OpenSSL  1.0.1c
 All Classes Files Functions Variables Typedefs Enumerations Enumerator Macros
rsa_eay.c
Go to the documentation of this file.
1 /* crypto/rsa/rsa_eay.c */
2 /* Copyright (C) 1995-1998 Eric Young ([email protected])
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young ([email protected]).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to. The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson ([email protected]).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  * notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  * notice, this list of conditions and the following disclaimer in the
30  * documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  * must display the following acknowledgement:
33  * "This product includes cryptographic software written by
34  * Eric Young ([email protected])"
35  * The word 'cryptographic' can be left out if the rouines from the library
36  * being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  * the apps directory (application code) you must include an acknowledgement:
39  * "This product includes software written by Tim Hudson ([email protected])"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed. i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  * notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  * notice, this list of conditions and the following disclaimer in
70  * the documentation and/or other materials provided with the
71  * distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  * software must display the following acknowledgment:
75  * "This product includes software developed by the OpenSSL Project
76  * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  * endorse or promote products derived from this software without
80  * prior written permission. For written permission, please contact
81  * [email protected].
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  * nor may "OpenSSL" appear in their names without prior written
85  * permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  * acknowledgment:
89  * "This product includes software developed by the OpenSSL Project
90  * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * ([email protected]). This product includes software written by Tim
108  * Hudson ([email protected]).
109  *
110  */
111 
112 #include <stdio.h>
113 #include "cryptlib.h"
114 #include <openssl/bn.h>
115 #include <openssl/rsa.h>
116 #include <openssl/rand.h>
117 
118 #ifndef RSA_NULL
119 
120 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121  unsigned char *to, RSA *rsa,int padding);
122 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
123  unsigned char *to, RSA *rsa,int padding);
124 static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125  unsigned char *to, RSA *rsa,int padding);
126 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127  unsigned char *to, RSA *rsa,int padding);
128 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
129 static int RSA_eay_init(RSA *rsa);
130 static int RSA_eay_finish(RSA *rsa);
131 static RSA_METHOD rsa_pkcs1_eay_meth={
132  "Eric Young's PKCS#1 RSA",
133  RSA_eay_public_encrypt,
134  RSA_eay_public_decrypt, /* signature verification */
135  RSA_eay_private_encrypt, /* signing */
136  RSA_eay_private_decrypt,
137  RSA_eay_mod_exp,
138  BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
139  RSA_eay_init,
140  RSA_eay_finish,
141  0, /* flags */
142  NULL,
143  0, /* rsa_sign */
144  0, /* rsa_verify */
145  NULL /* rsa_keygen */
146  };
147 
148 const RSA_METHOD *RSA_PKCS1_SSLeay(void)
149  {
150  return(&rsa_pkcs1_eay_meth);
151  }
152 
153 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
154  unsigned char *to, RSA *rsa, int padding)
155  {
156  BIGNUM *f,*ret;
157  int i,j,k,num=0,r= -1;
158  unsigned char *buf=NULL;
159  BN_CTX *ctx=NULL;
160 
161  if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
162  {
163  RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
164  return -1;
165  }
166 
167  if (BN_ucmp(rsa->n, rsa->e) <= 0)
168  {
169  RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
170  return -1;
171  }
172 
173  /* for large moduli, enforce exponent limit */
174  if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
175  {
176  if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
177  {
178  RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
179  return -1;
180  }
181  }
