diff options
Diffstat (limited to 'src/lib/libssl/src/fips-1.0/rsa/fips_rsa_eay.c')
-rw-r--r-- | src/lib/libssl/src/fips-1.0/rsa/fips_rsa_eay.c | 788 |
1 files changed, 0 insertions, 788 deletions
diff --git a/src/lib/libssl/src/fips-1.0/rsa/fips_rsa_eay.c b/src/lib/libssl/src/fips-1.0/rsa/fips_rsa_eay.c deleted file mode 100644 index 2d0d973f1e..0000000000 --- a/src/lib/libssl/src/fips-1.0/rsa/fips_rsa_eay.c +++ /dev/null | |||
@@ -1,788 +0,0 @@ | |||
1 | /* crypto/rsa/rsa_eay.c */ | ||
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | ||
3 | * All rights reserved. | ||
4 | * | ||
5 | * This package is an SSL implementation written | ||
6 | * by Eric Young (eay@cryptsoft.com). | ||
7 | * The implementation was written so as to conform with Netscapes SSL. | ||
8 | * | ||
9 | * This library is free for commercial and non-commercial use as long as | ||
10 | * the following conditions are aheared to. The following conditions | ||
11 | * apply to all code found in this distribution, be it the RC4, RSA, | ||
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | ||
13 | * included with this distribution is covered by the same copyright terms | ||
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | ||
15 | * | ||
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | ||
17 | * the code are not to be removed. | ||
18 | * If this package is used in a product, Eric Young should be given attribution | ||
19 | * as the author of the parts of the library used. | ||
20 | * This can be in the form of a textual message at program startup or | ||
21 | * in documentation (online or textual) provided with the package. | ||
22 | * | ||
23 | * Redistribution and use in source and binary forms, with or without | ||
24 | * modification, are permitted provided that the following conditions | ||
25 | * are met: | ||
26 | * 1. Redistributions of source code must retain the copyright | ||
27 | * notice, this list of conditions and the following disclaimer. | ||
28 | * 2. Redistributions in binary form must reproduce the above copyright | ||
29 | * notice, this list of conditions and the following disclaimer in the | ||
30 | * documentation and/or other materials provided with the distribution. | ||
31 | * 3. All advertising materials mentioning features or use of this software | ||
32 | * must display the following acknowledgement: | ||
33 | * "This product includes cryptographic software written by | ||
34 | * Eric Young (eay@cryptsoft.com)" | ||
35 | * The word 'cryptographic' can be left out if the rouines from the library | ||
36 | * being used are not cryptographic related :-). | ||
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | ||
38 | * the apps directory (application code) you must include an acknowledgement: | ||
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | ||
40 | * | ||
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | ||
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
51 | * SUCH DAMAGE. | ||
52 | * | ||
53 | * The licence and distribution terms for any publically available version or | ||
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | ||
55 | * copied and put under another distribution licence | ||
56 | * [including the GNU Public Licence.] | ||
57 | */ | ||
58 | /* ==================================================================== | ||
59 | * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. | ||
60 | * | ||
61 | * Redistribution and use in source and binary forms, with or without | ||
62 | * modification, are permitted provided that the following conditions | ||
63 | * are met: | ||
64 | * | ||
65 | * 1. Redistributions of source code must retain the above copyright | ||
66 | * notice, this list of conditions and the following disclaimer. | ||
67 | * | ||
68 | * 2. Redistributions in binary form must reproduce the above copyright | ||
69 | * notice, this list of conditions and the following disclaimer in | ||
70 | * the documentation and/or other materials provided with the | ||
71 | * distribution. | ||
72 | * | ||
73 | * 3. All advertising materials mentioning features or use of this | ||
74 | * software must display the following acknowledgment: | ||
75 | * "This product includes software developed by the OpenSSL Project | ||
76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | ||
77 | * | ||
78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | ||
79 | * endorse or promote products derived from this software without | ||
80 | * prior written permission. For written permission, please contact | ||
81 | * openssl-core@openssl.org. | ||
82 | * | ||
83 | * 5. Products derived from this software may not be called "OpenSSL" | ||
84 | * nor may "OpenSSL" appear in their names without prior written | ||
85 | * permission of the OpenSSL Project. | ||
86 | * | ||
87 | * 6. Redistributions of any form whatsoever must retain the following | ||
88 | * acknowledgment: | ||
89 | * "This product includes software developed by the OpenSSL Project | ||
90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | ||
91 | * | ||
92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | ||
93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | ||
96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | ||
101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | ||
103 | * OF THE POSSIBILITY OF SUCH DAMAGE. | ||
104 | * ==================================================================== | ||
105 | * | ||
106 | * This product includes cryptographic software written by Eric Young | ||
107 | * (eay@cryptsoft.com). This product includes software written by Tim | ||
108 | * Hudson (tjh@cryptsoft.com). | ||
109 | * | ||
110 | */ | ||
111 | |||
112 | #include <stdio.h> | ||
113 | #include <openssl/err.h> | ||
114 | #include <openssl/bn.h> | ||
115 | #include <openssl/rsa.h> | ||
116 | #include <openssl/rand.h> | ||
117 | #include <openssl/fips.h> | ||
118 | |||
119 | #if !defined(RSA_NULL) && defined(OPENSSL_FIPS) | ||
120 | |||
121 | static int RSA_eay_public_encrypt(FIPS_RSA_SIZE_T flen, const unsigned char *from, | ||
122 | unsigned char *to, RSA *rsa,int padding); | ||
123 | static int RSA_eay_private_encrypt(FIPS_RSA_SIZE_T flen, const unsigned char *from, | ||
124 | unsigned char *to, RSA *rsa,int padding); | ||
125 | static int RSA_eay_public_decrypt(FIPS_RSA_SIZE_T flen, const unsigned char *from, | ||
126 | unsigned char *to, RSA *rsa,int padding); | ||
127 | static int RSA_eay_private_decrypt(FIPS_RSA_SIZE_T flen, const unsigned char *from, | ||
128 | unsigned char *to, RSA *rsa,int padding); | ||
129 | static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); | ||
130 | static int RSA_eay_init(RSA *rsa); | ||
131 | static int RSA_eay_finish(RSA *rsa); | ||
132 | static const RSA_METHOD rsa_pkcs1_eay_meth={ | ||
133 | "Eric Young's PKCS#1 RSA", | ||
134 | RSA_eay_public_encrypt, | ||
135 | RSA_eay_public_decrypt, /* signature verification */ | ||
136 | RSA_eay_private_encrypt, /* signing */ | ||
137 | RSA_eay_private_decrypt, | ||
138 | RSA_eay_mod_exp, | ||
139 | BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ | ||
