]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/rsa/rsa_ossl.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update copyright year
[thirdparty/openssl.git] / crypto / rsa / rsa_ossl.c
CommitLineData
2039c421 1/*
8020d79b 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
46a64376 3 *
2a7b6f39 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
46a64376 8 */
58964a49 9
c5f87134
P		 10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
b39fc560 16#include "internal/cryptlib.h"
25f2138b 17#include "crypto/bn.h"
706457b7
DMSP		 18#include "rsa_local.h"
19#include "internal/constant_time.h"
58964a49 20
bf160551 21static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e 22 unsigned char *to, RSA *rsa, int padding);
bf160551 23static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e 24 unsigned char *to, RSA *rsa, int padding);
bf160551 25static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e 26 unsigned char *to, RSA *rsa, int padding);
bf160551 27static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e 28 unsigned char *to, RSA *rsa, int padding);
bf160551 29static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
0f113f3e 30 BN_CTX *ctx);
bf160551
RS		 31static int rsa_ossl_init(RSA *rsa);
32static int rsa_ossl_finish(RSA *rsa);
33static RSA_METHOD rsa_pkcs1_ossl_meth = {
076fc555 34 "OpenSSL PKCS#1 RSA",
bf160551
RS		 35 rsa_ossl_public_encrypt,
36 rsa_ossl_public_decrypt, /* signature verification */
37 rsa_ossl_private_encrypt, /* signing */
38 rsa_ossl_private_decrypt,
39 rsa_ossl_mod_exp,
0f113f3e
MC		 40 BN_mod_exp_mont, /* XXX probably we should not use Montgomery
41 * if e == 3 */
bf160551
RS		 42 rsa_ossl_init,
43 rsa_ossl_finish,
0f113f3e
MC		 44 RSA_FLAG_FIPS_METHOD, /* flags */
45 NULL,
46 0, /* rsa_sign */
47 0, /* rsa_verify */
665d899f
PY		 48 NULL, /* rsa_keygen */
49 NULL /* rsa_multi_prime_keygen */
0f113f3e 50};
58964a49 51
076fc555
RS		 52static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth;
53
54void RSA_set_default_method(const RSA_METHOD *meth)
55{
56 default_RSA_meth = meth;
57}
58
59const RSA_METHOD *RSA_get_default_method(void)
60{
61 return default_RSA_meth;
62}
63
b0700d2c 64const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
0f113f3e 65{
bf160551 66 return &rsa_pkcs1_ossl_meth;
0f113f3e 67}
58964a49 68
076fc555
RS		 69const RSA_METHOD *RSA_null_method(void)
70{
71 return NULL;
72}
73
bf160551 74static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 75 unsigned char *to, RSA *rsa, int padding)
76{
77 BIGNUM *f, *ret;
582ad5d4 78 int i, num = 0, r = -1;
0f113f3e
MC		 79 unsigned char *buf = NULL;
80 BN_CTX *ctx = NULL;
81
82 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
9311d0c4 83 ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 84 return -1;
85 }
86
87 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
9311d0c4 88 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 89 return -1;
90 }
91
92 /* for large moduli, enforce exponent limit */
93 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
94 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
9311d0c4 95 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 96 return -1;
97 }
98 }
99
afb638f1 100 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 101 goto err;
102 BN_CTX_start(ctx);
103 f = BN_CTX_get(ctx);
104 ret = BN_CTX_get(ctx);
105 num = BN_num_bytes(rsa->n);
106 buf = OPENSSL_malloc(num);
edea42c6 107 if (ret == NULL || buf == NULL) {
9311d0c4 108 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 109 goto err;
110 }
111
112 switch (padding) {
113 case RSA_PKCS1_PADDING:
23b2fc0b
P		 114 i = ossl_rsa_padding_add_PKCS1_type_2_ex(rsa->libctx, buf, num,
115 from, flen);
0f113f3e 116 break;
0f113f3e 117 case RSA_PKCS1_OAEP_PADDING:
23b2fc0b
P		 118 i = ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(rsa->libctx, buf, num,
119 from, flen, NULL, 0,
120 NULL, NULL);
0f113f3e 121 break;
0f113f3e
MC		 122 case RSA_NO_PADDING:
123 i = RSA_padding_add_none(buf, num, from, flen);
124 break;
125 default:
9311d0c4 126 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 127 goto err;
128 }
129 if (i <= 0)
130 goto err;
131
132 if (BN_bin2bn(buf, num, f) == NULL)
133 goto err;
134
135 if (BN_ucmp(f, rsa->n) >= 0) {
136 /* usually the padding functions would catch this */
9311d0c4 137 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 138 goto err;
139 }
140
141 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 142 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
143 rsa->n, ctx))
0f113f3e
MC		 144 goto err;
145
146 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
147 rsa->_method_mod_n))
148 goto err;
149
150 /*
582ad5d4
AP		 151 * BN_bn2binpad puts in leading 0 bytes if the number is less than
152 * the length of the modulus.
