diff options
| author | djm <> | 2006-06-27 05:05:42 +0000 |
|---|---|---|
| committer | djm <> | 2006-06-27 05:05:42 +0000 |
| commit | f6198d4d0ab97685dc56be2d48715ed39fcc74b9 (patch) | |
| tree | 6e28360095ed5ba5ef1760a419c43eef4ef6946b /src/lib/libcrypto/rsa/rsa_eay.c | |
| parent | 0ff0f9d99c40072de315264b0f602bd639e7f662 (diff) | |
| download | openbsd-f6198d4d0ab97685dc56be2d48715ed39fcc74b9.tar.gz openbsd-f6198d4d0ab97685dc56be2d48715ed39fcc74b9.tar.bz2 openbsd-f6198d4d0ab97685dc56be2d48715ed39fcc74b9.zip | |
import of openssl-0.9.7j
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_eay.c | 247 |
1 files changed, 147 insertions, 100 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index d4caab3f95..be4ac96ce3 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c | |||
| @@ -55,6 +55,59 @@ | |||
| 55 | * copied and put under another distribution licence | 55 | * copied and put under another distribution licence |
| 56 | * [including the GNU Public Licence.] | 56 | * [including the GNU Public Licence.] |
| 57 | */ | 57 | */ |
| 58 | /* ==================================================================== | ||
| 59 | * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. | ||
| 60 | * | ||
| 61 | * Redistribution and use in source and binary forms, with or without | ||
| 62 | * modification, are permitted provided that the following conditions | ||
| 63 | * are met: | ||
| 64 | * | ||
| 65 | * 1. Redistributions of source code must retain the above copyright | ||
| 66 | * notice, this list of conditions and the following disclaimer. | ||
| 67 | * | ||
| 68 | * 2. Redistributions in binary form must reproduce the above copyright | ||
| 69 | * notice, this list of conditions and the following disclaimer in | ||
| 70 | * the documentation and/or other materials provided with the | ||
| 71 | * distribution. | ||
| 72 | * | ||
| 73 | * 3. All advertising materials mentioning features or use of this | ||
| 74 | * software must display the following acknowledgment: | ||
| 75 | * "This product includes software developed by the OpenSSL Project | ||
| 76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | ||
| 77 | * | ||
| 78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | ||
| 79 | * endorse or promote products derived from this software without | ||
| 80 | * prior written permission. For written permission, please contact | ||
| 81 | * openssl-core@openssl.org. | ||
| 82 | * | ||
| 83 | * 5. Products derived from this software may not be called "OpenSSL" | ||
| 84 | * nor may "OpenSSL" appear in their names without prior written | ||
| 85 | * permission of the OpenSSL Project. | ||
| 86 | * | ||
| 87 | * 6. Redistributions of any form whatsoever must retain the following | ||
| 88 | * acknowledgment: | ||
| 89 | * "This product includes software developed by the OpenSSL Project | ||
| 90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | ||
| 91 | * | ||
| 92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | ||
| 93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| 94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
| 95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | ||
| 96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
| 97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
| 98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
| 99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
| 100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | ||
| 101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| 102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | ||
| 103 | * OF THE POSSIBILITY OF SUCH DAMAGE. | ||
| 104 | * ==================================================================== | ||
| 105 | * | ||
| 106 | * This product includes cryptographic software written by Eric Young | ||
| 107 | * (eay@cryptsoft.com). This product includes software written by Tim | ||
| 108 | * Hudson (tjh@cryptsoft.com). | ||
| 109 | * | ||
| 110 | */ | ||
| 58 | 111 | ||
