]>
Commit | Line | Data |
---|---|---|
2039c421 | 1 | /* |
edea42c6 | 2 | * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. |
46a64376 | 3 | * |
2039c421 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
46a64376 | 8 | */ |
58964a49 | 9 | |
b39fc560 | 10 | #include "internal/cryptlib.h" |
18125f7f | 11 | #include "internal/bn_int.h" |
9862e9aa | 12 | #include "rsa_locl.h" |
58964a49 | 13 | |
bf160551 | 14 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, |
0f113f3e | 15 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 16 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, |
0f113f3e | 17 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 18 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, |
0f113f3e | 19 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 20 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, |
0f113f3e | 21 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 22 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, |
0f113f3e | 23 | BN_CTX *ctx); |
bf160551 RS |
24 | static int rsa_ossl_init(RSA *rsa); |
25 | static int rsa_ossl_finish(RSA *rsa); | |
26 | static RSA_METHOD rsa_pkcs1_ossl_meth = { | |
076fc555 | 27 | "OpenSSL PKCS#1 RSA", |
bf160551 RS |
28 | rsa_ossl_public_encrypt, |
29 | rsa_ossl_public_decrypt, /* signature verification */ | |
30 | rsa_ossl_private_encrypt, /* signing */ | |
31 | rsa_ossl_private_decrypt, | |
32 | rsa_ossl_mod_exp, | |
0f113f3e MC |
33 | BN_mod_exp_mont, /* XXX probably we should not use Montgomery |
34 | * if e == 3 */ | |
bf160551 RS |
35 | rsa_ossl_init, |
36 | rsa_ossl_finish, | |
0f113f3e MC |
37 | RSA_FLAG_FIPS_METHOD, /* flags */ |
38 | NULL, | |
39 | 0, /* rsa_sign */ | |
40 | 0, /* rsa_verify */ | |
41 | NULL /* rsa_keygen */ | |
42 | }; | |
58964a49 | 43 | |
076fc555 RS |
44 | static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth; |
45 | ||
46 | void RSA_set_default_method(const RSA_METHOD *meth) | |
47 | { | |
48 | default_RSA_meth = meth; | |
49 | } | |
50 | ||
51 | const RSA_METHOD *RSA_get_default_method(void) | |
52 | { | |
53 | return default_RSA_meth; | |
54 | } | |
55 | ||
b0700d2c | 56 | const RSA_METHOD *RSA_PKCS1_OpenSSL(void) |
0f113f3e | 57 | { |
bf160551 | 58 | return &rsa_pkcs1_ossl_meth; |
0f113f3e | 59 | } |
58964a49 | 60 | |
076fc555 RS |
61 | const RSA_METHOD *RSA_null_method(void) |
62 | { | |
63 | return NULL; | |
64 | } | |
65 | ||
bf160551 | 66 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, |
0f113f3e MC |
67 | unsigned char *to, RSA *rsa, int padding) |
68 | { | |
69 | BIGNUM *f, *ret; | |
70 | int i, j, k, num = 0, r = -1; | |
71 | unsigned char *buf = NULL; | |
72 | BN_CTX *ctx = NULL; | |
73 | ||
74 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { | |
bf160551 | 75 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); |
0f113f3e MC |
76 | return -1; |
77 | } | |
78 | ||
79 | if (BN_ucmp(rsa->n, rsa->e) <= 0) { | |
bf160551 | 80 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
81 | return -1; |
82 | } | |
83 | ||
84 | /* for large moduli, enforce exponent limit */ | |
85 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { | |
86 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { | |
bf160551 | 87 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
88 | return -1; |
89 | } | |
90 | } | |
91 | ||
92 | if ((ctx = BN_CTX_new()) == NULL) | |
93 | goto err; | |
94 | BN_CTX_start(ctx); | |
95 | f = BN_CTX_get(ctx); | |
96 | ret = BN_CTX_get(ctx); | |
97 | num = BN_num_bytes(rsa->n); | |
