155099Skris/* crypto/rsa/rsa_eay.c */ 255099Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355099Skris * All rights reserved. 455099Skris * 555099Skris * This package is an SSL implementation written 655099Skris * by Eric Young (eay@cryptsoft.com). 755099Skris * The implementation was written so as to conform with Netscapes SSL. 8280297Sjkim * 955099Skris * This library is free for commercial and non-commercial use as long as 1055099Skris * the following conditions are aheared to. The following conditions 1155099Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255099Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355099Skris * included with this distribution is covered by the same copyright terms 1455099Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280297Sjkim * 1655099Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755099Skris * the code are not to be removed. 1855099Skris * If this package is used in a product, Eric Young should be given attribution 1955099Skris * as the author of the parts of the library used. 2055099Skris * This can be in the form of a textual message at program startup or 2155099Skris * in documentation (online or textual) provided with the package. 22280297Sjkim * 2355099Skris * Redistribution and use in source and binary forms, with or without 2455099Skris * modification, are permitted provided that the following conditions 2555099Skris * are met: 2655099Skris * 1. Redistributions of source code must retain the copyright 2755099Skris * notice, this list of conditions and the following disclaimer. 2855099Skris * 2. Redistributions in binary form must reproduce the above copyright 2955099Skris * notice, this list of conditions and the following disclaimer in the 3055099Skris * documentation and/or other materials provided with the distribution. 3155099Skris * 3. All advertising materials mentioning features or use of this software 3255099Skris * must display the following acknowledgement: 3355099Skris * "This product includes cryptographic software written by 3455099Skris * Eric Young (eay@cryptsoft.com)" 3555099Skris * The word 'cryptographic' can be left out if the rouines from the library 3655099Skris * being used are not cryptographic related :-). 37280297Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 3855099Skris * the apps directory (application code) you must include an acknowledgement: 3955099Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280297Sjkim * 4155099Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255099Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355099Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455099Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555099Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655099Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755099Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855099Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955099Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055099Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155099Skris * SUCH DAMAGE. 52280297Sjkim * 5355099Skris * The licence and distribution terms for any publically available version or 5455099Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555099Skris * copied and put under another distribution licence 5655099Skris * [including the GNU Public Licence.] 5755099Skris */ 58160817Ssimon/* ==================================================================== 59348343Sjkim * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. 60160817Ssimon * 61160817Ssimon * Redistribution and use in source and binary forms, with or without 62160817Ssimon * modification, are permitted provided that the following conditions 63160817Ssimon * are met: 64160817Ssimon * 65160817Ssimon * 1. Redistributions of source code must retain the above copyright 66280297Sjkim * notice, this list of conditions and the following disclaimer. 67160817Ssimon * 68160817Ssimon * 2. Redistributions in binary form must reproduce the above copyright 69160817Ssimon * notice, this list of conditions and the following disclaimer in 70160817Ssimon * the documentation and/or other materials provided with the 71160817Ssimon * distribution. 72160817Ssimon * 73160817Ssimon * 3. All advertising materials mentioning features or use of this 74160817Ssimon * software must display the following acknowledgment: 75160817Ssimon * "This product includes software developed by the OpenSSL Project 76160817Ssimon * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77160817Ssimon * 78160817Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79160817Ssimon * endorse or promote products derived from this software without 80160817Ssimon * prior written permission. For written permission, please contact 81160817Ssimon * openssl-core@openssl.org. 82160817Ssimon * 83160817Ssimon * 5. Products derived from this software may not be called "OpenSSL" 84160817Ssimon * nor may "OpenSSL" appear in their names without prior written 85160817Ssimon * permission of the OpenSSL Project. 