]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/rsa/rsa_ossl.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
This part fixes braces around if-else.
[thirdparty/openssl.git] / crypto / rsa / rsa_ossl.c
CommitLineData
2039c421 1/*
edea42c6 2 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
46a64376 3 *
2039c421
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
46a64376 8 */
58964a49 9
b39fc560 10#include "internal/cryptlib.h"
18125f7f 11#include "internal/bn_int.h"
9862e9aa 12#include "rsa_locl.h"
58964a49 13
bf160551 14static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e 15 unsigned char *to, RSA *rsa, int padding);
bf160551 16static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e 17 unsigned char *to, RSA *rsa, int padding);
bf160551 18static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e 19 unsigned char *to, RSA *rsa, int padding);
bf160551 20static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e 21 unsigned char *to, RSA *rsa, int padding);
bf160551 22static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
0f113f3e 23 BN_CTX *ctx);
bf160551
RS		 24static int rsa_ossl_init(RSA *rsa);
25static int rsa_ossl_finish(RSA *rsa);
26static RSA_METHOD rsa_pkcs1_ossl_meth = {
076fc555 27 "OpenSSL PKCS#1 RSA",
bf160551
RS		 28 rsa_ossl_public_encrypt,
29 rsa_ossl_public_decrypt, /* signature verification */
30 rsa_ossl_private_encrypt, /* signing */
31 rsa_ossl_private_decrypt,
32 rsa_ossl_mod_exp,
0f113f3e
MC		 33 BN_mod_exp_mont, /* XXX probably we should not use Montgomery
34 * if e == 3 */
bf160551
RS		 35 rsa_ossl_init,
36 rsa_ossl_finish,
0f113f3e
MC		 37 RSA_FLAG_FIPS_METHOD, /* flags */
38 NULL,
39 0, /* rsa_sign */
40 0, /* rsa_verify */
41 NULL /* rsa_keygen */
42};
58964a49 43
076fc555
RS		 44static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth;
45
46void RSA_set_default_method(const RSA_METHOD *meth)
47{
48 default_RSA_meth = meth;
49}
50
51const RSA_METHOD *RSA_get_default_method(void)
52{
53 return default_RSA_meth;
54}
55
b0700d2c 56const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
0f113f3e 57{
bf160551 58 return &rsa_pkcs1_ossl_meth;
0f113f3e 59}
58964a49 60
076fc555
RS		 61const RSA_METHOD *RSA_null_method(void)
62{
63 return NULL;
64}
65
bf160551 66static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 67 unsigned char *to, RSA *rsa, int padding)
68{
69 BIGNUM *f, *ret;
70 int i, j, k, num = 0, r = -1;
71 unsigned char *buf = NULL;
72 BN_CTX *ctx = NULL;
73
74 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
bf160551 75 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 76 return -1;
77 }
78
79 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
bf160551 80 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 81 return -1;
82 }
83
84 /* for large moduli, enforce exponent limit */
85 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
86 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
bf160551 87 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 88 return -1;
89 }
90 }
91
92 if ((ctx = BN_CTX_new()) == NULL)
93 goto err;
94 BN_CTX_start(ctx);
95 f = BN_CTX_get(ctx);
96 ret = BN_CTX_get(ctx);
97 num = BN_num_bytes(rsa->n);
98 buf = OPENSSL_malloc(num);
edea42c6 99 if (ret == NULL || buf == NULL) {
bf160551 100 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 101 goto err;
102 }
103
104 switch (padding) {
105 case RSA_PKCS1_PADDING:
106 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
107 break;
0f113f3e
MC		 108 case RSA_PKCS1_OAEP_PADDING:
109 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
110 break;
0f113f3e
MC		 111 case RSA_SSLV23_PADDING:
112 i = RSA_padding_add_SSLv23(buf, num, from, flen);
113 break;
114 case RSA_NO_PADDING:
115 i = RSA_padding_add_none(buf, num, from, flen);
116 break;
117 default:
bf160551 118 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 119 goto err;