98 | buf = OPENSSL_malloc(num); | |
edea42c6 | 99 | if (ret == NULL || buf == NULL) { |
bf160551 | 100 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
101 | goto err; |
102 | } | |
103 | ||
104 | switch (padding) { | |
105 | case RSA_PKCS1_PADDING: | |
106 | i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); | |
107 | break; | |
0f113f3e MC |
108 | case RSA_PKCS1_OAEP_PADDING: |
109 | i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); | |
110 | break; | |
0f113f3e MC |
111 | case RSA_SSLV23_PADDING: |
112 | i = RSA_padding_add_SSLv23(buf, num, from, flen); | |
113 | break; | |
114 | case RSA_NO_PADDING: | |
115 | i = RSA_padding_add_none(buf, num, from, flen); | |
116 | break; | |
117 | default: | |
bf160551 | 118 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
119 | goto err; |
120 | } | |
121 | if (i <= 0) | |
122 | goto err; | |
123 | ||
124 | if (BN_bin2bn(buf, num, f) == NULL) | |
125 | goto err; | |
126 | ||
127 | if (BN_ucmp(f, rsa->n) >= 0) { | |
128 | /* usually the padding functions would catch this */ | |
bf160551 | 129 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, |
0f113f3e MC |
130 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
131 | goto err; | |
132 | } | |
133 | ||
134 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
135 | if (!BN_MONT_CTX_set_locked | |
d188a536 | 136 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) |
0f113f3e MC |
137 | goto err; |
138 | ||
139 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, | |
140 | rsa->_method_mod_n)) | |
141 | goto err; | |
142 | ||
143 | /* | |
144 | * put in leading 0 bytes if the number is less than the length of the | |
145 | * modulus | |
146 | */ | |
147 | j = BN_num_bytes(ret); | |
148 | i = BN_bn2bin(ret, &(to[num - j])); | |
149 | for (k = 0; k < (num - i); k++) | |
150 | to[k] = 0; | |
151 | ||
152 | r = num; | |
153 | err: | |
23a1d5e9 | 154 | if (ctx != NULL) |
0f113f3e | 155 | BN_CTX_end(ctx); |
23a1d5e9 | 156 | BN_CTX_free(ctx); |
4b45c6e5 | 157 | OPENSSL_clear_free(buf, num); |
8686c474 | 158 | return r; |
0f113f3e | 159 | } |
58964a49 | 160 | |
675f605d | 161 | static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) |
800e400d | 162 | { |
0f113f3e | 163 | BN_BLINDING *ret; |
0f113f3e | 164 | |
d188a536 | 165 | CRYPTO_THREAD_write_lock(rsa->lock); |
0f113f3e MC |
166 | |
167 | if (rsa->blinding == NULL) { | |
d188a536 | 168 | rsa->blinding = RSA_setup_blinding(rsa, ctx); |
0f113f3e MC |
169 | } |
170 | ||
171 | ret = rsa->blinding; | |
172 | if (ret == NULL) | |
173 | goto err; | |
174 | ||
0b1a07c8 | 175 | if (BN_BLINDING_is_current_thread(ret)) { |
0f113f3e MC |
176 | /* rsa->blinding is ours! */ |
177 | ||
178 | *local = 1; | |
179 | } else { | |
180 | /* resort to rsa->mt_blinding instead */ | |
181 | ||
182 | /* | |
183 | * instructs rsa_blinding_convert(), rsa_blinding_invert() that the | |
184 | * BN_BLINDING is shared, meaning that accesses require locks, and | |
185 | * that the blinding factor must be stored outside the BN_BLINDING | |
186 | */ | |
187 | *local = 0; | |
188 | ||
189 | if (rsa->mt_blinding == NULL) { | |
d188a536 | 190 | rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); |
0f113f3e MC |
191 | } |
192 | ret = rsa->mt_blinding; | |
193 | } | |
5679bcce | 194 | |
675f605d | 195 | err: |
d188a536 | 196 | CRYPTO_THREAD_unlock(rsa->lock); |
0f113f3e | 197 | return ret; |
800e400d | 198 | } |
5679bcce | 199 | |
e5641d7f | 200 | static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, |
0f113f3e MC |
201 | BN_CTX *ctx) |