0f113f3e 153 */
582ad5d4 154 r = BN_bn2binpad(ret, to, num);
0f113f3e 155 err:
ce1415ed 156 BN_CTX_end(ctx);
23a1d5e9 157 BN_CTX_free(ctx);
4b45c6e5 158 OPENSSL_clear_free(buf, num);
8686c474 159 return r;
0f113f3e 160}
58964a49 161
675f605d 162static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
800e400d 163{
0f113f3e 164 BN_BLINDING *ret;
0f113f3e 165
d188a536 166 CRYPTO_THREAD_write_lock(rsa->lock);
0f113f3e
MC		 167
168 if (rsa->blinding == NULL) {
d188a536 169 rsa->blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 170 }
171
172 ret = rsa->blinding;
173 if (ret == NULL)
174 goto err;
175
0b1a07c8 176 if (BN_BLINDING_is_current_thread(ret)) {
0f113f3e
MC		 177 /* rsa->blinding is ours! */
178
179 *local = 1;
180 } else {
181 /* resort to rsa->mt_blinding instead */
182
183 /*
184 * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
185 * BN_BLINDING is shared, meaning that accesses require locks, and
186 * that the blinding factor must be stored outside the BN_BLINDING
187 */
188 *local = 0;
189
190 if (rsa->mt_blinding == NULL) {
d188a536 191 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 192 }
193 ret = rsa->mt_blinding;
194 }
5679bcce 195
675f605d 196 err:
d188a536 197 CRYPTO_THREAD_unlock(rsa->lock);
0f113f3e 198 return ret;
800e400d 199}
5679bcce 200
e5641d7f 201static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 202 BN_CTX *ctx)
203{
90862ab4 204 if (unblind == NULL) {
0f113f3e
MC		 205 /*
206 * Local blinding: store the unblinding factor in BN_BLINDING.
207 */
208 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
90862ab4 209 } else {
0f113f3e
MC		 210 /*
211 * Shared blinding: store the unblinding factor outside BN_BLINDING.
212 */
213 int ret;
0b1a07c8
AG		 214
215 BN_BLINDING_lock(b);
0f113f3e 216 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
0b1a07c8
AG		 217 BN_BLINDING_unlock(b);
218
0f113f3e
MC		 219 return ret;
220 }
221}
e5641d7f
BM		 222
223static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 224 BN_CTX *ctx)
225{
226 /*
227 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
228 * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
229 * is shared between threads, unblind must be non-null:
230 * BN_BLINDING_invert_ex will then use the local unblinding factor, and
231 * will only read the modulus from BN_BLINDING. In both cases it's safe
232 * to access the blinding without a lock.
233 */
234 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
235}
5679bcce 236
24cff6ce 237/* signing */
bf160551 238static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 239 unsigned char *to, RSA *rsa, int padding)
240{
241 BIGNUM *f, *ret, *res;
582ad5d4 242 int i, num = 0, r = -1;
0f113f3e
MC		 243 unsigned char *buf = NULL;
244 BN_CTX *ctx = NULL;
245 int local_blinding = 0;
246 /*
247 * Used only if the blinding structure is shared. A non-NULL unblind
248 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
249 * the unblinding factor outside the blinding structure.
