summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_eay.c
diff options
context:
space:
mode:
authormiod <>2014-07-09 08:20:08 +0000
committermiod <>2014-07-09 08:20:08 +0000
commit8cbe58f0d357b14b0ce292d336469d0554a567bc (patch)
tree07872a7ef59da8cea3b3b4a101fa3580e4d658c0 /src/lib/libcrypto/rsa/rsa_eay.c
parentbc1209e388500a20f5e75cab35d1b543ce0bbe74 (diff)
downloadopenbsd-8cbe58f0d357b14b0ce292d336469d0554a567bc.tar.gz
openbsd-8cbe58f0d357b14b0ce292d336469d0554a567bc.tar.bz2
openbsd-8cbe58f0d357b14b0ce292d336469d0554a567bc.zip
KNF
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c794
1 files changed, 397 insertions, 397 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 9e17483e09..7b294e761e 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_eay.c,v 1.28 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_eay.c,v 1.29 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -140,114 +140,114 @@ static RSA_METHOD rsa_pkcs1_eay_meth = {
140 .finish = RSA_eay_finish, 140 .finish = RSA_eay_finish,
141}; 141};
142 142
143const RSA_METHOD *RSA_PKCS1_SSLeay(void) 143const RSA_METHOD *
144 { 144RSA_PKCS1_SSLeay(void)
145 return(&rsa_pkcs1_eay_meth); 145{
146 } 146 return &rsa_pkcs1_eay_meth;
147}
147 148
148static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 149static int
149 unsigned char *to, RSA *rsa, int padding) 150RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
150 { 151 RSA *rsa, int padding)
151 BIGNUM *f,*ret; 152{
152 int i,j,k,num=0,r= -1; 153 BIGNUM *f, *ret;
153 unsigned char *buf=NULL; 154 int i, j, k, num = 0, r = -1;
154 BN_CTX *ctx=NULL; 155 unsigned char *buf = NULL;
156 BN_CTX *ctx = NULL;
155 157
156 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 158 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
157 {
158 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 159 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
159 return -1; 160 return -1;
160 } 161 }
161 162
162 if (BN_ucmp(rsa->n, rsa->e) <= 0) 163 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
163 {
164 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 164 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
165 return -1; 165 return -1;
166 } 166 }
167 167
168 /* for large moduli, enforce exponent limit */ 168 /* for large moduli, enforce exponent limit */
169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
170 { 170 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
171 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
172 {
173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 171 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
174 return -1; 172 return -1;
175 }
176 } 173 }
174 }
177 175
178 if ((ctx=BN_CTX_new()) == NULL) goto err; 176 if ((ctx=BN_CTX_new()) == NULL)
177 goto err;
179 BN_CTX_start(ctx); 178 BN_CTX_start(ctx);
180 f = BN_CTX_get(ctx); 179 f = BN_CTX_get(ctx);
181 ret = BN_CTX_get(ctx); 180 ret = BN_CTX_get(ctx);
182 num=BN_num_bytes(rsa->n); 181 num = BN_num_bytes(rsa->n);
183 buf = malloc(num); 182 buf = malloc(num);
184 if (!f || !ret || !buf) 183 if (!f || !ret || !buf) {
185 {
186 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 184 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
187 goto err; 185 goto err;
188 } 186 }
189 187
190 switch (padding) 188 switch (padding) {
191 {
192 case RSA_PKCS1_PADDING: 189 case RSA_PKCS1_PADDING:
193 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 190 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
194 break; 191 break;
195#ifndef OPENSSL_NO_SHA 192#ifndef OPENSSL_NO_SHA
196 case RSA_PKCS1_OAEP_PADDING: 193 case RSA_PKCS1_OAEP_PADDING:
197 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 194 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
198 break; 195 break;
199#endif 196#endif
200 case RSA_SSLV23_PADDING: 197 case RSA_SSLV23_PADDING:
201 i=RSA_padding_add_SSLv23(buf,num,from,flen); 198 i = RSA_padding_add_SSLv23(buf, num, from, flen);
202 break; 199 break;
203 case RSA_NO_PADDING: 200 case RSA_NO_PADDING:
204 i=RSA_padding_add_none(buf,num,from,flen); 201 i = RSA_padding_add_none(buf, num, from, flen);
205 break; 202 break;
206 default: 203 default:
207 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 204 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
205 RSA_R_UNKNOWN_PADDING_TYPE);
206 goto err;
207 }
208 if (i <= 0)
208 goto err; 209 goto err;
209 }
210 if (i <= 0) goto err;
211 210
212 if (BN_bin2bn(buf,num,f) == NULL) goto err; 211 if (BN_bin2bn(buf, num, f) == NULL)
212 goto err;
213 213
214 if (BN_ucmp(f, rsa->n) >= 0) 214 if (BN_ucmp(f, rsa->n) >= 0) {
215 {
216 /* usually the padding functions would catch this */ 215 /* usually the padding functions would catch this */
217 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 216 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
217 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
218 goto err; 218 goto err;
219 } 219 }
220 220
