1193645Ssimon/* crypto/rsa/rsa_eay.c */ 2193645Ssimon/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3193645Ssimon * All rights reserved. 4193645Ssimon * 5193645Ssimon * This package is an SSL implementation written 6193645Ssimon * by Eric Young (eay@cryptsoft.com). 7193645Ssimon * The implementation was written so as to conform with Netscapes SSL. 8296465Sdelphij * 9193645Ssimon * This library is free for commercial and non-commercial use as long as 10193645Ssimon * the following conditions are aheared to. The following conditions 11193645Ssimon * apply to all code found in this distribution, be it the RC4, RSA, 12193645Ssimon * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13193645Ssimon * included with this distribution is covered by the same copyright terms 14193645Ssimon * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15296465Sdelphij * 16193645Ssimon * Copyright remains Eric Young's, and as such any Copyright notices in 17193645Ssimon * the code are not to be removed. 18193645Ssimon * If this package is used in a product, Eric Young should be given attribution 19193645Ssimon * as the author of the parts of the library used. 20193645Ssimon * This can be in the form of a textual message at program startup or 21193645Ssimon * in documentation (online or textual) provided with the package. 22296465Sdelphij * 23193645Ssimon * Redistribution and use in source and binary forms, with or without 24193645Ssimon * modification, are permitted provided that the following conditions 25193645Ssimon * are met: 26193645Ssimon * 1. Redistributions of source code must retain the copyright 27193645Ssimon * notice, this list of conditions and the following disclaimer. 28193645Ssimon * 2. Redistributions in binary form must reproduce the above copyright 29193645Ssimon * notice, this list of conditions and the following disclaimer in the 30193645Ssimon * documentation and/or other materials provided with the distribution. 31193645Ssimon * 3. All advertising materials mentioning features or use of this software 32193645Ssimon * must display the following acknowledgement: 33193645Ssimon * "This product includes cryptographic software written by 34193645Ssimon * Eric Young (eay@cryptsoft.com)" 35193645Ssimon * The word 'cryptographic' can be left out if the rouines from the library 36193645Ssimon * being used are not cryptographic related :-). 37296465Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from 38193645Ssimon * the apps directory (application code) you must include an acknowledgement: 39193645Ssimon * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40296465Sdelphij * 41193645Ssimon * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42193645Ssimon * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43193645Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44193645Ssimon * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45193645Ssimon * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46193645Ssimon * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47193645Ssimon * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48193645Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49193645Ssimon * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50193645Ssimon * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51193645Ssimon * SUCH DAMAGE. 52296465Sdelphij * 53193645Ssimon * The licence and distribution terms for any publically available version or 54193645Ssimon * derivative of this code cannot be changed. i.e. this code cannot simply be 55193645Ssimon * copied and put under another distribution licence 56193645Ssimon * [including the GNU Public Licence.] 57193645Ssimon */ 58193645Ssimon/* ==================================================================== 59193645Ssimon * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60193645Ssimon * 61193645Ssimon * Redistribution and use in source and binary forms, with or without 62193645Ssimon * modification, are permitted provided that the following conditions 63193645Ssimon * are met: 64193645Ssimon * 65193645Ssimon * 1. Redistributions of source code must retain the above copyright 66296465Sdelphij * notice, this list of conditions and the following disclaimer. 67193645Ssimon * 68193645Ssimon * 2. Redistributions in binary form must reproduce the above copyright 69193645Ssimon * notice, this list of conditions and the following disclaimer in 70193645Ssimon * the documentation and/or other materials provided with the 71193645Ssimon * distribution. 