1/* crypto/rsa/rsa_eay.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <stdio.h> 113#include <openssl/bn.h> 114#include <openssl/rsa.h> 115#include <openssl/rand.h> 116#include <openssl/err.h> 117#include <openssl/fips.h> 118 119#if !defined(RSA_NULL) && defined(OPENSSL_FIPS) 120 121static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 122 unsigned char *to, RSA *rsa,int padding); 123static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 124 unsigned char *to, RSA *rsa,int padding); 125static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 126 unsigned char *to, RSA *rsa,int padding); 127static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 128 unsigned char *to, RSA *rsa,int padding); 129static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 130static int RSA_eay_init(RSA *rsa); 131static int RSA_eay_finish(RSA *rsa); 132static RSA_METHOD rsa_pkcs1_eay_meth={ 133 "Eric Young's PKCS#1 RSA", 134 RSA_eay_public_encrypt, 135 RSA_eay_public_decrypt, /* signature verification */ 136 RSA_eay_private_encrypt, /* signing */ 137 RSA_eay_private_decrypt, 138 RSA_eay_mod_exp, 139 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ 140 RSA_eay_init, 141 RSA_eay_finish, 142 RSA_FLAG_FIPS_METHOD, /* flags */ 143 NULL, 144 0, /* rsa_sign */ 145 0, /* rsa_verify */ 146 NULL /* rsa_keygen */ 147 }; 148 149const RSA_METHOD *RSA_PKCS1_SSLeay(void) 150 { 151 return(&rsa_pkcs1_eay_meth); 152 } 153 154/* Usage example; 155 * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 156 */ 157#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \ 158 if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ 159 !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \ 160 CRYPTO_LOCK_RSA, \ 161 (rsa)->m, (ctx))) \ 162 err_instr 163 164static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 165 unsigned char *to, RSA *rsa, int padding) 166 { 167 BIGNUM *f,*ret; 168 int i,j,k,num=0,r= -1; 169 unsigned char *buf=NULL; 170 BN_CTX *ctx=NULL; 171 172 if(FIPS_selftest_failed()) 173 { 174 FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED); 175 goto err; 176 } 177 178 if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) 179 { 180 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 181 return -1; 182 } 183 184 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 185 { 186 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 187 return -1; 188 } 189 190 if (BN_ucmp(rsa->n, rsa->e) <= 0) 191 { 192 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 193 return -1; 194 } 195 196 /* for large moduli, enforce exponent limit */ 197 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 198 { 199 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) 200 { 201 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 202 return -1; 203 } 204 } 205 206 if ((ctx=BN_CTX_new()) == NULL) goto err; 207 BN_CTX_start(ctx); 208 f = BN_CTX_get(ctx); 209 ret = BN_CTX_get(ctx); 210 num=BN_num_bytes(rsa->n); 211 buf = OPENSSL_malloc(num); 212 if (!f || !ret || !buf) 213 { 214 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 215 goto err; 216 } 217 218 switch (padding) 219 { 220 case RSA_PKCS1_PADDING: 221 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 222 break; 223#ifndef OPENSSL_NO_SHA 224 case RSA_PKCS1_OAEP_PADDING: 225 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 226 break; 227#endif 228 case RSA_SSLV23_PADDING: 229 i=RSA_padding_add_SSLv23(buf,num,from,flen); 230 break; 231 case RSA_NO_PADDING: 232 i=RSA_padding_add_none(buf,num,from,flen); 233 break; 234 default: 235 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 236 goto err; 237 } 238 if (i <= 0) goto err; 239 240 if (BN_bin2bn(buf,num,f) == NULL) goto err; 241 242 if (BN_ucmp(f, rsa->n) >= 0) 243 { 244 /* usually the padding functions would catch this */ 245 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 246 goto err; 247 } 248 249 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 250 251 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 252 rsa->_method_mod_n)) goto err; 253 254 /* put in leading 0 bytes if the number is less than the 255 * length of the modulus */ 256 j=BN_num_bytes(ret); 257 i=BN_bn2bin(ret,&(to[num-j])); 258 for (k=0; k<(num-i); k++) 259 to[k]=0; 260 261 r=num; 262err: 263 if (ctx != NULL) 264 { 265 BN_CTX_end(ctx); 266 BN_CTX_free(ctx); 267 } 268 if (buf != NULL) 269 { 270 OPENSSL_cleanse(buf,num); 271 OPENSSL_free(buf); 272 } 273 return(r); 274 } 275 276static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 277{ 278 BN_BLINDING *ret; 279 int got_write_lock = 0; 280 281 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 282 283 if (rsa->blinding == NULL) 284 { 285 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 286 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 287 got_write_lock = 1; 288 289 if (rsa->blinding == NULL) 290 rsa->blinding = RSA_setup_blinding(rsa, ctx); 291 } 292 293 ret = rsa->blinding; 294 if (ret == NULL) 295 goto err; 296 297 if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) 298 { 299 /* rsa->blinding is ours! */ 300 301 *local = 1; 302 } 303 else 304 { 305 /* resort to rsa->mt_blinding instead */ 306 307 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() 308 * that the BN_BLINDING is shared, meaning that accesses 309 * require locks, and that the blinding factor must be 310 * stored outside the BN_BLINDING 311 */ 312 313 if (rsa->mt_blinding == NULL) 314 { 315 if (!got_write_lock) 316 { 317 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 318 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 319 got_write_lock = 1; 320 } 321 322 if (rsa->mt_blinding == NULL) 323 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 324 } 325 ret = rsa->mt_blinding; 326 } 327 328 err: 329 if (got_write_lock) 330 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 331 else 332 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 333 return ret; 334} 335 336static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, 337 BIGNUM *r, BN_CTX *ctx) 338{ 339 if (local) 340 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 341 else 342 { 343 int ret; 344 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); 345 ret = BN_BLINDING_convert_ex(f, r, b, ctx); 346 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING); 347 return ret; 348 } 349} 350 351static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f, 352 BIGNUM *r, BN_CTX *ctx) 353{ 354 if (local) 355 return BN_BLINDING_invert_ex(f, NULL, b, ctx); 356 else 357 { 358 int ret; 359 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 360 ret = BN_BLINDING_invert_ex(f, r, b, ctx); 361 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 362 return ret; 363 } 364} 365 366/* signing */ 367static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 368 unsigned char *to, RSA *rsa, int padding) 369 { 370 BIGNUM *f, *ret, *br, *res; 371 int i,j,k,num=0,r= -1; 372 unsigned char *buf=NULL; 373 BN_CTX *ctx=NULL; 374 int local_blinding = 0; 375 BN_BLINDING *blinding = NULL; 376 377 if(FIPS_selftest_failed()) 378 { 379 FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED); 380 goto err; 381 } 382 383 if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) 384 { 385 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 386 return -1; 387 } 388 389 if ((ctx=BN_CTX_new()) == NULL) goto err; 390 BN_CTX_start(ctx); 391 f = BN_CTX_get(ctx); 392 br = BN_CTX_get(ctx); 393 ret = BN_CTX_get(ctx); 394 num = BN_num_bytes(rsa->n); 395 buf = OPENSSL_malloc(num); 396 if(!f || !ret || !buf) 397 { 398 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 399 goto err; 400 } 401 402 switch (padding) 403 { 404 case RSA_PKCS1_PADDING: 405 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 406 break; 407 case RSA_X931_PADDING: 408 i=RSA_padding_add_X931(buf,num,from,flen); 409 break; 410 case RSA_NO_PADDING: 411 i=RSA_padding_add_none(buf,num,from,flen); 412 break; 413 case RSA_SSLV23_PADDING: 414 default: 415 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 416 goto err; 417 } 418 if (i <= 0) goto err; 419 420 if (BN_bin2bn(buf,num,f) == NULL) goto err; 421 422 if (BN_ucmp(f, rsa->n) >= 0) 423 { 424 /* usually the padding functions would catch this */ 425 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 426 goto err; 427 } 428 429 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 430 { 431 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 432 if (blinding == NULL) 433 { 434 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 435 goto err; 436 } 437 } 438 439 if (blinding != NULL) 440 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 441 goto err; 442 443 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 444 ((rsa->p != NULL) && 445 (rsa->q != NULL) && 446 (rsa->dmp1 != NULL) && 447 (rsa->dmq1 != NULL) && 448 (rsa->iqmp != NULL)) ) 449 { 450 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; 451 } 452 else 453 { 454 BIGNUM local_d; 455 BIGNUM *d = NULL; 456 457 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 458 { 459 BN_init(&local_d); 460 d = &local_d; 461 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 462 } 463 else 464 d = rsa->d; 465 466 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 467 468 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 469 rsa->_method_mod_n)) goto err; 470 } 471 472 if (blinding) 473 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 474 goto err; 475 476 if (padding == RSA_X931_PADDING) 477 { 478 BN_sub(f, rsa->n, ret); 479 if (BN_cmp(ret, f)) 480 res = f; 481 else 482 res = ret; 483 } 484 else 485 res = ret; 486 487 /* put in leading 0 bytes if the number is less than the 488 * length of the modulus */ 489 j=BN_num_bytes(res); 490 i=BN_bn2bin(res,&(to[num-j])); 491 for (k=0; k<(num-i); k++) 492 to[k]=0; 493 494 r=num; 495err: 496 if (ctx != NULL) 497 { 498 BN_CTX_end(ctx); 499 BN_CTX_free(ctx); 500 } 501 if (buf != NULL) 502 { 503 OPENSSL_cleanse(buf,num); 504 OPENSSL_free(buf); 505 } 506 return(r); 507 } 508 509static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 510 unsigned char *to, RSA *rsa, int padding) 511 { 512 BIGNUM *f, *ret, *br; 513 int j,num=0,r= -1; 514 unsigned char *p; 515 unsigned char *buf=NULL; 516 BN_CTX *ctx=NULL; 517 int local_blinding = 0; 518 BN_BLINDING *blinding = NULL; 519 520 if(FIPS_selftest_failed()) 521 { 522 FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED); 523 goto err; 524 } 525 526 if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) 527 { 528 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 529 return -1; 530 } 531 532 if((ctx = BN_CTX_new()) == NULL) goto err; 533 BN_CTX_start(ctx); 534 f = BN_CTX_get(ctx); 535 br = BN_CTX_get(ctx); 536 ret = BN_CTX_get(ctx); 537 num = BN_num_bytes(rsa->n); 538 buf = OPENSSL_malloc(num); 539 if(!f || !ret || !buf) 540 { 541 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 542 goto err; 543 } 544 545 /* This check was for equality but PGP does evil things 546 * and chops off the top '0' bytes */ 547 if (flen > num) 548 { 549 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 550 goto err; 551 } 552 553 /* make data into a big number */ 554 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; 555 556 if (BN_ucmp(f, rsa->n) >= 0) 557 { 558 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 559 goto err; 560 } 561 562 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 563 { 564 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 565 if (blinding == NULL) 566 { 567 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 568 goto err; 569 } 570 } 571 572 if (blinding != NULL) 573 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 574 goto err; 575 576 /* do the decrypt */ 577 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 578 ((rsa->p != NULL) && 579 (rsa->q != NULL) && 580 (rsa->dmp1 != NULL) && 581 (rsa->dmq1 != NULL) && 582 (rsa->iqmp != NULL)) ) 583 { 584 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; 585 } 586 else 587 { 588 BIGNUM local_d; 589 BIGNUM *d = NULL; 590 591 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 592 { 593 d = &local_d; 594 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 595 } 596 else 597 d = rsa->d; 598 599 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 600 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 601 rsa->_method_mod_n)) 602 goto err; 603 } 604 605 if (blinding) 606 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 607 goto err; 608 609 p=buf; 610 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ 611 612 switch (padding) 613 { 614 case RSA_PKCS1_PADDING: 615 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 