rsa_eay.c revision 76870 
1/* crypto/rsa/rsa_eay.c */
2/* $FreeBSD: head/crypto/openssl/crypto/rsa/rsa_eay.c 76870 2001-05-20 03:17:35Z kris $ */
3/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * All rights reserved.
5 *
6 * This package is an SSL implementation written
7 * by Eric Young (eay@cryptsoft.com).
8 * The implementation was written so as to conform with Netscapes SSL.
9 *
10 * This library is free for commercial and non-commercial use as long as
11 * the following conditions are aheared to.  The following conditions
12 * apply to all code found in this distribution, be it the RC4, RSA,
13 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
14 * included with this distribution is covered by the same copyright terms
15 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 *
17 * Copyright remains Eric Young's, and as such any Copyright notices in
18 * the code are not to be removed.
19 * If this package is used in a product, Eric Young should be given attribution
20 * as the author of the parts of the library used.
21 * This can be in the form of a textual message at program startup or
22 * in documentation (online or textual) provided with the package.
23 *
24 * Redistribution and use in source and binary forms, with or without
25 * modification, are permitted provided that the following conditions
26 * are met:
27 * 1. Redistributions of source code must retain the copyright
28 *    notice, this list of conditions and the following disclaimer.
29 * 2. Redistributions in binary form must reproduce the above copyright
30 *    notice, this list of conditions and the following disclaimer in the
31 *    documentation and/or other materials provided with the distribution.
32 * 3. All advertising materials mentioning features or use of this software
33 *    must display the following acknowledgement:
34 *    "This product includes cryptographic software written by
35 *     Eric Young (eay@cryptsoft.com)"
36 *    The word 'cryptographic' can be left out if the rouines from the library
37 *    being used are not cryptographic related :-).
38 * 4. If you include any Windows specific code (or a derivative thereof) from
39 *    the apps directory (application code) you must include an acknowledgement:
40 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 *
42 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
43 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
44 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
45 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
46 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
47 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
48 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
49 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
50 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
51 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * SUCH DAMAGE.
53 *
54 * The licence and distribution terms for any publically available version or
55 * derivative of this code cannot be changed.  i.e. this code cannot simply be
56 * copied and put under another distribution licence
57 * [including the GNU Public Licence.]
58 */
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/bn.h>
63#include <openssl/rsa.h>
64#include <openssl/rand.h>
65
66#ifndef RSA_NULL
67
68static int RSA_eay_public_encrypt(int flen, unsigned char *from,
69		unsigned char *to, RSA *rsa,int padding);
70static int RSA_eay_private_encrypt(int flen, unsigned char *from,
71		unsigned char *to, RSA *rsa,int padding);
72static int RSA_eay_public_decrypt(int flen, unsigned char *from,
73		unsigned char *to, RSA *rsa,int padding);
74static int RSA_eay_private_decrypt(int flen, unsigned char *from,
75		unsigned char *to, RSA *rsa,int padding);
76static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
77static int RSA_eay_init(RSA *rsa);
78static int RSA_eay_finish(RSA *rsa);
79static RSA_METHOD rsa_pkcs1_eay_meth={
80	"Eric Young's PKCS#1 RSA",
81	RSA_eay_public_encrypt,
82	RSA_eay_public_decrypt,
83	RSA_eay_private_encrypt,
84	RSA_eay_private_decrypt,
85	RSA_eay_mod_exp,
86	BN_mod_exp_mont,
87	RSA_eay_init,
88	RSA_eay_finish,
89	0,
90	NULL,
91	};
92
93RSA_METHOD *RSA_PKCS1_SSLeay(void)
94	{
