]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/rsa/rsa_eay.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
check CRT
[thirdparty/openssl.git] / crypto / rsa / rsa_eay.c
1 /* crypto/rsa/rsa_eay.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <stdio.h>
60 #include "cryptlib.h"
61 #include <openssl/bn.h>
62 #include <openssl/rsa.h>
63 #include <openssl/rand.h>
64 #include <openssl/engine.h>
65
66 #ifndef RSA_NULL
67
68 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
69 unsigned char *to, RSA *rsa,int padding);
70 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
71 unsigned char *to, RSA *rsa,int padding);
72 static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
73 unsigned char *to, RSA *rsa,int padding);
74 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
75 unsigned char *to, RSA *rsa,int padding);
76 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
77 static int RSA_eay_init(RSA *rsa);
78 static int RSA_eay_finish(RSA *rsa);
79 static RSA_METHOD rsa_pkcs1_eay_meth={
80 "Eric Young's PKCS#1 RSA",
81 RSA_eay_public_encrypt,
82 RSA_eay_public_decrypt,
83 RSA_eay_private_encrypt,
84 RSA_eay_private_decrypt,
85 RSA_eay_mod_exp,
86 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
87 RSA_eay_init,
88 RSA_eay_finish,
89 0,
90 NULL,
91 };
92
93 const RSA_METHOD *RSA_PKCS1_SSLeay(void)
94 {
95 return(&rsa_pkcs1_eay_meth);
96 }
97
98 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
99 unsigned char *to, RSA *rsa, int padding)
100 {
101 const RSA_METHOD *meth;
102 BIGNUM f,ret;
103 int i,j,k,num=0,r= -1;
104 unsigned char *buf=NULL;
105 BN_CTX *ctx=NULL;
106
107 meth = ENGINE_get_RSA(rsa->engine);
108 BN_init(&f);
109 BN_init(&ret);
110 if ((ctx=BN_CTX_new()) == NULL) goto err;
111 num=BN_num_bytes(rsa->n);
112 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
113 {
114 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
115 goto err;
116 }
117
118 switch (padding)
119 {
120 case RSA_PKCS1_PADDING:
121 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
122 break;
123 #ifndef OPENSSL_NO_SHA
124 case RSA_PKCS1_OAEP_PADDING:
125 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
126 break;
127 #endif
128 case RSA_SSLV23_PADDING:
129 i=RSA_padding_add_SSLv23(buf,num,from,flen);
130 break;
131 case RSA_NO_PADDING:
132 i=RSA_padding_add_none(buf,num,from,flen);
133 break;
134 default:
135 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
136 goto err;
137 }
138 if (i <= 0) goto err;
139
140 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
141
142 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
143 {
144 BN_MONT_CTX* bn_mont_ctx;
145 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
146 goto err;
147 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
148 {
149 BN_MONT_CTX_free(bn_mont_ctx);
150 goto err;
151 }
152 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
153 {
154 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
155 if (rsa->_method_mod_n == NULL)
156 {
157 rsa->_method_mod_n = bn_mont_ctx;
158 bn_mont_ctx = NULL;
159 }
160 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
161 }
162 if (bn_mont_ctx)
163 BN_MONT_CTX_free(bn_mont_ctx);
164 }
165
166 if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
167 rsa->_method_mod_n)) goto err;
168
169 /* put in leading 0 bytes if the number is less than the
170 * length of the modulus */
171 j=BN_num_bytes(&ret);
172 i=BN_bn2bin(&ret,&(to[num-j]));
173 for (k=0; k<(num-i); k++)
174 to[k]=0;
175
176 r=num;
177 err:
178 if (ctx != NULL) BN_CTX_free(ctx);
179 BN_clear_free(&f);
180 BN_clear_free(&ret);
181 if (buf != NULL)
182 {
183 memset(buf,0,num);
184 OPENSSL_free(buf);
185 }
186 return(r);
187 }
188
189 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
190 unsigned char *to, RSA *rsa, int padding)
191 {
192 const RSA_METHOD *meth;
193 BIGNUM f,ret;
194 int i,j,k,num=0,r= -1;
195 unsigned char *buf=NULL;
196 BN_CTX *ctx=NULL;
197
198 meth = ENGINE_get_RSA(rsa->engine);
199 BN_init(&f);
200 BN_init(&ret);
201
202 if ((ctx=BN_CTX_new()) == NULL) goto err;
203 num=BN_num_bytes(rsa->n);
204 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
205 {
206 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
207 goto err;
208 }
209
210 switch (padding)
211 {
212 case RSA_PKCS1_PADDING:
213 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
214 break;
215 case RSA_NO_PADDING:
216 i=RSA_padding_add_none(buf,num,from,flen);
217 break;
218 case RSA_SSLV23_PADDING:
219 default:
220 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
221 goto err;
222 }
223 if (i <= 0) goto err;
224
225 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
226
