rsa_eay.c revision 120635
1819SN/A/* crypto/rsa/rsa_eay.c */ 2819SN/A/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3819SN/A * All rights reserved. 4819SN/A * 5819SN/A * This package is an SSL implementation written 6819SN/A * by Eric Young (eay@cryptsoft.com). 7819SN/A * The implementation was written so as to conform with Netscapes SSL. 8819SN/A * 9819SN/A * This library is free for commercial and non-commercial use as long as 10819SN/A * the following conditions are aheared to. The following conditions 11819SN/A * apply to all code found in this distribution, be it the RC4, RSA, 12819SN/A * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13819SN/A * included with this distribution is covered by the same copyright terms 14819SN/A * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15819SN/A * 16819SN/A * Copyright remains Eric Young's, and as such any Copyright notices in 17819SN/A * the code are not to be removed. 18819SN/A * If this package is used in a product, Eric Young should be given attribution 19819SN/A * as the author of the parts of the library used. 20819SN/A * This can be in the form of a textual message at program startup or 21819SN/A * in documentation (online or textual) provided with the package. 22819SN/A * 23819SN/A * Redistribution and use in source and binary forms, with or without 24819SN/A * modification, are permitted provided that the following conditions 25819SN/A * are met: 26819SN/A * 1. Redistributions of source code must retain the copyright 27819SN/A * notice, this list of conditions and the following disclaimer. 28819SN/A * 2. Redistributions in binary form must reproduce the above copyright 29819SN/A * notice, this list of conditions and the following disclaimer in the 30819SN/A * documentation and/or other materials provided with the distribution. 311551Sattila * 3. All advertising materials mentioning features or use of this software 321551Sattila * must display the following acknowledgement: 331551Sattila * "This product includes cryptographic software written by 34819SN/A * Eric Young (eay@cryptsoft.com)" 35819SN/A * The word 'cryptographic' can be left out if the rouines from the library 36819SN/A * being used are not cryptographic related :-). 37819SN/A * 4. If you include any Windows specific code (or a derivative thereof) from 38819SN/A * the apps directory (application code) you must include an acknowledgement: 39819SN/A * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40819SN/A * 41819SN/A * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42819SN/A * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43819SN/A * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44819SN/A * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45819SN/A * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46819SN/A * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47819SN/A * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48819SN/A * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49819SN/A * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50819SN/A * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51819SN/A * SUCH DAMAGE. 52819SN/A * 53819SN/A * The licence and distribution terms for any publically available version or 54819SN/A * derivative of this code cannot be changed. i.e. this code cannot simply be 55819SN/A * copied and put under another distribution licence 56819SN/A * [including the GNU Public Licence.] 571040Slagergren */ 58819SN/A/* $FreeBSD: head/crypto/openssl/crypto/rsa/rsa_eay.c 120635 2003-10-01 12:37:51Z nectar $ */ 59819SN/A 60819SN/A#include <stdio.h> 611101Slagergren#include "cryptlib.h" 62819SN/A#include <openssl/bn.h> 63819SN/A#include <openssl/rsa.h> 64819SN/A#include <openssl/rand.h> 65819SN/A 66819SN/A#ifndef RSA_NULL 67819SN/A 68819SN/Astatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 69819SN/A unsigned char *to, RSA *rsa,int padding); 70819SN/Astatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 71819SN/A unsigned char *to, RSA *rsa,int padding); 72819SN/Astatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 73819SN/A unsigned char *to, RSA *rsa,int padding); 74819SN/Astatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 75819SN/A unsigned char *to, RSA *rsa,int padding); 76819SN/Astatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); 77819SN/Astatic int RSA_eay_init(RSA *rsa); 78819SN/Astatic int RSA_eay_finish(RSA *rsa); 79819SN/Astatic RSA_METHOD rsa_pkcs1_eay_meth={ 80819SN/A "Eric Young's PKCS#1 