|
1 /* crypto/rsa/rsa_eay.c */ |
|
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
|
3 * All rights reserved. |
|
4 * |
|
5 * This package is an SSL implementation written |
|
6 * by Eric Young (eay@cryptsoft.com). |
|
7 * The implementation was written so as to conform with Netscapes SSL. |
|
8 * |
|
9 * This library is free for commercial and non-commercial use as long as |
|
10 * the following conditions are aheared to. The following conditions |
|
11 * apply to all code found in this distribution, be it the RC4, RSA, |
|
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
|
13 * included with this distribution is covered by the same copyright terms |
|
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
|
15 * |
|
16 * Copyright remains Eric Young's, and as such any Copyright notices in |
|
17 * the code are not to be removed. |
|
18 * If this package is used in a product, Eric Young should be given attribution |
|
19 * as the author of the parts of the library used. |
|
20 * This can be in the form of a textual message at program startup or |
|
21 * in documentation (online or textual) provided with the package. |
|
22 * |
|
23 * Redistribution and use in source and binary forms, with or without |
|
24 * modification, are permitted provided that the following conditions |
|
25 * are met: |
|
26 * 1. Redistributions of source code must retain the copyright |
|
27 * notice, this list of conditions and the following disclaimer. |
|
28 * 2. Redistributions in binary form must reproduce the above copyright |
|
29 * notice, this list of conditions and the following disclaimer in the |
|
30 * documentation and/or other materials provided with the distribution. |
|
31 * 3. All advertising materials mentioning features or use of this software |
|
32 * must display the following acknowledgement: |
|
33 * "This product includes cryptographic software written by |
|
34 * Eric Young (eay@cryptsoft.com)" |
|
35 * The word 'cryptographic' can be left out if the rouines from the library |
|
36 * being used are not cryptographic related :-). |
|
37 * 4. If you include any Windows specific code (or a derivative thereof) from |
|
38 * the apps directory (application code) you must include an acknowledgement: |
|
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
|
40 * |
|
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
|
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
|
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
|
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
|
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
|
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
|
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
|
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
|
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
|
51 * SUCH DAMAGE. |
|
52 * |
|
53 * The licence and distribution terms for any publically available version or |
|
54 * derivative of this code cannot be changed. i.e. this code cannot simply be |
|
55 * copied and put under another distribution licence |
|
56 * [including the GNU Public Licence.] |
|
57 */ |
|
58 /* ==================================================================== |
|
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. |
|
60 * |
|
61 * Redistribution and use in source and binary forms, with or without |
|
62 * modification, are permitted provided that the following conditions |
|
63 * are met: |
|
64 * |
|
65 * 1. Redistributions of source code must retain the above copyright |
|
66 * notice, this list of conditions and the following disclaimer. |
|
67 * |
|
68 * 2. Redistributions in binary form must reproduce the above copyright |
|
