Home | History | Annotate | Download | only in rsa
      1 /* crypto/rsa/rsa_eay.c */
      2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      3  * All rights reserved.
      4  *
      5  * This package is an SSL implementation written
      6  * by Eric Young (eay (at) cryptsoft.com).
      7  * The implementation was written so as to conform with Netscapes SSL.
      8  *
      9  * This library is free for commercial and non-commercial use as long as
     10  * the following conditions are aheared to.  The following conditions
     11  * apply to all code found in this distribution, be it the RC4, RSA,
     12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     13  * included with this distribution is covered by the same copyright terms
     14  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     15  *
     16  * Copyright remains Eric Young's, and as such any Copyright notices in
     17  * the code are not to be removed.
     18  * If this package is used in a product, Eric Young should be given attribution
     19  * as the author of the parts of the library used.
     20  * This can be in the form of a textual message at program startup or
     21  * in documentation (online or textual) provided with the package.
     22  *
     23  * Redistribution and use in source and binary forms, with or without
     24  * modification, are permitted provided that the following conditions
     25  * are met:
     26  * 1. Redistributions of source code must retain the copyright
     27  *    notice, this list of conditions and the following disclaimer.
     28  * 2. Redistributions in binary form must reproduce the above copyright
     29  *    notice, this list of conditions and the following disclaimer in the
     30  *    documentation and/or other materials provided with the distribution.
     31  * 3. All advertising materials mentioning features or use of this software
     32  *    must display the following acknowledgement:
     33  *    "This product includes cryptographic software written by
     34  *     Eric Young (eay (at) cryptsoft.com)"
     35  *    The word 'cryptographic' can be left out if the rouines from the library
     36  *    being used are not cryptographic related :-).
     37  * 4. If you include any Windows specific code (or a derivative thereof) from
     38  *    the apps directory (application code) you must include an acknowledgement:
     39  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     40  *
     41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     51  * SUCH DAMAGE.
     52  *
     53  * The licence and distribution terms for any publically available version or
     54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     55  * copied and put under another distribution licence
     56  * [including the GNU Public Licence.]
     57  */
     58 /* ====================================================================
     59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
     60  *
     61  * Redistribution and use in source and binary forms, with or without
     62  * modification, are permitted provided that the following conditions
     63  * are met:
     64  *
     65  * 1. Redistributions of source code must retain the above copyright
     66  *    notice, this list of conditions and the following disclaimer.
     67  *
     68  * 2. Redistributions in binary form must reproduce the above copyright
     69  *    notice, this list of conditions and the following disclaimer in
     70  *    the documentation and/or other materials provided with the
     71  *    distribution.
     72  *
     73  * 3. All advertising materials mentioning features or use of this
     74  *    software must display the following acknowledgment:
     75  *    "This product includes software developed by the OpenSSL Project
     76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     77  *
     78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     79  *    endorse or promote products derived from this software without
     80  *    prior written permission. For written permission, please contact
     81  *    openssl-core (at) openssl.org.
     82  *
     83  * 5. Products derived from this software may not be called "OpenSSL"
     84  *    nor may "OpenSSL" appear in their names without prior written
     85  *    permission of the OpenSSL Project.
     86  *
     87  * 6. Redistributions of any form whatsoever must retain the following
     88  *    acknowledgment:
     89  *    "This product includes software developed by the OpenSSL Project
     90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     91  *
     92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104  * ====================================================================
    105  *
    106  * This product includes cryptographic software written by Eric Young
    107  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    108  * Hudson (tjh (at) cryptsoft.com).