| 59 | #include <stdio.h> | 112 | #include <stdio.h> |
| 60 | #include "cryptlib.h" | 113 | #include "cryptlib.h" |
| @@ -145,30 +198,13 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, | |||
| 145 | goto err; | 198 | goto err; |
| 146 | } | 199 | } |
| 147 | 200 | ||
| 148 | if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) | 201 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) |
| 149 | { | 202 | { |
| 150 | BN_MONT_CTX* bn_mont_ctx; | 203 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, |
| 151 | if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) | 204 | CRYPTO_LOCK_RSA, rsa->n, ctx)) |
| 152 | goto err; | ||
| 153 | if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) | ||
| 154 | { | ||
| 155 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 156 | goto err; | 205 | goto err; |
| 157 | } | ||
| 158 | if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ | ||
| 159 | { | ||
| 160 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
| 161 | if (rsa->_method_mod_n == NULL) | ||
| 162 | { | ||
| 163 | rsa->_method_mod_n = bn_mont_ctx; | ||
| 164 | bn_mont_ctx = NULL; | ||
| 165 | } | ||
| 166 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
| 167 | } | ||
| 168 | if (bn_mont_ctx) | ||
| 169 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 170 | } | 206 | } |
| 171 | 207 | ||
| 172 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, | 208 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, |
| 173 | rsa->_method_mod_n)) goto err; | 209 | rsa->_method_mod_n)) goto err; |
| 174 | 210 | ||
| @@ -249,7 +285,7 @@ err: | |||
| 249 | static int RSA_eay_private_encrypt(int flen, const unsigned char *from, | 285 | static int RSA_eay_private_encrypt(int flen, const unsigned char *from, |
| 250 | unsigned char *to, RSA *rsa, int padding) | 286 | unsigned char *to, RSA *rsa, int padding) |
| 251 | { | 287 | { |
| 252 | BIGNUM f,ret; | 288 | BIGNUM f,ret, *res; |
| 253 | int i,j,k,num=0,r= -1; | 289 | int i,j,k,num=0,r= -1; |
| 254 | unsigned char *buf=NULL; | 290 | unsigned char *buf=NULL; |
| 255 | BN_CTX *ctx=NULL; | 291 | BN_CTX *ctx=NULL; |
| @@ -331,19 +367,43 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, | |||
| 331 | (rsa->dmp1 != NULL) && | 367 | (rsa->dmp1 != NULL) && |
| 332 | (rsa->dmq1 != NULL) && | 368 | (rsa->dmq1 != NULL) && |
| 333 | (rsa->iqmp != NULL)) ) | 369 | (rsa->iqmp != NULL)) ) |
| 334 | { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } | 370 | { |
| 371 | if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; | ||
| 372 | } | ||
| 335 | else | 373 | else |
| 336 | { | 374 | { |
| 337 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; | 375 | BIGNUM local_d; |
| 376 | BIGNUM *d = NULL; | ||
| 377 | |||
| 378 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) | ||
| 379 | { | ||
| 380 | BN_init(&local_d); | ||
| 381 | d = &local_d; | ||
| 382 | BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); | ||
| 383 | } | ||
| 384 | else | ||
| 385 | d = rsa->d; | ||
| 386 | if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err; | ||
| 338 | } | 387 | } |
| 339 | 388 | ||
| 340 | if (blinding) | 389 | if (blinding) |
| 341 | if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; | 390 | if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; |
| 342 | 391 | ||
| 392 | if (padding == RSA_X931_PADDING) | ||
| 393 | { | ||
| 394 | BN_sub(&f, rsa->n, &ret); | ||
| 395 | if (BN_cmp(&ret, &f)) | ||
| 396 | res = &f; | ||
| 397 | else | ||
| 398 | res = &ret; | ||
| 399 | } | ||
| 400 | else | ||
| 401 | res = &ret; | ||
| 402 | |||
| 343 | /* put in leading 0 bytes if the number is less than the | 403 | /* put in leading 0 bytes if the number is less than the |
| 344 | * length of the modulus */ | 404 | * length of the modulus */ |
| 345 | j=BN_num_bytes(&ret); | 405 | j=BN_num_bytes(res); |
| 346 | i=BN_bn2bin(&ret,&(to[num-j])); | 406 | i=BN_bn2bin(res,&(to[num-j])); |
| 347 | for (k=0; k<(num-i); k++) | 407 | for (k=0; k<(num-i); k++) |