221 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 221 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
222 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 222 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
223 CRYPTO_LOCK_RSA, rsa->n, ctx))
223 goto err; 224 goto err;
224 225
225 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 226 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, rsa->_method_mod_n))
226 rsa->_method_mod_n)) goto err; 227 goto err;
227 228
228 /* put in leading 0 bytes if the number is less than the 229 /* put in leading 0 bytes if the number is less than the
229 * length of the modulus */ 230 * length of the modulus */
230 j=BN_num_bytes(ret); 231 j = BN_num_bytes(ret);
231 i=BN_bn2bin(ret,&(to[num-j])); 232 i = BN_bn2bin(ret, &(to[num - j]));
232 for (k=0; k<(num-i); k++) 233 for (k = 0; k < num - i; k++)
233 to[k]=0; 234 to[k] = 0;
234 235
235 r=num; 236 r = num;
236err: 237err:
237 if (ctx != NULL) 238 if (ctx != NULL) {
238 {
239 BN_CTX_end(ctx); 239 BN_CTX_end(ctx);
240 BN_CTX_free(ctx); 240 BN_CTX_free(ctx);
241 } 241 }
242 if (buf != NULL) 242 if (buf != NULL) {
243 { 243 OPENSSL_cleanse(buf, num);
244 OPENSSL_cleanse(buf,num);
245 free(buf); 244 free(buf);
246 }
247 return(r);
248 } 245 }
246 return r;
247}
249 248
250static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 249static BN_BLINDING *
250rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
251{ 251{
252 BN_BLINDING *ret; 252 BN_BLINDING *ret;
253 int got_write_lock = 0; 253 int got_write_lock = 0;
@@ -255,53 +255,47 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
255 255
256 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 256 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
257 257
258 if (rsa->blinding == NULL) 258 if (rsa->blinding == NULL) {
259 {
260 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 259 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
261 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 260 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
262 got_write_lock = 1; 261 got_write_lock = 1;
263 262
264 if (rsa->blinding == NULL) 263 if (rsa->blinding == NULL)
265 rsa->blinding = RSA_setup_blinding(rsa, ctx); 264 rsa->blinding = RSA_setup_blinding(rsa, ctx);
266 } 265 }
267 266
268 ret = rsa->blinding; 267 ret = rsa->blinding;
269 if (ret == NULL) 268 if (ret == NULL)
270 goto err; 269 goto err;
271 270
272 CRYPTO_THREADID_current(&cur); 271 CRYPTO_THREADID_current(&cur);
273 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) 272 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
274 {
275 /* rsa->blinding is ours! */ 273 /* rsa->blinding is ours! */
276
277 *local = 1; 274 *local = 1;
278 } 275 } else {
279 else
280 {
281 /* resort to rsa->mt_blinding instead */ 276 /* resort to rsa->mt_blinding instead */
277 /*
278 * Instruct rsa_blinding_convert(), rsa_blinding_invert()
279 * that the BN_BLINDING is shared, meaning that accesses
280 * require locks, and that the blinding factor must be
281 * stored outside the BN_BLINDING
282 */
283 *local = 0;
282 284
283 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() 285 if (rsa->mt_blinding == NULL) {
284 * that the BN_BLINDING is shared, meaning that accesses 286 if (!got_write_lock) {
285 * require locks, and that the blinding factor must be
286 * stored outside the BN_BLINDING
287 */
288
289 if (rsa->mt_blinding == NULL)
290 {
291 if (!got_write_lock)
292 {
293 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 287 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
294 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 288 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
295 got_write_lock = 1; 289 got_write_lock = 1;
296 } 290 }
297 291
298 if (rsa->mt_blinding == NULL) 292 if (rsa->mt_blinding == NULL)
299 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 293 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
300 }
301 ret = rsa->mt_blinding;
302 } 294 }
295 ret = rsa->mt_blinding;
296 }
303 297
304 err: 298err:
305 if (got_write_lock) 299 if (got_write_lock)
306 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 300 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
307 else 301 else
@@ -309,29 +303,33 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
309 return ret; 303 return ret;
310} 304}
311 305
312static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 306static int
313 BN_CTX *ctx) 307rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
314 { 308{
315 if (unblind == NULL) 309 if (unblind == NULL)
316 /* Local blinding: store the unblinding factor 310 /*
317 * in BN_BLINDING. */ 311 * Local blinding: store the unblinding factor
312 * in BN_BLINDING.
313 */
318 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 314 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
319 else 315 else {
320 { 316 /*
321 /* Shared blinding: store the unblinding factor 317 * Shared blinding: store the unblinding factor
322 * outside BN_BLINDING. */ 318 * outside BN_BLINDING.
