]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/rsa/rsa_ossl.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Always check CRYPTO_LOCK_{read,write}_lock
[thirdparty/openssl.git] / crypto / rsa / rsa_ossl.c
CommitLineData
2039c421 1/*
8020d79b 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
46a64376 3 *
2a7b6f39 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
46a64376 8 */
58964a49 9
c5f87134
P		 10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
b39fc560 16#include "internal/cryptlib.h"
25f2138b 17#include "crypto/bn.h"
706457b7
DMSP		 18#include "rsa_local.h"
19#include "internal/constant_time.h"
58964a49 20
bf160551 21static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e 22 unsigned char *to, RSA *rsa, int padding);
bf160551 23static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e 24 unsigned char *to, RSA *rsa, int padding);
bf160551 25static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e 26 unsigned char *to, RSA *rsa, int padding);
bf160551 27static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e 28 unsigned char *to, RSA *rsa, int padding);
bf160551 29static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
0f113f3e 30 BN_CTX *ctx);
bf160551
RS		 31static int rsa_ossl_init(RSA *rsa);
32static int rsa_ossl_finish(RSA *rsa);
33static RSA_METHOD rsa_pkcs1_ossl_meth = {
076fc555 34 "OpenSSL PKCS#1 RSA",
bf160551
RS		 35 rsa_ossl_public_encrypt,
36 rsa_ossl_public_decrypt, /* signature verification */
37 rsa_ossl_private_encrypt, /* signing */
38 rsa_ossl_private_decrypt,
39 rsa_ossl_mod_exp,
0f113f3e
MC		 40 BN_mod_exp_mont, /* XXX probably we should not use Montgomery
41 * if e == 3 */
bf160551
RS		 42 rsa_ossl_init,
43 rsa_ossl_finish,
0f113f3e
MC		 44 RSA_FLAG_FIPS_METHOD, /* flags */
45 NULL,
46 0, /* rsa_sign */
47 0, /* rsa_verify */
665d899f
PY		 48 NULL, /* rsa_keygen */
49 NULL /* rsa_multi_prime_keygen */
0f113f3e 50};
58964a49 51
076fc555
RS		 52static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth;
53
54void RSA_set_default_method(const RSA_METHOD *meth)
55{
56 default_RSA_meth = meth;
57}
58
59const RSA_METHOD *RSA_get_default_method(void)
60{
61 return default_RSA_meth;
62}
63
b0700d2c 64const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
0f113f3e 65{
bf160551 66 return &rsa_pkcs1_ossl_meth;
0f113f3e 67}
58964a49 68
076fc555
RS		 69const RSA_METHOD *RSA_null_method(void)
70{
71 return NULL;
72}
73
bf160551 74static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 75 unsigned char *to, RSA *rsa, int padding)
76{
77 BIGNUM *f, *ret;
582ad5d4 78 int i, num = 0, r = -1;
0f113f3e
MC		 79 unsigned char *buf = NULL;
80 BN_CTX *ctx = NULL;
81
82 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
9311d0c4 83 ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 84 return -1;
85 }
86
87 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
9311d0c4 88 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 89 return -1;
90 }
91
92 /* for large moduli, enforce exponent limit */
93 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
94 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
9311d0c4 95 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 96 return -1;
97 }
98 }
99
afb638f1 100 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 101 goto err;
102 BN_CTX_start(ctx);
103 f = BN_CTX_get(ctx);
104 ret = BN_CTX_get(ctx);
105 num = BN_num_bytes(rsa->n);
106 buf = OPENSSL_malloc(num);
edea42c6 107 if (ret == NULL || buf == NULL) {
9311d0c4 108 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 109 goto err;
110 }
111
112 switch (padding) {
113 case RSA_PKCS1_PADDING:
23b2fc0b
P		 114 i = ossl_rsa_padding_add_PKCS1_type_2_ex(rsa->libctx, buf, num,
115 from, flen);
0f113f3e 116 break;
0f113f3e 117 case RSA_PKCS1_OAEP_PADDING:
23b2fc0b
P		 118 i = ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(rsa->libctx, buf, num,
119 from, flen, NULL, 0,
120 NULL, NULL);
0f113f3e 121 break;
0f113f3e
MC		 122 case RSA_NO_PADDING:
123 i = RSA_padding_add_none(buf, num, from, flen);
124 break;
125 default:
9311d0c4 126 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 127 goto err;
128 }
129 if (i <= 0)
130 goto err;
131
132 if (BN_bin2bn(buf, num, f) == NULL)
133 goto err;
134
135 if (BN_ucmp(f, rsa->n) >= 0) {
136 /* usually the padding functions would catch this */
9311d0c4 137 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 138 goto err;
139 }
140
141 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 142 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
143 rsa->n, ctx))
0f113f3e
MC		 144 goto err;
145
146 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
147 rsa->_method_mod_n))
148 goto err;
149
150 /*
582ad5d4
AP		 151 * BN_bn2binpad puts in leading 0 bytes if the number is less than
152 * the length of the modulus.