    109  *
    110  */
    111 
    112 #include <stdio.h>
    113 #include "cryptlib.h"
    114 #include <openssl/bn.h>
    115 #include <openssl/rsa.h>
    116 #include <openssl/rand.h>
    117 
    118 #ifndef RSA_NULL
    119 
    120 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
    121 		unsigned char *to, RSA *rsa,int padding);
    122 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
    123 		unsigned char *to, RSA *rsa,int padding);
    124 static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
    125 		unsigned char *to, RSA *rsa,int padding);
    126 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
    127 		unsigned char *to, RSA *rsa,int padding);
    128 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
    129 static int RSA_eay_init(RSA *rsa);
    130 static int RSA_eay_finish(RSA *rsa);
    131 static RSA_METHOD rsa_pkcs1_eay_meth={
    132 	"Eric Young's PKCS#1 RSA",
    133 	RSA_eay_public_encrypt,
    134 	RSA_eay_public_decrypt, /* signature verification */
    135 	RSA_eay_private_encrypt, /* signing */
    136 	RSA_eay_private_decrypt,
    137 	RSA_eay_mod_exp,
    138 	BN_mod_exp_mont, /* XXX probably we should not use Montgomery if  e == 3 */
    139 	RSA_eay_init,
    140 	RSA_eay_finish,
    141 	0, /* flags */
    142 	NULL,
    143 	0, /* rsa_sign */
    144 	0, /* rsa_verify */
    145 	NULL /* rsa_keygen */
    146 	};
    147 
    148 const RSA_METHOD *RSA_PKCS1_SSLeay(void)
    149 	{
    150 	return(&rsa_pkcs1_eay_meth);
    151 	}
    152 
    153 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
    154 	     unsigned char *to, RSA *rsa, int padding)
    155 	{
    156 	BIGNUM *f,*ret;
    157 	int i,j,k,num=0,r= -1;
    158 	unsigned char *buf=NULL;
    159 	BN_CTX *ctx=NULL;
    160 
    161 	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
    162 		{
    163 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
    164 		return -1;
    165 		}
    166 
    167 	if (BN_ucmp(rsa->n, rsa->e) <= 0)
    168 		{
    169 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
    170 		return -1;
    171 		}
    172 
    173 	/* for large moduli, enforce exponent limit */
    174 	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
    175 		{
    176 		if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
    177 			{
    178 			RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
    179 			return -1;
    180 			}
    181 		}
    182 
    183 	if ((ctx=BN_CTX_new()) == NULL) goto err;
    184 	BN_CTX_start(ctx);
    185 	f = BN_CTX_get(ctx);
    186 	ret = BN_CTX_get(ctx);
    187 	num=BN_num_bytes(rsa->n);
    188 	buf = OPENSSL_malloc(num);
    189 	if (!f || !ret || !buf)
    190 		{
    191 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
    192 		goto err;
    193 		}
    194 
    195 	switch (padding)
    196 		{
    197 	case RSA_PKCS1_PADDING:
    198 		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
    199 		break;
    200 #ifndef OPENSSL_NO_SHA
    201 	case RSA_PKCS1_OAEP_PADDING:
    202 	        i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
    203 		break;
    204 #endif
    205 	case RSA_SSLV23_PADDING:
    206 		i=RSA_padding_add_SSLv23(buf,num,from,flen);
    207 		break;
    208 	case RSA_NO_PADDING:
    209 		i=RSA_padding_add_none(buf,num,from,flen);
    210 		break;
    211 	default:
    212 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
    213 		goto err;
    214 		}
    215 	if (i <= 0) goto err;
    216 
    217 	if (BN_bin2bn(buf,num,f) == NULL) goto err;
    218 
    219 	if (BN_ucmp(f, rsa->n) >= 0)
    220 		{
    221 		/* usually the padding functions would catch this */
    222 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
    223 		goto err;
    224 		}
    225 
    226 	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
