1 /* $OpenBSD: rsa_eay.c,v 1.54 2022/01/20 11:10:11 inoguchi Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113 #include <string.h>
114
115 #include <openssl/opensslconf.h>
116
117 #include <openssl/bn.h>
118 #include <openssl/err.h>
119 #include <openssl/rsa.h>
120
121 #include "bn_lcl.h"
122 #include "rsa_locl.h"
123
124 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
125 unsigned char *to, RSA *rsa, int padding);
126 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
127 unsigned char *to, RSA *rsa, int padding);
128 static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
129 unsigned char *to, RSA *rsa, int padding);
130 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
131 unsigned char *to, RSA *rsa, int padding);
132 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
133 static int RSA_eay_init(RSA *rsa);
134 static int RSA_eay_finish(RSA *rsa);
135
136 static RSA_METHOD rsa_pkcs1_eay_meth = {
137 .name = "Eric Young's PKCS#1 RSA",
138 .rsa_pub_enc = RSA_eay_public_encrypt,
139 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */
140 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */
141 .rsa_priv_dec = RSA_eay_private_decrypt,
142 .rsa_mod_exp = RSA_eay_mod_exp,
143 .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if e == 3 */
144 .init = RSA_eay_init,
145 .finish = RSA_eay_finish,
146 };
147
148 const RSA_METHOD *
RSA_PKCS1_OpenSSL(void)149 RSA_PKCS1_OpenSSL(void)
150 {
151 return &rsa_pkcs1_eay_meth;
152 }
153
154 const RSA_METHOD *
RSA_PKCS1_SSLeay(void)155 RSA_PKCS1_SSLeay(void)
156 {
157 return &rsa_pkcs1_eay_meth;
158 }
159
160 static int
RSA_eay_public_encrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)161 RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
162 RSA *rsa, int padding)
163 {
164 BIGNUM *f, *ret;
165 int i, j, k, num = 0, r = -1;
166 unsigned char *buf = NULL;
167 BN_CTX *ctx = NULL;
168
169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
170 RSAerror(RSA_R_MODULUS_TOO_LARGE);
171 return -1;
172 }
173
174 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
175 RSAerror(RSA_R_BAD_E_VALUE);
176 return -1;
177 }
178
179 /* for large moduli, enforce exponent limit */
180 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
181 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
182 RSAerror(RSA_R_BAD_E_VALUE);
183 return -1;
184 }
185 }
186
187 if ((ctx = BN_CTX_new()) == NULL)
188 goto err;
189
190 BN_CTX_start(ctx);
191 f = BN_CTX_get(ctx);
192 ret = BN_CTX_get(ctx);
193 num = BN_num_bytes(rsa->n);
194 buf = malloc(num);
195
196 if (f == NULL || ret == NULL || buf == NULL) {
197 RSAerror(ERR_R_MALLOC_FAILURE);
198 goto err;
199 }
200
201 switch (padding) {
202 case RSA_PKCS1_PADDING:
203 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
204 break;
205 #ifndef OPENSSL_NO_SHA
206 case RSA_PKCS1_OAEP_PADDING:
207 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
208 break;
209 #endif
210 case RSA_NO_PADDING:
211 i = RSA_padding_add_none(buf, num, from, flen);
212 break;
213 default:
214 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
215 goto err;
216 }
217 if (i <= 0)
218 goto err;
219
220 if (BN_bin2bn(buf, num, f) == NULL)
221 goto err;
222
223 if (BN_ucmp(f, rsa->n) >= 0) {
224 /* usually the padding functions would catch this */
225 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
226 goto err;
227 }
228
229 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
230 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
231 CRYPTO_LOCK_RSA, rsa->n, ctx))
232 goto err;
233
234 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
235 rsa->_method_mod_n))
236 goto err;
237
238 /* put in leading 0 bytes if the number is less than the
