]>
Commit | Line | Data |
---|---|---|
2039c421 | 1 | /* |
8020d79b | 2 | * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. |
46a64376 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
46a64376 | 8 | */ |
58964a49 | 9 | |
c5f87134 P |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
b39fc560 | 16 | #include "internal/cryptlib.h" |
25f2138b | 17 | #include "crypto/bn.h" |
706457b7 DMSP |
18 | #include "rsa_local.h" |
19 | #include "internal/constant_time.h" | |
58964a49 | 20 | |
bf160551 | 21 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, |
0f113f3e | 22 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 23 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, |
0f113f3e | 24 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 25 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, |
0f113f3e | 26 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 27 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, |
0f113f3e | 28 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 29 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, |
0f113f3e | 30 | BN_CTX *ctx); |
bf160551 RS |
31 | static int rsa_ossl_init(RSA *rsa); |
32 | static int rsa_ossl_finish(RSA *rsa); | |
33 | static RSA_METHOD rsa_pkcs1_ossl_meth = { | |
076fc555 | 34 | "OpenSSL PKCS#1 RSA", |
bf160551 RS |
35 | rsa_ossl_public_encrypt, |
36 | rsa_ossl_public_decrypt, /* signature verification */ | |
37 | rsa_ossl_private_encrypt, /* signing */ | |
38 | rsa_ossl_private_decrypt, | |
39 | rsa_ossl_mod_exp, | |
0f113f3e MC |
40 | BN_mod_exp_mont, /* XXX probably we should not use Montgomery |
41 | * if e == 3 */ | |
bf160551 RS |
42 | rsa_ossl_init, |
43 | rsa_ossl_finish, | |
0f113f3e MC |
44 | RSA_FLAG_FIPS_METHOD, /* flags */ |
45 | NULL, | |
46 | 0, /* rsa_sign */ | |
47 | 0, /* rsa_verify */ | |
665d899f PY |
48 | NULL, /* rsa_keygen */ |
49 | NULL /* rsa_multi_prime_keygen */ | |
0f113f3e | 50 | }; |
58964a49 | 51 | |
076fc555 RS |
52 | static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth; |
53 | ||
54 | void RSA_set_default_method(const RSA_METHOD *meth) | |
55 | { | |
56 | default_RSA_meth = meth; | |
57 | } | |
58 | ||
59 | const RSA_METHOD *RSA_get_default_method(void) | |
60 | { | |
61 | return default_RSA_meth; | |
62 | } | |
63 | ||
b0700d2c | 64 | const RSA_METHOD *RSA_PKCS1_OpenSSL(void) |
0f113f3e | 65 | { |
bf160551 | 66 | return &rsa_pkcs1_ossl_meth; |
0f113f3e | 67 | } |
58964a49 | 68 | |
076fc555 RS |
69 | const RSA_METHOD *RSA_null_method(void) |
70 | { | |
71 | return NULL; | |
72 | } | |
73 | ||
bf160551 | 74 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, |
0f113f3e MC |
75 | unsigned char *to, RSA *rsa, int padding) |
76 | { | |
77 | BIGNUM *f, *ret; | |
582ad5d4 | 78 | int i, num = 0, r = -1; |
0f113f3e MC |
79 | unsigned char *buf = NULL; |
80 | BN_CTX *ctx = NULL; | |
81 | ||
82 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { | |
9311d0c4 | 83 | ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); |
0f113f3e MC |
84 | return -1; |
85 | } | |
86 | ||
87 | if (BN_ucmp(rsa->n, rsa->e) <= 0) { | |
9311d0c4 | 88 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
89 | return -1; |
90 | } | |
91 | ||
92 | /* for large moduli, enforce exponent limit */ | |
93 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { | |
94 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { | |
9311d0c4 | 95 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
96 | return -1; |
97 | } | |
98 | } | |
99 | ||
afb638f1 | 100 | if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) |
0f113f3e MC |
101 | goto err; |
102 | BN_CTX_start(ctx); | |
103 | f = BN_CTX_get(ctx); | |
104 | ret = BN_CTX_get(ctx); | |
105 | num = BN_num_bytes(rsa->n); | |
106 | buf = OPENSSL_malloc(num); | |
edea42c6 | 107 | if (ret == NULL || buf == NULL) { |
9311d0c4 | 108 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
109 | goto err; |
110 | } | |
111 | ||
112 | switch (padding) { | |
113 | case RSA_PKCS1_PADDING: | |
23b2fc0b P |
114 | i = ossl_rsa_padding_add_PKCS1_type_2_ex(rsa->libctx, buf, num, |
115 | from, flen); | |
0f113f3e | 116 | break; |
0f113f3e | 117 | case RSA_PKCS1_OAEP_PADDING: |
23b2fc0b P |
118 | i = ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(rsa->libctx, buf, num, |
119 | from, flen, NULL, 0, | |
120 | NULL, NULL); | |
0f113f3e | 121 | break; |
0f113f3e MC |
122 | case RSA_NO_PADDING: |
123 | i = RSA_padding_add_none(buf, num, from, flen); | |
124 | break; | |