202 | { | |
90862ab4 | 203 | if (unblind == NULL) { |
0f113f3e MC |
204 | /* |
205 | * Local blinding: store the unblinding factor in BN_BLINDING. | |
206 | */ | |
207 | return BN_BLINDING_convert_ex(f, NULL, b, ctx); | |
90862ab4 | 208 | } else { |
0f113f3e MC |
209 | /* |
210 | * Shared blinding: store the unblinding factor outside BN_BLINDING. | |
211 | */ | |
212 | int ret; | |
0b1a07c8 AG |
213 | |
214 | BN_BLINDING_lock(b); | |
0f113f3e | 215 | ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); |
0b1a07c8 AG |
216 | BN_BLINDING_unlock(b); |
217 | ||
0f113f3e MC |
218 | return ret; |
219 | } | |
220 | } | |
e5641d7f BM |
221 | |
222 | static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, | |
0f113f3e MC |
223 | BN_CTX *ctx) |
224 | { | |
225 | /* | |
226 | * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex | |
227 | * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING | |
228 | * is shared between threads, unblind must be non-null: | |
229 | * BN_BLINDING_invert_ex will then use the local unblinding factor, and | |
230 | * will only read the modulus from BN_BLINDING. In both cases it's safe | |
231 | * to access the blinding without a lock. | |
232 | */ | |
233 | return BN_BLINDING_invert_ex(f, unblind, b, ctx); | |
234 | } | |
5679bcce | 235 | |
24cff6ce | 236 | /* signing */ |
bf160551 | 237 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, |
0f113f3e MC |
238 | unsigned char *to, RSA *rsa, int padding) |
239 | { | |
240 | BIGNUM *f, *ret, *res; | |
241 | int i, j, k, num = 0, r = -1; | |
242 | unsigned char *buf = NULL; | |
243 | BN_CTX *ctx = NULL; | |
244 | int local_blinding = 0; | |
245 | /* | |
246 | * Used only if the blinding structure is shared. A non-NULL unblind | |
247 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
248 | * the unblinding factor outside the blinding structure. | |
249 | */ | |
250 | BIGNUM *unblind = NULL; | |
251 | BN_BLINDING *blinding = NULL; | |
252 | ||
253 | if ((ctx = BN_CTX_new()) == NULL) | |
254 | goto err; | |
255 | BN_CTX_start(ctx); | |
256 | f = BN_CTX_get(ctx); | |
257 | ret = BN_CTX_get(ctx); | |
258 | num = BN_num_bytes(rsa->n); | |
259 | buf = OPENSSL_malloc(num); | |
edea42c6 | 260 | if (ret == NULL || buf == NULL) { |
bf160551 | 261 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
262 | goto err; |
263 | } | |
264 | ||
265 | switch (padding) { | |
266 | case RSA_PKCS1_PADDING: | |
267 | i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); | |
268 | break; | |
269 | case RSA_X931_PADDING: | |
270 | i = RSA_padding_add_X931(buf, num, from, flen); | |
271 | break; | |
272 | case RSA_NO_PADDING: | |
273 | i = RSA_padding_add_none(buf, num, from, flen); | |
274 | break; | |
275 | case RSA_SSLV23_PADDING: | |
276 | default: | |
bf160551 | 277 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
278 | goto err; |
279 | } | |
280 | if (i <= 0) | |
281 | goto err; | |
282 | ||
283 | if (BN_bin2bn(buf, num, f) == NULL) | |
284 | goto err; | |
285 | ||
286 | if (BN_ucmp(f, rsa->n) >= 0) { | |
287 | /* usually the padding functions would catch this */ | |
bf160551 | 288 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, |
0f113f3e MC |
289 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
290 | goto err; | |
291 | } | |
292 | ||
293 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { | |
294 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
295 | if (blinding == NULL) { | |
bf160551 | 296 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
297 | goto err; |