182 
183  if ((ctx=BN_CTX_new()) == NULL) goto err;
184  BN_CTX_start(ctx);
185  f = BN_CTX_get(ctx);
186  ret = BN_CTX_get(ctx);
187  num=BN_num_bytes(rsa->n);
188  buf = OPENSSL_malloc(num);
189  if (!f || !ret || !buf)
190  {
191  RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
192  goto err;
193  }
194 
195  switch (padding)
196  {
197  case RSA_PKCS1_PADDING:
198  i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
199  break;
200 #ifndef OPENSSL_NO_SHA
201  case RSA_PKCS1_OAEP_PADDING:
202  i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
203  break;
204 #endif
205  case RSA_SSLV23_PADDING:
206  i=RSA_padding_add_SSLv23(buf,num,from,flen);
207  break;
208  case RSA_NO_PADDING:
209  i=RSA_padding_add_none(buf,num,from,flen);
210  break;
211  default:
212  RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
213  goto err;
214  }
215  if (i <= 0) goto err;
216 
217  if (BN_bin2bn(buf,num,f) == NULL) goto err;
218 
219  if (BN_ucmp(f, rsa->n) >= 0)
220  {
221  /* usually the padding functions would catch this */
222  RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
223  goto err;
224  }
225 
226  if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
227  if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
228  goto err;
229 
230  if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
231  rsa->_method_mod_n)) goto err;
232 
233  /* put in leading 0 bytes if the number is less than the
234  * length of the modulus */
235  j=BN_num_bytes(ret);
236  i=BN_bn2bin(ret,&(to[num-j]));
237  for (k=0; k<(num-i); k++)
238  to[k]=0;
239 
240  r=num;
241 err:
242  if (ctx != NULL)
243  {
244  BN_CTX_end(ctx);
245  BN_CTX_free(ctx);
246  }
247  if (buf != NULL)
248  {
249  OPENSSL_cleanse(buf,num);
250  OPENSSL_free(buf);
251  }
252  return(r);
253  }
254 
255 static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
256 {
257  BN_BLINDING *ret;
258  int got_write_lock = 0;
259  CRYPTO_THREADID cur;
260 
261  CRYPTO_r_lock(CRYPTO_LOCK_RSA);
262 
263  if (rsa->blinding == NULL)
264  {
265  CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
266  CRYPTO_w_lock(CRYPTO_LOCK_RSA);
267  got_write_lock = 1;
268 
269  if (rsa->blinding == NULL)
270  rsa->blinding = RSA_setup_blinding(rsa, ctx);
271  }
272 
273  ret = rsa->blinding;
274  if (ret == NULL)
275  goto err;
276 
277  CRYPTO_THREADID_current(&cur);
278  if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret)))
279  {
280  /* rsa->blinding is ours! */
281 
282  *local = 1;
283  }
284  else
285  {
286  /* resort to rsa->mt_blinding instead */
287 
288  *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
289  * that the BN_BLINDING is shared, meaning that accesses
290  * require locks, and that the blinding factor must be
291  * stored outside the BN_BLINDING
292  */
293 
294  if (rsa->mt_blinding == NULL)
295  {
296  if (!got_write_lock)
297  {
298  CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
299  CRYPTO_w_lock(CRYPTO_LOCK_RSA);
300  got_write_lock = 1;
301  }
302 
303  if (rsa->mt_blinding == NULL)
304  rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
305  }
306  ret = rsa->mt_blinding;
307  }
308 
309  err:
310  if (got_write_lock)
311  CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
312  else
313  CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
314  return ret;
315 }
316 
317 static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
318  BN_CTX *ctx)
319  {
320  if (unblind == NULL)
321  /* Local blinding: store the unblinding factor
322  * in BN_BLINDING. */
323  return BN_BLINDING_convert_ex(f, NULL, b, ctx);
324  else
325  {
326  /* Shared blinding: store the unblinding factor
327  * outside BN_BLINDING. */
328  int ret;
329  CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
330  ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
331  CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
332  return ret;
333  }
334  }
335 
336 static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
337  BN_CTX *ctx)
338  {
339  /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
340  * will use the unblinding factor stored in BN_BLINDING.
341  * If BN_BLINDING is shared between threads, unblind must be non-null:
342  * BN_BLINDING_invert_ex will then use the local unblinding factor,
343  * and will only read the modulus from BN_BLINDING.
344  * In both cases it's safe to access the blinding without a lock.
