1 /* $OpenBSD: rsa_eay.c,v 1.65 2023/08/09 12:09:06 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include <string.h> 114 115 #include <openssl/opensslconf.h> 116 117 #include <openssl/bn.h> 118 #include <openssl/err.h> 119 #include <openssl/rsa.h> 120 121 #include "bn_local.h" 122 #include "rsa_local.h" 123 124 static int 125 rsa_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 126 RSA *rsa, int padding) 127 { 128 BIGNUM *f, *ret; 129 int i, j, k, num = 0, r = -1; 130 unsigned char *buf = NULL; 131 BN_CTX *ctx = NULL; 132 133 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 134 RSAerror(RSA_R_MODULUS_TOO_LARGE); 135 return -1; 136 } 137 138 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 139 RSAerror(RSA_R_BAD_E_VALUE); 140 return -1; 141 } 142 143 /* for large moduli, enforce exponent limit */ 144 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 145 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 146 RSAerror(RSA_R_BAD_E_VALUE); 147 return -1; 148 } 149 } 150 151 if ((ctx = BN_CTX_new()) == NULL) 152 goto err; 153 154 BN_CTX_start(ctx); 155 f = BN_CTX_get(ctx); 156 ret = BN_CTX_get(ctx); 157 num = BN_num_bytes(rsa->n); 158 buf = malloc(num); 159 160 if (f == NULL || ret == NULL || buf == NULL) { 161 RSAerror(ERR_R_MALLOC_FAILURE); 162 goto err; 163 } 164 165 switch (padding) { 166 case RSA_PKCS1_PADDING: 167 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 168 break; 169 #ifndef OPENSSL_NO_SHA 170 case RSA_PKCS1_OAEP_PADDING: 171 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 172 break; 173 #endif 174 case RSA_NO_PADDING: 175 i = RSA_padding_add_none(buf, num, from, flen); 176 break; 177 default: 178 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 179 goto err; 180 } 181 if (i <= 0) 182 goto err; 183 184 if (BN_bin2bn(buf, num, f) == NULL) 185 goto err; 186 187 if (BN_ucmp(f, rsa->n) >= 0) { 188 /* usually the padding functions would catch this */ 189 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 190 goto err; 191 } 192 193 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 194 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 195 CRYPTO_LOCK_RSA, rsa->n, ctx)) 196 goto err; 197 } 198 199 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 200 rsa->_method_mod_n)) 201 goto err; 202 203 /* put in leading 0 bytes if the number is less than the 204 * length of the modulus */ 205 j = BN_num_bytes(ret); 206 i = BN_bn2bin(ret, &(to[num - j])); 207 for (k = 0; k < num - i; k++) 208 to[k] = 0; 209 210 r = num; 211 err: 212 if (ctx != NULL) { 213 BN_CTX_end(ctx); 214 BN_CTX_free(ctx); 215 } 216 freezero(buf, num); 217 return r; 218 } 219 220 static BN_BLINDING * 221 rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 222 { 223 BN_BLINDING *ret; 224 int got_write_lock = 0; 225 226 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 227 228 if (rsa->blinding == NULL) { 229 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 230 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 231 got_write_lock = 1; 232 233 if (rsa->blinding == NULL) 234 rsa->blinding = RSA_setup_blinding(rsa, ctx); 235 } 236 237 if ((ret = rsa->blinding) == NULL) 238 goto err; 239 240 /* 241 * We need a shared blinding. Accesses require locks and a copy of the 242 * blinding factor needs to be retained on use. 243 */ 244 if ((*local = BN_BLINDING_is_local(ret)) == 0) { 245 if (rsa->mt_blinding == NULL) { 246 if (!got_write_lock) { 247 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 248 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 249 got_write_lock = 1; 250 } 251 252 if (rsa->mt_blinding == NULL) 253 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 254 } 255 ret = rsa->mt_blinding; 256 } 257 258 err: 259 if (got_write_lock) 260 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 261 else 262 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 263 264 return ret; 265 } 266 267 static int 268 rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 269 { 270 if (unblind == NULL) 271 /* 272 * Local blinding: store the unblinding factor 273 * in BN_BLINDING. 