298 | } | |
299 | } | |
300 | ||
301 | if (blinding != NULL) { | |
302 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { | |
bf160551 | 303 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
304 | goto err; |
305 | } | |
306 | if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
307 | goto err; | |
308 | } | |
309 | ||
310 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) || | |
311 | ((rsa->p != NULL) && | |
312 | (rsa->q != NULL) && | |
313 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { | |
314 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | |
315 | goto err; | |
316 | } else { | |
5584f65a MC |
317 | BIGNUM *d = BN_new(); |
318 | if (d == NULL) { | |
319 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); | |
320 | goto err; | |
fd7d2520 | 321 | } |
5584f65a | 322 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
0f113f3e MC |
323 | |
324 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
325 | if (!BN_MONT_CTX_set_locked | |
d188a536 | 326 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) { |
5584f65a | 327 | BN_free(d); |
0f113f3e MC |
328 | goto err; |
329 | } | |
330 | ||
331 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, | |
332 | rsa->_method_mod_n)) { | |
5584f65a | 333 | BN_free(d); |
0f113f3e MC |
334 | goto err; |
335 | } | |
5584f65a MC |
336 | /* We MUST free d before any further use of rsa->d */ |
337 | BN_free(d); | |
0f113f3e MC |
338 | } |
339 | ||
340 | if (blinding) | |
341 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | |
342 | goto err; | |
343 | ||
344 | if (padding == RSA_X931_PADDING) { | |
345 | BN_sub(f, rsa->n, ret); | |
346 | if (BN_cmp(ret, f) > 0) | |
347 | res = f; | |
348 | else | |
349 | res = ret; | |
90862ab4 | 350 | } else { |
0f113f3e | 351 | res = ret; |
90862ab4 | 352 | } |
0f113f3e MC |
353 | |
354 | /* | |
355 | * put in leading 0 bytes if the number is less than the length of the | |
356 | * modulus | |
357 | */ | |
358 | j = BN_num_bytes(res); | |
359 | i = BN_bn2bin(res, &(to[num - j])); | |
360 | for (k = 0; k < (num - i); k++) | |
361 | to[k] = 0; | |
362 | ||
363 | r = num; | |
364 | err: | |
23a1d5e9 | 365 | if (ctx != NULL) |
0f113f3e | 366 | BN_CTX_end(ctx); |
23a1d5e9 | 367 | BN_CTX_free(ctx); |
4b45c6e5 | 368 | OPENSSL_clear_free(buf, num); |
8686c474 | 369 | return r; |
0f113f3e | 370 | } |
58964a49 | 371 | |
bf160551 | 372 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, |
0f113f3e MC |
373 | unsigned char *to, RSA *rsa, int padding) |
374 | { | |
375 | BIGNUM *f, *ret; | |
376 | int j, num = 0, r = -1; | |
377 | unsigned char *p; | |
378 | unsigned char *buf = NULL; | |
379 | BN_CTX *ctx = NULL; | |
380 | int local_blinding = 0; | |
381 | /* | |
382 | * Used only if the blinding structure is shared. A non-NULL unblind | |
383 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
384 | * the unblinding factor outside the blinding structure. | |
385 | */ | |
386 | BIGNUM *unblind = NULL; | |
387 | BN_BLINDING *blinding = NULL; | |
388 | ||
389 | if ((ctx = BN_CTX_new()) == NULL) | |
390 | goto err; | |
391 | BN_CTX_start(ctx); | |
392 | f = BN_CTX_get(ctx); | |
393 | ret = BN_CTX_get(ctx); | |
394 | num = BN_num_bytes(rsa->n); | |
395 | buf = OPENSSL_malloc(num); | |
edea42c6 | 396 | if (ret == NULL || buf == NULL) { |
bf160551 | 397 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
398 | goto err; |
399 | } | |
400 | ||
401 | /* | |
402 | * This check was for equality but PGP does evil things and chops off the | |
403 | * top '0' bytes | |