239 * length of the modulus */
240 j = BN_num_bytes(ret);
241 i = BN_bn2bin(ret, &(to[num - j]));
242 for (k = 0; k < num - i; k++)
243 to[k] = 0;
244
245 r = num;
246 err:
247 if (ctx != NULL) {
248 BN_CTX_end(ctx);
249 BN_CTX_free(ctx);
250 }
251 freezero(buf, num);
252 return r;
253 }
254
255 static BN_BLINDING *
rsa_get_blinding(RSA * rsa,int * local,BN_CTX * ctx)256 rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
257 {
258 BN_BLINDING *ret;
259 int got_write_lock = 0;
260 CRYPTO_THREADID cur;
261
262 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
263
264 if (rsa->blinding == NULL) {
265 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
266 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
267 got_write_lock = 1;
268
269 if (rsa->blinding == NULL)
270 rsa->blinding = RSA_setup_blinding(rsa, ctx);
271 }
272
273 ret = rsa->blinding;
274 if (ret == NULL)
275 goto err;
276
277 CRYPTO_THREADID_current(&cur);
278 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
279 /* rsa->blinding is ours! */
280 *local = 1;
281 } else {
282 /* resort to rsa->mt_blinding instead */
283 /*
284 * Instruct rsa_blinding_convert(), rsa_blinding_invert()
285 * that the BN_BLINDING is shared, meaning that accesses
286 * require locks, and that the blinding factor must be
287 * stored outside the BN_BLINDING
288 */
289 *local = 0;
290
291 if (rsa->mt_blinding == NULL) {
292 if (!got_write_lock) {
293 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
294 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
295 got_write_lock = 1;
296 }
297
298 if (rsa->mt_blinding == NULL)
299 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
300 }
301 ret = rsa->mt_blinding;
302 }
303
304 err:
305 if (got_write_lock)
306 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
307 else
308 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
309 return ret;
310 }
311
312 static int
rsa_blinding_convert(BN_BLINDING * b,BIGNUM * f,BIGNUM * unblind,BN_CTX * ctx)313 rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
314 {
315 if (unblind == NULL)
316 /*
317 * Local blinding: store the unblinding factor
318 * in BN_BLINDING.
319 */
320 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
321 else {
322 /*
323 * Shared blinding: store the unblinding factor
324 * outside BN_BLINDING.
325 */
326 int ret;
327 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
328 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
329 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
330 return ret;
331 }
332 }
333
334 static int
rsa_blinding_invert(BN_BLINDING * b,BIGNUM * f,BIGNUM * unblind,BN_CTX * ctx)335 rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
336 {
337 /*
338 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
339 * will use the unblinding factor stored in BN_BLINDING.
340 * If BN_BLINDING is shared between threads, unblind must be non-null:
341 * BN_BLINDING_invert_ex will then use the local unblinding factor,
342 * and will only read the modulus from BN_BLINDING.
343 * In both cases it's safe to access the blinding without a lock.
344 */
345 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
346 }
347
348 /* signing */
349 static int
RSA_eay_private_encrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)350 RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
351 RSA *rsa, int padding)
352 {
353 BIGNUM *f, *ret, *res;
354 int i, j, k, num = 0, r = -1;
355 unsigned char *buf = NULL;
356 BN_CTX *ctx = NULL;
357 int local_blinding = 0;
358 /*
359 * Used only if the blinding structure is shared. A non-NULL unblind
360 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
361 * the unblinding factor outside the blinding structure.