0f113f3e 153 */
582ad5d4 154 r = BN_bn2binpad(ret, to, num);
0f113f3e 155 err:
ce1415ed 156 BN_CTX_end(ctx);
23a1d5e9 157 BN_CTX_free(ctx);
4b45c6e5 158 OPENSSL_clear_free(buf, num);
8686c474 159 return r;
0f113f3e 160}
58964a49 161
675f605d 162static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
800e400d 163{
0f113f3e 164 BN_BLINDING *ret;
0f113f3e 165
cd3f8c1b
RS		 166 if (!CRYPTO_THREAD_write_lock(rsa->lock))
167 return NULL;
0f113f3e
MC		 168
169 if (rsa->blinding == NULL) {
d188a536 170 rsa->blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 171 }
172
173 ret = rsa->blinding;
174 if (ret == NULL)
175 goto err;
176
0b1a07c8 177 if (BN_BLINDING_is_current_thread(ret)) {
0f113f3e
MC		 178 /* rsa->blinding is ours! */
179
180 *local = 1;
181 } else {
182 /* resort to rsa->mt_blinding instead */
183
184 /*
185 * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
186 * BN_BLINDING is shared, meaning that accesses require locks, and
187 * that the blinding factor must be stored outside the BN_BLINDING
188 */
189 *local = 0;
190
191 if (rsa->mt_blinding == NULL) {
d188a536 192 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 193 }
194 ret = rsa->mt_blinding;
195 }
5679bcce 196
675f605d 197 err:
d188a536 198 CRYPTO_THREAD_unlock(rsa->lock);
0f113f3e 199 return ret;
800e400d 200}
5679bcce 201
e5641d7f 202static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 203 BN_CTX *ctx)
204{
90862ab4 205 if (unblind == NULL) {
0f113f3e
MC		 206 /*
207 * Local blinding: store the unblinding factor in BN_BLINDING.
208 */
209 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
90862ab4 210 } else {
0f113f3e
MC		 211 /*
212 * Shared blinding: store the unblinding factor outside BN_BLINDING.
213 */
214 int ret;
0b1a07c8
AG		 215
216 BN_BLINDING_lock(b);
0f113f3e 217 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
0b1a07c8
AG		 218 BN_BLINDING_unlock(b);
219
0f113f3e
MC		 220 return ret;
221 }
222}
e5641d7f
BM		 223
224static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 225 BN_CTX *ctx)
226{
227 /*
228 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
229 * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
230 * is shared between threads, unblind must be non-null:
231 * BN_BLINDING_invert_ex will then use the local unblinding factor, and
232 * will only read the modulus from BN_BLINDING. In both cases it's safe
233 * to access the blinding without a lock.
234 */
235 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
236}
5679bcce 237
24cff6ce 238/* signing */
bf160551 239static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 240 unsigned char *to, RSA *rsa, int padding)
241{
242 BIGNUM *f, *ret, *res;
582ad5d4 243 int i, num = 0, r = -1;
0f113f3e
MC		 244 unsigned char *buf = NULL;
245 BN_CTX *ctx = NULL;
246 int local_blinding = 0;
247 /*
248 * Used only if the blinding structure is shared. A non-NULL unblind
249 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
250 * the unblinding factor outside the blinding structure.
