OLD | NEW |
| (Empty) |
1 /* crypto/rsa/rsa_eay.c */ | |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
3 * All rights reserved. | |
4 * | |
5 * This package is an SSL implementation written | |
6 * by Eric Young (eay@cryptsoft.com). | |
7 * The implementation was written so as to conform with Netscapes SSL. | |
8 * | |
9 * This library is free for commercial and non-commercial use as long as | |
10 * the following conditions are aheared to. The following conditions | |
11 * apply to all code found in this distribution, be it the RC4, RSA, | |
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 * included with this distribution is covered by the same copyright terms | |
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 * | |
16 * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 * the code are not to be removed. | |
18 * If this package is used in a product, Eric Young should be given attribution | |
19 * as the author of the parts of the library used. | |
20 * This can be in the form of a textual message at program startup or | |
21 * in documentation (online or textual) provided with the package. | |
22 * | |
23 * Redistribution and use in source and binary forms, with or without | |
24 * modification, are permitted provided that the following conditions | |
25 * are met: | |
26 * 1. Redistributions of source code must retain the copyright | |
27 * notice, this list of conditions and the following disclaimer. | |
28 * 2. Redistributions in binary form must reproduce the above copyright | |
29 * notice, this list of conditions and the following disclaimer in the | |
30 * documentation and/or other materials provided with the distribution. | |
31 * 3. All advertising materials mentioning features or use of this software | |
32 * must display the following acknowledgement: | |
33 * "This product includes cryptographic software written by | |
34 * Eric Young (eay@cryptsoft.com)" | |
35 * The word 'cryptographic' can be left out if the rouines from the library | |
36 * being used are not cryptographic related :-). | |
37 * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 * the apps directory (application code) you must include an acknowledgement: | |
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 * | |
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 * SUCH DAMAGE. | |
52 * | |
53 * The licence and distribution terms for any publically available version or | |
54 * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 * copied and put under another distribution licence | |
56 * [including the GNU Public Licence.] | |
57 */ | |
58 /* ==================================================================== | |
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. | |
60 * | |
61 * Redistribution and use in source and binary forms, with or without | |
62 * modification, are permitted provided that the following conditions | |
63 * are met: | |
64 * | |
65 * 1. Redistributions of source code must retain the above copyright | |
66 * notice, this list of conditions and the following disclaimer. | |
67 * | |
68 * 2. Redistributions in binary form must reproduce the above copyright | |
69 * notice, this list of conditions and the following disclaimer in | |
70 * the documentation and/or other materials provided with the | |
71 * distribution. | |
72 * | |
73 * 3. All advertising materials mentioning features or use of this | |
74 * software must display the following acknowledgment: | |
75 * "This product includes software developed by the OpenSSL Project | |
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
77 * | |
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
79 * endorse or promote products derived from this software without | |
80 * prior written permission. For written permission, please contact | |
81 * openssl-core@openssl.org. | |
82 * | |
83 * 5. Products derived from this software may not be called "OpenSSL" | |
84 * nor may "OpenSSL" appear in their names without prior written | |
85 * permission of the OpenSSL Project. | |
86 * | |
87 * 6. Redistributions of any form whatsoever must retain the following | |
88 * acknowledgment: | |