345  */
346  return BN_BLINDING_invert_ex(f, unblind, b, ctx);
347  }
348 
349 /* signing */
350 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
351  unsigned char *to, RSA *rsa, int padding)
352  {
353  BIGNUM *f, *ret, *res;
354  int i,j,k,num=0,r= -1;
355  unsigned char *buf=NULL;
356  BN_CTX *ctx=NULL;
357  int local_blinding = 0;
358  /* Used only if the blinding structure is shared. A non-NULL unblind
359  * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
360  * the unblinding factor outside the blinding structure. */
361  BIGNUM *unblind = NULL;
362  BN_BLINDING *blinding = NULL;
363 
364  if ((ctx=BN_CTX_new()) == NULL) goto err;
365  BN_CTX_start(ctx);
366  f = BN_CTX_get(ctx);
367  ret = BN_CTX_get(ctx);
368  num = BN_num_bytes(rsa->n);
369  buf = OPENSSL_malloc(num);
370  if(!f || !ret || !buf)
371  {
372  RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
373  goto err;
374  }
375 
376  switch (padding)
377  {
378  case RSA_PKCS1_PADDING:
379  i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
380  break;
381  case RSA_X931_PADDING:
382  i=RSA_padding_add_X931(buf,num,from,flen);
383  break;
384  case RSA_NO_PADDING:
385  i=RSA_padding_add_none(buf,num,from,flen);
386  break;
387  case RSA_SSLV23_PADDING:
388  default:
389  RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
390  goto err;
391  }
392  if (i <= 0) goto err;
393 
394  if (BN_bin2bn(buf,num,f) == NULL) goto err;
395 
396  if (BN_ucmp(f, rsa->n) >= 0)
397  {
398  /* usually the padding functions would catch this */
399  RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
400  goto err;
401  }
402 
403  if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
404  {
405  blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
406  if (blinding == NULL)
407  {
408  RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
409  goto err;
410  }
411  }
412 
413  if (blinding != NULL)
414  {
415  if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
416  {
417  RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
418  goto err;
419  }
420  if (!rsa_blinding_convert(blinding, f, unblind, ctx))
421  goto err;
422  }
423 
424  if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
425  ((rsa->p != NULL) &&
426  (rsa->q != NULL) &&
427  (rsa->dmp1 != NULL) &&
428  (rsa->dmq1 != NULL) &&
429  (rsa->iqmp != NULL)) )
430  {
431  if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
432  }
433  else
434  {
435  BIGNUM local_d;
436  BIGNUM *d = NULL;
437 
438  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
439  {
440  BN_init(&local_d);
441  d = &local_d;
442  BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
443  }
444  else
445  d= rsa->d;
446 
447  if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
448  if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
449  goto err;
450 
451  if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
452  rsa->_method_mod_n)) goto err;
453  }
454 
455  if (blinding)
456  if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
457  goto err;
458 
459  if (padding == RSA_X931_PADDING)
460  {
461  BN_sub(f, rsa->n, ret);
462  if (BN_cmp(ret, f))
463  res = f;
464  else
465  res = ret;
466  }
467  else
468  res = ret;
469 
470  /* put in leading 0 bytes if the number is less than the
471  * length of the modulus */
472  j=BN_num_bytes(res);
473  i=BN_bn2bin(res,&(to[num-j]));
474  for (k=0; k<(num-i); k++)
475  to[k]=0;
476 
477  r=num;
478 err:
479  if (ctx != NULL)
480  {
481  BN_CTX_end(ctx);
482  BN_CTX_free(ctx);
483  }
484  if (buf != NULL)
485  {
486  OPENSSL_cleanse(buf,num);
487  OPENSSL_free(buf);
488  }
489  return(r);
490  }
491 
492 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
493  unsigned char *to, RSA *rsa, int padding)
494  {
495  BIGNUM *f, *ret;
496  int j,num=0,r= -1;
497  unsigned char *p;
498  unsigned char *buf=NULL;
499  BN_CTX *ctx=NULL;
500  int local_blinding = 0;
501  /* Used only if the blinding structure is shared. A non-NULL unblind
502  * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
503  * the unblinding factor outside the blinding structure. */
504  BIGNUM *unblind = NULL;
505  BN_BLINDING *blinding = NULL;
506 
507  if((ctx = BN_CTX_new()) == NULL) goto err;
508  BN_CTX_start(ctx);
509  f = BN_CTX_get(ctx);
510  ret = BN_CTX_get(ctx);
511  num = BN_num_bytes(rsa->n);
512  buf = OPENSSL_malloc(num);
513  if(!f || !ret || !buf)
514  {
515  RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
516  goto err;
517  }
518 
519  /* This check was for equality but PGP does evil things
520  * and chops off the top '0' bytes */
521  if (flen > num)
522  {
523  RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
524  goto err;
525  }
526 
527  /* make data into a big number */
528  if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
529 
530  if (BN_ucmp(f, rsa->n) >= 0)
531  {
532  RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
533  goto err;
534  }
535 
536  if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
537  {
538  blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
539  if (blinding == NULL)
540  {
