rsa_eay.c revision 76870
1/* crypto/rsa/rsa_eay.c */ 2/* $FreeBSD: head/crypto/openssl/crypto/rsa/rsa_eay.c 76870 2001-05-20 03:17:35Z kris $ */ 3/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 4 * All rights reserved. 5 * 6 * This package is an SSL implementation written 7 * by Eric Young (eay@cryptsoft.com). 8 * The implementation was written so as to conform with Netscapes SSL. 9 * 10 * This library is free for commercial and non-commercial use as long as 11 * the following conditions are aheared to. The following conditions 12 * apply to all code found in this distribution, be it the RC4, RSA, 13 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 14 * included with this distribution is covered by the same copyright terms 15 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 16 * 17 * Copyright remains Eric Young's, and as such any Copyright notices in 18 * the code are not to be removed. 19 * If this package is used in a product, Eric Young should be given attribution 20 * as the author of the parts of the library used. 21 * This can be in the form of a textual message at program startup or 22 * in documentation (online or textual) provided with the package. 23 * 24 * Redistribution and use in source and binary forms, with or without 25 * modification, are permitted provided that the following conditions 26 * are met: 27 * 1. Redistributions of source code must retain the copyright 28 * notice, this list of conditions and the following disclaimer. 29 * 2. Redistributions in binary form must reproduce the above copyright 30 * notice, this list of conditions and the following disclaimer in the 31 * documentation and/or other materials provided with the distribution. 32 * 3. All advertising materials mentioning features or use of this software 33 * must display the following acknowledgement: 34 * "This product includes cryptographic software written by 35 * Eric Young (eay@cryptsoft.com)" 36 * The word 'cryptographic' can be left out if the rouines from the library 37 * being used are not cryptographic related :-). 38 * 4. If you include any Windows specific code (or a derivative thereof) from 39 * the apps directory (application code) you must include an acknowledgement: 40 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 41 * 42 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 43 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 44 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 45 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 46 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 47 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 48 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 49 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 50 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 51 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 52 * SUCH DAMAGE. 53 * 54 * The licence and distribution terms for any publically available version or 55 * derivative of this code cannot be changed. i.e. this code cannot simply be 56 * copied and put under another distribution licence 57 * [including the GNU Public Licence.] 58 */ 59 60#include <stdio.h> 61#include "cryptlib.h" 62#include <openssl/bn.h> 63#include <openssl/rsa.h> 64#include <openssl/rand.h> 65 66#ifndef RSA_NULL 67 68static int RSA_eay_public_encrypt(int flen, unsigned char *from, 69 unsigned char *to, RSA *rsa,int padding); 70static int RSA_eay_private_encrypt(int flen, unsigned char *from, 71 unsigned char *to, RSA *rsa,int padding); 72static int RSA_eay_public_decrypt(int flen, unsigned char *from, 73 unsigned char *to, RSA *rsa,int padding); 74static int RSA_eay_private_decrypt(int flen, unsigned char *from, 75 unsigned char *to, RSA *rsa,int padding); 76static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa); 77static int RSA_eay_init(RSA *rsa); 78static int RSA_eay_finish(RSA *rsa); 79static RSA_METHOD rsa_pkcs1_eay_meth={ 80 "Eric Young's PKCS#1 RSA", 81 RSA_eay_public_encrypt, 82 RSA_eay_public_decrypt, 83 RSA_eay_private_encrypt, 84 RSA_eay_private_decrypt, 85 RSA_eay_mod_exp, 86 BN_mod_exp_mont, 87 RSA_eay_init, 