kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1217 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 9f33fc63c6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9f33fc63c6'
${ noResults }
boringssl/crypto/rsa/rsa_impl.c

969 lines
25 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/rsa.h>

  58. 

  59. #include <string.h>

  60. 

  61. #include <openssl/bn.h>

  62. #include <openssl/err.h>

  63. #include <openssl/mem.h>

  64. #include <openssl/thread.h>

  65. 

  66. #include "internal.h"

  67. #include "../internal.h"

  68. 

  69. 

  70. #define OPENSSL_RSA_MAX_MODULUS_BITS 16384

  71. #define OPENSSL_RSA_SMALL_MODULUS_BITS 3072

  72. #define OPENSSL_RSA_MAX_PUBEXP_BITS \

  73.   64 /* exponent limit enforced for "large" modulus only */

  74. 

  75. 

  76. static int finish(RSA *rsa) {

  77.   if (rsa->_method_mod_n != NULL) {

  78.     BN_MONT_CTX_free(rsa->_method_mod_n);

  79.   }

  80.   if (rsa->_method_mod_p != NULL) {

  81.     BN_MONT_CTX_free(rsa->_method_mod_p);

  82.   }

  83.   if (rsa->_method_mod_q != NULL) {

  84.     BN_MONT_CTX_free(rsa->_method_mod_q);

  85.   }

  86. 

  87.   return 1;

  88. }

  89. 

  90. static size_t size(const RSA *rsa) {

  91.   return BN_num_bytes(rsa->n);

  92. }

  93. 

  94. static int encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,

  95.                    const uint8_t *in, size_t in_len, int padding) {

  96.   const unsigned rsa_size = RSA_size(rsa);

  97.   BIGNUM *f, *result;

  98.   uint8_t *buf = NULL;

  99.   BN_CTX *ctx = NULL;

  100.   int i, ret = 0;

  101. 

  102.   if (rsa_size > OPENSSL_RSA_MAX_MODULUS_BITS) {

  103.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_MODULUS_TOO_LARGE);

  104.     return 0;

  105.   }

  106. 

  107.   if (max_out < rsa_size) {

  108.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_OUTPUT_BUFFER_TOO_SMALL);

  109.     return 0;

  110.   }

  111. 

  112.   if (BN_ucmp(rsa->n, rsa->e) <= 0) {

  113.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_BAD_E_VALUE);

  114.     return 0;

  115.   }

  116. 

  117.   /* for large moduli, enforce exponent limit */

  118.   if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&

  119.       BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {

  120.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_BAD_E_VALUE);

  121.     return 0;

  122.   }

  123. 

  124.   ctx = BN_CTX_new();

  125.   if (ctx == NULL) {

  126.     goto err;

  127.   }

  128. 

  129.   BN_CTX_start(ctx);

  130.   f = BN_CTX_get(ctx);

  131.   result = BN_CTX_get(ctx);

  132.   buf = OPENSSL_malloc(rsa_size);

  133.   if (!f || !result || !buf) {

  134.     OPENSSL_PUT_ERROR(RSA, encrypt, ERR_R_MALLOC_FAILURE);

  135.     goto err;

  136.   }

  137. 

  138.   switch (padding) {

  139.     case RSA_PKCS1_PADDING:

  140.       i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);

  141.       break;

  142.     case RSA_PKCS1_OAEP_PADDING:

  143.       /* Use the default parameters: SHA-1 for both hashes and no label. */

  144.       i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,

  145.                                           NULL, 0, NULL, NULL);

  146.       break;

  147.     case RSA_NO_PADDING:

  148.       i = RSA_padding_add_none(buf, rsa_size, in, in_len);

  149.       break;

  150.     default:

  151.       OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_UNKNOWN_PADDING_TYPE);

  152.       goto err;

  153.   }

  154. 

  155.   if (i <= 0) {

  156.     goto err;

  157.   }

  158. 

  159.   if (BN_bin2bn(buf, rsa_size, f) == NULL) {

  160.     goto err;

  161.   }

  162. 