86160817Ssimon * 87160817Ssimon * 6. Redistributions of any form whatsoever must retain the following 88160817Ssimon * acknowledgment: 89160817Ssimon * "This product includes software developed by the OpenSSL Project 90160817Ssimon * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91160817Ssimon * 92160817Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93160817Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94160817Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95160817Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96160817Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97160817Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98160817Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99160817Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100160817Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101160817Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102160817Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103160817Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 104160817Ssimon * ==================================================================== 105160817Ssimon * 106160817Ssimon * This product includes cryptographic software written by Eric Young 107160817Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 108160817Ssimon * Hudson (tjh@cryptsoft.com). 109160817Ssimon * 110160817Ssimon */ 11155099Skris 11255099Skris#include <stdio.h> 11355099Skris#include "cryptlib.h" 11455099Skris#include <openssl/bn.h> 11555099Skris#include <openssl/rsa.h> 11655099Skris#include <openssl/rand.h> 117337982Sjkim#include "bn_int.h" 118344604Sjkim#include "constant_time_locl.h" 11955099Skris 120238405Sjkim#ifndef RSA_NULL 12168654Skris 122110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 123280297Sjkim unsigned char *to, RSA *rsa, int padding); 124110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 125280297Sjkim unsigned char *to, RSA *rsa, int padding); 126110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 127280297Sjkim unsigned char *to, RSA *rsa, int padding); 128110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 129280297Sjkim unsigned char *to, RSA *rsa, int padding); 130280297Sjkimstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, 131280297Sjkim BN_CTX *ctx); 13255099Skrisstatic int RSA_eay_init(RSA *rsa); 13355099Skrisstatic int RSA_eay_finish(RSA *rsa); 134280297Sjkimstatic RSA_METHOD rsa_pkcs1_eay_meth = { 135280297Sjkim "Eric Young's PKCS#1 RSA", 136280297Sjkim RSA_eay_public_encrypt, 137280297Sjkim RSA_eay_public_decrypt, /* signature verification */ 138280297Sjkim RSA_eay_private_encrypt, /* signing */ 139280297Sjkim RSA_eay_private_decrypt, 140280297Sjkim RSA_eay_mod_exp, 141280297Sjkim BN_mod_exp_mont, /* XXX probably we should not use Montgomery 142280297Sjkim * if e == 3 */ 143280297Sjkim RSA_eay_init, 144280297Sjkim RSA_eay_finish, 145280297Sjkim 0, /* flags */ 146280297Sjkim NULL, 147280297Sjkim 0, /* rsa_sign */ 148280297Sjkim 0, /* rsa_verify */ 149280297Sjkim NULL /* rsa_keygen */ 150280297Sjkim}; 15155099Skris 152110007Smarkmconst RSA_METHOD *RSA_PKCS1_SSLeay(void) 153280297Sjkim{ 154280297Sjkim return (&rsa_pkcs1_eay_meth); 155280297Sjkim} 15655099Skris 157110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 158280297Sjkim unsigned char *to, RSA *rsa, int padding) 159280297Sjkim{ 160280297Sjkim BIGNUM *f, *ret; 161337982Sjkim int i, num = 0, r = -1; 162280297Sjkim unsigned char *buf = NULL; 163280297Sjkim BN_CTX *ctx = NULL; 16455099Skris 165280297Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 166280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 167280297Sjkim return -1; 168280297Sjkim } 169162914Ssimon 170280297Sjkim if (BN_ucmp(rsa->n, rsa->e) <= 0) { 171280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 172280297Sjkim return -1; 173280297Sjkim } 174162914Ssimon 175280297Sjkim /* for large moduli, enforce exponent limit */ 176280297Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 177280297Sjkim if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 178280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 179280297Sjkim return -1; 180280297Sjkim } 181280297Sjkim } 18255099Skris 183280297Sjkim if ((ctx = BN_CTX_new()) == NULL) 184280297Sjkim goto err; 185280297Sjkim BN_CTX_start(ctx); 186280297Sjkim f = BN_CTX_get(ctx); 187280297Sjkim ret = BN_CTX_get(ctx); 188280297Sjkim num = BN_num_bytes(rsa->n); 189280297Sjkim buf = OPENSSL_malloc(num); 190280297Sjkim if (!f || !ret || !buf) { 191280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 192280297Sjkim goto err; 193280297Sjkim } 19455099Skris 195280297Sjkim switch (padding) { 196280297Sjkim case RSA_PKCS1_PADDING: 197280297Sjkim