69 * notice, this list of conditions and the following disclaimer in |
|
70 * the documentation and/or other materials provided with the |
|
71 * distribution. |
|
72 * |
|
73 * 3. All advertising materials mentioning features or use of this |
|
74 * software must display the following acknowledgment: |
|
75 * "This product includes software developed by the OpenSSL Project |
|
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
|
77 * |
|
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
|
79 * endorse or promote products derived from this software without |
|
80 * prior written permission. For written permission, please contact |
|
81 * openssl-core@openssl.org. |
|
82 * |
|
83 * 5. Products derived from this software may not be called "OpenSSL" |
|
84 * nor may "OpenSSL" appear in their names without prior written |
|
85 * permission of the OpenSSL Project. |
|
86 * |
|
87 * 6. Redistributions of any form whatsoever must retain the following |
|
88 * acknowledgment: |
|
89 * "This product includes software developed by the OpenSSL Project |
|
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
|
91 * |
|
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
|
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
|
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
|
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
|
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
|
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
|
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
|
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
|
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
|
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
|
103 * OF THE POSSIBILITY OF SUCH DAMAGE. |
|
104 * ==================================================================== |
|
105 * |
|
106 * This product includes cryptographic software written by Eric Young |
|
107 * (eay@cryptsoft.com). This product includes software written by Tim |
|
108 * Hudson (tjh@cryptsoft.com). |
|
109 * |
|
110 */ |
|
111 /* |
|
112 © Portions copyright (c) 2006 Nokia Corporation. All rights reserved. |
|
113 */ |
|
114 |
|
115 |
|
116 #include <stdio.h> |
|
117 #include "cryptlib.h" |
|
118 #include <openssl/bn.h> |
|
119 #include <openssl/rsa.h> |
|
120 #include <openssl/rand.h> |
|
121 #if (defined(SYMBIAN) && (defined(__WINSCW__) || defined(__WINS__))) |
|
122 #include "libcrypto_wsd_macros.h" |
|
123 #include "libcrypto_wsd.h" |
|
124 #endif |
|
125 |
|
126 #ifndef RSA_NULL |
|
127 |
|
128 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, |
|
129 unsigned char *to, RSA *rsa,int padding); |
|
130 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, |
|
131 unsigned char *to, RSA *rsa,int padding); |
|
132 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, |
|
133 unsigned char *to, RSA *rsa,int padding); |
|
134 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, |
|
135 unsigned char *to, RSA *rsa,int padding); |
|
136 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); |
|
137 static int RSA_eay_init(RSA *rsa); |
|
138 static int RSA_eay_finish(RSA *rsa); |
|
139 |
|
140 #ifndef EMULATOR |
|
141 static RSA_METHOD rsa_pkcs1_eay_meth={ |
|
142 "Eric Young's PKCS#1 RSA", |
|
143 RSA_eay_public_encrypt, |
|
144 RSA_eay_public_decrypt, /* signature verification */ |
|
145 RSA_eay_private_encrypt, /* signing */ |
|
146 RSA_eay_private_decrypt, |
|
147 RSA_eay_mod_exp, |
|
148 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ |
|
149 RSA_eay_init, |
|
150 RSA_eay_finish, |
|
151 0, /* flags */ |
|
152 NULL, |
|
153 0, /* rsa_sign */ |
|
154 0, /* rsa_verify */ |
|
155 NULL /* rsa_keygen */ |
|
156 }; |
|
157 #else |
|