125 | default: | |
9311d0c4 | 126 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
127 | goto err; |
128 | } | |
129 | if (i <= 0) | |
130 | goto err; | |
131 | ||
132 | if (BN_bin2bn(buf, num, f) == NULL) | |
133 | goto err; | |
134 | ||
135 | if (BN_ucmp(f, rsa->n) >= 0) { | |
136 | /* usually the padding functions would catch this */ | |
9311d0c4 | 137 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
0f113f3e MC |
138 | goto err; |
139 | } | |
140 | ||
141 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
142 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
143 | rsa->n, ctx)) | |
0f113f3e MC |
144 | goto err; |
145 | ||
146 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, | |
147 | rsa->_method_mod_n)) | |
148 | goto err; | |
149 | ||
150 | /* | |
582ad5d4 AP |
151 | * BN_bn2binpad puts in leading 0 bytes if the number is less than |
152 | * the length of the modulus. | |
0f113f3e | 153 | */ |
582ad5d4 | 154 | r = BN_bn2binpad(ret, to, num); |
0f113f3e | 155 | err: |
ce1415ed | 156 | BN_CTX_end(ctx); |
23a1d5e9 | 157 | BN_CTX_free(ctx); |
4b45c6e5 | 158 | OPENSSL_clear_free(buf, num); |
8686c474 | 159 | return r; |
0f113f3e | 160 | } |
58964a49 | 161 | |
675f605d | 162 | static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) |
800e400d | 163 | { |
0f113f3e | 164 | BN_BLINDING *ret; |
0f113f3e | 165 | |
cd3f8c1b RS |
166 | if (!CRYPTO_THREAD_write_lock(rsa->lock)) |
167 | return NULL; | |
0f113f3e MC |
168 | |
169 | if (rsa->blinding == NULL) { | |
d188a536 | 170 | rsa->blinding = RSA_setup_blinding(rsa, ctx); |
0f113f3e MC |
171 | } |
172 | ||
173 | ret = rsa->blinding; | |
174 | if (ret == NULL) | |
175 | goto err; | |
176 | ||
0b1a07c8 | 177 | if (BN_BLINDING_is_current_thread(ret)) { |
0f113f3e MC |
178 | /* rsa->blinding is ours! */ |
179 | ||
180 | *local = 1; | |
181 | } else { | |
182 | /* resort to rsa->mt_blinding instead */ | |
183 | ||
184 | /* | |
185 | * instructs rsa_blinding_convert(), rsa_blinding_invert() that the | |
186 | * BN_BLINDING is shared, meaning that accesses require locks, and | |
187 | * that the blinding factor must be stored outside the BN_BLINDING | |
188 | */ | |
189 | *local = 0; | |
190 | ||
191 | if (rsa->mt_blinding == NULL) { | |
d188a536 | 192 | rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); |
0f113f3e MC |
193 | } |
194 | ret = rsa->mt_blinding; | |
195 | } | |
5679bcce | 196 | |
675f605d | 197 | err: |
d188a536 | 198 | CRYPTO_THREAD_unlock(rsa->lock); |
0f113f3e | 199 | return ret; |
800e400d | 200 | } |
5679bcce | 201 | |
e5641d7f | 202 | static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, |
0f113f3e MC |
203 | BN_CTX *ctx) |
204 | { | |
90862ab4 | 205 | if (unblind == NULL) { |
0f113f3e MC |
206 | /* |
207 | * Local blinding: store the unblinding factor in BN_BLINDING. | |
208 | */ | |
209 | return BN_BLINDING_convert_ex(f, NULL, b, ctx); | |
90862ab4 | 210 | } else { |
0f113f3e MC |
211 | /* |
212 | * Shared blinding: store the unblinding factor outside BN_BLINDING. | |
213 | */ | |
214 | int ret; | |
0b1a07c8 AG |
215 | |
216 | BN_BLINDING_lock(b); | |
0f113f3e | 217 | ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); |
0b1a07c8 AG |
218 | BN_BLINDING_unlock(b); |
219 | ||
0f113f3e MC |
220 | return ret; |
221 | } | |
222 | } | |
e5641d7f BM |
223 | |
224 | static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, | |
0f113f3e MC |
225 | BN_CTX *ctx) |
226 | { | |
227 | /* | |
228 | * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex | |
229 | * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING | |
230 | * is shared between threads, unblind must be non-null: | |
231 | * BN_BLINDING_invert_ex will then use the local unblinding factor, and | |
232 | * will only read the modulus from BN_BLINDING. In both cases it's safe | |
233 | * to access the blinding without a lock. | |
234 | */ | |
235 | return BN_BLINDING_invert_ex(f, unblind, b, ctx); | |
236 | } | |
5679bcce | 237 | |
24cff6ce | 238 | /* signing */ |
bf160551 | 239 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, |
0f113f3e MC |
240 | unsigned char *to, RSA *rsa, int padding) |
241 | { | |
242 | BIGNUM *f, *ret, *res; | |
582ad5d4 | 243 | int i, num = 0, r = -1; |
0f113f3e MC |
244 | unsigned char *buf = NULL; |
245 | BN_CTX *ctx = NULL; | |
246 | int local_blinding = 0; | |
247 | /* | |
248 | * Used only if the blinding structure is shared. A non-NULL unblind | |
249 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