88 RSA_eay_finish, 89 0, 90 NULL, 91 }; 92 93RSA_METHOD *RSA_PKCS1_SSLeay(void) 94 { 95 return(&rsa_pkcs1_eay_meth); 96 } 97 98static int RSA_eay_public_encrypt(int flen, unsigned char *from, 99 unsigned char *to, RSA *rsa, int padding) 100 { 101 BIGNUM f,ret; 102 int i,j,k,num=0,r= -1; 103 unsigned char *buf=NULL; 104 BN_CTX *ctx=NULL; 105 106 BN_init(&f); 107 BN_init(&ret); 108 if ((ctx=BN_CTX_new()) == NULL) goto err; 109 num=BN_num_bytes(rsa->n); 110 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 111 { 112 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 113 goto err; 114 } 115 116 switch (padding) 117 { 118 case RSA_PKCS1_PADDING: 119 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 120 break; 121#ifndef NO_SHA 122 case RSA_PKCS1_OAEP_PADDING: 123 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 124 break; 125#endif 126 case RSA_SSLV23_PADDING: 127 i=RSA_padding_add_SSLv23(buf,num,from,flen); 128 break; 129 case RSA_NO_PADDING: 130 i=RSA_padding_add_none(buf,num,from,flen); 131 break; 132 default: 133 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 134 goto err; 135 } 136 if (i <= 0) goto err; 137 138 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 139 140 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 141 { 142 BN_MONT_CTX* bn_mont_ctx; 143 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 144 goto err; 145 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) 146 { 147 BN_MONT_CTX_free(bn_mont_ctx); 148 goto err; 149 } 150 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ 151 { 152 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 153 if (rsa->_method_mod_n == NULL) 154 { 155 rsa->_method_mod_n = bn_mont_ctx; 156 bn_mont_ctx = NULL; 157 } 158 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 159 } 160 if (bn_mont_ctx) 161 BN_MONT_CTX_free(bn_mont_ctx); 162 } 163 164 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 165 rsa->_method_mod_n)) goto err; 166 167 /* put in leading 0 bytes if the number is less than the 168 * length of the modulus */ 169 j=BN_num_bytes(&ret); 170 i=BN_bn2bin(&ret,&(to[num-j])); 171 for (k=0; k<(num-i); k++) 172 to[k]=0; 173 174 r=num; 175err: 176 if (ctx != NULL) BN_CTX_free(ctx); 177 BN_clear_free(&f); 178 BN_clear_free(&ret); 179 if (buf != NULL) 180 { 181 memset(buf,0,num); 182 OPENSSL_free(buf); 183 } 184 return(r); 185 } 186 187static int RSA_eay_private_encrypt(int flen, unsigned char *from, 188 unsigned char *to, RSA *rsa, int padding) 189 { 190 BIGNUM f,ret; 191 int i,j,k,num=0,r= -1; 192 unsigned char *buf=NULL; 193 BN_CTX *ctx=NULL; 194 195 BN_init(&f); 196 BN_init(&ret); 197 198 if ((ctx=BN_CTX_new()) == NULL) goto err; 199 num=BN_num_bytes(rsa->n); 200 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 201 { 202 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 203 goto err; 204 } 205 206 switch (padding) 207 { 208 case RSA_PKCS1_PADDING: 209 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 210 break; 211 case RSA_NO_PADDING: 212 i=RSA_padding_add_none(buf,num,from,flen); 213 break; 214 case RSA_SSLV23_PADDING: 215 default: 216 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 217 goto err; 218 } 219 if (i <= 0) goto err; 220 221 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 222 223 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) 224 RSA_blinding_on(rsa,ctx); 225 if (rsa->flags & RSA_FLAG_BLINDING) 226 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; 227 228 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 229 ((rsa->p != NULL) && 230 (rsa->q != NULL) && 231 (rsa->dmp1 != NULL) && 232 (rsa->dmq1 != NULL) && 233 (rsa->iqmp != NULL)) ) 234 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 235 else 236 { 237 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; 238 } 239 240 if (rsa->flags & RSA_FLAG_BLINDING) 241 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; 242 243 /* put in leading 0 bytes if the number is less than the 244 * length of the modulus */ 245 j=BN_num_bytes(&ret); 246 i=BN_bn2bin(&ret,&(to[num-j])); 247 for (k=0; k<(num-i); k++) 248 to[k]=0; 249 250 r=num; 251err: 252 if (ctx != NULL) BN_CTX_free(ctx); 253 BN_clear_free(&ret); 254 BN_clear_free(&f); 255 if (buf != NULL) 256 { 257 memset(buf,0,num); 258 OPENSSL_free(buf); 259 } 260 return(r); 261 } 262 263static int RSA_eay_private_decrypt(int flen, unsigned char *from, 264 unsigned char *to, RSA *rsa, int padding) 265 { 266 BIGNUM f,ret; 267 int j,num=0,r= -1; 268 unsigned char *p; 269 unsigned char *buf=NULL; 270 BN_CTX *ctx=NULL; 271 272 BN_init(&f); 273 BN_init(&ret); 274 ctx=BN_CTX_new(); 275 if (ctx == NULL) goto err; 276 277 num=BN_num_bytes(rsa->n); 278 279 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 280 { 281 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 282 goto err; 283 } 284 285 /* This check was for equality but PGP does evil things 286 * and chops off the top '0' bytes */ 287 if (flen > num) 288 { 289 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 290 goto err; 291 } 292 293 /* make data into a big number */ 294 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; 295 296 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) 297 RSA_blinding_on(rsa,ctx); 298 if (rsa->flags & RSA_FLAG_BLINDING) 299 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; 300 301 /* do the decrypt */ 302 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 303 ((rsa->p != NULL) && 304 (rsa->q != NULL) && 305 (rsa->dmp1 != NULL) && 306 (rsa->dmq1 != NULL) && 307 (rsa->iqmp != NULL)) ) 308 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 309 else 310 { 311 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) 312 goto err; 313 } 314 315 if (rsa->flags & RSA_FLAG_BLINDING) 316 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; 317 318 p=buf; 319 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ 320 321 switch (padding) 322 { 323 case RSA_PKCS1_PADDING: 324 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 325 break; 326#ifndef NO_SHA 327 case RSA_PKCS1_OAEP_PADDING: 328 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 329 break; 330#endif 331 case RSA_SSLV23_PADDING: 332 r=RSA_padding_check_SSLv23(to,num,buf,j,num); 333 break; 334 case RSA_NO_PADDING: 335 r=RSA_padding_check_none(to,num,buf,j,num); 336 break; 337 default: 338 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 339 goto err; 340 } 341 if (r < 0) 342 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 343 344err: 345 if (ctx != NULL) BN_CTX_free(ctx); 346 BN_clear_free(&f); 347 BN_clear_free(&ret); 348 if (buf != NULL) 349 { 350 memset(buf,0,num); 351 OPENSSL_free(buf); 352 } 353 return(r); 354 } 355 356static int RSA_eay_public_decrypt(int flen, unsigned char *from, 357 unsigned char *to, RSA *rsa, int padding) 358 { 359 BIGNUM f,ret; 360 int i,num=0,r= -1; 361 unsigned char *p; 362 unsigned char *buf=NULL; 363 BN_CTX *ctx=NULL; 364 365 BN_init(&f); 366 BN_init(&ret); 367 ctx=BN_CTX_new(); 368 if (ctx == NULL) goto err; 369 370 num=BN_num_bytes(rsa->n); 371 buf=(unsigned char *)OPENSSL_malloc(num); 372 if (buf == NULL) 373 { 374 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 375 goto err; 376 } 377 378 /* This check was for equality but PGP does evil things 379 * and chops off the top '0' bytes */ 380 if (flen > num) 381 { 382 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 383 goto err; 384 } 385 386 if (BN_bin2bn(from,flen,&f) == NULL) goto err; 387 /* do the decrypt */ 388 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 389 { 390 BN_MONT_CTX* bn_mont_ctx; 391 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 392 goto err; 393 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) 394 { 395 BN_MONT_CTX_free(bn_mont_ctx); 396 goto err; 397 } 398 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ 399 { 400 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 401 if (rsa->_method_mod_n == NULL) 402 { 403 rsa->_method_mod_n = bn_mont_ctx; 404 bn_mont_ctx = NULL; 405 } 406 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 407 } 408 if (bn_mont_ctx) 409 BN_MONT_CTX_free(bn_mont_ctx); 410 } 411 412 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 413 rsa->_method_mod_n)) goto err; 414 415 p=buf; 416 i=BN_bn2bin(&ret,p); 417 418 