summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authormiod <>2014-07-09 08:20:08 +0000
committermiod <>2014-07-09 08:20:08 +0000
commit8cbe58f0d357b14b0ce292d336469d0554a567bc (patch)
tree07872a7ef59da8cea3b3b4a101fa3580e4d658c0
parentbc1209e388500a20f5e75cab35d1b543ce0bbe74 (diff)
downloadopenbsd-8cbe58f0d357b14b0ce292d336469d0554a567bc.tar.gz
openbsd-8cbe58f0d357b14b0ce292d336469d0554a567bc.tar.bz2
openbsd-8cbe58f0d357b14b0ce292d336469d0554a567bc.zip
KNF
Diffstat
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c462
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c27
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c145
-rw-r--r--src/lib/libcrypto/rsa/rsa_crpt.c151
-rw-r--r--src/lib/libcrypto/rsa/rsa_depr.c31
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c794
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c204
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c243
-rw-r--r--src/lib/libcrypto/rsa/rsa_none.c59
-rw-r--r--src/lib/libcrypto/rsa/rsa_null.c87
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c155
-rw-r--r--src/lib/libcrypto/rsa/rsa_pk1.c241
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c426
-rw-r--r--src/lib/libcrypto/rsa/rsa_prn.c33
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c190
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c128
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c291
-rw-r--r--src/lib/libcrypto/rsa/rsa_ssl.c137
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931.c122
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_ameth.c462
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_asn1.c27
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_chk.c145
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_crpt.c151
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_depr.c31
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_eay.c794
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_gen.c204
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_lib.c243
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_none.c59
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_null.c87
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_oaep.c155
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_pk1.c241
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_pmeth.c426
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_prn.c33
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_pss.c190
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_saos.c128
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_sign.c291
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_ssl.c137
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_x931.c122
38 files changed, 3918 insertions, 3934 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index 2e2194e8b3..8e15e3f535 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_ameth.c,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_ameth.c,v 1.7 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -67,207 +67,213 @@
67#endif 67#endif
68#include "asn1_locl.h" 68#include "asn1_locl.h"
69 69
70static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 70static int
71 { 71rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
72{
72 unsigned char *penc = NULL; 73 unsigned char *penc = NULL;
73 int penclen; 74 int penclen;
75
74 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); 76 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
75 if (penclen <= 0) 77 if (penclen <= 0)
76 return 0; 78 return 0;
77 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA), 79 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
78 V_ASN1_NULL, NULL, penc, penclen)) 80 V_ASN1_NULL, NULL, penc, penclen))
79 return 1; 81 return 1;
80 82
81 free(penc); 83 free(penc);
82 return 0; 84 return 0;
83 } 85}
84 86
85static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 87static int
86 { 88rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
89{
87 const unsigned char *p; 90 const unsigned char *p;
88 int pklen; 91 int pklen;
89 RSA *rsa = NULL; 92 RSA *rsa = NULL;
93
90 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey)) 94 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
91 return 0; 95 return 0;
92 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) 96 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
93 {
94 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB); 97 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
95 return 0; 98 return 0;
96 } 99 }
97 EVP_PKEY_assign_RSA (pkey, rsa); 100 EVP_PKEY_assign_RSA (pkey, rsa);
98 return 1; 101 return 1;
99 } 102}
100 103
101static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 104static int
102 { 105rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
103 if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0 106{
104 || BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0) 107 if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0 ||
105 return 0; 108 BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0)
109 return 0;
106 return 1; 110 return 1;
107 } 111}
108 112
109static int old_rsa_priv_decode(EVP_PKEY *pkey, 113static int
110 const unsigned char **pder, int derlen) 114old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
111 { 115{
112 RSA *rsa; 116 RSA *rsa;
113 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) 117
114 { 118 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) {
115 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB); 119 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
116 return 0; 120 return 0;
117 } 121 }
118 EVP_PKEY_assign_RSA(pkey, rsa); 122 EVP_PKEY_assign_RSA(pkey, rsa);
119 return 1; 123 return 1;
120 } 124}
121 125
122static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 126static int
123 { 127old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
128{
124 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 129 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
125 } 130}
126 131
127static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 132static int
128 { 133rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
134{
129 unsigned char *rk = NULL; 135 unsigned char *rk = NULL;
130 int rklen; 136 int rklen;
137
131 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); 138 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
132 139
133 if (rklen <= 0) 140 if (rklen <= 0) {
134 { 141 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
135 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
136 return 0; 142 return 0;
137 } 143 }
138 144
139 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0, 145 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
140 V_ASN1_NULL, NULL, rk, rklen)) 146 V_ASN1_NULL, NULL, rk, rklen)) {
141 { 147 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
142 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
143 return 0; 148 return 0;
144 } 149 }
145 150
146 return 1; 151 return 1;
147 } 152}
148 153
149static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) 154static int
150 { 155rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
156{
151 const unsigned char *p; 157 const unsigned char *p;
152 int pklen; 158 int pklen;
159
153 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8)) 160 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
154 return 0; 161 return 0;
155 return old_rsa_priv_decode(pkey, &p, pklen); 162 return old_rsa_priv_decode(pkey, &p, pklen);
156 } 163}
157 164
158static int int_rsa_size(const EVP_PKEY *pkey) 165static int
159 { 166int_rsa_size(const EVP_PKEY *pkey)
167{
160 return RSA_size(pkey->pkey.rsa); 168 return RSA_size(pkey->pkey.rsa);
161 } 169}
162 170
163static int rsa_bits(const EVP_PKEY *pkey) 171static int
164 { 172rsa_bits(const EVP_PKEY *pkey)
173{
165 return BN_num_bits(pkey->pkey.rsa->n); 174 return BN_num_bits(pkey->pkey.rsa->n);
166 } 175}
167 176
168static void int_rsa_free(EVP_PKEY *pkey) 177static void
169 { 178int_rsa_free(EVP_PKEY *pkey)
179{
170 RSA_free(pkey->pkey.rsa); 180 RSA_free(pkey->pkey.rsa);
171 } 181}
172
173 182
174static void update_buflen(const BIGNUM *b, size_t *pbuflen) 183static void
175 { 184update_buflen(const BIGNUM *b, size_t *pbuflen)
185{
176 size_t i; 186 size_t i;
187
177 if (!b) 188 if (!b)
178 return; 189 return;
179 if (*pbuflen < (i = (size_t)BN_num_bytes(b))) 190 if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
180 *pbuflen = i; 191 *pbuflen = i;
181 } 192}
182 193
183static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv) 194static int
184 { 195do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
196{
185 char *str; 197 char *str;
186 const char *s; 198 const char *s;
187 unsigned char *m=NULL; 199 unsigned char *m = NULL;
188 int ret=0, mod_len = 0; 200 int ret = 0, mod_len = 0;
189 size_t buf_len=0; 201 size_t buf_len = 0;
190 202
191 update_buflen(x->n, &buf_len); 203 update_buflen(x->n, &buf_len);
192 update_buflen(x->e, &buf_len); 204 update_buflen(x->e, &buf_len);
193 205
194 if (priv) 206 if (priv) {
195 {
196 update_buflen(x->d, &buf_len); 207 update_buflen(x->d, &buf_len);
197 update_buflen(x->p, &buf_len); 208 update_buflen(x->p, &buf_len);
198 update_buflen(x->q, &buf_len); 209 update_buflen(x->q, &buf_len);
199 update_buflen(x->dmp1, &buf_len); 210 update_buflen(x->dmp1, &buf_len);
200 update_buflen(x->dmq1, &buf_len); 211 update_buflen(x->dmq1, &buf_len);
201 update_buflen(x->iqmp, &buf_len); 212 update_buflen(x->iqmp, &buf_len);
202 } 213 }
203 214
204 m = malloc(buf_len+10); 215 m = malloc(buf_len + 10);
205 if (m == NULL) 216 if (m == NULL) {
206 { 217 RSAerr(RSA_F_DO_RSA_PRINT, ERR_R_MALLOC_FAILURE);
207 RSAerr(RSA_F_DO_RSA_PRINT,ERR_R_MALLOC_FAILURE);
208 goto err; 218 goto err;
209 } 219 }
210 220
211 if (x->n != NULL) 221 if (x->n != NULL)
212 mod_len = BN_num_bits(x->n); 222 mod_len = BN_num_bits(x->n);
213 223
214 if(!BIO_indent(bp,off,128)) 224 if (!BIO_indent(bp, off, 128))
215 goto err; 225 goto err;
216 226
217 if (priv && x->d) 227 if (priv && x->d) {
218 { 228 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
219 if (BIO_printf(bp,"Private-Key: (%d bit)\n", mod_len) 229 goto err;
220 <= 0) goto err;
221 str = "modulus:"; 230 str = "modulus:";
222 s = "publicExponent:"; 231 s = "publicExponent:";
223 } 232 } else {
224 else 233 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
225 { 234 goto err;
226 if (BIO_printf(bp,"Public-Key: (%d bit)\n", mod_len)
227 <= 0) goto err;
228 str = "Modulus:"; 235 str = "Modulus:";
229 s= "Exponent:"; 236 s= "Exponent:";
230 } 237 }
231 if (!ASN1_bn_print(bp,str,x->n,m,off)) goto err; 238 if (!ASN1_bn_print(bp, str, x->n, m, off))
232 if (!ASN1_bn_print(bp,s,x->e,m,off))
233 goto err; 239 goto err;
234 if (priv) 240 if (!ASN1_bn_print(bp, s, x->e, m, off))
235 { 241 goto err;
236 if (!ASN1_bn_print(bp,"privateExponent:",x->d,m,off)) 242 if (priv) {
243 if (!ASN1_bn_print(bp, "privateExponent:", x->d,m, off))
237 goto err; 244 goto err;
238 if (!ASN1_bn_print(bp,"prime1:",x->p,m,off)) 245 if (!ASN1_bn_print(bp, "prime1:", x->p, m, off))
239 goto err; 246 goto err;
240 if (!ASN1_bn_print(bp,"prime2:",x->q,m,off)) 247 if (!ASN1_bn_print(bp, "prime2:", x->q, m, off))
241 goto err; 248 goto err;
242 if (!ASN1_bn_print(bp,"exponent1:",x->dmp1,m,off)) 249 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off))
243 goto err; 250 goto err;
244 if (!ASN1_bn_print(bp,"exponent2:",x->dmq1,m,off)) 251 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off))
245 goto err; 252 goto err;
246 if (!ASN1_bn_print(bp,"coefficient:",x->iqmp,m,off)) 253 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off))
247 goto err; 254 goto err;
248 } 255 }
249 ret=1; 256 ret = 1;
250err: 257err:
251 free(m); 258 free(m);
252 return(ret); 259 return(ret);
253 } 260}
254 261
255static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 262static int
256 ASN1_PCTX *ctx) 263rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
257 { 264{
258 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0); 265 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
259 } 266}
260
261 267
262static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 268static int
263 ASN1_PCTX *ctx) 269rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
264 { 270{
265 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1); 271 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
266 } 272}
267 273
268static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg, 274static RSA_PSS_PARAMS *
269 X509_ALGOR **pmaskHash) 275rsa_pss_decode(const X509_ALGOR *alg, X509_ALGOR **pmaskHash)
270 { 276{
271 const unsigned char *p; 277 const unsigned char *p;
272 int plen; 278 int plen;
273 RSA_PSS_PARAMS *pss; 279 RSA_PSS_PARAMS *pss;
@@ -283,31 +289,30 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
283 if (!pss) 289 if (!pss)
284 return NULL; 290 return NULL;
285 291
286 if (pss->maskGenAlgorithm) 292 if (pss->maskGenAlgorithm) {
287 {
288 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; 293 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
289 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 294 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 &&
290 && param->type == V_ASN1_SEQUENCE) 295 param->type == V_ASN1_SEQUENCE) {
291 {
292 p = param->value.sequence->data; 296 p = param->value.sequence->data;
293 plen = param->value.sequence->length; 297 plen = param->value.sequence->length;
294 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen); 298 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
295 }
296 } 299 }
300 }
297 301
298 return pss; 302 return pss;
299 } 303}
300 304
301static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, 305static int
302 X509_ALGOR *maskHash, int indent) 306rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, X509_ALGOR *maskHash,
303 { 307 int indent)
308{
304 int rv = 0; 309 int rv = 0;
305 if (!pss) 310
306 { 311 if (!pss) {
307 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0) 312 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
308 return 0; 313 return 0;
309 return 1; 314 return 1;
310 } 315 }
311 if (BIO_puts(bp, "\n") <= 0) 316 if (BIO_puts(bp, "\n") <= 0)
312 goto err; 317 goto err;
313 if (!BIO_indent(bp, indent, 128)) 318 if (!BIO_indent(bp, indent, 128))
@@ -315,12 +320,10 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
315 if (BIO_puts(bp, "Hash Algorithm: ") <= 0) 320 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
316 goto err; 321 goto err;
317 322
318 if (pss->hashAlgorithm) 323 if (pss->hashAlgorithm) {
319 {
320 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) 324 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
321 goto err; 325 goto err;
322 } 326 } else if (BIO_puts(bp, "sha1 (default)") <= 0)
323 else if (BIO_puts(bp, "sha1 (default)") <= 0)
324 goto err; 327 goto err;
325 328
326 if (BIO_puts(bp, "\n") <= 0) 329 if (BIO_puts(bp, "\n") <= 0)
@@ -330,22 +333,18 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
330 goto err; 333 goto err;
331 334
332 if (BIO_puts(bp, "Mask Algorithm: ") <= 0) 335 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
333 goto err; 336 goto err;
334 if (pss->maskGenAlgorithm) 337 if (pss->maskGenAlgorithm) {
335 {
336 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) 338 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
337 goto err; 339 goto err;
338 if (BIO_puts(bp, " with ") <= 0) 340 if (BIO_puts(bp, " with ") <= 0)
339 goto err; 341 goto err;
340 if (maskHash) 342 if (maskHash) {
341 {
342 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) 343 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
344 goto err;
345 } else if (BIO_puts(bp, "INVALID") <= 0)
343 goto err; 346 goto err;
344 } 347 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
345 else if (BIO_puts(bp, "INVALID") <= 0)
346 goto err;
347 }
348 else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
349 goto err; 348 goto err;
350 BIO_puts(bp, "\n"); 349 BIO_puts(bp, "\n");
351 350
@@ -353,41 +352,35 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
353 goto err; 352 goto err;
354 if (BIO_puts(bp, "Salt Length: 0x") <= 0) 353 if (BIO_puts(bp, "Salt Length: 0x") <= 0)
355 goto err; 354 goto err;
356 if (pss->saltLength) 355 if (pss->saltLength) {
357 {
358 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 356 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
359 goto err; 357 goto err;
360 } 358 } else if (BIO_puts(bp, "0x14 (default)") <= 0)
361 else if (BIO_puts(bp, "0x14 (default)") <= 0)
362 goto err; 359 goto err;
363 BIO_puts(bp, "\n"); 360 BIO_puts(bp, "\n");
364 361
365 if (!BIO_indent(bp, indent, 128)) 362 if (!BIO_indent(bp, indent, 128))
366 goto err; 363 goto err;
367 if (BIO_puts(bp, "Trailer Field: 0x") <= 0) 364 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
368 goto err; 365 goto err;
369 if (pss->trailerField) 366 if (pss->trailerField) {
370 {
371 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 367 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
372 goto err; 368 goto err;
373 } 369 } else if (BIO_puts(bp, "BC (default)") <= 0)
374 else if (BIO_puts(bp, "BC (default)") <= 0)
375 goto err; 370 goto err;
376 BIO_puts(bp, "\n"); 371 BIO_puts(bp, "\n");
377 372
378 rv = 1; 373 rv = 1;
379 374
380 err: 375err:
381 return rv; 376 return rv;
377}
382 378
383 } 379static int
384 380rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
385static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, 381 int indent, ASN1_PCTX *pctx)
386 const ASN1_STRING *sig, 382{
387 int indent, ASN1_PCTX *pctx) 383 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) {
388 {
389 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss)
390 {
391 int rv; 384 int rv;
392 RSA_PSS_PARAMS *pss; 385 RSA_PSS_PARAMS *pss;
393 X509_ALGOR *maskHash; 386 X509_ALGOR *maskHash;
@@ -399,147 +392,132 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
399 X509_ALGOR_free(maskHash); 392 X509_ALGOR_free(maskHash);
400 if (!rv) 393 if (!rv)
401 return 0; 394 return 0;
402 } 395 } else if (!sig && BIO_puts(bp, "\n") <= 0)
403 else if (!sig && BIO_puts(bp, "\n") <= 0)
404 return 0; 396 return 0;
405 if (sig) 397 if (sig)
406 return X509_signature_dump(bp, sig, indent); 398 return X509_signature_dump(bp, sig, indent);
407 return 1; 399 return 1;
408 } 400}
409 401
410static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 402static int
411 { 403rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
404{
412 X509_ALGOR *alg = NULL; 405 X509_ALGOR *alg = NULL;
413 switch (op) 406 switch (op) {
414 { 407 case ASN1_PKEY_CTRL_PKCS7_SIGN:
415
416 case ASN1_PKEY_CTRL_PKCS7_SIGN:
417 if (arg1 == 0) 408 if (arg1 == 0)
418 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg); 409 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
419 break; 410 break;
420 411
421 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: 412 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
422 if (arg1 == 0) 413 if (arg1 == 0)
423 PKCS7_RECIP_INFO_get0_alg(arg2, &alg); 414 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
424 break; 415 break;
425#ifndef OPENSSL_NO_CMS 416#ifndef OPENSSL_NO_CMS
426 case ASN1_PKEY_CTRL_CMS_SIGN: 417 case ASN1_PKEY_CTRL_CMS_SIGN:
427 if (arg1 == 0) 418 if (arg1 == 0)
428 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg); 419 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg);
429 break; 420 break;
430 421
431 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 422 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
432 if (arg1 == 0) 423 if (arg1 == 0)
433 CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg); 424 CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
434 break; 425 break;
435#endif 426#endif
436 427
437 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 428 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
438 *(int *)arg2 = NID_sha1; 429 *(int *)arg2 = NID_sha1;
439 return 1; 430 return 1;
440 431
441 default: 432 default:
442 return -2; 433 return -2;
443 434 }
444 }
445 435
446 if (alg) 436 if (alg)
447 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), 437 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
448 V_ASN1_NULL, 0); 438 V_ASN1_NULL, 0);
449 439
450 return 1; 440 return 1;
451 441}
452 }
453 442
454/* Customised RSA item verification routine. This is called 443/* Customised RSA item verification routine. This is called
455 * when a signature is encountered requiring special handling. We 444 * when a signature is encountered requiring special handling. We
456 * currently only handle PSS. 445 * currently only handle PSS.
457 */ 446 */
458 447static int
459 448rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
460static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 449 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
461 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, 450{
462 EVP_PKEY *pkey)
463 {
464 int rv = -1; 451 int rv = -1;
465 int saltlen; 452 int saltlen;
466 const EVP_MD *mgf1md = NULL, *md = NULL; 453 const EVP_MD *mgf1md = NULL, *md = NULL;
467 RSA_PSS_PARAMS *pss; 454 RSA_PSS_PARAMS *pss;
468 X509_ALGOR *maskHash; 455 X509_ALGOR *maskHash;
469 EVP_PKEY_CTX *pkctx; 456 EVP_PKEY_CTX *pkctx;
457
470 /* Sanity check: make sure it is PSS */ 458 /* Sanity check: make sure it is PSS */
471 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) 459 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
472 {
473 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 460 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
474 return -1; 461 return -1;
475 } 462 }
476 /* Decode PSS parameters */ 463 /* Decode PSS parameters */
477 pss = rsa_pss_decode(sigalg, &maskHash); 464 pss = rsa_pss_decode(sigalg, &maskHash);
478 465
479 if (pss == NULL) 466 if (pss == NULL) {
480 {
481 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS); 467 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS);
482 goto err; 468 goto err;
483 } 469 }
484 /* Check mask and lookup mask hash algorithm */ 470 /* Check mask and lookup mask hash algorithm */
485 if (pss->maskGenAlgorithm) 471 if (pss->maskGenAlgorithm) {
486 { 472 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) {
487 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) 473 RSAerr(RSA_F_RSA_ITEM_VERIFY,
488 { 474 RSA_R_UNSUPPORTED_MASK_ALGORITHM);
489 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_ALGORITHM);
490 goto err; 475 goto err;
491 } 476 }
492 if (!maskHash) 477 if (!maskHash) {
493 { 478 RSAerr(RSA_F_RSA_ITEM_VERIFY,
494 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_PARAMETER); 479 RSA_R_UNSUPPORTED_MASK_PARAMETER);
495 goto err; 480 goto err;
496 } 481 }
497 mgf1md = EVP_get_digestbyobj(maskHash->algorithm); 482 mgf1md = EVP_get_digestbyobj(maskHash->algorithm);
498 if (mgf1md == NULL) 483 if (mgf1md == NULL) {
499 { 484 RSAerr(RSA_F_RSA_ITEM_VERIFY,
500 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_MASK_DIGEST); 485 RSA_R_UNKNOWN_MASK_DIGEST);
501 goto err; 486 goto err;
502 }
503 } 487 }
504 else 488 } else
505 mgf1md = EVP_sha1(); 489 mgf1md = EVP_sha1();
506 490
507 if (pss->hashAlgorithm) 491 if (pss->hashAlgorithm) {
508 {
509 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm); 492 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm);
510 if (md == NULL) 493 if (md == NULL) {
511 {
512 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST); 494 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST);
513 goto err; 495 goto err;
514 }
515 } 496 }
516 else 497 } else
517 md = EVP_sha1(); 498 md = EVP_sha1();
518 499
519 if (pss->saltLength) 500 if (pss->saltLength) {
520 {
521 saltlen = ASN1_INTEGER_get(pss->saltLength); 501 saltlen = ASN1_INTEGER_get(pss->saltLength);
522 502
523 /* Could perform more salt length sanity checks but the main 503 /* Could perform more salt length sanity checks but the main
524 * RSA routines will trap other invalid values anyway. 504 * RSA routines will trap other invalid values anyway.
525 */ 505 */
526 if (saltlen < 0) 506 if (saltlen < 0) {
527 { 507 RSAerr(RSA_F_RSA_ITEM_VERIFY,
528 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_SALT_LENGTH); 508 RSA_R_INVALID_SALT_LENGTH);
529 goto err; 509 goto err;
530 }
531 } 510 }
532 else 511 } else
533 saltlen = 20; 512 saltlen = 20;
534 513
535 /* low-level routines support only trailer field 0xbc (value 1) 514 /* low-level routines support only trailer field 0xbc (value 1)
536 * and PKCS#1 says we should reject any other value anyway. 515 * and PKCS#1 says we should reject any other value anyway.
537 */ 516 */
538 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) 517 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
539 {
540 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER); 518 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER);
541 goto err; 519 goto err;
542 } 520 }
543 521
544 /* We have all parameters now set up context */ 522 /* We have all parameters now set up context */
545 523
@@ -557,31 +535,32 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
557 /* Carry on */ 535 /* Carry on */
558 rv = 2; 536 rv = 2;
559 537
560 err: 538err:
561 RSA_PSS_PARAMS_free(pss); 539 RSA_PSS_PARAMS_free(pss);
562 if (maskHash) 540 if (maskHash)
563 X509_ALGOR_free(maskHash); 541 X509_ALGOR_free(maskHash);
564 return rv; 542 return rv;
565 } 543}
566 544
567static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 545static int
568 X509_ALGOR *alg1, X509_ALGOR *alg2, 546rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
569 ASN1_BIT_STRING *sig) 547 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
570 { 548{
571 int pad_mode; 549 int pad_mode;
572 EVP_PKEY_CTX *pkctx = ctx->pctx; 550 EVP_PKEY_CTX *pkctx = ctx->pctx;
551
573 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 552 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
574 return 0; 553 return 0;
575 if (pad_mode == RSA_PKCS1_PADDING) 554 if (pad_mode == RSA_PKCS1_PADDING)
576 return 2; 555 return 2;
577 if (pad_mode == RSA_PKCS1_PSS_PADDING) 556 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
578 {
579 const EVP_MD *sigmd, *mgf1md; 557 const EVP_MD *sigmd, *mgf1md;
580 RSA_PSS_PARAMS *pss = NULL; 558 RSA_PSS_PARAMS *pss = NULL;
581 X509_ALGOR *mgf1alg = NULL; 559 X509_ALGOR *mgf1alg = NULL;
582 ASN1_STRING *os1 = NULL, *os2 = NULL; 560 ASN1_STRING *os1 = NULL, *os2 = NULL;
583 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); 561 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
584 int saltlen, rv = 0; 562 int saltlen, rv = 0;
563
585 sigmd = EVP_MD_CTX_md(ctx); 564 sigmd = EVP_MD_CTX_md(ctx);
586 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 565 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
587 goto err; 566 goto err;
@@ -589,62 +568,56 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
589 goto err; 568 goto err;
590 if (saltlen == -1) 569 if (saltlen == -1)
591 saltlen = EVP_MD_size(sigmd); 570 saltlen = EVP_MD_size(sigmd);
592 else if (saltlen == -2) 571 else if (saltlen == -2) {
593 {
594 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; 572 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
595 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0) 573 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
596 saltlen--; 574 saltlen--;
597 } 575 }
598 pss = RSA_PSS_PARAMS_new(); 576 pss = RSA_PSS_PARAMS_new();
599 if (!pss) 577 if (!pss)
600 goto err; 578 goto err;
601 if (saltlen != 20) 579 if (saltlen != 20) {
602 {
603 pss->saltLength = ASN1_INTEGER_new(); 580 pss->saltLength = ASN1_INTEGER_new();
604 if (!pss->saltLength) 581 if (!pss->saltLength)
605 goto err; 582 goto err;
606 if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) 583 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
607 goto err; 584 goto err;
608 } 585 }
609 if (EVP_MD_type(sigmd) != NID_sha1) 586 if (EVP_MD_type(sigmd) != NID_sha1) {
610 {
611 pss->hashAlgorithm = X509_ALGOR_new(); 587 pss->hashAlgorithm = X509_ALGOR_new();
612 if (!pss->hashAlgorithm) 588 if (!pss->hashAlgorithm)
613 goto err; 589 goto err;
614 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd); 590 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
615 } 591 }
616 if (EVP_MD_type(mgf1md) != NID_sha1) 592 if (EVP_MD_type(mgf1md) != NID_sha1) {
617 {
618 ASN1_STRING *stmp = NULL; 593 ASN1_STRING *stmp = NULL;
619 /* need to embed algorithm ID inside another */ 594 /* need to embed algorithm ID inside another */
620 mgf1alg = X509_ALGOR_new(); 595 mgf1alg = X509_ALGOR_new();
621 X509_ALGOR_set_md(mgf1alg, mgf1md); 596 X509_ALGOR_set_md(mgf1alg, mgf1md);
622 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR), 597 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR),
623 &stmp)) 598 &stmp))
624 goto err; 599 goto err;
625 pss->maskGenAlgorithm = X509_ALGOR_new(); 600 pss->maskGenAlgorithm = X509_ALGOR_new();
626 if (!pss->maskGenAlgorithm) 601 if (!pss->maskGenAlgorithm)
627 goto err; 602 goto err;
628 X509_ALGOR_set0(pss->maskGenAlgorithm, 603 X509_ALGOR_set0(pss->maskGenAlgorithm,
629 OBJ_nid2obj(NID_mgf1), 604 OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
630 V_ASN1_SEQUENCE, stmp); 605 }
631 }
632 /* Finally create string with pss parameter encoding. */ 606 /* Finally create string with pss parameter encoding. */
633 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1)) 607 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1))
634 goto err; 608 goto err;
635 if (alg2) 609 if (alg2) {
636 {
637 os2 = ASN1_STRING_dup(os1); 610 os2 = ASN1_STRING_dup(os1);
638 if (!os2) 611 if (!os2)
639 goto err; 612 goto err;
640 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss), 613 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
641 V_ASN1_SEQUENCE, os2); 614 V_ASN1_SEQUENCE, os2);
642 } 615 }
643 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss), 616 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
644 V_ASN1_SEQUENCE, os1); 617 V_ASN1_SEQUENCE, os1);
645 os1 = os2 = NULL; 618 os1 = os2 = NULL;
646 rv = 3; 619 rv = 3;
647 err: 620err:
648 if (mgf1alg) 621 if (mgf1alg)
649 X509_ALGOR_free(mgf1alg); 622 X509_ALGOR_free(mgf1alg);
650 if (pss) 623 if (pss)
@@ -652,10 +625,9 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
652 if (os1) 625 if (os1)
653 ASN1_STRING_free(os1); 626 ASN1_STRING_free(os1);
654 return rv; 627 return rv;
655
656 }
657 return 2;
658 } 628 }
629 return 2;
630}
659 631
660const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { 632const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
661 { 633 {
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
index b535c85141..e876dbdf49 100644
--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ b/src/lib/libcrypto/rsa/rsa_asn1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_asn1.c,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_asn1.c,v 1.7 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -64,14 +64,15 @@
64#include <openssl/asn1t.h> 64#include <openssl/asn1t.h>
65 65
66/* Override the default free and new methods */ 66/* Override the default free and new methods */
67static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, 67static int
68 void *exarg) 68rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
69{ 69{
70 if(operation == ASN1_OP_NEW_PRE) { 70 if (operation == ASN1_OP_NEW_PRE) {
71 *pval = (ASN1_VALUE *)RSA_new(); 71 *pval = (ASN1_VALUE *)RSA_new();
72 if(*pval) return 2; 72 if (*pval)
73 return 2;
73 return 0; 74 return 0;
74 } else if(operation == ASN1_OP_FREE_PRE) { 75 } else if (operation == ASN1_OP_FREE_PRE) {
75 RSA_free((RSA *)*pval); 76 RSA_free((RSA *)*pval);
76 *pval = NULL; 77 *pval = NULL;
77 return 2; 78 return 2;
@@ -110,12 +111,14 @@ IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
110 111
111IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey) 112IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)
112 113
113RSA *RSAPublicKey_dup(RSA *rsa) 114RSA *
114 { 115RSAPublicKey_dup(RSA *rsa)
116{
115 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa); 117 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
116 } 118}
117 119
118RSA *RSAPrivateKey_dup(RSA *rsa) 120RSA *
119 { 121RSAPrivateKey_dup(RSA *rsa)
122{
120 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa); 123 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
121 } 124}
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
index d7e496aab2..54113f89f6 100644
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_chk.c,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_chk.c,v 1.7 2014/07/09 08:20:08 miod Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -53,18 +53,18 @@
53#include <openssl/rsa.h> 53#include <openssl/rsa.h>
54 54
55 55
56int RSA_check_key(const RSA *key) 56int
57 { 57RSA_check_key(const RSA *key)
58{
58 BIGNUM *i, *j, *k, *l, *m; 59 BIGNUM *i, *j, *k, *l, *m;
59 BN_CTX *ctx; 60 BN_CTX *ctx;
60 int r; 61 int r;
61 int ret=1; 62 int ret = 1;
62 63
63 if (!key->p || !key->q || !key->n || !key->e || !key->d) 64 if (!key->p || !key->q || !key->n || !key->e || !key->d) {
64 {
65 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING); 65 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
66 return 0; 66 return 0;
67 } 67 }
68 68
69 i = BN_new(); 69 i = BN_new();
70 j = BN_new(); 70 j = BN_new();
@@ -72,119 +72,148 @@ int RSA_check_key(const RSA *key)
72 l = BN_new(); 72 l = BN_new();
73 m = BN_new(); 73 m = BN_new();
74 ctx = BN_CTX_new(); 74 ctx = BN_CTX_new();
75 if (i == NULL || j == NULL || k == NULL || l == NULL || 75 if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL ||
76 m == NULL || ctx == NULL) 76 ctx == NULL) {
77 {
78 ret = -1; 77 ret = -1;
79 RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE); 78 RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
80 goto err; 79 goto err;
81 } 80 }
82 81
83 /* p prime? */ 82 /* p prime? */
84 r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL); 83 r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
85 if (r != 1) 84 if (r != 1) {
86 {
87 ret = r; 85 ret = r;
88 if (r != 0) 86 if (r != 0)
89 goto err; 87 goto err;
90 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME); 88 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
91 } 89 }
92 90
93 /* q prime? */ 91 /* q prime? */
94 r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL); 92 r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
95 if (r != 1) 93 if (r != 1) {
96 {
97 ret = r; 94 ret = r;
98 if (r != 0) 95 if (r != 0)
99 goto err; 96 goto err;
100 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME); 97 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
101 } 98 }
102 99
103 /* n = p*q? */ 100 /* n = p*q? */
104 r = BN_mul(i, key->p, key->q, ctx); 101 r = BN_mul(i, key->p, key->q, ctx);
105 if (!r) { ret = -1; goto err; } 102 if (!r) {
103 ret = -1;
104 goto err;
105 }
106 106
107 if (BN_cmp(i, key->n) != 0) 107 if (BN_cmp(i, key->n) != 0) {
108 {
109 ret = 0; 108 ret = 0;
110 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q); 109 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
111 } 110 }
112 111
113 /* d*e = 1 mod lcm(p-1,q-1)? */ 112 /* d*e = 1 mod lcm(p-1,q-1)? */
114 113
115 r = BN_sub(i, key->p, BN_value_one()); 114 r = BN_sub(i, key->p, BN_value_one());
116 if (!r) { ret = -1; goto err; } 115 if (!r) {
116 ret = -1;
117 goto err;
118 }
117 r = BN_sub(j, key->q, BN_value_one()); 119 r = BN_sub(j, key->q, BN_value_one());
118 if (!r) { ret = -1; goto err; } 120 if (!r) {
121 ret = -1;
122 goto err;
123 }
119 124
120 /* now compute k = lcm(i,j) */ 125 /* now compute k = lcm(i,j) */
121 r = BN_mul(l, i, j, ctx); 126 r = BN_mul(l, i, j, ctx);
122 if (!r) { ret = -1; goto err; } 127 if (!r) {
128 ret = -1;
129 goto err;
130 }
123 r = BN_gcd(m, i, j, ctx); 131 r = BN_gcd(m, i, j, ctx);
124 if (!r) { ret = -1; goto err; } 132 if (!r) {
133 ret = -1;
134 goto err;
135 }
125 r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */ 136 r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
126 if (!r) { ret = -1; goto err; } 137 if (!r) {
138 ret = -1;
139 goto err;
140 }
127 141
128 r = BN_mod_mul(i, key->d, key->e, k, ctx); 142 r = BN_mod_mul(i, key->d, key->e, k, ctx);
129 if (!r) { ret = -1; goto err; } 143 if (!r) {
144 ret = -1;
145 goto err;
146 }
130 147
131 if (!BN_is_one(i)) 148 if (!BN_is_one(i)) {
132 {
133 ret = 0; 149 ret = 0;
134 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1); 150 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
135 } 151 }
136 152
137 if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) 153 if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
138 {
139 /* dmp1 = d mod (p-1)? */ 154 /* dmp1 = d mod (p-1)? */
140 r = BN_sub(i, key->p, BN_value_one()); 155 r = BN_sub(i, key->p, BN_value_one());
141 if (!r) { ret = -1; goto err; } 156 if (!r) {
157 ret = -1;
158 goto err;
159 }
142 160
143 r = BN_mod(j, key->d, i, ctx); 161 r = BN_mod(j, key->d, i, ctx);
144 if (!r) { ret = -1; goto err; } 162 if (!r) {
163 ret = -1;
164 goto err;
165 }
145 166
146 if (BN_cmp(j, key->dmp1) != 0) 167 if (BN_cmp(j, key->dmp1) != 0) {
147 {
148 ret = 0; 168 ret = 0;
149 RSAerr(RSA_F_RSA_CHECK_KEY, 169 RSAerr(RSA_F_RSA_CHECK_KEY,
150 RSA_R_DMP1_NOT_CONGRUENT_TO_D); 170 RSA_R_DMP1_NOT_CONGRUENT_TO_D);
151 } 171 }
152 172
153 /* dmq1 = d mod (q-1)? */ 173 /* dmq1 = d mod (q-1)? */
154 r = BN_sub(i, key->q, BN_value_one()); 174 r = BN_sub(i, key->q, BN_value_one());
155 if (!r) { ret = -1; goto err; } 175 if (!r) {
176 ret = -1;
177 goto err;
178 }
156 179
157 r = BN_mod(j, key->d, i, ctx); 180 r = BN_mod(j, key->d, i, ctx);
158 if (!r) { ret = -1; goto err; } 181 if (!r) {
182 ret = -1;
183 goto err;
184 }
159 185
160 if (BN_cmp(j, key->dmq1) != 0) 186 if (BN_cmp(j, key->dmq1) != 0) {
161 {
162 ret = 0; 187 ret = 0;
163 RSAerr(RSA_F_RSA_CHECK_KEY, 188 RSAerr(RSA_F_RSA_CHECK_KEY,
164 RSA_R_DMQ1_NOT_CONGRUENT_TO_D); 189 RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
165 } 190 }
166 191
167 /* iqmp = q^-1 mod p? */ 192 /* iqmp = q^-1 mod p? */
168 if(!BN_mod_inverse(i, key->q, key->p, ctx)) 193 if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
169 {
170 ret = -1; 194 ret = -1;
171 goto err; 195 goto err;
172 } 196 }
173 197
174 if (BN_cmp(i, key->iqmp) != 0) 198 if (BN_cmp(i, key->iqmp) != 0) {
175 {
176 ret = 0; 199 ret = 0;
177 RSAerr(RSA_F_RSA_CHECK_KEY, 200 RSAerr(RSA_F_RSA_CHECK_KEY,
178 RSA_R_IQMP_NOT_INVERSE_OF_Q); 201 RSA_R_IQMP_NOT_INVERSE_OF_Q);
179 }
180 } 202 }
203 }
181 204
182 err: 205 err:
183 if (i != NULL) BN_free(i); 206 if (i != NULL)
184 if (j != NULL) BN_free(j); 207 BN_free(i);
185 if (k != NULL) BN_free(k); 208 if (j != NULL)
186 if (l != NULL) BN_free(l); 209 BN_free(j);
187 if (m != NULL) BN_free(m); 210 if (k != NULL)
188 if (ctx != NULL) BN_CTX_free(ctx); 211 BN_free(k);
212 if (l != NULL)
213 BN_free(l);
214 if (m != NULL)
215 BN_free(m);
216 if (ctx != NULL)
217 BN_CTX_free(ctx);
189 return (ret); 218 return (ret);
190 } 219}
diff --git a/src/lib/libcrypto/rsa/rsa_crpt.c b/src/lib/libcrypto/rsa/rsa_crpt.c
index 2122e7baa4..16679cfd14 100644
--- a/src/lib/libcrypto/rsa/rsa_crpt.c
+++ b/src/lib/libcrypto/rsa/rsa_crpt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_crpt.c,v 1.4 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_crpt.c,v 1.5 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -67,54 +67,61 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70int RSA_size(const RSA *r) 70int
71 { 71RSA_size(const RSA *r)
72 return(BN_num_bytes(r->n)); 72{
73 } 73 return BN_num_bytes(r->n);
74}
74 75
75int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 76int
76 RSA *rsa, int padding) 77RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
77 { 78 RSA *rsa, int padding)
78 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); 79{
79 } 80 return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
81}
80 82
81int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 83int
82 RSA *rsa, int padding) 84RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
83 { 85 RSA *rsa, int padding)
84 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); 86{
85 } 87 return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
88}
86 89
87int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 90int
88 RSA *rsa, int padding) 91RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
89 { 92 RSA *rsa, int padding)
90 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); 93{
91 } 94 return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
95}
92 96
93int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 97int
94 RSA *rsa, int padding) 98RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
95 { 99 RSA *rsa, int padding)
96 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); 100{
97 } 101 return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
102}
98 103
99int RSA_flags(const RSA *r) 104int
100 { 105RSA_flags(const RSA *r)
101 return((r == NULL)?0:r->meth->flags); 106{
102 } 107 return r == NULL ? 0 : r->meth->flags;
108}
103 109
104void RSA_blinding_off(RSA *rsa) 110void
105 { 111RSA_blinding_off(RSA *rsa)
106 if (rsa->blinding != NULL) 112{
107 { 113 if (rsa->blinding != NULL) {
108 BN_BLINDING_free(rsa->blinding); 114 BN_BLINDING_free(rsa->blinding);
109 rsa->blinding=NULL; 115 rsa->blinding = NULL;
110 } 116 }
111 rsa->flags &= ~RSA_FLAG_BLINDING; 117 rsa->flags &= ~RSA_FLAG_BLINDING;
112 rsa->flags |= RSA_FLAG_NO_BLINDING; 118 rsa->flags |= RSA_FLAG_NO_BLINDING;
113 } 119}
114 120
115int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) 121int
116 { 122RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
117 int ret=0; 123{
124 int ret = 0;
118 125
119 if (rsa->blinding != NULL) 126 if (rsa->blinding != NULL)
120 RSA_blinding_off(rsa); 127 RSA_blinding_off(rsa);
@@ -125,13 +132,14 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
125 132
126 rsa->flags |= RSA_FLAG_BLINDING; 133 rsa->flags |= RSA_FLAG_BLINDING;
127 rsa->flags &= ~RSA_FLAG_NO_BLINDING; 134 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
128 ret=1; 135 ret = 1;
129err: 136err:
130 return(ret); 137 return(ret);