250 | * the unblinding factor outside the blinding structure. | |
251 | */ | |
252 | BIGNUM *unblind = NULL; | |
253 | BN_BLINDING *blinding = NULL; | |
254 | ||
afb638f1 | 255 | if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) |
0f113f3e MC |
256 | goto err; |
257 | BN_CTX_start(ctx); | |
258 | f = BN_CTX_get(ctx); | |
259 | ret = BN_CTX_get(ctx); | |
260 | num = BN_num_bytes(rsa->n); | |
261 | buf = OPENSSL_malloc(num); | |
edea42c6 | 262 | if (ret == NULL || buf == NULL) { |
9311d0c4 | 263 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
264 | goto err; |
265 | } | |
266 | ||
267 | switch (padding) { | |
268 | case RSA_PKCS1_PADDING: | |
269 | i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); | |
270 | break; | |
271 | case RSA_X931_PADDING: | |
272 | i = RSA_padding_add_X931(buf, num, from, flen); | |
273 | break; | |
274 | case RSA_NO_PADDING: | |
275 | i = RSA_padding_add_none(buf, num, from, flen); | |
276 | break; | |
0f113f3e | 277 | default: |
9311d0c4 | 278 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
279 | goto err; |
280 | } | |
281 | if (i <= 0) | |
282 | goto err; | |
283 | ||
284 | if (BN_bin2bn(buf, num, f) == NULL) | |
285 | goto err; | |
286 | ||
287 | if (BN_ucmp(f, rsa->n) >= 0) { | |
288 | /* usually the padding functions would catch this */ | |
9311d0c4 | 289 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
0f113f3e MC |
290 | goto err; |
291 | } | |
292 | ||
2cc3f68c AP |
293 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) |
294 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, | |
295 | rsa->n, ctx)) | |
296 | goto err; | |
297 | ||
0f113f3e MC |
298 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { |
299 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
300 | if (blinding == NULL) { | |
9311d0c4 | 301 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
302 | goto err; |
303 | } | |
304 | } | |
305 | ||
306 | if (blinding != NULL) { | |
307 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { | |
9311d0c4 | 308 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
309 | goto err; |
310 | } | |
311 | if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
312 | goto err; | |
313 | } | |
314 | ||
315 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) || | |
665d899f | 316 | (rsa->version == RSA_ASN1_VERSION_MULTI) || |
0f113f3e MC |
317 | ((rsa->p != NULL) && |
318 | (rsa->q != NULL) && | |
319 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { | |
320 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | |
321 | goto err; | |
322 | } else { | |
5584f65a MC |
323 | BIGNUM *d = BN_new(); |
324 | if (d == NULL) { | |
9311d0c4 | 325 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
5584f65a | 326 | goto err; |
fd7d2520 | 327 | } |
7408f675 | 328 | if (rsa->d == NULL) { |
9311d0c4 | 329 | ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); |
7408f675 DO |
330 | BN_free(d); |
331 | goto err; | |
332 | } | |
5584f65a | 333 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
0f113f3e | 334 | |
0f113f3e MC |
335 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, |
336 | rsa->_method_mod_n)) { | |
5584f65a | 337 | BN_free(d); |
0f113f3e MC |
338 | goto err; |
339 | } | |
5584f65a MC |
340 | /* We MUST free d before any further use of rsa->d */ |
341 | BN_free(d); | |
0f113f3e MC |
342 | } |
343 | ||
344 | if (blinding) | |
345 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | |
346 | goto err; | |
347 | ||
348 | if (padding == RSA_X931_PADDING) { | |
3d3cbce5 P |
349 | if (!BN_sub(f, rsa->n, ret)) |
350 | goto err; | |
0f113f3e MC |
351 | if (BN_cmp(ret, f) > 0) |
352 | res = f; | |
353 | else | |
354 | res = ret; | |
90862ab4 | 355 | } else { |
0f113f3e | 356 | res = ret; |
90862ab4 | 357 | } |
0f113f3e MC |
358 | |
359 | /* | |
582ad5d4 AP |
360 | * BN_bn2binpad puts in leading 0 bytes if the number is less than |
361 | * the length of the modulus. | |
0f113f3e | 362 | */ |
582ad5d4 | 363 | r = BN_bn2binpad(res, to, num); |
0f113f3e | 364 | err: |
ce1415ed | 365 | BN_CTX_end(ctx); |
23a1d5e9 | 366 | BN_CTX_free(ctx); |
4b45c6e5 | 367 | OPENSSL_clear_free(buf, num); |
8686c474 | 368 | return r; |
0f113f3e | 369 | } |
58964a49 | 370 | |
bf160551 | 371 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, |
0f113f3e MC |
372 | unsigned char *to, RSA *rsa, int padding) |
373 | { | |
374 | BIGNUM *f, *ret; | |
375 | int j, num = 0, r = -1; | |
0f113f3e MC |
376 | unsigned char *buf = NULL; |
