]>
Commit | Line | Data |
---|---|---|
2039c421 | 1 | /* |
1212818e | 2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
46a64376 | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
46a64376 | 8 | */ |
58964a49 | 9 | |
b39fc560 | 10 | #include "internal/cryptlib.h" |
25f2138b | 11 | #include "crypto/bn.h" |
9862e9aa | 12 | #include "rsa_locl.h" |
89072e0c | 13 | #include "internal/constant_time_locl.h" |
58964a49 | 14 | |
bf160551 | 15 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, |
0f113f3e | 16 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 17 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, |
0f113f3e | 18 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 19 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, |
0f113f3e | 20 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 21 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, |
0f113f3e | 22 | unsigned char *to, RSA *rsa, int padding); |
bf160551 | 23 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, |
0f113f3e | 24 | BN_CTX *ctx); |
bf160551 RS |
25 | static int rsa_ossl_init(RSA *rsa); |
26 | static int rsa_ossl_finish(RSA *rsa); | |
27 | static RSA_METHOD rsa_pkcs1_ossl_meth = { | |
076fc555 | 28 | "OpenSSL PKCS#1 RSA", |
bf160551 RS |
29 | rsa_ossl_public_encrypt, |
30 | rsa_ossl_public_decrypt, /* signature verification */ | |
31 | rsa_ossl_private_encrypt, /* signing */ | |
32 | rsa_ossl_private_decrypt, | |
33 | rsa_ossl_mod_exp, | |
0f113f3e MC |
34 | BN_mod_exp_mont, /* XXX probably we should not use Montgomery |
35 | * if e == 3 */ | |
bf160551 RS |
36 | rsa_ossl_init, |
37 | rsa_ossl_finish, | |
0f113f3e MC |
38 | RSA_FLAG_FIPS_METHOD, /* flags */ |
39 | NULL, | |
40 | 0, /* rsa_sign */ | |
41 | 0, /* rsa_verify */ | |
665d899f PY |
42 | NULL, /* rsa_keygen */ |
43 | NULL /* rsa_multi_prime_keygen */ | |
0f113f3e | 44 | }; |
58964a49 | 45 | |
076fc555 RS |
46 | static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth; |
47 | ||
48 | void RSA_set_default_method(const RSA_METHOD *meth) | |
49 | { | |
50 | default_RSA_meth = meth; | |
51 | } | |
52 | ||
53 | const RSA_METHOD *RSA_get_default_method(void) | |
54 | { | |
55 | return default_RSA_meth; | |
56 | } | |
57 | ||
b0700d2c | 58 | const RSA_METHOD *RSA_PKCS1_OpenSSL(void) |
0f113f3e | 59 | { |
bf160551 | 60 | return &rsa_pkcs1_ossl_meth; |
0f113f3e | 61 | } |
58964a49 | 62 | |
076fc555 RS |
63 | const RSA_METHOD *RSA_null_method(void) |
64 | { | |
65 | return NULL; | |
66 | } | |
67 | ||
bf160551 | 68 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, |
0f113f3e MC |
69 | unsigned char *to, RSA *rsa, int padding) |
70 | { | |
71 | BIGNUM *f, *ret; | |
582ad5d4 | 72 | int i, num = 0, r = -1; |
0f113f3e MC |
73 | unsigned char *buf = NULL; |
74 | BN_CTX *ctx = NULL; | |
75 | ||
76 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { | |
bf160551 | 77 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); |
0f113f3e MC |
78 | return -1; |
79 | } | |
80 | ||
81 | if (BN_ucmp(rsa->n, rsa->e) <= 0) { | |
bf160551 | 82 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
83 | return -1; |
84 | } | |
85 | ||
86 | /* for large moduli, enforce exponent limit */ | |
87 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { | |
88 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { | |
bf160551 | 89 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
90 | return -1; |
91 | } | |
92 | } | |
93 | ||
94 | if ((ctx = BN_CTX_new()) == NULL) | |
95 | goto err; | |
96 | BN_CTX_start(ctx); | |
97 | f = BN_CTX_get(ctx); | |
98 | ret = BN_CTX_get(ctx); | |
99 | num = BN_num_bytes(rsa->n); | |
100 | buf = OPENSSL_malloc(num); | |
edea42c6 | 101 | if (ret == NULL || buf == NULL) { |
bf160551 | 102 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
103 | goto err; |
104 | } | |
105 | ||
106 | switch (padding) { | |
107 | case RSA_PKCS1_PADDING: | |
108 | i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); | |
109 | break; | |
0f113f3e MC |
110 | case RSA_PKCS1_OAEP_PADDING: |
111 | i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); | |
112 | break; | |
0f113f3e MC |
113 | case RSA_SSLV23_PADDING: |
114 | i = RSA_padding_add_SSLv23(buf, num, from, flen); | |
115 | break; | |
116 | case RSA_NO_PADDING: | |
117 | i = RSA_padding_add_none(buf, num, from, flen); | |
118 | break; | |
119 | default: | |