274 */ 275 return BN_BLINDING_convert(f, NULL, b, ctx); 276 else { 277 /* 278 * Shared blinding: store the unblinding factor 279 * outside BN_BLINDING. 280 */ 281 int ret; 282 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 283 ret = BN_BLINDING_convert(f, unblind, b, ctx); 284 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 285 return ret; 286 } 287 } 288 289 static int 290 rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx) 291 { 292 /* 293 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert() 294 * will use the unblinding factor stored in BN_BLINDING. 295 * If BN_BLINDING is shared between threads, unblind must be non-null: 296 * BN_BLINDING_invert() will then use the local unblinding factor, 297 * and will only read the modulus from BN_BLINDING. 298 * In both cases it's safe to access the blinding without a lock. 299 */ 300 return BN_BLINDING_invert(f, unblind, b, ctx); 301 } 302 303 /* signing */ 304 static int 305 rsa_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 306 RSA *rsa, int padding) 307 { 308 BIGNUM *f, *ret, *res; 309 int i, j, k, num = 0, r = -1; 310 unsigned char *buf = NULL; 311 BN_CTX *ctx = NULL; 312 int local_blinding = 0; 313 /* 314 * Used only if the blinding structure is shared. A non-NULL unblind 315 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 316 * the unblinding factor outside the blinding structure. 317 */ 318 BIGNUM *unblind = NULL; 319 BN_BLINDING *blinding = NULL; 320 321 if ((ctx = BN_CTX_new()) == NULL) 322 goto err; 323 324 BN_CTX_start(ctx); 325 f = BN_CTX_get(ctx); 326 ret = BN_CTX_get(ctx); 327 num = BN_num_bytes(rsa->n); 328 buf = malloc(num); 329 330 if (f == NULL || ret == NULL || buf == NULL) { 331 RSAerror(ERR_R_MALLOC_FAILURE); 332 goto err; 333 } 334 335 switch (padding) { 336 case RSA_PKCS1_PADDING: 337 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 338 break; 339 case RSA_X931_PADDING: 340 i = RSA_padding_add_X931(buf, num, from, flen); 341 break; 342 case RSA_NO_PADDING: 343 i = RSA_padding_add_none(buf, num, from, flen); 344 break; 345 default: 346 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 347 goto err; 348 } 349 if (i <= 0) 350 goto err; 351 352 if (BN_bin2bn(buf, num, f) == NULL) 353 goto err; 354 355 if (BN_ucmp(f, rsa->n) >= 0) { 356 /* usually the padding functions would catch this */ 357 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 358 goto err; 359 } 360 361 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 362 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 363 CRYPTO_LOCK_RSA, rsa->n, ctx)) 364 goto err; 365 } 366 367 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 368 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 369 if (blinding == NULL) { 370 RSAerror(ERR_R_INTERNAL_ERROR); 371 goto err; 372 } 373 } 374 375 if (blinding != NULL) { 376 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 377 RSAerror(ERR_R_MALLOC_FAILURE); 378 goto err; 379 } 380 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 381 goto err; 382 } 383 384 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 385 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 386 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 387 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 388 goto err; 389 } else { 390 BIGNUM d; 391 392 BN_init(&d); 393 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 394 395 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 396 rsa->_method_mod_n)) { 397 goto err; 398 } 399 } 400 401 if (blinding) 402 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 403 goto err; 404 405 if (padding == RSA_X931_PADDING) { 406 if (!BN_sub(f, rsa->n, ret)) 407 goto err; 408 if (BN_cmp(ret, f) > 0) 409 res = f; 410 else 411 res = ret; 412 } else 413 res = ret; 414 415 /* put in leading 0 bytes if the number is less than the 416 * length of the modulus */ 417 j = BN_num_bytes(res); 418 i = BN_bn2bin(res, &(to[num - j])); 419 for (k = 0; k < num - i; k++) 420 to[k] = 0; 421 422 r = num; 423 err: 424 if (ctx != NULL) { 425 BN_CTX_end(ctx); 426 BN_CTX_free(ctx); 427 } 428 freezero(buf, num); 429 return r; 430 } 431 432 static int 433 rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 434 RSA *rsa, int padding) 435 { 436 BIGNUM *f, *ret; 437 int j, num = 0, r = -1; 438 unsigned char *p; 439 unsigned char *buf = NULL; 440 BN_CTX *ctx = NULL; 441 int local_blinding = 0; 442 /* 443 * Used only if the blinding structure is shared. A non-NULL unblind 444 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 445 * the unblinding factor outside the blinding structure. 446 */ 447 BIGNUM *unblind = NULL; 448 BN_BLINDING *blinding = NULL; 449 450 if ((ctx = BN_CTX_new()) == NULL) 451 goto err; 452 453 BN_CTX_start(ctx); 454 f = BN_CTX_get(ctx); 455 ret = BN_CTX_get(ctx); 456 num = BN_num_bytes(rsa->n); 457 buf = malloc(num); 458 459 if (!f || !ret || !buf) { 460 RSAerror(ERR_R_MALLOC_FAILURE); 461 goto err; 462 } 463 464 /* This check was for equality but PGP does evil things 465 * and chops off the top '0' bytes */ 466 if (flen > num) { 467 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 468 goto err; 469 } 470 471 /* make data into a big number */ 472 if (BN_bin2bn(from, (int)flen, f) == NULL) 473 goto err; 474 475 if (BN_ucmp(f, rsa->n) >= 0) { 476 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 477 goto err; 478 } 479 480 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 481 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 482 CRYPTO_LOCK_RSA, rsa->n, ctx)) 483 goto err; 484 } 485 486 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 487 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 488 if (blinding == NULL) { 489 RSAerror(ERR_R_INTERNAL_ERROR); 490 goto err; 491 } 492 } 493 494 if (blinding != NULL) { 495 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 496 RSAerror(ERR_R_MALLOC_FAILURE); 497 goto err; 498 } 499 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 500 goto err; 501 } 502 503 /* do the decrypt */ 504 if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 505 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL && 506 rsa->dmq1 != NULL && rsa->iqmp != NULL)) { 507 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 508 goto err; 509 } else { 510 BIGNUM d; 511 512 BN_init(&d); 513 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 514 515 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, 516 rsa->_method_mod_n)) { 517 goto err; 518 } 519 } 520 521 if (blinding) 522 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 523 goto err; 524 525 p = buf; 526 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 527 528 switch (padding) { 529 case RSA_PKCS1_PADDING: 530 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 531 break; 532 #ifndef OPENSSL_NO_SHA 533 case RSA_PKCS1_OAEP_PADDING: 534 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 535 break; 536 #endif 537 case RSA_NO_PADDING: 538 r = RSA_padding_check_none(to, num, buf, j, num); 539 break; 540 default: 541 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 542 goto err; 543 } 544 if (r < 0) 545 RSAerror(RSA_R_PADDING_CHECK_FAILED); 546 547 err: 548 if (ctx != NULL) { 549 BN_CTX_end(ctx); 550 BN_CTX_free(ctx); 551 } 552 freezero(buf, num); 553 return r; 554 } 555 556 /* signature verification */ 557 static int 558 rsa_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 559 RSA *rsa, int padding) 560 { 561 BIGNUM *f, *ret; 562 int i, num = 0, r = -1; 563 unsigned char *p; 564 unsigned char *buf = NULL; 565 BN_CTX *ctx = NULL; 566 567 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 568 RSAerror(RSA_R_MODULUS_TOO_LARGE); 569 return -1; 570 } 571 572 if (BN_ucmp(rsa->n, rsa->e) <= 0) { 573 RSAerror(RSA_R_BAD_E_VALUE); 574 return -1; 575 } 576 577 /* for large moduli, enforce exponent limit */ 578 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 579 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 580 