319 */
323 int ret; 320 int ret;
324 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 321 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
325 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 322 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
326 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 323 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
327 return ret; 324 return ret;
328 }
329 } 325 }
326}
330 327
331static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 328static int
332 BN_CTX *ctx) 329rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
333 { 330{
334 /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 331 /*
332 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
335 * will use the unblinding factor stored in BN_BLINDING. 333 * will use the unblinding factor stored in BN_BLINDING.
336 * If BN_BLINDING is shared between threads, unblind must be non-null: 334 * If BN_BLINDING is shared between threads, unblind must be non-null:
337 * BN_BLINDING_invert_ex will then use the local unblinding factor, 335 * BN_BLINDING_invert_ex will then use the local unblinding factor,
@@ -339,402 +337,392 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
339 * In both cases it's safe to access the blinding without a lock. 337 * In both cases it's safe to access the blinding without a lock.
340 */ 338 */
341 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 339 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
342 } 340}
343 341
344/* signing */ 342/* signing */
345static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 343static int
346 unsigned char *to, RSA *rsa, int padding) 344RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
347 { 345 RSA *rsa, int padding)
346{
348 BIGNUM *f, *ret, *res; 347 BIGNUM *f, *ret, *res;
349 int i,j,k,num=0,r= -1; 348 int i, j, k, num = 0, r = -1;
350 unsigned char *buf=NULL; 349 unsigned char *buf = NULL;
351 BN_CTX *ctx=NULL; 350 BN_CTX *ctx = NULL;
352 int local_blinding = 0; 351 int local_blinding = 0;
353 /* Used only if the blinding structure is shared. A non-NULL unblind 352 /*
353 * Used only if the blinding structure is shared. A non-NULL unblind
354 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 354 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
355 * the unblinding factor outside the blinding structure. */ 355 * the unblinding factor outside the blinding structure.
356 */
356 BIGNUM *unblind = NULL; 357 BIGNUM *unblind = NULL;
357 BN_BLINDING *blinding = NULL; 358 BN_BLINDING *blinding = NULL;
358 359
359 if ((ctx=BN_CTX_new()) == NULL) goto err; 360 if ((ctx=BN_CTX_new()) == NULL)
361 goto err;
360 BN_CTX_start(ctx); 362 BN_CTX_start(ctx);
361 f = BN_CTX_get(ctx); 363 f = BN_CTX_get(ctx);
362 ret = BN_CTX_get(ctx); 364 ret = BN_CTX_get(ctx);
363 num = BN_num_bytes(rsa->n); 365 num = BN_num_bytes(rsa->n);
364 buf = malloc(num); 366 buf = malloc(num);
365 if(!f || !ret || !buf) 367 if (!f || !ret || !buf) {
366 { 368 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
367 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
368 goto err; 369 goto err;
369 } 370 }
370 371
371 switch (padding) 372 switch (padding) {
372 {
373 case RSA_PKCS1_PADDING: 373 case RSA_PKCS1_PADDING:
374 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 374 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
375 break; 375 break;
376 case RSA_X931_PADDING: 376 case RSA_X931_PADDING:
377 i=RSA_padding_add_X931(buf,num,from,flen); 377 i = RSA_padding_add_X931(buf, num, from, flen);
378 break; 378 break;
379 case RSA_NO_PADDING: 379 case RSA_NO_PADDING:
380 i=RSA_padding_add_none(buf,num,from,flen); 380 i = RSA_padding_add_none(buf, num, from, flen);
381 break; 381 break;
382 case RSA_SSLV23_PADDING: 382 case RSA_SSLV23_PADDING:
383 default: 383 default:
384 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 384 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
385 RSA_R_UNKNOWN_PADDING_TYPE);
386 goto err;
387 }
388 if (i <= 0)
385 goto err; 389 goto err;
386 }
387 if (i <= 0) goto err;
388 390
389 if (BN_bin2bn(buf,num,f) == NULL) goto err; 391 if (BN_bin2bn(buf,num,f) == NULL)
392 goto err;
390 393
391 if (BN_ucmp(f, rsa->n) >= 0) 394 if (BN_ucmp(f, rsa->n) >= 0) {
392 {
393 /* usually the padding functions would catch this */ 395 /* usually the padding functions would catch this */
394 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 396 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
397 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
395 goto err; 398 goto err;
396 } 399 }
397 400
398 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 401 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
