1238384Sjkim/* crypto/rsa/rsa_lib.c */ 2238384Sjkim/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3238384Sjkim * All rights reserved. 4238384Sjkim * 5238384Sjkim * This package is an SSL implementation written 6238384Sjkim * by Eric Young (eay@cryptsoft.com). 7238384Sjkim * The implementation was written so as to conform with Netscapes SSL. 8280297Sjkim * 9238384Sjkim * This library is free for commercial and non-commercial use as long as 10238384Sjkim * the following conditions are aheared to. The following conditions 11238384Sjkim * apply to all code found in this distribution, be it the RC4, RSA, 12238384Sjkim * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13238384Sjkim * included with this distribution is covered by the same copyright terms 14238384Sjkim * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280297Sjkim * 16238384Sjkim * Copyright remains Eric Young's, and as such any Copyright notices in 17238384Sjkim * the code are not to be removed. 18238384Sjkim * If this package is used in a product, Eric Young should be given attribution 19238384Sjkim * as the author of the parts of the library used. 20238384Sjkim * This can be in the form of a textual message at program startup or 21238384Sjkim * in documentation (online or textual) provided with the package. 22280297Sjkim * 23238384Sjkim * Redistribution and use in source and binary forms, with or without 24238384Sjkim * modification, are permitted provided that the following conditions 25238384Sjkim * are met: 26238384Sjkim * 1. Redistributions of source code must retain the copyright 27238384Sjkim * notice, this list of conditions and the following disclaimer. 28238384Sjkim * 2. Redistributions in binary form must reproduce the above copyright 29238384Sjkim * notice, this list of conditions and the following disclaimer in the 30238384Sjkim * documentation and/or other materials provided with the distribution. 31238384Sjkim * 3. All advertising materials mentioning features or use of this software 32238384Sjkim * must display the following acknowledgement: 33238384Sjkim * "This product includes cryptographic software written by 34238384Sjkim * Eric Young (eay@cryptsoft.com)" 35238384Sjkim * The word 'cryptographic' can be left out if the rouines from the library 36238384Sjkim * being used are not cryptographic related :-). 37280297Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 38238384Sjkim * the apps directory (application code) you must include an acknowledgement: 39238384Sjkim * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280297Sjkim * 41238384Sjkim * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42238384Sjkim * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43238384Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44238384Sjkim * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45238384Sjkim * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46238384Sjkim * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47238384Sjkim * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48238384Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49238384Sjkim * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50238384Sjkim * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51238384Sjkim * SUCH DAMAGE. 52280297Sjkim * 53238384Sjkim * The licence and distribution terms for any publically available version or 54238384Sjkim * derivative of this code cannot be changed. i.e. this code cannot simply be 55238384Sjkim * copied and put under another distribution licence 56238384Sjkim * [including the GNU Public Licence.] 57238384Sjkim */ 58238384Sjkim 59238384Sjkim#include <stdio.h> 60238384Sjkim#include <openssl/crypto.h> 61238384Sjkim#include "cryptlib.h" 62238384Sjkim#include <openssl/lhash.h> 63238384Sjkim#include <openssl/bn.h> 64238384Sjkim#include <openssl/rsa.h> 65238384Sjkim#include <openssl/rand.h> 66238384Sjkim#ifndef OPENSSL_NO_ENGINE 67280297Sjkim# include <openssl/engine.h> 68238384Sjkim#endif 69238384Sjkim 70238384Sjkimint RSA_size(const RSA *r) 71280297Sjkim{ 72280297Sjkim return (BN_num_bytes(r->n)); 73280297Sjkim} 74238384Sjkim 75238384Sjkimint RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 76280297Sjkim RSA *rsa, int padding) 77280297Sjkim{ 78238384Sjkim#ifdef OPENSSL_FIPS 79280297Sjkim if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) 80280297Sjkim && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { 81280297Sjkim RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); 82280297Sjkim return -1; 83280297Sjkim } 84238384Sjkim#endif 85280297Sjkim return (rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); 86280297Sjkim} 87238384Sjkim 88280297Sjkimint RSA_private_encrypt(int flen, const unsigned char *from, 89280297Sjkim unsigned char *to, RSA *rsa, int padding) 90280297Sjkim{ 91238384Sjkim#ifdef OPENSSL_FIPS 92280297Sjkim if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) 93280297Sjkim && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { 94280297Sjkim RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); 95280297Sjkim return -1; 96280297Sjkim } 97238384Sjkim#endif 98280297Sjkim return (rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); 99280297Sjkim} 100238384Sjkim 101280297Sjkimint