diff options
| author | markus <> | 2002-09-05 12:51:50 +0000 |
|---|---|---|
| committer | markus <> | 2002-09-05 12:51:50 +0000 |
| commit | 15b5d84f9da2ce4bfae8580e56e34a859f74ad71 (patch) | |
| tree | bf939e82d7fd73cc8a01cf6959002209972091bc /src/lib/libcrypto/rsa/rsa_eay.c | |
| parent | 027351f729b9e837200dae6e1520cda6577ab930 (diff) | |
| download | openbsd-15b5d84f9da2ce4bfae8580e56e34a859f74ad71.tar.gz openbsd-15b5d84f9da2ce4bfae8580e56e34a859f74ad71.tar.bz2 openbsd-15b5d84f9da2ce4bfae8580e56e34a859f74ad71.zip | |
import openssl-0.9.7-beta1
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_eay.c | 555 |
1 files changed, 445 insertions, 110 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index 42a77f11cd..0eda816081 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c | |||
| @@ -1,13 +1,3 @@ | |||
| 1 | |||
| 2 | /* This file has been explicitly broken by ryker for OpenBSD, July | ||
| 3 | * 1, 1998. In spite of the title, there is no implementation of the | ||
| 4 | * RSA algorithm left in this file. All these routines will return an | ||
| 5 | * error and fail when called. They exist as stubs and can be | ||
| 6 | * ressurected from the bit bucket by someone in the free world once | ||
| 7 | * the RSA algorithm is no longer subject to patent problems. Eric | ||
| 8 | * Young's original copyright is below. | ||
| 9 | */ | ||
| 10 | |||
| 11 | /* crypto/rsa/rsa_eay.c */ | 1 | /* crypto/rsa/rsa_eay.c */ |
| 12 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 13 | * All rights reserved. | 3 | * All rights reserved. |
| @@ -68,207 +58,552 @@ | |||
| 68 | 58 | ||
| 69 | #include <stdio.h> | 59 | #include <stdio.h> |
| 70 | #include "cryptlib.h" | 60 | #include "cryptlib.h" |
| 71 | #include "bn.h" | 61 | #include <openssl/bn.h> |
| 72 | #include "rsa.h" | 62 | #include <openssl/rsa.h> |
| 73 | #include "rand.h" | 63 | #include <openssl/rand.h> |
| 64 | #include <openssl/engine.h> | ||
| 74 | 65 | ||
| 75 | #ifndef NOPROTO | 66 | #ifndef RSA_NULL |
| 76 | static int RSA_eay_public_encrypt(int flen, unsigned char *from, | 67 | |
| 68 | static int RSA_eay_public_encrypt(int flen, const unsigned char *from, | ||
| 77 | unsigned char *to, RSA *rsa,int padding); | 69 | unsigned char *to, RSA *rsa,int padding); |
| 78 | static int RSA_eay_private_encrypt(int flen, unsigned char *from, | 70 | static int RSA_eay_private_encrypt(int flen, const unsigned char *from, |
| 79 | unsigned char *to, RSA *rsa,int padding); | 71 | unsigned char *to, RSA *rsa,int padding); |
| 80 | static int RSA_eay_public_decrypt(int flen, unsigned char *from, | 72 | static int RSA_eay_public_decrypt(int flen, const unsigned char *from, |
| 81 | unsigned char *to, RSA *rsa,int padding); | 73 | unsigned char *to, RSA *rsa,int padding); |
| 82 | static int RSA_eay_private_decrypt(int flen, unsigned char *from, | 74 | static int RSA_eay_private_decrypt(int flen, const unsigned char *from, |
| 83 | unsigned char *to, RSA *rsa,int padding); | 75 | unsigned char *to, RSA *rsa,int padding); |
| 84 | static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa); | 76 | static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); |
| 85 | static int RSA_eay_init(RSA *rsa); | 77 | static int RSA_eay_init(RSA *rsa); |
| 86 | static int RSA_eay_finish(RSA *rsa); | 78 | static int RSA_eay_finish(RSA *rsa); |
