]>
Commit | Line | Data |
---|---|---|
2039c421 | 1 | /* |
fecb3aae | 2 | * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. |
46a64376 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
46a64376 | 8 | */ |
58964a49 | 9 | |
c5f87134 P |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
b39fc560 | 16 | #include "internal/cryptlib.h" |
25f2138b | 17 | #include "crypto/bn.h" |
706457b7 DMSP |
18 | #include "rsa_local.h" |
19 | #include "internal/constant_time.h" | |
7fc67e0a HK |
20 | #include <openssl/evp.h> |
21 | #include <openssl/sha.h> | |
22 | #include <openssl/hmac.h> | |
58964a49 | 23 | |
bf160551 | 24 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, |
0f113f3e | 25 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 26 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, |
0f113f3e | 27 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 28 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, |
0f113f3e | 29 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 30 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, |
0f113f3e | 31 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 32 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, |
0f113f3e | 33 | BN_CTX *ctx); |
bf160551 RS |
34 | static int rsa_ossl_init(RSA *rsa); |
35 | static int rsa_ossl_finish(RSA *rsa); | |
36 | static RSA_METHOD rsa_pkcs1_ossl_meth = { | |
076fc555 | 37 | "OpenSSL PKCS#1 RSA", |
bf160551 RS |
38 | rsa_ossl_public_encrypt, |
39 | rsa_ossl_public_decrypt, /* signature verification */ | |
40 | rsa_ossl_private_encrypt, /* signing */ | |
41 | rsa_ossl_private_decrypt, | |
42 | rsa_ossl_mod_exp, | |
0f113f3e MC |
43 | BN_mod_exp_mont, /* XXX probably we should not use Montgomery |
44 | * if e == 3 */ | |
bf160551 RS |
45 | rsa_ossl_init, |
46 | rsa_ossl_finish, | |
0f113f3e MC |
47 | RSA_FLAG_FIPS_METHOD, /* flags */ |
48 | NULL, | |
49 | 0, /* rsa_sign */ | |
50 | 0, /* rsa_verify */ | |
665d899f PY |
51 | NULL, /* rsa_keygen */ |
52 | NULL /* rsa_multi_prime_keygen */ | |
0f113f3e | 53 | }; |
58964a49 | 54 | |
076fc555 RS |
55 | static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth; |
56 | ||
57 | void RSA_set_default_method(const RSA_METHOD *meth) | |
58 | { | |
59 | default_RSA_meth = meth; | |
60 | } | |
61 | ||
62 | const RSA_METHOD *RSA_get_default_method(void) | |
63 | { | |
64 | return default_RSA_meth; | |
65 | } | |
66 | ||
b0700d2c | 67 | const RSA_METHOD *RSA_PKCS1_OpenSSL(void) |
0f113f3e | 68 | { |
bf160551 | 69 | return &rsa_pkcs1_ossl_meth; |
0f113f3e | 70 | } |
58964a49 | 71 | |
076fc555 RS |
72 | const RSA_METHOD *RSA_null_method(void) |
73 | { | |
74 | return NULL; | |
75 | } | |
76 | ||
bf160551 | 77 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, |
0f113f3e MC |
78 | unsigned char *to, RSA *rsa, int padding) |
79 | { | |
80 | BIGNUM *f, *ret; | |
582ad5d4 | 81 | int i, num = 0, r = -1; |
0f113f3e MC |
82 | unsigned char *buf = NULL; |
83 | BN_CTX *ctx = NULL; | |
84 | ||
85 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { | |
9311d0c4 | 86 | ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); |
0f113f3e MC |
87 | return -1; |
88 | } | |
89 | ||
90 | if (BN_ucmp(rsa->n, rsa->e) <= 0) { | |
9311d0c4 | 91 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
92 | return -1; |
93 | } | |
94 | ||
95 | /* for large moduli, enforce exponent limit */ | |
96 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { | |
97 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { | |
9311d0c4 | 98 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
99 | return -1; |
100 | } | |
101 | } | |
102 | ||
afb638f1 | 103 | if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) |
0f113f3e MC |
104 | goto err; |
105 | BN_CTX_start(ctx); | |
106 | f = BN_CTX_get(ctx); | |
107 | ret = BN_CTX_get(ctx); | |
108 | num = BN_num_bytes(rsa->n); | |
109 | buf = OPENSSL_malloc(num); | |
e077455e | 110 | if (ret == NULL || buf == NULL) |
0f113f3e | 111 | goto err; |
0f113f3e MC |
112 | |
113 | switch (padding) { | |
114 | case RSA_PKCS1_PADDING: | |
23b2fc0b P |
115 | i = ossl_rsa_padding_add_PKCS1_type_2_ex(rsa->libctx, buf, num, |
116 | from, flen); | |
0f113f3e | 117 | break; |
0f113f3e | 118 | case RSA_PKCS1_OAEP_PADDING: |
23b2fc0b P |
119 | i = ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(rsa->libctx, buf, num, |
120 | from, flen, NULL, 0, | |
121 | NULL, NULL); | |
0f113f3e | 122 | break; |
0f113f3e MC |
123 | case RSA_NO_PADDING: |
124 | i = RSA_padding_add_none(buf, num, from, flen); | |
125 | break; | |
126 | default: | |
9311d0c4 | 127 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
128 | goto err; |
129 | } | |
130 | if (i <= 0) | |
131 | goto err; | |
132 | ||
133 | if (BN_bin2bn(buf, num, f) == NULL) | |
134 | goto err; | |
135 | ||
136 | if (BN_ucmp(f, rsa->n) >= 0) { | |
137 | /* usually the padding functions would catch this */ | |
9311d0c4 | 138 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
0f113f3e MC |
139 | goto err; |
140 | } | |
141 | ||
142 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
143 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
144 | rsa->n, ctx)) | |
0f113f3e MC |
145 | goto err; |
146 | ||
147 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, | |
148 | rsa->_method_mod_n)) | |
149 | goto err; | |
150 | ||
151 | /* | |
582ad5d4 AP |
152 | * BN_bn2binpad puts in leading 0 bytes if the number is less than |
153 | * the length of the modulus. | |
0f113f3e | 154 | */ |
582ad5d4 | 155 | r = BN_bn2binpad(ret, to, num); |
0f113f3e | 156 | err: |
ce1415ed | 157 | BN_CTX_end(ctx); |
23a1d5e9 | 158 | BN_CTX_free(ctx); |
4b45c6e5 | 159 | OPENSSL_clear_free(buf, num); |
8686c474 | 160 | return r; |
0f113f3e | 161 | } |
58964a49 | 162 | |
675f605d | 163 | static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) |
800e400d | 164 | { |
0f113f3e | 165 | BN_BLINDING *ret; |
0f113f3e | 166 | |
cd3f8c1b RS |
167 | if (!CRYPTO_THREAD_write_lock(rsa->lock)) |
168 | return NULL; | |
0f113f3e MC |
169 | |
170 | if (rsa->blinding == NULL) { | |
d188a536 | 171 | rsa->blinding = RSA_setup_blinding(rsa, ctx); |
0f113f3e MC |
172 | } |
173 | ||
174 | ret = rsa->blinding; | |
175 | if (ret == NULL) | |
176 | goto err; | |
177 | ||
0b1a07c8 | 178 | if (BN_BLINDING_is_current_thread(ret)) { |
0f113f3e MC |
179 | /* rsa->blinding is ours! */ |
180 | ||
181 | *local = 1; | |
182 | } else { | |
183 | /* resort to rsa->mt_blinding instead */ | |
184 | ||
185 | /* | |
186 | * instructs rsa_blinding_convert(), rsa_blinding_invert() that the | |
187 | * BN_BLINDING is shared, meaning that accesses require locks, and | |
188 | * that the blinding factor must be stored outside the BN_BLINDING | |
189 | */ | |
190 | *local = 0; | |
191 | ||
192 | if (rsa->mt_blinding == NULL) { | |
d188a536 | 193 | rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); |
0f113f3e MC |
194 | } |
195 | ret = rsa->mt_blinding; | |
196 | } | |
5679bcce | 197 | |
675f605d | 198 | err: |
d188a536 | 199 | CRYPTO_THREAD_unlock(rsa->lock); |
0f113f3e | 200 | return ret; |
800e400d | 201 | } |
5679bcce | 202 | |
e5641d7f | 203 | static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, |
0f113f3e MC |
204 | BN_CTX *ctx) |
205 | { | |
90862ab4 | 206 | if (unblind == NULL) { |
0f113f3e MC |
207 | /* |
208 | * Local blinding: store the unblinding factor in BN_BLINDING. | |
209 | */ | |
210 | return BN_BLINDING_convert_ex(f, NULL, b, ctx); | |
90862ab4 | 211 | } else { |
0f113f3e MC |
212 | /* |
213 | * Shared blinding: store the unblinding factor outside BN_BLINDING. | |
214 | */ | |
215 | int ret; | |
0b1a07c8 | 216 | |
aefbcde2 JJ |
217 | if (!BN_BLINDING_lock(b)) |
218 | return 0; | |
219 | ||
0f113f3e | 220 | ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); |
0b1a07c8 AG |
221 | BN_BLINDING_unlock(b); |
222 | ||
0f113f3e MC |
223 | return ret; |
224 | } | |
225 | } | |
e5641d7f BM |
226 | |
227 | static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, | |
0f113f3e MC |
228 | BN_CTX *ctx) |
229 | { | |
230 | /* | |
231 | * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex | |
232 | * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING | |
233 | * is shared between threads, unblind must be non-null: | |
234 | * BN_BLINDING_invert_ex will then use the local unblinding factor, and | |
235 | * will only read the modulus from BN_BLINDING. In both cases it's safe | |
236 | * to access the blinding without a lock. | |
237 | */ | |
238 | return BN_BLINDING_invert_ex(f, unblind, b, ctx); | |
239 | } | |
5679bcce | 240 | |
24cff6ce | 241 | /* signing */ |
bf160551 | 242 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, |
0f113f3e MC |
243 | unsigned char *to, RSA *rsa, int padding) |
244 | { | |
245 | BIGNUM *f, *ret, *res; | |
582ad5d4 | 246 | int i, num = 0, r = -1; |
0f113f3e MC |
247 | unsigned char *buf = NULL; |
248 | BN_CTX *ctx = NULL; | |
249 | int local_blinding = 0; | |
250 | /* | |
251 | * Used only if the blinding structure is shared. A non-NULL unblind | |
252 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
253 | * the unblinding factor outside the blinding structure. | |
254 | */ | |
255 | BIGNUM *unblind = NULL; | |
256 | BN_BLINDING *blinding = NULL; | |
257 | ||
afb638f1 | 258 | if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) |
0f113f3e MC |
259 | goto err; |
260 | BN_CTX_start(ctx); | |
261 | f = BN_CTX_get(ctx); | |
262 | ret = BN_CTX_get(ctx); | |
263 | num = BN_num_bytes(rsa->n); | |
264 | buf = OPENSSL_malloc(num); | |
e077455e | 265 | if (ret == NULL || buf == NULL) |
0f113f3e | 266 | goto err; |
0f113f3e MC |
267 | |
268 | switch (padding) { | |
269 | case RSA_PKCS1_PADDING: | |
270 | i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); | |
271 | break; | |
272 | case RSA_X931_PADDING: | |
273 | i = RSA_padding_add_X931(buf, num, from, flen); | |
274 | break; | |
275 | case RSA_NO_PADDING: | |
276 | i = RSA_padding_add_none(buf, num, from, flen); | |
277 | break; | |
0f113f3e | 278 | default: |
9311d0c4 | 279 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
