[331] | 1 | /*
|
---|
| 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include "internal/cryptlib.h"
|
---|
| 11 | #include "internal/bn_int.h"
|
---|
| 12 | #include "rsa_locl.h"
|
---|
| 13 |
|
---|
| 14 | #ifndef RSA_NULL
|
---|
| 15 |
|
---|
| 16 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
|
---|
| 17 | unsigned char *to, RSA *rsa, int padding);
|
---|
| 18 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
|
---|
| 19 | unsigned char *to, RSA *rsa, int padding);
|
---|
| 20 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
|
---|
| 21 | unsigned char *to, RSA *rsa, int padding);
|
---|
| 22 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
---|
| 23 | unsigned char *to, RSA *rsa, int padding);
|
---|
| 24 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
|
---|
| 25 | BN_CTX *ctx);
|
---|
| 26 | static int rsa_ossl_init(RSA *rsa);
|
---|
| 27 | static int rsa_ossl_finish(RSA *rsa);
|
---|
| 28 | static RSA_METHOD rsa_pkcs1_ossl_meth = {
|
---|
| 29 | "OpenSSL PKCS#1 RSA (from Eric Young)",
|
---|
| 30 | rsa_ossl_public_encrypt,
|
---|
| 31 | rsa_ossl_public_decrypt, /* signature verification */
|
---|
| 32 | rsa_ossl_private_encrypt, /* signing */
|
---|
| 33 | rsa_ossl_private_decrypt,
|
---|
| 34 | rsa_ossl_mod_exp,
|
---|
| 35 | BN_mod_exp_mont, /* XXX probably we should not use Montgomery
|
---|
| 36 | * if e == 3 */
|
---|
| 37 | rsa_ossl_init,
|
---|
| 38 | rsa_ossl_finish,
|
---|
| 39 | RSA_FLAG_FIPS_METHOD, /* flags */
|
---|
| 40 | NULL,
|
---|
| 41 | 0, /* rsa_sign */
|
---|
| 42 | 0, /* rsa_verify */
|
---|
| 43 | NULL /* rsa_keygen */
|
---|
| 44 | };
|
---|
| 45 |
|
---|
| 46 | const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
|
---|
| 47 | {
|
---|
| 48 | return &rsa_pkcs1_ossl_meth;
|
---|
| 49 | }
|
---|
| 50 |
|
---|
| 51 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
|
---|
| 52 | unsigned char *to, RSA *rsa, int padding)
|
---|
| 53 | {
|
---|
| 54 | BIGNUM *f, *ret;
|
---|
| 55 | int i, j, k, num = 0, r = -1;
|
---|
| 56 | unsigned char *buf = NULL;
|
---|
| 57 | BN_CTX *ctx = NULL;
|
---|
| 58 |
|
---|
| 59 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
|
---|
| 60 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
|
---|
| 61 | return -1;
|
---|
| 62 | }
|
---|
| 63 |
|
---|
| 64 | if (BN_ucmp(rsa->n, rsa->e) <= 0) {
|
---|
| 65 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
---|
| 66 | return -1;
|
---|
| 67 | }
|
---|
| 68 |
|
---|
| 69 | /* for large moduli, enforce exponent limit */
|
---|
| 70 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
|
---|
| 71 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
|
---|
| 72 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
---|
| 73 | return -1;
|
---|
| 74 | }
|
---|
| 75 | }
|
---|
| 76 |
|
---|
| 77 | if ((ctx = BN_CTX_new()) == NULL)
|
---|
| 78 | goto err;
|
---|
| 79 | BN_CTX_start(ctx);
|
---|
| 80 | f = BN_CTX_get(ctx);
|
---|
| 81 | ret = BN_CTX_get(ctx);
|
---|
| 82 | num = BN_num_bytes(rsa->n);
|
---|
| 83 | buf = OPENSSL_malloc(num);
|
---|
| 84 | if (f == NULL || ret == NULL || buf == NULL) {
|
---|
| 85 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
|
---|
| 86 | goto err;
|
---|
| 87 | }
|
---|
| 88 |
|
---|
| 89 | switch (padding) {
|
---|
| 90 | case RSA_PKCS1_PADDING:
|
---|
| 91 | i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
|
---|
| 92 | break;
|
---|
| 93 | case RSA_PKCS1_OAEP_PADDING:
|
---|
| 94 | i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
|
---|
| 95 | break;
|
---|
