]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/rsa/rsa_eay.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
There have been a number of complaints from a number of sources that names
[thirdparty/openssl.git] / crypto / rsa / rsa_eay.c
1 /* crypto/rsa/rsa_eay.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <stdio.h>
60 #include "cryptlib.h"
61 #include <openssl/bn.h>
62 #include <openssl/rsa.h>
63 #include <openssl/rand.h>
64
65 #ifndef RSA_NULL
66
67 static int RSA_eay_public_encrypt(int flen, unsigned char *from,
68 unsigned char *to, RSA *rsa,int padding);
69 static int RSA_eay_private_encrypt(int flen, unsigned char *from,
70 unsigned char *to, RSA *rsa,int padding);
71 static int RSA_eay_public_decrypt(int flen, unsigned char *from,
72 unsigned char *to, RSA *rsa,int padding);
73 static int RSA_eay_private_decrypt(int flen, unsigned char *from,
74 unsigned char *to, RSA *rsa,int padding);
75 static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
76 static int RSA_eay_init(RSA *rsa);
77 static int RSA_eay_finish(RSA *rsa);
78 static RSA_METHOD rsa_pkcs1_eay_meth={
79 "Eric Young's PKCS#1 RSA",
80 RSA_eay_public_encrypt,
81 RSA_eay_public_decrypt,
82 RSA_eay_private_encrypt,
83 RSA_eay_private_decrypt,
84 RSA_eay_mod_exp,
85 BN_mod_exp_mont,
86 RSA_eay_init,
87 RSA_eay_finish,
88 0,
89 NULL,
90 };
91
92 RSA_METHOD *RSA_PKCS1_SSLeay(void)
93 {
94 return(&rsa_pkcs1_eay_meth);
95 }
96
97 static int RSA_eay_public_encrypt(int flen, unsigned char *from,
98 unsigned char *to, RSA *rsa, int padding)
99 {
100 BIGNUM f,ret;
101 int i,j,k,num=0,r= -1;
102 unsigned char *buf=NULL;
103 BN_CTX *ctx=NULL;
104
105 BN_init(&f);
106 BN_init(&ret);
107 if ((ctx=BN_CTX_new()) == NULL) goto err;
108 num=BN_num_bytes(rsa->n);
109 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
110 {
111 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
112 goto err;
113 }
114
115 switch (padding)
116 {
117 case RSA_PKCS1_PADDING:
118 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
119 break;
120 #ifndef NO_SHA
121 case RSA_PKCS1_OAEP_PADDING:
122 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
123 break;
124 #endif
125 case RSA_SSLV23_PADDING:
126 i=RSA_padding_add_SSLv23(buf,num,from,flen);
127 break;
128 case RSA_NO_PADDING:
129 i=RSA_padding_add_none(buf,num,from,flen);
130 break;
131 default:
132 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
133 goto err;
134 }
135 if (i <= 0) goto err;
136
137 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
138
139 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
140 {
141 if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
142 if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
143 goto err;
144 }
145
146 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
147 rsa->_method_mod_n)) goto err;
148
149 /* put in leading 0 bytes if the number is less than the
150 * length of the modulus */
151 j=BN_num_bytes(&ret);
152 i=BN_bn2bin(&ret,&(to[num-j]));
153 for (k=0; k<(num-i); k++)
154 to[k]=0;
155
156 r=num;
157 err:
158 if (ctx != NULL) BN_CTX_free(ctx);
159 BN_clear_free(&f);
160 BN_clear_free(&ret);
161 if (buf != NULL)
162 {
163 memset(buf,0,num);
164 OPENSSL_free(buf);
165 }
166 return(r);
167 }
168
169 static int RSA_eay_private_encrypt(int flen, unsigned char *from,
170 unsigned char *to, RSA *rsa, int padding)
171 {
172 BIGNUM f,ret;
173 int i,j,k,num=0,r= -1;
174 unsigned char *buf=NULL;
175 BN_CTX *ctx=NULL;
176
177 BN_init(&f);
178 BN_init(&ret);
179
180 if ((ctx=BN_CTX_new()) == NULL) goto err;
181 num=BN_num_bytes(rsa->n);
182 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
183 {
184 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
185 goto err;
186 }
187
188 switch (padding)
189 {
190 case RSA_PKCS1_PADDING:
191 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
192 break;
193 case RSA_NO_PADDING:
194 i=RSA_padding_add_none(buf,num,from,flen);
