[thirdparty/openssl.git] / crypto / rsa / rsa_eay.c

/* crypto/rsa/rsa_eay.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>

static int RSA_eay_public_encrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_encrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_public_decrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_decrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
static int RSA_eay_init(RSA *rsa);
static int RSA_eay_finish(RSA *rsa);
static RSA_METHOD rsa_pkcs1_eay_meth={
	"Eric Young's PKCS#1 RSA",
	RSA_eay_public_encrypt,
	RSA_eay_public_decrypt,
	RSA_eay_private_encrypt,
	RSA_eay_private_decrypt,
	RSA_eay_mod_exp,
	BN_mod_exp_mont,
	RSA_eay_init,
	RSA_eay_finish,
	0,
	NULL,
	};

RSA_METHOD *RSA_PKCS1_SSLeay(void)
	{
	return(&rsa_pkcs1_eay_meth);
	}

static int RSA_eay_public_encrypt(int flen, unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
		break;
#ifndef NO_SHA
	case RSA_PKCS1_OAEP_PADDING:
	        i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
		break;
#endif
	case RSA_SSLV23_PADDING:
		i=RSA_padding_add_SSLv23(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
	
	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		{
		if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
			if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
			    goto err;
		}

	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL) 
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_private_encrypt(int flen, unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	case RSA_SSLV23_PADDING:
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&ret);
	BN_clear_free(&f);
	if (buf != NULL)
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_private_decrypt(int flen, unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int j,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);

	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equallity but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	/* make data into a big number */
	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	/* do the decrypt */
	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
			goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	p=buf;
	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
		break;
#ifndef NO_SHA
        case RSA_PKCS1_OAEP_PADDING:
	        r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
                break;
#endif
 	case RSA_SSLV23_PADDING:
		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,j,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_public_decrypt(int flen, unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int i,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);
	buf=(unsigned char *)Malloc(num);
	if (buf == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equallity but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
	/* do the decrypt */
	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		{
		if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
			if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
			    goto err;
		}

	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	p=buf;
	i=BN_bn2bin(&ret,p);

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,i,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
	{
	BIGNUM r1,m1;
	int ret=0;
	BN_CTX *ctx;

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	BN_init(&m1);
	BN_init(&r1);

	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
		{
		if (rsa->_method_mod_p == NULL)
			{
			if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
				if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
						     ctx))
					goto err;
			}
		if (rsa->_method_mod_q == NULL)
			{
			if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
				if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
						     ctx))
					goto err;
			}
		}

	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
		rsa->_method_mod_q)) goto err;

	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
		rsa->_method_mod_p)) goto err;

	if (!BN_sub(r0,r0,&m1)) goto err;
	/* This will help stop the size of r0 increasing, which does
	 * affect the multiply if it optimised for a power of 2 size */
	if (r0->neg)
		if (!BN_add(r0,r0,rsa->p)) goto err;

	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
	/* If p < q it is occasionally possible for the correction of
         * adding 'p' if r0 is negative above to leave the result still
	 * negative. This can break the private key operations: the following
	 * second correction should *always* correct this rare occurrence.
	 * This will *never* happen with OpenSSL generated keys because
         * they ensure p > q [steve]
         */
	if (r0->neg)
		if (!BN_add(r0,r0,rsa->p)) goto err;
	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
	if (!BN_add(r0,&r1,&m1)) goto err;

	ret=1;
err:
	BN_clear_free(&m1);
	BN_clear_free(&r1);
	BN_CTX_free(ctx);
	return(ret);
	}

static int RSA_eay_init(RSA *rsa)
	{
	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
	return(1);
	}

