1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libcrypto/src/crypto/rsa/rsa_eay.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,911 @@
1.4 +/* crypto/rsa/rsa_eay.c */
1.5 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1.6 + * All rights reserved.
1.7 + *
1.8 + * This package is an SSL implementation written
1.9 + * by Eric Young (eay@cryptsoft.com).
1.10 + * The implementation was written so as to conform with Netscapes SSL.
1.11 + *
1.12 + * This library is free for commercial and non-commercial use as long as
1.13 + * the following conditions are aheared to. The following conditions
1.14 + * apply to all code found in this distribution, be it the RC4, RSA,
1.15 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1.16 + * included with this distribution is covered by the same copyright terms
1.17 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1.18 + *
1.19 + * Copyright remains Eric Young's, and as such any Copyright notices in
1.20 + * the code are not to be removed.
1.21 + * If this package is used in a product, Eric Young should be given attribution
1.22 + * as the author of the parts of the library used.
1.23 + * This can be in the form of a textual message at program startup or
1.24 + * in documentation (online or textual) provided with the package.
1.25 + *
1.26 + * Redistribution and use in source and binary forms, with or without
1.27 + * modification, are permitted provided that the following conditions
1.28 + * are met:
1.29 + * 1. Redistributions of source code must retain the copyright
1.30 + * notice, this list of conditions and the following disclaimer.
1.31 + * 2. Redistributions in binary form must reproduce the above copyright
1.32 + * notice, this list of conditions and the following disclaimer in the
1.33 + * documentation and/or other materials provided with the distribution.
1.34 + * 3. All advertising materials mentioning features or use of this software
1.35 + * must display the following acknowledgement:
1.36 + * "This product includes cryptographic software written by
1.37 + * Eric Young (eay@cryptsoft.com)"
1.38 + * The word 'cryptographic' can be left out if the rouines from the library
1.39 + * being used are not cryptographic related :-).
1.40 + * 4. If you include any Windows specific code (or a derivative thereof) from
1.41 + * the apps directory (application code) you must include an acknowledgement:
1.42 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1.43 + *
1.44 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1.45 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.46 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1.47 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1.48 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1.49 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1.50 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.51 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1.52 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1.53 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1.54 + * SUCH DAMAGE.
1.55 + *
1.56 + * The licence and distribution terms for any publically available version or
1.57 + * derivative of this code cannot be changed. i.e. this code cannot simply be
1.58 + * copied and put under another distribution licence
1.59 + * [including the GNU Public Licence.]
1.60 + */
1.61 +/* ====================================================================
1.62 + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
1.63 + *
1.64 + * Redistribution and use in source and binary forms, with or without
1.65 + * modification, are permitted provided that the following conditions
1.66 + * are met:
1.67 + *
1.68 + * 1. Redistributions of source code must retain the above copyright
1.69 + * notice, this list of conditions and the following disclaimer.
1.70 + *
1.71 + * 2. Redistributions in binary form must reproduce the above copyright
1.72 + * notice, this list of conditions and the following disclaimer in
1.73 + * the documentation and/or other materials provided with the
1.74 + * distribution.
1.75 + *
1.76 + * 3. All advertising materials mentioning features or use of this
1.77 + * software must display the following acknowledgment:
1.78 + * "This product includes software developed by the OpenSSL Project
1.79 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1.80 + *
1.81 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.82 + * endorse or promote products derived from this software without
1.83 + * prior written permission. For written permission, please contact
1.84 + * openssl-core@openssl.org.
1.85 + *
1.86 + * 5. Products derived from this software may not be called "OpenSSL"
1.87 + * nor may "OpenSSL" appear in their names without prior written
1.88 + * permission of the OpenSSL Project.
1.89 + *
1.90 + * 6. Redistributions of any form whatsoever must retain the following
1.91 + * acknowledgment:
1.92 + * "This product includes software developed by the OpenSSL Project
1.93 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1.94 + *
1.95 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.96 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.97 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.98 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.99 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.100 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.101 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.102 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.103 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.104 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.105 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.106 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.107 + * ====================================================================
1.108 + *
1.109 + * This product includes cryptographic software written by Eric Young
1.110 + * (eay@cryptsoft.com). This product includes software written by Tim
1.111 + * Hudson (tjh@cryptsoft.com).
1.112 + *
1.113 + */
1.114 + /*
1.115 + © Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
1.116 + */
1.117 +
1.118 +
1.119 +#include <stdio.h>
1.120 +#include "cryptlib.h"
1.121 +#include <openssl/bn.h>
1.122 +#include <openssl/rsa.h>
1.123 +#include <openssl/rand.h>
1.124 +#if (defined(SYMBIAN) && (defined(__WINSCW__) || defined(__WINS__)))
1.125 +#include "libcrypto_wsd_macros.h"
1.126 +#include "libcrypto_wsd.h"
1.127 +#endif
1.128 +
1.129 +#ifndef RSA_NULL
1.130 +
1.131 +static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
1.132 + unsigned char *to, RSA *rsa,int padding);
1.133 +static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
1.134 + unsigned char *to, RSA *rsa,int padding);
1.135 +static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
1.136 + unsigned char *to, RSA *rsa,int padding);
1.137 +static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
1.138 + unsigned char *to, RSA *rsa,int padding);
1.139 +static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
1.140 +static int RSA_eay_init(RSA *rsa);
1.141 +static int RSA_eay_finish(RSA *rsa);
1.142 +
1.143 +#ifndef EMULATOR
1.144 +static RSA_METHOD rsa_pkcs1_eay_meth={
1.145 + "Eric Young's PKCS#1 RSA",
1.146 + RSA_eay_public_encrypt,
1.147 + RSA_eay_public_decrypt, /* signature verification */
1.148 + RSA_eay_private_encrypt, /* signing */
1.149 + RSA_eay_private_decrypt,
1.150 + RSA_eay_mod_exp,
1.151 + BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
1.152 + RSA_eay_init,
1.153 + RSA_eay_finish,
1.154 + 0, /* flags */
1.155 + NULL,
1.156 + 0, /* rsa_sign */
1.157 + 0, /* rsa_verify */
1.158 + NULL /* rsa_keygen */
1.159 + };
1.160 +#else
1.161 +GET_STATIC_VAR_FROM_TLS(rsa_pkcs1_eay_meth,rsa_eay,RSA_METHOD )
1.162 +#define rsa_pkcs1_eay_meth (*GET_WSD_VAR_NAME(rsa_pkcs1_eay_meth,rsa_eay,s)())
1.163 +const RSA_METHOD temp_s_rsa_pkcs1_eay_meth={
1.164 + "Eric Young's PKCS#1 RSA",
1.165 + RSA_eay_public_encrypt,
1.166 + RSA_eay_public_decrypt, /* signature verification */
1.167 + RSA_eay_private_encrypt, /* signing */
1.168 + RSA_eay_private_decrypt,
1.169 + RSA_eay_mod_exp,
1.170 + BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
1.171 + RSA_eay_init,
1.172 + RSA_eay_finish,
1.173 + 0, /* flags */
1.174 + NULL,
1.175 + 0, /* rsa_sign */
1.176 + 0, /* rsa_verify */
1.177 + NULL /* rsa_keygen */
1.178 + };
1.179 +
1.180 +#endif
1.181 +EXPORT_C const RSA_METHOD *RSA_PKCS1_SSLeay(void)
1.182 + {
1.183 + return(&rsa_pkcs1_eay_meth);
1.184 + }
1.185 +
1.186 +/* Usage example;
1.187 + * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
1.188 + */
1.189 +#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
1.190 + if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
1.191 + !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \
1.192 + CRYPTO_LOCK_RSA, \
1.193 + (rsa)->m, (ctx))) \
1.194 + err_instr
1.195 +
1.196 +static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
1.197 + unsigned char *to, RSA *rsa, int padding)
1.198 + {
1.199 + BIGNUM *f,*ret;
1.200 + int i,j,k,num=0,r= -1;
1.201 + unsigned char *buf=NULL;
1.202 + BN_CTX *ctx=NULL;
1.203 + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
1.204 + {
1.205 + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
1.206 + return -1;
1.207 + }
1.208 +
1.209 + if (BN_ucmp(rsa->n, rsa->e) <= 0)
1.210 + {
1.211 + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
1.212 + return -1;
1.213 + }
1.214 +
1.215 + /* for large moduli, enforce exponent limit */
1.216 + if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
1.217 + {
1.218 + if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
1.219 + {
1.220 + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
1.221 + return -1;
1.222 + }
1.223 + }
1.224 +
1.225 +
1.226 + if ((ctx=BN_CTX_new()) == NULL) goto err;
1.227 + BN_CTX_start(ctx);
1.228 + f = BN_CTX_get(ctx);
1.229 + ret = BN_CTX_get(ctx);
1.230 + num=BN_num_bytes(rsa->n);
1.231 + buf = OPENSSL_malloc(num);
1.232 + if (!f || !ret || !buf)
1.233 + {
1.234 + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
1.235 + goto err;
1.236 + }
1.237 +
1.238 + switch (padding)
1.239 + {
1.240 + case RSA_PKCS1_PADDING:
1.241 + i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
1.242 + break;
1.243 +#ifndef OPENSSL_NO_SHA
1.244 + case RSA_PKCS1_OAEP_PADDING:
1.245 + i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
1.246 + break;
1.247 +#endif
1.248 + case RSA_SSLV23_PADDING:
1.249 + i=RSA_padding_add_SSLv23(buf,num,from,flen);
1.250 + break;
1.251 + case RSA_NO_PADDING:
1.252 + i=RSA_padding_add_none(buf,num,from,flen);
1.253 + break;
1.254 + default:
1.255 + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
1.256 + goto err;
1.257 + }
1.258 + if (i <= 0) goto err;
1.259 +
1.260 + if (BN_bin2bn(buf,num,f) == NULL) goto err;
1.261 +
1.262 + if (BN_ucmp(f, rsa->n) >= 0)
1.263 + {
1.264 + /* usually the padding functions would catch this */
1.265 + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
1.266 + goto err;
1.267 + }
1.268 +
1.269 + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
1.270 +
1.271 + if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
1.272 + rsa->_method_mod_n)) goto err;
1.273 +
1.274 + /* put in leading 0 bytes if the number is less than the
1.275 + * length of the modulus */
1.276 + j=BN_num_bytes(ret);
1.277 + i=BN_bn2bin(ret,&(to[num-j]));
1.278 + for (k=0; k<(num-i); k++)
1.279 + to[k]=0;
1.280 +
1.281 + r=num;
1.282 +err:
1.283 + if (ctx != NULL)
1.284 + {
1.285 + BN_CTX_end(ctx);
1.286 + BN_CTX_free(ctx);
1.287 + }
1.288 + if (buf != NULL)
1.289 + {
1.290 + OPENSSL_cleanse(buf,num);
1.291 + OPENSSL_free(buf);
1.292 + }
1.293 + return(r);
1.294 + }
1.295 +
1.296 +static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
1.297 +{
1.298 + BN_BLINDING *ret;
1.299 + int got_write_lock = 0;
1.300 +
1.301 + CRYPTO_r_lock(CRYPTO_LOCK_RSA);
1.302 +
1.303 + if (rsa->blinding == NULL)
1.304 + {
1.305 + CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
1.306 + CRYPTO_w_lock(CRYPTO_LOCK_RSA);
1.307 + got_write_lock = 1;
1.308 +
1.309 + if (rsa->blinding == NULL)
1.310 + rsa->blinding = RSA_setup_blinding(rsa, ctx);
1.311 + }
1.312 +
1.313 + ret = rsa->blinding;
1.314 + if (ret == NULL)
1.315 + goto err;
1.316 +
1.317 + if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id())
1.318 + {
1.319 + /* rsa->blinding is ours! */
1.320 +
1.321 + *local = 1;
1.322 + }
1.323 + else
1.324 + {
1.325 + /* resort to rsa->mt_blinding instead */
1.326 +
1.327 + *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
1.328 + * that the BN_BLINDING is shared, meaning that accesses
1.329 + * require locks, and that the blinding factor must be
1.330 + * stored outside the BN_BLINDING
1.331 + */
1.332 +
1.333 + if (rsa->mt_blinding == NULL)
1.334 + {
1.335 + if (!got_write_lock)
1.336 + {
1.337 + CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
1.338 + CRYPTO_w_lock(CRYPTO_LOCK_RSA);
1.339 + got_write_lock = 1;
1.340 + }
1.341 +
1.342 + if (rsa->mt_blinding == NULL)
1.343 + rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
1.344 + }
1.345 + ret = rsa->mt_blinding;
1.346 + }
1.347 +
1.348 + err:
1.349 + if (got_write_lock)
1.350 + CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
1.351 + else
1.352 + CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
1.353 + return ret;
1.354 +}
1.355 +
1.356 +
1.357 +static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
1.358 + BIGNUM *r, BN_CTX *ctx)
1.359 +{
1.360 + if (local)
1.361 + return BN_BLINDING_convert_ex(f, NULL, b, ctx);
1.362 + else
1.363 + {
1.364 + int ret;
1.365 + CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
1.366 + ret = BN_BLINDING_convert_ex(f, r, b, ctx);
1.367 + CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
1.368 + return ret;
1.369 + }
1.370 +}
1.371 +
1.372 +static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
1.373 + BIGNUM *r, BN_CTX *ctx)
1.374 +{
1.375 + if (local)
1.376 + return BN_BLINDING_invert_ex(f, NULL, b, ctx);
1.377 + else
1.378 + {
1.379 + int ret;
1.380 + CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
1.381 + ret = BN_BLINDING_invert_ex(f, r, b, ctx);
1.382 + CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
1.383 + return ret;
1.384 + }
1.385 +}
1.386 +
1.387 +/* signing */
1.388 +static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
1.389 + unsigned char *to, RSA *rsa, int padding)
1.390 + {
1.391 + BIGNUM *f, *ret, *br, *res;
1.392 + int i,j,k,num=0,r= -1;
1.393 + unsigned char *buf=NULL;
1.394 + BN_CTX *ctx=NULL;
1.395 + int local_blinding = 0;
1.396 + BN_BLINDING *blinding = NULL;
1.397 +
1.398 + if ((ctx=BN_CTX_new()) == NULL) goto err;
1.399 + BN_CTX_start(ctx);
1.400 + f = BN_CTX_get(ctx);
1.401 + br = BN_CTX_get(ctx);
1.402 + ret = BN_CTX_get(ctx);
1.403 + num = BN_num_bytes(rsa->n);
1.404 + buf = OPENSSL_malloc(num);
1.405 + if(!f || !ret || !buf)
1.406 + {
1.407 + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
1.408 + goto err;
1.409 + }
1.410 +
1.411 + switch (padding)
1.412 + {
1.413 + case RSA_PKCS1_PADDING:
1.414 + i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
1.415 + break;
1.416 + case RSA_X931_PADDING:
1.417 + i=RSA_padding_add_X931(buf,num,from,flen);
1.418 + break;
1.419 + case RSA_NO_PADDING:
1.420 + i=RSA_padding_add_none(buf,num,from,flen);
1.421 + break;
1.422 + case RSA_SSLV23_PADDING:
1.423 + default:
1.424 + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
1.425 + goto err;
1.426 + }
1.427 + if (i <= 0) goto err;
1.428 +
1.429 + if (BN_bin2bn(buf,num,f) == NULL) goto err;
1.430 +
1.431 + if (BN_ucmp(f, rsa->n) >= 0)
1.432 + {
1.433 + /* usually the padding functions would catch this */
1.434 + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
1.435 + goto err;
1.436 + }
1.437 +
1.438 + if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
1.439 + {
1.440 + blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
1.441 +
1.442 + if (blinding == NULL)
1.443 + {
1.444 + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
1.445 + goto err;
1.446 + }
1.447 + }
1.448 +
1.449 + if (blinding != NULL)
1.450 + if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
1.451 + goto err;
1.452 +
1.453 + if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
1.454 + ((rsa->p != NULL) &&
1.455 + (rsa->q != NULL) &&
1.456 + (rsa->dmp1 != NULL) &&
1.457 + (rsa->dmq1 != NULL) &&
1.458 + (rsa->iqmp != NULL)) )
1.459 + {
1.460 + if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
1.461 + }
1.462 + else
1.463 + {
1.464 + BIGNUM local_d;
1.465 + BIGNUM *d = NULL;
1.466 +
1.467 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.468 + {
1.469 + BN_init(&local_d);
1.470 + d = &local_d;
1.471 + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
1.472 + }
1.473 + else
1.474 + d = rsa->d;
1.475 +
1.476 + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
1.477 +
1.478 + if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
1.479 + rsa->_method_mod_n)) goto err;
1.480 + }
1.481 +
1.482 + if (blinding)
1.483 + if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
1.484 + goto err;
1.485 +
1.486 + if (padding == RSA_X931_PADDING)
1.487 + {
1.488 + BN_sub(f, rsa->n, ret);
1.489 + if (BN_cmp(ret, f))
1.490 + res = f;
1.491 + else
1.492 + res = ret;
1.493 + }
1.494 + else
1.495 + res = ret;
1.496 +
1.497 + /* put in leading 0 bytes if the number is less than the
1.498 + * length of the modulus */
1.499 + j=BN_num_bytes(res);
1.500 + i=BN_bn2bin(res,&(to[num-j]));
1.501 + for (k=0; k<(num-i); k++)
1.502 + to[k]=0;
1.503 +
1.504 + r=num;
1.505 +err:
1.506 + if (ctx != NULL)
1.507 + {
1.508 + BN_CTX_end(ctx);
1.509 + BN_CTX_free(ctx);
1.510 + }
1.511 + if (buf != NULL)
1.512 + {
1.513 + OPENSSL_cleanse(buf,num);
1.514 + OPENSSL_free(buf);
1.515 + }
1.516 + return(r);
1.517 + }
1.518 +
1.519 +static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
1.520 + unsigned char *to, RSA *rsa, int padding)
1.521 + {
1.522 + BIGNUM *f, *ret, *br;
1.523 + int j,num=0,r= -1;
1.524 + unsigned char *p;
1.525 + unsigned char *buf=NULL;
1.526 + BN_CTX *ctx=NULL;
1.527 + int local_blinding = 0;
1.528 + BN_BLINDING *blinding = NULL;
1.529 +
1.530 + if((ctx = BN_CTX_new()) == NULL) goto err;
1.531 + BN_CTX_start(ctx);
1.532 + f = BN_CTX_get(ctx);
1.533 + br = BN_CTX_get(ctx);
1.534 + ret = BN_CTX_get(ctx);
1.535 + num = BN_num_bytes(rsa->n);