  163.   if (BN_ucmp(f, rsa->n) >= 0) {

  164.     /* usually the padding functions would catch this */

  165.     OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);

  166.     goto err;

  167.   }

  168. 

  169.   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {

  170.     if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==

  171.         NULL) {

  172.       goto err;

  173.     }

  174.   }

  175. 

  176.   if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx,

  177.                              rsa->_method_mod_n)) {

  178.     goto err;

  179.   }

  180. 

  181.   /* put in leading 0 bytes if the number is less than the length of the

  182.    * modulus */

  183.   if (!BN_bn2bin_padded(out, rsa_size, result)) {

  184.     OPENSSL_PUT_ERROR(RSA, encrypt, ERR_R_INTERNAL_ERROR);

  185.     goto err;

  186.   }

  187. 

  188.   *out_len = rsa_size;

  189.   ret = 1;

  190. 

  191. err:

  192.   if (ctx != NULL) {

  193.     BN_CTX_end(ctx);

  194.     BN_CTX_free(ctx);

  195.   }

  196.   if (buf != NULL) {

  197.     OPENSSL_cleanse(buf, rsa_size);

  198.     OPENSSL_free(buf);

  199.   }

  200. 

  201.   return ret;

  202. }

  203. 

  204. /* MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per

  205.  * RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and

  206.  * destroyed as needed. */

  207. #define MAX_BLINDINGS_PER_RSA 1024

  208. 

  209. /* rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by

  210.  * allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If

  211.  * none are free, the cache will be extended by a extra element and the new

  212.  * BN_BLINDING is returned.

  213.  *

  214.  * On success, the index of the assigned BN_BLINDING is written to

  215.  * |*index_used| and must be passed to |rsa_blinding_release| when finished. */

  216. static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,

  217.                                      BN_CTX *ctx) {

  218.   BN_BLINDING *ret = NULL;

  219.   BN_BLINDING **new_blindings;

  220.   uint8_t *new_blindings_inuse;

  221.   char overflow = 0;

  222. 

  223.   CRYPTO_MUTEX_lock_write(&rsa->lock);

  224. 

  225.   unsigned i;

  226.   for (i = 0; i < rsa->num_blindings; i++) {

  227.     if (rsa->blindings_inuse[i] == 0) {

  228.       rsa->blindings_inuse[i] = 1;

  229.       ret = rsa->blindings[i];

  230.       *index_used = i;

  231.       break;

  232.     }

  233.   }

  234. 

  235.   if (ret != NULL) {

  236.     CRYPTO_MUTEX_unlock(&rsa->lock);

  237.     return ret;

  238.   }

  239. 

  240.   overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;

  241. 

  242.   /* We didn't find a free BN_BLINDING to use so increase the length of

  243.    * the arrays by one and use the newly created element. */

  244. 

  245.   CRYPTO_MUTEX_unlock(&rsa->lock);

  246.   ret = rsa_setup_blinding(rsa, ctx);

  247.   if (ret == NULL) {

  248.     return NULL;

  249.   }

  250. 

  251.   if (overflow) {

  252.     /* We cannot add any more cached BN_BLINDINGs so we use |ret|

  253.      * and mark it for destruction in |rsa_blinding_release|. */

  254.     *index_used = MAX_BLINDINGS_PER_RSA;

  255.     return ret;

  256.   }

  257. 

  258.   CRYPTO_MUTEX_lock_write(&rsa->lock);

  259. 

  260.   new_blindings =

  261.       OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));

  262.   if (new_blindings == NULL) {

  263.     goto err1;

  264.   }

  265.   memcpy(new_blindings, rsa->blindings,

  266.          sizeof(BN_BLINDING *) * rsa->num_blindings);

  267.   new_blindings[rsa->num_blindings] = ret;

  268. 

  269.   new_blindings_inuse = OPENSSL_malloc(rsa->num_blindings + 1);

  270.   if (new_blindings_inuse == NULL) {

  271.     goto err2;

  272.   }

  273.   memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);

  274.   new_blindings_inuse[rsa->num_blindings] = 1;

  275.   *index_used = rsa->num_blindings;

  276. 