131 } 138}
132 139
133static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, 140static BIGNUM *
134 const BIGNUM *q, BN_CTX *ctx) 141rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, const BIGNUM *q,
142 BN_CTX *ctx)
135{ 143{
136 BIGNUM *ret = NULL, *r0, *r1, *r2; 144 BIGNUM *ret = NULL, *r0, *r1, *r2;
137 145
@@ -145,9 +153,12 @@ static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
145 if (r2 == NULL) 153 if (r2 == NULL)
146 goto err; 154 goto err;
147 155
148 if (!BN_sub(r1, p, BN_value_one())) goto err; 156 if (!BN_sub(r1, p, BN_value_one()))
149 if (!BN_sub(r2, q, BN_value_one())) goto err; 157 goto err;
150 if (!BN_mul(r0, r1, r2, ctx)) goto err; 158 if (!BN_sub(r2, q, BN_value_one()))
159 goto err;
160 if (!BN_mul(r0, r1, r2, ctx))
161 goto err;
151 162
152 ret = BN_mod_inverse(NULL, d, r0, ctx); 163 ret = BN_mod_inverse(NULL, d, r0, ctx);
153err: 164err:
@@ -155,62 +166,56 @@ err:
155 return ret; 166 return ret;
156} 167}
157 168
158BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) 169BN_BLINDING *
170RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
159{ 171{
160 BIGNUM local_n; 172 BIGNUM local_n;
161 BIGNUM *e,*n; 173 BIGNUM *e, *n;
162 BN_CTX *ctx; 174 BN_CTX *ctx;
163 BN_BLINDING *ret = NULL; 175 BN_BLINDING *ret = NULL;
164 176
165 if (in_ctx == NULL) 177 if (in_ctx == NULL) {
166 { 178 if ((ctx = BN_CTX_new()) == NULL)
167 if ((ctx = BN_CTX_new()) == NULL) return 0; 179 return 0;
168 } 180 } else
169 else
170 ctx = in_ctx; 181 ctx = in_ctx;
171 182
172 BN_CTX_start(ctx); 183 BN_CTX_start(ctx);
173 e = BN_CTX_get(ctx); 184 e = BN_CTX_get(ctx);
174 if (e == NULL) 185 if (e == NULL) {
175 {
176 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE); 186 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
177 goto err; 187 goto err;
178 } 188 }
179 189
180 if (rsa->e == NULL) 190 if (rsa->e == NULL) {
181 {
182 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx); 191 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
183 if (e == NULL) 192 if (e == NULL) {
184 { 193 RSAerr(RSA_F_RSA_SETUP_BLINDING,
185 RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT); 194 RSA_R_NO_PUBLIC_EXPONENT);
186 goto err; 195 goto err;
187 }
188 } 196 }
189 else 197 } else
190 e = rsa->e; 198 e = rsa->e;
191 199
192 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 200 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
193 {
194 /* Set BN_FLG_CONSTTIME flag */ 201 /* Set BN_FLG_CONSTTIME flag */
195 n = &local_n; 202 n = &local_n;
196 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); 203 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
197 } 204 } else
198 else
199 n = rsa->n; 205 n = rsa->n;
200 206
201 ret = BN_BLINDING_create_param(NULL, e, n, ctx, 207 ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
202 rsa->meth->bn_mod_exp, rsa->_method_mod_n); 208 rsa->_method_mod_n);
203 if (ret == NULL) 209 if (ret == NULL) {
204 {
205 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); 210 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
206 goto err; 211 goto err;
207 } 212 }
208 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret)); 213 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
209err: 214err:
210 BN_CTX_end(ctx); 215 BN_CTX_end(ctx);
211 if (in_ctx == NULL) 216 if (in_ctx == NULL)
212 BN_CTX_free(ctx); 217 BN_CTX_free(ctx);
213 if(rsa->e == NULL) 218 if (rsa->e == NULL)
214 BN_free(e); 219 BN_free(e);
215 220
216 return ret; 221 return ret;
diff --git a/src/lib/libcrypto/rsa/rsa_depr.c b/src/lib/libcrypto/rsa/rsa_depr.c
index 5f60727255..6808b5aecb 100644
--- a/src/lib/libcrypto/rsa/rsa_depr.c
+++ b/src/lib/libcrypto/rsa/rsa_depr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_depr.c,v 1.3 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_depr.c,v 1.4 2014/07/09 08:20:08 miod Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -64,34 +64,37 @@
64 64
65#ifndef OPENSSL_NO_DEPRECATED 65#ifndef OPENSSL_NO_DEPRECATED
66 66
67RSA *RSA_generate_key(int bits, unsigned long e_value, 67RSA *
68 void (*callback)(int,int,void *), void *cb_arg) 68RSA_generate_key(int bits, unsigned long e_value,
69 { 69 void (*callback)(int, int, void *), void *cb_arg)
70{
70 BN_GENCB cb; 71 BN_GENCB cb;
71 int i; 72 int i;
72 RSA *rsa = RSA_new(); 73 RSA *rsa = RSA_new();
73 BIGNUM *e = BN_new(); 74 BIGNUM *e = BN_new();
74 75
75 if(!rsa || !e) goto err; 76 if (!rsa || !e)
77 goto err;
76 78
77 /* The problem is when building with 8, 16, or 32 BN_ULONG, 79 /* The problem is when building with 8, 16, or 32 BN_ULONG,
78 * unsigned long can be larger */ 80 * unsigned long can be larger */
79 for (i=0; i<(int)sizeof(unsigned long)*8; i++) 81 for (i = 0; i < (int)sizeof(unsigned long) * 8; i++) {
80 { 82 if (e_value & (1UL << i))
81 if (e_value & (1UL<<i)) 83 if (BN_set_bit(e, i) == 0)
82 if (BN_set_bit(e,i) == 0)
83 goto err; 84 goto err;
84 } 85 }
85 86
86 BN_GENCB_set_old(&cb, callback, cb_arg); 87 BN_GENCB_set_old(&cb, callback, cb_arg);
87 88
88 if(RSA_generate_key_ex(rsa, bits, e, &cb)) { 89 if (RSA_generate_key_ex(rsa, bits, e, &cb)) {
89 BN_free(e); 90 BN_free(e);
90 return rsa; 91 return rsa;
91 } 92 }
92err: 93err:
93 if(e) BN_free(e); 94 if (e)
94 if(rsa) RSA_free(rsa); 95 BN_free(e);
96 if (rsa)
97 RSA_free(rsa);
95 return 0; 98 return 0;
96 } 99}
97#endif 100#endif
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 9e17483e09..7b294e761e 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_eay.c,v 1.28 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_eay.c,v 1.29 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -140,114 +140,114 @@ static RSA_METHOD rsa_pkcs1_eay_meth = {
140 .finish = RSA_eay_finish, 140 .finish = RSA_eay_finish,
141}; 141};
142 142
143const RSA_METHOD *RSA_PKCS1_SSLeay(void) 143const RSA_METHOD *
144 { 144RSA_PKCS1_SSLeay(void)
145 return(&rsa_pkcs1_eay_meth); 145{
146 } 146 return &rsa_pkcs1_eay_meth;
147}
147 148
148static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 149static int
149 unsigned char *to, RSA *rsa, int padding) 150RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
150 { 151 RSA *rsa, int padding)
151 BIGNUM *f,*ret; 152{
152 int i,j,k,num=0,r= -1; 153 BIGNUM *f, *ret;
153 unsigned char *buf=NULL; 154 int i, j, k, num = 0, r = -1;
154 BN_CTX *ctx=NULL; 155 unsigned char *buf = NULL;
156 BN_CTX *ctx = NULL;
155 157
156 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 158 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
157 {
158 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 159 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
159 return -1; 160 return -1;
160 } 161 }
161 162
162 if (BN_ucmp(rsa->n, rsa->e) <= 0) 163 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
163 {
164 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 164 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
165 return -1; 165 return -1;
166 } 166 }
167 167
168 /* for large moduli, enforce exponent limit */ 168 /* for large moduli, enforce exponent limit */
169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
170 { 170 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
171 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
172 {
173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 171 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
174 return -1; 172 return -1;
175 }
176 } 173 }
174 }
177 175
178 if ((ctx=BN_CTX_new()) == NULL) goto err; 176 if ((ctx=BN_CTX_new()) == NULL)
177 goto err;
179 BN_CTX_start(ctx); 178 BN_CTX_start(ctx);
180 f = BN_CTX_get(ctx); 179 f = BN_CTX_get(ctx);
181 ret = BN_CTX_get(ctx); 180 ret = BN_CTX_get(ctx);
182 num=BN_num_bytes(rsa->n); 181 num = BN_num_bytes(rsa->n);
183 buf = malloc(num); 182 buf = malloc(num);
184 if (!f || !ret || !buf) 183 if (!f || !ret || !buf) {
185 {
186 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 184 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
187 goto err; 185 goto err;
188 } 186 }
189 187
190 switch (padding) 188 switch (padding) {
191 {
192 case RSA_PKCS1_PADDING: 189 case RSA_PKCS1_PADDING:
193 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 190 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
194 break; 191 break;
195#ifndef OPENSSL_NO_SHA 192#ifndef OPENSSL_NO_SHA
196 case RSA_PKCS1_OAEP_PADDING: 193 case RSA_PKCS1_OAEP_PADDING:
197 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 194 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
198 break; 195 break;
199#endif 196#endif
200 case RSA_SSLV23_PADDING: 197 case RSA_SSLV23_PADDING:
201 i=RSA_padding_add_SSLv23(buf,num,from,flen); 198 i = RSA_padding_add_SSLv23(buf, num, from, flen);
202 break; 199 break;
203 case RSA_NO_PADDING: 200 case RSA_NO_PADDING:
204 i=RSA_padding_add_none(buf,num,from,flen); 201 i = RSA_padding_add_none(buf, num, from, flen);
205 break; 202 break;
206 default: 203 default:
207 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 204 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
205 RSA_R_UNKNOWN_PADDING_TYPE);
206 goto err;
207 }
208 if (i <= 0)
208 goto err; 209 goto err;
209 }
210 if (i <= 0) goto err;
211 210
212 if (BN_bin2bn(buf,num,f) == NULL) goto err; 211 if (BN_bin2bn(buf, num, f) == NULL)
212 goto err;
213 213
214 if (BN_ucmp(f, rsa->n) >= 0) 214 if (BN_ucmp(f, rsa->n) >= 0) {
215 {
216 /* usually the padding functions would catch this */ 215 /* usually the padding functions would catch this */
217 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 216 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
217 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
218 goto err; 218 goto err;
219 } 219 }
220 220
221 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 221 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
222 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 222 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
223 CRYPTO_LOCK_RSA, rsa->n, ctx))
223 goto err; 224 goto err;
224 225
225 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 226 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, rsa->_method_mod_n))
226 rsa->_method_mod_n)) goto err; 227 goto err;
227 228
228 /* put in leading 0 bytes if the number is less than the 229 /* put in leading 0 bytes if the number is less than the
229 * length of the modulus */ 230 * length of the modulus */
230 j=BN_num_bytes(ret); 231 j = BN_num_bytes(ret);
231 i=BN_bn2bin(ret,&(to[num-j])); 232 i = BN_bn2bin(ret, &(to[num - j]));
232 for (k=0; k<(num-i); k++) 233 for (k = 0; k < num - i; k++)
233 to[k]=0; 234 to[k] = 0;
234 235
235 r=num; 236 r = num;
236err: 237err:
237 if (ctx != NULL) 238 if (ctx != NULL) {
238 {
239 BN_CTX_end(ctx); 239 BN_CTX_end(ctx);
240 BN_CTX_free(ctx); 240 BN_CTX_free(ctx);
241 } 241 }
242 if (buf != NULL) 242 if (buf != NULL) {
243 { 243 OPENSSL_cleanse(buf, num);
244 OPENSSL_cleanse(buf,num);
245 free(buf); 244 free(buf);
246 }
247 return(r);
248 } 245 }
246 return r;
247}
249 248
250static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 249static BN_BLINDING *
250rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
251{ 251{
252 BN_BLINDING *ret; 252 BN_BLINDING *ret;
253 int got_write_lock = 0; 253 int got_write_lock = 0;
@@ -255,53 +255,47 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
255 255
256 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 256 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
257 257
258 if (rsa->blinding == NULL) 258 if (rsa->blinding == NULL) {
259 {
260 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 259 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
261 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 260 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
262 got_write_lock = 1; 261 got_write_lock = 1;
263 262
264 if (rsa->blinding == NULL) 263 if (rsa->blinding == NULL)
265 rsa->blinding = RSA_setup_blinding(rsa, ctx); 264 rsa->blinding = RSA_setup_blinding(rsa, ctx);
266 } 265 }
267 266
268 ret = rsa->blinding; 267 ret = rsa->blinding;
269 if (ret == NULL) 268 if (ret == NULL)
270 goto err; 269 goto err;
271 270
272 CRYPTO_THREADID_current(&cur); 271 CRYPTO_THREADID_current(&cur);
273 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) 272 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
274 {
275 /* rsa->blinding is ours! */ 273 /* rsa->blinding is ours! */
276
277 *local = 1; 274 *local = 1;
278 } 275 } else {
279 else
280 {
281 /* resort to rsa->mt_blinding instead */ 276 /* resort to rsa->mt_blinding instead */
277 /*
278 * Instruct rsa_blinding_convert(), rsa_blinding_invert()
279 * that the BN_BLINDING is shared, meaning that accesses
280 * require locks, and that the blinding factor must be
281 * stored outside the BN_BLINDING
282 */
283 *local = 0;
282 284
283 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() 285 if (rsa->mt_blinding == NULL) {
284 * that the BN_BLINDING is shared, meaning that accesses 286 if (!got_write_lock) {
285 * require locks, and that the blinding factor must be
286 * stored outside the BN_BLINDING
287 */
288
289 if (rsa->mt_blinding == NULL)
290 {
291 if (!got_write_lock)
292 {
293 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 287 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
294 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 288 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
295 got_write_lock = 1; 289 got_write_lock = 1;
296 } 290 }
297 291
298 if (rsa->mt_blinding == NULL) 292 if (rsa->mt_blinding == NULL)
299 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 293 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
300 }
301 ret = rsa->mt_blinding;
302 } 294 }
295 ret = rsa->mt_blinding;
296 }
303 297
304 err: 298err:
305 if (got_write_lock) 299 if (got_write_lock)
306 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 300 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
307 else 301 else
@@ -309,29 +303,33 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
309 return ret; 303 return ret;
310} 304}
311 305
312static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 306static int
313 BN_CTX *ctx) 307rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
314 { 308{
315 if (unblind == NULL) 309 if (unblind == NULL)
316 /* Local blinding: store the unblinding factor 310 /*
317 * in BN_BLINDING. */ 311 * Local blinding: store the unblinding factor
312 * in BN_BLINDING.
313 */
318 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 314 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
319 else 315 else {
320 { 316 /*
321 /* Shared blinding: store the unblinding factor 317 * Shared blinding: store the unblinding factor
322 * outside BN_BLINDING. */ 318 * outside BN_BLINDING.
319 */
323 int ret; 320 int ret;
324 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 321 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
325 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 322 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
326 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 323 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
327 return ret; 324 return ret;
328 }
329 } 325 }
326}
330 327
331static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 328static int
332 BN_CTX *ctx) 329rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
333 { 330{
334 /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 331 /*
332 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
335 * will use the unblinding factor stored in BN_BLINDING. 333 * will use the unblinding factor stored in BN_BLINDING.
336 * If BN_BLINDING is shared between threads, unblind must be non-null: 334 * If BN_BLINDING is shared between threads, unblind must be non-null:
337 * BN_BLINDING_invert_ex will then use the local unblinding factor, 335 * BN_BLINDING_invert_ex will then use the local unblinding factor,
@@ -339,402 +337,392 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
339 * In both cases it's safe to access the blinding without a lock. 337 * In both cases it's safe to access the blinding without a lock.
340 */ 338 */
341 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 339 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
342 } 340}
343 341
344/* signing */ 342/* signing */
345static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 343static int
346 unsigned char *to, RSA *rsa, int padding) 344RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
347 { 345 RSA *rsa, int padding)
346{
348 BIGNUM *f, *ret, *res; 347 BIGNUM *f, *ret, *res;
349 int i,j,k,num=0,r= -1; 348 int i, j, k, num = 0, r = -1;
350 unsigned char *buf=NULL; 349 unsigned char *buf = NULL;
351 BN_CTX *ctx=NULL; 350 BN_CTX *ctx = NULL;
352 int local_blinding = 0; 351 int local_blinding = 0;
353 /* Used only if the blinding structure is shared. A non-NULL unblind 352 /*
353 * Used only if the blinding structure is shared. A non-NULL unblind
354 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 354 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
355 * the unblinding factor outside the blinding structure. */ 355 * the unblinding factor outside the blinding structure.
356 */
356 BIGNUM *unblind = NULL; 357 BIGNUM *unblind = NULL;
357 BN_BLINDING *blinding = NULL; 358 BN_BLINDING *blinding = NULL;
358 359
359 if ((ctx=BN_CTX_new()) == NULL) goto err; 360 if ((ctx=BN_CTX_new()) == NULL)
361 goto err;
360 BN_CTX_start(ctx); 362 BN_CTX_start(ctx);
361 f = BN_CTX_get(ctx); 363 f = BN_CTX_get(ctx);
362 ret = BN_CTX_get(ctx); 364 ret = BN_CTX_get(ctx);
363 num = BN_num_bytes(rsa->n); 365 num = BN_num_bytes(rsa->n);
364 buf = malloc(num); 366 buf = malloc(num);
365 if(!f || !ret || !buf) 367 if (!f || !ret || !buf) {
366 { 368 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
367 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
368 goto err; 369 goto err;
369 } 370 }
370 371
371 switch (padding) 372 switch (padding) {
372 {
373 case RSA_PKCS1_PADDING: 373 case RSA_PKCS1_PADDING:
374 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 374 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
375 break; 375 break;
376 case RSA_X931_PADDING: 376 case RSA_X931_PADDING:
377 i=RSA_padding_add_X931(buf,num,from,flen); 377 i = RSA_padding_add_X931(buf, num, from, flen);
378 break; 378 break;
379 case RSA_NO_PADDING: 379 case RSA_NO_PADDING:
380 i=RSA_padding_add_none(buf,num,from,flen); 380 i = RSA_padding_add_none(buf, num, from, flen);
381 break; 381 break;
382 case RSA_SSLV23_PADDING: 382 case RSA_SSLV23_PADDING:
383 default: 383 default:
384 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 384 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
385 RSA_R_UNKNOWN_PADDING_TYPE);
386 goto err;
387 }
388 if (i <= 0)
385 goto err; 389 goto err;
386 }
387 if (i <= 0) goto err;
388 390
389 if (BN_bin2bn(buf,num,f) == NULL) goto err; 391 if (BN_bin2bn(buf,num,f) == NULL)
392 goto err;
390 393
391 if (BN_ucmp(f, rsa->n) >= 0) 394 if (BN_ucmp(f, rsa->n) >= 0) {
392 {
393 /* usually the padding functions would catch this */ 395 /* usually the padding functions would catch this */
394 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 396 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
397 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
395 goto err; 398 goto err;
396 } 399 }
397 400
398 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 401 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
399 {
400 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 402 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
401 if (blinding == NULL) 403 if (blinding == NULL) {
402 { 404 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
403 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 405 ERR_R_INTERNAL_ERROR);
404 goto err; 406 goto err;
405 }
406 } 407 }
408 }
407 409
408 if (blinding != NULL) 410 if (blinding != NULL) {
409 { 411 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
410 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) 412 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
411 { 413 ERR_R_MALLOC_FAILURE);
412 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
413 goto err; 414 goto err;
414 } 415 }
415 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 416 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
416 goto err; 417 goto err;
417 } 418 }
418 419
419 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 420 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
420 ((rsa->p != NULL) && 421 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
421 (rsa->q != NULL) && 422 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
422 (rsa->dmp1 != NULL) && 423 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
423 (rsa->dmq1 != NULL) && 424 goto err;
424 (rsa->iqmp != NULL)) ) 425 } else {
425 {
426 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
427 }
428 else
429 {
430 BIGNUM local_d; 426 BIGNUM local_d;
431 BIGNUM *d = NULL; 427 BIGNUM *d = NULL;
432 428
433 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 429 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
434 {
435 BN_init(&local_d); 430 BN_init(&local_d);
436 d = &local_d; 431 d = &local_d;
437 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 432 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
438 } 433 } else
439 else 434 d = rsa->d;
440 d= rsa->d;
441 435
442 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 436 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
443 if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 437 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
438 CRYPTO_LOCK_RSA, rsa->n, ctx))
444 goto err; 439 goto err;
445 440
446 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 441 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n,ctx,
447 rsa->_method_mod_n)) goto err; 442 rsa->_method_mod_n))
448 } 443 goto err;
444 }
449 445
450 if (blinding) 446 if (blinding)
451 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 447 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
452 goto err; 448 goto err;
453 449
454 if (padding == RSA_X931_PADDING) 450 if (padding == RSA_X931_PADDING) {
455 {
456 BN_sub(f, rsa->n, ret); 451 BN_sub(f, rsa->n, ret);
457 if (BN_cmp(ret, f)) 452 if (BN_cmp(ret, f))
458 res = f; 453 res = f;
459 else 454 else
460 res = ret; 455 res = ret;
461 } 456 } else
462 else
463 res = ret; 457 res = ret;
464 458
465 /* put in leading 0 bytes if the number is less than the 459 /* put in leading 0 bytes if the number is less than the
466 * length of the modulus */ 460 * length of the modulus */
467 j=BN_num_bytes(res); 461 j = BN_num_bytes(res);
468 i=BN_bn2bin(res,&(to[num-j])); 462 i = BN_bn2bin(res, &(to[num - j]));
469 for (k=0; k<(num-i); k++) 463 for (k = 0; k < num - i; k++)
470 to[k]=0; 464 to[k] = 0;
471 465
472 r=num; 466 r = num;
473err: 467err:
474 if (ctx != NULL) 468 if (ctx != NULL) {
475 {
476 BN_CTX_end(ctx); 469 BN_CTX_end(ctx);
477 BN_CTX_free(ctx); 470 BN_CTX_free(ctx);
478 } 471 }
479 if (buf != NULL) 472 if (buf != NULL) {
480 { 473 OPENSSL_cleanse(buf, num);
481 OPENSSL_cleanse(buf,num);
482 free(buf); 474 free(buf);
483 }
484 return(r);
485 } 475 }
476 return r;
477}
486 478
487static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 479static int
488 unsigned char *to, RSA *rsa, int padding) 480RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
489 { 481 RSA *rsa, int padding)
482{
490 BIGNUM *f, *ret; 483 BIGNUM *f, *ret;
491 int j,num=0,r= -1; 484 int j, num = 0, r = -1;
492 unsigned char *p; 485 unsigned char *p;
493 unsigned char *buf=NULL; 486 unsigned char *buf = NULL;
494 BN_CTX *ctx=NULL; 487 BN_CTX *ctx = NULL;
495 int local_blinding = 0; 488 int local_blinding = 0;
496 /* Used only if the blinding structure is shared. A non-NULL unblind 489 /*
490 * Used only if the blinding structure is shared. A non-NULL unblind
497 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 491 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
498 * the unblinding factor outside the blinding structure. */ 492 * the unblinding factor outside the blinding structure.
493 */
499 BIGNUM *unblind = NULL; 494 BIGNUM *unblind = NULL;
500 BN_BLINDING *blinding = NULL; 495 BN_BLINDING *blinding = NULL;
501 496
502 if((ctx = BN_CTX_new()) == NULL) goto err; 497 if ((ctx = BN_CTX_new()) == NULL)
498 goto err;
503 BN_CTX_start(ctx); 499 BN_CTX_start(ctx);
504 f = BN_CTX_get(ctx); 500 f = BN_CTX_get(ctx);
505 ret = BN_CTX_get(ctx); 501 ret = BN_CTX_get(ctx);
506 num = BN_num_bytes(rsa->n); 502 num = BN_num_bytes(rsa->n);
507 buf = malloc(num); 503 buf = malloc(num);
508 if(!f || !ret || !buf) 504 if (!f || !ret || !buf) {
509 { 505 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
510 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
511 goto err; 506 goto err;
512 } 507 }
513 508
514 /* This check was for equality but PGP does evil things 509 /* This check was for equality but PGP does evil things
515 * and chops off the top '0' bytes */ 510 * and chops off the top '0' bytes */
516 if (flen > num) 511 if (flen > num) {
517 { 512 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
518 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 513 RSA_R_DATA_GREATER_THAN_MOD_LEN);
519 goto err; 514 goto err;
520 } 515 }
521 516
522 /* make data into a big number */ 517 /* make data into a big number */
523 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; 518 if (BN_bin2bn(from, (int)flen, f) == NULL)
519 goto err;
524 520
525 if (BN_ucmp(f, rsa->n) >= 0) 521 if (BN_ucmp(f, rsa->n) >= 0) {
526 { 522 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
527 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 523 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
528 goto err; 524 goto err;
529 } 525 }
530 526
531 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 527 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
532 {
533 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 528 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
534 if (blinding == NULL) 529 if (blinding == NULL) {
535 { 530 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
536 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 531 ERR_R_INTERNAL_ERROR);
537 goto err; 532 goto err;
538 }
539 } 533 }
534 }
540 535
541 if (blinding != NULL) 536 if (blinding != NULL) {
542 { 537 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
543 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) 538 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
544 { 539 ERR_R_MALLOC_FAILURE);
545 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
546 goto err; 540 goto err;
547 } 541 }
548 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 542 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
549 goto err; 543 goto err;
550 } 544 }
551 545
552 /* do the decrypt */ 546 /* do the decrypt */
553 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 547 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
554 ((rsa->p != NULL) && 548 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
555 (rsa->q != NULL) && 549 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
556 (rsa->dmp1 != NULL) && 550 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
557 (rsa->dmq1 != NULL) && 551 goto err;
558 (rsa->iqmp != NULL)) ) 552 } else {
559 {
560 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
561 }
562 else
563 {
564 BIGNUM local_d; 553 BIGNUM local_d;
565 BIGNUM *d = NULL; 554 BIGNUM *d = NULL;
566 555
567 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 556 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
568 {
569 d = &local_d; 557 d = &local_d;
570 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 558 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
571 } 559 } else
572 else
573 d = rsa->d; 560 d = rsa->d;
574 561
575 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 562 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
576 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 563 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
564 CRYPTO_LOCK_RSA, rsa->n, ctx))
577 goto err; 565 goto err;
578 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 566 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
579 rsa->_method_mod_n)) 567 rsa->_method_mod_n))
580 goto err; 568 goto err;
581 } 569 }
582 570
583 if (blinding) 571 if (blinding)
584 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 572 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
585 goto err; 573 goto err;
586 574
587 p=buf; 575 p = buf;
588 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ 576 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
589 577
590 switch (padding) 578 switch (padding) {
591 {
592 case RSA_PKCS1_PADDING: 579 case RSA_PKCS1_PADDING:
593 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 580 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
594 break; 581 break;
595#ifndef OPENSSL_NO_SHA 582#ifndef OPENSSL_NO_SHA
596 case RSA_PKCS1_OAEP_PADDING: 583 case RSA_PKCS1_OAEP_PADDING:
597 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 584 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
598 break; 585 break;
599#endif 586#endif
600 case RSA_SSLV23_PADDING: 587 case RSA_SSLV23_PADDING:
601 r=RSA_padding_check_SSLv23(to,num,buf,j,num); 588 r = RSA_padding_check_SSLv23(to, num, buf, j, num);
602 break; 589 break;
603 case RSA_NO_PADDING: 590 case RSA_NO_PADDING:
604 r=RSA_padding_check_none(to,num,buf,j,num); 591 r = RSA_padding_check_none(to, num, buf, j, num);
605 break; 592 break;
606 default: 593 default:
607 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 594 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
595 RSA_R_UNKNOWN_PADDING_TYPE);
608 goto err; 596 goto err;
609 } 597 }
610 if (r < 0) 598 if (r < 0)
611 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 599 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
600 RSA_R_PADDING_CHECK_FAILED);
612 601
613err: 602err:
614 if (ctx != NULL) 603 if (ctx != NULL) {
615 {
616 BN_CTX_end(ctx); 604 BN_CTX_end(ctx);
617 BN_CTX_free(ctx); 605 BN_CTX_free(ctx);
618 } 606 }
619 if (buf != NULL) 607 if (buf != NULL) {
620 {
621 OPENSSL_cleanse(buf,num); 608 OPENSSL_cleanse(buf,num);
622 free(buf); 609 free(buf);
623 }
624 return(r);
625 } 610 }
611 return r;
612}
626 613
627/* signature verification */ 614/* signature verification */
628static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 615static int
629 unsigned char *to, RSA *rsa, int padding) 616RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
630 { 617 RSA *rsa, int padding)
631 BIGNUM *f,*ret; 618{
632 int i,num=0,r= -1; 619 BIGNUM *f, *ret;
620 int i, num = 0,r = -1;
633 unsigned char *p; 621 unsigned char *p;
634 unsigned char *buf=NULL; 622 unsigned char *buf = NULL;
635 BN_CTX *ctx=NULL; 623 BN_CTX *ctx = NULL;
636 624
637 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 625 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
638 {
639 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 626 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
640 return -1; 627 return -1;
641 } 628 }
642 629
643 if (BN_ucmp(rsa->n, rsa->e) <= 0) 630 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
644 {
645 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 631 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
646 return -1; 632 return -1;
647 } 633 }
648 634
649 /* for large moduli, enforce exponent limit */ 635 /* for large moduli, enforce exponent limit */
650 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 636 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
651 { 637 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
652 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
653 {
654 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 638 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
655 return -1; 639 return -1;
656 }
657 } 640 }
641 }
658 642
659 if((ctx = BN_CTX_new()) == NULL) goto err; 643 if ((ctx = BN_CTX_new()) == NULL)
644 goto err;
660 BN_CTX_start(ctx); 645 BN_CTX_start(ctx);
661 f = BN_CTX_get(ctx); 646 f = BN_CTX_get(ctx);
662 ret = BN_CTX_get(ctx); 647 ret = BN_CTX_get(ctx);
663 num=BN_num_bytes(rsa->n); 648 num = BN_num_bytes(rsa->n);
664 buf = malloc(num); 649 buf = malloc(num);
665 if(!f || !ret || !buf) 650 if (!f || !ret || !buf) {
666 { 651 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
667 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
668 goto err; 652 goto err;
669 } 653 }
670 654
671 /* This check was for equality but PGP does evil things 655 /* This check was for equality but PGP does evil things
672 * and chops off the top '0' bytes */ 656 * and chops off the top '0' bytes */
673 if (flen > num) 657 if (flen > num) {
674 { 658 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
675 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 659 RSA_R_DATA_GREATER_THAN_MOD_LEN);
676 goto err; 660 goto err;
677 } 661 }
678 662
679 if (BN_bin2bn(from,flen,f) == NULL) goto err; 663 if (BN_bin2bn(from,flen,f) == NULL)
664 goto err;
680 665
681 if (BN_ucmp(f, rsa->n) >= 0) 666 if (BN_ucmp(f, rsa->n) >= 0) {
682 { 667 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
683 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 668 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
684 goto err; 669 goto err;
685 } 670 }
686 671
687 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 672 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
688 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 673 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
674 CRYPTO_LOCK_RSA, rsa->n, ctx))
689 goto err; 675 goto err;
690 676
691 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 677 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
692 rsa->_method_mod_n)) goto err; 678 rsa->_method_mod_n))
679 goto err;
693 680
694 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 681 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
695 if (!BN_sub(ret, rsa->n, ret)) goto err; 682 if (!BN_sub(ret, rsa->n, ret))
683 goto err;
696 684
697 p=buf; 685 p = buf;
698 i=BN_bn2bin(ret,p); 686 i = BN_bn2bin(ret, p);
699 687
700 switch (padding) 688 switch (padding) {
701 {
702 case RSA_PKCS1_PADDING: 689 case RSA_PKCS1_PADDING:
703 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 690 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
704 break; 691 break;
705 case RSA_X931_PADDING: 692 case RSA_X931_PADDING:
706 r=RSA_padding_check_X931(to,num,buf,i,num); 693 r = RSA_padding_check_X931(to, num, buf, i, num);
707 break; 694 break;
708 case RSA_NO_PADDING: 695 case RSA_NO_PADDING:
709 r=RSA_padding_check_none(to,num,buf,i,num); 696 r = RSA_padding_check_none(to, num, buf, i, num);
710 break; 697 break;
711 default: 698 default:
712 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 699 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
700 RSA_R_UNKNOWN_PADDING_TYPE);
713 goto err; 701 goto err;
714 } 702 }
715 if (r < 0) 703 if (r < 0)
716 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 704 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
705 RSA_R_PADDING_CHECK_FAILED);
717 706
718err: 707err:
719 if (ctx != NULL) 708 if (ctx != NULL) {
720 {
721 BN_CTX_end(ctx); 709 BN_CTX_end(ctx);
722 BN_CTX_free(ctx); 710 BN_CTX_free(ctx);
723 } 711 }
724 if (buf != NULL) 712 if (buf != NULL) {
725 { 713 OPENSSL_cleanse(buf, num);
726 OPENSSL_cleanse(buf,num);
727 free(buf); 714 free(buf);
728 }
729 return(r);
730 } 715 }
716 return r;
717}
731 718
732static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 719static int
733 { 720RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
734 BIGNUM *r1,*m1,*vrfy; 721{
735 BIGNUM local_dmp1,local_dmq1,local_c,local_r1; 722 BIGNUM *r1, *m1, *vrfy;
736 BIGNUM *dmp1,*dmq1,*c,*pr1; 723 BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
737 int ret=0; 724 BIGNUM *dmp1, *dmq1, *c, *pr1;
725 int ret = 0;
738 726
739 BN_CTX_start(ctx); 727 BN_CTX_start(ctx);
740 r1 = BN_CTX_get(ctx); 728 r1 = BN_CTX_get(ctx);
@@ -745,11 +733,11 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
745 BIGNUM local_p, local_q; 733 BIGNUM local_p, local_q;
746 BIGNUM *p = NULL, *q = NULL; 734 BIGNUM *p = NULL, *q = NULL;
747 735
748 /* Make sure BN_mod_inverse in Montgomery intialization uses the 736 /*
737 * Make sure BN_mod_inverse in Montgomery intialization uses the
749 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 738 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
750 */ 739 */
751 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 740 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
752 {
753 BN_init(&local_p); 741 BN_init(&local_p);
754 p = &local_p; 742 p = &local_p;
755 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 743 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
@@ -757,91 +745,92 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
757 BN_init(&local_q); 745 BN_init(&local_q);
758 q = &local_q; 746 q = &local_q;
759 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 747 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
760 } 748 } else {
761 else
762 {
763 p = rsa->p; 749 p = rsa->p;
764 q = rsa->q; 750 q = rsa->q;
765 } 751 }
766 752
767 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 753 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
768 { 754 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
769 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) 755 CRYPTO_LOCK_RSA, p, ctx))
770 goto err; 756 goto err;
771 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) 757 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
758 CRYPTO_LOCK_RSA, q, ctx))
772 goto err; 759 goto err;
773 } 760 }
774 } 761 }
775 762
776 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 763 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
777 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 764 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
765 CRYPTO_LOCK_RSA, rsa->n, ctx))
778 goto err; 766 goto err;
779 767
780 /* compute I mod q */ 768 /* compute I mod q */
781 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 769 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
782 {
783 c = &local_c; 770 c = &local_c;
784 BN_with_flags(c, I, BN_FLG_CONSTTIME); 771 BN_with_flags(c, I, BN_FLG_CONSTTIME);
785 if (!BN_mod(r1,c,rsa->q,ctx)) goto err; 772 if (!BN_mod(r1, c, rsa->q, ctx))
786 } 773 goto err;
787 else 774 } else {
788 { 775 if (!BN_mod(r1, I, rsa->q, ctx))
789 if (!BN_mod(r1,I,rsa->q,ctx)) goto err; 776 goto err;
790 } 777 }
791 778
792 /* compute r1^dmq1 mod q */ 779 /* compute r1^dmq1 mod q */
793 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 780 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
794 {
795 dmq1 = &local_dmq1; 781 dmq1 = &local_dmq1;
796 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 782 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
797 } 783 } else
798 else
799 dmq1 = rsa->dmq1; 784 dmq1 = rsa->dmq1;
800 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, 785 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
801 rsa->_method_mod_q)) goto err; 786 rsa->_method_mod_q))
787 goto err;
802 788
803 /* compute I mod p */ 789 /* compute I mod p */
804 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 790 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
805 {
806 c = &local_c; 791 c = &local_c;
807 BN_with_flags(c, I, BN_FLG_CONSTTIME); 792 BN_with_flags(c, I, BN_FLG_CONSTTIME);
808 if (!BN_mod(r1,c,rsa->p,ctx)) goto err; 793 if (!BN_mod(r1, c, rsa->p, ctx))
809 } 794 goto err;
810 else 795 } else {
811 { 796 if (!BN_mod(r1, I, rsa->p, ctx))
812 if (!BN_mod(r1,I,rsa->p,ctx)) goto err; 797 goto err;
813 } 798 }
814 799
815 /* compute r1^dmp1 mod p */ 800 /* compute r1^dmp1 mod p */
816 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 801 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
817 {
818 dmp1 = &local_dmp1; 802 dmp1 = &local_dmp1;
819 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 803 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
820 } 804 } else
821 else
822 dmp1 = rsa->dmp1; 805 dmp1 = rsa->dmp1;
823 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, 806 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p,ctx,
824 rsa->_method_mod_p)) goto err; 807 rsa->_method_mod_p))
808 goto err;
825 809
826 if (!BN_sub(r0,r0,m1)) goto err; 810 if (!BN_sub(r0, r0, m1))
827 /* This will help stop the size of r0 increasing, which does 811 goto err;
828 * affect the multiply if it optimised for a power of 2 size */ 812 /*
813 * This will help stop the size of r0 increasing, which does
814 * affect the multiply if it optimised for a power of 2 size
815 */
829 if (BN_is_negative(r0)) 816 if (BN_is_negative(r0))
830 if (!BN_add(r0,r0,rsa->p)) goto err; 817 if (!BN_add(r0, r0, rsa->p))
818 goto err;
831 819
832 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; 820 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
821 goto err;
833 822
834 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 823 /* Turn BN_FLG_CONSTTIME flag on before division operation */
835 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 824 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
836 {
837 pr1 = &local_r1; 825 pr1 = &local_r1;
838 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 826 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
839 } 827 } else
840 else
841 pr1 = r1; 828 pr1 = r1;
842 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; 829 if (!BN_mod(r0, pr1, rsa->p,ctx))
830 goto err;
843 831
844 /* If p < q it is occasionally possible for the correction of 832 /*
833 * If p < q it is occasionally possible for the correction of
845 * adding 'p' if r0 is negative above to leave the result still 834 * adding 'p' if r0 is negative above to leave the result still
846 * negative. This can break the private key operations: the following 835 * negative. This can break the private key operations: the following
847 * second correction should *always* correct this rare occurrence. 836 * second correction should *always* correct this rare occurrence.