72193645Ssimon * 73193645Ssimon * 3. All advertising materials mentioning features or use of this 74193645Ssimon * software must display the following acknowledgment: 75193645Ssimon * "This product includes software developed by the OpenSSL Project 76193645Ssimon * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77193645Ssimon * 78193645Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79193645Ssimon * endorse or promote products derived from this software without 80193645Ssimon * prior written permission. For written permission, please contact 81193645Ssimon * openssl-core@openssl.org. 82193645Ssimon * 83193645Ssimon * 5. Products derived from this software may not be called "OpenSSL" 84193645Ssimon * nor may "OpenSSL" appear in their names without prior written 85193645Ssimon * permission of the OpenSSL Project. 86193645Ssimon * 87193645Ssimon * 6. Redistributions of any form whatsoever must retain the following 88193645Ssimon * acknowledgment: 89193645Ssimon * "This product includes software developed by the OpenSSL Project 90193645Ssimon * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91193645Ssimon * 92193645Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93193645Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94193645Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95193645Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96193645Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97193645Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98193645Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99193645Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100193645Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101193645Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102193645Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103193645Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 104193645Ssimon * ==================================================================== 105193645Ssimon * 106193645Ssimon * This product includes cryptographic software written by Eric Young 107193645Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 108193645Ssimon * Hudson (tjh@cryptsoft.com). 109193645Ssimon * 110193645Ssimon */ 111193645Ssimon 112193645Ssimon#include <stdio.h> 113193645Ssimon#include <openssl/bn.h> 114193645Ssimon#include <openssl/rsa.h> 115193645Ssimon#include <openssl/rand.h> 116193645Ssimon#include <openssl/err.h> 117193645Ssimon#include <openssl/fips.h> 118193645Ssimon 119193645Ssimon#if !defined(RSA_NULL) && defined(OPENSSL_FIPS) 120193645Ssimon 121193645Ssimonstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 122296465Sdelphij unsigned char *to, RSA *rsa, int padding); 123193645Ssimonstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 124296465Sdelphij unsigned char *to, RSA *rsa, int padding); 125193645Ssimonstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 126296465Sdelphij unsigned char *to, RSA *rsa, int padding); 127193645Ssimonstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 128296465Sdelphij unsigned char *to, RSA *rsa, int padding); 129296465Sdelphijstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, 130296465Sdelphij BN_CTX *ctx); 131193645Ssimonstatic int RSA_eay_init(RSA *rsa); 132193645Ssimonstatic int RSA_eay_finish(RSA *rsa); 133296465Sdelphijstatic RSA_METHOD rsa_pkcs1_eay_meth = { 134296465Sdelphij "Eric Young's PKCS#1 RSA", 135296465Sdelphij RSA_eay_public_encrypt, 136296465Sdelphij RSA_eay_public_decrypt, /* signature verification */ 137296465Sdelphij RSA_eay_private_encrypt, /* signing */ 138296465Sdelphij RSA_eay_private_decrypt, 139296465Sdelphij RSA_eay_mod_exp, 140296465Sdelphij BN_mod_exp_mont, /* XXX probably we should not use Montgomery 141296465Sdelphij * if e == 3 */ 142296465Sdelphij RSA_eay_init, 143296465Sdelphij RSA_eay_finish, 144296465Sdelphij RSA_FLAG_FIPS_METHOD, /* flags */ 145296465Sdelphij NULL, 146296465Sdelphij 0, /* rsa_sign */ 147296465Sdelphij 0, /* rsa_verify */ 148296465Sdelphij NULL /* rsa_keygen */ 149296465Sdelphij}; 150193645Ssimon 151193645Ssimonconst RSA_METHOD *RSA_PKCS1_SSLeay(void) 152296465Sdelphij{ 153296465Sdelphij return (&rsa_pkcs1_eay_meth); 154296465Sdelphij} 155193645Ssimon 156296465Sdelphij/* 157296465Sdelphij * Usage example; MONT_HELPER(rsa, bn_ctx, p, rsa->flags & 158296465Sdelphij * RSA_FLAG_CACHE_PRIVATE, goto err); 159193645Ssimon */ 160296465Sdelphij# define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \ 161296465Sdelphij if ((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ 162296465Sdelphij !