fips_rsa_eay.c revision 296465
1/* crypto/rsa/rsa_eay.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <stdio.h> 113#include <openssl/bn.h> 114#include <openssl/rsa.h> 115#include <openssl/rand.h> 116#include <openssl/err.h> 117#include <openssl/fips.h> 118 119#if !defined(RSA_NULL) && defined(OPENSSL_FIPS) 120 121static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 122 unsigned char *to, RSA *rsa, int padding); 123static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 124 unsigned char *to, RSA *rsa, int padding); 125static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 126 unsigned char *to, RSA *rsa, int padding); 127static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 128 unsigned char *to, RSA *rsa, int padding); 129static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, 130 BN_CTX *ctx); 131static int RSA_eay_init(RSA *rsa); 132static int RSA_eay_finish(RSA *rsa); 133static RSA_METHOD rsa_pkcs1_eay_meth = { 134 "Eric Young's PKCS#1 RSA", 135 RSA_eay_public_encrypt, 136 RSA_eay_public_decrypt, /* signature verification */ 137 RSA_eay_private_encrypt, /* signing */ 138 RSA_eay_private_decrypt, 139 RSA_eay_mod_exp, 140 BN_mod_exp_mont, /* XXX probably we should not use Montgomery 141 * if e == 3 */ 142 RSA_eay_init, 143 RSA_eay_finish, 144 RSA_FLAG_FIPS_METHOD, /* flags */ 145 NULL, 146 0, /* rsa_sign */ 147 0, /* rsa_verify */ 148 NULL /* rsa_keygen */ 149}; 150 151const RSA_METHOD *RSA_PKCS1_SSLeay(void) 152{ 153 return (&rsa_pkcs1_eay_meth); 154} 155 156/* 157 * Usage example; MONT_HELPER(rsa, bn_ctx, p, rsa->flags & 158 * RSA_FLAG_CACHE_PRIVATE, goto err); 159 */ 160# define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \ 161 if ((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ 162 !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \ 163 CRYPTO_LOCK_RSA, \ 164 (rsa)->m, (ctx))) \ 165 err_instr 166 167static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 168 unsigned char *to, RSA *rsa, int padding) 169{ 170 BIGNUM *f, *ret; 171 int i, j, k, num = 0, r = -1; 172 unsigned char *buf = NULL; 173 BN_CTX *ctx = NULL; 174 175 if (FIPS_selftest_failed()) { 176 FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT, FIPS_R_FIPS_SELFTEST_FAILED); 177 goto err; 178 } 179 180 if (FIPS_mode() 181 && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { 182 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 183 return -1; 184 } 185 186 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 187 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 188 return -1; 189 } 190 191 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 192 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 193 return -1; 194 } 195 196 /* for large moduli, enforce exponent limit */ 197 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 198 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 199 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 200 return -1; 201 } 202 } 203 204 if ((ctx = BN_CTX_new()) == NULL) 205 goto err; 206 BN_CTX_start(ctx); 207 f = BN_CTX_get(ctx); 208 ret = BN_CTX_get(ctx); 209 num = BN_num_bytes(rsa->n); 210 buf = OPENSSL_malloc(num); 211 if (!f || !ret || !buf) { 212 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 213 goto err; 214 } 215 216 switch (padding) { 217 case RSA_PKCS1_PADDING: 218 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 219 break; 220# ifndef OPENSSL_NO_SHA 221 case RSA_PKCS1_OAEP_PADDING: 222 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 223 break; 224# endif 225 case RSA_SSLV23_PADDING: 226 i = RSA_padding_add_SSLv23(buf, num, from, flen); 227 break; 228 case RSA_NO_PADDING: 229 i = RSA_padding_add_none(buf, num, from, flen); 230 break; 231 default: 232 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 233 goto err; 234 } 235 if (i <= 0) 236 goto err; 237 238 if (BN_bin2bn(buf, num, f) == NULL) 239 goto err; 240 241 if (BN_ucmp(f, rsa->n) >= 0) { 242 /* usually the padding functions would catch this */ 243 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 244 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 245 goto err; 246 } 247 248 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 249 250 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 251 rsa->_method_mod_n)) 252 goto err; 253 254 /* 255 * put in leading 0 bytes if the number is