377 | BN_CTX *ctx = NULL; | |
378 | int local_blinding = 0; | |
379 | /* | |
380 | * Used only if the blinding structure is shared. A non-NULL unblind | |
381 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
382 | * the unblinding factor outside the blinding structure. | |
383 | */ | |
384 | BIGNUM *unblind = NULL; | |
385 | BN_BLINDING *blinding = NULL; | |
386 | ||
afb638f1 | 387 | if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) |
0f113f3e MC |
388 | goto err; |
389 | BN_CTX_start(ctx); | |
390 | f = BN_CTX_get(ctx); | |
391 | ret = BN_CTX_get(ctx); | |
392 | num = BN_num_bytes(rsa->n); | |
393 | buf = OPENSSL_malloc(num); | |
edea42c6 | 394 | if (ret == NULL || buf == NULL) { |
9311d0c4 | 395 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
396 | goto err; |
397 | } | |
398 | ||
399 | /* | |
400 | * This check was for equality but PGP does evil things and chops off the | |
401 | * top '0' bytes | |
402 | */ | |
403 | if (flen > num) { | |
9311d0c4 | 404 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN); |
0f113f3e MC |
405 | goto err; |
406 | } | |
407 | ||
408 | /* make data into a big number */ | |
409 | if (BN_bin2bn(from, (int)flen, f) == NULL) | |
410 | goto err; | |
411 | ||
412 | if (BN_ucmp(f, rsa->n) >= 0) { | |
9311d0c4 | 413 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
0f113f3e MC |
414 | goto err; |
415 | } | |
416 | ||
417 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { | |
418 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
419 | if (blinding == NULL) { | |
9311d0c4 | 420 | ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
421 | goto err; |
422 | } | |
423 | } | |
424 | ||
425 | if (blinding != NULL) { | |
426 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { | |
9311d0c4 | 427 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
428 | goto err; |
429 | } | |
430 | if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
431 | goto err; | |
432 | } | |
433 | ||
434 | /* do the decrypt */ | |
435 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) || | |
665d899f | 436 | (rsa->version == RSA_ASN1_VERSION_MULTI) || |
0f113f3e MC |
437 | ((rsa->p != NULL) && |
438 | (rsa->q != NULL) && | |
439 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { | |
440 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | |
441 | goto err; | |
442 | } else { | |
5584f65a MC |
443 | BIGNUM *d = BN_new(); |
444 | if (d == NULL) { | |
9311d0c4 | 445 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
5584f65a | 446 | goto err; |
7408f675 DO |
447 | } |
448 | if (rsa->d == NULL) { | |
9311d0c4 | 449 | ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); |
7408f675 DO |
450 | BN_free(d); |
451 | goto err; | |
fd7d2520 | 452 | } |
5584f65a | 453 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
0f113f3e MC |
454 | |
455 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
456 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
457 | rsa->n, ctx)) { | |
5584f65a | 458 | BN_free(d); |
0f113f3e MC |
459 | goto err; |
460 | } | |
461 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, | |
462 | rsa->_method_mod_n)) { | |
5584f65a | 463 | BN_free(d); |
0f113f3e MC |
464 | goto err; |
465 | } | |
5584f65a MC |
466 | /* We MUST free d before any further use of rsa->d */ |
467 | BN_free(d); | |
0f113f3e MC |
468 | } |
469 | ||
470 | if (blinding) | |
471 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | |
472 | goto err; | |
473 | ||
582ad5d4 | 474 | j = BN_bn2binpad(ret, buf, num); |
4a3dd629 P |
475 | if (j < 0) |
476 | goto err; | |
0f113f3e MC |
477 | |
478 | switch (padding) { | |
479 | case RSA_PKCS1_PADDING: | |
480 | r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); | |
481 | break; | |
0f113f3e MC |
482 | case RSA_PKCS1_OAEP_PADDING: |
483 | r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); | |
484 | break; | |
0f113f3e | 485 | case RSA_NO_PADDING: |
582ad5d4 | 486 | memcpy(to, buf, (r = j)); |
0f113f3e MC |
487 | break; |
488 | default: | |
9311d0c4 | 489 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
490 | goto err; |
491 | } | |
f844f9eb | 492 | #ifndef FIPS_MODULE |
afb638f1 MC |
493 | /* |
494 | * This trick doesn't work in the FIPS provider because libcrypto manages | |
495 | * the error stack. Instead we opt not to put an error on the stack at all | |
496 | * in case of padding failure in the FIPS provider. | |
497 | */ | |
9311d0c4 | 498 | ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED); |
