summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_eay.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c539
1 files changed, 316 insertions, 223 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 610889dc80..bb77d0f67e 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -115,7 +115,7 @@
115#include <openssl/rsa.h> 115#include <openssl/rsa.h>
116#include <openssl/rand.h> 116#include <openssl/rand.h>
117 117
118#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS) 118#ifndef RSA_NULL
119 119
120static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 120static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121 unsigned char *to, RSA *rsa,int padding); 121 unsigned char *to, RSA *rsa,int padding);
@@ -125,7 +125,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125 unsigned char *to, RSA *rsa,int padding); 125 unsigned char *to, RSA *rsa,int padding);
126static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 126static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127 unsigned char *to, RSA *rsa,int padding); 127 unsigned char *to, RSA *rsa,int padding);
128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); 128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
129static int RSA_eay_init(RSA *rsa); 129static int RSA_eay_init(RSA *rsa);
130static int RSA_eay_finish(RSA *rsa); 130static int RSA_eay_finish(RSA *rsa);
131static RSA_METHOD rsa_pkcs1_eay_meth={ 131static RSA_METHOD rsa_pkcs1_eay_meth={
@@ -141,7 +141,8 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
141 0, /* flags */ 141 0, /* flags */
142 NULL, 142 NULL,
143 0, /* rsa_sign */ 143 0, /* rsa_sign */
144 0 /* rsa_verify */ 144 0, /* rsa_verify */
145 NULL /* rsa_keygen */
145 }; 146 };
146 147
147const RSA_METHOD *RSA_PKCS1_SSLeay(void) 148const RSA_METHOD *RSA_PKCS1_SSLeay(void)
@@ -149,19 +150,53 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
149 return(&rsa_pkcs1_eay_meth); 150 return(&rsa_pkcs1_eay_meth);
150 } 151 }
151 152
153/* Usage example;
154 * MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
155 */
156#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
157 if ((pre_cond) && ((method_mod) == NULL) && \
158 !BN_MONT_CTX_set_locked(&(method_mod), \
159 CRYPTO_LOCK_RSA, \
160 (m), (ctx))) \
161 err_instr
162
152static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 163static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
153 unsigned char *to, RSA *rsa, int padding) 164 unsigned char *to, RSA *rsa, int padding)
154 { 165 {
155 BIGNUM f,ret; 166 BIGNUM *f,*ret;
156 int i,j,k,num=0,r= -1; 167 int i,j,k,num=0,r= -1;
157 unsigned char *buf=NULL; 168 unsigned char *buf=NULL;
158 BN_CTX *ctx=NULL; 169 BN_CTX *ctx=NULL;
159 170
160 BN_init(&f); 171 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
161 BN_init(&ret); 172 {
173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
174 return -1;
175 }
176
177 if (BN_ucmp(rsa->n, rsa->e) <= 0)
178 {
179 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
180 return -1;
181 }
182
183 /* for large moduli, enforce exponent limit */
184 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
185 {
186 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
187 {
188 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
189 return -1;
190 }
191 }
192
162 if ((ctx=BN_CTX_new()) == NULL) goto err; 193 if ((ctx=BN_CTX_new()) == NULL) goto err;
194 BN_CTX_start(ctx);
195 f = BN_CTX_get(ctx);
196 ret = BN_CTX_get(ctx);
163 num=BN_num_bytes(rsa->n); 197 num=BN_num_bytes(rsa->n);
164 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 198 buf = OPENSSL_malloc(num);
199 if (!f || !ret || !buf)
165 { 200 {
166 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 201 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
167 goto err; 202 goto err;
@@ -189,37 +224,34 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
189 } 224 }
190 if (i <= 0) goto err; 225 if (i <= 0) goto err;
191 226
192 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 227 if (BN_bin2bn(buf,num,f) == NULL) goto err;
193 228
194 if (BN_ucmp(&f, rsa->n) >= 0) 229 if (BN_ucmp(f, rsa->n) >= 0)
195 { 230 {
196 /* usually the padding functions would catch this */ 231 /* usually the padding functions would catch this */
197 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 232 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