140 | RSA_eay_init, | ||
141 | RSA_eay_finish, | ||
142 | 0, /* flags */ | ||
143 | NULL, | ||
144 | 0, /* rsa_sign */ | ||
145 | 0 /* rsa_verify */ | ||
146 | }; | ||
147 | |||
148 | const RSA_METHOD *RSA_PKCS1_SSLeay(void) | ||
149 | { | ||
150 | return(&rsa_pkcs1_eay_meth); | ||
151 | } | ||
152 | |||
153 | static int RSA_eay_public_encrypt(FIPS_RSA_SIZE_T flen, const unsigned char *from, | ||
154 | unsigned char *to, RSA *rsa, int padding) | ||
155 | { | ||
156 | BIGNUM f,ret; | ||
157 | int i,j,k,num=0,r= -1; | ||
158 | unsigned char *buf=NULL; | ||
159 | BN_CTX *ctx=NULL; | ||
160 | |||
161 | BN_init(&f); | ||
162 | BN_init(&ret); | ||
163 | |||
164 | if(FIPS_selftest_failed()) | ||
165 | { | ||
166 | FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED); | ||
167 | goto err; | ||
168 | } | ||
169 | |||
170 | if ((ctx=BN_CTX_new()) == NULL) goto err; | ||
171 | num=BN_num_bytes(rsa->n); | ||
172 | if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) | ||
173 | { | ||
174 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); | ||
175 | goto err; | ||
176 | } | ||
177 | |||
178 | switch (padding) | ||
179 | { | ||
180 | case RSA_PKCS1_PADDING: | ||
181 | i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); | ||
182 | break; | ||
183 | #ifndef OPENSSL_NO_SHA | ||
184 | case RSA_PKCS1_OAEP_PADDING: | ||
185 | i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); | ||
186 | break; | ||
187 | #endif | ||
188 | case RSA_SSLV23_PADDING: | ||
189 | i=RSA_padding_add_SSLv23(buf,num,from,flen); | ||
190 | break; | ||
191 | case RSA_NO_PADDING: | ||
192 | i=RSA_padding_add_none(buf,num,from,flen); | ||
193 | break; | ||
194 | default: | ||
195 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | ||
196 | goto err; | ||
197 | } | ||
198 | if (i <= 0) goto err; | ||
199 | |||
200 | if (BN_bin2bn(buf,num,&f) == NULL) goto err; | ||
201 | |||
202 | if (BN_ucmp(&f, rsa->n) >= 0) | ||
203 | { | ||
204 | /* usually the padding functions would catch this */ | ||
205 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); | ||
206 | goto err; | ||
207 | } | ||
208 | |||
209 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | ||
210 | { | ||
211 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, | ||
212 | CRYPTO_LOCK_RSA, rsa->n, ctx)) | ||
213 | goto err; | ||
214 | } | ||
215 | |||
216 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, | ||
217 | rsa->_method_mod_n)) goto err; | ||
218 | |||
219 | /* put in leading 0 bytes if the number is less than the | ||
220 | * length of the modulus */ | ||
221 | j=BN_num_bytes(&ret); | ||
222 | i=BN_bn2bin(&ret,&(to[num-j])); | ||
223 | for (k=0; k<(num-i); k++) | ||
224 | to[k]=0; | ||
225 | |||
226 | r=num; | ||
227 | err: | ||
228 | if (ctx != NULL) BN_CTX_free(ctx); | ||
229 | BN_clear_free(&f); | ||
230 | BN_clear_free(&ret); | ||
231 | if (buf != NULL) | ||
232 | { | ||
233 | OPENSSL_cleanse(buf,num); | ||
234 | OPENSSL_free(buf); | ||
235 | } | ||
236 | return(r); | ||
237 | } | ||
238 | |||
239 | static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) | ||
240 | { | ||
241 | int ret = 1; | ||
242 | CRYPTO_w_lock(CRYPTO_LOCK_RSA); | ||
243 | /* Check again inside the lock - the macro's check is racey */ | ||
244 | if(rsa->blinding == NULL) | ||
245 | ret = RSA_blinding_on(rsa, ctx); | ||
246 | CRYPTO_w_unlock(CRYPTO_LOCK_RSA); | ||
247 | return ret; | ||
248 | } | ||
249 | |||
250 | #define BLINDING_HELPER(rsa, ctx, err_instr) \ | ||
251 | do { \ | ||
252 | if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ | ||
253 | ((rsa)->blinding == NULL) && \ | ||
254 | !rsa_eay_blinding(rsa, ctx)) \ | ||
255 | err_instr \ | ||
256 | } while(0) | ||
257 | |||
258 | static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) | ||
259 | { | ||
260 | BIGNUM *A, *Ai; | ||
261 | BN_BLINDING *ret = NULL; | ||
262 | |||
263 | /* added in OpenSSL 0.9.6j and 0.9.7b */ | ||
264 | |||
265 | /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); | ||
266 | * this should be placed in a new function of its own, but for reasons | ||
267 | * of binary compatibility can't */ | ||
268 | |||
269 | BN_CTX_start(ctx); | ||
270 | A = BN_CTX_get(ctx); | ||
271 | if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) | ||
272 | { | ||
273 | /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ | ||
274 | RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); | ||
275 | if (!BN_pseudo_rand_range(A,rsa->n)) goto err; | ||
276 | } | ||
277 | else | ||
278 | { | ||
279 | if (!BN_rand_range(A,rsa->n)) goto err; | ||
280 | } | ||
281 | if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; | ||
282 | |||
283 | if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) | ||
284 | goto err; | ||
285 | ret = BN_BLINDING_new(A,Ai,rsa->n); | ||
286 | BN_free(Ai); | ||
287 | err: | ||
288 | BN_CTX_end(ctx); | ||
289 | return ret; | ||
290 | } | ||
291 | |||
292 | /* signing */ | ||
293 | static int RSA_eay_private_encrypt(FIPS_RSA_SIZE_T flen, const unsigned char *from, | ||
294 | unsigned char *to, RSA *rsa, int padding) | ||
295 | { | ||
296 | BIGNUM f,ret, *res; | ||
297 | int i,j,k,num=0,r= -1; | ||
298 | unsigned char *buf=NULL; | ||
299 | BN_CTX *ctx=NULL; | ||
300 | int local_blinding = 0; | ||
301 | BN_BLINDING *blinding = NULL; | ||
302 | |||
303 | BN_init(&f); | ||
304 | BN_init(&ret); | ||
305 | |||
306 | if ((ctx=BN_CTX_new()) == NULL) goto err; | ||
307 | num=BN_num_bytes(rsa->n); | ||
308 | if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) | ||
309 | { | ||
310 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); | ||
311 | goto err; | ||
312 | } | ||
313 | |||
314 | switch (padding) | ||
315 | { | ||
316 | case RSA_PKCS1_PADDING: | ||
317 | i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); | ||
318 | break; | ||
319 | case RSA_NO_PADDING: | ||
320 | i=RSA_padding_add_none(buf,num,from,flen); | ||
321 | break; | ||
322 | case RSA_X931_PADDING: | ||
323 | i=RSA_padding_add_X931(buf,num,from,flen); | ||
324 | break; | ||
325 | case RSA_SSLV23_PADDING: | ||
326 | default: | ||
327 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | ||
328 | goto err; | ||
329 | } | ||
330 | if (i <= 0) goto err; | ||
331 | |||
332 | if (BN_bin2bn(buf,num,&f) == NULL) goto err; | ||
333 | |||
334 | if (BN_ucmp(&f, rsa->n) >= 0) | ||
335 | { | ||
336 | /* usually the padding functions would catch this */ | ||
337 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); | ||
338 | goto err; | ||
339 | } | ||
340 | |||
341 | BLINDING_HELPER(rsa, ctx, goto err;); | ||
342 | blinding = rsa->blinding; | ||
343 | |||
344 | /* Now unless blinding is disabled, 'blinding' is non-NULL. | ||
345 | * But the BN_BLINDING object may be owned by some other thread | ||
346 | * (we don't want to keep it constant and we don't want to use | ||
347 | * lots of locking to avoid race conditions, so only a single | ||
348 | * thread can use it; other threads have to use local blinding | ||
349 | * factors) */ | ||
350 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) | ||
351 | { | ||
352 | if (blinding == NULL) | ||
353 | { | ||
354 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); | ||
355 | goto err; | ||
356 | } | ||
357 | } | ||
358 | |||
359 | if (blinding != NULL) | ||
360 | { | ||
361 | if (blinding->thread_id != CRYPTO_thread_id()) | ||
362 | { | ||
363 | /* we need a local one-time blinding factor */ | ||
364 | |||
365 | blinding = setup_blinding(rsa, ctx); | ||
366 | if (blinding == NULL) | ||
367 | goto err; | ||
368 | local_blinding = 1; | ||
369 | } | ||
370 | } | ||
371 | |||
372 | if (blinding) | ||
373 | if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; | ||
374 | |||
375 | if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || | ||
376 | ((rsa->p != NULL) && | ||
377 | (rsa->q != NULL) && | ||
378 | (rsa->dmp1 != NULL) && | ||
379 | (rsa->dmq1 != NULL) && | ||
380 | (rsa->iqmp != NULL)) ) | ||
381 | { | ||
382 | if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; | ||
383 | } | ||
384 | else | ||
385 | { | ||
386 | BIGNUM local_d; | ||
387 | BIGNUM *d = NULL; | ||
388 | |||
389 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) | ||
390 | { | ||
391 | BN_init(&local_d); | ||
392 | d = &local_d; | ||
393 | BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); | ||
394 | } | ||
395 | else | ||
396 | d = rsa->d; | ||
397 | if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err; | ||
398 | } | ||
399 | |||
400 | if (blinding) | ||
401 | if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; | ||
402 | |||
403 | if (padding == RSA_X931_PADDING) | ||
404 | { | ||
405 | BN_sub(&f, rsa->n, &ret); | ||
406 | if (BN_cmp(&ret, &f)) | ||
407 | res = &f; | ||
408 | else | ||
409 | res = &ret; | ||
410 | } | ||
411 | else | ||
412 | res = &ret; | ||
413 | |||
414 | /* put in leading 0 bytes if the number is less than the | ||
415 | * length of the modulus */ | ||
416 | j=BN_num_bytes(res); | ||
417 | i=BN_bn2bin(res,&(to[num-j])); | ||
418 | for (k=0; k<(num-i); k++) | ||
419 | to[k]=0; | ||
420 | |||
421 | r=num; | ||
422 | err: | ||
423 | if (ctx != NULL) BN_CTX_free(ctx); | ||
424 | BN_clear_free(&ret); | ||
425 | BN_clear_free(&f); | ||
426 | if (local_blinding) | ||
427 | BN_BLINDING_free(blinding); | ||
428 | if (buf != NULL) | ||
429 | { | ||
430 | OPENSSL_cleanse(buf,num); | ||
431 | OPENSSL_free(buf); | ||
432 | } | ||
433 | return(r); | ||
434 | } | ||
435 | |||
436 | static int RSA_eay_private_decrypt(FIPS_RSA_SIZE_T flen, const unsigned char *from, | ||
437 | unsigned char *to, RSA *rsa, int padding) | ||
438 | { | ||
439 | BIGNUM f,ret; | ||
440 | int j,num=0,r= -1; | ||
441 | unsigned char *p; | ||
442 | unsigned char *buf=NULL; | ||
443 | BN_CTX *ctx=NULL; | ||
444 | int local_blinding = 0; | ||
445 | BN_BLINDING *blinding = NULL; | ||
446 | |||
447 | BN_init(&f); | ||
448 | BN_init(&ret); | ||
449 | ctx=BN_CTX_new(); | ||
450 | if (ctx == NULL) goto err; | ||
451 | |||
452 | num=BN_num_bytes(rsa->n); | ||
453 | |||
454 | if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) | ||
455 | { | ||
456 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); | ||
457 | goto err; | ||
458 | } | ||
459 | |||
460 | /* This check was for equality but PGP does evil things | ||
461 | * and chops off the top '0' bytes */ | ||
462 | if (flen > num) | ||
463 | { | ||
464 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); | ||
465 | goto err; | ||
466 | } | ||
467 | |||
468 | /* make data into a big number */ | ||
469 | if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; | ||
470 | |||
471 | if (BN_ucmp(&f, rsa->n) >= 0) | ||
472 | { | ||
473 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); | ||
474 | goto err; | ||
475 | } | ||
476 | |||
477 | BLINDING_HELPER(rsa, ctx, goto err;); | ||
478 | blinding = rsa->blinding; | ||
479 | |||
480 | /* Now unless blinding is disabled, 'blinding' is non-NULL. | ||
481 | * But the BN_BLINDING object may be owned by some other thread | ||
482 | * (we don't want to keep it constant and we don't want to use | ||
483 | * lots of locking to avoid race conditions, so only a single | ||
484 | * thread can use it; other threads have to use local blinding | ||
485 | * factors) */ | ||
486 | if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) | ||
487 | { | ||
488 | if (blinding == NULL) | ||
489 | { | ||
490 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); | ||
491 | goto err; | ||
492 | } | ||
493 | } | ||
494 | |||
495 | if (blinding != NULL) | ||
496 | { | ||
497 | if (blinding->thread_id != CRYPTO_thread_id()) | ||
498 | { | ||
499 | /* we need a local one-time blinding factor */ | ||
500 | |||
501 | blinding = setup_blinding(rsa, ctx); | ||
502 | if (blinding == NULL) | ||
503 | goto err; | ||
504 | local_blinding = 1; | ||
505 | } | ||
506 | } | ||
507 | |||
508 | if (blinding) | ||
509 | if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; | ||
510 | |||
511 | /* do the decrypt */ | ||
512 | if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || | ||
513 | ((rsa->p != NULL) && | ||
514 | (rsa->q != NULL) && | ||
515 | (rsa->dmp1 != NULL) && | ||
516 | (rsa->dmq1 != NULL) && | ||
517 | (rsa->iqmp != NULL)) ) | ||
518 | { | ||
519 | if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; | ||
520 | } | ||
521 | else | ||
522 | { | ||
523 | BIGNUM local_d; | ||
524 | BIGNUM *d = NULL; | ||
525 | |||
526 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) | ||
527 | { | ||
528 | d = &local_d; | ||
529 | BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); | ||
530 | } | ||
531 | else | ||
532 | d = rsa->d; | ||
533 | if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) | ||
534 | goto err; | ||
535 | } | ||
536 | |||
537 | if (blinding) | ||
538 | if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; | ||
539 | |||
540 | p=buf; | ||
541 | j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ | ||
542 | |||
543 | switch (padding) | ||
544 | { | ||
545 | case RSA_PKCS1_PADDING: | ||
546 | r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); | ||
547 | break; | ||
548 | #ifndef OPENSSL_NO_SHA | ||
549 | case RSA_PKCS1_OAEP_PADDING: | ||
550 | r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); | ||
551 | break; | ||
552 | #endif | ||
553 | case RSA_SSLV23_PADDING: | ||
554 | r=RSA_padding_check_SSLv23(to,num,buf,j,num); | ||
555 | break; | ||
556 | case RSA_NO_PADDING: | ||
557 | r=RSA_padding_check_none(to,num,buf,j,num); | ||
558 | break; | ||
559 | default: | ||
560 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | ||
561 | goto err; | ||
562 | } | ||
563 | if (r < 0) | ||
564 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); | ||
565 | |||
566 | err: | ||
567 | if (ctx != NULL) BN_CTX_free(ctx); | ||
568 | BN_clear_free(&f); | ||
569 | BN_clear_free(&ret); | ||
570 | if (local_blinding) | ||
571 | BN_BLINDING_free(blinding); | ||
572 | if (buf != NULL) | ||
573 | { | ||
574 | OPENSSL_cleanse(buf,num); | ||
575 | OPENSSL_free(buf); | ||
576 | } | ||
577 | return(r); | ||
578 | } | ||
579 | |||
580 | /* signature verification */ | ||
581 | static int RSA_eay_public_decrypt(FIPS_RSA_SIZE_T flen, const unsigned char *from, | ||
582 | unsigned char *to, RSA *rsa, int padding) | ||
