1 /* $OpenBSD: rsa_eay.c,v 1.54 2022/01/20 11:10:11 inoguchi Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include <string.h> 114 115 #include <openssl/opensslconf.h> 116 117 #include <openssl/bn.h> 118 #include <openssl/err.h> 119 #include <openssl/rsa.h> 120 121 #include "bn_lcl.h" 122 #include "rsa_locl.h" 123 124 static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 125 unsigned char *to, RSA *rsa, int padding); 126 static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 127 unsigned char *to, RSA *rsa, int padding); 128 static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 129 unsigned char *to, RSA *rsa, int padding); 130 static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 131 unsigned char *to, RSA *rsa, int padding); 132 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 133 static int RSA_eay_init(RSA *rsa); 134 static int RSA_eay_finish(RSA *rsa); 135 136 static RSA_METHOD rsa_pkcs1_eay_meth = { 137 .name = "Eric Young's PKCS#1 RSA", 138 .rsa_pub_enc = RSA_eay_public_encrypt, 139 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */ 140 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */ 141 .rsa_priv_dec = RSA_eay_private_decrypt, 142 .rsa_mod_exp = RSA_eay_mod_exp, 143 .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if e == 3 */ 144 .init = RSA_eay_init, 145 .finish = RSA_eay_finish, 146 }; 147 148 const RSA_METHOD * 149 RSA_PKCS1_OpenSSL(void) 150 { 151 return &rsa_pkcs1_eay_meth; 152 } 153 154 const RSA_METHOD * 155 RSA_PKCS1_SSLeay(void) 156 { 157 return &rsa_pkcs1_eay_meth; 158 } 159 160 static int 161 RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 162 RSA *rsa, int padding) 163 { 164 BIGNUM *f, *ret; 165 int i, j, k, num = 0, r = -1; 166 unsigned char *buf = NULL; 167 BN_CTX *ctx = NULL; 168 169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 170 RSAerror(RSA_R_MODULUS_TOO_LARGE); 171 return -1; 172 } 173 174 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 175 RSAerror(RSA_R_BAD_E_VALUE); 176 return -1; 177 } 178 179 /* for large moduli, enforce exponent limit */ 180 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 181 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 182 RSAerror(RSA_R_BAD_E_VALUE); 183 return -1; 184 } 185 } 186 187 if ((ctx = BN_CTX_new()) == NULL) 188 goto err; 189 190 BN_CTX_start(ctx); 191 f = BN_CTX_get(ctx); 192 ret = BN_CTX_get(ctx); 193 num = BN_num_bytes(rsa->n); 194 buf = malloc(num); 195 196 if (f == NULL || ret == NULL || buf == NULL) { 197 RSAerror(ERR_R_MALLOC_FAILURE); 198 goto err; 199 } 200 201 switch (padding) { 202 case RSA_PKCS1_PADDING: 203 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 204 break; 205 #ifndef OPENSSL_NO_SHA 206 case RSA_PKCS1_OAEP_PADDING: 207 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 208 break; 209 #endif 210 case RSA_NO_PADDING: 211 i = RSA_padding_add_none(buf, num, from, flen); 212 break; 213 default: 214 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 215 goto err; 216 } 217 if (i <= 0) 218 goto err; 219 220 if (BN_bin2bn(buf, num, f) == NULL) 221 goto err; 222 223 if (BN_ucmp(f, rsa->n) >= 0) { 224 /* usually the padding functions would catch this */ 225 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 226 goto err; 227 } 228 229 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 230 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 231 CRYPTO_LOCK_RSA, rsa->n, ctx)) 232 goto err; 233 234 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 235 rsa->_method_mod_n)) 236 goto err; 237 238 /* put in leading 0 bytes if the number is less than the 239 * length of the modulus */ 240 j = BN_num_bytes(ret); 241 i = BN_bn2bin(ret, &(to[num - j])); 242 for (k = 0; k < num - i; k++) 243 to[k] = 0; 244 245 r = num; 246 err: 247 if (ctx != NULL) { 248 BN_CTX_end(ctx); 249 BN_CTX_free(ctx); 250 } 251 freezero(buf, num); 252 return r; 253 } 254 255 static BN_BLINDING * 256 rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 257 { 258 BN_BLINDING *ret; 259 int got_write_lock = 0; 260 CRYPTO_THREADID cur; 261 262 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 263 264 if (rsa->blinding == NULL) { 265 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 266 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 267 got_write_lock = 1; 268 269 if (rsa->blinding == NULL) 270 rsa->blinding = RSA_setup_blinding(rsa, ctx); 271 } 272 273 ret = rsa->blinding; 274 if (ret == NULL) 275 goto err; 276 277 CRYPTO_THREADID_current(&cur); 278 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 279 /* rsa->blinding is ours! */ 280 *local = 1; 281 } else { 282 /* resort to rsa->mt_blinding instead */ 283 /* 284 * Instruct rsa_blinding_convert(), rsa_blinding_invert() 285 * that the BN_BLINDING is shared, meaning that accesses 286 * require locks, and that the blinding factor must be 287 * stored outside the BN_BLINDING 288 */ 289 *local = 0; 290 291 if (rsa->mt_blinding == NULL) { 292 if (!got_write_lock) { 293 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 294 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 295 got_write_lock = 1; 296 } 297 298 if (rsa->mt_blinding == NULL) 299 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 300 } 301 ret = rsa->mt_blinding; 302 } 303 304 err: 305 if (got_write_lock) 306 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 307 else 308 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 309 return ret; 310 } 311 312 static int 313 rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 314 { 315 if (unblind == NULL) 316 /* 317 * Local blinding: store the unblinding factor 318 * in BN_BLINDING. 319 */ 320 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 321 else { 322 /* 323 * Shared blinding: store the unblinding factor 324 * outside BN_BLINDING. 325 */ 326 int ret; 327 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 328 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 329 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 330 return ret; 331 } 332 } 333 334 static int 335 rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 336 { 337 /* 338 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 339 * will use the unblinding factor stored in BN_BLINDING. 340 * If BN_BLINDING is shared between threads, unblind must be non-null: 341 * BN_BLINDING_invert_ex will then use the local unblinding factor, 342 * and will only read the modulus from BN_BLINDING. 343 * In both cases it's safe to access the blinding without a lock. 344 */ 345 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 346 } 347 348 /* signing */ 349 static int 350 RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 351 RSA *rsa, int padding) 352 { 353 BIGNUM *f, *ret, *res; 354 int i, j, k, num = 0, r = -1; 355 unsigned char *buf = NULL; 356 BN_CTX *ctx = NULL; 357 int local_blinding = 0; 358 /* 359 * Used only if the blinding structure is shared. A non-NULL unblind 360 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 361 * the unblinding factor outside the blinding structure. 362 */ 363 BIGNUM *unblind = NULL; 364 BN_BLINDING *blinding = NULL; 365 366 if ((ctx = BN_CTX_new()) == NULL) 367 goto err; 368 369 BN_CTX_start(ctx); 370 f = BN_CTX_get(ctx); 371 ret = BN_CTX_get(ctx); 372 num = BN_num_bytes(rsa->n); 373 buf = malloc(num); 374 375 if (f == NULL || ret == NULL || buf == NULL) { 376 RSAerror(ERR_R_MALLOC_FAILURE); 377 goto err; 378 } 379 380 switch (padding) { 381 case RSA_PKCS1_PADDING: 382 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 383 break; 384 case RSA_X931_PADDING: 385 i = RSA_padding_add_X931(buf, num, from, flen); 386 break; 387 case RSA_NO_PADDING: 388 i = RSA_padding_add_none(buf, num, from, flen); 389 break; 390 default: 391 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 392 goto err; 393 } 394 if (i <= 0) 395 goto err; 396 397 if (BN_bin2bn(buf, num, f) == NULL) 398 goto err; 