i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 198280297Sjkim break; 199280297Sjkim# ifndef OPENSSL_NO_SHA 200280297Sjkim case RSA_PKCS1_OAEP_PADDING: 201280297Sjkim i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 202280297Sjkim break; 203280297Sjkim# endif 204280297Sjkim case RSA_SSLV23_PADDING: 205280297Sjkim i = RSA_padding_add_SSLv23(buf, num, from, flen); 206280297Sjkim break; 207280297Sjkim case RSA_NO_PADDING: 208280297Sjkim i = RSA_padding_add_none(buf, num, from, flen); 209280297Sjkim break; 210280297Sjkim default: 211280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 212280297Sjkim goto err; 213280297Sjkim } 214280297Sjkim if (i <= 0) 215280297Sjkim goto err; 21689840Skris 217280297Sjkim if (BN_bin2bn(buf, num, f) == NULL) 218280297Sjkim goto err; 219160817Ssimon 220280297Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 221280297Sjkim /* usually the padding functions would catch this */ 222280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 223280297Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 224280297Sjkim goto err; 225280297Sjkim } 22655099Skris 227280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 228340704Sjkim if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, 229340704Sjkim rsa->n, ctx)) 230280297Sjkim goto err; 23155099Skris 232280297Sjkim if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 233280297Sjkim rsa->_method_mod_n)) 234280297Sjkim goto err; 23555099Skris 236280297Sjkim /* 237337982Sjkim * BN_bn2binpad puts in leading 0 bytes if the number is less than 238337982Sjkim * the length of the modulus. 239280297Sjkim */ 240337982Sjkim r = bn_bn2binpad(ret, to, num); 241280297Sjkim err: 242280297Sjkim if (ctx != NULL) { 243280297Sjkim BN_CTX_end(ctx); 244280297Sjkim BN_CTX_free(ctx); 245280297Sjkim } 246280297Sjkim if (buf != NULL) { 247280297Sjkim OPENSSL_cleanse(buf, num); 248280297Sjkim OPENSSL_free(buf); 249280297Sjkim } 250280297Sjkim return (r); 251280297Sjkim} 252280297Sjkim 253162914Ssimonstatic BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 254160817Ssimon{ 255280297Sjkim BN_BLINDING *ret; 256280297Sjkim int got_write_lock = 0; 257280297Sjkim CRYPTO_THREADID cur; 258112446Sjedgar 259280297Sjkim CRYPTO_r_lock(CRYPTO_LOCK_RSA); 260162914Ssimon 261280297Sjkim if (rsa->blinding == NULL) { 262280297Sjkim CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 263280297Sjkim CRYPTO_w_lock(CRYPTO_LOCK_RSA); 264280297Sjkim got_write_lock = 1; 265162914Ssimon 266280297Sjkim if (rsa->blinding == NULL) 267280297Sjkim rsa->blinding = RSA_setup_blinding(rsa, ctx); 268280297Sjkim } 269112446Sjedgar 270280297Sjkim ret = rsa->blinding; 271280297Sjkim if (ret == NULL) 272280297Sjkim goto err; 273120635Snectar 274280297Sjkim CRYPTO_THREADID_current(&cur); 275280297Sjkim if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 276280297Sjkim /* rsa->blinding is ours! */ 277162914Ssimon 278280297Sjkim *local = 1; 279280297Sjkim } else { 280280297Sjkim /* resort to rsa->mt_blinding instead */ 281162914Ssimon 282280297Sjkim /* 283280297Sjkim * instructs rsa_blinding_convert(), rsa_blinding_invert() that the 284280297Sjkim * BN_BLINDING is shared, meaning that accesses require locks, and 285280297Sjkim * that the blinding factor must be stored outside the BN_BLINDING 286280297Sjkim */ 287280297Sjkim *local = 0; 288162914Ssimon 289280297Sjkim if (rsa->mt_blinding == NULL) { 290280297Sjkim if (!got_write_lock) { 291280297Sjkim CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 292280297Sjkim CRYPTO_w_lock(CRYPTO_LOCK_RSA); 293280297Sjkim got_write_lock = 1; 294280297Sjkim } 295162914Ssimon 296280297Sjkim if (rsa->mt_blinding == NULL) 297280297Sjkim rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 298280297Sjkim } 299280297Sjkim ret = rsa->mt_blinding; 300280297Sjkim } 301280297Sjkim 302162914Ssimon err: 303280297Sjkim if (got_write_lock) 304280297Sjkim CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 305280297Sjkim else 306280297Sjkim CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 307280297Sjkim return ret; 308160817Ssimon} 309120635Snectar 310237657Sjkimstatic int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 311280297Sjkim BN_CTX *ctx) 312280297Sjkim{ 313280297Sjkim if (unblind == NULL) 314280297Sjkim /* 315280297Sjkim * Local blinding: store the unblinding factor in BN_BLINDING. 316280297Sjkim */ 317280297Sjkim return BN_BLINDING_convert_ex(f, NULL, b, ctx); 318280297Sjkim else { 319280297Sjkim /* 320280297Sjkim * Shared blinding: store the unblinding factor outside BN_BLINDING. 