| 87 | #else | ||
| 88 | static int RSA_eay_public_encrypt(); | ||
| 89 | static int RSA_eay_private_encrypt(); | ||
| 90 | static int RSA_eay_public_decrypt(); | ||
| 91 | static int RSA_eay_private_decrypt(); | ||
| 92 | static int RSA_eay_mod_exp(); | ||
| 93 | static int RSA_eay_init(); | ||
| 94 | static int RSA_eay_finish(); | ||
| 95 | #endif | ||
| 96 | |||
| 97 | static RSA_METHOD rsa_pkcs1_eay_meth={ | 79 | static RSA_METHOD rsa_pkcs1_eay_meth={ |
| 98 | "Eric Young's PKCS#1 RSA", | 80 | "Eric Young's PKCS#1 RSA", |
| 99 | RSA_eay_public_encrypt, | 81 | RSA_eay_public_encrypt, |
| 100 | RSA_eay_public_decrypt, | 82 | RSA_eay_public_decrypt, /* signature verification */ |
| 101 | RSA_eay_private_encrypt, | 83 | RSA_eay_private_encrypt, /* signing */ |
| 102 | RSA_eay_private_decrypt, | 84 | RSA_eay_private_decrypt, |
| 103 | RSA_eay_mod_exp, | 85 | RSA_eay_mod_exp, |
| 104 | BN_mod_exp_mont, | 86 | BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ |
| 105 | RSA_eay_init, | 87 | RSA_eay_init, |
| 106 | RSA_eay_finish, | 88 | RSA_eay_finish, |
| 107 | 0, | 89 | 0, /* flags */ |
| 108 | NULL, | 90 | NULL, |
| 91 | 0, /* rsa_sign */ | ||
| 92 | 0 /* rsa_verify */ | ||
| 109 | }; | 93 | }; |
| 110 | 94 | ||
| 111 | RSA_METHOD *RSA_PKCS1_SSLeay() | 95 | const RSA_METHOD *RSA_PKCS1_SSLeay(void) |
| 112 | { | 96 | { |
| 113 | return(&rsa_pkcs1_eay_meth); | 97 | return(&rsa_pkcs1_eay_meth); |
| 114 | } | 98 | } |
| 115 | 99 | ||
| 116 | static int RSA_eay_public_encrypt(flen, from, to, rsa, padding) | 100 | static int RSA_eay_public_encrypt(int flen, const unsigned char *from, |
| 117 | int flen; | 101 | unsigned char *to, RSA *rsa, int padding) |
| 118 | unsigned char *from; | ||
| 119 | unsigned char *to; | ||
| 120 | RSA *rsa; | ||
| 121 | int padding; | ||
| 122 | { | 102 | { |
| 123 | BIGNUM *f=NULL,*ret=NULL; | 103 | BIGNUM f,ret; |
| 124 | int i,j,k,num=0,r= -1; | 104 | int i,j,k,num=0,r= -1; |
| 125 | unsigned char *buf=NULL; | 105 | unsigned char *buf=NULL; |
| 126 | BN_CTX *ctx=NULL; | 106 | BN_CTX *ctx=NULL; |
| 127 | 107 | ||
| 128 | /* Body of this routine removed for OpenBSD - will return | 108 | BN_init(&f); |
| 129 | * when the RSA patent expires | 109 | BN_init(&ret); |
| 130 | */ | 110 | if ((ctx=BN_CTX_new()) == NULL) goto err; |
| 111 | num=BN_num_bytes(rsa->n); | ||
| 112 | if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) | ||
| 113 | { | ||
| 114 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); | ||
| 115 | goto err; | ||
| 116 | } | ||
| 131 | 117 | ||
| 118 | switch (padding) | ||
| 119 | { | ||
| 120 | case RSA_PKCS1_PADDING: | ||
| 121 | i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); | ||
| 122 | break; | ||
| 123 | #ifndef OPENSSL_NO_SHA | ||
| 124 | case RSA_PKCS1_OAEP_PADDING: | ||
| 125 | i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); | ||
| 126 | break; | ||
| 127 | #endif | ||
| 128 | case RSA_SSLV23_PADDING: | ||
| 129 | i=RSA_padding_add_SSLv23(buf,num,from,flen); | ||
| 130 | break; | ||
| 131 | case RSA_NO_PADDING: | ||
| 132 | i=RSA_padding_add_none(buf,num,from,flen); | ||
| 133 | break; | ||
| 134 | default: | ||
| 135 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | ||
| 136 | goto err; | ||
| 137 | } | ||
| 138 | if (i <= 0) goto err; | ||
| 139 | |||
| 140 | if (BN_bin2bn(buf,num,&f) == NULL) goto err; | ||