158 GET_STATIC_VAR_FROM_TLS(rsa_pkcs1_eay_meth,rsa_eay,RSA_METHOD ) |
|
159 #define rsa_pkcs1_eay_meth (*GET_WSD_VAR_NAME(rsa_pkcs1_eay_meth,rsa_eay,s)()) |
|
160 const RSA_METHOD temp_s_rsa_pkcs1_eay_meth={ |
|
161 "Eric Young's PKCS#1 RSA", |
|
162 RSA_eay_public_encrypt, |
|
163 RSA_eay_public_decrypt, /* signature verification */ |
|
164 RSA_eay_private_encrypt, /* signing */ |
|
165 RSA_eay_private_decrypt, |
|
166 RSA_eay_mod_exp, |
|
167 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ |
|
168 RSA_eay_init, |
|
169 RSA_eay_finish, |
|
170 0, /* flags */ |
|
171 NULL, |
|
172 0, /* rsa_sign */ |
|
173 0, /* rsa_verify */ |
|
174 NULL /* rsa_keygen */ |
|
175 }; |
|
176 |
|
177 #endif |
|
178 EXPORT_C const RSA_METHOD *RSA_PKCS1_SSLeay(void) |
|
179 { |
|
180 return(&rsa_pkcs1_eay_meth); |
|
181 } |
|
182 |
|
183 /* Usage example; |
|
184 * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); |
|
185 */ |
|
186 #define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \ |
|
187 if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ |
|
188 !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \ |
|
189 CRYPTO_LOCK_RSA, \ |
|
190 (rsa)->m, (ctx))) \ |
|
191 err_instr |
|
192 |
|
193 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, |
|
194 unsigned char *to, RSA *rsa, int padding) |
|
195 { |
|
196 BIGNUM *f,*ret; |
|
197 int i,j,k,num=0,r= -1; |
|
198 unsigned char *buf=NULL; |
|
199 BN_CTX *ctx=NULL; |
|
200 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) |
|
201 { |
|
202 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); |
|
203 return -1; |
|
204 } |
|
205 |
|
206 if (BN_ucmp(rsa->n, rsa->e) <= 0) |
|
207 { |
|
208 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); |
|
209 return -1; |
|
210 } |
|
211 |
|
212 /* for large moduli, enforce exponent limit */ |
|
213 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) |
|
214 { |
|
215 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) |
|
216 { |
|
217 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); |
|
218 return -1; |
|
219 } |
|
220 } |
|
221 |
|
222 |
|
223 if ((ctx=BN_CTX_new()) == NULL) goto err; |
|
224 BN_CTX_start(ctx); |
|
225 f = BN_CTX_get(ctx); |
|
226 ret = BN_CTX_get(ctx); |
|
227 num=BN_num_bytes(rsa->n); |
|
228 buf = OPENSSL_malloc(num); |
|
229 if (!f || !ret || !buf) |
|
230 { |
|
231 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); |
|
232 goto err; |
|
233 } |
|
234 |
|
235 switch (padding) |
|
236 { |
|
237 case RSA_PKCS1_PADDING: |
|
238 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); |
|
239 break; |
|
240 #ifndef OPENSSL_NO_SHA |
|
241 case RSA_PKCS1_OAEP_PADDING: |
|
242 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); |
|
243 break; |
|
244 #endif |
|
245 case RSA_SSLV23_PADDING: |
|
246 i=RSA_padding_add_SSLv23(buf,num,from,flen); |
|
247 break; |
|
248 case RSA_NO_PADDING: |
|
249 i=RSA_padding_add_none(buf,num,from,flen); |
|
250 break; |
|
251 default: |
|
252 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); |
|
253 goto err; |
|
254 } |
|
255 if (i <= 0) goto err; |
|
256 |
|
257 if (BN_bin2bn(buf,num,f) == NULL) goto err; |
|
258 |
|
259 if (BN_ucmp(f, rsa->n) >= 0) |
|
260 { |
|
261 /* usually the padding functions would catch this */ |
|
262 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
|
263 goto err; |
|
264 } |
|
265 |
|
266 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); |
|
267 |
|
268 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, |
|
269 rsa->_method_mod_n)) goto err; |
|
270 |
|
271 /* put in leading 0 bytes if the number is less than the |
|
272 * length of the modulus */ |
|
273 j=BN_num_bytes(ret); |
|
274 i=BN_bn2bin(ret,&(to[num-j])); |
|