RSA_private_decrypt(int flen, const unsigned char *from, 102280297Sjkim unsigned char *to, RSA *rsa, int padding) 103280297Sjkim{ 104238384Sjkim#ifdef OPENSSL_FIPS 105280297Sjkim if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) 106280297Sjkim && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { 107280297Sjkim RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); 108280297Sjkim return -1; 109280297Sjkim } 110238384Sjkim#endif 111280297Sjkim return (rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); 112280297Sjkim} 113238384Sjkim 114238384Sjkimint RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 115280297Sjkim RSA *rsa, int padding) 116280297Sjkim{ 117238384Sjkim#ifdef OPENSSL_FIPS 118280297Sjkim if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) 119280297Sjkim && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { 120280297Sjkim RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); 121280297Sjkim return -1; 122280297Sjkim } 123238384Sjkim#endif 124280297Sjkim return (rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); 125280297Sjkim} 126238384Sjkim 127238384Sjkimint RSA_flags(const RSA *r) 128280297Sjkim{ 129280297Sjkim return ((r == NULL) ? 0 : r->meth->flags); 130280297Sjkim} 131238384Sjkim 132238384Sjkimvoid RSA_blinding_off(RSA *rsa) 133280297Sjkim{ 134280297Sjkim if (rsa->blinding != NULL) { 135280297Sjkim BN_BLINDING_free(rsa->blinding); 136280297Sjkim rsa->blinding = NULL; 137280297Sjkim } 138280297Sjkim rsa->flags &= ~RSA_FLAG_BLINDING; 139280297Sjkim rsa->flags |= RSA_FLAG_NO_BLINDING; 140280297Sjkim} 141238384Sjkim 142238384Sjkimint RSA_blinding_on(RSA *rsa, BN_CTX *ctx) 143280297Sjkim{ 144280297Sjkim int ret = 0; 145238384Sjkim 146280297Sjkim if (rsa->blinding != NULL) 147280297Sjkim RSA_blinding_off(rsa); 148238384Sjkim 149280297Sjkim rsa->blinding = RSA_setup_blinding(rsa, ctx); 150280297Sjkim if (rsa->blinding == NULL) 151280297Sjkim goto err; 152238384Sjkim 153280297Sjkim rsa->flags |= RSA_FLAG_BLINDING; 154280297Sjkim rsa->flags &= ~RSA_FLAG_NO_BLINDING; 155280297Sjkim ret = 1; 156280297Sjkim err: 157280297Sjkim return (ret); 158280297Sjkim} 159238384Sjkim 160238384Sjkimstatic BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, 161280297Sjkim const BIGNUM *q, BN_CTX *ctx) 162238384Sjkim{ 163280297Sjkim BIGNUM *ret = NULL, *r0, *r1, *r2; 164238384Sjkim 165280297Sjkim if (d == NULL || p == NULL || q == NULL) 166280297Sjkim return NULL; 167238384Sjkim 168280297Sjkim BN_CTX_start(ctx); 169280297Sjkim r0 = BN_CTX_get(ctx); 170280297Sjkim r1 = BN_CTX_get(ctx); 171280297Sjkim r2 = BN_CTX_get(ctx); 172280297Sjkim if (r2 == NULL) 173280297Sjkim goto err; 174238384Sjkim 175280297Sjkim if (!BN_sub(r1, p, BN_value_one())) 176280297Sjkim goto err; 177280297Sjkim if (!BN_sub(r2, q, BN_value_one())) 178280297Sjkim goto err; 179280297Sjkim if (!BN_mul(r0, r1, r2, ctx)) 180280297Sjkim goto err; 181238384Sjkim 182280297Sjkim ret = BN_mod_inverse(NULL, d, r0, ctx); 183280297Sjkim err: 184280297Sjkim BN_CTX_end(ctx); 185280297Sjkim return ret; 186238384Sjkim} 187238384Sjkim 188238384SjkimBN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) 189238384Sjkim{ 190280297Sjkim BIGNUM local_n; 191280297Sjkim BIGNUM *e, *n; 192280297Sjkim BN_CTX *ctx; 193280297Sjkim BN_BLINDING *ret = NULL; 194238384Sjkim 195280297Sjkim if (in_ctx == NULL) { 196280297Sjkim if ((ctx = BN_CTX_new()) == NULL) 197280297Sjkim return 0; 198280297Sjkim } else 199280297Sjkim ctx = in_ctx; 200238384Sjkim 201280297Sjkim BN_CTX_start(ctx); 202280297Sjkim e = BN_CTX_get(ctx); 203280297Sjkim if (e == NULL) { 204280297Sjkim RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE); 205280297Sjkim goto err; 206280297Sjkim } 207238384Sjkim 208280297Sjkim if (rsa->e == NULL) { 209280297Sjkim e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx); 210280297Sjkim if (e == NULL) { 211280297Sjkim RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT); 212280297Sjkim goto err; 213280297Sjkim } 214280297Sjkim } else 215280297Sjkim e = rsa->e; 216238384Sjkim 217280297Sjkim if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) { 218280297Sjkim /* 219280297Sjkim * if PRNG is not properly seeded, resort to secret exponent as 220280297Sjkim * unpredictable seed 221280297Sjkim */ 222331638Sjkim RAND_add(rsa->d->d, rsa->d->dmax * sizeof(rsa->d->d[0]), 0.0); 223280297Sjkim } 224238384Sjkim 225280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 226280297Sjkim /* Set BN_FLG_CONSTTIME flag */ 227280297Sjkim n = &local_n; 228280297Sjkim BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); 229280297Sjkim } else 230280297Sjkim n = rsa->n; 231238384Sjkim 232280297Sjkim ret = BN_BLINDING_create_param(NULL, e, n, ctx, 233280297Sjkim rsa->meth->bn_mod_exp, rsa->_method_mod_n); 234280297Sjkim if (ret == NULL) { 235280297Sjkim RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); 236280297Sjkim goto err; 237280297Sjkim } 238280297Sjkim CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret)); 239280297Sjkim err: 240280297Sjkim BN_CTX_end(ctx); 241280297Sjkim if (in_ctx == NULL) 242280297Sjkim BN_CTX_free(ctx); 243280297Sjkim if (rsa->e == NULL) 244280297Sjkim BN_free(e); 245238384Sjkim 246280297Sjkim return ret; 247238384Sjkim} 248