summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_eay.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c560
1 files changed, 336 insertions, 224 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index be4ac96ce3..ffadaab9a4 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -115,7 +115,7 @@
115#include <openssl/rsa.h> 115#include <openssl/rsa.h>
116#include <openssl/rand.h> 116#include <openssl/rand.h>
117 117
118#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS) 118#ifndef RSA_NULL
119 119
120static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 120static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121 unsigned char *to, RSA *rsa,int padding); 121 unsigned char *to, RSA *rsa,int padding);
@@ -125,7 +125,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125 unsigned char *to, RSA *rsa,int padding); 125 unsigned char *to, RSA *rsa,int padding);
126static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 126static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127 unsigned char *to, RSA *rsa,int padding); 127 unsigned char *to, RSA *rsa,int padding);
128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); 128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
129static int RSA_eay_init(RSA *rsa); 129static int RSA_eay_init(RSA *rsa);
130static int RSA_eay_finish(RSA *rsa); 130static int RSA_eay_finish(RSA *rsa);
131static RSA_METHOD rsa_pkcs1_eay_meth={ 131static RSA_METHOD rsa_pkcs1_eay_meth={
@@ -141,7 +141,8 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
141 0, /* flags */ 141 0, /* flags */
142 NULL, 142 NULL,
143 0, /* rsa_sign */ 143 0, /* rsa_sign */
144 0 /* rsa_verify */ 144 0, /* rsa_verify */
145 NULL /* rsa_keygen */
145 }; 146 };
146 147
147const RSA_METHOD *RSA_PKCS1_SSLeay(void) 148const RSA_METHOD *RSA_PKCS1_SSLeay(void)
@@ -149,19 +150,53 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
149 return(&rsa_pkcs1_eay_meth); 150 return(&rsa_pkcs1_eay_meth);
150 } 151 }
151 152
153/* Usage example;
154 * MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
155 */
156#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
157 if ((pre_cond) && ((method_mod) == NULL) && \
158 !BN_MONT_CTX_set_locked(&(method_mod), \
159 CRYPTO_LOCK_RSA, \
160 (m), (ctx))) \
161 err_instr
162
152static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 163static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
153 unsigned char *to, RSA *rsa, int padding) 164 unsigned char *to, RSA *rsa, int padding)
154 { 165 {
155 BIGNUM f,ret; 166 BIGNUM *f,*ret;
156 int i,j,k,num=0,r= -1; 167 int i,j,k,num=0,r= -1;
157 unsigned char *buf=NULL; 168 unsigned char *buf=NULL;
158 BN_CTX *ctx=NULL; 169 BN_CTX *ctx=NULL;
159 170
160 BN_init(&f); 171 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
161 BN_init(&ret); 172 {
173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
174 return -1;
175 }
176
177 if (BN_ucmp(rsa->n, rsa->e) <= 0)
178 {
179 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
180 return -1;
181 }
182
183 /* for large moduli, enforce exponent limit */
184 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
185 {
186 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
187 {
188 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
189 return -1;
190 }
191 }
192
162 if ((ctx=BN_CTX_new()) == NULL) goto err; 193 if ((ctx=BN_CTX_new()) == NULL) goto err;
194 BN_CTX_start(ctx);
195 f = BN_CTX_get(ctx);
196 ret = BN_CTX_get(ctx);
163 num=BN_num_bytes(rsa->n); 197 num=BN_num_bytes(rsa->n);
164 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 198 buf = OPENSSL_malloc(num);
199 if (!f || !ret || !buf)
165 { 200 {
166 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 201 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
167 goto err; 202 goto err;
@@ -189,37 +224,34 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
189 } 224 }
190 if (i <= 0) goto err; 225 if (i <= 0) goto err;
191 226
192 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 227 if (BN_bin2bn(buf,num,f) == NULL) goto err;
193 228
194 if (BN_ucmp(&f, rsa->n) >= 0) 229 if (BN_ucmp(f, rsa->n) >= 0)
195 { 230 {
196 /* usually the padding functions would catch this */ 231 /* usually the padding functions would catch this */
197 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 232 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