    227 		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
    228 			goto err;
    229 
    230 	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
    231 		rsa->_method_mod_n)) goto err;
    232 
    233 	/* put in leading 0 bytes if the number is less than the
    234 	 * length of the modulus */
    235 	j=BN_num_bytes(ret);
    236 	i=BN_bn2bin(ret,&(to[num-j]));
    237 	for (k=0; k<(num-i); k++)
    238 		to[k]=0;
    239 
    240 	r=num;
    241 err:
    242 	if (ctx != NULL)
    243 		{
    244 		BN_CTX_end(ctx);
    245 		BN_CTX_free(ctx);
    246 		}
    247 	if (buf != NULL)
    248 		{
    249 		OPENSSL_cleanse(buf,num);
    250 		OPENSSL_free(buf);
    251 		}
    252 	return(r);
    253 	}
    254 
    255 static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
    256 {
    257 	BN_BLINDING *ret;
    258 	int got_write_lock = 0;
    259 	CRYPTO_THREADID cur;
    260 
    261 	CRYPTO_r_lock(CRYPTO_LOCK_RSA);
    262 
    263 	if (rsa->blinding == NULL)
    264 		{
    265 		CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
    266 		CRYPTO_w_lock(CRYPTO_LOCK_RSA);
    267 		got_write_lock = 1;
    268 
    269 		if (rsa->blinding == NULL)
    270 			rsa->blinding = RSA_setup_blinding(rsa, ctx);
    271 		}
    272 
    273 	ret = rsa->blinding;
    274 	if (ret == NULL)
    275 		goto err;
    276 
    277 	CRYPTO_THREADID_current(&cur);
    278 	if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret)))
    279 		{
    280 		/* rsa->blinding is ours! */
    281 
    282 		*local = 1;
    283 		}
    284 	else
    285 		{
    286 		/* resort to rsa->mt_blinding instead */
    287 
    288 		*local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
    289 		             * that the BN_BLINDING is shared, meaning that accesses
    290 		             * require locks, and that the blinding factor must be
    291 		             * stored outside the BN_BLINDING
    292 		             */
    293 
    294 		if (rsa->mt_blinding == NULL)
    295 			{
    296 			if (!got_write_lock)
    297 				{
    298 				CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
    299 				CRYPTO_w_lock(CRYPTO_LOCK_RSA);
    300 				got_write_lock = 1;
    301 				}
    302 
    303 			if (rsa->mt_blinding == NULL)
    304 				rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
    305 			}
    306 		ret = rsa->mt_blinding;
    307 		}
    308 
    309  err:
    310 	if (got_write_lock)
    311 		CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
    312 	else
    313 		CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
    314 	return ret;
    315 }
    316 
    317 static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
    318 	BN_CTX *ctx)
    319 	{
    320 	if (unblind == NULL)
    321 		/* Local blinding: store the unblinding factor
    322 		 * in BN_BLINDING. */
    323 		return BN_BLINDING_convert_ex(f, NULL, b, ctx);
    324 	else
    325 		{
    326 		/* Shared blinding: store the unblinding factor
    327 		 * outside BN_BLINDING. */
    328 		int ret;
    329 		CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
    330 		ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
    331 		CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
    332 		return ret;
    333 		}
    334 	}
    335 
    336 static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
    337 	BN_CTX *ctx)
    338 	{
    339 	/* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
    340 	 * will use the unblinding factor stored in BN_BLINDING.
    341 	 * If BN_BLINDING is shared between threads, unblind must be non-null:
    342 	 * BN_BLINDING_invert_ex will then use the local unblinding factor,
    343 	 * and will only read the modulus from BN_BLINDING.
    344 	 * In both cases it's safe to access the blinding without a lock.