251 */
252 BIGNUM *unblind = NULL;
253 BN_BLINDING *blinding = NULL;
254
afb638f1 255 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 256 goto err;
257 BN_CTX_start(ctx);
258 f = BN_CTX_get(ctx);
259 ret = BN_CTX_get(ctx);
260 num = BN_num_bytes(rsa->n);
261 buf = OPENSSL_malloc(num);
edea42c6 262 if (ret == NULL || buf == NULL) {
9311d0c4 263 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 264 goto err;
265 }
266
267 switch (padding) {
268 case RSA_PKCS1_PADDING:
269 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
270 break;
271 case RSA_X931_PADDING:
272 i = RSA_padding_add_X931(buf, num, from, flen);
273 break;
274 case RSA_NO_PADDING:
275 i = RSA_padding_add_none(buf, num, from, flen);
276 break;
0f113f3e 277 default:
9311d0c4 278 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 279 goto err;
280 }
281 if (i <= 0)
282 goto err;
283
284 if (BN_bin2bn(buf, num, f) == NULL)
285 goto err;
286
287 if (BN_ucmp(f, rsa->n) >= 0) {
288 /* usually the padding functions would catch this */
9311d0c4 289 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 290 goto err;
291 }
292
2cc3f68c
AP		 293 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
294 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
295 rsa->n, ctx))
296 goto err;
297
0f113f3e
MC		 298 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
299 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
300 if (blinding == NULL) {
9311d0c4 301 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 302 goto err;
303 }
304 }
305
306 if (blinding != NULL) {
307 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
9311d0c4 308 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 309 goto err;
310 }
311 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
312 goto err;
313 }
314
315 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
665d899f 316 (rsa->version == RSA_ASN1_VERSION_MULTI) ||
0f113f3e
MC		 317 ((rsa->p != NULL) &&
318 (rsa->q != NULL) &&
319 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
320 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
321 goto err;
322 } else {
5584f65a
MC		 323 BIGNUM *d = BN_new();
324 if (d == NULL) {
9311d0c4 325 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
5584f65a 326 goto err;
fd7d2520 327 }
7408f675 328 if (rsa->d == NULL) {
9311d0c4 329 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
7408f675
DO		 330 BN_free(d);
331 goto err;
332 }
5584f65a 333 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e 334
0f113f3e
MC		 335 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
336 rsa->_method_mod_n)) {
5584f65a 337 BN_free(d);
0f113f3e
MC		 338 goto err;
339 }
5584f65a
MC		 340 /* We MUST free d before any further use of rsa->d */
341 BN_free(d);
0f113f3e
MC		 342 }
343
344 if (blinding)
345 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
346 goto err;
347
348 if (padding == RSA_X931_PADDING) {
3d3cbce5
P		 349 if (!BN_sub(f, rsa->n, ret))
350 goto err;
0f113f3e
MC		 351 if (BN_cmp(ret, f) > 0)
352 res = f;
353 else
354 res = ret;
90862ab4 355 } else {
0f113f3e 356 res = ret;
90862ab4 357 }
0f113f3e
MC		 358
359 /*
582ad5d4
AP		 360 * BN_bn2binpad puts in leading 0 bytes if the number is less than
361 * the length of the modulus.
0f113f3e 362 */
582ad5d4 363 r = BN_bn2binpad(res, to, num);
0f113f3e 364 err:
ce1415ed 365 BN_CTX_end(ctx);
23a1d5e9 366 BN_CTX_free(ctx);
4b45c6e5 367 OPENSSL_clear_free(buf, num);
8686c474 368 return r;
0f113f3e 369}
58964a49 370
bf160551 371static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 372 unsigned char *to, RSA *rsa, int padding)
373{
374 BIGNUM *f, *ret;
375 int j, num = 0, r = -1;
0f113f3e
MC		 376 unsigned char *buf = NULL;
377 BN_CTX *ctx = NULL;
378 int local_blinding = 0;
379 /*
380 * Used only if the blinding structure is shared. A non-NULL unblind
381 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
382 * the unblinding factor outside the blinding structure.