switch (padding) 419 { 420 case RSA_PKCS1_PADDING: 421 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 422 break; 423 case RSA_NO_PADDING: 424 r=RSA_padding_check_none(to,num,buf,i,num); 425 break; 426 default: 427 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 428 goto err; 429 } 430 if (r < 0) 431 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 432 433err: 434 if (ctx != NULL) BN_CTX_free(ctx); 435 BN_clear_free(&f); 436 BN_clear_free(&ret); 437 if (buf != NULL) 438 { 439 memset(buf,0,num); 440 OPENSSL_free(buf); 441 } 442 return(r); 443 } 444 445static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) 446 { 447 BIGNUM r1,m1,vrfy; 448 int ret=0; 449 BN_CTX *ctx; 450 451 if ((ctx=BN_CTX_new()) == NULL) goto err; 452 BN_init(&m1); 453 BN_init(&r1); 454 BN_init(&vrfy); 455 456 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 457 { 458 if (rsa->_method_mod_p == NULL) 459 { 460 BN_MONT_CTX* bn_mont_ctx; 461 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 462 goto err; 463 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) 464 { 465 BN_MONT_CTX_free(bn_mont_ctx); 466 goto err; 467 } 468 if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ 469 { 470 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 471 if (rsa->_method_mod_p == NULL) 472 { 473 rsa->_method_mod_p = bn_mont_ctx; 474 bn_mont_ctx = NULL; 475 } 476 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 477 } 478 if (bn_mont_ctx) 479 BN_MONT_CTX_free(bn_mont_ctx); 480 } 481 482 if (rsa->_method_mod_q == NULL) 483 { 484 BN_MONT_CTX* bn_mont_ctx; 485 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) 486 goto err; 487 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) 488 { 489 BN_MONT_CTX_free(bn_mont_ctx); 490 goto err; 491 } 492 if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ 493 { 494 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 495 if (rsa->_method_mod_q == NULL) 496 { 497 rsa->_method_mod_q = bn_mont_ctx; 498 bn_mont_ctx = NULL; 499 } 500 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 501 } 502 if (bn_mont_ctx) 503 BN_MONT_CTX_free(bn_mont_ctx); 504 } 505 } 506 507 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 508 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, 509 rsa->_method_mod_q)) goto err; 510 511 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 512 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, 513 rsa->_method_mod_p)) goto err; 514 515 if (!BN_sub(r0,r0,&m1)) goto err; 516 /* This will help stop the size of r0 increasing, which does 517 * affect the multiply if it optimised for a power of 2 size */ 518 if (r0->neg) 519 if (!BN_add(r0,r0,rsa->p)) goto err; 520 521 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; 522 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; 523 /* If p < q it is occasionally possible for the correction of 524 * adding 'p' if r0 is negative above to leave the result still 525 * negative. This can break the private key operations: the following 526 * second correction should *always* correct this rare occurrence. 527 * This will *never* happen with OpenSSL generated keys because 528 * they ensure p > q [steve] 529 */ 530 if (r0->neg) 531 if (!BN_add(r0,r0,rsa->p)) goto err; 532 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; 533 if (!BN_add(r0,&r1,&m1)) goto err; 534 535 if (rsa->e && rsa->n) 536 { 537 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; 538 if (BN_cmp(I, &vrfy) != 0) 539 { 540 if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; 541 } 542 } 543 ret=1; 544err: 545 BN_clear_free(&m1); 546 BN_clear_free(&r1); 547 BN_clear_free(&vrfy); 548 BN_CTX_free(ctx); 549 return(ret); 550 } 551 552static int RSA_eay_init(RSA *rsa) 553 { 554 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 555 return(1); 556 } 557 558static int RSA_eay_finish(RSA *rsa) 559 { 560 if (rsa->_method_mod_n != NULL) 561 BN_MONT_CTX_free(rsa->_method_mod_n); 562 if (rsa->_method_mod_p != NULL) 563 BN_MONT_CTX_free(rsa->_method_mod_p); 564 if (rsa->_method_mod_q != NULL) 565 BN_MONT_CTX_free(rsa->_method_mod_q); 566 return(1); 567 } 568 569#endif 570