[thirdparty/openssl.git] / crypto / rsa / rsa_eay.c

/* crypto/rsa/rsa_eay.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include "cryptlib.h"
#include "bn.h"
#include "rsa.h"
#include "rand.h"

#ifndef NOPROTO
static int RSA_eay_public_encrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_encrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_public_decrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_decrypt(int flen, unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
static int RSA_eay_init(RSA *rsa);
static int RSA_eay_finish(RSA *rsa);
#else
static int RSA_eay_public_encrypt();
static int RSA_eay_private_encrypt();
static int RSA_eay_public_decrypt();
static int RSA_eay_private_decrypt();
static int RSA_eay_mod_exp();
static int RSA_eay_init();
static int RSA_eay_finish();
#endif

static RSA_METHOD rsa_pkcs1_eay_meth={
	"Eric Young's PKCS#1 RSA",
	RSA_eay_public_encrypt,
	RSA_eay_public_decrypt,
	RSA_eay_private_encrypt,
	RSA_eay_private_decrypt,
	RSA_eay_mod_exp,
	BN_mod_exp_mont,
	RSA_eay_init,
	RSA_eay_finish,
	0,
	NULL,
	};

RSA_METHOD *RSA_PKCS1_SSLeay()
	{
	return(&rsa_pkcs1_eay_meth);
	}

static int RSA_eay_public_encrypt(flen, from, to, rsa, padding)
int flen;
unsigned char *from;
unsigned char *to;
RSA *rsa;
int padding;
	{
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
		break;
	case RSA_SSLV23_PADDING:
		i=RSA_padding_add_SSLv23(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
	
	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		{
		if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
			if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
			    goto err;
		}

	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL) 
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_private_encrypt(flen, from, to, rsa, padding)
int flen;
unsigned char *from;
unsigned char *to;
RSA *rsa;
int padding;
	{
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	case RSA_SSLV23_PADDING:
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	if (	(rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL))
		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&ret);
	BN_clear_free(&f);
	if (buf != NULL)
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_private_decrypt(flen, from, to, rsa,padding)
int flen;
unsigned char *from;
unsigned char *to;
RSA *rsa;
int padding;
	{
	BIGNUM f,ret;
	int j,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);

	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equallity but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	/* make data into a big number */
	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	/* do the decrypt */
	if (	(rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL))
		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
			goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	p=buf;
	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
		break;
	case RSA_SSLV23_PADDING:
		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,j,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_public_decrypt(flen, from, to, rsa, padding)
int flen;
unsigned char *from;
unsigned char *to;
RSA *rsa;
int padding;
	{
	BIGNUM f,ret;
	int i,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);
	buf=(unsigned char *)Malloc(num);
	if (buf == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equallity but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
	/* do the decrypt */
	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		{
		if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
			if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
			    goto err;
		}

	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	p=buf;
	i=BN_bn2bin(&ret,p);

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,i,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		memset(buf,0,num);
		Free(buf);
		}
	return(r);
	}

static int RSA_eay_mod_exp(r0, I, rsa)
BIGNUM *r0;
BIGNUM *I;
RSA *rsa;
	{
	BIGNUM r1,m1;
	int ret=0;
	BN_CTX *ctx;

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	BN_init(&m1);
	BN_init(&r1);

	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
		{
		if (rsa->_method_mod_p == NULL)
			{
			if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
				if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
						     ctx))
					goto err;
			}
		if (rsa->_method_mod_q == NULL)
			{
			if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
				if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
						     ctx))
					goto err;
			}
		}

	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
		rsa->_method_mod_q)) goto err;

	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
		rsa->_method_mod_p)) goto err;

	if (!BN_sub(r0,r0,&m1)) goto err;
	/* This will help stop the size of r0 increasing, which does
	 * affect the multiply if it optimised for a power of 2 size */
	if (r0->neg)
		if (!BN_add(r0,r0,rsa->p)) goto err;

	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
	if (!BN_add(r0,&r1,&m1)) goto err;

	ret=1;
err:
	BN_clear_free(&m1);
	BN_clear_free(&r1);
	BN_CTX_free(ctx);
	return(ret);
	}

static int RSA_eay_init(rsa)
RSA *rsa;
	{
	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
	return(1);
	}