| 96 | case RSA_SSLV23_PADDING:
|
---|
| 97 | i = RSA_padding_add_SSLv23(buf, num, from, flen);
|
---|
| 98 | break;
|
---|
| 99 | case RSA_NO_PADDING:
|
---|
| 100 | i = RSA_padding_add_none(buf, num, from, flen);
|
---|
| 101 | break;
|
---|
| 102 | default:
|
---|
| 103 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
---|
| 104 | goto err;
|
---|
| 105 | }
|
---|
| 106 | if (i <= 0)
|
---|
| 107 | goto err;
|
---|
| 108 |
|
---|
| 109 | if (BN_bin2bn(buf, num, f) == NULL)
|
---|
| 110 | goto err;
|
---|
| 111 |
|
---|
| 112 | if (BN_ucmp(f, rsa->n) >= 0) {
|
---|
| 113 | /* usually the padding functions would catch this */
|
---|
| 114 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT,
|
---|
| 115 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
---|
| 116 | goto err;
|
---|
| 117 | }
|
---|
| 118 |
|
---|
| 119 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
| 120 | if (!BN_MONT_CTX_set_locked
|
---|
| 121 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
|
---|
| 122 | goto err;
|
---|
| 123 |
|
---|
| 124 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
|
---|
| 125 | rsa->_method_mod_n))
|
---|
| 126 | goto err;
|
---|
| 127 |
|
---|
| 128 | /*
|
---|
| 129 | * put in leading 0 bytes if the number is less than the length of the
|
---|
| 130 | * modulus
|
---|
| 131 | */
|
---|
| 132 | j = BN_num_bytes(ret);
|
---|
| 133 | i = BN_bn2bin(ret, &(to[num - j]));
|
---|
| 134 | for (k = 0; k < (num - i); k++)
|
---|
| 135 | to[k] = 0;
|
---|
| 136 |
|
---|
| 137 | r = num;
|
---|
| 138 | err:
|
---|
| 139 | if (ctx != NULL)
|
---|
| 140 | BN_CTX_end(ctx);
|
---|
| 141 | BN_CTX_free(ctx);
|
---|
| 142 | OPENSSL_clear_free(buf, num);
|
---|
| 143 | return (r);
|
---|
| 144 | }
|
---|
| 145 |
|
---|
| 146 | static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
|
---|
| 147 | {
|
---|
| 148 | BN_BLINDING *ret;
|
---|
| 149 |
|
---|
| 150 | CRYPTO_THREAD_write_lock(rsa->lock);
|
---|
| 151 |
|
---|
| 152 | if (rsa->blinding == NULL) {
|
---|
| 153 | rsa->blinding = RSA_setup_blinding(rsa, ctx);
|
---|
| 154 | }
|
---|
| 155 |
|
---|
| 156 | ret = rsa->blinding;
|
---|
| 157 | if (ret == NULL)
|
---|
| 158 | goto err;
|
---|
| 159 |
|
---|
| 160 | if (BN_BLINDING_is_current_thread(ret)) {
|
---|
| 161 | /* rsa->blinding is ours! */
|
---|
| 162 |
|
---|
| 163 | *local = 1;
|
---|
| 164 | } else {
|
---|
| 165 | /* resort to rsa->mt_blinding instead */
|
---|
| 166 |
|
---|
| 167 | /*
|
---|
| 168 | * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
|
---|
| 169 | * BN_BLINDING is shared, meaning that accesses require locks, and
|
---|
| 170 | * that the blinding factor must be stored outside the BN_BLINDING
|
---|
| 171 | */
|
---|
| 172 | *local = 0;
|
---|
| 173 |
|
---|
| 174 | if (rsa->mt_blinding == NULL) {
|
---|
| 175 | rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
|
---|
| 176 | }
|
---|
| 177 | ret = rsa->mt_blinding;
|
---|
| 178 | }
|
---|
| 179 |
|
---|
| 180 | err:
|
---|
| 181 | CRYPTO_THREAD_unlock(rsa->lock);
|
---|
| 182 | return ret;
|
---|
| 183 | }
|
---|
| 184 |
|
---|
| 185 | static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
|
---|
| 186 | BN_CTX *ctx)
|
---|
| 187 | {
|
---|
| 188 | if (unblind == NULL)
|
---|
| 189 | /*
|
---|
| 190 | * Local blinding: store the unblinding factor in BN_BLINDING.
|
---|
| 191 | */
|
---|
| 192 | return BN_BLINDING_convert_ex(f, NULL, b, ctx);
|
---|
| 193 | else {
|
---|
| 194 | /*
|
---|
| 195 | * Shared blinding: store the unblinding factor outside BN_BLINDING.
