source: EcnlProtoTool/trunk/openssl-1.1.0e/crypto/rsa/rsa_ossl.c@ 331

Last change on this file since 331 was 331, checked in by coas-nagasima, 6 years ago

prototoolに関連するプロジェクトをnewlibからmuslを使うよう変更・更新
ntshellをnewlibの下位の実装から、muslのsyscallの実装に変更・更新
以下のOSSをアップデート
・mruby-1.3.0
・musl-1.1.18
・onigmo-6.1.3
・tcc-0.9.27
以下のOSSを追加
・openssl-1.1.0e
・curl-7.57.0
・zlib-1.2.11
以下のmrbgemsを追加
・iij/mruby-digest
・iij/mruby-env
・iij/mruby-errno
・iij/mruby-iijson
・iij/mruby-ipaddr
・iij/mruby-mock
・iij/mruby-require
・iij/mruby-tls-openssl
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc
File size: 22.7 KB
Line 
1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include "internal/cryptlib.h"
11#include "internal/bn_int.h"
12#include "rsa_locl.h"
13
14#ifndef RSA_NULL
15
16static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
17 unsigned char *to, RSA *rsa, int padding);
18static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
19 unsigned char *to, RSA *rsa, int padding);
20static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
21 unsigned char *to, RSA *rsa, int padding);
22static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
23 unsigned char *to, RSA *rsa, int padding);
24static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
25 BN_CTX *ctx);
26static int rsa_ossl_init(RSA *rsa);
27static int rsa_ossl_finish(RSA *rsa);
28static RSA_METHOD rsa_pkcs1_ossl_meth = {
29 "OpenSSL PKCS#1 RSA (from Eric Young)",
30 rsa_ossl_public_encrypt,
31 rsa_ossl_public_decrypt, /* signature verification */
32 rsa_ossl_private_encrypt, /* signing */
33 rsa_ossl_private_decrypt,
34 rsa_ossl_mod_exp,
35 BN_mod_exp_mont, /* XXX probably we should not use Montgomery
36 * if e == 3 */
37 rsa_ossl_init,
38 rsa_ossl_finish,
39 RSA_FLAG_FIPS_METHOD, /* flags */
40 NULL,
41 0, /* rsa_sign */
42 0, /* rsa_verify */
43 NULL /* rsa_keygen */
44};
45
46const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
47{
48 return &rsa_pkcs1_ossl_meth;
49}
50
51static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
52 unsigned char *to, RSA *rsa, int padding)
53{
54 BIGNUM *f, *ret;
55 int i, j, k, num = 0, r = -1;
56 unsigned char *buf = NULL;
57 BN_CTX *ctx = NULL;
58
59 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
60 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
61 return -1;
62 }
63
64 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
65 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
66 return -1;
67 }
68
69 /* for large moduli, enforce exponent limit */
70 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
71 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
72 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
73 return -1;
74 }
75 }
76
77 if ((ctx = BN_CTX_new()) == NULL)
78 goto err;
79 BN_CTX_start(ctx);
80 f = BN_CTX_get(ctx);
81 ret = BN_CTX_get(ctx);
82 num = BN_num_bytes(rsa->n);
83 buf = OPENSSL_malloc(num);
84 if (f == NULL || ret == NULL || buf == NULL) {
85 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
86 goto err;
87 }
88
89 switch (padding) {
90 case RSA_PKCS1_PADDING:
91 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
92 break;
93 case RSA_PKCS1_OAEP_PADDING:
94 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
95 break;
96 case RSA_SSLV23_PADDING:
97 i = RSA_padding_add_SSLv23(buf, num, from, flen);
98 break;
99 case RSA_NO_PADDING:
100 i = RSA_padding_add_none(buf, num, from, flen);
101 break;
102 default:
103 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
104 goto err;
105 }
106 if (i <= 0)
107 goto err;
108
109 if (BN_bin2bn(buf, num, f) == NULL)
110 goto err;
111
112 if (BN_ucmp(f, rsa->n) >= 0) {
113 /* usually the padding functions would catch this */
114 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT,
115 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
116 goto err;
117 }
118
119 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
120 if (!BN_MONT_CTX_set_locked
121 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
122 goto err;
123
124 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
125 rsa->_method_mod_n))
126 goto err;
127
128 /*
129 * put in leading 0 bytes if the number is less than the length of the
130 * modulus
131 */
132 j = BN_num_bytes(ret);
133 i = BN_bn2bin(ret, &(to[num - j]));