198 goto err; 233 goto err;
199 } 234 }
200 235
201 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 236 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
202 {
203 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
204 CRYPTO_LOCK_RSA, rsa->n, ctx))
205 goto err;
206 }
207 237
208 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 238 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
209 rsa->_method_mod_n)) goto err; 239 rsa->_method_mod_n)) goto err;
210 240
211 /* put in leading 0 bytes if the number is less than the 241 /* put in leading 0 bytes if the number is less than the
212 * length of the modulus */ 242 * length of the modulus */
213 j=BN_num_bytes(&ret); 243 j=BN_num_bytes(ret);
214 i=BN_bn2bin(&ret,&(to[num-j])); 244 i=BN_bn2bin(ret,&(to[num-j]));
215 for (k=0; k<(num-i); k++) 245 for (k=0; k<(num-i); k++)
216 to[k]=0; 246 to[k]=0;
217 247
218 r=num; 248 r=num;
219err: 249err:
220 if (ctx != NULL) BN_CTX_free(ctx); 250 if (ctx != NULL)
221 BN_clear_free(&f); 251 {
222 BN_clear_free(&ret); 252 BN_CTX_end(ctx);
253 BN_CTX_free(ctx);
254 }
223 if (buf != NULL) 255 if (buf != NULL)
224 { 256 {
225 OPENSSL_cleanse(buf,num); 257 OPENSSL_cleanse(buf,num);
@@ -228,76 +260,115 @@ err:
228 return(r); 260 return(r);
229 } 261 }
230 262
231static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) 263static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
232 { 264{
233 int ret = 1; 265 BN_BLINDING *ret;
234 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 266 int got_write_lock = 0;
235 /* Check again inside the lock - the macro's check is racey */
236 if(rsa->blinding == NULL)
237 ret = RSA_blinding_on(rsa, ctx);
238 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
239 return ret;
240 }
241 267
242#define BLINDING_HELPER(rsa, ctx, err_instr) \ 268 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
243 do { \
244 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
245 ((rsa)->blinding == NULL) && \
246 !rsa_eay_blinding(rsa, ctx)) \
247 err_instr \
248 } while(0)
249 269
250static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) 270 if (rsa->blinding == NULL)
251 { 271 {
252 BIGNUM *A, *Ai; 272 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
253 BN_BLINDING *ret = NULL; 273 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
274 got_write_lock = 1;
254 275
255 /* added in OpenSSL 0.9.6j and 0.9.7b */ 276 if (rsa->blinding == NULL)
277 rsa->blinding = RSA_setup_blinding(rsa, ctx);
278 }
256 279
257 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); 280 ret = rsa->blinding;
258 * this should be placed in a new function of its own, but for reasons 281 if (ret == NULL)
259 * of binary compatibility can't */ 282 goto err;
260 283
261 BN_CTX_start(ctx); 284 if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id())
262 A = BN_CTX_get(ctx);
263 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
264 { 285 {
265 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ 286 /* rsa->blinding is ours! */
266 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); 287
267 if (!BN_pseudo_rand_range(A,rsa->n)) goto err; 288 *local = 1;
268 } 289 }
269 else 290 else
270 { 291 {
271 if (!BN_rand_range(A,rsa->n)) goto err; 292 /* resort to rsa->mt_blinding instead */
293
294 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
295 * that the BN_BLINDING is shared, meaning that accesses
296 * require locks, and that the blinding factor must be
297 * stored outside the BN_BLINDING
298 */
299
300 if (rsa->mt_blinding == NULL)
301 {
302 if (!got_write_lock)
303 {
304 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
305 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
306 got_write_lock = 1;
307 }
308
309 if (rsa->mt_blinding == NULL)
310 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
311 }
312 ret = rsa->mt_blinding;
272 } 313 }
273 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
274 314
275 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) 315 err:
276 goto err; 316 if (got_write_lock)
277 ret = BN_BLINDING_new(A,Ai,rsa->n); 317 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
278 BN_free(Ai); 318 else
279err: 319 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
280 BN_CTX_end(ctx);
281 return ret; 320 return ret;
282 } 321}
322