@@ -849,62 +838,73 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
849 * they ensure p > q [steve] 838 * they ensure p > q [steve]
850 */ 839 */
851 if (BN_is_negative(r0)) 840 if (BN_is_negative(r0))
852 if (!BN_add(r0,r0,rsa->p)) goto err; 841 if (!BN_add(r0, r0, rsa->p))
853 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 842 goto err;
854 if (!BN_add(r0,r1,m1)) goto err; 843 if (!BN_mul(r1, r0, rsa->q, ctx))
855 844 goto err;
856 if (rsa->e && rsa->n) 845 if (!BN_add(r0, r1, m1))
857 { 846 goto err;
858 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; 847
859 /* If 'I' was greater than (or equal to) rsa->n, the operation 848 if (rsa->e && rsa->n) {
849 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
850 rsa->_method_mod_n))
851 goto err;
852 /*
853 * If 'I' was greater than (or equal to) rsa->n, the operation
860 * will be equivalent to using 'I mod n'. However, the result of 854 * will be equivalent to using 'I mod n'. However, the result of
861 * the verify will *always* be less than 'n' so we don't check 855 * the verify will *always* be less than 'n' so we don't check
862 * for absolute equality, just congruency. */ 856 * for absolute equality, just congruency.
863 if (!BN_sub(vrfy, vrfy, I)) goto err; 857 */
864 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; 858 if (!BN_sub(vrfy, vrfy, I))
859 goto err;
860 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
861 goto err;
865 if (BN_is_negative(vrfy)) 862 if (BN_is_negative(vrfy))
866 if (!BN_add(vrfy, vrfy, rsa->n)) goto err; 863 if (!BN_add(vrfy, vrfy, rsa->n))
867 if (!BN_is_zero(vrfy)) 864 goto err;
868 { 865 if (!BN_is_zero(vrfy)) {
869 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 866 /*
867 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
870 * miscalculated CRT output, just do a raw (slower) 868 * miscalculated CRT output, just do a raw (slower)
871 * mod_exp and return that instead. */ 869 * mod_exp and return that instead.
870 */
872 871
873 BIGNUM local_d; 872 BIGNUM local_d;
874 BIGNUM *d = NULL; 873 BIGNUM *d = NULL;
875 874
876 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 875 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
877 {
878 d = &local_d; 876 d = &local_d;
879 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 877 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
880 } 878 } else
881 else
882 d = rsa->d; 879 d = rsa->d;
883 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, 880 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
884 rsa->_method_mod_n)) goto err; 881 rsa->_method_mod_n))
885 } 882 goto err;
886 } 883 }
887 ret=1; 884 }
885 ret = 1;
888err: 886err:
889 BN_CTX_end(ctx); 887 BN_CTX_end(ctx);
890 return(ret); 888 return ret;
891 } 889}
892 890
893static int RSA_eay_init(RSA *rsa) 891static int
894 { 892RSA_eay_init(RSA *rsa)
895 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 893{
896 return(1); 894 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
897 } 895 return 1 ;
896}
898 897
899static int RSA_eay_finish(RSA *rsa) 898static int
900 { 899RSA_eay_finish(RSA *rsa)
900{
901 if (rsa->_method_mod_n != NULL) 901 if (rsa->_method_mod_n != NULL)
902 BN_MONT_CTX_free(rsa->_method_mod_n); 902 BN_MONT_CTX_free(rsa->_method_mod_n);
903 if (rsa->_method_mod_p != NULL) 903 if (rsa->_method_mod_p != NULL)
904 BN_MONT_CTX_free(rsa->_method_mod_p); 904 BN_MONT_CTX_free(rsa->_method_mod_p);
905 if (rsa->_method_mod_q != NULL) 905 if (rsa->_method_mod_q != NULL)
906 BN_MONT_CTX_free(rsa->_method_mod_q); 906 BN_MONT_CTX_free(rsa->_method_mod_q);
907 return(1); 907 return 1;
908 } 908}
909 909
910#endif 910#endif
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 9745b6d6ed..3a6aa1ca7a 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_gen.c,v 1.13 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_gen.c,v 1.14 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -70,150 +70,168 @@
70 70
71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); 71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
72 72
73/* NB: this wrapper would normally be placed in rsa_lib.c and the static 73/*
74 * NB: this wrapper would normally be placed in rsa_lib.c and the static
74 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so 75 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
75 * that we don't introduce a new linker dependency. Eg. any application that 76 * that we don't introduce a new linker dependency. Eg. any application that
76 * wasn't previously linking object code related to key-generation won't have to 77 * wasn't previously linking object code related to key-generation won't have to
77 * now just because key-generation is part of RSA_METHOD. */ 78 * now just because key-generation is part of RSA_METHOD.
78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 79 */
79 { 80int
80 if(rsa->meth->rsa_keygen) 81RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
82{
83 if (rsa->meth->rsa_keygen)
81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); 84 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
82 return rsa_builtin_keygen(rsa, bits, e_value, cb); 85 return rsa_builtin_keygen(rsa, bits, e_value, cb);
83 } 86}
84 87
85static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 88static int
86 { 89rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
87 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp; 90{
88 BIGNUM local_r0,local_d,local_p; 91 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
89 BIGNUM *pr0,*d,*p; 92 BIGNUM local_r0, local_d, local_p;
90 int bitsp,bitsq,ok= -1,n=0; 93 BIGNUM *pr0, *d, *p;
91 BN_CTX *ctx=NULL; 94 int bitsp, bitsq, ok = -1, n = 0;
92 95 BN_CTX *ctx = NULL;
93 ctx=BN_CTX_new(); 96
94 if (ctx == NULL) goto err; 97 ctx = BN_CTX_new();
98 if (ctx == NULL)
99 goto err;
95 BN_CTX_start(ctx); 100 BN_CTX_start(ctx);
96 r0 = BN_CTX_get(ctx); 101 r0 = BN_CTX_get(ctx);
97 r1 = BN_CTX_get(ctx); 102 r1 = BN_CTX_get(ctx);
98 r2 = BN_CTX_get(ctx); 103 r2 = BN_CTX_get(ctx);
99 r3 = BN_CTX_get(ctx); 104 r3 = BN_CTX_get(ctx);
100 if (r3 == NULL) goto err; 105 if (r3 == NULL)
106 goto err;
101 107
102 bitsp=(bits+1)/2; 108 bitsp = (bits + 1) / 2;
103 bitsq=bits-bitsp; 109 bitsq = bits - bitsp;
104 110
105 /* We need the RSA components non-NULL */ 111 /* We need the RSA components non-NULL */
106 if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err; 112 if (!rsa->n && ((rsa->n = BN_new()) == NULL))
107 if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err; 113 goto err;
108 if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err; 114 if (!rsa->d && ((rsa->d = BN_new()) == NULL))
109 if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err; 115 goto err;
110 if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err; 116 if (!rsa->e && ((rsa->e = BN_new()) == NULL))
111 if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err; 117 goto err;
112 if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err; 118 if (!rsa->p && ((rsa->p = BN_new()) == NULL))
113 if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err; 119 goto err;
120 if (!rsa->q && ((rsa->q = BN_new()) == NULL))
121 goto err;
122 if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
123 goto err;
124 if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
125 goto err;
126 if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
127 goto err;
114 128
115 BN_copy(rsa->e, e_value); 129 BN_copy(rsa->e, e_value);
116 130
117 /* generate p and q */ 131 /* generate p and q */
118 for (;;) 132 for (;;) {
119 { 133 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
120 if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
121 goto err; 134 goto err;
122 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err; 135 if (!BN_sub(r2, rsa->p, BN_value_one()))
123 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
124 if (BN_is_one(r1)) break;
125 if(!BN_GENCB_call(cb, 2, n++))
126 goto err; 136 goto err;
127 } 137 if (!BN_gcd(r1, r2, rsa->e, ctx))
128 if(!BN_GENCB_call(cb, 3, 0)) 138 goto err;
139 if (BN_is_one(r1))
140 break;
141 if (!BN_GENCB_call(cb, 2, n++))
142 goto err;
143 }
144 if (!BN_GENCB_call(cb, 3, 0))
129 goto err; 145 goto err;
130 for (;;) 146 for (;;) {
131 { 147 /*
132 /* When generating ridiculously small keys, we can get stuck 148 * When generating ridiculously small keys, we can get stuck
133 * continually regenerating the same prime values. Check for 149 * continually regenerating the same prime values. Check for
134 * this and bail if it happens 3 times. */ 150 * this and bail if it happens 3 times.
151 */
135 unsigned int degenerate = 0; 152 unsigned int degenerate = 0;
136 do 153 do {
137 { 154 if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL,
138 if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) 155 cb))
139 goto err; 156 goto err;
140 } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); 157 } while (BN_cmp(rsa->p, rsa->q) == 0 &&
141 if(degenerate == 3) 158 ++degenerate < 3);
142 { 159 if (degenerate == 3) {
143 ok = 0; /* we set our own err */ 160 ok = 0; /* we set our own err */
144 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL); 161 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,
162 RSA_R_KEY_SIZE_TOO_SMALL);
163 goto err;
164 }
165 if (!BN_sub(r2, rsa->q, BN_value_one()))
166 goto err;
167 if (!BN_gcd(r1, r2, rsa->e, ctx))
145 goto err; 168 goto err;
146 }
147 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
148 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
149 if (BN_is_one(r1)) 169 if (BN_is_one(r1))
150 break; 170 break;
151 if(!BN_GENCB_call(cb, 2, n++)) 171 if (!BN_GENCB_call(cb, 2, n++))
152 goto err; 172 goto err;
153 } 173 }
154 if(!BN_GENCB_call(cb, 3, 1)) 174 if (!BN_GENCB_call(cb, 3, 1))
155 goto err; 175 goto err;
156 if (BN_cmp(rsa->p,rsa->q) < 0) 176 if (BN_cmp(rsa->p,rsa->q) < 0) {
157 { 177 tmp = rsa->p;
158 tmp=rsa->p; 178 rsa->p = rsa->q;
159 rsa->p=rsa->q; 179 rsa->q = tmp;
160 rsa->q=tmp; 180 }
161 }
162 181
163 /* calculate n */ 182 /* calculate n */
164 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err; 183 if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
184 goto err;
165 185
166 /* calculate d */ 186 /* calculate d */
167 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */ 187 if (!BN_sub(r1, rsa->p, BN_value_one())) /* p-1 */
168 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */ 188 goto err;
169 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */ 189 if (!BN_sub(r2, rsa->q, BN_value_one())) /* q-1 */
170 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 190 goto err;
171 { 191 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
192 goto err;
193 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
172 pr0 = &local_r0; 194 pr0 = &local_r0;
173 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); 195 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
174 } 196 } else
175 else 197 pr0 = r0;
176 pr0 = r0; 198 if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
177 if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */ 199 goto err;
178 200
179 /* set up d for correct BN_FLG_CONSTTIME flag */ 201 /* set up d for correct BN_FLG_CONSTTIME flag */
180 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 202 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
181 {
182 d = &local_d; 203 d = &local_d;
183 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 204 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
184 } 205 } else
185 else
186 d = rsa->d; 206 d = rsa->d;
187 207
188 /* calculate d mod (p-1) */ 208 /* calculate d mod (p-1) */
189 if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err; 209 if (!BN_mod(rsa->dmp1, d, r1, ctx))
210 goto err;
190 211
191 /* calculate d mod (q-1) */ 212 /* calculate d mod (q-1) */
192 if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err; 213 if (!BN_mod(rsa->dmq1, d, r2, ctx))
214 goto err;
193 215
194 /* calculate inverse of q mod p */ 216 /* calculate inverse of q mod p */
195 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 217 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
196 {
197 p = &local_p; 218 p = &local_p;
198 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 219 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
199 } 220 } else
200 else
201 p = rsa->p; 221 p = rsa->p;
202 if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err; 222 if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
223 goto err;
203 224
204 ok=1; 225 ok = 1;
205err: 226err:
206 if (ok == -1) 227 if (ok == -1) {
207 { 228 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
208 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN); 229 ok = 0;
209 ok=0; 230 }
210 } 231 if (ctx != NULL) {
211 if (ctx != NULL)
212 {
213 BN_CTX_end(ctx); 232 BN_CTX_end(ctx);
214 BN_CTX_free(ctx); 233 BN_CTX_free(ctx);
215 }
216
217 return ok;
218 } 234 }
219 235
236 return ok;
237}
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 05eb53cc83..054690cee6 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_lib.c,v 1.20 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_lib.c,v 1.21 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -67,148 +67,150 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; 70const char RSA_version[] = "RSA" OPENSSL_VERSION_PTEXT;
71 71
72static const RSA_METHOD *default_RSA_meth=NULL; 72static const RSA_METHOD *default_RSA_meth = NULL;
73 73
74RSA *RSA_new(void) 74RSA *
75 { 75RSA_new(void)
76 RSA *r=RSA_new_method(NULL); 76{
77 RSA *r = RSA_new_method(NULL);
77 78
78 return r; 79 return r;
79 } 80}
80 81
81void RSA_set_default_method(const RSA_METHOD *meth) 82void
82 { 83RSA_set_default_method(const RSA_METHOD *meth)
84{
83 default_RSA_meth = meth; 85 default_RSA_meth = meth;
84 } 86}
85 87
86const RSA_METHOD *RSA_get_default_method(void) 88const RSA_METHOD *
87 { 89RSA_get_default_method(void)
88 if (default_RSA_meth == NULL) 90{
89 { 91 if (default_RSA_meth == NULL) {
90#ifdef RSA_NULL 92#ifdef RSA_NULL
91 default_RSA_meth=RSA_null_method(); 93 default_RSA_meth = RSA_null_method();
92#else 94#else
93 default_RSA_meth=RSA_PKCS1_SSLeay(); 95 default_RSA_meth = RSA_PKCS1_SSLeay();
94#endif 96#endif
95 } 97 }
96 98
97 return default_RSA_meth; 99 return default_RSA_meth;
98 } 100}
99 101
100const RSA_METHOD *RSA_get_method(const RSA *rsa) 102const RSA_METHOD *
101 { 103RSA_get_method(const RSA *rsa)
104{
102 return rsa->meth; 105 return rsa->meth;
103 } 106}
104 107
105int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) 108int
106 { 109RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
107 /* NB: The caller is specifically setting a method, so it's not up to us 110{
108 * to deal with which ENGINE it comes from. */ 111 /*
112 * NB: The caller is specifically setting a method, so it's not up to us
113 * to deal with which ENGINE it comes from.
114 */
109 const RSA_METHOD *mtmp; 115 const RSA_METHOD *mtmp;
116
110 mtmp = rsa->meth; 117 mtmp = rsa->meth;
111 if (mtmp->finish) mtmp->finish(rsa); 118 if (mtmp->finish)
119 mtmp->finish(rsa);
112#ifndef OPENSSL_NO_ENGINE 120#ifndef OPENSSL_NO_ENGINE
113 if (rsa->engine) 121 if (rsa->engine) {
114 {
115 ENGINE_finish(rsa->engine); 122 ENGINE_finish(rsa->engine);
116 rsa->engine = NULL; 123 rsa->engine = NULL;
117 } 124 }
118#endif 125#endif
119 rsa->meth = meth; 126 rsa->meth = meth;
120 if (meth->init) meth->init(rsa); 127 if (meth->init)
128 meth->init(rsa);
121 return 1; 129 return 1;
122 } 130}
123 131
124RSA *RSA_new_method(ENGINE *engine) 132RSA *
125 { 133RSA_new_method(ENGINE *engine)
134{
126 RSA *ret; 135 RSA *ret;
127 136
128 ret = malloc(sizeof(RSA)); 137 ret = malloc(sizeof(RSA));
129 if (ret == NULL) 138 if (ret == NULL) {
130 { 139 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
131 RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
132 return NULL; 140 return NULL;
133 } 141 }
134 142
135 ret->meth = RSA_get_default_method(); 143 ret->meth = RSA_get_default_method();
136#ifndef OPENSSL_NO_ENGINE 144#ifndef OPENSSL_NO_ENGINE
137 if (engine) 145 if (engine) {
138 { 146 if (!ENGINE_init(engine)) {
139 if (!ENGINE_init(engine))
140 {
141 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB); 147 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
142 free(ret); 148 free(ret);
143 return NULL; 149 return NULL;
144 }
145 ret->engine = engine;
146 } 150 }
147 else 151 ret->engine = engine;
152 } else
148 ret->engine = ENGINE_get_default_RSA(); 153 ret->engine = ENGINE_get_default_RSA();
149 if(ret->engine) 154 if(ret->engine) {
150 {
151 ret->meth = ENGINE_get_RSA(ret->engine); 155 ret->meth = ENGINE_get_RSA(ret->engine);
152 if(!ret->meth) 156 if (!ret->meth) {
153 { 157 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
154 RSAerr(RSA_F_RSA_NEW_METHOD,
155 ERR_R_ENGINE_LIB);
156 ENGINE_finish(ret->engine); 158 ENGINE_finish(ret->engine);
157 free(ret); 159 free(ret);
158 return NULL; 160 return NULL;
159 }
160 } 161 }
162 }
161#endif 163#endif
162 164
163 ret->pad=0; 165 ret->pad = 0;
164 ret->version=0; 166 ret->version = 0;
165 ret->n=NULL; 167 ret->n = NULL;
166 ret->e=NULL; 168 ret->e = NULL;
167 ret->d=NULL; 169 ret->d = NULL;
168 ret->p=NULL; 170 ret->p = NULL;
169 ret->q=NULL; 171 ret->q = NULL;
170 ret->dmp1=NULL; 172 ret->dmp1 = NULL;
171 ret->dmq1=NULL; 173 ret->dmq1 = NULL;
172 ret->iqmp=NULL; 174 ret->iqmp = NULL;
173 ret->references=1; 175 ret->references = 1;
174 ret->_method_mod_n=NULL; 176 ret->_method_mod_n = NULL;
175 ret->_method_mod_p=NULL; 177 ret->_method_mod_p = NULL;
176 ret->_method_mod_q=NULL; 178 ret->_method_mod_q = NULL;
177 ret->blinding=NULL; 179 ret->blinding = NULL;
178 ret->mt_blinding=NULL; 180 ret->mt_blinding = NULL;
179 ret->bignum_data=NULL; 181 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
180 ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 182 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
181 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
182 {
183#ifndef OPENSSL_NO_ENGINE 183#ifndef OPENSSL_NO_ENGINE
184 if (ret->engine) 184 if (ret->engine)
185 ENGINE_finish(ret->engine); 185 ENGINE_finish(ret->engine);
186#endif 186#endif
187 free(ret); 187 free(ret);
188 return(NULL); 188 return NULL;
189 } 189 }
190 190
191 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) 191 if (ret->meth->init != NULL && !ret->meth->init(ret)) {
192 {
193#ifndef OPENSSL_NO_ENGINE 192#ifndef OPENSSL_NO_ENGINE
194 if (ret->engine) 193 if (ret->engine)
195 ENGINE_finish(ret->engine); 194 ENGINE_finish(ret->engine);
196#endif 195#endif
197 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); 196 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
198 free(ret); 197 free(ret);
199 ret=NULL; 198 ret = NULL;
200 }
201 return(ret);
202 } 199 }
200 return ret;
201}
203 202
204void RSA_free(RSA *r) 203void
205 { 204RSA_free(RSA *r)
205{
206 int i; 206 int i;
207 207
208 if (r == NULL) return; 208 if (r == NULL)
209 return;
209 210
210 i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_RSA); 211 i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_RSA);
211 if (i > 0) return; 212 if (i > 0)
213 return;
212 214
213 if (r->meth->finish) 215 if (r->meth->finish)
214 r->meth->finish(r); 216 r->meth->finish(r);
@@ -219,42 +221,55 @@ void RSA_free(RSA *r)
219 221
220 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); 222 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
221 223
222 if (r->n != NULL) BN_clear_free(r->n); 224 if (r->n != NULL)
223 if (r->e != NULL) BN_clear_free(r->e); 225 BN_clear_free(r->n);
224 if (r->d != NULL) BN_clear_free(r->d); 226 if (r->e != NULL)
225 if (r->p != NULL) BN_clear_free(r->p); 227 BN_clear_free(r->e);
226 if (r->q != NULL) BN_clear_free(r->q); 228 if (r->d != NULL)
227 if (r->dmp1 != NULL) BN_clear_free(r->dmp1); 229 BN_clear_free(r->d);
228 if (r->dmq1 != NULL) BN_clear_free(r->dmq1); 230 if (r->p != NULL)
229 if (r->iqmp != NULL) BN_clear_free(r->iqmp); 231 BN_clear_free(r->p);
230 if (r->blinding != NULL) BN_BLINDING_free(r->blinding); 232 if (r->q != NULL)
231 if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding); 233 BN_clear_free(r->q);
232 free(r->bignum_data); 234 if (r->dmp1 != NULL)
235 BN_clear_free(r->dmp1);
236 if (r->dmq1 != NULL)
237 BN_clear_free(r->dmq1);
238 if (r->iqmp != NULL)
239 BN_clear_free(r->iqmp);
240 if (r->blinding != NULL)
241 BN_BLINDING_free(r->blinding);
242 if (r->mt_blinding != NULL)
243 BN_BLINDING_free(r->mt_blinding);
233 free(r); 244 free(r);
234 } 245}
235 246
236int RSA_up_ref(RSA *r) 247int
237 { 248RSA_up_ref(RSA *r)
249{
238 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA); 250 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
239 return ((i > 1) ? 1 : 0); 251 return i > 1 ? 1 : 0;
240 } 252}
241 253
242int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 254int
243 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 255RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
244 { 256 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
257{
245 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp, 258 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
246 new_func, dup_func, free_func); 259 new_func, dup_func, free_func);
247 } 260}
248 261
249int RSA_set_ex_data(RSA *r, int idx, void *arg) 262int
250 { 263RSA_set_ex_data(RSA *r, int idx, void *arg)
251 return(CRYPTO_set_ex_data(&r->ex_data,idx,arg)); 264{
252 } 265 return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
266}
253 267
254void *RSA_get_ex_data(const RSA *r, int idx) 268void *
255 { 269RSA_get_ex_data(const RSA *r, int idx)
256 return(CRYPTO_get_ex_data(&r->ex_data,idx)); 270{
257 } 271 return CRYPTO_get_ex_data(&r->ex_data, idx);
272}
258 273
259int RSA_memory_lock(RSA *r) 274int RSA_memory_lock(RSA *r)
260 { 275 {
diff --git a/src/lib/libcrypto/rsa/rsa_none.c b/src/lib/libcrypto/rsa/rsa_none.c
index 1904c7c098..fde5eb6ef6 100644
--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ b/src/lib/libcrypto/rsa/rsa_none.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_none.c,v 1.4 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_none.c,v 1.5 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -62,37 +62,36 @@
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64 64
65int RSA_padding_add_none(unsigned char *to, int tlen, 65int
66 const unsigned char *from, int flen) 66RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *from,
67 { 67 int flen)
68 if (flen > tlen) 68{
69 { 69 if (flen > tlen) {
70 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 70 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,
71 return(0); 71 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
72 } 72 return 0;
73
74 if (flen < tlen)
75 {
76 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
77 return(0);
78 }
79
80 memcpy(to,from,(unsigned int)flen);
81 return(1);
82 } 73 }
83 74
84int RSA_padding_check_none(unsigned char *to, int tlen, 75 if (flen < tlen) {
85 const unsigned char *from, int flen, int num) 76 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,
86 { 77 RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
87 78 return 0;
88 if (flen > tlen) 79 }
89 { 80
90 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE,RSA_R_DATA_TOO_LARGE); 81 memcpy(to, from, (unsigned int)flen);
91 return(-1); 82 return 1;
92 } 83}
93 84
94 memset(to,0,tlen-flen); 85int
95 memcpy(to+tlen-flen,from,flen); 86RSA_padding_check_none(unsigned char *to, int tlen, const unsigned char *from,
96 return(tlen); 87 int flen, int num)
88{
89 if (flen > tlen) {
90 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE, RSA_R_DATA_TOO_LARGE);
91 return -1;
97 } 92 }
98 93
94 memset(to, 0, tlen - flen);
95 memcpy(to + tlen - flen, from, flen);
96 return tlen;
97}
diff --git a/src/lib/libcrypto/rsa/rsa_null.c b/src/lib/libcrypto/rsa/rsa_null.c
index c4404fbe44..54f1cabc74 100644
--- a/src/lib/libcrypto/rsa/rsa_null.c
+++ b/src/lib/libcrypto/rsa/rsa_null.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_null.c,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_null.c,v 1.7 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -62,7 +62,8 @@
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64 64
65/* This is a dummy RSA implementation that just returns errors when called. 65/*
66 * This is a dummy RSA implementation that just returns errors when called.
66 * It is designed to allow some RSA functions to work while stopping those 67 * It is designed to allow some RSA functions to work while stopping those
67 * covered by the RSA patent. That is RSA, encryption, decryption, signing 68 * covered by the RSA patent. That is RSA, encryption, decryption, signing
68 * and verify is not allowed but RSA key generation, key checking and other 69 * and verify is not allowed but RSA key generation, key checking and other
@@ -92,53 +93,65 @@ static RSA_METHOD rsa_null_meth = {
92 .finish = RSA_null_finish, 93 .finish = RSA_null_finish,
93}; 94};
94 95
95const RSA_METHOD *RSA_null_method(void) 96const RSA_METHOD *
96 { 97RSA_null_method(void)
97 return(&rsa_null_meth); 98{
98 } 99 return &rsa_null_meth;
100}
99 101
100static int RSA_null_public_encrypt(int flen, const unsigned char *from, 102static int
101 unsigned char *to, RSA *rsa, int padding) 103RSA_null_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
102 { 104 RSA *rsa, int padding)
103 RSAerr(RSA_F_RSA_NULL_PUBLIC_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 105{
106 RSAerr(RSA_F_RSA_NULL_PUBLIC_ENCRYPT,
107 RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
104 return -1; 108 return -1;
105 } 109}
106 110
107static int RSA_null_private_encrypt(int flen, const unsigned char *from, 111static int
108 unsigned char *to, RSA *rsa, int padding) 112RSA_null_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
109 { 113 RSA *rsa, int padding)
110 RSAerr(RSA_F_RSA_NULL_PRIVATE_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 114{
115 RSAerr(RSA_F_RSA_NULL_PRIVATE_ENCRYPT,
116 RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
111 return -1; 117 return -1;
112 } 118}
113 119
114static int RSA_null_private_decrypt(int flen, const unsigned char *from, 120static int
115 unsigned char *to, RSA *rsa, int padding) 121RSA_null_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
116 { 122 RSA *rsa, int padding)
117 RSAerr(RSA_F_RSA_NULL_PRIVATE_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 123{
124 RSAerr(RSA_F_RSA_NULL_PRIVATE_DECRYPT,
125 RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
118 return -1; 126 return -1;
119 } 127}
120 128
121static int RSA_null_public_decrypt(int flen, const unsigned char *from, 129static int
122 unsigned char *to, RSA *rsa, int padding) 130RSA_null_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
123 { 131 RSA *rsa, int padding)
124 RSAerr(RSA_F_RSA_NULL_PUBLIC_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 132{
133 RSAerr(RSA_F_RSA_NULL_PUBLIC_DECRYPT,
134 RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
125 return -1; 135 return -1;
126 } 136}
127 137
128#if 0 /* not currently used */ 138#if 0 /* not currently used */
129static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) 139static int
130 { 140RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
141{
131 ...err(RSA_F_RSA_NULL_MOD_EXP, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 142 ...err(RSA_F_RSA_NULL_MOD_EXP, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
132 return -1; 143 return -1;
133 } 144}
134#endif 145#endif
135 146
136static int RSA_null_init(RSA *rsa) 147static int
137 { 148RSA_null_init(RSA *rsa)
138 return(1); 149{
139 } 150 return 1;
151}
140 152
141static int RSA_null_finish(RSA *rsa) 153static int
142 { 154RSA_null_finish(RSA *rsa)
143 return(1); 155{
144 } 156 return 1;
157}
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index 695df4e0a0..f8f9935fac 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_oaep.c,v 1.16 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_oaep.c,v 1.17 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Ulf Moeller. This software is distributed on an "AS IS" 2/* Written by Ulf Moeller. This software is distributed on an "AS IS"
3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */ 3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
4 4
@@ -28,29 +28,28 @@
28#include <openssl/rand.h> 28#include <openssl/rand.h>
29#include <openssl/sha.h> 29#include <openssl/sha.h>
30 30
31static int MGF1(unsigned char *mask, long len, 31static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
32 const unsigned char *seed, long seedlen); 32 long seedlen);
33 33
34int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, 34int
35 const unsigned char *from, int flen, 35RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
36 const unsigned char *param, int plen) 36 const unsigned char *from, int flen, const unsigned char *param, int plen)
37 { 37{
38 int i, emlen = tlen - 1; 38 int i, emlen = tlen - 1;
39 unsigned char *db, *seed; 39 unsigned char *db, *seed;
40 unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH]; 40 unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
41 41
42 if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) 42 if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) {
43 {
44 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, 43 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
45 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 44 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
46 return 0; 45 return 0;
47 } 46 }
48 47
49 if (emlen < 2 * SHA_DIGEST_LENGTH + 1) 48 if (emlen < 2 * SHA_DIGEST_LENGTH + 1) {
50 { 49 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
51 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL); 50 RSA_R_KEY_SIZE_TOO_SMALL);
52 return 0; 51 return 0;
53 } 52 }
54 53
55 to[0] = 0; 54 to[0] = 0;
56 seed = to + 1; 55 seed = to + 1;
@@ -59,9 +58,9 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
59 if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL)) 58 if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))
60 return 0; 59 return 0;
61 memset(db + SHA_DIGEST_LENGTH, 0, 60 memset(db + SHA_DIGEST_LENGTH, 0,
62 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); 61 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
63 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; 62 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
64 memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen); 63 memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int)flen);
65 if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0) 64 if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
66 return 0; 65 return 0;
67#ifdef PKCS_TESTVECT 66#ifdef PKCS_TESTVECT
@@ -71,65 +70,73 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
71#endif 70#endif
72 71
73 dbmask = malloc(emlen - SHA_DIGEST_LENGTH); 72 dbmask = malloc(emlen - SHA_DIGEST_LENGTH);
74 if (dbmask == NULL) 73 if (dbmask == NULL) {
75 {
76 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); 74 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
77 return 0; 75 return 0;
78 } 76 }
79 77
80 if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0) 78 if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed,
79 SHA_DIGEST_LENGTH) < 0)
81 return 0; 80 return 0;
82 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) 81 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
83 db[i] ^= dbmask[i]; 82 db[i] ^= dbmask[i];
84 83
85 if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0) 84 if (MGF1(seedmask, SHA_DIGEST_LENGTH, db,
85 emlen - SHA_DIGEST_LENGTH) < 0)
86 return 0; 86 return 0;
87 for (i = 0; i < SHA_DIGEST_LENGTH; i++) 87 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
88 seed[i] ^= seedmask[i]; 88 seed[i] ^= seedmask[i];
89 89
90 free(dbmask); 90 free(dbmask);
91 return 1; 91 return 1;
92 } 92}
93 93
94int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, 94int
95 const unsigned char *from, int flen, int num, 95RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
96 const unsigned char *param, int plen) 96 const unsigned char *from, int flen, int num, const unsigned char *param,
97 { 97 int plen)
98{
98 int i, dblen, mlen = -1; 99 int i, dblen, mlen = -1;
99 const unsigned char *maskeddb; 100 const unsigned char *maskeddb;
100 int lzero; 101 int lzero;
101 unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; 102 unsigned char *db = NULL;
103 unsigned char seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
102 unsigned char *padded_from; 104 unsigned char *padded_from;
103 int bad = 0; 105 int bad = 0;
104 106
105 if (--num < 2 * SHA_DIGEST_LENGTH + 1) 107 if (--num < 2 * SHA_DIGEST_LENGTH + 1)
106 /* 'num' is the length of the modulus, i.e. does not depend on the 108 /*
107 * particular ciphertext. */ 109 * 'num' is the length of the modulus, i.e. does not depend
110 * on the particular ciphertext.
111 */
108 goto decoding_err; 112 goto decoding_err;
109 113
110 lzero = num - flen; 114 lzero = num - flen;
111 if (lzero < 0) 115 if (lzero < 0) {
112 { 116 /*
113 /* signalling this error immediately after detection might allow 117 * signalling this error immediately after detection might allow
114 * for side-channel attacks (e.g. timing if 'plen' is huge 118 * for side-channel attacks (e.g. timing if 'plen' is huge
115 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal 119 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA
116 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001), 120 * Optimal Asymmetric Encryption Padding (OAEP) [...]",
117 * so we use a 'bad' flag */ 121 * CRYPTO 2001), so we use a 'bad' flag
122 */
118 bad = 1; 123 bad = 1;
119 lzero = 0; 124 lzero = 0;
120 flen = num; /* don't overflow the memcpy to padded_from */ 125 flen = num; /* don't overflow the memcpy to padded_from */
121 } 126 }
122 127
123 dblen = num - SHA_DIGEST_LENGTH; 128 dblen = num - SHA_DIGEST_LENGTH;
124 db = malloc(dblen + num); 129 db = malloc(dblen + num);
125 if (db == NULL) 130 if (db == NULL) {
126 { 131 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
127 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); 132 ERR_R_MALLOC_FAILURE);
128 return -1; 133 return -1;
129 } 134 }
130 135
131 /* Always do this zero-padding copy (even when lzero == 0) 136 /*
132 * to avoid leaking timing info about the value of lzero. */ 137 * Always do this zero-padding copy (even when lzero == 0)
138 * to avoid leaking timing info about the value of lzero.