280 | goto err; |
281 | } | |
282 | if (i <= 0) | |
283 | goto err; | |
284 | ||
285 | if (BN_bin2bn(buf, num, f) == NULL) | |
286 | goto err; | |
287 | ||
288 | if (BN_ucmp(f, rsa->n) >= 0) { | |
289 | /* usually the padding functions would catch this */ | |
9311d0c4 | 290 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
0f113f3e MC |
291 | goto err; |
292 | } | |
293 | ||
2cc3f68c AP |
294 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) |
295 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, | |
296 | rsa->n, ctx)) | |
297 | goto err; | |
298 | ||
0f113f3e MC |
299 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { |
300 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
301 | if (blinding == NULL) { | |
9311d0c4 | 302 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
303 | goto err; |
304 | } | |
305 | } | |
306 | ||
307 | if (blinding != NULL) { | |
308 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { | |
e077455e | 309 | ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB); |
0f113f3e MC |
310 | goto err; |
311 | } | |
312 | if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
313 | goto err; | |
314 | } | |
315 | ||
316 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) || | |
665d899f | 317 | (rsa->version == RSA_ASN1_VERSION_MULTI) || |
0f113f3e MC |
318 | ((rsa->p != NULL) && |
319 | (rsa->q != NULL) && | |
320 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { | |
321 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | |
322 | goto err; | |
323 | } else { | |
5584f65a MC |
324 | BIGNUM *d = BN_new(); |
325 | if (d == NULL) { | |
e077455e | 326 | ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB); |
5584f65a | 327 | goto err; |
fd7d2520 | 328 | } |
7408f675 | 329 | if (rsa->d == NULL) { |
9311d0c4 | 330 | ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); |
7408f675 DO |
331 | BN_free(d); |
332 | goto err; | |
333 | } | |
5584f65a | 334 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
0f113f3e | 335 | |
0f113f3e MC |
336 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, |
337 | rsa->_method_mod_n)) { | |
5584f65a | 338 | BN_free(d); |
0f113f3e MC |
339 | goto err; |
340 | } | |
5584f65a MC |
341 | /* We MUST free d before any further use of rsa->d */ |
342 | BN_free(d); | |
0f113f3e MC |
343 | } |
344 | ||
345 | if (blinding) | |
346 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | |
347 | goto err; | |
348 | ||
349 | if (padding == RSA_X931_PADDING) { | |
3d3cbce5 P |
350 | if (!BN_sub(f, rsa->n, ret)) |
351 | goto err; | |
0f113f3e MC |
352 | if (BN_cmp(ret, f) > 0) |
353 | res = f; | |
354 | else | |
355 | res = ret; | |
90862ab4 | 356 | } else { |
0f113f3e | 357 | res = ret; |
90862ab4 | 358 | } |
0f113f3e MC |
359 | |
360 | /* | |
582ad5d4 AP |
361 | * BN_bn2binpad puts in leading 0 bytes if the number is less than |
362 | * the length of the modulus. | |
0f113f3e | 363 | */ |
582ad5d4 | 364 | r = BN_bn2binpad(res, to, num); |
0f113f3e | 365 | err: |
ce1415ed | 366 | BN_CTX_end(ctx); |
23a1d5e9 | 367 | BN_CTX_free(ctx); |
4b45c6e5 | 368 | OPENSSL_clear_free(buf, num); |
8686c474 | 369 | return r; |
0f113f3e | 370 | } |
58964a49 | 371 | |
b1892d21 DB |
372 | static int derive_kdk(int flen, const unsigned char *from, RSA *rsa, |
373 | unsigned char *buf, int num, unsigned char *kdk) | |
374 | { | |
375 | int ret = 0; | |
376 | HMAC_CTX *hmac = NULL; | |
377 | EVP_MD *md = NULL; | |
378 | unsigned int md_len = SHA256_DIGEST_LENGTH; | |
379 | unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0}; | |
380 | /* | |
381 | * because we use d as a handle to rsa->d we need to keep it local and | |
382 | * free before any further use of rsa->d | |
383 | */ | |
384 | BIGNUM *d = BN_new(); | |
385 | ||
386 | if (d == NULL) { | |
387 | ERR_raise(ERR_LIB_RSA, ERR_R_CRYPTO_LIB); | |
388 | goto err; | |
389 | } | |
390 | if (rsa->d == NULL) { | |
391 | ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); | |
392 | BN_free(d); | |
393 | goto err; | |
394 | } | |
395 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | |
396 | if (BN_bn2binpad(d, buf, num) < 0) { | |
397 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | |
398 | BN_free(d); | |
399 | goto err; | |
400 | } | |
401 | BN_free(d); | |
402 | ||
403 | /* | |
404 | * we use hardcoded hash so that migrating between versions that use | |
405 | * different hash doesn't provide a Bleichenbacher oracle: | |
406 | * if the attacker can see that different versions return different | |
407 | * messages for the same ciphertext, they'll know that the message is | |
408 | * syntethically generated, which means that the padding check failed | |
409 | */ | |
410 | md = EVP_MD_fetch(rsa->libctx, "sha256", NULL); | |
411 | if (md == NULL) { | |
412 | ERR_raise(ERR_LIB_RSA, ERR_R_FETCH_FAILED); | |
413 | goto err; | |
414 | } | |
415 | ||
416 | if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) { | |
417 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | |
418 | goto err; | |