321280297Sjkim */ 322280297Sjkim int ret; 323280297Sjkim CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 324280297Sjkim ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 325280297Sjkim CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 326280297Sjkim return ret; 327280297Sjkim } 328280297Sjkim} 329120635Snectar 330237657Sjkimstatic int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 331280297Sjkim BN_CTX *ctx) 332280297Sjkim{ 333280297Sjkim /* 334280297Sjkim * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 335280297Sjkim * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING 336280297Sjkim * is shared between threads, unblind must be non-null: 337280297Sjkim * BN_BLINDING_invert_ex will then use the local unblinding factor, and 338280297Sjkim * will only read the modulus from BN_BLINDING. In both cases it's safe 339280297Sjkim * to access the blinding without a lock. 340280297Sjkim */ 341280297Sjkim return BN_BLINDING_invert_ex(f, unblind, b, ctx); 342280297Sjkim} 343237657Sjkim 34489840Skris/* signing */ 345110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 346280297Sjkim unsigned char *to, RSA *rsa, int padding) 347280297Sjkim{ 348280297Sjkim BIGNUM *f, *ret, *res; 349337982Sjkim int i, num = 0, r = -1; 350280297Sjkim unsigned char *buf = NULL; 351280297Sjkim BN_CTX *ctx = NULL; 352280297Sjkim int local_blinding = 0; 353280297Sjkim /* 354280297Sjkim * Used only if the blinding structure is shared. A non-NULL unblind 355280297Sjkim * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 356280297Sjkim * the unblinding factor outside the blinding structure. 357280297Sjkim */ 358280297Sjkim BIGNUM *unblind = NULL; 359280297Sjkim BN_BLINDING *blinding = NULL; 36055099Skris 361280297Sjkim if ((ctx = BN_CTX_new()) == NULL) 362280297Sjkim goto err; 363280297Sjkim BN_CTX_start(ctx); 364280297Sjkim f = BN_CTX_get(ctx); 365280297Sjkim ret = BN_CTX_get(ctx); 366280297Sjkim num = BN_num_bytes(rsa->n); 367280297Sjkim buf = OPENSSL_malloc(num); 368280297Sjkim if (!f || !ret || !buf) { 369280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 370280297Sjkim goto err; 371280297Sjkim } 37255099Skris 373280297Sjkim switch (padding) { 374280297Sjkim case RSA_PKCS1_PADDING: 375280297Sjkim i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 376280297Sjkim break; 377280297Sjkim case RSA_X931_PADDING: 378280297Sjkim i = RSA_padding_add_X931(buf, num, from, flen); 379280297Sjkim break; 380280297Sjkim case RSA_NO_PADDING: 381280297Sjkim i = RSA_padding_add_none(buf, num, from, flen); 382280297Sjkim break; 383280297Sjkim case RSA_SSLV23_PADDING: 384280297Sjkim default: 385280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 386280297Sjkim goto err; 387280297Sjkim } 388280297Sjkim if (i <= 0) 389280297Sjkim goto err; 39055099Skris 391280297Sjkim if (BN_bin2bn(buf, num, f) == NULL) 392280297Sjkim goto err; 39355099Skris 394280297Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 395280297Sjkim /* usually the padding functions would catch this */ 396280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 397280297Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 398280297Sjkim goto err; 399280297Sjkim } 400112446Sjedgar 401344604Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 402344604Sjkim if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, 403344604Sjkim rsa->n, ctx)) 404344604Sjkim goto err; 405344604Sjkim 406280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 407280297Sjkim blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 408280297Sjkim if (blinding == NULL) { 409280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 410280297Sjkim goto err; 411280297Sjkim } 412280297Sjkim } 413160817Ssimon 414280297Sjkim if (blinding != NULL) { 415280297Sjkim if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 416280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 417280297Sjkim goto err; 418280297Sjkim } 419280297Sjkim if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 420280297Sjkim goto err; 421280297Sjkim } 422160817Ssimon 423280297Sjkim if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 424280297Sjkim ((rsa->p != NULL) && 425280297Sjkim (rsa->q != NULL) && 426280297Sjkim (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 427280297Sjkim if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 428280297Sjkim goto err; 429280297Sjkim } else { 430280297Sjkim BIGNUM local_d; 431280297Sjkim BIGNUM *d = NULL; 43255099Skris 433280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 434280297Sjkim BN_init(&local_d); 435280297Sjkim d = &local_d; 436280297Sjkim BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 437280297Sjkim } else 438280297Sjkim d = rsa->d; 43955099Skris 440280297Sjkim if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 441280297Sjkim rsa->_method_mod_n)) 442280297Sjkim goto err; 443280297Sjkim } 44455099Skris 445280297Sjkim if (blinding) 446280297Sjkim if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 447280297Sjkim goto err; 44855099Skris 449280297Sjkim if (padding == RSA_X931_PADDING) { 450280297Sjkim BN_sub(f, rsa->n, ret); 451280297Sjkim if (BN_cmp(ret, f) > 0) 452280297Sjkim res = f; 453280297Sjkim else 454280297Sjkim res = ret; 455280297Sjkim } else 456280297Sjkim res = ret; 457280297Sjkim 458280297Sjkim /* 459337982Sjkim * BN_bn2binpad puts in leading 0 bytes if the number is less than 460337982Sjkim * the length of the modulus. 