399 {
400 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 402 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
401 if (blinding == NULL) 403 if (blinding == NULL) {
402 { 404 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
403 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 405 ERR_R_INTERNAL_ERROR);
404 goto err; 406 goto err;
405 }
406 } 407 }
408 }
407 409
408 if (blinding != NULL) 410 if (blinding != NULL) {
409 { 411 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
410 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) 412 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
411 { 413 ERR_R_MALLOC_FAILURE);
412 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
413 goto err; 414 goto err;
414 } 415 }
415 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 416 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
416 goto err; 417 goto err;
417 } 418 }
418 419
419 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 420 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
420 ((rsa->p != NULL) && 421 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
421 (rsa->q != NULL) && 422 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
422 (rsa->dmp1 != NULL) && 423 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
423 (rsa->dmq1 != NULL) && 424 goto err;
424 (rsa->iqmp != NULL)) ) 425 } else {
425 {
426 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
427 }
428 else
429 {
430 BIGNUM local_d; 426 BIGNUM local_d;
431 BIGNUM *d = NULL; 427 BIGNUM *d = NULL;
432 428
433 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 429 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
434 {
435 BN_init(&local_d); 430 BN_init(&local_d);
436 d = &local_d; 431 d = &local_d;
437 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 432 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
438 } 433 } else
439 else 434 d = rsa->d;
440 d= rsa->d;
441 435
442 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 436 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
443 if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 437 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
438 CRYPTO_LOCK_RSA, rsa->n, ctx))
444 goto err; 439 goto err;
445 440
446 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 441 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n,ctx,
447 rsa->_method_mod_n)) goto err; 442 rsa->_method_mod_n))
448 } 443 goto err;
444 }
449 445
450 if (blinding) 446 if (blinding)
451 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 447 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
452 goto err; 448 goto err;
453 449
454 if (padding == RSA_X931_PADDING) 450 if (padding == RSA_X931_PADDING) {
455 {
456 BN_sub(f, rsa->n, ret); 451 BN_sub(f, rsa->n, ret);
457 if (BN_cmp(ret, f)) 452 if (BN_cmp(ret, f))
458 res = f; 453 res = f;
459 else 454 else
460 res = ret; 455 res = ret;
461 } 456 } else
462 else
463 res = ret; 457 res = ret;
464 458
465 /* put in leading 0 bytes if the number is less than the 459 /* put in leading 0 bytes if the number is less than the
466 * length of the modulus */ 460 * length of the modulus */
467 j=BN_num_bytes(res); 461 j = BN_num_bytes(res);
468 i=BN_bn2bin(res,&(to[num-j])); 462 i = BN_bn2bin(res, &(to[num - j]));
469 for (k=0; k<(num-i); k++) 463 for (k = 0; k < num - i; k++)
470 to[k]=0; 464 to[k] = 0;
471 465
472 r=num; 466 r = num;
473err: 467err:
474 if (ctx != NULL) 468 if (ctx != NULL) {
475 {
476 BN_CTX_end(ctx); 469 BN_CTX_end(ctx);
477 BN_CTX_free(ctx); 470 BN_CTX_free(ctx);
478 } 471 }
479 if (buf != NULL) 472 if (buf != NULL) {
480 { 473 OPENSSL_cleanse(buf, num);
481 OPENSSL_cleanse(buf,num);
482 free(buf); 474 free(buf);
483 }
484 return(r);
485 } 475 }
476 return r;
477}
486 478
487static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 479static int
488 unsigned char *to, RSA *rsa, int padding) 480RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
489 { 481 RSA *rsa, int padding)
482{
490 BIGNUM *f, *ret; 483 BIGNUM *f, *ret;
491 int j,num=0,r= -1; 484 int j, num = 0, r = -1;
492 unsigned char *p; 485 unsigned char *p;
493 unsigned char *buf=NULL; 486 unsigned char *buf = NULL;
494 BN_CTX *ctx=NULL; 487 BN_CTX *ctx = NULL;
495 int local_blinding = 0; 488 int local_blinding = 0;
496 /* Used only if the blinding structure is shared. A non-NULL unblind 489 /*
490 * Used only if the blinding structure is shared. A non-NULL unblind
497 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 491 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
498 * the unblinding factor outside the blinding structure. */ 492 * the unblinding factor outside the blinding structure.
