1 | /*
|
---|
2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include "internal/cryptlib.h"
|
---|
11 | #include "internal/bn_int.h"
|
---|
12 | #include "rsa_locl.h"
|
---|
13 |
|
---|
14 | #ifndef RSA_NULL
|
---|
15 |
|
---|
16 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
|
---|
17 | unsigned char *to, RSA *rsa, int padding);
|
---|
18 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
|
---|
19 | unsigned char *to, RSA *rsa, int padding);
|
---|
20 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
|
---|
21 | unsigned char *to, RSA *rsa, int padding);
|
---|
22 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
---|
23 | unsigned char *to, RSA *rsa, int padding);
|
---|
24 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
|
---|
25 | BN_CTX *ctx);
|
---|
26 | static int rsa_ossl_init(RSA *rsa);
|
---|
27 | static int rsa_ossl_finish(RSA *rsa);
|
---|
28 | static RSA_METHOD rsa_pkcs1_ossl_meth = {
|
---|
29 | "OpenSSL PKCS#1 RSA (from Eric Young)",
|
---|
30 | rsa_ossl_public_encrypt,
|
---|
31 | rsa_ossl_public_decrypt, /* signature verification */
|
---|
32 | rsa_ossl_private_encrypt, /* signing */
|
---|
33 | rsa_ossl_private_decrypt,
|
---|
34 | rsa_ossl_mod_exp,
|
---|
35 | BN_mod_exp_mont, /* XXX probably we should not use Montgomery
|
---|
36 | * if e == 3 */
|
---|
37 | rsa_ossl_init,
|
---|
38 | rsa_ossl_finish,
|
---|
39 | RSA_FLAG_FIPS_METHOD, /* flags */
|
---|
40 | NULL,
|
---|
41 | 0, /* rsa_sign */
|
---|
42 | 0, /* rsa_verify */
|
---|
43 | NULL /* rsa_keygen */
|
---|
44 | };
|
---|
45 |
|
---|
46 | const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
|
---|
47 | {
|
---|
48 | return &rsa_pkcs1_ossl_meth;
|
---|
49 | }
|
---|
50 |
|
---|
51 | static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
|
---|
52 | unsigned char *to, RSA *rsa, int padding)
|
---|
53 | {
|
---|
54 | BIGNUM *f, *ret;
|
---|
55 | int i, j, k, num = 0, r = -1;
|
---|
56 | unsigned char *buf = NULL;
|
---|
57 | BN_CTX *ctx = NULL;
|
---|
58 |
|
---|
59 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
|
---|
60 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
|
---|
61 | return -1;
|
---|
62 | }
|
---|
63 |
|
---|
64 | if (BN_ucmp(rsa->n, rsa->e) <= 0) {
|
---|
65 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
---|
66 | return -1;
|
---|
67 | }
|
---|
68 |
|
---|
69 | /* for large moduli, enforce exponent limit */
|
---|
70 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
|
---|
71 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
|
---|
72 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
---|
73 | return -1;
|
---|
74 | }
|
---|
75 | }
|
---|
76 |
|
---|
77 | if ((ctx = BN_CTX_new()) == NULL)
|
---|
78 | goto err;
|
---|
79 | BN_CTX_start(ctx);
|
---|
80 | f = BN_CTX_get(ctx);
|
---|
81 | ret = BN_CTX_get(ctx);
|
---|
82 | num = BN_num_bytes(rsa->n);
|
---|
83 | buf = OPENSSL_malloc(num);
|
---|
84 | if (f == NULL || ret == NULL || buf == NULL) {
|
---|
85 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
|
---|
86 | goto err;
|
---|
87 | }
|
---|
88 |
|
---|
89 | switch (padding) {
|
---|
90 | case RSA_PKCS1_PADDING:
|
---|
91 | i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
|
---|
92 | break;
|
---|
93 | case RSA_PKCS1_OAEP_PADDING:
|
---|
94 | i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
|
---|
95 | break;
|
---|
96 | case RSA_SSLV23_PADDING:
|
---|
97 | i = RSA_padding_add_SSLv23(buf, num, from, flen);
|
---|
98 | break;
|
---|
99 | case RSA_NO_PADDING:
|
---|
100 | i = RSA_padding_add_none(buf, num, from, flen);
|
---|
101 | break;
|
---|
102 | default:
|
---|
103 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
---|
104 | goto err;
|
---|
105 | }
|
---|
106 | if (i <= 0)
|
---|
107 | goto err;
|
---|
108 |
|
---|
109 | if (BN_bin2bn(buf, num, f) == NULL)
|
---|
110 | goto err;
|
---|
111 |
|
---|
112 | if (BN_ucmp(f, rsa->n) >= 0) {
|
---|
113 | /* usually the padding functions would catch this */
|
---|
114 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT,
|
---|
115 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
---|
116 | goto err;
|
---|
117 | }
|
---|
118 |
|
---|
119 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
120 | if (!BN_MONT_CTX_set_locked
|
---|
121 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
|
---|
122 | goto err;
|
---|
123 |
|
---|
124 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
|
---|
125 | rsa->_method_mod_n))
|
---|
126 | goto err;
|
---|
127 |
|
---|
128 | /*
|
---|
129 | * put in leading 0 bytes if the number is less than the length of the
|
---|
130 | * modulus
|
---|
131 | */
|
---|
132 | j = BN_num_bytes(ret);
|
---|
133 | i = BN_bn2bin(ret, &(to[num - j]));
|
---|
134 | for (k = 0; k < (num - i); k++)
|
---|
135 | to[k] = 0;
|
---|
136 |
|
---|
137 | r = num;
|
---|
138 | err:
|
---|
139 | if (ctx != NULL)
|
---|
140 | BN_CTX_end(ctx);
|
---|
141 | BN_CTX_free(ctx);
|
---|
142 | OPENSSL_clear_free(buf, num);
|
---|
143 | return (r);
|
---|
144 | }
|
---|
145 |
|
---|
146 | static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
|
---|
147 | {
|
---|
148 | BN_BLINDING *ret;
|
---|
149 |
|
---|
150 | CRYPTO_THREAD_write_lock(rsa->lock);
|
---|
151 |
|
---|
152 | if (rsa->blinding == NULL) {
|
---|
153 | rsa->blinding = RSA_setup_blinding(rsa, ctx);
|
---|
154 | }
|
---|
155 |
|
---|
156 | ret = rsa->blinding;
|
---|
157 | if (ret == NULL)
|
---|
158 | goto err;
|
---|
159 |
|
---|
160 | if (BN_BLINDING_is_current_thread(ret)) {
|
---|
161 | /* rsa->blinding is ours! */
|
---|
162 |
|
---|
163 | *local = 1;
|
---|
164 | } else {
|
---|
165 | /* resort to rsa->mt_blinding instead */
|
---|
166 |
|
---|
167 | /*
|
---|
168 | * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
|
---|
169 | * BN_BLINDING is shared, meaning that accesses require locks, and
|
---|
170 | * that the blinding factor must be stored outside the BN_BLINDING
|
---|
171 | */
|
---|
172 | *local = 0;
|
---|
173 |
|
---|
174 | if (rsa->mt_blinding == NULL) {
|
---|
175 | rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
|
---|
176 | }
|
---|
177 | ret = rsa->mt_blinding;
|
---|
178 | }
|
---|
179 |
|
---|
180 | err:
|
---|
181 | CRYPTO_THREAD_unlock(rsa->lock);
|
---|
182 | return ret;
|
---|
183 | }
|
---|
184 |
|
---|
185 | static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
|
---|
186 | BN_CTX *ctx)
|
---|
187 | {
|
---|
188 | if (unblind == NULL)
|
---|
189 | /*
|
---|
190 | * Local blinding: store the unblinding factor in BN_BLINDING.
|
---|
191 | */
|
---|
192 | return BN_BLINDING_convert_ex(f, NULL, b, ctx);
|
---|
193 | else {
|
---|
194 | /*
|
---|
195 | * Shared blinding: store the unblinding factor outside BN_BLINDING.
|
---|
196 | */
|
---|
197 | int ret;
|
---|
198 |
|
---|
199 | BN_BLINDING_lock(b);
|
---|
200 | ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
|
---|
201 | BN_BLINDING_unlock(b);
|
---|
202 |
|
---|
203 | return ret;
|
---|
204 | }
|
---|
205 | }
|
---|
206 |
|
---|
207 | static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
|
---|
208 | BN_CTX *ctx)
|
---|
209 | {
|
---|
210 | /*
|
---|
211 | * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
|
---|
212 | * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
|
---|
213 | * is shared between threads, unblind must be non-null:
|
---|
214 | * BN_BLINDING_invert_ex will then use the local unblinding factor, and
|
---|
215 | * will only read the modulus from BN_BLINDING. In both cases it's safe
|
---|
216 | * to access the blinding without a lock.
|
---|
217 | */
|
---|
218 | return BN_BLINDING_invert_ex(f, unblind, b, ctx);
|
---|
219 | }
|
---|
220 |
|
---|
221 | /* signing */
|
---|
222 | static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
|
---|
223 | unsigned char *to, RSA *rsa, int padding)
|
---|
224 | {
|
---|
225 | BIGNUM *f, *ret, *res;
|
---|
226 | int i, j, k, num = 0, r = -1;
|
---|
227 | unsigned char *buf = NULL;
|
---|
228 | BN_CTX *ctx = NULL;
|
---|
229 | int local_blinding = 0;
|
---|
230 | /*
|
---|
231 | * Used only if the blinding structure is shared. A non-NULL unblind
|
---|
232 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
|
---|
233 | * the unblinding factor outside the blinding structure.
|
---|
234 | */
|
---|
235 | BIGNUM *unblind = NULL;
|
---|
236 | BN_BLINDING *blinding = NULL;
|
---|
237 |
|
---|
238 | if ((ctx = BN_CTX_new()) == NULL)
|
---|
239 | goto err;
|
---|
240 | BN_CTX_start(ctx);
|
---|
241 | f = BN_CTX_get(ctx);
|
---|
242 | ret = BN_CTX_get(ctx);
|
---|
243 | num = BN_num_bytes(rsa->n);
|
---|
244 | buf = OPENSSL_malloc(num);
|
---|
245 | if (f == NULL || ret == NULL || buf == NULL) {
|
---|
246 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
|
---|
247 | goto err;
|
---|
248 | }
|
---|
249 |
|
---|
250 | switch (padding) {
|
---|
251 | case RSA_PKCS1_PADDING:
|
---|
252 | i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
|
---|
253 | break;
|
---|
254 | case RSA_X931_PADDING:
|
---|
255 | i = RSA_padding_add_X931(buf, num, from, flen);
|
---|
256 | break;
|
---|
257 | case RSA_NO_PADDING:
|
---|
258 | i = RSA_padding_add_none(buf, num, from, flen);
|
---|
259 | break;
|
---|
260 | case RSA_SSLV23_PADDING:
|
---|
261 | default:
|
---|
262 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
---|
263 | goto err;
|
---|
264 | }
|
---|
265 | if (i <= 0)
|
---|
266 | goto err;
|
---|
267 |
|
---|
268 | if (BN_bin2bn(buf, num, f) == NULL)
|
---|
269 | goto err;
|
---|
270 |
|
---|
271 | if (BN_ucmp(f, rsa->n) >= 0) {
|
---|
272 | /* usually the padding functions would catch this */
|
---|
273 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
|
---|
274 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
---|
275 | goto err;
|
---|
276 | }
|
---|
277 |
|
---|
278 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
|