139 */
133 padded_from = db + dblen; 140 padded_from = db + dblen;
134 memset(padded_from, 0, lzero); 141 memset(padded_from, 0, lzero);
135 memcpy(padded_from + lzero, from, flen); 142 memcpy(padded_from + lzero, from, flen);
@@ -151,41 +158,41 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
151 158
152 if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) 159 if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
153 goto decoding_err; 160 goto decoding_err;
154 else 161 else {
155 {
156 for (i = SHA_DIGEST_LENGTH; i < dblen; i++) 162 for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
157 if (db[i] != 0x00) 163 if (db[i] != 0x00)
158 break; 164 break;
159 if (i == dblen || db[i] != 0x01) 165 if (i == dblen || db[i] != 0x01)
160 goto decoding_err; 166 goto decoding_err;
161 else 167 else {
162 {
163 /* everything looks OK */ 168 /* everything looks OK */
164 169
165 mlen = dblen - ++i; 170 mlen = dblen - ++i;
166 if (tlen < mlen) 171 if (tlen < mlen) {
167 { 172 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
168 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); 173 RSA_R_DATA_TOO_LARGE);
169 mlen = -1; 174 mlen = -1;
170 } 175 } else
171 else
172 memcpy(to, db + i, mlen); 176 memcpy(to, db + i, mlen);
173 }
174 } 177 }
178 }
175 free(db); 179 free(db);
176 return mlen; 180 return mlen;
177 181
178decoding_err: 182decoding_err:
179 /* to avoid chosen ciphertext attacks, the error message should not reveal 183 /*
180 * which kind of decoding error happened */ 184 * To avoid chosen ciphertext attacks, the error message should not
185 * reveal which kind of decoding error happened
186 */
181 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); 187 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
182 free(db); 188 free(db);
183 return -1; 189 return -1;
184 } 190}
185 191
186int PKCS1_MGF1(unsigned char *mask, long len, 192int
187 const unsigned char *seed, long seedlen, const EVP_MD *dgst) 193PKCS1_MGF1(unsigned char *mask, long len, const unsigned char *seed,
188 { 194 long seedlen, const EVP_MD *dgst)
195{
189 long i, outlen = 0; 196 long i, outlen = 0;
190 unsigned char cnt[4]; 197 unsigned char cnt[4];
191 EVP_MD_CTX c; 198 EVP_MD_CTX c;
@@ -197,39 +204,35 @@ int PKCS1_MGF1(unsigned char *mask, long len,
197 mdlen = EVP_MD_size(dgst); 204 mdlen = EVP_MD_size(dgst);
198 if (mdlen < 0) 205 if (mdlen < 0)
199 goto err; 206 goto err;
200 for (i = 0; outlen < len; i++) 207 for (i = 0; outlen < len; i++) {
201 {
202 cnt[0] = (unsigned char)((i >> 24) & 255); 208 cnt[0] = (unsigned char)((i >> 24) & 255);
203 cnt[1] = (unsigned char)((i >> 16) & 255); 209 cnt[1] = (unsigned char)((i >> 16) & 255);
204 cnt[2] = (unsigned char)((i >> 8)) & 255; 210 cnt[2] = (unsigned char)((i >> 8)) & 255;
205 cnt[3] = (unsigned char)(i & 255); 211 cnt[3] = (unsigned char)(i & 255);
206 if (!EVP_DigestInit_ex(&c,dgst, NULL) 212 if (!EVP_DigestInit_ex(&c,dgst, NULL) ||
207 || !EVP_DigestUpdate(&c, seed, seedlen) 213 !EVP_DigestUpdate(&c, seed, seedlen) ||
208 || !EVP_DigestUpdate(&c, cnt, 4)) 214 !EVP_DigestUpdate(&c, cnt, 4))
209 goto err; 215 goto err;
210 if (outlen + mdlen <= len) 216 if (outlen + mdlen <= len) {
211 {
212 if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) 217 if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
213 goto err; 218 goto err;
214 outlen += mdlen; 219 outlen += mdlen;
215 } 220 } else {
216 else
217 {
218 if (!EVP_DigestFinal_ex(&c, md, NULL)) 221 if (!EVP_DigestFinal_ex(&c, md, NULL))
219 goto err; 222 goto err;
220 memcpy(mask + outlen, md, len - outlen); 223 memcpy(mask + outlen, md, len - outlen);
221 outlen = len; 224 outlen = len;
222 }
223 } 225 }
226 }
224 rv = 0; 227 rv = 0;
225 err: 228err:
226 EVP_MD_CTX_cleanup(&c); 229 EVP_MD_CTX_cleanup(&c);
227 return rv; 230 return rv;
228 } 231}
229 232
230static int MGF1(unsigned char *mask, long len, const unsigned char *seed, 233static int
231 long seedlen) 234MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
232 { 235{
233 return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1()); 236 return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
234 } 237}
235#endif 238#endif
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index 36133b6d12..f5492315cc 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_pk1.c,v 1.7 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_pk1.c,v 1.8 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -62,160 +62,163 @@
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64 64
65int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, 65int
66 const unsigned char *from, int flen) 66RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
67 { 67 const unsigned char *from, int flen)
68{
68 int j; 69 int j;
69 unsigned char *p; 70 unsigned char *p;
70 71
71 if (flen > (tlen-RSA_PKCS1_PADDING_SIZE)) 72 if (flen > (tlen-RSA_PKCS1_PADDING_SIZE)) {
72 { 73 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,
73 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 74 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
74 return(0); 75 return 0;
75 } 76 }
76 77
77 p=(unsigned char *)to; 78 p = (unsigned char *)to;
78 79
79 *(p++)=0; 80 *(p++) = 0;
80 *(p++)=1; /* Private Key BT (Block Type) */ 81 *(p++) = 1; /* Private Key BT (Block Type) */
81 82
82 /* pad out with 0xff data */ 83 /* pad out with 0xff data */
83 j=tlen-3-flen; 84 j = tlen - 3 - flen;
84 memset(p,0xff,j); 85 memset(p, 0xff, j);
85 p+=j; 86 p += j;
86 *(p++)='\0'; 87 *(p++) = '\0';
87 memcpy(p,from,(unsigned int)flen); 88 memcpy(p, from, (unsigned int)flen);
88 return(1); 89 return 1;
89 } 90}
90 91
91int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, 92int
92 const unsigned char *from, int flen, int num) 93RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
93 { 94 const unsigned char *from, int flen, int num)
94 int i,j; 95{
96 int i, j;
95 const unsigned char *p; 97 const unsigned char *p;
96 98
97 p=from; 99 p = from;
98 if ((num != (flen+1)) || (*(p++) != 01)) 100 if (num != flen + 1 || *(p++) != 01) {
99 { 101 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
100 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01); 102 RSA_R_BLOCK_TYPE_IS_NOT_01);
101 return(-1); 103 return -1;
102 } 104 }
103 105
104 /* scan over padding data */ 106 /* scan over padding data */
105 j=flen-1; /* one for type. */ 107 j = flen - 1; /* one for type. */
106 for (i=0; i<j; i++) 108 for (i = 0; i < j; i++) {
107 { 109 if (*p != 0xff) { /* should decrypt to 0xff */
108 if (*p != 0xff) /* should decrypt to 0xff */ 110 if (*p == 0) {
109 { 111 p++;
110 if (*p == 0) 112 break;
111 { p++; break; } 113 } else {
112 else { 114 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
113 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_FIXED_HEADER_DECRYPT); 115 RSA_R_BAD_FIXED_HEADER_DECRYPT);
114 return(-1); 116 return -1;
115 }
116 } 117 }
117 p++;
118 } 118 }
119 p++;
120 }
119 121
120 if (i == j) 122 if (i == j) {
121 { 123 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
122 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_NULL_BEFORE_BLOCK_MISSING); 124 RSA_R_NULL_BEFORE_BLOCK_MISSING);
123 return(-1); 125 return -1;
124 } 126 }
125 127
126 if (i < 8) 128 if (i < 8) {
127 { 129 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
128 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_PAD_BYTE_COUNT); 130 RSA_R_BAD_PAD_BYTE_COUNT);
129 return(-1); 131 return -1;
130 } 132 }
131 i++; /* Skip over the '\0' */ 133 i++; /* Skip over the '\0' */
132 j-=i; 134 j -= i;
133 if (j > tlen) 135 if (j > tlen) {
134 { 136 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
135 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE); 137 RSA_R_DATA_TOO_LARGE);
136 return(-1); 138 return -1;
137 }
138 memcpy(to,p,(unsigned int)j);
139
140 return(j);
141 } 139 }
140 memcpy(to, p, (unsigned int)j);
142 141
143int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, 142 return j;
144 const unsigned char *from, int flen) 143}
145 { 144
145int
146RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
147 const unsigned char *from, int flen)
148{
146 int i,j; 149 int i,j;
147 unsigned char *p; 150 unsigned char *p;
148 151
149 if (flen > (tlen-11)) 152 if (flen > tlen - 11) {
150 { 153 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
151 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 154 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
152 return(0); 155 return 0;
153 } 156 }
154 157
155 p=(unsigned char *)to; 158 p = (unsigned char *)to;
156 159
157 *(p++)=0; 160 *(p++) = 0;
158 *(p++)=2; /* Public Key BT (Block Type) */ 161 *(p++) = 2; /* Public Key BT (Block Type) */
159 162
160 /* pad out with non-zero random data */ 163 /* pad out with non-zero random data */
161 j=tlen-3-flen; 164 j = tlen - 3 - flen;
162 165
163 if (RAND_bytes(p,j) <= 0) 166 if (RAND_bytes(p, j) <= 0)
164 return(0); 167 return 0;
165 for (i=0; i<j; i++) 168 for (i = 0; i < j; i++) {
166 {
167 if (*p == '\0') 169 if (*p == '\0')
168 do { 170 do {
169 if (RAND_bytes(p,1) <= 0) 171 if (RAND_bytes(p, 1) <= 0)
170 return(0); 172 return 0;
171 } while (*p == '\0'); 173 } while (*p == '\0');
172 p++; 174 p++;
173 } 175 }
174 176
175 *(p++)='\0'; 177 *(p++) = '\0';
176 178
177 memcpy(p,from,(unsigned int)flen); 179 memcpy(p, from, (unsigned int)flen);
178 return(1); 180 return 1;
179 } 181}
180 182
181int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, 183int
182 const unsigned char *from, int flen, int num) 184RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
183 { 185 const unsigned char *from, int flen, int num)
184 int i,j; 186{
187 int i, j;
185 const unsigned char *p; 188 const unsigned char *p;
186 189
187 p=from; 190 p = from;
188 if ((num != (flen+1)) || (*(p++) != 02)) 191 if (num != flen + 1 || *(p++) != 02) {
189 { 192 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
190 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02); 193 RSA_R_BLOCK_TYPE_IS_NOT_02);
191 return(-1); 194 return -1;
192 } 195 }
193 196
194 /* scan over padding data */ 197 /* scan over padding data */
195 j=flen-1; /* one for type. */ 198 j = flen - 1; /* one for type. */
196 for (i=0; i<j; i++) 199 for (i = 0; i < j; i++)
197 if (*(p++) == 0) break; 200 if (*(p++) == 0)
198 201 break;
199 if (i == j) 202
200 { 203 if (i == j) {
201 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_NULL_BEFORE_BLOCK_MISSING); 204 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
202 return(-1); 205 RSA_R_NULL_BEFORE_BLOCK_MISSING);
203 } 206 return -1;
207 }
204 208
205 if (i < 8) 209 if (i < 8) {
206 { 210 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
207 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BAD_PAD_BYTE_COUNT); 211 RSA_R_BAD_PAD_BYTE_COUNT);
208 return(-1); 212 return -1;
209 } 213 }
210 i++; /* Skip over the '\0' */ 214 i++; /* Skip over the '\0' */
211 j-=i; 215 j -= i;
212 if (j > tlen) 216 if (j > tlen) {
213 { 217 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
214 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE); 218 RSA_R_DATA_TOO_LARGE);
215 return(-1); 219 return -1;
216 }
217 memcpy(to,p,(unsigned int)j);
218
219 return(j);
220 } 220 }
221 memcpy(to, p, (unsigned int)j);
221 222
223 return j;
224}
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 1f9d826014..4a662c2894 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_pmeth.c,v 1.8 2014/06/12 20:40:57 deraadt Exp $ */ 1/* $OpenBSD: rsa_pmeth.c,v 1.9 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -72,8 +72,7 @@
72 72
73/* RSA pkey context structure */ 73/* RSA pkey context structure */
74 74
75typedef struct 75typedef struct {
76 {
77 /* Key gen parameters */ 76 /* Key gen parameters */
78 int nbits; 77 int nbits;
79 BIGNUM *pub_exp; 78 BIGNUM *pub_exp;
@@ -89,11 +88,13 @@ typedef struct
89 int saltlen; 88 int saltlen;
90 /* Temp buffer */ 89 /* Temp buffer */
91 unsigned char *tbuf; 90 unsigned char *tbuf;
92 } RSA_PKEY_CTX; 91} RSA_PKEY_CTX;
93 92
94static int pkey_rsa_init(EVP_PKEY_CTX *ctx) 93static int
95 { 94pkey_rsa_init(EVP_PKEY_CTX *ctx)
95{
96 RSA_PKEY_CTX *rctx; 96 RSA_PKEY_CTX *rctx;
97
97 rctx = malloc(sizeof(RSA_PKEY_CTX)); 98 rctx = malloc(sizeof(RSA_PKEY_CTX));
98 if (!rctx) 99 if (!rctx)
99 return 0; 100 return 0;
@@ -111,424 +112,390 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
111 ctx->keygen_info_count = 2; 112 ctx->keygen_info_count = 2;
112 113
113 return 1; 114 return 1;
114 } 115}
115 116
116static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 117static int
117 { 118pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
119{
118 RSA_PKEY_CTX *dctx, *sctx; 120 RSA_PKEY_CTX *dctx, *sctx;
121
119 if (!pkey_rsa_init(dst)) 122 if (!pkey_rsa_init(dst))
120 return 0; 123 return 0;
121 sctx = src->data; 124 sctx = src->data;
122 dctx = dst->data; 125 dctx = dst->data;
123 dctx->nbits = sctx->nbits; 126 dctx->nbits = sctx->nbits;
124 if (sctx->pub_exp) 127 if (sctx->pub_exp) {
125 {
126 dctx->pub_exp = BN_dup(sctx->pub_exp); 128 dctx->pub_exp = BN_dup(sctx->pub_exp);
127 if (!dctx->pub_exp) 129 if (!dctx->pub_exp)
128 return 0; 130 return 0;
129 } 131 }
130 dctx->pad_mode = sctx->pad_mode; 132 dctx->pad_mode = sctx->pad_mode;
131 dctx->md = sctx->md; 133 dctx->md = sctx->md;
132 return 1; 134 return 1;
133 } 135}
134 136
135static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) 137static int
136 { 138setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
139{
137 if (ctx->tbuf) 140 if (ctx->tbuf)
138 return 1; 141 return 1;
139 ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey)); 142 ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey));
140 if (!ctx->tbuf) 143 if (!ctx->tbuf)
141 return 0; 144 return 0;
142 return 1; 145 return 1;
143 } 146}
144 147
145static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) 148static void
146 { 149pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
150{
147 RSA_PKEY_CTX *rctx = ctx->data; 151 RSA_PKEY_CTX *rctx = ctx->data;
148 if (rctx) 152
149 { 153 if (rctx) {
150 if (rctx->pub_exp) 154 if (rctx->pub_exp)
151 BN_free(rctx->pub_exp); 155 BN_free(rctx->pub_exp);
152 free(rctx->tbuf); 156 free(rctx->tbuf);
153 free(rctx); 157 free(rctx);
154 }
155 } 158 }
156static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 159}
157 const unsigned char *tbs, size_t tbslen) 160
158 { 161static int
162pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
163 const unsigned char *tbs, size_t tbslen)
164{
159 int ret; 165 int ret;
160 RSA_PKEY_CTX *rctx = ctx->data; 166 RSA_PKEY_CTX *rctx = ctx->data;
161 RSA *rsa = ctx->pkey->pkey.rsa; 167 RSA *rsa = ctx->pkey->pkey.rsa;
162 168
163 if (rctx->md) 169 if (rctx->md) {
164 { 170 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
165 if (tbslen != (size_t)EVP_MD_size(rctx->md))
166 {
167 RSAerr(RSA_F_PKEY_RSA_SIGN, 171 RSAerr(RSA_F_PKEY_RSA_SIGN,
168 RSA_R_INVALID_DIGEST_LENGTH); 172 RSA_R_INVALID_DIGEST_LENGTH);
169 return -1; 173 return -1;
170 } 174 }
171 175
172 if (EVP_MD_type(rctx->md) == NID_mdc2) 176 if (EVP_MD_type(rctx->md) == NID_mdc2) {
173 {
174 unsigned int sltmp; 177 unsigned int sltmp;
178
175 if (rctx->pad_mode != RSA_PKCS1_PADDING) 179 if (rctx->pad_mode != RSA_PKCS1_PADDING)
176 return -1; 180 return -1;
177 ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2, 181 ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2, tbs, tbslen,
178 tbs, tbslen, sig, &sltmp, rsa); 182 sig, &sltmp, rsa);
179 183
180 if (ret <= 0) 184 if (ret <= 0)
181 return ret; 185 return ret;
182 ret = sltmp; 186 ret = sltmp;
183 } 187 } else if (rctx->pad_mode == RSA_X931_PADDING) {
184 else if (rctx->pad_mode == RSA_X931_PADDING)
185 {
186 if (!setup_tbuf(rctx, ctx)) 188 if (!setup_tbuf(rctx, ctx))
187 return -1; 189 return -1;
188 memcpy(rctx->tbuf, tbs, tbslen); 190 memcpy(rctx->tbuf, tbs, tbslen);
189 rctx->tbuf[tbslen] = 191 rctx->tbuf[tbslen] =
190 RSA_X931_hash_id(EVP_MD_type(rctx->md)); 192 RSA_X931_hash_id(EVP_MD_type(rctx->md));
191 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, 193 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
192 sig, rsa, RSA_X931_PADDING); 194 rsa, RSA_X931_PADDING);
193 } 195 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
194 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
195 {
196 unsigned int sltmp; 196 unsigned int sltmp;
197 ret = RSA_sign(EVP_MD_type(rctx->md), 197
198 tbs, tbslen, sig, &sltmp, rsa); 198 ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
199 &sltmp, rsa);
199 if (ret <= 0) 200 if (ret <= 0)
200 return ret; 201 return ret;
201 ret = sltmp; 202 ret = sltmp;
202 } 203 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
203 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
204 {
205 if (!setup_tbuf(rctx, ctx)) 204 if (!setup_tbuf(rctx, ctx))
206 return -1; 205 return -1;
207 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, 206 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf,
208 rctx->tbuf, tbs, 207 tbs, rctx->md, rctx->mgf1md, rctx->saltlen))
209 rctx->md, rctx->mgf1md,
210 rctx->saltlen))
211 return -1; 208 return -1;
212 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 209 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
213 sig, rsa, RSA_NO_PADDING); 210 sig, rsa, RSA_NO_PADDING);
214 } 211 } else
215 else
216 return -1; 212 return -1;
217 } 213 } else
218 else
219 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, 214 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
220 rctx->pad_mode); 215 rctx->pad_mode);
221 if (ret < 0) 216 if (ret < 0)
222 return ret; 217 return ret;
223 *siglen = ret; 218 *siglen = ret;
224 return 1; 219 return 1;
225 } 220}
226
227 221
228static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, 222static int
229 unsigned char *rout, size_t *routlen, 223pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
230 const unsigned char *sig, size_t siglen) 224 const unsigned char *sig, size_t siglen)
231 { 225{
232 int ret; 226 int ret;
233 RSA_PKEY_CTX *rctx = ctx->data; 227 RSA_PKEY_CTX *rctx = ctx->data;
234 228
235 if (rctx->md) 229 if (rctx->md) {
236 { 230 if (rctx->pad_mode == RSA_X931_PADDING) {
237 if (rctx->pad_mode == RSA_X931_PADDING)
238 {
239 if (!setup_tbuf(rctx, ctx)) 231 if (!setup_tbuf(rctx, ctx))
240 return -1; 232 return -1;
241 ret = RSA_public_decrypt(siglen, sig, 233 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
242 rctx->tbuf, ctx->pkey->pkey.rsa, 234 ctx->pkey->pkey.rsa, RSA_X931_PADDING);
243 RSA_X931_PADDING);
244 if (ret < 1) 235 if (ret < 1)
245 return 0; 236 return 0;
246 ret--; 237 ret--;
247 if (rctx->tbuf[ret] != 238 if (rctx->tbuf[ret] !=
248 RSA_X931_hash_id(EVP_MD_type(rctx->md))) 239 RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
249 {
250 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 240 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
251 RSA_R_ALGORITHM_MISMATCH); 241 RSA_R_ALGORITHM_MISMATCH);
252 return 0; 242 return 0;
253 } 243 }
254 if (ret != EVP_MD_size(rctx->md)) 244 if (ret != EVP_MD_size(rctx->md)) {
255 {
256 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 245 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
257 RSA_R_INVALID_DIGEST_LENGTH); 246 RSA_R_INVALID_DIGEST_LENGTH);
258 return 0; 247 return 0;
259 } 248 }
260 if (rout) 249 if (rout)
261 memcpy(rout, rctx->tbuf, ret); 250 memcpy(rout, rctx->tbuf, ret);
262 } 251 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
263 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
264 {
265 size_t sltmp; 252 size_t sltmp;
266 ret = int_rsa_verify(EVP_MD_type(rctx->md), 253
267 NULL, 0, rout, &sltmp, 254 ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
268 sig, siglen, ctx->pkey->pkey.rsa); 255 rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
269 if (ret <= 0) 256 if (ret <= 0)
270 return 0; 257 return 0;
271 ret = sltmp; 258 ret = sltmp;
272 } 259 } else
273 else
274 return -1; 260 return -1;
275 } 261 } else
276 else
277 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, 262 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
278 rctx->pad_mode); 263 rctx->pad_mode);
279 if (ret < 0) 264 if (ret < 0)
280 return ret; 265 return ret;
281 *routlen = ret; 266 *routlen = ret;
282 return 1; 267 return 1;
283 } 268}
284 269
285static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, 270static int
286 const unsigned char *sig, size_t siglen, 271pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
287 const unsigned char *tbs, size_t tbslen) 272 const unsigned char *tbs, size_t tbslen)
288 { 273{
289 RSA_PKEY_CTX *rctx = ctx->data; 274 RSA_PKEY_CTX *rctx = ctx->data;
290 RSA *rsa = ctx->pkey->pkey.rsa; 275 RSA *rsa = ctx->pkey->pkey.rsa;
291 size_t rslen; 276 size_t rslen;
292 if (rctx->md) 277
293 { 278 if (rctx->md) {
294 if (rctx->pad_mode == RSA_PKCS1_PADDING) 279 if (rctx->pad_mode == RSA_PKCS1_PADDING)
295 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 280 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
296 sig, siglen, rsa); 281 sig, siglen, rsa);
297 if (rctx->pad_mode == RSA_X931_PADDING) 282 if (rctx->pad_mode == RSA_X931_PADDING) {
298 { 283 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
299 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, 284 siglen) <= 0)
300 sig, siglen) <= 0)
301 return 0; 285 return 0;
302 } 286 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
303 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
304 {
305 int ret; 287 int ret;
288
306 if (!setup_tbuf(rctx, ctx)) 289 if (!setup_tbuf(rctx, ctx))
307 return -1; 290 return -1;
308 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 291 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
309 rsa, RSA_NO_PADDING); 292 rsa, RSA_NO_PADDING);
310 if (ret <= 0) 293 if (ret <= 0)
311 return 0; 294 return 0;
312 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, 295 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
313 rctx->md, rctx->mgf1md, 296 rctx->mgf1md, rctx->tbuf, rctx->saltlen);
314 rctx->tbuf, rctx->saltlen);
315 if (ret <= 0) 297 if (ret <= 0)
316 return 0; 298 return 0;
317 return 1; 299 return 1;
318 } 300 } else
319 else
320 return -1; 301 return -1;
321 } 302 } else {
322 else
323 {
324 if (!setup_tbuf(rctx, ctx)) 303 if (!setup_tbuf(rctx, ctx))
325 return -1; 304 return -1;
326 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, 305 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
327 rsa, rctx->pad_mode); 306 rctx->pad_mode);
328 if (rslen == 0) 307 if (rslen == 0)
329 return 0; 308 return 0;
330 } 309 }
331 310
332 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) 311 if (rslen != tbslen || memcmp(tbs, rctx->tbuf, rslen))
333 return 0; 312 return 0;
334 313
335 return 1; 314 return 1;
336 315}
337 }
338
339 316
340static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, 317static int
341 unsigned char *out, size_t *outlen, 318pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
342 const unsigned char *in, size_t inlen) 319 const unsigned char *in, size_t inlen)
343 { 320{
344 int ret; 321 int ret;
345 RSA_PKEY_CTX *rctx = ctx->data; 322 RSA_PKEY_CTX *rctx = ctx->data;
323
346 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, 324 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
347 rctx->pad_mode); 325 rctx->pad_mode);
348 if (ret < 0) 326 if (ret < 0)
349 return ret; 327 return ret;
350 *outlen = ret; 328 *outlen = ret;
351 return 1; 329 return 1;
352 } 330}
353 331
354static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, 332static int
355 unsigned char *out, size_t *outlen, 333pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
356 const unsigned char *in, size_t inlen) 334 const unsigned char *in, size_t inlen)
357 { 335{
358 int ret; 336 int ret;
359 RSA_PKEY_CTX *rctx = ctx->data; 337 RSA_PKEY_CTX *rctx = ctx->data;
338
360 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, 339 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
361 rctx->pad_mode); 340 rctx->pad_mode);
362 if (ret < 0) 341 if (ret < 0)
363 return ret; 342 return ret;
364 *outlen = ret; 343 *outlen = ret;
365 return 1; 344 return 1;
366 } 345}
367 346
368static int check_padding_md(const EVP_MD *md, int padding) 347static int
369 { 348check_padding_md(const EVP_MD *md, int padding)
349{
370 if (!md) 350 if (!md)
371 return 1; 351 return 1;
372 352
373 if (padding == RSA_NO_PADDING) 353 if (padding == RSA_NO_PADDING) {
374 {
375 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); 354 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
376 return 0; 355 return 0;
377 } 356 }
378 357
379 if (padding == RSA_X931_PADDING) 358 if (padding == RSA_X931_PADDING) {
380 { 359 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
381 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
382 {
383 RSAerr(RSA_F_CHECK_PADDING_MD, 360 RSAerr(RSA_F_CHECK_PADDING_MD,
384 RSA_R_INVALID_X931_DIGEST); 361 RSA_R_INVALID_X931_DIGEST);
385 return 0; 362 return 0;
386 }
387 return 1;
388 } 363 }
364 return 1;
365 }
389 366
390 return 1; 367 return 1;
391 } 368}
392
393 369
394static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 370static int
395 { 371pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
372{
396 RSA_PKEY_CTX *rctx = ctx->data; 373 RSA_PKEY_CTX *rctx = ctx->data;
397 switch (type) 374 switch (type) {
398 { 375 case EVP_PKEY_CTRL_RSA_PADDING:
399 case EVP_PKEY_CTRL_RSA_PADDING: 376 if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) {
400 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
401 {
402 if (!check_padding_md(rctx->md, p1)) 377 if (!check_padding_md(rctx->md, p1))
403 return 0; 378 return 0;
404 if (p1 == RSA_PKCS1_PSS_PADDING) 379 if (p1 == RSA_PKCS1_PSS_PADDING) {
405 {
406 if (!(ctx->operation & 380 if (!(ctx->operation &
407 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) 381 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
408 goto bad_pad; 382 goto bad_pad;
409 if (!rctx->md) 383 if (!rctx->md)
410 rctx->md = EVP_sha1(); 384 rctx->md = EVP_sha1();
411 } 385 }
412 if (p1 == RSA_PKCS1_OAEP_PADDING) 386 if (p1 == RSA_PKCS1_OAEP_PADDING) {
413 {
414 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) 387 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
415 goto bad_pad; 388 goto bad_pad;
416 if (!rctx->md) 389 if (!rctx->md)
417 rctx->md = EVP_sha1(); 390 rctx->md = EVP_sha1();
418 } 391 }
419 rctx->pad_mode = p1; 392 rctx->pad_mode = p1;
420 return 1; 393 return 1;
421 } 394 }
422 bad_pad: 395bad_pad:
423 RSAerr(RSA_F_PKEY_RSA_CTRL, 396 RSAerr(RSA_F_PKEY_RSA_CTRL,
424 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 397 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
425 return -2; 398 return -2;
426 399
427 case EVP_PKEY_CTRL_GET_RSA_PADDING: 400 case EVP_PKEY_CTRL_GET_RSA_PADDING:
428 *(int *)p2 = rctx->pad_mode; 401 *(int *)p2 = rctx->pad_mode;
429 return 1; 402 return 1;
430 403
431 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 404 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
432 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 405 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
433 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) 406 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
434 {
435 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 407 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
436 return -2; 408 return -2;
437 } 409 }
438 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) 410 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
439 *(int *)p2 = rctx->saltlen; 411 *(int *)p2 = rctx->saltlen;
440 else 412 else {
441 {
442 if (p1 < -2) 413 if (p1 < -2)
443 return -2; 414 return -2;
444 rctx->saltlen = p1; 415 rctx->saltlen = p1;
445 } 416 }
446 return 1; 417 return 1;
447 418
448 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 419 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
449 if (p1 < 256) 420 if (p1 < 256) {
450 {
451 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS); 421 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
452 return -2; 422 return -2;
453 } 423 }
454 rctx->nbits = p1; 424 rctx->nbits = p1;
455 return 1; 425 return 1;
456 426
457 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 427 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
458 if (!p2) 428 if (!p2)
459 return -2; 429 return -2;
460 rctx->pub_exp = p2; 430 rctx->pub_exp = p2;
461 return 1; 431 return 1;
462 432
463 case EVP_PKEY_CTRL_MD: 433 case EVP_PKEY_CTRL_MD:
464 if (!check_padding_md(p2, rctx->pad_mode)) 434 if (!check_padding_md(p2, rctx->pad_mode))
465 return 0; 435 return 0;
466 rctx->md = p2; 436 rctx->md = p2;
467 return 1; 437 return 1;
468 438
469 case EVP_PKEY_CTRL_RSA_MGF1_MD: 439 case EVP_PKEY_CTRL_RSA_MGF1_MD:
470 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 440 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
471 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) 441 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
472 {
473 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); 442 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
474 return -2; 443 return -2;
475 } 444 }
476 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) 445 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
477 {
478 if (rctx->mgf1md) 446 if (rctx->mgf1md)
479 *(const EVP_MD **)p2 = rctx->mgf1md; 447 *(const EVP_MD **)p2 = rctx->mgf1md;
480 else 448 else
481 *(const EVP_MD **)p2 = rctx->md; 449 *(const EVP_MD **)p2 = rctx->md;
482 } 450 } else
483 else
484 rctx->mgf1md = p2; 451 rctx->mgf1md = p2;
485 return 1; 452 return 1;
486 453
487 case EVP_PKEY_CTRL_DIGESTINIT: 454 case EVP_PKEY_CTRL_DIGESTINIT:
488 case EVP_PKEY_CTRL_PKCS7_ENCRYPT: 455 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
489 case EVP_PKEY_CTRL_PKCS7_DECRYPT: 456 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
490 case EVP_PKEY_CTRL_PKCS7_SIGN: 457 case EVP_PKEY_CTRL_PKCS7_SIGN:
491 return 1; 458 return 1;
492#ifndef OPENSSL_NO_CMS 459#ifndef OPENSSL_NO_CMS
493 case EVP_PKEY_CTRL_CMS_DECRYPT: 460 case EVP_PKEY_CTRL_CMS_DECRYPT:
494 { 461 {
495 X509_ALGOR *alg = NULL; 462 X509_ALGOR *alg = NULL;
496 ASN1_OBJECT *encalg = NULL; 463 ASN1_OBJECT *encalg = NULL;
464
497 if (p2) 465 if (p2)
498 CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg); 466 CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
499 if (alg) 467 if (alg)
500 X509_ALGOR_get0(&encalg, NULL, NULL, alg); 468 X509_ALGOR_get0(&encalg, NULL, NULL, alg);
501 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep) 469 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
502 rctx->pad_mode = RSA_PKCS1_OAEP_PADDING; 470 rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
503 } 471 }
504 case EVP_PKEY_CTRL_CMS_ENCRYPT: 472 /* FALLTHROUGH */
505 case EVP_PKEY_CTRL_CMS_SIGN: 473
474 case EVP_PKEY_CTRL_CMS_ENCRYPT:
475 case EVP_PKEY_CTRL_CMS_SIGN:
506 return 1; 476 return 1;
507#endif 477#endif
508 case EVP_PKEY_CTRL_PEER_KEY: 478 case EVP_PKEY_CTRL_PEER_KEY:
509 RSAerr(RSA_F_PKEY_RSA_CTRL, 479 RSAerr(RSA_F_PKEY_RSA_CTRL,
510 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 480 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
511 return -2; 481 return -2;
512 482
513 default: 483 default:
514 return -2; 484 return -2;
515
516 }
517 } 485 }
486}
518 487
519static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, 488static int
520 const char *type, const char *value) 489pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
521 { 490{
522 long lval; 491 long lval;
523 char *ep; 492 char *ep;
524 493
525 if (!value) 494 if (!value) {
526 {
527 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); 495 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
528 return 0; 496 return 0;
529 } 497 }
530 if (!strcmp(type, "rsa_padding_mode")) 498 if (!strcmp(type, "rsa_padding_mode")) {
531 {
532 int pm; 499 int pm;
533 if (!strcmp(value, "pkcs1")) 500 if (!strcmp(value, "pkcs1"))
534 pm = RSA_PKCS1_PADDING; 501 pm = RSA_PKCS1_PADDING;
@@ -544,14 +511,13 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
544 pm = RSA_X931_PADDING; 511 pm = RSA_X931_PADDING;
545 else if (!strcmp(value, "pss")) 512 else if (!strcmp(value, "pss"))
546 pm = RSA_PKCS1_PSS_PADDING; 513 pm = RSA_PKCS1_PSS_PADDING;
547 else 514 else {
548 {
549 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, 515 RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
550 RSA_R_UNKNOWN_PADDING_TYPE); 516 RSA_R_UNKNOWN_PADDING_TYPE);
551 return -2; 517 return -2;
552 }
553 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
554 } 518 }
519 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
520 }
555 521
556 if (!strcmp(type, "rsa_pss_saltlen")) { 522 if (!strcmp(type, "rsa_pss_saltlen")) {
557 int saltlen; 523 int saltlen;
@@ -560,7 +526,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
560 lval = strtol(value, &ep, 10); 526 lval = strtol(value, &ep, 10);
561 if (value[0] == '\0' || *ep != '\0') 527 if (value[0] == '\0' || *ep != '\0')
562 goto not_a_number; 528 goto not_a_number;
563 if ((errno == ERANGE && (lval == LONG_MAX || lval == LONG_MIN)) || 529 if ((errno == ERANGE &&
530 (lval == LONG_MAX || lval == LONG_MIN)) ||
564 (lval > INT_MAX || lval < INT_MIN)) 531 (lval > INT_MAX || lval < INT_MIN))
565 goto out_of_range; 532 goto out_of_range;
566 saltlen = lval; 533 saltlen = lval;
@@ -574,7 +541,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
574 lval = strtol(value, &ep, 10); 541 lval = strtol(value, &ep, 10);
575 if (value[0] == '\0' || *ep != '\0') 542 if (value[0] == '\0' || *ep != '\0')
576 goto not_a_number; 543 goto not_a_number;
577 if ((errno == ERANGE && (lval == LONG_MAX || lval == LONG_MIN)) || 544 if ((errno == ERANGE &&
545 (lval == LONG_MAX || lval == LONG_MIN)) ||
578 (lval > INT_MAX || lval < INT_MIN)) 546 (lval > INT_MAX || lval < INT_MIN))
579 goto out_of_range; 547 goto out_of_range;
580 nbits = lval; 548 nbits = lval;
@@ -584,6 +552,7 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
584 if (!strcmp(type, "rsa_keygen_pubexp")) { 552 if (!strcmp(type, "rsa_keygen_pubexp")) {
585 int ret; 553 int ret;
586 BIGNUM *pubexp = NULL; 554 BIGNUM *pubexp = NULL;
555
587 if (!BN_asc2bn(&pubexp, value)) 556 if (!BN_asc2bn(&pubexp, value))
588 return 0; 557 return 0;
589 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); 558 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
@@ -597,27 +566,26 @@ out_of_range:
597 return -2; 566 return -2;
598} 567}
599 568
600static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 569static int
601 { 570pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
571{
602 RSA *rsa = NULL; 572 RSA *rsa = NULL;
603 RSA_PKEY_CTX *rctx = ctx->data; 573 RSA_PKEY_CTX *rctx = ctx->data;
604 BN_GENCB *pcb, cb; 574 BN_GENCB *pcb, cb;
605 int ret; 575 int ret;
606 if (!rctx->pub_exp) 576
607 { 577 if (!rctx->pub_exp) {
608 rctx->pub_exp = BN_new(); 578 rctx->pub_exp = BN_new();
609 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) 579 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
610 return 0; 580 return 0;
611 } 581 }
612 rsa = RSA_new(); 582 rsa = RSA_new();
613 if (!rsa) 583 if (!rsa)
614 return 0; 584 return 0;
615 if (ctx->pkey_gencb) 585 if (ctx->pkey_gencb) {
616 {
617 pcb = &cb; 586 pcb = &cb;
618 evp_pkey_set_cb_translate(pcb, ctx); 587 evp_pkey_set_cb_translate(pcb, ctx);
619 } 588 } else
620 else
621 pcb = NULL; 589 pcb = NULL;
622 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb); 590 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
623 if (ret > 0) 591 if (ret > 0)
@@ -625,7 +593,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
625 else 593 else
626 RSA_free(rsa); 594 RSA_free(rsa);
627 return ret; 595 return ret;
628 } 596}
629 597
630const EVP_PKEY_METHOD rsa_pkey_meth = { 598const EVP_PKEY_METHOD rsa_pkey_meth = {
631 .pkey_id = EVP_PKEY_RSA, 599 .pkey_id = EVP_PKEY_RSA,
diff --git a/src/lib/libcrypto/rsa/rsa_prn.c b/src/lib/libcrypto/rsa/rsa_prn.c
index 2d7bcb62b0..89cf2b45b0 100644
--- a/src/lib/libcrypto/rsa/rsa_prn.c
+++ b/src/lib/libcrypto/rsa/rsa_prn.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_prn.c,v 1.3 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_prn.c,v 1.4 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -61,31 +61,32 @@
61#include <openssl/rsa.h> 61#include <openssl/rsa.h>
62#include <openssl/evp.h> 62#include <openssl/evp.h>
63 63
64int RSA_print_fp(FILE *fp, const RSA *x, int off) 64int
65 { 65RSA_print_fp(FILE *fp, const RSA *x, int off)
66{
66 BIO *b; 67 BIO *b;
67 int ret; 68 int ret;
68 69
69 if ((b=BIO_new(BIO_s_file())) == NULL) 70 if ((b = BIO_new(BIO_s_file())) == NULL) {
70 { 71 RSAerr(RSA_F_RSA_PRINT_FP, ERR_R_BUF_LIB);
71 RSAerr(RSA_F_RSA_PRINT_FP,ERR_R_BUF_LIB); 72 return 0;
72 return(0);
73 }
74 BIO_set_fp(b,fp,BIO_NOCLOSE);
75 ret=RSA_print(b,x,off);
76 BIO_free(b);
77 return(ret);
78 } 73 }
74 BIO_set_fp(b, fp, BIO_NOCLOSE);
75 ret = RSA_print(b, x, off);
76 BIO_free(b);
77 return ret;
78}
79 79
80int RSA_print(BIO *bp, const RSA *x, int off) 80int
81 { 81RSA_print(BIO *bp, const RSA *x, int off)
82{
82 EVP_PKEY *pk; 83 EVP_PKEY *pk;
83 int ret; 84 int ret;
85
84 pk = EVP_PKEY_new(); 86 pk = EVP_PKEY_new();
85 if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x)) 87 if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
86 return 0; 88 return 0;
87 ret = EVP_PKEY_print_private(bp, pk, off, NULL); 89 ret = EVP_PKEY_print_private(bp, pk, off, NULL);
88 EVP_PKEY_free(pk); 90 EVP_PKEY_free(pk);
89 return ret; 91 return ret;
90 } 92}
91
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
index d26839a5fb..4c6a90c1c7 100644
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_pss.c,v 1.5 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_pss.c,v 1.6 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005. 3 * project 2005.