250 */
251 BIGNUM *unblind = NULL;
252 BN_BLINDING *blinding = NULL;
253
afb638f1 254 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 255 goto err;
256 BN_CTX_start(ctx);
257 f = BN_CTX_get(ctx);
258 ret = BN_CTX_get(ctx);
259 num = BN_num_bytes(rsa->n);
260 buf = OPENSSL_malloc(num);
edea42c6 261 if (ret == NULL || buf == NULL) {
9311d0c4 262 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 263 goto err;
264 }
265
266 switch (padding) {
267 case RSA_PKCS1_PADDING:
268 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
269 break;
270 case RSA_X931_PADDING:
271 i = RSA_padding_add_X931(buf, num, from, flen);
272 break;
273 case RSA_NO_PADDING:
274 i = RSA_padding_add_none(buf, num, from, flen);
275 break;
0f113f3e 276 default:
9311d0c4 277 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 278 goto err;
279 }
280 if (i <= 0)
281 goto err;
282
283 if (BN_bin2bn(buf, num, f) == NULL)
284 goto err;
285
286 if (BN_ucmp(f, rsa->n) >= 0) {
287 /* usually the padding functions would catch this */
9311d0c4 288 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 289 goto err;
290 }
291
2cc3f68c
AP		 292 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
293 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
294 rsa->n, ctx))
295 goto err;
296
0f113f3e
MC		 297 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
298 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
299 if (blinding == NULL) {
9311d0c4 300 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 301 goto err;
302 }
303 }
304
305 if (blinding != NULL) {
306 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
9311d0c4 307 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 308 goto err;
309 }
310 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
311 goto err;
312 }
313
314 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
665d899f 315 (rsa->version == RSA_ASN1_VERSION_MULTI) ||
0f113f3e
MC		 316 ((rsa->p != NULL) &&
317 (rsa->q != NULL) &&
318 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
319 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
320 goto err;
321 } else {
5584f65a
MC		 322 BIGNUM *d = BN_new();
323 if (d == NULL) {
9311d0c4 324 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
5584f65a 325 goto err;
fd7d2520 326 }
7408f675 327 if (rsa->d == NULL) {
9311d0c4 328 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
7408f675
DO		 329 BN_free(d);
330 goto err;
331 }
5584f65a 332 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e 333
0f113f3e
MC		 334 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
335 rsa->_method_mod_n)) {
5584f65a 336 BN_free(d);
0f113f3e
MC		 337 goto err;
338 }
5584f65a
MC		 339 /* We MUST free d before any further use of rsa->d */
340 BN_free(d);
0f113f3e
MC		 341 }
342
343 if (blinding)
344 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
345 goto err;
346
347 if (padding == RSA_X931_PADDING) {
3d3cbce5
P		 348 if (!BN_sub(f, rsa->n, ret))
349 goto err;
0f113f3e
MC		 350 if (BN_cmp(ret, f) > 0)
351 res = f;
352 else
353 res = ret;
90862ab4 354 } else {
0f113f3e 355 res = ret;
90862ab4 356 }
0f113f3e
MC		 357
358 /*
582ad5d4
AP		 359 * BN_bn2binpad puts in leading 0 bytes if the number is less than
360 * the length of the modulus.
0f113f3e 361 */
582ad5d4 362 r = BN_bn2binpad(res, to, num);
0f113f3e 363 err:
ce1415ed 364 BN_CTX_end(ctx);
23a1d5e9 365 BN_CTX_free(ctx);
4b45c6e5 366 OPENSSL_clear_free(buf, num);
8686c474 367 return r;
0f113f3e 368}
58964a49 369
bf160551 370static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 371 unsigned char *to, RSA *rsa, int padding)
372{
373 BIGNUM *f, *ret;
374 int j, num = 0, r = -1;
0f113f3e
MC		 375 unsigned char *buf = NULL;
376 BN_CTX *ctx = NULL;
377 int local_blinding = 0;
378 /*
379 * Used only if the blinding structure is shared. A non-NULL unblind
380 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
381 * the unblinding factor outside the blinding structure.