583 | { | ||
584 | BIGNUM f,ret; | ||
585 | int i,num=0,r= -1; | ||
586 | unsigned char *p; | ||
587 | unsigned char *buf=NULL; | ||
588 | BN_CTX *ctx=NULL; | ||
589 | |||
590 | BN_init(&f); | ||
591 | BN_init(&ret); | ||
592 | ctx=BN_CTX_new(); | ||
593 | if (ctx == NULL) goto err; | ||
594 | |||
595 | num=BN_num_bytes(rsa->n); | ||
596 | buf=(unsigned char *)OPENSSL_malloc(num); | ||
597 | if (buf == NULL) | ||
598 | { | ||
599 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); | ||
600 | goto err; | ||
601 | } | ||
602 | |||
603 | /* This check was for equality but PGP does evil things | ||
604 | * and chops off the top '0' bytes */ | ||
605 | if (flen > num) | ||
606 | { | ||
607 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); | ||
608 | goto err; | ||
609 | } | ||
610 | |||
611 | if (BN_bin2bn(from,flen,&f) == NULL) goto err; | ||
612 | |||
613 | if (BN_ucmp(&f, rsa->n) >= 0) | ||
614 | { | ||
615 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); | ||
616 | goto err; | ||
617 | } | ||
618 | |||
619 | /* do the decrypt */ | ||
620 | |||
621 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | ||
622 | { | ||
623 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, | ||
624 | CRYPTO_LOCK_RSA, rsa->n, ctx)) | ||
625 | goto err; | ||
626 | } | ||
627 | |||
628 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, | ||
629 | rsa->_method_mod_n)) goto err; | ||
630 | |||
631 | if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12)) | ||
632 | BN_sub(&ret, rsa->n, &ret); | ||
633 | |||
634 | p=buf; | ||
635 | i=BN_bn2bin(&ret,p); | ||
636 | |||
637 | switch (padding) | ||
638 | { | ||
639 | case RSA_PKCS1_PADDING: | ||
640 | r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); | ||
641 | break; | ||
642 | case RSA_X931_PADDING: | ||
643 | r=RSA_padding_check_X931(to,num,buf,i,num); | ||
644 | break; | ||
645 | case RSA_NO_PADDING: | ||
646 | r=RSA_padding_check_none(to,num,buf,i,num); | ||
647 | break; | ||
648 | default: | ||
649 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | ||
650 | goto err; | ||
651 | } | ||
652 | if (r < 0) | ||
653 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); | ||
654 | |||
655 | err: | ||
656 | if (ctx != NULL) BN_CTX_free(ctx); | ||
657 | BN_clear_free(&f); | ||
658 | BN_clear_free(&ret); | ||
659 | if (buf != NULL) | ||
660 | { | ||
661 | OPENSSL_cleanse(buf,num); | ||
662 | OPENSSL_free(buf); | ||
663 | } | ||
664 | return(r); | ||
665 | } | ||
666 | |||
667 | static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) | ||
668 | { | ||
669 | BIGNUM r1,m1,vrfy; | ||
670 | BIGNUM local_dmp1, local_dmq1; | ||
671 | BIGNUM *dmp1, *dmq1; | ||
672 | int ret=0; | ||
673 | BN_CTX *ctx; | ||
674 | |||
675 | BN_init(&m1); | ||
676 | BN_init(&r1); | ||
677 | BN_init(&vrfy); | ||
678 | if ((ctx=BN_CTX_new()) == NULL) goto err; | ||
679 | |||
680 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) | ||
681 | { | ||
682 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, | ||
683 | CRYPTO_LOCK_RSA, rsa->p, ctx)) | ||
684 | goto err; | ||
685 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, | ||
686 | CRYPTO_LOCK_RSA, rsa->q, ctx)) | ||
687 | goto err; | ||
688 | } | ||
689 | |||
690 | if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; | ||
691 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) | ||
692 | { | ||
693 | dmq1 = &local_dmq1; | ||
694 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); | ||
695 | } | ||
696 | else | ||
697 | dmq1 = rsa->dmq1; | ||