| 141 | |||
| 142 | if (BN_ucmp(&f, rsa->n) >= 0) | ||
| 143 | { | ||
| 144 | /* usually the padding functions would catch this */ | ||
| 145 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); | ||
| 146 | goto err; | ||
| 147 | } | ||
| 148 | |||
| 149 | if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) | ||
| 150 | { | ||
| 151 | BN_MONT_CTX* bn_mont_ctx; | ||
| 152 | if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) | ||
| 153 | goto err; | ||
| 154 | if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) | ||
| 155 | { | ||
| 156 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 157 | goto err; | ||
| 158 | } | ||
| 159 | if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ | ||
| 160 | { | ||
| 161 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
| 162 | if (rsa->_method_mod_n == NULL) | ||
| 163 | { | ||
| 164 | rsa->_method_mod_n = bn_mont_ctx; | ||
| 165 | bn_mont_ctx = NULL; | ||
| 166 | } | ||
| 167 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
| 168 | } | ||
| 169 | if (bn_mont_ctx) | ||
| 170 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 171 | } | ||
| 172 | |||
| 173 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, | ||
| 174 | rsa->_method_mod_n)) goto err; | ||
| 175 | |||
| 176 | /* put in leading 0 bytes if the number is less than the | ||
| 177 | * length of the modulus */ | ||
| 178 | j=BN_num_bytes(&ret); | ||
| 179 | i=BN_bn2bin(&ret,&(to[num-j])); | ||
| 180 | for (k=0; k<(num-i); k++) | ||
| 181 | to[k]=0; | ||
| 182 | |||
| 183 | r=num; | ||
| 132 | err: | 184 | err: |
| 133 | if (ctx != NULL) BN_CTX_free(ctx); | 185 | if (ctx != NULL) BN_CTX_free(ctx); |
| 134 | if (f != NULL) BN_free(f); | 186 | BN_clear_free(&f); |
| 135 | if (ret != NULL) BN_free(ret); | 187 | BN_clear_free(&ret); |
| 136 | if (buf != NULL) | 188 | if (buf != NULL) |
| 137 | { | 189 | { |
| 138 | memset(buf,0,num); | 190 | memset(buf,0,num); |
| 139 | Free(buf); | 191 | OPENSSL_free(buf); |
| 140 | } | 192 | } |
| 141 | return(r); | 193 | return(r); |
| 142 | } | 194 | } |
| 143 | 195 | ||
| 144 | static int RSA_eay_private_encrypt(flen, from, to, rsa, padding) | 196 | /* signing */ |
| 145 | int flen; | 197 | static int RSA_eay_private_encrypt(int flen, const unsigned char *from, |
| 146 | unsigned char *from; | 198 | unsigned char *to, RSA *rsa, int padding) |
| 147 | unsigned char *to; | ||
| 148 | RSA *rsa; | ||
| 149 | int padding; | ||
| 150 | { | 199 | { |
| 151 | BIGNUM *f=NULL,*ret=NULL; | 200 | BIGNUM f,ret; |
| 152 | int i,j,k,num=0,r= -1; | 201 | int i,j,k,num=0,r= -1; |
| 153 | unsigned char *buf=NULL; | 202 | unsigned char *buf=NULL; |
| 154 | BN_CTX *ctx=NULL; | 203 | BN_CTX *ctx=NULL; |
| 155 | 204 | ||
| 156 | /* Body of this routine removed for OpenBSD - will return | 205 | BN_init(&f); |
| 157 | * when the RSA patent expires | 206 | BN_init(&ret); |
| 158 | */ | ||
| 159 | 207 | ||
| 208 | if ((ctx=BN_CTX_new()) == NULL) goto err; | ||
| 209 | num=BN_num_bytes(rsa->n); | ||
| 210 | if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) | ||
| 211 | { | ||
| 212 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); | ||
| 213 | goto err; | ||
| 214 | } | ||
| 215 | |||
| 216 | switch (padding) | ||
| 217 | { | ||
| 218 | case RSA_PKCS1_PADDING: | ||
| 219 | i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); | ||
| 220 | break; | ||
| 221 | case RSA_NO_PADDING: | ||
| 222 | i=RSA_padding_add_none(buf,num,from,flen); | ||
| 223 | break; | ||
| 224 | case RSA_SSLV23_PADDING: | ||
| 225 | default: | ||
| 226 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | ||
| 227 | goto err; | ||
| 228 | } | ||
| 229 | if (i <= 0) goto err; | ||
| 230 | |||
| 231 | if (BN_bin2bn(buf,num,&f) == NULL) goto err; | ||
| 232 | |||
| 233 | if (BN_ucmp(&f, rsa->n) >= 0) | ||
| 234 | { | ||
| 235 | /* usually the padding functions would catch this */ | ||
| 236 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); | ||
| 237 | goto err; | ||
| 238 | } | ||
| 239 | |||
| 240 | if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) | ||
| 241 | RSA_blinding_on(rsa,ctx); | ||
| 242 | if (rsa->flags & RSA_FLAG_BLINDING) | ||
| 243 | if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; | ||
| 244 | |||
| 245 | if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || | ||
| 246 | ((rsa->p != NULL) && | ||
| 247 | (rsa->q != NULL) && | ||
| 248 | (rsa->dmp1 != NULL) && | ||
| 249 | (rsa->dmq1 != NULL) && | ||
| 250 | (rsa->iqmp != NULL)) ) | ||
| 251 | { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } | ||
| 252 | else | ||
| 253 | { | ||
| 254 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; | ||
| 255 | } | ||
| 256 | |||
| 257 | if (rsa->flags & RSA_FLAG_BLINDING) | ||
| 258 | if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; | ||
| 259 | |||
| 260 | /* put in leading 0 bytes if the number is less than the | ||
| 261 | * length of the modulus */ | ||
| 262 | j=BN_num_bytes(&ret); | ||
| 263 | i=BN_bn2bin(&ret,&(to[num-j])); | ||
| 264 | for (k=0; k<(num-i); k++) | ||
| 265 | to[k]=0; | ||
| 266 | |||
| 267 | r=num; | ||
| 160 | err: | 268 | err: |
| 161 | if (ctx != NULL) BN_CTX_free(ctx); | 269 | if (ctx != NULL) BN_CTX_free(ctx); |
| 162 | if (ret != NULL) BN_free(ret); | 270 | BN_clear_free(&ret); |
| 163 | if (f != NULL) BN_free(f); | 271 | BN_clear_free(&f); |
| 164 | if (buf != NULL) | 272 | if (buf != NULL) |
| 165 | { | 273 | { |
| 166 | memset(buf,0,num); | 274 | memset(buf,0,num); |
| 167 | Free(buf); | 275 | OPENSSL_free(buf); |
| 168 | } | 276 | } |
| 169 | return(r); | 277 | return(r); |
| 170 | } | 278 | } |
| 171 | 279 | ||
| 172 | static int RSA_eay_private_decrypt(flen, from, to, rsa,padding) | 280 | static int RSA_eay_private_decrypt(int flen, const unsigned char *from, |
| 173 | int flen; | 281 | unsigned char *to, RSA *rsa, int padding) |
| 174 | unsigned char *from; | ||
| 175 | unsigned char *to; | ||
| 176 | RSA *rsa; | ||
| 177 | int padding; | ||
| 178 | { | 282 | { |
| 179 | BIGNUM *f=NULL,*ret=NULL; | 283 | BIGNUM f,ret; |
| 180 | int j,num=0,r= -1; | 284 | int j,num=0,r= -1; |
| 181 | unsigned char *p; | 285 | unsigned char *p; |
| 182 | unsigned char *buf=NULL; | 286 | unsigned char *buf=NULL; |
| 183 | BN_CTX *ctx=NULL; | 287 | BN_CTX *ctx=NULL; |
| 184 | 288 | ||
| 185 | /* Body of this routine removed for OpenBSD - will return | 289 | BN_init(&f); |
| 186 | * when the RSA patent expires | 290 | BN_init(&ret); |
| 187 | */ | 291 | ctx=BN_CTX_new(); |
| 292 | if (ctx == NULL) goto err; | ||
| 293 | |||
| 294 | num=BN_num_bytes(rsa->n); | ||
| 295 | |||
| 296 | if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) | ||
| 297 | { | ||