227 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
228 RSA_blinding_on(rsa,ctx);
229 if (rsa->flags & RSA_FLAG_BLINDING)
230 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
231
232 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
233 ((rsa->p != NULL) &&
234 (rsa->q != NULL) &&
235 (rsa->dmp1 != NULL) &&
236 (rsa->dmq1 != NULL) &&
237 (rsa->iqmp != NULL)) )
238 { if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
239 else
240 {
241 if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
242 }
243
244 if (rsa->flags & RSA_FLAG_BLINDING)
245 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
246
247 /* put in leading 0 bytes if the number is less than the
248 * length of the modulus */
249 j=BN_num_bytes(&ret);
250 i=BN_bn2bin(&ret,&(to[num-j]));
251 for (k=0; k<(num-i); k++)
252 to[k]=0;
253
254 r=num;
255 err:
256 if (ctx != NULL) BN_CTX_free(ctx);
257 BN_clear_free(&ret);
258 BN_clear_free(&f);
259 if (buf != NULL)
260 {
261 memset(buf,0,num);
262 OPENSSL_free(buf);
263 }
264 return(r);
265 }
266
267 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
268 unsigned char *to, RSA *rsa, int padding)
269 {
270 const RSA_METHOD *meth;
271 BIGNUM f,ret;
272 int j,num=0,r= -1;
273 unsigned char *p;
274 unsigned char *buf=NULL;
275 BN_CTX *ctx=NULL;
276
277 meth = ENGINE_get_RSA(rsa->engine);
278 BN_init(&f);
279 BN_init(&ret);
280 ctx=BN_CTX_new();
281 if (ctx == NULL) goto err;
282
283 num=BN_num_bytes(rsa->n);
284
285 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
286 {
287 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
288 goto err;
289 }
290
291 /* This check was for equality but PGP does evil things
292 * and chops off the top '0' bytes */
293 if (flen > num)
294 {
295 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
296 goto err;
297 }
298
299 /* make data into a big number */
300 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
301
302 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
303 RSA_blinding_on(rsa,ctx);
304 if (rsa->flags & RSA_FLAG_BLINDING)
305 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
306
307 /* do the decrypt */
308 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
309 ((rsa->p != NULL) &&
310 (rsa->q != NULL) &&
311 (rsa->dmp1 != NULL) &&
312 (rsa->dmq1 != NULL) &&
313 (rsa->iqmp != NULL)) )
314 { if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
315 else
316 {
317 if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
318 goto err;
319 }
320
321 if (rsa->flags & RSA_FLAG_BLINDING)
322 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
323
324 p=buf;
325 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
326
327 switch (padding)
328 {
329 case RSA_PKCS1_PADDING:
330 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
331 break;
332 #ifndef OPENSSL_NO_SHA
333 case RSA_PKCS1_OAEP_PADDING:
334 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
335 break;
336 #endif
337 case RSA_SSLV23_PADDING:
338 r=RSA_padding_check_SSLv23(to,num,buf,j,num);
339 break;
340 case RSA_NO_PADDING:
341 r=RSA_padding_check_none(to,num,buf,j,num);
342 break;
343 default:
344 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
345 goto err;
346 }
347 if (r < 0)
348 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
349
350 err:
351 if (ctx != NULL) BN_CTX_free(ctx);
352 BN_clear_free(&f);
353 BN_clear_free(&ret);
354 if (buf != NULL)
355 {
356 memset(buf,0,num);
357 OPENSSL_free(buf);
358 }
359 return(r);
360 }
361
362 static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
363 unsigned char *to, RSA *rsa, int padding)
364 {
365 const RSA_METHOD *meth;
366 BIGNUM f,ret;
367 int i,num=0,r= -1;
368 unsigned char *p;
369 unsigned char *buf=NULL;
370 BN_CTX *ctx=NULL;
371
372 meth = ENGINE_get_RSA(rsa->engine);
373 BN_init(&f);
374 BN_init(&ret);
375 ctx=BN_CTX_new();
376 if (ctx == NULL) goto err;
377
378 num=BN_num_bytes(rsa->n);
379 buf=(unsigned char *)OPENSSL_malloc(num);
380 if (buf == NULL)
381 {
382 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
383 goto err;
384 }
385
386 /* This check was for equality but PGP does evil things
387 * and chops off the top '0' bytes */
388 if (flen > num)
389 {
390 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
391 goto err;
392 }
393
394 if (BN_bin2bn(from,flen,&f) == NULL) goto err;
395 /* do the decrypt */
396 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
397 {
398 BN_MONT_CTX* bn_mont_ctx;
399 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
400 goto err;
401 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
402 {
403 BN_MONT_CTX_free(bn_mont_ctx);
404 goto err;
405 }
406 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
407 {