404 | */ | |
405 | if (flen > num) { | |
bf160551 | 406 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, |
0f113f3e MC |
407 | RSA_R_DATA_GREATER_THAN_MOD_LEN); |
408 | goto err; | |
409 | } | |
410 | ||
411 | /* make data into a big number */ | |
412 | if (BN_bin2bn(from, (int)flen, f) == NULL) | |
413 | goto err; | |
414 | ||
415 | if (BN_ucmp(f, rsa->n) >= 0) { | |
bf160551 | 416 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, |
0f113f3e MC |
417 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
418 | goto err; | |
419 | } | |
420 | ||
421 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { | |
422 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
423 | if (blinding == NULL) { | |
bf160551 | 424 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
425 | goto err; |
426 | } | |
427 | } | |
428 | ||
429 | if (blinding != NULL) { | |
430 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { | |
bf160551 | 431 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
432 | goto err; |
433 | } | |
434 | if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
435 | goto err; | |
436 | } | |
437 | ||
438 | /* do the decrypt */ | |
439 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) || | |
440 | ((rsa->p != NULL) && | |
441 | (rsa->q != NULL) && | |
442 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { | |
443 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | |
444 | goto err; | |
445 | } else { | |
5584f65a MC |
446 | BIGNUM *d = BN_new(); |
447 | if (d == NULL) { | |
448 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); | |
449 | goto err; | |
fd7d2520 | 450 | } |
5584f65a | 451 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
0f113f3e MC |
452 | |
453 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
454 | if (!BN_MONT_CTX_set_locked | |
d188a536 | 455 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) { |
5584f65a | 456 | BN_free(d); |
0f113f3e MC |
457 | goto err; |
458 | } | |
459 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, | |
460 | rsa->_method_mod_n)) { | |
5584f65a | 461 | BN_free(d); |
0f113f3e MC |
462 | goto err; |
463 | } | |
5584f65a MC |
464 | /* We MUST free d before any further use of rsa->d */ |
465 | BN_free(d); | |
0f113f3e MC |
466 | } |
467 | ||
468 | if (blinding) | |
469 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | |
470 | goto err; | |
471 | ||
472 | p = buf; | |
473 | j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ | |
474 | ||
475 | switch (padding) { | |
476 | case RSA_PKCS1_PADDING: | |
477 | r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); | |
478 | break; | |
0f113f3e MC |
479 | case RSA_PKCS1_OAEP_PADDING: |
480 | r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); | |
481 | break; | |
0f113f3e MC |
482 | case RSA_SSLV23_PADDING: |
483 | r = RSA_padding_check_SSLv23(to, num, buf, j, num); | |
484 | break; | |
485 | case RSA_NO_PADDING: | |
486 | r = RSA_padding_check_none(to, num, buf, j, num); | |
487 | break; | |
488 | default: | |
bf160551 | 489 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
490 | goto err; |
491 | } | |
492 | if (r < 0) | |
bf160551 | 493 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); |
0f113f3e MC |
494 | |
495 | err: | |
23a1d5e9 | 496 | if (ctx != NULL) |
0f113f3e | 497 | BN_CTX_end(ctx); |
23a1d5e9 | 498 | BN_CTX_free(ctx); |
4b45c6e5 | 499 | OPENSSL_clear_free(buf, num); |
8686c474 | 500 | return r; |
0f113f3e | 501 | } |
58964a49 | 502 | |
24cff6ce | 503 | /* signature verification */ |