120 }
121 if (i <= 0)
122 goto err;
123
124 if (BN_bin2bn(buf, num, f) == NULL)
125 goto err;
126
127 if (BN_ucmp(f, rsa->n) >= 0) {
128 /* usually the padding functions would catch this */
bf160551 129 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT,
0f113f3e
MC		 130 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
131 goto err;
132 }
133
134 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
135 if (!BN_MONT_CTX_set_locked
d188a536 136 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
0f113f3e
MC		 137 goto err;
138
139 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
140 rsa->_method_mod_n))
141 goto err;
142
143 /*
144 * put in leading 0 bytes if the number is less than the length of the
145 * modulus
146 */
147 j = BN_num_bytes(ret);
148 i = BN_bn2bin(ret, &(to[num - j]));
149 for (k = 0; k < (num - i); k++)
150 to[k] = 0;
151
152 r = num;
153 err:
23a1d5e9 154 if (ctx != NULL)
0f113f3e 155 BN_CTX_end(ctx);
23a1d5e9 156 BN_CTX_free(ctx);
4b45c6e5 157 OPENSSL_clear_free(buf, num);
8686c474 158 return r;
0f113f3e 159}
58964a49 160
675f605d 161static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
800e400d 162{
0f113f3e 163 BN_BLINDING *ret;
0f113f3e 164
d188a536 165 CRYPTO_THREAD_write_lock(rsa->lock);
0f113f3e
MC		 166
167 if (rsa->blinding == NULL) {
d188a536 168 rsa->blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 169 }
170
171 ret = rsa->blinding;
172 if (ret == NULL)
173 goto err;
174
0b1a07c8 175 if (BN_BLINDING_is_current_thread(ret)) {
0f113f3e
MC		 176 /* rsa->blinding is ours! */
177
178 *local = 1;
179 } else {
180 /* resort to rsa->mt_blinding instead */
181
182 /*
183 * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
184 * BN_BLINDING is shared, meaning that accesses require locks, and
185 * that the blinding factor must be stored outside the BN_BLINDING
186 */
187 *local = 0;
188
189 if (rsa->mt_blinding == NULL) {
d188a536 190 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 191 }
192 ret = rsa->mt_blinding;
193 }
5679bcce 194
675f605d 195 err:
d188a536 196 CRYPTO_THREAD_unlock(rsa->lock);
0f113f3e 197 return ret;
800e400d 198}
5679bcce 199
e5641d7f 200static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 201 BN_CTX *ctx)
202{
90862ab4 203 if (unblind == NULL) {
0f113f3e
MC		 204 /*
205 * Local blinding: store the unblinding factor in BN_BLINDING.
206 */
207 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
90862ab4 208 } else {
0f113f3e
MC		 209 /*
210 * Shared blinding: store the unblinding factor outside BN_BLINDING.
211 */
212 int ret;
0b1a07c8
AG		 213
214 BN_BLINDING_lock(b);
0f113f3e 215 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
0b1a07c8
AG		 216 BN_BLINDING_unlock(b);
217
0f113f3e
MC		 218 return ret;
219 }
220}
e5641d7f
BM		 221
222static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 223 BN_CTX *ctx)
224{
225 /*
226 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
227 * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
228 * is shared between threads, unblind must be non-null:
229 * BN_BLINDING_invert_ex will then use the local unblinding factor, and
230 * will only read the modulus from BN_BLINDING. In both cases it's safe
231 * to access the blinding without a lock.
232 */
233 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
234}
5679bcce 235
24cff6ce 236/* signing */
bf160551 237static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 238 unsigned char *to, RSA *rsa, int padding)
239{
240 BIGNUM *f, *ret, *res;
241 int i, j, k, num = 0, r = -1;
242 unsigned char *buf = NULL;
243 BN_CTX *ctx = NULL;
244 int local_blinding = 0;
245 /*
246 * Used only if the blinding structure is shared. A non-NULL unblind
247 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
248 * the unblinding factor outside the blinding structure.