541  RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
542  goto err;
543  }
544  }
545 
546  if (blinding != NULL)
547  {
548  if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
549  {
550  RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
551  goto err;
552  }
553  if (!rsa_blinding_convert(blinding, f, unblind, ctx))
554  goto err;
555  }
556 
557  /* do the decrypt */
558  if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
559  ((rsa->p != NULL) &&
560  (rsa->q != NULL) &&
561  (rsa->dmp1 != NULL) &&
562  (rsa->dmq1 != NULL) &&
563  (rsa->iqmp != NULL)) )
564  {
565  if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
566  }
567  else
568  {
569  BIGNUM local_d;
570  BIGNUM *d = NULL;
571 
572  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
573  {
574  d = &local_d;
575  BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
576  }
577  else
578  d = rsa->d;
579 
580  if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
581  if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
582  goto err;
583  if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
584  rsa->_method_mod_n))
585  goto err;
586  }
587 
588  if (blinding)
589  if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
590  goto err;
591 
592  p=buf;
593  j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
594 
595  switch (padding)
596  {
597  case RSA_PKCS1_PADDING:
598  r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
599  break;
600 #ifndef OPENSSL_NO_SHA
601  case RSA_PKCS1_OAEP_PADDING:
602  r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
603  break;
604 #endif
605  case RSA_SSLV23_PADDING:
606  r=RSA_padding_check_SSLv23(to,num,buf,j,num);
607  break;
608  case RSA_NO_PADDING:
609  r=RSA_padding_check_none(to,num,buf,j,num);
610  break;
611  default:
612  RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
613  goto err;
614  }
615  if (r < 0)
616  RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
617 
618 err:
619  if (ctx != NULL)
620  {
621  BN_CTX_end(ctx);
622  BN_CTX_free(ctx);
623  }
624  if (buf != NULL)
625  {
626  OPENSSL_cleanse(buf,num);
627  OPENSSL_free(buf);
628  }
629  return(r);
630  }
631 
632 /* signature verification */
633 static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
634  unsigned char *to, RSA *rsa, int padding)
635  {
636  BIGNUM *f,*ret;
637  int i,num=0,r= -1;
638  unsigned char *p;
639  unsigned char *buf=NULL;
640  BN_CTX *ctx=NULL;
641 
642  if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
643  {
644  RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
645  return -1;
646  }
647 
648  if (BN_ucmp(rsa->n, rsa->e) <= 0)
649  {
650  RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
651  return -1;
652  }
653 
654  /* for large moduli, enforce exponent limit */
655  if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
656  {
657  if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
658  {
659  RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
660  return -1;
661  }
662  }
663 
664  if((ctx = BN_CTX_new()) == NULL) goto err;
665  BN_CTX_start(ctx);
666  f = BN_CTX_get(ctx);
667  ret = BN_CTX_get(ctx);
668  num=BN_num_bytes(rsa->n);
669  buf = OPENSSL_malloc(num);
670  if(!f || !ret || !buf)
671  {
672  RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
673  goto err;
674  }
675 
676  /* This check was for equality but PGP does evil things
677  * and chops off the top '0' bytes */
678  if (flen > num)
679  {
680  RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
681  goto err;
682  }
683 
684  if (BN_bin2bn(from,flen,f) == NULL) goto err;
685 
686  if (BN_ucmp(f, rsa->n) >= 0)
687  {
688  RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
689  goto err;
690  }
691 
692  if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
693  if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
694  goto err;
695 
696  if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
697  rsa->_method_mod_n)) goto err;
698 
699  if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
700  if (!BN_sub(ret, rsa->n, ret)) goto err;
701 
702  p=buf;
703  i=BN_bn2bin(ret,p);
704 
705  switch (padding)
706  {
707  case RSA_PKCS1_PADDING:
708  r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
709  break;
710  case RSA_X931_PADDING:
711  r=RSA_padding_check_X931(to,num,buf,i,num);
712  break;
713  case RSA_NO_PADDING:
714  r=RSA_padding_check_none(to,num,buf,i,num);
715  break;
716  default:
717  RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
718  goto err;
719  }
720  if (r < 0)
721  RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
722 
723 err:
724  if (ctx != NULL)
725  {
726  BN_CTX_end(ctx);
727  BN_CTX_free(ctx);
728  }
729  if (buf != NULL)
730  {
731  OPENSSL_cleanse(buf,num);
732  OPENSSL_free(buf);
733  }
734  return(r);
735  }
736 
737 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
738  {
739  BIGNUM *r1,*m1,*vrfy;
740  BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
741  BIGNUM *dmp1,*dmq1,*c,*pr1;
742  int ret=0;
743 
744  BN_CTX_start(ctx);
745  r1 = BN_CTX_get(ctx);
746  m1 = BN_CTX_get(ctx);