bf160551 | 504 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, |
0f113f3e MC |
505 | unsigned char *to, RSA *rsa, int padding) |
506 | { | |
507 | BIGNUM *f, *ret; | |
508 | int i, num = 0, r = -1; | |
509 | unsigned char *p; | |
510 | unsigned char *buf = NULL; | |
511 | BN_CTX *ctx = NULL; | |
512 | ||
513 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { | |
bf160551 | 514 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); |
0f113f3e MC |
515 | return -1; |
516 | } | |
517 | ||
518 | if (BN_ucmp(rsa->n, rsa->e) <= 0) { | |
bf160551 | 519 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
520 | return -1; |
521 | } | |
522 | ||
523 | /* for large moduli, enforce exponent limit */ | |
524 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { | |
525 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { | |
bf160551 | 526 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
527 | return -1; |
528 | } | |
529 | } | |
530 | ||
531 | if ((ctx = BN_CTX_new()) == NULL) | |
532 | goto err; | |
533 | BN_CTX_start(ctx); | |
534 | f = BN_CTX_get(ctx); | |
535 | ret = BN_CTX_get(ctx); | |
536 | num = BN_num_bytes(rsa->n); | |
537 | buf = OPENSSL_malloc(num); | |
edea42c6 | 538 | if (ret == NULL || buf == NULL) { |
bf160551 | 539 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
540 | goto err; |
541 | } | |
542 | ||
543 | /* | |
544 | * This check was for equality but PGP does evil things and chops off the | |
545 | * top '0' bytes | |
546 | */ | |
547 | if (flen > num) { | |
bf160551 | 548 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); |
0f113f3e MC |
549 | goto err; |
550 | } | |
551 | ||
552 | if (BN_bin2bn(from, flen, f) == NULL) | |
553 | goto err; | |
554 | ||
555 | if (BN_ucmp(f, rsa->n) >= 0) { | |
bf160551 | 556 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, |
0f113f3e MC |
557 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
558 | goto err; | |
559 | } | |
560 | ||
561 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
562 | if (!BN_MONT_CTX_set_locked | |
d188a536 | 563 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) |
0f113f3e MC |
564 | goto err; |
565 | ||
566 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, | |
567 | rsa->_method_mod_n)) | |
568 | goto err; | |
569 | ||
570 | if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12)) | |
571 | if (!BN_sub(ret, rsa->n, ret)) | |
572 | goto err; | |
573 | ||
574 | p = buf; | |
575 | i = BN_bn2bin(ret, p); | |
576 | ||
577 | switch (padding) { | |
578 | case RSA_PKCS1_PADDING: | |
579 | r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); | |
580 | break; | |
581 | case RSA_X931_PADDING: | |
582 | r = RSA_padding_check_X931(to, num, buf, i, num); | |
583 | break; | |
584 | case RSA_NO_PADDING: | |
585 | r = RSA_padding_check_none(to, num, buf, i, num); | |
586 | break; | |
587 | default: | |
bf160551 | 588 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
589 | goto err; |
590 | } | |
591 | if (r < 0) | |
bf160551 | 592 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); |
0f113f3e MC |
593 | |
594 | err: | |
23a1d5e9 | 595 | if (ctx != NULL) |
0f113f3e | 596 | BN_CTX_end(ctx); |
23a1d5e9 | 597 | BN_CTX_free(ctx); |
4b45c6e5 | 598 | OPENSSL_clear_free(buf, num); |
8686c474 | 599 | return r; |
0f113f3e | 600 | } |
58964a49 | 601 | |
bf160551 | 602 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) |
0f113f3e MC |
603 | { |
604 | BIGNUM *r1, *m1, *vrfy; | |
0f113f3e MC |
605 | int ret = 0; |
606 | ||
c804d23d PC |