198 goto err; 233 goto err;
199 } 234 }
200 235
201 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 236 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
202 {
203 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
204 CRYPTO_LOCK_RSA, rsa->n, ctx))
205 goto err;
206 }
207 237
208 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 238 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
209 rsa->_method_mod_n)) goto err; 239 rsa->_method_mod_n)) goto err;
210 240
211 /* put in leading 0 bytes if the number is less than the 241 /* put in leading 0 bytes if the number is less than the
212 * length of the modulus */ 242 * length of the modulus */
213 j=BN_num_bytes(&ret); 243 j=BN_num_bytes(ret);
214 i=BN_bn2bin(&ret,&(to[num-j])); 244 i=BN_bn2bin(ret,&(to[num-j]));
215 for (k=0; k<(num-i); k++) 245 for (k=0; k<(num-i); k++)
216 to[k]=0; 246 to[k]=0;
217 247
218 r=num; 248 r=num;
219err: 249err:
220 if (ctx != NULL) BN_CTX_free(ctx); 250 if (ctx != NULL)
221 BN_clear_free(&f); 251 {
222 BN_clear_free(&ret); 252 BN_CTX_end(ctx);
253 BN_CTX_free(ctx);
254 }
223 if (buf != NULL) 255 if (buf != NULL)
224 { 256 {
225 OPENSSL_cleanse(buf,num); 257 OPENSSL_cleanse(buf,num);
@@ -228,64 +260,101 @@ err:
228 return(r); 260 return(r);
229 } 261 }
230 262
231static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) 263static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
232 { 264{
233 int ret = 1; 265 BN_BLINDING *ret;
234 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 266 int got_write_lock = 0;
235 /* Check again inside the lock - the macro's check is racey */
236 if(rsa->blinding == NULL)
237 ret = RSA_blinding_on(rsa, ctx);
238 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
239 return ret;
240 }
241 267
242#define BLINDING_HELPER(rsa, ctx, err_instr) \ 268 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
243 do { \
244 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
245 ((rsa)->blinding == NULL) && \
246 !rsa_eay_blinding(rsa, ctx)) \
247 err_instr \
248 } while(0)
249 269
250static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) 270 if (rsa->blinding == NULL)
251 { 271 {
252 BIGNUM *A, *Ai; 272 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
253 BN_BLINDING *ret = NULL; 273 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
274 got_write_lock = 1;
254 275
255 /* added in OpenSSL 0.9.6j and 0.9.7b */ 276 if (rsa->blinding == NULL)
277 rsa->blinding = RSA_setup_blinding(rsa, ctx);
278 }
256 279
257 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); 280 ret = rsa->blinding;
258 * this should be placed in a new function of its own, but for reasons 281 if (ret == NULL)
259 * of binary compatibility can't */ 282 goto err;
260 283
261 BN_CTX_start(ctx); 284 if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id())
262 A = BN_CTX_get(ctx);
263 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
264 { 285 {
265 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ 286 /* rsa->blinding is ours! */
266 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); 287
267 if (!BN_pseudo_rand_range(A,rsa->n)) goto err; 288 *local = 1;
268 } 289 }
269 else 290 else
270 { 291 {
271 if (!BN_rand_range(A,rsa->n)) goto err; 292 /* resort to rsa->mt_blinding instead */
293
294 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
295 * that the BN_BLINDING is shared, meaning that accesses
296 * require locks, and that the blinding factor must be
297 * stored outside the BN_BLINDING
298 */
299
300 if (rsa->mt_blinding == NULL)
301 {
302 if (!got_write_lock)
303 {
304 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
305 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
306 got_write_lock = 1;
307 }
308
309 if (rsa->mt_blinding == NULL)
310 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
311 }
312 ret = rsa->mt_blinding;
272 } 313 }
273 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
274 314
275 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) 315 err:
276 goto err; 316 if (got_write_lock)
277 ret = BN_BLINDING_new(A,Ai,rsa->n); 317 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
278 BN_free(Ai); 318 else
279err: 319 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
280 BN_CTX_end(ctx);
281 return ret; 320 return ret;