|
---|
| 196 | */
|
---|
| 197 | int ret;
|
---|
| 198 |
|
---|
| 199 | BN_BLINDING_lock(b);
|
---|
| 200 | ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
|
---|
| 201 | BN_BLINDING_unlock(b);
|
---|
| 202 |
|
---|
| 203 | return ret;
|
---|
| 204 | }
|
---|
| 205 | }
|
---|
| 206 |
|
---|
| 207 | static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
|
---|
| 208 | BN_CTX *ctx)
|
---|
| 209 | {
|
---|
| 210 | /*
|
---|
| 211 | * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
|
---|
| 212 | * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
|
---|
| 213 | * is shared between threads, unblind must be non-null:
|
---|
| 214 | * BN_BLINDING_invert_ex will then use the local unblinding factor, and
|
---|
| 215 | * will only read the modulus from BN_BLINDING. In both cases it's safe
|
---|
| 216 | * to access the blinding without a lock.
|
---|
| 217 | */
|
---|
| 218 | return BN_BLINDING_invert_ex(f, unblind, b, ctx);
|
---|
| 219 | }
|
---|
| 220 |
|
---|
| 221 | /* signing */
|
---|
| 222 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
|
---|
| 223 | unsigned char *to, RSA *rsa, int padding)
|
---|
| 224 | {
|
---|
| 225 | BIGNUM *f, *ret, *res;
|
---|
| 226 | int i, j, k, num = 0, r = -1;
|
---|
| 227 | unsigned char *buf = NULL;
|
---|
| 228 | BN_CTX *ctx = NULL;
|
---|
| 229 | int local_blinding = 0;
|
---|
| 230 | /*
|
---|
| 231 | * Used only if the blinding structure is shared. A non-NULL unblind
|
---|
| 232 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
|
---|
| 233 | * the unblinding factor outside the blinding structure.
|
---|
| 234 | */
|
---|
| 235 | BIGNUM *unblind = NULL;
|
---|
| 236 | BN_BLINDING *blinding = NULL;
|
---|
| 237 |
|
---|
| 238 | if ((ctx = BN_CTX_new()) == NULL)
|
---|
| 239 | goto err;
|
---|
| 240 | BN_CTX_start(ctx);
|
---|
| 241 | f = BN_CTX_get(ctx);
|
---|
| 242 | ret = BN_CTX_get(ctx);
|
---|
| 243 | num = BN_num_bytes(rsa->n);
|
---|
| 244 | buf = OPENSSL_malloc(num);
|
---|
| 245 | if (f == NULL || ret == NULL || buf == NULL) {
|
---|
| 246 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
|
---|
| 247 | goto err;
|
---|
| 248 | }
|
---|
| 249 |
|
---|
| 250 | switch (padding) {
|
---|
| 251 | case RSA_PKCS1_PADDING:
|
---|
| 252 | i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
|
---|
| 253 | break;
|
---|
| 254 | case RSA_X931_PADDING:
|
---|
| 255 | i = RSA_padding_add_X931(buf, num, from, flen);
|
---|
| 256 | break;
|
---|
| 257 | case RSA_NO_PADDING:
|
---|
| 258 | i = RSA_padding_add_none(buf, num, from, flen);
|
---|
| 259 | break;
|
---|
| 260 | case RSA_SSLV23_PADDING:
|
---|
| 261 | default:
|
---|
| 262 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
---|
| 263 | goto err;
|
---|
| 264 | }
|
---|
| 265 | if (i <= 0)
|
---|
| 266 | goto err;
|
---|
| 267 |
|
---|
| 268 | if (BN_bin2bn(buf, num, f) == NULL)
|
---|
| 269 | goto err;
|
---|
| 270 |
|
---|
| 271 | if (BN_ucmp(f, rsa->n) >= 0) {
|
---|
| 272 | /* usually the padding functions would catch this */
|
---|
| 273 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
|
---|
| 274 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
---|
| 275 | goto err;
|
---|
| 276 | }
|
---|
| 277 |
|
---|
| 278 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
|
---|