    345 	 */
    346 	return BN_BLINDING_invert_ex(f, unblind, b, ctx);
    347 	}
    348 
    349 /* signing */
    350 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
    351 	     unsigned char *to, RSA *rsa, int padding)
    352 	{
    353 	BIGNUM *f, *ret, *res;
    354 	int i,j,k,num=0,r= -1;
    355 	unsigned char *buf=NULL;
    356 	BN_CTX *ctx=NULL;
    357 	int local_blinding = 0;
    358 	/* Used only if the blinding structure is shared. A non-NULL unblind
    359 	 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
    360 	 * the unblinding factor outside the blinding structure. */
    361 	BIGNUM *unblind = NULL;
    362 	BN_BLINDING *blinding = NULL;
    363 
    364 	if ((ctx=BN_CTX_new()) == NULL) goto err;
    365 	BN_CTX_start(ctx);
    366 	f   = BN_CTX_get(ctx);
    367 	ret = BN_CTX_get(ctx);
    368 	num = BN_num_bytes(rsa->n);
    369 	buf = OPENSSL_malloc(num);
    370 	if(!f || !ret || !buf)
    371 		{
    372 		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
    373 		goto err;
    374 		}
    375 
    376 	switch (padding)
    377 		{
    378 	case RSA_PKCS1_PADDING:
    379 		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
    380 		break;
    381 	case RSA_X931_PADDING:
    382 		i=RSA_padding_add_X931(buf,num,from,flen);
    383 		break;
    384 	case RSA_NO_PADDING:
    385 		i=RSA_padding_add_none(buf,num,from,flen);
    386 		break;
    387 	case RSA_SSLV23_PADDING:
    388 	default:
    389 		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
    390 		goto err;
    391 		}
    392 	if (i <= 0) goto err;
    393 
    394 	if (BN_bin2bn(buf,num,f) == NULL) goto err;
    395 
    396 	if (BN_ucmp(f, rsa->n) >= 0)
    397 		{
    398 		/* usually the padding functions would catch this */
    399 		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
    400 		goto err;
    401 		}
    402 
    403 	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
    404 		{
    405 		blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
    406 		if (blinding == NULL)
    407 			{
    408 			RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
    409 			goto err;
    410 			}
    411 		}
    412 
    413 	if (blinding != NULL)
    414 		{
    415 		if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
    416 			{
    417 			RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
    418 			goto err;
    419 			}
    420 		if (!rsa_blinding_convert(blinding, f, unblind, ctx))
    421 			goto err;
    422 		}
    423 
    424 	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
    425 		((rsa->p != NULL) &&
    426 		(rsa->q != NULL) &&
    427 		(rsa->dmp1 != NULL) &&
    428 		(rsa->dmq1 != NULL) &&
    429 		(rsa->iqmp != NULL)) )
    430 		{
    431 		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
    432 		}
    433 	else
    434 		{
    435 		BIGNUM local_d;
    436 		BIGNUM *d = NULL;
    437 
    438 		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
    439 			{
    440 			BN_init(&local_d);
    441 			d = &local_d;
    442 			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
    443 			}
    444 		else
    445 			d= rsa->d;
    446 
    447 		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
    448 			if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
    449 				goto err;
    450 
    451 		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
    452 				rsa->_method_mod_n)) goto err;
    453 		}
    454 
    455 	if (blinding)
    456 		if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
    457 			goto err;
    458 
    459 	if (padding == RSA_X931_PADDING)
    460 		{
    461 		BN_sub(f, rsa->n, ret);
    462 		if (BN_cmp(ret, f))
    463 			res = f;
    464 		else
    465 			res = ret;
    466 		}
    467 	else
    468 		res = ret;
    469 
    470 	/* put in leading 0 bytes if the number is less than the
    471 	 * length of the modulus */
    472 	j=BN_num_bytes(res);
    473 	i=BN_bn2bin(res,&(to[num-j]));
    474 	for (k=0; k<(num-i); k++)
    475 		to[k]=0;
    476 
    477 	r=num;
    478 err:
    479 	if (ctx != NULL)
    480 		{
    481 		BN_CTX_end(ctx);
    482 		BN_CTX_free(ctx);
    483 		}
    484 	if (buf != NULL)
    485 		{
    486 		OPENSSL_cleanse(buf,num);
    487 		OPENSSL_free(buf);
    488 		}
    489 	return(r);
    490 	}
    491 
    492 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
    493 	     unsigned char *to, RSA *rsa, int padding)
    494 	{
    495 	BIGNUM *f, *ret;