| 298 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); | ||
| 299 | goto err; | ||
| 300 | } | ||
| 301 | |||
| 302 | /* This check was for equality but PGP does evil things | ||
| 303 | * and chops off the top '0' bytes */ | ||
| 304 | if (flen > num) | ||
| 305 | { | ||
| 306 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); | ||
| 307 | goto err; | ||
| 308 | } | ||
| 309 | |||
| 310 | /* make data into a big number */ | ||
| 311 | if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; | ||
| 312 | |||
| 313 | if (BN_ucmp(&f, rsa->n) >= 0) | ||
| 314 | { | ||
| 315 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); | ||
| 316 | goto err; | ||
| 317 | } | ||
| 318 | |||
| 319 | if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) | ||
| 320 | RSA_blinding_on(rsa,ctx); | ||
| 321 | if (rsa->flags & RSA_FLAG_BLINDING) | ||
| 322 | if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; | ||
| 323 | |||
| 324 | /* do the decrypt */ | ||
| 325 | if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || | ||
| 326 | ((rsa->p != NULL) && | ||
| 327 | (rsa->q != NULL) && | ||
| 328 | (rsa->dmp1 != NULL) && | ||
| 329 | (rsa->dmq1 != NULL) && | ||
| 330 | (rsa->iqmp != NULL)) ) | ||
| 331 | { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } | ||
| 332 | else | ||
| 333 | { | ||
| 334 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) | ||
| 335 | goto err; | ||
| 336 | } | ||
| 337 | |||
| 338 | if (rsa->flags & RSA_FLAG_BLINDING) | ||
| 339 | if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; | ||
| 340 | |||
| 341 | p=buf; | ||
| 342 | j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ | ||
| 343 | |||
| 344 | switch (padding) | ||
| 345 | { | ||
| 346 | case RSA_PKCS1_PADDING: | ||
| 347 | r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); | ||
| 348 | break; | ||
| 349 | #ifndef OPENSSL_NO_SHA | ||
| 350 | case RSA_PKCS1_OAEP_PADDING: | ||
| 351 | r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); | ||
| 352 | break; | ||
| 353 | #endif | ||
| 354 | case RSA_SSLV23_PADDING: | ||
| 355 | r=RSA_padding_check_SSLv23(to,num,buf,j,num); | ||
| 356 | break; | ||
| 357 | case RSA_NO_PADDING: | ||
| 358 | r=RSA_padding_check_none(to,num,buf,j,num); | ||
| 359 | break; | ||
| 360 | default: | ||
| 361 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | ||
| 362 | goto err; | ||
| 363 | } | ||
| 364 | if (r < 0) | ||
| 365 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); | ||
| 188 | 366 | ||
| 189 | err: | 367 | err: |
| 190 | if (ctx != NULL) BN_CTX_free(ctx); | 368 | if (ctx != NULL) BN_CTX_free(ctx); |
| 191 | if (f != NULL) BN_free(f); | 369 | BN_clear_free(&f); |
| 192 | if (ret != NULL) BN_free(ret); | 370 | BN_clear_free(&ret); |
| 193 | if (buf != NULL) | 371 | if (buf != NULL) |
| 194 | { | 372 | { |
| 195 | memset(buf,0,num); | 373 | memset(buf,0,num); |
| 196 | Free(buf); | 374 | OPENSSL_free(buf); |
| 197 | } | 375 | } |
| 198 | return(r); | 376 | return(r); |
| 199 | } | 377 | } |
| 200 | 378 | ||
| 201 | static int RSA_eay_public_decrypt(flen, from, to, rsa, padding) | 379 | /* signature verification */ |
| 202 | int flen; | 380 | static int RSA_eay_public_decrypt(int flen, const unsigned char *from, |
| 203 | unsigned char *from; | 381 | unsigned char *to, RSA *rsa, int padding) |
| 204 | unsigned char *to; | ||
| 205 | RSA *rsa; | ||