89 * "This product includes software developed by the OpenSSL Project | |
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
91 * | |
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
103 * OF THE POSSIBILITY OF SUCH DAMAGE. | |
104 * ==================================================================== | |
105 * | |
106 * This product includes cryptographic software written by Eric Young | |
107 * (eay@cryptsoft.com). This product includes software written by Tim | |
108 * Hudson (tjh@cryptsoft.com). | |
109 * | |
110 */ | |
111 | |
112 #include <stdio.h> | |
113 #include "cryptlib.h" | |
114 #include <openssl/bn.h> | |
115 #include <openssl/rsa.h> | |
116 #include <openssl/rand.h> | |
117 | |
118 #ifndef RSA_NULL | |
119 | |
120 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, | |
121 unsigned char *to, RSA *rsa,int padding); | |
122 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, | |
123 unsigned char *to, RSA *rsa,int padding); | |
124 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, | |
125 unsigned char *to, RSA *rsa,int padding); | |
126 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, | |
127 unsigned char *to, RSA *rsa,int padding); | |
128 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); | |
129 static int RSA_eay_init(RSA *rsa); | |
130 static int RSA_eay_finish(RSA *rsa); | |
131 static RSA_METHOD rsa_pkcs1_eay_meth={ | |
132 "Eric Young's PKCS#1 RSA", | |
133 RSA_eay_public_encrypt, | |
134 RSA_eay_public_decrypt, /* signature verification */ | |
135 RSA_eay_private_encrypt, /* signing */ | |
136 RSA_eay_private_decrypt, | |
137 RSA_eay_mod_exp, | |
138 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3
*/ | |
139 RSA_eay_init, | |
140 RSA_eay_finish, | |
141 0, /* flags */ | |
142 NULL, | |
143 0, /* rsa_sign */ | |
144 0, /* rsa_verify */ | |
145 NULL /* rsa_keygen */ | |
146 }; | |
147 | |
148 const RSA_METHOD *RSA_PKCS1_SSLeay(void) | |
149 { | |
150 return(&rsa_pkcs1_eay_meth); | |
151 } | |
152 | |
153 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, | |
154 unsigned char *to, RSA *rsa, int padding) | |
155 { | |
156 BIGNUM *f,*ret; | |
157 int i,j,k,num=0,r= -1; | |
158 unsigned char *buf=NULL; | |
159 BN_CTX *ctx=NULL; | |
160 | |
161 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) | |
162 { | |
163 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); | |
164 return -1; | |
165 } | |
166 | |
167 if (BN_ucmp(rsa->n, rsa->e) <= 0) | |
168 { | |
169 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); | |
170 return -1; | |
171 } | |
172 | |
173 /* for large moduli, enforce exponent limit */ | |
174 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) | |
175 { | |
176 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) | |
177 { | |
178 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); | |
179 return -1; | |
180 } | |
181 } | |
182 | |
183 if ((ctx=BN_CTX_new()) == NULL) goto err; | |
184 BN_CTX_start(ctx); | |
185 f = BN_CTX_get(ctx); | |
186 ret = BN_CTX_get(ctx); | |
187 num=BN_num_bytes(rsa->n); | |
188 buf = OPENSSL_malloc(num); | |
189 if (!f || !ret || !buf) | |
190 { | |
191 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); | |
192 goto err; | |
193 } | |
194 | |
195 switch (padding) | |
196 { | |
197 case RSA_PKCS1_PADDING: | |
198 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); | |
199 break; | |
200 #ifndef OPENSSL_NO_SHA | |
201 case RSA_PKCS1_OAEP_PADDING: | |
202 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); | |
203 break; | |
204 #endif | |
205 case RSA_SSLV23_PADDING: | |
206 i=RSA_padding_add_SSLv23(buf,num,from,flen); | |
207 break; | |
208 case RSA_NO_PADDING: | |
209 i=RSA_padding_add_none(buf,num,from,flen); | |
210 break; | |
211 default: | |
212 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | |
213 goto err; | |
214 } | |
215 if (i <= 0) goto err; | |
216 | |
217 if (BN_bin2bn(buf,num,f) == NULL) goto err; | |
218 | |
219 if (BN_ucmp(f, rsa->n) >= 0) | |
220 { | |
221 /* usually the padding functions would catch this */ | |
222 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MOD
ULUS); | |
223 goto err; | |
224 } | |