| 279 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
|
---|
| 280 | if (blinding == NULL) {
|
---|
| 281 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
|
---|
| 282 | goto err;
|
---|
| 283 | }
|
---|
| 284 | }
|
---|
| 285 |
|
---|
| 286 | if (blinding != NULL) {
|
---|
| 287 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
|
---|
| 288 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
|
---|
| 289 | goto err;
|
---|
| 290 | }
|
---|
| 291 | if (!rsa_blinding_convert(blinding, f, unblind, ctx))
|
---|
| 292 | goto err;
|
---|
| 293 | }
|
---|
| 294 |
|
---|
| 295 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
|
---|
| 296 | ((rsa->p != NULL) &&
|
---|
| 297 | (rsa->q != NULL) &&
|
---|
| 298 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
|
---|
| 299 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
|
---|
| 300 | goto err;
|
---|
| 301 | } else {
|
---|
| 302 | BIGNUM *d = BN_new();
|
---|
| 303 | if (d == NULL) {
|
---|
| 304 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
|
---|
| 305 | goto err;
|
---|
| 306 | }
|
---|
| 307 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
---|
| 308 |
|
---|
| 309 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
| 310 | if (!BN_MONT_CTX_set_locked
|
---|
| 311 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
|
---|
| 312 | BN_free(d);
|
---|
| 313 | goto err;
|
---|
| 314 | }
|
---|
| 315 |
|
---|
| 316 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
|
---|
| 317 | rsa->_method_mod_n)) {
|
---|
| 318 | BN_free(d);
|
---|
| 319 | goto err;
|
---|
| 320 | }
|
---|
| 321 | /* We MUST free d before any further use of rsa->d */
|
---|
| 322 | BN_free(d);
|
---|
| 323 | }
|
---|
| 324 |
|
---|
| 325 | if (blinding)
|
---|
| 326 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
---|
| 327 | goto err;
|
---|
| 328 |
|
---|
| 329 | if (padding == RSA_X931_PADDING) {
|
---|
| 330 | BN_sub(f, rsa->n, ret);
|
---|
| 331 | if (BN_cmp(ret, f) > 0)
|
---|
| 332 | res = f;
|
---|
| 333 | else
|
---|
| 334 | res = ret;
|
---|
| 335 | } else
|
---|
| 336 | res = ret;
|
---|
| 337 |
|
---|
| 338 | /*
|
---|
| 339 | * put in leading 0 bytes if the number is less than the length of the
|
---|
| 340 | * modulus
|
---|
| 341 | */
|
---|
| 342 | j = BN_num_bytes(res);
|
---|
| 343 | i = BN_bn2bin(res, &(to[num - j]));
|
---|
| 344 | for (k = 0; k < (num - i); k++)
|
---|
| 345 | to[k] = 0;
|
---|
| 346 |
|
---|
| 347 | r = num;
|
---|
| 348 | err:
|
---|
| 349 | if (ctx != NULL)
|
---|
| 350 | BN_CTX_end(ctx);
|
---|
| 351 | BN_CTX_free(ctx);
|
---|
| 352 | OPENSSL_clear_free(buf, num);
|
---|
| 353 | return (r);
|
---|
| 354 | }
|
---|
| 355 |
|
---|
| 356 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
---|
| 357 | unsigned char *to, RSA *rsa, int padding)
|
---|
| 358 | {
|
---|
| 359 | BIGNUM *f, *ret;
|
---|
| 360 | int j, num = 0, r = -1;
|
---|
| 361 | unsigned char *p;
|
---|
| 362 | unsigned char *buf = NULL;
|
---|
| 363 | BN_CTX *ctx = NULL;
|
---|
| 364 | int local_blinding = 0;
|
---|
| 365 | /*
|
---|
| 366 | * Used only if the blinding structure is shared. A non-NULL unblind
|
---|
| 367 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
|
---|
| 368 | * the unblinding factor outside the blinding structure.