493 */
499 BIGNUM *unblind = NULL; 494 BIGNUM *unblind = NULL;
500 BN_BLINDING *blinding = NULL; 495 BN_BLINDING *blinding = NULL;
501 496
502 if((ctx = BN_CTX_new()) == NULL) goto err; 497 if ((ctx = BN_CTX_new()) == NULL)
498 goto err;
503 BN_CTX_start(ctx); 499 BN_CTX_start(ctx);
504 f = BN_CTX_get(ctx); 500 f = BN_CTX_get(ctx);
505 ret = BN_CTX_get(ctx); 501 ret = BN_CTX_get(ctx);
506 num = BN_num_bytes(rsa->n); 502 num = BN_num_bytes(rsa->n);
507 buf = malloc(num); 503 buf = malloc(num);
508 if(!f || !ret || !buf) 504 if (!f || !ret || !buf) {
509 { 505 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
510 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
511 goto err; 506 goto err;
512 } 507 }
513 508
514 /* This check was for equality but PGP does evil things 509 /* This check was for equality but PGP does evil things
515 * and chops off the top '0' bytes */ 510 * and chops off the top '0' bytes */
516 if (flen > num) 511 if (flen > num) {
517 { 512 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
518 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 513 RSA_R_DATA_GREATER_THAN_MOD_LEN);
519 goto err; 514 goto err;
520 } 515 }
521 516
522 /* make data into a big number */ 517 /* make data into a big number */
523 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; 518 if (BN_bin2bn(from, (int)flen, f) == NULL)
519 goto err;
524 520
525 if (BN_ucmp(f, rsa->n) >= 0) 521 if (BN_ucmp(f, rsa->n) >= 0) {
526 { 522 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
527 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 523 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
528 goto err; 524 goto err;
529 } 525 }
530 526
531 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 527 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
532 {
533 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 528 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
534 if (blinding == NULL) 529 if (blinding == NULL) {
535 { 530 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
536 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 531 ERR_R_INTERNAL_ERROR);
537 goto err; 532 goto err;
538 }
539 } 533 }
534 }
540 535
541 if (blinding != NULL) 536 if (blinding != NULL) {
542 { 537 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
543 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) 538 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
544 { 539 ERR_R_MALLOC_FAILURE);
545 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
546 goto err; 540 goto err;
547 } 541 }
548 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 542 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
549 goto err; 543 goto err;
550 } 544 }
551 545
552 /* do the decrypt */ 546 /* do the decrypt */
553 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 547 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
554 ((rsa->p != NULL) && 548 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
555 (rsa->q != NULL) && 549 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
556 (rsa->dmp1 != NULL) && 550 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
557 (rsa->dmq1 != NULL) && 551 goto err;
558 (rsa->iqmp != NULL)) ) 552 } else {
559 {
560 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
561 }
562 else
563 {
564 BIGNUM local_d; 553 BIGNUM local_d;
565 BIGNUM *d = NULL; 554 BIGNUM *d = NULL;
566 555
567 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 556 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
568 {
569 d = &local_d; 557 d = &local_d;
570 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 558 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
571 } 559 } else
572 else
573 d = rsa->d; 560 d = rsa->d;
574 561
575 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 562 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
576 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 563 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
564 CRYPTO_LOCK_RSA, rsa->n, ctx))
577 goto err; 565 goto err;
578 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 566 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
579 rsa->_method_mod_n)) 567 rsa->_method_mod_n))
580 goto err; 568 goto err;
581 } 569 }
582 570
583 if (blinding) 571 if (blinding)
584 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 572 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
585 goto err; 573 goto err;
586 574
587 p=buf; 575 p = buf;
588 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ 576 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
589 577
590 switch (padding) 578 switch (padding) {
591 {
592 case RSA_PKCS1_PADDING: 579 case RSA_PKCS1_PADDING:
593 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 580 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
594 break; 581 break;
595#ifndef OPENSSL_NO_SHA 582#ifndef OPENSSL_NO_SHA
596 case RSA_PKCS1_OAEP_PADDING: 583 case RSA_PKCS1_OAEP_PADDING:
597 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 584 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
598 break; 585 break;
599#endif 586#endif
600 case RSA_SSLV23_PADDING: 587 case RSA_SSLV23_PADDING:
601 r=RSA_padding_check_SSLv23(to,num,buf,j,num); 588 r = RSA_padding_check_SSLv23(to, num, buf, j, num);
602 break; 589 break;
603 case RSA_NO_PADDING: 590 case RSA_NO_PADDING:
604 r=RSA_padding_check_none(to,num,buf,j,num); 591 r = RSA_padding_check_none(to, num, buf, j, num);
605 break; 592 break;
606 default: 593 default:
607 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 594 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
595 RSA_R_UNKNOWN_PADDING_TYPE);
608 goto err; 596 goto err;
609 } 597 }
610 if (r < 0) 598 if (r < 0)
611 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 599 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
600 RSA_R_PADDING_CHECK_FAILED);
612 601
613err: 602err:
614 if (ctx != NULL) 603 if (ctx != NULL) {
615 {
616 BN_CTX_end(ctx); 604 BN_CTX_end(ctx);
617 BN_CTX_free(ctx); 605 BN_CTX_free(ctx);
618 } 606 }