225 | |
226 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
227 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA
, rsa->n, ctx)) | |
228 goto err; | |
229 | |
230 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, | |
231 rsa->_method_mod_n)) goto err; | |
232 | |
233 /* put in leading 0 bytes if the number is less than the | |
234 * length of the modulus */ | |
235 j=BN_num_bytes(ret); | |
236 i=BN_bn2bin(ret,&(to[num-j])); | |
237 for (k=0; k<(num-i); k++) | |
238 to[k]=0; | |
239 | |
240 r=num; | |
241 err: | |
242 if (ctx != NULL) | |
243 { | |
244 BN_CTX_end(ctx); | |
245 BN_CTX_free(ctx); | |
246 } | |
247 if (buf != NULL) | |
248 { | |
249 OPENSSL_cleanse(buf,num); | |
250 OPENSSL_free(buf); | |
251 } | |
252 return(r); | |
253 } | |
254 | |
255 static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) | |
256 { | |
257 BN_BLINDING *ret; | |
258 int got_write_lock = 0; | |
259 CRYPTO_THREADID cur; | |
260 | |
261 CRYPTO_r_lock(CRYPTO_LOCK_RSA); | |
262 | |
263 if (rsa->blinding == NULL) | |
264 { | |
265 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); | |
266 CRYPTO_w_lock(CRYPTO_LOCK_RSA); | |
267 got_write_lock = 1; | |
268 | |
269 if (rsa->blinding == NULL) | |
270 rsa->blinding = RSA_setup_blinding(rsa, ctx); | |
271 } | |
272 | |
273 ret = rsa->blinding; | |
274 if (ret == NULL) | |
275 goto err; | |
276 | |
277 CRYPTO_THREADID_current(&cur); | |
278 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) | |
279 { | |
280 /* rsa->blinding is ours! */ | |
281 | |
282 *local = 1; | |
283 } | |
284 else | |
285 { | |
286 /* resort to rsa->mt_blinding instead */ | |
287 | |
288 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_in
vert() | |
289 * that the BN_BLINDING is shared, meaning that acce
sses | |
290 * require locks, and that the blinding factor must
be | |
291 * stored outside the BN_BLINDING | |
292 */ | |
293 | |
294 if (rsa->mt_blinding == NULL) | |
295 { | |
296 if (!got_write_lock) | |
297 { | |
298 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); | |
299 CRYPTO_w_lock(CRYPTO_LOCK_RSA); | |
300 got_write_lock = 1; | |
301 } | |
302 | |
303 if (rsa->mt_blinding == NULL) | |
304 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); | |
305 } | |
306 ret = rsa->mt_blinding; | |
307 } | |
308 | |
309 err: | |
310 if (got_write_lock) | |
311 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | |
312 else | |
313 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); | |
314 return ret; | |
315 } | |
316 | |
317 static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, | |
318 BN_CTX *ctx) | |
319 { | |
320 if (unblind == NULL) | |
321 /* Local blinding: store the unblinding factor | |
322 * in BN_BLINDING. */ | |
323 return BN_BLINDING_convert_ex(f, NULL, b, ctx); | |
324 else | |
325 { | |
326 /* Shared blinding: store the unblinding factor | |
327 * outside BN_BLINDING. */ | |
328 int ret; | |
329 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); | |
330 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); | |
331 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); | |
332 return ret; | |
333 } | |
334 } | |
335 | |
336 static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, | |
337 BN_CTX *ctx) | |
338 { | |
339 /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex | |
340 * will use the unblinding factor stored in BN_BLINDING. | |
341 * If BN_BLINDING is shared between threads, unblind must be non-null: | |
342 * BN_BLINDING_invert_ex will then use the local unblinding factor, | |
343 * and will only read the modulus from BN_BLINDING. | |
344 * In both cases it's safe to access the blinding without a lock. | |
345 */ | |
346 return BN_BLINDING_invert_ex(f, unblind, b, ctx); | |
347 } | |
348 | |
349 /* signing */ | |
350 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, | |
351 unsigned char *to, RSA *rsa, int padding) | |
352 { | |
353 BIGNUM *f, *ret, *res; | |
354 int i,j,k,num=0,r= -1; | |
355 unsigned char *buf=NULL; | |
356 BN_CTX *ctx=NULL; | |
357 int local_blinding = 0; | |
358 /* Used only if the blinding structure is shared. A non-NULL unblind | |