bf160551 | 120 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
121 | goto err; |
122 | } | |
123 | if (i <= 0) | |
124 | goto err; | |
125 | ||
126 | if (BN_bin2bn(buf, num, f) == NULL) | |
127 | goto err; | |
128 | ||
129 | if (BN_ucmp(f, rsa->n) >= 0) { | |
130 | /* usually the padding functions would catch this */ | |
bf160551 | 131 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, |
0f113f3e MC |
132 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
133 | goto err; | |
134 | } | |
135 | ||
136 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
137 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
138 | rsa->n, ctx)) | |
0f113f3e MC |
139 | goto err; |
140 | ||
141 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, | |
142 | rsa->_method_mod_n)) | |
143 | goto err; | |
144 | ||
145 | /* | |
582ad5d4 AP |
146 | * BN_bn2binpad puts in leading 0 bytes if the number is less than |
147 | * the length of the modulus. | |
0f113f3e | 148 | */ |
582ad5d4 | 149 | r = BN_bn2binpad(ret, to, num); |
0f113f3e | 150 | err: |
ce1415ed | 151 | BN_CTX_end(ctx); |
23a1d5e9 | 152 | BN_CTX_free(ctx); |
4b45c6e5 | 153 | OPENSSL_clear_free(buf, num); |
8686c474 | 154 | return r; |
0f113f3e | 155 | } |
58964a49 | 156 | |
675f605d | 157 | static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) |
800e400d | 158 | { |
0f113f3e | 159 | BN_BLINDING *ret; |
0f113f3e | 160 | |
d188a536 | 161 | CRYPTO_THREAD_write_lock(rsa->lock); |
0f113f3e MC |
162 | |
163 | if (rsa->blinding == NULL) { | |
d188a536 | 164 | rsa->blinding = RSA_setup_blinding(rsa, ctx); |
0f113f3e MC |
165 | } |
166 | ||
167 | ret = rsa->blinding; | |
168 | if (ret == NULL) | |
169 | goto err; | |
170 | ||
0b1a07c8 | 171 | if (BN_BLINDING_is_current_thread(ret)) { |
0f113f3e MC |
172 | /* rsa->blinding is ours! */ |
173 | ||
174 | *local = 1; | |
175 | } else { | |
176 | /* resort to rsa->mt_blinding instead */ | |
177 | ||
178 | /* | |
179 | * instructs rsa_blinding_convert(), rsa_blinding_invert() that the | |
180 | * BN_BLINDING is shared, meaning that accesses require locks, and | |
181 | * that the blinding factor must be stored outside the BN_BLINDING | |
182 | */ | |
183 | *local = 0; | |
184 | ||
185 | if (rsa->mt_blinding == NULL) { | |
d188a536 | 186 | rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); |
0f113f3e MC |
187 | } |
188 | ret = rsa->mt_blinding; | |
189 | } | |
5679bcce | 190 | |
675f605d | 191 | err: |
d188a536 | 192 | CRYPTO_THREAD_unlock(rsa->lock); |
0f113f3e | 193 | return ret; |
800e400d | 194 | } |
5679bcce | 195 | |
e5641d7f | 196 | static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, |
0f113f3e MC |
197 | BN_CTX *ctx) |
198 | { | |
90862ab4 | 199 | if (unblind == NULL) { |
0f113f3e MC |
200 | /* |
201 | * Local blinding: store the unblinding factor in BN_BLINDING. | |
202 | */ | |
203 | return BN_BLINDING_convert_ex(f, NULL, b, ctx); | |
90862ab4 | 204 | } else { |
0f113f3e MC |
205 | /* |
206 | * Shared blinding: store the unblinding factor outside BN_BLINDING. | |
207 | */ | |
208 | int ret; | |
0b1a07c8 AG |
209 | |
210 | BN_BLINDING_lock(b); | |
0f113f3e | 211 | ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); |
0b1a07c8 AG |
212 | BN_BLINDING_unlock(b); |
213 | ||
0f113f3e MC |
214 | return ret; |
215 | } | |
216 | } | |
e5641d7f BM |
217 | |
218 | static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, | |
0f113f3e MC |
219 | BN_CTX *ctx) |
220 | { | |
221 | /* | |
222 | * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex | |
223 | * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING | |
224 | * is shared between threads, unblind must be non-null: | |
225 | * BN_BLINDING_invert_ex will then use the local unblinding factor, and | |
226 | * will only read the modulus from BN_BLINDING. In both cases it's safe | |
227 | * to access the blinding without a lock. | |
228 | */ | |
229 | return BN_BLINDING_invert_ex(f, unblind, b, ctx); | |
230 | } | |
5679bcce | 231 | |
24cff6ce | 232 | /* signing */ |
bf160551 | 233 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, |
0f113f3e MC |
234 | unsigned char *to, RSA *rsa, int padding) |
235 | { | |
236 | BIGNUM *f, *ret, *res; | |
582ad5d4 | 237 | int i, num = 0, r = -1; |
0f113f3e MC |
238 | unsigned char *buf = NULL; |
239 | BN_CTX *ctx = NULL; | |
240 | int local_blinding = 0; | |
241 | /* | |
242 | * Used only if the blinding structure is shared. A non-NULL unblind | |
243 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
244 | * the unblinding factor outside the blinding structure. | |
245 | */ | |
246 | BIGNUM *unblind = NULL; | |
247 | BN_BLINDING *blinding = NULL; | |
248 | ||
249 | if ((ctx = BN_CTX_new()) == NULL) | |
250 | goto err; | |
251 | BN_CTX_start(ctx); | |
252 | f = BN_CTX_get(ctx); | |
253 | ret = BN_CTX_get(ctx); | |
254 | num = BN_num_bytes(rsa->n); | |
255 | buf = OPENSSL_malloc(num); | |
edea42c6 | 256 | if (ret == NULL || buf == NULL) { |
bf160551 | 257 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
258 | goto err; |
259 | } | |
260 | ||
261 | switch (padding) { | |
262 | case RSA_PKCS1_PADDING: | |
263 | i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); | |
264 | break; | |
265 | case RSA_X931_PADDING: | |
266 | i = RSA_padding_add_X931(buf, num, from, flen); | |
267 | break; | |
268 | case RSA_NO_PADDING: | |
269 | i = RSA_padding_add_none(buf, num, from, flen); | |
270 | break; | |
271 | case RSA_SSLV23_PADDING: | |
272 | default: | |
bf160551 | 273 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
274 | goto err; |
275 | } | |
276 | if (i <= 0) | |
277 | goto err; | |
278 | ||
279 | if (BN_bin2bn(buf, num, f) == NULL) | |
280 | goto err; | |
281 | ||
282 | if (BN_ucmp(f, rsa->n) >= 0) { | |
283 | /* usually the padding functions would catch this */ | |
bf160551 | 284 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, |
0f113f3e MC |
285 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
286 | goto err; | |
287 | } | |
288 | ||
2cc3f68c AP |
289 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) |
290 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, | |
291 | rsa->n, ctx)) | |
292 | goto err; | |
293 | ||
0f113f3e MC |
294 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { |
295 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
296 | if (blinding == NULL) { | |
bf160551 | 297 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
298 | goto err; |
299 | } | |
300 | } | |
301 | ||
302 | if (blinding != NULL) { | |
303 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { | |
bf160551 | 304 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
305 | goto err; |
306 | } | |
307 | if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
308 | goto err; | |
309 | } | |
310 | ||
311 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) || | |
665d899f | 312 | (rsa->version == RSA_ASN1_VERSION_MULTI) || |
0f113f3e MC |
313 | ((rsa->p != NULL) && |
314 | (rsa->q != NULL) && | |
315 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { | |
316 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | |
317 | goto err; | |
318 | } else { | |
5584f65a MC |
319 | BIGNUM *d = BN_new(); |
320 | if (d == NULL) { | |
321 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); | |
322 | goto err; | |
fd7d2520 | 323 | } |
7408f675 DO |
324 | if (rsa->d == NULL) { |
325 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY); | |
326 | BN_free(d); | |
327 | goto err; | |
328 | } | |
5584f65a | 329 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
0f113f3e | 330 | |
0f113f3e MC |
331 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, |
332 | rsa->_method_mod_n)) { | |
5584f65a | 333 | BN_free(d); |
0f113f3e MC |
334 | goto err; |
335 | } | |
5584f65a MC |
336 | /* We MUST free d before any further use of rsa->d */ |
337 | BN_free(d); | |
0f113f3e MC |
338 | } |
339 | ||
340 | if (blinding) | |
341 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | |
342 | goto err; | |
343 | ||
344 | if (padding == RSA_X931_PADDING) { | |
3d3cbce5 P |
345 | if (!BN_sub(f, rsa->n, ret)) |
346 | goto err; | |
0f113f3e MC |
347 | if (BN_cmp(ret, f) > 0) |
348 | res = f; | |
349 | else | |
350 | res = ret; | |
90862ab4 | 351 | } else { |
0f113f3e | 352 | res = ret; |
90862ab4 | 353 | } |
0f113f3e MC |
354 | |
355 | /* | |
582ad5d4 AP |
356 | * BN_bn2binpad puts in leading 0 bytes if the number is less than |
357 | * the length of the modulus. | |
0f113f3e | 358 | */ |
582ad5d4 | 359 | r = BN_bn2binpad(res, to, num); |
0f113f3e | 360 | err: |
ce1415ed | 361 | BN_CTX_end(ctx); |
23a1d5e9 | 362 | BN_CTX_free(ctx); |
4b45c6e5 | 363 | OPENSSL_clear_free(buf, num); |
8686c474 | 364 | return r; |
0f113f3e | 365 | } |
58964a49 | 366 | |
bf160551 | 367 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, |