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \ 163296465Sdelphij CRYPTO_LOCK_RSA, \ 164296465Sdelphij (rsa)->m, (ctx))) \ 165296465Sdelphij err_instr 166193645Ssimon 167193645Ssimonstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 168296465Sdelphij unsigned char *to, RSA *rsa, int padding) 169296465Sdelphij{ 170296465Sdelphij BIGNUM *f, *ret; 171296465Sdelphij int i, j, k, num = 0, r = -1; 172296465Sdelphij unsigned char *buf = NULL; 173296465Sdelphij BN_CTX *ctx = NULL; 174193645Ssimon 175296465Sdelphij if (FIPS_selftest_failed()) { 176296465Sdelphij FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT, FIPS_R_FIPS_SELFTEST_FAILED); 177296465Sdelphij goto err; 178296465Sdelphij } 179193645Ssimon 180296465Sdelphij if (FIPS_mode() 181296465Sdelphij && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { 182296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 183296465Sdelphij return -1; 184296465Sdelphij } 185193645Ssimon 186296465Sdelphij if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 187296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 188296465Sdelphij return -1; 189296465Sdelphij } 190193645Ssimon 191296465Sdelphij if (BN_ucmp(rsa->n, rsa->e) <= 0) { 192296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 193296465Sdelphij return -1; 194296465Sdelphij } 195193645Ssimon 196296465Sdelphij /* for large moduli, enforce exponent limit */ 197296465Sdelphij if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 198296465Sdelphij if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 199296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 200296465Sdelphij return -1; 201296465Sdelphij } 202296465Sdelphij } 203193645Ssimon 204296465Sdelphij if ((ctx = BN_CTX_new()) == NULL) 205296465Sdelphij goto err; 206296465Sdelphij BN_CTX_start(ctx); 207296465Sdelphij f = BN_CTX_get(ctx); 208296465Sdelphij ret = BN_CTX_get(ctx); 209296465Sdelphij num = BN_num_bytes(rsa->n); 210296465Sdelphij buf = OPENSSL_malloc(num); 211296465Sdelphij if (!f || !ret || !buf) { 212296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 213296465Sdelphij goto err; 214296465Sdelphij } 215193645Ssimon 216296465Sdelphij switch (padding) { 217296465Sdelphij case RSA_PKCS1_PADDING: 218296465Sdelphij i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 219296465Sdelphij break; 220296465Sdelphij# ifndef OPENSSL_NO_SHA 221296465Sdelphij case RSA_PKCS1_OAEP_PADDING: 222296465Sdelphij i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 223296465Sdelphij break; 224296465Sdelphij# endif 225296465Sdelphij case RSA_SSLV23_PADDING: 226296465Sdelphij i = RSA_padding_add_SSLv23(buf, num, from, flen); 227296465Sdelphij break; 228296465Sdelphij case RSA_NO_PADDING: 229296465Sdelphij i = RSA_padding_add_none(buf, num, from, flen); 230296465Sdelphij break; 231296465Sdelphij default: 232296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 233296465Sdelphij goto err; 234296465Sdelphij } 235296465Sdelphij if (i <= 0) 236296465Sdelphij goto err; 237193645Ssimon 238296465Sdelphij if (BN_bin2bn(buf, num, f) == NULL) 239296465Sdelphij goto err; 240193645Ssimon 241296465Sdelphij if (BN_ucmp(f, rsa->n) >= 0) { 242296465Sdelphij /* usually the padding functions would catch this */ 243296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 244296465Sdelphij RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 245296465Sdelphij goto err; 246296465Sdelphij } 247193645Ssimon 248296465Sdelphij MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 249193645Ssimon 250296465Sdelphij if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 251296465Sdelphij rsa->_method_mod_n)) 252296465Sdelphij goto err; 253193645Ssimon 254296465Sdelphij /* 255296465Sdelphij * put in leading 0 bytes if the number is less than the length of the 256296465Sdelphij * modulus 257296465Sdelphij */ 258296465Sdelphij j = BN_num_bytes(ret); 259296465Sdelphij i = BN_bn2bin(ret, &(to[num - j])); 260296465Sdelphij for (k = 0; k < (num - i); k++) 261296465Sdelphij to[k] = 0; 262296465Sdelphij 263296465Sdelphij r = num; 264296465Sdelphij err: 265296465Sdelphij if (ctx != NULL) { 266296465Sdelphij BN_CTX_end(ctx); 267296465Sdelphij BN_CTX_free(ctx); 268296465Sdelphij } 269296465Sdelphij if (buf != NULL) { 270296465Sdelphij OPENSSL_cleanse(buf, num); 271296465Sdelphij OPENSSL_free(buf); 272296465Sdelphij } 273296465Sdelphij return (r); 274296465Sdelphij} 275296465Sdelphij 276193645Ssimonstatic BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 277193645Ssimon{ 278296465Sdelphij BN_BLINDING *ret; 279296465Sdelphij int got_write_lock = 0; 280193645Ssimon 281296465Sdelphij CRYPTO_r_lock(CRYPTO_LOCK_RSA); 282193645Ssimon 283296465Sdelphij if (rsa->blinding == NULL) { 284296465Sdelphij CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 285296465Sdelphij CRYPTO_w_lock(CRYPTO_LOCK_RSA); 286296465Sdelphij got_write_lock = 1; 287193645Ssimon 288296465Sdelphij if (rsa->blinding == NULL) 289296465Sdelphij rsa->blinding = RSA_setup_blinding(rsa, ctx); 290296465Sdelphij } 291193645Ssimon 292296465Sdelphij ret = rsa->blinding; 293296465Sdelphij if (ret == NULL) 294296465Sdelphij goto err; 295193645Ssimon 296296465Sdelphij if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) { 297296465Sdelphij /* rsa->blinding is ours! */ 298193645Ssimon 299296465Sdelphij *local = 1; 300296465Sdelphij } else { 301296465Sdelphij /* resort to rsa->mt_blinding instead */ 302193645Ssimon 303296465Sdelphij /* 304296465Sdelphij * instructs