📄 rsa_eay.c

📁 OpenSSL 0.9.8k 最新版OpenSSL
💻 C
📖 第 1 页 / 共 2 页
字号:
上一页 12
		BN_sub(f, rsa->n, ret);		if (BN_cmp(ret, f))			res = f;		else			res = ret;		}	else		res = ret;	/* put in leading 0 bytes if the number is less than the	 * length of the modulus */	j=BN_num_bytes(res);	i=BN_bn2bin(res,&(to[num-j]));	for (k=0; k<(num-i); k++)		to[k]=0;	r=num;err:	if (ctx != NULL)		{		BN_CTX_end(ctx);		BN_CTX_free(ctx);		}	if (buf != NULL)		{		OPENSSL_cleanse(buf,num);		OPENSSL_free(buf);		}	return(r);	}static int RSA_eay_private_decrypt(int flen, const unsigned char *from,	     unsigned char *to, RSA *rsa, int padding)	{	BIGNUM *f, *ret, *br;	int j,num=0,r= -1;	unsigned char *p;	unsigned char *buf=NULL;	BN_CTX *ctx=NULL;	int local_blinding = 0;	BN_BLINDING *blinding = NULL;	if((ctx = BN_CTX_new()) == NULL) goto err;	BN_CTX_start(ctx);	f   = BN_CTX_get(ctx);	br  = BN_CTX_get(ctx);	ret = BN_CTX_get(ctx);	num = BN_num_bytes(rsa->n);	buf = OPENSSL_malloc(num);	if(!f || !ret || !buf)		{		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);		goto err;		}	/* This check was for equality but PGP does evil things	 * and chops off the top '0' bytes */	if (flen > num)		{		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);		goto err;		}	/* make data into a big number */	if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;	if (BN_ucmp(f, rsa->n) >= 0)		{		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);		goto err;		}	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))		{		blinding = rsa_get_blinding(rsa, &local_blinding, ctx);		if (blinding == NULL)			{			RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);			goto err;			}		}		if (blinding != NULL)		if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))			goto err;	/* do the decrypt */	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||		((rsa->p != NULL) &&		(rsa->q != NULL) &&		(rsa->dmp1 != NULL) &&		(rsa->dmq1 != NULL) &&		(rsa->iqmp != NULL)) )		{		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;		}	else		{		BIGNUM local_d;		BIGNUM *d = NULL;				if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))			{			d = &local_d;			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);			}		else			d = rsa->d;		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))				goto err;		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,				rsa->_method_mod_n))		  goto err;		}	if (blinding)		if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))			goto err;	p=buf;	j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */	switch (padding)		{	case RSA_PKCS1_PADDING:		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);		break;#ifndef OPENSSL_NO_SHA        case RSA_PKCS1_OAEP_PADDING:	        r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);                break;#endif 	case RSA_SSLV23_PADDING:		r=RSA_padding_check_SSLv23(to,num,buf,j,num);		break;	case RSA_NO_PADDING:		r=RSA_padding_check_none(to,num,buf,j,num);		break;	default:		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);		goto err;		}	if (r < 0)		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);err:	if (ctx != NULL)		{		BN_CTX_end(ctx);		BN_CTX_free(ctx);		}	if (buf != NULL)		{		OPENSSL_cleanse(buf,num);		OPENSSL_free(buf);		}	return(r);	}/* signature verification */static int RSA_eay_public_decrypt(int flen, const unsigned char *from,	     unsigned char *to, RSA *rsa, int padding)	{	BIGNUM *f,*ret;	int i,num=0,r= -1;	unsigned char *p;	unsigned char *buf=NULL;	BN_CTX *ctx=NULL;	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)		{		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);		return -1;		}	if (BN_ucmp(rsa->n, rsa->e) <= 0)		{		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);		return -1;		}	/* for large moduli, enforce exponent limit */	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)		{		if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)			{			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);			return -1;			}		}		if((ctx = BN_CTX_new()) == NULL) goto err;	BN_CTX_start(ctx);	f = BN_CTX_get(ctx);	ret = BN_CTX_get(ctx);	num=BN_num_bytes(rsa->n);	buf = OPENSSL_malloc(num);	if(!f || !ret || !buf)		{		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);		goto err;		}	/* This check was for equality but PGP does evil things	 * and chops off the top '0' bytes */	if (flen > num)		{		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);		goto err;		}	if (BN_bin2bn(from,flen,f) == NULL) goto err;	if (BN_ucmp(f, rsa->n) >= 0)		{		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);		goto err;		}	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))			goto err;	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,		rsa->_method_mod_n)) goto err;	if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))		BN_sub(ret, rsa->n, ret);	p=buf;	i=BN_bn2bin(ret,p);	switch (padding)		{	case RSA_PKCS1_PADDING:		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);		break;	case RSA_X931_PADDING:		r=RSA_padding_check_X931(to,num,buf,i,num);		break;	case