0f113f3e MC |
368 | unsigned char *to, RSA *rsa, int padding) |
369 | { | |
370 | BIGNUM *f, *ret; | |
371 | int j, num = 0, r = -1; | |
0f113f3e MC |
372 | unsigned char *buf = NULL; |
373 | BN_CTX *ctx = NULL; | |
374 | int local_blinding = 0; | |
375 | /* | |
376 | * Used only if the blinding structure is shared. A non-NULL unblind | |
377 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store | |
378 | * the unblinding factor outside the blinding structure. | |
379 | */ | |
380 | BIGNUM *unblind = NULL; | |
381 | BN_BLINDING *blinding = NULL; | |
382 | ||
383 | if ((ctx = BN_CTX_new()) == NULL) | |
384 | goto err; | |
385 | BN_CTX_start(ctx); | |
386 | f = BN_CTX_get(ctx); | |
387 | ret = BN_CTX_get(ctx); | |
388 | num = BN_num_bytes(rsa->n); | |
389 | buf = OPENSSL_malloc(num); | |
edea42c6 | 390 | if (ret == NULL || buf == NULL) { |
bf160551 | 391 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
392 | goto err; |
393 | } | |
394 | ||
395 | /* | |
396 | * This check was for equality but PGP does evil things and chops off the | |
397 | * top '0' bytes | |
398 | */ | |
399 | if (flen > num) { | |
bf160551 | 400 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, |
0f113f3e MC |
401 | RSA_R_DATA_GREATER_THAN_MOD_LEN); |
402 | goto err; | |
403 | } | |
404 | ||
405 | /* make data into a big number */ | |
406 | if (BN_bin2bn(from, (int)flen, f) == NULL) | |
407 | goto err; | |
408 | ||
409 | if (BN_ucmp(f, rsa->n) >= 0) { | |
bf160551 | 410 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, |
0f113f3e MC |
411 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
412 | goto err; | |
413 | } | |
414 | ||
415 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { | |
416 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx); | |
417 | if (blinding == NULL) { | |
bf160551 | 418 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
419 | goto err; |
420 | } | |
421 | } | |
422 | ||
423 | if (blinding != NULL) { | |
424 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { | |
bf160551 | 425 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
426 | goto err; |
427 | } | |
428 | if (!rsa_blinding_convert(blinding, f, unblind, ctx)) | |
429 | goto err; | |
430 | } | |
431 | ||
432 | /* do the decrypt */ | |
433 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) || | |
665d899f | 434 | (rsa->version == RSA_ASN1_VERSION_MULTI) || |
0f113f3e MC |
435 | ((rsa->p != NULL) && |
436 | (rsa->q != NULL) && | |
437 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { | |
438 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | |
439 | goto err; | |
440 | } else { | |
5584f65a MC |
441 | BIGNUM *d = BN_new(); |
442 | if (d == NULL) { | |
443 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); | |
444 | goto err; | |
7408f675 DO |
445 | } |
446 | if (rsa->d == NULL) { | |
447 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY); | |
448 | BN_free(d); | |
449 | goto err; | |
fd7d2520 | 450 | } |
5584f65a | 451 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); |
0f113f3e MC |
452 | |
453 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
454 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
455 | rsa->n, ctx)) { | |
5584f65a | 456 | BN_free(d); |
0f113f3e MC |
457 | goto err; |
458 | } | |
459 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, | |
460 | rsa->_method_mod_n)) { | |
5584f65a | 461 | BN_free(d); |
0f113f3e MC |
462 | goto err; |
463 | } | |
5584f65a MC |
464 | /* We MUST free d before any further use of rsa->d */ |
465 | BN_free(d); | |
0f113f3e MC |
466 | } |
467 | ||
468 | if (blinding) | |
469 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) | |
470 | goto err; | |
471 | ||
582ad5d4 | 472 | j = BN_bn2binpad(ret, buf, num); |
4a3dd629 P |
473 | if (j < 0) |
474 | goto err; | |
0f113f3e MC |
475 | |
476 | switch (padding) { | |
477 | case RSA_PKCS1_PADDING: | |
478 | r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); | |
479 | break; | |
0f113f3e MC |
480 | case RSA_PKCS1_OAEP_PADDING: |
481 | r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); | |
482 | break; | |
0f113f3e MC |
483 | case RSA_SSLV23_PADDING: |
484 | r = RSA_padding_check_SSLv23(to, num, buf, j, num); | |
485 | break; | |
486 | case RSA_NO_PADDING: | |
582ad5d4 | 487 | memcpy(to, buf, (r = j)); |
0f113f3e MC |
488 | break; |
489 | default: | |