4 */ 4 */
@@ -64,18 +64,20 @@
64#include <openssl/rand.h> 64#include <openssl/rand.h>
65#include <openssl/sha.h> 65#include <openssl/sha.h>
66 66
67static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0}; 67static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
68 68
69int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, 69int
70 const EVP_MD *Hash, const unsigned char *EM, int sLen) 70RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash,
71 { 71 const unsigned char *EM, int sLen)
72{
72 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen); 73 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
73 } 74}
74 75
75int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, 76int
76 const EVP_MD *Hash, const EVP_MD *mgf1Hash, 77RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
77 const unsigned char *EM, int sLen) 78 const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
78 { 79 int sLen)
80{
79 int i; 81 int i;
80 int ret = 0; 82 int ret = 0;
81 int hLen, maskedDBLen, MSBits, emLen; 83 int hLen, maskedDBLen, MSBits, emLen;
@@ -83,6 +85,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
83 unsigned char *DB = NULL; 85 unsigned char *DB = NULL;
84 EVP_MD_CTX ctx; 86 EVP_MD_CTX ctx;
85 unsigned char H_[EVP_MAX_MD_SIZE]; 87 unsigned char H_[EVP_MAX_MD_SIZE];
88
86 EVP_MD_CTX_init(&ctx); 89 EVP_MD_CTX_init(&ctx);
87 90
88 if (mgf1Hash == NULL) 91 if (mgf1Hash == NULL)
@@ -97,99 +100,96 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
97 * -2 salt length is autorecovered from signature 100 * -2 salt length is autorecovered from signature
98 * -N reserved 101 * -N reserved
99 */ 102 */
100 if (sLen == -1) sLen = hLen; 103 if (sLen == -1)
101 else if (sLen == -2) sLen = -2; 104 sLen = hLen;
102 else if (sLen < -2) 105 else if (sLen == -2)
103 { 106 sLen = -2;
104 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); 107 else if (sLen < -2) {
108 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
109 RSA_R_SLEN_CHECK_FAILED);
105 goto err; 110 goto err;
106 } 111 }
107 112
108 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 113 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
109 emLen = RSA_size(rsa); 114 emLen = RSA_size(rsa);
110 if (EM[0] & (0xFF << MSBits)) 115 if (EM[0] & (0xFF << MSBits)) {
111 { 116 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
112 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID); 117 RSA_R_FIRST_OCTET_INVALID);
113 goto err; 118 goto err;
114 } 119 }
115 if (MSBits == 0) 120 if (MSBits == 0) {
116 {
117 EM++; 121 EM++;
118 emLen--; 122 emLen--;
119 } 123 }
120 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ 124 if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */
121 {
122 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); 125 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
123 goto err; 126 goto err;
124 } 127 }
125 if (EM[emLen - 1] != 0xbc) 128 if (EM[emLen - 1] != 0xbc) {
126 { 129 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
127 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID); 130 RSA_R_LAST_OCTET_INVALID);
128 goto err; 131 goto err;
129 } 132 }
130 maskedDBLen = emLen - hLen - 1; 133 maskedDBLen = emLen - hLen - 1;
131 H = EM + maskedDBLen; 134 H = EM + maskedDBLen;
132 DB = malloc(maskedDBLen); 135 DB = malloc(maskedDBLen);
133 if (!DB) 136 if (!DB) {
134 {
135 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE); 137 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
136 goto err; 138 goto err;
137 } 139 }
138 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) 140 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
139 goto err; 141 goto err;
140 for (i = 0; i < maskedDBLen; i++) 142 for (i = 0; i < maskedDBLen; i++)
141 DB[i] ^= EM[i]; 143 DB[i] ^= EM[i];
142 if (MSBits) 144 if (MSBits)
143 DB[0] &= 0xFF >> (8 - MSBits); 145 DB[0] &= 0xFF >> (8 - MSBits);
144 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; 146 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++)
145 if (DB[i++] != 0x1) 147 ;
146 { 148 if (DB[i++] != 0x1) {
147 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED); 149 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
150 RSA_R_SLEN_RECOVERY_FAILED);
148 goto err; 151 goto err;
149 } 152 }
150 if (sLen >= 0 && (maskedDBLen - i) != sLen) 153 if (sLen >= 0 && (maskedDBLen - i) != sLen) {
151 { 154 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
152 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); 155 RSA_R_SLEN_CHECK_FAILED);
153 goto err; 156 goto err;
154 } 157 }
155 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) 158 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
156 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) 159 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
157 || !EVP_DigestUpdate(&ctx, mHash, hLen)) 160 !EVP_DigestUpdate(&ctx, mHash, hLen))
158 goto err; 161 goto err;
159 if (maskedDBLen - i) 162 if (maskedDBLen - i) {
160 {
161 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) 163 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
162 goto err; 164 goto err;
163 } 165 }
164 if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) 166 if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
165 goto err; 167 goto err;
166 if (memcmp(H_, H, hLen)) 168 if (memcmp(H_, H, hLen)) {
167 {
168 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE); 169 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
169 ret = 0; 170 ret = 0;
170 } 171 } else
171 else
172 ret = 1; 172 ret = 1;
173 173
174 err: 174err:
175 free(DB); 175 free(DB);
176 EVP_MD_CTX_cleanup(&ctx); 176 EVP_MD_CTX_cleanup(&ctx);
177 177
178 return ret; 178 return ret;
179}
179 180
180 } 181int
181 182RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
182int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, 183 const unsigned char *mHash, const EVP_MD *Hash, int sLen)
183 const unsigned char *mHash, 184{
184 const EVP_MD *Hash, int sLen)
185 {
186 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen); 185 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
187 } 186}
188 187
189int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, 188int
190 const unsigned char *mHash, 189RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
191 const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen) 190 const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
192 { 191 int sLen)
192{
193 int i; 193 int i;
194 int ret = 0; 194 int ret = 0;
195 int hLen, maskedDBLen, MSBits, emLen; 195 int hLen, maskedDBLen, MSBits, emLen;
@@ -208,47 +208,45 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
208 * -2 salt length is maximized 208 * -2 salt length is maximized
209 * -N reserved 209 * -N reserved
210 */ 210 */
211 if (sLen == -1) sLen = hLen; 211 if (sLen == -1)
212 else if (sLen == -2) sLen = -2; 212 sLen = hLen;
213 else if (sLen < -2) 213 else if (sLen == -2)
214 { 214 sLen = -2;
215 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); 215 else if (sLen < -2) {
216 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
217 RSA_R_SLEN_CHECK_FAILED);
216 goto err; 218 goto err;
217 } 219 }
218 220
219 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 221 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
220 emLen = RSA_size(rsa); 222 emLen = RSA_size(rsa);
221 if (MSBits == 0) 223 if (MSBits == 0) {
222 {
223 *EM++ = 0; 224 *EM++ = 0;
224 emLen--; 225 emLen--;
225 } 226 }
226 if (sLen == -2) 227 if (sLen == -2)
227 {
228 sLen = emLen - hLen - 2; 228 sLen = emLen - hLen - 2;
229 } 229 else if (emLen < (hLen + sLen + 2)) {
230 else if (emLen < (hLen + sLen + 2)) 230 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
231 { 231 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
232 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
233 goto err; 232 goto err;
234 } 233 }
235 if (sLen > 0) 234 if (sLen > 0) {
236 {
237 salt = malloc(sLen); 235 salt = malloc(sLen);
238 if (!salt) 236 if (!salt) {
239 { 237 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
240 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE); 238 ERR_R_MALLOC_FAILURE);
241 goto err; 239 goto err;
242 } 240 }
243 if (RAND_bytes(salt, sLen) <= 0) 241 if (RAND_bytes(salt, sLen) <= 0)
244 goto err; 242 goto err;
245 } 243 }
246 maskedDBLen = emLen - hLen - 1; 244 maskedDBLen = emLen - hLen - 1;
247 H = EM + maskedDBLen; 245 H = EM + maskedDBLen;
248 EVP_MD_CTX_init(&ctx); 246 EVP_MD_CTX_init(&ctx);
249 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) 247 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
250 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) 248 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
251 || !EVP_DigestUpdate(&ctx, mHash, hLen)) 249 !EVP_DigestUpdate(&ctx, mHash, hLen))
252 goto err; 250 goto err;
253 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) 251 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
254 goto err; 252 goto err;
@@ -262,29 +260,27 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
262 260
263 p = EM; 261 p = EM;
264 262
265 /* Initial PS XORs with all zeroes which is a NOP so just update 263 /*
264 * Initial PS XORs with all zeroes which is a NOP so just update
266 * pointer. Note from a test above this value is guaranteed to 265 * pointer. Note from a test above this value is guaranteed to
267 * be non-negative. 266 * be non-negative.
268 */ 267 */
269 p += emLen - sLen - hLen - 2; 268 p += emLen - sLen - hLen - 2;
270 *p++ ^= 0x1; 269 *p++ ^= 0x1;
271 if (sLen > 0) 270 if (sLen > 0) {
272 {
273 for (i = 0; i < sLen; i++) 271 for (i = 0; i < sLen; i++)
274 *p++ ^= salt[i]; 272 *p++ ^= salt[i];
275 } 273 }
276 if (MSBits) 274 if (MSBits)
277 EM[0] &= 0xFF >> (8 - MSBits); 275 EM[0] &= 0xFF >> (8 - MSBits);
278 276
279 /* H is already in place so just set final 0xbc */ 277 /* H is already in place so just set final 0xbc */
280
281 EM[emLen - 1] = 0xbc; 278 EM[emLen - 1] = 0xbc;
282 279
283 ret = 1; 280 ret = 1;
284 281
285 err: 282err:
286 free(salt); 283 free(salt);
287 284
288 return ret; 285 return ret;
289 286}
290 }
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index cca503e026..50dfef7e71 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_saos.c,v 1.11 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_saos.c,v 1.12 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -63,88 +63,86 @@
63#include <openssl/objects.h> 63#include <openssl/objects.h>
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int RSA_sign_ASN1_OCTET_STRING(int type, 66int
67 const unsigned char *m, unsigned int m_len, 67RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
68 unsigned char *sigret, unsigned int *siglen, RSA *rsa) 68 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
69 { 69{
70 ASN1_OCTET_STRING sig; 70 ASN1_OCTET_STRING sig;
71 int i,j,ret=1; 71 int i, j, ret = 1;
72 unsigned char *p,*s; 72 unsigned char *p,*s;
73 73
74 sig.type=V_ASN1_OCTET_STRING; 74 sig.type = V_ASN1_OCTET_STRING;
75 sig.length=m_len; 75 sig.length = m_len;
76 sig.data=(unsigned char *)m; 76 sig.data = (unsigned char *)m;
77 77
78 i=i2d_ASN1_OCTET_STRING(&sig,NULL); 78 i = i2d_ASN1_OCTET_STRING(&sig, NULL);
79 j=RSA_size(rsa); 79 j = RSA_size(rsa);
80 if (i > (j-RSA_PKCS1_PADDING_SIZE)) 80 if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
81 { 81 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,
82 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); 82 RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
83 return(0); 83 return 0;
84 } 84 }
85 s = malloc((unsigned int)j+1); 85 s = malloc((unsigned int)j + 1);
86 if (s == NULL) 86 if (s == NULL) {
87 { 87 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
88 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE); 88 return 0;
89 return(0); 89 }
90 } 90 p = s;
91 p=s; 91 i2d_ASN1_OCTET_STRING(&sig, &p);
92 i2d_ASN1_OCTET_STRING(&sig,&p); 92 i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
93 i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
94 if (i <= 0) 93 if (i <= 0)
95 ret=0; 94 ret = 0;
96 else 95 else
97 *siglen=i; 96 *siglen = i;
98 97
99 OPENSSL_cleanse(s,(unsigned int)j+1); 98 OPENSSL_cleanse(s, (unsigned int)j + 1);
100 free(s); 99 free(s);
101 return(ret); 100 return ret;
102 } 101}
103 102
104int RSA_verify_ASN1_OCTET_STRING(int dtype, 103int
105 const unsigned char *m, 104RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
106 unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, 105 unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
107 RSA *rsa) 106{
108 { 107 int i, ret = 0;
109 int i,ret=0;
110 unsigned char *s; 108 unsigned char *s;
111 const unsigned char *p; 109 const unsigned char *p;
112 ASN1_OCTET_STRING *sig=NULL; 110 ASN1_OCTET_STRING *sig = NULL;
113 111
114 if (siglen != (unsigned int)RSA_size(rsa)) 112 if (siglen != (unsigned int)RSA_size(rsa)) {
115 { 113 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
116 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_WRONG_SIGNATURE_LENGTH); 114 RSA_R_WRONG_SIGNATURE_LENGTH);
117 return(0); 115 return 0;
118 } 116 }
119 117
120 s = malloc((unsigned int)siglen); 118 s = malloc((unsigned int)siglen);
121 if (s == NULL) 119 if (s == NULL) {
122 { 120 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
123 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE); 121 ERR_R_MALLOC_FAILURE);
124 goto err; 122 goto err;
125 } 123 }
126 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); 124 i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
127 125
128 if (i <= 0) goto err; 126 if (i <= 0)
127 goto err;
129 128
130 p=s; 129 p = s;
131 sig=d2i_ASN1_OCTET_STRING(NULL,&p,(long)i); 130 sig = d2i_ASN1_OCTET_STRING(NULL, &p, (long)i);
132 if (sig == NULL) goto err; 131 if (sig == NULL)
132 goto err;
133 133
134 if ( ((unsigned int)sig->length != m_len) || 134 if ((unsigned int)sig->length != m_len ||
135 (memcmp(m,sig->data,m_len) != 0)) 135 memcmp(m,sig->data, m_len) != 0) {
136 { 136 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
137 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_BAD_SIGNATURE); 137 RSA_R_BAD_SIGNATURE);
138 } 138 } else
139 else 139 ret = 1;
140 ret=1;
141err: 140err:
142 if (sig != NULL) M_ASN1_OCTET_STRING_free(sig); 141 if (sig != NULL)
143 if (s != NULL) 142 M_ASN1_OCTET_STRING_free(sig);
144 { 143 if (s != NULL) {
145 OPENSSL_cleanse(s,(unsigned int)siglen); 144 OPENSSL_cleanse(s, (unsigned int)siglen);
146 free(s); 145 free(s);
147 }
148 return(ret);
149 } 146 }
150 147 return ret;
148}
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 4642775964..239435fe91 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_sign.c,v 1.17 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_sign.c,v 1.18 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -67,233 +67,212 @@
67/* Size of an SSL signature: MD5+SHA1 */ 67/* Size of an SSL signature: MD5+SHA1 */
68#define SSL_SIG_LENGTH 36 68#define SSL_SIG_LENGTH 36
69 69
70int RSA_sign(int type, const unsigned char *m, unsigned int m_len, 70int
71 unsigned char *sigret, unsigned int *siglen, RSA *rsa) 71RSA_sign(int type, const unsigned char *m, unsigned int m_len,
72 { 72 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
73{
73 X509_SIG sig; 74 X509_SIG sig;
74 ASN1_TYPE parameter; 75 ASN1_TYPE parameter;
75 int i,j,ret=1; 76 int i, j, ret = 1;
76 unsigned char *p, *tmps = NULL; 77 unsigned char *p, *tmps = NULL;
77 const unsigned char *s = NULL; 78 const unsigned char *s = NULL;
78 X509_ALGOR algor; 79 X509_ALGOR algor;
79 ASN1_OCTET_STRING digest; 80 ASN1_OCTET_STRING digest;
80 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) 81
81 { 82 if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
82 return rsa->meth->rsa_sign(type, m, m_len, 83 return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
83 sigret, siglen, rsa); 84
84 }
85 /* Special case: SSL signature, just check the length */ 85 /* Special case: SSL signature, just check the length */
86 if(type == NID_md5_sha1) { 86 if (type == NID_md5_sha1) {
87 if(m_len != SSL_SIG_LENGTH) { 87 if (m_len != SSL_SIG_LENGTH) {
88 RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH); 88 RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH);
89 return(0); 89 return 0;
90 } 90 }
91 i = SSL_SIG_LENGTH; 91 i = SSL_SIG_LENGTH;
92 s = m; 92 s = m;
93 } else { 93 } else {
94 sig.algor= &algor; 94 sig.algor = &algor;
95 sig.algor->algorithm=OBJ_nid2obj(type); 95 sig.algor->algorithm = OBJ_nid2obj(type);
96 if (sig.algor->algorithm == NULL) 96 if (sig.algor->algorithm == NULL) {
97 { 97 RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
98 RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE); 98 return 0;
99 return(0); 99 }
100 } 100 if (sig.algor->algorithm->length == 0) {
101 if (sig.algor->algorithm->length == 0) 101 RSAerr(RSA_F_RSA_SIGN,
102 { 102 RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
103 RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); 103 return 0;
104 return(0); 104 }
105 } 105 parameter.type = V_ASN1_NULL;
106 parameter.type=V_ASN1_NULL; 106 parameter.value.ptr = NULL;
107 parameter.value.ptr=NULL; 107 sig.algor->parameter = &parameter;
108 sig.algor->parameter= &parameter;
109 108
110 sig.digest= &digest; 109 sig.digest = &digest;
111 sig.digest->data=(unsigned char *)m; /* TMP UGLY CAST */ 110 sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
112 sig.digest->length=m_len; 111 sig.digest->length = m_len;
113 112
114 i=i2d_X509_SIG(&sig,NULL); 113 i = i2d_X509_SIG(&sig, NULL);
114 }
115 j = RSA_size(rsa);
116 if (i > j - RSA_PKCS1_PADDING_SIZE) {
117 RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
118 return 0;
115 } 119 }
116 j=RSA_size(rsa); 120 if (type != NID_md5_sha1) {
117 if (i > (j-RSA_PKCS1_PADDING_SIZE)) 121 tmps = malloc((unsigned int)j + 1);
118 { 122 if (tmps == NULL) {
119 RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); 123 RSAerr(RSA_F_RSA_SIGN, ERR_R_MALLOC_FAILURE);
120 return(0); 124 return 0;
121 } 125 }
122 if(type != NID_md5_sha1) { 126 p = tmps;
123 tmps = malloc((unsigned int)j+1); 127 i2d_X509_SIG(&sig, &p);
124 if (tmps == NULL) 128 s = tmps;
125 {
126 RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
127 return(0);
128 }
129 p=tmps;
130 i2d_X509_SIG(&sig,&p);
131 s=tmps;
132 } 129 }
133 i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING); 130 i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
134 if (i <= 0) 131 if (i <= 0)
135 ret=0; 132 ret = 0;
136 else 133 else
137 *siglen=i; 134 *siglen = i;
138 135
139 if(type != NID_md5_sha1) { 136 if (type != NID_md5_sha1) {
140 OPENSSL_cleanse(tmps,(unsigned int)j+1); 137 OPENSSL_cleanse(tmps, (unsigned int)j + 1);
141 free(tmps); 138 free(tmps);
142 } 139 }
143 return(ret); 140 return(ret);
144 } 141}
145 142
146int int_rsa_verify(int dtype, const unsigned char *m, 143int
147 unsigned int m_len, 144int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
148 unsigned char *rm, size_t *prm_len, 145 unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf,
149 const unsigned char *sigbuf, size_t siglen, 146 size_t siglen, RSA *rsa)
150 RSA *rsa) 147{
151 { 148 int i, ret = 0, sigtype;
152 int i,ret=0,sigtype;
153 unsigned char *s; 149 unsigned char *s;
154 X509_SIG *sig=NULL; 150 X509_SIG *sig = NULL;
155 151
156 if (siglen != (unsigned int)RSA_size(rsa)) 152 if (siglen != (unsigned int)RSA_size(rsa)) {
157 { 153 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
158 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); 154 return 0;
159 return(0); 155 }
160 }
161 156
162 if((dtype == NID_md5_sha1) && rm) 157 if ((dtype == NID_md5_sha1) && rm) {
163 { 158 i = RSA_public_decrypt((int)siglen, sigbuf, rm, rsa,
164 i = RSA_public_decrypt((int)siglen, 159 RSA_PKCS1_PADDING);
165 sigbuf,rm,rsa,RSA_PKCS1_PADDING);
166 if (i <= 0) 160 if (i <= 0)
167 return 0; 161 return 0;
168 *prm_len = i; 162 *prm_len = i;
169 return 1; 163 return 1;
170 } 164 }
171 165
172 s = malloc((unsigned int)siglen); 166 s = malloc((unsigned int)siglen);
173 if (s == NULL) 167 if (s == NULL) {
174 { 168 RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE);
175 RSAerr(RSA_F_INT_RSA_VERIFY,ERR_R_MALLOC_FAILURE); 169 goto err;
170 }
171 if (dtype == NID_md5_sha1 && m_len != SSL_SIG_LENGTH) {
172 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
176 goto err; 173 goto err;
177 }
178 if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
179 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
180 goto err;
181 } 174 }
182 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); 175 i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
183 176
184 if (i <= 0) goto err; 177 if (i <= 0)
185 /* Oddball MDC2 case: signature can be OCTET STRING. 178 goto err;
179
180 /*
181 * Oddball MDC2 case: signature can be OCTET STRING.
186 * check for correct tag and length octets. 182 * check for correct tag and length octets.
187 */ 183 */
188 if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) 184 if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) {
189 { 185 if (rm) {
190 if (rm)
191 {
192 memcpy(rm, s + 2, 16); 186 memcpy(rm, s + 2, 16);
193 *prm_len = 16; 187 *prm_len = 16;
194 ret = 1; 188 ret = 1;
195 } 189 } else if (memcmp(m, s + 2, 16))
196 else if(memcmp(m, s + 2, 16)) 190 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
197 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
198 else 191 else
199 ret = 1; 192 ret = 1;
200 } 193 }
201 194
202 /* Special case: SSL signature */ 195 /* Special case: SSL signature */
203 if(dtype == NID_md5_sha1) { 196 if (dtype == NID_md5_sha1) {
204 if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH)) 197 if (i != SSL_SIG_LENGTH || memcmp(s, m, SSL_SIG_LENGTH))
205 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); 198 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
206 else ret = 1; 199 else
200 ret = 1;
207 } else { 201 } else {
208 const unsigned char *p=s; 202 const unsigned char *p=s;
209 sig=d2i_X509_SIG(NULL,&p,(long)i);
210 203
211 if (sig == NULL) goto err; 204 sig = d2i_X509_SIG(NULL, &p, (long)i);
205
206 if (sig == NULL)
207 goto err;
212 208
213 /* Excess data can be used to create forgeries */ 209 /* Excess data can be used to create forgeries */
214 if(p != s+i) 210 if (p != s + i) {
215 { 211 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
216 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
217 goto err; 212 goto err;
218 } 213 }
219 214
220 /* Parameters to the signature algorithm can also be used to 215 /* Parameters to the signature algorithm can also be used to
221 create forgeries */ 216 create forgeries */
222 if(sig->algor->parameter 217 if (sig->algor->parameter &&
223 && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) 218 ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) {
224 { 219 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
225 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
226 goto err; 220 goto err;
227 } 221 }
228
229 sigtype=OBJ_obj2nid(sig->algor->algorithm);
230 222
223 sigtype = OBJ_obj2nid(sig->algor->algorithm);
231 224
232 #ifdef RSA_DEBUG 225 if (sigtype != dtype) {
233 /* put a backward compatibility flag in EAY */ 226 if ((dtype == NID_md5 &&
234 fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype), 227 sigtype == NID_md5WithRSAEncryption) ||
235 OBJ_nid2ln(dtype)); 228 (dtype == NID_md2 &&
236 #endif 229 sigtype == NID_md2WithRSAEncryption)) {
237 if (sigtype != dtype)
238 {
239 if (((dtype == NID_md5) &&
240 (sigtype == NID_md5WithRSAEncryption)) ||
241 ((dtype == NID_md2) &&
242 (sigtype == NID_md2WithRSAEncryption)))
243 {
244 /* ok, we will let it through */ 230 /* ok, we will let it through */
245 fprintf(stderr,"signature has problems, re-make with post SSLeay045\n"); 231 fprintf(stderr,
246 } 232 "signature has problems, "
247 else 233 "re-make with post SSLeay045\n");
248 { 234 } else {
249 RSAerr(RSA_F_INT_RSA_VERIFY, 235 RSAerr(RSA_F_INT_RSA_VERIFY,
250 RSA_R_ALGORITHM_MISMATCH); 236 RSA_R_ALGORITHM_MISMATCH);
251 goto err; 237 goto err;
252 }
253 } 238 }
254 if (rm) 239 }
255 { 240 if (rm) {
256 const EVP_MD *md; 241 const EVP_MD *md;
242
257 md = EVP_get_digestbynid(dtype); 243 md = EVP_get_digestbynid(dtype);
258 if (md && (EVP_MD_size(md) != sig->digest->length)) 244 if (md && (EVP_MD_size(md) != sig->digest->length))
259 RSAerr(RSA_F_INT_RSA_VERIFY, 245 RSAerr(RSA_F_INT_RSA_VERIFY,
260 RSA_R_INVALID_DIGEST_LENGTH); 246 RSA_R_INVALID_DIGEST_LENGTH);
261 else 247 else {
262 {
263 memcpy(rm, sig->digest->data, 248 memcpy(rm, sig->digest->data,
264 sig->digest->length); 249 sig->digest->length);
265 *prm_len = sig->digest->length; 250 *prm_len = sig->digest->length;
266 ret = 1; 251 ret = 1;
267 }
268 } 252 }
269 else if (((unsigned int)sig->digest->length != m_len) || 253 } else if ((unsigned int)sig->digest->length != m_len ||
270 (memcmp(m,sig->digest->data,m_len) != 0)) 254 memcmp(m,sig->digest->data,m_len) != 0) {
271 { 255 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
272 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); 256 } else
273 } 257 ret = 1;
274 else
275 ret=1;
276 } 258 }
277err: 259err:
278 if (sig != NULL) X509_SIG_free(sig); 260 if (sig != NULL)
279 if (s != NULL) 261 X509_SIG_free(sig);
280 { 262 if (s != NULL) {
281 OPENSSL_cleanse(s,(unsigned int)siglen); 263 OPENSSL_cleanse(s, (unsigned int)siglen);
282 free(s); 264 free(s);
283 }
284 return(ret);
285 } 265 }
266 return ret;
267}
286 268
287int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, 269int
288 const unsigned char *sigbuf, unsigned int siglen, 270RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
289 RSA *rsa) 271 const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
290 { 272{
291 273 if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
292 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) 274 return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen,
293 { 275 rsa);
294 return rsa->meth->rsa_verify(dtype, m, m_len,
295 sigbuf, siglen, rsa);
296 }
297 276
298 return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa); 277 return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
299 } 278}
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
index 3f4ec95a6e..c6ab71c674 100644
--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ b/src/lib/libcrypto/rsa/rsa_ssl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_ssl.c,v 1.7 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_ssl.c,v 1.8 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -62,93 +62,92 @@
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64 64
65int RSA_padding_add_SSLv23(unsigned char *to, int tlen, 65int
66 const unsigned char *from, int flen) 66RSA_padding_add_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
67 { 67 int flen)
68{
68 int i,j; 69 int i,j;
69 unsigned char *p; 70 unsigned char *p;
70 71
71 if (flen > (tlen-11)) 72 if (flen > tlen - 11) {
72 { 73 RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
73 RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 74 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
74 return(0); 75 return 0;
75 } 76 }
76 77
77 p=(unsigned char *)to; 78 p = (unsigned char *)to;
78 79
79 *(p++)=0; 80 *(p++) = 0;
80 *(p++)=2; /* Public Key BT (Block Type) */ 81 *(p++) = 2; /* Public Key BT (Block Type) */
81 82
82 /* pad out with non-zero random data */ 83 /* pad out with non-zero random data */
83 j=tlen-3-8-flen; 84 j = tlen - 3 - 8 - flen;
84 85
85 if (RAND_bytes(p,j) <= 0) 86 if (RAND_bytes(p, j) <= 0)
86 return(0); 87 return 0;
87 for (i=0; i<j; i++) 88 for (i = 0; i < j; i++) {
88 {
89 if (*p == '\0') 89 if (*p == '\0')
90 do { 90 do {
91 if (RAND_bytes(p,1) <= 0) 91 if (RAND_bytes(p, 1) <= 0)
92 return(0); 92 return 0;
93 } while (*p == '\0'); 93 } while (*p == '\0');
94 p++; 94 p++;
95 } 95 }
96 96
97 memset(p,3,8); 97 memset(p, 3, 8);
98 p+=8; 98 p += 8;
99 *(p++)='\0'; 99 *(p++) = '\0';
100 100
101 memcpy(p,from,(unsigned int)flen); 101 memcpy(p, from, (unsigned int)flen);
102 return(1); 102 return 1;
103 } 103}
104 104
105int RSA_padding_check_SSLv23(unsigned char *to, int tlen, 105int
106 const unsigned char *from, int flen, int num) 106RSA_padding_check_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
107 { 107 int flen, int num)
108 int i,j,k; 108{
109 int i, j, k;
109 const unsigned char *p; 110 const unsigned char *p;
110 111
111 p=from; 112 p = from;
112 if (flen < 10) 113 if (flen < 10) {
113 { 114 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
114 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_SMALL); 115 return -1;
115 return(-1); 116 }
116 } 117 if (num != flen + 1 || *(p++) != 02) {
117 if ((num != (flen+1)) || (*(p++) != 02)) 118 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
118 { 119 RSA_R_BLOCK_TYPE_IS_NOT_02);
119 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_BLOCK_TYPE_IS_NOT_02); 120 return -1;
120 return(-1); 121 }
121 }
122 122
123 /* scan over padding data */ 123 /* scan over padding data */
124 j=flen-1; /* one for type */ 124 j = flen - 1; /* one for type */
125 for (i=0; i<j; i++) 125 for (i = 0; i < j; i++)
126 if (*(p++) == 0) break; 126 if (*(p++) == 0)
127 break;
127 128
128 if ((i == j) || (i < 8)) 129 if (i == j || i < 8) {
129 { 130 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
130 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING); 131 RSA_R_NULL_BEFORE_BLOCK_MISSING);
131 return(-1); 132 return -1;
132 } 133 }
133 for (k = -9; k<-1; k++) 134 for (k = -9; k < -1; k++) {
134 { 135 if (p[k] != 0x03)
135 if (p[k] != 0x03) break; 136 break;
136 } 137 }
137 if (k == -1) 138 if (k == -1) {
138 { 139 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
139 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK); 140 RSA_R_SSLV3_ROLLBACK_ATTACK);
140 return(-1); 141 return -1;
141 } 142 }
142 143
143 i++; /* Skip over the '\0' */ 144 i++; /* Skip over the '\0' */
144 j-=i; 145 j -= i;
145 if (j > tlen) 146 if (j > tlen) {
146 { 147 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
147 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE); 148 return -1;
148 return(-1);
149 }
150 memcpy(to,p,(unsigned int)j);
151
152 return(j);
153 } 149 }
150 memcpy(to, p, (unsigned int)j);
154 151
152 return j;
153}
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
index 6592c22ee5..f22c50ba13 100644
--- a/src/lib/libcrypto/rsa/rsa_x931.c
+++ b/src/lib/libcrypto/rsa/rsa_x931.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_x931.c,v 1.2 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_x931.c,v 1.3 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005. 3 * project 2005.
4 */ 4 */
@@ -63,115 +63,103 @@
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64#include <openssl/objects.h> 64#include <openssl/objects.h>
65 65
66int RSA_padding_add_X931(unsigned char *to, int tlen, 66int
67 const unsigned char *from, int flen) 67RSA_padding_add_X931(unsigned char *to, int tlen, const unsigned char *from,
68 { 68 int flen)
69{
69 int j; 70 int j;
70 unsigned char *p; 71 unsigned char *p;
71 72
72 /* Absolute minimum amount of padding is 1 header nibble, 1 padding 73 /*
74 * Absolute minimum amount of padding is 1 header nibble, 1 padding
73 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'. 75 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
74 */ 76 */
75
76 j = tlen - flen - 2; 77 j = tlen - flen - 2;
77 78
78 if (j < 0) 79 if (j < 0) {
79 { 80 RSAerr(RSA_F_RSA_PADDING_ADD_X931,
80 RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 81 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
81 return -1; 82 return -1;
82 } 83 }
83 84
84 p=(unsigned char *)to; 85 p = (unsigned char *)to;
85 86
86 /* If no padding start and end nibbles are in one byte */ 87 /* If no padding start and end nibbles are in one byte */
87 if (j == 0) 88 if (j == 0)
88 *p++ = 0x6A; 89 *p++ = 0x6A;
89 else 90 else {
90 {
91 *p++ = 0x6B; 91 *p++ = 0x6B;
92 if (j > 1) 92 if (j > 1) {
93 {
94 memset(p, 0xBB, j - 1); 93 memset(p, 0xBB, j - 1);
95 p += j - 1; 94 p += j - 1;
96 }
97 *p++ = 0xBA;
98 } 95 }
99 memcpy(p,from,(unsigned int)flen); 96 *p++ = 0xBA;
97 }
98 memcpy(p, from, (unsigned int)flen);
100 p += flen; 99 p += flen;
101 *p = 0xCC; 100 *p = 0xCC;
102 return(1); 101 return 1;
103 } 102}
104 103
105int RSA_padding_check_X931(unsigned char *to, int tlen, 104int
106 const unsigned char *from, int flen, int num) 105RSA_padding_check_X931(unsigned char *to, int tlen, const unsigned char *from,
107 { 106 int flen, int num)
108 int i = 0,j; 107{
109 const unsigned char *p; 108 int i = 0, j;
110 109 const unsigned char *p = from;
111 p=from; 110
112 if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B))) 111 if (num != flen || (*p != 0x6A && *p != 0x6B)) {
113 { 112 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_HEADER);
114 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER);
115 return -1; 113 return -1;
116 } 114 }
117 115
118 if (*p++ == 0x6B) 116 if (*p++ == 0x6B) {
119 { 117 j = flen - 3;
120 j=flen-3; 118 for (i = 0; i < j; i++) {
121 for (i = 0; i < j; i++)
122 {
123 unsigned char c = *p++; 119 unsigned char c = *p++;
124 if (c == 0xBA) 120 if (c == 0xBA)
125 break; 121 break;
126 if (c != 0xBB) 122 if (c != 0xBB) {
127 {
128 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, 123 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
129 RSA_R_INVALID_PADDING); 124 RSA_R_INVALID_PADDING);
130 return -1; 125 return -1;
131 }
132 } 126 }
127 }
133 128
134 j -= i; 129 if (i == 0) {
135
136 if (i == 0)
137 {
138 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING); 130 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING);
139 return -1; 131 return -1;
140 }
141
142 } 132 }
143 else j = flen - 2;
144 133
145 if (p[j] != 0xCC) 134 j -= i;
146 { 135 } else
136 j = flen - 2;
137
138 if (p[j] != 0xCC) {
147 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER); 139 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
148 return -1; 140 return -1;
149 } 141 }
150 142
151 memcpy(to,p,(unsigned int)j); 143 memcpy(to, p, (unsigned int)j);
152 144
153 return(j); 145 return j;
154 } 146}
155 147
156/* Translate between X931 hash ids and NIDs */ 148/* Translate between X931 hash ids and NIDs */
157 149
158int RSA_X931_hash_id(int nid) 150int
159 { 151RSA_X931_hash_id(int nid)
160 switch (nid) 152{
161 { 153 switch (nid) {
162 case NID_sha1: 154 case NID_sha1:
163 return 0x33; 155 return 0x33;
164 156 case NID_sha256:
165 case NID_sha256:
166 return 0x34; 157 return 0x34;
167 158 case NID_sha384:
168 case NID_sha384:
169 return 0x36; 159 return 0x36;
170 160 case NID_sha512:
171 case NID_sha512:
172 return 0x35; 161 return 0x35;
173
174 }
175 return -1;
176 } 162 }
177 163
164 return -1;
165}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_ameth.c b/src/lib/libssl/src/crypto/rsa/rsa_ameth.c
index 2e2194e8b3..8e15e3f535 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_ameth.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_ameth.c,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_ameth.c,v 1.7 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -67,207 +67,213 @@
67#endif 67#endif
68#include "asn1_locl.h" 68#include "asn1_locl.h"
69 69
70static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 70static int
71 { 71rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
72{
72 unsigned char *penc = NULL; 73 unsigned char *penc = NULL;
73 int penclen; 74 int penclen;
75
74 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); 76 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
75 if (penclen <= 0) 77 if (penclen <= 0)
76 return 0; 78 return 0;
77 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA), 79 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
78 V_ASN1_NULL, NULL, penc, penclen)) 80 V_ASN1_NULL, NULL, penc, penclen))
79 return 1; 81 return 1;
80 82
81 free(penc); 83 free(penc);
82 return 0; 84 return 0;
83 } 85}
84 86
85static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 87static int
86 { 88rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
89{
87 const unsigned char *p; 90 const unsigned char *p;
88 int pklen; 91 int pklen;
89 RSA *rsa = NULL; 92 RSA *rsa = NULL;
93
90 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey)) 94 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
91 return 0; 95 return 0;
92 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) 96 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
93 {
94 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB); 97 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
95 return 0; 98 return 0;
96 } 99 }
97 EVP_PKEY_assign_RSA (pkey, rsa); 100 EVP_PKEY_assign_RSA (pkey, rsa);
98 return 1; 101 return 1;
99 } 102}
100 103
101static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 104static int
102 { 105rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
103 if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0 106{
104 || BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0) 107 if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0 ||
105 return 0; 108 BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0)
109 return 0;
106 return 1; 110 return 1;
107 } 111}
108 112
109static int old_rsa_priv_decode(EVP_PKEY *pkey, 113static int
110 const unsigned char **pder, int derlen) 114old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
111 { 115{
112 RSA *rsa; 116 RSA *rsa;
113 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) 117
114 { 118 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) {
115 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB); 119 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
116 return 0; 120 return 0;
117 } 121 }
118 EVP_PKEY_assign_RSA(pkey, rsa); 122 EVP_PKEY_assign_RSA(pkey, rsa);
119 return 1; 123 return 1;
120 } 124}
121 125
122static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 126static int
123 { 127old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
128{
124 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 129 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
125 } 130}
126 131
127static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 132static int
128 { 133rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
134{
129 unsigned char *rk = NULL; 135 unsigned char *rk = NULL;
130 int rklen; 136 int rklen;
137
131 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); 138 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
132 139
133 if (rklen <= 0) 140 if (rklen <= 0) {
134 { 141 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
135 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
136 return 0; 142 return 0;
137 } 143 }
138 144
139 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0, 145 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
140 V_ASN1_NULL, NULL, rk, rklen)) 146 V_ASN1_NULL, NULL, rk, rklen)) {
141 { 147 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
142 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
143 return 0; 148 return 0;
144 } 149 }
145 150
146 return 1; 151 return 1;
147 } 152}
148 153
149static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) 154static int
150 { 155rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
156{
151 const unsigned char *p; 157 const unsigned char *p;
152 int pklen; 158 int pklen;
159
153 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8)) 160 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
154 return 0; 161 return 0;
155 return old_rsa_priv_decode(pkey, &p, pklen); 162 return old_rsa_priv_decode(pkey, &p, pklen);
156 } 163}
157 164
158static int int_rsa_size(const EVP_PKEY *pkey) 165static int
159 { 166int_rsa_size(const EVP_PKEY *pkey)
167{
160 return RSA_size(pkey->pkey.rsa); 168 return RSA_size(pkey->pkey.rsa);
161 } 169}
162 170
163static int rsa_bits(const EVP_PKEY *pkey) 171static int
164 { 172rsa_bits(const EVP_PKEY *pkey)
173{
165 return BN_num_bits(pkey->pkey.rsa->n); 174 return BN_num_bits(pkey->pkey.rsa->n);
166 } 175}
167 176
168static void int_rsa_free(EVP_PKEY *pkey) 177static void
169 { 178int_rsa_free(EVP_PKEY *pkey)
179{
170 RSA_free(pkey->pkey.rsa); 180 RSA_free(pkey->pkey.rsa);
171 } 181}
172
173 182
174static void update_buflen(const BIGNUM *b, size_t *pbuflen) 183static void
175 { 184update_buflen(const BIGNUM *b, size_t *pbuflen)
185{
176 size_t i; 186 size_t i;
187
177 if (!b) 188 if (!b)
178 return; 189 return;
179 if (*pbuflen < (i = (size_t)BN_num_bytes(b))) 190 if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
180 *pbuflen = i; 191 *pbuflen = i;
181 } 192}
182 193
183static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv) 194static int
184 { 195do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
196{
185 char *str; 197 char *str;
186 const char *s; 198 const char *s;
187 unsigned char *m=NULL; 199 unsigned char *m = NULL;
188 int ret=0, mod_len = 0; 200 int ret = 0, mod_len = 0;
189 size_t buf_len=0; 201 size_t buf_len = 0;
190 202
191 update_buflen(x->n, &buf_len); 203 update_buflen(x->n, &buf_len);
192 update_buflen(x->e, &buf_len); 204 update_buflen(x->e, &buf_len);
193 205
194 if (priv) 206 if (priv) {
195 {
196 update_buflen(x->d, &buf_len); 207 update_buflen(x->d, &buf_len);
197 update_buflen(x->p, &buf_len); 208 update_buflen(x->p, &buf_len);
198 update_buflen(x->q, &buf_len); 209 update_buflen(x->q, &buf_len);
199 update_buflen(x->dmp1, &buf_len); 210 update_buflen(x->dmp1, &buf_len);
200 update_buflen(x->dmq1, &buf_len); 211 update_buflen(x->dmq1, &buf_len);
201 update_buflen(x->iqmp, &buf_len); 212 update_buflen(x->iqmp, &buf_len);
202 } 213 }
203 214
204 m = malloc(buf_len+10); 215 m = malloc(buf_len + 10);
205 if (m == NULL) 216 if (m == NULL) {
206 { 217 RSAerr(RSA_F_DO_RSA_PRINT, ERR_R_MALLOC_FAILURE);
207 RSAerr(RSA_F_DO_RSA_PRINT,ERR_R_MALLOC_FAILURE);
208 goto err; 218 goto err;
209 } 219 }
210 220
211 if (x->n != NULL) 221 if (x->n != NULL)
212 mod_len = BN_num_bits(x->n); 222 mod_len = BN_num_bits(x->n);
213 223
214 if(!BIO_indent(bp,off,128)) 224 if (!BIO_indent(bp, off, 128))
215 goto err; 225 goto err;
216 226
217 if (priv && x->d) 227 if (priv && x->d) {
218 { 228 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
219 if (BIO_printf(bp,"Private-Key: (%d bit)\n", mod_len) 229 goto err;
220 <= 0) goto err;
221 str = "modulus:"; 230 str = "modulus:";
222 s = "publicExponent:"; 231 s = "publicExponent:";
223 } 232 } else {
224 else 233 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
225 { 234 goto err;
226 if (BIO_printf(bp,"Public-Key: (%d bit)\n", mod_len)
227 <= 0) goto err;
228 str = "Modulus:"; 235 str = "Modulus:";
229 s= "Exponent:"; 236 s= "Exponent:";
230 } 237 }
231 if (!ASN1_bn_print(bp,str,x->n,m,off)) goto err; 238 if (!ASN1_bn_print(bp, str, x->n, m, off))
232 if (!ASN1_bn_print(bp,s,x->e,m,off))
233 goto err; 239 goto err;
234 if (priv) 240 if (!ASN1_bn_print(bp, s, x->e, m, off))
235 { 241 goto err;
236 if (!ASN1_bn_print(bp,"privateExponent:",x->d,m,off)) 242 if (priv) {
243 if (!ASN1_bn_print(bp, "privateExponent:", x->d,m, off))
237 goto err; 244 goto err;
238 if (!ASN1_bn_print(bp,"prime1:",x->p,m,off)) 245 if (!ASN1_bn_print(bp, "prime1:", x->p, m, off))
239 goto err; 246 goto err;
240 if (!ASN1_bn_print(bp,"prime2:",x->q,m,off)) 247 if (!ASN1_bn_print(bp, "prime2:", x->q, m, off))
241 goto err; 248 goto err;
242 if (!ASN1_bn_print(bp,"exponent1:",x->dmp1,m,off)) 249 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off))
243 goto err; 250 goto err;
244 if (!ASN1_bn_print(bp,"exponent2:",x->dmq1,m,off)) 251 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off))
245 goto err; 252 goto err;
246 if (!ASN1_bn_print(bp,"coefficient:",x->iqmp,m,off)) 253 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off))
247 goto err; 254 goto err;
248 } 255 }
249 ret=1; 256 ret = 1;
250err: 257err:
251 free(m); 258 free(m);
252 return(ret); 259 return(ret);
253 } 260}
254 261
255static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 262static int
256 ASN1_PCTX *ctx) 263rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
257 { 264{
258 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0); 265 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
259 } 266}
260
261 267
262static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 268static int
263 ASN1_PCTX *ctx) 269rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
264 { 270{
265 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1); 271 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
266 } 272}
267 273
268static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg, 274static RSA_PSS_PARAMS *
269 X509_ALGOR **pmaskHash) 275rsa_pss_decode(const X509_ALGOR *alg, X509_ALGOR **pmaskHash)
270 { 276{
271 const unsigned char *p; 277 const unsigned char *p;
272 int plen; 278 int plen;
273 RSA_PSS_PARAMS *pss; 279 RSA_PSS_PARAMS *pss;
@@ -283,31 +289,30 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
283 if (!pss) 289 if (!pss)
284 return NULL; 290 return NULL;
285 291
286 if (pss->maskGenAlgorithm) 292 if (pss->maskGenAlgorithm) {
287 {
288 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; 293 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
289 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 294 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 &&
290 && param->type == V_ASN1_SEQUENCE) 295 param->type == V_ASN1_SEQUENCE) {
291 {
292 p = param->value.sequence->data; 296 p = param->value.sequence->data;
293 plen = param->value.sequence->length; 297 plen = param->value.sequence->length;
294 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen); 298 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
295 }
296 } 299 }
300 }
297 301
298 return pss; 302 return pss;
299 } 303}
300 304
301static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, 305static int
302 X509_ALGOR *maskHash, int indent) 306rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, X509_ALGOR *maskHash,
303 { 307 int indent)
308{
304 int rv = 0; 309 int rv = 0;
305 if (!pss) 310
306 { 311 if (!pss) {
307 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0) 312 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
308 return 0; 313 return 0;
309 return 1; 314 return 1;
310 } 315 }
311 if (BIO_puts(bp, "\n") <= 0) 316 if (BIO_puts(bp, "\n") <= 0)
312 goto err; 317 goto err;
313 if (!BIO_indent(bp, indent, 128)) 318 if (!BIO_indent(bp, indent, 128))
@@ -315,12 +320,10 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
315 if (BIO_puts(bp, "Hash Algorithm: ") <= 0) 320 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
316 goto err; 321 goto err;
317 322
318 if (pss->hashAlgorithm) 323 if (pss->hashAlgorithm) {
319 {
320 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) 324 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
321 goto err; 325 goto err;
322 } 326 } else if (BIO_puts(bp, "sha1 (default)") <= 0)
323 else if (BIO_puts(bp, "sha1 (default)") <= 0)
324 goto err; 327 goto err;
325 328
326 if (BIO_puts(bp, "\n") <= 0) 329 if (BIO_puts(bp, "\n") <= 0)
@@ -330,22 +333,18 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
330 goto err; 333 goto err;
331 334
332 if (BIO_puts(bp, "Mask Algorithm: ") <= 0) 335 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
333 goto err; 336 goto err;
334 if (pss->maskGenAlgorithm) 337 if (pss->maskGenAlgorithm) {
335 {
336 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) 338 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
337 goto err; 339 goto err;
338 if (BIO_puts(bp, " with ") <= 0) 340 if (BIO_puts(bp, " with ") <= 0)
339 goto err; 341 goto err;
340 if (maskHash) 342 if (maskHash) {
341 {
342 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) 343 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
344 goto err;
345 } else if (BIO_puts(bp, "INVALID") <= 0)
343 goto err; 346 goto err;
344 } 347 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
345 else if (BIO_puts(bp, "INVALID") <= 0)
346 goto err;
347 }
348 else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
349 goto err; 348 goto err;
350 BIO_puts(bp, "\n"); 349 BIO_puts(bp, "\n");
351 350
@@ -353,41 +352,35 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
353 goto err; 352 goto err;
354 if (BIO_puts(bp, "Salt Length: 0x") <= 0) 353 if (BIO_puts(bp, "Salt Length: 0x") <= 0)
355 goto err; 354 goto err;
356 if (pss->saltLength) 355 if (pss->saltLength) {
357 {
358 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 356 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
359 goto err; 357 goto err;
360 } 358 } else if (BIO_puts(bp, "0x14 (default)") <= 0)
361 else if (BIO_puts(bp, "0x14 (default)") <= 0)
362 goto err; 359 goto err;
363 BIO_puts(bp, "\n"); 360 BIO_puts(bp, "\n");
364 361
365 if (!BIO_indent(bp, indent, 128)) 362 if (!BIO_indent(bp, indent, 128))
366 goto err; 363 goto err;
367 if (BIO_puts(bp, "Trailer Field: 0x") <= 0) 364 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
368 goto err; 365 goto err;
369 if (pss->trailerField) 366 if (pss->trailerField) {
370 {
371 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 367 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
372 goto err; 368 goto err;
373 } 369 } else if (BIO_puts(bp, "BC (default)") <= 0)
374 else if (BIO_puts(bp, "BC (default)") <= 0)
375 goto err; 370 goto err;
376 BIO_puts(bp, "\n"); 371 BIO_puts(bp, "\n");
377 372
378 rv = 1; 373 rv = 1;
379 374
380 err: 375err:
381 return rv; 376 return rv;
377}
382 378
383 } 379static int
384 380rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
385static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, 381 int indent, ASN1_PCTX *pctx)
386 const ASN1_STRING *sig, 382{
387 int indent, ASN1_PCTX *pctx) 383 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) {
388 {
389 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss)
390 {
391 int rv; 384 int rv;
392 RSA_PSS_PARAMS *pss; 385 RSA_PSS_PARAMS *pss;
393 X509_ALGOR *maskHash; 386 X509_ALGOR *maskHash;
@@ -399,147 +392,132 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
399 X509_ALGOR_free(maskHash); 392 X509_ALGOR_free(maskHash);
400 if (!rv) 393 if (!rv)
401 return 0; 394 return 0;
402 } 395 } else if (!sig && BIO_puts(bp, "\n") <= 0)
403 else if (!sig && BIO_puts(bp, "\n") <= 0)
404 return 0; 396 return 0;
405 if (sig) 397 if (sig)
406 return X509_signature_dump(bp, sig, indent); 398 return X509_signature_dump(bp, sig, indent);
407 return 1; 399 return 1;
408 } 400}
409 401
410static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 402static int
411 { 403rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
404{
412 X509_ALGOR *alg = NULL; 405 X509_ALGOR *alg = NULL;
413 switch (op) 406 switch (op) {
414 { 407 case ASN1_PKEY_CTRL_PKCS7_SIGN:
415
416 case ASN1_PKEY_CTRL_PKCS7_SIGN:
417 if (arg1 == 0) 408 if (arg1 == 0)
418 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg); 409 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
419 break; 410 break;
420 411
421 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: 412 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
422 if (arg1 == 0) 413 if (arg1 == 0)
423 PKCS7_RECIP_INFO_get0_alg(arg2, &alg); 414 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
424 break; 415 break;
425#ifndef OPENSSL_NO_CMS 416#ifndef OPENSSL_NO_CMS
426 case ASN1_PKEY_CTRL_CMS_SIGN: 417 case ASN1_PKEY_CTRL_CMS_SIGN:
427 if (arg1 == 0) 418 if (arg1 == 0)
428 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg); 419 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg);
429 break; 420 break;
430 421
431 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 422 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
432 if (arg1 == 0) 423 if (arg1 == 0)
433 CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg); 424 CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
434 break; 425 break;
435#endif 426#endif
436 427
437 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 428 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
438 *(int *)arg2 = NID_sha1; 429 *(int *)arg2 = NID_sha1;
439 return 1; 430 return 1;
440 431
441 default: 432 default:
442 return -2; 433 return -2;
443 434 }
444 }
445 435
446 if (alg) 436 if (alg)
447 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), 437 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
448 V_ASN1_NULL, 0); 438 V_ASN1_NULL, 0);
449 439
450 return 1; 440 return 1;
451 441}
452 }
453 442
454/* Customised RSA item verification routine. This is called 443/* Customised RSA item verification routine. This is called
455 * when a signature is encountered requiring special handling. We 444 * when a signature is encountered requiring special handling. We
456 * currently only handle PSS. 445 * currently only handle PSS.
