2 * Copyright (c) 2000-2001,2011,2014 Apple Inc. All Rights Reserved.
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
19 /* crypto/rsa/rsa_eay.c */
20 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
21 * All rights reserved.
23 * This package is an SSL implementation written
24 * by Eric Young (eay@cryptsoft.com).
25 * The implementation was written so as to conform with Netscapes SSL.
27 * This library is free for commercial and non-commercial use as long as
28 * the following conditions are aheared to. The following conditions
29 * apply to all code found in this distribution, be it the RC4, RSA,
30 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
31 * included with this distribution is covered by the same copyright terms
32 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
34 * Copyright remains Eric Young's, and as such any Copyright notices in
35 * the code are not to be removed.
36 * If this package is used in a product, Eric Young should be given attribution
37 * as the author of the parts of the library used.
38 * This can be in the form of a textual message at program startup or
39 * in documentation (online or textual) provided with the package.
41 * Redistribution and use in source and binary forms, with or without
42 * modification, are permitted provided that the following conditions
44 * 1. Redistributions of source code must retain the copyright
45 * notice, this list of conditions and the following disclaimer.
46 * 2. Redistributions in binary form must reproduce the above copyright
47 * notice, this list of conditions and the following disclaimer in the
48 * documentation and/or other materials provided with the distribution.
49 * 3. All advertising materials mentioning features or use of this software
50 * must display the following acknowledgement:
51 * "This product includes cryptographic software written by
52 * Eric Young (eay@cryptsoft.com)"
53 * The word 'cryptographic' can be left out if the rouines from the library
54 * being used are not cryptographic related :-).
55 * 4. If you include any Windows specific code (or a derivative thereof) from
56 * the apps directory (application code) you must include an acknowledgement:
57 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
59 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
60 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
61 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
62 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
63 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
64 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
65 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
66 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
67 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
68 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
71 * The licence and distribution terms for any publically available version or
72 * derivative of this code cannot be changed. i.e. this code cannot simply be
73 * copied and put under another distribution licence
74 * [including the GNU Public Licence.]
79 #include <openssl/bn.h>