less than the length of the 256 * modulus 257 */ 258 j = BN_num_bytes(ret); 259 i = BN_bn2bin(ret, &(to[num - j])); 260 for (k = 0; k < (num - i); k++) 261 to[k] = 0; 262 263 r = num; 264 err: 265 if (ctx != NULL) { 266 BN_CTX_end(ctx); 267 BN_CTX_free(ctx); 268 } 269 if (buf != NULL) { 270 OPENSSL_cleanse(buf, num); 271 OPENSSL_free(buf); 272 } 273 return (r); 274} 275 276static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 277{ 278 BN_BLINDING *ret; 279 int got_write_lock = 0; 280 281 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 282 283 if (rsa->blinding == NULL) { 284 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 285 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 286 got_write_lock = 1; 287 288 if (rsa->blinding == NULL) 289 rsa->blinding = RSA_setup_blinding(rsa, ctx); 290 } 291 292 ret = rsa->blinding; 293 if (ret == NULL) 294 goto err; 295 296 if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) { 297 /* rsa->blinding is ours! */ 298 299 *local = 1; 300 } else { 301 /* resort to rsa->mt_blinding instead */ 302 303 /* 304 * instructs rsa_blinding_convert(), rsa_blinding_invert() that the 305 * BN_BLINDING is shared, meaning that accesses require locks, and 306 * that the blinding factor must be stored outside the BN_BLINDING 307 */ 308 *local = 0; 309 310 if (rsa->mt_blinding == NULL) { 311 if (!got_write_lock) { 312 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 313 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 314 got_write_lock = 1; 315 } 316 317 if (rsa->mt_blinding == NULL) 318 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 319 } 320 ret = rsa->mt_blinding; 321 } 322 323 err: 324 if (got_write_lock) 325 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 326 else 327 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 328 return ret; 329} 330 331static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, 332 BIGNUM *r, BN_CTX *ctx) 333{ 334 if (local) 335 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 336 else { 337 int ret; 338 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); 339 ret = BN_BLINDING_convert_ex(f, r, b, ctx); 340 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING); 341 return ret; 342 } 343} 344 345static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f, 346 BIGNUM *r, BN_CTX *ctx) 347{ 348 if (local) 349 return BN_BLINDING_invert_ex(f, NULL, b, ctx); 350 else { 351 int ret; 352 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 353 ret = BN_BLINDING_invert_ex(f, r, b, ctx); 354 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 355 return ret; 356 } 357} 358 359/* signing */ 360static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 361 unsigned char *to, RSA *rsa, int padding) 362{ 363 BIGNUM *f, *ret, *br, *res; 364 int i, j, k, num = 0, r = -1; 365 unsigned char *buf = NULL; 366 BN_CTX *ctx = NULL; 367 int local_blinding = 0; 368 BN_BLINDING *blinding = NULL; 369 370 if (FIPS_selftest_failed()) { 371 FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT, FIPS_R_FIPS_SELFTEST_FAILED); 372 goto err; 373 } 374 375 if (FIPS_mode() 376 && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { 377 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 378 return -1; 379 } 380 381 if ((ctx = BN_CTX_new()) == NULL) 382 goto err; 383 BN_CTX_start(ctx); 384 f = BN_CTX_get(ctx); 385 br = BN_CTX_get(ctx); 386 ret = BN_CTX_get(ctx); 387 num = BN_num_bytes(rsa->n); 388 buf = OPENSSL_malloc(num); 389 if (!f || !ret || !buf) { 390 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 391 goto err; 392 } 393 394 switch (padding) { 395 case RSA_PKCS1_PADDING: 396 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 397 break; 398 case RSA_X931_PADDING: 399 i = RSA_padding_add_X931(buf, num, from, flen); 400 break; 401 case RSA_NO_PADDING: 402 i = RSA_padding_add_none(buf, num, from, flen); 403 break; 404 case RSA_SSLV23_PADDING: 405 default: 406 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 407 goto err; 408 } 409 if (i <= 0) 410 goto err; 411 412 if (BN_bin2bn(buf, num, f) == NULL) 413 goto err; 414 415 if (BN_ucmp(f, rsa->n) >= 0) { 416 /* usually the padding functions would catch this */ 417 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 418 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 419 goto err; 420 } 421 422 