134 for (k = 0; k < (num - i); k++)
135 to[k] = 0;
136
137 r = num;
138 err:
139 if (ctx != NULL)
140 BN_CTX_end(ctx);
141 BN_CTX_free(ctx);
142 OPENSSL_clear_free(buf, num);
143 return (r);
144}
145
146static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
147{
148 BN_BLINDING *ret;
149
150 CRYPTO_THREAD_write_lock(rsa->lock);
151
152 if (rsa->blinding == NULL) {
153 rsa->blinding = RSA_setup_blinding(rsa, ctx);
154 }
155
156 ret = rsa->blinding;
157 if (ret == NULL)
158 goto err;
159
160 if (BN_BLINDING_is_current_thread(ret)) {
161 /* rsa->blinding is ours! */
162
163 *local = 1;
164 } else {
165 /* resort to rsa->mt_blinding instead */
166
167 /*
168 * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
169 * BN_BLINDING is shared, meaning that accesses require locks, and
170 * that the blinding factor must be stored outside the BN_BLINDING
171 */
172 *local = 0;
173
174 if (rsa->mt_blinding == NULL) {
175 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
176 }
177 ret = rsa->mt_blinding;
178 }
179
180 err:
181 CRYPTO_THREAD_unlock(rsa->lock);
182 return ret;
183}
184
185static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
186 BN_CTX *ctx)
187{
188 if (unblind == NULL)
189 /*
190 * Local blinding: store the unblinding factor in BN_BLINDING.
191 */
192 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
193 else {
194 /*
195 * Shared blinding: store the unblinding factor outside BN_BLINDING.
196 */
197 int ret;
198
199 BN_BLINDING_lock(b);
200 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
201 BN_BLINDING_unlock(b);
202
203 return ret;
204 }
205}
206
207static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
208 BN_CTX *ctx)
209{
210 /*
211 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
212 * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
213 * is shared between threads, unblind must be non-null:
214 * BN_BLINDING_invert_ex will then use the local unblinding factor, and
215 * will only read the modulus from BN_BLINDING. In both cases it's safe
216 * to access the blinding without a lock.
217 */
218 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
219}
220
221/* signing */
222static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
223 unsigned char *to, RSA *rsa, int padding)
224{
225 BIGNUM *f, *ret, *res;
226 int i, j, k, num = 0, r = -1;
227 unsigned char *buf = NULL;
228 BN_CTX *ctx = NULL;
229 int local_blinding = 0;
230 /*
231 * Used only if the blinding structure is shared. A non-NULL unblind
232 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
233 * the unblinding factor outside the blinding structure.
234 */
235 BIGNUM *unblind = NULL;
236 BN_BLINDING *blinding = NULL;
237
238 if ((ctx = BN_CTX_new()) == NULL)
239 goto err;
240 BN_CTX_start(ctx);
241 f = BN_CTX_get(ctx);
242 ret = BN_CTX_get(ctx);
243 num = BN_num_bytes(rsa->n);
244 buf = OPENSSL_malloc(num);
245 if (f == NULL || ret == NULL || buf == NULL) {
246 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
247 goto err;
248 }
249
250 switch (padding) {
251 case RSA_PKCS1_PADDING:
252 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
253 break;
254 case RSA_X931_PADDING:
255 i = RSA_padding_add_X931(buf, num, from, flen);
256 break;
257 case RSA_NO_PADDING:
258 i = RSA_padding_add_none(buf, num, from, flen);
259 break;
260 case RSA_SSLV23_PADDING:
261 default:
262 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
263 goto err;
264 }
265 if (i <= 0)
266 goto err;
267
268 if (BN_bin2bn(buf, num, f) == NULL)
269 goto err;
270
271 if (BN_ucmp(f, rsa->n) >= 0) {
272 /* usually the padding functions would catch this */
273 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
274 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
275 goto err;
276 }
277
278 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
279 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
280 if (blinding == NULL) {
281 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
282 goto err;
283 }
284 }
285
286 if (blinding != NULL) {
287 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
288 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
289 goto err;
290 }
291 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
292 goto err;
293 }
294
