1/* 2 * Copyright (c) 2011-12 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 25 * All rights reserved. 26 * 27 * This package is an SSL implementation written 28 * by Eric Young (eay@cryptsoft.com). 29 * The implementation was written so as to conform with Netscapes SSL. 30 * 31 * This library is free for commercial and non-commercial use as long as 32 * the following conditions are aheared to. The following conditions 33 * apply to all code found in this distribution, be it the RC4, RSA, 34 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 35 * included with this distribution is covered by the same copyright terms 36 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 37 * 38 * Copyright remains Eric Young's, and as such any Copyright notices in 39 * the code are not to be removed. 40 * If this package is used in a product, Eric Young should be given attribution 41 * as the author of the parts of the library used. 42 * This can be in the form of a textual message at program startup or 43 * in documentation (online or textual) provided with the package. 44 * 45 * Redistribution and use in source and binary forms, with or without 46 * modification, are permitted provided that the following conditions 47 * are met: 48 * 1. Redistributions of source code must retain the copyright 49 * notice, this list of conditions and the following disclaimer. 50 * 2. Redistributions in binary form must reproduce the above copyright 51 * notice, this list of conditions and the following disclaimer in the 52 * documentation and/or other materials provided with the distribution. 53 * 3. All advertising materials mentioning features or use of this software 54 * must display the following acknowledgement: 55 * "This product includes cryptographic software written by 56 * Eric Young (eay@cryptsoft.com)" 57 * The word 'cryptographic' can be left out if the rouines from the library 58 * being used are not cryptographic related :-). 59 * 4. If you include any Windows specific code (or a derivative thereof) from 60 * the apps directory (application code) you must include an acknowledgement: 61 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 62 * 63 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 64 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 65 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 66 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 67 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 68 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 69 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 70 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 71 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 72 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 73 * SUCH DAMAGE. 74 * 75 * The licence and distribution terms for any publically available version or 76 * derivative of this code cannot be changed. i.e. this code cannot simply be 77 * copied and put under another distribution licence 78 * [including the GNU Public Licence.] 79 */ 80 81#include "ossl-config.h" 82 83#include <stdio.h> 84#include <stdlib.h> 85#include <string.h> 86 87#include "ossl-bn.h" 88#include "ossl-rsa.h" 89#include "ossl-rand.h" 90 91#if !defined(PR_10783242_FIXED) || !defined(PR_8174774_FIXED) 92 93static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 94 unsigned char *to, RSA *rsa, int padding); 95static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 96 unsigned char *to, RSA *rsa, int padding); 97static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 98 unsigned char *to, RSA *rsa, int padding); 99static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 100 unsigned char *to, RSA *rsa, int padding); 101static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 102static int RSA_eay_init(RSA *rsa); 103static int RSA_eay_finish(RSA *rsa); 104 105 106#ifndef RSA_MAX_MODULUS_BITS 107# define RSA_MAX_MODULUS_BITS 16384 108#endif 109#ifndef RSA_SMALL_MODULUS_BITS 110# define RSA_SMALL_MODULUS_BITS 3072 111#endif 112#ifndef RSA_MAX_PUBEXP_BITS 113# define RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */ 114#endif 115 116static int 117RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, 118 const unsigned char *from, int flen) 119{ 120 int j; 121 unsigned char *p; 122 123 if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) { 124 /* RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); */ 125 return (0); 126 } 127 128 p = (unsigned char *)to; 129 130 *(p++) = 0; 131 *(p++) = 1; /* Private Key BT (Block Type) */ 132 133 /* pad out with 0xff data */ 134 j = tlen - 3 - flen; 135 memset(p, 0xff, j); 136 p += j; 137 *(p++) = '\0'; 138 memcpy(p, from, (unsigned int)flen); 139 return (1); 140} 141 142 143static int 144RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, 145 const unsigned char *from, int flen, int num) 146{ 147 int i, j; 148 const unsigned char *p; 149 150 p = from; 151 if ((num != (flen+1)) || (*(p++) != 01)) { 152 /* RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01); */ 153 return (-1); 154 } 155 156 /* scan over padding data */ 157 j = flen - 1; /* one for type. */ 158 for (i = 0; i < j; i++) { 159 if (*p != 0xff) { 160 /* should decrypt to 0xff */ 161 if (*p == 0) { 162 p++; 163 break; 164 } else { 165 /* RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_FIXED_HEADER_DECRYPT); */ 166 return (-1); 167 } 168 } 169 p++; 170 } 171 172 if (i == j) { 173 /* RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_NULL_BEFORE_BLOCK_MISSING); */ 174 return (-1); 175 } 176 177 if (i < 8) { 178 /* RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_PAD_BYTE_COUNT); */ 179 return (-1); 180 } 181 i++; /* Skip over the '\0' */ 182 j -= i; 183 if (j > tlen) { 184 /* RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE); */ 185 return (-1); 186 } 187 memcpy(to, p, (unsigned int)j); 188 189 return (j); 190} 191 192 193static int 194RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, 195 const unsigned char *from, int flen) 196{ 197 int i, j; 198 unsigned char *p; 199 200 if (flen > (tlen-11)) { 201 /* RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); */ 202 return (0); 203 } 204 205 p = (unsigned char *)to; 206 207 *(p++) = 0; 208 *(p++) = 2; /* Public Key BT (Block Type) */ 209 210 /* pad out with non-zero random data */ 211 j = tlen - 3 - flen; 212 213 if (RAND_bytes(p, j) <= 0) { 214 return (0); 215 } 216 for (i = 0; i < j; i++) { 217 if (*p == '\0') { 218 do { 219 if (RAND_bytes(p, 1) <= 0) { 220 return (0); 221 } 222 } while (*p == '\0'); 223 } 224 p++; 225 } 226 227 *(p++) = '\0'; 228 229 memcpy(p, from, (unsigned int)flen); 230 231 return (1); 232} 233 234 235static int 236RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, 237 const unsigned char *from, int flen, int num) 238{ 239 int i, j; 240 const unsigned char *p; 241 242 p = from; 243 if ((num != (flen+1)) || (*(p++) != 02)) { 244 /* RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02); */ 245 return (-1); 246 } 247#ifdef PKCS1_CHECK 248 return (num - 11); 249#endif 250 251 /* scan over padding data */ 252 j = flen - 1; /* one for type. */ 253 for (i = 0; i < j; i++) { 254 if (*(p++) == 0) { 255 break; 256 } 257 } 258 259 if (i == j) { 260 /* RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_NULL_BEFORE_BLOCK_MISSING); */ 261 return (-1); 262 } 263 264 if (i < 8) { 265 /* RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BAD_PAD_BYTE_COUNT); */ 266 return (-1); 267 } 268 i++; /* Skip over the '\0' */ 269 j -= i; 270 if (j > tlen) { 271 /* RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE); */ 272 return (-1); 273 } 274 memcpy(to, p, (unsigned int)j); 275 276 return (j); 277} 278 279 280static int 281RSA_eay_public_encrypt(int flen, const unsigned char *from, 282 unsigned char *to, RSA *rsa, int padding) 283{ 284 BIGNUM *f, *ret; 285 int i, j, k, num = 0, r = -1; 286 unsigned char *buf = NULL; 287 BN_CTX *ctx = NULL; 288 289 if (BN_num_bits(rsa->n) > RSA_MAX_MODULUS_BITS) { 290 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); */ 291 return (-1); 292 } 293 294 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 295 