95	return(&rsa_pkcs1_eay_meth);
96	}
97
98static int RSA_eay_public_encrypt(int flen, unsigned char *from,
99	     unsigned char *to, RSA *rsa, int padding)
100	{
101	BIGNUM f,ret;
102	int i,j,k,num=0,r= -1;
103	unsigned char *buf=NULL;
104	BN_CTX *ctx=NULL;
105
106	BN_init(&f);
107	BN_init(&ret);
108	if ((ctx=BN_CTX_new()) == NULL) goto err;
109	num=BN_num_bytes(rsa->n);
110	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
111		{
112		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
113		goto err;
114		}
115
116	switch (padding)
117		{
118	case RSA_PKCS1_PADDING:
119		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
120		break;
121#ifndef NO_SHA
122	case RSA_PKCS1_OAEP_PADDING:
123	        i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
124		break;
125#endif
126	case RSA_SSLV23_PADDING:
127		i=RSA_padding_add_SSLv23(buf,num,from,flen);
128		break;
129	case RSA_NO_PADDING:
130		i=RSA_padding_add_none(buf,num,from,flen);
131		break;
132	default:
133		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
134		goto err;
135		}
136	if (i <= 0) goto err;
137
138	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
139
140	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
141		{
142		BN_MONT_CTX* bn_mont_ctx;
143		if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
144			goto err;
145		if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
146			{
147			BN_MONT_CTX_free(bn_mont_ctx);
148			goto err;
149			}
150		if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
151			{
152			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
153			if (rsa->_method_mod_n == NULL)
154				{
155				rsa->_method_mod_n = bn_mont_ctx;
156				bn_mont_ctx = NULL;
157				}
158			CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
159			}
160		if (bn_mont_ctx)
161			BN_MONT_CTX_free(bn_mont_ctx);
162		}
163
164	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
165		rsa->_method_mod_n)) goto err;
166
167	/* put in leading 0 bytes if the number is less than the
168	 * length of the modulus */
169	j=BN_num_bytes(&ret);
170	i=BN_bn2bin(&ret,&(to[num-j]));
171	for (k=0; k<(num-i); k++)
172		to[k]=0;
173
174	r=num;
175err:
176	if (ctx != NULL) BN_CTX_free(ctx);
177	BN_clear_free(&f);
178	BN_clear_free(&ret);
179	if (buf != NULL)
180		{
181		memset(buf,0,num);
182		OPENSSL_free(buf);
183		}
184	return(r);
185	}
186
187static int RSA_eay_private_encrypt(int flen, unsigned char *from,
188	     unsigned char *to, RSA *rsa, int padding)
189	{
190	BIGNUM f,ret;
191	int i,j,k,num=0,r= -1;
192	unsigned char *buf=NULL;
193	BN_CTX *ctx=NULL;
194
195	BN_init(&f);
196	BN_init(&ret);
197
198	if ((ctx=BN_CTX_new()) == NULL) goto err;
199	num=BN_num_bytes(rsa->n);
200	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
201		{
202		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
203		goto err;
204		}
205
206	switch (padding)
207		{
208	case RSA_PKCS1_PADDING:
209		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
210		break;
211	case RSA_NO_PADDING:
212		i=RSA_padding_add_none(buf,num,from,flen);
213		break;
214	case RSA_SSLV23_PADDING:
215	default:
216		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
217		goto err;
218		}
219	if (i <= 0) goto err;
220
221	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
222
223	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
224		RSA_blinding_on(rsa,ctx);
225	if (rsa->flags & RSA_FLAG_BLINDING)
226		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
227
228	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
229		((rsa->p != NULL) &&
230		(rsa->q != NULL) &&
231		(rsa->dmp1 != NULL) &&
232		(rsa->dmq1 != NULL) &&
233		(rsa->iqmp != NULL)) )
234		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
235	else
236		{
237		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
238		}
239
240	if (rsa->flags & RSA_FLAG_BLINDING)
241		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
242
243	/* put in leading 0 bytes if the number is less than the
244	 * length of the modulus */
245	j=BN_num_bytes(&ret);
246	i=BN_bn2bin(&ret,&(to[num-j]));
247	for (k=0; k<(num-i); k++)
248		to[k]=0;
249
250	r=num;
251err:
252	if (ctx != NULL) BN_CTX_free(ctx);
253	BN_clear_free(&ret);
254	BN_clear_free(&f);
255	if (buf != NULL)