362 */
363 BIGNUM *unblind = NULL;
364 BN_BLINDING *blinding = NULL;
365
366 if ((ctx = BN_CTX_new()) == NULL)
367 goto err;
368
369 BN_CTX_start(ctx);
370 f = BN_CTX_get(ctx);
371 ret = BN_CTX_get(ctx);
372 num = BN_num_bytes(rsa->n);
373 buf = malloc(num);
374
375 if (f == NULL || ret == NULL || buf == NULL) {
376 RSAerror(ERR_R_MALLOC_FAILURE);
377 goto err;
378 }
379
380 switch (padding) {
381 case RSA_PKCS1_PADDING:
382 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
383 break;
384 case RSA_X931_PADDING:
385 i = RSA_padding_add_X931(buf, num, from, flen);
386 break;
387 case RSA_NO_PADDING:
388 i = RSA_padding_add_none(buf, num, from, flen);
389 break;
390 default:
391 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
392 goto err;
393 }
394 if (i <= 0)
395 goto err;
396
397 if (BN_bin2bn(buf, num, f) == NULL)
398 goto err;
399
400 if (BN_ucmp(f, rsa->n) >= 0) {
401 /* usually the padding functions would catch this */
402 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
403 goto err;
404 }
405
406 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
407 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
408 if (blinding == NULL) {
409 RSAerror(ERR_R_INTERNAL_ERROR);
410 goto err;
411 }
412 }
413
414 if (blinding != NULL) {
415 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
416 RSAerror(ERR_R_MALLOC_FAILURE);
417 goto err;
418 }
419 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
420 goto err;
421 }
422
423 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
424 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
425 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
426 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
427 goto err;
428 } else {
429 BIGNUM d;
430
431 BN_init(&d);
432 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
433
434 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
435 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
436 CRYPTO_LOCK_RSA, rsa->n, ctx))
437 goto err;
438
439 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
440 rsa->_method_mod_n)) {
441 goto err;
442 }
443 }
444
445 if (blinding)
446 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
447 goto err;
448
449 if (padding == RSA_X931_PADDING) {
450 if (!BN_sub(f, rsa->n, ret))
451 goto err;
452 if (BN_cmp(ret, f) > 0)
453 res = f;
454 else
455 res = ret;
456 } else
457 res = ret;
458
459 /* put in leading 0 bytes if the number is less than the
460 * length of the modulus */
461 j = BN_num_bytes(res);
462 i = BN_bn2bin(res, &(to[num - j]));
463 for (k = 0; k < num - i; k++)
464 to[k] = 0;
465
466 r = num;
467 err:
468 if (ctx != NULL) {
469 BN_CTX_end(ctx);
470 BN_CTX_free(ctx);
471 }
472 freezero(buf, num);
473 return r;
474 }
475
476 static int
RSA_eay_private_decrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)477 RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
478 RSA *rsa, int padding)
479 {
480 BIGNUM *f, *ret;
481 int j, num = 0, r = -1;
482 unsigned char *p;
483 unsigned char *buf = NULL;
484 BN_CTX *ctx = NULL;
485 int local_blinding = 0;
486 /*
487 * Used only if the blinding structure is shared. A non-NULL unblind
488 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
489 * the unblinding factor outside the blinding structure.
490 */
491 BIGNUM *unblind = NULL;
492 BN_BLINDING *blinding = NULL;
493
494 if ((ctx = BN_CTX_new()) == NULL)
495 goto err;
496
497 BN_CTX_start(ctx);
498 f = BN_CTX_get(ctx);
499 ret = BN_CTX_get(ctx);
500 num = BN_num_bytes(rsa->n);
501 buf = malloc(num);
502
503 if (!f || !ret || !buf) {
504 RSAerror(ERR_R_MALLOC_FAILURE);
505 goto err;
506 }
507
508 /* This check was for equality but PGP does evil things
509 * and chops off the top '0' bytes */
510 if (flen > num) {
511 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN);
512 goto err;
513 }
514
515 /* make data into a big number */
516 if (BN_bin2bn(from, (int)flen, f) == NULL)
517 goto err;
518
519 if (BN_ucmp(f, rsa->n) >= 0) {
520 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
521 goto err;
522 }
523
524 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
525 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
526 if (blinding == NULL) {
527 RSAerror(ERR_R_INTERNAL_ERROR);
528 goto err;
529 }
530 }
531
532 if (blinding != NULL) {