323static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
324 BIGNUM *r, BN_CTX *ctx)
325{
326 if (local)
327 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
328 else
329 {
330 int ret;
331 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
332 ret = BN_BLINDING_convert_ex(f, r, b, ctx);
333 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
334 return ret;
335 }
336}
337
338static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
339 BIGNUM *r, BN_CTX *ctx)
340{
341 if (local)
342 return BN_BLINDING_invert_ex(f, NULL, b, ctx);
343 else
344 {
345 int ret;
346 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
347 ret = BN_BLINDING_invert_ex(f, r, b, ctx);
348 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
349 return ret;
350 }
351}
283 352
284/* signing */ 353/* signing */
285static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 354static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
286 unsigned char *to, RSA *rsa, int padding) 355 unsigned char *to, RSA *rsa, int padding)
287 { 356 {
288 BIGNUM f,ret, *res; 357 BIGNUM *f, *ret, *br, *res;
289 int i,j,k,num=0,r= -1; 358 int i,j,k,num=0,r= -1;
290 unsigned char *buf=NULL; 359 unsigned char *buf=NULL;
291 BN_CTX *ctx=NULL; 360 BN_CTX *ctx=NULL;
292 int local_blinding = 0; 361 int local_blinding = 0;
293 BN_BLINDING *blinding = NULL; 362 BN_BLINDING *blinding = NULL;
294 363
295 BN_init(&f);
296 BN_init(&ret);
297
298 if ((ctx=BN_CTX_new()) == NULL) goto err; 364 if ((ctx=BN_CTX_new()) == NULL) goto err;
299 num=BN_num_bytes(rsa->n); 365 BN_CTX_start(ctx);
300 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 366 f = BN_CTX_get(ctx);
367 br = BN_CTX_get(ctx);
368 ret = BN_CTX_get(ctx);
369 num = BN_num_bytes(rsa->n);
370 buf = OPENSSL_malloc(num);
371 if(!f || !ret || !buf)
301 { 372 {
302 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 373 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
303 goto err; 374 goto err;
@@ -308,6 +379,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
308 case RSA_PKCS1_PADDING: 379 case RSA_PKCS1_PADDING:
309 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 380 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
310 break; 381 break;
382 case RSA_X931_PADDING:
383 i=RSA_padding_add_X931(buf,num,from,flen);
384 break;
311 case RSA_NO_PADDING: 385 case RSA_NO_PADDING:
312 i=RSA_padding_add_none(buf,num,from,flen); 386 i=RSA_padding_add_none(buf,num,from,flen);
313 break; 387 break;
@@ -318,26 +392,18 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
318 } 392 }
319 if (i <= 0) goto err; 393 if (i <= 0) goto err;
320 394
321 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 395 if (BN_bin2bn(buf,num,f) == NULL) goto err;
322 396
323 if (BN_ucmp(&f, rsa->n) >= 0) 397 if (BN_ucmp(f, rsa->n) >= 0)
324 { 398 {
325 /* usually the padding functions would catch this */ 399 /* usually the padding functions would catch this */
326 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 400 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
327 goto err; 401 goto err;
328 } 402 }
329 403
330 BLINDING_HELPER(rsa, ctx, goto err;);
331 blinding = rsa->blinding;
332
333 /* Now unless blinding is disabled, 'blinding' is non-NULL.
334 * But the BN_BLINDING object may be owned by some other thread
335 * (we don't want to keep it constant and we don't want to use
336 * lots of locking to avoid race conditions, so only a single
337 * thread can use it; other threads have to use local blinding
338 * factors) */
339 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 404 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
340 { 405 {
406 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
341 if (blinding == NULL) 407 if (blinding == NULL)
342 { 408 {
343 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 409 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
@@ -346,20 +412,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
346 } 412 }
347 413
348 if (blinding != NULL) 414 if (blinding != NULL)
349 { 415 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
350 if (blinding->thread_id != CRYPTO_thread_id()) 416 goto err;
351 {
352 /* we need a local one-time blinding factor */
353
354 blinding = setup_blinding(rsa, ctx);
355 if (blinding == NULL)
356 goto err;
357 local_blinding = 1;
358 }
359 }
360
361 if (blinding)