    496 	int j,num=0,r= -1;
    497 	unsigned char *p;
    498 	unsigned char *buf=NULL;
    499 	BN_CTX *ctx=NULL;
    500 	int local_blinding = 0;
    501 	/* Used only if the blinding structure is shared. A non-NULL unblind
    502 	 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
    503 	 * the unblinding factor outside the blinding structure. */
    504 	BIGNUM *unblind = NULL;
    505 	BN_BLINDING *blinding = NULL;
    506 
    507 	if((ctx = BN_CTX_new()) == NULL) goto err;
    508 	BN_CTX_start(ctx);
    509 	f   = BN_CTX_get(ctx);
    510 	ret = BN_CTX_get(ctx);
    511 	num = BN_num_bytes(rsa->n);
    512 	buf = OPENSSL_malloc(num);
    513 	if(!f || !ret || !buf)
    514 		{
    515 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
    516 		goto err;
    517 		}
    518 
    519 	/* This check was for equality but PGP does evil things
    520 	 * and chops off the top '0' bytes */
    521 	if (flen > num)
    522 		{
    523 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
    524 		goto err;
    525 		}
    526 
    527 	/* make data into a big number */
    528 	if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
    529 
    530 	if (BN_ucmp(f, rsa->n) >= 0)
    531 		{
    532 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
    533 		goto err;
    534 		}
    535 
    536 	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
    537 		{
    538 		blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
    539 		if (blinding == NULL)
    540 			{
    541 			RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
    542 			goto err;
    543 			}
    544 		}
    545 
    546 	if (blinding != NULL)
    547 		{
    548 		if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
    549 			{
    550 			RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
    551 			goto err;
    552 			}
    553 		if (!rsa_blinding_convert(blinding, f, unblind, ctx))
    554 			goto err;
    555 		}
    556 
    557 	/* do the decrypt */
    558 	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
    559 		((rsa->p != NULL) &&
    560 		(rsa->q != NULL) &&
    561 		(rsa->dmp1 != NULL) &&
    562 		(rsa->dmq1 != NULL) &&
    563 		(rsa->iqmp != NULL)) )
    564 		{
    565 		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
    566 		}
    567 	else
    568 		{
    569 		BIGNUM local_d;
    570 		BIGNUM *d = NULL;
    571 
    572 		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
    573 			{
    574 			d = &local_d;
    575 			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
    576 			}
    577 		else
    578 			d = rsa->d;
    579 
    580 		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
    581 			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
    582 				goto err;
    583 		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
    584 				rsa->_method_mod_n))
    585 		  goto err;
    586 		}
    587 
    588 	if (blinding)
    589 		if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
    590 			goto err;
    591 
    592 	p=buf;
    593 	j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
    594 
    595 	switch (padding)
    596 		{
    597 	case RSA_PKCS1_PADDING:
    598 		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
    599 		break;
    600 #ifndef OPENSSL_NO_SHA
    601         case RSA_PKCS1_OAEP_PADDING:
    602 	        r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
    603                 break;
    604 #endif
    605  	case RSA_SSLV23_PADDING:
    606 		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
    607 		break;
    608 	case RSA_NO_PADDING:
    609 		r=RSA_padding_check_none(to,num,buf,j,num);
    610 		break;
    611 	default:
    612 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
    613 		goto err;
    614 		}
    615 	if (r < 0)
    616 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
    617 
    618 err:
    619 	if (ctx != NULL)
    620 		{
    621 		BN_CTX_end(ctx);
    622 		BN_CTX_free(ctx);
    623 		}
    624 	if (buf != NULL)
    625 		{
    626 		OPENSSL_cleanse(buf,num);
    627 		OPENSSL_free(buf);
    628 		}
    629 	return(r);
    630 	}
    631 
    632 /* signature verification */
    633 static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
    634 	     unsigned char *to, RSA *rsa, int padding)
    635 	{
    636 	BIGNUM *f,*ret;
    637 	int i,num=0,r= -1;
    638 	unsigned char *p;
    639 	unsigned char *buf=NULL;
    640 	BN_CTX *ctx=NULL;
    641 