249 */
250 BIGNUM *unblind = NULL;
251 BN_BLINDING *blinding = NULL;
252
253 if ((ctx = BN_CTX_new()) == NULL)
254 goto err;
255 BN_CTX_start(ctx);
256 f = BN_CTX_get(ctx);
257 ret = BN_CTX_get(ctx);
258 num = BN_num_bytes(rsa->n);
259 buf = OPENSSL_malloc(num);
edea42c6 260 if (ret == NULL || buf == NULL) {
bf160551 261 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 262 goto err;
263 }
264
265 switch (padding) {
266 case RSA_PKCS1_PADDING:
267 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
268 break;
269 case RSA_X931_PADDING:
270 i = RSA_padding_add_X931(buf, num, from, flen);
271 break;
272 case RSA_NO_PADDING:
273 i = RSA_padding_add_none(buf, num, from, flen);
274 break;
275 case RSA_SSLV23_PADDING:
276 default:
bf160551 277 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 278 goto err;
279 }
280 if (i <= 0)
281 goto err;
282
283 if (BN_bin2bn(buf, num, f) == NULL)
284 goto err;
285
286 if (BN_ucmp(f, rsa->n) >= 0) {
287 /* usually the padding functions would catch this */
bf160551 288 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
0f113f3e
MC		 289 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
290 goto err;
291 }
292
293 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
294 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
295 if (blinding == NULL) {
bf160551 296 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 297 goto err;
298 }
299 }
300
301 if (blinding != NULL) {
302 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
bf160551 303 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 304 goto err;
305 }
306 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
307 goto err;
308 }
309
310 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
311 ((rsa->p != NULL) &&
312 (rsa->q != NULL) &&
313 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
314 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
315 goto err;
316 } else {
5584f65a
MC		 317 BIGNUM *d = BN_new();
318 if (d == NULL) {
319 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
320 goto err;
fd7d2520 321 }
5584f65a 322 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e
MC		 323
324 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
325 if (!BN_MONT_CTX_set_locked
d188a536 326 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
5584f65a 327 BN_free(d);
0f113f3e
MC		 328 goto err;
329 }
330
331 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
332 rsa->_method_mod_n)) {
5584f65a 333 BN_free(d);
0f113f3e
MC		 334 goto err;
335 }
5584f65a
MC		 336 /* We MUST free d before any further use of rsa->d */
337 BN_free(d);
0f113f3e
MC		 338 }
339
340 if (blinding)
341 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
342 goto err;
343
344 if (padding == RSA_X931_PADDING) {
345 BN_sub(f, rsa->n, ret);
346 if (BN_cmp(ret, f) > 0)
347 res = f;
348 else
349 res = ret;
90862ab4 350 } else {
0f113f3e 351 res = ret;
90862ab4 352 }
0f113f3e
MC		 353
354 /*
355 * put in leading 0 bytes if the number is less than the length of the
356 * modulus
357 */
358 j = BN_num_bytes(res);
359 i = BN_bn2bin(res, &(to[num - j]));
360 for (k = 0; k < (num - i); k++)
361 to[k] = 0;
362
363 r = num;
364 err:
23a1d5e9 365 if (ctx != NULL)
0f113f3e 366 BN_CTX_end(ctx);
23a1d5e9 367 BN_CTX_free(ctx);
4b45c6e5 368 OPENSSL_clear_free(buf, num);
8686c474 369 return r;
0f113f3e 370}
58964a49 371
bf160551 372static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 373 unsigned char *to, RSA *rsa, int padding)
374{
375 BIGNUM *f, *ret;
376 int j, num = 0, r = -1;
377 unsigned char *p;
378 unsigned char *buf = NULL;
379 BN_CTX *ctx = NULL;
380 int local_blinding = 0;
381 /*
382 * Used only if the blinding structure is shared. A non-NULL unblind
383 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
384 * the unblinding factor outside the blinding structure.
385 */
386 BIGNUM *unblind = NULL;
387 BN_BLINDING *blinding = NULL;
388
389 if ((ctx = BN_CTX_new()) == NULL)
390 goto err;
391 BN_CTX_start(ctx);
392 f = BN_CTX_get(ctx);
393 ret = BN_CTX_get(ctx);
394 num = BN_num_bytes(rsa->n);
395 buf = OPENSSL_malloc(num);
edea42c6 396 if (ret == NULL || buf == NULL) {
bf160551 397 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 398 goto err;
399 }
400
401 /*
402 * This check was for equality but PGP does evil things and chops off the
403 * top '0' bytes
404 */
405 if (flen > num) {
bf160551 406 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
0f113f3e
MC		 407 RSA_R_DATA_GREATER_THAN_MOD_LEN);
408 goto err;
409 }
410
411 /* make data into a big number */
412 if (BN_bin2bn(from, (int)flen, f) == NULL)
413 goto err;
414
415 if (BN_ucmp(f, rsa->n) >= 0) {
bf160551 416 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
0f113f3e
MC		 417 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
418 goto err;
419 }
420
421 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
422 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
423 if (blinding == NULL) {
bf160551 424 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 425 goto err;
426 }
427 }
428
429 if (blinding != NULL) {
430 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
bf160551 431 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 432 goto err;
433 }
434 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
435 goto err;
436 }
437
438 /* do the decrypt */
439 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
440 ((rsa->p != NULL) &&
441 (rsa->q != NULL) &&
442 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
443 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
444 goto err;
445 } else {
5584f65a
MC		 446 BIGNUM *d = BN_new();
447 if (d == NULL) {
448 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
449 goto err;
fd7d2520 450 }
5584f65a 451 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e
MC		 452
453 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
454 if (!BN_MONT_CTX_set_locked
d188a536 455 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
5584f65a 456 BN_free(d);
0f113f3e
MC		 457 goto err;
458 }
459 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
460 rsa->_method_mod_n)) {
5584f65a 461 BN_free(d);
0f113f3e
MC		 462 goto err;
463 }
5584f65a
MC		 464 /* We MUST free d before any further use of rsa->d */
465 BN_free(d);
0f113f3e
MC		 466 }
467
468 if (blinding)
469 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
470 goto err;
471
472 p = buf;
473 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
474
475 switch (padding) {
476 case RSA_PKCS1_PADDING:
477 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
478 break;
0f113f3e
MC		 479 case RSA_PKCS1_OAEP_PADDING:
480 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
481 break;
0f113f3e
MC		 482 case RSA_SSLV23_PADDING:
483 r = RSA_padding_check_SSLv23(to, num, buf, j, num);
484 break;
485 case RSA_NO_PADDING:
486 r = RSA_padding_check_none(to, num, buf, j, num);
487 break;
488 default:
bf160551 489 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 490 goto err;
491 }
492 if (r < 0)
bf160551 493 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
0f113f3e
MC		 494
495 err:
23a1d5e9 496 if (ctx != NULL)
0f113f3e 497 BN_CTX_end(ctx);
23a1d5e9 498 BN_CTX_free(ctx);
4b45c6e5 499 OPENSSL_clear_free(buf, num);
8686c474 500 return r;
0f113f3e 501}
58964a49 502
24cff6ce 503/* signature verification */
bf160551 504static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 505 unsigned char *to, RSA *rsa, int padding)
506{
507 BIGNUM *f, *ret;
508 int i, num = 0, r = -1;
509 unsigned char *p;
510 unsigned char *buf = NULL;
511 BN_CTX *ctx = NULL;
512
513 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
bf160551 514 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 515 return -1;
516 }
517
518 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
bf160551 519 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 520 return -1;
521 }
522
523 /* for large moduli, enforce exponent limit */
524 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