rsa_blinding_convert(), rsa_blinding_invert() that the 305296465Sdelphij * BN_BLINDING is shared, meaning that accesses require locks, and 306296465Sdelphij * that the blinding factor must be stored outside the BN_BLINDING 307296465Sdelphij */ 308296465Sdelphij *local = 0; 309193645Ssimon 310296465Sdelphij if (rsa->mt_blinding == NULL) { 311296465Sdelphij if (!got_write_lock) { 312296465Sdelphij CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 313296465Sdelphij CRYPTO_w_lock(CRYPTO_LOCK_RSA); 314296465Sdelphij got_write_lock = 1; 315296465Sdelphij } 316193645Ssimon 317296465Sdelphij if (rsa->mt_blinding == NULL) 318296465Sdelphij rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 319296465Sdelphij } 320296465Sdelphij ret = rsa->mt_blinding; 321296465Sdelphij } 322296465Sdelphij 323193645Ssimon err: 324296465Sdelphij if (got_write_lock) 325296465Sdelphij CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 326296465Sdelphij else 327296465Sdelphij CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 328296465Sdelphij return ret; 329193645Ssimon} 330193645Ssimon 331193645Ssimonstatic int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, 332296465Sdelphij BIGNUM *r, BN_CTX *ctx) 333193645Ssimon{ 334296465Sdelphij if (local) 335296465Sdelphij return BN_BLINDING_convert_ex(f, NULL, b, ctx); 336296465Sdelphij else { 337296465Sdelphij int ret; 338296465Sdelphij CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); 339296465Sdelphij ret = BN_BLINDING_convert_ex(f, r, b, ctx); 340296465Sdelphij CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING); 341296465Sdelphij return ret; 342296465Sdelphij } 343193645Ssimon} 344193645Ssimon 345193645Ssimonstatic int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f, 346296465Sdelphij BIGNUM *r, BN_CTX *ctx) 347193645Ssimon{ 348296465Sdelphij if (local) 349296465Sdelphij return BN_BLINDING_invert_ex(f, NULL, b, ctx); 350296465Sdelphij else { 351296465Sdelphij int ret; 352296465Sdelphij CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 353296465Sdelphij ret = BN_BLINDING_invert_ex(f, r, b, ctx); 354296465Sdelphij CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 355296465Sdelphij return ret; 356296465Sdelphij } 357193645Ssimon} 358193645Ssimon 359193645Ssimon/* signing */ 360193645Ssimonstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 361296465Sdelphij unsigned char *to, RSA *rsa, int padding) 362296465Sdelphij{ 363296465Sdelphij BIGNUM *f, *ret, *br, *res; 364296465Sdelphij int i, j, k, num = 0, r = -1; 365296465Sdelphij unsigned char *buf = NULL; 366296465Sdelphij BN_CTX *ctx = NULL; 367296465Sdelphij int local_blinding = 0; 368296465Sdelphij BN_BLINDING *blinding = NULL; 369193645Ssimon 370296465Sdelphij if (FIPS_selftest_failed()) { 371296465Sdelphij FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT, FIPS_R_FIPS_SELFTEST_FAILED); 372296465Sdelphij goto err; 373296465Sdelphij } 374193645Ssimon 375296465Sdelphij if (FIPS_mode() 376296465Sdelphij && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { 377296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 378296465Sdelphij return -1; 379296465Sdelphij } 380193645Ssimon 381296465Sdelphij if ((ctx = BN_CTX_new()) == NULL) 382296465Sdelphij goto err; 383296465Sdelphij BN_CTX_start(ctx); 384296465Sdelphij f = BN_CTX_get(ctx); 385296465Sdelphij br = BN_CTX_get(ctx); 386296465Sdelphij ret = BN_CTX_get(ctx); 387296465Sdelphij num = BN_num_bytes(rsa->n); 388296465Sdelphij buf = OPENSSL_malloc(num); 389296465Sdelphij if (!f || !ret || !buf) { 390296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 391296465Sdelphij goto err; 392296465Sdelphij } 393193645Ssimon 394296465Sdelphij switch (padding) { 395296465Sdelphij case RSA_PKCS1_PADDING: 396296465Sdelphij i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 397296465Sdelphij break; 398296465Sdelphij case RSA_X931_PADDING: 399296465Sdelphij i = RSA_padding_add_X931(buf, num, from, flen); 400296465Sdelphij break; 401296465Sdelphij case RSA_NO_PADDING: 402296465Sdelphij i = RSA_padding_add_none(buf, num, from, flen); 403296465Sdelphij break; 404296465Sdelphij case RSA_SSLV23_PADDING: 405296465Sdelphij default: 406296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 407296465Sdelphij goto err; 408296465Sdelphij } 409296465Sdelphij if (i <= 0) 410296465Sdelphij goto err; 411193645Ssimon 412296465Sdelphij if (BN_bin2bn(buf, num, f) == NULL) 413296465Sdelphij goto err; 414193645Ssimon 415296465Sdelphij if (BN_ucmp(f, rsa->n) >= 0) { 416296465Sdelphij /* usually the padding functions would catch this */ 417296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 418296465Sdelphij RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 419296465Sdelphij goto err; 420296465Sdelphij } 421193645Ssimon 422296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 423296465Sdelphij blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 