1.536 + buf = OPENSSL_malloc(num);
1.537 + if(!f || !ret || !buf)
1.538 + {
1.539 + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
1.540 + goto err;
1.541 + }
1.542 +
1.543 + /* This check was for equality but PGP does evil things
1.544 + * and chops off the top '0' bytes */
1.545 + if (flen > num)
1.546 + {
1.547 + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
1.548 + goto err;
1.549 + }
1.550 +
1.551 + /* make data into a big number */
1.552 + if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
1.553 +
1.554 + if (BN_ucmp(f, rsa->n) >= 0)
1.555 + {
1.556 + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
1.557 + goto err;
1.558 + }
1.559 +
1.560 + if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
1.561 + {
1.562 + blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
1.563 + if (blinding == NULL)
1.564 + {
1.565 + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
1.566 + goto err;
1.567 + }
1.568 + }
1.569 +
1.570 + if (blinding != NULL)
1.571 + if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
1.572 + goto err;
1.573 +
1.574 + /* do the decrypt */
1.575 + if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
1.576 + ((rsa->p != NULL) &&
1.577 + (rsa->q != NULL) &&
1.578 + (rsa->dmp1 != NULL) &&
1.579 + (rsa->dmq1 != NULL) &&
1.580 + (rsa->iqmp != NULL)) )
1.581 + {
1.582 + if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
1.583 + }
1.584 + else
1.585 + {
1.586 + BIGNUM local_d;
1.587 + BIGNUM *d = NULL;
1.588 +
1.589 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.590 + {
1.591 + d = &local_d;
1.592 + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
1.593 + }
1.594 + else
1.595 + d = rsa->d;
1.596 +
1.597 + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
1.598 + if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
1.599 + rsa->_method_mod_n))
1.600 + goto err;
1.601 + }
1.602 +
1.603 + if (blinding)
1.604 + if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
1.605 + goto err;
1.606 +
1.607 + p=buf;
1.608 + j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
1.609 +
1.610 + switch (padding)
1.611 + {
1.612 + case RSA_PKCS1_PADDING:
1.613 + r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
1.614 + break;
1.615 +#ifndef OPENSSL_NO_SHA
1.616 + case RSA_PKCS1_OAEP_PADDING:
1.617 + r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
1.618 + break;
1.619 +#endif
1.620 + case RSA_SSLV23_PADDING:
1.621 + r=RSA_padding_check_SSLv23(to,num,buf,j,num);
1.622 + break;
1.623 + case RSA_NO_PADDING:
1.624 + r=RSA_padding_check_none(to,num,buf,j,num);
1.625 + break;
1.626 + default:
1.627 + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
1.628 + goto err;
1.629 + }
1.630 + if (r < 0)
1.631 + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
1.632 +
1.633 +err:
1.634 + if (ctx != NULL)
1.635 + {
1.636 + BN_CTX_end(ctx);
1.637 + BN_CTX_free(ctx);
1.638 + }
1.639 + if (buf != NULL)
1.640 + {
1.641 + OPENSSL_cleanse(buf,num);
1.642 + OPENSSL_free(buf);
1.643 + }
1.644 + return(r);
1.645 + }
1.646 +
1.647 +/* signature verification */
1.648 +static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
1.649 + unsigned char *to, RSA *rsa, int padding)
1.650 + {
1.651 + BIGNUM *f,*ret;
1.652 + int i,num=0,r= -1;
1.653 + unsigned char *p;
1.654 + unsigned char *buf=NULL;
1.655 + BN_CTX *ctx=NULL;
1.656 + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