|
---|
| 369 | */
|
---|
| 370 | BIGNUM *unblind = NULL;
|
---|
| 371 | BN_BLINDING *blinding = NULL;
|
---|
| 372 |
|
---|
| 373 | if ((ctx = BN_CTX_new()) == NULL)
|
---|
| 374 | goto err;
|
---|
| 375 | BN_CTX_start(ctx);
|
---|
| 376 | f = BN_CTX_get(ctx);
|
---|
| 377 | ret = BN_CTX_get(ctx);
|
---|
| 378 | num = BN_num_bytes(rsa->n);
|
---|
| 379 | buf = OPENSSL_malloc(num);
|
---|
| 380 | if (f == NULL || ret == NULL || buf == NULL) {
|
---|
| 381 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
|
---|
| 382 | goto err;
|
---|
| 383 | }
|
---|
| 384 |
|
---|
| 385 | /*
|
---|
| 386 | * This check was for equality but PGP does evil things and chops off the
|
---|
| 387 | * top '0' bytes
|
---|
| 388 | */
|
---|
| 389 | if (flen > num) {
|
---|
| 390 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
|
---|
| 391 | RSA_R_DATA_GREATER_THAN_MOD_LEN);
|
---|
| 392 | goto err;
|
---|
| 393 | }
|
---|
| 394 |
|
---|
| 395 | /* make data into a big number */
|
---|
| 396 | if (BN_bin2bn(from, (int)flen, f) == NULL)
|
---|
| 397 | goto err;
|
---|
| 398 |
|
---|
| 399 | if (BN_ucmp(f, rsa->n) >= 0) {
|
---|
| 400 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
|
---|
| 401 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
---|
| 402 | goto err;
|
---|
| 403 | }
|
---|
| 404 |
|
---|
| 405 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
|
---|
| 406 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
|
---|
| 407 | if (blinding == NULL) {
|
---|
| 408 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
|
---|
| 409 | goto err;
|
---|
| 410 | }
|
---|
| 411 | }
|
---|
| 412 |
|
---|
| 413 | if (blinding != NULL) {
|
---|
| 414 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
|
---|
| 415 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
|
---|
| 416 | goto err;
|
---|
| 417 | }
|
---|
| 418 | if (!rsa_blinding_convert(blinding, f, unblind, ctx))
|
---|
| 419 | goto err;
|
---|
| 420 | }
|
---|
| 421 |
|
---|
| 422 | /* do the decrypt */
|
---|
| 423 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
|
---|
| 424 | ((rsa->p != NULL) &&
|
---|
| 425 | (rsa->q != NULL) &&
|
---|
| 426 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
|
---|
| 427 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
|
---|
| 428 | goto err;
|
---|
| 429 | } else {
|
---|
| 430 | BIGNUM *d = BN_new();
|
---|
| 431 | if (d == NULL) {
|
---|
| 432 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
|
---|
| 433 | goto err;
|
---|
| 434 | }
|
---|
| 435 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
---|
| 436 |
|
---|
| 437 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
| 438 | if (!BN_MONT_CTX_set_locked
|
---|
| 439 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
|
---|
| 440 | BN_free(d);
|
---|
| 441 | goto err;
|
---|
| 442 | }
|
---|
| 443 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
|
---|
| 444 | rsa->_method_mod_n)) {
|
---|
| 445 | BN_free(d);
|
---|
| 446 | goto err;
|
---|
| 447 | }
|
---|
| 448 | /* We MUST free d before any further use of rsa->d */
|
---|
| 449 | BN_free(d);
|
---|
| 450 | }
|
---|
| 451 |
|
---|
| 452 | if (blinding)
|
---|
| 453 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
---|
| 454 | goto err;
|
---|
| 455 |
|
---|
| 456 | p = buf;
|
---|
| 457 | j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
|
---|
| 458 |
|
---|
| 459 | switch (padding) {
|
---|
| 460 | case RSA_PKCS1_PADDING:
|
---|
| 461 | r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
|
---|
| 462 | break;
|
---|
| 463 | case RSA_PKCS1_OAEP_PADDING:
|
---|
| 464 | r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
|
---|
| 465 | break;
|
---|
| 466 | case RSA_SSLV23_PADDING:
|
---|
| 467 | r = RSA_padding_check_SSLv23(to, num, buf, j, num);
|
---|
| 468 | break;
|
---|
| 469 | case RSA_NO_PADDING:
|
---|
| 470 | r = RSA_padding_check_none(to, num, buf, j, num);
|
---|
| 471 | break;
|
---|
| 472 | default:
|
---|
| 473 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
---|
| 474 | goto err;
|
---|
| 475 | }
|
---|
| 476 | if (r < 0)
|
---|
| 477 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
|
---|
| 478 |
|
---|
| 479 | err:
|
---|
| 480 | if (ctx != NULL)
|
---|
| 481 | BN_CTX_end(ctx);
|
---|
| 482 | BN_CTX_free(ctx);
|
---|
| 483 | OPENSSL_clear_free(buf, num);
|
---|
| 484 | return (r);
|
---|
| 485 | }
|
---|
| 486 |
|
---|
| 487 | /* signature verification */
|
---|
| 488 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
|
---|
| 489 | unsigned char *to, RSA *rsa, int padding)
|
---|
| 490 | {
|
---|
| 491 | BIGNUM *f, *ret;
|
---|
| 492 | int i, num = 0, r = -1;
|
---|
| 493 | unsigned char *p;
|
---|
| 494 | unsigned char *buf = NULL;
|
---|
| 495 | BN_CTX *ctx = NULL;
|
---|
| 496 |
|
---|
| 497 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
|
---|
| 498 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
|
---|
| 499 | return -1;
|
---|
| 500 | }
|
---|
| 501 |
|
---|
| 502 | if (BN_ucmp(rsa->n, rsa->e) <= 0) {
|
---|
| 503 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
---|
| 504 | return -1;
|
---|
| 505 | }
|
---|
| 506 |
|
---|
| 507 | /* for large moduli, enforce exponent limit */
|
---|
| 508 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
|
---|
| 509 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
|
---|
| 510 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
---|
| 511 | return -1;
|
---|
| 512 | }
|
---|
| 513 | }
|
---|
| 514 |
|
---|
| 515 | if ((ctx = BN_CTX_new()) == NULL)
|
---|
| 516 | goto err;
|
---|
| 517 | BN_CTX_start(ctx);
|
---|
| 518 | f = BN_CTX_get(ctx);
|
---|
| 519 | ret = BN_CTX_get(ctx);
|
---|
| 520 | num = BN_num_bytes(rsa->n);
|
---|
| 521 | buf = OPENSSL_malloc(num);
|
---|
| 522 | if (f == NULL || ret == NULL || buf == NULL) {
|
---|
| 523 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
|
---|
| 524 | goto err;
|
---|
| 525 | }
|
---|
| 526 |
|
---|
| 527 | /*
|
---|
| 528 | * This check was for equality but PGP does evil things and chops off the
|
---|
| 529 | * top '0' bytes
|
---|
| 530 | */
|
---|
| 531 | if (flen > num) {
|
---|
| 532 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
|
---|
| 533 | goto err;
|
---|
| 534 | }
|
---|
| 535 |
|
---|
| 536 | if (BN_bin2bn(from, flen, f) == NULL)
|
---|
| 537 | goto err;
|
---|
| 538 |
|
---|
| 539 | if (BN_ucmp(f, rsa->n) >= 0) {
|
---|
| 540 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT,
|
---|
| 541 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
---|
| 542 | goto err;
|
---|
| 543 | }
|
---|
| 544 |
|
---|
| 545 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
| 546 | if (!BN_MONT_CTX_set_locked
|
---|
| 547 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
|
---|
| 548 | goto err;
|
---|
| 549 |
|
---|
| 550 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
|
---|
| 551 | rsa->_method_mod_n))
|
---|
| 552 | goto err;
|
---|
| 553 |
|
---|
| 554 | if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
|
---|
| 555 | if (!BN_sub(ret, rsa->n, ret))
|
---|
| 556 | goto err;
|
---|
| 557 |
|
---|
| 558 | p = buf;
|
---|
| 559 | i = BN_bn2bin(ret, p);
|
---|
| 560 |
|
---|
| 561 | switch (padding) {
|
---|
| 562 | case RSA_PKCS1_PADDING:
|
---|
| 563 | r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
|
---|
| 564 | break;
|
---|
| 565 | case RSA_X931_PADDING:
|
---|
| 566 | r = RSA_padding_check_X931(to, num, buf, i, num);
|
---|
| 567 | break;
|
---|
| 568 | case RSA_NO_PADDING:
|
---|
| 569 | r = RSA_padding_check_none(to, num, buf, i, num);
|
---|
| 570 | break;
|
---|
| 571 | default:
|
---|
| 572 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
---|