  277.   if (rsa->blindings != NULL) {

  278.     OPENSSL_free(rsa->blindings);

  279.   }

  280.   rsa->blindings = new_blindings;

  281.   if (rsa->blindings_inuse != NULL) {

  282.     OPENSSL_free(rsa->blindings_inuse);

  283.   }

  284.   rsa->blindings_inuse = new_blindings_inuse;

  285.   rsa->num_blindings++;

  286. 

  287.   CRYPTO_MUTEX_unlock(&rsa->lock);

  288.   return ret;

  289. 

  290. err2:

  291.   OPENSSL_free(new_blindings);

  292. 

  293. err1:

  294.   CRYPTO_MUTEX_unlock(&rsa->lock);

  295.   BN_BLINDING_free(ret);

  296.   return NULL;

  297. }

  298. 

  299. /* rsa_blinding_release marks the cached BN_BLINDING at the given index as free

  300.  * for other threads to use. */

  301. static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,

  302.                                  unsigned blinding_index) {

  303.   if (blinding_index == MAX_BLINDINGS_PER_RSA) {

  304.     /* This blinding wasn't cached. */

  305.     BN_BLINDING_free(blinding);

  306.     return;

  307.   }

  308. 

  309.   CRYPTO_MUTEX_lock_write(&rsa->lock);

  310.   rsa->blindings_inuse[blinding_index] = 0;

  311.   CRYPTO_MUTEX_unlock(&rsa->lock);

  312. }

  313. 

  314. /* signing */

  315. static int sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,

  316.                     const uint8_t *in, size_t in_len, int padding) {

  317.   const unsigned rsa_size = RSA_size(rsa);

  318.   uint8_t *buf = NULL;

  319.   int i, ret = 0;

  320. 

  321.   if (max_out < rsa_size) {

  322.     OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_OUTPUT_BUFFER_TOO_SMALL);

  323.     return 0;

  324.   }

  325. 

  326.   buf = OPENSSL_malloc(rsa_size);

  327.   if (buf == NULL) {

  328.     OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_MALLOC_FAILURE);

  329.     goto err;

  330.   }

  331. 

  332.   switch (padding) {

  333.     case RSA_PKCS1_PADDING:

  334.       i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);

  335.       break;

  336.     case RSA_NO_PADDING:

  337.       i = RSA_padding_add_none(buf, rsa_size, in, in_len);

  338.       break;

  339.     default:

  340.       OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_UNKNOWN_PADDING_TYPE);

  341.       goto err;

  342.   }

  343. 

  344.   if (i <= 0) {

  345.     goto err;

  346.   }

  347. 

  348.   if (!RSA_private_transform(rsa, out, buf, rsa_size)) {

  349.     goto err;

  350.   }

  351. 

  352.   *out_len = rsa_size;

  353.   ret = 1;

  354. 

  355. err:

  356.   if (buf != NULL) {

  357.     OPENSSL_cleanse(buf, rsa_size);

  358.     OPENSSL_free(buf);

  359.   }

  360. 

  361.   return ret;

  362. }

  363. 

  364. static int decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,

  365.                    const uint8_t *in, size_t in_len, int padding) {

  366.   const unsigned rsa_size = RSA_size(rsa);

  367.   int r = -1;

  368.   uint8_t *buf = NULL;

  369.   int ret = 0;

  370. 

  371.   if (max_out < rsa_size) {

  372.     OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_OUTPUT_BUFFER_TOO_SMALL);

  373.     return 0;

  374.   }

  375. 

  376.   buf = OPENSSL_malloc(rsa_size);

  377.   if (buf == NULL) {

  378.     OPENSSL_PUT_ERROR(RSA, decrypt, ERR_R_MALLOC_FAILURE);

  379.     goto err;

  380.   }

  381. 

  382.   if (in_len != rsa_size) {

  383.     OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);

  384.     goto err;

  385.   }

  386. 