382 */
383 BIGNUM *unblind = NULL;
384 BN_BLINDING *blinding = NULL;
385
afb638f1 386 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 387 goto err;
388 BN_CTX_start(ctx);
389 f = BN_CTX_get(ctx);
390 ret = BN_CTX_get(ctx);
391 num = BN_num_bytes(rsa->n);
392 buf = OPENSSL_malloc(num);
edea42c6 393 if (ret == NULL || buf == NULL) {
9311d0c4 394 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 395 goto err;
396 }
397
398 /*
399 * This check was for equality but PGP does evil things and chops off the
400 * top '0' bytes
401 */
402 if (flen > num) {
9311d0c4 403 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
0f113f3e
MC		 404 goto err;
405 }
406
407 /* make data into a big number */
408 if (BN_bin2bn(from, (int)flen, f) == NULL)
409 goto err;
410
411 if (BN_ucmp(f, rsa->n) >= 0) {
9311d0c4 412 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 413 goto err;
414 }
415
416 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
417 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
418 if (blinding == NULL) {
9311d0c4 419 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 420 goto err;
421 }
422 }
423
424 if (blinding != NULL) {
425 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
9311d0c4 426 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 427 goto err;
428 }
429 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
430 goto err;
431 }
432
433 /* do the decrypt */
434 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
665d899f 435 (rsa->version == RSA_ASN1_VERSION_MULTI) ||
0f113f3e
MC		 436 ((rsa->p != NULL) &&
437 (rsa->q != NULL) &&
438 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
439 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
440 goto err;
441 } else {
5584f65a
MC		 442 BIGNUM *d = BN_new();
443 if (d == NULL) {
9311d0c4 444 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
5584f65a 445 goto err;
7408f675
DO		 446 }
447 if (rsa->d == NULL) {
9311d0c4 448 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
7408f675
DO		 449 BN_free(d);
450 goto err;
fd7d2520 451 }
5584f65a 452 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e
MC		 453
454 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 455 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
456 rsa->n, ctx)) {
5584f65a 457 BN_free(d);
0f113f3e
MC		 458 goto err;
459 }
460 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
461 rsa->_method_mod_n)) {
5584f65a 462 BN_free(d);
0f113f3e
MC		 463 goto err;
464 }
5584f65a
MC		 465 /* We MUST free d before any further use of rsa->d */
466 BN_free(d);
0f113f3e
MC		 467 }
468
469 if (blinding)
470 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
471 goto err;
472
582ad5d4 473 j = BN_bn2binpad(ret, buf, num);
4a3dd629
P		 474 if (j < 0)
475 goto err;
0f113f3e
MC		 476
477 switch (padding) {
478 case RSA_PKCS1_PADDING:
479 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
480 break;
0f113f3e
MC		 481 case RSA_PKCS1_OAEP_PADDING:
482 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
483 break;
0f113f3e 484 case RSA_NO_PADDING:
582ad5d4 485 memcpy(to, buf, (r = j));
0f113f3e
MC		 486 break;
487 default:
9311d0c4 488 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 489 goto err;
490 }
f844f9eb 491#ifndef FIPS_MODULE
afb638f1
MC		 492 /*
493 * This trick doesn't work in the FIPS provider because libcrypto manages
494 * the error stack. Instead we opt not to put an error on the stack at all
495 * in case of padding failure in the FIPS provider.