275 for (k=0; k<(num-i); k++) |
|
276 to[k]=0; |
|
277 |
|
278 r=num; |
|
279 err: |
|
280 if (ctx != NULL) |
|
281 { |
|
282 BN_CTX_end(ctx); |
|
283 BN_CTX_free(ctx); |
|
284 } |
|
285 if (buf != NULL) |
|
286 { |
|
287 OPENSSL_cleanse(buf,num); |
|
288 OPENSSL_free(buf); |
|
289 } |
|
290 return(r); |
|
291 } |
|
292 |
|
293 static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) |
|
294 { |
|
295 BN_BLINDING *ret; |
|
296 int got_write_lock = 0; |
|
297 |
|
298 CRYPTO_r_lock(CRYPTO_LOCK_RSA); |
|
299 |
|
300 if (rsa->blinding == NULL) |
|
301 { |
|
302 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); |
|
303 CRYPTO_w_lock(CRYPTO_LOCK_RSA); |
|
304 got_write_lock = 1; |
|
305 |
|
306 if (rsa->blinding == NULL) |
|
307 rsa->blinding = RSA_setup_blinding(rsa, ctx); |
|
308 } |
|
309 |
|
310 ret = rsa->blinding; |
|
311 if (ret == NULL) |
|
312 goto err; |
|
313 |
|
314 if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) |
|
315 { |
|
316 /* rsa->blinding is ours! */ |
|
317 |
|
318 *local = 1; |
|
319 } |
|
320 else |
|
321 { |
|
322 /* resort to rsa->mt_blinding instead */ |
|
323 |
|
324 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() |
|
325 * that the BN_BLINDING is shared, meaning that accesses |
|
326 * require locks, and that the blinding factor must be |
|
327 * stored outside the BN_BLINDING |
|
328 */ |
|
329 |
|
330 if (rsa->mt_blinding == NULL) |
|
331 { |
|
332 if (!got_write_lock) |
|
333 { |
|
334 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); |
|
335 CRYPTO_w_lock(CRYPTO_LOCK_RSA); |
|
336 got_write_lock = 1; |
|
337 } |
|
338 |
|
339 if (rsa->mt_blinding == NULL) |
|
340 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); |
|
341 } |
|
342 ret = rsa->mt_blinding; |
|
343 } |
|
344 |
|
345 err: |
|
346 if (got_write_lock) |
|
347 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); |
|
348 else |
|
349 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); |
|
350 return ret; |
|
351 } |
|
352 |
|
353 |
|
354 static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, |
|
355 BIGNUM *r, BN_CTX *ctx) |
|
356 { |
|
357 if (local) |
|
358 return BN_BLINDING_convert_ex(f, NULL, b, ctx); |
|
359 else |
|
360 { |
|
361 int ret; |
|
362 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); |
|
363 ret = BN_BLINDING_convert_ex(f, r, b, ctx); |
|
364 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING); |
|
365 return ret; |
|
366 } |
|
367 } |
|
368 |
|
369 static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f, |
|
370 BIGNUM *r, BN_CTX *ctx) |
|
371 { |
|
372 if (local) |
|
373 return BN_BLINDING_invert_ex(f, NULL, b, ctx); |
|
374 else |
|
375 { |
|
376 int ret; |
|
377 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); |
|
378 ret = BN_BLINDING_invert_ex(f, r, b, ctx); |
|
379 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); |
|
380 return ret; |
|
381 } |
|
382 } |
|
383 |
|
384 /* signing */ |
|
385 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, |
|
386 unsigned char *to, RSA *rsa, int padding) |
|
387 { |
|
388 BIGNUM *f, *ret, *br, *res; |
|
389 int i,j,k,num=0,r= -1; |
|
390 unsigned char *buf=NULL; |
|
391 BN_CTX *ctx=NULL; |
|
392 int local_blinding = 0; |
|
393 BN_BLINDING *blinding = NULL; |
|
394 |
|
395 if ((ctx=BN_CTX_new()) == NULL) goto err; |
|
396 BN_CTX_start(ctx); |
|
397 f = BN_CTX_get(ctx); |
|
398 br = BN_CTX_get(ctx); |
|
399 ret = BN_CTX_get(ctx); |
|
400 num = BN_num_bytes(rsa->n); |
|
401 buf = OPENSSL_malloc(num); |
|
402 if(!f || !ret || !buf) |
|
403 { |
|
404 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); |
|
405 goto err; |
|
406 } |
|
407 |
|
408 switch (padding) |
|
409 { |
|
410 case RSA_PKCS1_PADDING: |
|