419 | } | |
420 | ||
421 | hmac = HMAC_CTX_new(); | |
422 | if (hmac == NULL) { | |
423 | ERR_raise(ERR_LIB_RSA, ERR_R_CRYPTO_LIB); | |
424 | goto err; | |
425 | } | |
426 | ||
427 | if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) { | |
428 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | |
429 | goto err; | |
430 | } | |
431 | ||
432 | if (flen < num) { | |
433 | memset(buf, 0, num - flen); | |
434 | if (HMAC_Update(hmac, buf, num - flen) <= 0) { | |
435 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | |
436 | goto err; | |
437 | } | |
438 | } | |
439 | if (HMAC_Update(hmac, from, flen) <= 0) { | |
440 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | |
441 | goto err; | |
442 | } | |
443 | ||
444 | md_len = SHA256_DIGEST_LENGTH; | |
445 | if (HMAC_Final(hmac, kdk, &md_len) <= 0) { | |
446 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); | |
447 | goto err; | |
448 | } | |
449 | ret = 1; | |
450 | ||
451 | err: | |
452 | HMAC_CTX_free(hmac); | |
453 | EVP_MD_free(md); | |
454 | return ret; | |
455 | } | |
456 | ||
bf160551 | 457 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, |
0f113f3e MC |
458 | unsigned char *to, RSA *rsa, int padding) |
459 | { | |
460 | BIGNUM *f, *ret; | |
461 | int j, num = 0, r = -1; | |
0f113f3e | 462 | unsigned char *buf = NULL; |
7fc67e0a | 463 | unsigned char kdk[SHA256_DIGEST_LENGTH] = {0}; |
0f113f3e MC |
464 | BN_CTX *ctx = NULL; |
465 | int local_blinding = 0; | |
466 | /* | |
467 | * Used only if the blinding structure is shared. A non-NULL unblind | |
468 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
469 | * the unblinding factor outside the blinding structure. | |
470 | */ | |
471 | BIGNUM *unblind = NULL; | |
472 | BN_BLINDING *blinding = NULL; | |
473 | ||
5ab3ec1b HK |
474 | /* |
475 | * we need the value of the private exponent to perform implicit rejection | |
476 | */ | |
477 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING)) | |
478 | padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; | |
479 | ||
afb638f1 | 480 | if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) |
0f113f3e MC |
481 | goto err; |
482 | BN_CTX_start(ctx); | |
483 | f = BN_CTX_get(ctx); | |
484 | ret = BN_CTX_get(ctx); | |
e077455e RL |
485 | if (ret == NULL) { |
486 | ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB); | |
487 | goto err; | |
488 | } | |
0f113f3e MC |
489 | num = BN_num_bytes(rsa->n); |
490 | buf = OPENSSL_malloc(num); | |
e077455e | 491 | if (buf == NULL) |
0f113f3e | 492 | goto err; |
0f113f3e MC |
493 | |
494 | /* | |
495 | * This check was for equality but PGP does evil things and chops off the | |
496 | * top '0' bytes | |
497 | */ | |
498 | if (flen > num) { | |
9311d0c4 | 499 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN); |
0f113f3e MC |
500 | goto err; |
501 | } | |
502 | ||
7fc67e0a HK |
503 | if (flen < 1) { |
504 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL); | |
505 | goto err; | |
506 | } | |
507 | ||
0f113f3e MC |
508 | /* make data into a big number */ |
509 | if (BN_bin2bn(from, (int)flen, f) == NULL) | |
510 | goto err; | |
511 | ||
512 | if (BN_ucmp(f, rsa->n) >= 0) { | |
9311d0c4 | 513 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
0f113f3e MC |
514 | goto err; |
515 | } | |
516 | ||
517 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { | |
518 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
519 | if (blinding == NULL) { | |
9311d0c4 | 520 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
521 | goto err; |
522 | } | |
523 | } | |
524 | ||
525 | if (blinding != NULL) { | |
526 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { | |
e077455e | 527 | ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB); |
0f113f3e MC |
528 | goto err; |
529 | } | |
530 | if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
531 | goto err; | |
532 | } | |
533 | ||
534 | /* do the decrypt */ | |
535 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) || | |
665d899f | 536 | (rsa->version == RSA_ASN1_VERSION_MULTI) || |
0f113f3e MC |
537 | ((rsa->p != NULL) && |
538 | (rsa->q != NULL) && | |
539 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { | |
540 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | |
541 | goto err; | |
542 | } else { | |
5584f65a MC |
543 | BIGNUM *d = BN_new(); |
544 | if (d == NULL) { | |
e077455e | 545 | ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB); |
5584f65a | 546 | goto err; |
7408f675 DO |
547 | } |
548 | if (rsa->d == NULL) { | |
9311d0c4 | 549 | ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); |
7408f675 DO |
550 | BN_free(d); |
551 | goto err; | |
fd7d2520 | 552 | } |
5584f65a | 553 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
0f113f3e MC |
554 | |
555 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
556 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
557 | rsa->n, ctx)) { | |
5584f65a | 558 | BN_free(d); |
0f113f3e MC |
559 | goto err; |
560 | } | |
561 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, | |
