735 : /*
736 : * Make sure BN_mod_inverse in Montgomery intialization uses the
737 : * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
738 : */
739 381 : if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
740 381 : BN_init(&local_p);
741 : p = &local_p;
742 381 : BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
743 :
744 381 : BN_init(&local_q);
745 : q = &local_q;
746 381 : BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
747 : } else {
748 0 : p = rsa->p;
749 0 : q = rsa->q;
750 : }
751 :
752 381 : if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
753 381 : if (!BN_MONT_CTX_set_locked
754 381 : (&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
755 : goto err;
756 381 : if (!BN_MONT_CTX_set_locked
757 381 : (&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
758 : goto err;
759 : }
760 : }
761 :
762 381 : if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
763 381 : if (!BN_MONT_CTX_set_locked
764 381 : (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
765 : goto err;
766 :
767 : /* compute I mod q */
768 381 : if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
769 : c = &local_c;
770 381 : BN_with_flags(c, I, BN_FLG_CONSTTIME);
771 381 : if (!BN_mod(r1, c, rsa->q, ctx))
772 : goto err;
773 : } else {
774 0 : if (!BN_mod(r1, I, rsa->q, ctx))
775 : goto err;
776 : }
777 :
778 : /* compute r1^dmq1 mod q */
779 381 : if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
780 : dmq1 = &local_dmq1;
781 381 : BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
782 : } else
783 0 : dmq1 = rsa->dmq1;
784 381 : if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q))
785 : goto err;
786 :
787 : /* compute I mod p */
788 381 : if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
789 : c = &local_c;
790 381 : BN_with_flags(c, I, BN_FLG_CONSTTIME);
791 381 : if (!BN_mod(r1, c, rsa->p, ctx))
792 : goto err;
793 : } else {
794 0 : if (!BN_mod(r1, I, rsa->p, ctx))
795 : goto err;
796 : }
797 :
798 : /* compute r1^dmp1 mod p */
799 381 : if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
800 : dmp1 = &local_dmp1;
801 381 : BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
802 : } else
803 0 : dmp1 = rsa->dmp1;
804 381 : if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p))
805 : goto err;
806 :
807 381 : if (!BN_sub(r0, r0, m1))
808 : goto err;
809 : /*
810 : * This will help stop the size of r0 increasing, which does affect the
811 : * multiply if it optimised for a power of 2 size
812 : */
813 381 : if (BN_is_negative(r0))
814 181 : if (!BN_add(r0, r0, rsa->p))
815 : goto err;
816 :
817 381 : if (!BN_mul(r1, r0, rsa->iqmp, ctx))
818 : goto err;
819 :
820 : /* Turn BN_FLG_CONSTTIME flag on before division operation */
821 381 : if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
822 : pr1 = &local_r1;
823 381 : BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
824 : } else
825 : pr1 = r1;
826 381 : if (!BN_mod(r0, pr1, rsa->p, ctx))
827 : goto err;
828 :
829 : /*
830 : * If p < q it is occasionally possible for the correction of adding 'p'
831 : * if r0 is negative above to leave the result still negative. This can
832 : * break the private key operations: the following second correction
833 : * should *always* correct this rare occurrence. This will *never* happen
834 : * with OpenSSL generated keys because they ensure p > q [steve]
835 : */
836 381 : if (BN_is_negative(r0))
837 0 : if (!BN_add(r0, r0, rsa->p))
838 : goto err;
839 381 : if (!BN_mul(r1, r0, rsa->q, ctx))
840 : goto err;
841 381 : if (!BN_add(r0, r1, m1))
842 : goto err;
843 :
844 381 : if (rsa->e && rsa->n) {
845 381 : if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
846 : rsa->_method_mod_n))
847 : goto err;
848 : /*
849 : * If 'I' was greater than (or equal to) rsa->n, the operation will
850 : * be equivalent to using 'I mod n'. However, the result of the
851 : * verify will *always* be less than 'n' so we don't check for
852 : * absolute equality, just congruency.
853 : */
854 381 : if (!BN_sub(vrfy, vrfy, I))
855 : goto err;
856 381 : if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
857 : goto err;
858 381 : if (BN_is_negative(vrfy))
859 0 : if (!BN_add(vrfy, vrfy, rsa->n))
860 : goto err;
861 381 : if (!BN_is_zero(vrfy)) {
862 : /*
863 : * 'I' and 'vrfy' aren't congruent mod n. Don't leak
864 : * miscalculated CRT output, just do a raw (slower) mod_exp and
865 : * return that instead.
866 : */
867 :
868 : BIGNUM local_d;
869 : BIGNUM *d = NULL;
870 :
871 0 : if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
872 : d = &local_d;
873 0 : BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
874 : } else
875 0 : d = rsa->d;
876 0 : if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
877 : rsa->_method_mod_n))
878 : goto err;
879 : }
880 : }
881 : ret = 1;
882 : err:
883 381 : BN_CTX_end(ctx);
884 381 : return (ret);
885 : }
886 :
887 1592 : static int RSA_eay_init(RSA *rsa)
888 : {
889 1592 : rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
890 1592 : return (1);
891 : }
892 :
893 1592 : static int RSA_eay_finish(RSA *rsa)
894 : {
895 1592 : if (rsa->_method_mod_n != NULL)
896 1049 : BN_MONT_CTX_free(rsa->_method_mod_n);
897 1592 : if (rsa->_method_mod_p != NULL)
898 345 : BN_MONT_CTX_free(rsa->_method_mod_p);
899 1592 : if (rsa->_method_mod_q != NULL)
900 345 : BN_MONT_CTX_free(rsa->_method_mod_q);
901 1592 : return (1);
902 : }
903 :
904 : #endif
|