155099Skris/* crypto/rsa/rsa_eay.c */ 255099Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355099Skris * All rights reserved. 455099Skris * 555099Skris * This package is an SSL implementation written 655099Skris * by Eric Young (eay@cryptsoft.com). 755099Skris * The implementation was written so as to conform with Netscapes SSL. 8296341Sdelphij * 955099Skris * This library is free for commercial and non-commercial use as long as 1055099Skris * the following conditions are aheared to. The following conditions 1155099Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255099Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355099Skris * included with this distribution is covered by the same copyright terms 1455099Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15296341Sdelphij * 1655099Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755099Skris * the code are not to be removed. 1855099Skris * If this package is used in a product, Eric Young should be given attribution 1955099Skris * as the author of the parts of the library used. 2055099Skris * This can be in the form of a textual message at program startup or 2155099Skris * in documentation (online or textual) provided with the package. 22296341Sdelphij * 2355099Skris * Redistribution and use in source and binary forms, with or without 2455099Skris * modification, are permitted provided that the following conditions 2555099Skris * are met: 2655099Skris * 1. Redistributions of source code must retain the copyright 2755099Skris * notice, this list of conditions and the following disclaimer. 2855099Skris * 2. Redistributions in binary form must reproduce the above copyright 2955099Skris * notice, this list of conditions and the following disclaimer in the 3055099Skris * documentation and/or other materials provided with the distribution. 3155099Skris * 3. All advertising materials mentioning features or use of this software 3255099Skris * must display the following acknowledgement: 3355099Skris * "This product includes cryptographic software written by 3455099Skris * Eric Young (eay@cryptsoft.com)" 3555099Skris * The word 'cryptographic' can be left out if the rouines from the library 3655099Skris * being used are not cryptographic related :-). 37296341Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from 3855099Skris * the apps directory (application code) you must include an acknowledgement: 3955099Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40296341Sdelphij * 4155099Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255099Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355099Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455099Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555099Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655099Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755099Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855099Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955099Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055099Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155099Skris * SUCH DAMAGE. 52296341Sdelphij * 5355099Skris * The licence and distribution terms for any publically available version or 5455099Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555099Skris * copied and put under another distribution licence 5655099Skris * [including the GNU Public Licence.] 5755099Skris */ 58160817Ssimon/* ==================================================================== 59162914Ssimon * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60160817Ssimon * 61160817Ssimon * Redistribution and use in source and binary forms, with or without 62160817Ssimon * modification, are permitted provided that the following conditions 63160817Ssimon * are met: 64160817Ssimon * 65160817Ssimon * 1. Redistributions of source code must retain the above copyright 66296341Sdelphij * notice, this list of conditions and the following disclaimer. 67160817Ssimon * 68160817Ssimon * 2. Redistributions in binary form must reproduce the above copyright 69160817Ssimon * notice, this list of conditions and the following disclaimer in 70160817Ssimon * the documentation and/or other materials provided with the 71160817Ssimon * distribution. 72160817Ssimon * 73160817Ssimon * 3. All advertising materials mentioning features or use of this 74160817Ssimon * software must display the following acknowledgment: 75160817Ssimon * "This product includes software developed by the OpenSSL Project 76160817Ssimon * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77160817Ssimon * 78160817Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79160817Ssimon * endorse or promote products derived from this software without 80160817Ssimon * prior written permission. For written permission, please contact 81160817Ssimon * openssl-core@openssl.org. 82160817Ssimon * 83160817Ssimon * 5. Products derived from this software may not be called "OpenSSL" 84160817Ssimon * nor may "OpenSSL" appear in their names without prior written 85160817Ssimon * permission of the OpenSSL Project. 86160817Ssimon * 87160817Ssimon * 6. Redistributions of any form whatsoever must retain the following 88160817Ssimon * acknowledgment: 89160817Ssimon * "This product includes software developed by the OpenSSL Project 90160817Ssimon * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91160817Ssimon * 92160817Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93160817Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94160817Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95160817Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96160817Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97160817Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98160817Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99160817Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100160817Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101160817Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102160817Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103160817Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 104160817Ssimon * ==================================================================== 105160817Ssimon * 106160817Ssimon * This product includes cryptographic software written by Eric Young 107160817Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 108160817Ssimon * Hudson (tjh@cryptsoft.com). 109160817Ssimon * 110160817Ssimon */ 11155099Skris 11255099Skris#include <stdio.h> 11355099Skris#include "cryptlib.h" 11455099Skris#include <openssl/bn.h> 11555099Skris#include <openssl/rsa.h> 11655099Skris#include <openssl/rand.h> 11755099Skris 118238405Sjkim#ifndef RSA_NULL 11968654Skris 120110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 121296341Sdelphij unsigned char *to, RSA *rsa, int padding); 122110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 123296341Sdelphij unsigned char *to, RSA *rsa, int padding); 124110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 125296341Sdelphij unsigned char *to, RSA *rsa, int padding); 126110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 127296341Sdelphij unsigned char *to, RSA *rsa, int padding); 128296341Sdelphijstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, 129296341Sdelphij BN_CTX *ctx); 13055099Skrisstatic int RSA_eay_init(RSA *rsa); 13155099Skrisstatic int RSA_eay_finish(RSA *rsa); 132296341Sdelphijstatic RSA_METHOD rsa_pkcs1_eay_meth = { 133296341Sdelphij "Eric Young's PKCS#1 RSA", 134296341Sdelphij RSA_eay_public_encrypt, 135296341Sdelphij RSA_eay_public_decrypt, /* signature verification */ 136296341Sdelphij RSA_eay_private_encrypt, /* signing */ 137296341Sdelphij RSA_eay_private_decrypt, 138296341Sdelphij RSA_eay_mod_exp, 139296341Sdelphij BN_mod_exp_mont, /* XXX probably we should not use Montgomery 140296341Sdelphij * if e == 3 */ 141296341Sdelphij RSA_eay_init, 142296341Sdelphij RSA_eay_finish, 143296341Sdelphij 0, /* flags */ 144296341Sdelphij NULL, 145296341Sdelphij 0, /* rsa_sign */ 146296341Sdelphij 0, /* rsa_verify */ 147296341Sdelphij NULL /* rsa_keygen */ 148296341Sdelphij}; 14955099Skris 150110007Smarkmconst RSA_METHOD *RSA_PKCS1_SSLeay(void) 151296341Sdelphij{ 152296341Sdelphij return (&rsa_pkcs1_eay_meth); 153296341Sdelphij} 15455099Skris 155110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 156296341Sdelphij unsigned char *to, RSA *rsa, int padding) 157296341Sdelphij{ 158296341Sdelphij BIGNUM *f, *ret; 159296341Sdelphij int i, j, k, num = 0, r = -1; 160296341Sdelphij unsigned char *buf = NULL; 161296341Sdelphij BN_CTX *ctx = NULL; 16255099Skris 163296341Sdelphij if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 164296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 165296341Sdelphij return -1; 166296341Sdelphij } 167162914Ssimon 168296341Sdelphij if (BN_ucmp(rsa->n, rsa->e) <= 0) { 169296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 170296341Sdelphij return -1; 171296341Sdelphij } 172162914Ssimon 173296341Sdelphij /* for large moduli, enforce exponent limit */ 174296341Sdelphij if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 175296341Sdelphij if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 176296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 177296341Sdelphij return -1; 178296341Sdelphij } 179296341Sdelphij } 18055099Skris 181296341Sdelphij if ((ctx = BN_CTX_new()) == NULL) 182296341Sdelphij goto err; 183296341Sdelphij BN_CTX_start(ctx); 184296341Sdelphij f = BN_CTX_get(ctx); 185296341Sdelphij ret = BN_CTX_get(ctx); 186296341Sdelphij num = BN_num_bytes(rsa->n); 187296341Sdelphij buf = OPENSSL_malloc(num); 188296341Sdelphij if (!f || !ret || !buf) { 189296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 190296341Sdelphij goto err; 191296341Sdelphij } 19255099Skris 193296341Sdelphij switch (padding) { 194296341Sdelphij case RSA_PKCS1_PADDING: 195296341Sdelphij i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 196296341Sdelphij break; 197296341Sdelphij# ifndef OPENSSL_NO_SHA 198296341Sdelphij case RSA_PKCS1_OAEP_PADDING: 199296341Sdelphij i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 200296341Sdelphij break; 201296341Sdelphij# endif 202296341Sdelphij case RSA_SSLV23_PADDING: 203296341Sdelphij i = RSA_padding_add_SSLv23(buf, num, from, flen); 204296341Sdelphij break; 205296341Sdelphij case RSA_NO_PADDING: 206296341Sdelphij i = RSA_padding_add_none(buf, num, from, flen); 207296341Sdelphij break; 208296341Sdelphij default: 209296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 210296341Sdelphij goto err; 211296341Sdelphij } 212296341Sdelphij if (i <= 0) 213296341Sdelphij goto err; 21489840Skris 215296341Sdelphij if (BN_bin2bn(buf, num, f) == NULL) 216296341Sdelphij goto err; 217160817Ssimon 218296341Sdelphij if (BN_ucmp(f, rsa->n) >= 0) { 219296341Sdelphij /* usually the padding functions would catch this */ 220296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 221296341Sdelphij RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 222296341Sdelphij goto err; 223296341Sdelphij } 22455099Skris 225296341Sdelphij if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 226296341Sdelphij if (!BN_MONT_CTX_set_locked 227296341Sdelphij (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 228296341Sdelphij goto err; 22955099Skris 230296341Sdelphij if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 231296341Sdelphij rsa->_method_mod_n)) 232296341Sdelphij goto err; 23355099Skris 234296341Sdelphij /* 235296341Sdelphij * put in leading 0 bytes if the number is less than the length of the 236296341Sdelphij * modulus 237296341Sdelphij */ 238296341Sdelphij j = BN_num_bytes(ret); 239296341Sdelphij i = BN_bn2bin(ret, &(to[num - j])); 240296341Sdelphij for (k = 0; k < (num - i); k++) 241296341Sdelphij to[k] = 0; 242296341Sdelphij 243296341Sdelphij r = num; 244296341Sdelphij err: 245296341Sdelphij if (ctx != NULL) { 246296341Sdelphij BN_CTX_end(ctx); 247296341Sdelphij BN_CTX_free(ctx); 248296341Sdelphij } 249296341Sdelphij if (buf != NULL) { 250296341Sdelphij OPENSSL_cleanse(buf, num); 251296341Sdelphij OPENSSL_free(buf); 252296341Sdelphij } 253296341Sdelphij return (r); 254296341Sdelphij} 255296341Sdelphij 256162914Ssimonstatic BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 257160817Ssimon{ 258296341Sdelphij BN_BLINDING *ret; 259296341Sdelphij int got_write_lock = 0; 260296341Sdelphij CRYPTO_THREADID cur; 261112446Sjedgar 262296341Sdelphij CRYPTO_r_lock(CRYPTO_LOCK_RSA); 263162914Ssimon 264296341Sdelphij if (rsa->blinding == NULL) { 265296341Sdelphij CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 266296341Sdelphij CRYPTO_w_lock(CRYPTO_LOCK_RSA); 267296341Sdelphij got_write_lock = 1; 268162914Ssimon 269296341Sdelphij if (rsa->blinding == NULL) 270296341Sdelphij rsa->blinding = RSA_setup_blinding(rsa, ctx); 271296341Sdelphij } 272112446Sjedgar 273296341Sdelphij ret = rsa->blinding; 274296341Sdelphij if (ret == NULL) 275296341Sdelphij goto err; 276120635Snectar 277296341Sdelphij CRYPTO_THREADID_current(&cur); 278296341Sdelphij if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 279296341Sdelphij /* rsa->blinding is ours! */ 280162914Ssimon 281296341Sdelphij *local = 1; 282296341Sdelphij } else { 283296341Sdelphij /* resort to rsa->mt_blinding instead */ 284162914Ssimon 285296341Sdelphij /* 286296341Sdelphij * instructs rsa_blinding_convert(), rsa_blinding_invert() that the 287296341Sdelphij * BN_BLINDING is shared, meaning that accesses require locks, and 288296341Sdelphij * that the blinding factor must be stored outside the BN_BLINDING 289296341Sdelphij */ 290296341Sdelphij *local = 0; 291162914Ssimon 292296341Sdelphij if (rsa->mt_blinding == NULL) { 293296341Sdelphij if (!got_write_lock) { 294296341Sdelphij CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 295296341Sdelphij CRYPTO_w_lock(CRYPTO_LOCK_RSA); 296296341Sdelphij got_write_lock = 1; 297296341Sdelphij } 298162914Ssimon 299296341Sdelphij if (rsa->mt_blinding == NULL) 300296341Sdelphij rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 301296341Sdelphij } 302296341Sdelphij ret = rsa->mt_blinding; 303296341Sdelphij } 304296341Sdelphij 305162914Ssimon err: 306296341Sdelphij if (got_write_lock) 307296341Sdelphij CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 308296341Sdelphij else 309296341Sdelphij CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 310296341Sdelphij return ret; 311160817Ssimon} 312120635Snectar 313237657Sjkimstatic int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 314296341Sdelphij BN_CTX *ctx) 315296341Sdelphij{ 316296341Sdelphij if (unblind == NULL) 317296341Sdelphij /* 318296341Sdelphij * Local blinding: store the unblinding factor in BN_BLINDING. 319296341Sdelphij */ 320296341Sdelphij return BN_BLINDING_convert_ex(f, NULL, b, ctx); 321296341Sdelphij else { 322296341Sdelphij /* 323296341Sdelphij * Shared blinding: store the unblinding factor outside BN_BLINDING. 324296341Sdelphij */ 325296341Sdelphij int ret; 326296341Sdelphij CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 327296341Sdelphij ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 328296341Sdelphij CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 329296341Sdelphij return ret; 330296341Sdelphij } 331296341Sdelphij} 332120635Snectar 333237657Sjkimstatic int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 334296341Sdelphij BN_CTX *ctx) 335296341Sdelphij{ 336296341Sdelphij /* 337296341Sdelphij * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 338296341Sdelphij * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING 339296341Sdelphij * is shared between threads, unblind must be non-null: 340296341Sdelphij * BN_BLINDING_invert_ex will then use the local unblinding factor, and 341296341Sdelphij * will only read the modulus from BN_BLINDING. In both cases it's safe 342296341Sdelphij * to access the blinding without a lock. 343296341Sdelphij */ 344296341Sdelphij return BN_BLINDING_invert_ex(f, unblind, b, ctx); 345296341Sdelphij} 346237657Sjkim 34789840Skris/* signing */ 348110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 349296341Sdelphij unsigned char *to, RSA *rsa, int padding) 350296341Sdelphij{ 351296341Sdelphij BIGNUM *f, *ret, *res; 352296341Sdelphij int i, j, k, num = 0, r = -1; 353296341Sdelphij unsigned char *buf = NULL; 354296341Sdelphij BN_CTX *ctx = NULL; 355296341Sdelphij int local_blinding = 0; 356296341Sdelphij /* 357296341Sdelphij * Used only if the blinding structure is shared. A non-NULL unblind 358296341Sdelphij * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 359296341Sdelphij * the unblinding factor outside the blinding structure. 360296341Sdelphij */ 361296341Sdelphij BIGNUM *unblind = NULL; 362296341Sdelphij BN_BLINDING *blinding = NULL; 36355099Skris 364296341Sdelphij if ((ctx = BN_CTX_new()) == NULL) 365296341Sdelphij goto err; 366296341Sdelphij BN_CTX_start(ctx); 367296341Sdelphij f = BN_CTX_get(ctx); 368296341Sdelphij ret = BN_CTX_get(ctx); 369296341Sdelphij num = BN_num_bytes(rsa->n); 370296341Sdelphij buf = OPENSSL_malloc(num); 371296341Sdelphij if (!f || !ret || !buf) { 372296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 373296341Sdelphij goto err; 374296341Sdelphij } 37555099Skris 376296341Sdelphij switch (padding) { 377296341Sdelphij case RSA_PKCS1_PADDING: 378296341Sdelphij i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 379296341Sdelphij break; 380296341Sdelphij case RSA_X931_PADDING: 381296341Sdelphij i = RSA_padding_add_X931(buf, num, from, flen); 382296341Sdelphij break; 383296341Sdelphij case RSA_NO_PADDING: 384296341Sdelphij i = RSA_padding_add_none(buf, num, from, flen); 385296341Sdelphij break; 386296341Sdelphij case RSA_SSLV23_PADDING: 387296341Sdelphij default: 388296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 389296341Sdelphij goto err; 390296341Sdelphij } 391296341Sdelphij if (i <= 0) 392296341Sdelphij goto err; 39355099Skris 394296341Sdelphij if (BN_bin2bn(buf, num, f) == NULL) 395296341Sdelphij goto err; 39655099Skris 397296341Sdelphij if (BN_ucmp(f, rsa->n) >= 0) { 398296341Sdelphij /* usually the padding functions would catch this */ 399296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 400296341Sdelphij RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 401296341Sdelphij goto err; 402296341Sdelphij } 403112446Sjedgar 404296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 405296341Sdelphij blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 406296341Sdelphij if (blinding == NULL) { 407296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 408296341Sdelphij goto err; 409296341Sdelphij } 410296341Sdelphij } 411160817Ssimon 412296341Sdelphij if (blinding != NULL) { 413296341Sdelphij if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 414296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 415296341Sdelphij goto err; 416296341Sdelphij } 417296341Sdelphij if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 418296341Sdelphij goto err; 419296341Sdelphij } 420160817Ssimon 421296341Sdelphij if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 422296341Sdelphij ((rsa->p != NULL) && 423296341Sdelphij (rsa->q != NULL) && 424296341Sdelphij (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 425296341Sdelphij if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 426296341Sdelphij goto err; 427296341Sdelphij } else { 428296341Sdelphij BIGNUM local_d; 429296341Sdelphij BIGNUM *d = NULL; 43055099Skris 431296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 432296341Sdelphij BN_init(&local_d); 433296341Sdelphij d = &local_d; 434296341Sdelphij BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 435296341Sdelphij } else 436296341Sdelphij d = rsa->d; 43755099Skris 438296341Sdelphij if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 439296341Sdelphij if (!BN_MONT_CTX_set_locked 440296341Sdelphij (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 441296341Sdelphij goto err; 442160817Ssimon 443296341Sdelphij if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 444296341Sdelphij rsa->_method_mod_n)) 445296341Sdelphij goto err; 446296341Sdelphij } 44755099Skris 448296341Sdelphij if (blinding) 449296341Sdelphij if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 450296341Sdelphij goto err; 45155099Skris 452296341Sdelphij if (padding == RSA_X931_PADDING) { 453296341Sdelphij BN_sub(f, rsa->n, ret); 454296341Sdelphij if (BN_cmp(ret, f) > 0) 455296341Sdelphij res = f; 456296341Sdelphij else 457296341Sdelphij res = ret; 458296341Sdelphij } else 459296341Sdelphij res = ret; 460296341Sdelphij 461296341Sdelphij /* 462296341Sdelphij * put in leading 0 bytes if the number is less than the length of the 463296341Sdelphij * modulus 464296341Sdelphij */ 465296341Sdelphij j = BN_num_bytes(res); 466296341Sdelphij i = BN_bn2bin(res, &(to[num - j])); 467296341Sdelphij for (k = 0; k < (num - i); k++) 468296341Sdelphij to[k] = 0; 469296341Sdelphij 470296341Sdelphij r = num; 471296341Sdelphij err: 472296341Sdelphij if (ctx != NULL) { 473296341Sdelphij BN_CTX_end(ctx); 474296341Sdelphij BN_CTX_free(ctx); 475296341Sdelphij } 476296341Sdelphij if (buf != NULL) { 477296341Sdelphij OPENSSL_cleanse(buf, num); 478296341Sdelphij OPENSSL_free(buf); 479296341Sdelphij } 480296341Sdelphij return (r); 481296341Sdelphij} 482296341Sdelphij 483110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 484296341Sdelphij unsigned char *to, RSA *rsa, int padding) 485296341Sdelphij{ 486296341Sdelphij BIGNUM *f, *ret; 487296341Sdelphij int j, num = 0, r = -1; 488296341Sdelphij unsigned char *p; 489296341Sdelphij unsigned char *buf = NULL; 490296341Sdelphij BN_CTX *ctx = NULL; 491296341Sdelphij int local_blinding = 0; 492296341Sdelphij /* 493296341Sdelphij * Used only if the blinding structure is shared. A non-NULL unblind 494296341Sdelphij * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 495296341Sdelphij * the unblinding factor outside the blinding structure. 496296341Sdelphij */ 497296341Sdelphij BIGNUM *unblind = NULL; 498296341Sdelphij BN_BLINDING *blinding = NULL; 49955099Skris 500296341Sdelphij if ((ctx = BN_CTX_new()) == NULL) 501296341Sdelphij goto err; 502296341Sdelphij BN_CTX_start(ctx); 503296341Sdelphij f = BN_CTX_get(ctx); 504296341Sdelphij ret = BN_CTX_get(ctx); 505296341Sdelphij num = BN_num_bytes(rsa->n); 506296341Sdelphij buf = OPENSSL_malloc(num); 507296341Sdelphij if (!f || !ret || !buf) { 508296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 509296341Sdelphij goto err; 510296341Sdelphij } 51155099Skris 512296341Sdelphij /* 513296341Sdelphij * This check was for equality but PGP does evil things and chops off the 514296341Sdelphij * top '0' bytes 515296341Sdelphij */ 516296341Sdelphij if (flen > num) { 517296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 518296341Sdelphij RSA_R_DATA_GREATER_THAN_MOD_LEN); 519296341Sdelphij goto err; 520296341Sdelphij } 52155099Skris 522296341Sdelphij /* make data into a big number */ 523296341Sdelphij if (BN_bin2bn(from, (int)flen, f) == NULL) 524296341Sdelphij goto err; 52555099Skris 526296341Sdelphij if (BN_ucmp(f, rsa->n) >= 0) { 527296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 528296341Sdelphij RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 529296341Sdelphij goto err; 530296341Sdelphij } 53189840Skris 532296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 533296341Sdelphij blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 534296341Sdelphij if (blinding == NULL) { 535296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 536296341Sdelphij goto err; 537296341Sdelphij } 538296341Sdelphij } 539112446Sjedgar 540296341Sdelphij if (blinding != NULL) { 541296341Sdelphij if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 542296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 543296341Sdelphij goto err; 544296341Sdelphij } 545296341Sdelphij if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 546296341Sdelphij goto err; 547296341Sdelphij } 548160817Ssimon 549296341Sdelphij /* do the decrypt */ 550296341Sdelphij if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 551296341Sdelphij ((rsa->p != NULL) && 552296341Sdelphij (rsa->q != NULL) && 553296341Sdelphij (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 554296341Sdelphij if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 555296341Sdelphij goto err; 556296341Sdelphij } else { 557296341Sdelphij BIGNUM local_d; 558296341Sdelphij BIGNUM *d = NULL; 55955099Skris 560296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 561296341Sdelphij d = &local_d; 562296341Sdelphij BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 563296341Sdelphij } else 564296341Sdelphij d = rsa->d; 56555099Skris 566296341Sdelphij if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 567296341Sdelphij if (!BN_MONT_CTX_set_locked 568296341Sdelphij (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 569296341Sdelphij goto err; 570296341Sdelphij if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 571296341Sdelphij rsa->_method_mod_n)) 572296341Sdelphij goto err; 573296341Sdelphij } 57455099Skris 575296341Sdelphij if (blinding) 576296341Sdelphij if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 577296341Sdelphij goto err; 57855099Skris 579296341Sdelphij p = buf; 580296341Sdelphij j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 58155099Skris 582296341Sdelphij switch (padding) { 583296341Sdelphij case RSA_PKCS1_PADDING: 584296341Sdelphij r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 585296341Sdelphij break; 586296341Sdelphij# ifndef OPENSSL_NO_SHA 587296341Sdelphij case RSA_PKCS1_OAEP_PADDING: 588296341Sdelphij r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 589296341Sdelphij break; 590296341Sdelphij# endif 591296341Sdelphij case RSA_SSLV23_PADDING: 592296341Sdelphij r = RSA_padding_check_SSLv23(to, num, buf, j, num); 593296341Sdelphij break; 594296341Sdelphij case RSA_NO_PADDING: 595296341Sdelphij r = RSA_padding_check_none(to, num, buf, j, num); 596296341Sdelphij break; 597296341Sdelphij default: 598296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 599296341Sdelphij goto err; 600296341Sdelphij } 601296341Sdelphij if (r < 0) 602296341Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 603296341Sdelphij 604296341Sdelphij err: 605296341Sdelphij if (ctx != NULL) { 606296341Sdelphij BN_CTX_end(ctx); 607296341Sdelphij BN_CTX_free(ctx); 608296341Sdelphij } 609296341Sdelphij if (buf != NULL) { 610296341Sdelphij OPENSSL_cleanse(buf, num); 611296341Sdelphij OPENSSL_free(buf); 612296341Sdelphij } 613296341Sdelphij return (r); 614296341Sdelphij} 615296341Sdelphij 61689840Skris/* signature verification */ 617110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 618296341Sdelphij unsigned char *to, RSA *rsa, int padding) 619296341Sdelphij{ 620296341Sdelphij BIGNUM *f, *ret; 621296341Sdelphij int i, num = 0, r = -1; 622296341Sdelphij unsigned char *p; 623296341Sdelphij unsigned char *buf = NULL; 624296341Sdelphij BN_CTX *ctx = NULL; 62555099Skris 626296341Sdelphij if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 627296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 628296341Sdelphij return -1; 629296341Sdelphij } 630162914Ssimon 631296341Sdelphij if (BN_ucmp(rsa->n, rsa->e) <= 0) { 632296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 633296341Sdelphij return -1; 634296341Sdelphij } 635162914Ssimon 636296341Sdelphij /* for large moduli, enforce exponent limit */ 637296341Sdelphij if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 638296341Sdelphij if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 639296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 640296341Sdelphij return -1; 641296341Sdelphij } 642296341Sdelphij } 64355099Skris 644296341Sdelphij if ((ctx = BN_CTX_new()) == NULL) 645296341Sdelphij goto err; 646296341Sdelphij BN_CTX_start(ctx); 647296341Sdelphij f = BN_CTX_get(ctx); 648296341Sdelphij ret = BN_CTX_get(ctx); 649296341Sdelphij num = BN_num_bytes(rsa->n); 650296341Sdelphij buf = OPENSSL_malloc(num); 651296341Sdelphij if (!f || !ret || !buf) { 652296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 653296341Sdelphij goto err; 654296341Sdelphij } 65555099Skris 656296341Sdelphij /* 657296341Sdelphij * This check was for equality but PGP does evil things and chops off the 658296341Sdelphij * top '0' bytes 659296341Sdelphij */ 660296341Sdelphij if (flen > num) { 661296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); 662296341Sdelphij goto err; 663296341Sdelphij } 66489840Skris 665296341Sdelphij if (BN_bin2bn(from, flen, f) == NULL) 666296341Sdelphij goto err; 66789840Skris 668296341Sdelphij if (BN_ucmp(f, rsa->n) >= 0) { 669296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 670296341Sdelphij RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 671296341Sdelphij goto err; 672296341Sdelphij } 673160817Ssimon 674296341Sdelphij if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 675296341Sdelphij if (!BN_MONT_CTX_set_locked 676296341Sdelphij (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 677296341Sdelphij goto err; 67855099Skris 679296341Sdelphij if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 680296341Sdelphij rsa->_method_mod_n)) 681296341Sdelphij goto err; 682160817Ssimon 683296341Sdelphij if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 684296341Sdelphij if (!BN_sub(ret, rsa->n, ret)) 685296341Sdelphij goto err; 68655099Skris 687296341Sdelphij p = buf; 688296341Sdelphij i = BN_bn2bin(ret, p); 68955099Skris 690296341Sdelphij switch (padding) { 691296341Sdelphij case RSA_PKCS1_PADDING: 692296341Sdelphij r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 693296341Sdelphij break; 694296341Sdelphij case RSA_X931_PADDING: 695296341Sdelphij r = RSA_padding_check_X931(to, num, buf, i, num); 696296341Sdelphij break; 697296341Sdelphij case RSA_NO_PADDING: 698296341Sdelphij r = RSA_padding_check_none(to, num, buf, i, num); 699296341Sdelphij break; 700296341Sdelphij default: 701296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 702296341Sdelphij goto err; 703296341Sdelphij } 704296341Sdelphij if (r < 0) 705296341Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 70655099Skris 707296341Sdelphij err: 708296341Sdelphij if (ctx != NULL) { 709296341Sdelphij BN_CTX_end(ctx); 710296341Sdelphij BN_CTX_free(ctx); 711296341Sdelphij } 712296341Sdelphij if (buf != NULL) { 713296341Sdelphij OPENSSL_cleanse(buf, num); 714296341Sdelphij OPENSSL_free(buf); 715296341Sdelphij } 716296341Sdelphij return (r); 717296341Sdelphij} 718296341Sdelphij 719160817Ssimonstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 720296341Sdelphij{ 721296341Sdelphij BIGNUM *r1, *m1, *vrfy; 722296341Sdelphij BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 723296341Sdelphij BIGNUM *dmp1, *dmq1, *c, *pr1; 724296341Sdelphij int ret = 0; 72555099Skris 726296341Sdelphij BN_CTX_start(ctx); 727296341Sdelphij r1 = BN_CTX_get(ctx); 728296341Sdelphij m1 = BN_CTX_get(ctx); 729296341Sdelphij vrfy = BN_CTX_get(ctx); 73055099Skris 731296341Sdelphij { 732296341Sdelphij BIGNUM local_p, local_q; 733296341Sdelphij BIGNUM *p = NULL, *q = NULL; 734160817Ssimon 735296341Sdelphij /* 736296341Sdelphij * Make sure BN_mod_inverse in Montgomery intialization uses the 737296341Sdelphij * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 738296341Sdelphij */ 739296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 740296341Sdelphij BN_init(&local_p); 741296341Sdelphij p = &local_p; 742296341Sdelphij BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 743194206Ssimon 744296341Sdelphij BN_init(&local_q); 745296341Sdelphij q = &local_q; 746296341Sdelphij BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 747296341Sdelphij } else { 748296341Sdelphij p = rsa->p; 749296341Sdelphij q = rsa->q; 750296341Sdelphij } 751194206Ssimon 752296341Sdelphij if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 753296341Sdelphij if (!BN_MONT_CTX_set_locked 754296341Sdelphij (&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) 755296341Sdelphij goto err; 756296341Sdelphij if (!BN_MONT_CTX_set_locked 757296341Sdelphij (&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) 758296341Sdelphij goto err; 759296341Sdelphij } 760296341Sdelphij } 761194206Ssimon 762296341Sdelphij if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 763296341Sdelphij if (!BN_MONT_CTX_set_locked 764296341Sdelphij (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 765296341Sdelphij goto err; 766194206Ssimon 767296341Sdelphij /* compute I mod q */ 768296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 769296341Sdelphij c = &local_c; 770296341Sdelphij BN_with_flags(c, I, BN_FLG_CONSTTIME); 771296341Sdelphij if (!BN_mod(r1, c, rsa->q, ctx)) 772296341Sdelphij goto err; 773296341Sdelphij } else { 774296341Sdelphij if (!BN_mod(r1, I, rsa->q, ctx)) 775296341Sdelphij goto err; 776296341Sdelphij } 777194206Ssimon 778296341Sdelphij /* compute r1^dmq1 mod q */ 779296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 780296341Sdelphij dmq1 = &local_dmq1; 781296341Sdelphij BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 782296341Sdelphij } else 783296341Sdelphij dmq1 = rsa->dmq1; 784296341Sdelphij if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) 785296341Sdelphij goto err; 78655099Skris 787296341Sdelphij /* compute I mod p */ 788296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 789296341Sdelphij c = &local_c; 790296341Sdelphij