607 | BN_CTX_start(ctx); |
608 | ||
0f113f3e MC |
609 | r1 = BN_CTX_get(ctx); |
610 | m1 = BN_CTX_get(ctx); | |
611 | vrfy = BN_CTX_get(ctx); | |
5625567f BE |
612 | if (vrfy == NULL) |
613 | goto err; | |
0f113f3e MC |
614 | |
615 | { | |
5584f65a | 616 | BIGNUM *p = BN_new(), *q = BN_new(); |
0f113f3e MC |
617 | |
618 | /* | |
0d4fb843 | 619 | * Make sure BN_mod_inverse in Montgomery initialization uses the |
5584f65a | 620 | * BN_FLG_CONSTTIME flag |
0f113f3e | 621 | */ |
5584f65a MC |
622 | if (p == NULL || q == NULL) { |
623 | BN_free(p); | |
624 | BN_free(q); | |
625 | goto err; | |
0f113f3e | 626 | } |
5584f65a MC |
627 | BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); |
628 | BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); | |
0f113f3e MC |
629 | |
630 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { | |
631 | if (!BN_MONT_CTX_set_locked | |
d188a536 | 632 | (&rsa->_method_mod_p, rsa->lock, p, ctx) |
0f113f3e | 633 | || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, |
d188a536 | 634 | rsa->lock, q, ctx)) { |
5584f65a MC |
635 | BN_free(p); |
636 | BN_free(q); | |
0f113f3e MC |
637 | goto err; |
638 | } | |
639 | } | |
fd7d2520 | 640 | /* |
5584f65a | 641 | * We MUST free p and q before any further use of rsa->p and rsa->q |
fd7d2520 | 642 | */ |
5584f65a MC |
643 | BN_free(p); |
644 | BN_free(q); | |
0f113f3e MC |
645 | } |
646 | ||
647 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
648 | if (!BN_MONT_CTX_set_locked | |
d188a536 | 649 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) |
0f113f3e MC |
650 | goto err; |
651 | ||
652 | /* compute I mod q */ | |
fd7d2520 | 653 | { |
5584f65a MC |
654 | BIGNUM *c = BN_new(); |
655 | if (c == NULL) | |
656 | goto err; | |
657 | BN_with_flags(c, I, BN_FLG_CONSTTIME); | |
658 | ||
fd7d2520 | 659 | if (!BN_mod(r1, c, rsa->q, ctx)) { |
5584f65a | 660 | BN_free(c); |
0f113f3e | 661 | goto err; |
fd7d2520 | 662 | } |
0f113f3e | 663 | |
fd7d2520 | 664 | { |
5584f65a MC |
665 | BIGNUM *dmq1 = BN_new(); |
666 | if (dmq1 == NULL) { | |
667 | BN_free(c); | |
668 | goto err; | |
fd7d2520 | 669 | } |
5584f65a MC |
670 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); |
671 | ||
672 | /* compute r1^dmq1 mod q */ | |
fd7d2520 MC |
673 | if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, |
674 | rsa->_method_mod_q)) { | |
5584f65a MC |
675 | BN_free(c); |
676 | BN_free(dmq1); | |
fd7d2520 MC |
677 | goto err; |
678 | } | |
5584f65a MC |
679 | /* We MUST free dmq1 before any further use of rsa->dmq1 */ |
680 | BN_free(dmq1); | |
fd7d2520 | 681 | } |
0f113f3e | 682 | |
fd7d2520 MC |
683 | /* compute I mod p */ |
684 | if (!BN_mod(r1, c, rsa->p, ctx)) { | |
5584f65a | 685 | BN_free(c); |
0f113f3e | 686 | goto err; |
fd7d2520 | 687 | } |
5584f65a MC |
688 | /* We MUST free c before any further use of I */ |
689 | BN_free(c); | |
0f113f3e MC |
690 | } |
691 | ||
fd7d2520 | 692 | { |
5584f65a MC |
693 | BIGNUM *dmp1 = BN_new(); |
694 | if (dmp1 == NULL) | |
695 | goto err; | |
696 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); | |
697 | ||
fd7d2520 | 698 | /* compute r1^dmp1 mod p */ |
fd7d2520 MC |
699 | if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, |
700 | rsa->_method_mod_p)) { | |
5584f65a | 701 | BN_free(dmp1); |
fd7d2520 MC |
702 | goto err; |
703 | } | |
5584f65a MC |
704 | /* We MUST free dmp1 before any further use of rsa->dmp1 */ |
705 | BN_free(dmp1); | |
fd7d2520 | 706 | } |
0f113f3e MC |
707 | |
708 | if (!BN_sub(r0, r0, m1)) | |
709 | goto err; | |
710 | /* | |