359 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
360 * the unblinding factor outside the blinding structure. */ | |
361 BIGNUM *unblind = NULL; | |
362 BN_BLINDING *blinding = NULL; | |
363 | |
364 if ((ctx=BN_CTX_new()) == NULL) goto err; | |
365 BN_CTX_start(ctx); | |
366 f = BN_CTX_get(ctx); | |
367 ret = BN_CTX_get(ctx); | |
368 num = BN_num_bytes(rsa->n); | |
369 buf = OPENSSL_malloc(num); | |
370 if(!f || !ret || !buf) | |
371 { | |
372 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); | |
373 goto err; | |
374 } | |
375 | |
376 switch (padding) | |
377 { | |
378 case RSA_PKCS1_PADDING: | |
379 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); | |
380 break; | |
381 case RSA_X931_PADDING: | |
382 i=RSA_padding_add_X931(buf,num,from,flen); | |
383 break; | |
384 case RSA_NO_PADDING: | |
385 i=RSA_padding_add_none(buf,num,from,flen); | |
386 break; | |
387 case RSA_SSLV23_PADDING: | |
388 default: | |
389 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE)
; | |
390 goto err; | |
391 } | |
392 if (i <= 0) goto err; | |
393 | |
394 if (BN_bin2bn(buf,num,f) == NULL) goto err; | |
395 | |
396 if (BN_ucmp(f, rsa->n) >= 0) | |
397 { | |
398 /* usually the padding functions would catch this */ | |
399 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MO
DULUS); | |
400 goto err; | |
401 } | |
402 | |
403 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) | |
404 { | |
405 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
406 if (blinding == NULL) | |
407 { | |
408 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERR
OR); | |
409 goto err; | |
410 } | |
411 } | |
412 | |
413 if (blinding != NULL) | |
414 { | |
415 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) | |
416 { | |
417 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILUR
E); | |
418 goto err; | |
419 } | |
420 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
421 goto err; | |
422 } | |
423 | |
424 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || | |
425 ((rsa->p != NULL) && | |
426 (rsa->q != NULL) && | |
427 (rsa->dmp1 != NULL) && | |
428 (rsa->dmq1 != NULL) && | |
429 (rsa->iqmp != NULL)) ) | |
430 { | |
431 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; | |
432 } | |
433 else | |
434 { | |
435 BIGNUM local_d; | |
436 BIGNUM *d = NULL; | |
437 | |
438 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | |
439 { | |
440 BN_init(&local_d); | |
441 d = &local_d; | |
442 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | |
443 } | |
444 else | |
445 d= rsa->d; | |
446 | |
447 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
448 if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_L
OCK_RSA, rsa->n, ctx)) | |
449 goto err; | |
450 | |
451 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, | |
452 rsa->_method_mod_n)) goto err; | |
453 } | |
454 | |
455 if (blinding) | |
456 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | |
457 goto err; | |
458 | |
459 if (padding == RSA_X931_PADDING) | |
460 { | |
461 BN_sub(f, rsa->n, ret); | |
462 if (BN_cmp(ret, f)) | |
463 res = f; | |
464 else | |
465 res = ret; | |
466 } | |
467 else | |
468 res = ret; | |
469 | |
470 /* put in leading 0 bytes if the number is less than the | |
471 * length of the modulus */ | |
472 j=BN_num_bytes(res); | |
473 i=BN_bn2bin(res,&(to[num-j])); | |
474 for (k=0; k<(num-i); k++) | |
475 to[k]=0; | |
476 | |
477 r=num; | |
478 err: | |
479 if (ctx != NULL) | |
480 { | |
481 BN_CTX_end(ctx); | |
482 BN_CTX_free(ctx); | |
483 } | |
484 if (buf != NULL) | |
485 { | |
486 OPENSSL_cleanse(buf,num); | |
487 OPENSSL_free(buf); | |
488 } | |
489 return(r); | |
490 } | |
491 | |
492 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, | |
493 unsigned char *to, RSA *rsa, int padding) | |
494 { | |
495 BIGNUM *f, *ret; | |
496 int j,num=0,r= -1; | |
497 unsigned char *p; | |
498 unsigned char *buf=NULL; | |
499 BN_CTX *ctx=NULL; | |
500 int local_blinding = 0; | |
501 /* Used only if the blinding structure is shared. A non-NULL unblind | |
502 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
503 * the unblinding factor outside the blinding structure. */ | |
504 BIGNUM *unblind = NULL; | |