362 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
363 417
364 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 418 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
365 ((rsa->p != NULL) && 419 ((rsa->p != NULL) &&
@@ -368,37 +422,42 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
368 (rsa->dmq1 != NULL) && 422 (rsa->dmq1 != NULL) &&
369 (rsa->iqmp != NULL)) ) 423 (rsa->iqmp != NULL)) )
370 { 424 {
371 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 425 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
372 } 426 }
373 else 427 else
374 { 428 {
375 BIGNUM local_d; 429 BIGNUM local_d;
376 BIGNUM *d = NULL; 430 BIGNUM *d = NULL;
377 431
378 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 432 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
379 { 433 {
380 BN_init(&local_d); 434 BN_init(&local_d);
381 d = &local_d; 435 d = &local_d;
382 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 436 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
383 } 437 }
384 else 438 else
385 d = rsa->d; 439 d= rsa->d;
386 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err; 440
441 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
442
443 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
444 rsa->_method_mod_n)) goto err;
387 } 445 }
388 446
389 if (blinding) 447 if (blinding)
390 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 448 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
449 goto err;
391 450
392 if (padding == RSA_X931_PADDING) 451 if (padding == RSA_X931_PADDING)
393 { 452 {
394 BN_sub(&f, rsa->n, &ret); 453 BN_sub(f, rsa->n, ret);
395 if (BN_cmp(&ret, &f)) 454 if (BN_cmp(ret, f))
396 res = &f; 455 res = f;
397 else 456 else
398 res = &ret; 457 res = ret;
399 } 458 }
400 else 459 else
401 res = &ret; 460 res = ret;
402 461
403 /* put in leading 0 bytes if the number is less than the 462 /* put in leading 0 bytes if the number is less than the
404 * length of the modulus */ 463 * length of the modulus */
@@ -409,11 +468,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
409 468
410 r=num; 469 r=num;
411err: 470err:
412 if (ctx != NULL) BN_CTX_free(ctx); 471 if (ctx != NULL)
413 BN_clear_free(&ret); 472 {
414 BN_clear_free(&f); 473 BN_CTX_end(ctx);
415 if (local_blinding) 474 BN_CTX_free(ctx);
416 BN_BLINDING_free(blinding); 475 }
417 if (buf != NULL) 476 if (buf != NULL)
418 { 477 {
419 OPENSSL_cleanse(buf,num); 478 OPENSSL_cleanse(buf,num);
@@ -425,7 +484,7 @@ err:
425static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 484static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
426 unsigned char *to, RSA *rsa, int padding) 485 unsigned char *to, RSA *rsa, int padding)
427 { 486 {
428 BIGNUM f,ret; 487 BIGNUM *f, *ret, *br;
429 int j,num=0,r= -1; 488 int j,num=0,r= -1;
430 unsigned char *p; 489 unsigned char *p;
431 unsigned char *buf=NULL; 490 unsigned char *buf=NULL;
@@ -433,14 +492,14 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
433 int local_blinding = 0; 492 int local_blinding = 0;
434 BN_BLINDING *blinding = NULL; 493 BN_BLINDING *blinding = NULL;
435 494
436 BN_init(&f); 495 if((ctx = BN_CTX_new()) == NULL) goto err;
437 BN_init(&ret); 496 BN_CTX_start(ctx);
438 ctx=BN_CTX_new(); 497 f = BN_CTX_get(ctx);
439 if (ctx == NULL) goto err; 498 br = BN_CTX_get(ctx);
440 499 ret = BN_CTX_get(ctx);
441 num=BN_num_bytes(rsa->n); 500 num = BN_num_bytes(rsa->n);
442 501 buf = OPENSSL_malloc(num);
443 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 502 if(!f || !ret || !buf)
444 { 503 {
445 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 504 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
446 goto err; 505 goto err;
@@ -455,25 +514,17 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
455 } 514 }
456 515
457 /* make data into a big number */ 516 /* make data into a big number */
458 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; 517 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
459 518
460 if (BN_ucmp(&f, rsa->n) >= 0) 519 if (BN_ucmp(f, rsa->n) >= 0)
461 { 520 {
462 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 521 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
463 goto err; 522 goto err;
464 } 523 }
465 524
466 BLINDING_HELPER(rsa, ctx, goto err;);
467 blinding = rsa->blinding;
468
469 /* Now unless blinding is disabled, 'blinding' is non-NULL.
