summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_eay.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c114
1 files changed, 72 insertions, 42 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index cde5ca27d5..d82dd15493 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -65,46 +65,46 @@
65 65
66#ifndef RSA_NULL 66#ifndef RSA_NULL
67 67
68static int RSA_eay_public_encrypt(int flen, unsigned char *from, 68static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
69 unsigned char *to, RSA *rsa,int padding); 69 unsigned char *to, RSA *rsa,int padding);
70static int RSA_eay_private_encrypt(int flen, unsigned char *from, 70static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
71 unsigned char *to, RSA *rsa,int padding); 71 unsigned char *to, RSA *rsa,int padding);
72static int RSA_eay_public_decrypt(int flen, unsigned char *from, 72static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
73 unsigned char *to, RSA *rsa,int padding); 73 unsigned char *to, RSA *rsa,int padding);
74static int RSA_eay_private_decrypt(int flen, unsigned char *from, 74static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
75 unsigned char *to, RSA *rsa,int padding); 75 unsigned char *to, RSA *rsa,int padding);
76static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa); 76static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
77static int RSA_eay_init(RSA *rsa); 77static int RSA_eay_init(RSA *rsa);
78static int RSA_eay_finish(RSA *rsa); 78static int RSA_eay_finish(RSA *rsa);
79static RSA_METHOD rsa_pkcs1_eay_meth={ 79static RSA_METHOD rsa_pkcs1_eay_meth={
80 "Eric Young's PKCS#1 RSA", 80 "Eric Young's PKCS#1 RSA",
81 RSA_eay_public_encrypt, 81 RSA_eay_public_encrypt,
82 RSA_eay_public_decrypt, 82 RSA_eay_public_decrypt, /* signature verification */
83 RSA_eay_private_encrypt, 83 RSA_eay_private_encrypt, /* signing */
84 RSA_eay_private_decrypt, 84 RSA_eay_private_decrypt,
85 RSA_eay_mod_exp, 85 RSA_eay_mod_exp,
86 BN_mod_exp_mont, 86 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
87 RSA_eay_init, 87 RSA_eay_init,
88 RSA_eay_finish, 88 RSA_eay_finish,
89 0, 89 0, /* flags */
90 NULL, 90 NULL,
91 0, /* rsa_sign */
92 0 /* rsa_verify */
91 }; 93 };
92 94
93RSA_METHOD *RSA_PKCS1_SSLeay(void) 95const RSA_METHOD *RSA_PKCS1_SSLeay(void)
94 { 96 {
95 return(&rsa_pkcs1_eay_meth); 97 return(&rsa_pkcs1_eay_meth);
96 } 98 }
97 99
98static int RSA_eay_public_encrypt(int flen, unsigned char *from, 100static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
99 unsigned char *to, RSA *rsa, int padding) 101 unsigned char *to, RSA *rsa, int padding)
100 { 102 {
101 const RSA_METHOD *meth;
102 BIGNUM f,ret; 103 BIGNUM f,ret;
103 int i,j,k,num=0,r= -1; 104 int i,j,k,num=0,r= -1;
104 unsigned char *buf=NULL; 105 unsigned char *buf=NULL;
105 BN_CTX *ctx=NULL; 106 BN_CTX *ctx=NULL;
106 107
107 meth = ENGINE_get_RSA(rsa->engine);
108 BN_init(&f); 108 BN_init(&f);
109 BN_init(&ret); 109 BN_init(&ret);
110 if ((ctx=BN_CTX_new()) == NULL) goto err; 110 if ((ctx=BN_CTX_new()) == NULL) goto err;
@@ -120,7 +120,7 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
120 case RSA_PKCS1_PADDING: 120 case RSA_PKCS1_PADDING:
121 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 121 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
122 break; 122 break;
123#ifndef NO_SHA 123#ifndef OPENSSL_NO_SHA
124 case RSA_PKCS1_OAEP_PADDING: 124 case RSA_PKCS1_OAEP_PADDING:
125 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 125 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
126 break; 126 break;
@@ -139,6 +139,13 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
139 139
140 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 140 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
141 141
142 if (BN_ucmp(&f, rsa->n) >= 0)
143 {
144 /* usually the padding functions would catch this */
145 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
146 goto err;
147 }
148
142 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 149 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
143 { 150 {
144 BN_MONT_CTX* bn_mont_ctx; 151 BN_MONT_CTX* bn_mont_ctx;
@@ -162,8 +169,8 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
162 if (bn_mont_ctx) 169 if (bn_mont_ctx)
163 BN_MONT_CTX_free(bn_mont_ctx); 170 BN_MONT_CTX_free(bn_mont_ctx);
164 } 171 }
165 172
166 if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 173 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