505 BN_BLINDING *blinding = NULL; | |
506 | |
507 if((ctx = BN_CTX_new()) == NULL) goto err; | |
508 BN_CTX_start(ctx); | |
509 f = BN_CTX_get(ctx); | |
510 ret = BN_CTX_get(ctx); | |
511 num = BN_num_bytes(rsa->n); | |
512 buf = OPENSSL_malloc(num); | |
513 if(!f || !ret || !buf) | |
514 { | |
515 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); | |
516 goto err; | |
517 } | |
518 | |
519 /* This check was for equality but PGP does evil things | |
520 * and chops off the top '0' bytes */ | |
521 if (flen > num) | |
522 { | |
523 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD
_LEN); | |
524 goto err; | |
525 } | |
526 | |
527 /* make data into a big number */ | |
528 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; | |
529 | |
530 if (BN_ucmp(f, rsa->n) >= 0) | |
531 { | |
532 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MO
DULUS); | |
533 goto err; | |
534 } | |
535 | |
536 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) | |
537 { | |
538 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
539 if (blinding == NULL) | |
540 { | |
541 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERR
OR); | |
542 goto err; | |
543 } | |
544 } | |
545 | |
546 if (blinding != NULL) | |
547 { | |
548 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) | |
549 { | |
550 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILUR
E); | |
551 goto err; | |
552 } | |
553 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
554 goto err; | |
555 } | |
556 | |
557 /* do the decrypt */ | |
558 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || | |
559 ((rsa->p != NULL) && | |
560 (rsa->q != NULL) && | |
561 (rsa->dmp1 != NULL) && | |
562 (rsa->dmq1 != NULL) && | |
563 (rsa->iqmp != NULL)) ) | |
564 { | |
565 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; | |
566 } | |
567 else | |
568 { | |
569 BIGNUM local_d; | |
570 BIGNUM *d = NULL; | |
571 | |
572 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | |
573 { | |
574 d = &local_d; | |
575 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | |
576 } | |
577 else | |
578 d = rsa->d; | |
579 | |
580 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
581 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_
LOCK_RSA, rsa->n, ctx)) | |
582 goto err; | |
583 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, | |
584 rsa->_method_mod_n)) | |
585 goto err; | |
586 } | |
587 | |
588 if (blinding) | |
589 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | |
590 goto err; | |
591 | |
592 p=buf; | |
593 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ | |
594 | |
595 switch (padding) | |
596 { | |
597 case RSA_PKCS1_PADDING: | |
598 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); | |
599 break; | |
600 #ifndef OPENSSL_NO_SHA | |
601 case RSA_PKCS1_OAEP_PADDING: | |
602 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); | |
603 break; | |
604 #endif | |
605 case RSA_SSLV23_PADDING: | |
606 r=RSA_padding_check_SSLv23(to,num,buf,j,num); | |
607 break; | |
608 case RSA_NO_PADDING: | |
609 r=RSA_padding_check_none(to,num,buf,j,num); | |
610 break; | |
611 default: | |
612 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE)
; | |
613 goto err; | |
614 } | |
615 if (r < 0) | |
616 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED)
; | |
617 | |
618 err: | |
619 if (ctx != NULL) | |
620 { | |
621 BN_CTX_end(ctx); | |
622 BN_CTX_free(ctx); | |
623 } | |
624 if (buf != NULL) | |
625 { | |
626 OPENSSL_cleanse(buf,num); | |
627 OPENSSL_free(buf); | |
628 } | |
629 return(r); | |
630 } | |
631 | |
632 /* signature verification */ | |
633 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, | |
634 unsigned char *to, RSA *rsa, int padding) | |
635 { | |
636 BIGNUM *f,*ret; | |
637 int i,num=0,r= -1; | |
638 unsigned char *p; | |
639 unsigned char *buf=NULL; | |
640 BN_CTX *ctx=NULL; | |
641 | |
642 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) | |
643 { | |
644 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); | |
645 return -1; | |
646 } | |
647 | |
648 if (BN_ucmp(rsa->n, rsa->e) <= 0) | |
649 { | |
650 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); | |