RSA_NO_PADDING:		r=RSA_padding_check_none(to,num,buf,i,num);		break;	default:		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);		goto err;		}	if (r < 0)		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);err:	if (ctx != NULL)		{		BN_CTX_end(ctx);		BN_CTX_free(ctx);		}	if (buf != NULL)		{		OPENSSL_cleanse(buf,num);		OPENSSL_free(buf);		}	return(r);	}static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)	{	BIGNUM *r1,*m1,*vrfy;	BIGNUM local_dmp1,local_dmq1,local_c,local_r1;	BIGNUM *dmp1,*dmq1,*c,*pr1;	int ret=0;	BN_CTX_start(ctx);	r1 = BN_CTX_get(ctx);	m1 = BN_CTX_get(ctx);	vrfy = BN_CTX_get(ctx);	{		BIGNUM local_p, local_q;		BIGNUM *p = NULL, *q = NULL;		/* Make sure BN_mod_inverse in Montgomery intialization uses the		 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)		 */		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))			{			BN_init(&local_p);			p = &local_p;			BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);			BN_init(&local_q);			q = &local_q;			BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);			}		else			{			p = rsa->p;			q = rsa->q;			}		if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)			{			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))				goto err;			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))				goto err;			}	}	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))			goto err;	/* compute I mod q */	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))		{		c = &local_c;		BN_with_flags(c, I, BN_FLG_CONSTTIME);		if (!BN_mod(r1,c,rsa->q,ctx)) goto err;		}	else		{		if (!BN_mod(r1,I,rsa->q,ctx)) goto err;		}	/* compute r1^dmq1 mod q */	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))		{		dmq1 = &local_dmq1;		BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);		}	else		dmq1 = rsa->dmq1;	if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,		rsa->_method_mod_q)) goto err;	/* compute I mod p */	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))		{		c = &local_c;		BN_with_flags(c, I, BN_FLG_CONSTTIME);		if (!BN_mod(r1,c,rsa->p,ctx)) goto err;		}	else		{		if (!BN_mod(r1,I,rsa->p,ctx)) goto err;		}	/* compute r1^dmp1 mod p */	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))		{		dmp1 = &local_dmp1;		BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);		}	else		dmp1 = rsa->dmp1;	if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,		rsa->_method_mod_p)) goto err;	if (!BN_sub(r0,r0,m1)) goto err;	/* This will help stop the size of r0 increasing, which does	 * affect the multiply if it optimised for a power of 2 size */	if (BN_is_negative(r0))		if (!BN_add(r0,r0,rsa->p)) goto err;	if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;	/* Turn BN_FLG_CONSTTIME flag on before division operation */	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))		{		pr1 = &local_r1;		BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);		}	else		pr1 = r1;	if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;	/* If p < q it is occasionally possible for the correction of         * adding 'p' if r0 is negative above to leave the result still	 * negative. This can break the private key operations: the following	 * second correction should *always* correct this rare occurrence.	 * This will *never* happen with OpenSSL generated keys because         * they ensure p > q [steve]         */	if (BN_is_negative(r0))		if (!BN_add(r0,r0,rsa->p)) goto err;	if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;	if (!BN_add(r0,r1,m1)) goto err;	if (rsa->e && rsa->n)		{		if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;		/* If 'I' was greater than (or equal to) rsa->n, the operation		 * will be equivalent to using 'I mod n'. However, the result of		 * the verify will *always* be less than 'n' so we don't check		 * for absolute equality, just congruency. */		if (!BN_sub(vrfy, vrfy, I)) goto err;		if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;		if (BN_is_negative(vrfy))			if (!BN_add(vrfy, vrfy, rsa->n)) goto err;		if (!BN_is_zero(vrfy))			{			/* 'I' and 'vrfy' aren't congruent mod n. Don't leak			 * miscalculated CRT output, just do a raw (slower)			 * mod_exp and return that instead. */			BIGNUM local_d;			BIGNUM *d = NULL;					if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))				{				d = &local_d;				BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);				}			else				d = rsa->d;			if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,						   rsa->_method_mod_n)) goto err;			}		}	ret=1;err:	BN_CTX_end(ctx);	return(ret);	}static int RSA_eay_init(RSA *rsa)	{	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;	return(1);	}static int RSA_eay_finish(RSA *rsa)	{	if (rsa->_method_mod_n != NULL)		BN_MONT_CTX_free(rsa->_method_mod_n);	if (rsa->_method_mod_p != NULL)		BN_MONT_CTX_free(rsa->_method_mod_p);	if (rsa->_method_mod_q != NULL)		BN_MONT_CTX_free(rsa->_method_mod_q);	return(1);	}#endif
上一页 12
💿 文件大小 2870 K
👤 上传用户 dan_che
📂 所属分类 CA认证
🏷️ 相关标签

#OpenSSL
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -