1238384Sjkim/* crypto/rsa/rsa_lib.c */ 2238384Sjkim/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3238384Sjkim * All rights reserved. 4238384Sjkim * 5238384Sjkim * This package is an SSL implementation written 6238384Sjkim * by Eric Young (eay@cryptsoft.com). 7238384Sjkim * The implementation was written so as to conform with Netscapes SSL. 8280304Sjkim * 9238384Sjkim * This library is free for commercial and non-commercial use as long as 10238384Sjkim * the following conditions are aheared to. The following conditions 11238384Sjkim * apply to all code found in this distribution, be it the RC4, RSA, 12238384Sjkim * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13238384Sjkim * included with this distribution is covered by the same copyright terms 14238384Sjkim * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280304Sjkim * 16238384Sjkim * Copyright remains Eric Young's, and as such any Copyright notices in 17238384Sjkim * the code are not to be removed. 18238384Sjkim * If this package is used in a product, Eric Young should be given attribution 19238384Sjkim * as the author of the parts of the library used. 20238384Sjkim * This can be in the form of a textual message at program startup or 21238384Sjkim * in documentation (online or textual) provided with the package. 22280304Sjkim * 23238384Sjkim * Redistribution and use in source and binary forms, with or without 24238384Sjkim * modification, are permitted provided that the following conditions 25238384Sjkim * are met: 26238384Sjkim * 1. Redistributions of source code must retain the copyright 27238384Sjkim * notice, this list of conditions and the following disclaimer. 28238384Sjkim * 2. Redistributions in binary form must reproduce the above copyright 29238384Sjkim * notice, this list of conditions and the following disclaimer in the 30238384Sjkim * documentation and/or other materials provided with the distribution. 31238384Sjkim * 3. All advertising materials mentioning features or use of this software 32238384Sjkim * must display the following acknowledgement: 33238384Sjkim * "This product includes cryptographic software written by 34238384Sjkim * Eric Young (eay@cryptsoft.com)" 35238384Sjkim * The word 'cryptographic' can be left out if the rouines from the library 36238384Sjkim * being used are not cryptographic related :-). 37280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 38238384Sjkim * the apps directory (application code) you must include an acknowledgement: 39238384Sjkim * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280304Sjkim * 41238384Sjkim * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42238384Sjkim * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43238384Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44238384Sjkim * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45238384Sjkim * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46238384Sjkim * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47238384Sjkim * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48238384Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49238384Sjkim * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50238384Sjkim * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51238384Sjkim * SUCH DAMAGE. 52280304Sjkim * 53238384Sjkim * The licence and distribution terms for any publically available version or 54238384Sjkim * derivative of this code cannot be changed. i.e. this code cannot simply be 55238384Sjkim * copied and put under another distribution licence 56238384Sjkim * [including the GNU Public Licence.] 57238384Sjkim */ 58238384Sjkim 59238384Sjkim#include <stdio.h> 60238384Sjkim#include <openssl/crypto.h> 61238384Sjkim#include "cryptlib.h" 62238384Sjkim#include <openssl/lhash.h> 63238384Sjkim#include <openssl/bn.h> 64238384Sjkim#include <openssl/rsa.h> 65238384Sjkim#include <openssl/rand.h> 66238384Sjkim#ifndef OPENSSL_NO_ENGINE 67280304Sjkim# include <openssl/engine.h> 68238384Sjkim#endif 69238384Sjkim 70238384Sjkimint RSA_size(const RSA *r) 71280304Sjkim{ 72280304Sjkim return (BN_num_bytes(r->n)); 73280304Sjkim} 74238384Sjkim 75238384Sjkimint RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 76280304Sjkim RSA *rsa, int padding) 77280304Sjkim{ 78238384Sjkim#ifdef OPENSSL_FIPS 79280304Sjkim if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) 80280304Sjkim && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { 81280304Sjkim RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); 82280304Sjkim return -1; 83280304Sjkim } 84238384Sjkim#endif 85280304Sjkim return (rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); 86280304Sjkim} 87238384Sjkim 88280304Sjkimint RSA_private_encrypt(int flen, const unsigned char *from, 89280304Sjkim unsigned char *to, RSA *rsa, int padding) 90280304Sjkim{ 91238384Sjkim#ifdef OPENSSL_FIPS 92280304Sjkim if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) 93280304Sjkim && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { 94280304Sjkim RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); 95280304Sjkim return -1; 96280304Sjkim } 97238384Sjkim#endif 98280304Sjkim return (rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); 99280304Sjkim} 100238384Sjkim 101280304Sjkimint RSA_private_decrypt(int flen, const unsigned char *from, 102280304Sjkim unsigned char *to, RSA *rsa, int padding) 103280304Sjkim{ 104238384Sjkim#ifdef OPENSSL_FIPS 105280304Sjkim if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) 106280304Sjkim && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { 107280304Sjkim RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); 108280304Sjkim return -1; 109280304Sjkim } 110238384Sjkim#endif 111280304Sjkim return (rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); 112280304Sjkim} 113238384Sjkim 114238384Sjkimint RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 115280304Sjkim RSA *rsa, int padding) 116280304Sjkim{ 117238384Sjkim#ifdef OPENSSL_FIPS 118280304Sjkim if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) 119280304Sjkim && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { 120280304Sjkim RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); 121280304Sjkim return -1; 122280304Sjkim } 123238384Sjkim#endif 124280304Sjkim return (rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); 125280304Sjkim} 126238384Sjkim 127238384Sjkimint RSA_flags(const RSA *r) 128280304Sjkim{ 129280304Sjkim return ((r == NULL) ? 0 : r->meth->flags); 130280304Sjkim} 131238384Sjkim 132238384Sjkimvoid RSA_blinding_off(RSA *rsa) 133280304Sjkim{ 134280304Sjkim if (rsa->blinding != NULL) { 135280304Sjkim BN_BLINDING_free(rsa->blinding); 136280304Sjkim rsa->blinding = NULL; 137280304Sjkim } 138280304Sjkim rsa->flags &= ~RSA_FLAG_BLINDING; 139280304Sjkim rsa->flags |= RSA_FLAG_NO_BLINDING; 140280304Sjkim} 141238384Sjkim 142238384Sjkimint RSA_blinding_on(RSA *rsa, BN_CTX *ctx) 143280304Sjkim{ 144280304Sjkim int ret = 0; 145238384Sjkim 146280304Sjkim if (rsa->blinding != NULL) 147280304Sjkim RSA_blinding_off(rsa); 148238384Sjkim 149280304Sjkim rsa->blinding = RSA_setup_blinding(rsa, ctx); 150280304Sjkim if (rsa->blinding == NULL) 151280304Sjkim goto err; 152238384Sjkim 153280304Sjkim rsa->flags |= RSA_FLAG_BLINDING; 154280304Sjkim rsa->flags &= ~RSA_FLAG_NO_BLINDING; 155280304Sjkim ret = 1; 156280304Sjkim err: 157280304Sjkim return (ret); 158280304Sjkim} 159238384Sjkim 160238384Sjkimstatic BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, 161280304Sjkim const BIGNUM *q, BN_CTX *ctx) 162238384Sjkim{ 163280304Sjkim BIGNUM *ret = NULL, *r0, *r1, *r2; 164238384Sjkim 165280304Sjkim if (d == NULL || p == NULL || q == NULL) 166280304Sjkim return NULL; 167238384Sjkim 168280304Sjkim BN_CTX_start(ctx); 169280304Sjkim r0 = BN_CTX_get(ctx); 170280304Sjkim r1 = BN_CTX_get(ctx); 171280304Sjkim r2 = BN_CTX_get(ctx); 172280304Sjkim if (r2 == NULL) 173280304Sjkim goto err; 174238384Sjkim 175280304Sjkim if (!BN_sub(r1, p, BN_value_one())) 176280304Sjkim goto err; 177280304Sjkim if (!BN_sub(r2, q, BN_value_one())) 178280304Sjkim goto err; 179280304Sjkim if (!BN_mul(r0, r1, r2, ctx)) 180280304Sjkim goto err; 181238384Sjkim 182280304Sjkim ret = BN_mod_inverse(NULL, d, r0, ctx); 183280304Sjkim err: 184280304Sjkim BN_CTX_end(ctx); 185280304Sjkim return ret; 186238384Sjkim} 187238384Sjkim 188238384SjkimBN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) 189238384Sjkim{ 190280304Sjkim BIGNUM local_n; 191280304Sjkim BIGNUM *e, *n; 192280304Sjkim BN_CTX *ctx; 193280304Sjkim BN_BLINDING *ret = NULL; 194238384Sjkim 195280304Sjkim if (in_ctx == NULL) { 196280304Sjkim if ((ctx = BN_CTX_new()) == NULL) 197280304Sjkim return 0; 198280304Sjkim } else 199280304Sjkim ctx = in_ctx; 200238384Sjkim 201280304Sjkim BN_CTX_start(ctx); 202280304Sjkim e = BN_CTX_get(ctx); 203280304Sjkim if (e == NULL) { 204280304Sjkim RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE); 205280304Sjkim goto err; 206280304Sjkim } 207238384Sjkim 208280304Sjkim if (rsa->e == NULL) { 209280304Sjkim e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx); 210280304Sjkim if (e == NULL) { 211280304Sjkim RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT); 212280304Sjkim goto err; 213280304Sjkim } 214280304Sjkim } else 215280304Sjkim e = rsa->e; 216238384Sjkim 217280304Sjkim if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) { 218280304Sjkim /* 219280304Sjkim * if PRNG is not properly seeded, resort to secret exponent as 220280304Sjkim * unpredictable seed 221280304Sjkim */ 222280304Sjkim RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0); 223280304Sjkim } 224238384Sjkim 225280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 226280304Sjkim /* Set BN_FLG_CONSTTIME flag */ 227280304Sjkim n = &local_n; 228280304Sjkim BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); 229280304Sjkim } else 230280304Sjkim n = rsa->n; 231238384Sjkim 232280304Sjkim ret = BN_BLINDING_create_param(NULL, e, n, ctx, 233280304Sjkim rsa->meth->bn_mod_exp, rsa->_method_mod_n); 234280304Sjkim if (ret == NULL) { 235280304Sjkim RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); 236280304Sjkim goto err; 237280304Sjkim } 238280304Sjkim CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret)); 239280304Sjkim err: 240280304Sjkim BN_CTX_end(ctx); 241280304Sjkim if (in_ctx == NULL) 242280304Sjkim BN_CTX_free(ctx); 243280304Sjkim if (rsa->e == NULL) 244280304Sjkim BN_free(e); 245238384Sjkim 246280304Sjkim return ret; 247238384Sjkim} 248