    642 	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
    643 		{
    644 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
    645 		return -1;
    646 		}
    647 
    648 	if (BN_ucmp(rsa->n, rsa->e) <= 0)
    649 		{
    650 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
    651 		return -1;
    652 		}
    653 
    654 	/* for large moduli, enforce exponent limit */
    655 	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
    656 		{
    657 		if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
    658 			{
    659 			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
    660 			return -1;
    661 			}
    662 		}
    663 
    664 	if((ctx = BN_CTX_new()) == NULL) goto err;
    665 	BN_CTX_start(ctx);
    666 	f = BN_CTX_get(ctx);
    667 	ret = BN_CTX_get(ctx);
    668 	num=BN_num_bytes(rsa->n);
    669 	buf = OPENSSL_malloc(num);
    670 	if(!f || !ret || !buf)
    671 		{
    672 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
    673 		goto err;
    674 		}
    675 
    676 	/* This check was for equality but PGP does evil things
    677 	 * and chops off the top '0' bytes */
    678 	if (flen > num)
    679 		{
    680 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
    681 		goto err;
    682 		}
    683 
    684 	if (BN_bin2bn(from,flen,f) == NULL) goto err;
    685 
    686 	if (BN_ucmp(f, rsa->n) >= 0)
    687 		{
    688 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
    689 		goto err;
    690 		}
    691 
    692 	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
    693 		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
    694 			goto err;
    695 
    696 	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
    697 		rsa->_method_mod_n)) goto err;
    698 
    699 	if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
    700 		if (!BN_sub(ret, rsa->n, ret)) goto err;
    701 
    702 	p=buf;
    703 	i=BN_bn2bin(ret,p);
    704 
    705 	switch (padding)
    706 		{
    707 	case RSA_PKCS1_PADDING:
    708 		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
    709 		break;
    710 	case RSA_X931_PADDING:
    711 		r=RSA_padding_check_X931(to,num,buf,i,num);
    712 		break;
    713 	case RSA_NO_PADDING:
    714 		r=RSA_padding_check_none(to,num,buf,i,num);
    715 		break;
    716 	default:
    717 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
    718 		goto err;
    719 		}
    720 	if (r < 0)
    721 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
    722 
    723 err:
    724 	if (ctx != NULL)
    725 		{
    726 		BN_CTX_end(ctx);
    727 		BN_CTX_free(ctx);
    728 		}
    729 	if (buf != NULL)
    730 		{
    731 		OPENSSL_cleanse(buf,num);
    732 		OPENSSL_free(buf);
    733 		}
    734 	return(r);
    735 	}
    736 
    737 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
    738 	{
    739 	BIGNUM *r1,*m1,*vrfy;
    740 	BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
    741 	BIGNUM *dmp1,*dmq1,*c,*pr1;
    742 	int ret=0;
    743 
    744 	BN_CTX_start(ctx);
    745 	r1 = BN_CTX_get(ctx);
    746 	m1 = BN_CTX_get(ctx);
    747 	vrfy = BN_CTX_get(ctx);
    748 
    749 	{
    750 		BIGNUM local_p, local_q;
    751 		BIGNUM *p = NULL, *q = NULL;
    752 
    753 		/* Make sure BN_mod_inverse in Montgomery intialization uses the
    754 		 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
    755 		 */
    756 		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
    757 			{
    758 			BN_init(&local_p);
    759 			p = &local_p;
    760 			BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
    761 
    762 			BN_init(&local_q);
    763 			q = &local_q;
    764 			BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
    765 			}
    766 		else
    767 			{
    768 			p = rsa->p;
    769 			q = rsa->q;
    770 			}
    771 
    772 		if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
    773 			{
    774 			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
    775 				goto err;
    776 			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
    777 				goto err;
    778 			}
    779 	}
    780 
    781 	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
    782 		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
    783 			goto err;
    784 
    785 	/* compute I mod q */
    786 	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
    787 		{
    788 		c = &local_c;
    789 		BN_with_flags(c, I, BN_FLG_CONSTTIME);
    790 		if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