399 400 if (BN_ucmp(f, rsa->n) >= 0) { 401 /* usually the padding functions would catch this */ 402 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 403 goto err; 404 } 405 406 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 407 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 408 if (blinding == NULL) { 409 RSAerror(ERR_R_INTERNAL_ERROR); 410 goto err; 411 } 412 } 413 414 if (blinding != NULL) { 415 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 416 RSAerror(ERR_R_MALLOC_FAILURE); 417 goto err; 418 } 419 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 420 goto err; 421 } 422 423 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 424 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 425 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 426 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 427 goto err; 428 } else { 429 BIGNUM d; 430 431 BN_init(&d); 432 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 433 434 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 435 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 436 CRYPTO_LOCK_RSA, rsa->n, ctx)) 437 goto err; 438 439 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 440 rsa->_method_mod_n)) { 441 goto err; 442 } 443 } 444 445 if (blinding) 446 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 447 goto err; 448 449 if (padding == RSA_X931_PADDING) { 450 if (!BN_sub(f, rsa->n, ret)) 451 goto err; 452 if (BN_cmp(ret, f) > 0) 453 res = f; 454 else 455 res = ret; 456 } else 457 res = ret; 458 459 /* put in leading 0 bytes if the number is less than the 460 * length of the modulus */ 461 j = BN_num_bytes(res); 462 i = BN_bn2bin(res, &(to[num - j])); 463 for (k = 0; k < num - i; k++) 464 to[k] = 0; 465 466 r = num; 467 err: 468 if (ctx != NULL) { 469 BN_CTX_end(ctx); 470 BN_CTX_free(ctx); 471 } 472 freezero(buf, num); 473 return r; 474 } 475 476 static int 477 RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 478 RSA *rsa, int padding) 479 { 480 BIGNUM *f, *ret; 481 int j, num = 0, r = -1; 482 unsigned char *p; 483 unsigned char *buf = NULL; 484 BN_CTX *ctx = NULL; 485 int local_blinding = 0; 486 /* 487 * Used only if the blinding structure is shared. A non-NULL unblind 488 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 489 * the unblinding factor outside the blinding structure. 490 */ 491 BIGNUM *unblind = NULL; 492 BN_BLINDING *blinding = NULL; 493 494 if ((ctx = BN_CTX_new()) == NULL) 495 goto err; 496 497 BN_CTX_start(ctx); 498 f = BN_CTX_get(ctx); 499 ret = BN_CTX_get(ctx); 500 num = BN_num_bytes(rsa->n); 501 buf = malloc(num); 502 503 if (!f || !ret || !buf) { 504 RSAerror(ERR_R_MALLOC_FAILURE); 505 goto err; 506 } 507 508 /* This check was for equality but PGP does evil things 509 * and chops off the top '0' bytes */ 510 if (flen > num) { 511 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 512 goto err; 513 } 514 515 /* make data into a big number */ 516 if (BN_bin2bn(from, (int)flen, f) == NULL) 517 goto err; 518 519 if (BN_ucmp(f, rsa->n) >= 0) { 520 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 521 goto err; 522 } 523 524 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 525 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 526 if (blinding == NULL) { 527 RSAerror(ERR_R_INTERNAL_ERROR); 528 goto err; 529 } 530 } 531 532 if (blinding != NULL) { 533 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 534 RSAerror(ERR_R_MALLOC_FAILURE); 535 goto err; 536 } 537 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 538 goto err; 539 } 540 541 /* do the decrypt */ 542 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 543 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 544 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 545 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 546 goto err; 547 } else { 548 BIGNUM d; 549 550 BN_init(&d); 551 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 552 553 