424296465Sdelphij if (blinding == NULL) { 425296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 426296465Sdelphij goto err; 427296465Sdelphij } 428296465Sdelphij } 429193645Ssimon 430296465Sdelphij if (blinding != NULL) 431296465Sdelphij if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 432296465Sdelphij goto err; 433193645Ssimon 434296465Sdelphij if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 435296465Sdelphij ((rsa->p != NULL) && 436296465Sdelphij (rsa->q != NULL) && 437296465Sdelphij (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 438296465Sdelphij if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 439296465Sdelphij goto err; 440296465Sdelphij } else { 441296465Sdelphij BIGNUM local_d; 442296465Sdelphij BIGNUM *d = NULL; 443193645Ssimon 444296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 445296465Sdelphij BN_init(&local_d); 446296465Sdelphij d = &local_d; 447296465Sdelphij BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 448296465Sdelphij } else 449296465Sdelphij d = rsa->d; 450193645Ssimon 451296465Sdelphij MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, 452296465Sdelphij goto err); 453193645Ssimon 454296465Sdelphij if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 455296465Sdelphij rsa->_method_mod_n)) 456296465Sdelphij goto err; 457296465Sdelphij } 458193645Ssimon 459296465Sdelphij if (blinding) 460296465Sdelphij if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 461296465Sdelphij goto err; 462193645Ssimon 463296465Sdelphij if (padding == RSA_X931_PADDING) { 464296465Sdelphij BN_sub(f, rsa->n, ret); 465296465Sdelphij if (BN_cmp(ret, f)) 466296465Sdelphij res = f; 467296465Sdelphij else 468296465Sdelphij res = ret; 469296465Sdelphij } else 470296465Sdelphij res = ret; 471296465Sdelphij 472296465Sdelphij /* 473296465Sdelphij * put in leading 0 bytes if the number is less than the length of the 474296465Sdelphij * modulus 475296465Sdelphij */ 476296465Sdelphij j = BN_num_bytes(res); 477296465Sdelphij i = BN_bn2bin(res, &(to[num - j])); 478296465Sdelphij for (k = 0; k < (num - i); k++) 479296465Sdelphij to[k] = 0; 480296465Sdelphij 481296465Sdelphij r = num; 482296465Sdelphij err: 483296465Sdelphij if (ctx != NULL) { 484296465Sdelphij BN_CTX_end(ctx); 485296465Sdelphij BN_CTX_free(ctx); 486296465Sdelphij } 487296465Sdelphij if (buf != NULL) { 488296465Sdelphij OPENSSL_cleanse(buf, num); 489296465Sdelphij OPENSSL_free(buf); 490296465Sdelphij } 491296465Sdelphij return (r); 492296465Sdelphij} 493296465Sdelphij 494193645Ssimonstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 495296465Sdelphij unsigned char *to, RSA *rsa, int padding) 496296465Sdelphij{ 497296465Sdelphij BIGNUM *f, *ret, *br; 498296465Sdelphij int j, num = 0, r = -1; 499296465Sdelphij unsigned char *p; 500296465Sdelphij unsigned char *buf = NULL; 501296465Sdelphij BN_CTX *ctx = NULL; 502296465Sdelphij int local_blinding = 0; 503296465Sdelphij BN_BLINDING *blinding = NULL; 504193645Ssimon 505296465Sdelphij if (FIPS_selftest_failed()) { 506296465Sdelphij FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT, FIPS_R_FIPS_SELFTEST_FAILED); 507296465Sdelphij goto err; 508296465Sdelphij } 509193645Ssimon 510296465Sdelphij if (FIPS_mode() 511296465Sdelphij && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { 512296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 513296465Sdelphij return -1; 514296465Sdelphij } 515193645Ssimon 516296465Sdelphij if ((ctx = BN_CTX_new()) == NULL) 517296465Sdelphij goto err; 518296465Sdelphij BN_CTX_start(ctx); 519296465Sdelphij f = BN_CTX_get(ctx); 520296465Sdelphij br = BN_CTX_get(ctx); 521296465Sdelphij ret = BN_CTX_get(ctx); 522296465Sdelphij num = BN_num_bytes(rsa->n); 523296465Sdelphij buf = OPENSSL_malloc(num); 524296465Sdelphij if (!f || !ret || !buf) { 525296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 526296465Sdelphij goto err; 527296465Sdelphij } 528193645Ssimon 529296465Sdelphij /* 530296465Sdelphij * This check was for equality but PGP does evil things and chops off the 531296465Sdelphij * top '0' bytes 532296465Sdelphij */ 533296465Sdelphij if (flen > num) { 534296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 535296465Sdelphij RSA_R_DATA_GREATER_THAN_MOD_LEN); 536296465Sdelphij goto err; 537296465Sdelphij } 538193645Ssimon 539296465Sdelphij /* make data into a big number */ 540296465Sdelphij if (BN_bin2bn(from, (int)flen, f) == NULL) 541296465Sdelphij goto err; 542193645Ssimon 543296465Sdelphij if (BN_ucmp(f, rsa->n) >= 0) { 544296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 545296465Sdelphij RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 546296465Sdelphij goto err; 547296465Sdelphij } 548193645Ssimon 549296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 550296465Sdelphij blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 