    791 		}
    792 	else
    793 		{
    794 		if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
    795 		}
    796 
    797 	/* compute r1^dmq1 mod q */
    798 	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
    799 		{
    800 		dmq1 = &local_dmq1;
    801 		BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
    802 		}
    803 	else
    804 		dmq1 = rsa->dmq1;
    805 	if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
    806 		rsa->_method_mod_q)) goto err;
    807 
    808 	/* compute I mod p */
    809 	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
    810 		{
    811 		c = &local_c;
    812 		BN_with_flags(c, I, BN_FLG_CONSTTIME);
    813 		if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
    814 		}
    815 	else
    816 		{
    817 		if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
    818 		}
    819 
    820 	/* compute r1^dmp1 mod p */
    821 	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
    822 		{
    823 		dmp1 = &local_dmp1;
    824 		BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
    825 		}
    826 	else
    827 		dmp1 = rsa->dmp1;
    828 	if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
    829 		rsa->_method_mod_p)) goto err;
    830 
    831 	if (!BN_sub(r0,r0,m1)) goto err;
    832 	/* This will help stop the size of r0 increasing, which does
    833 	 * affect the multiply if it optimised for a power of 2 size */
    834 	if (BN_is_negative(r0))
    835 		if (!BN_add(r0,r0,rsa->p)) goto err;
    836 
    837 	if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
    838 
    839 	/* Turn BN_FLG_CONSTTIME flag on before division operation */
    840 	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
    841 		{
    842 		pr1 = &local_r1;
    843 		BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
    844 		}
    845 	else
    846 		pr1 = r1;
    847 	if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
    848 
    849 	/* If p < q it is occasionally possible for the correction of
    850          * adding 'p' if r0 is negative above to leave the result still
    851 	 * negative. This can break the private key operations: the following
    852 	 * second correction should *always* correct this rare occurrence.
    853 	 * This will *never* happen with OpenSSL generated keys because
    854          * they ensure p > q [steve]
    855          */
    856 	if (BN_is_negative(r0))
    857 		if (!BN_add(r0,r0,rsa->p)) goto err;
    858 	if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
    859 	if (!BN_add(r0,r1,m1)) goto err;
    860 
    861 	if (rsa->e && rsa->n)
    862 		{
    863 		if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
    864 		/* If 'I' was greater than (or equal to) rsa->n, the operation
    865 		 * will be equivalent to using 'I mod n'. However, the result of
    866 		 * the verify will *always* be less than 'n' so we don't check
    867 		 * for absolute equality, just congruency. */
    868 		if (!BN_sub(vrfy, vrfy, I)) goto err;
    869 		if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
    870 		if (BN_is_negative(vrfy))
    871 			if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
    872 		if (!BN_is_zero(vrfy))
    873 			{
    874 			/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
    875 			 * miscalculated CRT output, just do a raw (slower)
    876 			 * mod_exp and return that instead. */
    877 
    878 			BIGNUM local_d;
    879 			BIGNUM *d = NULL;
    880 
    881 			if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
    882 				{
    883 				d = &local_d;
    884 				BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
    885 				}
    886 			else
    887 				d = rsa->d;
    888 			if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
    889 						   rsa->_method_mod_n)) goto err;
    890 			}
    891 		}
    892 	ret=1;
    893 err:
    894 	BN_CTX_end(ctx);
    895 	return(ret);
    896 	}
    897 
    898 static int RSA_eay_init(RSA *rsa)
    899 	{
    900 	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
    901 	return(1);
    902 	}
    903 
    904 static int RSA_eay_finish(RSA *rsa)
    905 	{
    906 	if (rsa->_method_mod_n != NULL)
    907 		BN_MONT_CTX_free(rsa->_method_mod_n);
    908 	if (rsa->_method_mod_p != NULL)
    909 		BN_MONT_CTX_free(rsa->_method_mod_p);
    910 	if (rsa->_method_mod_q != NULL)
    911 		BN_MONT_CTX_free(rsa->_method_mod_q);
    912 	return(1);
    913 	}
    914 
    915 #endif
    916