457 */ 446 */
458 447static int
459 448rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
460static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 449 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
461 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, 450{
462 EVP_PKEY *pkey)
463 {
464 int rv = -1; 451 int rv = -1;
465 int saltlen; 452 int saltlen;
466 const EVP_MD *mgf1md = NULL, *md = NULL; 453 const EVP_MD *mgf1md = NULL, *md = NULL;
467 RSA_PSS_PARAMS *pss; 454 RSA_PSS_PARAMS *pss;
468 X509_ALGOR *maskHash; 455 X509_ALGOR *maskHash;
469 EVP_PKEY_CTX *pkctx; 456 EVP_PKEY_CTX *pkctx;
457
470 /* Sanity check: make sure it is PSS */ 458 /* Sanity check: make sure it is PSS */
471 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) 459 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
472 {
473 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 460 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
474 return -1; 461 return -1;
475 } 462 }
476 /* Decode PSS parameters */ 463 /* Decode PSS parameters */
477 pss = rsa_pss_decode(sigalg, &maskHash); 464 pss = rsa_pss_decode(sigalg, &maskHash);
478 465
479 if (pss == NULL) 466 if (pss == NULL) {
480 {
481 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS); 467 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS);
482 goto err; 468 goto err;
483 } 469 }
484 /* Check mask and lookup mask hash algorithm */ 470 /* Check mask and lookup mask hash algorithm */
485 if (pss->maskGenAlgorithm) 471 if (pss->maskGenAlgorithm) {
486 { 472 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) {
487 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) 473 RSAerr(RSA_F_RSA_ITEM_VERIFY,
488 { 474 RSA_R_UNSUPPORTED_MASK_ALGORITHM);
489 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_ALGORITHM);
490 goto err; 475 goto err;
491 } 476 }
492 if (!maskHash) 477 if (!maskHash) {
493 { 478 RSAerr(RSA_F_RSA_ITEM_VERIFY,
494 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_PARAMETER); 479 RSA_R_UNSUPPORTED_MASK_PARAMETER);
495 goto err; 480 goto err;
496 } 481 }
497 mgf1md = EVP_get_digestbyobj(maskHash->algorithm); 482 mgf1md = EVP_get_digestbyobj(maskHash->algorithm);
498 if (mgf1md == NULL) 483 if (mgf1md == NULL) {
499 { 484 RSAerr(RSA_F_RSA_ITEM_VERIFY,
500 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_MASK_DIGEST); 485 RSA_R_UNKNOWN_MASK_DIGEST);
501 goto err; 486 goto err;
502 }
503 } 487 }
504 else 488 } else
505 mgf1md = EVP_sha1(); 489 mgf1md = EVP_sha1();
506 490
507 if (pss->hashAlgorithm) 491 if (pss->hashAlgorithm) {
508 {
509 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm); 492 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm);
510 if (md == NULL) 493 if (md == NULL) {
511 {
512 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST); 494 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST);
513 goto err; 495 goto err;
514 }
515 } 496 }
516 else 497 } else
517 md = EVP_sha1(); 498 md = EVP_sha1();
518 499
519 if (pss->saltLength) 500 if (pss->saltLength) {
520 {
521 saltlen = ASN1_INTEGER_get(pss->saltLength); 501 saltlen = ASN1_INTEGER_get(pss->saltLength);
522 502
523 /* Could perform more salt length sanity checks but the main 503 /* Could perform more salt length sanity checks but the main
524 * RSA routines will trap other invalid values anyway. 504 * RSA routines will trap other invalid values anyway.
525 */ 505 */
526 if (saltlen < 0) 506 if (saltlen < 0) {
527 { 507 RSAerr(RSA_F_RSA_ITEM_VERIFY,
528 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_SALT_LENGTH); 508 RSA_R_INVALID_SALT_LENGTH);
529 goto err; 509 goto err;
530 }
531 } 510 }
532 else 511 } else
533 saltlen = 20; 512 saltlen = 20;
534 513
535 /* low-level routines support only trailer field 0xbc (value 1) 514 /* low-level routines support only trailer field 0xbc (value 1)
536 * and PKCS#1 says we should reject any other value anyway. 515 * and PKCS#1 says we should reject any other value anyway.
537 */ 516 */
538 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) 517 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
539 {
540 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER); 518 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER);
541 goto err; 519 goto err;
542 } 520 }
543 521
544 /* We have all parameters now set up context */ 522 /* We have all parameters now set up context */
545 523
@@ -557,31 +535,32 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
557 /* Carry on */ 535 /* Carry on */
558 rv = 2; 536 rv = 2;
559 537
560 err: 538err:
561 RSA_PSS_PARAMS_free(pss); 539 RSA_PSS_PARAMS_free(pss);
562 if (maskHash) 540 if (maskHash)
563 X509_ALGOR_free(maskHash); 541 X509_ALGOR_free(maskHash);
564 return rv; 542 return rv;
565 } 543}
566 544
567static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 545static int
568 X509_ALGOR *alg1, X509_ALGOR *alg2, 546rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
569 ASN1_BIT_STRING *sig) 547 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
570 { 548{
571 int pad_mode; 549 int pad_mode;
572 EVP_PKEY_CTX *pkctx = ctx->pctx; 550 EVP_PKEY_CTX *pkctx = ctx->pctx;
551
573 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 552 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
574 return 0; 553 return 0;
575 if (pad_mode == RSA_PKCS1_PADDING) 554 if (pad_mode == RSA_PKCS1_PADDING)
576 return 2; 555 return 2;
577 if (pad_mode == RSA_PKCS1_PSS_PADDING) 556 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
578 {
579 const EVP_MD *sigmd, *mgf1md; 557 const EVP_MD *sigmd, *mgf1md;
580 RSA_PSS_PARAMS *pss = NULL; 558 RSA_PSS_PARAMS *pss = NULL;
581 X509_ALGOR *mgf1alg = NULL; 559 X509_ALGOR *mgf1alg = NULL;
582 ASN1_STRING *os1 = NULL, *os2 = NULL; 560 ASN1_STRING *os1 = NULL, *os2 = NULL;
583 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); 561 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
584 int saltlen, rv = 0; 562 int saltlen, rv = 0;
563
585 sigmd = EVP_MD_CTX_md(ctx); 564 sigmd = EVP_MD_CTX_md(ctx);
586 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 565 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
587 goto err; 566 goto err;
@@ -589,62 +568,56 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
589 goto err; 568 goto err;
590 if (saltlen == -1) 569 if (saltlen == -1)
591 saltlen = EVP_MD_size(sigmd); 570 saltlen = EVP_MD_size(sigmd);
592 else if (saltlen == -2) 571 else if (saltlen == -2) {
593 {
594 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; 572 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
595 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0) 573 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
596 saltlen--; 574 saltlen--;
597 } 575 }
598 pss = RSA_PSS_PARAMS_new(); 576 pss = RSA_PSS_PARAMS_new();
599 if (!pss) 577 if (!pss)
600 goto err; 578 goto err;
601 if (saltlen != 20) 579 if (saltlen != 20) {
602 {
603 pss->saltLength = ASN1_INTEGER_new(); 580 pss->saltLength = ASN1_INTEGER_new();
604 if (!pss->saltLength) 581 if (!pss->saltLength)
605 goto err; 582 goto err;
606 if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) 583 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
607 goto err; 584 goto err;
608 } 585 }
609 if (EVP_MD_type(sigmd) != NID_sha1) 586 if (EVP_MD_type(sigmd) != NID_sha1) {
610 {
611 pss->hashAlgorithm = X509_ALGOR_new(); 587 pss->hashAlgorithm = X509_ALGOR_new();
612 if (!pss->hashAlgorithm) 588 if (!pss->hashAlgorithm)
613 goto err; 589 goto err;
614 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd); 590 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
615 } 591 }
616 if (EVP_MD_type(mgf1md) != NID_sha1) 592 if (EVP_MD_type(mgf1md) != NID_sha1) {
617 {
618 ASN1_STRING *stmp = NULL; 593 ASN1_STRING *stmp = NULL;
619 /* need to embed algorithm ID inside another */ 594 /* need to embed algorithm ID inside another */
620 mgf1alg = X509_ALGOR_new(); 595 mgf1alg = X509_ALGOR_new();
621 X509_ALGOR_set_md(mgf1alg, mgf1md); 596 X509_ALGOR_set_md(mgf1alg, mgf1md);
622 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR), 597 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR),
623 &stmp)) 598 &stmp))
624 goto err; 599 goto err;
625 pss->maskGenAlgorithm = X509_ALGOR_new(); 600 pss->maskGenAlgorithm = X509_ALGOR_new();
626 if (!pss->maskGenAlgorithm) 601 if (!pss->maskGenAlgorithm)
627 goto err; 602 goto err;
628 X509_ALGOR_set0(pss->maskGenAlgorithm, 603 X509_ALGOR_set0(pss->maskGenAlgorithm,
629 OBJ_nid2obj(NID_mgf1), 604 OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
630 V_ASN1_SEQUENCE, stmp); 605 }
631 }
632 /* Finally create string with pss parameter encoding. */ 606 /* Finally create string with pss parameter encoding. */
633 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1)) 607 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1))
634 goto err; 608 goto err;
635 if (alg2) 609 if (alg2) {
636 {
637 os2 = ASN1_STRING_dup(os1); 610 os2 = ASN1_STRING_dup(os1);
638 if (!os2) 611 if (!os2)
639 goto err; 612 goto err;
640 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss), 613 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
641 V_ASN1_SEQUENCE, os2); 614 V_ASN1_SEQUENCE, os2);
642 } 615 }
643 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss), 616 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
644 V_ASN1_SEQUENCE, os1); 617 V_ASN1_SEQUENCE, os1);
645 os1 = os2 = NULL; 618 os1 = os2 = NULL;
646 rv = 3; 619 rv = 3;
647 err: 620err:
648 if (mgf1alg) 621 if (mgf1alg)
649 X509_ALGOR_free(mgf1alg); 622 X509_ALGOR_free(mgf1alg);
650 if (pss) 623 if (pss)
@@ -652,10 +625,9 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
652 if (os1) 625 if (os1)
653 ASN1_STRING_free(os1); 626 ASN1_STRING_free(os1);
654 return rv; 627 return rv;
655
656 }
657 return 2;
658 } 628 }
629 return 2;
630}
659 631
660const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { 632const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
661 { 633 {
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_asn1.c b/src/lib/libssl/src/crypto/rsa/rsa_asn1.c
index b535c85141..e876dbdf49 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_asn1.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_asn1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_asn1.c,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_asn1.c,v 1.7 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -64,14 +64,15 @@
64#include <openssl/asn1t.h> 64#include <openssl/asn1t.h>
65 65
66/* Override the default free and new methods */ 66/* Override the default free and new methods */
67static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, 67static int
68 void *exarg) 68rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
69{ 69{
70 if(operation == ASN1_OP_NEW_PRE) { 70 if (operation == ASN1_OP_NEW_PRE) {
71 *pval = (ASN1_VALUE *)RSA_new(); 71 *pval = (ASN1_VALUE *)RSA_new();
72 if(*pval) return 2; 72 if (*pval)
73 return 2;
73 return 0; 74 return 0;
74 } else if(operation == ASN1_OP_FREE_PRE) { 75 } else if (operation == ASN1_OP_FREE_PRE) {
75 RSA_free((RSA *)*pval); 76 RSA_free((RSA *)*pval);
76 *pval = NULL; 77 *pval = NULL;
77 return 2; 78 return 2;
@@ -110,12 +111,14 @@ IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
110 111
111IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey) 112IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)
112 113
113RSA *RSAPublicKey_dup(RSA *rsa) 114RSA *
114 { 115RSAPublicKey_dup(RSA *rsa)
116{
115 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa); 117 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
116 } 118}
117 119
118RSA *RSAPrivateKey_dup(RSA *rsa) 120RSA *
119 { 121RSAPrivateKey_dup(RSA *rsa)
122{
120 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa); 123 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
121 } 124}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_chk.c b/src/lib/libssl/src/crypto/rsa/rsa_chk.c
index d7e496aab2..54113f89f6 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_chk.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_chk.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_chk.c,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_chk.c,v 1.7 2014/07/09 08:20:08 miod Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -53,18 +53,18 @@
53#include <openssl/rsa.h> 53#include <openssl/rsa.h>
54 54
55 55
56int RSA_check_key(const RSA *key) 56int
57 { 57RSA_check_key(const RSA *key)
58{
58 BIGNUM *i, *j, *k, *l, *m; 59 BIGNUM *i, *j, *k, *l, *m;
59 BN_CTX *ctx; 60 BN_CTX *ctx;
60 int r; 61 int r;
61 int ret=1; 62 int ret = 1;
62 63
63 if (!key->p || !key->q || !key->n || !key->e || !key->d) 64 if (!key->p || !key->q || !key->n || !key->e || !key->d) {
64 {
65 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING); 65 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
66 return 0; 66 return 0;
67 } 67 }
68 68
69 i = BN_new(); 69 i = BN_new();
70 j = BN_new(); 70 j = BN_new();
@@ -72,119 +72,148 @@ int RSA_check_key(const RSA *key)
72 l = BN_new(); 72 l = BN_new();
73 m = BN_new(); 73 m = BN_new();
74 ctx = BN_CTX_new(); 74 ctx = BN_CTX_new();
75 if (i == NULL || j == NULL || k == NULL || l == NULL || 75 if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL ||
76 m == NULL || ctx == NULL) 76 ctx == NULL) {
77 {
78 ret = -1; 77 ret = -1;
79 RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE); 78 RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
80 goto err; 79 goto err;
81 } 80 }
82 81
83 /* p prime? */ 82 /* p prime? */
84 r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL); 83 r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
85 if (r != 1) 84 if (r != 1) {
86 {
87 ret = r; 85 ret = r;
88 if (r != 0) 86 if (r != 0)
89 goto err; 87 goto err;
90 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME); 88 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
91 } 89 }
92 90
93 /* q prime? */ 91 /* q prime? */
94 r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL); 92 r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
95 if (r != 1) 93 if (r != 1) {
96 {
97 ret = r; 94 ret = r;
98 if (r != 0) 95 if (r != 0)
99 goto err; 96 goto err;
100 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME); 97 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
101 } 98 }
102 99
103 /* n = p*q? */ 100 /* n = p*q? */
104 r = BN_mul(i, key->p, key->q, ctx); 101 r = BN_mul(i, key->p, key->q, ctx);
105 if (!r) { ret = -1; goto err; } 102 if (!r) {
103 ret = -1;
104 goto err;
105 }
106 106
107 if (BN_cmp(i, key->n) != 0) 107 if (BN_cmp(i, key->n) != 0) {
108 {
109 ret = 0; 108 ret = 0;
110 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q); 109 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
111 } 110 }
112 111
113 /* d*e = 1 mod lcm(p-1,q-1)? */ 112 /* d*e = 1 mod lcm(p-1,q-1)? */
114 113
115 r = BN_sub(i, key->p, BN_value_one()); 114 r = BN_sub(i, key->p, BN_value_one());
116 if (!r) { ret = -1; goto err; } 115 if (!r) {
116 ret = -1;
117 goto err;
118 }
117 r = BN_sub(j, key->q, BN_value_one()); 119 r = BN_sub(j, key->q, BN_value_one());
118 if (!r) { ret = -1; goto err; } 120 if (!r) {
121 ret = -1;
122 goto err;
123 }
119 124
120 /* now compute k = lcm(i,j) */ 125 /* now compute k = lcm(i,j) */
121 r = BN_mul(l, i, j, ctx); 126 r = BN_mul(l, i, j, ctx);
122 if (!r) { ret = -1; goto err; } 127 if (!r) {
128 ret = -1;
129 goto err;
130 }
123 r = BN_gcd(m, i, j, ctx); 131 r = BN_gcd(m, i, j, ctx);
124 if (!r) { ret = -1; goto err; } 132 if (!r) {
133 ret = -1;
134 goto err;
135 }
125 r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */ 136 r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
126 if (!r) { ret = -1; goto err; } 137 if (!r) {
138 ret = -1;
139 goto err;
140 }
127 141
128 r = BN_mod_mul(i, key->d, key->e, k, ctx); 142 r = BN_mod_mul(i, key->d, key->e, k, ctx);
129 if (!r) { ret = -1; goto err; } 143 if (!r) {
144 ret = -1;
145 goto err;
146 }
130 147
131 if (!BN_is_one(i)) 148 if (!BN_is_one(i)) {
132 {
133 ret = 0; 149 ret = 0;
134 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1); 150 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
135 } 151 }
136 152
137 if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) 153 if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
138 {
139 /* dmp1 = d mod (p-1)? */ 154 /* dmp1 = d mod (p-1)? */
140 r = BN_sub(i, key->p, BN_value_one()); 155 r = BN_sub(i, key->p, BN_value_one());
141 if (!r) { ret = -1; goto err; } 156 if (!r) {
157 ret = -1;
158 goto err;
159 }
142 160
143 r = BN_mod(j, key->d, i, ctx); 161 r = BN_mod(j, key->d, i, ctx);
144 if (!r) { ret = -1; goto err; } 162 if (!r) {
163 ret = -1;
164 goto err;
165 }
145 166
146 if (BN_cmp(j, key->dmp1) != 0) 167 if (BN_cmp(j, key->dmp1) != 0) {
147 {
148 ret = 0; 168 ret = 0;
149 RSAerr(RSA_F_RSA_CHECK_KEY, 169 RSAerr(RSA_F_RSA_CHECK_KEY,
150 RSA_R_DMP1_NOT_CONGRUENT_TO_D); 170 RSA_R_DMP1_NOT_CONGRUENT_TO_D);
151 } 171 }
152 172
153 /* dmq1 = d mod (q-1)? */ 173 /* dmq1 = d mod (q-1)? */
154 r = BN_sub(i, key->q, BN_value_one()); 174 r = BN_sub(i, key->q, BN_value_one());
155 if (!r) { ret = -1; goto err; } 175 if (!r) {
176 ret = -1;
177 goto err;
178 }
156 179
157 r = BN_mod(j, key->d, i, ctx); 180 r = BN_mod(j, key->d, i, ctx);
158 if (!r) { ret = -1; goto err; } 181 if (!r) {
182 ret = -1;
183 goto err;
184 }
159 185
160 if (BN_cmp(j, key->dmq1) != 0) 186 if (BN_cmp(j, key->dmq1) != 0) {
161 {
162 ret = 0; 187 ret = 0;
163 RSAerr(RSA_F_RSA_CHECK_KEY, 188 RSAerr(RSA_F_RSA_CHECK_KEY,
164 RSA_R_DMQ1_NOT_CONGRUENT_TO_D); 189 RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
165 } 190 }
166 191
167 /* iqmp = q^-1 mod p? */ 192 /* iqmp = q^-1 mod p? */
168 if(!BN_mod_inverse(i, key->q, key->p, ctx)) 193 if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
169 {
170 ret = -1; 194 ret = -1;
171 goto err; 195 goto err;
172 } 196 }
173 197
174 if (BN_cmp(i, key->iqmp) != 0) 198 if (BN_cmp(i, key->iqmp) != 0) {
175 {
176 ret = 0; 199 ret = 0;
177 RSAerr(RSA_F_RSA_CHECK_KEY, 200 RSAerr(RSA_F_RSA_CHECK_KEY,
178 RSA_R_IQMP_NOT_INVERSE_OF_Q); 201 RSA_R_IQMP_NOT_INVERSE_OF_Q);
179 }
180 } 202 }
203 }
181 204
182 err: 205 err:
183 if (i != NULL) BN_free(i); 206 if (i != NULL)
184 if (j != NULL) BN_free(j); 207 BN_free(i);
185 if (k != NULL) BN_free(k); 208 if (j != NULL)
186 if (l != NULL) BN_free(l); 209 BN_free(j);
187 if (m != NULL) BN_free(m); 210 if (k != NULL)
188 if (ctx != NULL) BN_CTX_free(ctx); 211 BN_free(k);
212 if (l != NULL)
213 BN_free(l);
214 if (m != NULL)
215 BN_free(m);
216 if (ctx != NULL)
217 BN_CTX_free(ctx);
189 return (ret); 218 return (ret);
190 } 219}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_crpt.c b/src/lib/libssl/src/crypto/rsa/rsa_crpt.c
index 2122e7baa4..16679cfd14 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_crpt.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_crpt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_crpt.c,v 1.4 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_crpt.c,v 1.5 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -67,54 +67,61 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70int RSA_size(const RSA *r) 70int
71 { 71RSA_size(const RSA *r)
72 return(BN_num_bytes(r->n)); 72{
73 } 73 return BN_num_bytes(r->n);
74}
74 75
75int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, 76int
76 RSA *rsa, int padding) 77RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
77 { 78 RSA *rsa, int padding)
78 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); 79{
79 } 80 return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
81}
80 82
81int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, 83int
82 RSA *rsa, int padding) 84RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
83 { 85 RSA *rsa, int padding)
84 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); 86{
85 } 87 return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
88}
86 89
87int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, 90int
88 RSA *rsa, int padding) 91RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
89 { 92 RSA *rsa, int padding)
90 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); 93{
91 } 94 return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
95}
92 96
93int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, 97int
94 RSA *rsa, int padding) 98RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
95 { 99 RSA *rsa, int padding)
96 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); 100{
97 } 101 return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
102}
98 103
99int RSA_flags(const RSA *r) 104int
100 { 105RSA_flags(const RSA *r)
101 return((r == NULL)?0:r->meth->flags); 106{
102 } 107 return r == NULL ? 0 : r->meth->flags;
108}
103 109
104void RSA_blinding_off(RSA *rsa) 110void
105 { 111RSA_blinding_off(RSA *rsa)
106 if (rsa->blinding != NULL) 112{
107 { 113 if (rsa->blinding != NULL) {
108 BN_BLINDING_free(rsa->blinding); 114 BN_BLINDING_free(rsa->blinding);
109 rsa->blinding=NULL; 115 rsa->blinding = NULL;
110 } 116 }
111 rsa->flags &= ~RSA_FLAG_BLINDING; 117 rsa->flags &= ~RSA_FLAG_BLINDING;
112 rsa->flags |= RSA_FLAG_NO_BLINDING; 118 rsa->flags |= RSA_FLAG_NO_BLINDING;
113 } 119}
114 120
115int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) 121int
116 { 122RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
117 int ret=0; 123{
124 int ret = 0;
118 125
119 if (rsa->blinding != NULL) 126 if (rsa->blinding != NULL)
120 RSA_blinding_off(rsa); 127 RSA_blinding_off(rsa);
@@ -125,13 +132,14 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
125 132
126 rsa->flags |= RSA_FLAG_BLINDING; 133 rsa->flags |= RSA_FLAG_BLINDING;
127 rsa->flags &= ~RSA_FLAG_NO_BLINDING; 134 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
128 ret=1; 135 ret = 1;
129err: 136err:
130 return(ret); 137 return(ret);
131 } 138}
132 139
133static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, 140static BIGNUM *
134 const BIGNUM *q, BN_CTX *ctx) 141rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, const BIGNUM *q,
142 BN_CTX *ctx)
135{ 143{
136 BIGNUM *ret = NULL, *r0, *r1, *r2; 144 BIGNUM *ret = NULL, *r0, *r1, *r2;
137 145
@@ -145,9 +153,12 @@ static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
145 if (r2 == NULL) 153 if (r2 == NULL)
146 goto err; 154 goto err;
147 155
148 if (!BN_sub(r1, p, BN_value_one())) goto err; 156 if (!BN_sub(r1, p, BN_value_one()))
149 if (!BN_sub(r2, q, BN_value_one())) goto err; 157 goto err;
150 if (!BN_mul(r0, r1, r2, ctx)) goto err; 158 if (!BN_sub(r2, q, BN_value_one()))
159 goto err;
160 if (!BN_mul(r0, r1, r2, ctx))
161 goto err;
151 162
152 ret = BN_mod_inverse(NULL, d, r0, ctx); 163 ret = BN_mod_inverse(NULL, d, r0, ctx);
153err: 164err:
@@ -155,62 +166,56 @@ err:
155 return ret; 166 return ret;
156} 167}
157 168
158BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) 169BN_BLINDING *
170RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
159{ 171{
160 BIGNUM local_n; 172 BIGNUM local_n;
161 BIGNUM *e,*n; 173 BIGNUM *e, *n;
162 BN_CTX *ctx; 174 BN_CTX *ctx;
163 BN_BLINDING *ret = NULL; 175 BN_BLINDING *ret = NULL;
164 176
165 if (in_ctx == NULL) 177 if (in_ctx == NULL) {
166 { 178 if ((ctx = BN_CTX_new()) == NULL)
167 if ((ctx = BN_CTX_new()) == NULL) return 0; 179 return 0;
168 } 180 } else
169 else
170 ctx = in_ctx; 181 ctx = in_ctx;
171 182
172 BN_CTX_start(ctx); 183 BN_CTX_start(ctx);
173 e = BN_CTX_get(ctx); 184 e = BN_CTX_get(ctx);
174 if (e == NULL) 185 if (e == NULL) {
175 {
176 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE); 186 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
177 goto err; 187 goto err;
178 } 188 }
179 189
180 if (rsa->e == NULL) 190 if (rsa->e == NULL) {
181 {
182 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx); 191 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
183 if (e == NULL) 192 if (e == NULL) {
184 { 193 RSAerr(RSA_F_RSA_SETUP_BLINDING,
185 RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT); 194 RSA_R_NO_PUBLIC_EXPONENT);
186 goto err; 195 goto err;
187 }
188 } 196 }
189 else 197 } else
190 e = rsa->e; 198 e = rsa->e;
191 199
192 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 200 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
193 {
194 /* Set BN_FLG_CONSTTIME flag */ 201 /* Set BN_FLG_CONSTTIME flag */
195 n = &local_n; 202 n = &local_n;
196 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); 203 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
197 } 204 } else
198 else
199 n = rsa->n; 205 n = rsa->n;
200 206
201 ret = BN_BLINDING_create_param(NULL, e, n, ctx, 207 ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
202 rsa->meth->bn_mod_exp, rsa->_method_mod_n); 208 rsa->_method_mod_n);
203 if (ret == NULL) 209 if (ret == NULL) {
204 {
205 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); 210 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
206 goto err; 211 goto err;
207 } 212 }
208 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret)); 213 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
209err: 214err:
210 BN_CTX_end(ctx); 215 BN_CTX_end(ctx);
211 if (in_ctx == NULL) 216 if (in_ctx == NULL)
212 BN_CTX_free(ctx); 217 BN_CTX_free(ctx);
213 if(rsa->e == NULL) 218 if (rsa->e == NULL)
214 BN_free(e); 219 BN_free(e);
215 220
216 return ret; 221 return ret;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_depr.c b/src/lib/libssl/src/crypto/rsa/rsa_depr.c
index 5f60727255..6808b5aecb 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_depr.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_depr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_depr.c,v 1.3 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_depr.c,v 1.4 2014/07/09 08:20:08 miod Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -64,34 +64,37 @@
64 64
65#ifndef OPENSSL_NO_DEPRECATED 65#ifndef OPENSSL_NO_DEPRECATED
66 66
67RSA *RSA_generate_key(int bits, unsigned long e_value, 67RSA *
68 void (*callback)(int,int,void *), void *cb_arg) 68RSA_generate_key(int bits, unsigned long e_value,
69 { 69 void (*callback)(int, int, void *), void *cb_arg)
70{
70 BN_GENCB cb; 71 BN_GENCB cb;
71 int i; 72 int i;
72 RSA *rsa = RSA_new(); 73 RSA *rsa = RSA_new();
73 BIGNUM *e = BN_new(); 74 BIGNUM *e = BN_new();
74 75
75 if(!rsa || !e) goto err; 76 if (!rsa || !e)
77 goto err;
76 78
77 /* The problem is when building with 8, 16, or 32 BN_ULONG, 79 /* The problem is when building with 8, 16, or 32 BN_ULONG,
78 * unsigned long can be larger */ 80 * unsigned long can be larger */
79 for (i=0; i<(int)sizeof(unsigned long)*8; i++) 81 for (i = 0; i < (int)sizeof(unsigned long) * 8; i++) {
80 { 82 if (e_value & (1UL << i))
81 if (e_value & (1UL<<i)) 83 if (BN_set_bit(e, i) == 0)
82 if (BN_set_bit(e,i) == 0)
83 goto err; 84 goto err;
84 } 85 }
85 86
86 BN_GENCB_set_old(&cb, callback, cb_arg); 87 BN_GENCB_set_old(&cb, callback, cb_arg);
87 88
88 if(RSA_generate_key_ex(rsa, bits, e, &cb)) { 89 if (RSA_generate_key_ex(rsa, bits, e, &cb)) {
89 BN_free(e); 90 BN_free(e);
90 return rsa; 91 return rsa;
91 } 92 }
92err: 93err:
93 if(e) BN_free(e); 94 if (e)
94 if(rsa) RSA_free(rsa); 95 BN_free(e);
96 if (rsa)
97 RSA_free(rsa);
95 return 0; 98 return 0;
96 } 99}
97#endif 100#endif
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index 9e17483e09..7b294e761e 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_eay.c,v 1.28 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_eay.c,v 1.29 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -140,114 +140,114 @@ static RSA_METHOD rsa_pkcs1_eay_meth = {
140 .finish = RSA_eay_finish, 140 .finish = RSA_eay_finish,
141}; 141};
142 142
143const RSA_METHOD *RSA_PKCS1_SSLeay(void) 143const RSA_METHOD *
144 { 144RSA_PKCS1_SSLeay(void)
145 return(&rsa_pkcs1_eay_meth); 145{
146 } 146 return &rsa_pkcs1_eay_meth;
147}
147 148
148static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 149static int
149 unsigned char *to, RSA *rsa, int padding) 150RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
150 { 151 RSA *rsa, int padding)
151 BIGNUM *f,*ret; 152{
152 int i,j,k,num=0,r= -1; 153 BIGNUM *f, *ret;
153 unsigned char *buf=NULL; 154 int i, j, k, num = 0, r = -1;
154 BN_CTX *ctx=NULL; 155 unsigned char *buf = NULL;
156 BN_CTX *ctx = NULL;
155 157
156 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 158 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
157 {
158 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 159 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
159 return -1; 160 return -1;
160 } 161 }
161 162
162 if (BN_ucmp(rsa->n, rsa->e) <= 0) 163 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
163 {
164 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 164 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
165 return -1; 165 return -1;
166 } 166 }
167 167
168 /* for large moduli, enforce exponent limit */ 168 /* for large moduli, enforce exponent limit */
169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 169 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
170 { 170 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
171 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
172 {
173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 171 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
174 return -1; 172 return -1;
175 }
176 } 173 }
174 }
177 175
178 if ((ctx=BN_CTX_new()) == NULL) goto err; 176 if ((ctx=BN_CTX_new()) == NULL)
177 goto err;
179 BN_CTX_start(ctx); 178 BN_CTX_start(ctx);
180 f = BN_CTX_get(ctx); 179 f = BN_CTX_get(ctx);
181 ret = BN_CTX_get(ctx); 180 ret = BN_CTX_get(ctx);
182 num=BN_num_bytes(rsa->n); 181 num = BN_num_bytes(rsa->n);
183 buf = malloc(num); 182 buf = malloc(num);
184 if (!f || !ret || !buf) 183 if (!f || !ret || !buf) {
185 {
186 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 184 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
187 goto err; 185 goto err;
188 } 186 }
189 187
190 switch (padding) 188 switch (padding) {
191 {
192 case RSA_PKCS1_PADDING: 189 case RSA_PKCS1_PADDING:
193 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 190 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
194 break; 191 break;
195#ifndef OPENSSL_NO_SHA 192#ifndef OPENSSL_NO_SHA
196 case RSA_PKCS1_OAEP_PADDING: 193 case RSA_PKCS1_OAEP_PADDING:
197 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 194 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
198 break; 195 break;
199#endif 196#endif
200 case RSA_SSLV23_PADDING: 197 case RSA_SSLV23_PADDING:
201 i=RSA_padding_add_SSLv23(buf,num,from,flen); 198 i = RSA_padding_add_SSLv23(buf, num, from, flen);
202 break; 199 break;
203 case RSA_NO_PADDING: 200 case RSA_NO_PADDING:
204 i=RSA_padding_add_none(buf,num,from,flen); 201 i = RSA_padding_add_none(buf, num, from, flen);
205 break; 202 break;
206 default: 203 default:
207 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 204 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
205 RSA_R_UNKNOWN_PADDING_TYPE);
206 goto err;
207 }
208 if (i <= 0)
208 goto err; 209 goto err;
209 }
210 if (i <= 0) goto err;
211 210
212 if (BN_bin2bn(buf,num,f) == NULL) goto err; 211 if (BN_bin2bn(buf, num, f) == NULL)
212 goto err;
213 213
214 if (BN_ucmp(f, rsa->n) >= 0) 214 if (BN_ucmp(f, rsa->n) >= 0) {
215 {
216 /* usually the padding functions would catch this */ 215 /* usually the padding functions would catch this */
217 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 216 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
217 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
218 goto err; 218 goto err;
219 } 219 }
220 220
221 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 221 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
222 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 222 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
223 CRYPTO_LOCK_RSA, rsa->n, ctx))
223 goto err; 224 goto err;
224 225
225 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 226 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, rsa->_method_mod_n))
226 rsa->_method_mod_n)) goto err; 227 goto err;
227 228
228 /* put in leading 0 bytes if the number is less than the 229 /* put in leading 0 bytes if the number is less than the
229 * length of the modulus */ 230 * length of the modulus */
230 j=BN_num_bytes(ret); 231 j = BN_num_bytes(ret);
231 i=BN_bn2bin(ret,&(to[num-j])); 232 i = BN_bn2bin(ret, &(to[num - j]));
232 for (k=0; k<(num-i); k++) 233 for (k = 0; k < num - i; k++)
233 to[k]=0; 234 to[k] = 0;
234 235
235 r=num; 236 r = num;
236err: 237err:
237 if (ctx != NULL) 238 if (ctx != NULL) {
238 {
239 BN_CTX_end(ctx); 239 BN_CTX_end(ctx);
240 BN_CTX_free(ctx); 240 BN_CTX_free(ctx);
241 } 241 }
242 if (buf != NULL) 242 if (buf != NULL) {
243 { 243 OPENSSL_cleanse(buf, num);
244 OPENSSL_cleanse(buf,num);
245 free(buf); 244 free(buf);
246 }
247 return(r);
248 } 245 }
246 return r;
247}
249 248
250static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 249static BN_BLINDING *
250rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
251{ 251{
252 BN_BLINDING *ret; 252 BN_BLINDING *ret;
253 int got_write_lock = 0; 253 int got_write_lock = 0;
@@ -255,53 +255,47 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
255 255
256 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 256 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
257 257
258 if (rsa->blinding == NULL) 258 if (rsa->blinding == NULL) {
259 {
260 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 259 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
261 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 260 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
262 got_write_lock = 1; 261 got_write_lock = 1;
263 262
264 if (rsa->blinding == NULL) 263 if (rsa->blinding == NULL)
265 rsa->blinding = RSA_setup_blinding(rsa, ctx); 264 rsa->blinding = RSA_setup_blinding(rsa, ctx);
266 } 265 }
267 266
268 ret = rsa->blinding; 267 ret = rsa->blinding;
269 if (ret == NULL) 268 if (ret == NULL)
270 goto err; 269 goto err;
271 270
272 CRYPTO_THREADID_current(&cur); 271 CRYPTO_THREADID_current(&cur);
273 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) 272 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
274 {
275 /* rsa->blinding is ours! */ 273 /* rsa->blinding is ours! */
276
277 *local = 1; 274 *local = 1;
278 } 275 } else {
279 else
280 {
281 /* resort to rsa->mt_blinding instead */ 276 /* resort to rsa->mt_blinding instead */
277 /*
278 * Instruct rsa_blinding_convert(), rsa_blinding_invert()
279 * that the BN_BLINDING is shared, meaning that accesses
280 * require locks, and that the blinding factor must be
281 * stored outside the BN_BLINDING
282 */
283 *local = 0;
282 284
283 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() 285 if (rsa->mt_blinding == NULL) {
284 * that the BN_BLINDING is shared, meaning that accesses 286 if (!got_write_lock) {
285 * require locks, and that the blinding factor must be
286 * stored outside the BN_BLINDING
287 */
288
289 if (rsa->mt_blinding == NULL)
290 {
291 if (!got_write_lock)
292 {
293 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 287 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
294 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 288 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
295 got_write_lock = 1; 289 got_write_lock = 1;
296 } 290 }
297 291
298 if (rsa->mt_blinding == NULL) 292 if (rsa->mt_blinding == NULL)
299 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 293 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
300 }
301 ret = rsa->mt_blinding;
302 } 294 }
295 ret = rsa->mt_blinding;
296 }
303 297
304 err: 298err:
305 if (got_write_lock) 299 if (got_write_lock)
306 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 300 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
307 else 301 else
@@ -309,29 +303,33 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
309 return ret; 303 return ret;
310} 304}
311 305
312static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 306static int
313 BN_CTX *ctx) 307rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
314 { 308{
315 if (unblind == NULL) 309 if (unblind == NULL)
316 /* Local blinding: store the unblinding factor 310 /*
317 * in BN_BLINDING. */ 311 * Local blinding: store the unblinding factor
312 * in BN_BLINDING.