295 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
296 ((rsa->p != NULL) &&
297 (rsa->q != NULL) &&
298 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
299 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
300 goto err;
301 } else {
302 BIGNUM *d = BN_new();
303 if (d == NULL) {
304 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
305 goto err;
306 }
307 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
308
309 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
310 if (!BN_MONT_CTX_set_locked
311 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
312 BN_free(d);
313 goto err;
314 }
315
316 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
317 rsa->_method_mod_n)) {
318 BN_free(d);
319 goto err;
320 }
321 /* We MUST free d before any further use of rsa->d */
322 BN_free(d);
323 }
324
325 if (blinding)
326 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
327 goto err;
328
329 if (padding == RSA_X931_PADDING) {
330 BN_sub(f, rsa->n, ret);
331 if (BN_cmp(ret, f) > 0)
332 res = f;
333 else
334 res = ret;
335 } else
336 res = ret;
337
338 /*
339 * put in leading 0 bytes if the number is less than the length of the
340 * modulus
341 */
342 j = BN_num_bytes(res);
343 i = BN_bn2bin(res, &(to[num - j]));
344 for (k = 0; k < (num - i); k++)
345 to[k] = 0;
346
347 r = num;
348 err:
349 if (ctx != NULL)
350 BN_CTX_end(ctx);
351 BN_CTX_free(ctx);
352 OPENSSL_clear_free(buf, num);
353 return (r);
354}
355
356static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
357 unsigned char *to, RSA *rsa, int padding)
358{
359 BIGNUM *f, *ret;
360 int j, num = 0, r = -1;
361 unsigned char *p;
362 unsigned char *buf = NULL;
363 BN_CTX *ctx = NULL;
364 int local_blinding = 0;
365 /*
366 * Used only if the blinding structure is shared. A non-NULL unblind
367 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
368 * the unblinding factor outside the blinding structure.
369 */
370 BIGNUM *unblind = NULL;
371 BN_BLINDING *blinding = NULL;
372
373 if ((ctx = BN_CTX_new()) == NULL)
374 goto err;
375 BN_CTX_start(ctx);
376 f = BN_CTX_get(ctx);
377 ret = BN_CTX_get(ctx);
378 num = BN_num_bytes(rsa->n);
379 buf = OPENSSL_malloc(num);
380 if (f == NULL || ret == NULL || buf == NULL) {
381 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
382 goto err;
383 }
384
385 /*
386 * This check was for equality but PGP does evil things and chops off the
387 * top '0' bytes
388 */
389 if (flen > num) {
390 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
391 RSA_R_DATA_GREATER_THAN_MOD_LEN);
392 goto err;
393 }
394
395 /* make data into a big number */
396 if (BN_bin2bn(from, (int)flen, f) == NULL)
397 goto err;
398
399 if (BN_ucmp(f, rsa->n) >= 0) {
400 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
401 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
402 goto err;
403 }
404
405 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
406 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
407 if (blinding == NULL) {
408 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
409 goto err;
410 }
411 }
412
413 if (blinding != NULL) {
414 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
415 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
416 goto err;
417 }
418 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
419 goto err;
420 }
421
422 /* do the decrypt */
423 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
424 ((rsa->p != NULL) &&
425 (rsa->q != NULL) &&
426 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
427 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
428 goto err;
429 } else {
430 BIGNUM *d = BN_new();
431 if (d == NULL) {
432 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
433 goto err;
434 }
435 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
436
437 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
438 if (!BN_MONT_CTX_set_locked
439 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
440 BN_free(d);
441 goto err;
442 }
443 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
444 rsa->_method_mod_n)) {
445 BN_free(d);
446 goto err;
447 }
448 /* We MUST free d before any further use of rsa->d */
449 BN_free(d);
450 }
451
452 if (blinding)
453 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
454 goto err;
455
456 p = buf;