bf160551 | 490 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
491 | goto err; |
492 | } | |
89072e0c | 493 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); |
94dc53a3 | 494 | err_clear_last_constant_time(1 & ~constant_time_msb(r)); |
0f113f3e MC |
495 | |
496 | err: | |
ce1415ed | 497 | BN_CTX_end(ctx); |
23a1d5e9 | 498 | BN_CTX_free(ctx); |
4b45c6e5 | 499 | OPENSSL_clear_free(buf, num); |
8686c474 | 500 | return r; |
0f113f3e | 501 | } |
58964a49 | 502 | |
24cff6ce | 503 | /* signature verification */ |
bf160551 | 504 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, |
0f113f3e MC |
505 | unsigned char *to, RSA *rsa, int padding) |
506 | { | |
507 | BIGNUM *f, *ret; | |
508 | int i, num = 0, r = -1; | |
0f113f3e MC |
509 | unsigned char *buf = NULL; |
510 | BN_CTX *ctx = NULL; | |
511 | ||
512 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { | |
bf160551 | 513 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); |
0f113f3e MC |
514 | return -1; |
515 | } | |
516 | ||
517 | if (BN_ucmp(rsa->n, rsa->e) <= 0) { | |
bf160551 | 518 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
519 | return -1; |
520 | } | |
521 | ||
522 | /* for large moduli, enforce exponent limit */ | |
523 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { | |
524 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { | |
bf160551 | 525 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); |
0f113f3e MC |
526 | return -1; |
527 | } | |
528 | } | |
529 | ||
530 | if ((ctx = BN_CTX_new()) == NULL) | |
531 | goto err; | |
532 | BN_CTX_start(ctx); | |
533 | f = BN_CTX_get(ctx); | |
534 | ret = BN_CTX_get(ctx); | |
535 | num = BN_num_bytes(rsa->n); | |
536 | buf = OPENSSL_malloc(num); | |
edea42c6 | 537 | if (ret == NULL || buf == NULL) { |
bf160551 | 538 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
539 | goto err; |
540 | } | |
541 | ||
542 | /* | |
543 | * This check was for equality but PGP does evil things and chops off the | |
544 | * top '0' bytes | |
545 | */ | |
546 | if (flen > num) { | |
bf160551 | 547 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); |
0f113f3e MC |
548 | goto err; |
549 | } | |
550 | ||
551 | if (BN_bin2bn(from, flen, f) == NULL) | |
552 | goto err; | |
553 | ||
554 | if (BN_ucmp(f, rsa->n) >= 0) { | |
bf160551 | 555 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, |
0f113f3e MC |
556 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS); |
557 | goto err; | |
558 | } | |
559 | ||
560 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
561 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
562 | rsa->n, ctx)) | |
0f113f3e MC |
563 | goto err; |
564 | ||
565 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, | |
566 | rsa->_method_mod_n)) | |
567 | goto err; | |
568 | ||
569 | if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12)) | |
570 | if (!BN_sub(ret, rsa->n, ret)) | |
571 | goto err; | |
572 | ||
582ad5d4 | 573 | i = BN_bn2binpad(ret, buf, num); |
4a3dd629 P |
574 | if (i < 0) |
575 | goto err; | |
0f113f3e MC |
576 | |
577 | switch (padding) { | |
578 | case RSA_PKCS1_PADDING: | |
579 | r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); | |
580 | break; | |
581 | case RSA_X931_PADDING: | |
582 | r = RSA_padding_check_X931(to, num, buf, i, num); | |
583 | break; | |
584 | case RSA_NO_PADDING: | |
582ad5d4 | 585 | memcpy(to, buf, (r = i)); |
0f113f3e MC |
586 | break; |
587 | default: | |
bf160551 | 588 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); |
0f113f3e MC |
589 | goto err; |
590 | } | |
591 | if (r < 0) | |
bf160551 | 592 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); |
0f113f3e MC |
593 | |
594 | err: | |
ce1415ed | 595 | BN_CTX_end(ctx); |
23a1d5e9 | 596 | BN_CTX_free(ctx); |
4b45c6e5 | 597 | OPENSSL_clear_free(buf, num); |
8686c474 | 598 | return r; |
0f113f3e | 599 | } |
58964a49 | 600 | |
bf160551 | 601 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) |
0f113f3e | 602 | { |
a1471588 | 603 | BIGNUM *r1, *m1, *vrfy, *r2, *m[RSA_MAX_PRIME_NUM - 2]; |
41bfd5e7 | 604 | int ret = 0, i, ex_primes = 0, smooth = 0; |
665d899f | 605 | RSA_PRIME_INFO *pinfo; |
0f113f3e | 606 | |
c804d23d PC |
607 | BN_CTX_start(ctx); |
608 | ||
0f113f3e | 609 | r1 = BN_CTX_get(ctx); |
665d899f | 610 | r2 = BN_CTX_get(ctx); |
0f113f3e MC |
611 | m1 = BN_CTX_get(ctx); |
612 | vrfy = BN_CTX_get(ctx); | |
5625567f BE |