313 */
318 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 314 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
319 else 315 else {
320 { 316 /*
321 /* Shared blinding: store the unblinding factor 317 * Shared blinding: store the unblinding factor
322 * outside BN_BLINDING. */ 318 * outside BN_BLINDING.
319 */
323 int ret; 320 int ret;
324 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 321 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
325 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 322 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
326 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 323 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
327 return ret; 324 return ret;
328 }
329 } 325 }
326}
330 327
331static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 328static int
332 BN_CTX *ctx) 329rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
333 { 330{
334 /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 331 /*
332 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
335 * will use the unblinding factor stored in BN_BLINDING. 333 * will use the unblinding factor stored in BN_BLINDING.
336 * If BN_BLINDING is shared between threads, unblind must be non-null: 334 * If BN_BLINDING is shared between threads, unblind must be non-null:
337 * BN_BLINDING_invert_ex will then use the local unblinding factor, 335 * BN_BLINDING_invert_ex will then use the local unblinding factor,
@@ -339,402 +337,392 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
339 * In both cases it's safe to access the blinding without a lock. 337 * In both cases it's safe to access the blinding without a lock.
340 */ 338 */
341 return BN_BLINDING_invert_ex(f, unblind, b, ctx); 339 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
342 } 340}
343 341
344/* signing */ 342/* signing */
345static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 343static int
346 unsigned char *to, RSA *rsa, int padding) 344RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
347 { 345 RSA *rsa, int padding)
346{
348 BIGNUM *f, *ret, *res; 347 BIGNUM *f, *ret, *res;
349 int i,j,k,num=0,r= -1; 348 int i, j, k, num = 0, r = -1;
350 unsigned char *buf=NULL; 349 unsigned char *buf = NULL;
351 BN_CTX *ctx=NULL; 350 BN_CTX *ctx = NULL;
352 int local_blinding = 0; 351 int local_blinding = 0;
353 /* Used only if the blinding structure is shared. A non-NULL unblind 352 /*
353 * Used only if the blinding structure is shared. A non-NULL unblind
354 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 354 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
355 * the unblinding factor outside the blinding structure. */ 355 * the unblinding factor outside the blinding structure.
356 */
356 BIGNUM *unblind = NULL; 357 BIGNUM *unblind = NULL;
357 BN_BLINDING *blinding = NULL; 358 BN_BLINDING *blinding = NULL;
358 359
359 if ((ctx=BN_CTX_new()) == NULL) goto err; 360 if ((ctx=BN_CTX_new()) == NULL)
361 goto err;
360 BN_CTX_start(ctx); 362 BN_CTX_start(ctx);
361 f = BN_CTX_get(ctx); 363 f = BN_CTX_get(ctx);
362 ret = BN_CTX_get(ctx); 364 ret = BN_CTX_get(ctx);
363 num = BN_num_bytes(rsa->n); 365 num = BN_num_bytes(rsa->n);
364 buf = malloc(num); 366 buf = malloc(num);
365 if(!f || !ret || !buf) 367 if (!f || !ret || !buf) {
366 { 368 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
367 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
368 goto err; 369 goto err;
369 } 370 }
370 371
371 switch (padding) 372 switch (padding) {
372 {
373 case RSA_PKCS1_PADDING: 373 case RSA_PKCS1_PADDING:
374 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 374 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
375 break; 375 break;
376 case RSA_X931_PADDING: 376 case RSA_X931_PADDING:
377 i=RSA_padding_add_X931(buf,num,from,flen); 377 i = RSA_padding_add_X931(buf, num, from, flen);
378 break; 378 break;
379 case RSA_NO_PADDING: 379 case RSA_NO_PADDING:
380 i=RSA_padding_add_none(buf,num,from,flen); 380 i = RSA_padding_add_none(buf, num, from, flen);
381 break; 381 break;
382 case RSA_SSLV23_PADDING: 382 case RSA_SSLV23_PADDING:
383 default: 383 default:
384 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 384 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
385 RSA_R_UNKNOWN_PADDING_TYPE);
386 goto err;
387 }
388 if (i <= 0)
385 goto err; 389 goto err;
386 }
387 if (i <= 0) goto err;
388 390
389 if (BN_bin2bn(buf,num,f) == NULL) goto err; 391 if (BN_bin2bn(buf,num,f) == NULL)
392 goto err;
390 393
391 if (BN_ucmp(f, rsa->n) >= 0) 394 if (BN_ucmp(f, rsa->n) >= 0) {
392 {
393 /* usually the padding functions would catch this */ 395 /* usually the padding functions would catch this */
394 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 396 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
397 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
395 goto err; 398 goto err;
396 } 399 }
397 400
398 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 401 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
399 {
400 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 402 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
401 if (blinding == NULL) 403 if (blinding == NULL) {
402 { 404 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
403 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 405 ERR_R_INTERNAL_ERROR);
404 goto err; 406 goto err;
405 }
406 } 407 }
408 }
407 409
408 if (blinding != NULL) 410 if (blinding != NULL) {
409 { 411 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
410 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) 412 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
411 { 413 ERR_R_MALLOC_FAILURE);
412 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
413 goto err; 414 goto err;
414 } 415 }
415 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 416 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
416 goto err; 417 goto err;
417 } 418 }
418 419
419 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 420 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
420 ((rsa->p != NULL) && 421 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
421 (rsa->q != NULL) && 422 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
422 (rsa->dmp1 != NULL) && 423 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
423 (rsa->dmq1 != NULL) && 424 goto err;
424 (rsa->iqmp != NULL)) ) 425 } else {
425 {
426 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
427 }
428 else
429 {
430 BIGNUM local_d; 426 BIGNUM local_d;
431 BIGNUM *d = NULL; 427 BIGNUM *d = NULL;
432 428
433 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 429 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
434 {
435 BN_init(&local_d); 430 BN_init(&local_d);
436 d = &local_d; 431 d = &local_d;
437 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 432 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
438 } 433 } else
439 else 434 d = rsa->d;
440 d= rsa->d;
441 435
442 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 436 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
443 if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 437 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
438 CRYPTO_LOCK_RSA, rsa->n, ctx))
444 goto err; 439 goto err;
445 440
446 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 441 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n,ctx,
447 rsa->_method_mod_n)) goto err; 442 rsa->_method_mod_n))
448 } 443 goto err;
444 }
449 445
450 if (blinding) 446 if (blinding)
451 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 447 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
452 goto err; 448 goto err;
453 449
454 if (padding == RSA_X931_PADDING) 450 if (padding == RSA_X931_PADDING) {
455 {
456 BN_sub(f, rsa->n, ret); 451 BN_sub(f, rsa->n, ret);
457 if (BN_cmp(ret, f)) 452 if (BN_cmp(ret, f))
458 res = f; 453 res = f;
459 else 454 else
460 res = ret; 455 res = ret;
461 } 456 } else
462 else
463 res = ret; 457 res = ret;
464 458
465 /* put in leading 0 bytes if the number is less than the 459 /* put in leading 0 bytes if the number is less than the
466 * length of the modulus */ 460 * length of the modulus */
467 j=BN_num_bytes(res); 461 j = BN_num_bytes(res);
468 i=BN_bn2bin(res,&(to[num-j])); 462 i = BN_bn2bin(res, &(to[num - j]));
469 for (k=0; k<(num-i); k++) 463 for (k = 0; k < num - i; k++)
470 to[k]=0; 464 to[k] = 0;
471 465
472 r=num; 466 r = num;
473err: 467err:
474 if (ctx != NULL) 468 if (ctx != NULL) {
475 {
476 BN_CTX_end(ctx); 469 BN_CTX_end(ctx);
477 BN_CTX_free(ctx); 470 BN_CTX_free(ctx);
478 } 471 }
479 if (buf != NULL) 472 if (buf != NULL) {
480 { 473 OPENSSL_cleanse(buf, num);
481 OPENSSL_cleanse(buf,num);
482 free(buf); 474 free(buf);
483 }
484 return(r);
485 } 475 }
476 return r;
477}
486 478
487static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 479static int
488 unsigned char *to, RSA *rsa, int padding) 480RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
489 { 481 RSA *rsa, int padding)
482{
490 BIGNUM *f, *ret; 483 BIGNUM *f, *ret;
491 int j,num=0,r= -1; 484 int j, num = 0, r = -1;
492 unsigned char *p; 485 unsigned char *p;
493 unsigned char *buf=NULL; 486 unsigned char *buf = NULL;
494 BN_CTX *ctx=NULL; 487 BN_CTX *ctx = NULL;
495 int local_blinding = 0; 488 int local_blinding = 0;
496 /* Used only if the blinding structure is shared. A non-NULL unblind 489 /*
490 * Used only if the blinding structure is shared. A non-NULL unblind
497 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 491 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
498 * the unblinding factor outside the blinding structure. */ 492 * the unblinding factor outside the blinding structure.
493 */
499 BIGNUM *unblind = NULL; 494 BIGNUM *unblind = NULL;
500 BN_BLINDING *blinding = NULL; 495 BN_BLINDING *blinding = NULL;
501 496
502 if((ctx = BN_CTX_new()) == NULL) goto err; 497 if ((ctx = BN_CTX_new()) == NULL)
498 goto err;
503 BN_CTX_start(ctx); 499 BN_CTX_start(ctx);
504 f = BN_CTX_get(ctx); 500 f = BN_CTX_get(ctx);
505 ret = BN_CTX_get(ctx); 501 ret = BN_CTX_get(ctx);
506 num = BN_num_bytes(rsa->n); 502 num = BN_num_bytes(rsa->n);
507 buf = malloc(num); 503 buf = malloc(num);
508 if(!f || !ret || !buf) 504 if (!f || !ret || !buf) {
509 { 505 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
510 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
511 goto err; 506 goto err;
512 } 507 }
513 508
514 /* This check was for equality but PGP does evil things 509 /* This check was for equality but PGP does evil things
515 * and chops off the top '0' bytes */ 510 * and chops off the top '0' bytes */
516 if (flen > num) 511 if (flen > num) {
517 { 512 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
518 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 513 RSA_R_DATA_GREATER_THAN_MOD_LEN);
519 goto err; 514 goto err;
520 } 515 }
521 516
522 /* make data into a big number */ 517 /* make data into a big number */
523 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; 518 if (BN_bin2bn(from, (int)flen, f) == NULL)
519 goto err;
524 520
525 if (BN_ucmp(f, rsa->n) >= 0) 521 if (BN_ucmp(f, rsa->n) >= 0) {
526 { 522 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
527 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 523 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
528 goto err; 524 goto err;
529 } 525 }
530 526
531 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 527 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
532 {
533 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 528 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
534 if (blinding == NULL) 529 if (blinding == NULL) {
535 { 530 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
536 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 531 ERR_R_INTERNAL_ERROR);
537 goto err; 532 goto err;
538 }
539 } 533 }
534 }
540 535
541 if (blinding != NULL) 536 if (blinding != NULL) {
542 { 537 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
543 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) 538 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
544 { 539 ERR_R_MALLOC_FAILURE);
545 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
546 goto err; 540 goto err;
547 } 541 }
548 if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 542 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
549 goto err; 543 goto err;
550 } 544 }
551 545
552 /* do the decrypt */ 546 /* do the decrypt */
553 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 547 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
554 ((rsa->p != NULL) && 548 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
555 (rsa->q != NULL) && 549 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
556 (rsa->dmp1 != NULL) && 550 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
557 (rsa->dmq1 != NULL) && 551 goto err;
558 (rsa->iqmp != NULL)) ) 552 } else {
559 {
560 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
561 }
562 else
563 {
564 BIGNUM local_d; 553 BIGNUM local_d;
565 BIGNUM *d = NULL; 554 BIGNUM *d = NULL;
566 555
567 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 556 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
568 {
569 d = &local_d; 557 d = &local_d;
570 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 558 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
571 } 559 } else
572 else
573 d = rsa->d; 560 d = rsa->d;
574 561
575 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 562 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
576 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 563 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
564 CRYPTO_LOCK_RSA, rsa->n, ctx))
577 goto err; 565 goto err;
578 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 566 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
579 rsa->_method_mod_n)) 567 rsa->_method_mod_n))
580 goto err; 568 goto err;
581 } 569 }
582 570
583 if (blinding) 571 if (blinding)
584 if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 572 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
585 goto err; 573 goto err;
586 574
587 p=buf; 575 p = buf;
588 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ 576 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
589 577
590 switch (padding) 578 switch (padding) {
591 {
592 case RSA_PKCS1_PADDING: 579 case RSA_PKCS1_PADDING:
593 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 580 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
594 break; 581 break;
595#ifndef OPENSSL_NO_SHA 582#ifndef OPENSSL_NO_SHA
596 case RSA_PKCS1_OAEP_PADDING: 583 case RSA_PKCS1_OAEP_PADDING:
597 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 584 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
598 break; 585 break;
599#endif 586#endif
600 case RSA_SSLV23_PADDING: 587 case RSA_SSLV23_PADDING:
601 r=RSA_padding_check_SSLv23(to,num,buf,j,num); 588 r = RSA_padding_check_SSLv23(to, num, buf, j, num);
602 break; 589 break;
603 case RSA_NO_PADDING: 590 case RSA_NO_PADDING:
604 r=RSA_padding_check_none(to,num,buf,j,num); 591 r = RSA_padding_check_none(to, num, buf, j, num);
605 break; 592 break;
606 default: 593 default:
607 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 594 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
595 RSA_R_UNKNOWN_PADDING_TYPE);
608 goto err; 596 goto err;
609 } 597 }
610 if (r < 0) 598 if (r < 0)
611 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 599 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
600 RSA_R_PADDING_CHECK_FAILED);
612 601
613err: 602err:
614 if (ctx != NULL) 603 if (ctx != NULL) {
615 {
616 BN_CTX_end(ctx); 604 BN_CTX_end(ctx);
617 BN_CTX_free(ctx); 605 BN_CTX_free(ctx);
618 } 606 }
619 if (buf != NULL) 607 if (buf != NULL) {
620 {
621 OPENSSL_cleanse(buf,num); 608 OPENSSL_cleanse(buf,num);
622 free(buf); 609 free(buf);
623 }
624 return(r);
625 } 610 }
611 return r;
612}
626 613
627/* signature verification */ 614/* signature verification */
628static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 615static int
629 unsigned char *to, RSA *rsa, int padding) 616RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
630 { 617 RSA *rsa, int padding)
631 BIGNUM *f,*ret; 618{
632 int i,num=0,r= -1; 619 BIGNUM *f, *ret;
620 int i, num = 0,r = -1;
633 unsigned char *p; 621 unsigned char *p;
634 unsigned char *buf=NULL; 622 unsigned char *buf = NULL;
635 BN_CTX *ctx=NULL; 623 BN_CTX *ctx = NULL;
636 624
637 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 625 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
638 {
639 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 626 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
640 return -1; 627 return -1;
641 } 628 }
642 629
643 if (BN_ucmp(rsa->n, rsa->e) <= 0) 630 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
644 {
645 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 631 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
646 return -1; 632 return -1;
647 } 633 }
648 634
649 /* for large moduli, enforce exponent limit */ 635 /* for large moduli, enforce exponent limit */
650 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 636 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
651 { 637 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
652 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
653 {
654 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 638 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
655 return -1; 639 return -1;
656 }
657 } 640 }
641 }
658 642
659 if((ctx = BN_CTX_new()) == NULL) goto err; 643 if ((ctx = BN_CTX_new()) == NULL)
644 goto err;
660 BN_CTX_start(ctx); 645 BN_CTX_start(ctx);
661 f = BN_CTX_get(ctx); 646 f = BN_CTX_get(ctx);
662 ret = BN_CTX_get(ctx); 647 ret = BN_CTX_get(ctx);
663 num=BN_num_bytes(rsa->n); 648 num = BN_num_bytes(rsa->n);
664 buf = malloc(num); 649 buf = malloc(num);
665 if(!f || !ret || !buf) 650 if (!f || !ret || !buf) {
666 { 651 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
667 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
668 goto err; 652 goto err;
669 } 653 }
670 654
671 /* This check was for equality but PGP does evil things 655 /* This check was for equality but PGP does evil things
672 * and chops off the top '0' bytes */ 656 * and chops off the top '0' bytes */
673 if (flen > num) 657 if (flen > num) {
674 { 658 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
675 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 659 RSA_R_DATA_GREATER_THAN_MOD_LEN);
676 goto err; 660 goto err;
677 } 661 }
678 662
679 if (BN_bin2bn(from,flen,f) == NULL) goto err; 663 if (BN_bin2bn(from,flen,f) == NULL)
664 goto err;
680 665
681 if (BN_ucmp(f, rsa->n) >= 0) 666 if (BN_ucmp(f, rsa->n) >= 0) {
682 { 667 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
683 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 668 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
684 goto err; 669 goto err;
685 } 670 }
686 671
687 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 672 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
688 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 673 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
674 CRYPTO_LOCK_RSA, rsa->n, ctx))
689 goto err; 675 goto err;
690 676
691 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 677 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
692 rsa->_method_mod_n)) goto err; 678 rsa->_method_mod_n))
679 goto err;
693 680
694 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 681 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
695 if (!BN_sub(ret, rsa->n, ret)) goto err; 682 if (!BN_sub(ret, rsa->n, ret))
683 goto err;
696 684
697 p=buf; 685 p = buf;
698 i=BN_bn2bin(ret,p); 686 i = BN_bn2bin(ret, p);
699 687
700 switch (padding) 688 switch (padding) {
701 {
702 case RSA_PKCS1_PADDING: 689 case RSA_PKCS1_PADDING:
703 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 690 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
704 break; 691 break;
705 case RSA_X931_PADDING: 692 case RSA_X931_PADDING:
706 r=RSA_padding_check_X931(to,num,buf,i,num); 693 r = RSA_padding_check_X931(to, num, buf, i, num);
707 break; 694 break;
708 case RSA_NO_PADDING: 695 case RSA_NO_PADDING:
709 r=RSA_padding_check_none(to,num,buf,i,num); 696 r = RSA_padding_check_none(to, num, buf, i, num);
710 break; 697 break;
711 default: 698 default:
712 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 699 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
700 RSA_R_UNKNOWN_PADDING_TYPE);
713 goto err; 701 goto err;
714 } 702 }
715 if (r < 0) 703 if (r < 0)
716 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 704 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
705 RSA_R_PADDING_CHECK_FAILED);
717 706
718err: 707err:
719 if (ctx != NULL) 708 if (ctx != NULL) {
720 {
721 BN_CTX_end(ctx); 709 BN_CTX_end(ctx);
722 BN_CTX_free(ctx); 710 BN_CTX_free(ctx);
723 } 711 }
724 if (buf != NULL) 712 if (buf != NULL) {
725 { 713 OPENSSL_cleanse(buf, num);
726 OPENSSL_cleanse(buf,num);
727 free(buf); 714 free(buf);
728 }
729 return(r);
730 } 715 }
716 return r;
717}
731 718
732static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 719static int
733 { 720RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
734 BIGNUM *r1,*m1,*vrfy; 721{
735 BIGNUM local_dmp1,local_dmq1,local_c,local_r1; 722 BIGNUM *r1, *m1, *vrfy;
736 BIGNUM *dmp1,*dmq1,*c,*pr1; 723 BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
737 int ret=0; 724 BIGNUM *dmp1, *dmq1, *c, *pr1;
725 int ret = 0;
738 726
739 BN_CTX_start(ctx); 727 BN_CTX_start(ctx);
740 r1 = BN_CTX_get(ctx); 728 r1 = BN_CTX_get(ctx);
@@ -745,11 +733,11 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
745 BIGNUM local_p, local_q; 733 BIGNUM local_p, local_q;
746 BIGNUM *p = NULL, *q = NULL; 734 BIGNUM *p = NULL, *q = NULL;
747 735
748 /* Make sure BN_mod_inverse in Montgomery intialization uses the 736 /*
737 * Make sure BN_mod_inverse in Montgomery intialization uses the
749 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 738 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
750 */ 739 */
751 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 740 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
752 {
753 BN_init(&local_p); 741 BN_init(&local_p);
754 p = &local_p; 742 p = &local_p;
755 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 743 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
@@ -757,91 +745,92 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
757 BN_init(&local_q); 745 BN_init(&local_q);
758 q = &local_q; 746 q = &local_q;
759 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 747 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
760 } 748 } else {
761 else
762 {
763 p = rsa->p; 749 p = rsa->p;
764 q = rsa->q; 750 q = rsa->q;
765 } 751 }
766 752
767 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 753 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
768 { 754 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
769 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) 755 CRYPTO_LOCK_RSA, p, ctx))
770 goto err; 756 goto err;
771 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) 757 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
758 CRYPTO_LOCK_RSA, q, ctx))
772 goto err; 759 goto err;
773 } 760 }
774 } 761 }
775 762
776 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 763 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
777 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 764 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
765 CRYPTO_LOCK_RSA, rsa->n, ctx))
778 goto err; 766 goto err;
779 767
780 /* compute I mod q */ 768 /* compute I mod q */
781 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 769 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
782 {
783 c = &local_c; 770 c = &local_c;
784 BN_with_flags(c, I, BN_FLG_CONSTTIME); 771 BN_with_flags(c, I, BN_FLG_CONSTTIME);
785 if (!BN_mod(r1,c,rsa->q,ctx)) goto err; 772 if (!BN_mod(r1, c, rsa->q, ctx))
786 } 773 goto err;
787 else 774 } else {
788 { 775 if (!BN_mod(r1, I, rsa->q, ctx))
789 if (!BN_mod(r1,I,rsa->q,ctx)) goto err; 776 goto err;
790 } 777 }
791 778
792 /* compute r1^dmq1 mod q */ 779 /* compute r1^dmq1 mod q */
793 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 780 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
794 {
795 dmq1 = &local_dmq1; 781 dmq1 = &local_dmq1;
796 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 782 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
797 } 783 } else
798 else
799 dmq1 = rsa->dmq1; 784 dmq1 = rsa->dmq1;
800 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, 785 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
801 rsa->_method_mod_q)) goto err; 786 rsa->_method_mod_q))
787 goto err;
802 788
803 /* compute I mod p */ 789 /* compute I mod p */
804 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 790 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
805 {
806 c = &local_c; 791 c = &local_c;
807 BN_with_flags(c, I, BN_FLG_CONSTTIME); 792 BN_with_flags(c, I, BN_FLG_CONSTTIME);
808 if (!BN_mod(r1,c,rsa->p,ctx)) goto err; 793 if (!BN_mod(r1, c, rsa->p, ctx))
809 } 794 goto err;
810 else 795 } else {
811 { 796 if (!BN_mod(r1, I, rsa->p, ctx))
812 if (!BN_mod(r1,I,rsa->p,ctx)) goto err; 797 goto err;
813 } 798 }
814 799
815 /* compute r1^dmp1 mod p */ 800 /* compute r1^dmp1 mod p */
816 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 801 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
817 {
818 dmp1 = &local_dmp1; 802 dmp1 = &local_dmp1;
819 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 803 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
820 } 804 } else
821 else
822 dmp1 = rsa->dmp1; 805 dmp1 = rsa->dmp1;
823 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, 806 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p,ctx,
824 rsa->_method_mod_p)) goto err; 807 rsa->_method_mod_p))
808 goto err;
825 809
826 if (!BN_sub(r0,r0,m1)) goto err; 810 if (!BN_sub(r0, r0, m1))
827 /* This will help stop the size of r0 increasing, which does 811 goto err;
828 * affect the multiply if it optimised for a power of 2 size */ 812 /*
813 * This will help stop the size of r0 increasing, which does
814 * affect the multiply if it optimised for a power of 2 size
815 */
829 if (BN_is_negative(r0)) 816 if (BN_is_negative(r0))
830 if (!BN_add(r0,r0,rsa->p)) goto err; 817 if (!BN_add(r0, r0, rsa->p))
818 goto err;
831 819
832 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; 820 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
821 goto err;
833 822
834 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 823 /* Turn BN_FLG_CONSTTIME flag on before division operation */
835 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 824 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
836 {
837 pr1 = &local_r1; 825 pr1 = &local_r1;
838 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 826 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
839 } 827 } else
840 else
841 pr1 = r1; 828 pr1 = r1;
842 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; 829 if (!BN_mod(r0, pr1, rsa->p,ctx))
830 goto err;
843 831
844 /* If p < q it is occasionally possible for the correction of 832 /*
833 * If p < q it is occasionally possible for the correction of
845 * adding 'p' if r0 is negative above to leave the result still 834 * adding 'p' if r0 is negative above to leave the result still
846 * negative. This can break the private key operations: the following 835 * negative. This can break the private key operations: the following
847 * second correction should *always* correct this rare occurrence. 836 * second correction should *always* correct this rare occurrence.
@@ -849,62 +838,73 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
849 * they ensure p > q [steve] 838 * they ensure p > q [steve]
850 */ 839 */
851 if (BN_is_negative(r0)) 840 if (BN_is_negative(r0))
852 if (!BN_add(r0,r0,rsa->p)) goto err; 841 if (!BN_add(r0, r0, rsa->p))
853 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 842 goto err;
854 if (!BN_add(r0,r1,m1)) goto err; 843 if (!BN_mul(r1, r0, rsa->q, ctx))
855 844 goto err;
856 if (rsa->e && rsa->n) 845 if (!BN_add(r0, r1, m1))
857 { 846 goto err;
858 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; 847
859 /* If 'I' was greater than (or equal to) rsa->n, the operation 848 if (rsa->e && rsa->n) {
849 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
850 rsa->_method_mod_n))
851 goto err;
852 /*
853 * If 'I' was greater than (or equal to) rsa->n, the operation
860 * will be equivalent to using 'I mod n'. However, the result of 854 * will be equivalent to using 'I mod n'. However, the result of
861 * the verify will *always* be less than 'n' so we don't check 855 * the verify will *always* be less than 'n' so we don't check
862 * for absolute equality, just congruency. */ 856 * for absolute equality, just congruency.
863 if (!BN_sub(vrfy, vrfy, I)) goto err; 857 */
864 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; 858 if (!BN_sub(vrfy, vrfy, I))
859 goto err;
860 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
861 goto err;
865 if (BN_is_negative(vrfy)) 862 if (BN_is_negative(vrfy))
866 if (!BN_add(vrfy, vrfy, rsa->n)) goto err; 863 if (!BN_add(vrfy, vrfy, rsa->n))
867 if (!BN_is_zero(vrfy)) 864 goto err;
868 { 865 if (!BN_is_zero(vrfy)) {
869 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 866 /*
867 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
870 * miscalculated CRT output, just do a raw (slower) 868 * miscalculated CRT output, just do a raw (slower)
871 * mod_exp and return that instead. */ 869 * mod_exp and return that instead.
870 */
872 871
873 BIGNUM local_d; 872 BIGNUM local_d;
874 BIGNUM *d = NULL; 873 BIGNUM *d = NULL;
875 874
876 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 875 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
877 {
878 d = &local_d; 876 d = &local_d;
879 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 877 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
880 } 878 } else
881 else
882 d = rsa->d; 879 d = rsa->d;
883 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, 880 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
884 rsa->_method_mod_n)) goto err; 881 rsa->_method_mod_n))
885 } 882 goto err;
886 } 883 }
887 ret=1; 884 }
885 ret = 1;
888err: 886err:
889 BN_CTX_end(ctx); 887 BN_CTX_end(ctx);
890 return(ret); 888 return ret;
891 } 889}
892 890
893static int RSA_eay_init(RSA *rsa) 891static int
894 { 892RSA_eay_init(RSA *rsa)
895 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 893{
896 return(1); 894 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
897 } 895 return 1 ;
896}
898 897
899static int RSA_eay_finish(RSA *rsa) 898static int
900 { 899RSA_eay_finish(RSA *rsa)
900{
901 if (rsa->_method_mod_n != NULL) 901 if (rsa->_method_mod_n != NULL)
902 BN_MONT_CTX_free(rsa->_method_mod_n); 902 BN_MONT_CTX_free(rsa->_method_mod_n);
903 if (rsa->_method_mod_p != NULL) 903 if (rsa->_method_mod_p != NULL)
904 BN_MONT_CTX_free(rsa->_method_mod_p); 904 BN_MONT_CTX_free(rsa->_method_mod_p);
905 if (rsa->_method_mod_q != NULL) 905 if (rsa->_method_mod_q != NULL)
906 BN_MONT_CTX_free(rsa->_method_mod_q); 906 BN_MONT_CTX_free(rsa->_method_mod_q);
907 return(1); 907 return 1;
908 } 908}
909 909
910#endif 910#endif
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_gen.c b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
index 9745b6d6ed..3a6aa1ca7a 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_gen.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_gen.c,v 1.13 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_gen.c,v 1.14 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -70,150 +70,168 @@
70 70
71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); 71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
72 72
73/* NB: this wrapper would normally be placed in rsa_lib.c and the static 73/*
74 * NB: this wrapper would normally be placed in rsa_lib.c and the static
74 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so 75 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
75 * that we don't introduce a new linker dependency. Eg. any application that 76 * that we don't introduce a new linker dependency. Eg. any application that
76 * wasn't previously linking object code related to key-generation won't have to 77 * wasn't previously linking object code related to key-generation won't have to
77 * now just because key-generation is part of RSA_METHOD. */ 78 * now just because key-generation is part of RSA_METHOD.
78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 79 */
79 { 80int
80 if(rsa->meth->rsa_keygen) 81RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
82{
83 if (rsa->meth->rsa_keygen)
81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); 84 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
82 return rsa_builtin_keygen(rsa, bits, e_value, cb); 85 return rsa_builtin_keygen(rsa, bits, e_value, cb);
83 } 86}
84 87
85static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 88static int
86 { 89rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
87 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp; 90{
88 BIGNUM local_r0,local_d,local_p; 91 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
89 BIGNUM *pr0,*d,*p; 92 BIGNUM local_r0, local_d, local_p;
90 int bitsp,bitsq,ok= -1,n=0; 93 BIGNUM *pr0, *d, *p;
91 BN_CTX *ctx=NULL; 94 int bitsp, bitsq, ok = -1, n = 0;
92 95 BN_CTX *ctx = NULL;
93 ctx=BN_CTX_new(); 96
94 if (ctx == NULL) goto err; 97 ctx = BN_CTX_new();
98 if (ctx == NULL)
99 goto err;
95 BN_CTX_start(ctx); 100 BN_CTX_start(ctx);
96 r0 = BN_CTX_get(ctx); 101 r0 = BN_CTX_get(ctx);
97 r1 = BN_CTX_get(ctx); 102 r1 = BN_CTX_get(ctx);
98 r2 = BN_CTX_get(ctx); 103 r2 = BN_CTX_get(ctx);
99 r3 = BN_CTX_get(ctx); 104 r3 = BN_CTX_get(ctx);
100 if (r3 == NULL) goto err; 105 if (r3 == NULL)
106 goto err;
101 107
102 bitsp=(bits+1)/2; 108 bitsp = (bits + 1) / 2;
103 bitsq=bits-bitsp; 109 bitsq = bits - bitsp;
104 110
105 /* We need the RSA components non-NULL */ 111 /* We need the RSA components non-NULL */
106 if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err; 112 if (!rsa->n && ((rsa->n = BN_new()) == NULL))
107 if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err; 113 goto err;
108 if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err; 114 if (!rsa->d && ((rsa->d = BN_new()) == NULL))
109 if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err; 115 goto err;
110 if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err; 116 if (!rsa->e && ((rsa->e = BN_new()) == NULL))
111 if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err; 117 goto err;
112 if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err; 118 if (!rsa->p && ((rsa->p = BN_new()) == NULL))
113 if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err; 119 goto err;
120 if (!rsa->q && ((rsa->q = BN_new()) == NULL))
121 goto err;
122 if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
123 goto err;
124 if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
125 goto err;
126 if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
127 goto err;
114 128
115 BN_copy(rsa->e, e_value); 129 BN_copy(rsa->e, e_value);
116 130
117 /* generate p and q */ 131 /* generate p and q */
118 for (;;) 132 for (;;) {
119 { 133 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
120 if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
121 goto err; 134 goto err;
122 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err; 135 if (!BN_sub(r2, rsa->p, BN_value_one()))
123 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
124 if (BN_is_one(r1)) break;
125 if(!BN_GENCB_call(cb, 2, n++))
126 goto err; 136 goto err;
127 } 137 if (!BN_gcd(r1, r2, rsa->e, ctx))
128 if(!BN_GENCB_call(cb, 3, 0)) 138 goto err;
139 if (BN_is_one(r1))
140 break;
141 if (!BN_GENCB_call(cb, 2, n++))
142 goto err;
143 }
144 if (!BN_GENCB_call(cb, 3, 0))
129 goto err; 145 goto err;
130 for (;;) 146 for (;;) {
131 { 147 /*
132 /* When generating ridiculously small keys, we can get stuck 148 * When generating ridiculously small keys, we can get stuck
133 * continually regenerating the same prime values. Check for 149 * continually regenerating the same prime values. Check for
134 * this and bail if it happens 3 times. */ 150 * this and bail if it happens 3 times.