383 */
384 BIGNUM *unblind = NULL;
385 BN_BLINDING *blinding = NULL;
386
afb638f1 387 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 388 goto err;
389 BN_CTX_start(ctx);
390 f = BN_CTX_get(ctx);
391 ret = BN_CTX_get(ctx);
392 num = BN_num_bytes(rsa->n);
393 buf = OPENSSL_malloc(num);
edea42c6 394 if (ret == NULL || buf == NULL) {
9311d0c4 395 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 396 goto err;
397 }
398
399 /*
400 * This check was for equality but PGP does evil things and chops off the
401 * top '0' bytes
402 */
403 if (flen > num) {
9311d0c4 404 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
0f113f3e
MC		 405 goto err;
406 }
407
408 /* make data into a big number */
409 if (BN_bin2bn(from, (int)flen, f) == NULL)
410 goto err;
411
412 if (BN_ucmp(f, rsa->n) >= 0) {
9311d0c4 413 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 414 goto err;
415 }
416
417 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
418 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
419 if (blinding == NULL) {
9311d0c4 420 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 421 goto err;
422 }
423 }
424
425 if (blinding != NULL) {
426 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
9311d0c4 427 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 428 goto err;
429 }
430 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
431 goto err;
432 }
433
434 /* do the decrypt */
435 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
665d899f 436 (rsa->version == RSA_ASN1_VERSION_MULTI) ||
0f113f3e
MC		 437 ((rsa->p != NULL) &&
438 (rsa->q != NULL) &&
439 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
440 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
441 goto err;
442 } else {
5584f65a
MC		 443 BIGNUM *d = BN_new();
444 if (d == NULL) {
9311d0c4 445 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
5584f65a 446 goto err;
7408f675
DO		 447 }
448 if (rsa->d == NULL) {
9311d0c4 449 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
7408f675
DO		 450 BN_free(d);
451 goto err;
fd7d2520 452 }
5584f65a 453 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e
MC		 454
455 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 456 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
457 rsa->n, ctx)) {
5584f65a 458 BN_free(d);
0f113f3e
MC		 459 goto err;
460 }
461 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
462 rsa->_method_mod_n)) {
5584f65a 463 BN_free(d);
0f113f3e
MC		 464 goto err;
465 }
5584f65a
MC		 466 /* We MUST free d before any further use of rsa->d */
467 BN_free(d);
0f113f3e
MC		 468 }
469
470 if (blinding)
471 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
472 goto err;
473
582ad5d4 474 j = BN_bn2binpad(ret, buf, num);
4a3dd629
P		 475 if (j < 0)
476 goto err;
0f113f3e
MC		 477
478 switch (padding) {
479 case RSA_PKCS1_PADDING:
480 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
481 break;
0f113f3e
MC		 482 case RSA_PKCS1_OAEP_PADDING:
483 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
484 break;
0f113f3e 485 case RSA_NO_PADDING:
582ad5d4 486 memcpy(to, buf, (r = j));
0f113f3e
MC		 487 break;
488 default:
9311d0c4 489 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 490 goto err;
491 }
f844f9eb 492#ifndef FIPS_MODULE
afb638f1
MC		 493 /*
494 * This trick doesn't work in the FIPS provider because libcrypto manages
495 * the error stack. Instead we opt not to put an error on the stack at all
496 * in case of padding failure in the FIPS provider.