619 if (buf != NULL) 607 if (buf != NULL) {
620 {
621 OPENSSL_cleanse(buf,num); 608 OPENSSL_cleanse(buf,num);
622 free(buf); 609 free(buf);
623 }
624 return(r);
625 } 610 }
611 return r;
612}
626 613
627/* signature verification */ 614/* signature verification */
628static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 615static int
629 unsigned char *to, RSA *rsa, int padding) 616RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
630 { 617 RSA *rsa, int padding)
631 BIGNUM *f,*ret; 618{
632 int i,num=0,r= -1; 619 BIGNUM *f, *ret;
620 int i, num = 0,r = -1;
633 unsigned char *p; 621 unsigned char *p;
634 unsigned char *buf=NULL; 622 unsigned char *buf = NULL;
635 BN_CTX *ctx=NULL; 623 BN_CTX *ctx = NULL;
636 624
637 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 625 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
638 {
639 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 626 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
640 return -1; 627 return -1;
641 } 628 }
642 629
643 if (BN_ucmp(rsa->n, rsa->e) <= 0) 630 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
644 {
645 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 631 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
646 return -1; 632 return -1;
647 } 633 }
648 634
649 /* for large moduli, enforce exponent limit */ 635 /* for large moduli, enforce exponent limit */
650 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 636 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
651 { 637 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
652 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
653 {
654 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 638 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
655 return -1; 639 return -1;
656 }
657 } 640 }
641 }
658 642
659 if((ctx = BN_CTX_new()) == NULL) goto err; 643 if ((ctx = BN_CTX_new()) == NULL)
644 goto err;
660 BN_CTX_start(ctx); 645 BN_CTX_start(ctx);
661 f = BN_CTX_get(ctx); 646 f = BN_CTX_get(ctx);
662 ret = BN_CTX_get(ctx); 647 ret = BN_CTX_get(ctx);
663 num=BN_num_bytes(rsa->n); 648 num = BN_num_bytes(rsa->n);
664 buf = malloc(num); 649 buf = malloc(num);
665 if(!f || !ret || !buf) 650 if (!f || !ret || !buf) {
666 { 651 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
667 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
668 goto err; 652 goto err;
669 } 653 }
670 654
671 /* This check was for equality but PGP does evil things 655 /* This check was for equality but PGP does evil things
672 * and chops off the top '0' bytes */ 656 * and chops off the top '0' bytes */
673 if (flen > num) 657 if (flen > num) {
674 { 658 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
675 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 659 RSA_R_DATA_GREATER_THAN_MOD_LEN);
676 goto err; 660 goto err;
677 } 661 }
678 662
679 if (BN_bin2bn(from,flen,f) == NULL) goto err; 663 if (BN_bin2bn(from,flen,f) == NULL)
664 goto err;
680 665
681 if (BN_ucmp(f, rsa->n) >= 0) 666 if (BN_ucmp(f, rsa->n) >= 0) {
682 { 667 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
683 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 668 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
684 goto err; 669 goto err;
685 } 670 }
686 671
687 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 672 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
688 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 673 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
674 CRYPTO_LOCK_RSA, rsa->n, ctx))
689 goto err; 675 goto err;
690 676
691 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 677 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
692 rsa->_method_mod_n)) goto err; 678 rsa->_method_mod_n))
679 goto err;
693 680
694 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 681 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
695 if (!BN_sub(ret, rsa->n, ret)) goto err; 682 if (!BN_sub(ret, rsa->n, ret))
683 goto err;
696 684
697 p=buf; 685 p = buf;
698 i=BN_bn2bin(ret,p); 686 i = BN_bn2bin(ret, p);
699 687
700 switch (padding) 688 switch (padding) {
701 {
702 case RSA_PKCS1_PADDING: 689 case RSA_PKCS1_PADDING:
703 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 690 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
704 break; 691 break;
705 case RSA_X931_PADDING: 692 case RSA_X931_PADDING:
706 r=RSA_padding_check_X931(to,num,buf,i,num); 693 r = RSA_padding_check_X931(to, num, buf, i, num);
707 break; 694 break;
708 case RSA_NO_PADDING: 695 case RSA_NO_PADDING:
709 r=RSA_padding_check_none(to,num,buf,i,num); 696 r = RSA_padding_check_none(to, num, buf, i, num);
710 break; 697 break;
711 default: 698 default:
712 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 699 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
700 RSA_R_UNKNOWN_PADDING_TYPE);
713 goto err; 701 goto err;
714 } 702 }
715 if (r < 0) 703 if (r < 0)
716 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 704 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
705 RSA_R_PADDING_CHECK_FAILED);
717 706
718err: 707err:
719 if (ctx != NULL) 708 if (ctx != NULL) {
720 {
721 BN_CTX_end(ctx); 709 BN_CTX_end(ctx);
722 BN_CTX_free(ctx); 710 BN_CTX_free(ctx);
723 } 711 }
724 if (buf != NULL) 712 if (buf != NULL) {
725 { 713 OPENSSL_cleanse(buf, num);
726 OPENSSL_cleanse(buf,num);
727 free(buf); 714 free(buf);
728 }
729 return(r);
730 } 715 }
716 return r;
717}
731 718
732static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 719static int
733 { 720RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
734 BIGNUM *r1,*m1,*vrfy; 721{
735 BIGNUM local_dmp1,local_dmq1,local_c,local_r1; 722 BIGNUM *r1, *m1, *vrfy;
736 BIGNUM *dmp1,*dmq1,*c,*pr1; 723 BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
737 int ret=0; 724 BIGNUM *dmp1, *dmq1, *c, *pr1;
725 int ret = 0;
738 726
739 BN_CTX_start(ctx); 727 BN_CTX_start(ctx);
740 r1 = BN_CTX_get(ctx); 728 r1 = BN_CTX_get(ctx);
@@ -745,11 +733,11 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