167 rsa->_method_mod_n)) goto err; 174 rsa->_method_mod_n)) goto err;
168 175
169 /* put in leading 0 bytes if the number is less than the 176 /* put in leading 0 bytes if the number is less than the
@@ -186,16 +193,15 @@ err:
186 return(r); 193 return(r);
187 } 194 }
188 195
189static int RSA_eay_private_encrypt(int flen, unsigned char *from, 196/* signing */
197static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
190 unsigned char *to, RSA *rsa, int padding) 198 unsigned char *to, RSA *rsa, int padding)
191 { 199 {
192 const RSA_METHOD *meth;
193 BIGNUM f,ret; 200 BIGNUM f,ret;
194 int i,j,k,num=0,r= -1; 201 int i,j,k,num=0,r= -1;
195 unsigned char *buf=NULL; 202 unsigned char *buf=NULL;
196 BN_CTX *ctx=NULL; 203 BN_CTX *ctx=NULL;
197 204
198 meth = ENGINE_get_RSA(rsa->engine);
199 BN_init(&f); 205 BN_init(&f);
200 BN_init(&ret); 206 BN_init(&ret);
201 207
@@ -223,6 +229,13 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
223 if (i <= 0) goto err; 229 if (i <= 0) goto err;
224 230
225 if (BN_bin2bn(buf,num,&f) == NULL) goto err; 231 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
232
233 if (BN_ucmp(&f, rsa->n) >= 0)
234 {
235 /* usually the padding functions would catch this */
236 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
237 goto err;
238 }
226 239
227 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) 240 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
228 RSA_blinding_on(rsa,ctx); 241 RSA_blinding_on(rsa,ctx);
@@ -235,10 +248,10 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
235 (rsa->dmp1 != NULL) && 248 (rsa->dmp1 != NULL) &&
236 (rsa->dmq1 != NULL) && 249 (rsa->dmq1 != NULL) &&
237 (rsa->iqmp != NULL)) ) 250 (rsa->iqmp != NULL)) )
238 { if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 251 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
239 else 252 else
240 { 253 {
241 if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; 254 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
242 } 255 }
243 256
244 if (rsa->flags & RSA_FLAG_BLINDING) 257 if (rsa->flags & RSA_FLAG_BLINDING)
@@ -264,17 +277,15 @@ err:
264 return(r); 277 return(r);
265 } 278 }
266 279
267static int RSA_eay_private_decrypt(int flen, unsigned char *from, 280static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
268 unsigned char *to, RSA *rsa, int padding) 281 unsigned char *to, RSA *rsa, int padding)
269 { 282 {
270 const RSA_METHOD *meth;
271 BIGNUM f,ret; 283 BIGNUM f,ret;
272 int j,num=0,r= -1; 284 int j,num=0,r= -1;
273 unsigned char *p; 285 unsigned char *p;
274 unsigned char *buf=NULL; 286 unsigned char *buf=NULL;
275 BN_CTX *ctx=NULL; 287 BN_CTX *ctx=NULL;
276 288
277 meth = ENGINE_get_RSA(rsa->engine);
278 BN_init(&f); 289 BN_init(&f);
279 BN_init(&ret); 290 BN_init(&ret);
280 ctx=BN_CTX_new(); 291 ctx=BN_CTX_new();
@@ -299,6 +310,12 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
299 /* make data into a big number */ 310 /* make data into a big number */
300 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; 311 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
301 312
313 if (BN_ucmp(&f, rsa->n) >= 0)
314 {
315 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
316 goto err;
317 }
318
302 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) 319 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
303 RSA_blinding_on(rsa,ctx); 320 RSA_blinding_on(rsa,ctx);
304 if (rsa->flags & RSA_FLAG_BLINDING) 321 if (rsa->flags & RSA_FLAG_BLINDING)
@@ -311,10 +328,10 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
311 (rsa->dmp1 != NULL) && 328 (rsa->dmp1 != NULL) &&
312 (rsa->dmq1 != NULL) && 329 (rsa->dmq1 != NULL) &&
313 (rsa->iqmp != NULL)) ) 330 (rsa->iqmp != NULL)) )
314 { if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } 331 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
315 else 332 else
316 { 333 {
317 if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) 334 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
318 goto err; 335 goto err;
319 } 336 }
320 337
@@ -329,7 +346,7 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
329 case RSA_PKCS1_PADDING: 346 case RSA_PKCS1_PADDING:
330 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 347 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
331 break; 348 break;
332#ifndef NO_SHA 349#ifndef OPENSSL_NO_SHA