497 */
9311d0c4 498 ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
94dc53a3 499 err_clear_last_constant_time(1 & ~constant_time_msb(r));
afb638f1 500#endif
0f113f3e
MC		 501
502 err:
ce1415ed 503 BN_CTX_end(ctx);
23a1d5e9 504 BN_CTX_free(ctx);
4b45c6e5 505 OPENSSL_clear_free(buf, num);
8686c474 506 return r;
0f113f3e 507}
58964a49 508
24cff6ce 509/* signature verification */
bf160551 510static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 511 unsigned char *to, RSA *rsa, int padding)
512{
513 BIGNUM *f, *ret;
514 int i, num = 0, r = -1;
0f113f3e
MC		 515 unsigned char *buf = NULL;
516 BN_CTX *ctx = NULL;
517
518 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
9311d0c4 519 ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 520 return -1;
521 }
522
523 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
9311d0c4 524 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 525 return -1;
526 }
527
528 /* for large moduli, enforce exponent limit */
529 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
530 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
9311d0c4 531 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 532 return -1;
533 }
534 }
535
afb638f1 536 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 537 goto err;
538 BN_CTX_start(ctx);
539 f = BN_CTX_get(ctx);
540 ret = BN_CTX_get(ctx);
541 num = BN_num_bytes(rsa->n);
542 buf = OPENSSL_malloc(num);
edea42c6 543 if (ret == NULL || buf == NULL) {
9311d0c4 544 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 545 goto err;
546 }
547
548 /*
549 * This check was for equality but PGP does evil things and chops off the
550 * top '0' bytes
551 */
552 if (flen > num) {
9311d0c4 553 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
0f113f3e
MC		 554 goto err;
555 }
556
557 if (BN_bin2bn(from, flen, f) == NULL)
558 goto err;
559
560 if (BN_ucmp(f, rsa->n) >= 0) {
9311d0c4 561 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 562 goto err;
563 }
564
565 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 566 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
567 rsa->n, ctx))
0f113f3e
MC		 568 goto err;
569
570 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
571 rsa->_method_mod_n))
572 goto err;
573
574 if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
575 if (!BN_sub(ret, rsa->n, ret))
576 goto err;
577
582ad5d4 578 i = BN_bn2binpad(ret, buf, num);
4a3dd629
P		 579 if (i < 0)
580 goto err;
0f113f3e
MC		 581
582 switch (padding) {
583 case RSA_PKCS1_PADDING:
584 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
585 break;
586 case RSA_X931_PADDING:
587 r = RSA_padding_check_X931(to, num, buf, i, num);
588 break;
589 case RSA_NO_PADDING:
582ad5d4 590 memcpy(to, buf, (r = i));
0f113f3e
MC		 591 break;
592 default:
9311d0c4 593 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 594 goto err;
595 }
596 if (r < 0)
9311d0c4 597 ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
0f113f3e
MC		 598
599 err:
ce1415ed 600 BN_CTX_end(ctx);
23a1d5e9 601 BN_CTX_free(ctx);
4b45c6e5 602 OPENSSL_clear_free(buf, num);
8686c474 603 return r;
0f113f3e 604}
58964a49 605
bf160551 606static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
0f113f3e 607{
afb638f1
MC		 608 BIGNUM *r1, *m1, *vrfy;
609 int ret = 0, smooth = 0;
f844f9eb 610#ifndef FIPS_MODULE
afb638f1
MC		 611 BIGNUM *r2, *m[RSA_MAX_PRIME_NUM - 2];
612 int i, ex_primes = 0;
665d899f 613 RSA_PRIME_INFO *pinfo;
afb638f1 614#endif
0f113f3e 615
c804d23d
PC		 616 BN_CTX_start(ctx);
617
0f113f3e 618 r1 = BN_CTX_get(ctx);
f844f9eb 619#ifndef FIPS_MODULE
665d899f 620 r2 = BN_CTX_get(ctx);
afb638f1 621#endif
0f113f3e
MC		 622 m1 = BN_CTX_get(ctx);
623 vrfy = BN_CTX_get(ctx);
5625567f
BE		 624 if (vrfy == NULL)
625 goto err;
0f113f3e 626
f844f9eb 627#ifndef FIPS_MODULE
665d899f 628 if (rsa->version == RSA_ASN1_VERSION_MULTI
a1471588
BE		 629 && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0
630 || ex_primes > RSA_MAX_PRIME_NUM - 2))
665d899f 631 goto err;
afb638f1 632#endif
665d899f 633
41bfd5e7
AP		 634 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
635 BIGNUM *factor = BN_new();
636
637 if (factor == NULL)
638 goto err;
0f113f3e
MC		 639
640 /*
0d4fb843 641 * Make sure BN_mod_inverse in Montgomery initialization uses the
5584f65a 642 * BN_FLG_CONSTTIME flag
0f113f3e 643 */
41bfd5e7
AP		 644 if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),
645 BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,
646 factor, ctx))