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 554 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 555 CRYPTO_LOCK_RSA, rsa->n, ctx)) 556 goto err; 557 558 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 559 rsa->_method_mod_n)) { 560 goto err; 561 } 562 } 563 564 if (blinding) 565 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 566 goto err; 567 568 p = buf; 569 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 570 571 switch (padding) { 572 case RSA_PKCS1_PADDING: 573 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 574 break; 575 #ifndef OPENSSL_NO_SHA 576 case RSA_PKCS1_OAEP_PADDING: 577 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 578 break; 579 #endif 580 case RSA_NO_PADDING: 581 r = RSA_padding_check_none(to, num, buf, j, num); 582 break; 583 default: 584 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 585 goto err; 586 } 587 if (r < 0) 588 RSAerror(RSA_R_PADDING_CHECK_FAILED); 589 590 err: 591 if (ctx != NULL) { 592 BN_CTX_end(ctx); 593 BN_CTX_free(ctx); 594 } 595 freezero(buf, num); 596 return r; 597 } 598 599 /* signature verification */ 600 static int 601 RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 602 RSA *rsa, int padding) 603 { 604 BIGNUM *f, *ret; 605 int i, num = 0, r = -1; 606 unsigned char *p; 607 unsigned char *buf = NULL; 608 BN_CTX *ctx = NULL; 609 610 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 611 RSAerror(RSA_R_MODULUS_TOO_LARGE); 612 return -1; 613 } 614 615 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 616 RSAerror(RSA_R_BAD_E_VALUE); 617 return -1; 618 } 619 620 /* for large moduli, enforce exponent limit */ 621 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 622 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 623 RSAerror(RSA_R_BAD_E_VALUE); 624 return -1; 625 } 626 } 627 628 if ((ctx = BN_CTX_new()) == NULL) 629 goto err; 630 631 BN_CTX_start(ctx); 632 f = BN_CTX_get(ctx); 633 ret = BN_CTX_get(ctx); 634 num = BN_num_bytes(rsa->n); 635 buf = malloc(num); 636 637 if (!f || !ret || !buf) { 638 RSAerror(ERR_R_MALLOC_FAILURE); 639 goto err; 640 } 641 642 /* This check was for equality but PGP does evil things 643 * and chops off the top '0' bytes */ 644 if (flen > num) { 645 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 646 goto err; 647 } 648 649 if (BN_bin2bn(from, flen, f) == NULL) 650 goto err; 651 652 if (BN_ucmp(f, rsa->n) >= 0) { 653 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 654 goto err; 655 } 656 657 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 658 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 659 CRYPTO_LOCK_RSA, rsa->n, ctx)) 660 goto err; 661 662 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 663 rsa->_method_mod_n)) 664 goto err; 665 666 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12) 667 if (!BN_sub(ret, rsa->n, ret)) 668 goto err; 669 670 p = buf; 671 i = BN_bn2bin(ret, p); 672 673 switch (padding) { 674 case RSA_PKCS1_PADDING: 675 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 676 break; 677 case RSA_X931_PADDING: 678 r = RSA_padding_check_X931(to, num, buf, i, num); 679 break; 680 case RSA_NO_PADDING: 681 r = RSA_padding_check_none(to, num, buf, i, num); 682 break; 683 default: 684 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 685 goto err; 686 } 687 if (r < 0) 688 RSAerror(RSA_R_PADDING_CHECK_FAILED); 689 690 err: 691 if (ctx != NULL) { 692 BN_CTX_end(ctx); 693 BN_CTX_free(ctx); 694 } 695 freezero(buf, num); 696 return r; 697 } 698 699 static int 700 RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 701 { 702 BIGNUM *r1, *m1, *vrfy; 703 BIGNUM dmp1, dmq1, c, pr1; 704 int ret = 0; 705 706 BN_CTX_start(ctx); 707 r1 = BN_CTX_get(ctx); 708 m1 = BN_CTX_get(ctx); 709 vrfy = BN_CTX_get(ctx); 710 if (r1 == NULL || m1 == NULL || vrfy == NULL) { 711 RSAerror(ERR_R_MALLOC_FAILURE); 712 goto err; 713 } 714 715 { 716 BIGNUM p, q; 717 718 /* 719 * Make sure BN_mod_inverse in Montgomery intialization uses the 720 * BN_FLG_CONSTTIME flag 721 */ 722 BN_init(&p); 723 BN_init(&q); 724 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); 725 BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); 726 727 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 728 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 729 CRYPTO_LOCK_RSA, &p, ctx) || 730 !