RSAerror(RSA_R_BAD_E_VALUE); 581 return -1; 582 } 583 } 584 585 if ((ctx = BN_CTX_new()) == NULL) 586 goto err; 587 588 BN_CTX_start(ctx); 589 f = BN_CTX_get(ctx); 590 ret = BN_CTX_get(ctx); 591 num = BN_num_bytes(rsa->n); 592 buf = malloc(num); 593 594 if (!f || !ret || !buf) { 595 RSAerror(ERR_R_MALLOC_FAILURE); 596 goto err; 597 } 598 599 /* This check was for equality but PGP does evil things 600 * and chops off the top '0' bytes */ 601 if (flen > num) { 602 RSAerror(RSA_R_DATA_GREATER_THAN_MOD_LEN); 603 goto err; 604 } 605 606 if (BN_bin2bn(from, flen, f) == NULL) 607 goto err; 608 609 if (BN_ucmp(f, rsa->n) >= 0) { 610 RSAerror(RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 611 goto err; 612 } 613 614 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 615 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 616 CRYPTO_LOCK_RSA, rsa->n, ctx)) 617 goto err; 618 } 619 620 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 621 rsa->_method_mod_n)) 622 goto err; 623 624 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12) 625 if (!BN_sub(ret, rsa->n, ret)) 626 goto err; 627 628 p = buf; 629 i = BN_bn2bin(ret, p); 630 631 switch (padding) { 632 case RSA_PKCS1_PADDING: 633 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 634 break; 635 case RSA_X931_PADDING: 636 r = RSA_padding_check_X931(to, num, buf, i, num); 637 break; 638 case RSA_NO_PADDING: 639 r = RSA_padding_check_none(to, num, buf, i, num); 640 break; 641 default: 642 RSAerror(RSA_R_UNKNOWN_PADDING_TYPE); 643 goto err; 644 } 645 if (r < 0) 646 RSAerror(RSA_R_PADDING_CHECK_FAILED); 647 648 err: 649 if (ctx != NULL) { 650 BN_CTX_end(ctx); 651 BN_CTX_free(ctx); 652 } 653 freezero(buf, num); 654 return r; 655 } 656 657 static int 658 rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 659 { 660 BIGNUM *r1, *m1, *vrfy; 661 BIGNUM dmp1, dmq1, c, pr1; 662 int ret = 0; 663 664 BN_CTX_start(ctx); 665 r1 = BN_CTX_get(ctx); 666 m1 = BN_CTX_get(ctx); 667 vrfy = BN_CTX_get(ctx); 668 if (r1 == NULL || m1 == NULL || vrfy == NULL) { 669 RSAerror(ERR_R_MALLOC_FAILURE); 670 goto err; 671 } 672 673 { 674 BIGNUM p, q; 675 676 /* 677 * Make sure BN_mod_inverse in Montgomery initialization uses the 678 * BN_FLG_CONSTTIME flag 679 */ 680 BN_init(&p); 681 BN_init(&q); 682 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); 683 BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); 684 685 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 686 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 687 CRYPTO_LOCK_RSA, &p, ctx) || 688 !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 689 CRYPTO_LOCK_RSA, &q, ctx)) { 690 goto err; 691 } 692 } 693 } 694 695 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { 696 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 697 CRYPTO_LOCK_RSA, rsa->n, ctx)) 698 goto err; 699 } 700 701 /* compute I mod q */ 702 BN_init(&c); 703 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 704 705 if (!BN_mod_ct(r1, &c, rsa->q, ctx)) 706 goto err; 707 708 /* compute r1^dmq1 mod q */ 709 BN_init(&dmq1); 710 BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 711 712 if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, 713 rsa->_method_mod_q)) 714 goto err; 715 716 /* compute I mod p */ 717 BN_init(&c); 718 BN_with_flags(&c, I, BN_FLG_CONSTTIME); 719 720 if (!BN_mod_ct(r1, &c, rsa->p, ctx)) 721 goto err; 722 723 /* compute r1^dmp1 mod p */ 724 BN_init(&dmp1); 725 BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 726 727 if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, 728 rsa->_method_mod_p)) 729 goto err; 730 731 if (!BN_sub(r0, r0, m1)) 732 goto err; 733 734 /* 735 * This will help stop the size of r0 increasing, which does 736 * affect the multiply if it optimised for a power of 2 size 737 */ 738 if (BN_is_negative(r0)) 739 if (!BN_add(r0, r0, rsa->p)) 740 goto err; 741 742 if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 743 goto err; 744 745 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 746 BN_init(&pr1); 747 BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); 748 749 if (!BN_mod_ct(r0, &pr1, rsa->p, ctx)) 750 goto err; 751 752 /* 753 * If p < q it is occasionally possible for the correction of 754 * adding 'p' if r0 is negative above to leave the result still 755 * negative. This can break the private key operations: the following 756 * second correction should *always* correct this rare occurrence. 