711 | * This will help stop the size of r0 increasing, which does affect the | |
712 | * multiply if it optimised for a power of 2 size | |
713 | */ | |
714 | if (BN_is_negative(r0)) | |
715 | if (!BN_add(r0, r0, rsa->p)) | |
716 | goto err; | |
717 | ||
718 | if (!BN_mul(r1, r0, rsa->iqmp, ctx)) | |
719 | goto err; | |
720 | ||
fd7d2520 | 721 | { |
5584f65a MC |
722 | BIGNUM *pr1 = BN_new(); |
723 | if (pr1 == NULL) | |
724 | goto err; | |
725 | BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); | |
726 | ||
fd7d2520 | 727 | if (!BN_mod(r0, pr1, rsa->p, ctx)) { |
5584f65a | 728 | BN_free(pr1); |
fd7d2520 MC |
729 | goto err; |
730 | } | |
5584f65a MC |
731 | /* We MUST free pr1 before any further use of r1 */ |
732 | BN_free(pr1); | |
fd7d2520 | 733 | } |
0f113f3e MC |
734 | |
735 | /* | |
736 | * If p < q it is occasionally possible for the correction of adding 'p' | |
737 | * if r0 is negative above to leave the result still negative. This can | |
738 | * break the private key operations: the following second correction | |
739 | * should *always* correct this rare occurrence. This will *never* happen | |
740 | * with OpenSSL generated keys because they ensure p > q [steve] | |
741 | */ | |
742 | if (BN_is_negative(r0)) | |
743 | if (!BN_add(r0, r0, rsa->p)) | |
744 | goto err; | |
745 | if (!BN_mul(r1, r0, rsa->q, ctx)) | |
746 | goto err; | |
747 | if (!BN_add(r0, r1, m1)) | |
748 | goto err; | |
749 | ||
750 | if (rsa->e && rsa->n) { | |
739a5eee MC |
751 | if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, |
752 | rsa->_method_mod_n)) | |
0f113f3e MC |
753 | goto err; |
754 | /* | |
755 | * If 'I' was greater than (or equal to) rsa->n, the operation will | |
756 | * be equivalent to using 'I mod n'. However, the result of the | |
757 | * verify will *always* be less than 'n' so we don't check for | |
758 | * absolute equality, just congruency. | |
759 | */ | |
760 | if (!BN_sub(vrfy, vrfy, I)) | |
761 | goto err; | |
762 | if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) | |
763 | goto err; | |
764 | if (BN_is_negative(vrfy)) | |
765 | if (!BN_add(vrfy, vrfy, rsa->n)) | |
766 | goto err; | |
767 | if (!BN_is_zero(vrfy)) { | |
768 | /* | |
769 | * 'I' and 'vrfy' aren't congruent mod n. Don't leak | |
770 | * miscalculated CRT output, just do a raw (slower) mod_exp and | |
771 | * return that instead. | |
772 | */ | |
773 | ||
5584f65a MC |
774 | BIGNUM *d = BN_new(); |
775 | if (d == NULL) | |
776 | goto err; | |
777 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | |
0f113f3e | 778 | |
0f113f3e MC |
779 | if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, |
780 | rsa->_method_mod_n)) { | |
5584f65a | 781 | BN_free(d); |
0f113f3e MC |
782 | goto err; |
783 | } | |
5584f65a MC |
784 | /* We MUST free d before any further use of rsa->d */ |
785 | BN_free(d); | |
0f113f3e MC |
786 | } |
787 | } | |
788 | ret = 1; | |
789 | err: | |
0f113f3e | 790 | BN_CTX_end(ctx); |
8686c474 | 791 | return ret; |
0f113f3e | 792 | } |
58964a49 | 793 | |
bf160551 | 794 | static int rsa_ossl_init(RSA *rsa) |
0f113f3e MC |
795 | { |
796 | rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; | |
8686c474 | 797 | return 1; |
0f113f3e | 798 | } |
58964a49 | 799 | |
bf160551 | 800 | static int rsa_ossl_finish(RSA *rsa) |
0f113f3e | 801 | { |
23a1d5e9 RS |
802 | BN_MONT_CTX_free(rsa->_method_mod_n); |
803 | BN_MONT_CTX_free(rsa->_method_mod_p); | |
804 | BN_MONT_CTX_free(rsa->_method_mod_q); | |
8686c474 | 805 | return 1; |
0f113f3e | 806 | } |