  387.   if (!RSA_private_transform(rsa, buf, in, rsa_size)) {

  388.     goto err;

  389.   }

  390. 

  391.   switch (padding) {

  392.     case RSA_PKCS1_PADDING:

  393.       r = RSA_padding_check_PKCS1_type_2(out, rsa_size, buf, rsa_size);

  394.       break;

  395.     case RSA_PKCS1_OAEP_PADDING:

  396.       /* Use the default parameters: SHA-1 for both hashes and no label. */

  397.       r = RSA_padding_check_PKCS1_OAEP_mgf1(out, rsa_size, buf, rsa_size,

  398.                                             NULL, 0, NULL, NULL);

  399.       break;

  400.     case RSA_NO_PADDING:

  401.       r = RSA_padding_check_none(out, rsa_size, buf, rsa_size);

  402.       break;

  403.     default:

  404.       OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_UNKNOWN_PADDING_TYPE);

  405.       goto err;

  406.   }

  407. 

  408.   if (r < 0) {

  409.     OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_PADDING_CHECK_FAILED);

  410.   } else {

  411.     *out_len = r;

  412.     ret = 1;

  413.   }

  414. 

  415. err:

  416.   if (buf != NULL) {

  417.     OPENSSL_cleanse(buf, rsa_size);

  418.     OPENSSL_free(buf);

  419.   }

  420. 

  421.   return ret;

  422. }

  423. 

  424. static int verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,

  425.                       const uint8_t *in, size_t in_len, int padding) {

  426.   const unsigned rsa_size = RSA_size(rsa);

  427.   BIGNUM *f, *result;

  428.   int ret = 0;

  429.   int r = -1;

  430.   uint8_t *buf = NULL;

  431.   BN_CTX *ctx = NULL;

  432. 

  433.   if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {

  434.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_MODULUS_TOO_LARGE);

  435.     return 0;

  436.   }

  437. 

  438.   if (BN_ucmp(rsa->n, rsa->e) <= 0) {

  439.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_BAD_E_VALUE);

  440.     return 0;

  441.   }

  442. 

  443.   if (max_out < rsa_size) {

  444.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_OUTPUT_BUFFER_TOO_SMALL);

  445.     return 0;

  446.   }

  447. 

  448.   /* for large moduli, enforce exponent limit */

  449.   if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&

  450.       BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {

  451.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_BAD_E_VALUE);

  452.     return 0;

  453.   }

  454. 

  455.   ctx = BN_CTX_new();

  456.   if (ctx == NULL) {

  457.     goto err;

  458.   }

  459. 

  460.   BN_CTX_start(ctx);

  461.   f = BN_CTX_get(ctx);

  462.   result = BN_CTX_get(ctx);

  463.   buf = OPENSSL_malloc(rsa_size);

  464.   if (!f || !result || !buf) {

  465.     OPENSSL_PUT_ERROR(RSA, verify_raw, ERR_R_MALLOC_FAILURE);

  466.     goto err;

  467.   }

  468. 

  469.   if (in_len != rsa_size) {

  470.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);

  471.     goto err;

  472.   }

  473. 

  474.   if (BN_bin2bn(in, in_len, f) == NULL) {

  475.     goto err;

  476.   }

  477. 

  478.   if (BN_ucmp(f, rsa->n) >= 0) {

  479.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);

  480.     goto err;

  481.   }

  482. 

  483.   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {

  484.     if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==

  485.         NULL) {

  486.       goto err;

  487.     }

  488.   }

  489. 

  490.   if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx,

  491.                              rsa->_method_mod_n)) {

  492.     goto err;

  493.   }

  494. 

  495.   if (!BN_bn2bin_padded(buf, rsa_size, result)) {

  496.     OPENSSL_PUT_ERROR(RSA, verify_raw, ERR_R_INTERNAL_ERROR);

  497.     goto err;

  498.   }

  499. 