457 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
458
459 switch (padding) {
460 case RSA_PKCS1_PADDING:
461 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
462 break;
463 case RSA_PKCS1_OAEP_PADDING:
464 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
465 break;
466 case RSA_SSLV23_PADDING:
467 r = RSA_padding_check_SSLv23(to, num, buf, j, num);
468 break;
469 case RSA_NO_PADDING:
470 r = RSA_padding_check_none(to, num, buf, j, num);
471 break;
472 default:
473 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
474 goto err;
475 }
476 if (r < 0)
477 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
478
479 err:
480 if (ctx != NULL)
481 BN_CTX_end(ctx);
482 BN_CTX_free(ctx);
483 OPENSSL_clear_free(buf, num);
484 return (r);
485}
486
487/* signature verification */
488static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
489 unsigned char *to, RSA *rsa, int padding)
490{
491 BIGNUM *f, *ret;
492 int i, num = 0, r = -1;
493 unsigned char *p;
494 unsigned char *buf = NULL;
495 BN_CTX *ctx = NULL;
496
497 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
498 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
499 return -1;
500 }
501
502 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
503 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
504 return -1;
505 }
506
507 /* for large moduli, enforce exponent limit */
508 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
509 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
510 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
511 return -1;
512 }
513 }
514
515 if ((ctx = BN_CTX_new()) == NULL)
516 goto err;
517 BN_CTX_start(ctx);
518 f = BN_CTX_get(ctx);
519 ret = BN_CTX_get(ctx);
520 num = BN_num_bytes(rsa->n);
521 buf = OPENSSL_malloc(num);
522 if (f == NULL || ret == NULL || buf == NULL) {
523 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
524 goto err;
525 }
526
527 /*
528 * This check was for equality but PGP does evil things and chops off the
529 * top '0' bytes
530 */
531 if (flen > num) {
532 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
533 goto err;
534 }
535
536 if (BN_bin2bn(from, flen, f) == NULL)
537 goto err;
538
539 if (BN_ucmp(f, rsa->n) >= 0) {
540 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT,
541 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
542 goto err;
543 }
544
545 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
546 if (!BN_MONT_CTX_set_locked
547 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
548 goto err;
549
550 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
551 rsa->_method_mod_n))
552 goto err;
553
554 if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
555 if (!BN_sub(ret, rsa->n, ret))
556 goto err;
557
558 p = buf;
559 i = BN_bn2bin(ret, p);
560
561 switch (padding) {
562 case RSA_PKCS1_PADDING:
563 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
564 break;
565 case RSA_X931_PADDING:
566 r = RSA_padding_check_X931(to, num, buf, i, num);
567 break;
568 case RSA_NO_PADDING:
569 r = RSA_padding_check_none(to, num, buf, i, num);
570 break;
571 default:
572 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
573 goto err;
574 }
575 if (r < 0)
576 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
577
578 err:
579 if (ctx != NULL)
580 BN_CTX_end(ctx);
581 BN_CTX_free(ctx);
582 OPENSSL_clear_free(buf, num);
583 return (r);
584}
585
586static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
587{
588 BIGNUM *r1, *m1, *vrfy;
589 int ret = 0;
590
591 BN_CTX_start(ctx);
592
593 r1 = BN_CTX_get(ctx);
594 m1 = BN_CTX_get(ctx);
595 vrfy = BN_CTX_get(ctx);
596
597 {
598 BIGNUM *p = BN_new(), *q = BN_new();
599
600 /*
601 * Make sure BN_mod_inverse in Montgomery initialization uses the
602 * BN_FLG_CONSTTIME flag
603 */
604 if (p == NULL || q == NULL) {
605 BN_free(p);
606 BN_free(q);
607 goto err;
608 }
609 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
610 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
611
612 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
613 if (!BN_MONT_CTX_set_locked
614 (&rsa->_method_mod_p, rsa->lock, p, ctx)
615 || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
616 rsa->lock, q, ctx)) {
617 BN_free(p);
618 BN_free(q);
619 goto err;
620 }
621 }