470 * But the BN_BLINDING object may be owned by some other thread
471 * (we don't want to keep it constant and we don't want to use
472 * lots of locking to avoid race conditions, so only a single
473 * thread can use it; other threads have to use local blinding
474 * factors) */
475 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 525 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
476 { 526 {
527 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
477 if (blinding == NULL) 528 if (blinding == NULL)
478 { 529 {
479 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 530 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
@@ -482,20 +533,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
482 } 533 }
483 534
484 if (blinding != NULL) 535 if (blinding != NULL)
485 { 536 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
486 if (blinding->thread_id != CRYPTO_thread_id()) 537 goto err;
487 {
488 /* we need a local one-time blinding factor */
489
490 blinding = setup_blinding(rsa, ctx);
491 if (blinding == NULL)
492 goto err;
493 local_blinding = 1;
494 }
495 }
496
497 if (blinding)
498 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
499 538
500 /* do the decrypt */ 539 /* do the decrypt */
501 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 540 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -505,29 +544,33 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
505 (rsa->dmq1 != NULL) && 544 (rsa->dmq1 != NULL) &&
506 (rsa->iqmp != NULL)) ) 545 (rsa->iqmp != NULL)) )
507 { 546 {
508 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 547 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
509 } 548 }
510 else 549 else
511 { 550 {
512 BIGNUM local_d; 551 BIGNUM local_d;
513 BIGNUM *d = NULL; 552 BIGNUM *d = NULL;
514 553
515 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 554 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
516 { 555 {
517 d = &local_d; 556 d = &local_d;
518 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 557 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
519 } 558 }
520 else 559 else
521 d = rsa->d; 560 d = rsa->d;
522 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) 561
523 goto err; 562 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
563 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
564 rsa->_method_mod_n))
565 goto err;
524 } 566 }
525 567
526 if (blinding) 568 if (blinding)
527 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 569 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
570 goto err;
528 571
529 p=buf; 572 p=buf;
530 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ 573 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
531 574
532 switch (padding) 575 switch (padding)
533 { 576 {
@@ -553,11 +596,11 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
553 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 596 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
554 597
555err: 598err:
556 if (ctx != NULL) BN_CTX_free(ctx); 599 if (ctx != NULL)
557 BN_clear_free(&f); 600 {
558 BN_clear_free(&ret); 601 BN_CTX_end(ctx);
559 if (local_blinding) 602 BN_CTX_free(ctx);
560 BN_BLINDING_free(blinding); 603 }
561 if (buf != NULL) 604 if (buf != NULL)
562 { 605 {
563 OPENSSL_cleanse(buf,num); 606 OPENSSL_cleanse(buf,num);
@@ -570,20 +613,41 @@ err:
570static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 613static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
571 unsigned char *to, RSA *rsa, int padding) 614 unsigned char *to, RSA *rsa, int padding)
572 { 615 {
573 BIGNUM f,ret; 616 BIGNUM *f,*ret;
574 int i,num=0,r= -1; 617 int i,num=0,r= -1;
575 unsigned char *p; 618 unsigned char *p;
576 unsigned char *buf=NULL; 619 unsigned char *buf=NULL;
577 BN_CTX *ctx=NULL; 620 BN_CTX *ctx=NULL;
578 621
579 BN_init(&f); 622 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
580 BN_init(&ret); 623 {
581 ctx=BN_CTX_new(); 624 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
582 if (ctx == NULL) goto err; 625 return -1;
626 }
583 627
628 if (BN_ucmp(rsa->n, rsa->e) <= 0)
629 {
630 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
631 return -1;
632 }
633
634 /* for large moduli, enforce exponent limit */
635 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
636 {
637 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
638 {
639 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
640 return -1;
641 }
642 }
643
644 if((ctx = BN_CTX_new()) == NULL) goto err;
645 BN_CTX_start(ctx);
646 f = BN_CTX_get(ctx);
647 ret = BN_CTX_get(ctx);
584 num=BN_num_bytes(rsa->n); 648 num=BN_num_bytes(rsa->n);
585 buf=(unsigned char *)OPENSSL_malloc(num); 649 buf = OPENSSL_malloc(num);
586 if (buf == NULL) 650 if(!f || !ret || !buf)
587 { 651 {
588 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 652 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
589 goto err; 653 goto err;
@@ -597,37 +661,33 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
597 goto err; 661 goto err;