| 573 | goto err;
|
---|
| 574 | }
|
---|
| 575 | if (r < 0)
|
---|
| 576 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
|
---|
| 577 |
|
---|
| 578 | err:
|
---|
| 579 | if (ctx != NULL)
|
---|
| 580 | BN_CTX_end(ctx);
|
---|
| 581 | BN_CTX_free(ctx);
|
---|
| 582 | OPENSSL_clear_free(buf, num);
|
---|
| 583 | return (r);
|
---|
| 584 | }
|
---|
| 585 |
|
---|
| 586 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
---|
| 587 | {
|
---|
| 588 | BIGNUM *r1, *m1, *vrfy;
|
---|
| 589 | int ret = 0;
|
---|
| 590 |
|
---|
| 591 | BN_CTX_start(ctx);
|
---|
| 592 |
|
---|
| 593 | r1 = BN_CTX_get(ctx);
|
---|
| 594 | m1 = BN_CTX_get(ctx);
|
---|
| 595 | vrfy = BN_CTX_get(ctx);
|
---|
| 596 |
|
---|
| 597 | {
|
---|
| 598 | BIGNUM *p = BN_new(), *q = BN_new();
|
---|
| 599 |
|
---|
| 600 | /*
|
---|
| 601 | * Make sure BN_mod_inverse in Montgomery initialization uses the
|
---|
| 602 | * BN_FLG_CONSTTIME flag
|
---|
| 603 | */
|
---|
| 604 | if (p == NULL || q == NULL) {
|
---|
| 605 | BN_free(p);
|
---|
| 606 | BN_free(q);
|
---|
| 607 | goto err;
|
---|
| 608 | }
|
---|
| 609 | BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
|
---|
| 610 | BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
|
---|
| 611 |
|
---|
| 612 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
|
---|
| 613 | if (!BN_MONT_CTX_set_locked
|
---|
| 614 | (&rsa->_method_mod_p, rsa->lock, p, ctx)
|
---|
| 615 | || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
|
---|
| 616 | rsa->lock, q, ctx)) {
|
---|
| 617 | BN_free(p);
|
---|
| 618 | BN_free(q);
|
---|
| 619 | goto err;
|
---|
| 620 | }
|
---|
| 621 | }
|
---|
| 622 | /*
|
---|
| 623 | * We MUST free p and q before any further use of rsa->p and rsa->q
|
---|
| 624 | */
|
---|
| 625 | BN_free(p);
|
---|
| 626 | BN_free(q);
|
---|
| 627 | }
|
---|
| 628 |
|
---|
| 629 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
| 630 | if (!BN_MONT_CTX_set_locked
|
---|
| 631 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
|
---|
| 632 | goto err;
|
---|
| 633 |
|
---|
| 634 | /* compute I mod q */
|
---|
| 635 | {
|
---|
| 636 | BIGNUM *c = BN_new();
|
---|
| 637 | if (c == NULL)
|
---|
| 638 | goto err;
|
---|
| 639 | BN_with_flags(c, I, BN_FLG_CONSTTIME);
|
---|
| 640 |
|
---|
| 641 | if (!BN_mod(r1, c, rsa->q, ctx)) {
|
---|
| 642 | BN_free(c);
|
---|
| 643 | goto err;
|
---|
| 644 | }
|
---|
| 645 |
|
---|
| 646 | {
|
---|
| 647 | BIGNUM *dmq1 = BN_new();
|
---|
| 648 | if (dmq1 == NULL) {
|
---|
| 649 | BN_free(c);
|
---|
| 650 | goto err;
|
---|
| 651 | }
|
---|
| 652 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
|
---|
| 653 |
|
---|
| 654 | /* compute r1^dmq1 mod q */
|
---|
| 655 | if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
|
---|
| 656 | rsa->_method_mod_q)) {
|
---|
| 657 | BN_free(c);
|
---|
| 658 | BN_free(dmq1);
|
---|
| 659 | goto err;
|
---|
| 660 | }
|
---|
| 661 | /* We MUST free dmq1 before any further use of rsa->dmq1 */
|
---|
| 662 | BN_free(dmq1);
|
---|
| 663 | }
|
---|
| 664 |
|
---|
| 665 | /* compute I mod p */
|
---|
| 666 | if (!BN_mod(r1, c, rsa->p, ctx)) {
|
---|
| 667 | BN_free(c);
|
---|
| 668 | goto err;
|
---|
| 669 | }
|
---|
| 670 | /* We MUST free c before any further use of I */
|
---|
| 671 | BN_free(c);
|
---|
| 672 | }
|
---|
| 673 |
|
---|
| 674 | {
|
---|
| 675 | BIGNUM *dmp1 = BN_new();
|
---|
| 676 | if (dmp1 == NULL)
|
---|
| 677 | goto err;
|
---|
| 678 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
|
---|
| 679 |
|
---|
| 680 | /* compute r1^dmp1 mod p */
|
---|
| 681 | if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
|
---|
| 682 | rsa->_method_mod_p)) {
|
---|
| 683 | BN_free(dmp1);
|
---|
| 684 | goto err;
|
---|
| 685 | }
|
---|
| 686 | /* We MUST free dmp1 before any further use of rsa->dmp1 */
|
---|
| 687 | BN_free(dmp1);
|
---|
| 688 | }