496 */
9311d0c4 497 ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
94dc53a3 498 err_clear_last_constant_time(1 & ~constant_time_msb(r));
afb638f1 499#endif
0f113f3e
MC		 500
501 err:
ce1415ed 502 BN_CTX_end(ctx);
23a1d5e9 503 BN_CTX_free(ctx);
4b45c6e5 504 OPENSSL_clear_free(buf, num);
8686c474 505 return r;
0f113f3e 506}
58964a49 507
24cff6ce 508/* signature verification */
bf160551 509static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 510 unsigned char *to, RSA *rsa, int padding)
511{
512 BIGNUM *f, *ret;
513 int i, num = 0, r = -1;
0f113f3e
MC		 514 unsigned char *buf = NULL;
515 BN_CTX *ctx = NULL;
516
517 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
9311d0c4 518 ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 519 return -1;
520 }
521
522 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
9311d0c4 523 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 524 return -1;
525 }
526
527 /* for large moduli, enforce exponent limit */
528 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
529 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
9311d0c4 530 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 531 return -1;
532 }
533 }
534
afb638f1 535 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 536 goto err;
537 BN_CTX_start(ctx);
538 f = BN_CTX_get(ctx);
539 ret = BN_CTX_get(ctx);
540 num = BN_num_bytes(rsa->n);
541 buf = OPENSSL_malloc(num);
edea42c6 542 if (ret == NULL || buf == NULL) {
9311d0c4 543 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 544 goto err;
545 }
546
547 /*
548 * This check was for equality but PGP does evil things and chops off the
549 * top '0' bytes
550 */
551 if (flen > num) {
9311d0c4 552 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
0f113f3e
MC		 553 goto err;
554 }
555
556 if (BN_bin2bn(from, flen, f) == NULL)
557 goto err;
558
559 if (BN_ucmp(f, rsa->n) >= 0) {
9311d0c4 560 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 561 goto err;
562 }
563
564 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 565 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
566 rsa->n, ctx))
0f113f3e
MC		 567 goto err;
568
569 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
570 rsa->_method_mod_n))
571 goto err;
572
573 if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
574 if (!BN_sub(ret, rsa->n, ret))
575 goto err;
576
582ad5d4 577 i = BN_bn2binpad(ret, buf, num);
4a3dd629
P		 578 if (i < 0)
579 goto err;
0f113f3e
MC		 580
581 switch (padding) {
582 case RSA_PKCS1_PADDING:
583 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
584 break;
585 case RSA_X931_PADDING:
586 r = RSA_padding_check_X931(to, num, buf, i, num);
587 break;
588 case RSA_NO_PADDING:
582ad5d4 589 memcpy(to, buf, (r = i));
0f113f3e
MC		 590 break;
591 default:
9311d0c4 592 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 593 goto err;
594 }
595 if (r < 0)
9311d0c4 596 ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
0f113f3e
MC		 597
598 err:
ce1415ed 599 BN_CTX_end(ctx);
23a1d5e9 600 BN_CTX_free(ctx);
4b45c6e5 601 OPENSSL_clear_free(buf, num);
8686c474 602 return r;
0f113f3e 603}
58964a49 604
bf160551 605static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
0f113f3e 606{
afb638f1
MC		 607 BIGNUM *r1, *m1, *vrfy;
608 int ret = 0, smooth = 0;
f844f9eb 609#ifndef FIPS_MODULE
afb638f1
MC		 610 BIGNUM *r2, *m[RSA_MAX_PRIME_NUM - 2];
611 int i, ex_primes = 0;
665d899f 612 RSA_PRIME_INFO *pinfo;
afb638f1 613#endif
0f113f3e 614
c804d23d
PC		 615 BN_CTX_start(ctx);
616
0f113f3e 617 r1 = BN_CTX_get(ctx);
f844f9eb 618#ifndef FIPS_MODULE
665d899f 619 r2 = BN_CTX_get(ctx);
afb638f1 620#endif
0f113f3e
MC		 621 m1 = BN_CTX_get(ctx);
622 vrfy = BN_CTX_get(ctx);
5625567f
BE		 623 if (vrfy == NULL)
624 goto err;
0f113f3e 625
f844f9eb 626#ifndef FIPS_MODULE
665d899f 627 if (rsa->version == RSA_ASN1_VERSION_MULTI
a1471588
BE		 628 && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0
629 || ex_primes > RSA_MAX_PRIME_NUM - 2))
665d899f 630 goto err;
afb638f1 631#endif
665d899f 632
41bfd5e7
AP		 633 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
634 BIGNUM *factor = BN_new();
635
636 if (factor == NULL)
637 goto err;
0f113f3e
MC		 638
639 /*
0d4fb843 640 * Make sure BN_mod_inverse in Montgomery initialization uses the
5584f65a 641 * BN_FLG_CONSTTIME flag
0f113f3e 642 */
41bfd5e7
AP		 643 if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),
644 BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,
645 factor, ctx))