RSA", 81819SN/A RSA_eay_public_encrypt, 82819SN/A RSA_eay_public_decrypt, /* signature verification */ 83819SN/A RSA_eay_private_encrypt, /* signing */ 84819SN/A RSA_eay_private_decrypt, 85819SN/A RSA_eay_mod_exp, 861448Shannesw BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ 87819SN/A RSA_eay_init, 88819SN/A RSA_eay_finish, 89819SN/A 0, /* flags */ 90819SN/A NULL, 911073Slagergren 0, /* rsa_sign */ 92819SN/A 0 /* rsa_verify */ 93819SN/A }; 94819SN/A 95819SN/Aconst RSA_METHOD *RSA_PKCS1_SSLeay(void) 96819SN/A { 97819SN/A return(&rsa_pkcs1_eay_meth); 98819SN/A } 99819SN/A 100819SN/Astatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 1011844Shannesw unsigned char *to, RSA *rsa, int padding) 102819SN/A { 103819SN/A BIGNUM f,ret; 104819SN/A int i,j,k,num=0,r= -1; 105819SN/A unsigned char *buf=NULL; 106844SN/A BN_CTX *ctx=NULL; 107819SN/A 108819SN/A BN_init(&f); 109819SN/A BN_init(&ret); 110819SN/A if ((ctx=BN_CTX_new()) == NULL) goto err; 111844SN/A num=BN_num_bytes(rsa->n); 112819SN/A if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 113819SN/A { 114819SN/A RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 115819SN/A goto err; 116844SN/A } 117819SN/A 118819SN/A switch (padding) 119819SN/A { 120819SN/A case RSA_PKCS1_PADDING: 121819SN/A i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 1221101Slagergren break; 123819SN/A#ifndef OPENSSL_NO_SHA 124819SN/A case RSA_PKCS1_OAEP_PADDING: 125819SN/A i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 126844SN/A break; 127819SN/A#endif 128819SN/A case RSA_SSLV23_PADDING: 129819SN/A i=RSA_padding_add_SSLv23(buf,num,from,flen); 130819SN/A break; 131844SN/A case RSA_NO_PADDING: 132819SN/A i=RSA_padding_add_none(buf,num,from,flen); 133819SN/A break; 134819SN/A default: 135819SN/A RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 1361073Slagergren goto err; 137819SN/A } 138819SN/A if (i <= 0) goto err; 139819SN/A 140819SN/A if (BN_bin2bn(buf,num,&f) == NULL) goto err; 141819SN/A 142819SN/A if (BN_ucmp(&f, rsa->n) >= 0) 143819SN/A { 144819SN/A /* usually the padding functions would catch this */ 145819SN/A RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 146844SN/A goto err; 147819SN/A } 148819SN/A 149819SN/A if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 150819SN/A { 151819SN/A BN_MONT_CTX* bn_mont_ctx; 152819SN/A if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 153819SN/A goto err; 154819SN/A if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) 155819SN/A { 156819SN/A BN_MONT_CTX_free(bn_mont_ctx); 157819SN/A goto err; 158819SN/A } 159819SN/A if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ 160819SN/A { 161819SN/A CRYPTO_w_lock(CRYPTO_LOCK_RSA); 162819SN/A if (rsa->_method_mod_n == NULL) 163819SN/A { 164819SN/A rsa->_method_mod_n = bn_mont_ctx; 165819SN/A bn_mont_ctx = NULL; 166819SN/A } 167819SN/A CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 168819SN/A } 169819SN/A if (bn_mont_ctx) 170819SN/A BN_MONT_CTX_free(bn_mont_ctx); 171819SN/A } 172819SN/A 173819SN/A if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 174819SN/A rsa->_method_mod_n)) goto err; 175819SN/A 176819SN/A /* put in leading 0 bytes if the number is less than the 177819SN/A * length of the modulus */ 178819SN/A j=BN_num_bytes(&ret); 179819SN/A i=BN_bn2bin(&ret,&(to[num-j])); 180819SN/A for (k=0; k<(num-i); k++) 181819SN/A to[k]=0; 182819SN/A 183819SN/A r=num; 184819SN/Aerr: 185819SN/A if (ctx != NULL) BN_CTX_free(ctx); 186819SN/A BN_clear_free(&f); 187819SN/A BN_clear_free(&ret); 188819SN/A if (buf != NULL) 189819SN/A { 190819SN/A OPENSSL_cleanse(buf,num); 191819SN/A OPENSSL_free(buf); 192819SN/A } 193819SN/A return(r); 194819SN/A } 195819SN/A 196819SN/Astatic int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) 197819SN/A { 198819SN/A int ret = 1; 199819SN/A CRYPTO_w_lock(CRYPTO_LOCK_RSA); 200819SN/A /* Check again inside the lock - the macro's check is racey */ 201819SN/A if(rsa->blinding == NULL) 202819SN/A ret = RSA_blinding_on(rsa, ctx); 203819SN/A CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 204819SN/A return ret; 205 } 206 207#define BLINDING_HELPER(rsa, ctx, err_instr) \ 208 do { \ 209 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ 210 ((rsa)->blinding == NULL) && \ 211 !rsa_eay_blinding(rsa, ctx)) \ 212 err_instr \ 213 } while(0) 214 215static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) 216 { 217 BIGNUM *A, *Ai; 218 BN_BLINDING *ret = NULL; 219 220 /* added in OpenSSL 0.9.6j and 0.9.7b */ 221 222 