411 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); |
|
412 break; |
|
413 case RSA_X931_PADDING: |
|
414 i=RSA_padding_add_X931(buf,num,from,flen); |
|
415 break; |
|
416 case RSA_NO_PADDING: |
|
417 i=RSA_padding_add_none(buf,num,from,flen); |
|
418 break; |
|
419 case RSA_SSLV23_PADDING: |
|
420 default: |
|
421 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); |
|
422 goto err; |
|
423 } |
|
424 if (i <= 0) goto err; |
|
425 |
|
426 if (BN_bin2bn(buf,num,f) == NULL) goto err; |
|
427 |
|
428 if (BN_ucmp(f, rsa->n) >= 0) |
|
429 { |
|
430 /* usually the padding functions would catch this */ |
|
431 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
|
432 goto err; |
|
433 } |
|
434 |
|
435 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) |
|
436 { |
|
437 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); |
|
438 |
|
439 if (blinding == NULL) |
|
440 { |
|
441 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); |
|
442 goto err; |
|
443 } |
|
444 } |
|
445 |
|
446 if (blinding != NULL) |
|
447 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) |
|
448 goto err; |
|
449 |
|
450 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || |
|
451 ((rsa->p != NULL) && |
|
452 (rsa->q != NULL) && |
|
453 (rsa->dmp1 != NULL) && |
|
454 (rsa->dmq1 != NULL) && |
|
455 (rsa->iqmp != NULL)) ) |
|
456 { |
|
457 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; |
|
458 } |
|
459 else |
|
460 { |
|
461 BIGNUM local_d; |
|
462 BIGNUM *d = NULL; |
|
463 |
|
464 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
465 { |
|
466 BN_init(&local_d); |
|
467 d = &local_d; |
|
468 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
|
469 } |
|
470 else |
|
471 d = rsa->d; |
|
472 |
|
473 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); |
|
474 |
|
475 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, |
|
476 rsa->_method_mod_n)) goto err; |
|
477 } |
|
478 |
|
479 if (blinding) |
|
480 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) |
|
481 goto err; |
|
482 |
|
483 if (padding == RSA_X931_PADDING) |
|
484 { |
|
485 BN_sub(f, rsa->n, ret); |
|
486 if (BN_cmp(ret, f)) |
|
487 res = f; |
|
488 else |
|
489 res = ret; |
|
490 } |
|
491 else |
|
492 res = ret; |
|
493 |
|
494 /* put in leading 0 bytes if the number is less than the |
|
495 * length of the modulus */ |
|
496 j=BN_num_bytes(res); |
|
497 i=BN_bn2bin(res,&(to[num-j])); |
|
498 for (k=0; k<(num-i); k++) |
|
499 to[k]=0; |
|
500 |
|
501 r=num; |
|
502 err: |
|
503 if (ctx != NULL) |
|
504 { |
|
505 BN_CTX_end(ctx); |
|
506 BN_CTX_free(ctx); |
|
507 } |
|
508 if (buf != NULL) |
|
509 { |
|
510 OPENSSL_cleanse(buf,num); |
|
511 OPENSSL_free(buf); |
|
512 } |
|
513 return(r); |
|
514 } |
|
515 |
|
516 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, |
|
517 unsigned char *to, RSA *rsa, int padding) |
|
518 { |
|
519 BIGNUM *f, *ret, *br; |
|
520 int j,num=0,r= -1; |
|
521 unsigned char *p; |
|
522 unsigned char *buf=NULL; |
|
523 BN_CTX *ctx=NULL; |
|
524 int local_blinding = 0; |
|
525 BN_BLINDING *blinding = NULL; |
|
526 |
|
527 if((ctx = BN_CTX_new()) == NULL) goto err; |
|
528 BN_CTX_start(ctx); |
|
529 f = BN_CTX_get(ctx); |
|
530 br = BN_CTX_get(ctx); |
|
531 ret = BN_CTX_get(ctx); |
|
532 num = BN_num_bytes(rsa->n); |
|
533 buf = OPENSSL_malloc(num); |
|
534 if(!f || !ret || !buf) |
|
535 { |
|
536 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); |
|
537 goto err; |
|
538 } |
|
539 |
|
540 /* This check was for equality but PGP does evil things |
|
541 * and chops off the top '0' bytes */ |
|
542 if (flen > num) |
|
543 { |
|
544 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); |
|
545 goto err; |
|
546 } |
|
547 |
|