647 || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),
648 BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,
649 factor, ctx))) {
650 BN_free(factor);
5584f65a 651 goto err;
0f113f3e 652 }
f844f9eb 653#ifndef FIPS_MODULE
41bfd5e7
AP		 654 for (i = 0; i < ex_primes; i++) {
655 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
656 BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME);
657 if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) {
658 BN_free(factor);
0f113f3e
MC		 659 goto err;
660 }
661 }
afb638f1 662#endif
fd7d2520 663 /*
41bfd5e7 664 * We MUST free |factor| before any further use of the prime factors
fd7d2520 665 */
41bfd5e7
AP		 666 BN_free(factor);
667
afb638f1 668 smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
f844f9eb 669#ifndef FIPS_MODULE
afb638f1
MC		 670 && (ex_primes == 0)
671#endif
41bfd5e7 672 && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));
0f113f3e
MC		 673 }
674
675 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 676 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
677 rsa->n, ctx))
678 goto err;
679
680 if (smooth) {
681 /*
682 * Conversion from Montgomery domain, a.k.a. Montgomery reduction,
683 * accepts values in [0-m*2^w) range. w is m's bit width rounded up
684 * to limb width. So that at the very least if |I| is fully reduced,
685 * i.e. less than p*q, we can count on from-to round to perform
686 * below modulo operations on |I|. Unlike BN_mod it's constant time.
687 */
688 if (/* m1 = I moq q */
689 !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
690 || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
691 /* m1 = m1^dmq1 mod q */
692 || !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx,
693 rsa->_method_mod_q)
694 /* r1 = I mod p */
695 || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
696 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
697 /* r1 = r1^dmp1 mod p */
698 || !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx,
699 rsa->_method_mod_p)
700 /* r1 = (r1 - m1) mod p */
701 /*
702 * bn_mod_sub_fixed_top is not regular modular subtraction,
703 * it can tolerate subtrahend to be larger than modulus, but
704 * not bit-wise wider. This makes up for uncommon q>p case,
705 * when |m1| can be larger than |rsa->p|.
706 */
707 || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
708
d1c008f6 709 /* r1 = r1 * iqmp mod p */
41bfd5e7
AP		 710 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
711 || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
712 ctx)
d1c008f6 713 /* r0 = r1 * q + m1 */
41bfd5e7
AP		 714 || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
715 || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
0f113f3e
MC		 716 goto err;
717
41bfd5e7
AP		 718 goto tail;
719 }
720
0f113f3e 721 /* compute I mod q */
fd7d2520 722 {
5584f65a
MC		 723 BIGNUM *c = BN_new();
724 if (c == NULL)
725 goto err;
726 BN_with_flags(c, I, BN_FLG_CONSTTIME);
727
fd7d2520 728 if (!BN_mod(r1, c, rsa->q, ctx)) {
5584f65a 729 BN_free(c);
0f113f3e 730 goto err;
fd7d2520 731 }
0f113f3e 732
fd7d2520 733 {
5584f65a
MC		 734 BIGNUM *dmq1 = BN_new();
735 if (dmq1 == NULL) {
736 BN_free(c);
737 goto err;
fd7d2520 738 }
5584f65a
MC		 739 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
740
741 /* compute r1^dmq1 mod q */
fd7d2520 742 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
41bfd5e7 743 rsa->_method_mod_q)) {
5584f65a
MC		 744 BN_free(c);
745 BN_free(dmq1);
fd7d2520
MC		 746 goto err;
747 }
5584f65a
MC		 748 /* We MUST free dmq1 before any further use of rsa->dmq1 */
749 BN_free(dmq1);
fd7d2520 750 }
0f113f3e 751
fd7d2520
MC		 752 /* compute I mod p */
753 if (!BN_mod(r1, c, rsa->p, ctx)) {
5584f65a 754 BN_free(c);
0f113f3e 755 goto err;
fd7d2520 756 }
5584f65a
MC		 757 /* We MUST free c before any further use of I */
758 BN_free(c);
0f113f3e
MC		 759 }
760
fd7d2520 761 {
5584f65a
MC		 762 BIGNUM *dmp1 = BN_new();
763 if (dmp1 == NULL)
764 goto err;
765 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
766
fd7d2520 767 /* compute r1^dmp1 mod p */
fd7d2520
MC		 768 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
769 rsa->_method_mod_p)) {
5584f65a 770 BN_free(dmp1);
fd7d2520
MC		 771 goto err;
772 }
5584f65a
MC		 773 /* We MUST free dmp1 before any further use of rsa->dmp1 */
774 BN_free(dmp1);
fd7d2520 775 }
0f113f3e 776
f844f9eb 777#ifndef FIPS_MODULE
665d899f
PY		 778 /*
779 * calculate m_i in multi-prime case
780 *
781 * TODO:
782 * 1. squash the following two loops and calculate |m_i| there.