| 206 | int padding; | ||
| 207 | { | 382 | { |
| 208 | BIGNUM *f=NULL,*ret=NULL; | 383 | BIGNUM f,ret; |
| 209 | int i,num=0,r= -1; | 384 | int i,num=0,r= -1; |
| 210 | unsigned char *p; | 385 | unsigned char *p; |
| 211 | unsigned char *buf=NULL; | 386 | unsigned char *buf=NULL; |
| 212 | BN_CTX *ctx=NULL; | 387 | BN_CTX *ctx=NULL; |
| 213 | 388 | ||
| 389 | BN_init(&f); | ||
| 390 | BN_init(&ret); | ||
| 391 | ctx=BN_CTX_new(); | ||
| 392 | if (ctx == NULL) goto err; | ||
| 393 | |||
| 394 | num=BN_num_bytes(rsa->n); | ||
| 395 | buf=(unsigned char *)OPENSSL_malloc(num); | ||
| 396 | if (buf == NULL) | ||
| 397 | { | ||
| 398 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); | ||
| 399 | goto err; | ||
| 400 | } | ||
| 401 | |||
| 402 | /* This check was for equality but PGP does evil things | ||
| 403 | * and chops off the top '0' bytes */ | ||
| 404 | if (flen > num) | ||
| 405 | { | ||
| 406 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); | ||
| 407 | goto err; | ||
| 408 | } | ||
| 214 | 409 | ||
| 215 | /* Body of this routine removed for OpenBSD - will return | 410 | if (BN_bin2bn(from,flen,&f) == NULL) goto err; |
| 216 | * when the RSA patent expires | 411 | |
| 217 | */ | 412 | if (BN_ucmp(&f, rsa->n) >= 0) |
| 413 | { | ||
| 414 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); | ||
| 415 | goto err; | ||
| 416 | } | ||
| 417 | |||
| 418 | /* do the decrypt */ | ||
| 419 | if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) | ||
| 420 | { | ||
| 421 | BN_MONT_CTX* bn_mont_ctx; | ||
| 422 | if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) | ||
| 423 | goto err; | ||
| 424 | if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) | ||
| 425 | { | ||
| 426 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 427 | goto err; | ||
| 428 | } | ||
| 429 | if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ | ||
| 430 | { | ||
| 431 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
| 432 | if (rsa->_method_mod_n == NULL) | ||
| 433 | { | ||
| 434 | rsa->_method_mod_n = bn_mont_ctx; | ||
| 435 | bn_mont_ctx = NULL; | ||
| 436 | } | ||
| 437 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
| 438 | } | ||
| 439 | if (bn_mont_ctx) | ||
| 440 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 441 | } | ||
| 442 | |||
| 443 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, | ||
| 444 | rsa->_method_mod_n)) goto err; | ||
| 445 | |||
| 446 | p=buf; | ||
| 447 | i=BN_bn2bin(&ret,p); | ||
| 448 | |||
| 449 | switch (padding) | ||
| 450 | { | ||
| 451 | case RSA_PKCS1_PADDING: | ||
| 452 | r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); | ||
| 453 | break; | ||
| 454 | case RSA_NO_PADDING: | ||
| 455 | r=RSA_padding_check_none(to,num,buf,i,num); | ||
| 456 | break; | ||
| 457 | default: | ||
| 458 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | ||
| 459 | goto err; | ||
| 460 | } | ||
| 461 | if (r < 0) | ||
| 462 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); | ||
| 218 | 463 | ||
| 219 | err: | 464 | err: |
| 220 | if (ctx != NULL) BN_CTX_free(ctx); | 465 | if (ctx != NULL) BN_CTX_free(ctx); |
| 221 | if (f != NULL) BN_free(f); | 466 | BN_clear_free(&f); |
| 222 | if (ret != NULL) BN_free(ret); | 467 | BN_clear_free(&ret); |
| 223 | if (buf != NULL) | 468 | if (buf != NULL) |
| 224 | { | 469 | { |