616 break; 617#ifndef OPENSSL_NO_SHA 618 case RSA_PKCS1_OAEP_PADDING: 619 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 620 break; 621#endif 622 case RSA_SSLV23_PADDING: 623 r=RSA_padding_check_SSLv23(to,num,buf,j,num); 624 break; 625 case RSA_NO_PADDING: 626 r=RSA_padding_check_none(to,num,buf,j,num); 627 break; 628 default: 629 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 630 goto err; 631 } 632 if (r < 0) 633 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 634 635err: 636 if (ctx != NULL) 637 { 638 BN_CTX_end(ctx); 639 BN_CTX_free(ctx); 640 } 641 if (buf != NULL) 642 { 643 OPENSSL_cleanse(buf,num); 644 OPENSSL_free(buf); 645 } 646 return(r); 647 } 648 649/* signature verification */ 650static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 651 unsigned char *to, RSA *rsa, int padding) 652 { 653 BIGNUM *f,*ret; 654 int i,num=0,r= -1; 655 unsigned char *p; 656 unsigned char *buf=NULL; 657 BN_CTX *ctx=NULL; 658 659 if(FIPS_selftest_failed()) 660 { 661 FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED); 662 goto err; 663 } 664 665 if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) 666 { 667 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); 668 return -1; 669 } 670 671 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 672 { 673 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 674 return -1; 675 } 676 677 if (BN_ucmp(rsa->n, rsa->e) <= 0) 678 { 679 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 680 return -1; 681 } 682 683 /* for large moduli, enforce exponent limit */ 684 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 685 { 686 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) 687 { 688 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 689 return -1; 690 } 691 } 692 693 if((ctx = BN_CTX_new()) == NULL) goto err; 694 BN_CTX_start(ctx); 695 f = BN_CTX_get(ctx); 696 ret = BN_CTX_get(ctx); 697 num=BN_num_bytes(rsa->n); 698 buf = OPENSSL_malloc(num); 699 if(!f || !ret || !buf) 700 { 701 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 702 goto err; 703 } 704 705 /* This check was for equality but PGP does evil things 706 * and chops off the top '0' bytes */ 707 if (flen > num) 708 { 709 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 710 goto err; 711 } 712 713 if (BN_bin2bn(from,flen,f) == NULL) goto err; 714 715 if (BN_ucmp(f, rsa->n) >= 0) 716 { 717 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 718 goto err; 719 } 720 721 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 722 723 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 724 rsa->_method_mod_n)) goto err; 725 726 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 727 BN_sub(ret, rsa->n, ret); 728 729 p=buf; 730 i=BN_bn2bin(ret,p); 731 732 switch (padding) 733 { 734 case RSA_PKCS1_PADDING: 735 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 736 break; 737 case RSA_X931_PADDING: 738 r=RSA_padding_check_X931(to,num,buf,i,num); 739 break; 740 case RSA_NO_PADDING: 741 r=RSA_padding_check_none(to,num,buf,i,num); 742 break; 743 default: 744 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 745 goto err; 746 } 747 if (r < 0) 748 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 749 750err: 751 if (ctx != NULL) 752 { 753 BN_CTX_end(ctx); 754 BN_CTX_free(ctx); 755 } 756 if (buf != NULL) 757 { 758 OPENSSL_cleanse(buf,num); 759 OPENSSL_free(buf); 760 } 761 return(r); 762 } 763 764static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 765 { 766 BIGNUM *r1,*m1,*vrfy; 767 BIGNUM local_dmp1,local_dmq1,local_c,local_r1; 768 BIGNUM *dmp1,*dmq1,*c,*pr1; 769 int bn_flags; 770 int ret=0; 771 772 BN_CTX_start(ctx); 773 r1 = BN_CTX_get(ctx); 774 m1 = BN_CTX_get(ctx); 775 vrfy = BN_CTX_get(ctx); 776 777 /* Make sure mod_inverse in montgomerey intialization use correct 778 * BN_FLG_CONSTTIME flag. 779 */ 780 bn_flags = rsa->p->flags; 781 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 782 { 783 rsa->p->flags |= BN_FLG_CONSTTIME; 784 } 785 MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 786 /* We restore bn_flags back */ 787 rsa->p->flags = bn_flags; 788 789 /* Make sure mod_inverse in montgomerey intialization use correct 790 * BN_FLG_CONSTTIME flag. 791 */ 792 