94dc53a3 | 499 | err_clear_last_constant_time(1 & ~constant_time_msb(r)); |
afb638f1 | 500 | #endif |
0f113f3e MC |
501 | |
502 | err: | |
ce1415ed | 503 | BN_CTX_end(ctx); |
23a1d5e9 | 504 | BN_CTX_free(ctx); |
4b45c6e5 | 505 | OPENSSL_clear_free(buf, num); |
8686c474 | 506 | return r; |
0f113f3e | 507 | } |
58964a49 | 508 | |
24cff6ce | 509 | /* signature verification */ |
bf160551 | 510 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, |
0f113f3e MC |
511 | unsigned char *to, RSA *rsa, int padding) |
512 | { | |
513 | BIGNUM *f, *ret; | |
514 | int i, num = 0, r = -1; | |
0f113f3e MC |
515 | unsigned char *buf = NULL; |
516 | BN_CTX *ctx = NULL; | |
517 | ||
518 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { | |
9311d0c4 | 519 | ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); |
0f113f3e MC |
520 | return -1; |
521 | } | |
522 | ||
523 | if (BN_ucmp(rsa->n, rsa->e) <= 0) { | |
9311d0c4 | 524 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
525 | return -1; |
526 | } | |
527 | ||
528 | /* for large moduli, enforce exponent limit */ | |
529 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { | |
530 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { | |
9311d0c4 | 531 | ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
532 | return -1; |
533 | } | |
534 | } | |
535 | ||
afb638f1 | 536 | if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) |
0f113f3e MC |
537 | goto err; |
538 | BN_CTX_start(ctx); | |
539 | f = BN_CTX_get(ctx); | |
540 | ret = BN_CTX_get(ctx); | |
541 | num = BN_num_bytes(rsa->n); | |
542 | buf = OPENSSL_malloc(num); | |
edea42c6 | 543 | if (ret == NULL || buf == NULL) { |
9311d0c4 | 544 | ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
545 | goto err; |
546 | } | |
547 | ||
548 | /* | |
549 | * This check was for equality but PGP does evil things and chops off the | |
550 | * top '0' bytes | |
551 | */ | |
552 | if (flen > num) { | |
9311d0c4 | 553 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN); |
0f113f3e MC |
554 | goto err; |
555 | } | |
556 | ||
557 | if (BN_bin2bn(from, flen, f) == NULL) | |
558 | goto err; | |
559 | ||
560 | if (BN_ucmp(f, rsa->n) >= 0) { | |
9311d0c4 | 561 | ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
0f113f3e MC |
562 | goto err; |
563 | } | |
564 | ||
565 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
566 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
567 | rsa->n, ctx)) | |
0f113f3e MC |
568 | goto err; |
569 | ||
570 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, | |
571 | rsa->_method_mod_n)) | |
572 | goto err; | |
573 | ||
574 | if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12)) | |
575 | if (!BN_sub(ret, rsa->n, ret)) | |
576 | goto err; | |
577 | ||
582ad5d4 | 578 | i = BN_bn2binpad(ret, buf, num); |
4a3dd629 P |
579 | if (i < 0) |
580 | goto err; | |
0f113f3e MC |
581 | |
582 | switch (padding) { | |
583 | case RSA_PKCS1_PADDING: | |
584 | r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); | |
585 | break; | |
586 | case RSA_X931_PADDING: | |
587 | r = RSA_padding_check_X931(to, num, buf, i, num); | |
588 | break; | |
589 | case RSA_NO_PADDING: | |
582ad5d4 | 590 | memcpy(to, buf, (r = i)); |
0f113f3e MC |
591 | break; |
592 | default: | |
9311d0c4 | 593 | ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
594 | goto err; |
595 | } | |
596 | if (r < 0) | |
9311d0c4 | 597 | ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED); |
0f113f3e MC |
598 | |
599 | err: | |
ce1415ed | 600 | BN_CTX_end(ctx); |
23a1d5e9 | 601 | BN_CTX_free(ctx); |
4b45c6e5 | 602 | OPENSSL_clear_free(buf, num); |
8686c474 | 603 | return r; |
0f113f3e | 604 | } |
58964a49 | 605 | |
bf160551 | 606 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) |
0f113f3e | 607 | { |
afb638f1 MC |
608 | BIGNUM *r1, *m1, *vrfy; |
609 | int ret = 0, smooth = 0; | |
f844f9eb | 610 | #ifndef FIPS_MODULE |
afb638f1 MC |
611 | BIGNUM *r2, *m[RSA_MAX_PRIME_NUM - 2]; |
612 | int i, ex_primes = 0; | |
665d899f | 613 | RSA_PRIME_INFO *pinfo; |
afb638f1 | 614 | #endif |
0f113f3e | 615 | |
c804d23d PC |
616 | BN_CTX_start(ctx); |
617 | ||
0f113f3e | 618 | r1 = BN_CTX_get(ctx); |
f844f9eb | 619 | #ifndef FIPS_MODULE |
665d899f | 620 | r2 = BN_CTX_get(ctx); |
afb638f1 | 621 | #endif |
0f113f3e MC |
622 | m1 = BN_CTX_get(ctx); |
623 | vrfy = BN_CTX_get(ctx); | |
5625567f BE |
624 | if (vrfy == NULL) |
625 | goto err; | |
0f113f3e | 626 | |
f844f9eb | 627 | #ifndef FIPS_MODULE |