static int RSA_eay_finish(rsa)
RSA *rsa;
	{
	if (rsa->_method_mod_n != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_n);
	if (rsa->_method_mod_p != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_p);
	if (rsa->_method_mod_q != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_q);
	return(1);
	}
Commit	Line	Data
58964a49 RE	1	/* crypto/rsa/rsa_eay.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	#include <stdio.h>
	60	#include "cryptlib.h"
	61	#include "bn.h"
	62	#include "rsa.h"
	63	#include "rand.h"
	64
65	#ifndef NOPROTO
66	static int RSA_eay_public_encrypt(int flen, unsigned char *from,
67	unsigned char to, RSA rsa,int padding);
68	static int RSA_eay_private_encrypt(int flen, unsigned char *from,
69	unsigned char to, RSA rsa,int padding);
70	static int RSA_eay_public_decrypt(int flen, unsigned char *from,
71	unsigned char to, RSA rsa,int padding);
72	static int RSA_eay_private_decrypt(int flen, unsigned char *from,
73	unsigned char to, RSA rsa,int padding);
74	static int RSA_eay_mod_exp(BIGNUM r0, BIGNUM i, RSA *rsa);
75	static int RSA_eay_init(RSA *rsa);
76	static int RSA_eay_finish(RSA *rsa);
77	#else
78	static int RSA_eay_public_encrypt();
79	static int RSA_eay_private_encrypt();
80	static int RSA_eay_public_decrypt();
81	static int RSA_eay_private_decrypt();
82	static int RSA_eay_mod_exp();
83	static int RSA_eay_init();
84	static int RSA_eay_finish();
85	#endif
86
87	static RSA_METHOD rsa_pkcs1_eay_meth={
88	"Eric Young's PKCS#1 RSA",
89	RSA_eay_public_encrypt,
90	RSA_eay_public_decrypt,
91	RSA_eay_private_encrypt,
92	RSA_eay_private_decrypt,
93	RSA_eay_mod_exp,
94	BN_mod_exp_mont,
95	RSA_eay_init,
96	RSA_eay_finish,
97	0,
98	NULL,
99	};
100
101	RSA_METHOD *RSA_PKCS1_SSLeay()
102	{
103	return(&rsa_pkcs1_eay_meth);
104	}
105
106	static int RSA_eay_public_encrypt(flen, from, to, rsa, padding)
107	int flen;
108	unsigned char *from;
109	unsigned char *to;
110	RSA *rsa;
111	int padding;
112	{
dfeab068	113	BIGNUM f,ret;
58964a49 RE	114	int i,j,k,num=0,r= -1;
	115	unsigned char *buf=NULL;
	116	BN_CTX *ctx=NULL;
	117
dfeab068 RE	118	BN_init(&f);
dfeab068 RE	119	BN_init(&ret);
58964a49 RE	120	if ((ctx=BN_CTX_new()) == NULL) goto err;
	121	num=BN_num_bytes(rsa->n);
	122	if ((buf=(unsigned char *)Malloc(num)) == NULL)
	123	{
	124	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
	125	goto err;
	126	}
	127
	128	switch (padding)
	129	{
	130	case RSA_PKCS1_PADDING:
	131	i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
	132	break;
	133	case RSA_SSLV23_PADDING:
	134	i=RSA_padding_add_SSLv23(buf,num,from,flen);
	135	break;
	136	case RSA_NO_PADDING:
	137	i=RSA_padding_add_none(buf,num,from,flen);
	138	break;
	139	default:
	140	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	141	goto err;
	142	}
	143	if (i <= 0) goto err;
	144
dfeab068	145	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
58964a49	146
03f8b042	147	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
58964a49	148	{
03f8b042 BL	149	if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
	150	if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
	151	goto err;
58964a49 RE	152	}
58964a49 RE	153
dfeab068	154	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	155	rsa->_method_mod_n)) goto err;
58964a49 RE	156
	157	/* put in leading 0 bytes if the number is less than the
	158	* length of the modulus */
dfeab068 RE	159	j=BN_num_bytes(&ret);
dfeab068 RE	160	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	161	for (k=0; k<(num-i); k++)
	162	to[k]=0;
	163
	164	r=num;
	165	err:
	166	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	167	BN_clear_free(&f);
dfeab068 RE	168	BN_clear_free(&ret);
58964a49 RE	169	if (buf != NULL)
	170	{
	171	memset(buf,0,num);
	172	Free(buf);
	173	}
	174	return(r);
	175	}
	176
	177	static int RSA_eay_private_encrypt(flen, from, to, rsa, padding)
	178	int flen;
	179	unsigned char *from;
	180	unsigned char *to;
	181	RSA *rsa;
	182	int padding;
	183	{
dfeab068	184	BIGNUM f,ret;
58964a49 RE	185	int i,j,k,num=0,r= -1;
	186	unsigned char *buf=NULL;
	187	BN_CTX *ctx=NULL;
	188
dfeab068 RE	189	BN_init(&f);
	190	BN_init(&ret);
	191
58964a49 RE	192	if ((ctx=BN_CTX_new()) == NULL) goto err;
	193	num=BN_num_bytes(rsa->n);
	194	if ((buf=(unsigned char *)Malloc(num)) == NULL)
	195	{
	196	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
	197	goto err;
	198	}
	199