bn_flags = rsa->q->flags; 793 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 794 { 795 rsa->q->flags |= BN_FLG_CONSTTIME; 796 } 797 MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); 798 /* We restore bn_flags back */ 799 rsa->q->flags = bn_flags; 800 801 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 802 803 /* compute I mod q */ 804 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 805 { 806 c = &local_c; 807 BN_with_flags(c, I, BN_FLG_CONSTTIME); 808 if (!BN_mod(r1,c,rsa->q,ctx)) goto err; 809 } 810 else 811 { 812 if (!BN_mod(r1,I,rsa->q,ctx)) goto err; 813 } 814 815 /* compute r1^dmq1 mod q */ 816 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 817 { 818 dmq1 = &local_dmq1; 819 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 820 } 821 else 822 dmq1 = rsa->dmq1; 823 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, 824 rsa->_method_mod_q)) goto err; 825 826 /* compute I mod p */ 827 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 828 { 829 c = &local_c; 830 BN_with_flags(c, I, BN_FLG_CONSTTIME); 831 if (!BN_mod(r1,c,rsa->p,ctx)) goto err; 832 } 833 else 834 { 835 if (!BN_mod(r1,I,rsa->p,ctx)) goto err; 836 } 837 838 /* compute r1^dmp1 mod p */ 839 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 840 { 841 dmp1 = &local_dmp1; 842 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 843 } 844 else 845 dmp1 = rsa->dmp1; 846 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, 847 rsa->_method_mod_p)) goto err; 848 849 if (!BN_sub(r0,r0,m1)) goto err; 850 /* This will help stop the size of r0 increasing, which does 851 * affect the multiply if it optimised for a power of 2 size */ 852 if (BN_is_negative(r0)) 853 if (!BN_add(r0,r0,rsa->p)) goto err; 854 855 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; 856 857 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 858 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 859 { 860 pr1 = &local_r1; 861 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 862 } 863 else 864 pr1 = r1; 865 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; 866 867 /* If p < q it is occasionally possible for the correction of 868 * adding 'p' if r0 is negative above to leave the result still 869 * negative. This can break the private key operations: the following 870 * second correction should *always* correct this rare occurrence. 871 * This will *never* happen with OpenSSL generated keys because 872 * they ensure p > q [steve] 873 */ 874 if (BN_is_negative(r0)) 875 if (!BN_add(r0,r0,rsa->p)) goto err; 876 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 877 if (!BN_add(r0,r1,m1)) goto err; 878 879 if (rsa->e && rsa->n) 880 { 881 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; 882 /* If 'I' was greater than (or equal to) rsa->n, the operation 883 * will be equivalent to using 'I mod n'. However, the result of 884 * the verify will *always* be less than 'n' so we don't check 885 * for absolute equality, just congruency. */ 886 if (!BN_sub(vrfy, vrfy, I)) goto err; 887 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; 888 if (BN_is_negative(vrfy)) 889 if (!BN_add(vrfy, vrfy, rsa->n)) goto err; 890 if (!BN_is_zero(vrfy)) 891 { 892 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 893 * miscalculated CRT output, just do a raw (slower) 894 * mod_exp and return that instead. */ 895 896 BIGNUM local_d; 897 BIGNUM *d = NULL; 898 899 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 900 { 901 d = &local_d; 902 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 903 } 904 else 905 d = rsa->d; 906 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, 907 rsa->_method_mod_n)) goto err; 908 } 909 } 910 ret=1; 911err: 912 BN_CTX_end(ctx); 913 return(ret); 914 } 915 916static int RSA_eay_init(RSA *rsa) 917 { 918 FIPS_selftest_check(); 919 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 920 return(1); 921 } 922 923static int RSA_eay_finish(RSA *rsa) 924 { 925 if (rsa->_method_mod_n != NULL) 926 BN_MONT_CTX_free(rsa->_method_mod_n); 927 if (rsa->_method_mod_p != NULL) 928 BN_MONT_CTX_free(rsa->_method_mod_p); 929 if (rsa->_method_mod_q != NULL) 930 BN_MONT_CTX_free(rsa->_method_mod_q); 931 return(1); 932 } 933 934#endif 935