1.657 + {
1.658 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
1.659 + return -1;
1.660 + }
1.661 +
1.662 + if (BN_ucmp(rsa->n, rsa->e) <= 0)
1.663 + {
1.664 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
1.665 + return -1;
1.666 + }
1.667 +
1.668 + /* for large moduli, enforce exponent limit */
1.669 + if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
1.670 + {
1.671 + if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
1.672 + {
1.673 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
1.674 + return -1;
1.675 + }
1.676 + }
1.677 + if((ctx = BN_CTX_new()) == NULL) goto err;
1.678 + BN_CTX_start(ctx);
1.679 + f = BN_CTX_get(ctx);
1.680 + ret = BN_CTX_get(ctx);
1.681 + num=BN_num_bytes(rsa->n);
1.682 + buf = OPENSSL_malloc(num);
1.683 + if(!f || !ret || !buf)
1.684 + {
1.685 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
1.686 + goto err;
1.687 + }
1.688 +
1.689 + /* This check was for equality but PGP does evil things
1.690 + * and chops off the top '0' bytes */
1.691 + if (flen > num)
1.692 + {
1.693 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
1.694 + goto err;
1.695 + }
1.696 +
1.697 + if (BN_bin2bn(from,flen,f) == NULL) goto err;
1.698 +
1.699 + if (BN_ucmp(f, rsa->n) >= 0)
1.700 + {
1.701 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
1.702 + goto err;
1.703 + }
1.704 +
1.705 + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
1.706 +
1.707 + if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
1.708 + rsa->_method_mod_n)) goto err;
1.709 +
1.710 + if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
1.711 + BN_sub(ret, rsa->n, ret);
1.712 +
1.713 + p=buf;
1.714 + i=BN_bn2bin(ret,p);
1.715 +
1.716 + switch (padding)
1.717 + {
1.718 + case RSA_PKCS1_PADDING:
1.719 + r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
1.720 + break;
1.721 + case RSA_X931_PADDING:
1.722 + r=RSA_padding_check_X931(to,num,buf,i,num);
1.723 + break;
1.724 + case RSA_NO_PADDING:
1.725 + r=RSA_padding_check_none(to,num,buf,i,num);
1.726 + break;
1.727 + default:
1.728 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
1.729 + goto err;
1.730 + }
1.731 + if (r < 0)
1.732 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
1.733 +
1.734 +err:
1.735 + if (ctx != NULL)
1.736 + {
1.737 + BN_CTX_end(ctx);
1.738 + BN_CTX_free(ctx);
1.739 + }
1.740 + if (buf != NULL)
1.741 + {
1.742 + OPENSSL_cleanse(buf,num);
1.743 + OPENSSL_free(buf);
1.744 + }
1.745 + return(r);
1.746 + }
1.747 +
1.748 +static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
1.749 + {
1.750 + BIGNUM *r1,*m1,*vrfy;
1.751 + BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
1.752 + BIGNUM *dmp1,*dmq1,*c,*pr1;
1.753 + int bn_flags;
1.754 + int ret=0;
1.755 +
1.756 + BN_CTX_start(ctx);
1.757 + r1 = BN_CTX_get(ctx);
1.758 + m1 = BN_CTX_get(ctx);
1.759 + vrfy = BN_CTX_get(ctx);
1.760 +
1.761 + /* Make sure mod_inverse in montgomerey intialization use correct
1.762 + * BN_FLG_CONSTTIME flag.
1.763 + */
1.764 + bn_flags = rsa->p->flags;
1.765 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.766 + {
1.767 + rsa->p->flags |= BN_FLG_CONSTTIME;
1.768 + }
1.769 + MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
1.770 + /* We restore bn_flags back */
1.771 + rsa->p->flags = bn_flags;
1.772 +
1.773 + /* Make sure mod_inverse in montgomerey intialization use correct
1.774 + * BN_FLG_CONSTTIME flag.