745 BIGNUM local_p, local_q; 733 BIGNUM local_p, local_q;
746 BIGNUM *p = NULL, *q = NULL; 734 BIGNUM *p = NULL, *q = NULL;
747 735
748 /* Make sure BN_mod_inverse in Montgomery intialization uses the 736 /*
737 * Make sure BN_mod_inverse in Montgomery intialization uses the
749 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 738 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
750 */ 739 */
751 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 740 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
752 {
753 BN_init(&local_p); 741 BN_init(&local_p);
754 p = &local_p; 742 p = &local_p;
755 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 743 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
@@ -757,91 +745,92 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
757 BN_init(&local_q); 745 BN_init(&local_q);
758 q = &local_q; 746 q = &local_q;
759 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 747 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
760 } 748 } else {
761 else
762 {
763 p = rsa->p; 749 p = rsa->p;
764 q = rsa->q; 750 q = rsa->q;
765 } 751 }
766 752
767 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 753 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
768 { 754 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
769 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) 755 CRYPTO_LOCK_RSA, p, ctx))
770 goto err; 756 goto err;
771 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) 757 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
758 CRYPTO_LOCK_RSA, q, ctx))
772 goto err; 759 goto err;
773 } 760 }
774 } 761 }
775 762
776 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 763 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
777 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 764 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
765 CRYPTO_LOCK_RSA, rsa->n, ctx))
778 goto err; 766 goto err;
779 767
780 /* compute I mod q */ 768 /* compute I mod q */
781 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 769 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
782 {
783 c = &local_c; 770 c = &local_c;
784 BN_with_flags(c, I, BN_FLG_CONSTTIME); 771 BN_with_flags(c, I, BN_FLG_CONSTTIME);
785 if (!BN_mod(r1,c,rsa->q,ctx)) goto err; 772 if (!BN_mod(r1, c, rsa->q, ctx))
786 } 773 goto err;
787 else 774 } else {
788 { 775 if (!BN_mod(r1, I, rsa->q, ctx))
789 if (!BN_mod(r1,I,rsa->q,ctx)) goto err; 776 goto err;
790 } 777 }
791 778
792 /* compute r1^dmq1 mod q */ 779 /* compute r1^dmq1 mod q */
793 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 780 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
794 {
795 dmq1 = &local_dmq1; 781 dmq1 = &local_dmq1;
796 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 782 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
797 } 783 } else
798 else
799 dmq1 = rsa->dmq1; 784 dmq1 = rsa->dmq1;
800 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, 785 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
801 rsa->_method_mod_q)) goto err; 786 rsa->_method_mod_q))
787 goto err;
802 788
803 /* compute I mod p */ 789 /* compute I mod p */
804 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 790 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
805 {
806 c = &local_c; 791 c = &local_c;
807 BN_with_flags(c, I, BN_FLG_CONSTTIME); 792 BN_with_flags(c, I, BN_FLG_CONSTTIME);
808 if (!BN_mod(r1,c,rsa->p,ctx)) goto err; 793 if (!BN_mod(r1, c, rsa->p, ctx))
809 } 794 goto err;
810 else 795 } else {
811 { 796 if (!BN_mod(r1, I, rsa->p, ctx))
812 if (!BN_mod(r1,I,rsa->p,ctx)) goto err; 797 goto err;
813 } 798 }
814 799
815 /* compute r1^dmp1 mod p */ 800 /* compute r1^dmp1 mod p */
816 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 801 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
817 {
818 dmp1 = &local_dmp1; 802 dmp1 = &local_dmp1;
819 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 803 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
820 } 804 } else
821 else
822 dmp1 = rsa->dmp1; 805 dmp1 = rsa->dmp1;
823 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, 806 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p,ctx,
824 rsa->_method_mod_p)) goto err; 807 rsa->_method_mod_p))
808 goto err;
825 809
826 if (!BN_sub(r0,r0,m1)) goto err; 810 if (!BN_sub(r0, r0, m1))
827 /* This will help stop the size of r0 increasing, which does 811 goto err;
828 * affect the multiply if it optimised for a power of 2 size */ 812 /*
813 * This will help stop the size of r0 increasing, which does
814 * affect the multiply if it optimised for a power of 2 size
815 */
829 if (BN_is_negative(r0)) 816 if (BN_is_negative(r0))
830 if (!BN_add(r0,r0,rsa->p)) goto err; 817 if (!BN_add(r0, r0, rsa->p))
818 goto err;
831 819
832 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; 820 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
821 goto err;
833 822
834 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 823 /* Turn BN_FLG_CONSTTIME flag on before division operation */
835 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 824 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
836 {
837 pr1 = &local_r1; 825 pr1 = &local_r1;
838 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 826 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
839 } 827 } else
840 else
841 pr1 = r1; 828 pr1 = r1;
842 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; 829 if (!BN_mod(r0, pr1, rsa->p,ctx))
830 goto err;
843 831
844 /* If p < q it is occasionally possible for the correction of 832 /*
833 * If p < q it is occasionally possible for the correction of
845 * adding 'p' if r0 is negative above to leave the result still 834 * adding 'p' if r0 is negative above to leave the result still
846 * negative. This can break the private key operations: the following 835 * negative. This can break the private key operations: the following
847 * second correction should *always* correct this rare occurrence. 836 * second correction should *always* correct this rare occurrence.