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); */ 296 return (-1); 297 } 298 299 /* for large moduli, enforce exponent limit */ 300 if (BN_num_bits(rsa->n) > RSA_SMALL_MODULUS_BITS) { 301 if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) { 302 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); */ 303 return (-1); 304 } 305 } 306 307 if ((ctx = BN_CTX_new()) == NULL) { 308 goto err; 309 } 310 BN_CTX_start(ctx); 311 f = BN_CTX_get(ctx); 312 ret = BN_CTX_get(ctx); 313 num = BN_num_bytes(rsa->n); 314 buf = malloc(num); 315 if (!f || !ret || !buf) { 316 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); */ 317 goto err; 318 } 319 320 switch (padding) { 321 case RSA_PKCS1_PADDING: 322 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 323 break; 324 325#if 0 326 case RSA_PKCS1_OAEP_PADDING: 327 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 328 break; 329 330 case RSA_SSLV23_PADDING: 331 i = RSA_padding_add_SSLv23(buf, num, from, flen); 332 break; 333 334 case RSA_NO_PADDING: 335 i = RSA_padding_add_none(buf, num, from, flen); 336 break; 337#endif 338 default: 339 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); */ 340 goto err; 341 } 342 if (i <= 0) { 343 goto err; 344 } 345 346 if (BN_bin2bn(buf, num, f) == NULL) { 347 goto err; 348 } 349 350 if (BN_ucmp(f, rsa->n) >= 0) { 351 /* usually the padding functions would catch this */ 352 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); */ 353 goto err; 354 } 355 356#if 0 357 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 358 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) { 359 goto err; 360 } 361 } 362#endif /* #if 0 */ 363 364 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 365 rsa->_method_mod_n)) { 366 goto err; 367 } 368 369 /* put in leading 0 bytes if the number is less than the 370 * length of the modulus */ 371 j = BN_num_bytes(ret); 372 i = BN_bn2bin(ret, &(to[num-j])); 373 for (k = 0; k < (num - i); k++) { 374 to[k] = 0; 375 } 376 377 r = num; 378err: 379 if (ctx != NULL) { 380 BN_CTX_end(ctx); 381 BN_CTX_free(ctx); 382 } 383 if (buf != NULL) { 384 memset(buf, 0, num); 385 free(buf); 386 } 387 return (r); 388} 389 390 391#if 0 392static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 393{ 394 BN_BLINDING *ret; 395 int got_write_lock = 0; 396 397 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 398 399 if (rsa->blinding == NULL) { 400 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 401 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 402 got_write_lock = 1; 403 404 if (rsa->blinding == NULL) { 405 rsa->blinding = RSA_setup_blinding(rsa, ctx); 406 } 407 } 408 409 ret = rsa->blinding; 410 if (ret == NULL) { 411 goto err; 412 } 413 414 if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) { 415 /* rsa->blinding is ours! */ 416 417 *local = 1; 418 }else { 419 /* resort to rsa->mt_blinding instead */ 420 421 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() 422 * that the BN_BLINDING is shared, meaning that accesses 423 * require locks, and that the blinding factor must be 424 * stored outside the BN_BLINDING 425 */ 426 427 if (rsa->mt_blinding == NULL) { 428 if (!got_write_lock) { 429 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 430 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 431 got_write_lock = 1; 432 } 433 434 if (rsa->mt_blinding == NULL) { 435 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 436 } 437 } 438 ret = rsa->mt_blinding; 439 } 440 441err: 442 if (got_write_lock) { 443 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 444 } else{ 445 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 446 } 447 return (ret); 448} 449 450 451static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, 452 BIGNUM *r, BN_CTX *ctx) 453{ 454 if (local) { 455 return (BN_BLINDING_convert_ex(f, NULL, b, ctx)); 456 } else{ 457 int ret; 458 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); 459 ret = BN_BLINDING_convert_ex(f, r, b, ctx); 460 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING); 461 return (ret); 462 } 463} 464 