533 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
534 RSAerror(ERR_R_MALLOC_FAILURE);
535 goto err;
536 }
537 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
538 goto err;
539 }
540
541 /* do the decrypt */
542 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
543 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
544 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
545 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
546 goto err;
547 } else {
548 BIGNUM d;
549
550 BN_init(&d);
551 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
552
553 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
554 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
555 CRYPTO_LOCK_RSA, rsa->n, ctx))
556 goto err;
557
558 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
559 rsa->_method_mod_n)) {
560 goto err;
561 }
562 }
563
564 if (blinding)
565 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
566 goto err;
567
568 p = buf;
569 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
570
571 switch (padding) {
572 case RSA_PKCS1_PADDING:
573 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
574 break;
575 #ifndef OPENSSL_NO_SHA
576 case RSA_PKCS1_OAEP_PADDING:
577 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
578 break;
579 #endif
580 case RSA_NO_PADDING:
581 r = RSA_padding_check_none(to, num, buf, j, num);
582 break;
583 default:
584 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
585 goto err;
586 }
587 if (r < 0)
588 RSAerror(RSA_R_PADDING_CHECK_FAILED);
589
590 err:
591 if (ctx != NULL) {
592 BN_CTX_end(ctx);
593 BN_CTX_free(ctx);
594 }
595 freezero(buf, num);
596 return r;
597 }
598
599 /* signature verification */
600 static int
RSA_eay_public_decrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)601 RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
602 RSA *rsa, int padding)
603 {
604 BIGNUM *f, *ret;
605 int i, num = 0, r = -1;
606 unsigned char *p;
607 unsigned char *buf = NULL;
608 BN_CTX *ctx = NULL;
609
610 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
611 RSAerror(RSA_R_MODULUS_TOO_LARGE);
612 return -1;
613 }
614
615 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
616 RSAerror(RSA_R_BAD_E_VALUE);
617 return -1;
618 }
619
620 /* for large moduli, enforce exponent limit */
621 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
622 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
623 RSAerror(RSA_R_BAD_E_VALUE);
624 return -1;
625 }
626 }
627
628 if ((ctx = BN_CTX_new()) == NULL)
629 goto err;
630
631 BN_CTX_start(ctx);
632 f = BN_CTX_get(ctx);
633 ret = BN_CTX_get(ctx);
634 num = BN_num_bytes(rsa->n);
635 buf = malloc(num);
636
637 if (!f || !ret || !buf) {
638 RSAerror(ERR_R_MALLOC_FAILURE);
639 goto err;
640 }
641
642 /* This check was for equality but PGP does evil things
643 * and chops off the top '0' bytes */
644 if (flen > num) {
645 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN);
646 goto err;
647 }
648
649 if (BN_bin2bn(from, flen, f) == NULL)
650 goto err;
651
652 if (BN_ucmp(f, rsa->n) >= 0) {
653 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
654 goto err;
655 }
656
657 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
658 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
659 CRYPTO_LOCK_RSA, rsa->n, ctx))
660 goto err;
661
662 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
663 rsa->_method_mod_n))
664 goto err;
665
666 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
667 if (!BN_sub(ret, rsa->n, ret))
668 goto err;
669
670 p = buf;
671 i = BN_bn2bin(ret, p);
672
673 switch (padding) {
674 case RSA_PKCS1_PADDING:
675 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
676 break;
677 case RSA_X931_PADDING:
678 r = RSA_padding_check_X931(to, num, buf, i, num);
679 break;
680 case RSA_NO_PADDING:
681 r = RSA_padding_check_none(to, num, buf, i, num);
682 break;
683 default:
684 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
685 goto err;
686 }
687 if (r < 0)
688 RSAerror(RSA_R_PADDING_CHECK_FAILED);
689
690 err:
691 if (ctx != NULL) {
692 BN_CTX_end(ctx);
693 BN_CTX_free(ctx);
694 }
695 freezero(buf, num);
696 return r;
697 }
698
699 static int
RSA_eay_mod_exp(BIGNUM * r0,const BIGNUM * I,RSA * rsa,BN_CTX * ctx)700 RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
701 {
702 BIGNUM *r1, *m1, *vrfy;