BN_with_flags(c, I, BN_FLG_CONSTTIME); 791296341Sdelphij if (!BN_mod(r1, c, rsa->p, ctx)) 792296341Sdelphij goto err; 793296341Sdelphij } else { 794296341Sdelphij if (!BN_mod(r1, I, rsa->p, ctx)) 795296341Sdelphij goto err; 796296341Sdelphij } 797194206Ssimon 798296341Sdelphij /* compute r1^dmp1 mod p */ 799296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 800296341Sdelphij dmp1 = &local_dmp1; 801296341Sdelphij BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 802296341Sdelphij } else 803296341Sdelphij dmp1 = rsa->dmp1; 804296341Sdelphij if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) 805296341Sdelphij goto err; 80655099Skris 807296341Sdelphij if (!BN_sub(r0, r0, m1)) 808296341Sdelphij goto err; 809296341Sdelphij /* 810296341Sdelphij * This will help stop the size of r0 increasing, which does affect the 811296341Sdelphij * multiply if it optimised for a power of 2 size 812296341Sdelphij */ 813296341Sdelphij if (BN_is_negative(r0)) 814296341Sdelphij if (!BN_add(r0, r0, rsa->p)) 815296341Sdelphij goto err; 81655099Skris 817296341Sdelphij if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 818296341Sdelphij goto err; 819194206Ssimon 820296341Sdelphij /* Turn BN_FLG_CONSTTIME flag on before division operation */ 821296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 822296341Sdelphij pr1 = &local_r1; 823296341Sdelphij BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 824296341Sdelphij } else 825296341Sdelphij pr1 = r1; 826296341Sdelphij if (!BN_mod(r0, pr1, rsa->p, ctx)) 827296341Sdelphij goto err; 828194206Ssimon 829296341Sdelphij /* 830296341Sdelphij * If p < q it is occasionally possible for the correction of adding 'p' 831296341Sdelphij * if r0 is negative above to leave the result still negative. This can 832296341Sdelphij * break the private key operations: the following second correction 833296341Sdelphij * should *always* correct this rare occurrence. This will *never* happen 834296341Sdelphij * with OpenSSL generated keys because they ensure p > q [steve] 835296341Sdelphij */ 836296341Sdelphij if (BN_is_negative(r0)) 837296341Sdelphij if (!BN_add(r0, r0, rsa->p)) 838296341Sdelphij goto err; 839296341Sdelphij if (!BN_mul(r1, r0, rsa->q, ctx)) 840296341Sdelphij goto err; 841296341Sdelphij if (!BN_add(r0, r1, m1)) 842296341Sdelphij goto err; 84355099Skris 844296341Sdelphij if (rsa->e && rsa->n) { 845296341Sdelphij if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 846296341Sdelphij rsa->_method_mod_n)) 847296341Sdelphij goto err; 848296341Sdelphij /* 849296341Sdelphij * If 'I' was greater than (or equal to) rsa->n, the operation will 850296341Sdelphij * be equivalent to using 'I mod n'. However, the result of the 851296341Sdelphij * verify will *always* be less than 'n' so we don't check for 852296341Sdelphij * absolute equality, just congruency. 853296341Sdelphij */ 854296341Sdelphij if (!BN_sub(vrfy, vrfy, I)) 855296341Sdelphij goto err; 856296341Sdelphij if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 857296341Sdelphij goto err; 858296341Sdelphij if (BN_is_negative(vrfy)) 859296341Sdelphij if (!BN_add(vrfy, vrfy, rsa->n)) 860296341Sdelphij goto err; 861296341Sdelphij if (!BN_is_zero(vrfy)) { 862296341Sdelphij /* 863296341Sdelphij * 'I' and 'vrfy' aren't congruent mod n. Don't leak 864296341Sdelphij * miscalculated CRT output, just do a raw (slower) mod_exp and 865296341Sdelphij * return that instead. 866296341Sdelphij */ 867160817Ssimon 868296341Sdelphij BIGNUM local_d; 869296341Sdelphij BIGNUM *d = NULL; 87055099Skris 871296341Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 872296341Sdelphij d = &local_d; 873296341Sdelphij BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 874296341Sdelphij } else 875296341Sdelphij d = rsa->d; 876296341Sdelphij if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 877296341Sdelphij rsa->_method_mod_n)) 878296341Sdelphij goto err; 879296341Sdelphij } 880296341Sdelphij } 881296341Sdelphij ret = 1; 882296341Sdelphij err: 883296341Sdelphij BN_CTX_end(ctx); 884296341Sdelphij return (ret); 885296341Sdelphij} 886296341Sdelphij 88755099Skrisstatic int RSA_eay_init(RSA *rsa) 888296341Sdelphij{ 889296341Sdelphij rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 890296341Sdelphij return (1); 891296341Sdelphij} 89255099Skris 89355099Skrisstatic int RSA_eay_finish(RSA *rsa) 894296341Sdelphij{ 895296341Sdelphij if (rsa->_method_mod_n != NULL) 896296341Sdelphij BN_MONT_CTX_free(rsa->_method_mod_n); 897296341Sdelphij if (rsa->_method_mod_p != NULL) 898296341Sdelphij BN_MONT_CTX_free(rsa->_method_mod_p); 899296341Sdelphij if (rsa->_method_mod_q != NULL) 900296341Sdelphij BN_MONT_CTX_free(rsa->_method_mod_q); 901296341Sdelphij return (1); 902296341Sdelphij} 90355099Skris 90468654Skris#endif 905