282 } 321}
322
323static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
324 BIGNUM *r, BN_CTX *ctx)
325{
326 if (local)
327 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
328 else
329 {
330 int ret;
331 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
332 ret = BN_BLINDING_convert_ex(f, r, b, ctx);
333 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
334 return ret;
335 }
336}
337
338static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
339 BIGNUM *r, BN_CTX *ctx)
340{
341 if (local)
342 return BN_BLINDING_invert_ex(f, NULL, b, ctx);
343 else
344 {
345 int ret;
346 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
347 ret = BN_BLINDING_invert_ex(f, r, b, ctx);
348 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
349 return ret;
350 }
351}
283 352
284/* signing */ 353/* signing */
285static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 354static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
286 unsigned char *to, RSA *rsa, int padding) 355 unsigned char *to, RSA *rsa, int padding)
287 { 356 {
288 BIGNUM f,ret, *res; 357 BIGNUM *f, *ret, *br, *res;
289 int i,j,k,num=0,r= -1; 358 int i,j,k,num=0,r= -1;
290 unsigned char *buf=NULL; 359 unsigned char *buf=NULL;
291 BN_CTX *ctx=NULL; 360 BN_CTX *ctx=NULL;
@@ -318,8 +387,13 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
318 } 387 }
319 388
320 if ((ctx=BN_CTX_new()) == NULL) goto err; 389 if ((ctx=BN_CTX_new()) == NULL) goto err;
321 num=BN_num_bytes(rsa->n); 390 BN_CTX_start(ctx);
322 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 391 f = BN_CTX_get(ctx);
392 br = BN_CTX_get(ctx);
393 ret = BN_CTX_get(ctx);
394 num = BN_num_bytes(rsa->n);
395 buf = OPENSSL_malloc(num);
396 if(!f || !ret || !buf)
323 { 397 {
324 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 398 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
325 goto err; 399 goto err;
@@ -330,6 +404,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
330 case RSA_PKCS1_PADDING: 404 case RSA_PKCS1_PADDING:
331 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 405 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
332 break; 406 break;
407 case RSA_X931_PADDING:
408 i=RSA_padding_add_X931(buf,num,from,flen);
409 break;
333 case RSA_NO_PADDING: 410 case RSA_NO_PADDING:
334 i=RSA_padding_add_none(buf,num,from,flen); 411 i=RSA_padding_add_none(buf,num,from,flen);
335 break; 412 break;
@@ -340,26 +417,18 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
340 } 417 }
341 if (i <= 0) goto err; 418 if (i <= 0) goto err;
342 419
343 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 420 if (BN_bin2bn(buf,num,f) == NULL) goto err;
344 421
345 if (BN_ucmp(&f, rsa->n) >= 0) 422 if (BN_ucmp(f, rsa->n) >= 0)
346 { 423 {
347 /* usually the padding functions would catch this */ 424 /* usually the padding functions would catch this */
348 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 425 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
349 goto err; 426 goto err;
350 } 427 }
351 428
352 BLINDING_HELPER(rsa, ctx, goto err;);
353 blinding = rsa->blinding;
354
355 /* Now unless blinding is disabled, 'blinding' is non-NULL.
356 * But the BN_BLINDING object may be owned by some other thread
357 * (we don't want to keep it constant and we don't want to use
358 * lots of locking to avoid race conditions, so only a single
359 * thread can use it; other threads have to use local blinding
360 * factors) */
361 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 429 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
362 { 430 {
431 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
363 if (blinding == NULL) 432 if (blinding == NULL)
364 { 433 {
365 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 434 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
@@ -368,20 +437,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
368 } 437 }
369 438
370 if (blinding != NULL) 439 if (blinding != NULL)
371 { 440 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
372 if (blinding->thread_id != CRYPTO_thread_id()) 441 goto err;
373 {
374 /* we need a local one-time blinding factor */
375
376 blinding = setup_blinding(rsa, ctx);
377 if (blinding == NULL)
378 goto err;
379 local_blinding = 1;
380 }
381 }
382
383 if (blinding)
384 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
385 442
386 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 443 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
387 ((rsa->p != NULL) && 444 ((rsa->p != NULL) &&
@@ -390,37 +447,42 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
390 (rsa->dmq1 != NULL) && 447 (rsa->dmq1 != NULL) &&
391 (rsa->iqmp != NULL)) ) 448 (rsa->iqmp != NULL)) )
392 { 449 {
393 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 450 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
394 } 451 }
395 else 452 else
396 { 453 {
397 BIGNUM local_d; 454 BIGNUM local_d;
398 BIGNUM *d = NULL; 455 BIGNUM *d = NULL;
399 456
400 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 457 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
401 { 458 {
402 BN_init(&local_d); 459 BN_init(&local_d);
403 d = &local_d; 460 d = &local_d;
404 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 461 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
405 } 462 }
406 else 463 else
407 d = rsa->d; 464 d= rsa->d;
408 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err; 465
466 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
467
468 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
469 rsa->_method_mod_n)) goto err;
409 } 470 }
410 471
411 if (blinding) 472 if (blinding)
412 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 473 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
474 goto err;
413 475
414 if (padding == RSA_X931_PADDING) 476 if (padding == RSA_X931_PADDING)
415 { 477 {
416 BN_sub(&f, rsa->n, &ret); 478 BN_sub(f, rsa->n, ret);
417 if (BN_cmp(&ret, &f)) 479 if (BN_cmp(ret, f))
418 res = &f; 480 res = f;
419 else 481 else
420 res = &ret; 482 res = ret;
421 } 483 }
422 else 484 else
423 res = &ret; 485 res = ret;
424 486
425 /* put in leading 0 bytes if the number is less than the 487 /* put in leading 0 bytes if the number is less than the
426 * length of the modulus */ 488 * length of the modulus */
@@ -431,11 +493,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
431 493
432 r=num; 494 r=num;
433err: 495err:
434 if (ctx != NULL) BN_CTX_free(ctx); 496 if (ctx != NULL)
435 BN_clear_free(&ret); 497 {
436 BN_clear_free(&f); 498 BN_CTX_end(ctx);
437 if (local_blinding) 499 BN_CTX_free(ctx);
438 BN_BLINDING_free(blinding); 500 }
439 if (buf != NULL) 501 if (buf != NULL)
440 { 502 {
441 OPENSSL_cleanse(buf,num); 503 OPENSSL_cleanse(buf,num);
@@ -447,7 +509,7 @@ err:
447static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 509static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
448 unsigned char *to, RSA *rsa, int padding) 510 unsigned char *to, RSA *rsa, int padding)
449 { 511 {
450 BIGNUM f,ret; 512 BIGNUM *f, *ret, *br;
451 int j,num=0,r= -1; 513 int j,num=0,r= -1;
452 unsigned char *p; 514 unsigned char *p;
453 unsigned char *buf=NULL; 515 unsigned char *buf=NULL;
@@ -455,14 +517,14 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
455 int local_blinding = 0; 517 int local_blinding = 0;
456 BN_BLINDING *blinding = NULL; 518 BN_BLINDING *blinding = NULL;
457 519
458 BN_init(&f); 520 if((ctx = BN_CTX_new()) == NULL) goto err;
459 BN_init(&ret); 521 BN_CTX_start(ctx);
460 ctx=BN_CTX_new(); 522 f = BN_CTX_get(ctx);
461 if (ctx == NULL) goto err; 523 br = BN_CTX_get(ctx);
462 524 ret = BN_CTX_get(ctx);
463 num=BN_num_bytes(rsa->n); 525 num = BN_num_bytes(rsa->n);
464 526 buf = OPENSSL_malloc(num);
465 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) 527 if(!f || !ret || !buf)
466 { 528 {
467 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 529 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
468 goto err; 530 goto err;
@@ -477,25 +539,17 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
477 } 539 }
478 540
479 /* make data into a big number */ 541 /* make data into a big number */
480 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; 542 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
481 543
482 if (BN_ucmp(&f, rsa->n) >= 0) 544 if (BN_ucmp(f, rsa->n) >= 0)
483 { 545 {
484 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 546 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
485 goto err; 547 goto err;
486 } 548 }
487 549
488 BLINDING_HELPER(rsa, ctx, goto err;);
489 blinding = rsa->blinding;
490
491 /* Now unless blinding is disabled, 'blinding' is non-NULL.