646 || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),
647 BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,
648 factor, ctx))) {
649 BN_free(factor);
5584f65a 650 goto err;
0f113f3e 651 }
f844f9eb 652#ifndef FIPS_MODULE
41bfd5e7
AP		 653 for (i = 0; i < ex_primes; i++) {
654 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
655 BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME);
656 if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) {
657 BN_free(factor);
0f113f3e
MC		 658 goto err;
659 }
660 }
afb638f1 661#endif
fd7d2520 662 /*
41bfd5e7 663 * We MUST free |factor| before any further use of the prime factors
fd7d2520 664 */
41bfd5e7
AP		 665 BN_free(factor);
666
afb638f1 667 smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
f844f9eb 668#ifndef FIPS_MODULE
afb638f1
MC		 669 && (ex_primes == 0)
670#endif
41bfd5e7 671 && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));
0f113f3e
MC		 672 }
673
674 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 675 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
676 rsa->n, ctx))
677 goto err;
678
679 if (smooth) {
680 /*
681 * Conversion from Montgomery domain, a.k.a. Montgomery reduction,
682 * accepts values in [0-m*2^w) range. w is m's bit width rounded up
683 * to limb width. So that at the very least if |I| is fully reduced,
684 * i.e. less than p*q, we can count on from-to round to perform
685 * below modulo operations on |I|. Unlike BN_mod it's constant time.
686 */
687 if (/* m1 = I moq q */
688 !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
689 || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
690 /* m1 = m1^dmq1 mod q */
691 || !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx,
692 rsa->_method_mod_q)
693 /* r1 = I mod p */
694 || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
695 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
696 /* r1 = r1^dmp1 mod p */
697 || !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx,
698 rsa->_method_mod_p)
699 /* r1 = (r1 - m1) mod p */
700 /*
701 * bn_mod_sub_fixed_top is not regular modular subtraction,
702 * it can tolerate subtrahend to be larger than modulus, but
703 * not bit-wise wider. This makes up for uncommon q>p case,
704 * when |m1| can be larger than |rsa->p|.
705 */
706 || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
707
d1c008f6 708 /* r1 = r1 * iqmp mod p */
41bfd5e7
AP		 709 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
710 || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
711 ctx)
d1c008f6 712 /* r0 = r1 * q + m1 */
41bfd5e7
AP		 713 || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
714 || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
0f113f3e
MC		 715 goto err;
716
41bfd5e7
AP		 717 goto tail;
718 }
719
0f113f3e 720 /* compute I mod q */
fd7d2520 721 {
5584f65a
MC		 722 BIGNUM *c = BN_new();
723 if (c == NULL)
724 goto err;
725 BN_with_flags(c, I, BN_FLG_CONSTTIME);
726
fd7d2520 727 if (!BN_mod(r1, c, rsa->q, ctx)) {
5584f65a 728 BN_free(c);
0f113f3e 729 goto err;
fd7d2520 730 }
0f113f3e 731
fd7d2520 732 {
5584f65a
MC		 733 BIGNUM *dmq1 = BN_new();
734 if (dmq1 == NULL) {
735 BN_free(c);
736 goto err;
fd7d2520 737 }
5584f65a
MC		 738 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
739
740 /* compute r1^dmq1 mod q */
fd7d2520 741 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
41bfd5e7 742 rsa->_method_mod_q)) {
5584f65a
MC		 743 BN_free(c);
744 BN_free(dmq1);
fd7d2520
MC		 745 goto err;
746 }
5584f65a
MC		 747 /* We MUST free dmq1 before any further use of rsa->dmq1 */
748 BN_free(dmq1);
fd7d2520 749 }
0f113f3e 750
fd7d2520
MC		 751 /* compute I mod p */
752 if (!BN_mod(r1, c, rsa->p, ctx)) {
5584f65a 753 BN_free(c);
0f113f3e 754 goto err;
fd7d2520 755 }
5584f65a
MC		 756 /* We MUST free c before any further use of I */
757 BN_free(c);
0f113f3e
MC		 758 }
759
fd7d2520 760 {
5584f65a
MC		 761 BIGNUM *dmp1 = BN_new();
762 if (dmp1 == NULL)
763 goto err;
764 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
765
fd7d2520 766 /* compute r1^dmp1 mod p */
fd7d2520
MC		 767 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
768 rsa->_method_mod_p)) {
5584f65a 769 BN_free(dmp1);
fd7d2520
MC		 770 goto err;
771 }
5584f65a
MC		 772 /* We MUST free dmp1 before any further use of rsa->dmp1 */
773 BN_free(dmp1);
fd7d2520 774 }
0f113f3e 775
f844f9eb 776#ifndef FIPS_MODULE
665d899f
PY		 777 /*
778 * calculate m_i in multi-prime case
779 *
780 * TODO:
781 * 1. squash the following two loops and calculate |m_i| there.