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); 223 * this should be placed in a new function of its own, but for reasons 224 * of binary compatibility can't */ 225 226 BN_CTX_start(ctx); 227 A = BN_CTX_get(ctx); 228 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) 229 { 230 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ 231 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); 232 if (!BN_pseudo_rand_range(A,rsa->n)) goto err; 233 } 234 else 235 { 236 if (!BN_rand_range(A,rsa->n)) goto err; 237 } 238 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; 239 240 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) 241 goto err; 242 ret = BN_BLINDING_new(A,Ai,rsa->n); 243 BN_free(Ai); 244err: 245 BN_CTX_end(ctx); 246 return ret; 247 } 248 249/* signing */ 250static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 251 unsigned char *to, RSA *rsa, int padding) 252 { 253 BIGNUM f,ret; 254 int i,j,k,num=0,r= -1; 255 unsigned char *buf=NULL; 256 BN_CTX *ctx=NULL; 257 int local_blinding = 0; 258 BN_BLINDING *blinding = NULL; 259 260 BN_init(&f); 261 BN_init(&ret); 262 263 if ((ctx=BN_CTX_new()) == NULL) goto err; 264 num=BN_num_bytes(rsa->n); 265 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 266 { 267 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 268 goto err; 269 } 270 271 switch (padding) 272 { 273 case RSA_PKCS1_PADDING: 274 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 275 break; 276 case RSA_NO_PADDING: 277 i=RSA_padding_add_none(buf,num,from,flen); 278 break; 279 case RSA_SSLV23_PADDING: 280 default: 281 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 282 goto err; 283 } 284 if (i <= 0) goto err; 285 286 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 287 288 if (BN_ucmp(&f, rsa->n) >= 0) 289 { 290 /* usually the padding functions would catch this */ 291 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 292 goto err; 293 } 294 295 BLINDING_HELPER(rsa, ctx, goto err;); 296 blinding = rsa->blinding; 297 298 /* Now unless blinding is disabled, 'blinding' is non-NULL. 299 * But the BN_BLINDING object may be owned by some other thread 300 * (we don't want to keep it constant and we don't want to use 301 * lots of locking to avoid race conditions, so only a single 302 * thread can use it; other threads have to use local blinding 303 * factors) */ 304 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 305 { 306 if (blinding == NULL) 307 { 308 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 309 goto err; 310 } 311 } 312 313 if (blinding != NULL) 314 { 315 if (blinding->thread_id != CRYPTO_thread_id()) 316 { 317 /* we need a local one-time blinding factor */ 318 319 blinding = setup_blinding(rsa, ctx); 320 if (blinding == NULL) 321 goto err; 322 local_blinding = 1; 323 } 324 } 325 326 if (blinding) 327 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; 328 329 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 330 ((rsa->p != NULL) && 331 (rsa->q != NULL) && 332 (rsa->dmp1 != NULL) && 333 (rsa->dmq1 != NULL) && 334 (rsa->iqmp != NULL)) ) 335 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 336 else 337 { 338 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; 339 } 340 341 if (blinding) 342 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 343 344 /* put in leading 0 bytes if the number is less than the 345 * length of the modulus */ 346 j=BN_num_bytes(&ret); 347 i=BN_bn2bin(&ret,&(to[num-j])); 348 for (k=0; k<(num-i); k++) 349 to[k]=0; 350 351 r=num; 352err: 353 if (ctx != NULL) BN_CTX_free(ctx); 354 BN_clear_free(&ret); 355 BN_clear_free(&f); 356 if (local_blinding) 357 BN_BLINDING_free(blinding); 358 if (buf != NULL) 359 { 360 OPENSSL_cleanse(buf,num); 361 OPENSSL_free(buf); 362 } 363 return(r); 364 } 365 366static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 367 unsigned char *to, RSA *rsa, int padding) 368 { 369 BIGNUM f,ret; 370 int j,num=0,r= -1; 371 unsigned char *p; 372 unsigned char *buf=NULL; 373 BN_CTX *ctx=NULL; 374 int local_blinding = 0; 375 BN_BLINDING *blinding = NULL; 376 377 BN_init(&f); 378 BN_init(&ret); 379 ctx=BN_CTX_new(); 380 if (ctx == NULL) goto err; 381 382 num=BN_num_bytes(rsa->n); 383 384 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 385 { 386 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 387 goto err; 388 } 389 390 /* This check was for equality but PGP does evil things 391 * and chops off the top '0' bytes */ 392 if (flen > num) 393 { 394 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 395 