80 #include <openssl/rsa.h>
81 #include <openssl/rand.h>
86 static int RSA_eay_public_encrypt(int flen
, unsigned char *from
,
87 unsigned char *to
, RSA
*rsa
,int padding
);
88 static int RSA_eay_private_encrypt(int flen
, unsigned char *from
,
89 unsigned char *to
, RSA
*rsa
,int padding
);
90 static int RSA_eay_public_decrypt(int flen
, unsigned char *from
,
91 unsigned char *to
, RSA
*rsa
,int padding
);
92 static int RSA_eay_private_decrypt(int flen
, unsigned char *from
,
93 unsigned char *to
, RSA
*rsa
,int padding
);
94 static int RSA_eay_mod_exp(BIGNUM
*r0
, BIGNUM
*i
, RSA
*rsa
);
95 static int RSA_eay_init(RSA
*rsa
);
96 static int RSA_eay_finish(RSA
*rsa
);
97 static const RSA_METHOD rsa_pkcs1_eay_meth
={
98 "Eric Young's PKCS#1 RSA",
99 RSA_eay_public_encrypt
,
100 RSA_eay_public_decrypt
,
101 RSA_eay_private_encrypt
,
102 RSA_eay_private_decrypt
,
111 const RSA_METHOD
*RSA_PKCS1_SSLeay(void)
113 return(&rsa_pkcs1_eay_meth
);
116 static int RSA_eay_public_encrypt(int flen
, unsigned char *from
,
117 unsigned char *to
, RSA
*rsa
, int padding
)
120 int i
,j
,k
,num
=0,r
= -1;
121 unsigned char *buf
=NULL
;
126 if ((ctx
=BN_CTX_new()) == NULL
) goto err
;
127 num
=BN_num_bytes(rsa
->n
);
128 if ((buf
=(unsigned char *)Malloc(num
)) == NULL
)
130 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT
,ERR_R_MALLOC_FAILURE
);
136 case RSA_PKCS1_PADDING
:
137 i
=RSA_padding_add_PKCS1_type_2(buf
,num
,from
,flen
);
139 #ifndef _OPENSSL_APPLE_CDSA_
141 case RSA_PKCS1_OAEP_PADDING
:
142 i
=RSA_padding_add_PKCS1_OAEP(buf
,num
,from
,flen
,NULL
,0);
146 case RSA_SSLV23_PADDING
:
147 i
=RSA_padding_add_SSLv23(buf
,num
,from
,flen
);
150 i
=RSA_padding_add_none(buf
,num
,from
,flen
);
153 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT
,RSA_R_UNKNOWN_PADDING_TYPE
);
156 if (i
<= 0) goto err
;
158 if (BN_bin2bn(buf
,num
,&f
) == NULL
) goto err
;
160 if ((rsa
->_method_mod_n
== NULL
) && (rsa
->flags
& RSA_FLAG_CACHE_PUBLIC
))
162 if ((rsa
->_method_mod_n
=BN_MONT_CTX_new()) != NULL
)
163 if (!BN_MONT_CTX_set(rsa
->_method_mod_n
,rsa
->n
,ctx
))
167 if (!rsa
->meth
->bn_mod_exp(&ret
,&f
,rsa
->e
,rsa
->n
,ctx
,
168 rsa
->_method_mod_n
)) goto err
;
170 /* put in leading 0 bytes if the number is less than the
171 * length of the modulus */
172 j
=BN_num_bytes(&ret
);
173 i
=BN_bn2bin(&ret
,&(to
[num
-j
]));
174 for (k
=0; k
<(num
-i
); k
++)
179 if (ctx
!= NULL
) BN_CTX_free(ctx
);
190 static int RSA_eay_private_encrypt(int flen
, unsigned char *from
,
191 unsigned char *to
, RSA
*rsa
, int padding
)
194 int i
,j
,k
,num
=0,r
= -1;
195 unsigned char *buf
=NULL
;
201 if ((ctx
=BN_CTX_new()) == NULL
) goto err
;
202 num
=BN_num_bytes(rsa
->n
);
203 if ((buf
=(unsigned char *)Malloc(num
)) == NULL
)
205 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,ERR_R_MALLOC_FAILURE
);
211 case RSA_PKCS1_PADDING
:
212 i
=RSA_padding_add_PKCS1_type_1(buf
,num
,from
,flen
);
215 i
=RSA_padding_add_none(buf
,num
,from
,flen
);
217 case RSA_SSLV23_PADDING
:
219 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,RSA_R_UNKNOWN_PADDING_TYPE
);
222 if (i