  500.   switch (padding) {

  501.     case RSA_PKCS1_PADDING:

  502.       r = RSA_padding_check_PKCS1_type_1(out, rsa_size, buf, rsa_size);

  503.       break;

  504.     case RSA_NO_PADDING:

  505.       r = RSA_padding_check_none(out, rsa_size, buf, rsa_size);

  506.       break;

  507.     default:

  508.       OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_UNKNOWN_PADDING_TYPE);

  509.       goto err;

  510.   }

  511. 

  512.   if (r < 0) {

  513.     OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_PADDING_CHECK_FAILED);

  514.   } else {

  515.     *out_len = r;

  516.     ret = 1;

  517.   }

  518. 

  519. err:

  520.   if (ctx != NULL) {

  521.     BN_CTX_end(ctx);

  522.     BN_CTX_free(ctx);

  523.   }

  524.   if (buf != NULL) {

  525.     OPENSSL_cleanse(buf, rsa_size);

  526.     OPENSSL_free(buf);

  527.   }

  528.   return ret;

  529. }

  530. 

  531. static int private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,

  532.                              size_t len) {

  533.   BIGNUM *f, *result;

  534.   BN_CTX *ctx = NULL;

  535.   unsigned blinding_index = 0;

  536.   BN_BLINDING *blinding = NULL;

  537.   int ret = 0;

  538. 

  539.   ctx = BN_CTX_new();

  540.   if (ctx == NULL) {

  541.     goto err;

  542.   }

  543.   BN_CTX_start(ctx);

  544.   f = BN_CTX_get(ctx);

  545.   result = BN_CTX_get(ctx);

  546. 

  547.   if (f == NULL || result == NULL) {

  548.     OPENSSL_PUT_ERROR(RSA, private_transform, ERR_R_MALLOC_FAILURE);

  549.     goto err;

  550.   }

  551. 

  552.   if (BN_bin2bn(in, len, f) == NULL) {

  553.     goto err;

  554.   }

  555. 

  556.   if (BN_ucmp(f, rsa->n) >= 0) {

  557.     /* Usually the padding functions would catch this. */

  558.     OPENSSL_PUT_ERROR(RSA, private_transform, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);

  559.     goto err;

  560.   }

  561. 

  562.   if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {

  563.     blinding = rsa_blinding_get(rsa, &blinding_index, ctx);

  564.     if (blinding == NULL) {

  565.       OPENSSL_PUT_ERROR(RSA, private_transform, ERR_R_INTERNAL_ERROR);

  566.       goto err;

  567.     }

  568.     if (!BN_BLINDING_convert_ex(f, NULL, blinding, ctx)) {

  569.       goto err;

  570.     }

  571.   }

  572. 

  573.   if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||

  574.       ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) &&

  575.        (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {

  576.     if (!rsa->meth->mod_exp(result, f, rsa, ctx)) {

  577.       goto err;

  578.     }

  579.   } else {

  580.     BIGNUM local_d;

  581.     BIGNUM *d = NULL;

  582. 

  583.     BN_init(&local_d);

  584.     d = &local_d;

  585.     BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

  586. 

  587.     if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {

  588.       if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n,

  589.                                  ctx) == NULL) {

  590.         goto err;

  591.       }

  592.     }

  593. 

  594.     if (!rsa->meth->bn_mod_exp(result, f, d, rsa->n, ctx, rsa->_method_mod_n)) {

  595.       goto err;

  596.     }

  597.   }

  598. 

  599.   if (blinding) {

  600.     if (!BN_BLINDING_invert_ex(result, NULL, blinding, ctx)) {

  601.       goto err;

  602.     }

  603.   }

  604. 

  605.   if (!BN_bn2bin_padded(out, len, result)) {

  606.     OPENSSL_PUT_ERROR(RSA, private_transform, ERR_R_INTERNAL_ERROR);

  607.     goto err;

  608.   }

  609. 

  610.   ret = 1;

  611. 

  612. err:

  613.   if (ctx != NULL) {

  614.     BN_CTX_end(ctx);

  615.     BN_CTX_free(ctx);

  616.   }

  617.   if (blinding != NULL) {

  618.     rsa_blinding_release(rsa, blinding, blinding_index);

  619.   }

  620. 

