[thirdparty/openssl.git] / crypto / rsa / rsa_eay.c

/* crypto/rsa/rsa_eay.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>

static int RSA_eay_public_encrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_encrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_public_decrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_decrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
static int RSA_eay_init(RSA *rsa);
static int RSA_eay_finish(RSA *rsa);
static RSA_METHOD rsa_pkcs1_eay_meth={
	"Eric Young's PKCS#1 RSA",
	RSA_eay_public_encrypt,
	RSA_eay_public_decrypt,
	RSA_eay_private_encrypt,
	RSA_eay_private_decrypt,
	RSA_eay_mod_exp,
	BN_mod_exp_mont,
	RSA_eay_init,
	RSA_eay_finish,
	0,
	NULL,
	};

RSA_METHOD *RSA_PKCS1_SSLeay(void)
	{
	return(&rsa_pkcs1_eay_meth);
	}

static int RSA_eay_public_encrypt(int flen, unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
		break;
#ifndef NO_SHA
	case RSA_PKCS1_OAEP_PADDING:
	        i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
		break;
#endif
	case RSA_SSLV23_PADDING:
		i=RSA_padding_add_SSLv23(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
	
	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		{
		if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
			if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
			    goto err;
		}

	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL) 
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_private_encrypt(int flen, unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	case RSA_SSLV23_PADDING:
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	if (	(rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL))
		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&ret);
	BN_clear_free(&f);
	if (buf != NULL)
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_private_decrypt(int flen, unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int j,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);

	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equallity but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	/* make data into a big number */
	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	/* do the decrypt */
	if (	(rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL))
		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
			goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	p=buf;
	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
		break;
#ifndef NO_SHA
        case RSA_PKCS1_OAEP_PADDING:
	        r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
                break;
#endif
 	case RSA_SSLV23_PADDING:
		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,j,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_public_decrypt(int flen, unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int i,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);
	buf=(unsigned char *)Malloc(num);
	if (buf == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equallity but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
	/* do the decrypt */
	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		{
		if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
			if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
			    goto err;
		}

	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	p=buf;
	i=BN_bn2bin(&ret,p);

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,i,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
	{
	BIGNUM r1,m1;
	int ret=0;
	BN_CTX *ctx;

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	BN_init(&m1);
	BN_init(&r1);

	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
		{
		if (rsa->_method_mod_p == NULL)
			{
			if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
				if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
						     ctx))
					goto err;
			}
		if (rsa->_method_mod_q == NULL)
			{
			if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
				if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
						     ctx))
					goto err;
			}
		}

	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
		rsa->_method_mod_q)) goto err;

	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
		rsa->_method_mod_p)) goto err;

	if (!BN_sub(r0,r0,&m1)) goto err;
	/* This will help stop the size of r0 increasing, which does
	 * affect the multiply if it optimised for a power of 2 size */
	if (r0->neg)
		if (!BN_add(r0,r0,rsa->p)) goto err;

	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
	/* If p < q it is occasionally possible for the correction of
         * adding 'p' if r0 is negative above to leave the result still
	 * negative. This can break the private key operations: the following
	 * second correction should *always* correct this rare occurrence.
	 * This will *never* happen with OpenSSL generated keys because
         * they ensure p > q [steve]
         */
	if (r0->neg)
		if (!BN_add(r0,r0,rsa->p)) goto err;
	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
	if (!BN_add(r0,&r1,&m1)) goto err;

	ret=1;
err:
	BN_clear_free(&m1);
	BN_clear_free(&r1);
	BN_CTX_free(ctx);
	return(ret);
	}

static int RSA_eay_init(RSA *rsa)
	{
	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
	return(1);
	}