465 466static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f, 467 BIGNUM *r, BN_CTX *ctx) 468{ 469 if (local) { 470 return (BN_BLINDING_invert_ex(f, NULL, b, ctx)); 471 } else{ 472 int ret; 473 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 474 ret = BN_BLINDING_invert_ex(f, r, b, ctx); 475 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 476 return (ret); 477 } 478} 479 480 481#endif 482 483/* signing */ 484static int 485RSA_eay_private_encrypt(int flen, const unsigned char *from, 486 unsigned char *to, RSA *rsa, int padding) 487{ 488 BIGNUM *f, *ret, *br, *res; 489 int i, j, k, num = 0, r = -1; 490 unsigned char *buf = NULL; 491 BN_CTX *ctx = NULL; 492 493#if 0 494 int local_blinding = 0; 495 BN_BLINDING *blinding = NULL; 496#endif 497 498 if ((ctx = BN_CTX_new()) == NULL) { 499 goto err; 500 } 501 BN_CTX_start(ctx); 502 f = BN_CTX_get(ctx); 503 br = BN_CTX_get(ctx); 504 ret = BN_CTX_get(ctx); 505 num = BN_num_bytes(rsa->n); 506 buf = malloc(num); 507 if (!f || !ret || !buf) { 508 /* RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); */ 509 goto err; 510 } 511 512 switch (padding) { 513 case RSA_PKCS1_PADDING: 514 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 515 break; 516 517#if 0 518 case RSA_X931_PADDING: 519 i = RSA_padding_add_X931(buf, num, from, flen); 520 break; 521 522 case RSA_NO_PADDING: 523 i = RSA_padding_add_none(buf, num, from, flen); 524 break; 525 526 case RSA_SSLV23_PADDING: 527#endif 528 default: 529 /* RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); */ 530 goto err; 531 } 532 if (i <= 0) { 533 goto err; 534 } 535 536 if (BN_bin2bn(buf, num, f) == NULL) { 537 goto err; 538 } 539 540 if (BN_ucmp(f, rsa->n) >= 0) { 541 /* usually the padding functions would catch this */ 542 /* RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); */ 543 goto err; 544 } 545 546#if 0 547 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 548 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 549 if (blinding == NULL) { 550 /* RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); */ 551 goto err; 552 } 553 } 554 555 if (blinding != NULL) { 556 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) { 557 goto err; 558 } 559 } 560#endif 561 562 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 563 ((rsa->p != NULL) && 564 (rsa->q != NULL) && 565 (rsa->dmp1 != NULL) && 566 (rsa->dmq1 != NULL) && 567 (rsa->iqmp != NULL))) { 568 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) { 569 goto err; 570 } 571 } else { 572 BIGNUM local_d; 573 BIGNUM *d = NULL; 574 575 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 576 BN_init(&local_d); 577 d = &local_d; 578 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 579 } else{ 580 d = rsa->d; 581 } 582 583#if 0 584 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 585 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) { 586 goto err; 587 } 588 } 589#endif 590 591 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 592 rsa->_method_mod_n)) { 593 goto err; 594 } 595 } 596 597#if 0 598 if (blinding) { 599 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) { 600 goto err; 601 } 602 } 603 604 if (padding == RSA_X931_PADDING) { 605 BN_sub(f, rsa->n, ret); 606 if (BN_cmp(ret, f)) { 607 res = f; 608 } else{ 609 res = ret; 610 } 611 }else 612#endif 613 res = ret; 614 615 /* put in leading 0 bytes if the number is less than the 616 * length of the modulus */ 617 j = BN_num_bytes(res); 618 i = BN_bn2bin(res, &(to[num - j])); 619 for (k = 0; k < (num - i); k++) { 620 to[k] = 0; 621 } 622 623 r = num; 624err: 625 if (ctx != NULL) { 626 BN_CTX_end(ctx); 627 BN_CTX_free(ctx); 628 } 629 if (buf != NULL) { 630 memset(buf, 0, num); 631 free(buf); 632 } 633 return (r); 634} 635 636 637static int 638RSA_eay_private_decrypt(int flen, const unsigned char *from, 639 unsigned char *to, RSA *rsa, int padding) 640{ 641 BIGNUM *f, *ret, *br; 642 int j, num = 0, r = -1; 643 unsigned char *p; 644 unsigned char *buf = NULL; 645 BN_CTX *ctx = NULL; 646 647#if 0 648 int local_blinding = 0; 649 BN_BLINDING *blinding = NULL; 650#endif 651 652 if ((ctx = BN_CTX_new()) == NULL) { 653 goto err; 654 } 655 BN_CTX_start(ctx); 656 f = BN_CTX_get(ctx); 657 br = BN_CTX_get(ctx); 658 ret = BN_CTX_get(ctx); 659 num = BN_num_bytes(rsa->n); 660 buf = malloc(num); 661 if (!f || !ret || !buf) { 662 /* RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); */ 663 goto err; 664 } 665 666 /* This check was for equality but PGP does evil things 667 * and chops off the top '0' bytes */ 668 if (flen > num) { 669 /* RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); */ 670 goto err; 671 } 672 673 /* make data into a big number */ 674 if (BN_bin2bn(from, (int)flen, f) == NULL) { 675 goto err; 676 } 677 678 if (BN_ucmp(f, rsa->n) >= 0) { 679 /* RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); */ 680 goto err; 681 } 682 683#if 0 684 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 685 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 686 if (blinding == NULL) { 687 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 688 goto err; 689 } 690 } 691 692 if (blinding != NULL) { 693 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) { 694 goto err; 695 } 696 } 697#endif 698 699 /* do the decrypt */ 700 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 701 ((rsa->p != NULL) && 702 (rsa->q != NULL) && 703 (rsa->dmp1 != NULL) && 704 (rsa->dmq1 != NULL) && 705 (rsa->iqmp != NULL))) { 706 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) { 707 goto err; 708 } 709 } else { 710 BIGNUM local_d; 711 BIGNUM *d = NULL; 712 713 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 714 d = &local_d; 715 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 716 } else{ 717 d = rsa->d; 718 } 719 720#if 0 721 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 722 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) { 723 goto err; 724 } 725 } 726#endif 727 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { 728 goto err; 729 } 730 } 731 732#if 0 733 if (blinding) { 734 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) { 735 goto err; 736 } 737 } 738#endif 739 740 p = buf; 741 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 742 743 switch (padding) { 744 case RSA_PKCS1_PADDING: 745 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 746 break; 747 748#if 0 749 case RSA_PKCS1_OAEP_PADDING: 750 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 751 break; 752 753 case RSA_SSLV23_PADDING: 754 r = RSA_padding_check_SSLv23(to, num, buf, j, num); 755 break; 756 757 case RSA_NO_PADDING: 758 r = RSA_padding_check_none(to, num, buf, j, num); 759 break; 760#endif 761 default: 762 /* RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); */ 763 goto err; 764 } 765#if 0 766 if (r < 0) { 767 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 768 } 769#endif 770 771err: 772 if (ctx != NULL) { 773 BN_CTX_end(ctx); 774 BN_CTX_free(ctx); 775 } 776 if (buf != NULL) { 777 memset(buf, 0, num); 778 free(buf); 779 } 780 return (r); 781} 782 783 784/* signature verification */ 785static int 786RSA_eay_public_decrypt(int flen, const unsigned char *from, 787 unsigned char *to, RSA *rsa, int padding) 788{ 789 BIGNUM *f, *ret; 790 int i, num = 0, r = -1; 791 unsigned char *p; 792 unsigned char *buf = NULL; 793 BN_CTX *ctx = NULL; 794 795 if (BN_num_bits(rsa->n) > RSA_MAX_MODULUS_BITS) { 796 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); */ 797 return (-1); 798 } 799 800 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 801 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); */ 802 return (-1); 803 } 804 805 /* for large moduli, enforce exponent limit */ 806 if (BN_num_bits(rsa->n) > RSA_SMALL_MODULUS_BITS) { 807 if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) { 808 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); */ 809 return (-1); 810 } 811 } 812 813 if ((ctx = BN_CTX_new()) == NULL) { 814 goto err; 815 } 816 BN_CTX_start(ctx); 817 f = BN_CTX_get(ctx); 818 ret = BN_CTX_get(ctx); 819 num = BN_num_bytes(rsa->n); 820 buf = malloc(num); 821 if (!f || !ret || !buf) { 822 