613 | if (vrfy == NULL) |
614 | goto err; | |
0f113f3e | 615 | |
665d899f | 616 | if (rsa->version == RSA_ASN1_VERSION_MULTI |
a1471588 BE |
617 | && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0 |
618 | || ex_primes > RSA_MAX_PRIME_NUM - 2)) | |
665d899f PY |
619 | goto err; |
620 | ||
41bfd5e7 AP |
621 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { |
622 | BIGNUM *factor = BN_new(); | |
623 | ||
624 | if (factor == NULL) | |
625 | goto err; | |
0f113f3e MC |
626 | |
627 | /* | |
0d4fb843 | 628 | * Make sure BN_mod_inverse in Montgomery initialization uses the |
5584f65a | 629 | * BN_FLG_CONSTTIME flag |
0f113f3e | 630 | */ |
41bfd5e7 AP |
631 | if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME), |
632 | BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock, | |
633 | factor, ctx)) | |
634 | || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME), | |
635 | BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock, | |
636 | factor, ctx))) { | |
637 | BN_free(factor); | |
5584f65a | 638 | goto err; |
0f113f3e | 639 | } |
41bfd5e7 AP |
640 | for (i = 0; i < ex_primes; i++) { |
641 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
642 | BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME); | |
643 | if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) { | |
644 | BN_free(factor); | |
0f113f3e MC |
645 | goto err; |
646 | } | |
647 | } | |
fd7d2520 | 648 | /* |
41bfd5e7 | 649 | * We MUST free |factor| before any further use of the prime factors |
fd7d2520 | 650 | */ |
41bfd5e7 AP |
651 | BN_free(factor); |
652 | ||
653 | smooth = (ex_primes == 0) | |
654 | && (rsa->meth->bn_mod_exp == BN_mod_exp_mont) | |
655 | && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p)); | |
0f113f3e MC |
656 | } |
657 | ||
658 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | |
41bfd5e7 AP |
659 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, |
660 | rsa->n, ctx)) | |
661 | goto err; | |
662 | ||
663 | if (smooth) { | |
664 | /* | |
665 | * Conversion from Montgomery domain, a.k.a. Montgomery reduction, | |
666 | * accepts values in [0-m*2^w) range. w is m's bit width rounded up | |
667 | * to limb width. So that at the very least if |I| is fully reduced, | |
668 | * i.e. less than p*q, we can count on from-to round to perform | |
669 | * below modulo operations on |I|. Unlike BN_mod it's constant time. | |
670 | */ | |
671 | if (/* m1 = I moq q */ | |
672 | !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx) | |
673 | || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx) | |
674 | /* m1 = m1^dmq1 mod q */ | |
675 | || !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx, | |
676 | rsa->_method_mod_q) | |
677 | /* r1 = I mod p */ | |
678 | || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx) | |
679 | || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) | |
680 | /* r1 = r1^dmp1 mod p */ | |
681 | || !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx, | |
682 | rsa->_method_mod_p) | |
683 | /* r1 = (r1 - m1) mod p */ | |
684 | /* | |
685 | * bn_mod_sub_fixed_top is not regular modular subtraction, | |
686 | * it can tolerate subtrahend to be larger than modulus, but | |
687 | * not bit-wise wider. This makes up for uncommon q>p case, | |
688 | * when |m1| can be larger than |rsa->p|. | |
689 | */ | |
690 | || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p) | |
691 | ||
d1c008f6 | 692 | /* r1 = r1 * iqmp mod p */ |
41bfd5e7 AP |
693 | || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) |
694 | || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, | |
695 | ctx) | |
d1c008f6 | 696 | /* r0 = r1 * q + m1 */ |
41bfd5e7 AP |
697 | || !bn_mul_fixed_top(r0, r1, rsa->q, ctx) |
698 | || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n)) | |
0f113f3e MC |
699 | goto err; |
700 | ||
41bfd5e7 AP |
701 | goto tail; |
702 | } | |
703 | ||
0f113f3e | 704 | /* compute I mod q */ |
fd7d2520 | 705 | { |
5584f65a MC |
706 | BIGNUM *c = BN_new(); |
707 | if (c == NULL) | |
708 | goto err; | |
709 | BN_with_flags(c, I, BN_FLG_CONSTTIME); | |
710 | ||
fd7d2520 | 711 | if (!BN_mod(r1, c, rsa->q, ctx)) { |
5584f65a | 712 | BN_free(c); |
0f113f3e | 713 | goto err; |
fd7d2520 | 714 | } |
0f113f3e | 715 | |
fd7d2520 | 716 | { |
5584f65a MC |
717 | BIGNUM *dmq1 = BN_new(); |
718 | if (dmq1 == NULL) { | |
719 | BN_free(c); | |
720 | goto err; | |