	200	switch (padding)
	201	{
	202	case RSA_PKCS1_PADDING:
	203	i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
	204	break;
	205	case RSA_NO_PADDING:
	206	i=RSA_padding_add_none(buf,num,from,flen);
	207	break;
	208	case RSA_SSLV23_PADDING:
	209	default:
	210	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	211	goto err;
	212	}
	213	if (i <= 0) goto err;
	214
dfeab068	215	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
58964a49 RE	216
	217	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	218	RSA_blinding_on(rsa,ctx);
	219	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	220	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49 RE	221
	222	if ( (rsa->p != NULL) &&
	223	(rsa->q != NULL) &&
	224	(rsa->dmp1 != NULL) &&
	225	(rsa->dmq1 != NULL) &&
	226	(rsa->iqmp != NULL))
dfeab068	227	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	228	else
58964a49 RE	229	{
dfeab068	230	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
58964a49 RE	231	}
	232
	233	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	234	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	235
	236	/* put in leading 0 bytes if the number is less than the
	237	* length of the modulus */
dfeab068 RE	238	j=BN_num_bytes(&ret);
dfeab068 RE	239	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	240	for (k=0; k<(num-i); k++)
	241	to[k]=0;
	242
	243	r=num;
	244	err:
	245	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	246	BN_clear_free(&ret);
dfeab068 RE	247	BN_clear_free(&f);
58964a49 RE	248	if (buf != NULL)
	249	{
	250	memset(buf,0,num);
	251	Free(buf);
	252	}
	253	return(r);
	254	}
	255
	256	static int RSA_eay_private_decrypt(flen, from, to, rsa,padding)
	257	int flen;
	258	unsigned char *from;
	259	unsigned char *to;
	260	RSA *rsa;
	261	int padding;
	262	{
dfeab068	263	BIGNUM f,ret;
58964a49 RE	264	int j,num=0,r= -1;
	265	unsigned char *p;
	266	unsigned char *buf=NULL;
	267	BN_CTX *ctx=NULL;
	268
dfeab068 RE	269	BN_init(&f);
dfeab068 RE	270	BN_init(&ret);
58964a49 RE	271	ctx=BN_CTX_new();
	272	if (ctx == NULL) goto err;
	273
	274	num=BN_num_bytes(rsa->n);
	275
	276	if ((buf=(unsigned char *)Malloc(num)) == NULL)
	277	{
	278	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
	279	goto err;
	280	}
	281
	282	/* This check was for equallity but PGP does evil things
	283	* and chops off the top '0' bytes */
	284	if (flen > num)
	285	{
	286	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	287	goto err;
	288	}
	289
	290	/* make data into a big number */
dfeab068	291	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
58964a49 RE	292
	293	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	294	RSA_blinding_on(rsa,ctx);
	295	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	296	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49 RE	297
	298	/* do the decrypt */
	299	if ( (rsa->p != NULL) &&
	300	(rsa->q != NULL) &&
	301	(rsa->dmp1 != NULL) &&
	302	(rsa->dmq1 != NULL) &&
	303	(rsa->iqmp != NULL))
dfeab068	304	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	305	else
58964a49 RE	306	{
dfeab068	307	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
58964a49 RE	308	goto err;
	309	}
	310
	311	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	312	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	313
58964a49 RE	314	p=buf;
dfeab068	315	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
58964a49 RE	316
	317	switch (padding)
	318	{
	319	case RSA_PKCS1_PADDING:
dfeab068	320	r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
58964a49 RE	321	break;
58964a49 RE	322	case RSA_SSLV23_PADDING:
dfeab068	323	r=RSA_padding_check_SSLv23(to,num,buf,j,num);
58964a49 RE	324	break;
58964a49 RE	325	case RSA_NO_PADDING:
dfeab068	326	r=RSA_padding_check_none(to,num,buf,j,num);
58964a49 RE	327	break;
	328	default:
	329	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	330	goto err;
	331	}
	332	if (r < 0)
	333	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	334
	335	err:
	336	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	337	BN_clear_free(&f);
dfeab068 RE	338	BN_clear_free(&ret);
58964a49 RE	339	if (buf != NULL)
	340	{
	341	memset(buf,0,num);
	342	Free(buf);
	343	}
	344	return(r);
	345	}
	346
	347	static int RSA_eay_public_decrypt(flen, from, to, rsa, padding)
	348	int flen;
	349	unsigned char *from;
	350	unsigned char *to;
	351	RSA *rsa;