757 * This will *never* happen with OpenSSL generated keys because 758 * they ensure p > q [steve] 759 */ 760 if (BN_is_negative(r0)) 761 if (!BN_add(r0, r0, rsa->p)) 762 goto err; 763 if (!BN_mul(r1, r0, rsa->q, ctx)) 764 goto err; 765 if (!BN_add(r0, r1, m1)) 766 goto err; 767 768 if (rsa->e && rsa->n) { 769 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 770 rsa->_method_mod_n)) 771 goto err; 772 /* 773 * If 'I' was greater than (or equal to) rsa->n, the operation 774 * will be equivalent to using 'I mod n'. However, the result of 775 * the verify will *always* be less than 'n' so we don't check 776 * for absolute equality, just congruency. 777 */ 778 if (!BN_sub(vrfy, vrfy, I)) 779 goto err; 780 if (!BN_mod_ct(vrfy, vrfy, rsa->n, ctx)) 781 goto err; 782 if (BN_is_negative(vrfy)) 783 if (!BN_add(vrfy, vrfy, rsa->n)) 784 goto err; 785 if (!BN_is_zero(vrfy)) { 786 /* 787 * 'I' and 'vrfy' aren't congruent mod n. Don't leak 788 * miscalculated CRT output, just do a raw (slower) 789 * mod_exp and return that instead. 790 */ 791 BIGNUM d; 792 793 BN_init(&d); 794 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); 795 796 if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, 797 rsa->_method_mod_n)) { 798 goto err; 799 } 800 } 801 } 802 ret = 1; 803 err: 804 BN_CTX_end(ctx); 805 return ret; 806 } 807 808 static int 809 rsa_init(RSA *rsa) 810 { 811 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 812 return 1; 813 } 814 815 static int 816 rsa_finish(RSA *rsa) 817 { 818 BN_MONT_CTX_free(rsa->_method_mod_n); 819 BN_MONT_CTX_free(rsa->_method_mod_p); 820 BN_MONT_CTX_free(rsa->_method_mod_q); 821 822 return 1; 823 } 824 825 static const RSA_METHOD rsa_pkcs1_meth = { 826 .name = "OpenSSL PKCS#1 RSA", 827 .rsa_pub_enc = rsa_public_encrypt, 828 .rsa_pub_dec = rsa_public_decrypt, /* signature verification */ 829 .rsa_priv_enc = rsa_private_encrypt, /* signing */ 830 .rsa_priv_dec = rsa_private_decrypt, 831 .rsa_mod_exp = rsa_mod_exp, 832 .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if e == 3 */ 833 .init = rsa_init, 834 .finish = rsa_finish, 835 }; 836 837 const RSA_METHOD * 838 RSA_PKCS1_OpenSSL(void) 839 { 840 return &rsa_pkcs1_meth; 841 } 842 LCRYPTO_ALIAS(RSA_PKCS1_OpenSSL); 843 844 const RSA_METHOD * 845 RSA_PKCS1_SSLeay(void) 846 { 847 return RSA_PKCS1_OpenSSL(); 848 } 849 LCRYPTO_ALIAS(RSA_PKCS1_SSLeay); 850 851 int 852 RSA_bits(const RSA *r) 853 { 854 return BN_num_bits(r->n); 855 } 856 LCRYPTO_ALIAS(RSA_bits); 857 858 int 859 RSA_size(const RSA *r) 860 { 861 return BN_num_bytes(r->n); 862 } 863 LCRYPTO_ALIAS(RSA_size); 864 865 int 866 RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 867 RSA *rsa, int padding) 868 { 869 return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding); 870 } 871 LCRYPTO_ALIAS(RSA_public_encrypt); 872 873 int 874 RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 875 RSA *rsa, int padding) 876 { 877 return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding); 878 } 879 LCRYPTO_ALIAS(RSA_private_encrypt); 880 881 int 882 RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 883 RSA *rsa, int padding) 884 { 885 return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding); 886 } 887 LCRYPTO_ALIAS(RSA_private_decrypt); 888 889 int 890 RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 891 RSA *rsa, int padding) 892 { 893 return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); 894 } 895 LCRYPTO_ALIAS(RSA_public_decrypt); 896 897 int 898 RSA_flags(const RSA *r) 899 { 900 return r == NULL ? 0 : r->meth->flags; 901 } 902 LCRYPTO_ALIAS(RSA_flags); 903