  621.   return ret;

  622. }

  623. 

  624. static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {

  625.   BIGNUM *r1, *m1, *vrfy;

  626.   BIGNUM local_dmp1, local_dmq1, local_c, local_r1;

  627.   BIGNUM *dmp1, *dmq1, *c, *pr1;

  628.   int ret = 0;

  629. 

  630.   BN_CTX_start(ctx);

  631.   r1 = BN_CTX_get(ctx);

  632.   m1 = BN_CTX_get(ctx);

  633.   vrfy = BN_CTX_get(ctx);

  634. 

  635.   {

  636.     BIGNUM local_p, local_q;

  637.     BIGNUM *p = NULL, *q = NULL;

  638. 

  639.     /* Make sure BN_mod_inverse in Montgomery intialization uses the

  640.      * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) */

  641.     BN_init(&local_p);

  642.     p = &local_p;

  643.     BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);

  644. 

  645.     BN_init(&local_q);

  646.     q = &local_q;

  647.     BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);

  648. 

  649.     if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {

  650.       if (BN_MONT_CTX_set_locked(&rsa->_method_mod_p, &rsa->lock, p, ctx) ==

  651.           NULL) {

  652.         goto err;

  653.       }

  654.       if (BN_MONT_CTX_set_locked(&rsa->_method_mod_q, &rsa->lock, q, ctx) ==

  655.           NULL) {

  656.         goto err;

  657.       }

  658.     }

  659.   }

  660. 

  661.   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {

  662.     if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==

  663.         NULL) {

  664.       goto err;

  665.     }

  666.   }

  667. 

  668.   /* compute I mod q */

  669.   c = &local_c;

  670.   BN_with_flags(c, I, BN_FLG_CONSTTIME);

  671.   if (!BN_mod(r1, c, rsa->q, ctx)) {

  672.     goto err;

  673.   }

  674. 

  675.   /* compute r1^dmq1 mod q */

  676.   dmq1 = &local_dmq1;

  677.   BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);

  678.   if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) {

  679.     goto err;

  680.   }

  681. 

  682.   /* compute I mod p */

  683.   c = &local_c;

  684.   BN_with_flags(c, I, BN_FLG_CONSTTIME);

  685.   if (!BN_mod(r1, c, rsa->p, ctx)) {

  686.     goto err;

  687.   }

  688. 

  689.   /* compute r1^dmp1 mod p */

  690.   dmp1 = &local_dmp1;

  691.   BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);

  692.   if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) {

  693.     goto err;

  694.   }

  695. 

  696.   if (!BN_sub(r0, r0, m1)) {

  697.     goto err;

  698.   }

  699.   /* This will help stop the size of r0 increasing, which does

  700.    * affect the multiply if it optimised for a power of 2 size */

  701.   if (BN_is_negative(r0)) {

  702.     if (!BN_add(r0, r0, rsa->p)) {

  703.       goto err;

  704.     }

  705.   }

  706. 

  707.   if (!BN_mul(r1, r0, rsa->iqmp, ctx)) {

  708.     goto err;

  709.   }

  710. 

  711.   /* Turn BN_FLG_CONSTTIME flag on before division operation */

  712.   pr1 = &local_r1;

  713.   BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);

  714. 

  715.   if (!BN_mod(r0, pr1, rsa->p, ctx)) {

  716.     goto err;

  717.   }

  718. 

  719.   /* If p < q it is occasionally possible for the correction of

  720.    * adding 'p' if r0 is negative above to leave the result still

  721.    * negative. This can break the private key operations: the following

  722.    * second correction should *always* correct this rare occurrence.

  723.    * This will *never* happen with OpenSSL generated keys because

  724.    * they ensure p > q [steve] */

  725.   if (BN_is_negative(r0)) {

  726.     if (!BN_add(r0, r0, rsa->p)) {

  727.       goto err;

  728.     }

  729.   }

  730.   if (!BN_mul(r1, r0, rsa->q, ctx)) {

  731.     goto err;

  732.   }

  733.   if (!BN_add(r0, r1, m1)) {

  734.     goto err;

  735.   }

  736. 