fd7d2520 | 721 | } |
5584f65a MC |
722 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); |
723 | ||
724 | /* compute r1^dmq1 mod q */ | |
fd7d2520 | 725 | if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, |
41bfd5e7 | 726 | rsa->_method_mod_q)) { |
5584f65a MC |
727 | BN_free(c); |
728 | BN_free(dmq1); | |
fd7d2520 MC |
729 | goto err; |
730 | } | |
5584f65a MC |
731 | /* We MUST free dmq1 before any further use of rsa->dmq1 */ |
732 | BN_free(dmq1); | |
fd7d2520 | 733 | } |
0f113f3e | 734 | |
fd7d2520 MC |
735 | /* compute I mod p */ |
736 | if (!BN_mod(r1, c, rsa->p, ctx)) { | |
5584f65a | 737 | BN_free(c); |
0f113f3e | 738 | goto err; |
fd7d2520 | 739 | } |
5584f65a MC |
740 | /* We MUST free c before any further use of I */ |
741 | BN_free(c); | |
0f113f3e MC |
742 | } |
743 | ||
fd7d2520 | 744 | { |
5584f65a MC |
745 | BIGNUM *dmp1 = BN_new(); |
746 | if (dmp1 == NULL) | |
747 | goto err; | |
748 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); | |
749 | ||
fd7d2520 | 750 | /* compute r1^dmp1 mod p */ |
fd7d2520 MC |
751 | if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, |
752 | rsa->_method_mod_p)) { | |
5584f65a | 753 | BN_free(dmp1); |
fd7d2520 MC |
754 | goto err; |
755 | } | |
5584f65a MC |
756 | /* We MUST free dmp1 before any further use of rsa->dmp1 */ |
757 | BN_free(dmp1); | |
fd7d2520 | 758 | } |
0f113f3e | 759 | |
665d899f PY |
760 | /* |
761 | * calculate m_i in multi-prime case | |
762 | * | |
763 | * TODO: | |
764 | * 1. squash the following two loops and calculate |m_i| there. | |
765 | * 2. remove cc and reuse |c|. | |
766 | * 3. remove |dmq1| and |dmp1| in previous block and use |di|. | |
767 | * | |
768 | * If these things are done, the code will be more readable. | |
769 | */ | |
770 | if (ex_primes > 0) { | |
771 | BIGNUM *di = BN_new(), *cc = BN_new(); | |
772 | ||
773 | if (cc == NULL || di == NULL) { | |
774 | BN_free(cc); | |
775 | BN_free(di); | |
776 | goto err; | |
777 | } | |
778 | ||
779 | for (i = 0; i < ex_primes; i++) { | |
780 | /* prepare m_i */ | |
781 | if ((m[i] = BN_CTX_get(ctx)) == NULL) { | |
782 | BN_free(cc); | |
783 | BN_free(di); | |
784 | goto err; | |
785 | } | |
786 | ||
787 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
788 | ||
789 | /* prepare c and d_i */ | |
790 | BN_with_flags(cc, I, BN_FLG_CONSTTIME); | |
791 | BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME); | |
792 | ||
793 | if (!BN_mod(r1, cc, pinfo->r, ctx)) { | |
794 | BN_free(cc); | |
795 | BN_free(di); | |
796 | goto err; | |
797 | } | |
798 | /* compute r1 ^ d_i mod r_i */ | |
799 | if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) { | |
800 | BN_free(cc); | |
801 | BN_free(di); | |
802 | goto err; | |
803 | } | |
804 | } | |
805 | ||
806 | BN_free(cc); | |
807 | BN_free(di); | |
808 | } | |
809 | ||
0f113f3e MC |
810 | if (!BN_sub(r0, r0, m1)) |
811 | goto err; | |
812 | /* | |
813 | * This will help stop the size of r0 increasing, which does affect the | |
814 | * multiply if it optimised for a power of 2 size | |
815 | */ | |
816 | if (BN_is_negative(r0)) | |
817 | if (!BN_add(r0, r0, rsa->p)) | |
818 | goto err; | |
819 | ||
820 | if (!BN_mul(r1, r0, rsa->iqmp, ctx)) | |
821 | goto err; | |
822 | ||
fd7d2520 | 823 | { |
5584f65a MC |
824 | BIGNUM *pr1 = BN_new(); |
825 | if (pr1 == NULL) | |
826 | goto err; | |
827 | BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); | |
828 | ||
fd7d2520 | 829 | if (!BN_mod(r0, pr1, rsa->p, ctx)) { |
5584f65a | 830 | BN_free(pr1); |
fd7d2520 MC |
831 | goto err; |
832 | } | |
5584f65a MC |
833 | /* We MUST free pr1 before any further use of r1 */ |
834 | BN_free(pr1); | |
fd7d2520 | 835 | } |
0f113f3e MC |
836 | |
837 | /* | |
838 | * If p < q it is occasionally possible for the correction of adding 'p' | |
839 | * if r0 is negative above to leave the result still negative. This can | |
840 | * break the private key operations: the following second correction | |
841 | * should *always* correct this rare occurrence. This will *never* happen | |
842 | * with OpenSSL generated keys because they ensure p > q [steve] | |
843 | */ | |
844 | if (BN_is_negative(r0)) | |
845 | if (!BN_add(r0, r0, rsa->p)) | |
846 | goto err; | |
847 | if (!BN_mul(r1, r0, rsa->q, ctx)) | |
848 | goto err; | |
849 | if (!BN_add(r0, r1, m1)) | |
850 | goto err; | |
851 | ||
665d899f PY |
852 | /* add m_i to m in multi-prime case */ |
