1656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* crypto/rsa/rsa_eay.c */ 2656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * All rights reserved. 4656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 5656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This package is an SSL implementation written 6656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * by Eric Young (eay@cryptsoft.com). 7656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The implementation was written so as to conform with Netscapes SSL. 8656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 9656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This library is free for commercial and non-commercial use as long as 10656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the following conditions are aheared to. The following conditions 11656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * apply to all code found in this distribution, be it the RC4, RSA, 12656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * included with this distribution is covered by the same copyright terms 14656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * except that the holder is Tim Hudson (tjh@cryptsoft.com). 
15656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 16656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Copyright remains Eric Young's, and as such any Copyright notices in 17656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the code are not to be removed. 18656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * If this package is used in a product, Eric Young should be given attribution 19656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * as the author of the parts of the library used. 20656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This can be in the form of a textual message at program startup or 21656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * in documentation (online or textual) provided with the package. 22656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 23656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Redistribution and use in source and binary forms, with or without 24656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * modification, are permitted provided that the following conditions 25656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * are met: 26656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 1. Redistributions of source code must retain the copyright 27656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer. 28656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 2. 
Redistributions in binary form must reproduce the above copyright 29656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer in the 30656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * documentation and/or other materials provided with the distribution. 31656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 3. All advertising materials mentioning features or use of this software 32656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * must display the following acknowledgement: 33656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes cryptographic software written by 34656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Eric Young (eay@cryptsoft.com)" 35656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The word 'cryptographic' can be left out if the rouines from the library 36656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * being used are not cryptographic related :-). 37656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 4. 
If you include any Windows specific code (or a derivative thereof) from 38656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the apps directory (application code) you must include an acknowledgement: 39656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 41656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * SUCH 
DAMAGE. 52656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 53656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The licence and distribution terms for any publically available version or 54656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * derivative of this code cannot be changed. i.e. this code cannot simply be 55656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * copied and put under another distribution licence 56656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * [including the GNU Public Licence.] 57656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 58656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* ==================================================================== 59656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 61656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Redistribution and use in source and binary forms, with or without 62656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * modification, are permitted provided that the following conditions 63656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * are met: 64656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 65656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 1. Redistributions of source code must retain the above copyright 66656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer. 67656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 68656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 2. 
Redistributions in binary form must reproduce the above copyright 69656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer in 70656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the documentation and/or other materials provided with the 71656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * distribution. 72656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 73656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 3. All advertising materials mentioning features or use of this 74656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * software must display the following acknowledgment: 75656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes software developed by the OpenSSL Project 76656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 78656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * endorse or promote products derived from this software without 80656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * prior written permission. For written permission, please contact 81656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * openssl-core@openssl.org. 82656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 83656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 5. 
Products derived from this software may not be called "OpenSSL" 84656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * nor may "OpenSSL" appear in their names without prior written 85656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * permission of the OpenSSL Project. 86656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 87656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 6. Redistributions of any form whatsoever must retain the following 88656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * acknowledgment: 89656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes software developed by the OpenSSL Project 90656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 92656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR 96656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OF THE POSSIBILITY OF SUCH DAMAGE. 104656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ==================================================================== 105656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 106656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This product includes cryptographic software written by Eric Young 107656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * (eay@cryptsoft.com). This product includes software written by Tim 108656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Hudson (tjh@cryptsoft.com). 
109656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 110656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 111656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 112656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <stdio.h> 113656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include "cryptlib.h" 114656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/bn.h> 115656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/rsa.h> 116656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/rand.h> 117656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 118221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#ifndef RSA_NULL 119656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 120656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 121656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *to, RSA *rsa,int padding); 122656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 123656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *to, RSA *rsa,int padding); 124656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 125656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *to, RSA *rsa,int padding); 126656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 127656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *to, RSA *rsa,int padding); 
/* Forward declarations for the remaining file-local callbacks that are
 * installed in the method table below. */
static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
static int RSA_eay_init(RSA *rsa);
static int RSA_eay_finish(RSA *rsa);

/* Method table for this RSA implementation; RSA_PKCS1_SSLeay() returns a
 * pointer to it.  The initialiser is positional, so the order of the
 * entries must match the field order of RSA_METHOD exactly: inserting or
 * reordering an entry silently rebinds every callback after it. */
static RSA_METHOD rsa_pkcs1_eay_meth={
	"Eric Young's PKCS#1 RSA",
	RSA_eay_public_encrypt,
	RSA_eay_public_decrypt, /* signature verification */
	RSA_eay_private_encrypt, /* signing */
	RSA_eay_private_decrypt,
	RSA_eay_mod_exp,
	/* Reached as rsa->meth->bn_mod_exp by RSA_eay_public_encrypt(). */
	BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
	RSA_eay_init,
	RSA_eay_finish,
	0, /* flags */
	NULL, /* presumably app_data -- confirm against RSA_METHOD in rsa.h */
	0, /* rsa_sign */
	0, /* rsa_verify */
	NULL /* rsa_keygen */
	};
147656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 148656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectconst RSA_METHOD *RSA_PKCS1_SSLeay(void) 149656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 150656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return(&rsa_pkcs1_eay_meth); 151656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 152656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 153656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 154656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *to, RSA *rsa, int padding) 155656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 156656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BIGNUM *f,*ret; 157656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i,j,k,num=0,r= -1; 158656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *buf=NULL; 159656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_CTX *ctx=NULL; 160656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 161656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 162656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 163656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 164656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return -1; 165656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 166656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 167656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (BN_ucmp(rsa->n, 
rsa->e) <= 0) 168656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 169656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 170656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return -1; 171656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 172656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 173656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* for large moduli, enforce exponent limit */ 174656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 175656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 176656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) 177656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 178656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 179656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return -1; 180656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 181656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 182656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 183656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((ctx=BN_CTX_new()) == NULL) goto err; 184656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_CTX_start(ctx); 185656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project f = BN_CTX_get(ctx); 186656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = BN_CTX_get(ctx); 187656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project num=BN_num_bytes(rsa->n); 188656d9c7f52f88b3a3daccafa7655dec086c4756eThe 
Android Open Source Project buf = OPENSSL_malloc(num); 189656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!f || !ret || !buf) 190656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 191656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 192656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 193656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 194656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 195656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project switch (padding) 196656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 197656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case RSA_PKCS1_PADDING: 198656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 199656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 200656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_SHA 201656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case RSA_PKCS1_OAEP_PADDING: 202656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 203656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 204656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 205656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case RSA_SSLV23_PADDING: 206656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=RSA_padding_add_SSLv23(buf,num,from,flen); 207656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 208656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case RSA_NO_PADDING: 
209656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=RSA_padding_add_none(buf,num,from,flen); 210656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 211656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project default: 212656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 213656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 214656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 215656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i <= 0) goto err; 216656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 217656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (BN_bin2bn(buf,num,f) == NULL) goto err; 218656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 219656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (BN_ucmp(f, rsa->n) >= 0) 220656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 221656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* usually the padding functions would catch this */ 222656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 223656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 224656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 225656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 226e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 227e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 228e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu goto err; 
229656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 230656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 231656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project rsa->_method_mod_n)) goto err; 232656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 233656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* put in leading 0 bytes if the number is less than the 234656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * length of the modulus */ 235656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j=BN_num_bytes(ret); 236656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=BN_bn2bin(ret,&(to[num-j])); 237656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (k=0; k<(num-i); k++) 238656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project to[k]=0; 239656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 240656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r=num; 241656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projecterr: 242656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx != NULL) 243656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 244656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_CTX_end(ctx); 245656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_CTX_free(ctx); 246656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 247656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (buf != NULL) 248656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 249656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project OPENSSL_cleanse(buf,num); 250656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android 
Open Source Project OPENSSL_free(buf); 251656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 252656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return(r); 253656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 254656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 255656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 256656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 257656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_BLINDING *ret; 258656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int got_write_lock = 0; 259221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom CRYPTO_THREADID cur; 260656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 261656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_r_lock(CRYPTO_LOCK_RSA); 262656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 263656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (rsa->blinding == NULL) 264656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 265656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 266656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_w_lock(CRYPTO_LOCK_RSA); 267656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project got_write_lock = 1; 268656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 269656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (rsa->blinding == NULL) 270656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project rsa->blinding = RSA_setup_blinding(rsa, ctx); 271656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 
272656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 273656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = rsa->blinding; 274656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret == NULL) 275656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 276656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 277221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom CRYPTO_THREADID_current(&cur); 278221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) 279656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 280656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* rsa->blinding is ours! */ 281656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 282656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *local = 1; 283656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 284656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 285656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 286656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* resort to rsa->mt_blinding instead */ 287656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 288656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() 289656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * that the BN_BLINDING is shared, meaning that accesses 290656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * require locks, and that the blinding factor must be 291656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * stored outside the BN_BLINDING 292656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 
293656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 294656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (rsa->mt_blinding == NULL) 295656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 296656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!got_write_lock) 297656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 298656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 299656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_w_lock(CRYPTO_LOCK_RSA); 300656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project got_write_lock = 1; 301656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 302656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 303656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (rsa->mt_blinding == NULL) 304656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 305656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 306656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = rsa->mt_blinding; 307656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 308656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 309656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project err: 310656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (got_write_lock) 311656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 312656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 313656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 314656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
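 return ret;
}

/*
 * Blind f in place before the private-key exponentiation.
 *
 * b       - blinding state obtained from rsa_get_blinding()
 * f       - value to blind; overwritten with the blinded value
 * unblind - NULL for thread-local blinding (the unblinding factor stays
 *           inside b); non-NULL for shared blinding (the factor is written
 *           to *unblind instead)
 * ctx     - scratch BN_CTX
 *
 * Returns whatever BN_BLINDING_convert_ex() returns (callers treat 0 as
 * failure).
 */
static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
	BN_CTX *ctx)
	{
	if (unblind == NULL)
		/* Local blinding: store the unblinding factor
		 * in BN_BLINDING. */
		return BN_BLINDING_convert_ex(f, NULL, b, ctx);
	else
		{
		/* Shared blinding: store the unblinding factor
		 * outside BN_BLINDING.  The shared structure is only
		 * touched while CRYPTO_LOCK_RSA_BLINDING is held. */
		int ret;
		CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
		ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
		CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
		return ret;
		}
	}

/*
 * Remove the blinding from f after the private-key exponentiation.
 * Takes the same arguments as rsa_blinding_convert(); unblind must be the
 * value that was passed to the matching convert call.
 *
 * Returns whatever BN_BLINDING_invert_ex() returns.
 */
static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
	BN_CTX *ctx)
	{
	/* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
	 * will use the unblinding factor stored in BN_BLINDING.
	 * If BN_BLINDING is shared between threads, unblind must be non-null:
	 * BN_BLINDING_invert_ex will then use the local unblinding factor,
	 * and will only read the modulus from BN_BLINDING.
	 * In both cases it's safe to access the blinding without a lock.
	 */
	return BN_BLINDING_invert_ex(f, unblind, b, ctx);
	}

/* signing */
/*
 * Pad the flen bytes at `from` according to `padding`, apply the RSA
 * private-key operation and write the result to `to` as exactly
 * BN_num_bytes(rsa->n) bytes, left-padded with zero bytes.
 *
 * Blinding is applied unless RSA_FLAG_NO_BLINDING is set.  The CRT path
 * (rsa->meth->rsa_mod_exp) is taken when RSA_FLAG_EXT_PKEY is set or all of
 * p, q, dmp1, dmq1 and iqmp are present; otherwise rsa->d is used directly.
 *
 * Returns the modulus length in bytes on success, -1 on error (an error is
 * pushed with RSAerr() for the failures detected here).
 */
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM *f, *ret, *res;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;
	int local_blinding = 0;
	/* Used only if the blinding structure is shared. A non-NULL unblind
	 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
	 * the unblinding factor outside the blinding structure. */
	BIGNUM *unblind = NULL;
	BN_BLINDING *blinding = NULL;

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	BN_CTX_start(ctx);
	f   = BN_CTX_get(ctx);
	ret = BN_CTX_get(ctx);
	num = BN_num_bytes(rsa->n);
	buf = OPENSSL_malloc(num);
	if(!f || !ret || !buf)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
		break;
	case RSA_X931_PADDING:
		i=RSA_padding_add_X931(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	case RSA_SSLV23_PADDING:
		/* not valid for signing: handled as an unknown padding type */
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,f) == NULL) goto err;

	if (BN_ucmp(f, rsa->n) >= 0)
		{
		/* usually the padding functions would catch this */
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
		{
		blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
		if (blinding == NULL)
			{
			RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
			goto err;
			}
		}

	if (blinding != NULL)
		{
		/* shared blinding needs a caller-owned slot for the
		 * unblinding factor */
		if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
			{
			RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
			goto err;
			}
		if (!rsa_blinding_convert(blinding, f, unblind, ctx))
			goto err;
		}

	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{
		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
		}
	else
		{
		BIGNUM local_d;
		BIGNUM *d = NULL;

		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
			{
			/* local_d aliases rsa->d with BN_FLG_CONSTTIME set, so
			 * the exponentiation is asked to take its
			 * constant-time path for the private exponent */
			BN_init(&local_d);
			d = &local_d;
			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
			}
		else
			d= rsa->d;

		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
			if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
				goto err;

		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
				rsa->_method_mod_n)) goto err;
		}

	if (blinding)
		if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
			goto err;

	if (padding == RSA_X931_PADDING)
		{
		/* X9.31 emits the smaller of ret and n - ret.  Check the
		 * subtraction, as RSA_eay_public_decrypt() does, so that a
		 * failed BN_sub() cannot leave a stale f to be compared and
		 * possibly output. */
		if (!BN_sub(f, rsa->n, ret)) goto err;
		if (BN_cmp(ret, f) > 0)
			res = f;
		else
			res = ret;
		}
	else
		res = ret;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(res);
	i=BN_bn2bin(res,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL)
		{
		BN_CTX_end(ctx);
		BN_CTX_free(ctx);
		}
	if (buf != NULL)
		{
		/* buf held the padded input; wipe it before release */
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

/*
 * Apply the RSA private-key operation to the flen bytes at `from` and strip
 * the padding selected by `padding`, writing the recovered message to `to`.
 *
 * The input is rejected when it is longer than the modulus or numerically
 * >= rsa->n.  Blinding and the choice between the CRT path and rsa->d follow
 * the same rules as RSA_eay_private_encrypt().
 *
 * Returns the value of the padding-check routine (the message length) on
 * success, -1 on error.  The padding checks are called with num as the
 * output size; presumably `to` must be able to hold up to
 * BN_num_bytes(rsa->n) bytes - verify against callers.
 *
 * NOTE(review): a padding failure is reported through its own error code
 * (RSA_R_PADDING_CHECK_FAILED), and the length j handed to the padding
 * check depends on how many leading zero bytes the recovered value has.
 * Callers that process untrusted ciphertexts should not let either
 * difference become observable to the sender (uniform error response and
 * timing), otherwise PKCS#1 v1.5 decryption can act as a padding oracle.
 */
static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM *f, *ret;
	int j,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;
	int local_blinding = 0;
	/* Used only if the blinding structure is shared. A non-NULL unblind
	 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
	 * the unblinding factor outside the blinding structure. */
	BIGNUM *unblind = NULL;
	BN_BLINDING *blinding = NULL;

	if((ctx = BN_CTX_new()) == NULL) goto err;
	BN_CTX_start(ctx);
	f   = BN_CTX_get(ctx);
	ret = BN_CTX_get(ctx);
	num = BN_num_bytes(rsa->n);
	buf = OPENSSL_malloc(num);
	if(!f || !ret || !buf)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equality but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	/* make data into a big number */
	if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;

	if (BN_ucmp(f, rsa->n) >= 0)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
		{
		blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
		if (blinding == NULL)
			{
			RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
			goto err;
			}
		}

	if (blinding != NULL)
		{
		/* shared blinding needs a caller-owned slot for the
		 * unblinding factor */
		if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
			{
			RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
			goto err;
			}
		if (!rsa_blinding_convert(blinding, f, unblind, ctx))
			goto err;
		}

	/* do the decrypt */
	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{
		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
		}
	else
		{
		BIGNUM local_d;
		BIGNUM *d = NULL;

		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
			{
			/* Initialise local_d as the signing path does, so
			 * that BN_with_flags() does not start from an
			 * indeterminate struct. */
			BN_init(&local_d);
			d = &local_d;
			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
			}
		else
			d = rsa->d;

		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
				goto err;
		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
				rsa->_method_mod_n))
		  goto err;
		}

	if (blinding)
		if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
			goto err;

	p=buf;
	j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
		break;
#ifndef OPENSSL_NO_SHA
        case RSA_PKCS1_OAEP_PADDING:
	        r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
                break;
#endif
 	case RSA_SSLV23_PADDING:
		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,j,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL)
		{
		BN_CTX_end(ctx);
		BN_CTX_free(ctx);
		}
	if (buf != NULL)
		{
		/* buf held the recovered plaintext; wipe it before release */
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}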
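/* signature verification */
/*
 * Applies the RSA public operation (from^e mod n) to the flen bytes at
 * 'from' and hands the result to the padding checker selected by
 * 'padding', which writes the recovered payload to 'to'.
 *
 * Returns the value produced by the padding-check routine, or -1 if an
 * earlier step fails.  A negative padding-check result additionally
 * records RSA_R_PADDING_CHECK_FAILED.
 *
 * This routine only recovers the padded payload; nothing here compares
 * it with an expected digest, so that comparison is left to the caller.
 */
static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM *f,*ret;
	int i,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	/* Key sanity checks happen before any allocation, so these early
	 * exits can return directly instead of going through 'err'. */
	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
		return -1;
		}

	/* The public exponent must be strictly smaller than the modulus. */
	if (BN_ucmp(rsa->n, rsa->e) <= 0)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
		return -1;
		}

	/* for large moduli, enforce exponent limit */
	/* NOTE(review): presumably this bounds the work an oversized public
	 * key can demand from the verifier -- confirm against the header
	 * that defines these limits. */
	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
		{
		if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
			{
			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
			return -1;
			}
		}

	if((ctx = BN_CTX_new()) == NULL) goto err;
	BN_CTX_start(ctx);
	f = BN_CTX_get(ctx);
	ret = BN_CTX_get(ctx);
	num=BN_num_bytes(rsa->n);
	buf = OPENSSL_malloc(num);
	if(!f || !ret || !buf)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equality but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	if (BN_bin2bn(from,flen,f) == NULL) goto err;

	/* Reject input that is not already reduced modulo n. */
	if (BN_ucmp(f, rsa->n) >= 0)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
			goto err;

	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	/* For X9.31, a result whose low nibble is not 12 is replaced by
	 * n - ret before the padding check. */
	if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
		if (!BN_sub(ret, rsa->n, ret)) goto err;

	p=buf;
	i=BN_bn2bin(ret,p);

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		break;
	case RSA_X931_PADDING:
		r=RSA_padding_check_X931(to,num,buf,i,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,i,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL)
		{
		BN_CTX_end(ctx);
		BN_CTX_free(ctx);
		}
	if (buf != NULL)
		{
		/* Wipe the scratch copy of the raw result before releasing it. */
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

/*
 * Private-key exponentiation of I using the CRT components of 'rsa'
 * (p, q, dmp1, dmq1, iqmp); the result is left in r0.
 *
 * Unless RSA_FLAG_NO_CONSTTIME is set, the secret operands are passed to
 * the bignum routines through local BIGNUMs carrying BN_FLG_CONSTTIME.
 *
 * When both rsa->e and rsa->n are available the CRT result is checked by
 * raising it to e modulo n and comparing with I; on a mismatch the result
 * is recomputed with a plain exponentiation by d so that a miscalculated
 * CRT output is never returned.
 *
 * Returns 1 on success and 0 on failure.  The BN_CTX frame opened here is
 * closed on every path.
 */
static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
	{
	BIGNUM *r1,*m1,*vrfy;
	BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
	BIGNUM *dmp1,*dmq1,*c,*pr1;
	int ret=0;

	BN_CTX_start(ctx);
	r1 = BN_CTX_get(ctx);
	m1 = BN_CTX_get(ctx);
	vrfy = BN_CTX_get(ctx);
	/* Once BN_CTX_get fails it keeps returning NULL for the rest of the
	 * frame, so testing the last request covers r1 and m1 as well.
	 * Without this check a failed allocation would be dereferenced by
	 * the BN_mod/bn_mod_exp calls below. */
	if (vrfy == NULL) goto err;

	{
		BIGNUM local_p, local_q;
		BIGNUM *p = NULL, *q = NULL;

		/* Make sure BN_mod_inverse in Montgomery initialization uses the
		 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
		 */
		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
			{
			BN_init(&local_p);
			p = &local_p;
			BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);

			BN_init(&local_q);
			q = &local_q;
			BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
			}
		else
			{
			p = rsa->p;
			q = rsa->q;
			}

		if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
			{
			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
				goto err;
			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
				goto err;
			}
	}

	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
			goto err;

	/* compute I mod q */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		c = &local_c;
		BN_with_flags(c, I, BN_FLG_CONSTTIME);
		if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
		}
	else
		{
		if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
		}

	/* compute r1^dmq1 mod q */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		dmq1 = &local_dmq1;
		BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
		}
	else
		dmq1 = rsa->dmq1;
	if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
		rsa->_method_mod_q)) goto err;

	/* compute I mod p */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		c = &local_c;
		BN_with_flags(c, I, BN_FLG_CONSTTIME);
		if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
		}
	else
		{
		if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
		}

	/* compute r1^dmp1 mod p */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		dmp1 = &local_dmp1;
		BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
		}
	else
		dmp1 = rsa->dmp1;
	if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
		rsa->_method_mod_p)) goto err;

	if (!BN_sub(r0,r0,m1)) goto err;
	/* This will help stop the size of r0 increasing, which does
	 * affect the multiply if it optimised for a power of 2 size */
	if (BN_is_negative(r0))
		if (!BN_add(r0,r0,rsa->p)) goto err;

	if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;

	/* Turn BN_FLG_CONSTTIME flag on before division operation */
	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		pr1 = &local_r1;
		BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
		}
	else
		pr1 = r1;
	if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;

	/* If p < q it is occasionally possible for the correction of
	 * adding 'p' if r0 is negative above to leave the result still
	 * negative. This can break the private key operations: the following
	 * second correction should *always* correct this rare occurrence.
	 * This will *never* happen with OpenSSL generated keys because
	 * they ensure p > q [steve]
	 */
	if (BN_is_negative(r0))
		if (!BN_add(r0,r0,rsa->p)) goto err;
	if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
	if (!BN_add(r0,r1,m1)) goto err;

	if (rsa->e && rsa->n)
		{
		if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
		/* If 'I' was greater than (or equal to) rsa->n, the operation
		 * will be equivalent to using 'I mod n'. However, the result of
		 * the verify will *always* be less than 'n' so we don't check
		 * for absolute equality, just congruency. */
		if (!BN_sub(vrfy, vrfy, I)) goto err;
		if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
		if (BN_is_negative(vrfy))
			if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
		if (!BN_is_zero(vrfy))
			{
			/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
			 * miscalculated CRT output, just do a raw (slower)
			 * mod_exp and return that instead. */

			BIGNUM local_d;
			BIGNUM *d = NULL;

			if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
				{
				d = &local_d;
				BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
				}
			else
				d = rsa->d;
			if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
						   rsa->_method_mod_n)) goto err;
			}
		}
	ret=1;
err:
	BN_CTX_end(ctx);
	return(ret);
	}

/* Method init hook: turns on caching of the public and private Montgomery
 * contexts for this key.  Always returns 1. */
static int RSA_eay_init(RSA *rsa)
	{
	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
	return(1);
	}

/* Method finish hook: releases whichever cached Montgomery contexts
 * (mod n, mod p, mod q) were created for this key.  Always returns 1. */
static int RSA_eay_finish(RSA *rsa)
	{
	if (rsa->_method_mod_n != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_n);
	if (rsa->_method_mod_p != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_p);
	if (rsa->_method_mod_q != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_q);
	return(1);
	}

#endif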