  737.   if (rsa->e && rsa->n) {

  738.     if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,

  739.                                rsa->_method_mod_n)) {

  740.       goto err;

  741.     }

  742.     /* If 'I' was greater than (or equal to) rsa->n, the operation

  743.      * will be equivalent to using 'I mod n'. However, the result of

  744.      * the verify will *always* be less than 'n' so we don't check

  745.      * for absolute equality, just congruency. */

  746.     if (!BN_sub(vrfy, vrfy, I)) {

  747.       goto err;

  748.     }

  749.     if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) {

  750.       goto err;

  751.     }

  752.     if (BN_is_negative(vrfy)) {

  753.       if (!BN_add(vrfy, vrfy, rsa->n)) {

  754.         goto err;

  755.       }

  756.     }

  757.     if (!BN_is_zero(vrfy)) {

  758.       /* 'I' and 'vrfy' aren't congruent mod n. Don't leak

  759.        * miscalculated CRT output, just do a raw (slower)

  760.        * mod_exp and return that instead. */

  761. 

  762.       BIGNUM local_d;

  763.       BIGNUM *d = NULL;

  764. 

  765.       d = &local_d;

  766.       BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

  767.       if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, rsa->_method_mod_n)) {

  768.         goto err;

  769.       }

  770.     }

  771.   }

  772.   ret = 1;

  773. 

  774. err:

  775.   BN_CTX_end(ctx);

  776.   return ret;

  777. }

  778. 

  779. static int keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {

  780.   BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;

  781.   BIGNUM local_r0, local_d, local_p;

  782.   BIGNUM *pr0, *d, *p;

  783.   int bitsp, bitsq, ok = -1, n = 0;

  784.   BN_CTX *ctx = NULL;

  785. 

  786.   ctx = BN_CTX_new();

  787.   if (ctx == NULL) {

  788.     goto err;

  789.   }

  790.   BN_CTX_start(ctx);

  791.   r0 = BN_CTX_get(ctx);

  792.   r1 = BN_CTX_get(ctx);

  793.   r2 = BN_CTX_get(ctx);

  794.   r3 = BN_CTX_get(ctx);

  795.   if (r3 == NULL) {

  796.     goto err;

  797.   }

  798. 

  799.   bitsp = (bits + 1) / 2;

  800.   bitsq = bits - bitsp;

  801. 

  802.   /* We need the RSA components non-NULL */

  803.   if (!rsa->n && ((rsa->n = BN_new()) == NULL)) {

  804.     goto err;

  805.   }

  806.   if (!rsa->d && ((rsa->d = BN_new()) == NULL)) {

  807.     goto err;

  808.   }

  809.   if (!rsa->e && ((rsa->e = BN_new()) == NULL)) {

  810.     goto err;

  811.   }

  812.   if (!rsa->p && ((rsa->p = BN_new()) == NULL)) {

  813.     goto err;

  814.   }

  815.   if (!rsa->q && ((rsa->q = BN_new()) == NULL)) {

  816.     goto err;

  817.   }

  818.   if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) {

  819.     goto err;

  820.   }

  821.   if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) {

  822.     goto err;

  823.   }

  824.   if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) {

  825.     goto err;

  826.   }

  827. 

  828.   BN_copy(rsa->e, e_value);

  829. 