goto err; 396 } 397 398 /* make data into a big number */ 399 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; 400 401 if (BN_ucmp(&f, rsa->n) >= 0) 402 { 403 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 404 goto err; 405 } 406 407 BLINDING_HELPER(rsa, ctx, goto err;); 408 blinding = rsa->blinding; 409 410 /* Now unless blinding is disabled, 'blinding' is non-NULL. 411 * But the BN_BLINDING object may be owned by some other thread 412 * (we don't want to keep it constant and we don't want to use 413 * lots of locking to avoid race conditions, so only a single 414 * thread can use it; other threads have to use local blinding 415 * factors) */ 416 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 417 { 418 if (blinding == NULL) 419 { 420 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 421 goto err; 422 } 423 } 424 425 if (blinding != NULL) 426 { 427 if (blinding->thread_id != CRYPTO_thread_id()) 428 { 429 /* we need a local one-time blinding factor */ 430 431 blinding = setup_blinding(rsa, ctx); 432 if (blinding == NULL) 433 goto err; 434 local_blinding = 1; 435 } 436 } 437 438 if (blinding) 439 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; 440 441 /* do the decrypt */ 442 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 443 ((rsa->p != NULL) && 444 (rsa->q != NULL) && 445 (rsa->dmp1 != NULL) && 446 (rsa->dmq1 != NULL) && 447 (rsa->iqmp != NULL)) ) 448 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 449 else 450 { 451 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) 452 goto err; 453 } 454 455 if (blinding) 456 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 457 458 p=buf; 459 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ 460 461 switch (padding) 462 { 463 case RSA_PKCS1_PADDING: 464 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 465 break; 466#ifndef OPENSSL_NO_SHA 467 case RSA_PKCS1_OAEP_PADDING: 468 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 469 break; 470#endif 471 case RSA_SSLV23_PADDING: 472 r=RSA_padding_check_SSLv23(to,num,buf,j,num); 473 break; 474 case RSA_NO_PADDING: 475 r=RSA_padding_check_none(to,num,buf,j,num); 476 break; 477 default: 478 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 479 goto err; 480 } 481 if (r < 0) 482 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 483 484err: 485 if (ctx != NULL) BN_CTX_free(ctx); 486 BN_clear_free(&f); 487 BN_clear_free(&ret); 488 if (local_blinding) 489 BN_BLINDING_free(blinding); 490 if (buf != NULL) 491 { 492 OPENSSL_cleanse(buf,num); 493 OPENSSL_free(buf); 494 } 495 return(r); 496 } 497 498/* signature verification */ 499static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 500 unsigned char *to, RSA *rsa, int padding) 501 { 502 BIGNUM f,ret; 503 int i,num=0,r= -1; 504 unsigned char *p; 505 unsigned char *buf=NULL; 506 BN_CTX *ctx=NULL; 507 508 BN_init(&f); 509 BN_init(&ret); 510 ctx=BN_CTX_new(); 511 if (ctx == NULL) goto err; 512 513 num=BN_num_bytes(rsa->n); 514 buf=(unsigned char *)OPENSSL_malloc(num); 515 if (buf == NULL) 516 { 517 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 518 goto err; 519 } 520 521 /* This check was for equality but PGP does evil things 522 * and chops off the top '0' bytes */ 523 if (flen > num) 524 { 525 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 526 goto err; 527 } 528 529 if (BN_bin2bn(from,flen,&f) == NULL) goto err; 530 531 if (BN_ucmp(&f, rsa->n) >= 0) 532 { 533 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 534 goto err; 535 } 536 537 /* do the decrypt */ 538 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 539 { 540 BN_MONT_CTX* bn_mont_ctx; 541 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 542 goto err; 543 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) 544 { 545 BN_MONT_CTX_free(bn_mont_ctx); 546 goto err; 547 } 548 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ 549 { 550 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 551 if (rsa->_method_mod_n == NULL) 552 { 553 rsa->_method_mod_n = bn_mont_ctx; 554 bn_mont_ctx = NULL; 555 } 556 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 557 } 558 if (bn_mont_ctx) 559 BN_MONT_CTX_free(bn_mont_ctx); 560 } 561 562 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 563 rsa->_method_mod_n)) goto err; 564 565 p=buf; 566 i=BN_bn2bin(&ret,p); 567 568 switch (padding) 569 { 570 case RSA_PKCS1_PADDING: 571 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 572 break; 573 case RSA_NO_PADDING: 574 r=RSA_padding_check_none(to,num,buf,i,num); 