562 | rsa->_method_mod_n)) { | |
5584f65a | 563 | BN_free(d); |
0f113f3e MC |
564 | goto err; |
565 | } | |
5584f65a MC |
566 | /* We MUST free d before any further use of rsa->d */ |
567 | BN_free(d); | |
0f113f3e MC |
568 | } |
569 | ||
7fc67e0a HK |
570 | /* |
571 | * derive the Key Derivation Key from private exponent and public | |
572 | * ciphertext | |
573 | */ | |
5ab3ec1b | 574 | if (padding == RSA_PKCS1_PADDING) { |
b1892d21 | 575 | if (derive_kdk(flen, from, rsa, buf, num, kdk) == 0) |
7fc67e0a | 576 | goto err; |
b1892d21 | 577 | } |
7fc67e0a | 578 | |
b1892d21 | 579 | if (blinding) { |
7fc67e0a | 580 | /* |
b1892d21 DB |
581 | * ossl_bn_rsa_do_unblind() combines blinding inversion and |
582 | * 0-padded BN BE serialization | |
7fc67e0a | 583 | */ |
b1892d21 DB |
584 | j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, |
585 | buf, num); | |
586 | if (j == 0) | |
7fc67e0a | 587 | goto err; |
b1892d21 DB |
588 | } else { |
589 | j = BN_bn2binpad(ret, buf, num); | |
590 | if (j < 0) | |
7fc67e0a | 591 | goto err; |
7fc67e0a HK |
592 | } |
593 | ||
0f113f3e | 594 | switch (padding) { |
5ab3ec1b HK |
595 | case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING: |
596 | r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); | |
597 | break; | |
0f113f3e | 598 | case RSA_PKCS1_PADDING: |
5ab3ec1b | 599 | r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); |
0f113f3e | 600 | break; |
0f113f3e MC |
601 | case RSA_PKCS1_OAEP_PADDING: |
602 | r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); | |
603 | break; | |
0f113f3e | 604 | case RSA_NO_PADDING: |
582ad5d4 | 605 | memcpy(to, buf, (r = j)); |
0f113f3e MC |
606 | break; |
607 | default: | |
9311d0c4 | 608 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
609 | goto err; |
610 | } | |
f844f9eb | 611 | #ifndef FIPS_MODULE |
afb638f1 MC |
612 | /* |
613 | * This trick doesn't work in the FIPS provider because libcrypto manages | |
614 | * the error stack. Instead we opt not to put an error on the stack at all | |
615 | * in case of padding failure in the FIPS provider. | |
616 | */ | |
9311d0c4 | 617 | ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED); |
94dc53a3 | 618 | err_clear_last_constant_time(1 & ~constant_time_msb(r)); |
afb638f1 | 619 | #endif |
0f113f3e MC |
620 | |
621 | err: | |
ce1415ed | 622 | BN_CTX_end(ctx); |
23a1d5e9 | 623 | BN_CTX_free(ctx); |
4b45c6e5 | 624 | OPENSSL_clear_free(buf, num); |
8686c474 | 625 | return r; |
0f113f3e | 626 | } |
58964a49 | 627 | |
24cff6ce | 628 | /* signature verification */ |
bf160551 | 629 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, |
0f113f3e MC |
630 | unsigned char *to, RSA *rsa, int padding) |
631 | { | |
632 | BIGNUM *f, *ret; | |
633 | int i, num = 0, r = -1; | |
0f113f3e MC |
634 | unsigned char *buf = NULL; |
635 | BN_CTX *ctx = NULL; | |
636 | ||
637 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { | |
9311d0c4 | 638 | ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); |
0f113f3e MC |
639 | return -1; |
640 | } | |
641 | ||
642 | if (BN_ucmp(rsa->n, rsa->e) <= 0) { | |
9311d0c4 | 643 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
644 | return -1; |
645 | } | |
646 | ||
647 | /* for large moduli, enforce exponent limit */ | |
648 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { | |
649 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { | |
9311d0c4 | 650 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
651 | return -1; |
652 | } | |
653 | } | |
654 | ||
afb638f1 | 655 | if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) |
0f113f3e MC |
656 | goto err; |
657 | BN_CTX_start(ctx); | |
658 | f = BN_CTX_get(ctx); | |
659 | ret = BN_CTX_get(ctx); | |
e077455e RL |
660 | if (ret == NULL) { |
661 | ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB); | |
662 | goto err; | |
663 | } | |
0f113f3e MC |
664 | num = BN_num_bytes(rsa->n); |
665 | buf = OPENSSL_malloc(num); | |
e077455e | 666 | if (buf == NULL) |
0f113f3e | 667 | goto err; |
0f113f3e MC |
668 | |
669 | /* | |
670 | * This check was for equality but PGP does evil things and chops off the | |
671 | * top '0' bytes | |
672 | */ | |
673 | if (flen > num) { | |
9311d0c4 | 674 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN); |
0f113f3e MC |
675 | goto err; |
676 | } | |
677 | ||
678 | if (BN_bin2bn(from, flen, f) == NULL) | |
679 | goto err; | |
680 | ||
681 | if (BN_ucmp(f, rsa->n) >= 0) { | |
9311d0c4 | 682 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
0f113f3e MC |
683 | goto err; |
684 | } | |
685 | ||
686 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
687 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
688 | rsa->n, ctx)) | |
0f113f3e MC |
689 | goto err; |
690 | ||
691 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, | |
692 | rsa->_method_mod_n)) | |
693 | goto err; | |
694 | ||
695 | if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12)) | |
696 | if (!BN_sub(ret, rsa->n, ret)) | |
697 | goto err; | |
698 | ||