  830.   /* generate p and q */

  831.   for (;;) {

  832.     if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb) ||

  833.         !BN_sub(r2, rsa->p, BN_value_one()) ||

  834.         !BN_gcd(r1, r2, rsa->e, ctx)) {

  835.       goto err;

  836.     }

  837.     if (BN_is_one(r1)) {

  838.       break;

  839.     }

  840.     if (!BN_GENCB_call(cb, 2, n++)) {

  841.       goto err;

  842.     }

  843.   }

  844.   if (!BN_GENCB_call(cb, 3, 0)) {

  845.     goto err;

  846.   }

  847.   for (;;) {

  848.     /* When generating ridiculously small keys, we can get stuck

  849.      * continually regenerating the same prime values. Check for

  850.      * this and bail if it happens 3 times. */

  851.     unsigned int degenerate = 0;

  852.     do {

  853.       if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) {

  854.         goto err;

  855.       }

  856.     } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));

  857.     if (degenerate == 3) {

  858.       ok = 0; /* we set our own err */

  859.       OPENSSL_PUT_ERROR(RSA, keygen, RSA_R_KEY_SIZE_TOO_SMALL);

  860.       goto err;

  861.     }

  862.     if (!BN_sub(r2, rsa->q, BN_value_one()) ||

  863.         !BN_gcd(r1, r2, rsa->e, ctx)) {

  864.       goto err;

  865.     }

  866.     if (BN_is_one(r1)) {

  867.       break;

  868.     }

  869.     if (!BN_GENCB_call(cb, 2, n++)) {

  870.       goto err;

  871.     }

  872.   }

  873.   if (!BN_GENCB_call(cb, 3, 1)) {

  874.     goto err;

  875.   }

  876.   if (BN_cmp(rsa->p, rsa->q) < 0) {

  877.     tmp = rsa->p;

  878.     rsa->p = rsa->q;

  879.     rsa->q = tmp;

  880.   }

  881. 

  882.   /* calculate n */

  883.   if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) {

  884.     goto err;

  885.   }

  886. 

  887.   /* calculate d */

  888.   if (!BN_sub(r1, rsa->p, BN_value_one())) {

  889.     goto err; /* p-1 */

  890.   }

  891.   if (!BN_sub(r2, rsa->q, BN_value_one())) {

  892.     goto err; /* q-1 */

  893.   }

  894.   if (!BN_mul(r0, r1, r2, ctx)) {

  895.     goto err; /* (p-1)(q-1) */

  896.   }

  897.   pr0 = &local_r0;

  898.   BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);

  899.   if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {

  900.     goto err; /* d */

  901.   }

  902. 

  903.   /* set up d for correct BN_FLG_CONSTTIME flag */

  904.   d = &local_d;

  905.   BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

  906. 

  907.   /* calculate d mod (p-1) */

  908.   if (!BN_mod(rsa->dmp1, d, r1, ctx)) {

  909.     goto err;

  910.   }

  911. 

  912.   /* calculate d mod (q-1) */

  913.   if (!BN_mod(rsa->dmq1, d, r2, ctx)) {

  914.     goto err;

  915.   }

  916. 

  917.   /* calculate inverse of q mod p */

  918.   p = &local_p;

  919.   BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);

  920. 

  921.   if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {

  922.     goto err;

  923.   }

  924. 

  925.   ok = 1;

  926. 

  927. err:

  928.   if (ok == -1) {

  929.     OPENSSL_PUT_ERROR(RSA, keygen, ERR_LIB_BN);

  930.     ok = 0;

  931.   }

  932.   if (ctx != NULL) {

  933.     BN_CTX_end(ctx);

  934.     BN_CTX_free(ctx);

  935.   }

  936. 

  937.   return ok;

  938. }

  939. 

  940. const struct rsa_meth_st RSA_default_method = {

  941.   {

  942.     0 /* references */,

  943.     1 /* is_static */,

  944.   },

  945.   NULL /* app_data */,

  946. 

  947.   NULL /* init */,

  948.   finish,

  949. 

  950.   size,

  951. 

  952.   NULL /* sign */,

  953.   NULL /* verify */,

  954. 

  955.   encrypt,

  956.   sign_raw,

  957.   decrypt,

  958.   verify_raw,

  959. 

  960.   private_transform,

  961. 

  962.   mod_exp /* mod_exp */,

  963.   BN_mod_exp_mont /* bn_mod_exp */,

  964. 

  965.   RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE,

  966. 

  967.   keygen,

  968. };