492 * But the BN_BLINDING object may be owned by some other thread
493 * (we don't want to keep it constant and we don't want to use
494 * lots of locking to avoid race conditions, so only a single
495 * thread can use it; other threads have to use local blinding
496 * factors) */
497 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 550 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
498 { 551 {
552 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
499 if (blinding == NULL) 553 if (blinding == NULL)
500 { 554 {
501 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 555 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
@@ -504,20 +558,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
504 } 558 }
505 559
506 if (blinding != NULL) 560 if (blinding != NULL)
507 { 561 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
508 if (blinding->thread_id != CRYPTO_thread_id()) 562 goto err;
509 {
510 /* we need a local one-time blinding factor */
511
512 blinding = setup_blinding(rsa, ctx);
513 if (blinding == NULL)
514 goto err;
515 local_blinding = 1;
516 }
517 }
518
519 if (blinding)
520 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
521 563
522 /* do the decrypt */ 564 /* do the decrypt */
523 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 565 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -527,29 +569,33 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
527 (rsa->dmq1 != NULL) && 569 (rsa->dmq1 != NULL) &&
528 (rsa->iqmp != NULL)) ) 570 (rsa->iqmp != NULL)) )
529 { 571 {
530 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; 572 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
531 } 573 }
532 else 574 else
533 { 575 {
534 BIGNUM local_d; 576 BIGNUM local_d;
535 BIGNUM *d = NULL; 577 BIGNUM *d = NULL;
536 578
537 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 579 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
538 { 580 {
539 d = &local_d; 581 d = &local_d;
540 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 582 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
541 } 583 }
542 else 584 else
543 d = rsa->d; 585 d = rsa->d;
544 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) 586
545 goto err; 587 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
588 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
589 rsa->_method_mod_n))
590 goto err;
546 } 591 }
547 592
548 if (blinding) 593 if (blinding)
549 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 594 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
595 goto err;
550 596
551 p=buf; 597 p=buf;
552 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ 598 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
553 599
554 switch (padding) 600 switch (padding)
555 { 601 {
@@ -575,11 +621,11 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
575 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 621 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
576 622
577err: 623err:
578 if (ctx != NULL) BN_CTX_free(ctx); 624 if (ctx != NULL)
579 BN_clear_free(&f); 625 {
580 BN_clear_free(&ret); 626 BN_CTX_end(ctx);
581 if (local_blinding) 627 BN_CTX_free(ctx);
582 BN_BLINDING_free(blinding); 628 }
583 if (buf != NULL) 629 if (buf != NULL)
584 { 630 {
585 OPENSSL_cleanse(buf,num); 631 OPENSSL_cleanse(buf,num);
@@ -592,7 +638,7 @@ err:
592static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 638static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
593 unsigned char *to, RSA *rsa, int padding) 639 unsigned char *to, RSA *rsa, int padding)
594 { 640 {
595 BIGNUM f,ret; 641 BIGNUM *f,*ret;
596 int i,num=0,r= -1; 642 int i,num=0,r= -1;
597 unsigned char *p; 643 unsigned char *p;
598 unsigned char *buf=NULL; 644 unsigned char *buf=NULL;
@@ -619,15 +665,14 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
619 return -1; 665 return -1;
620 } 666 }
621 } 667 }
622 668
623 BN_init(&f); 669 if((ctx = BN_CTX_new()) == NULL) goto err;
624 BN_init(&ret); 670 BN_CTX_start(ctx);
625 ctx=BN_CTX_new(); 671 f = BN_CTX_get(ctx);
626 if (ctx == NULL) goto err; 672 ret = BN_CTX_get(ctx);
627
628 num=BN_num_bytes(rsa->n); 673 num=BN_num_bytes(rsa->n);
629 buf=(unsigned char *)OPENSSL_malloc(num); 674 buf = OPENSSL_malloc(num);
630 if (buf == NULL) 675 if(!f || !ret || !buf)
631 { 676 {
632 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 677 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
633 goto err; 678 goto err;
@@ -641,37 +686,33 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
641 goto err; 686 goto err;
642 } 687 }
643 688
644 if (BN_bin2bn(from,flen,&f) == NULL) goto err; 689 if (BN_bin2bn(from,flen,f) == NULL) goto err;
645 690
646 if (BN_ucmp(&f, rsa->n) >= 0) 691 if (BN_ucmp(f, rsa->n) >= 0)
647 { 692 {
648 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 693 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