548 /* make data into a big number */ |
|
549 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; |
|
550 |
|
551 if (BN_ucmp(f, rsa->n) >= 0) |
|
552 { |
|
553 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
|
554 goto err; |
|
555 } |
|
556 |
|
557 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) |
|
558 { |
|
559 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); |
|
560 if (blinding == NULL) |
|
561 { |
|
562 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); |
|
563 goto err; |
|
564 } |
|
565 } |
|
566 |
|
567 if (blinding != NULL) |
|
568 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) |
|
569 goto err; |
|
570 |
|
571 /* do the decrypt */ |
|
572 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || |
|
573 ((rsa->p != NULL) && |
|
574 (rsa->q != NULL) && |
|
575 (rsa->dmp1 != NULL) && |
|
576 (rsa->dmq1 != NULL) && |
|
577 (rsa->iqmp != NULL)) ) |
|
578 { |
|
579 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; |
|
580 } |
|
581 else |
|
582 { |
|
583 BIGNUM local_d; |
|
584 BIGNUM *d = NULL; |
|
585 |
|
586 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
587 { |
|
588 d = &local_d; |
|
589 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
|
590 } |
|
591 else |
|
592 d = rsa->d; |
|
593 |
|
594 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); |
|
595 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, |
|
596 rsa->_method_mod_n)) |
|
597 goto err; |
|
598 } |
|
599 |
|
600 if (blinding) |
|
601 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) |
|
602 goto err; |
|
603 |
|
604 p=buf; |
|
605 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ |
|
606 |
|
607 switch (padding) |
|
608 { |
|
609 case RSA_PKCS1_PADDING: |
|
610 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); |
|
611 break; |
|
612 #ifndef OPENSSL_NO_SHA |
|
613 case RSA_PKCS1_OAEP_PADDING: |
|
614 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); |
|
615 break; |
|
616 #endif |
|
617 case RSA_SSLV23_PADDING: |
|
618 r=RSA_padding_check_SSLv23(to,num,buf,j,num); |
|
619 break; |
|
620 case RSA_NO_PADDING: |
|
621 r=RSA_padding_check_none(to,num,buf,j,num); |
|
622 break; |
|
623 default: |
|
624 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); |
|
625 goto err; |
|
626 } |
|
627 if (r < 0) |
|
628 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); |
|
629 |
|
630 err: |
|
631 if (ctx != NULL) |
|
632 { |
|
633 BN_CTX_end(ctx); |
|
634 BN_CTX_free(ctx); |
|
635 } |
|
636 if (buf != NULL) |
|
637 { |
|
638 OPENSSL_cleanse(buf,num); |
|
639 OPENSSL_free(buf); |
|
640 } |
|
641 return(r); |
|
642 } |
|
643 |
|
644 /* signature verification */ |
|
645 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, |
|
646 unsigned char *to, RSA *rsa, int padding) |
|
647 { |
|
648 BIGNUM *f,*ret; |
|
649 int i,num=0,r= -1; |
|
650 unsigned char *p; |
|
651 unsigned char *buf=NULL; |
|
652 BN_CTX *ctx=NULL; |
|
653 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) |
|
654 { |
|
655 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); |
|
656 return -1; |
|
657 } |
|
658 |
|
659 if (BN_ucmp(rsa->n, rsa->e) <= 0) |
|
660 { |
|
661 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); |
|
662 return -1; |
|
663 } |
|
664 |
|
665 /* for large moduli, enforce exponent limit */ |
|
666 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) |
|
667 { |
|
668 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) |
|
669 { |
|
670 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); |
|
671 return -1; |
|
672 } |
|
673 } |
|
674 if((ctx = BN_CTX_new()) == NULL) goto err; |
|
675 BN_CTX_start(ctx); |
|
676 f = BN_CTX_get(ctx); |
|
677 ret = BN_CTX_get(ctx); |
|
678 num=BN_num_bytes(rsa->n); |