698 | if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx, | ||
699 | rsa->_method_mod_q)) goto err; | ||
700 | |||
701 | if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; | ||
702 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) | ||
703 | { | ||
704 | dmp1 = &local_dmp1; | ||
705 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME); | ||
706 | } | ||
707 | else | ||
708 | dmp1 = rsa->dmp1; | ||
709 | if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx, | ||
710 | rsa->_method_mod_p)) goto err; | ||
711 | |||
712 | if (!BN_sub(r0,r0,&m1)) goto err; | ||
713 | /* This will help stop the size of r0 increasing, which does | ||
714 | * affect the multiply if it optimised for a power of 2 size */ | ||
715 | if (r0->neg) | ||
716 | if (!BN_add(r0,r0,rsa->p)) goto err; | ||
717 | |||
718 | if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; | ||
719 | if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; | ||
720 | /* If p < q it is occasionally possible for the correction of | ||
721 | * adding 'p' if r0 is negative above to leave the result still | ||
722 | * negative. This can break the private key operations: the following | ||
723 | * second correction should *always* correct this rare occurrence. | ||
724 | * This will *never* happen with OpenSSL generated keys because | ||
725 | * they ensure p > q [steve] | ||
726 | */ | ||
727 | if (r0->neg) | ||
728 | if (!BN_add(r0,r0,rsa->p)) goto err; | ||
729 | if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; | ||
730 | if (!BN_add(r0,&r1,&m1)) goto err; | ||
731 | |||
732 | if (rsa->e && rsa->n) | ||
733 | { | ||
734 | if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; | ||
735 | /* If 'I' was greater than (or equal to) rsa->n, the operation | ||
736 | * will be equivalent to using 'I mod n'. However, the result of | ||
737 | * the verify will *always* be less than 'n' so we don't check | ||
738 | * for absolute equality, just congruency. */ | ||
739 | if (!BN_sub(&vrfy, &vrfy, I)) goto err; | ||
740 | if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; | ||
741 | if (vrfy.neg) | ||
742 | if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; | ||
743 | if (!BN_is_zero(&vrfy)) | ||
744 | { | ||
745 | /* 'I' and 'vrfy' aren't congruent mod n. Don't leak | ||
746 | * miscalculated CRT output, just do a raw (slower) | ||
747 | * mod_exp and return that instead. */ | ||
748 | |||
749 | BIGNUM local_d; | ||
750 | BIGNUM *d = NULL; | ||
751 | |||
752 | if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) | ||
753 | { | ||
754 | d = &local_d; | ||
755 | BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); | ||
756 | } | ||
757 | else | ||
758 | d = rsa->d; | ||
759 | if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err; | ||
760 | } | ||
761 | } | ||
762 | ret=1; | ||
763 | err: | ||
764 | BN_clear_free(&m1); | ||
765 | BN_clear_free(&r1); | ||
766 | BN_clear_free(&vrfy); | ||
767 | BN_CTX_free(ctx); | ||
768 | return(ret); | ||
769 | } | ||
770 | |||
771 | static int RSA_eay_init(RSA *rsa) | ||
772 | { | ||
773 | rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; | ||
774 | return(1); | ||
775 | } | ||
776 | |||
777 | static int RSA_eay_finish(RSA *rsa) | ||
778 | { | ||
779 | if (rsa->_method_mod_n != NULL) | ||
780 | BN_MONT_CTX_free(rsa->_method_mod_n); | ||
781 | if (rsa->_method_mod_p != NULL) | ||
782 | BN_MONT_CTX_free(rsa->_method_mod_p); | ||
783 | if (rsa->_method_mod_q != NULL) | ||
784 | BN_MONT_CTX_free(rsa->_method_mod_q); | ||
785 | return(1); | ||
786 | } | ||
787 | |||
788 | #endif | ||