582ad5d4 | 699 | i = BN_bn2binpad(ret, buf, num); |
4a3dd629 P |
700 | if (i < 0) |
701 | goto err; | |
0f113f3e MC |
702 | |
703 | switch (padding) { | |
704 | case RSA_PKCS1_PADDING: | |
705 | r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); | |
706 | break; | |
707 | case RSA_X931_PADDING: | |
708 | r = RSA_padding_check_X931(to, num, buf, i, num); | |
709 | break; | |
710 | case RSA_NO_PADDING: | |
582ad5d4 | 711 | memcpy(to, buf, (r = i)); |
0f113f3e MC |
712 | break; |
713 | default: | |
9311d0c4 | 714 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
715 | goto err; |
716 | } | |
717 | if (r < 0) | |
9311d0c4 | 718 | ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED); |
0f113f3e MC |
719 | |
720 | err: | |
ce1415ed | 721 | BN_CTX_end(ctx); |
23a1d5e9 | 722 | BN_CTX_free(ctx); |
4b45c6e5 | 723 | OPENSSL_clear_free(buf, num); |
8686c474 | 724 | return r; |
0f113f3e | 725 | } |
58964a49 | 726 | |
bf160551 | 727 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) |
0f113f3e | 728 | { |
afb638f1 MC |
729 | BIGNUM *r1, *m1, *vrfy; |
730 | int ret = 0, smooth = 0; | |
f844f9eb | 731 | #ifndef FIPS_MODULE |
afb638f1 MC |
732 | BIGNUM *r2, *m[RSA_MAX_PRIME_NUM - 2]; |
733 | int i, ex_primes = 0; | |
665d899f | 734 | RSA_PRIME_INFO *pinfo; |
afb638f1 | 735 | #endif |
0f113f3e | 736 | |
c804d23d PC |
737 | BN_CTX_start(ctx); |
738 | ||
0f113f3e | 739 | r1 = BN_CTX_get(ctx); |
f844f9eb | 740 | #ifndef FIPS_MODULE |
665d899f | 741 | r2 = BN_CTX_get(ctx); |
afb638f1 | 742 | #endif |
0f113f3e MC |
743 | m1 = BN_CTX_get(ctx); |
744 | vrfy = BN_CTX_get(ctx); | |
5625567f BE |
745 | if (vrfy == NULL) |
746 | goto err; | |
0f113f3e | 747 | |
f844f9eb | 748 | #ifndef FIPS_MODULE |
665d899f | 749 | if (rsa->version == RSA_ASN1_VERSION_MULTI |
a1471588 BE |
750 | && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0 |
751 | || ex_primes > RSA_MAX_PRIME_NUM - 2)) | |
665d899f | 752 | goto err; |
afb638f1 | 753 | #endif |
665d899f | 754 | |
41bfd5e7 AP |
755 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { |
756 | BIGNUM *factor = BN_new(); | |
757 | ||
758 | if (factor == NULL) | |
759 | goto err; | |
0f113f3e MC |
760 | |
761 | /* | |
0d4fb843 | 762 | * Make sure BN_mod_inverse in Montgomery initialization uses the |
5584f65a | 763 | * BN_FLG_CONSTTIME flag |
0f113f3e | 764 | */ |
41bfd5e7 AP |
765 | if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME), |
766 | BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock, | |
767 | factor, ctx)) | |
768 | || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME), | |
769 | BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock, | |
770 | factor, ctx))) { | |
771 | BN_free(factor); | |
5584f65a | 772 | goto err; |
0f113f3e | 773 | } |
f844f9eb | 774 | #ifndef FIPS_MODULE |
41bfd5e7 AP |
775 | for (i = 0; i < ex_primes; i++) { |
776 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
777 | BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME); | |
778 | if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) { | |
779 | BN_free(factor); | |
0f113f3e MC |
780 | goto err; |
781 | } | |
782 | } | |
afb638f1 | 783 | #endif |
fd7d2520 | 784 | /* |
41bfd5e7 | 785 | * We MUST free |factor| before any further use of the prime factors |
fd7d2520 | 786 | */ |
41bfd5e7 AP |
787 | BN_free(factor); |
788 | ||
afb638f1 | 789 | smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont) |
f844f9eb | 790 | #ifndef FIPS_MODULE |
afb638f1 MC |
791 | && (ex_primes == 0) |
792 | #endif | |
41bfd5e7 | 793 | && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p)); |
0f113f3e MC |
794 | } |
795 | ||
796 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
797 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
798 | rsa->n, ctx)) | |
799 | goto err; | |
800 | ||
801 | if (smooth) { | |
802 | /* | |
803 | * Conversion from Montgomery domain, a.k.a. Montgomery reduction, | |
804 | * accepts values in [0-m*2^w) range. w is m's bit width rounded up | |
805 | * to limb width. So that at the very least if |I| is fully reduced, | |
806 | * i.e. less than p*q, we can count on from-to round to perform | |
807 | * below modulo operations on |I|. Unlike BN_mod it's constant time. | |
808 | */ | |
809 | if (/* m1 = I moq q */ | |
810 | !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx) | |
811 | || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx) | |
41bfd5e7 AP |
812 | /* r1 = I mod p */ |
813 | || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx) | |
814 | || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) | |
c781eb1c AM |
815 | /* |
816 | * Use parallel exponentiations optimization if possible, | |
817 | * otherwise fallback to two sequential exponentiations: | |
818 | * m1 = m1^dmq1 mod q | |
819 | * r1 = r1^dmp1 mod p | |
820 | */ | |
821 | || !BN_mod_exp_mont_consttime_x2(m1, m1, rsa->dmq1, rsa->q, | |
822 | rsa->_method_mod_q, | |
823 | r1, r1, rsa->dmp1, rsa->p, | |
824 | rsa->_method_mod_p, | |
825 | ctx) | |
41bfd5e7 AP |
826 | /* r1 = (r1 - m1) mod p */ |
827 | /* | |