575 break; 576 default: 577 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 578 goto err; 579 } 580 if (r < 0) 581 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 582 583err: 584 if (ctx != NULL) BN_CTX_free(ctx); 585 BN_clear_free(&f); 586 BN_clear_free(&ret); 587 if (buf != NULL) 588 { 589 OPENSSL_cleanse(buf,num); 590 OPENSSL_free(buf); 591 } 592 return(r); 593 } 594 595static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 596 { 597 BIGNUM r1,m1,vrfy; 598 int ret=0; 599 BN_CTX *ctx; 600 601 BN_init(&m1); 602 BN_init(&r1); 603 BN_init(&vrfy); 604 if ((ctx=BN_CTX_new()) == NULL) goto err; 605 606 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 607 { 608 if (rsa->_method_mod_p == NULL) 609 { 610 BN_MONT_CTX* bn_mont_ctx; 611 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 612 goto err; 613 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) 614 { 615 BN_MONT_CTX_free(bn_mont_ctx); 616 goto err; 617 } 618 if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ 619 { 620 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 621 if (rsa->_method_mod_p == NULL) 622 { 623 rsa->_method_mod_p = bn_mont_ctx; 624 bn_mont_ctx = NULL; 625 } 626 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 627 } 628 if (bn_mont_ctx) 629 BN_MONT_CTX_free(bn_mont_ctx); 630 } 631 632 if (rsa->_method_mod_q == NULL) 633 { 634 BN_MONT_CTX* bn_mont_ctx; 635 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 636 goto err; 637 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) 638 { 639 BN_MONT_CTX_free(bn_mont_ctx); 640 goto err; 641 } 642 if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ 643 { 644 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 645 if (rsa->_method_mod_q == NULL) 646 { 647 rsa->_method_mod_q = bn_mont_ctx; 648 bn_mont_ctx = NULL; 649 } 650 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 651 } 652 if (bn_mont_ctx) 653 BN_MONT_CTX_free(bn_mont_ctx); 654 } 655 } 656 657 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 658 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, 659 rsa->_method_mod_q)) goto err; 660 661 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 662 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, 663 rsa->_method_mod_p)) goto err; 664 665 if (!BN_sub(r0,r0,&m1)) goto err; 666 /* This will help stop the size of r0 increasing, which does 667 * affect the multiply if it optimised for a power of 2 size */ 668 if (r0->neg) 669 if (!BN_add(r0,r0,rsa->p)) goto err; 670 671 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; 672 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; 673 /* If p < q it is occasionally possible for the correction of 674 * adding 'p' if r0 is negative above to leave the result still 675 * negative. This can break the private key operations: the following 676 * second correction should *always* correct this rare occurrence. 677 * This will *never* happen with OpenSSL generated keys because 678 * they ensure p > q [steve] 679 */ 680 if (r0->neg) 681 if (!BN_add(r0,r0,rsa->p)) goto err; 682 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; 683 if (!BN_add(r0,&r1,&m1)) goto err; 684 685 if (rsa->e && rsa->n) 686 { 687 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; 688 /* If 'I' was greater than (or equal to) rsa->n, the operation 689 * will be equivalent to using 'I mod n'. However, the result of 690 * the verify will *always* be less than 'n' so we don't check 691 * for absolute equality, just congruency. */ 692 if (!BN_sub(&vrfy, &vrfy, I)) goto err; 693 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; 694 if (vrfy.neg) 695 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; 696 if (!BN_is_zero(&vrfy)) 697 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 698 * miscalculated CRT output, just do a raw (slower) 699 * mod_exp and return that instead. */ 700 if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; 701 } 702 ret=1; 703err: 704 BN_clear_free(&m1); 705 BN_clear_free(&r1); 706 BN_clear_free(&vrfy); 707 BN_CTX_free(ctx); 708 return(ret); 709 } 710 711static int RSA_eay_init(RSA *rsa) 712 { 713 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 714 return(1); 715 } 716 717static int RSA_eay_finish(RSA *rsa) 718 { 719 if (rsa->_method_mod_n != NULL) 720 BN_MONT_CTX_free(rsa->_method_mod_n); 721 if (rsa->_method_mod_p != NULL) 722 BN_MONT_CTX_free(rsa->_method_mod_p); 723 if (rsa->_method_mod_q != NULL) 724 BN_MONT_CTX_free(rsa->_method_mod_q); 725 return(1); 726 } 727 728#endif 729