| 225 | memset(buf,0,num); | 470 | memset(buf,0,num); |
| 226 | Free(buf); | 471 | OPENSSL_free(buf); |
| 227 | } | 472 | } |
| 228 | return(r); | 473 | return(r); |
| 229 | } | 474 | } |
| 230 | 475 | ||
| 231 | static int RSA_eay_mod_exp(r0, I, rsa) | 476 | static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) |
| 232 | BIGNUM *r0; | ||
| 233 | BIGNUM *I; | ||
| 234 | RSA *rsa; | ||
| 235 | { | 477 | { |
| 236 | BIGNUM *r1=NULL,*m1=NULL; | 478 | BIGNUM r1,m1,vrfy; |
| 237 | int ret=0; | 479 | int ret=0; |
| 238 | BN_CTX *ctx; | 480 | BN_CTX *ctx; |
| 239 | 481 | ||
| 482 | BN_init(&m1); | ||
| 483 | BN_init(&r1); | ||
| 484 | BN_init(&vrfy); | ||
| 240 | if ((ctx=BN_CTX_new()) == NULL) goto err; | 485 | if ((ctx=BN_CTX_new()) == NULL) goto err; |
| 241 | m1=BN_new(); | ||
| 242 | r1=BN_new(); | ||
| 243 | if ((m1 == NULL) || (r1 == NULL)) goto err; | ||
| 244 | 486 | ||
| 245 | /* Body of this routine removed for OpenBSD - will return | 487 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) |
| 246 | * when the RSA patent expires | 488 | { |
| 247 | */ | 489 | if (rsa->_method_mod_p == NULL) |
| 490 | { | ||
| 491 | BN_MONT_CTX* bn_mont_ctx; | ||
| 492 | if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) | ||
| 493 | goto err; | ||
| 494 | if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) | ||
| 495 | { | ||
| 496 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 497 | goto err; | ||
| 498 | } | ||
| 499 | if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ | ||
| 500 | { | ||
| 501 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
| 502 | if (rsa->_method_mod_p == NULL) | ||
| 503 | { | ||
| 504 | rsa->_method_mod_p = bn_mont_ctx; | ||
| 505 | bn_mont_ctx = NULL; | ||
| 506 | } | ||
| 507 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
| 508 | } | ||
| 509 | if (bn_mont_ctx) | ||
| 510 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 511 | } | ||
| 512 | |||
| 513 | if (rsa->_method_mod_q == NULL) | ||
| 514 | { | ||
| 515 | BN_MONT_CTX* bn_mont_ctx; | ||
| 516 | if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) | ||
| 517 | goto err; | ||
| 518 | if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) | ||
| 519 | { | ||
| 520 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 521 | goto err; | ||
| 522 | } | ||
| 523 | if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ | ||
| 524 | { | ||
| 525 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
| 526 | if (rsa->_method_mod_q == NULL) | ||
| 527 | { | ||
| 528 | rsa->_method_mod_q = bn_mont_ctx; | ||
| 529 | bn_mont_ctx = NULL; | ||
| 530 | } | ||
| 531 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
| 532 | } | ||
| 533 | if (bn_mont_ctx) | ||
| 534 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 535 | } | ||
| 536 | } | ||
| 537 | |||
| 538 | if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; | ||
| 539 | if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, | ||
| 540 | rsa->_method_mod_q)) goto err; | ||
| 541 | |||
| 542 | if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; | ||
| 543 | if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, | ||
| 544 | rsa->_method_mod_p)) goto err; | ||
| 545 | |||
| 546 | if (!BN_sub(r0,r0,&m1)) goto err; | ||
| 547 | /* This will help stop the size of r0 increasing, which does | ||