649 goto err; 694 goto err;
650 } 695 }
651 696
652 /* do the decrypt */ 697 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
653
654 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
655 {
656 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
657 CRYPTO_LOCK_RSA, rsa->n, ctx))
658 goto err;
659 }
660 698
661 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 699 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
662 rsa->_method_mod_n)) goto err; 700 rsa->_method_mod_n)) goto err;
663 701
664 if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12)) 702 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
665 BN_sub(&ret, rsa->n, &ret); 703 BN_sub(ret, rsa->n, ret);
666 704
667 p=buf; 705 p=buf;
668 i=BN_bn2bin(&ret,p); 706 i=BN_bn2bin(ret,p);
669 707
670 switch (padding) 708 switch (padding)
671 { 709 {
672 case RSA_PKCS1_PADDING: 710 case RSA_PKCS1_PADDING:
673 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 711 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
674 break; 712 break;
713 case RSA_X931_PADDING:
714 r=RSA_padding_check_X931(to,num,buf,i,num);
715 break;
675 case RSA_NO_PADDING: 716 case RSA_NO_PADDING:
676 r=RSA_padding_check_none(to,num,buf,i,num); 717 r=RSA_padding_check_none(to,num,buf,i,num);
677 break; 718 break;
@@ -683,9 +724,11 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
683 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 724 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
684 725
685err: 726err:
686 if (ctx != NULL) BN_CTX_free(ctx); 727 if (ctx != NULL)
687 BN_clear_free(&f); 728 {
688 BN_clear_free(&ret); 729 BN_CTX_end(ctx);
730 BN_CTX_free(ctx);
731 }
689 if (buf != NULL) 732 if (buf != NULL)
690 { 733 {
691 OPENSSL_cleanse(buf,num); 734 OPENSSL_cleanse(buf,num);
@@ -694,59 +737,111 @@ err:
694 return(r); 737 return(r);
695 } 738 }
696 739
697static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 740static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
698 { 741 {
699 BIGNUM r1,m1,vrfy; 742 BIGNUM *r1,*m1,*vrfy;
700 BIGNUM local_dmp1, local_dmq1; 743 BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
701 BIGNUM *dmp1, *dmq1; 744 BIGNUM *dmp1,*dmq1,*c,*pr1;
702 int ret=0; 745 int ret=0;
703 BN_CTX *ctx;
704 746
705 BN_init(&m1); 747 BN_CTX_start(ctx);
706 BN_init(&r1); 748 r1 = BN_CTX_get(ctx);
707 BN_init(&vrfy); 749 m1 = BN_CTX_get(ctx);
708 if ((ctx=BN_CTX_new()) == NULL) goto err; 750 vrfy = BN_CTX_get(ctx);
751
752 {
753 BIGNUM local_p, local_q;
754 BIGNUM *p = NULL, *q = NULL;
755
756 /* Make sure BN_mod_inverse in Montgomery intialization uses the
757 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
758 */
759 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
760 {
761 BN_init(&local_p);
762 p = &local_p;
763 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
764
765 BN_init(&local_q);
766 q = &local_q;
767 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
768 }
769 else
770 {
771 p = rsa->p;
772 q = rsa->q;
773 }
774
775 MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
776 MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
777 }
709 778
710 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 779 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
780
781 /* compute I mod q */
782 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
711 { 783 {
712 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 784 c = &local_c;
713 CRYPTO_LOCK_RSA, rsa->p, ctx)) 785 BN_with_flags(c, I, BN_FLG_CONSTTIME);
714 goto err; 786 if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
715 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 787 }
716 CRYPTO_LOCK_RSA, rsa->q, ctx)) 788 else
717 goto err; 789 {
790 if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
718 } 791 }
719 792
720 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 793 /* compute r1^dmq1 mod q */
721 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 794 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
722 { 795 {
723 dmq1 = &local_dmq1; 796 dmq1 = &local_dmq1;
724 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); 797 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
725 } 798 }
726 else 799 else
727 dmq1 = rsa->dmq1; 800 dmq1 = rsa->dmq1;
728 if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx, 801 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
729 rsa->_method_mod_q)) goto err; 802 rsa->_method_mod_q)) goto err;
730 803
731 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 804 /* compute I mod p */
732 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 805 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
806 {
807 c = &local_c;
808 BN_with_flags(c, I, BN_FLG_CONSTTIME);
809 if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
810 }
811 else
812 {
813 if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