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 731 CRYPTO_LOCK_RSA, &q, ctx)) { 732 goto err; 733 } 734 } 735 } 736 737 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 738 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 739 CRYPTO_LOCK_RSA, rsa->n, ctx)) 740 goto err; 741 742 /* compute I mod q */ 743 BN_init(&c); 744 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 745 746 if (!BN_mod_ct(r1, &c, rsa->q, ctx)) 747 goto err; 748 749 /* compute r1^dmq1 mod q */ 750 BN_init(&dmq1); 751 BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 752 753 if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, 754 rsa->_method_mod_q)) 755 goto err; 756 757 /* compute I mod p */ 758 BN_init(&c); 759 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 760 761 if (!BN_mod_ct(r1, &c, rsa->p, ctx)) 762 goto err; 763 764 /* compute r1^dmp1 mod p */ 765 BN_init(&dmp1); 766 BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 767 768 if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, 769 rsa->_method_mod_p)) 770 goto err; 771 772 if (!BN_sub(r0, r0, m1)) 773 goto err; 774 775 /* 776 * This will help stop the size of r0 increasing, which does 777 * affect the multiply if it optimised for a power of 2 size 778 */ 779 if (BN_is_negative(r0)) 780 if (!BN_add(r0, r0, rsa->p)) 781 goto err; 782 783 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 784 goto err; 785 786 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 787 BN_init(&pr1); 788 BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); 789 790 if (!BN_mod_ct(r0, &pr1, rsa->p, ctx)) 791 goto err; 792 793 /* 794 * If p < q it is occasionally possible for the correction of 795 * adding 'p' if r0 is negative above to leave the result still 796 * negative. This can break the private key operations: the following 797 * second correction should *always* correct this rare occurrence. 798 * This will *never* happen with OpenSSL generated keys because 799 * they ensure p > q [steve] 800 */ 801 if (BN_is_negative(r0)) 802 if (!BN_add(r0, r0, rsa->p)) 803 goto err; 804 if (!BN_mul(r1, r0, rsa->q, ctx)) 805 goto err; 806 if (!BN_add(r0, r1, m1)) 807 goto err; 808 809 if (rsa->e && rsa->n) { 810 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 811 rsa->_method_mod_n)) 812 goto err; 813 /* 814 * If 'I' was greater than (or equal to) rsa->n, the operation 815 * will be equivalent to using 'I mod n'. However, the result of 816 * the verify will *always* be less than 'n' so we don't check 817 * for absolute equality, just congruency. 818 */ 819 if (!BN_sub(vrfy, vrfy, I)) 820 goto err; 821 if (!BN_mod_ct(vrfy, vrfy, rsa->n, ctx)) 822 goto err; 823 if (BN_is_negative(vrfy)) 824 if (!BN_add(vrfy, vrfy, rsa->n)) 825 goto err; 826 if (!BN_is_zero(vrfy)) { 827 /* 828 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 829 * miscalculated CRT output, just do a raw (slower) 830 * mod_exp and return that instead. 831 */ 832 BIGNUM d; 833 834 BN_init(&d); 835 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 836 837 if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, 838 rsa->_method_mod_n)) { 839 goto err; 840 } 841 } 842 } 843 ret = 1; 844 err: 845 BN_CTX_end(ctx); 846 return ret; 847 } 848 849 static int 850 RSA_eay_init(RSA *rsa) 851 { 852 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 853 return 1; 854 } 855 856 static int 857 RSA_eay_finish(RSA *rsa) 858 { 859 BN_MONT_CTX_free(rsa->_method_mod_n); 860 BN_MONT_CTX_free(rsa->_method_mod_p); 861 BN_MONT_CTX_free(rsa->_method_mod_q); 862 863 return 1; 864 } 865