703 BIGNUM dmp1, dmq1, c, pr1;
704 int ret = 0;
705
706 BN_CTX_start(ctx);
707 r1 = BN_CTX_get(ctx);
708 m1 = BN_CTX_get(ctx);
709 vrfy = BN_CTX_get(ctx);
710 if (r1 == NULL || m1 == NULL || vrfy == NULL) {
711 RSAerror(ERR_R_MALLOC_FAILURE);
712 goto err;
713 }
714
715 {
716 BIGNUM p, q;
717
718 /*
719 * Make sure BN_mod_inverse in Montgomery intialization uses the
720 * BN_FLG_CONSTTIME flag
721 */
722 BN_init(&p);
723 BN_init(&q);
724 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
725 BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
726
727 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
728 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
729 CRYPTO_LOCK_RSA, &p, ctx) ||
730 !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
731 CRYPTO_LOCK_RSA, &q, ctx)) {
732 goto err;
733 }
734 }
735 }
736
737 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
738 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
739 CRYPTO_LOCK_RSA, rsa->n, ctx))
740 goto err;
741
742 /* compute I mod q */
743 BN_init(&c);
744 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
745
746 if (!BN_mod_ct(r1, &c, rsa->q, ctx))
747 goto err;
748
749 /* compute r1^dmq1 mod q */
750 BN_init(&dmq1);
751 BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
752
753 if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
754 rsa->_method_mod_q))
755 goto err;
756
757 /* compute I mod p */
758 BN_init(&c);
759 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
760
761 if (!BN_mod_ct(r1, &c, rsa->p, ctx))
762 goto err;
763
764 /* compute r1^dmp1 mod p */
765 BN_init(&dmp1);
766 BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
767
768 if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
769 rsa->_method_mod_p))
770 goto err;
771
772 if (!BN_sub(r0, r0, m1))
773 goto err;
774
775 /*
776 * This will help stop the size of r0 increasing, which does
777 * affect the multiply if it optimised for a power of 2 size
778 */
779 if (BN_is_negative(r0))
780 if (!BN_add(r0, r0, rsa->p))
781 goto err;
782
783 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
784 goto err;
785
786 /* Turn BN_FLG_CONSTTIME flag on before division operation */
787 BN_init(&pr1);
788 BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
789
790 if (!BN_mod_ct(r0, &pr1, rsa->p, ctx))
791 goto err;
792
793 /*
794 * If p < q it is occasionally possible for the correction of
795 * adding 'p' if r0 is negative above to leave the result still
796 * negative. This can break the private key operations: the following
797 * second correction should *always* correct this rare occurrence.
798 * This will *never* happen with OpenSSL generated keys because
799 * they ensure p > q [steve]
800 */
801 if (BN_is_negative(r0))
802 if (!BN_add(r0, r0, rsa->p))
803 goto err;
804 if (!BN_mul(r1, r0, rsa->q, ctx))
805 goto err;
806 if (!BN_add(r0, r1, m1))
807 goto err;
808
809 if (rsa->e && rsa->n) {
810 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
811 rsa->_method_mod_n))
812 goto err;
813 /*
814 * If 'I' was greater than (or equal to) rsa->n, the operation
815 * will be equivalent to using 'I mod n'. However, the result of
816 * the verify will *always* be less than 'n' so we don't check
817 * for absolute equality, just congruency.
818 */
819 if (!BN_sub(vrfy, vrfy, I))
820 goto err;
821 if (!BN_mod_ct(vrfy, vrfy, rsa->n, ctx))
822 goto err;
823 if (BN_is_negative(vrfy))
824 if (!BN_add(vrfy, vrfy, rsa->n))
825 goto err;
826 if (!BN_is_zero(vrfy)) {
827 /*
828 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
829 * miscalculated CRT output, just do a raw (slower)
830 * mod_exp and return that instead.
831 */
832 BIGNUM d;
833
834 BN_init(&d);
835 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
836
837 if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
838 rsa->_method_mod_n)) {
839 goto err;
840 }
841 }
842 }
843 ret = 1;
844 err:
845 BN_CTX_end(ctx);
846 return ret;
847 }
848
849 static int
RSA_eay_init(RSA * rsa)850 RSA_eay_init(RSA *rsa)
851 {
852 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
853 return 1;
854 }
855
856 static int
RSA_eay_finish(RSA * rsa)857 RSA_eay_finish(RSA *rsa)
858 {
859 BN_MONT_CTX_free(rsa->_method_mod_n);
860 BN_MONT_CTX_free(rsa->_method_mod_p);
861 BN_MONT_CTX_free(rsa->_method_mod_q);
862
863 return 1;
864 }
865