<= 0) goto err
;
224 if (BN_bin2bn(buf
,num
,&f
) == NULL
) goto err
;
226 if ((rsa
->flags
& RSA_FLAG_BLINDING
) && (RSA_get_thread_blinding_ptr(rsa
) == NULL
))
227 RSA_blinding_on(rsa
,ctx
);
228 if (rsa
->flags
& RSA_FLAG_BLINDING
)
229 if (!BN_BLINDING_convert(&f
,RSA_get_thread_blinding_ptr(rsa
),ctx
)) goto err
;
231 if ( (rsa
->flags
& RSA_FLAG_EXT_PKEY
) ||
234 (rsa
->dmp1
!= NULL
) &&
235 (rsa
->dmq1
!= NULL
) &&
236 (rsa
->iqmp
!= NULL
)) )
237 { if (!rsa
->meth
->rsa_mod_exp(&ret
,&f
,rsa
)) goto err
; }
240 if (!rsa
->meth
->bn_mod_exp(&ret
,&f
,rsa
->d
,rsa
->n
,ctx
,NULL
)) goto err
;
243 if (rsa
->flags
& RSA_FLAG_BLINDING
)
244 if (!BN_BLINDING_invert(&ret
,RSA_get_thread_blinding_ptr(rsa
),ctx
)) goto err
;
246 /* put in leading 0 bytes if the number is less than the
247 * length of the modulus */
248 j
=BN_num_bytes(&ret
);
249 i
=BN_bn2bin(&ret
,&(to
[num
-j
]));
250 for (k
=0; k
<(num
-i
); k
++)
255 if (ctx
!= NULL
) BN_CTX_free(ctx
);
266 static int RSA_eay_private_decrypt(int flen
, unsigned char *from
,
267 unsigned char *to
, RSA
*rsa
, int padding
)
272 unsigned char *buf
=NULL
;
278 if (ctx
== NULL
) goto err
;
280 num
=BN_num_bytes(rsa
->n
);
282 if ((buf
=(unsigned char *)Malloc(num
)) == NULL
)
284 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
,ERR_R_MALLOC_FAILURE
);
288 /* This check was for equality but PGP does evil things
289 * and chops off the top '0' bytes */
292 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
,RSA_R_DATA_GREATER_THAN_MOD_LEN
);
296 /* make data into a big number */
297 if (BN_bin2bn(from
,(int)flen
,&f
) == NULL
) goto err
;
299 if ((rsa
->flags
& RSA_FLAG_BLINDING
) && (RSA_get_thread_blinding_ptr(rsa
) == NULL
))
300 RSA_blinding_on(rsa
,ctx
);
301 if (rsa
->flags
& RSA_FLAG_BLINDING
)
302 if (!BN_BLINDING_convert(&f
,RSA_get_thread_blinding_ptr(rsa
),ctx
)) goto err
;
305 if ( (rsa
->flags
& RSA_FLAG_EXT_PKEY
) ||
308 (rsa
->dmp1
!= NULL
) &&
309 (rsa
->dmq1
!= NULL
) &&
310 (rsa
->iqmp
!= NULL
)) )
311 { if (!rsa
->meth
->rsa_mod_exp(&ret
,&f
,rsa
)) goto err
; }
314 if (!rsa
->meth
->bn_mod_exp(&ret
,&f
,rsa
->d
,rsa
->n
,ctx
,NULL
))
318 if (rsa
->flags
& RSA_FLAG_BLINDING
)
319 if (!BN_BLINDING_invert(&ret
,RSA_get_thread_blinding_ptr(rsa
),ctx
)) goto err
;
322 j
=BN_bn2bin(&ret
,p
); /* j is only used with no-padding mode */
326 case RSA_PKCS1_PADDING
:
327 r
=RSA_padding_check_PKCS1_type_2(to
,num
,buf
,j
,num
);
329 #ifndef _OPENSSL_APPLE_CDSA_
331 case RSA_PKCS1_OAEP_PADDING
:
332 r
=RSA_padding_check_PKCS1_OAEP(to
,num
,buf
,j
,num
,NULL
,0);
336 case RSA_SSLV23_PADDING
:
337 r
=RSA_padding_check_SSLv23(to
,num
,buf
,j
,num
);
340 r
=RSA_padding_check_none(to
,num
,buf
,j
,num
);
343 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
,RSA_R_UNKNOWN_PADDING_TYPE
);
347 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
,RSA_R_PADDING_CHECK_FAILED
);
350 if (ctx
!= NULL
) BN_CTX_free(ctx
);
361 static int RSA_eay_public_decrypt(int flen
, unsigned char *from
,
362 unsigned char *to
, RSA
*rsa
, int padding
)
367 unsigned char *buf
=NULL
;
373 if (ctx
== NULL
) goto err