461280297Sjkim */ 462337982Sjkim r = bn_bn2binpad(res, to, num); 463280297Sjkim err: 464280297Sjkim if (ctx != NULL) { 465280297Sjkim BN_CTX_end(ctx); 466280297Sjkim BN_CTX_free(ctx); 467280297Sjkim } 468280297Sjkim if (buf != NULL) { 469280297Sjkim OPENSSL_cleanse(buf, num); 470280297Sjkim OPENSSL_free(buf); 471280297Sjkim } 472280297Sjkim return (r); 473280297Sjkim} 474280297Sjkim 475110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 476280297Sjkim unsigned char *to, RSA *rsa, int padding) 477280297Sjkim{ 478280297Sjkim BIGNUM *f, *ret; 479280297Sjkim int j, num = 0, r = -1; 480280297Sjkim unsigned char *buf = NULL; 481280297Sjkim BN_CTX *ctx = NULL; 482280297Sjkim int local_blinding = 0; 483280297Sjkim /* 484280297Sjkim * Used only if the blinding structure is shared. A non-NULL unblind 485280297Sjkim * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 486280297Sjkim * the unblinding factor outside the blinding structure. 487280297Sjkim */ 488280297Sjkim BIGNUM *unblind = NULL; 489280297Sjkim BN_BLINDING *blinding = NULL; 49055099Skris 491280297Sjkim if ((ctx = BN_CTX_new()) == NULL) 492280297Sjkim goto err; 493280297Sjkim BN_CTX_start(ctx); 494280297Sjkim f = BN_CTX_get(ctx); 495280297Sjkim ret = BN_CTX_get(ctx); 496280297Sjkim num = BN_num_bytes(rsa->n); 497280297Sjkim buf = OPENSSL_malloc(num); 498280297Sjkim if (!f || !ret || !buf) { 499280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 500280297Sjkim goto err; 501280297Sjkim } 50255099Skris 503280297Sjkim /* 504280297Sjkim * This check was for equality but PGP does evil things and chops off the 505280297Sjkim * top '0' bytes 506280297Sjkim */ 507280297Sjkim if (flen > num) { 508280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 509280297Sjkim RSA_R_DATA_GREATER_THAN_MOD_LEN); 510280297Sjkim goto err; 511280297Sjkim } 51255099Skris 513280297Sjkim /* make data into a big number */ 514280297Sjkim if (BN_bin2bn(from, (int)flen, f) == NULL) 515280297Sjkim goto err; 51655099Skris 517280297Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 518280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 519280297Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 520280297Sjkim goto err; 521280297Sjkim } 52289840Skris 523280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 524280297Sjkim blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 525280297Sjkim if (blinding == NULL) { 526280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 527280297Sjkim goto err; 528280297Sjkim } 529280297Sjkim } 530112446Sjedgar 531280297Sjkim if (blinding != NULL) { 532280297Sjkim if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 533280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 534280297Sjkim goto err; 535280297Sjkim } 536280297Sjkim if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 537280297Sjkim goto err; 538280297Sjkim } 539160817Ssimon 540280297Sjkim /* do the decrypt */ 541280297Sjkim if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 542280297Sjkim ((rsa->p != NULL) && 543280297Sjkim (rsa->q != NULL) && 544280297Sjkim (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 545280297Sjkim if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 546280297Sjkim goto err; 547280297Sjkim } else { 548280297Sjkim BIGNUM local_d; 549280297Sjkim BIGNUM *d = NULL; 55055099Skris 551280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 552280297Sjkim d = &local_d; 553280297Sjkim BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 554280297Sjkim } else 555280297Sjkim d = rsa->d; 55655099Skris 557280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 558340704Sjkim if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, 559340704Sjkim rsa->n, ctx)) 560280297Sjkim goto err; 561280297Sjkim if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 562280297Sjkim rsa->_method_mod_n)) 563280297Sjkim goto err; 564280297Sjkim } 56555099Skris 566280297Sjkim if (blinding) 567280297Sjkim if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 568280297Sjkim goto err; 56955099Skris 570337982Sjkim j = bn_bn2binpad(ret, buf, num); 57155099Skris 572280297Sjkim switch (padding) { 573280297Sjkim case RSA_PKCS1_PADDING: 574280297Sjkim r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 575280297Sjkim break; 576280297Sjkim# ifndef OPENSSL_NO_SHA 577280297Sjkim case RSA_PKCS1_OAEP_PADDING: 578280297Sjkim r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 579280297Sjkim break; 580280297Sjkim# endif 581280297Sjkim case RSA_SSLV23_PADDING: 582280297Sjkim r = RSA_padding_check_SSLv23(to, num, buf, j, num); 583280297Sjkim break; 584280297Sjkim case RSA_NO_PADDING: 