static int RSA_eay_finish(RSA *rsa)
	{
	if (rsa->_method_mod_n != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_n);
	if (rsa->_method_mod_p != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_p);
	if (rsa->_method_mod_q != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_q);
	return(1);
	}
Commit	Line	Data
58964a49 RE	1	/* crypto/rsa/rsa_eay.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	#include <stdio.h>
	60	#include "cryptlib.h"
ec577822 BM	61	#include <openssl/bn.h>
	62	#include <openssl/rsa.h>
	63	#include <openssl/rand.h>
58964a49	64
58964a49 RE	65	static int RSA_eay_public_encrypt(int flen, unsigned char *from,
	66	unsigned char to, RSA rsa,int padding);
	67	static int RSA_eay_private_encrypt(int flen, unsigned char *from,
	68	unsigned char to, RSA rsa,int padding);
	69	static int RSA_eay_public_decrypt(int flen, unsigned char *from,
	70	unsigned char to, RSA rsa,int padding);
	71	static int RSA_eay_private_decrypt(int flen, unsigned char *from,
	72	unsigned char to, RSA rsa,int padding);
	73	static int RSA_eay_mod_exp(BIGNUM r0, BIGNUM i, RSA *rsa);
	74	static int RSA_eay_init(RSA *rsa);
	75	static int RSA_eay_finish(RSA *rsa);
58964a49 RE	76	static RSA_METHOD rsa_pkcs1_eay_meth={
	77	"Eric Young's PKCS#1 RSA",
	78	RSA_eay_public_encrypt,
	79	RSA_eay_public_decrypt,
	80	RSA_eay_private_encrypt,
	81	RSA_eay_private_decrypt,
	82	RSA_eay_mod_exp,
	83	BN_mod_exp_mont,
	84	RSA_eay_init,
	85	RSA_eay_finish,
	86	0,
	87	NULL,
	88	};
	89
6b691a5c	90	RSA_METHOD *RSA_PKCS1_SSLeay(void)
58964a49 RE	91	{
	92	return(&rsa_pkcs1_eay_meth);
	93	}
	94
6b691a5c UM	95	static int RSA_eay_public_encrypt(int flen, unsigned char *from,
6b691a5c UM	96	unsigned char to, RSA rsa, int padding)
58964a49	97	{
dfeab068	98	BIGNUM f,ret;
58964a49 RE	99	int i,j,k,num=0,r= -1;
	100	unsigned char *buf=NULL;
	101	BN_CTX *ctx=NULL;
	102
dfeab068 RE	103	BN_init(&f);
dfeab068 RE	104	BN_init(&ret);
58964a49 RE	105	if ((ctx=BN_CTX_new()) == NULL) goto err;
	106	num=BN_num_bytes(rsa->n);
	107	if ((buf=(unsigned char *)Malloc(num)) == NULL)
	108	{
	109	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
	110	goto err;
	111	}
	112
	113	switch (padding)
	114	{
	115	case RSA_PKCS1_PADDING:
	116	i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
	117	break;
79df9d62	118	#ifndef NO_SHA
a4949896 BL	119	case RSA_PKCS1_OAEP_PADDING:
	120	i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
	121	break;
79df9d62	122	#endif
58964a49 RE	123	case RSA_SSLV23_PADDING:
	124	i=RSA_padding_add_SSLv23(buf,num,from,flen);
	125	break;
	126	case RSA_NO_PADDING:
	127	i=RSA_padding_add_none(buf,num,from,flen);
	128	break;
	129	default:
	130	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	131	goto err;
	132	}
	133	if (i <= 0) goto err;
	134
dfeab068	135	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
58964a49	136
03f8b042	137	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
58964a49	138	{
03f8b042 BL	139	if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
	140	if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
	141	goto err;
58964a49 RE	142	}
58964a49 RE	143
dfeab068	144	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	145	rsa->_method_mod_n)) goto err;
58964a49 RE	146
	147	/* put in leading 0 bytes if the number is less than the
	148	* length of the modulus */
dfeab068 RE	149	j=BN_num_bytes(&ret);
dfeab068 RE	150	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	151	for (k=0; k<(num-i); k++)
	152	to[k]=0;
	153
	154	r=num;
	155	err:
	156	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	157	BN_clear_free(&f);
dfeab068 RE	158	BN_clear_free(&ret);
58964a49 RE	159	if (buf != NULL)
	160	{
	161	memset(buf,0,num);
	162	Free(buf);
	163	}
	164	return(r);
	165	}
	166
6b691a5c UM	167	static int RSA_eay_private_encrypt(int flen, unsigned char *from,
6b691a5c UM	168	unsigned char to, RSA rsa, int padding)
58964a49	169	{
dfeab068	170	BIGNUM f,ret;
58964a49 RE	171	int i,j,k,num=0,r= -1;
	172	unsigned char *buf=NULL;
	173	BN_CTX *ctx=NULL;
	174
dfeab068 RE	175	BN_init(&f);
	176	BN_init(&ret);
	177
58964a49 RE	178	if ((ctx=BN_CTX_new()) == NULL) goto err;
	179	num=BN_num_bytes(rsa->n);
	180	if ((buf=(unsigned char *)Malloc(num)) == NULL)
	181	{
	182	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
	183	goto err;
	184	}
	185
	186	switch (padding)
	187	{
	188	case RSA_PKCS1_PADDING:
	189	i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
	190	break;
	191	case RSA_NO_PADDING:
	192	i=RSA_padding_add_none(buf,num,from,flen);
	193	break;
	194	case RSA_SSLV23_PADDING:
	195	default:
	196	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	197	goto err;
	198	}
	199	if (i <= 0) goto err;
	200
dfeab068	201	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
58964a49 RE	202
	203	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	204	RSA_blinding_on(rsa,ctx);
	205	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	206	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49 RE	207
	208	if ( (rsa->p != NULL) &&
	209	(rsa->q != NULL) &&
	210	(rsa->dmp1 != NULL) &&
	211	(rsa->dmq1 != NULL) &&
	212	(rsa->iqmp != NULL))
dfeab068	213	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	214	else
58964a49 RE	215	{
dfeab068	216	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
58964a49 RE	217	}
	218
	219	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	220	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	221
	222	/* put in leading 0 bytes if the number is less than the
	223	* length of the modulus */
dfeab068 RE	224	j=BN_num_bytes(&ret);
dfeab068 RE	225	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	226	for (k=0; k<(num-i); k++)
	227	to[k]=0;
	228
	229	r=num;
	230	err:
	231	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	232	BN_clear_free(&ret);
dfeab068 RE	233	BN_clear_free(&f);
58964a49 RE	234	if (buf != NULL)
	235	{
	236	memset(buf,0,num);
	237	Free(buf);
	238	}
	239	return(r);
	240	}
	241
6b691a5c UM	242	static int RSA_eay_private_decrypt(int flen, unsigned char *from,
6b691a5c UM	243	unsigned char to, RSA rsa, int padding)
58964a49	244	{
dfeab068	245	BIGNUM f,ret;
58964a49 RE	246	int j,num=0,r= -1;
	247	unsigned char *p;
	248	unsigned char *buf=NULL;
	249	BN_CTX *ctx=NULL;
	250
dfeab068 RE	251	BN_init(&f);
dfeab068 RE	252	BN_init(&ret);
58964a49 RE	253	ctx=BN_CTX_new();
	254	if (ctx == NULL) goto err;
	255
	256	num=BN_num_bytes(rsa->n);
	257
	258	if ((buf=(unsigned char *)Malloc(num)) == NULL)
	259	{
	260	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
	261	goto err;
	262	}
	263
	264	/* This check was for equallity but PGP does evil things
	265	* and chops off the top '0' bytes */
	266	if (flen > num)
	267	{
	268	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	269	goto err;
	270	}
	271
	272	/* make data into a big number */
dfeab068	273	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
58964a49 RE	274
	275	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	276	RSA_blinding_on(rsa,ctx);
	277	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	278	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49 RE	279
	280	/* do the decrypt */
	281	if ( (rsa->p != NULL) &&
	282	(rsa->q != NULL) &&
	283	(rsa->dmp1 != NULL) &&
	284	(rsa->dmq1 != NULL) &&
	285	(rsa->iqmp != NULL))
dfeab068	286	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	287	else
58964a49 RE	288	{
dfeab068	289	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
58964a49 RE	290	goto err;
	291	}
	292
	293	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	294	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	295
58964a49 RE	296	p=buf;
dfeab068	297	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
58964a49 RE	298
	299	switch (padding)
	300	{
	301	case RSA_PKCS1_PADDING:
dfeab068	302	r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
58964a49	303	break;
79df9d62	304	#ifndef NO_SHA
a4949896 BL	305	case RSA_PKCS1_OAEP_PADDING:
	306	r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
	307	break;
79df9d62	308	#endif
a4949896	309	case RSA_SSLV23_PADDING:
dfeab068	310	r=RSA_padding_check_SSLv23(to,num,buf,j,num);
58964a49 RE	311	break;
58964a49 RE	312	case RSA_NO_PADDING:
dfeab068	313	r=RSA_padding_check_none(to,num,buf,j,num);
58964a49 RE	314	break;
	315	default:
	316	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	317	goto err;
	318	}
	319	if (r < 0)
	320	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	321
	322	err:
	323	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	324	BN_clear_free(&f);
dfeab068 RE	325	BN_clear_free(&ret);
58964a49 RE	326	if (buf != NULL)
	327	{
	328	memset(buf,0,num);
	329	Free(buf);
	330	}
	331	return(r);
	332	}
	333
6b691a5c UM	334	static int RSA_eay_public_decrypt(int flen, unsigned char *from,
6b691a5c UM	335	unsigned char to, RSA rsa, int padding)
58964a49	336	{
dfeab068	337	BIGNUM f,ret;
58964a49 RE	338	int i,num=0,r= -1;
	339	unsigned char *p;
	340	unsigned char *buf=NULL;
	341	BN_CTX *ctx=NULL;
	342
dfeab068 RE	343	BN_init(&f);
dfeab068 RE	344	BN_init(&ret);
58964a49 RE	345	ctx=BN_CTX_new();
	346	if (ctx == NULL) goto err;
	347
	348	num=BN_num_bytes(rsa->n);