651 return -1; | |
652 } | |
653 | |
654 /* for large moduli, enforce exponent limit */ | |
655 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) | |
656 { | |
657 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) | |
658 { | |
659 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); | |
660 return -1; | |
661 } | |
662 } | |
663 | |
664 if((ctx = BN_CTX_new()) == NULL) goto err; | |
665 BN_CTX_start(ctx); | |
666 f = BN_CTX_get(ctx); | |
667 ret = BN_CTX_get(ctx); | |
668 num=BN_num_bytes(rsa->n); | |
669 buf = OPENSSL_malloc(num); | |
670 if(!f || !ret || !buf) | |
671 { | |
672 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); | |
673 goto err; | |
674 } | |
675 | |
676 /* This check was for equality but PGP does evil things | |
677 * and chops off the top '0' bytes */ | |
678 if (flen > num) | |
679 { | |
680 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_
LEN); | |
681 goto err; | |
682 } | |
683 | |
684 if (BN_bin2bn(from,flen,f) == NULL) goto err; | |
685 | |
686 if (BN_ucmp(f, rsa->n) >= 0) | |
687 { | |
688 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MOD
ULUS); | |
689 goto err; | |
690 } | |
691 | |
692 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
693 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA
, rsa->n, ctx)) | |
694 goto err; | |
695 | |
696 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, | |
697 rsa->_method_mod_n)) goto err; | |
698 | |
699 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) | |
700 if (!BN_sub(ret, rsa->n, ret)) goto err; | |
701 | |
702 p=buf; | |
703 i=BN_bn2bin(ret,p); | |
704 | |
705 switch (padding) | |
706 { | |
707 case RSA_PKCS1_PADDING: | |
708 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); | |
709 break; | |
710 case RSA_X931_PADDING: | |
711 r=RSA_padding_check_X931(to,num,buf,i,num); | |
712 break; | |
713 case RSA_NO_PADDING: | |
714 r=RSA_padding_check_none(to,num,buf,i,num); | |
715 break; | |
716 default: | |
717 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | |
718 goto err; | |
719 } | |
720 if (r < 0) | |
721 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); | |
722 | |
723 err: | |
724 if (ctx != NULL) | |
725 { | |
726 BN_CTX_end(ctx); | |
727 BN_CTX_free(ctx); | |
728 } | |
729 if (buf != NULL) | |
730 { | |
731 OPENSSL_cleanse(buf,num); | |
732 OPENSSL_free(buf); | |
733 } | |
734 return(r); | |
735 } | |
736 | |
737 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) | |
738 { | |
739 BIGNUM *r1,*m1,*vrfy; | |
740 BIGNUM local_dmp1,local_dmq1,local_c,local_r1; | |
741 BIGNUM *dmp1,*dmq1,*c,*pr1; | |
742 int ret=0; | |
743 | |
744 BN_CTX_start(ctx); | |
745 r1 = BN_CTX_get(ctx); | |
746 m1 = BN_CTX_get(ctx); | |
747 vrfy = BN_CTX_get(ctx); | |
748 | |
749 { | |
750 BIGNUM local_p, local_q; | |
751 BIGNUM *p = NULL, *q = NULL; | |
752 | |
753 /* Make sure BN_mod_inverse in Montgomery intialization uses the | |
754 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) | |
755 */ | |
756 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | |
757 { | |
758 BN_init(&local_p); | |
759 p = &local_p; | |
760 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); | |
761 | |
762 BN_init(&local_q); | |
763 q = &local_q; | |
764 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); | |
765 } | |
766 else | |
767 { | |
768 p = rsa->p; | |
769 q = rsa->q; | |
770 } | |
771 | |
772 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) | |
773 { | |
774 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_
LOCK_RSA, p, ctx)) | |
775 goto err; | |
776 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_
LOCK_RSA, q, ctx)) | |
777 goto err; | |
778 } | |
779 } | |
780 | |
781 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
782 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA
, rsa->n, ctx)) | |
783 goto err; | |
784 | |
785 /* compute I mod q */ | |
786 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | |
787 { | |
788 c = &local_c; | |
789 BN_with_flags(c, I, BN_FLG_CONSTTIME); | |
790 if (!BN_mod(r1,c,rsa->q,ctx)) goto err; | |
791 } | |
792 else | |
793 { | |
794 if (!BN_mod(r1,I,rsa->q,ctx)) goto err; | |