195 break;
196 case RSA_SSLV23_PADDING:
197 default:
198 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
199 goto err;
200 }
201 if (i <= 0) goto err;
202
203 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
204
205 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
206 RSA_blinding_on(rsa,ctx);
207 if (rsa->flags & RSA_FLAG_BLINDING)
208 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
209
210 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
211 ((rsa->p != NULL) &&
212 (rsa->q != NULL) &&
213 (rsa->dmp1 != NULL) &&
214 (rsa->dmq1 != NULL) &&
215 (rsa->iqmp != NULL)) )
216 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
217 else
218 {
219 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
220 }
221
222 if (rsa->flags & RSA_FLAG_BLINDING)
223 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
224
225 /* put in leading 0 bytes if the number is less than the
226 * length of the modulus */
227 j=BN_num_bytes(&ret);
228 i=BN_bn2bin(&ret,&(to[num-j]));
229 for (k=0; k<(num-i); k++)
230 to[k]=0;
231
232 r=num;
233 err:
234 if (ctx != NULL) BN_CTX_free(ctx);
235 BN_clear_free(&ret);
236 BN_clear_free(&f);
237 if (buf != NULL)
238 {
239 memset(buf,0,num);
240 OPENSSL_free(buf);
241 }
242 return(r);
243 }
244
245 static int RSA_eay_private_decrypt(int flen, unsigned char *from,
246 unsigned char *to, RSA *rsa, int padding)
247 {
248 BIGNUM f,ret;
249 int j,num=0,r= -1;
250 unsigned char *p;
251 unsigned char *buf=NULL;
252 BN_CTX *ctx=NULL;
253
254 BN_init(&f);
255 BN_init(&ret);
256 ctx=BN_CTX_new();
257 if (ctx == NULL) goto err;
258
259 num=BN_num_bytes(rsa->n);
260
261 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
262 {
263 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
264 goto err;
265 }
266
267 /* This check was for equality but PGP does evil things
268 * and chops off the top '0' bytes */
269 if (flen > num)
270 {
271 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
272 goto err;
273 }
274
275 /* make data into a big number */
276 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
277
278 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
279 RSA_blinding_on(rsa,ctx);
280 if (rsa->flags & RSA_FLAG_BLINDING)
281 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
282
283 /* do the decrypt */
284 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
285 ((rsa->p != NULL) &&
286 (rsa->q != NULL) &&
287 (rsa->dmp1 != NULL) &&
288 (rsa->dmq1 != NULL) &&
289 (rsa->iqmp != NULL)) )
290 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
291 else
292 {
293 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
294 goto err;
295 }
296
297 if (rsa->flags & RSA_FLAG_BLINDING)
298 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
299
300 p=buf;
301 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
302
303 switch (padding)
304 {
305 case RSA_PKCS1_PADDING:
306 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
307 break;
308 #ifndef NO_SHA
309 case RSA_PKCS1_OAEP_PADDING:
310 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
311 break;
312 #endif
313 case RSA_SSLV23_PADDING:
314 r=RSA_padding_check_SSLv23(to,num,buf,j,num);
315 break;
316 case RSA_NO_PADDING:
317 r=RSA_padding_check_none(to,num,buf,j,num);
318 break;
319 default:
320 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
321 goto err;
322 }
323 if (r < 0)
324 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
325
326 err:
327 if (ctx != NULL) BN_CTX_free(ctx);
328 BN_clear_free(&f);
329 BN_clear_free(&ret);
330 if (buf != NULL)
331 {
332 memset(buf,0,num);
333 OPENSSL_free(buf);
334 }
335 return(r);
336 }
337
338 static int RSA_eay_public_decrypt(int flen, unsigned char *from,
339 unsigned char *to, RSA *rsa, int padding)
340 {
341 BIGNUM f,ret;
342 int i,num=0,r= -1;
343 unsigned char *p;
344 unsigned char *buf=NULL;
345 BN_CTX *ctx=NULL;
346
347 BN_init(&f);
348 BN_init(&ret);
349 ctx=BN_CTX_new();