| 348 | to[k]=0; | 408 | to[k]=0; |
| 349 | 409 | ||
| @@ -444,10 +504,22 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, | |||
| 444 | (rsa->dmp1 != NULL) && | 504 | (rsa->dmp1 != NULL) && |
| 445 | (rsa->dmq1 != NULL) && | 505 | (rsa->dmq1 != NULL) && |
| 446 | (rsa->iqmp != NULL)) ) | 506 | (rsa->iqmp != NULL)) ) |
| 447 | { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } | 507 | { |
| 508 | if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; | ||
| 509 | } | ||
| 448 | else | 510 | else |
| 449 | { | 511 | { |
| 450 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) | 512 | BIGNUM local_d; |
| 513 | BIGNUM *d = NULL; | ||
| 514 | |||
| 515 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) | ||
| 516 | { | ||
| 517 | d = &local_d; | ||
| 518 | BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); | ||
| 519 | } | ||
| 520 | else | ||
| 521 | d = rsa->d; | ||
| 522 | if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) | ||
| 451 | goto err; | 523 | goto err; |
| 452 | } | 524 | } |
| 453 | 525 | ||
| @@ -534,33 +606,20 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, | |||
| 534 | } | 606 | } |
| 535 | 607 | ||
| 536 | /* do the decrypt */ | 608 | /* do the decrypt */ |
| 537 | if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) | 609 | |
| 610 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | ||
| 538 | { | 611 | { |
| 539 | BN_MONT_CTX* bn_mont_ctx; | 612 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, |
| 540 | if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) | 613 | CRYPTO_LOCK_RSA, rsa->n, ctx)) |
| 541 | goto err; | ||
| 542 | if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) | ||
| 543 | { | ||
| 544 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 545 | goto err; | 614 | goto err; |
| 546 | } | ||
| 547 | if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ | ||
| 548 | { | ||
| 549 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
| 550 | if (rsa->_method_mod_n == NULL) | ||
| 551 | { | ||
| 552 | rsa->_method_mod_n = bn_mont_ctx; | ||
| 553 | bn_mont_ctx = NULL; | ||
| 554 | } | ||
| 555 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
| 556 | } | ||
| 557 | if (bn_mont_ctx) | ||
| 558 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 559 | } | 615 | } |
| 560 | 616 | ||
| 561 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, | 617 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, |
| 562 | rsa->_method_mod_n)) goto err; | 618 | rsa->_method_mod_n)) goto err; |
| 563 | 619 | ||
| 620 | if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12)) | ||
| 621 | BN_sub(&ret, rsa->n, &ret); | ||
| 622 | |||
| 564 | p=buf; | 623 | p=buf; |
| 565 | i=BN_bn2bin(&ret,p); | 624 | i=BN_bn2bin(&ret,p); |
| 566 | 625 | ||
| @@ -594,6 +653,8 @@ err: | |||
| 594 | static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) | 653 | static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) |
| 595 | { | 654 | { |
| 596 | BIGNUM r1,m1,vrfy; | 655 | BIGNUM r1,m1,vrfy; |
| 656 | BIGNUM local_dmp1, local_dmq1; | ||
| 657 | BIGNUM *dmp1, *dmq1; | ||
| 597 | int ret=0; | 658 | int ret=0; |
| 598 | BN_CTX *ctx; | 659 | BN_CTX *ctx; |
| 599 | 660 | ||
| @@ -604,61 +665,34 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) | |||
| 604 | 665 | ||
| 605 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) | 666 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) |
| 606 | { | 667 | { |
| 607 | if (rsa->_method_mod_p == NULL) | 668 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, |
| 608 | { | 669 | CRYPTO_LOCK_RSA, rsa->p, ctx)) |
| 609 | BN_MONT_CTX* bn_mont_ctx; | 670 | goto err; |
| 610 | if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) | 671 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, |
| 611 | goto err; | 672 | CRYPTO_LOCK_RSA, rsa->q, ctx)) |
| 612 | if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) | 673 | goto err; |
| 613 | { | ||