598 } 662 }
599 663
600 if (BN_bin2bn(from,flen,&f) == NULL) goto err; 664 if (BN_bin2bn(from,flen,f) == NULL) goto err;
601 665
602 if (BN_ucmp(&f, rsa->n) >= 0) 666 if (BN_ucmp(f, rsa->n) >= 0)
603 { 667 {
604 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 668 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
605 goto err; 669 goto err;
606 } 670 }
607 671
608 /* do the decrypt */ 672 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
609
610 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
611 {
612 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
613 CRYPTO_LOCK_RSA, rsa->n, ctx))
614 goto err;
615 }
616 673
617 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 674 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
618 rsa->_method_mod_n)) goto err; 675 rsa->_method_mod_n)) goto err;
619 676
620 if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12)) 677 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
621 BN_sub(&ret, rsa->n, &ret); 678 BN_sub(ret, rsa->n, ret);
622 679
623 p=buf; 680 p=buf;
624 i=BN_bn2bin(&ret,p); 681 i=BN_bn2bin(ret,p);
625 682
626 switch (padding) 683 switch (padding)
627 { 684 {
628 case RSA_PKCS1_PADDING: 685 case RSA_PKCS1_PADDING:
629 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 686 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
630 break; 687 break;
688 case RSA_X931_PADDING:
689 r=RSA_padding_check_X931(to,num,buf,i,num);
690 break;
631 case RSA_NO_PADDING: 691 case RSA_NO_PADDING:
632 r=RSA_padding_check_none(to,num,buf,i,num); 692 r=RSA_padding_check_none(to,num,buf,i,num);
633 break; 693 break;
@@ -639,9 +699,11 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
639 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 699 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
640 700
641err: 701err:
642 if (ctx != NULL) BN_CTX_free(ctx); 702 if (ctx != NULL)
643 BN_clear_free(&f); 703 {
644 BN_clear_free(&ret); 704 BN_CTX_end(ctx);
705 BN_CTX_free(ctx);
706 }
645 if (buf != NULL) 707 if (buf != NULL)
646 { 708 {
647 OPENSSL_cleanse(buf,num); 709 OPENSSL_cleanse(buf,num);
@@ -650,59 +712,111 @@ err:
650 return(r); 712 return(r);
651 } 713 }
652 714
653static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 715static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
654 { 716 {
655 BIGNUM r1,m1,vrfy; 717 BIGNUM *r1,*m1,*vrfy;
656 BIGNUM local_dmp1, local_dmq1; 718 BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
657 BIGNUM *dmp1, *dmq1; 719 BIGNUM *dmp1,*dmq1,*c,*pr1;
658 int ret=0; 720 int ret=0;
659 BN_CTX *ctx;
660 721
661 BN_init(&m1); 722 BN_CTX_start(ctx);
662 BN_init(&r1); 723 r1 = BN_CTX_get(ctx);
663 BN_init(&vrfy); 724 m1 = BN_CTX_get(ctx);
664 if ((ctx=BN_CTX_new()) == NULL) goto err; 725 vrfy = BN_CTX_get(ctx);
726
727 {
728 BIGNUM local_p, local_q;
729 BIGNUM *p = NULL, *q = NULL;
730
731 /* Make sure BN_mod_inverse in Montgomery intialization uses the
732 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
733 */
734 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
735 {
736 BN_init(&local_p);
737 p = &local_p;
738 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
739
740 BN_init(&local_q);
741 q = &local_q;
742 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
743 }
744 else
745 {
746 p = rsa->p;
747 q = rsa->q;
748 }
749
750 MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
751 MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
752 }
753
754 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
665 755
666 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 756 /* compute I mod q */
757 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
667 { 758 {
668 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 759 c = &local_c;
669 CRYPTO_LOCK_RSA, rsa->p, ctx)) 760 BN_with_flags(c, I, BN_FLG_CONSTTIME);
670 goto err; 761 if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
671 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 762 }
672 CRYPTO_LOCK_RSA, rsa->q, ctx)) 763 else
673 goto err; 764 {
765 if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
674 } 766 }
675 767
676 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 768 /* compute r1^dmq1 mod q */
677 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 769 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
678 { 770 {
679 dmq1 = &local_dmq1; 771 dmq1 = &local_dmq1;
680 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); 772 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
681 } 773 }
682 else 774 else
683 dmq1 = rsa->dmq1; 775 dmq1 = rsa->dmq1;
684 if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx, 776 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
685 rsa->_method_mod_q)) goto err; 777 rsa->_method_mod_q)) goto err;
686 778
687 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 779 /* compute I mod p */
688 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 780 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
781 {
782 c = &local_c;
783 BN_with_flags(c, I, BN_FLG_CONSTTIME);