---|
279 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
|
---|
280 | if (blinding == NULL) {
|
---|
281 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
|
---|
282 | goto err;
|
---|
283 | }
|
---|
284 | }
|
---|
285 |
|
---|
286 | if (blinding != NULL) {
|
---|
287 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
|
---|
288 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
|
---|
289 | goto err;
|
---|
290 | }
|
---|
291 | if (!rsa_blinding_convert(blinding, f, unblind, ctx))
|
---|
292 | goto err;
|
---|
293 | }
|
---|
294 |
|
---|
295 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
|
---|
296 | ((rsa->p != NULL) &&
|
---|
297 | (rsa->q != NULL) &&
|
---|
298 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
|
---|
299 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
|
---|
300 | goto err;
|
---|
301 | } else {
|
---|
302 | BIGNUM *d = BN_new();
|
---|
303 | if (d == NULL) {
|
---|
304 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
|
---|
305 | goto err;
|
---|
306 | }
|
---|
307 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
---|
308 |
|
---|
309 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
310 | if (!BN_MONT_CTX_set_locked
|
---|
311 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
|
---|
312 | BN_free(d);
|
---|
313 | goto err;
|
---|
314 | }
|
---|
315 |
|
---|
316 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
|
---|
317 | rsa->_method_mod_n)) {
|
---|
318 | BN_free(d);
|
---|
319 | goto err;
|
---|
320 | }
|
---|
321 | /* We MUST free d before any further use of rsa->d */
|
---|
322 | BN_free(d);
|
---|
323 | }
|
---|
324 |
|
---|
325 | if (blinding)
|
---|
326 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
---|
327 | goto err;
|
---|
328 |
|
---|
329 | if (padding == RSA_X931_PADDING) {
|
---|
330 | BN_sub(f, rsa->n, ret);
|
---|
331 | if (BN_cmp(ret, f) > 0)
|
---|
332 | res = f;
|
---|
333 | else
|
---|
334 | res = ret;
|
---|
335 | } else
|
---|
336 | res = ret;
|
---|
337 |
|
---|
338 | /*
|
---|
339 | * put in leading 0 bytes if the number is less than the length of the
|
---|
340 | * modulus
|
---|
341 | */
|
---|
342 | j = BN_num_bytes(res);
|
---|
343 | i = BN_bn2bin(res, &(to[num - j]));
|
---|
344 | for (k = 0; k < (num - i); k++)
|
---|
345 | to[k] = 0;
|
---|
346 |
|
---|
347 | r = num;
|
---|
348 | err:
|
---|
349 | if (ctx != NULL)
|
---|
350 | BN_CTX_end(ctx);
|
---|
351 | BN_CTX_free(ctx);
|
---|
352 | OPENSSL_clear_free(buf, num);
|
---|
353 | return (r);
|
---|
354 | }
|
---|
355 |
|
---|
356 | static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
---|
357 | unsigned char *to, RSA *rsa, int padding)
|
---|
358 | {
|
---|
359 | BIGNUM *f, *ret;
|
---|
360 | int j, num = 0, r = -1;
|
---|
361 | unsigned char *p;
|
---|
362 | unsigned char *buf = NULL;
|
---|
363 | BN_CTX *ctx = NULL;
|
---|
364 | int local_blinding = 0;
|
---|
365 | /*
|
---|
366 | * Used only if the blinding structure is shared. A non-NULL unblind
|
---|
367 | * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
|
---|
368 | * the unblinding factor outside the blinding structure.
|
---|
369 | */
|
---|
370 | BIGNUM *unblind = NULL;
|
---|
371 | BN_BLINDING *blinding = NULL;
|
---|
372 |
|
---|
373 | if ((ctx = BN_CTX_new()) == NULL)
|
---|
374 | goto err;
|
---|
375 | BN_CTX_start(ctx);
|
---|
376 | f = BN_CTX_get(ctx);
|
---|
377 | ret = BN_CTX_get(ctx);
|
---|
378 | num = BN_num_bytes(rsa->n);
|
---|
379 | buf = OPENSSL_malloc(num);
|
---|
380 | if (f == NULL || ret == NULL || buf == NULL) {
|
---|
381 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
|
---|
382 | goto err;
|
---|
383 | }
|
---|
384 |
|
---|
385 | /*
|
---|
386 | * This check was for equality but PGP does evil things and chops off the
|
---|
387 | * top '0' bytes
|
---|
388 | */
|
---|
389 | if (flen > num) {
|
---|
390 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
|
---|
391 | RSA_R_DATA_GREATER_THAN_MOD_LEN);
|
---|
392 | goto err;
|
---|
393 | }
|
---|
394 |
|
---|
395 | /* make data into a big number */
|
---|
396 | if (BN_bin2bn(from, (int)flen, f) == NULL)
|
---|
397 | goto err;
|
---|
398 |
|
---|
399 | if (BN_ucmp(f, rsa->n) >= 0) {
|
---|
400 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
|
---|
401 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
---|
402 | goto err;
|
---|
403 | }
|
---|
404 |
|
---|
405 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
|
---|
406 | blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
|
---|
407 | if (blinding == NULL) {
|
---|
408 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
|
---|
409 | goto err;
|
---|
410 | }
|
---|
411 | }
|
---|
412 |
|
---|
413 | if (blinding != NULL) {
|
---|
414 | if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
|
---|
415 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
|
---|
416 | goto err;
|
---|
417 | }
|
---|
418 | if (!rsa_blinding_convert(blinding, f, unblind, ctx))
|
---|
419 | goto err;
|
---|
420 | }
|
---|
421 |
|
---|
422 | /* do the decrypt */
|
---|
423 | if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
|
---|
424 | ((rsa->p != NULL) &&
|
---|
425 | (rsa->q != NULL) &&
|
---|
426 | (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
|
---|
427 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
|
---|
428 | goto err;
|
---|
429 | } else {
|
---|
430 | BIGNUM *d = BN_new();
|
---|
431 | if (d == NULL) {
|
---|
432 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
|
---|
433 | goto err;
|
---|
434 | }
|
---|
435 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
---|
436 |
|
---|
437 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
438 | if (!BN_MONT_CTX_set_locked
|
---|
439 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
|
---|
440 | BN_free(d);
|
---|
441 | goto err;
|
---|
442 | }
|
---|
443 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
|
---|
444 | rsa->_method_mod_n)) {
|
---|
445 | BN_free(d);
|
---|
446 | goto err;
|
---|
447 | }
|
---|
448 | /* We MUST free d before any further use of rsa->d */
|
---|
449 | BN_free(d);
|
---|
450 | }
|
---|
451 |
|
---|
452 | if (blinding)
|
---|
453 | if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
---|
454 | goto err;
|
---|
455 |
|
---|
456 | p = buf;
|
---|
457 | j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
|
---|
458 |
|
---|
459 | switch (padding) {
|
---|
460 | case RSA_PKCS1_PADDING:
|
---|
461 | r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
|
---|
462 | break;
|
---|
463 | case RSA_PKCS1_OAEP_PADDING:
|
---|
464 | r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
|
---|
465 | break;
|
---|
466 | case RSA_SSLV23_PADDING:
|
---|
467 | r = RSA_padding_check_SSLv23(to, num, buf, j, num);
|
---|
468 | break;
|
---|