| 614 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 615 | goto err; | ||
| 616 | } | ||
| 617 | if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ | ||
| 618 | { | ||
| 619 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
| 620 | if (rsa->_method_mod_p == NULL) | ||
| 621 | { | ||
| 622 | rsa->_method_mod_p = bn_mont_ctx; | ||
| 623 | bn_mont_ctx = NULL; | ||
| 624 | } | ||
| 625 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
| 626 | } | ||
| 627 | if (bn_mont_ctx) | ||
| 628 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 629 | } | ||
| 630 | |||
| 631 | if (rsa->_method_mod_q == NULL) | ||
| 632 | { | ||
| 633 | BN_MONT_CTX* bn_mont_ctx; | ||
| 634 | if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) | ||
| 635 | goto err; | ||
| 636 | if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) | ||
| 637 | { | ||
| 638 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 639 | goto err; | ||
| 640 | } | ||
| 641 | if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ | ||
| 642 | { | ||
| 643 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
| 644 | if (rsa->_method_mod_q == NULL) | ||
| 645 | { | ||
| 646 | rsa->_method_mod_q = bn_mont_ctx; | ||
| 647 | bn_mont_ctx = NULL; | ||
| 648 | } | ||
| 649 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
| 650 | } | ||
| 651 | if (bn_mont_ctx) | ||
| 652 | BN_MONT_CTX_free(bn_mont_ctx); | ||
| 653 | } | ||
| 654 | } | 674 | } |
| 655 | 675 | ||
| 656 | if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; | 676 | if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; |
| 657 | if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, | 677 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) |
| 678 | { | ||
| 679 | dmq1 = &local_dmq1; | ||
| 680 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); | ||
| 681 | } | ||
| 682 | else | ||
| 683 | dmq1 = rsa->dmq1; | ||
| 684 | if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx, | ||
| 658 | rsa->_method_mod_q)) goto err; | 685 | rsa->_method_mod_q)) goto err; |
| 659 | 686 | ||
| 660 | if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; | 687 | if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; |
| 661 | if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, | 688 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) |
| 689 | { | ||
| 690 | dmp1 = &local_dmp1; | ||
| 691 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME); | ||
| 692 | } | ||
| 693 | else | ||
| 694 | dmp1 = rsa->dmp1; | ||
| 695 | if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx, | ||
| 662 | rsa->_method_mod_p)) goto err; | 696 | rsa->_method_mod_p)) goto err; |
| 663 | 697 | ||
| 664 | if (!BN_sub(r0,r0,&m1)) goto err; | 698 | if (!BN_sub(r0,r0,&m1)) goto err; |
| @@ -693,10 +727,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) | |||
| 693 | if (vrfy.neg) | 727 | if (vrfy.neg) |
| 694 | if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; | 728 | if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; |
| 695 | if (!BN_is_zero(&vrfy)) | 729 | if (!BN_is_zero(&vrfy)) |
| 730 | { | ||
| 696 | /* 'I' and 'vrfy' aren't congruent mod n. Don't leak | 731 | /* 'I' and 'vrfy' aren't congruent mod n. Don't leak |
| 697 | * miscalculated CRT output, just do a raw (slower) | 732 | * miscalculated CRT output, just do a raw (slower) |
| 698 | * mod_exp and return that instead. */ | 733 | * mod_exp and return that instead. */ |
| 699 | if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; | 734 | |
| 735 | BIGNUM local_d; | ||
| 736 | BIGNUM *d = NULL; | ||
| 737 | |||
| 738 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) | ||
| 739 | { | ||
| 740 | d = &local_d; | ||
| 741 | BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); | ||
| 742 | } | ||
| 743 | else | ||
| 744 | d = rsa->d; | ||
| 745 | if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err; | ||
| 746 | } | ||
| 700 | } | 747 | } |
| 701 | ret=1; | 748 | ret=1; |
| 702 | err: | 749 | err: |