525 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
bf160551 526 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 527 return -1;
528 }
529 }
530
531 if ((ctx = BN_CTX_new()) == NULL)
532 goto err;
533 BN_CTX_start(ctx);
534 f = BN_CTX_get(ctx);
535 ret = BN_CTX_get(ctx);
536 num = BN_num_bytes(rsa->n);
537 buf = OPENSSL_malloc(num);
edea42c6 538 if (ret == NULL || buf == NULL) {
bf160551 539 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 540 goto err;
541 }
542
543 /*
544 * This check was for equality but PGP does evil things and chops off the
545 * top '0' bytes
546 */
547 if (flen > num) {
bf160551 548 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
0f113f3e
MC		 549 goto err;
550 }
551
552 if (BN_bin2bn(from, flen, f) == NULL)
553 goto err;
554
555 if (BN_ucmp(f, rsa->n) >= 0) {
bf160551 556 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT,
0f113f3e
MC		 557 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
558 goto err;
559 }
560
561 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
562 if (!BN_MONT_CTX_set_locked
d188a536 563 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
0f113f3e
MC		 564 goto err;
565
566 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
567 rsa->_method_mod_n))
568 goto err;
569
570 if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
571 if (!BN_sub(ret, rsa->n, ret))
572 goto err;
573
574 p = buf;
575 i = BN_bn2bin(ret, p);
576
577 switch (padding) {
578 case RSA_PKCS1_PADDING:
579 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
580 break;
581 case RSA_X931_PADDING:
582 r = RSA_padding_check_X931(to, num, buf, i, num);
583 break;
584 case RSA_NO_PADDING:
585 r = RSA_padding_check_none(to, num, buf, i, num);
586 break;
587 default:
bf160551 588 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 589 goto err;
590 }
591 if (r < 0)
bf160551 592 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
0f113f3e
MC		 593
594 err:
23a1d5e9 595 if (ctx != NULL)
0f113f3e 596 BN_CTX_end(ctx);
23a1d5e9 597 BN_CTX_free(ctx);
4b45c6e5 598 OPENSSL_clear_free(buf, num);
8686c474 599 return r;
0f113f3e 600}
58964a49 601
bf160551 602static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
0f113f3e
MC		 603{
604 BIGNUM *r1, *m1, *vrfy;
0f113f3e
MC		 605 int ret = 0;
606
c804d23d
PC		 607 BN_CTX_start(ctx);
608
0f113f3e
MC		 609 r1 = BN_CTX_get(ctx);
610 m1 = BN_CTX_get(ctx);
611 vrfy = BN_CTX_get(ctx);
5625567f
BE		 612 if (vrfy == NULL)
613 goto err;
0f113f3e
MC		 614
615 {
5584f65a 616 BIGNUM *p = BN_new(), *q = BN_new();
0f113f3e
MC		 617
618 /*
0d4fb843 619 * Make sure BN_mod_inverse in Montgomery initialization uses the
5584f65a 620 * BN_FLG_CONSTTIME flag
0f113f3e 621 */
5584f65a
MC		 622 if (p == NULL || q == NULL) {
623 BN_free(p);
624 BN_free(q);
625 goto err;
0f113f3e 626 }
5584f65a
MC		 627 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
628 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
0f113f3e
MC		 629
630 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
631 if (!BN_MONT_CTX_set_locked
d188a536 632 (&rsa->_method_mod_p, rsa->lock, p, ctx)
0f113f3e 633 || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
d188a536 634 rsa->lock, q, ctx)) {
5584f65a
MC		 635 BN_free(p);
636 BN_free(q);
0f113f3e
MC		 637 goto err;
638 }
639 }
fd7d2520 640 /*
5584f65a 641 * We MUST free p and q before any further use of rsa->p and rsa->q
fd7d2520 642 */
5584f65a
MC		 643 BN_free(p);
644 BN_free(q);
0f113f3e
MC		 645 }
646
647 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
648 if (!BN_MONT_CTX_set_locked
d188a536 649 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
0f113f3e
MC		 650 goto err;
651
652 /* compute I mod q */
fd7d2520 653 {
5584f65a
MC		 654 BIGNUM *c = BN_new();
655 if (c == NULL)
656 goto err;
657 BN_with_flags(c, I, BN_FLG_CONSTTIME);
658
fd7d2520 659 if (!BN_mod(r1, c, rsa->q, ctx)) {
5584f65a 660 BN_free(c);
0f113f3e 661 goto err;
fd7d2520 662 }
0f113f3e 663
fd7d2520 664 {
5584f65a
MC		 665 BIGNUM *dmq1 = BN_new();
666 if (dmq1 == NULL) {
667 BN_free(c);
668 goto err;
fd7d2520 669 }
5584f65a
MC		 670 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