783 * 2. remove cc and reuse |c|.
784 * 3. remove |dmq1| and |dmp1| in previous block and use |di|.
785 *
786 * If these things are done, the code will be more readable.
787 */
788 if (ex_primes > 0) {
789 BIGNUM *di = BN_new(), *cc = BN_new();
790
791 if (cc == NULL || di == NULL) {
792 BN_free(cc);
793 BN_free(di);
794 goto err;
795 }
796
797 for (i = 0; i < ex_primes; i++) {
798 /* prepare m_i */
799 if ((m[i] = BN_CTX_get(ctx)) == NULL) {
800 BN_free(cc);
801 BN_free(di);
802 goto err;
803 }
804
805 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
806
807 /* prepare c and d_i */
808 BN_with_flags(cc, I, BN_FLG_CONSTTIME);
809 BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME);
810
811 if (!BN_mod(r1, cc, pinfo->r, ctx)) {
812 BN_free(cc);
813 BN_free(di);
814 goto err;
815 }
816 /* compute r1 ^ d_i mod r_i */
817 if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) {
818 BN_free(cc);
819 BN_free(di);
820 goto err;
821 }
822 }
823
824 BN_free(cc);
825 BN_free(di);
826 }
afb638f1 827#endif
665d899f 828
0f113f3e
MC		 829 if (!BN_sub(r0, r0, m1))
830 goto err;
831 /*
832 * This will help stop the size of r0 increasing, which does affect the
833 * multiply if it optimised for a power of 2 size
834 */
835 if (BN_is_negative(r0))
836 if (!BN_add(r0, r0, rsa->p))
837 goto err;
838
839 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
840 goto err;
841
fd7d2520 842 {
5584f65a
MC		 843 BIGNUM *pr1 = BN_new();
844 if (pr1 == NULL)
845 goto err;
846 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
847
fd7d2520 848 if (!BN_mod(r0, pr1, rsa->p, ctx)) {
5584f65a 849 BN_free(pr1);
fd7d2520
MC		 850 goto err;
851 }
5584f65a
MC		 852 /* We MUST free pr1 before any further use of r1 */
853 BN_free(pr1);
fd7d2520 854 }
0f113f3e
MC		 855
856 /*
857 * If p < q it is occasionally possible for the correction of adding 'p'
858 * if r0 is negative above to leave the result still negative. This can
859 * break the private key operations: the following second correction
860 * should *always* correct this rare occurrence. This will *never* happen
861 * with OpenSSL generated keys because they ensure p > q [steve]
862 */
863 if (BN_is_negative(r0))
864 if (!BN_add(r0, r0, rsa->p))
865 goto err;
866 if (!BN_mul(r1, r0, rsa->q, ctx))
867 goto err;
868 if (!BN_add(r0, r1, m1))
869 goto err;
870
f844f9eb 871#ifndef FIPS_MODULE
665d899f
PY		 872 /* add m_i to m in multi-prime case */
873 if (ex_primes > 0) {
874 BIGNUM *pr2 = BN_new();
875
876 if (pr2 == NULL)
877 goto err;
878
879 for (i = 0; i < ex_primes; i++) {
880 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
881 if (!BN_sub(r1, m[i], r0)) {
882 BN_free(pr2);
883 goto err;
884 }
885
886 if (!BN_mul(r2, r1, pinfo->t, ctx)) {
887 BN_free(pr2);
888 goto err;
889 }
890
891 BN_with_flags(pr2, r2, BN_FLG_CONSTTIME);
892
893 if (!BN_mod(r1, pr2, pinfo->r, ctx)) {
894 BN_free(pr2);
895 goto err;
896 }
897
898 if (BN_is_negative(r1))
899 if (!BN_add(r1, r1, pinfo->r)) {
900 BN_free(pr2);
901 goto err;
902 }
903 if (!BN_mul(r1, r1, pinfo->pp, ctx)) {
904 BN_free(pr2);