828 | * bn_mod_sub_fixed_top is not regular modular subtraction, | |
829 | * it can tolerate subtrahend to be larger than modulus, but | |
830 | * not bit-wise wider. This makes up for uncommon q>p case, | |
831 | * when |m1| can be larger than |rsa->p|. | |
832 | */ | |
833 | || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p) | |
834 | ||
d1c008f6 | 835 | /* r1 = r1 * iqmp mod p */ |
41bfd5e7 AP |
836 | || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) |
837 | || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, | |
838 | ctx) | |
d1c008f6 | 839 | /* r0 = r1 * q + m1 */ |
41bfd5e7 AP |
840 | || !bn_mul_fixed_top(r0, r1, rsa->q, ctx) |
841 | || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n)) | |
0f113f3e MC |
842 | goto err; |
843 | ||
41bfd5e7 AP |
844 | goto tail; |
845 | } | |
846 | ||
0f113f3e | 847 | /* compute I mod q */ |
fd7d2520 | 848 | { |
5584f65a MC |
849 | BIGNUM *c = BN_new(); |
850 | if (c == NULL) | |
851 | goto err; | |
852 | BN_with_flags(c, I, BN_FLG_CONSTTIME); | |
853 | ||
fd7d2520 | 854 | if (!BN_mod(r1, c, rsa->q, ctx)) { |
5584f65a | 855 | BN_free(c); |
0f113f3e | 856 | goto err; |
fd7d2520 | 857 | } |
0f113f3e | 858 | |
fd7d2520 | 859 | { |
5584f65a MC |
860 | BIGNUM *dmq1 = BN_new(); |
861 | if (dmq1 == NULL) { | |
862 | BN_free(c); | |
863 | goto err; | |
fd7d2520 | 864 | } |
5584f65a MC |
865 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); |
866 | ||
867 | /* compute r1^dmq1 mod q */ | |
fd7d2520 | 868 | if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, |
41bfd5e7 | 869 | rsa->_method_mod_q)) { |
5584f65a MC |
870 | BN_free(c); |
871 | BN_free(dmq1); | |
fd7d2520 MC |
872 | goto err; |
873 | } | |
5584f65a MC |
874 | /* We MUST free dmq1 before any further use of rsa->dmq1 */ |
875 | BN_free(dmq1); | |
fd7d2520 | 876 | } |
0f113f3e | 877 | |
fd7d2520 MC |
878 | /* compute I mod p */ |
879 | if (!BN_mod(r1, c, rsa->p, ctx)) { | |
5584f65a | 880 | BN_free(c); |
0f113f3e | 881 | goto err; |
fd7d2520 | 882 | } |
5584f65a MC |
883 | /* We MUST free c before any further use of I */ |
884 | BN_free(c); | |
0f113f3e MC |
885 | } |
886 | ||
fd7d2520 | 887 | { |
5584f65a MC |
888 | BIGNUM *dmp1 = BN_new(); |
889 | if (dmp1 == NULL) | |
890 | goto err; | |
891 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); | |
892 | ||
fd7d2520 | 893 | /* compute r1^dmp1 mod p */ |
fd7d2520 MC |
894 | if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, |
895 | rsa->_method_mod_p)) { | |
5584f65a | 896 | BN_free(dmp1); |
fd7d2520 MC |
897 | goto err; |
898 | } | |
5584f65a MC |
899 | /* We MUST free dmp1 before any further use of rsa->dmp1 */ |
900 | BN_free(dmp1); | |
fd7d2520 | 901 | } |
0f113f3e | 902 | |
f844f9eb | 903 | #ifndef FIPS_MODULE |
665d899f PY |
904 | if (ex_primes > 0) { |
905 | BIGNUM *di = BN_new(), *cc = BN_new(); | |
906 | ||
907 | if (cc == NULL || di == NULL) { | |
908 | BN_free(cc); | |
909 | BN_free(di); | |
910 | goto err; | |
911 | } | |
912 | ||
913 | for (i = 0; i < ex_primes; i++) { | |
914 | /* prepare m_i */ | |
915 | if ((m[i] = BN_CTX_get(ctx)) == NULL) { | |
916 | BN_free(cc); | |
917 | BN_free(di); | |
918 | goto err; | |
919 | } | |
920 | ||
921 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
922 | ||
923 | /* prepare c and d_i */ | |
924 | BN_with_flags(cc, I, BN_FLG_CONSTTIME); | |
925 | BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME); | |
926 | ||
927 | if (!BN_mod(r1, cc, pinfo->r, ctx)) { | |
928 | BN_free(cc); | |
929 | BN_free(di); | |
930 | goto err; | |
931 | } | |
932 | /* compute r1 ^ d_i mod r_i */ | |
933 | if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) { | |
934 | BN_free(cc); | |
935 | BN_free(di); | |
936 | goto err; | |
937 | } | |
938 | } | |
939 | ||
940 | BN_free(cc); | |
941 | BN_free(di); | |
942 | } | |
afb638f1 | 943 | #endif |
665d899f | 944 | |
0f113f3e MC |
945 | if (!BN_sub(r0, r0, m1)) |
946 | goto err; | |
947 | /* | |
948 | * This will help stop the size of r0 increasing, which does affect the | |
949 | * multiply if it optimised for a power of 2 size | |
950 | */ | |
951 | if (BN_is_negative(r0)) | |
952 | if (!BN_add(r0, r0, rsa->p)) | |
953 | goto err; | |
954 | ||
955 | if (!BN_mul(r1, r0, rsa->iqmp, ctx)) | |
956 | goto err; | |
957 | ||
fd7d2520 | 958 | { |
5584f65a MC |
959 | BIGNUM *pr1 = BN_new(); |
960 | if (pr1 == NULL) | |
961 | goto err; | |
962 | BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); | |
963 | ||
fd7d2520 | 964 | if (!BN_mod(r0, pr1, rsa->p, ctx)) { |
5584f65a | 965 | BN_free(pr1); |
fd7d2520 MC |
966 | goto err; |
967 | } | |
5584f65a MC |
968 | /* We MUST free pr1 before any further use of r1 */ |
969 | BN_free(pr1); | |
fd7d2520 | 970 | } |
0f113f3e MC |
971 | |
972 | /* | |
973 | * If p < q it is occasionally possible for the correction of adding 'p' | |
974 | * if r0 is negative above to leave the result still negative. This can | |
975 | * break the private key operations: the following second correction | |
976 | * should *always* correct this rare occurrence. This will *never* happen | |