469 | case RSA_NO_PADDING:
|
---|
470 | r = RSA_padding_check_none(to, num, buf, j, num);
|
---|
471 | break;
|
---|
472 | default:
|
---|
473 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
---|
474 | goto err;
|
---|
475 | }
|
---|
476 | if (r < 0)
|
---|
477 | RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
|
---|
478 |
|
---|
479 | err:
|
---|
480 | if (ctx != NULL)
|
---|
481 | BN_CTX_end(ctx);
|
---|
482 | BN_CTX_free(ctx);
|
---|
483 | OPENSSL_clear_free(buf, num);
|
---|
484 | return (r);
|
---|
485 | }
|
---|
486 |
|
---|
487 | /* signature verification */
|
---|
488 | static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
|
---|
489 | unsigned char *to, RSA *rsa, int padding)
|
---|
490 | {
|
---|
491 | BIGNUM *f, *ret;
|
---|
492 | int i, num = 0, r = -1;
|
---|
493 | unsigned char *p;
|
---|
494 | unsigned char *buf = NULL;
|
---|
495 | BN_CTX *ctx = NULL;
|
---|
496 |
|
---|
497 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
|
---|
498 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
|
---|
499 | return -1;
|
---|
500 | }
|
---|
501 |
|
---|
502 | if (BN_ucmp(rsa->n, rsa->e) <= 0) {
|
---|
503 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
---|
504 | return -1;
|
---|
505 | }
|
---|
506 |
|
---|
507 | /* for large moduli, enforce exponent limit */
|
---|
508 | if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
|
---|
509 | if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
|
---|
510 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
---|
511 | return -1;
|
---|
512 | }
|
---|
513 | }
|
---|
514 |
|
---|
515 | if ((ctx = BN_CTX_new()) == NULL)
|
---|
516 | goto err;
|
---|
517 | BN_CTX_start(ctx);
|
---|
518 | f = BN_CTX_get(ctx);
|
---|
519 | ret = BN_CTX_get(ctx);
|
---|
520 | num = BN_num_bytes(rsa->n);
|
---|
521 | buf = OPENSSL_malloc(num);
|
---|
522 | if (f == NULL || ret == NULL || buf == NULL) {
|
---|
523 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
|
---|
524 | goto err;
|
---|
525 | }
|
---|
526 |
|
---|
527 | /*
|
---|
528 | * This check was for equality but PGP does evil things and chops off the
|
---|
529 | * top '0' bytes
|
---|
530 | */
|
---|
531 | if (flen > num) {
|
---|
532 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
|
---|
533 | goto err;
|
---|
534 | }
|
---|
535 |
|
---|
536 | if (BN_bin2bn(from, flen, f) == NULL)
|
---|
537 | goto err;
|
---|
538 |
|
---|
539 | if (BN_ucmp(f, rsa->n) >= 0) {
|
---|
540 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT,
|
---|
541 | RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
---|
542 | goto err;
|
---|
543 | }
|
---|
544 |
|
---|
545 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
546 | if (!BN_MONT_CTX_set_locked
|
---|
547 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
|
---|
548 | goto err;
|
---|
549 |
|
---|
550 | if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
|
---|
551 | rsa->_method_mod_n))
|
---|
552 | goto err;
|
---|
553 |
|
---|
554 | if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
|
---|
555 | if (!BN_sub(ret, rsa->n, ret))
|
---|
556 | goto err;
|
---|
557 |
|
---|
558 | p = buf;
|
---|
559 | i = BN_bn2bin(ret, p);
|
---|
560 |
|
---|
561 | switch (padding) {
|
---|
562 | case RSA_PKCS1_PADDING:
|
---|
563 | r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
|
---|
564 | break;
|
---|
565 | case RSA_X931_PADDING:
|
---|
566 | r = RSA_padding_check_X931(to, num, buf, i, num);
|
---|
567 | break;
|
---|
568 | case RSA_NO_PADDING:
|
---|
569 | r = RSA_padding_check_none(to, num, buf, i, num);
|
---|
570 | break;
|
---|
571 | default:
|
---|
572 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