585337982Sjkim memcpy(to, buf, (r = j)); 586280297Sjkim break; 587280297Sjkim default: 588280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 589280297Sjkim goto err; 590280297Sjkim } 591344604Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 592348343Sjkim err_clear_last_constant_time(1 & ~constant_time_msb(r)); 593280297Sjkim 594280297Sjkim err: 595280297Sjkim if (ctx != NULL) { 596280297Sjkim BN_CTX_end(ctx); 597280297Sjkim BN_CTX_free(ctx); 598280297Sjkim } 599280297Sjkim if (buf != NULL) { 600280297Sjkim OPENSSL_cleanse(buf, num); 601280297Sjkim OPENSSL_free(buf); 602280297Sjkim } 603280297Sjkim return (r); 604280297Sjkim} 605280297Sjkim 60689840Skris/* signature verification */ 607110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 608280297Sjkim unsigned char *to, RSA *rsa, int padding) 609280297Sjkim{ 610280297Sjkim BIGNUM *f, *ret; 611280297Sjkim int i, num = 0, r = -1; 612280297Sjkim unsigned char *buf = NULL; 613280297Sjkim BN_CTX *ctx = NULL; 61455099Skris 615280297Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 616280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 617280297Sjkim return -1; 618280297Sjkim } 619162914Ssimon 620280297Sjkim if (BN_ucmp(rsa->n, rsa->e) <= 0) { 621280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 622280297Sjkim return -1; 623280297Sjkim } 624162914Ssimon 625280297Sjkim /* for large moduli, enforce exponent limit */ 626280297Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 627280297Sjkim if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 628280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 629280297Sjkim return -1; 630280297Sjkim } 631280297Sjkim } 63255099Skris 633280297Sjkim if ((ctx = BN_CTX_new()) == NULL) 634280297Sjkim goto err; 635280297Sjkim BN_CTX_start(ctx); 636280297Sjkim f = BN_CTX_get(ctx); 637280297Sjkim ret = BN_CTX_get(ctx); 638280297Sjkim num = BN_num_bytes(rsa->n); 639280297Sjkim buf = OPENSSL_malloc(num); 640280297Sjkim if (!f || !ret || !buf) { 641280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 642280297Sjkim goto err; 643280297Sjkim } 64455099Skris 645280297Sjkim /* 646280297Sjkim * This check was for equality but PGP does evil things and chops off the 647280297Sjkim * top '0' bytes 648280297Sjkim */ 649280297Sjkim if (flen > num) { 650280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); 651280297Sjkim goto err; 652280297Sjkim } 65389840Skris 654280297Sjkim if (BN_bin2bn(from, flen, f) == NULL) 655280297Sjkim goto err; 65689840Skris 657280297Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 658280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 659280297Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 660280297Sjkim goto err; 661280297Sjkim } 662160817Ssimon 663280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 664340704Sjkim if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, 665340704Sjkim rsa->n, ctx)) 666280297Sjkim goto err; 66755099Skris 668280297Sjkim if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 669280297Sjkim rsa->_method_mod_n)) 670280297Sjkim goto err; 671160817Ssimon 672280297Sjkim if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 673280297Sjkim if (!BN_sub(ret, rsa->n, ret)) 674280297Sjkim goto err; 67555099Skris 676337982Sjkim i = bn_bn2binpad(ret, buf, num); 67755099Skris 678280297Sjkim switch (padding) { 679280297Sjkim case RSA_PKCS1_PADDING: 680280297Sjkim r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 681280297Sjkim break; 682280297Sjkim case RSA_X931_PADDING: 683280297Sjkim r = RSA_padding_check_X931(to, num, buf, i, num); 684280297Sjkim break; 685280297Sjkim case RSA_NO_PADDING: 686337982Sjkim memcpy(to, buf, (r = i)); 687280297Sjkim break; 688280297Sjkim default: 689280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 690280297Sjkim goto err; 691280297Sjkim } 692280297Sjkim if (r < 0) 693280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 69455099Skris 695280297Sjkim err: 696280297Sjkim if (ctx != NULL) { 697280297Sjkim BN_CTX_end(ctx); 698280297Sjkim BN_CTX_free(ctx); 699280297Sjkim } 700280297Sjkim if (buf != NULL) { 701280297Sjkim OPENSSL_cleanse(buf, num); 702280297Sjkim OPENSSL_free(buf); 703280297Sjkim } 704280297Sjkim return (r); 705280297Sjkim} 706280297Sjkim 707160817Ssimonstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 708280297Sjkim{ 709280297Sjkim BIGNUM *r1, *m1, *vrfy; 710280297Sjkim BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 711280297Sjkim BIGNUM *dmp1, *dmq1, *c, *pr1; 712340704Sjkim int ret = 0, smooth = 0; 71355099Skris 714280297Sjkim BN_CTX_start(ctx); 715280297Sjkim r1 = BN_CTX_get(ctx); 716280297Sjkim m1 = BN_CTX_get(ctx); 717280297Sjkim vrfy = BN_CTX_get(ctx); 71855099Skris 719280297Sjkim { 720280297Sjkim BIGNUM local_p, local_q; 721280297Sjkim BIGNUM *p = NULL, *q = NULL; 722160817Ssimon 723280297Sjkim /* 724280297Sjkim * Make sure BN_mod_inverse