665d899f | 628 | if (rsa->version == RSA_ASN1_VERSION_MULTI |
a1471588 BE |
629 | && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0 |
630 | || ex_primes > RSA_MAX_PRIME_NUM - 2)) | |
665d899f | 631 | goto err; |
afb638f1 | 632 | #endif |
665d899f | 633 | |
41bfd5e7 AP |
634 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { |
635 | BIGNUM *factor = BN_new(); | |
636 | ||
637 | if (factor == NULL) | |
638 | goto err; | |
0f113f3e MC |
639 | |
640 | /* | |
0d4fb843 | 641 | * Make sure BN_mod_inverse in Montgomery initialization uses the |
5584f65a | 642 | * BN_FLG_CONSTTIME flag |
0f113f3e | 643 | */ |
41bfd5e7 AP |
644 | if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME), |
645 | BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock, | |
646 | factor, ctx)) | |
647 | || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME), | |
648 | BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock, | |
649 | factor, ctx))) { | |
650 | BN_free(factor); | |
5584f65a | 651 | goto err; |
0f113f3e | 652 | } |
f844f9eb | 653 | #ifndef FIPS_MODULE |
41bfd5e7 AP |
654 | for (i = 0; i < ex_primes; i++) { |
655 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
656 | BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME); | |
657 | if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) { | |
658 | BN_free(factor); | |
0f113f3e MC |
659 | goto err; |
660 | } | |
661 | } | |
afb638f1 | 662 | #endif |
fd7d2520 | 663 | /* |
41bfd5e7 | 664 | * We MUST free |factor| before any further use of the prime factors |
fd7d2520 | 665 | */ |
41bfd5e7 AP |
666 | BN_free(factor); |
667 | ||
afb638f1 | 668 | smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont) |
f844f9eb | 669 | #ifndef FIPS_MODULE |
afb638f1 MC |
670 | && (ex_primes == 0) |
671 | #endif | |
41bfd5e7 | 672 | && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p)); |
0f113f3e MC |
673 | } |
674 | ||
675 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
676 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
677 | rsa->n, ctx)) | |
678 | goto err; | |
679 | ||
680 | if (smooth) { | |
681 | /* | |
682 | * Conversion from Montgomery domain, a.k.a. Montgomery reduction, | |
683 | * accepts values in [0-m*2^w) range. w is m's bit width rounded up | |
684 | * to limb width. So that at the very least if |I| is fully reduced, | |
685 | * i.e. less than p*q, we can count on from-to round to perform | |
686 | * below modulo operations on |I|. Unlike BN_mod it's constant time. | |
687 | */ | |
688 | if (/* m1 = I moq q */ | |
689 | !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx) | |
690 | || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx) | |
691 | /* m1 = m1^dmq1 mod q */ | |
692 | || !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx, | |
693 | rsa->_method_mod_q) | |
694 | /* r1 = I mod p */ | |
695 | || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx) | |
696 | || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) | |
697 | /* r1 = r1^dmp1 mod p */ | |
698 | || !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx, | |
699 | rsa->_method_mod_p) | |
700 | /* r1 = (r1 - m1) mod p */ | |
701 | /* | |
702 | * bn_mod_sub_fixed_top is not regular modular subtraction, | |
703 | * it can tolerate subtrahend to be larger than modulus, but | |
704 | * not bit-wise wider. This makes up for uncommon q>p case, | |
705 | * when |m1| can be larger than |rsa->p|. | |
706 | */ | |
707 | || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p) | |
708 | ||
d1c008f6 | 709 | /* r1 = r1 * iqmp mod p */ |
41bfd5e7 AP |
710 | || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) |
711 | || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, | |
712 | ctx) | |
d1c008f6 | 713 | /* r0 = r1 * q + m1 */ |
41bfd5e7 AP |
714 | || !bn_mul_fixed_top(r0, r1, rsa->q, ctx) |
715 | || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n)) | |
0f113f3e MC |
716 | goto err; |
717 | ||
41bfd5e7 AP |
718 | goto tail; |
719 | } | |
720 | ||
0f113f3e | 721 | /* compute I mod q */ |
fd7d2520 | 722 | { |
5584f65a MC |
723 | BIGNUM *c = BN_new(); |
724 | if (c == NULL) | |
725 | goto err; | |
726 | BN_with_flags(c, I, BN_FLG_CONSTTIME); | |
727 | ||
fd7d2520 | 728 | if (!BN_mod(r1, c, rsa->q, ctx)) { |
5584f65a | 729 | BN_free(c); |
0f113f3e | 730 | goto err; |
fd7d2520 | 731 | } |
0f113f3e | 732 | |
fd7d2520 | 733 | { |
5584f65a MC |
734 | BIGNUM *dmq1 = BN_new(); |
735 | if (dmq1 == NULL) { | |
736 | BN_free(c); | |
737 | goto err; | |
fd7d2520 | 738 | } |