622 /*
623 * We MUST free p and q before any further use of rsa->p and rsa->q
624 */
625 BN_free(p);
626 BN_free(q);
627 }
628
629 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
630 if (!BN_MONT_CTX_set_locked
631 (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
632 goto err;
633
634 /* compute I mod q */
635 {
636 BIGNUM *c = BN_new();
637 if (c == NULL)
638 goto err;
639 BN_with_flags(c, I, BN_FLG_CONSTTIME);
640
641 if (!BN_mod(r1, c, rsa->q, ctx)) {
642 BN_free(c);
643 goto err;
644 }
645
646 {
647 BIGNUM *dmq1 = BN_new();
648 if (dmq1 == NULL) {
649 BN_free(c);
650 goto err;
651 }
652 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
653
654 /* compute r1^dmq1 mod q */
655 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
656 rsa->_method_mod_q)) {
657 BN_free(c);
658 BN_free(dmq1);
659 goto err;
660 }
661 /* We MUST free dmq1 before any further use of rsa->dmq1 */
662 BN_free(dmq1);
663 }
664
665 /* compute I mod p */
666 if (!BN_mod(r1, c, rsa->p, ctx)) {
667 BN_free(c);
668 goto err;
669 }
670 /* We MUST free c before any further use of I */
671 BN_free(c);
672 }
673
674 {
675 BIGNUM *dmp1 = BN_new();
676 if (dmp1 == NULL)
677 goto err;
678 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
679
680 /* compute r1^dmp1 mod p */
681 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
682 rsa->_method_mod_p)) {
683 BN_free(dmp1);
684 goto err;
685 }
686 /* We MUST free dmp1 before any further use of rsa->dmp1 */
687 BN_free(dmp1);
688 }
689
690 if (!BN_sub(r0, r0, m1))
691 goto err;
692 /*
693 * This will help stop the size of r0 increasing, which does affect the
694 * multiply if it optimised for a power of 2 size
695 */
696 if (BN_is_negative(r0))
697 if (!BN_add(r0, r0, rsa->p))
698 goto err;
699
700 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
701 goto err;
702
703 {
704 BIGNUM *pr1 = BN_new();
705 if (pr1 == NULL)
706 goto err;
707 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
708
709 if (!BN_mod(r0, pr1, rsa->p, ctx)) {
710 BN_free(pr1);
711 goto err;
712 }
713 /* We MUST free pr1 before any further use of r1 */
714 BN_free(pr1);
715 }
716
717 /*
718 * If p < q it is occasionally possible for the correction of adding 'p'
719 * if r0 is negative above to leave the result still negative. This can
720 * break the private key operations: the following second correction
721 * should *always* correct this rare occurrence. This will *never* happen
722 * with OpenSSL generated keys because they ensure p > q [steve]
723 */
724 if (BN_is_negative(r0))
725 if (!BN_add(r0, r0, rsa->p))
726 goto err;
727 if (!BN_mul(r1, r0, rsa->q, ctx))
728 goto err;
729 if (!BN_add(r0, r1, m1))
730 goto err;
731
732 if (rsa->e && rsa->n) {
733 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
734 rsa->_method_mod_n))
735 goto err;
736 /*
737 * If 'I' was greater than (or equal to) rsa->n, the operation will
738 * be equivalent to using 'I mod n'. However, the result of the
739 * verify will *always* be less than 'n' so we don't check for
740 * absolute equality, just congruency.
741 */
742 if (!BN_sub(vrfy, vrfy, I))
743 goto err;
744 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
745 goto err;
746 if (BN_is_negative(vrfy))
747 if (!BN_add(vrfy, vrfy, rsa->n))
748 goto err;
749 if (!BN_is_zero(vrfy)) {
750 /*
751 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
752 * miscalculated CRT output, just do a raw (slower) mod_exp and
753 * return that instead.
754 */
755
756 BIGNUM *d = BN_new();
757 if (d == NULL)
758 goto err;
759 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
760
761 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
762 rsa->_method_mod_n)) {
763 BN_free(d);
764 goto err;
765 }
766 /* We MUST free d before any further use of rsa->d */
767 BN_free(d);
768 }
769 }
770 ret = 1;
771 err:
772 BN_CTX_end(ctx);
773 return (ret);
774}
775
776static int rsa_ossl_init(RSA *rsa)
777{
778 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
779 return (1);
780}
781
782static int rsa_ossl_finish(RSA *rsa)
783{
784 BN_MONT_CTX_free(rsa->_method_mod_n);
785 BN_MONT_CTX_free(rsa->_method_mod_p);
786 BN_MONT_CTX_free(rsa->_method_mod_q);
787 return (1);
788}
789
790#endif
Note: See TracBrowser for help on using the repository browser.