333 case RSA_PKCS1_OAEP_PADDING: 350 case RSA_PKCS1_OAEP_PADDING:
334 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 351 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
335 break; 352 break;
@@ -359,17 +376,16 @@ err:
359 return(r); 376 return(r);
360 } 377 }
361 378
362static int RSA_eay_public_decrypt(int flen, unsigned char *from, 379/* signature verification */
380static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
363 unsigned char *to, RSA *rsa, int padding) 381 unsigned char *to, RSA *rsa, int padding)
364 { 382 {
365 const RSA_METHOD *meth;
366 BIGNUM f,ret; 383 BIGNUM f,ret;
367 int i,num=0,r= -1; 384 int i,num=0,r= -1;
368 unsigned char *p; 385 unsigned char *p;
369 unsigned char *buf=NULL; 386 unsigned char *buf=NULL;
370 BN_CTX *ctx=NULL; 387 BN_CTX *ctx=NULL;
371 388
372 meth = ENGINE_get_RSA(rsa->engine);
373 BN_init(&f); 389 BN_init(&f);
374 BN_init(&ret); 390 BN_init(&ret);
375 ctx=BN_CTX_new(); 391 ctx=BN_CTX_new();
@@ -392,6 +408,13 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
392 } 408 }
393 409
394 if (BN_bin2bn(from,flen,&f) == NULL) goto err; 410 if (BN_bin2bn(from,flen,&f) == NULL) goto err;
411
412 if (BN_ucmp(&f, rsa->n) >= 0)
413 {
414 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
415 goto err;
416 }
417
395 /* do the decrypt */ 418 /* do the decrypt */
396 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) 419 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
397 { 420 {
@@ -416,8 +439,8 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
416 if (bn_mont_ctx) 439 if (bn_mont_ctx)
417 BN_MONT_CTX_free(bn_mont_ctx); 440 BN_MONT_CTX_free(bn_mont_ctx);
418 } 441 }
419 442
420 if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 443 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
421 rsa->_method_mod_n)) goto err; 444 rsa->_method_mod_n)) goto err;
422 445
423 p=buf; 446 p=buf;
@@ -450,14 +473,12 @@ err:
450 return(r); 473 return(r);
451 } 474 }
452 475
453static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) 476static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
454 { 477 {
455 const RSA_METHOD *meth;
456 BIGNUM r1,m1,vrfy; 478 BIGNUM r1,m1,vrfy;
457 int ret=0; 479 int ret=0;
458 BN_CTX *ctx; 480 BN_CTX *ctx;
459 481
460 meth = ENGINE_get_RSA(rsa->engine);
461 if ((ctx=BN_CTX_new()) == NULL) goto err; 482 if ((ctx=BN_CTX_new()) == NULL) goto err;
462 BN_init(&m1); 483 BN_init(&m1);
463 BN_init(&r1); 484 BN_init(&r1);
@@ -515,11 +536,11 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
515 } 536 }
516 537
517 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 538 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
518 if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, 539 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
519 rsa->_method_mod_q)) goto err; 540 rsa->_method_mod_q)) goto err;
520 541
521 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 542 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
522 if (!meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, 543 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
523 rsa->_method_mod_p)) goto err; 544 rsa->_method_mod_p)) goto err;
524 545
525 if (!BN_sub(r0,r0,&m1)) goto err; 546 if (!BN_sub(r0,r0,&m1)) goto err;
@@ -544,11 +565,20 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
544 565
545 if (rsa->e && rsa->n) 566 if (rsa->e && rsa->n)
546 { 567 {
547 if (!meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; 568 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
548 if (BN_cmp(I, &vrfy) != 0) 569 /* If 'I' was greater than (or equal to) rsa->n, the operation
549 { 570 * will be equivalent to using 'I mod n'. However, the result of
550 if (!meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; 571 * the verify will *always* be less than 'n' so we don't check
551 } 572 * for absolute equality, just congruency. */
573 if (!BN_sub(&vrfy, &vrfy, I)) goto err;
574 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
575 if (vrfy.neg)
576 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
577 if (!BN_is_zero(&vrfy))
578 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
579 * miscalculated CRT output, just do a raw (slower)
580 * mod_exp and return that instead. */
581 if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
552 } 582 }
553 ret=1; 583 ret=1;
554err: 584err:
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 13:09:43 +0000