5584f65a MC |
739 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); |
740 | ||
741 | /* compute r1^dmq1 mod q */ | |
fd7d2520 | 742 | if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, |
41bfd5e7 | 743 | rsa->_method_mod_q)) { |
5584f65a MC |
744 | BN_free(c); |
745 | BN_free(dmq1); | |
fd7d2520 MC |
746 | goto err; |
747 | } | |
5584f65a MC |
748 | /* We MUST free dmq1 before any further use of rsa->dmq1 */ |
749 | BN_free(dmq1); | |
fd7d2520 | 750 | } |
0f113f3e | 751 | |
fd7d2520 MC |
752 | /* compute I mod p */ |
753 | if (!BN_mod(r1, c, rsa->p, ctx)) { | |
5584f65a | 754 | BN_free(c); |
0f113f3e | 755 | goto err; |
fd7d2520 | 756 | } |
5584f65a MC |
757 | /* We MUST free c before any further use of I */ |
758 | BN_free(c); | |
0f113f3e MC |
759 | } |
760 | ||
fd7d2520 | 761 | { |
5584f65a MC |
762 | BIGNUM *dmp1 = BN_new(); |
763 | if (dmp1 == NULL) | |
764 | goto err; | |
765 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); | |
766 | ||
fd7d2520 | 767 | /* compute r1^dmp1 mod p */ |
fd7d2520 MC |
768 | if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, |
769 | rsa->_method_mod_p)) { | |
5584f65a | 770 | BN_free(dmp1); |
fd7d2520 MC |
771 | goto err; |
772 | } | |
5584f65a MC |
773 | /* We MUST free dmp1 before any further use of rsa->dmp1 */ |
774 | BN_free(dmp1); | |
fd7d2520 | 775 | } |
0f113f3e | 776 | |
f844f9eb | 777 | #ifndef FIPS_MODULE |
665d899f PY |
778 | /* |
779 | * calculate m_i in multi-prime case | |
780 | * | |
781 | * TODO: | |
782 | * 1. squash the following two loops and calculate |m_i| there. | |
783 | * 2. remove cc and reuse |c|. | |
784 | * 3. remove |dmq1| and |dmp1| in previous block and use |di|. | |
785 | * | |
786 | * If these things are done, the code will be more readable. | |
787 | */ | |
788 | if (ex_primes > 0) { | |
789 | BIGNUM *di = BN_new(), *cc = BN_new(); | |
790 | ||
791 | if (cc == NULL || di == NULL) { | |
792 | BN_free(cc); | |
793 | BN_free(di); | |
794 | goto err; | |
795 | } | |
796 | ||
797 | for (i = 0; i < ex_primes; i++) { | |
798 | /* prepare m_i */ | |
799 | if ((m[i] = BN_CTX_get(ctx)) == NULL) { | |
800 | BN_free(cc); | |
801 | BN_free(di); | |
802 | goto err; | |
803 | } | |
804 | ||
805 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
806 | ||
807 | /* prepare c and d_i */ | |
808 | BN_with_flags(cc, I, BN_FLG_CONSTTIME); | |
809 | BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME); | |
810 | ||
811 | if (!BN_mod(r1, cc, pinfo->r, ctx)) { | |
812 | BN_free(cc); | |
813 | BN_free(di); | |
814 | goto err; | |
815 | } | |
816 | /* compute r1 ^ d_i mod r_i */ | |
817 | if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) { | |
818 | BN_free(cc); | |
819 | BN_free(di); | |
820 | goto err; | |
821 | } | |
822 | } | |
823 | ||
824 | BN_free(cc); | |
825 | BN_free(di); | |
826 | } | |
afb638f1 | 827 | #endif |
665d899f | 828 | |
0f113f3e MC |
829 | if (!BN_sub(r0, r0, m1)) |
830 | goto err; | |
831 | /* | |
832 | * This will help stop the size of r0 increasing, which does affect the | |
833 | * multiply if it optimised for a power of 2 size | |
834 | */ | |
835 | if (BN_is_negative(r0)) | |
836 | if (!BN_add(r0, r0, rsa->p)) | |
837 | goto err; | |
838 | ||
839 | if (!BN_mul(r1, r0, rsa->iqmp, ctx)) | |
840 | goto err; | |
841 | ||
fd7d2520 | 842 | { |
5584f65a MC |
843 | BIGNUM *pr1 = BN_new(); |
844 | if (pr1 == NULL) | |
845 | goto err; | |
846 | BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); | |
847 | ||
fd7d2520 | 848 | if (!BN_mod(r0, pr1, rsa->p, ctx)) { |
5584f65a | 849 | BN_free(pr1); |
fd7d2520 MC |
850 | goto err; |
851 | } | |
5584f65a MC |
852 | /* We MUST free pr1 before any further use of r1 */ |
853 | BN_free(pr1); | |
fd7d2520 | 854 | } |
0f113f3e MC |
855 | |
856 | /* | |
857 | * If p < q it is occasionally possible for the correction of adding 'p' | |
858 | * if r0 is negative above to leave the result still negative. This can | |
859 | * break the private key operations: the following second correction | |
860 | * should *always* correct this rare occurrence. This will *never* happen | |
861 | * with OpenSSL generated keys because they ensure p > q [steve] | |
862 | */ | |
863 | if (BN_is_negative(r0)) | |
864 | if (!BN_add(r0, r0, rsa->p)) | |
865 | goto err; | |
866 | if (!BN_mul(r1, r0, rsa->q, ctx)) | |
867 | goto err; | |
868 | if (!BN_add(r0, r1, m1)) | |
869 | goto err; | |
870 | ||
f844f9eb | 871 | #ifndef FIPS_MODULE |
665d899f PY |
872 | /* add m_i to m in multi-prime case */ |