	349	buf=(unsigned char *)Malloc(num);
	350	if (buf == NULL)
	351	{
	352	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
	353	goto err;
	354	}
	355
	356	/* This check was for equallity but PGP does evil things
	357	* and chops off the top '0' bytes */
	358	if (flen > num)
	359	{
	360	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	361	goto err;
	362	}
	363
dfeab068	364	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
58964a49	365	/* do the decrypt */
03f8b042	366	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
58964a49	367	{
03f8b042 BL	368	if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
	369	if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
	370	goto err;
58964a49 RE	371	}
58964a49 RE	372
dfeab068	373	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	374	rsa->_method_mod_n)) goto err;
58964a49 RE	375
58964a49 RE	376	p=buf;
dfeab068	377	i=BN_bn2bin(&ret,p);
58964a49 RE	378
	379	switch (padding)
	380	{
	381	case RSA_PKCS1_PADDING:
dfeab068	382	r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
58964a49 RE	383	break;
58964a49 RE	384	case RSA_NO_PADDING:
dfeab068	385	r=RSA_padding_check_none(to,num,buf,i,num);
58964a49 RE	386	break;
	387	default:
	388	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	389	goto err;
	390	}
	391	if (r < 0)
	392	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	393
	394	err:
	395	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	396	BN_clear_free(&f);
dfeab068 RE	397	BN_clear_free(&ret);
58964a49 RE	398	if (buf != NULL)
	399	{
	400	memset(buf,0,num);
	401	Free(buf);
	402	}
	403	return(r);
	404	}
	405
6b691a5c	406	static int RSA_eay_mod_exp(BIGNUM r0, BIGNUM I, RSA *rsa)
58964a49	407	{
dfeab068	408	BIGNUM r1,m1;
58964a49 RE	409	int ret=0;
	410	BN_CTX *ctx;
	411
	412	if ((ctx=BN_CTX_new()) == NULL) goto err;
dfeab068 RE	413	BN_init(&m1);
dfeab068 RE	414	BN_init(&r1);
58964a49 RE	415
	416	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
	417	{
03f8b042	418	if (rsa->_method_mod_p == NULL)
58964a49	419	{
03f8b042 BL	420	if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
	421	if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
	422	ctx))
58964a49 RE	423	goto err;
58964a49 RE	424	}
03f8b042	425	if (rsa->_method_mod_q == NULL)
58964a49	426	{
03f8b042 BL	427	if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
	428	if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
	429	ctx))
58964a49 RE	430	goto err;
	431	}
	432	}
	433
dfeab068 RE	434	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
dfeab068 RE	435	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
03f8b042	436	rsa->_method_mod_q)) goto err;
58964a49	437
dfeab068 RE	438	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
dfeab068 RE	439	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
03f8b042	440	rsa->_method_mod_p)) goto err;
58964a49	441
dfeab068 RE	442	if (!BN_sub(r0,r0,&m1)) goto err;
	443	/* This will help stop the size of r0 increasing, which does
	444	* affect the multiply if it optimised for a power of 2 size */
	445	if (r0->neg)
	446	if (!BN_add(r0,r0,rsa->p)) goto err;
58964a49	447
dfeab068 RE	448	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
dfeab068 RE	449	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
abd4c915 DSH	450	/* If p < q it is occasionally possible for the correction of
	451	* adding 'p' if r0 is negative above to leave the result still
	452	* negative. This can break the private key operations: the following
	453	* second correction should always correct this rare occurrence.
	454	* This will never happen with OpenSSL generated keys because
	455	* they ensure p > q [steve]
	456	*/
	457	if (r0->neg)
	458	if (!BN_add(r0,r0,rsa->p)) goto err;
dfeab068 RE	459	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
dfeab068 RE	460	if (!BN_add(r0,&r1,&m1)) goto err;
58964a49 RE	461
	462	ret=1;
	463	err:
dfeab068 RE	464	BN_clear_free(&m1);
dfeab068 RE	465	BN_clear_free(&r1);
e03ddfae	466	BN_CTX_free(ctx);
58964a49 RE	467	return(ret);
	468	}
	469
6b691a5c	470	static int RSA_eay_init(RSA *rsa)
58964a49 RE	471	{
	472	rsa->flags\|=RSA_FLAG_CACHE_PUBLIC\|RSA_FLAG_CACHE_PRIVATE;
	473	return(1);
	474	}
	475
6b691a5c	476	static int RSA_eay_finish(RSA *rsa)
58964a49	477	{
03f8b042 BL	478	if (rsa->_method_mod_n != NULL)
	479	BN_MONT_CTX_free(rsa->_method_mod_n);
	480	if (rsa->_method_mod_p != NULL)
	481	BN_MONT_CTX_free(rsa->_method_mod_p);
	482	if (rsa->_method_mod_q != NULL)
	483	BN_MONT_CTX_free(rsa->_method_mod_q);
58964a49 RE	484	return(1);
	485	}
	486
	487