---|
573 | goto err;
|
---|
574 | }
|
---|
575 | if (r < 0)
|
---|
576 | RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
|
---|
577 |
|
---|
578 | err:
|
---|
579 | if (ctx != NULL)
|
---|
580 | BN_CTX_end(ctx);
|
---|
581 | BN_CTX_free(ctx);
|
---|
582 | OPENSSL_clear_free(buf, num);
|
---|
583 | return (r);
|
---|
584 | }
|
---|
585 |
|
---|
586 | static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
---|
587 | {
|
---|
588 | BIGNUM *r1, *m1, *vrfy;
|
---|
589 | int ret = 0;
|
---|
590 |
|
---|
591 | BN_CTX_start(ctx);
|
---|
592 |
|
---|
593 | r1 = BN_CTX_get(ctx);
|
---|
594 | m1 = BN_CTX_get(ctx);
|
---|
595 | vrfy = BN_CTX_get(ctx);
|
---|
596 |
|
---|
597 | {
|
---|
598 | BIGNUM *p = BN_new(), *q = BN_new();
|
---|
599 |
|
---|
600 | /*
|
---|
601 | * Make sure BN_mod_inverse in Montgomery initialization uses the
|
---|
602 | * BN_FLG_CONSTTIME flag
|
---|
603 | */
|
---|
604 | if (p == NULL || q == NULL) {
|
---|
605 | BN_free(p);
|
---|
606 | BN_free(q);
|
---|
607 | goto err;
|
---|
608 | }
|
---|
609 | BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
|
---|
610 | BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
|
---|
611 |
|
---|
612 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
|
---|
613 | if (!BN_MONT_CTX_set_locked
|
---|
614 | (&rsa->_method_mod_p, rsa->lock, p, ctx)
|
---|
615 | || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
|
---|
616 | rsa->lock, q, ctx)) {
|
---|
617 | BN_free(p);
|
---|
618 | BN_free(q);
|
---|
619 | goto err;
|
---|
620 | }
|
---|
621 | }
|
---|
622 | /*
|
---|
623 | * We MUST free p and q before any further use of rsa->p and rsa->q
|
---|
624 | */
|
---|
625 | BN_free(p);
|
---|
626 | BN_free(q);
|
---|
627 | }
|
---|
628 |
|
---|
629 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
---|
630 | if (!BN_MONT_CTX_set_locked
|
---|
631 | (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
|
---|
632 | goto err;
|
---|
633 |
|
---|
634 | /* compute I mod q */
|
---|
635 | {
|
---|
636 | BIGNUM *c = BN_new();
|
---|
637 | if (c == NULL)
|
---|
638 | goto err;
|
---|
639 | BN_with_flags(c, I, BN_FLG_CONSTTIME);
|
---|
640 |
|
---|
641 | if (!BN_mod(r1, c, rsa->q, ctx)) {
|
---|
642 | BN_free(c);
|
---|
643 | goto err;
|
---|
644 | }
|
---|
645 |
|
---|
646 | {
|
---|
647 | BIGNUM *dmq1 = BN_new();
|
---|
648 | if (dmq1 == NULL) {
|
---|
649 | BN_free(c);
|
---|
650 | goto err;
|
---|
651 | }
|
---|
652 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
|
---|
653 |
|
---|
654 | /* compute r1^dmq1 mod q */
|
---|
655 | if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
|
---|
656 | rsa->_method_mod_q)) {
|
---|
657 | BN_free(c);
|
---|
658 | BN_free(dmq1);
|
---|
659 | goto err;
|
---|
660 | }
|
---|
661 | /* We MUST free dmq1 before any further use of rsa->dmq1 */
|
---|
662 | BN_free(dmq1);
|
---|
663 | }
|
---|
664 |
|
---|
665 | /* compute I mod p */
|
---|
666 | if (!BN_mod(r1, c, rsa->p, ctx)) {
|
---|
667 | BN_free(c);
|
---|
668 | goto err;
|
---|
669 | }
|
---|
670 | /* We MUST free c before any further use of I */
|
---|
671 | BN_free(c);
|
---|
672 | }
|
---|
673 |
|
---|
674 | {
|
---|
675 | BIGNUM *dmp1 = BN_new();
|
---|
676 | if (dmp1 == NULL)
|
---|
677 | goto err;
|
---|
678 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
|
---|
679 |
|
---|
680 | /* compute r1^dmp1 mod p */
|
---|
681 | if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
|
---|
682 | rsa->_method_mod_p)) {
|
---|
683 | BN_free(dmp1);
|
---|
684 | goto err;
|
---|
685 | }
|
---|
686 | /* We MUST free dmp1 before any further use of rsa->dmp1 */
|
---|
687 | BN_free(dmp1);
|