784 if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
785 }
786 else
787 {
788 if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
789 }
790
791 /* compute r1^dmp1 mod p */
792 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
689 { 793 {
690 dmp1 = &local_dmp1; 794 dmp1 = &local_dmp1;
691 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME); 795 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
692 } 796 }
693 else 797 else
694 dmp1 = rsa->dmp1; 798 dmp1 = rsa->dmp1;
695 if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx, 799 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
696 rsa->_method_mod_p)) goto err; 800 rsa->_method_mod_p)) goto err;
697 801
698 if (!BN_sub(r0,r0,&m1)) goto err; 802 if (!BN_sub(r0,r0,m1)) goto err;
699 /* This will help stop the size of r0 increasing, which does 803 /* This will help stop the size of r0 increasing, which does
700 * affect the multiply if it optimised for a power of 2 size */ 804 * affect the multiply if it optimised for a power of 2 size */
701 if (r0->neg) 805 if (BN_is_negative(r0))
702 if (!BN_add(r0,r0,rsa->p)) goto err; 806 if (!BN_add(r0,r0,rsa->p)) goto err;
703 807
704 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; 808 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
705 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; 809
810 /* Turn BN_FLG_CONSTTIME flag on before division operation */
811 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
812 {
813 pr1 = &local_r1;
814 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
815 }
816 else
817 pr1 = r1;
818 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
819
706 /* If p < q it is occasionally possible for the correction of 820 /* If p < q it is occasionally possible for the correction of
707 * adding 'p' if r0 is negative above to leave the result still 821 * adding 'p' if r0 is negative above to leave the result still
708 * negative. This can break the private key operations: the following 822 * negative. This can break the private key operations: the following
@@ -710,23 +824,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
710 * This will *never* happen with OpenSSL generated keys because 824 * This will *never* happen with OpenSSL generated keys because
711 * they ensure p > q [steve] 825 * they ensure p > q [steve]
712 */ 826 */
713 if (r0->neg) 827 if (BN_is_negative(r0))
714 if (!BN_add(r0,r0,rsa->p)) goto err; 828 if (!BN_add(r0,r0,rsa->p)) goto err;
715 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; 829 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
716 if (!BN_add(r0,&r1,&m1)) goto err; 830 if (!BN_add(r0,r1,m1)) goto err;
717 831
718 if (rsa->e && rsa->n) 832 if (rsa->e && rsa->n)
719 { 833 {
720 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; 834 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
721 /* If 'I' was greater than (or equal to) rsa->n, the operation 835 /* If 'I' was greater than (or equal to) rsa->n, the operation
722 * will be equivalent to using 'I mod n'. However, the result of 836 * will be equivalent to using 'I mod n'. However, the result of
723 * the verify will *always* be less than 'n' so we don't check 837 * the verify will *always* be less than 'n' so we don't check
724 * for absolute equality, just congruency. */ 838 * for absolute equality, just congruency. */
725 if (!BN_sub(&vrfy, &vrfy, I)) goto err; 839 if (!BN_sub(vrfy, vrfy, I)) goto err;
726 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; 840 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
727 if (vrfy.neg) 841 if (BN_is_negative(vrfy))
728 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; 842 if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
729 if (!BN_is_zero(&vrfy)) 843 if (!BN_is_zero(vrfy))
730 { 844 {
731 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 845 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
732 * miscalculated CRT output, just do a raw (slower) 846 * miscalculated CRT output, just do a raw (slower)
@@ -735,22 +849,20 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
735 BIGNUM local_d; 849 BIGNUM local_d;
736 BIGNUM *d = NULL; 850 BIGNUM *d = NULL;
737 851
738 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 852 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
739 { 853 {
740 d = &local_d; 854 d = &local_d;
741 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 855 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
742 } 856 }
743 else 857 else
744 d = rsa->d; 858 d = rsa->d;
745 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err; 859 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
860 rsa->_method_mod_n)) goto err;
746 } 861 }
747 } 862 }
748 ret=1; 863 ret=1;
749err: 864err:
750 BN_clear_free(&m1); 865 BN_CTX_end(ctx);
751 BN_clear_free(&r1);
752 BN_clear_free(&vrfy);
753 BN_CTX_free(ctx);
754 return(ret); 866 return(ret);
755 } 867 }
756 868
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-02 16:39:41 +0000