|
679 buf = OPENSSL_malloc(num); |
|
680 if(!f || !ret || !buf) |
|
681 { |
|
682 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); |
|
683 goto err; |
|
684 } |
|
685 |
|
686 /* This check was for equality but PGP does evil things |
|
687 * and chops off the top '0' bytes */ |
|
688 if (flen > num) |
|
689 { |
|
690 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); |
|
691 goto err; |
|
692 } |
|
693 |
|
694 if (BN_bin2bn(from,flen,f) == NULL) goto err; |
|
695 |
|
696 if (BN_ucmp(f, rsa->n) >= 0) |
|
697 { |
|
698 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
|
699 goto err; |
|
700 } |
|
701 |
|
702 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); |
|
703 |
|
704 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, |
|
705 rsa->_method_mod_n)) goto err; |
|
706 |
|
707 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) |
|
708 BN_sub(ret, rsa->n, ret); |
|
709 |
|
710 p=buf; |
|
711 i=BN_bn2bin(ret,p); |
|
712 |
|
713 switch (padding) |
|
714 { |
|
715 case RSA_PKCS1_PADDING: |
|
716 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); |
|
717 break; |
|
718 case RSA_X931_PADDING: |
|
719 r=RSA_padding_check_X931(to,num,buf,i,num); |
|
720 break; |
|
721 case RSA_NO_PADDING: |
|
722 r=RSA_padding_check_none(to,num,buf,i,num); |
|
723 break; |
|
724 default: |
|
725 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); |
|
726 goto err; |
|
727 } |
|
728 if (r < 0) |
|
729 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); |
|
730 |
|
731 err: |
|
732 if (ctx != NULL) |
|
733 { |
|
734 BN_CTX_end(ctx); |
|
735 BN_CTX_free(ctx); |
|
736 } |
|
737 if (buf != NULL) |
|
738 { |
|
739 OPENSSL_cleanse(buf,num); |
|
740 OPENSSL_free(buf); |
|
741 } |
|
742 return(r); |
|
743 } |
|
744 |
|
745 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) |
|
746 { |
|
747 BIGNUM *r1,*m1,*vrfy; |
|
748 BIGNUM local_dmp1,local_dmq1,local_c,local_r1; |
|
749 BIGNUM *dmp1,*dmq1,*c,*pr1; |
|
750 int bn_flags; |
|
751 int ret=0; |
|
752 |
|
753 BN_CTX_start(ctx); |
|
754 r1 = BN_CTX_get(ctx); |
|
755 m1 = BN_CTX_get(ctx); |
|
756 vrfy = BN_CTX_get(ctx); |
|
757 |
|
758 /* Make sure mod_inverse in montgomerey intialization use correct |
|
759 * BN_FLG_CONSTTIME flag. |
|
760 */ |
|
761 bn_flags = rsa->p->flags; |
|
762 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
763 { |
|
764 rsa->p->flags |= BN_FLG_CONSTTIME; |
|
765 } |
|
766 MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); |
|
767 /* We restore bn_flags back */ |
|
768 rsa->p->flags = bn_flags; |
|
769 |
|
770 /* Make sure mod_inverse in montgomerey intialization use correct |
|
771 * BN_FLG_CONSTTIME flag. |
|
772 */ |
|
773 bn_flags = rsa->q->flags; |
|
774 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
775 { |
|
776 rsa->q->flags |= BN_FLG_CONSTTIME; |
|
777 } |
|
778 MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); |
|
779 /* We restore bn_flags back */ |
|
780 rsa->q->flags = bn_flags; |
|
781 MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); |
|
782 |
|
783 /* compute I mod q */ |
|
784 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
785 { |
|
786 c = &local_c; |
|
787 BN_with_flags(c, I, BN_FLG_CONSTTIME); |
|
788 if (!BN_mod(r1,c,rsa->q,ctx)) goto err; |
|
789 } |
|
790 else |
|
791 { |
|
792 if (!BN_mod(r1,I,rsa->q,ctx)) goto err; |
|
793 } |
|
794 /* compute r1^dmq1 mod q */ |
|
795 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
796 { |
|
797 dmq1 = &local_dmq1; |
|
798 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); |
|
799 } |
|
800 else |
|
801 dmq1 = rsa->dmq1; |
|
802 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, |
|
803 rsa->_method_mod_q)) goto err; |
|
804 |
|