747  vrfy = BN_CTX_get(ctx);
748 
749  {
750  BIGNUM local_p, local_q;
751  BIGNUM *p = NULL, *q = NULL;
752 
753  /* Make sure BN_mod_inverse in Montgomery intialization uses the
754  * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
755  */
756  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
757  {
758  BN_init(&local_p);
759  p = &local_p;
760  BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
761 
762  BN_init(&local_q);
763  q = &local_q;
764  BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
765  }
766  else
767  {
768  p = rsa->p;
769  q = rsa->q;
770  }
771 
772  if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
773  {
774  if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
775  goto err;
776  if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
777  goto err;
778  }
779  }
780 
781  if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
782  if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
783  goto err;
784 
785  /* compute I mod q */
786  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
787  {
788  c = &local_c;
789  BN_with_flags(c, I, BN_FLG_CONSTTIME);
790  if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
791  }
792  else
793  {
794  if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
795  }
796 
797  /* compute r1^dmq1 mod q */
798  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
799  {
800  dmq1 = &local_dmq1;
801  BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
802  }
803  else
804  dmq1 = rsa->dmq1;
805  if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
806  rsa->_method_mod_q)) goto err;
807 
808  /* compute I mod p */
809  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
810  {
811  c = &local_c;
812  BN_with_flags(c, I, BN_FLG_CONSTTIME);
813  if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
814  }
815  else
816  {
817  if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
818  }
819 
820  /* compute r1^dmp1 mod p */
821  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
822  {
823  dmp1 = &local_dmp1;
824  BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
825  }
826  else
827  dmp1 = rsa->dmp1;
828  if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
829  rsa->_method_mod_p)) goto err;
830 
831  if (!BN_sub(r0,r0,m1)) goto err;
832  /* This will help stop the size of r0 increasing, which does
833  * affect the multiply if it optimised for a power of 2 size */
834  if (BN_is_negative(r0))
835  if (!BN_add(r0,r0,rsa->p)) goto err;
836 
837  if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
838 
839  /* Turn BN_FLG_CONSTTIME flag on before division operation */
840  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
841  {
842  pr1 = &local_r1;
843  BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
844  }
845  else
846  pr1 = r1;
847  if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
848 
849  /* If p < q it is occasionally possible for the correction of
850  * adding 'p' if r0 is negative above to leave the result still
851  * negative. This can break the private key operations: the following
852  * second correction should *always* correct this rare occurrence.
853  * This will *never* happen with OpenSSL generated keys because
854  * they ensure p > q [steve]
855  */
856  if (BN_is_negative(r0))
857  if (!BN_add(r0,r0,rsa->p)) goto err;
858  if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
859  if (!BN_add(r0,r1,m1)) goto err;
860 
861  if (rsa->e && rsa->n)
862  {
863  if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
864  /* If 'I' was greater than (or equal to) rsa->n, the operation
865  * will be equivalent to using 'I mod n'. However, the result of
866  * the verify will *always* be less than 'n' so we don't check
867  * for absolute equality, just congruency. */
868  if (!BN_sub(vrfy, vrfy, I)) goto err;
869  if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
870  if (BN_is_negative(vrfy))
871  if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
872  if (!BN_is_zero(vrfy))
873  {
874  /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
875  * miscalculated CRT output, just do a raw (slower)
876  * mod_exp and return that instead. */
877 
878  BIGNUM local_d;
879  BIGNUM *d = NULL;
880 
881  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
882  {
883  d = &local_d;
884  BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
885  }
886  else
887  d = rsa->d;
888  if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
889  rsa->_method_mod_n)) goto err;
890  }
891  }
892  ret=1;
893 err:
894  BN_CTX_end(ctx);
895  return(ret);
896  }
897 
898 static int RSA_eay_init(RSA *rsa)
899  {
900  rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
901  return(1);
902  }
903 
904 static int RSA_eay_finish(RSA *rsa)
905  {
906  if (rsa->_method_mod_n != NULL)
907  BN_MONT_CTX_free(rsa->_method_mod_n);
908  if (rsa->_method_mod_p != NULL)
909  BN_MONT_CTX_free(rsa->_method_mod_p);
910  if (rsa->_method_mod_q != NULL)
911  BN_MONT_CTX_free(rsa->_method_mod_q);
912  return(1);
913  }
914 
915 #endif
Generated on Thu Jan 10 2013 09:53:38 for OpenSSL by   doxygen 1.8.2