---|
688 | }
|
---|
689 |
|
---|
690 | if (!BN_sub(r0, r0, m1))
|
---|
691 | goto err;
|
---|
692 | /*
|
---|
693 | * This will help stop the size of r0 increasing, which does affect the
|
---|
694 | * multiply if it optimised for a power of 2 size
|
---|
695 | */
|
---|
696 | if (BN_is_negative(r0))
|
---|
697 | if (!BN_add(r0, r0, rsa->p))
|
---|
698 | goto err;
|
---|
699 |
|
---|
700 | if (!BN_mul(r1, r0, rsa->iqmp, ctx))
|
---|
701 | goto err;
|
---|
702 |
|
---|
703 | {
|
---|
704 | BIGNUM *pr1 = BN_new();
|
---|
705 | if (pr1 == NULL)
|
---|
706 | goto err;
|
---|
707 | BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
|
---|
708 |
|
---|
709 | if (!BN_mod(r0, pr1, rsa->p, ctx)) {
|
---|
710 | BN_free(pr1);
|
---|
711 | goto err;
|
---|
712 | }
|
---|
713 | /* We MUST free pr1 before any further use of r1 */
|
---|
714 | BN_free(pr1);
|
---|
715 | }
|
---|
716 |
|
---|
717 | /*
|
---|
718 | * If p < q it is occasionally possible for the correction of adding 'p'
|
---|
719 | * if r0 is negative above to leave the result still negative. This can
|
---|
720 | * break the private key operations: the following second correction
|
---|
721 | * should *always* correct this rare occurrence. This will *never* happen
|
---|
722 | * with OpenSSL generated keys because they ensure p > q [steve]
|
---|
723 | */
|
---|
724 | if (BN_is_negative(r0))
|
---|
725 | if (!BN_add(r0, r0, rsa->p))
|
---|
726 | goto err;
|
---|
727 | if (!BN_mul(r1, r0, rsa->q, ctx))
|
---|
728 | goto err;
|
---|
729 | if (!BN_add(r0, r1, m1))
|
---|
730 | goto err;
|
---|
731 |
|
---|
732 | if (rsa->e && rsa->n) {
|
---|
733 | if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
|
---|
734 | rsa->_method_mod_n))
|
---|
735 | goto err;
|
---|
736 | /*
|
---|
737 | * If 'I' was greater than (or equal to) rsa->n, the operation will
|
---|
738 | * be equivalent to using 'I mod n'. However, the result of the
|
---|
739 | * verify will *always* be less than 'n' so we don't check for
|
---|
740 | * absolute equality, just congruency.
|
---|
741 | */
|
---|
742 | if (!BN_sub(vrfy, vrfy, I))
|
---|
743 | goto err;
|
---|
744 | if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
|
---|
745 | goto err;
|
---|
746 | if (BN_is_negative(vrfy))
|
---|
747 | if (!BN_add(vrfy, vrfy, rsa->n))
|
---|
748 | goto err;
|
---|
749 | if (!BN_is_zero(vrfy)) {
|
---|
750 | /*
|
---|
751 | * 'I' and 'vrfy' aren't congruent mod n. Don't leak
|
---|
752 | * miscalculated CRT output, just do a raw (slower) mod_exp and
|
---|
753 | * return that instead.
|
---|
754 | */
|
---|
755 |
|
---|
756 | BIGNUM *d = BN_new();
|
---|
757 | if (d == NULL)
|
---|
758 | goto err;
|
---|
759 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
---|
760 |
|
---|
761 | if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
|
---|
762 | rsa->_method_mod_n)) {
|
---|
763 | BN_free(d);
|
---|
764 | goto err;
|
---|
765 | }
|
---|
766 | /* We MUST free d before any further use of rsa->d */
|
---|
767 | BN_free(d);
|
---|
768 | }
|
---|
769 | }
|
---|
770 | ret = 1;
|
---|
771 | err:
|
---|
772 | BN_CTX_end(ctx);
|
---|
773 | return (ret);
|
---|
774 | }
|
---|
775 |
|
---|
776 | static int rsa_ossl_init(RSA *rsa)
|
---|
777 | {
|
---|
778 | rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
|
---|
779 | return (1);
|
---|
780 | }
|
---|
781 |
|
---|
782 | static int rsa_ossl_finish(RSA *rsa)
|
---|
783 | {
|
---|
784 | BN_MONT_CTX_free(rsa->_method_mod_n);
|
---|
785 | BN_MONT_CTX_free(rsa->_method_mod_p);
|
---|
786 | BN_MONT_CTX_free(rsa->_method_mod_q);
|
---|
787 | return (1);
|
---|
788 | }
|
---|
789 |
|
---|
790 | #endif
|
---|