551296465Sdelphij if (blinding == NULL) { 552296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 553296465Sdelphij goto err; 554296465Sdelphij } 555296465Sdelphij } 556193645Ssimon 557296465Sdelphij if (blinding != NULL) 558296465Sdelphij if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 559296465Sdelphij goto err; 560193645Ssimon 561296465Sdelphij /* do the decrypt */ 562296465Sdelphij if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 563296465Sdelphij ((rsa->p != NULL) && 564296465Sdelphij (rsa->q != NULL) && 565296465Sdelphij (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 566296465Sdelphij if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 567296465Sdelphij goto err; 568296465Sdelphij } else { 569296465Sdelphij BIGNUM local_d; 570296465Sdelphij BIGNUM *d = NULL; 571193645Ssimon 572296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 573296465Sdelphij d = &local_d; 574296465Sdelphij BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 575296465Sdelphij } else 576296465Sdelphij d = rsa->d; 577193645Ssimon 578296465Sdelphij MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, 579296465Sdelphij goto err); 580296465Sdelphij if (!rsa-> 581296465Sdelphij meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) 582296465Sdelphij goto err; 583296465Sdelphij } 584193645Ssimon 585296465Sdelphij if (blinding) 586296465Sdelphij if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 587296465Sdelphij goto err; 588193645Ssimon 589296465Sdelphij p = buf; 590296465Sdelphij j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 591193645Ssimon 592296465Sdelphij switch (padding) { 593296465Sdelphij case RSA_PKCS1_PADDING: 594296465Sdelphij r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 595296465Sdelphij break; 596296465Sdelphij# ifndef OPENSSL_NO_SHA 597296465Sdelphij case RSA_PKCS1_OAEP_PADDING: 598296465Sdelphij r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 599296465Sdelphij break; 600296465Sdelphij# endif 601296465Sdelphij case RSA_SSLV23_PADDING: 602296465Sdelphij r = RSA_padding_check_SSLv23(to, num, buf, j, num); 603296465Sdelphij break; 604296465Sdelphij case RSA_NO_PADDING: 605296465Sdelphij r = RSA_padding_check_none(to, num, buf, j, num); 606296465Sdelphij break; 607296465Sdelphij default: 608296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 609296465Sdelphij goto err; 610296465Sdelphij } 611296465Sdelphij if (r < 0) 612296465Sdelphij RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 613296465Sdelphij 614296465Sdelphij err: 615296465Sdelphij if (ctx != NULL) { 616296465Sdelphij BN_CTX_end(ctx); 617296465Sdelphij BN_CTX_free(ctx); 618296465Sdelphij } 619296465Sdelphij if (buf != NULL) { 620296465Sdelphij OPENSSL_cleanse(buf, num); 621296465Sdelphij OPENSSL_free(buf); 622296465Sdelphij } 623296465Sdelphij return (r); 624296465Sdelphij} 625296465Sdelphij 626193645Ssimon/* signature verification */ 627193645Ssimonstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 628296465Sdelphij unsigned char *to, RSA *rsa, int padding) 629296465Sdelphij{ 630296465Sdelphij BIGNUM *f, *ret; 631296465Sdelphij int i, num = 0, r = -1; 632296465Sdelphij unsigned char *p; 633296465Sdelphij unsigned char *buf = NULL; 634296465Sdelphij BN_CTX *ctx = NULL; 635193645Ssimon 636296465Sdelphij if (FIPS_selftest_failed()) { 637296465Sdelphij FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT, FIPS_R_FIPS_SELFTEST_FAILED); 638296465Sdelphij goto err; 639296465Sdelphij } 640193645Ssimon 641296465Sdelphij if (FIPS_mode() 642296465Sdelphij && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { 643296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 644296465Sdelphij return -1; 645296465Sdelphij } 646193645Ssimon 647296465Sdelphij if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 648296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 649296465Sdelphij return -1; 650296465Sdelphij } 651193645Ssimon 652296465Sdelphij if (BN_ucmp(rsa->n, rsa->e) <= 0) { 653296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 654296465Sdelphij return -1; 655296465Sdelphij } 656193645Ssimon 657296465Sdelphij /* for large moduli, enforce exponent limit */ 658296465Sdelphij if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 659296465Sdelphij if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 660296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 661296465Sdelphij return -1; 662296465Sdelphij } 663296465Sdelphij } 664193645Ssimon 665296465Sdelphij if ((ctx = BN_CTX_new()) == NULL) 666296465Sdelphij goto err; 667296465Sdelphij BN_CTX_start(ctx); 668296465Sdelphij f = BN_CTX_get(ctx); 669296465Sdelphij ret = BN_CTX_get(ctx); 670296465Sdelphij num = BN_num_bytes(rsa->n); 671296465Sdelphij buf = OPENSSL_malloc(num); 672296465Sdelphij if (!f || !ret || !buf) { 673296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 