;
375 num
=BN_num_bytes(rsa
->n
);
376 buf
=(unsigned char *)Malloc(num
);
379 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT
,ERR_R_MALLOC_FAILURE
);
383 /* This check was for equality but PGP does evil things
384 * and chops off the top '0' bytes */
387 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT
,RSA_R_DATA_GREATER_THAN_MOD_LEN
);
391 if (BN_bin2bn(from
,flen
,&f
) == NULL
) goto err
;
393 if ((rsa
->_method_mod_n
== NULL
) && (rsa
->flags
& RSA_FLAG_CACHE_PUBLIC
))
395 if ((rsa
->_method_mod_n
=BN_MONT_CTX_new()) != NULL
)
396 if (!BN_MONT_CTX_set(rsa
->_method_mod_n
,rsa
->n
,ctx
))
400 if (!rsa
->meth
->bn_mod_exp(&ret
,&f
,rsa
->e
,rsa
->n
,ctx
,
401 rsa
->_method_mod_n
)) goto err
;
408 case RSA_PKCS1_PADDING
:
409 r
=RSA_padding_check_PKCS1_type_1(to
,num
,buf
,i
,num
);
412 r
=RSA_padding_check_none(to
,num
,buf
,i
,num
);
415 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT
,RSA_R_UNKNOWN_PADDING_TYPE
);
419 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT
,RSA_R_PADDING_CHECK_FAILED
);
422 if (ctx
!= NULL
) BN_CTX_free(ctx
);
433 static int RSA_eay_mod_exp(BIGNUM
*r0
, BIGNUM
*I
, RSA
*rsa
)
439 if ((ctx
=BN_CTX_new()) == NULL
) goto err
;
443 if (rsa
->flags
& RSA_FLAG_CACHE_PRIVATE
)
445 if (rsa
->_method_mod_p
== NULL
)
447 if ((rsa
->_method_mod_p
=BN_MONT_CTX_new()) != NULL
)
448 if (!BN_MONT_CTX_set(rsa
->_method_mod_p
,rsa
->p
,
452 if (rsa
->_method_mod_q
== NULL
)
454 if ((rsa
->_method_mod_q
=BN_MONT_CTX_new()) != NULL
)
455 if (!BN_MONT_CTX_set(rsa
->_method_mod_q
,rsa
->q
,
461 if (!BN_mod(&r1
,I
,rsa
->q
,ctx
)) goto err
;
462 if (!rsa
->meth
->bn_mod_exp(&m1
,&r1
,rsa
->dmq1
,rsa
->q
,ctx
,
463 rsa
->_method_mod_q
)) goto err
;
465 if (!BN_mod(&r1
,I
,rsa
->p
,ctx
)) goto err
;
466 if (!rsa
->meth
->bn_mod_exp(r0
,&r1
,rsa
->dmp1
,rsa
->p
,ctx
,
467 rsa
->_method_mod_p
)) goto err
;
469 if (!BN_sub(r0
,r0
,&m1
)) goto err
;
470 /* This will help stop the size of r0 increasing, which does
471 * affect the multiply if it optimised for a power of 2 size */
473 if (!BN_add(r0
,r0
,rsa
->p
)) goto err
;
475 if (!BN_mul(&r1
,r0
,rsa
->iqmp
,ctx
)) goto err
;
476 if (!BN_mod(r0
,&r1
,rsa
->p
,ctx
)) goto err
;
477 /* If p < q it is occasionally possible for the correction of
478 * adding 'p' if r0 is negative above to leave the result still
479 * negative. This can break the private key operations: the following
480 * second correction should *always* correct this rare occurrence.
481 * This will *never* happen with OpenSSL generated keys because
482 * they ensure p > q [steve]
485 if (!BN_add(r0
,r0
,rsa
->p
)) goto err
;
486 if (!BN_mul(&r1
,r0
,rsa
->q
,ctx
)) goto err
;
487 if (!BN_add(r0
,&r1
,&m1
)) goto err
;
497 static int RSA_eay_init(RSA
*rsa
)
499 rsa
->flags
|=RSA_FLAG_CACHE_PUBLIC
|RSA_FLAG_CACHE_PRIVATE
;
503 static int RSA_eay_finish(RSA
*rsa
)
505 if (rsa
->_method_mod_n
!= NULL
)
506 BN_MONT_CTX_free(rsa
->_method_mod_n
);
507 if (rsa
->_method_mod_p
!= NULL
)
508 BN_MONT_CTX_free(rsa
->_method_mod_p
);
509 if (rsa
->_method_mod_q
!= NULL
)
510 BN_MONT_CTX_free(rsa
->_method_mod_q
);