| 548 | * affect the multiply if it optimised for a power of 2 size */ | ||
| 549 | if (r0->neg) | ||
| 550 | if (!BN_add(r0,r0,rsa->p)) goto err; | ||
| 551 | |||
| 552 | if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; | ||
| 553 | if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; | ||
| 554 | /* If p < q it is occasionally possible for the correction of | ||
| 555 | * adding 'p' if r0 is negative above to leave the result still | ||
| 556 | * negative. This can break the private key operations: the following | ||
| 557 | * second correction should *always* correct this rare occurrence. | ||
| 558 | * This will *never* happen with OpenSSL generated keys because | ||
| 559 | * they ensure p > q [steve] | ||
| 560 | */ | ||
| 561 | if (r0->neg) | ||
| 562 | if (!BN_add(r0,r0,rsa->p)) goto err; | ||
| 563 | if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; | ||
| 564 | if (!BN_add(r0,&r1,&m1)) goto err; | ||
| 565 | |||
| 566 | if (rsa->e && rsa->n) | ||
| 567 | { | ||
| 568 | if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; | ||
| 569 | /* If 'I' was greater than (or equal to) rsa->n, the operation | ||
| 570 | * will be equivalent to using 'I mod n'. However, the result of | ||
| 571 | * the verify will *always* be less than 'n' so we don't check | ||
| 572 | * for absolute equality, just congruency. */ | ||
| 573 | if (!BN_sub(&vrfy, &vrfy, I)) goto err; | ||
| 574 | if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; | ||
| 575 | if (vrfy.neg) | ||
| 576 | if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; | ||
| 577 | if (!BN_is_zero(&vrfy)) | ||
| 578 | /* 'I' and 'vrfy' aren't congruent mod n. Don't leak | ||
| 579 | * miscalculated CRT output, just do a raw (slower) | ||
| 580 | * mod_exp and return that instead. */ | ||
| 581 | if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; | ||
| 582 | } | ||
| 583 | ret=1; | ||
| 248 | err: | 584 | err: |
| 249 | if (m1 != NULL) BN_free(m1); | 585 | BN_clear_free(&m1); |
| 250 | if (r1 != NULL) BN_free(r1); | 586 | BN_clear_free(&r1); |
| 587 | BN_clear_free(&vrfy); | ||
| 251 | BN_CTX_free(ctx); | 588 | BN_CTX_free(ctx); |
| 252 | return(ret); | 589 | return(ret); |
| 253 | } | 590 | } |
| 254 | 591 | ||
| 255 | static int RSA_eay_init(rsa) | 592 | static int RSA_eay_init(RSA *rsa) |
| 256 | RSA *rsa; | ||
| 257 | { | 593 | { |
| 258 | rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; | 594 | rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; |
| 259 | return(1); | 595 | return(1); |
| 260 | } | 596 | } |
| 261 | 597 | ||
| 262 | static int RSA_eay_finish(rsa) | 598 | static int RSA_eay_finish(RSA *rsa) |
| 263 | RSA *rsa; | ||
| 264 | { | 599 | { |
| 265 | if (rsa->method_mod_n != NULL) | 600 | if (rsa->_method_mod_n != NULL) |
| 266 | BN_MONT_CTX_free((BN_MONT_CTX *)rsa->method_mod_n); | 601 | BN_MONT_CTX_free(rsa->_method_mod_n); |
| 267 | if (rsa->method_mod_p != NULL) | 602 | if (rsa->_method_mod_p != NULL) |
| 268 | BN_MONT_CTX_free((BN_MONT_CTX *)rsa->method_mod_p); | 603 | BN_MONT_CTX_free(rsa->_method_mod_p); |
| 269 | if (rsa->method_mod_q != NULL) | 604 | if (rsa->_method_mod_q != NULL) |
| 270 | BN_MONT_CTX_free((BN_MONT_CTX *)rsa->method_mod_q); | 605 | BN_MONT_CTX_free(rsa->_method_mod_q); |
| 271 | return(1); | 606 | return(1); |
| 272 | } | 607 | } |
| 273 | 608 | ||
| 274 | 609 | #endif | |