674296465Sdelphij goto err; 675296465Sdelphij } 676193645Ssimon 677296465Sdelphij /* 678296465Sdelphij * This check was for equality but PGP does evil things and chops off the 679296465Sdelphij * top '0' bytes 680296465Sdelphij */ 681296465Sdelphij if (flen > num) { 682296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); 683296465Sdelphij goto err; 684296465Sdelphij } 685193645Ssimon 686296465Sdelphij if (BN_bin2bn(from, flen, f) == NULL) 687296465Sdelphij goto err; 688193645Ssimon 689296465Sdelphij if (BN_ucmp(f, rsa->n) >= 0) { 690296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 691296465Sdelphij RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 692296465Sdelphij goto err; 693296465Sdelphij } 694193645Ssimon 695296465Sdelphij MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 696193645Ssimon 697296465Sdelphij if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 698296465Sdelphij rsa->_method_mod_n)) 699296465Sdelphij goto err; 700193645Ssimon 701296465Sdelphij if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 702296465Sdelphij BN_sub(ret, rsa->n, ret); 703193645Ssimon 704296465Sdelphij p = buf; 705296465Sdelphij i = BN_bn2bin(ret, p); 706193645Ssimon 707296465Sdelphij switch (padding) { 708296465Sdelphij case RSA_PKCS1_PADDING: 709296465Sdelphij r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 710296465Sdelphij break; 711296465Sdelphij case RSA_X931_PADDING: 712296465Sdelphij r = RSA_padding_check_X931(to, num, buf, i, num); 713296465Sdelphij break; 714296465Sdelphij case RSA_NO_PADDING: 715296465Sdelphij r = RSA_padding_check_none(to, num, buf, i, num); 716296465Sdelphij break; 717296465Sdelphij default: 718296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 719296465Sdelphij goto err; 720296465Sdelphij } 721296465Sdelphij if (r < 0) 722296465Sdelphij RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 723193645Ssimon 724296465Sdelphij err: 725296465Sdelphij if (ctx != NULL) { 726296465Sdelphij BN_CTX_end(ctx); 727296465Sdelphij BN_CTX_free(ctx); 728296465Sdelphij } 729296465Sdelphij if (buf != NULL) { 730296465Sdelphij OPENSSL_cleanse(buf, num); 731296465Sdelphij OPENSSL_free(buf); 732296465Sdelphij } 733296465Sdelphij return (r); 734296465Sdelphij} 735296465Sdelphij 736193645Ssimonstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 737296465Sdelphij{ 738296465Sdelphij BIGNUM *r1, *m1, *vrfy; 739296465Sdelphij BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 740296465Sdelphij BIGNUM *dmp1, *dmq1, *c, *pr1; 741296465Sdelphij int bn_flags; 742296465Sdelphij int ret = 0; 743193645Ssimon 744296465Sdelphij BN_CTX_start(ctx); 745296465Sdelphij r1 = BN_CTX_get(ctx); 746296465Sdelphij m1 = BN_CTX_get(ctx); 747296465Sdelphij vrfy = BN_CTX_get(ctx); 748193645Ssimon 749296465Sdelphij /* 750296465Sdelphij * Make sure mod_inverse in montgomerey intialization use correct 751296465Sdelphij * BN_FLG_CONSTTIME flag. 752296465Sdelphij */ 753296465Sdelphij bn_flags = rsa->p->flags; 754296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 755296465Sdelphij rsa->p->flags |= BN_FLG_CONSTTIME; 756296465Sdelphij } 757296465Sdelphij MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 758296465Sdelphij /* We restore bn_flags back */ 759296465Sdelphij rsa->p->flags = bn_flags; 760193645Ssimon 761296465Sdelphij /* 762296465Sdelphij * Make sure mod_inverse in montgomerey intialization use correct 763296465Sdelphij * BN_FLG_CONSTTIME flag. 764296465Sdelphij */ 765296465Sdelphij bn_flags = rsa->q->flags; 766296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 767296465Sdelphij rsa->q->flags |= BN_FLG_CONSTTIME; 768296465Sdelphij } 769296465Sdelphij MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 770296465Sdelphij /* We restore bn_flags back */ 771296465Sdelphij rsa->q->flags = bn_flags; 772193645Ssimon 773296465Sdelphij MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 774193645Ssimon 775296465Sdelphij /* compute I mod q */ 776296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 777296465Sdelphij c = &local_c; 778296465Sdelphij BN_with_flags(c, I, BN_FLG_CONSTTIME); 779296465Sdelphij if (!BN_mod(r1, c, rsa->q, ctx)) 780296465Sdelphij goto err; 781296465Sdelphij } else { 782296465Sdelphij if (!BN_mod(r1, I, rsa->q, ctx)) 783296465Sdelphij goto err; 784296465Sdelphij } 785193645Ssimon 786296465Sdelphij /* compute r1^dmq1 mod q */ 787296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 788296465Sdelphij dmq1 = &local_dmq1; 789296465Sdelphij BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 790296465Sdelphij } else 791296465Sdelphij dmq1 = rsa->dmq1; 792296465Sdelphij if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) 793296465Sdelphij goto err; 794193645Ssimon 795296465Sdelphij /* compute I mod p */ 796296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 797296465Sdelphij c = &local_c; 