671
672 /* compute r1^dmq1 mod q */
fd7d2520
MC		 673 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
674 rsa->_method_mod_q)) {
5584f65a
MC		 675 BN_free(c);
676 BN_free(dmq1);
fd7d2520
MC		 677 goto err;
678 }
5584f65a
MC		 679 /* We MUST free dmq1 before any further use of rsa->dmq1 */
680 BN_free(dmq1);
fd7d2520 681 }
0f113f3e 682
fd7d2520
MC		 683 /* compute I mod p */
684 if (!BN_mod(r1, c, rsa->p, ctx)) {
5584f65a 685 BN_free(c);
0f113f3e 686 goto err;
fd7d2520 687 }
5584f65a
MC		 688 /* We MUST free c before any further use of I */
689 BN_free(c);
0f113f3e
MC		 690 }
691
fd7d2520 692 {
5584f65a
MC		 693 BIGNUM *dmp1 = BN_new();
694 if (dmp1 == NULL)
695 goto err;
696 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
697
fd7d2520 698 /* compute r1^dmp1 mod p */
fd7d2520
MC		 699 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
700 rsa->_method_mod_p)) {
5584f65a 701 BN_free(dmp1);
fd7d2520
MC		 702 goto err;
703 }
5584f65a
MC		 704 /* We MUST free dmp1 before any further use of rsa->dmp1 */
705 BN_free(dmp1);
fd7d2520 706 }
0f113f3e
MC		 707
708 if (!BN_sub(r0, r0, m1))
709 goto err;
710 /*
711 * This will help stop the size of r0 increasing, which does affect the
712 * multiply if it optimised for a power of 2 size
713 */
714 if (BN_is_negative(r0))
715 if (!BN_add(r0, r0, rsa->p))
716 goto err;
717
718 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
719 goto err;
720
fd7d2520 721 {
5584f65a
MC		 722 BIGNUM *pr1 = BN_new();
723 if (pr1 == NULL)
724 goto err;
725 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
726
fd7d2520 727 if (!BN_mod(r0, pr1, rsa->p, ctx)) {
5584f65a 728 BN_free(pr1);
fd7d2520
MC		 729 goto err;
730 }
5584f65a
MC		 731 /* We MUST free pr1 before any further use of r1 */
732 BN_free(pr1);
fd7d2520 733 }
0f113f3e
MC		 734
735 /*
736 * If p < q it is occasionally possible for the correction of adding 'p'
737 * if r0 is negative above to leave the result still negative. This can
738 * break the private key operations: the following second correction
739 * should *always* correct this rare occurrence. This will *never* happen
740 * with OpenSSL generated keys because they ensure p > q [steve]
741 */
742 if (BN_is_negative(r0))
743 if (!BN_add(r0, r0, rsa->p))
744 goto err;
745 if (!BN_mul(r1, r0, rsa->q, ctx))
746 goto err;
747 if (!BN_add(r0, r1, m1))
748 goto err;
749
750 if (rsa->e && rsa->n) {
739a5eee
MC		 751 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
752 rsa->_method_mod_n))
0f113f3e
MC		 753 goto err;
754 /*
755 * If 'I' was greater than (or equal to) rsa->n, the operation will
756 * be equivalent to using 'I mod n'. However, the result of the
757 * verify will *always* be less than 'n' so we don't check for
758 * absolute equality, just congruency.
759 */
760 if (!BN_sub(vrfy, vrfy, I))
761 goto err;
762 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
763 goto err;
764 if (BN_is_negative(vrfy))
765 if (!BN_add(vrfy, vrfy, rsa->n))
766 goto err;
767 if (!BN_is_zero(vrfy)) {
768 /*
769 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
770 * miscalculated CRT output, just do a raw (slower) mod_exp and
771 * return that instead.
772 */
773
5584f65a
MC		 774 BIGNUM *d = BN_new();
775 if (d == NULL)
776 goto err;
777 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e 778
0f113f3e
MC		 779 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
780 rsa->_method_mod_n)) {
5584f65a 781 BN_free(d);
0f113f3e
MC		 782 goto err;
783 }
5584f65a
MC		 784 /* We MUST free d before any further use of rsa->d */
785 BN_free(d);
0f113f3e
MC		 786 }
787 }
788 ret = 1;
789 err:
0f113f3e 790 BN_CTX_end(ctx);
8686c474 791 return ret;
0f113f3e 792}
58964a49 793
bf160551 794static int rsa_ossl_init(RSA *rsa)
0f113f3e
MC		 795{
796 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
8686c474 797 return 1;
0f113f3e 798}
58964a49 799
bf160551 800static int rsa_ossl_finish(RSA *rsa)
0f113f3e 801{
23a1d5e9
RS		 802 BN_MONT_CTX_free(rsa->_method_mod_n);
803 BN_MONT_CTX_free(rsa->_method_mod_p);
804 BN_MONT_CTX_free(rsa->_method_mod_q);
8686c474 805 return 1;
0f113f3e 806}
A mirror of the official openssl repository