in Montgomery intialization uses the 725280297Sjkim * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 726280297Sjkim */ 727280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 728280297Sjkim BN_init(&local_p); 729280297Sjkim p = &local_p; 730280297Sjkim BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 731194206Ssimon 732280297Sjkim BN_init(&local_q); 733280297Sjkim q = &local_q; 734280297Sjkim BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 735280297Sjkim } else { 736280297Sjkim p = rsa->p; 737280297Sjkim q = rsa->q; 738280297Sjkim } 739194206Ssimon 740280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 741340704Sjkim if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, 742340704Sjkim p, ctx)) 743280297Sjkim goto err; 744340704Sjkim if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, 745340704Sjkim q, ctx)) 746280297Sjkim goto err; 747340704Sjkim 748340704Sjkim smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont) 749340704Sjkim && (BN_num_bits(q) == BN_num_bits(p)); 750280297Sjkim } 751280297Sjkim } 752194206Ssimon 753280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 754340704Sjkim if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, 755340704Sjkim rsa->n, ctx)) 756280297Sjkim goto err; 757194206Ssimon 758340704Sjkim if (smooth) { 759340704Sjkim /* 760340704Sjkim * Conversion from Montgomery domain, a.k.a. Montgomery reduction, 761340704Sjkim * accepts values in [0-m*2^w) range. w is m's bit width rounded up 762340704Sjkim * to limb width. So that at the very least if |I| is fully reduced, 763340704Sjkim * i.e. less than p*q, we can count on from-to round to perform 764340704Sjkim * below modulo operations on |I|. Unlike BN_mod it's constant time. 765340704Sjkim */ 766340704Sjkim if (/* m1 = I moq q */ 767340704Sjkim !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx) 768340704Sjkim || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx) 769340704Sjkim /* m1 = m1^dmq1 mod q */ 770340704Sjkim || !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx, 771340704Sjkim rsa->_method_mod_q) 772340704Sjkim /* r1 = I mod p */ 773340704Sjkim || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx) 774340704Sjkim || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) 775340704Sjkim /* r1 = r1^dmp1 mod p */ 776340704Sjkim || !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx, 777340704Sjkim rsa->_method_mod_p) 778340704Sjkim /* r1 = (r1 - m1) mod p */ 779340704Sjkim /* 780340704Sjkim * bn_mod_sub_fixed_top is not regular modular subtraction, 781340704Sjkim * it can tolerate subtrahend to be larger than modulus, but 782340704Sjkim * not bit-wise wider. This makes up for uncommon q>p case, 783340704Sjkim * when |m1| can be larger than |rsa->p|. 784340704Sjkim */ 785340704Sjkim || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p) 786340704Sjkim 787340704Sjkim /* r1 = r1 * iqmp mod p */ 788340704Sjkim || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) 789340704Sjkim || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, 790340704Sjkim ctx) 791340704Sjkim /* r0 = r1 * q + m1 */ 792340704Sjkim || !bn_mul_fixed_top(r0, r1, rsa->q, ctx) 793340704Sjkim || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n)) 794340704Sjkim goto err; 795340704Sjkim 796340704Sjkim goto tail; 797340704Sjkim } 798340704Sjkim 799280297Sjkim /* compute I mod q */ 800280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 801280297Sjkim c = &local_c; 802280297Sjkim BN_with_flags(c, I, BN_FLG_CONSTTIME); 803280297Sjkim if (!BN_mod(r1, c, rsa->q, ctx)) 804280297Sjkim goto err; 805280297Sjkim } else { 806280297Sjkim if (!BN_mod(r1, I, rsa->q, ctx)) 807280297Sjkim goto err; 808280297Sjkim } 809194206Ssimon 810280297Sjkim /* compute r1^dmq1 mod q */ 811280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 812280297Sjkim dmq1 = &local_dmq1; 813280297Sjkim BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 814280297Sjkim } else 815280297Sjkim dmq1 = rsa->dmq1; 816280297Sjkim if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) 817280297Sjkim goto err; 81855099Skris 819280297Sjkim /* compute I mod p */ 820280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 821280297Sjkim c = &local_c; 822280297Sjkim BN_with_flags(c, I, BN_FLG_CONSTTIME); 823280297Sjkim if (!BN_mod(r1, c, rsa->p, ctx)) 824280297Sjkim goto err; 825280297Sjkim } else { 826280297Sjkim if (!BN_mod(r1, I, rsa->p, ctx)) 827280297Sjkim goto err; 828280297Sjkim } 829194206Ssimon 830280297Sjkim /* compute r1^dmp1 mod p */ 831280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 832280297Sjkim dmp1 = &local_dmp1; 833280297Sjkim BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 834280297Sjkim } else 835280297Sjkim dmp1 = rsa->dmp1; 836280297Sjkim if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) 837280297Sjkim goto err; 83855099Skris 839280297Sjkim if (!BN_sub(r0, r0, m1)) 840280297Sjkim goto err; 841280297Sjkim /* 842280297Sjkim * This will help stop the size of r0 increasing, which does affect the 843280297Sjkim * multiply if it optimised for a power of 2 size 844280297Sjkim */ 845280297Sjkim if (BN_is_negative(r0)) 846280297Sjkim if (!BN_add(r0, r0, rsa->p)) 847280297Sjkim goto err; 84855099Skris 849280297Sjkim if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 850280297Sjkim goto err; 851194206Ssimon 852280297Sjkim /* Turn BN_FLG_CONSTTIME flag on before division operation */ 853280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 854280297Sjkim pr1 = &local_r1; 855280297Sjkim BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 856280297Sjkim } else 857280297Sjkim pr1 = r1; 858280297Sjkim if (!BN_mod(r0, pr1, rsa->p, ctx)) 859280297Sjkim goto err; 860194206Ssimon 861280297Sjkim /* 862280297Sjkim * If p < q it is occasionally possible for the correction of adding 'p' 863280297Sjkim * if r0 is negative above to leave the result still negative. This can 864280297Sjkim * break the private key operations: the following second correction 865280297Sjkim * should *always* correct this rare occurrence. This will *never* happen 866280297Sjkim * with OpenSSL generated keys because they ensure p > q [steve] 867280297Sjkim */ 868280297Sjkim if (BN_is_negative(r0)) 869280297Sjkim if (!BN_add(r0, r0, rsa->p)) 870280297Sjkim goto err; 871280297Sjkim if (!BN_mul(r1, r0, rsa->q, ctx)) 872280297Sjkim goto err; 873280297Sjkim if (!BN_add(r0, r1, m1)) 874280297Sjkim goto err; 87555099Skris 876340704Sjkim tail: 877280297Sjkim if (rsa->e && rsa->n) { 878340704Sjkim if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) { 879340704Sjkim if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx, 880340704Sjkim rsa->_method_mod_n)) 881340704Sjkim goto err; 882340704Sjkim } else { 883340704Sjkim bn_correct_top(r0); 884340704Sjkim if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 885340704Sjkim rsa->_method_mod_n)) 886340704Sjkim goto err; 887340704Sjkim } 888280297Sjkim /* 889280297Sjkim * If 'I' was greater than (or equal to) rsa->n, the operation will 890280297Sjkim * be equivalent to using 'I mod n'. However, the result of the 891280297Sjkim * verify will *always* be less than 'n' so we don't check for 892280297Sjkim * absolute equality, just congruency. 893280297Sjkim */ 894280297Sjkim if (!BN_sub(vrfy, vrfy, I)) 895280297Sjkim goto err; 896340704Sjkim if (BN_is_zero(vrfy)) { 897340704Sjkim bn_correct_top(r0); 898340704Sjkim ret = 1; 899340704Sjkim goto err; /* not actually error */ 900340704Sjkim } 901280297Sjkim if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 902280297Sjkim goto err; 903280297Sjkim if (BN_is_negative(vrfy)) 904280297Sjkim if (!BN_add(vrfy, vrfy, rsa->n)) 905280297Sjkim goto err; 906280297Sjkim if (!BN_is_zero(vrfy)) { 907280297Sjkim /* 908280297Sjkim * 'I' and 'vrfy' aren't congruent mod n. Don't leak 909280297Sjkim * miscalculated CRT output, just do a raw (slower) mod_exp and 910280297Sjkim * return that instead. 911280297Sjkim */ 912160817Ssimon 913280297Sjkim BIGNUM local_d; 914280297Sjkim BIGNUM *d = NULL; 91555099Skris 916280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 917280297Sjkim d = &local_d; 918280297Sjkim BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 919280297Sjkim } else 920280297Sjkim d = rsa->d; 921280297Sjkim if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 922280297Sjkim rsa->_method_mod_n)) 923280297Sjkim goto err; 924280297Sjkim } 925280297Sjkim } 926340704Sjkim /* 927340704Sjkim * It's unfortunate that we have to bn_correct_top(r0). What hopefully 928340704Sjkim * saves the day is that correction is highly unlike, and private key 929340704Sjkim * operations are customarily performed on blinded message. Which means 930340704Sjkim * that attacker won't observe correlation with chosen plaintext. 931340704Sjkim * Secondly, remaining code would still handle it in same computational 932340704Sjkim * time and even conceal memory access pattern around corrected top. 933340704Sjkim */ 934340704Sjkim bn_correct_top(r0); 935280297Sjkim ret = 1; 936280297Sjkim err: 937280297Sjkim BN_CTX_end(ctx); 938280297Sjkim return (ret); 939280297Sjkim} 940280297Sjkim 94155099Skrisstatic int RSA_eay_init(RSA *rsa) 942280297Sjkim{ 943280297Sjkim rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 944280297Sjkim return (1); 945280297Sjkim} 94655099Skris 94755099Skrisstatic int RSA_eay_finish(RSA *rsa) 948280297Sjkim{ 949280297Sjkim if (rsa->_method_mod_n != NULL) 950280297Sjkim BN_MONT_CTX_free(rsa->_method_mod_n); 951280297Sjkim if (rsa->_method_mod_p != NULL) 952280297Sjkim BN_MONT_CTX_free(rsa->_method_mod_p); 953280297Sjkim if (rsa->_method_mod_q != NULL) 954280297Sjkim BN_MONT_CTX_free(rsa->_method_mod_q); 955280297Sjkim return (1); 956280297Sjkim} 95755099Skris 95868654Skris#endif 959