805 /* compute I mod p */ |
|
806 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
807 { |
|
808 c = &local_c; |
|
809 BN_with_flags(c, I, BN_FLG_CONSTTIME); |
|
810 if (!BN_mod(r1,c,rsa->p,ctx)) goto err; |
|
811 } |
|
812 else |
|
813 { |
|
814 if (!BN_mod(r1,I,rsa->p,ctx)) goto err; |
|
815 } |
|
816 /* compute r1^dmp1 mod p */ |
|
817 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
818 { |
|
819 dmp1 = &local_dmp1; |
|
820 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); |
|
821 } |
|
822 else |
|
823 dmp1 = rsa->dmp1; |
|
824 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, |
|
825 rsa->_method_mod_p)) goto err; |
|
826 |
|
827 if (!BN_sub(r0,r0,m1)) goto err; |
|
828 /* This will help stop the size of r0 increasing, which does |
|
829 * affect the multiply if it optimised for a power of 2 size */ |
|
830 if (BN_is_negative(r0)) |
|
831 if (!BN_add(r0,r0,rsa->p)) goto err; |
|
832 |
|
833 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; |
|
834 |
|
835 /* Turn BN_FLG_CONSTTIME flag on before division operation */ |
|
836 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
837 { |
|
838 pr1 = &local_r1; |
|
839 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); |
|
840 } |
|
841 else |
|
842 pr1 = r1; |
|
843 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; |
|
844 |
|
845 /* If p < q it is occasionally possible for the correction of |
|
846 * adding 'p' if r0 is negative above to leave the result still |
|
847 * negative. This can break the private key operations: the following |
|
848 * second correction should *always* correct this rare occurrence. |
|
849 * This will *never* happen with OpenSSL generated keys because |
|
850 * they ensure p > q [steve] |
|
851 */ |
|
852 if (BN_is_negative(r0)) |
|
853 if (!BN_add(r0,r0,rsa->p)) goto err; |
|
854 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; |
|
855 if (!BN_add(r0,r1,m1)) goto err; |
|
856 |
|
857 if (rsa->e && rsa->n) |
|
858 { |
|
859 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; |
|
860 /* If 'I' was greater than (or equal to) rsa->n, the operation |
|
861 * will be equivalent to using 'I mod n'. However, the result of |
|
862 * the verify will *always* be less than 'n' so we don't check |
|
863 * for absolute equality, just congruency. */ |
|
864 if (!BN_sub(vrfy, vrfy, I)) goto err; |
|
865 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; |
|
866 if (BN_is_negative(vrfy)) |
|
867 if (!BN_add(vrfy, vrfy, rsa->n)) goto err; |
|
868 if (!BN_is_zero(vrfy)) |
|
869 { |
|
870 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak |
|
871 * miscalculated CRT output, just do a raw (slower) |
|
872 * mod_exp and return that instead. */ |
|
873 |
|
874 BIGNUM local_d; |
|
875 BIGNUM *d = NULL; |
|
876 |
|
877 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) |
|
878 { |
|
879 d = &local_d; |
|
880 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
|
881 } |
|
882 else |
|
883 d = rsa->d; |
|
884 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, |
|
885 rsa->_method_mod_n)) goto err; |
|
886 } |
|
887 } |
|
888 ret=1; |
|
889 err: |
|
890 BN_CTX_end(ctx); |
|
891 return(ret); |
|
892 } |
|
893 |
|
894 static int RSA_eay_init(RSA *rsa) |
|
895 { |
|
896 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; |
|
897 return(1); |
|
898 } |
|
899 |
|
900 static int RSA_eay_finish(RSA *rsa) |
|
901 { |
|
902 if (rsa->_method_mod_n != NULL) |
|
903 BN_MONT_CTX_free(rsa->_method_mod_n); |
|
904 if (rsa->_method_mod_p != NULL) |
|
905 BN_MONT_CTX_free(rsa->_method_mod_p); |
|
906 if (rsa->_method_mod_q != NULL) |
|
907 BN_MONT_CTX_free(rsa->_method_mod_q); |
|
908 return(1); |
|
909 } |
|
910 |
|
911 #endif |