977 | * with OpenSSL generated keys because they ensure p > q [steve] | |
978 | */ | |
979 | if (BN_is_negative(r0)) | |
980 | if (!BN_add(r0, r0, rsa->p)) | |
981 | goto err; | |
982 | if (!BN_mul(r1, r0, rsa->q, ctx)) | |
983 | goto err; | |
984 | if (!BN_add(r0, r1, m1)) | |
985 | goto err; | |
986 | ||
f844f9eb | 987 | #ifndef FIPS_MODULE |
665d899f PY |
988 | /* add m_i to m in multi-prime case */ |
989 | if (ex_primes > 0) { | |
990 | BIGNUM *pr2 = BN_new(); | |
991 | ||
992 | if (pr2 == NULL) | |
993 | goto err; | |
994 | ||
995 | for (i = 0; i < ex_primes; i++) { | |
996 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
997 | if (!BN_sub(r1, m[i], r0)) { | |
998 | BN_free(pr2); | |
999 | goto err; | |
1000 | } | |
1001 | ||
1002 | if (!BN_mul(r2, r1, pinfo->t, ctx)) { | |
1003 | BN_free(pr2); | |
1004 | goto err; | |
1005 | } | |
1006 | ||
1007 | BN_with_flags(pr2, r2, BN_FLG_CONSTTIME); | |
1008 | ||
1009 | if (!BN_mod(r1, pr2, pinfo->r, ctx)) { | |
1010 | BN_free(pr2); | |
1011 | goto err; | |
1012 | } | |
1013 | ||
1014 | if (BN_is_negative(r1)) | |
1015 | if (!BN_add(r1, r1, pinfo->r)) { | |
1016 | BN_free(pr2); | |
1017 | goto err; | |
1018 | } | |
1019 | if (!BN_mul(r1, r1, pinfo->pp, ctx)) { | |
1020 | BN_free(pr2); | |
1021 | goto err; | |
1022 | } | |
1023 | if (!BN_add(r0, r0, r1)) { | |
1024 | BN_free(pr2); | |
1025 | goto err; | |
1026 | } | |
1027 | } | |
1028 | BN_free(pr2); | |
1029 | } | |
afb638f1 | 1030 | #endif |
665d899f | 1031 | |
41bfd5e7 | 1032 | tail: |
0f113f3e | 1033 | if (rsa->e && rsa->n) { |
41bfd5e7 AP |
1034 | if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) { |
1035 | if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx, | |
1036 | rsa->_method_mod_n)) | |
1037 | goto err; | |
1038 | } else { | |
1039 | bn_correct_top(r0); | |
1040 | if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, | |
1041 | rsa->_method_mod_n)) | |
1042 | goto err; | |
1043 | } | |
0f113f3e MC |
1044 | /* |
1045 | * If 'I' was greater than (or equal to) rsa->n, the operation will | |
1046 | * be equivalent to using 'I mod n'. However, the result of the | |
1047 | * verify will *always* be less than 'n' so we don't check for | |
1048 | * absolute equality, just congruency. | |
1049 | */ | |
1050 | if (!BN_sub(vrfy, vrfy, I)) | |
1051 | goto err; | |
41bfd5e7 AP |
1052 | if (BN_is_zero(vrfy)) { |
1053 | bn_correct_top(r0); | |
1054 | ret = 1; | |
1055 | goto err; /* not actually error */ | |
1056 | } | |
0f113f3e MC |
1057 | if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) |
1058 | goto err; | |
1059 | if (BN_is_negative(vrfy)) | |
1060 | if (!BN_add(vrfy, vrfy, rsa->n)) | |
1061 | goto err; | |
1062 | if (!BN_is_zero(vrfy)) { | |
1063 | /* | |
1064 | * 'I' and 'vrfy' aren't congruent mod n. Don't leak | |
1065 | * miscalculated CRT output, just do a raw (slower) mod_exp and | |
1066 | * return that instead. | |
1067 | */ | |
1068 | ||
5584f65a MC |
1069 | BIGNUM *d = BN_new(); |
1070 | if (d == NULL) | |
1071 | goto err; | |
1072 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | |
0f113f3e | 1073 | |
0f113f3e MC |
1074 | if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, |
1075 | rsa->_method_mod_n)) { | |
5584f65a | 1076 | BN_free(d); |
0f113f3e MC |
1077 | goto err; |
1078 | } | |
5584f65a MC |
1079 | /* We MUST free d before any further use of rsa->d */ |
1080 | BN_free(d); | |
0f113f3e MC |
1081 | } |
1082 | } | |
41bfd5e7 AP |
1083 | /* |
1084 | * It's unfortunate that we have to bn_correct_top(r0). What hopefully | |
1085 | * saves the day is that correction is highly unlike, and private key | |
1086 | * operations are customarily performed on blinded message. Which means | |
1087 | * that attacker won't observe correlation with chosen plaintext. | |
1088 | * Secondly, remaining code would still handle it in same computational | |
1089 | * time and even conceal memory access pattern around corrected top. | |
1090 | */ | |
1091 | bn_correct_top(r0); | |
0f113f3e MC |
1092 | ret = 1; |
1093 | err: | |
0f113f3e | 1094 | BN_CTX_end(ctx); |
8686c474 | 1095 | return ret; |
0f113f3e | 1096 | } |
58964a49 | 1097 | |
bf160551 | 1098 | static int rsa_ossl_init(RSA *rsa) |
0f113f3e MC |
1099 | { |
1100 | rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; | |
8686c474 | 1101 | return 1; |
0f113f3e | 1102 | } |
58964a49 | 1103 | |
bf160551 | 1104 | static int rsa_ossl_finish(RSA *rsa) |
0f113f3e | 1105 | { |
f844f9eb | 1106 | #ifndef FIPS_MODULE |
665d899f PY |
1107 | int i; |
1108 | RSA_PRIME_INFO *pinfo; | |
1109 | ||
665d899f PY |
1110 | for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) { |
1111 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
1112 | BN_MONT_CTX_free(pinfo->m); | |
1113 | } | |
afb638f1 MC |
1114 | #endif |
1115 | ||
1116 | BN_MONT_CTX_free(rsa->_method_mod_n); | |
1117 | BN_MONT_CTX_free(rsa->_method_mod_p); | |
1118 | BN_MONT_CTX_free(rsa->_method_mod_q); | |
8686c474 | 1119 | return 1; |
0f113f3e | 1120 | } |