@@ -849,62 +838,73 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
849 * they ensure p > q [steve] 838 * they ensure p > q [steve]
850 */ 839 */
851 if (BN_is_negative(r0)) 840 if (BN_is_negative(r0))
852 if (!BN_add(r0,r0,rsa->p)) goto err; 841 if (!BN_add(r0, r0, rsa->p))
853 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 842 goto err;
854 if (!BN_add(r0,r1,m1)) goto err; 843 if (!BN_mul(r1, r0, rsa->q, ctx))
855 844 goto err;
856 if (rsa->e && rsa->n) 845 if (!BN_add(r0, r1, m1))
857 { 846 goto err;
858 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; 847
859 /* If 'I' was greater than (or equal to) rsa->n, the operation 848 if (rsa->e && rsa->n) {
849 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
850 rsa->_method_mod_n))
851 goto err;
852 /*
853 * If 'I' was greater than (or equal to) rsa->n, the operation
860 * will be equivalent to using 'I mod n'. However, the result of 854 * will be equivalent to using 'I mod n'. However, the result of
861 * the verify will *always* be less than 'n' so we don't check 855 * the verify will *always* be less than 'n' so we don't check
862 * for absolute equality, just congruency. */ 856 * for absolute equality, just congruency.
863 if (!BN_sub(vrfy, vrfy, I)) goto err; 857 */
864 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; 858 if (!BN_sub(vrfy, vrfy, I))
859 goto err;
860 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
861 goto err;
865 if (BN_is_negative(vrfy)) 862 if (BN_is_negative(vrfy))
866 if (!BN_add(vrfy, vrfy, rsa->n)) goto err; 863 if (!BN_add(vrfy, vrfy, rsa->n))
867 if (!BN_is_zero(vrfy)) 864 goto err;
868 { 865 if (!BN_is_zero(vrfy)) {
869 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 866 /*
867 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
870 * miscalculated CRT output, just do a raw (slower) 868 * miscalculated CRT output, just do a raw (slower)
871 * mod_exp and return that instead. */ 869 * mod_exp and return that instead.
870 */
872 871
873 BIGNUM local_d; 872 BIGNUM local_d;
874 BIGNUM *d = NULL; 873 BIGNUM *d = NULL;
875 874
876 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 875 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
877 {
878 d = &local_d; 876 d = &local_d;
879 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 877 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
880 } 878 } else
881 else
882 d = rsa->d; 879 d = rsa->d;
883 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, 880 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
884 rsa->_method_mod_n)) goto err; 881 rsa->_method_mod_n))
885 } 882 goto err;
886 } 883 }
887 ret=1; 884 }
885 ret = 1;
888err: 886err:
889 BN_CTX_end(ctx); 887 BN_CTX_end(ctx);
890 return(ret); 888 return ret;
891 } 889}
892 890
893static int RSA_eay_init(RSA *rsa) 891static int
894 { 892RSA_eay_init(RSA *rsa)
895 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 893{
896 return(1); 894 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
897 } 895 return 1 ;
896}
898 897
899static int RSA_eay_finish(RSA *rsa) 898static int
900 { 899RSA_eay_finish(RSA *rsa)
900{
901 if (rsa->_method_mod_n != NULL) 901 if (rsa->_method_mod_n != NULL)
902 BN_MONT_CTX_free(rsa->_method_mod_n); 902 BN_MONT_CTX_free(rsa->_method_mod_n);
903 if (rsa->_method_mod_p != NULL) 903 if (rsa->_method_mod_p != NULL)
904 BN_MONT_CTX_free(rsa->_method_mod_p); 904 BN_MONT_CTX_free(rsa->_method_mod_p);
905 if (rsa->_method_mod_q != NULL) 905 if (rsa->_method_mod_q != NULL)
906 BN_MONT_CTX_free(rsa->_method_mod_q); 906 BN_MONT_CTX_free(rsa->_method_mod_q);
907 return(1); 907 return 1;
908 } 908}
909 909
910#endif 910#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-23 00:16:02 +0000