1.775 + */
1.776 + bn_flags = rsa->q->flags;
1.777 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.778 + {
1.779 + rsa->q->flags |= BN_FLG_CONSTTIME;
1.780 + }
1.781 + MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
1.782 + /* We restore bn_flags back */
1.783 + rsa->q->flags = bn_flags;
1.784 + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
1.785 +
1.786 + /* compute I mod q */
1.787 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.788 + {
1.789 + c = &local_c;
1.790 + BN_with_flags(c, I, BN_FLG_CONSTTIME);
1.791 + if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
1.792 + }
1.793 + else
1.794 + {
1.795 + if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
1.796 + }
1.797 + /* compute r1^dmq1 mod q */
1.798 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.799 + {
1.800 + dmq1 = &local_dmq1;
1.801 + BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
1.802 + }
1.803 + else
1.804 + dmq1 = rsa->dmq1;
1.805 + if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
1.806 + rsa->_method_mod_q)) goto err;
1.807 +
1.808 + /* compute I mod p */
1.809 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.810 + {
1.811 + c = &local_c;
1.812 + BN_with_flags(c, I, BN_FLG_CONSTTIME);
1.813 + if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
1.814 + }
1.815 + else
1.816 + {
1.817 + if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
1.818 + }
1.819 + /* compute r1^dmp1 mod p */
1.820 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.821 + {
1.822 + dmp1 = &local_dmp1;
1.823 + BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
1.824 + }
1.825 + else
1.826 + dmp1 = rsa->dmp1;
1.827 + if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
1.828 + rsa->_method_mod_p)) goto err;
1.829 +
1.830 + if (!BN_sub(r0,r0,m1)) goto err;
1.831 + /* This will help stop the size of r0 increasing, which does
1.832 + * affect the multiply if it optimised for a power of 2 size */
1.833 + if (BN_is_negative(r0))
1.834 + if (!BN_add(r0,r0,rsa->p)) goto err;
1.835 +
1.836 + if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
1.837 +
1.838 + /* Turn BN_FLG_CONSTTIME flag on before division operation */
1.839 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.840 + {
1.841 + pr1 = &local_r1;
1.842 + BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
1.843 + }
1.844 + else
1.845 + pr1 = r1;
1.846 + if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
1.847 +
1.848 + /* If p < q it is occasionally possible for the correction of
1.849 + * adding 'p' if r0 is negative above to leave the result still
1.850 + * negative. This can break the private key operations: the following
1.851 + * second correction should *always* correct this rare occurrence.
1.852 + * This will *never* happen with OpenSSL generated keys because
1.853 + * they ensure p > q [steve]
1.854 + */
1.855 + if (BN_is_negative(r0))
1.856 + if (!BN_add(r0,r0,rsa->p)) goto err;
1.857 + if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
1.858 + if (!BN_add(r0,r1,m1)) goto err;
1.859 +
1.860 + if (rsa->e && rsa->n)
1.861 + {
1.862 + if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
1.863 + /* If 'I' was greater than (or equal to) rsa->n, the operation
1.864 + * will be equivalent to using 'I mod n'. However, the result of
1.865 + * the verify will *always* be less than 'n' so we don't check
1.866 + * for absolute equality, just congruency. */
1.867 + if (!BN_sub(vrfy, vrfy, I)) goto err;
1.868 + if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
1.869 + if (BN_is_negative(vrfy))
1.870 + if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
1.871 + if (!BN_is_zero(vrfy))
1.872 + {
1.873 + /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
1.874 + * miscalculated CRT output, just do a raw (slower)
1.875 + * mod_exp and return that instead. */
1.876 +
1.877 + BIGNUM local_d;
1.878 + BIGNUM *d = NULL;
1.879 +
1.880 + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
1.881 + {
1.882 + d = &local_d;
1.883 + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
1.884 + }
1.885 + else
1.886 + d = rsa->d;
1.887 + if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
1.888 + rsa->_method_mod_n)) goto err;
1.889 + }
1.890 + }
1.891 + ret=1;
1.892 +err:
1.893 + BN_CTX_end(ctx);
1.894 + return(ret);
1.895 + }
1.896 +
1.897 +static int RSA_eay_init(RSA *rsa)
1.898 + {
1.899 + rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
1.900 + return(1);
1.901 + }
1.902 +
1.903 +static int RSA_eay_finish(RSA *rsa)
1.904 + {
1.905 + if (rsa->_method_mod_n != NULL)
1.906 + BN_MONT_CTX_free(rsa->_method_mod_n);
1.907 + if (rsa->_method_mod_p != NULL)
1.908 + BN_MONT_CTX_free(rsa->_method_mod_p);
1.909 + if (rsa->_method_mod_q != NULL)
1.910 + BN_MONT_CTX_free(rsa->_method_mod_q);
1.911 + return(1);
1.912 + }
1.913 +
1.914 +#endif