814 }
815
816 /* compute r1^dmp1 mod p */
817 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
733 { 818 {
734 dmp1 = &local_dmp1; 819 dmp1 = &local_dmp1;
735 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME); 820 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
736 } 821 }
737 else 822 else
738 dmp1 = rsa->dmp1; 823 dmp1 = rsa->dmp1;
739 if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx, 824 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
740 rsa->_method_mod_p)) goto err; 825 rsa->_method_mod_p)) goto err;
741 826
742 if (!BN_sub(r0,r0,&m1)) goto err; 827 if (!BN_sub(r0,r0,m1)) goto err;
743 /* This will help stop the size of r0 increasing, which does 828 /* This will help stop the size of r0 increasing, which does
744 * affect the multiply if it optimised for a power of 2 size */ 829 * affect the multiply if it optimised for a power of 2 size */
745 if (r0->neg) 830 if (BN_is_negative(r0))
746 if (!BN_add(r0,r0,rsa->p)) goto err; 831 if (!BN_add(r0,r0,rsa->p)) goto err;
747 832
748 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; 833 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
749 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; 834
835 /* Turn BN_FLG_CONSTTIME flag on before division operation */
836 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
837 {
838 pr1 = &local_r1;
839 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
840 }
841 else
842 pr1 = r1;
843 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
844
750 /* If p < q it is occasionally possible for the correction of 845 /* If p < q it is occasionally possible for the correction of
751 * adding 'p' if r0 is negative above to leave the result still 846 * adding 'p' if r0 is negative above to leave the result still
752 * negative. This can break the private key operations: the following 847 * negative. This can break the private key operations: the following
@@ -754,23 +849,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
754 * This will *never* happen with OpenSSL generated keys because 849 * This will *never* happen with OpenSSL generated keys because
755 * they ensure p > q [steve] 850 * they ensure p > q [steve]
756 */ 851 */
757 if (r0->neg) 852 if (BN_is_negative(r0))
758 if (!BN_add(r0,r0,rsa->p)) goto err; 853 if (!BN_add(r0,r0,rsa->p)) goto err;
759 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; 854 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
760 if (!BN_add(r0,&r1,&m1)) goto err; 855 if (!BN_add(r0,r1,m1)) goto err;
761 856
762 if (rsa->e && rsa->n) 857 if (rsa->e && rsa->n)
763 { 858 {
764 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; 859 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
765 /* If 'I' was greater than (or equal to) rsa->n, the operation 860 /* If 'I' was greater than (or equal to) rsa->n, the operation
766 * will be equivalent to using 'I mod n'. However, the result of 861 * will be equivalent to using 'I mod n'. However, the result of
767 * the verify will *always* be less than 'n' so we don't check 862 * the verify will *always* be less than 'n' so we don't check
768 * for absolute equality, just congruency. */ 863 * for absolute equality, just congruency. */
769 if (!BN_sub(&vrfy, &vrfy, I)) goto err; 864 if (!BN_sub(vrfy, vrfy, I)) goto err;
770 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; 865 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
771 if (vrfy.neg) 866 if (BN_is_negative(vrfy))
772 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; 867 if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
773 if (!BN_is_zero(&vrfy)) 868 if (!BN_is_zero(vrfy))
774 { 869 {
775 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 870 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
776 * miscalculated CRT output, just do a raw (slower) 871 * miscalculated CRT output, just do a raw (slower)
@@ -779,22 +874,20 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
779 BIGNUM local_d; 874 BIGNUM local_d;
780 BIGNUM *d = NULL; 875 BIGNUM *d = NULL;
781 876
782 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 877 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
783 { 878 {
784 d = &local_d; 879 d = &local_d;
785 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); 880 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
786 } 881 }
787 else 882 else
788 d = rsa->d; 883 d = rsa->d;
789 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err; 884 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
885 rsa->_method_mod_n)) goto err;
790 } 886 }
791 } 887 }
792 ret=1; 888 ret=1;
793err: 889err:
794 BN_clear_free(&m1); 890 BN_CTX_end(ctx);
795 BN_clear_free(&r1);
796 BN_clear_free(&vrfy);
797 BN_CTX_free(ctx);
798 return(ret); 891 return(ret);
799 } 892 }
800 893
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 16:26:52 +0000