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 423 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 424 if (blinding == NULL) { 425 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 426 goto err; 427 } 428 } 429 430 if (blinding != NULL) 431 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 432 goto err; 433 434 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 435 ((rsa->p != NULL) && 436 (rsa->q != NULL) && 437 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 438 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 439 goto err; 440 } else { 441 BIGNUM local_d; 442 BIGNUM *d = NULL; 443 444 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 445 BN_init(&local_d); 446 d = &local_d; 447 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 448 } else 449 d = rsa->d; 450 451 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, 452 goto err); 453 454 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 455 rsa->_method_mod_n)) 456 goto err; 457 } 458 459 if (blinding) 460 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 461 goto err; 462 463 if (padding == RSA_X931_PADDING) { 464 BN_sub(f, rsa->n, ret); 465 if (BN_cmp(ret, f)) 466 res = f; 467 else 468 res = ret; 469 } else 470 res = ret; 471 472 /* 473 * put in leading 0 bytes if the number is less than the length of the 474 * modulus 475 */ 476 j = BN_num_bytes(res); 477 i = BN_bn2bin(res, &(to[num - j])); 478 for (k = 0; k < (num - i); k++) 479 to[k] = 0; 480 481 r = num; 482 err: 483 if (ctx != NULL) { 484 BN_CTX_end(ctx); 485 BN_CTX_free(ctx); 486 } 487 if (buf != NULL) { 488 OPENSSL_cleanse(buf, num); 489 OPENSSL_free(buf); 490 } 491 return (r); 492} 493 494static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 495 unsigned char *to, RSA *rsa, int padding) 496{ 497 BIGNUM *f, *ret, *br; 498 int j, num = 0, r = -1; 499 unsigned char *p; 500 unsigned char *buf = NULL; 501 BN_CTX *ctx = NULL; 502 int local_blinding = 0; 503 BN_BLINDING *blinding = NULL; 504 505 if (FIPS_selftest_failed()) { 506 FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT, FIPS_R_FIPS_SELFTEST_FAILED); 507 goto err; 508 } 509 510 if (FIPS_mode() 511 && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { 512 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 513 return -1; 514 } 515 516 if ((ctx = BN_CTX_new()) == NULL) 517 goto err; 518 BN_CTX_start(ctx); 519 f = BN_CTX_get(ctx); 520 br = BN_CTX_get(ctx); 521 ret = BN_CTX_get(ctx); 522 num = BN_num_bytes(rsa->n); 523 buf = OPENSSL_malloc(num); 524 if (!f || !ret || !buf) { 525 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 526 goto err; 527 } 528 529 /* 530 * This check was for equality but PGP does evil things and chops off the 531 * top '0' bytes 532 */ 533 if (flen > num) { 534 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 535 RSA_R_DATA_GREATER_THAN_MOD_LEN); 536 goto err; 537 } 538 539 /* make data into a big number */ 540 if (BN_bin2bn(from, (int)flen, f) == NULL) 541 goto err; 542 543 if (BN_ucmp(f, rsa->n) >= 0) { 544 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 545 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 546 goto err; 547 } 548 549 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 550 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 551 if (blinding == NULL) { 552 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 553 goto err; 554 } 555 } 556 557 if (blinding != NULL) 558 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 559 goto err; 560 561 /* do the decrypt */ 562 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 563 ((rsa->p != NULL) && 564 (rsa->q != NULL) && 565 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 566 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 567 goto err; 568 } else { 569 BIGNUM local_d; 570 BIGNUM *d = NULL; 571 572 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 573 d = &local_d; 574 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 575 } else 576 d = rsa->d; 577 578 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, 579 goto err); 580 if (!rsa-> 581 meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) 582 goto err; 583 } 584 585 if (blinding) 586 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 587 goto err; 588 589 p = buf; 590 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 591 592 switch (padding) { 