795 } | |
796 | |
797 /* compute r1^dmq1 mod q */ | |
798 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | |
799 { | |
800 dmq1 = &local_dmq1; | |
801 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); | |
802 } | |
803 else | |
804 dmq1 = rsa->dmq1; | |
805 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, | |
806 rsa->_method_mod_q)) goto err; | |
807 | |
808 /* compute I mod p */ | |
809 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | |
810 { | |
811 c = &local_c; | |
812 BN_with_flags(c, I, BN_FLG_CONSTTIME); | |
813 if (!BN_mod(r1,c,rsa->p,ctx)) goto err; | |
814 } | |
815 else | |
816 { | |
817 if (!BN_mod(r1,I,rsa->p,ctx)) goto err; | |
818 } | |
819 | |
820 /* compute r1^dmp1 mod p */ | |
821 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | |
822 { | |
823 dmp1 = &local_dmp1; | |
824 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); | |
825 } | |
826 else | |
827 dmp1 = rsa->dmp1; | |
828 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, | |
829 rsa->_method_mod_p)) goto err; | |
830 | |
831 if (!BN_sub(r0,r0,m1)) goto err; | |
832 /* This will help stop the size of r0 increasing, which does | |
833 * affect the multiply if it optimised for a power of 2 size */ | |
834 if (BN_is_negative(r0)) | |
835 if (!BN_add(r0,r0,rsa->p)) goto err; | |
836 | |
837 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; | |
838 | |
839 /* Turn BN_FLG_CONSTTIME flag on before division operation */ | |
840 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | |
841 { | |
842 pr1 = &local_r1; | |
843 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); | |
844 } | |
845 else | |
846 pr1 = r1; | |
847 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; | |
848 | |
849 /* If p < q it is occasionally possible for the correction of | |
850 * adding 'p' if r0 is negative above to leave the result still | |
851 * negative. This can break the private key operations: the following | |
852 * second correction should *always* correct this rare occurrence. | |
853 * This will *never* happen with OpenSSL generated keys because | |
854 * they ensure p > q [steve] | |
855 */ | |
856 if (BN_is_negative(r0)) | |
857 if (!BN_add(r0,r0,rsa->p)) goto err; | |
858 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; | |
859 if (!BN_add(r0,r1,m1)) goto err; | |
860 | |
861 if (rsa->e && rsa->n) | |
862 { | |
863 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_metho
d_mod_n)) goto err; | |
864 /* If 'I' was greater than (or equal to) rsa->n, the operation | |
865 * will be equivalent to using 'I mod n'. However, the result of | |
866 * the verify will *always* be less than 'n' so we don't check | |
867 * for absolute equality, just congruency. */ | |
868 if (!BN_sub(vrfy, vrfy, I)) goto err; | |
869 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; | |
870 if (BN_is_negative(vrfy)) | |
871 if (!BN_add(vrfy, vrfy, rsa->n)) goto err; | |
872 if (!BN_is_zero(vrfy)) | |
873 { | |
874 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak | |
875 * miscalculated CRT output, just do a raw (slower) | |
876 * mod_exp and return that instead. */ | |
877 | |
878 BIGNUM local_d; | |
879 BIGNUM *d = NULL; | |
880 | |
881 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | |
882 { | |
883 d = &local_d; | |
884 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | |
885 } | |
886 else | |
887 d = rsa->d; | |
888 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, | |
889 rsa->_method_mod_n)) goto err
; | |
890 } | |
891 } | |
892 ret=1; | |
893 err: | |
894 BN_CTX_end(ctx); | |
895 return(ret); | |
896 } | |
897 | |
898 static int RSA_eay_init(RSA *rsa) | |
899 { | |
900 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; | |
901 return(1); | |
902 } | |
903 | |
904 static int RSA_eay_finish(RSA *rsa) | |
905 { | |
906 if (rsa->_method_mod_n != NULL) | |
907 BN_MONT_CTX_free(rsa->_method_mod_n); | |
908 if (rsa->_method_mod_p != NULL) | |
909 BN_MONT_CTX_free(rsa->_method_mod_p); | |
910 if (rsa->_method_mod_q != NULL) | |
911 BN_MONT_CTX_free(rsa->_method_mod_q); | |
912 return(1); | |
913 } | |
914 | |
915 #endif | |
OLD | NEW |