350 if (ctx == NULL) goto err;
351
352 num=BN_num_bytes(rsa->n);
353 buf=(unsigned char *)OPENSSL_malloc(num);
354 if (buf == NULL)
355 {
356 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
357 goto err;
358 }
359
360 /* This check was for equality but PGP does evil things
361 * and chops off the top '0' bytes */
362 if (flen > num)
363 {
364 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
365 goto err;
366 }
367
368 if (BN_bin2bn(from,flen,&f) == NULL) goto err;
369 /* do the decrypt */
370 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
371 {
372 if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
373 if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
374 goto err;
375 }
376
377 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
378 rsa->_method_mod_n)) goto err;
379
380 p=buf;
381 i=BN_bn2bin(&ret,p);
382
383 switch (padding)
384 {
385 case RSA_PKCS1_PADDING:
386 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
387 break;
388 case RSA_NO_PADDING:
389 r=RSA_padding_check_none(to,num,buf,i,num);
390 break;
391 default:
392 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
393 goto err;
394 }
395 if (r < 0)
396 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
397
398 err:
399 if (ctx != NULL) BN_CTX_free(ctx);
400 BN_clear_free(&f);
401 BN_clear_free(&ret);
402 if (buf != NULL)
403 {
404 memset(buf,0,num);
405 OPENSSL_free(buf);
406 }
407 return(r);
408 }
409
410 static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
411 {
412 BIGNUM r1,m1;
413 int ret=0;
414 BN_CTX *ctx;
415
416 if ((ctx=BN_CTX_new()) == NULL) goto err;
417 BN_init(&m1);
418 BN_init(&r1);
419
420 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
421 {
422 if (rsa->_method_mod_p == NULL)
423 {
424 if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
425 if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
426 ctx))
427 goto err;
428 }
429 if (rsa->_method_mod_q == NULL)
430 {
431 if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
432 if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
433 ctx))
434 goto err;
435 }
436 }
437
438 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
439 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
440 rsa->_method_mod_q)) goto err;
441
442 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
443 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
444 rsa->_method_mod_p)) goto err;
445
446 if (!BN_sub(r0,r0,&m1)) goto err;
447 /* This will help stop the size of r0 increasing, which does
448 * affect the multiply if it optimised for a power of 2 size */
449 if (r0->neg)
450 if (!BN_add(r0,r0,rsa->p)) goto err;
451
452 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
453 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
454 /* If p < q it is occasionally possible for the correction of
455 * adding 'p' if r0 is negative above to leave the result still
456 * negative. This can break the private key operations: the following
457 * second correction should *always* correct this rare occurrence.
458 * This will *never* happen with OpenSSL generated keys because
459 * they ensure p > q [steve]
460 */
461 if (r0->neg)
462 if (!BN_add(r0,r0,rsa->p)) goto err;
463 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
464 if (!BN_add(r0,&r1,&m1)) goto err;
465
466 ret=1;
467 err:
468 BN_clear_free(&m1);
469 BN_clear_free(&r1);
470 BN_CTX_free(ctx);
471 return(ret);
472 }
473
474 static int RSA_eay_init(RSA *rsa)
475 {
476 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
477 return(1);
478 }
479
480 static int RSA_eay_finish(RSA *rsa)
481 {
482 if (rsa->_method_mod_n != NULL)
483 BN_MONT_CTX_free(rsa->_method_mod_n);
484 if (rsa->_method_mod_p != NULL)
485 BN_MONT_CTX_free(rsa->_method_mod_p);
486 if (rsa->_method_mod_q != NULL)
487 BN_MONT_CTX_free(rsa->_method_mod_q);
488 return(1);
489 }
490
491 #endif
A mirror of the official openssl repository