|
---|
| 689 |
|
---|
| 690 | if (!BN_sub(r0, r0, m1))
|
---|
| 691 | goto err;
|
---|
| 692 | /*
|
---|
| 693 | * This will help stop the size of r0 increasing, which does affect the
|
---|
| 694 | * multiply if it optimised for a power of 2 size
|
---|
| 695 | */
|
---|
| 696 | if (BN_is_negative(r0))
|
---|
| 697 | if (!BN_add(r0, r0, rsa->p))
|
---|
| 698 | goto err;
|
---|
| 699 |
|
---|
| 700 | if (!BN_mul(r1, r0, rsa->iqmp, ctx))
|
---|
| 701 | goto err;
|
---|
| 702 |
|
---|
| 703 | {
|
---|
| 704 | BIGNUM *pr1 = BN_new();
|
---|
| 705 | if (pr1 == NULL)
|
---|
| 706 | goto err;
|
---|
| 707 | BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
|
---|
| 708 |
|
---|
| 709 | if (!BN_mod(r0, pr1, rsa->p, ctx)) {
|
---|
| 710 | BN_free(pr1);
|
---|
| 711 | goto err;
|
---|
| 712 | }
|
---|
| 713 | /* We MUST free pr1 before any further use of r1 */
|
---|
| 714 | BN_free(pr1);
|
---|
| 715 | }
|
---|
| 716 |
|
---|
| 717 | /*
|
---|
| 718 | * If p < q it is occasionally possible for the correction of adding 'p'
|
---|
| 719 | * if r0 is negative above to leave the result still negative. This can
|
---|
| 720 | * break the private key operations: the following second correction
|
---|
| 721 | * should *always* correct this rare occurrence. This will *never* happen
|
---|
| 722 | * with OpenSSL generated keys because they ensure p > q [steve]
|
---|
| 723 | */
|
---|
| 724 | if (BN_is_negative(r0))
|
---|
| 725 | if (!BN_add(r0, r0, rsa->p))
|
---|
| 726 | goto err;
|
---|
| 727 | if (!BN_mul(r1, r0, rsa->q, ctx))
|
---|
| 728 | goto err;
|
---|
| 729 | if (!BN_add(r0, r1, m1))
|
---|
| 730 | goto err;
|
---|
| 731 |
|
---|
| 732 | if (rsa->e && rsa->n) {
|
---|
| 733 | if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
|
---|
| 734 | rsa->_method_mod_n))
|
---|
| 735 | goto err;
|
---|
| 736 | /*
|
---|
| 737 | * If 'I' was greater than (or equal to) rsa->n, the operation will
|
---|
| 738 | * be equivalent to using 'I mod n'. However, the result of the
|
---|
| 739 | * verify will *always* be less than 'n' so we don't check for
|
---|
| 740 | * absolute equality, just congruency.
|
---|
| 741 | */
|
---|
| 742 | if (!BN_sub(vrfy, vrfy, I))
|
---|
| 743 | goto err;
|
---|
| 744 | if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
|
---|
| 745 | goto err;
|
---|
| 746 | if (BN_is_negative(vrfy))
|
---|
| 747 | if (!BN_add(vrfy, vrfy, rsa->n))
|
---|
| 748 | goto err;
|
---|
| 749 | if (!BN_is_zero(vrfy)) {
|
---|
| 750 | /*
|
---|
| 751 | * 'I' and 'vrfy' aren't congruent mod n. Don't leak
|
---|
| 752 | * miscalculated CRT output, just do a raw (slower) mod_exp and
|
---|
| 753 | * return that instead.
|
---|
| 754 | */
|
---|
| 755 |
|
---|
| 756 | BIGNUM *d = BN_new();
|
---|
| 757 | if (d == NULL)
|
---|
| 758 | goto err;
|
---|
| 759 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
---|
| 760 |
|
---|
| 761 | if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
|
---|
| 762 | rsa->_method_mod_n)) {
|
---|
| 763 | BN_free(d);
|
---|
| 764 | goto err;
|
---|
| 765 | }
|
---|
| 766 | /* We MUST free d before any further use of rsa->d */
|
---|
| 767 | BN_free(d);
|
---|
| 768 | }
|
---|
| 769 | }
|
---|
| 770 | ret = 1;
|
---|
| 771 | err:
|
---|
| 772 | BN_CTX_end(ctx);
|
---|
| 773 | return (ret);
|
---|
| 774 | }
|
---|
| 775 |
|
---|
| 776 | static int rsa_ossl_init(RSA *rsa)
|
---|
| 777 | {
|
---|
| 778 | rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
|
---|
| 779 | return (1);
|
---|
| 780 | }
|
---|
| 781 |
|
---|
| 782 | static int rsa_ossl_finish(RSA *rsa)
|
---|
| 783 | {
|
---|
| 784 | BN_MONT_CTX_free(rsa->_method_mod_n);
|
---|
| 785 | BN_MONT_CTX_free(rsa->_method_mod_p);
|
---|
| 786 | BN_MONT_CTX_free(rsa->_method_mod_q);
|
---|
| 787 | return (1);
|
---|
| 788 | }
|
---|
| 789 |
|
---|
| 790 | #endif
|
---|