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); */ 823 goto err; 824 } 825 826 /* This check was for equality but PGP does evil things 827 * and chops off the top '0' bytes */ 828 if (flen > num) { 829 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); */ 830 goto err; 831 } 832 833 if (BN_bin2bn(from, flen, f) == NULL) { 834 goto err; 835 } 836 837 if (BN_ucmp(f, rsa->n) >= 0) { 838 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); */ 839 goto err; 840 } 841 842#if 0 843 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 844 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) { 845 goto err; 846 } 847 } 848#endif 849 850 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, rsa->_method_mod_n)) { 851 goto err; 852 } 853 854#if 0 855 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) { 856 if (!BN_sub(ret, rsa->n, ret)) { 857 goto err; 858 } 859 } 860#endif 861 862 p = buf; 863 i = BN_bn2bin(ret, p); 864 865 switch (padding) { 866 case RSA_PKCS1_PADDING: 867 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 868 break; 869 870#if 0 871 case RSA_X931_PADDING: 872 r = RSA_padding_check_X931(to, num, buf, i, num); 873 break; 874 875 case RSA_NO_PADDING: 876 r = RSA_padding_check_none(to, num, buf, i, num); 877 break; 878#endif 879 default: 880 /* RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); */ 881 goto err; 882 } 883#if 0 884 if (r < 0) { 885 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 886 } 887#endif 888 889err: 890 if (ctx != NULL) { 891 BN_CTX_end(ctx); 892 BN_CTX_free(ctx); 893 } 894 if (buf != NULL) { 895 memset(buf, 0, num); 896 free(buf); 897 } 898 return (r); 899} 900 901 902static int 903RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 904{ 905 BIGNUM *r1, *m1, *vrfy; 906 BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 907 BIGNUM *dmp1, *dmq1, *c, *pr1; 908 int ret = 0; 909 910 BN_CTX_start(ctx); 911 r1 = BN_CTX_get(ctx); 912 m1 = BN_CTX_get(ctx); 913 vrfy = BN_CTX_get(ctx); 914 915 { 916 BIGNUM local_p, local_q; 917 BIGNUM *p = NULL, *q = NULL; 918 919 /* Make sure BN_mod_inverse in Montgomery intialization uses the 920 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 921 */ 922 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 923 BN_init(&local_p); 924 p = &local_p; 925 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 926 927 BN_init(&local_q); 928 q = &local_q; 929 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 930 } else { 931 p = rsa->p; 932 q = rsa->q; 933 } 934 935#if 0 936 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 937 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) { 938 goto err; 939 } 940 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) { 941 goto err; 942 } 943 } 944#endif 945 } 946 947#if 0 948 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 949 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) { 950 goto err; 951 } 952 } 953#endif 954 955 /* compute I mod q */ 956 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 957 c = &local_c; 958 BN_with_flags(c, I, BN_FLG_CONSTTIME); 959 if (!BN_mod(r1, c, rsa->q, ctx)) { 960 goto err; 961 } 962 } else { 963 if (!BN_mod(r1, I, rsa->q, ctx)) { 964 goto err; 965 } 966 } 967 968 /* compute r1^dmq1 mod q */ 969 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 970 dmq1 = &local_dmq1; 971 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 972 } else{ 973 dmq1 = rsa->dmq1; 974 } 975 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) { 976 goto err; 977 } 978 979 /* compute I mod p */ 980 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 981 c = &local_c; 982 BN_with_flags(c, I, BN_FLG_CONSTTIME); 983 if (!BN_mod(r1, c, rsa->p, ctx)) { 984 goto err; 985 } 986 } else { 987 if (!BN_mod(r1, I, rsa->p, ctx)) { 988 goto err; 989 } 990 } 991 992 /* compute r1^dmp1 mod p */ 993 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 994 dmp1 = &local_dmp1; 995 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 996 } else{ 997 dmp1 = rsa->dmp1; 998 } 999 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) { 1000 goto err; 