408 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
409 if (rsa->_method_mod_n == NULL)
410 {
411 rsa->_method_mod_n = bn_mont_ctx;
412 bn_mont_ctx = NULL;
413 }
414 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
415 }
416 if (bn_mont_ctx)
417 BN_MONT_CTX_free(bn_mont_ctx);
418 }
419
420 if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
421 rsa->_method_mod_n)) goto err;
422
423 p=buf;
424 i=BN_bn2bin(&ret,p);
425
426 switch (padding)
427 {
428 case RSA_PKCS1_PADDING:
429 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
430 break;
431 case RSA_NO_PADDING:
432 r=RSA_padding_check_none(to,num,buf,i,num);
433 break;
434 default:
435 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
436 goto err;
437 }
438 if (r < 0)
439 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
440
441 err:
442 if (ctx != NULL) BN_CTX_free(ctx);
443 BN_clear_free(&f);
444 BN_clear_free(&ret);
445 if (buf != NULL)
446 {
447 memset(buf,0,num);
448 OPENSSL_free(buf);
449 }
450 return(r);
451 }
452
453 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
454 {
455 const RSA_METHOD *meth;
456 BIGNUM r1,m1,vrfy;
457 int ret=0;
458 BN_CTX *ctx;
459
460 meth = ENGINE_get_RSA(rsa->engine);
461 if ((ctx=BN_CTX_new()) == NULL) goto err;
462 BN_init(&m1);
463 BN_init(&r1);
464 BN_init(&vrfy);
465
466 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
467 {
468 if (rsa->_method_mod_p == NULL)
469 {
470 BN_MONT_CTX* bn_mont_ctx;
471 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
472 goto err;
473 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
474 {
475 BN_MONT_CTX_free(bn_mont_ctx);
476 goto err;
477 }
478 if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
479 {
480 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
481 if (rsa->_method_mod_p == NULL)
482 {
483 rsa->_method_mod_p = bn_mont_ctx;
484 bn_mont_ctx = NULL;
485 }
486 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
487 }
488 if (bn_mont_ctx)
489 BN_MONT_CTX_free(bn_mont_ctx);
490 }
491
492 if (rsa->_method_mod_q == NULL)
493 {
494 BN_MONT_CTX* bn_mont_ctx;
495 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
496 goto err;
497 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
498 {
499 BN_MONT_CTX_free(bn_mont_ctx);
500 goto err;
501 }
502 if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
503 {
504 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
505 if (rsa->_method_mod_q == NULL)
506 {
507 rsa->_method_mod_q = bn_mont_ctx;
508 bn_mont_ctx = NULL;
509 }
510 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
511 }
512 if (bn_mont_ctx)
513 BN_MONT_CTX_free(bn_mont_ctx);
514 }
515 }
516
517 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
518 if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
519 rsa->_method_mod_q)) goto err;
520
521 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
522 if (!meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
523 rsa->_method_mod_p)) goto err;
524
525 if (!BN_sub(r0,r0,&m1)) goto err;
526 /* This will help stop the size of r0 increasing, which does
527 * affect the multiply if it optimised for a power of 2 size */
528 if (r0->neg)
529 if (!BN_add(r0,r0,rsa->p)) goto err;
530
531 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
532 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
533 /* If p < q it is occasionally possible for the correction of
534 * adding 'p' if r0 is negative above to leave the result still
535 * negative. This can break the private key operations: the following
536 * second correction should *always* correct this rare occurrence.
537 * This will *never* happen with OpenSSL generated keys because
538 * they ensure p > q [steve]
539 */
540 if (r0->neg)
541 if (!BN_add(r0,r0,rsa->p)) goto err;
542 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
543 if (!BN_add(r0,&r1,&m1)) goto err;
544
545 if (rsa->e && rsa->n)
546 {
547 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
548 if (BN_cmp(I, &vrfy) != 0)
549 {
550 if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
551 }
552 }
553 ret=1;
554 err:
555 BN_clear_free(&m1);
556 BN_clear_free(&r1);
557 BN_clear_free(&vrfy);
558 BN_CTX_free(ctx);
559 return(ret);
560 }
561
562 static int RSA_eay_init(RSA *rsa)
563 {
564 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
565 return(1);
566 }
567
568 static int RSA_eay_finish(RSA *rsa)
569 {
570 if (rsa->_method_mod_n != NULL)
571 BN_MONT_CTX_free(rsa->_method_mod_n);
572 if (rsa->_method_mod_p != NULL)
573 BN_MONT_CTX_free(rsa->_method_mod_p);
574 if (rsa->_method_mod_q != NULL)
575 BN_MONT_CTX_free(rsa->_method_mod_q);
576 return(1);
577 }
578
579 #endif
A mirror of the official openssl repository