853 | if (ex_primes > 0) { | |
854 | BIGNUM *pr2 = BN_new(); | |
855 | ||
856 | if (pr2 == NULL) | |
857 | goto err; | |
858 | ||
859 | for (i = 0; i < ex_primes; i++) { | |
860 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
861 | if (!BN_sub(r1, m[i], r0)) { | |
862 | BN_free(pr2); | |
863 | goto err; | |
864 | } | |
865 | ||
866 | if (!BN_mul(r2, r1, pinfo->t, ctx)) { | |
867 | BN_free(pr2); | |
868 | goto err; | |
869 | } | |
870 | ||
871 | BN_with_flags(pr2, r2, BN_FLG_CONSTTIME); | |
872 | ||
873 | if (!BN_mod(r1, pr2, pinfo->r, ctx)) { | |
874 | BN_free(pr2); | |
875 | goto err; | |
876 | } | |
877 | ||
878 | if (BN_is_negative(r1)) | |
879 | if (!BN_add(r1, r1, pinfo->r)) { | |
880 | BN_free(pr2); | |
881 | goto err; | |
882 | } | |
883 | if (!BN_mul(r1, r1, pinfo->pp, ctx)) { | |
884 | BN_free(pr2); | |
885 | goto err; | |
886 | } | |
887 | if (!BN_add(r0, r0, r1)) { | |
888 | BN_free(pr2); | |
889 | goto err; | |
890 | } | |
891 | } | |
892 | BN_free(pr2); | |
893 | } | |
894 | ||
41bfd5e7 | 895 | tail: |
0f113f3e | 896 | if (rsa->e && rsa->n) { |
41bfd5e7 AP |
897 | if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) { |
898 | if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx, | |
899 | rsa->_method_mod_n)) | |
900 | goto err; | |
901 | } else { | |
902 | bn_correct_top(r0); | |
903 | if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, | |
904 | rsa->_method_mod_n)) | |
905 | goto err; | |
906 | } | |
0f113f3e MC |
907 | /* |
908 | * If 'I' was greater than (or equal to) rsa->n, the operation will | |
909 | * be equivalent to using 'I mod n'. However, the result of the | |
910 | * verify will *always* be less than 'n' so we don't check for | |
911 | * absolute equality, just congruency. | |
912 | */ | |
913 | if (!BN_sub(vrfy, vrfy, I)) | |
914 | goto err; | |
41bfd5e7 AP |
915 | if (BN_is_zero(vrfy)) { |
916 | bn_correct_top(r0); | |
917 | ret = 1; | |
918 | goto err; /* not actually error */ | |
919 | } | |
0f113f3e MC |
920 | if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) |
921 | goto err; | |
922 | if (BN_is_negative(vrfy)) | |
923 | if (!BN_add(vrfy, vrfy, rsa->n)) | |
924 | goto err; | |
925 | if (!BN_is_zero(vrfy)) { | |
926 | /* | |
927 | * 'I' and 'vrfy' aren't congruent mod n. Don't leak | |
928 | * miscalculated CRT output, just do a raw (slower) mod_exp and | |
929 | * return that instead. | |
930 | */ | |
931 | ||
5584f65a MC |
932 | BIGNUM *d = BN_new(); |
933 | if (d == NULL) | |
934 | goto err; | |
935 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | |
0f113f3e | 936 | |
0f113f3e MC |
937 | if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, |
938 | rsa->_method_mod_n)) { | |
5584f65a | 939 | BN_free(d); |
0f113f3e MC |
940 | goto err; |
941 | } | |
5584f65a MC |
942 | /* We MUST free d before any further use of rsa->d */ |
943 | BN_free(d); | |
0f113f3e MC |
944 | } |
945 | } | |
41bfd5e7 AP |
946 | /* |
947 | * It's unfortunate that we have to bn_correct_top(r0). What hopefully | |
948 | * saves the day is that correction is highly unlike, and private key | |
949 | * operations are customarily performed on blinded message. Which means | |
950 | * that attacker won't observe correlation with chosen plaintext. | |
951 | * Secondly, remaining code would still handle it in same computational | |
952 | * time and even conceal memory access pattern around corrected top. | |
953 | */ | |
954 | bn_correct_top(r0); | |
0f113f3e MC |
955 | ret = 1; |
956 | err: | |
0f113f3e | 957 | BN_CTX_end(ctx); |
8686c474 | 958 | return ret; |
0f113f3e | 959 | } |
58964a49 | 960 | |
bf160551 | 961 | static int rsa_ossl_init(RSA *rsa) |
0f113f3e MC |
962 | { |
963 | rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; | |
8686c474 | 964 | return 1; |
0f113f3e | 965 | } |
58964a49 | 966 | |
bf160551 | 967 | static int rsa_ossl_finish(RSA *rsa) |
0f113f3e | 968 | { |
665d899f PY |
969 | int i; |
970 | RSA_PRIME_INFO *pinfo; | |
971 | ||
23a1d5e9 RS |
972 | BN_MONT_CTX_free(rsa->_method_mod_n); |
973 | BN_MONT_CTX_free(rsa->_method_mod_p); | |
974 | BN_MONT_CTX_free(rsa->_method_mod_q); | |
665d899f PY |
975 | for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) { |
976 | pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); | |
977 | BN_MONT_CTX_free(pinfo->m); | |
978 | } | |
8686c474 | 979 | return 1; |
0f113f3e | 980 | } |