593 case RSA_PKCS1_PADDING: 594 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 595 break; 596# ifndef OPENSSL_NO_SHA 597 case RSA_PKCS1_OAEP_PADDING: 598 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 599 break; 600# endif 601 case RSA_SSLV23_PADDING: 602 r = RSA_padding_check_SSLv23(to, num, buf, j, num); 603 break; 604 case RSA_NO_PADDING: 605 r = RSA_padding_check_none(to, num, buf, j, num); 606 break; 607 default: 608 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 609 goto err; 610 } 611 if (r < 0) 612 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 613 614 err: 615 if (ctx != NULL) { 616 BN_CTX_end(ctx); 617 BN_CTX_free(ctx); 618 } 619 if (buf != NULL) { 620 OPENSSL_cleanse(buf, num); 621 OPENSSL_free(buf); 622 } 623 return (r); 624} 625 626/* signature verification */ 627static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 628 unsigned char *to, RSA *rsa, int padding) 629{ 630 BIGNUM *f, *ret; 631 int i, num = 0, r = -1; 632 unsigned char *p; 633 unsigned char *buf = NULL; 634 BN_CTX *ctx = NULL; 635 636 if (FIPS_selftest_failed()) { 637 FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT, FIPS_R_FIPS_SELFTEST_FAILED); 638 goto err; 639 } 640 641 if (FIPS_mode() 642 && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { 643 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 644 return -1; 645 } 646 647 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 648 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 649 return -1; 650 } 651 652 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 653 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 654 return -1; 655 } 656 657 /* for large moduli, enforce exponent limit */ 658 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 659 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 660 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 661 return -1; 662 } 663 } 664 665 if ((ctx = BN_CTX_new()) == NULL) 666 goto err; 667 BN_CTX_start(ctx); 668 f = BN_CTX_get(ctx); 669 ret = BN_CTX_get(ctx); 670 num = BN_num_bytes(rsa->n); 671 buf = OPENSSL_malloc(num); 672 if (!f || !ret || !buf) { 673 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 674 goto err; 675 } 676 677 /* 678 * This check was for equality but PGP does evil things and chops off the 679 * top '0' bytes 680 */ 681 if (flen > num) { 682 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); 683 goto err; 684 } 685 686 if (BN_bin2bn(from, flen, f) == NULL) 687 goto err; 688 689 if (BN_ucmp(f, rsa->n) >= 0) { 690 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 691 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 692 goto err; 693 } 694 695 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 696 697 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 698 rsa->_method_mod_n)) 699 goto err; 700 701 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 702 BN_sub(ret, rsa->n, ret); 703 704 p = buf; 705 i = BN_bn2bin(ret, p); 706 707 switch (padding) { 708 case RSA_PKCS1_PADDING: 709 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 710 break; 711 case RSA_X931_PADDING: 712 r = RSA_padding_check_X931(to, num, buf, i, num); 713 break; 714 case RSA_NO_PADDING: 715 r = RSA_padding_check_none(to, num, buf, i, num); 716 break; 717 default: 718 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 719 goto err; 720 } 721 if (r < 0) 722 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 723 724 err: 725 if (ctx != NULL) { 726 BN_CTX_end(ctx); 727 BN_CTX_free(ctx); 728 } 729 if (buf != NULL) { 730 OPENSSL_cleanse(buf, num); 731 OPENSSL_free(buf); 732 } 733 return (r); 734} 735 736static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 737{ 738 BIGNUM *r1, *m1, *vrfy; 739 BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 740 BIGNUM *dmp1, *dmq1, *c, *pr1; 741 int bn_flags; 742 int ret = 0; 743 744 BN_CTX_start(ctx); 745 r1 = BN_CTX_get(ctx); 746 m1 = BN_CTX_get(ctx); 747 vrfy = BN_CTX_get(ctx); 748 749 /* 750 * Make sure mod_inverse in montgomerey intialization use correct 751 * BN_FLG_CONSTTIME flag. 752 */ 753 bn_flags = rsa->p->flags; 754 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 755 rsa->p->flags |= BN_FLG_CONSTTIME; 756 } 757 MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 758 /* We restore bn_flags back */ 759 rsa->p->flags = bn_flags; 760 761 /* 762 * Make sure mod_inverse in montgomerey intialization use correct 763 * BN_FLG_CONSTTIME flag. 764 */ 765 bn_flags = rsa->q->flags; 766 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 767 rsa->q->flags |= BN_FLG_CONSTTIME; 768 } 769 MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 770 /* We restore bn_flags back */ 771 rsa->q->flags = bn_flags; 772 773 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 774 775 /* compute I mod q */ 776 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 777 c = &local_c; 778 BN_with_flags(c, I, BN_FLG_CONSTTIME); 779 if (!BN_mod(r1, c, rsa->q, ctx)) 780 goto err; 781 } else { 782 if (!BN_mod(r1, I, rsa->q, ctx)) 783 goto err; 784 } 785 786 /* compute r1^dmq1 mod q */ 787 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 788 dmq1 = &local_dmq1; 789 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 790 } else 791 dmq1 = rsa->dmq1; 792 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) 793 goto err; 794 795 /* compute I mod p */ 796 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 797 c = &local_c; 798 BN_with_flags(c, I, BN_FLG_CONSTTIME); 799 if (!BN_mod(r1, c, rsa->p, ctx)) 800 goto err; 801 } else { 802 if (!BN_mod(r1, I, rsa->p, ctx)) 803 goto err; 804 } 805 806 /* compute r1^dmp1 mod p */ 807 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 808 dmp1 = &local_dmp1; 809 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 810 } else 811 dmp1 = rsa->dmp1; 812 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) 813 goto err; 814 815 if (!BN_sub(r0, r0, m1)) 816 goto err; 817 /* 818 * This will help stop the size of r0 increasing, which does affect the 819 * multiply if it optimised for a power of 2 size 820 */ 821 if (BN_is_negative(r0)) 822 if (!BN_add(r0, r0, rsa->p)) 823 goto err; 824 825 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 826 goto err; 827 828 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 829 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 830 pr1 = &local_r1; 831 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 832 } else 833 pr1 = r1; 834 if (!BN_mod(r0, pr1, rsa->p, ctx)) 835 goto err; 836 837 /* 838 * If p < q it is occasionally possible for the correction of adding 'p' 839 * if r0 is negative above to leave the result still negative. This can 840 * break the private key operations: the following second correction 841 * should *always* correct this rare occurrence. This will *never* happen 842 * with OpenSSL generated keys because they ensure p > q [steve] 843 */ 844 if (BN_is_negative(r0)) 845 if (!BN_add(r0, r0, rsa->p)) 846 goto err; 847 if (!BN_mul(r1, r0, rsa->q, ctx)) 848 goto err; 849 if (!BN_add(r0, r1, m1)) 850 goto err; 851 852 if (rsa->e && rsa->n) { 853 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 854 rsa->_method_mod_n)) 855 goto err; 856 /* 857 * If 'I' was greater than (or equal to) rsa->n, the operation will 858 * be equivalent to using 'I mod n'. However, the result of the 859 * verify will *always* be less than 'n' so we don't check for 860 * absolute equality, just congruency. 861 */ 862 if (!BN_sub(vrfy, vrfy, I)) 863 goto err; 864 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 865 goto err; 866 if (BN_is_negative(vrfy)) 867 if (!BN_add(vrfy, vrfy, rsa->n)) 868 goto err; 869 if (!BN_is_zero(vrfy)) { 870 /* 871 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 872 * miscalculated CRT output, just do a raw (slower) mod_exp and 873 * return that instead. 874 */ 875 876 BIGNUM local_d; 877 BIGNUM *d = NULL; 878 879 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 880 d = &local_d; 881 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 882 } else 883 d = rsa->d; 884 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 885 rsa->_method_mod_n)) 886 goto err; 887 } 888 } 889 ret = 1; 890 err: 891 BN_CTX_end(ctx); 892 return (ret); 893} 894 895static int RSA_eay_init(RSA *rsa) 896{ 897 FIPS_selftest_check(); 898 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 899 return (1); 900} 901 902static int RSA_eay_finish(RSA *rsa) 903{ 904 if (rsa->_method_mod_n != NULL) 905 BN_MONT_CTX_free(rsa->_method_mod_n); 906 if (rsa->_method_mod_p != NULL) 907 BN_MONT_CTX_free(rsa->_method_mod_p); 908 if (rsa->_method_mod_q != NULL) 909 BN_MONT_CTX_free(rsa->_method_mod_q); 910 return (1); 911} 912 913#endif 914