256		{
257		memset(buf,0,num);
258		OPENSSL_free(buf);
259		}
260	return(r);
261	}
262
263static int RSA_eay_private_decrypt(int flen, unsigned char *from,
264	     unsigned char *to, RSA *rsa, int padding)
265	{
266	BIGNUM f,ret;
267	int j,num=0,r= -1;
268	unsigned char *p;
269	unsigned char *buf=NULL;
270	BN_CTX *ctx=NULL;
271
272	BN_init(&f);
273	BN_init(&ret);
274	ctx=BN_CTX_new();
275	if (ctx == NULL) goto err;
276
277	num=BN_num_bytes(rsa->n);
278
279	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
280		{
281		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
282		goto err;
283		}
284
285	/* This check was for equality but PGP does evil things
286	 * and chops off the top '0' bytes */
287	if (flen > num)
288		{
289		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
290		goto err;
291		}
292
293	/* make data into a big number */
294	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
295
296	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
297		RSA_blinding_on(rsa,ctx);
298	if (rsa->flags & RSA_FLAG_BLINDING)
299		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
300
301	/* do the decrypt */
302	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
303		((rsa->p != NULL) &&
304		(rsa->q != NULL) &&
305		(rsa->dmp1 != NULL) &&
306		(rsa->dmq1 != NULL) &&
307		(rsa->iqmp != NULL)) )
308		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
309	else
310		{
311		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
312			goto err;
313		}
314
315	if (rsa->flags & RSA_FLAG_BLINDING)
316		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
317
318	p=buf;
319	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
320
321	switch (padding)
322		{
323	case RSA_PKCS1_PADDING:
324		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
325		break;
326#ifndef NO_SHA
327        case RSA_PKCS1_OAEP_PADDING:
328	        r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
329                break;
330#endif
331 	case RSA_SSLV23_PADDING:
332		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
333		break;
334	case RSA_NO_PADDING:
335		r=RSA_padding_check_none(to,num,buf,j,num);
336		break;
337	default:
338		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
339		goto err;
340		}
341	if (r < 0)
342		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
343
344err:
345	if (ctx != NULL) BN_CTX_free(ctx);
346	BN_clear_free(&f);
347	BN_clear_free(&ret);
348	if (buf != NULL)
349		{
350		memset(buf,0,num);
351		OPENSSL_free(buf);
352		}
353	return(r);
354	}
355
356static int RSA_eay_public_decrypt(int flen, unsigned char *from,
357	     unsigned char *to, RSA *rsa, int padding)
358	{
359	BIGNUM f,ret;
360	int i,num=0,r= -1;
361	unsigned char *p;
362	unsigned char *buf=NULL;
363	BN_CTX *ctx=NULL;
364
365	BN_init(&f);
366	BN_init(&ret);
367	ctx=BN_CTX_new();
368	if (ctx == NULL) goto err;
369
370	num=BN_num_bytes(rsa->n);
371	buf=(unsigned char *)OPENSSL_malloc(num);
372	if (buf == NULL)
373		{
374		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
375		goto err;
376		}
377
378	/* This check was for equality but PGP does evil things
379	 * and chops off the top '0' bytes */
380	if (flen > num)
381		{
382		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
383		goto err;
384		}
385
386	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
387	/* do the decrypt */
388	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
389		{
390		BN_MONT_CTX* bn_mont_ctx;
391		if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
392			goto err;
393		if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
394			{
395			BN_MONT_CTX_free(bn_mont_ctx);
396			goto err;
397			}
398		if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
399			{
400			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
401			if (rsa->_method_mod_n == NULL)
402				{
403				rsa->_method_mod_n = bn_mont_ctx;
404				bn_mont_ctx = NULL;
405				}
406			CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
407			}
408		if (bn_mont_ctx)
409			BN_MONT_CTX_free(bn_mont_ctx);
410		}
411
412	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
413		rsa->_method_mod_n)) goto err;
414
415	p=buf;
416	i=BN_bn2bin(&ret,p);
417
418	switch (padding)
419		{
420	case RSA_PKCS1_PADDING:
421		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
422		break;
423	case RSA_NO_PADDING:
424		r=RSA_padding_check_none(to,num,buf,i,num);
425		break;
426	default:
427		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
428		goto err;
429		}
430	if (r < 0)
431		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
432
433err:
434	if (ctx != NULL) BN_CTX_free(ctx);
435	BN_clear_free(&f);
436	BN_clear_free(&ret);
437	if (buf != NULL)
438		{
439		memset(buf,0,num);
440		OPENSSL_free(buf);
441		}
442	return(r);
443	}
444
445static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
446	{
447	BIGNUM r1,m1,vrfy;
448	int ret=0;
449	BN_CTX *ctx;
450
451	if ((ctx=BN_CTX_new()) == NULL) goto err;
452	BN_init(&m1);
453	BN_init(&r1);
454	BN_init(&vrfy);
455
456	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
457		{
458		if (rsa->_method_mod_p == NULL)
459			{
460			BN_MONT_CTX* bn_mont_ctx;
461			if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
462				goto err;
463			if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
464				{
465				BN_MONT_CTX_free(bn_mont_ctx);
466				goto err;
467				}
468			if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
469				{
470				CRYPTO_w_lock(CRYPTO_LOCK_RSA);
471				if (rsa->_method_mod_p == NULL)
472					{
473					rsa->_method_mod_p = bn_mont_ctx;
474					bn_mont_ctx = NULL;
475					}
476				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
477				}
478			if (bn_mont_ctx)
479				BN_MONT_CTX_free(bn_mont_ctx);
480			}
481
482		if (rsa->_method_mod_q == NULL)
483			{
484			BN_MONT_CTX* bn_mont_ctx;
485			if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
486				goto err;
487			if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
488				{
489				BN_MONT_CTX_free(bn_mont_ctx);
490				goto err;
491				}
492			if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
493				{
494				CRYPTO_w_lock(CRYPTO_LOCK_RSA);
495				if (rsa->_method_mod_q == NULL)
496					{
497					rsa->_method_mod_q = bn_mont_ctx;
498					bn_mont_ctx = NULL;
499					}
500				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
501				}
502			if (bn_mont_ctx)
503				BN_MONT_CTX_free(bn_mont_ctx);
504			}
505		}
506
507	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
508	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
509		rsa->_method_mod_q)) goto err;
510
511	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
512	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
513		rsa->_method_mod_p)) goto err;
514
515	if (!BN_sub(r0,r0,&m1)) goto err;
516	/* This will help stop the size of r0 increasing, which does
517	 * affect the multiply if it optimised for a power of 2 size */
518	if (r0->neg)
519		if (!BN_add(r0,r0,rsa->p)) goto err;
520
521	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
522	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
523	/* If p < q it is occasionally possible for the correction of
524         * adding 'p' if r0 is negative above to leave the result still
525	 * negative. This can break the private key operations: the following
526	 * second correction should *always* correct this rare occurrence.
527	 * This will *never* happen with OpenSSL generated keys because
528         * they ensure p > q [steve]
529         */
530	if (r0->neg)
531		if (!BN_add(r0,r0,rsa->p)) goto err;
532	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
533	if (!BN_add(r0,&r1,&m1)) goto err;
534
535	if (rsa->e && rsa->n)
536		{
537		if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
538		if (BN_cmp(I, &vrfy) != 0)
539			{
540			if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
541			}
542		}
543	ret=1;
544err:
545	BN_clear_free(&m1);
546	BN_clear_free(&r1);
547	BN_clear_free(&vrfy);
548	BN_CTX_free(ctx);
549	return(ret);
550	}
551
552static int RSA_eay_init(RSA *rsa)
553	{
554	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
555	return(1);
556	}
557
558static int RSA_eay_finish(RSA *rsa)
559	{
560	if (rsa->_method_mod_n != NULL)
561		BN_MONT_CTX_free(rsa->_method_mod_n);
562	if (rsa->_method_mod_p != NULL)
563		BN_MONT_CTX_free(rsa->_method_mod_p);
564	if (rsa->_method_mod_q != NULL)
565		BN_MONT_CTX_free(rsa->_method_mod_q);
566	return(1);
567	}
568
569#endif
570