873 | if (ex_primes > 0) { | |
874 | BIGNUM *pr2 = BN_new(); | |
875 | ||
876 | if (pr2 == NULL) | |
877 | goto err; | |
878 | ||
879 | for (i = 0; i < ex_primes; i++) { | |
880 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
881 | if (!BN_sub(r1, m[i], r0)) { | |
882 | BN_free(pr2); | |
883 | goto err; | |
884 | } | |
885 | ||
886 | if (!BN_mul(r2, r1, pinfo->t, ctx)) { | |
887 | BN_free(pr2); | |
888 | goto err; | |
889 | } | |
890 | ||
891 | BN_with_flags(pr2, r2, BN_FLG_CONSTTIME); | |
892 | ||
893 | if (!BN_mod(r1, pr2, pinfo->r, ctx)) { | |
894 | BN_free(pr2); | |
895 | goto err; | |
896 | } | |
897 | ||
898 | if (BN_is_negative(r1)) | |
899 | if (!BN_add(r1, r1, pinfo->r)) { | |
900 | BN_free(pr2); | |
901 | goto err; | |
902 | } | |
903 | if (!BN_mul(r1, r1, pinfo->pp, ctx)) { | |
904 | BN_free(pr2); | |
905 | goto err; | |
906 | } | |
907 | if (!BN_add(r0, r0, r1)) { | |
908 | BN_free(pr2); | |
909 | goto err; | |
910 | } | |
911 | } | |
912 | BN_free(pr2); | |
913 | } | |
afb638f1 | 914 | #endif |
665d899f | 915 | |
41bfd5e7 | 916 | tail: |
0f113f3e | 917 | if (rsa->e && rsa->n) { |
41bfd5e7 AP |
918 | if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) { |
919 | if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx, | |
920 | rsa->_method_mod_n)) | |
921 | goto err; | |
922 | } else { | |
923 | bn_correct_top(r0); | |
924 | if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, | |
925 | rsa->_method_mod_n)) | |
926 | goto err; | |
927 | } | |
0f113f3e MC |
928 | /* |
929 | * If 'I' was greater than (or equal to) rsa->n, the operation will | |
930 | * be equivalent to using 'I mod n'. However, the result of the | |
931 | * verify will *always* be less than 'n' so we don't check for | |
932 | * absolute equality, just congruency. | |
933 | */ | |
934 | if (!BN_sub(vrfy, vrfy, I)) | |
935 | goto err; | |
41bfd5e7 AP |
936 | if (BN_is_zero(vrfy)) { |
937 | bn_correct_top(r0); | |
938 | ret = 1; | |
939 | goto err; /* not actually error */ | |
940 | } | |
0f113f3e MC |
941 | if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) |
942 | goto err; | |
943 | if (BN_is_negative(vrfy)) | |
944 | if (!BN_add(vrfy, vrfy, rsa->n)) | |
945 | goto err; | |
946 | if (!BN_is_zero(vrfy)) { | |
947 | /* | |
948 | * 'I' and 'vrfy' aren't congruent mod n. Don't leak | |
949 | * miscalculated CRT output, just do a raw (slower) mod_exp and | |
950 | * return that instead. | |
951 | */ | |
952 | ||
5584f65a MC |
953 | BIGNUM *d = BN_new(); |
954 | if (d == NULL) | |
955 | goto err; | |
956 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | |
0f113f3e | 957 | |
0f113f3e MC |
958 | if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, |
959 | rsa->_method_mod_n)) { | |
5584f65a | 960 | BN_free(d); |
0f113f3e MC |
961 | goto err; |
962 | } | |
5584f65a MC |
963 | /* We MUST free d before any further use of rsa->d */ |
964 | BN_free(d); | |
0f113f3e MC |
965 | } |
966 | } | |
41bfd5e7 AP |
967 | /* |
968 | * It's unfortunate that we have to bn_correct_top(r0). What hopefully | |
969 | * saves the day is that correction is highly unlike, and private key | |
970 | * operations are customarily performed on blinded message. Which means | |
971 | * that attacker won't observe correlation with chosen plaintext. | |
972 | * Secondly, remaining code would still handle it in same computational | |
973 | * time and even conceal memory access pattern around corrected top. | |
974 | */ | |
975 | bn_correct_top(r0); | |
0f113f3e MC |
976 | ret = 1; |
977 | err: | |
0f113f3e | 978 | BN_CTX_end(ctx); |
8686c474 | 979 | return ret; |
0f113f3e | 980 | } |
58964a49 | 981 | |
bf160551 | 982 | static int rsa_ossl_init(RSA *rsa) |
0f113f3e MC |
983 | { |
984 | rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; | |
8686c474 | 985 | return 1; |
0f113f3e | 986 | } |
58964a49 | 987 | |
bf160551 | 988 | static int rsa_ossl_finish(RSA *rsa) |
0f113f3e | 989 | { |
f844f9eb | 990 | #ifndef FIPS_MODULE |
665d899f PY |
991 | int i; |
992 | RSA_PRIME_INFO *pinfo; | |
993 | ||
665d899f PY |
994 | for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) { |
995 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
996 | BN_MONT_CTX_free(pinfo->m); | |
997 | } | |
afb638f1 MC |
998 | #endif |
999 | ||
1000 | BN_MONT_CTX_free(rsa->_method_mod_n); | |
1001 | BN_MONT_CTX_free(rsa->_method_mod_p); | |
1002 | BN_MONT_CTX_free(rsa->_method_mod_q); | |
8686c474 | 1003 | return 1; |
0f113f3e | 1004 | } |