798296465Sdelphij BN_with_flags(c, I, BN_FLG_CONSTTIME); 799296465Sdelphij if (!BN_mod(r1, c, rsa->p, ctx)) 800296465Sdelphij goto err; 801296465Sdelphij } else { 802296465Sdelphij if (!BN_mod(r1, I, rsa->p, ctx)) 803296465Sdelphij goto err; 804296465Sdelphij } 805193645Ssimon 806296465Sdelphij /* compute r1^dmp1 mod p */ 807296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 808296465Sdelphij dmp1 = &local_dmp1; 809296465Sdelphij BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 810296465Sdelphij } else 811296465Sdelphij dmp1 = rsa->dmp1; 812296465Sdelphij if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) 813296465Sdelphij goto err; 814193645Ssimon 815296465Sdelphij if (!BN_sub(r0, r0, m1)) 816296465Sdelphij goto err; 817296465Sdelphij /* 818296465Sdelphij * This will help stop the size of r0 increasing, which does affect the 819296465Sdelphij * multiply if it optimised for a power of 2 size 820296465Sdelphij */ 821296465Sdelphij if (BN_is_negative(r0)) 822296465Sdelphij if (!BN_add(r0, r0, rsa->p)) 823296465Sdelphij goto err; 824193645Ssimon 825296465Sdelphij if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 826296465Sdelphij goto err; 827193645Ssimon 828296465Sdelphij /* Turn BN_FLG_CONSTTIME flag on before division operation */ 829296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 830296465Sdelphij pr1 = &local_r1; 831296465Sdelphij BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 832296465Sdelphij } else 833296465Sdelphij pr1 = r1; 834296465Sdelphij if (!BN_mod(r0, pr1, rsa->p, ctx)) 835296465Sdelphij goto err; 836193645Ssimon 837296465Sdelphij /* 838296465Sdelphij * If p < q it is occasionally possible for the correction of adding 'p' 839296465Sdelphij * if r0 is negative above to leave the result still negative. This can 840296465Sdelphij * break the private key operations: the following second correction 841296465Sdelphij * should *always* correct this rare occurrence. This will *never* happen 842296465Sdelphij * with OpenSSL generated keys because they ensure p > q [steve] 843296465Sdelphij */ 844296465Sdelphij if (BN_is_negative(r0)) 845296465Sdelphij if (!BN_add(r0, r0, rsa->p)) 846296465Sdelphij goto err; 847296465Sdelphij if (!BN_mul(r1, r0, rsa->q, ctx)) 848296465Sdelphij goto err; 849296465Sdelphij if (!BN_add(r0, r1, m1)) 850296465Sdelphij goto err; 851296465Sdelphij 852296465Sdelphij if (rsa->e && rsa->n) { 853296465Sdelphij if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 854296465Sdelphij rsa->_method_mod_n)) 855296465Sdelphij goto err; 856296465Sdelphij /* 857296465Sdelphij * If 'I' was greater than (or equal to) rsa->n, the operation will 858296465Sdelphij * be equivalent to using 'I mod n'. However, the result of the 859296465Sdelphij * verify will *always* be less than 'n' so we don't check for 860296465Sdelphij * absolute equality, just congruency. 861193645Ssimon */ 862296465Sdelphij if (!BN_sub(vrfy, vrfy, I)) 863296465Sdelphij goto err; 864296465Sdelphij if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 865296465Sdelphij goto err; 866296465Sdelphij if (BN_is_negative(vrfy)) 867296465Sdelphij if (!BN_add(vrfy, vrfy, rsa->n)) 868296465Sdelphij goto err; 869296465Sdelphij if (!BN_is_zero(vrfy)) { 870296465Sdelphij /* 871296465Sdelphij * 'I' and 'vrfy' aren't congruent mod n. Don't leak 872296465Sdelphij * miscalculated CRT output, just do a raw (slower) mod_exp and 873296465Sdelphij * return that instead. 874296465Sdelphij */ 875193645Ssimon 876296465Sdelphij BIGNUM local_d; 877296465Sdelphij BIGNUM *d = NULL; 878193645Ssimon 879296465Sdelphij if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 880296465Sdelphij d = &local_d; 881296465Sdelphij BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 882296465Sdelphij } else 883296465Sdelphij d = rsa->d; 884296465Sdelphij if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 885296465Sdelphij rsa->_method_mod_n)) 886296465Sdelphij goto err; 887296465Sdelphij } 888296465Sdelphij } 889296465Sdelphij ret = 1; 890296465Sdelphij err: 891296465Sdelphij BN_CTX_end(ctx); 892296465Sdelphij return (ret); 893296465Sdelphij} 894193645Ssimon 895193645Ssimonstatic int RSA_eay_init(RSA *rsa) 896296465Sdelphij{ 897296465Sdelphij FIPS_selftest_check(); 898296465Sdelphij rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 899296465Sdelphij return (1); 900296465Sdelphij} 901193645Ssimon 902193645Ssimonstatic int RSA_eay_finish(RSA *rsa) 903296465Sdelphij{ 904296465Sdelphij if (rsa->_method_mod_n != NULL) 905296465Sdelphij BN_MONT_CTX_free(rsa->_method_mod_n); 906296465Sdelphij if (rsa->_method_mod_p != NULL) 907296465Sdelphij BN_MONT_CTX_free(rsa->_method_mod_p); 908296465Sdelphij if (rsa->_method_mod_q != NULL) 909296465Sdelphij BN_MONT_CTX_free(rsa->_method_mod_q); 910296465Sdelphij return (1); 911296465Sdelphij} 912193645Ssimon 913193645Ssimon#endif 914