static int RSA_eay_finish(RSA *rsa)
	{
	if (rsa->_method_mod_n != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_n);
	if (rsa->_method_mod_p != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_p);
	if (rsa->_method_mod_q != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_q);
	return(1);
	}
Commit	Line	Data
58964a49 RE	1	/* crypto/rsa/rsa_eay.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	#include <stdio.h>
	60	#include "cryptlib.h"
ec577822 BM	61	#include <openssl/bn.h>
	62	#include <openssl/rsa.h>
	63	#include <openssl/rand.h>
58964a49	64
58964a49 RE	65	static int RSA_eay_public_encrypt(int flen, unsigned char *from,
	66	unsigned char to, RSA rsa,int padding);
	67	static int RSA_eay_private_encrypt(int flen, unsigned char *from,
	68	unsigned char to, RSA rsa,int padding);
	69	static int RSA_eay_public_decrypt(int flen, unsigned char *from,
	70	unsigned char to, RSA rsa,int padding);
	71	static int RSA_eay_private_decrypt(int flen, unsigned char *from,
	72	unsigned char to, RSA rsa,int padding);
	73	static int RSA_eay_mod_exp(BIGNUM r0, BIGNUM i, RSA *rsa);
	74	static int RSA_eay_init(RSA *rsa);
	75	static int RSA_eay_finish(RSA *rsa);
58964a49 RE	76	static RSA_METHOD rsa_pkcs1_eay_meth={
	77	"Eric Young's PKCS#1 RSA",
	78	RSA_eay_public_encrypt,
	79	RSA_eay_public_decrypt,
	80	RSA_eay_private_encrypt,
	81	RSA_eay_private_decrypt,
	82	RSA_eay_mod_exp,
	83	BN_mod_exp_mont,
	84	RSA_eay_init,
	85	RSA_eay_finish,
	86	0,
	87	NULL,
	88	};
	89
6b691a5c	90	RSA_METHOD *RSA_PKCS1_SSLeay(void)
58964a49 RE	91	{
	92	return(&rsa_pkcs1_eay_meth);
	93	}
	94
6b691a5c UM	95	static int RSA_eay_public_encrypt(int flen, unsigned char *from,
6b691a5c UM	96	unsigned char to, RSA rsa, int padding)
58964a49	97	{
dfeab068	98	BIGNUM f,ret;
58964a49 RE	99	int i,j,k,num=0,r= -1;
	100	unsigned char *buf=NULL;
	101	BN_CTX *ctx=NULL;
	102
dfeab068 RE	103	BN_init(&f);
dfeab068 RE	104	BN_init(&ret);
58964a49 RE	105	if ((ctx=BN_CTX_new()) == NULL) goto err;
	106	num=BN_num_bytes(rsa->n);
	107	if ((buf=(unsigned char *)Malloc(num)) == NULL)
	108	{
	109	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
	110	goto err;
	111	}
	112
	113	switch (padding)
	114	{
	115	case RSA_PKCS1_PADDING:
	116	i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
	117	break;
79df9d62	118	#ifndef NO_SHA
a4949896 BL	119	case RSA_PKCS1_OAEP_PADDING:
	120	i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
	121	break;
79df9d62	122	#endif
58964a49 RE	123	case RSA_SSLV23_PADDING:
	124	i=RSA_padding_add_SSLv23(buf,num,from,flen);
	125	break;
	126	case RSA_NO_PADDING:
	127	i=RSA_padding_add_none(buf,num,from,flen);
	128	break;
	129	default:
	130	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	131	goto err;
	132	}
	133	if (i <= 0) goto err;
	134
dfeab068	135	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
58964a49	136
03f8b042	137	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
58964a49	138	{
03f8b042 BL	139	if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
	140	if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
	141	goto err;
58964a49 RE	142	}
58964a49 RE	143
dfeab068	144	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	145	rsa->_method_mod_n)) goto err;
58964a49 RE	146
	147	/* put in leading 0 bytes if the number is less than the
	148	* length of the modulus */
dfeab068 RE	149	j=BN_num_bytes(&ret);
dfeab068 RE	150	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	151	for (k=0; k<(num-i); k++)
	152	to[k]=0;
	153
	154	r=num;
	155	err:
	156	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	157	BN_clear_free(&f);
dfeab068 RE	158	BN_clear_free(&ret);
58964a49 RE	159	if (buf != NULL)
	160	{
	161	memset(buf,0,num);
	162	Free(buf);
	163	}
	164	return(r);
	165	}
	166
6b691a5c UM	167	static int RSA_eay_private_encrypt(int flen, unsigned char *from,
6b691a5c UM	168	unsigned char to, RSA rsa, int padding)
58964a49	169	{
dfeab068	170	BIGNUM f,ret;
58964a49 RE	171	int i,j,k,num=0,r= -1;
	172	unsigned char *buf=NULL;
	173	BN_CTX *ctx=NULL;
	174
dfeab068 RE	175	BN_init(&f);
	176	BN_init(&ret);
	177
58964a49 RE	178	if ((ctx=BN_CTX_new()) == NULL) goto err;
	179	num=BN_num_bytes(rsa->n);
	180	if ((buf=(unsigned char *)Malloc(num)) == NULL)
	181	{
	182	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
	183	goto err;
	184	}
	185
	186	switch (padding)
	187	{
	188	case RSA_PKCS1_PADDING:
	189	i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
	190	break;
	191	case RSA_NO_PADDING:
	192	i=RSA_padding_add_none(buf,num,from,flen);
	193	break;
	194	case RSA_SSLV23_PADDING:
	195	default:
	196	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	197	goto err;
	198	}
	199	if (i <= 0) goto err;
	200
dfeab068	201	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
58964a49 RE	202
	203	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	204	RSA_blinding_on(rsa,ctx);
	205	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	206	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49	207
770d19b8 DSH	208	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
770d19b8 DSH	209	((rsa->p != NULL) &&
58964a49 RE	210	(rsa->q != NULL) &&
	211	(rsa->dmp1 != NULL) &&
	212	(rsa->dmq1 != NULL) &&
770d19b8	213	(rsa->iqmp != NULL)) )
dfeab068	214	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	215	else
58964a49 RE	216	{
dfeab068	217	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
58964a49 RE	218	}
	219
	220	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	221	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	222
	223	/* put in leading 0 bytes if the number is less than the
	224	* length of the modulus */
dfeab068 RE	225	j=BN_num_bytes(&ret);
dfeab068 RE	226	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	227	for (k=0; k<(num-i); k++)
	228	to[k]=0;
	229
	230	r=num;
	231	err:
	232	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	233	BN_clear_free(&ret);
dfeab068 RE	234	BN_clear_free(&f);
58964a49 RE	235	if (buf != NULL)
	236	{
	237	memset(buf,0,num);
	238	Free(buf);
	239	}
	240	return(r);
	241	}
	242
6b691a5c UM	243	static int RSA_eay_private_decrypt(int flen, unsigned char *from,
6b691a5c UM	244	unsigned char to, RSA rsa, int padding)
58964a49	245	{
dfeab068	246	BIGNUM f,ret;
58964a49 RE	247	int j,num=0,r= -1;
	248	unsigned char *p;
	249	unsigned char *buf=NULL;
	250	BN_CTX *ctx=NULL;
	251
dfeab068 RE	252	BN_init(&f);
dfeab068 RE	253	BN_init(&ret);
58964a49 RE	254	ctx=BN_CTX_new();
	255	if (ctx == NULL) goto err;
	256
	257	num=BN_num_bytes(rsa->n);
	258
	259	if ((buf=(unsigned char *)Malloc(num)) == NULL)
	260	{
	261	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
	262	goto err;
	263	}
	264
	265	/* This check was for equallity but PGP does evil things
	266	* and chops off the top '0' bytes */
	267	if (flen > num)
	268	{
	269	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	270	goto err;
	271	}
	272
	273	/* make data into a big number */
dfeab068	274	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
58964a49 RE	275
	276	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	277	RSA_blinding_on(rsa,ctx);
	278	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	279	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49 RE	280
58964a49 RE	281	/* do the decrypt */
770d19b8 DSH	282	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
770d19b8 DSH	283	((rsa->p != NULL) &&
58964a49 RE	284	(rsa->q != NULL) &&
	285	(rsa->dmp1 != NULL) &&
	286	(rsa->dmq1 != NULL) &&
770d19b8	287	(rsa->iqmp != NULL)) )
dfeab068	288	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	289	else
58964a49 RE	290	{
dfeab068	291	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
58964a49 RE	292	goto err;
	293	}
	294
	295	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	296	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	297
58964a49 RE	298	p=buf;
dfeab068	299	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
58964a49 RE	300
	301	switch (padding)
	302	{
	303	case RSA_PKCS1_PADDING:
dfeab068	304	r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
58964a49	305	break;
79df9d62	306	#ifndef NO_SHA
a4949896 BL	307	case RSA_PKCS1_OAEP_PADDING:
	308	r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
	309	break;
79df9d62	310	#endif
a4949896	311	case RSA_SSLV23_PADDING:
dfeab068	312	r=RSA_padding_check_SSLv23(to,num,buf,j,num);
58964a49 RE	313	break;
58964a49 RE	314	case RSA_NO_PADDING:
dfeab068	315	r=RSA_padding_check_none(to,num,buf,j,num);
58964a49 RE	316	break;
	317	default:
	318	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	319	goto err;
	320	}
	321	if (r < 0)
	322	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	323
	324	err:
	325	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	326	BN_clear_free(&f);
dfeab068 RE	327	BN_clear_free(&ret);
58964a49 RE	328	if (buf != NULL)
	329	{
	330	memset(buf,0,num);
	331	Free(buf);
	332	}
	333	return(r);
	334	}
	335
6b691a5c UM	336	static int RSA_eay_public_decrypt(int flen, unsigned char *from,
6b691a5c UM	337	unsigned char to, RSA rsa, int padding)
58964a49	338	{
dfeab068	339	BIGNUM f,ret;
58964a49 RE	340	int i,num=0,r= -1;
	341	unsigned char *p;
	342	unsigned char *buf=NULL;
	343	BN_CTX *ctx=NULL;
	344
dfeab068 RE	345	BN_init(&f);
dfeab068 RE	346	BN_init(&ret);
58964a49 RE	347	ctx=BN_CTX_new();
	348	if (ctx == NULL) goto err;
	349
	350	num=BN_num_bytes(rsa->n);
	351	buf=(unsigned char *)Malloc(num);
	352	if (buf == NULL)
	353	{
	354	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
	355	goto err;
	356	}
	357
	358	/* This check was for equallity but PGP does evil things
	359	* and chops off the top '0' bytes */
	360	if (flen > num)
	361	{
	362	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	363	goto err;
	364	}
	365
dfeab068	366	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
58964a49	367	/* do the decrypt */
03f8b042	368	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
58964a49	369	{
03f8b042 BL	370	if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
	371	if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
	372	goto err;
58964a49 RE	373	}
58964a49 RE	374
dfeab068	375	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	376	rsa->_method_mod_n)) goto err;
58964a49 RE	377
58964a49 RE	378	p=buf;
dfeab068	379	i=BN_bn2bin(&ret,p);
58964a49 RE	380
	381	switch (padding)
	382	{
	383	case RSA_PKCS1_PADDING:
dfeab068	384	r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
58964a49 RE	385	break;
58964a49 RE	386	case RSA_NO_PADDING:
dfeab068	387	r=RSA_padding_check_none(to,num,buf,i,num);
58964a49 RE	388	break;
	389	default:
	390	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	391	goto err;
	392	}
	393	if (r < 0)
	394	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	395
	396	err:
	397	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	398	BN_clear_free(&f);
dfeab068 RE	399	BN_clear_free(&ret);
58964a49 RE	400	if (buf != NULL)
	401	{
	402	memset(buf,0,num);
	403	Free(buf);
	404	}
	405	return(r);
	406	}
	407
6b691a5c	408	static int RSA_eay_mod_exp(BIGNUM r0, BIGNUM I, RSA *rsa)
58964a49	409	{
dfeab068	410	BIGNUM r1,m1;
58964a49 RE	411	int ret=0;
	412	BN_CTX *ctx;
	413
	414	if ((ctx=BN_CTX_new()) == NULL) goto err;
dfeab068 RE	415	BN_init(&m1);
dfeab068 RE	416	BN_init(&r1);
58964a49 RE	417
	418	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
	419	{
03f8b042	420	if (rsa->_method_mod_p == NULL)
58964a49	421	{
03f8b042 BL	422	if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
	423	if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
	424	ctx))
58964a49 RE	425	goto err;
58964a49 RE	426	}
03f8b042	427	if (rsa->_method_mod_q == NULL)
58964a49	428	{
03f8b042 BL	429	if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
	430	if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
	431	ctx))
58964a49 RE	432	goto err;
	433	}
	434	}
	435
dfeab068 RE	436	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
dfeab068 RE	437	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
03f8b042	438	rsa->_method_mod_q)) goto err;
58964a49	439
dfeab068 RE	440	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
dfeab068 RE	441	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
03f8b042	442	rsa->_method_mod_p)) goto err;
58964a49	443
dfeab068 RE	444	if (!BN_sub(r0,r0,&m1)) goto err;
	445	/* This will help stop the size of r0 increasing, which does
	446	* affect the multiply if it optimised for a power of 2 size */
	447	if (r0->neg)
	448	if (!BN_add(r0,r0,rsa->p)) goto err;
58964a49	449
dfeab068 RE	450	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
dfeab068 RE	451	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
abd4c915 DSH	452	/* If p < q it is occasionally possible for the correction of
	453	* adding 'p' if r0 is negative above to leave the result still
	454	* negative. This can break the private key operations: the following
	455	* second correction should always correct this rare occurrence.
	456	* This will never happen with OpenSSL generated keys because
	457	* they ensure p > q [steve]
	458	*/
	459	if (r0->neg)
	460	if (!BN_add(r0,r0,rsa->p)) goto err;
dfeab068 RE	461	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
dfeab068 RE	462	if (!BN_add(r0,&r1,&m1)) goto err;
58964a49 RE	463
	464	ret=1;
	465	err:
dfeab068 RE	466	BN_clear_free(&m1);
dfeab068 RE	467	BN_clear_free(&r1);
e03ddfae	468	BN_CTX_free(ctx);
58964a49 RE	469	return(ret);
	470	}
	471
6b691a5c	472	static int RSA_eay_init(RSA *rsa)
58964a49 RE	473	{
	474	rsa->flags\|=RSA_FLAG_CACHE_PUBLIC\|RSA_FLAG_CACHE_PRIVATE;
	475	return(1);
	476	}
	477
6b691a5c	478	static int RSA_eay_finish(RSA *rsa)
58964a49	479	{
03f8b042 BL	480	if (rsa->_method_mod_n != NULL)
	481	BN_MONT_CTX_free(rsa->_method_mod_n);
	482	if (rsa->_method_mod_p != NULL)
	483	BN_MONT_CTX_free(rsa->_method_mod_p);
	484	if (rsa->_method_mod_q != NULL)
	485	BN_MONT_CTX_free(rsa->_method_mod_q);
58964a49 RE	486	return(1);
	487	}
	488
	489