782 * 2. remove cc and reuse |c|.
783 * 3. remove |dmq1| and |dmp1| in previous block and use |di|.
784 *
785 * If these things are done, the code will be more readable.
786 */
787 if (ex_primes > 0) {
788 BIGNUM *di = BN_new(), *cc = BN_new();
789
790 if (cc == NULL || di == NULL) {
791 BN_free(cc);
792 BN_free(di);
793 goto err;
794 }
795
796 for (i = 0; i < ex_primes; i++) {
797 /* prepare m_i */
798 if ((m[i] = BN_CTX_get(ctx)) == NULL) {
799 BN_free(cc);
800 BN_free(di);
801 goto err;
802 }
803
804 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
805
806 /* prepare c and d_i */
807 BN_with_flags(cc, I, BN_FLG_CONSTTIME);
808 BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME);
809
810 if (!BN_mod(r1, cc, pinfo->r, ctx)) {
811 BN_free(cc);
812 BN_free(di);
813 goto err;
814 }
815 /* compute r1 ^ d_i mod r_i */
816 if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) {
817 BN_free(cc);
818 BN_free(di);
819 goto err;
820 }
821 }
822
823 BN_free(cc);
824 BN_free(di);
825 }
afb638f1 826#endif
665d899f 827
0f113f3e
MC		 828 if (!BN_sub(r0, r0, m1))
829 goto err;
830 /*
831 * This will help stop the size of r0 increasing, which does affect the
832 * multiply if it optimised for a power of 2 size
833 */
834 if (BN_is_negative(r0))
835 if (!BN_add(r0, r0, rsa->p))
836 goto err;
837
838 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
839 goto err;
840
fd7d2520 841 {
5584f65a
MC		 842 BIGNUM *pr1 = BN_new();
843 if (pr1 == NULL)
844 goto err;
845 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
846
fd7d2520 847 if (!BN_mod(r0, pr1, rsa->p, ctx)) {
5584f65a 848 BN_free(pr1);
fd7d2520
MC		 849 goto err;
850 }
5584f65a
MC		 851 /* We MUST free pr1 before any further use of r1 */
852 BN_free(pr1);
fd7d2520 853 }
0f113f3e
MC		 854
855 /*
856 * If p < q it is occasionally possible for the correction of adding 'p'
857 * if r0 is negative above to leave the result still negative. This can
858 * break the private key operations: the following second correction
859 * should *always* correct this rare occurrence. This will *never* happen
860 * with OpenSSL generated keys because they ensure p > q [steve]
861 */
862 if (BN_is_negative(r0))
863 if (!BN_add(r0, r0, rsa->p))
864 goto err;
865 if (!BN_mul(r1, r0, rsa->q, ctx))
866 goto err;
867 if (!BN_add(r0, r1, m1))
868 goto err;
869
f844f9eb 870#ifndef FIPS_MODULE
665d899f
PY		 871 /* add m_i to m in multi-prime case */
872 if (ex_primes > 0) {
873 BIGNUM *pr2 = BN_new();
874
875 if (pr2 == NULL)
876 goto err;
877
878 for (i = 0; i < ex_primes; i++) {
879 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
880 if (!BN_sub(r1, m[i], r0)) {
881 BN_free(pr2);
882 goto err;
883 }
884
885 if (!BN_mul(r2, r1, pinfo->t, ctx)) {
886 BN_free(pr2);
887 goto err;
888 }
889
890 BN_with_flags(pr2, r2, BN_FLG_CONSTTIME);
891
892 if (!BN_mod(r1, pr2, pinfo->r, ctx)) {
893 BN_free(pr2);
894 goto err;
895 }
896
897 if (BN_is_negative(r1))
898 if (!BN_add(r1, r1, pinfo->r)) {
899 BN_free(pr2);
900 goto err;
901 }
902 if (!BN_mul(r1, r1, pinfo->pp, ctx)) {
903 BN_free(pr2);