1001 } 1002 1003 if (!BN_sub(r0, r0, m1)) { 1004 goto err; 1005 } 1006 1007 /* This will help stop the size of r0 increasing, which does 1008 * affect the multiply if it optimised for a power of 2 size */ 1009 if (BN_is_negative(r0)) { 1010 if (!BN_add(r0, r0, rsa->p)) { 1011 goto err; 1012 } 1013 } 1014 1015 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) { 1016 goto err; 1017 } 1018 1019 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 1020 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 1021 pr1 = &local_r1; 1022 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 1023 } else{ 1024 pr1 = r1; 1025 } 1026 if (!BN_mod(r0, pr1, rsa->p, ctx)) { 1027 goto err; 1028 } 1029 1030 /* If p < q it is occasionally possible for the correction of 1031 * adding 'p' if r0 is negative above to leave the result still 1032 * negative. This can break the private key operations: the following 1033 * second correction should *always* correct this rare occurrence. 1034 * This will *never* happen with OpenSSL generated keys because 1035 * they ensure p > q [steve] 1036 */ 1037 if (BN_is_negative(r0)) { 1038 if (!BN_add(r0, r0, rsa->p)) { 1039 goto err; 1040 } 1041 } 1042 if (!BN_mul(r1, r0, rsa->q, ctx)) { 1043 goto err; 1044 } 1045 if (!BN_add(r0, r1, m1)) { 1046 goto err; 1047 } 1048 1049 if (rsa->e && rsa->n) { 1050 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 1051 rsa->_method_mod_n)) { 1052 goto err; 1053 } 1054 1055 /* If 'I' was greater than (or equal to) rsa->n, the operation 1056 * will be equivalent to using 'I mod n'. However, the result of 1057 * the verify will *always* be less than 'n' so we don't check 1058 * for absolute equality, just congruency. */ 1059 if (!BN_sub(vrfy, vrfy, I)) { 1060 goto err; 1061 } 1062 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) { 1063 goto err; 1064 } 1065 if (BN_is_negative(vrfy)) { 1066 if (!BN_add(vrfy, vrfy, rsa->n)) { 1067 goto err; 1068 } 1069 } 1070 if (!BN_is_zero(vrfy)) { 1071 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 1072 * miscalculated CRT output, just do a raw (slower) 1073 * mod_exp and return that instead. */ 1074 1075 BIGNUM local_d; 1076 BIGNUM *d = NULL; 1077 1078 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 1079 d = &local_d; 1080 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 1081 } else{ 1082 d = rsa->d; 1083 } 1084 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 1085 rsa->_method_mod_n)) { 1086 goto err; 1087 } 1088 } 1089 } 1090 ret = 1; 1091err: 1092 BN_CTX_end(ctx); 1093 return (ret); 1094} 1095 1096 1097static int 1098RSA_eay_init(RSA *rsa) 1099{ 1100 /* rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; */ 1101 return (1); 1102} 1103 1104 1105static int RSA_eay_finish(RSA *rsa) 1106{ 1107#if 0 1108 if (rsa->_method_mod_n != NULL) { 1109 BN_MONT_CTX_free(rsa->_method_mod_n); 1110 } 1111 if (rsa->_method_mod_p != NULL) { 1112 BN_MONT_CTX_free(rsa->_method_mod_p); 1113 } 1114 if (rsa->_method_mod_q != NULL) { 1115 BN_MONT_CTX_free(rsa->_method_mod_q); 1116 } 1117#endif 1118 return (1); 1119} 1120 1121 1122static int 1123eay_rsa_generate_key(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 1124{ 1125 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; 1126 BIGNUM local_r0, local_d, local_p; 1127 BIGNUM *pr0, *d, *p; 1128 int bitsp, bitsq, ok = -1, n = 0; 1129 BN_CTX *ctx = NULL; 1130 1131 ctx = BN_CTX_new(); 1132 if (ctx == NULL) { 1133 goto err; 1134 } 1135 BN_CTX_start(ctx); 1136 r0 = BN_CTX_get(ctx); 1137 r1 = BN_CTX_get(ctx); 1138 r2 = BN_CTX_get(ctx); 1139 r3 = BN_CTX_get(ctx); 1140 if (r3 == NULL) { 1141 goto err; 1142 } 1143 1144 bitsp = (bits + 1) / 2; 1145 bitsq = bits - bitsp; 1146 1147 /* We need the RSA components to be non-NULL */ 1148 if (!rsa->n && ((rsa->n = BN_new()) == NULL)) { 1149 goto err; 1150 } 1151 if (!rsa->d && ((rsa->d = BN_new()) == NULL)) { 1152 goto err; 1153 } 1154 if (!rsa->e && ((rsa->e = BN_new()) == NULL)) { 1155 goto err; 1156 } 1157 if (!rsa->p && ((rsa->p = BN_new()) == NULL)) { 1158 goto err; 1159 } 1160 if (!rsa->q && ((rsa->q = BN_new()) == NULL)) { 1161 goto err; 1162 } 1163 if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) { 1164 goto err; 1165 } 1166 if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) { 1167 goto err; 1168 } 1169 if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) { 1170 goto err; 1171 } 1172 1173 BN_copy(rsa->e, e_value); 1174 1175 /* generate p and q */ 1176 for ( ; ; ) { 1177 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, NULL)) { 1178 goto err; 1179 } 1180 if (!BN_sub(r2, rsa->p, BN_value_one())) { 1181 goto err; 1182 } 1183 if (!BN_gcd(r1, r2, rsa->e, ctx)) { 1184 goto err; 1185 } 1186 if (BN_is_one(r1)) { 1187 break; 1188 } 1189 } 1190 for ( ; ; ) { 1191 /* When generating ridiculously small keys, we can get stuck 1192 * continually regenerating the same prime values. Check for 1193 * this and bail if it happens 3 times. */ 1194 unsigned int degenerate = 0; 1195 do { 1196 if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, NULL)) { 1197 goto err; 1198 } 1199 } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); 1200 if (degenerate == 3) { 1201 ok = 0; /* we set our own err */ 1202 /* RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL); */ 1203 goto err; 1204 } 1205 if (!BN_sub(r2, rsa->q, BN_value_one())) { 1206 goto err; 1207 } 1208 if (!BN_gcd(r1, r2, rsa->e, ctx)) { 1209 goto err; 1210 } 1211 if (BN_is_one(r1)) { 1212 break; 1213 } 1214 } 1215 if (BN_cmp(rsa->p, rsa->q) < 0) { 1216 tmp = rsa->p; 1217 rsa->p = rsa->q; 1218 rsa->q = tmp; 1219 } 1220 1221 /* calculate n */ 1222 if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) { 1223 goto err; 1224 } 1225 1226 /* calculate d */ 1227 if (!BN_sub(r1, rsa->p, BN_value_one())) { 1228 goto err; /* p-1 */ 1229 } 1230 if (!BN_sub(r2, rsa->q, BN_value_one())) { 1231 goto err; /* q-1 */ 1232 } 1233 if (!BN_mul(r0, r1, r2, ctx)) { 1234 goto err; /* (p-1)(q-1) */ 1235 } 1236 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 1237 pr0 = &local_r0; 1238 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); 1239 } else{ 1240 pr0 = r0; 1241 } 1242 1243 if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { 1244 goto err; /* d */ 1245 } 1246 /* set up d for correct BN_FLG_CONSTTIME flag */ 1247 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 1248 d = &local_d; 1249 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 1250 } else{ 1251 d = rsa->d; 1252 } 1253 1254 /* calculate d mod (p-1) */ 1255 if (!BN_mod(rsa->dmp1, d, r1, ctx)) { 1256 goto err; 1257 } 1258 1259 /* calculate d mod (q-1) */ 1260 if (!BN_mod(rsa->dmq1, d, r2, ctx)) { 1261 goto err; 1262 } 1263 1264 /* calculate inverse of q mod p */ 1265 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 1266 p = &local_p; 1267 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 1268 } else{ 1269 p = rsa->p; 1270 } 1271 if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) { 1272 goto err; 1273 } 1274 1275 ok = 1; 1276err: 1277 if (ok == -1) { 1278 /* RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN); */ 1279 ok = 0; 1280 } 1281 if (ctx != NULL) { 1282 BN_CTX_end(ctx); 1283 BN_CTX_free(ctx); 1284 } 1285 1286 return (ok); 1287} 1288 1289 1290const RSA_METHOD _ossl_rsa_eay_method = 1291{ 1292 .name = "Eric Young's PKCS#1 RSA", 1293 .rsa_pub_enc = RSA_eay_public_encrypt, 1294 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */ 1295 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */ 1296 .rsa_priv_dec = RSA_eay_private_decrypt, 1297 .rsa_mod_exp = RSA_eay_mod_exp, 1298 .bn_mod_exp = BN_mod_exp_mont, 1299 .init = RSA_eay_init, 1300 .finish = RSA_eay_finish, 1301 .flags = 0, /* flags */ 1302 .app_data = NULL, 1303 .rsa_sign = 0, /* rsa_sign */ 1304 .rsa_verify = 0, /* rsa_verify */ 1305 .rsa_keygen = eay_rsa_generate_key /* rsa_keygen */ 1306}; 1307#endif /* ! defined(PR_10783242_FIXED) || ! defined(PR_8174774_FIXED) */ 1308 1309const RSA_METHOD * 1310RSA_eay_method(void) 1311{ 1312#if !defined(PR_10783242_FIXED) || !defined(PR_8174774_FIXED) 1313 return (&_ossl_rsa_eay_method); 1314 1315#else 1316 return (NULL); 1317#endif 1318} 1319