	352	int padding;
	353	{
dfeab068	354	BIGNUM f,ret;
58964a49 RE	355	int i,num=0,r= -1;
	356	unsigned char *p;
	357	unsigned char *buf=NULL;
	358	BN_CTX *ctx=NULL;
	359
dfeab068 RE	360	BN_init(&f);
dfeab068 RE	361	BN_init(&ret);
58964a49 RE	362	ctx=BN_CTX_new();
	363	if (ctx == NULL) goto err;
	364
	365	num=BN_num_bytes(rsa->n);
	366	buf=(unsigned char *)Malloc(num);
	367	if (buf == NULL)
	368	{
	369	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
	370	goto err;
	371	}
	372
	373	/* This check was for equallity but PGP does evil things
	374	* and chops off the top '0' bytes */
	375	if (flen > num)
	376	{
	377	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	378	goto err;
	379	}
	380
dfeab068	381	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
58964a49	382	/* do the decrypt */
03f8b042	383	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
58964a49	384	{
03f8b042 BL	385	if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
	386	if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
	387	goto err;
58964a49 RE	388	}
58964a49 RE	389
dfeab068	390	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	391	rsa->_method_mod_n)) goto err;
58964a49 RE	392
58964a49 RE	393	p=buf;
dfeab068	394	i=BN_bn2bin(&ret,p);
58964a49 RE	395
	396	switch (padding)
	397	{
	398	case RSA_PKCS1_PADDING:
dfeab068	399	r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
58964a49 RE	400	break;
58964a49 RE	401	case RSA_NO_PADDING:
dfeab068	402	r=RSA_padding_check_none(to,num,buf,i,num);
58964a49 RE	403	break;
	404	default:
	405	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	406	goto err;
	407	}
	408	if (r < 0)
	409	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	410
	411	err:
	412	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	413	BN_clear_free(&f);
dfeab068 RE	414	BN_clear_free(&ret);
58964a49 RE	415	if (buf != NULL)
	416	{
	417	memset(buf,0,num);
	418	Free(buf);
	419	}
	420	return(r);
	421	}
	422
	423	static int RSA_eay_mod_exp(r0, I, rsa)
	424	BIGNUM *r0;
	425	BIGNUM *I;
	426	RSA *rsa;
	427	{
dfeab068	428	BIGNUM r1,m1;
58964a49 RE	429	int ret=0;
	430	BN_CTX *ctx;
	431
	432	if ((ctx=BN_CTX_new()) == NULL) goto err;
dfeab068 RE	433	BN_init(&m1);
dfeab068 RE	434	BN_init(&r1);
58964a49 RE	435
	436	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
	437	{
03f8b042	438	if (rsa->_method_mod_p == NULL)
58964a49	439	{
03f8b042 BL	440	if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
	441	if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
	442	ctx))
58964a49 RE	443	goto err;
58964a49 RE	444	}
03f8b042	445	if (rsa->_method_mod_q == NULL)
58964a49	446	{
03f8b042 BL	447	if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
	448	if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
	449	ctx))
58964a49 RE	450	goto err;
	451	}
	452	}
	453
dfeab068 RE	454	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
dfeab068 RE	455	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
03f8b042	456	rsa->_method_mod_q)) goto err;
58964a49	457
dfeab068 RE	458	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
dfeab068 RE	459	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
03f8b042	460	rsa->_method_mod_p)) goto err;
58964a49	461
dfeab068 RE	462	if (!BN_sub(r0,r0,&m1)) goto err;
	463	/* This will help stop the size of r0 increasing, which does
	464	* affect the multiply if it optimised for a power of 2 size */
	465	if (r0->neg)
	466	if (!BN_add(r0,r0,rsa->p)) goto err;
58964a49	467
dfeab068 RE	468	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
	469	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
	470	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
	471	if (!BN_add(r0,&r1,&m1)) goto err;
58964a49 RE	472
	473	ret=1;
	474	err:
dfeab068 RE	475	BN_clear_free(&m1);
dfeab068 RE	476	BN_clear_free(&r1);
e03ddfae	477	BN_CTX_free(ctx);
58964a49 RE	478	return(ret);
	479	}
	480
	481	static int RSA_eay_init(rsa)
	482	RSA *rsa;
	483	{
	484	rsa->flags\|=RSA_FLAG_CACHE_PUBLIC\|RSA_FLAG_CACHE_PRIVATE;
	485	return(1);
	486	}
	487
	488	static int RSA_eay_finish(rsa)
	489	RSA *rsa;
	490	{
03f8b042 BL	491	if (rsa->_method_mod_n != NULL)
	492	BN_MONT_CTX_free(rsa->_method_mod_n);
	493	if (rsa->_method_mod_p != NULL)
	494	BN_MONT_CTX_free(rsa->_method_mod_p);
	495	if (rsa->_method_mod_q != NULL)
	496	BN_MONT_CTX_free(rsa->_method_mod_q);
58964a49 RE	497	return(1);
	498	}
	499
	500