904 goto err;
905 }
906 if (!BN_add(r0, r0, r1)) {
907 BN_free(pr2);
908 goto err;
909 }
910 }
911 BN_free(pr2);
912 }
afb638f1 913#endif
665d899f 914
41bfd5e7 915 tail:
0f113f3e 916 if (rsa->e && rsa->n) {
41bfd5e7
AP		 917 if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
918 if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
919 rsa->_method_mod_n))
920 goto err;
921 } else {
922 bn_correct_top(r0);
923 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
924 rsa->_method_mod_n))
925 goto err;
926 }
0f113f3e
MC		 927 /*
928 * If 'I' was greater than (or equal to) rsa->n, the operation will
929 * be equivalent to using 'I mod n'. However, the result of the
930 * verify will *always* be less than 'n' so we don't check for
931 * absolute equality, just congruency.
932 */
933 if (!BN_sub(vrfy, vrfy, I))
934 goto err;
41bfd5e7
AP		 935 if (BN_is_zero(vrfy)) {
936 bn_correct_top(r0);
937 ret = 1;
938 goto err; /* not actually error */
939 }
0f113f3e
MC		 940 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
941 goto err;
942 if (BN_is_negative(vrfy))
943 if (!BN_add(vrfy, vrfy, rsa->n))
944 goto err;
945 if (!BN_is_zero(vrfy)) {
946 /*
947 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
948 * miscalculated CRT output, just do a raw (slower) mod_exp and
949 * return that instead.
950 */
951
5584f65a
MC		 952 BIGNUM *d = BN_new();
953 if (d == NULL)
954 goto err;
955 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e 956
0f113f3e
MC		 957 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
958 rsa->_method_mod_n)) {
5584f65a 959 BN_free(d);
0f113f3e
MC		 960 goto err;
961 }
5584f65a
MC		 962 /* We MUST free d before any further use of rsa->d */
963 BN_free(d);
0f113f3e
MC		 964 }
965 }
41bfd5e7
AP		 966 /*
967 * It's unfortunate that we have to bn_correct_top(r0). What hopefully
968 * saves the day is that correction is highly unlike, and private key
969 * operations are customarily performed on blinded message. Which means
970 * that attacker won't observe correlation with chosen plaintext.
971 * Secondly, remaining code would still handle it in same computational
972 * time and even conceal memory access pattern around corrected top.
973 */
974 bn_correct_top(r0);
0f113f3e
MC		 975 ret = 1;
976 err:
0f113f3e 977 BN_CTX_end(ctx);
8686c474 978 return ret;
0f113f3e 979}
58964a49 980
bf160551 981static int rsa_ossl_init(RSA *rsa)
0f113f3e
MC		 982{
983 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
8686c474 984 return 1;
0f113f3e 985}
58964a49 986
bf160551 987static int rsa_ossl_finish(RSA *rsa)
0f113f3e 988{
f844f9eb 989#ifndef FIPS_MODULE
665d899f
PY		 990 int i;
991 RSA_PRIME_INFO *pinfo;
992
665d899f
PY		 993 for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) {
994 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
995 BN_MONT_CTX_free(pinfo->m);
996 }
afb638f1
MC		 997#endif
998
999 BN_MONT_CTX_free(rsa->_method_mod_n);
1000 BN_MONT_CTX_free(rsa->_method_mod_p);
1001 BN_MONT_CTX_free(rsa->_method_mod_q);
8686c474 1002 return 1;
0f113f3e 1003}
A mirror of the official openssl repository