905 goto err;
906 }
907 if (!BN_add(r0, r0, r1)) {
908 BN_free(pr2);
909 goto err;
910 }
911 }
912 BN_free(pr2);
913 }
afb638f1 914#endif
665d899f 915
41bfd5e7 916 tail:
0f113f3e 917 if (rsa->e && rsa->n) {
41bfd5e7
AP		 918 if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
919 if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
920 rsa->_method_mod_n))
921 goto err;
922 } else {
923 bn_correct_top(r0);
924 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
925 rsa->_method_mod_n))
926 goto err;
927 }
0f113f3e
MC		 928 /*
929 * If 'I' was greater than (or equal to) rsa->n, the operation will
930 * be equivalent to using 'I mod n'. However, the result of the
931 * verify will *always* be less than 'n' so we don't check for
932 * absolute equality, just congruency.
933 */
934 if (!BN_sub(vrfy, vrfy, I))
935 goto err;
41bfd5e7
AP		 936 if (BN_is_zero(vrfy)) {
937 bn_correct_top(r0);
938 ret = 1;
939 goto err; /* not actually error */
940 }
0f113f3e
MC		 941 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
942 goto err;
943 if (BN_is_negative(vrfy))
944 if (!BN_add(vrfy, vrfy, rsa->n))
945 goto err;
946 if (!BN_is_zero(vrfy)) {
947 /*
948 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
949 * miscalculated CRT output, just do a raw (slower) mod_exp and
950 * return that instead.
951 */
952
5584f65a
MC		 953 BIGNUM *d = BN_new();
954 if (d == NULL)
955 goto err;
956 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e 957
0f113f3e
MC		 958 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
959 rsa->_method_mod_n)) {
5584f65a 960 BN_free(d);
0f113f3e
MC		 961 goto err;
962 }
5584f65a
MC		 963 /* We MUST free d before any further use of rsa->d */
964 BN_free(d);
0f113f3e
MC		 965 }
966 }
41bfd5e7
AP		 967 /*
968 * It's unfortunate that we have to bn_correct_top(r0). What hopefully
969 * saves the day is that correction is highly unlike, and private key
970 * operations are customarily performed on blinded message. Which means
971 * that attacker won't observe correlation with chosen plaintext.
972 * Secondly, remaining code would still handle it in same computational
973 * time and even conceal memory access pattern around corrected top.
974 */
975 bn_correct_top(r0);
0f113f3e
MC		 976 ret = 1;
977 err:
0f113f3e 978 BN_CTX_end(ctx);
8686c474 979 return ret;
0f113f3e 980}
58964a49 981
bf160551 982static int rsa_ossl_init(RSA *rsa)
0f113f3e
MC		 983{
984 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
8686c474 985 return 1;
0f113f3e 986}
58964a49 987
bf160551 988static int rsa_ossl_finish(RSA *rsa)
0f113f3e 989{
f844f9eb 990#ifndef FIPS_MODULE
665d899f
PY		 991 int i;
992 RSA_PRIME_INFO *pinfo;
993
665d899f
PY		 994 for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) {
995 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
996 BN_MONT_CTX_free(pinfo->m);
997 }
afb638f1
MC		 998#endif
999
1000 BN_MONT_CTX_free(rsa->_method_mod_n);
1001 BN_MONT_CTX_free(rsa->_method_mod_p);
1002 BN_MONT_CTX_free(rsa->_method_mod_q);
8686c474 1003 return 1;
0f113f3e 1004}
A mirror of the official openssl repository