151 */
135 unsigned int degenerate = 0; 152 unsigned int degenerate = 0;
136 do 153 do {
137 { 154 if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL,
138 if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) 155 cb))
139 goto err; 156 goto err;
140 } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); 157 } while (BN_cmp(rsa->p, rsa->q) == 0 &&
141 if(degenerate == 3) 158 ++degenerate < 3);
142 { 159 if (degenerate == 3) {
143 ok = 0; /* we set our own err */ 160 ok = 0; /* we set our own err */
144 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL); 161 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,
162 RSA_R_KEY_SIZE_TOO_SMALL);
163 goto err;
164 }
165 if (!BN_sub(r2, rsa->q, BN_value_one()))
166 goto err;
167 if (!BN_gcd(r1, r2, rsa->e, ctx))
145 goto err; 168 goto err;
146 }
147 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
148 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
149 if (BN_is_one(r1)) 169 if (BN_is_one(r1))
150 break; 170 break;
151 if(!BN_GENCB_call(cb, 2, n++)) 171 if (!BN_GENCB_call(cb, 2, n++))
152 goto err; 172 goto err;
153 } 173 }
154 if(!BN_GENCB_call(cb, 3, 1)) 174 if (!BN_GENCB_call(cb, 3, 1))
155 goto err; 175 goto err;
156 if (BN_cmp(rsa->p,rsa->q) < 0) 176 if (BN_cmp(rsa->p,rsa->q) < 0) {
157 { 177 tmp = rsa->p;
158 tmp=rsa->p; 178 rsa->p = rsa->q;
159 rsa->p=rsa->q; 179 rsa->q = tmp;
160 rsa->q=tmp; 180 }
161 }
162 181
163 /* calculate n */ 182 /* calculate n */
164 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err; 183 if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
184 goto err;
165 185
166 /* calculate d */ 186 /* calculate d */
167 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */ 187 if (!BN_sub(r1, rsa->p, BN_value_one())) /* p-1 */
168 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */ 188 goto err;
169 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */ 189 if (!BN_sub(r2, rsa->q, BN_value_one())) /* q-1 */
170 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 190 goto err;
171 { 191 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
192 goto err;
193 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
172 pr0 = &local_r0; 194 pr0 = &local_r0;
173 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); 195 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
174 } 196 } else
175 else 197 pr0 = r0;
176 pr0 = r0; 198 if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
177 if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */ 199 goto err;
178 200
179 /* set up d for correct BN_FLG_CONSTTIME flag */ 201 /* set up d for correct BN_FLG_CONSTTIME flag */
180 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 202 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
181 {
182 d = &local_d; 203 d = &local_d;
183 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 204 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
184 } 205 } else
185 else
186 d = rsa->d; 206 d = rsa->d;
187 207
188 /* calculate d mod (p-1) */ 208 /* calculate d mod (p-1) */
189 if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err; 209 if (!BN_mod(rsa->dmp1, d, r1, ctx))
210 goto err;
190 211
191 /* calculate d mod (q-1) */ 212 /* calculate d mod (q-1) */
192 if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err; 213 if (!BN_mod(rsa->dmq1, d, r2, ctx))
214 goto err;
193 215
194 /* calculate inverse of q mod p */ 216 /* calculate inverse of q mod p */
195 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 217 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
196 {
197 p = &local_p; 218 p = &local_p;
198 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 219 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
199 } 220 } else
200 else
201 p = rsa->p; 221 p = rsa->p;
202 if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err; 222 if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
223 goto err;
203 224
204 ok=1; 225 ok = 1;
205err: 226err:
206 if (ok == -1) 227 if (ok == -1) {
207 { 228 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
208 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN); 229 ok = 0;
209 ok=0; 230 }
210 } 231 if (ctx != NULL) {
211 if (ctx != NULL)
212 {
213 BN_CTX_end(ctx); 232 BN_CTX_end(ctx);
214 BN_CTX_free(ctx); 233 BN_CTX_free(ctx);
215 }
216
217 return ok;
218 } 234 }
219 235
236 return ok;
237}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_lib.c b/src/lib/libssl/src/crypto/rsa/rsa_lib.c
index 05eb53cc83..054690cee6 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_lib.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_lib.c,v 1.20 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_lib.c,v 1.21 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -67,148 +67,150 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; 70const char RSA_version[] = "RSA" OPENSSL_VERSION_PTEXT;
71 71
72static const RSA_METHOD *default_RSA_meth=NULL; 72static const RSA_METHOD *default_RSA_meth = NULL;
73 73
74RSA *RSA_new(void) 74RSA *
75 { 75RSA_new(void)
76 RSA *r=RSA_new_method(NULL); 76{
77 RSA *r = RSA_new_method(NULL);
77 78
78 return r; 79 return r;
79 } 80}
80 81
81void RSA_set_default_method(const RSA_METHOD *meth) 82void
82 { 83RSA_set_default_method(const RSA_METHOD *meth)
84{
83 default_RSA_meth = meth; 85 default_RSA_meth = meth;
84 } 86}
85 87
86const RSA_METHOD *RSA_get_default_method(void) 88const RSA_METHOD *
87 { 89RSA_get_default_method(void)
88 if (default_RSA_meth == NULL) 90{
89 { 91 if (default_RSA_meth == NULL) {
90#ifdef RSA_NULL 92#ifdef RSA_NULL
91 default_RSA_meth=RSA_null_method(); 93 default_RSA_meth = RSA_null_method();
92#else 94#else
93 default_RSA_meth=RSA_PKCS1_SSLeay(); 95 default_RSA_meth = RSA_PKCS1_SSLeay();
94#endif 96#endif
95 } 97 }
96 98
97 return default_RSA_meth; 99 return default_RSA_meth;
98 } 100}
99 101
100const RSA_METHOD *RSA_get_method(const RSA *rsa) 102const RSA_METHOD *
101 { 103RSA_get_method(const RSA *rsa)
104{
102 return rsa->meth; 105 return rsa->meth;
103 } 106}
104 107
105int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) 108int
106 { 109RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
107 /* NB: The caller is specifically setting a method, so it's not up to us 110{
108 * to deal with which ENGINE it comes from. */ 111 /*
112 * NB: The caller is specifically setting a method, so it's not up to us
113 * to deal with which ENGINE it comes from.
114 */
109 const RSA_METHOD *mtmp; 115 const RSA_METHOD *mtmp;
116
110 mtmp = rsa->meth; 117 mtmp = rsa->meth;
111 if (mtmp->finish) mtmp->finish(rsa); 118 if (mtmp->finish)
119 mtmp->finish(rsa);
112#ifndef OPENSSL_NO_ENGINE 120#ifndef OPENSSL_NO_ENGINE
113 if (rsa->engine) 121 if (rsa->engine) {
114 {
115 ENGINE_finish(rsa->engine); 122 ENGINE_finish(rsa->engine);
116 rsa->engine = NULL; 123 rsa->engine = NULL;
117 } 124 }
118#endif 125#endif
119 rsa->meth = meth; 126 rsa->meth = meth;
120 if (meth->init) meth->init(rsa); 127 if (meth->init)
128 meth->init(rsa);
121 return 1; 129 return 1;
122 } 130}
123 131
124RSA *RSA_new_method(ENGINE *engine) 132RSA *
125 { 133RSA_new_method(ENGINE *engine)
134{
126 RSA *ret; 135 RSA *ret;
127 136
128 ret = malloc(sizeof(RSA)); 137 ret = malloc(sizeof(RSA));
129 if (ret == NULL) 138 if (ret == NULL) {
130 { 139 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
131 RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
132 return NULL; 140 return NULL;
133 } 141 }
134 142
135 ret->meth = RSA_get_default_method(); 143 ret->meth = RSA_get_default_method();
136#ifndef OPENSSL_NO_ENGINE 144#ifndef OPENSSL_NO_ENGINE
137 if (engine) 145 if (engine) {
138 { 146 if (!ENGINE_init(engine)) {
139 if (!ENGINE_init(engine))
140 {
141 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB); 147 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
142 free(ret); 148 free(ret);
143 return NULL; 149 return NULL;
144 }
145 ret->engine = engine;
146 } 150 }
147 else 151 ret->engine = engine;
152 } else
148 ret->engine = ENGINE_get_default_RSA(); 153 ret->engine = ENGINE_get_default_RSA();
149 if(ret->engine) 154 if(ret->engine) {
150 {
151 ret->meth = ENGINE_get_RSA(ret->engine); 155 ret->meth = ENGINE_get_RSA(ret->engine);
152 if(!ret->meth) 156 if (!ret->meth) {
153 { 157 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
154 RSAerr(RSA_F_RSA_NEW_METHOD,
155 ERR_R_ENGINE_LIB);
156 ENGINE_finish(ret->engine); 158 ENGINE_finish(ret->engine);
157 free(ret); 159 free(ret);
158 return NULL; 160 return NULL;
159 }
160 } 161 }
162 }
161#endif 163#endif
162 164
163 ret->pad=0; 165 ret->pad = 0;
164 ret->version=0; 166 ret->version = 0;
165 ret->n=NULL; 167 ret->n = NULL;
166 ret->e=NULL; 168 ret->e = NULL;
167 ret->d=NULL; 169 ret->d = NULL;
168 ret->p=NULL; 170 ret->p = NULL;
169 ret->q=NULL; 171 ret->q = NULL;
170 ret->dmp1=NULL; 172 ret->dmp1 = NULL;
171 ret->dmq1=NULL; 173 ret->dmq1 = NULL;
172 ret->iqmp=NULL; 174 ret->iqmp = NULL;
173 ret->references=1; 175 ret->references = 1;
174 ret->_method_mod_n=NULL; 176 ret->_method_mod_n = NULL;
175 ret->_method_mod_p=NULL; 177 ret->_method_mod_p = NULL;
176 ret->_method_mod_q=NULL; 178 ret->_method_mod_q = NULL;
177 ret->blinding=NULL; 179 ret->blinding = NULL;
178 ret->mt_blinding=NULL; 180 ret->mt_blinding = NULL;
179 ret->bignum_data=NULL; 181 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
180 ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; 182 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
181 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
182 {
183#ifndef OPENSSL_NO_ENGINE 183#ifndef OPENSSL_NO_ENGINE
184 if (ret->engine) 184 if (ret->engine)
185 ENGINE_finish(ret->engine); 185 ENGINE_finish(ret->engine);
186#endif 186#endif
187 free(ret); 187 free(ret);
188 return(NULL); 188 return NULL;
189 } 189 }
190 190
191 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) 191 if (ret->meth->init != NULL && !ret->meth->init(ret)) {
192 {
193#ifndef OPENSSL_NO_ENGINE 192#ifndef OPENSSL_NO_ENGINE
194 if (ret->engine) 193 if (ret->engine)
195 ENGINE_finish(ret->engine); 194 ENGINE_finish(ret->engine);
196#endif 195#endif
197 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); 196 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
198 free(ret); 197 free(ret);
199 ret=NULL; 198 ret = NULL;
200 }
201 return(ret);
202 } 199 }
200 return ret;
201}
203 202
204void RSA_free(RSA *r) 203void
205 { 204RSA_free(RSA *r)
205{
206 int i; 206 int i;
207 207
208 if (r == NULL) return; 208 if (r == NULL)
209 return;
209 210
210 i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_RSA); 211 i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_RSA);
211 if (i > 0) return; 212 if (i > 0)
213 return;
212 214
213 if (r->meth->finish) 215 if (r->meth->finish)
214 r->meth->finish(r); 216 r->meth->finish(r);
@@ -219,42 +221,55 @@ void RSA_free(RSA *r)
219 221
220 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); 222 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
221 223
222 if (r->n != NULL) BN_clear_free(r->n); 224 if (r->n != NULL)
223 if (r->e != NULL) BN_clear_free(r->e); 225 BN_clear_free(r->n);
224 if (r->d != NULL) BN_clear_free(r->d); 226 if (r->e != NULL)
225 if (r->p != NULL) BN_clear_free(r->p); 227 BN_clear_free(r->e);
226 if (r->q != NULL) BN_clear_free(r->q); 228 if (r->d != NULL)
227 if (r->dmp1 != NULL) BN_clear_free(r->dmp1); 229 BN_clear_free(r->d);
228 if (r->dmq1 != NULL) BN_clear_free(r->dmq1); 230 if (r->p != NULL)
229 if (r->iqmp != NULL) BN_clear_free(r->iqmp); 231 BN_clear_free(r->p);
230 if (r->blinding != NULL) BN_BLINDING_free(r->blinding); 232 if (r->q != NULL)
231 if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding); 233 BN_clear_free(r->q);
232 free(r->bignum_data); 234 if (r->dmp1 != NULL)
235 BN_clear_free(r->dmp1);
236 if (r->dmq1 != NULL)
237 BN_clear_free(r->dmq1);
238 if (r->iqmp != NULL)
239 BN_clear_free(r->iqmp);
240 if (r->blinding != NULL)
241 BN_BLINDING_free(r->blinding);
242 if (r->mt_blinding != NULL)
243 BN_BLINDING_free(r->mt_blinding);
233 free(r); 244 free(r);
234 } 245}
235 246
236int RSA_up_ref(RSA *r) 247int
237 { 248RSA_up_ref(RSA *r)
249{
238 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA); 250 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
239 return ((i > 1) ? 1 : 0); 251 return i > 1 ? 1 : 0;
240 } 252}
241 253
242int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 254int
243 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 255RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
244 { 256 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
257{
245 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp, 258 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
246 new_func, dup_func, free_func); 259 new_func, dup_func, free_func);
247 } 260}
248 261
249int RSA_set_ex_data(RSA *r, int idx, void *arg) 262int
250 { 263RSA_set_ex_data(RSA *r, int idx, void *arg)
251 return(CRYPTO_set_ex_data(&r->ex_data,idx,arg)); 264{
252 } 265 return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
266}
253 267
254void *RSA_get_ex_data(const RSA *r, int idx) 268void *
255 { 269RSA_get_ex_data(const RSA *r, int idx)
256 return(CRYPTO_get_ex_data(&r->ex_data,idx)); 270{
257 } 271 return CRYPTO_get_ex_data(&r->ex_data, idx);
272}
258 273
259int RSA_memory_lock(RSA *r) 274int RSA_memory_lock(RSA *r)
260 { 275 {
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_none.c b/src/lib/libssl/src/crypto/rsa/rsa_none.c
index 1904c7c098..fde5eb6ef6 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_none.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_none.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_none.c,v 1.4 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_none.c,v 1.5 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -62,37 +62,36 @@
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64 64
65int RSA_padding_add_none(unsigned char *to, int tlen, 65int
66 const unsigned char *from, int flen) 66RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *from,
67 { 67 int flen)
68 if (flen > tlen) 68{
69 { 69 if (flen > tlen) {
70 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 70 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,
71 return(0); 71 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
72 } 72 return 0;
73
74 if (flen < tlen)
75 {
76 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
77 return(0);
78 }
79
80 memcpy(to,from,(unsigned int)flen);
81 return(1);
82 } 73 }
83 74
84int RSA_padding_check_none(unsigned char *to, int tlen, 75 if (flen < tlen) {
85 const unsigned char *from, int flen, int num) 76 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,
86 { 77 RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
87 78 return 0;
88 if (flen > tlen) 79 }
89 { 80
90 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE,RSA_R_DATA_TOO_LARGE); 81 memcpy(to, from, (unsigned int)flen);
91 return(-1); 82 return 1;
92 } 83}
93 84
94 memset(to,0,tlen-flen); 85int
95 memcpy(to+tlen-flen,from,flen); 86RSA_padding_check_none(unsigned char *to, int tlen, const unsigned char *from,
96 return(tlen); 87 int flen, int num)
88{
89 if (flen > tlen) {
90 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE, RSA_R_DATA_TOO_LARGE);
91 return -1;
97 } 92 }
98 93
94 memset(to, 0, tlen - flen);
95 memcpy(to + tlen - flen, from, flen);
96 return tlen;
97}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_null.c b/src/lib/libssl/src/crypto/rsa/rsa_null.c
index c4404fbe44..54f1cabc74 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_null.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_null.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_null.c,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_null.c,v 1.7 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -62,7 +62,8 @@
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64 64
65/* This is a dummy RSA implementation that just returns errors when called. 65/*
66 * This is a dummy RSA implementation that just returns errors when called.
66 * It is designed to allow some RSA functions to work while stopping those 67 * It is designed to allow some RSA functions to work while stopping those
67 * covered by the RSA patent. That is RSA, encryption, decryption, signing 68 * covered by the RSA patent. That is RSA, encryption, decryption, signing
68 * and verify is not allowed but RSA key generation, key checking and other 69 * and verify is not allowed but RSA key generation, key checking and other
@@ -92,53 +93,65 @@ static RSA_METHOD rsa_null_meth = {
92 .finish = RSA_null_finish, 93 .finish = RSA_null_finish,
93}; 94};
94 95
95const RSA_METHOD *RSA_null_method(void) 96const RSA_METHOD *
96 { 97RSA_null_method(void)
97 return(&rsa_null_meth); 98{
98 } 99 return &rsa_null_meth;
100}
99 101
100static int RSA_null_public_encrypt(int flen, const unsigned char *from, 102static int
101 unsigned char *to, RSA *rsa, int padding) 103RSA_null_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
102 { 104 RSA *rsa, int padding)
103 RSAerr(RSA_F_RSA_NULL_PUBLIC_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 105{
106 RSAerr(RSA_F_RSA_NULL_PUBLIC_ENCRYPT,
107 RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
104 return -1; 108 return -1;
105 } 109}
106 110
107static int RSA_null_private_encrypt(int flen, const unsigned char *from, 111static int
108 unsigned char *to, RSA *rsa, int padding) 112RSA_null_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
109 { 113 RSA *rsa, int padding)
110 RSAerr(RSA_F_RSA_NULL_PRIVATE_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 114{
115 RSAerr(RSA_F_RSA_NULL_PRIVATE_ENCRYPT,
116 RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
111 return -1; 117 return -1;
112 } 118}
113 119
114static int RSA_null_private_decrypt(int flen, const unsigned char *from, 120static int
115 unsigned char *to, RSA *rsa, int padding) 121RSA_null_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
116 { 122 RSA *rsa, int padding)
117 RSAerr(RSA_F_RSA_NULL_PRIVATE_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 123{
124 RSAerr(RSA_F_RSA_NULL_PRIVATE_DECRYPT,
125 RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
118 return -1; 126 return -1;
119 } 127}
120 128
121static int RSA_null_public_decrypt(int flen, const unsigned char *from, 129static int
122 unsigned char *to, RSA *rsa, int padding) 130RSA_null_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
123 { 131 RSA *rsa, int padding)
124 RSAerr(RSA_F_RSA_NULL_PUBLIC_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 132{
133 RSAerr(RSA_F_RSA_NULL_PUBLIC_DECRYPT,
134 RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
125 return -1; 135 return -1;
126 } 136}
127 137
128#if 0 /* not currently used */ 138#if 0 /* not currently used */
129static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) 139static int
130 { 140RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
141{
131 ...err(RSA_F_RSA_NULL_MOD_EXP, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 142 ...err(RSA_F_RSA_NULL_MOD_EXP, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
132 return -1; 143 return -1;
133 } 144}
134#endif 145#endif
135 146
136static int RSA_null_init(RSA *rsa) 147static int
137 { 148RSA_null_init(RSA *rsa)
138 return(1); 149{
139 } 150 return 1;
151}
140 152
141static int RSA_null_finish(RSA *rsa) 153static int
142 { 154RSA_null_finish(RSA *rsa)
143 return(1); 155{
144 } 156 return 1;
157}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_oaep.c b/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
index 695df4e0a0..f8f9935fac 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_oaep.c,v 1.16 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_oaep.c,v 1.17 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Ulf Moeller. This software is distributed on an "AS IS" 2/* Written by Ulf Moeller. This software is distributed on an "AS IS"
3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */ 3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
4 4
@@ -28,29 +28,28 @@
28#include <openssl/rand.h> 28#include <openssl/rand.h>
29#include <openssl/sha.h> 29#include <openssl/sha.h>
30 30
31static int MGF1(unsigned char *mask, long len, 31static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
32 const unsigned char *seed, long seedlen); 32 long seedlen);
33 33
34int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, 34int
35 const unsigned char *from, int flen, 35RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
36 const unsigned char *param, int plen) 36 const unsigned char *from, int flen, const unsigned char *param, int plen)
37 { 37{
38 int i, emlen = tlen - 1; 38 int i, emlen = tlen - 1;
39 unsigned char *db, *seed; 39 unsigned char *db, *seed;
40 unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH]; 40 unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
41 41
42 if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) 42 if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) {
43 {
44 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, 43 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
45 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 44 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
46 return 0; 45 return 0;
47 } 46 }
48 47
49 if (emlen < 2 * SHA_DIGEST_LENGTH + 1) 48 if (emlen < 2 * SHA_DIGEST_LENGTH + 1) {
50 { 49 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
51 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL); 50 RSA_R_KEY_SIZE_TOO_SMALL);
52 return 0; 51 return 0;
53 } 52 }
54 53
55 to[0] = 0; 54 to[0] = 0;
56 seed = to + 1; 55 seed = to + 1;
@@ -59,9 +58,9 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
59 if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL)) 58 if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))
60 return 0; 59 return 0;
61 memset(db + SHA_DIGEST_LENGTH, 0, 60 memset(db + SHA_DIGEST_LENGTH, 0,
62 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); 61 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
63 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; 62 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
64 memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen); 63 memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int)flen);
65 if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0) 64 if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
66 return 0; 65 return 0;
67#ifdef PKCS_TESTVECT 66#ifdef PKCS_TESTVECT
@@ -71,65 +70,73 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
71#endif 70#endif
72 71
73 dbmask = malloc(emlen - SHA_DIGEST_LENGTH); 72 dbmask = malloc(emlen - SHA_DIGEST_LENGTH);
74 if (dbmask == NULL) 73 if (dbmask == NULL) {
75 {
76 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); 74 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
77 return 0; 75 return 0;
78 } 76 }
79 77
80 if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0) 78 if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed,
79 SHA_DIGEST_LENGTH) < 0)
81 return 0; 80 return 0;
82 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) 81 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
83 db[i] ^= dbmask[i]; 82 db[i] ^= dbmask[i];
84 83
85 if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0) 84 if (MGF1(seedmask, SHA_DIGEST_LENGTH, db,
85 emlen - SHA_DIGEST_LENGTH) < 0)
86 return 0; 86 return 0;
87 for (i = 0; i < SHA_DIGEST_LENGTH; i++) 87 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
88 seed[i] ^= seedmask[i]; 88 seed[i] ^= seedmask[i];
89 89
90 free(dbmask); 90 free(dbmask);
91 return 1; 91 return 1;
92 } 92}
93 93
94int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, 94int
95 const unsigned char *from, int flen, int num, 95RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
96 const unsigned char *param, int plen) 96 const unsigned char *from, int flen, int num, const unsigned char *param,
97 { 97 int plen)
98{
98 int i, dblen, mlen = -1; 99 int i, dblen, mlen = -1;
99 const unsigned char *maskeddb; 100 const unsigned char *maskeddb;
100 int lzero; 101 int lzero;
101 unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; 102 unsigned char *db = NULL;
103 unsigned char seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
102 unsigned char *padded_from; 104 unsigned char *padded_from;
103 int bad = 0; 105 int bad = 0;
104 106
105 if (--num < 2 * SHA_DIGEST_LENGTH + 1) 107 if (--num < 2 * SHA_DIGEST_LENGTH + 1)
106 /* 'num' is the length of the modulus, i.e. does not depend on the 108 /*
107 * particular ciphertext. */ 109 * 'num' is the length of the modulus, i.e. does not depend
110 * on the particular ciphertext.
111 */
108 goto decoding_err; 112 goto decoding_err;
109 113
110 lzero = num - flen; 114 lzero = num - flen;
111 if (lzero < 0) 115 if (lzero < 0) {
112 { 116 /*
113 /* signalling this error immediately after detection might allow 117 * signalling this error immediately after detection might allow
114 * for side-channel attacks (e.g. timing if 'plen' is huge 118 * for side-channel attacks (e.g. timing if 'plen' is huge
115 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal 119 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA
116 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001), 120 * Optimal Asymmetric Encryption Padding (OAEP) [...]",
117 * so we use a 'bad' flag */ 121 * CRYPTO 2001), so we use a 'bad' flag
122 */
118 bad = 1; 123 bad = 1;
119 lzero = 0; 124 lzero = 0;
120 flen = num; /* don't overflow the memcpy to padded_from */ 125 flen = num; /* don't overflow the memcpy to padded_from */
121 } 126 }
122 127
123 dblen = num - SHA_DIGEST_LENGTH; 128 dblen = num - SHA_DIGEST_LENGTH;
124 db = malloc(dblen + num); 129 db = malloc(dblen + num);
125 if (db == NULL) 130 if (db == NULL) {
126 { 131 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
127 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); 132 ERR_R_MALLOC_FAILURE);
128 return -1; 133 return -1;
129 } 134 }
130 135
131 /* Always do this zero-padding copy (even when lzero == 0) 136 /*
132 * to avoid leaking timing info about the value of lzero. */ 137 * Always do this zero-padding copy (even when lzero == 0)
138 * to avoid leaking timing info about the value of lzero.
139 */
133 padded_from = db + dblen; 140 padded_from = db + dblen;
134 memset(padded_from, 0, lzero); 141 memset(padded_from, 0, lzero);
135 memcpy(padded_from + lzero, from, flen); 142 memcpy(padded_from + lzero, from, flen);
@@ -151,41 +158,41 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
151 158
152 if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) 159 if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
153 goto decoding_err; 160 goto decoding_err;
154 else 161 else {
155 {
156 for (i = SHA_DIGEST_LENGTH; i < dblen; i++) 162 for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
157 if (db[i] != 0x00) 163 if (db[i] != 0x00)
158 break; 164 break;
159 if (i == dblen || db[i] != 0x01) 165 if (i == dblen || db[i] != 0x01)
160 goto decoding_err; 166 goto decoding_err;
161 else 167 else {
162 {
163 /* everything looks OK */ 168 /* everything looks OK */
164 169
165 mlen = dblen - ++i; 170 mlen = dblen - ++i;
166 if (tlen < mlen) 171 if (tlen < mlen) {
167 { 172 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
168 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); 173 RSA_R_DATA_TOO_LARGE);
169 mlen = -1; 174 mlen = -1;
170 } 175 } else
171 else
172 memcpy(to, db + i, mlen); 176 memcpy(to, db + i, mlen);
173 }
174 } 177 }
178 }
175 free(db); 179 free(db);
176 return mlen; 180 return mlen;
177 181
178decoding_err: 182decoding_err:
179 /* to avoid chosen ciphertext attacks, the error message should not reveal 183 /*
180 * which kind of decoding error happened */ 184 * To avoid chosen ciphertext attacks, the error message should not
185 * reveal which kind of decoding error happened
186 */
181 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); 187 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
182 free(db); 188 free(db);
183 return -1; 189 return -1;
184 } 190}
185 191
186int PKCS1_MGF1(unsigned char *mask, long len, 192int
187 const unsigned char *seed, long seedlen, const EVP_MD *dgst) 193PKCS1_MGF1(unsigned char *mask, long len, const unsigned char *seed,
188 { 194 long seedlen, const EVP_MD *dgst)
195{
189 long i, outlen = 0; 196 long i, outlen = 0;
190 unsigned char cnt[4]; 197 unsigned char cnt[4];
191 EVP_MD_CTX c; 198 EVP_MD_CTX c;
@@ -197,39 +204,35 @@ int PKCS1_MGF1(unsigned char *mask, long len,
197 mdlen = EVP_MD_size(dgst); 204 mdlen = EVP_MD_size(dgst);
198 if (mdlen < 0) 205 if (mdlen < 0)
199 goto err; 206 goto err;
200 for (i = 0; outlen < len; i++) 207 for (i = 0; outlen < len; i++) {
201 {
202 cnt[0] = (unsigned char)((i >> 24) & 255); 208 cnt[0] = (unsigned char)((i >> 24) & 255);
203 cnt[1] = (unsigned char)((i >> 16) & 255); 209 cnt[1] = (unsigned char)((i >> 16) & 255);
204 cnt[2] = (unsigned char)((i >> 8)) & 255; 210 cnt[2] = (unsigned char)((i >> 8)) & 255;
205 cnt[3] = (unsigned char)(i & 255); 211 cnt[3] = (unsigned char)(i & 255);
206 if (!EVP_DigestInit_ex(&c,dgst, NULL) 212 if (!EVP_DigestInit_ex(&c,dgst, NULL) ||
207 || !EVP_DigestUpdate(&c, seed, seedlen) 213 !EVP_DigestUpdate(&c, seed, seedlen) ||
208 || !EVP_DigestUpdate(&c, cnt, 4)) 214 !EVP_DigestUpdate(&c, cnt, 4))
209 goto err; 215 goto err;
210 if (outlen + mdlen <= len) 216 if (outlen + mdlen <= len) {
211 {
212 if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) 217 if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
213 goto err; 218 goto err;
214 outlen += mdlen; 219 outlen += mdlen;
215 } 220 } else {
216 else
217 {
218 if (!EVP_DigestFinal_ex(&c, md, NULL)) 221 if (!EVP_DigestFinal_ex(&c, md, NULL))
219 goto err; 222 goto err;
220 memcpy(mask + outlen, md, len - outlen); 223 memcpy(mask + outlen, md, len - outlen);
221 outlen = len; 224 outlen = len;
222 }
223 } 225 }
226 }
224 rv = 0; 227 rv = 0;
225 err: 228err:
226 EVP_MD_CTX_cleanup(&c); 229 EVP_MD_CTX_cleanup(&c);
227 return rv; 230 return rv;
228 } 231}
229 232
230static int MGF1(unsigned char *mask, long len, const unsigned char *seed, 233static int
231 long seedlen) 234MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
232 { 235{
233 return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1()); 236 return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
234 } 237}
235#endif 238#endif
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
index 36133b6d12..f5492315cc 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_pk1.c,v 1.7 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_pk1.c,v 1.8 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -62,160 +62,163 @@
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64 64
65int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, 65int
66 const unsigned char *from, int flen) 66RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
67 { 67 const unsigned char *from, int flen)
68{
68 int j; 69 int j;
69 unsigned char *p; 70 unsigned char *p;
70 71
71 if (flen > (tlen-RSA_PKCS1_PADDING_SIZE)) 72 if (flen > (tlen-RSA_PKCS1_PADDING_SIZE)) {
72 { 73 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,
73 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 74 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
74 return(0); 75 return 0;
75 } 76 }
76 77
77 p=(unsigned char *)to; 78 p = (unsigned char *)to;
78 79
79 *(p++)=0; 80 *(p++) = 0;
80 *(p++)=1; /* Private Key BT (Block Type) */ 81 *(p++) = 1; /* Private Key BT (Block Type) */
81 82
82 /* pad out with 0xff data */ 83 /* pad out with 0xff data */
83 j=tlen-3-flen; 84 j = tlen - 3 - flen;
84 memset(p,0xff,j); 85 memset(p, 0xff, j);
85 p+=j; 86 p += j;
86 *(p++)='\0'; 87 *(p++) = '\0';
87 memcpy(p,from,(unsigned int)flen); 88 memcpy(p, from, (unsigned int)flen);
88 return(1); 89 return 1;
89 } 90}
90 91
91int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, 92int
92 const unsigned char *from, int flen, int num) 93RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
93 { 94 const unsigned char *from, int flen, int num)
94 int i,j; 95{
96 int i, j;
95 const unsigned char *p; 97 const unsigned char *p;
96 98
97 p=from; 99 p = from;
98 if ((num != (flen+1)) || (*(p++) != 01)) 100 if (num != flen + 1 || *(p++) != 01) {
99 { 101 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
100 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01); 102 RSA_R_BLOCK_TYPE_IS_NOT_01);
101 return(-1); 103 return -1;
102 } 104 }
103 105
104 /* scan over padding data */ 106 /* scan over padding data */
105 j=flen-1; /* one for type. */ 107 j = flen - 1; /* one for type. */
106 for (i=0; i<j; i++) 108 for (i = 0; i < j; i++) {
107 { 109 if (*p != 0xff) { /* should decrypt to 0xff */
108 if (*p != 0xff) /* should decrypt to 0xff */ 110 if (*p == 0) {
109 { 111 p++;
110 if (*p == 0) 112 break;
111 { p++; break; } 113 } else {
112 else { 114 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
113 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_FIXED_HEADER_DECRYPT); 115 RSA_R_BAD_FIXED_HEADER_DECRYPT);
114 return(-1); 116 return -1;
115 }
116 } 117 }
117 p++;
118 } 118 }
119 p++;
120 }
119 121
120 if (i == j) 122 if (i == j) {
121 { 123 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
122 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_NULL_BEFORE_BLOCK_MISSING); 124 RSA_R_NULL_BEFORE_BLOCK_MISSING);
123 return(-1); 125 return -1;
124 } 126 }
125 127
126 if (i < 8) 128 if (i < 8) {
127 { 129 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
128 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_PAD_BYTE_COUNT); 130 RSA_R_BAD_PAD_BYTE_COUNT);
129 return(-1); 131 return -1;
130 } 132 }
131 i++; /* Skip over the '\0' */ 133 i++; /* Skip over the '\0' */
132 j-=i; 134 j -= i;
133 if (j > tlen) 135 if (j > tlen) {
134 { 136 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
135 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE); 137 RSA_R_DATA_TOO_LARGE);
136 return(-1); 138 return -1;
137 }
138 memcpy(to,p,(unsigned int)j);
139
140 return(j);
141 } 139 }
140 memcpy(to, p, (unsigned int)j);
142 141
143int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, 142 return j;
144 const unsigned char *from, int flen) 143}
145 { 144
145int
146RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
147 const unsigned char *from, int flen)
148{
146 int i,j; 149 int i,j;
147 unsigned char *p; 150 unsigned char *p;
148 151
149 if (flen > (tlen-11)) 152 if (flen > tlen - 11) {
150 { 153 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
151 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 154 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
152 return(0); 155 return 0;
153 } 156 }
154 157
155 p=(unsigned char *)to; 158 p = (unsigned char *)to;
156 159
157 *(p++)=0; 160 *(p++) = 0;
158 *(p++)=2; /* Public Key BT (Block Type) */ 161 *(p++) = 2; /* Public Key BT (Block Type) */
159 162
160 /* pad out with non-zero random data */ 163 /* pad out with non-zero random data */
161 j=tlen-3-flen; 164 j = tlen - 3 - flen;
162 165
163 if (RAND_bytes(p,j) <= 0) 166 if (RAND_bytes(p, j) <= 0)
164 return(0); 167 return 0;
165 for (i=0; i<j; i++) 168 for (i = 0; i < j; i++) {
166 {
167 if (*p == '\0') 169 if (*p == '\0')
168 do { 170 do {
169 if (RAND_bytes(p,1) <= 0) 171 if (RAND_bytes(p, 1) <= 0)
170 return(0); 172 return 0;
171 } while (*p == '\0'); 173 } while (*p == '\0');
172 p++; 174 p++;
173 } 175 }
174 176
175 *(p++)='\0'; 177 *(p++) = '\0';
176 178
177 memcpy(p,from,(unsigned int)flen); 179 memcpy(p, from, (unsigned int)flen);
178 return(1); 180 return 1;
179 } 181}
180 182
181int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, 183int
182 const unsigned char *from, int flen, int num) 184RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
183 { 185 const unsigned char *from, int flen, int num)
184 int i,j; 186{
187 int i, j;
185 const unsigned char *p; 188 const unsigned char *p;
186 189
187 p=from; 190 p = from;
188 if ((num != (flen+1)) || (*(p++) != 02)) 191 if (num != flen + 1 || *(p++) != 02) {
189 { 192 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
190 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02); 193 RSA_R_BLOCK_TYPE_IS_NOT_02);
191 return(-1); 194 return -1;
192 } 195 }
193 196
194 /* scan over padding data */ 197 /* scan over padding data */
195 j=flen-1; /* one for type. */ 198 j = flen - 1; /* one for type. */
196 for (i=0; i<j; i++) 199 for (i = 0; i < j; i++)
197 if (*(p++) == 0) break; 200 if (*(p++) == 0)
198 201 break;
199 if (i == j) 202
200 { 203 if (i == j) {
201 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_NULL_BEFORE_BLOCK_MISSING); 204 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
202 return(-1); 205 RSA_R_NULL_BEFORE_BLOCK_MISSING);
203 } 206 return -1;
207 }
204 208
205 if (i < 8) 209 if (i < 8) {
206 { 210 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
207 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BAD_PAD_BYTE_COUNT); 211 RSA_R_BAD_PAD_BYTE_COUNT);
208 return(-1); 212 return -1;
209 } 213 }
210 i++; /* Skip over the '\0' */ 214 i++; /* Skip over the '\0' */
211 j-=i; 215 j -= i;
212 if (j > tlen) 216 if (j > tlen) {
213 { 217 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
214 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE); 218 RSA_R_DATA_TOO_LARGE);
215 return(-1); 219 return -1;
216 }
217 memcpy(to,p,(unsigned int)j);
218
219 return(j);
220 } 220 }
221 memcpy(to, p, (unsigned int)j);
221 222
223 return j;
224}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pmeth.c b/src/lib/libssl/src/crypto/rsa/rsa_pmeth.c
index 1f9d826014..4a662c2894 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_pmeth.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_pmeth.c,v 1.8 2014/06/12 20:40:57 deraadt Exp $ */ 1/* $OpenBSD: rsa_pmeth.c,v 1.9 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -72,8 +72,7 @@
72 72
73/* RSA pkey context structure */ 73/* RSA pkey context structure */
74 74
75typedef struct 75typedef struct {
76 {
77 /* Key gen parameters */ 76 /* Key gen parameters */
78 int nbits; 77 int nbits;
79 BIGNUM *pub_exp; 78 BIGNUM *pub_exp;
@@ -89,11 +88,13 @@ typedef struct
89 int saltlen; 88 int saltlen;
90 /* Temp buffer */ 89 /* Temp buffer */
91 unsigned char *tbuf; 90 unsigned char *tbuf;
92 } RSA_PKEY_CTX; 91} RSA_PKEY_CTX;
93 92
94static int pkey_rsa_init(EVP_PKEY_CTX *ctx) 93static int
95 { 94pkey_rsa_init(EVP_PKEY_CTX *ctx)
95{
96 RSA_PKEY_CTX *rctx; 96 RSA_PKEY_CTX *rctx;
97
97 rctx = malloc(sizeof(RSA_PKEY_CTX)); 98 rctx = malloc(sizeof(RSA_PKEY_CTX));
98 if (!rctx) 99 if (!rctx)
99 return 0; 100 return 0;
@@ -111,424 +112,390 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
111 ctx->keygen_info_count = 2; 112 ctx->keygen_info_count = 2;
112 113
113 return 1; 114 return 1;
114 } 115}
115 116
116static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 117static int
117 { 118pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
119{
118 RSA_PKEY_CTX *dctx, *sctx; 120 RSA_PKEY_CTX *dctx, *sctx;
121
119 if (!pkey_rsa_init(dst)) 122 if (!pkey_rsa_init(dst))
120 return 0; 123 return 0;
121 sctx = src->data; 124 sctx = src->data;
122 dctx = dst->data; 125 dctx = dst->data;
123 dctx->nbits = sctx->nbits; 126 dctx->nbits = sctx->nbits;
124 if (sctx->pub_exp) 127 if (sctx->pub_exp) {
125 {
126 dctx->pub_exp = BN_dup(sctx->pub_exp); 128 dctx->pub_exp = BN_dup(sctx->pub_exp);
127 if (!dctx->pub_exp) 129 if (!dctx->pub_exp)
128 return 0; 130 return 0;
129 } 131 }
130 dctx->pad_mode = sctx->pad_mode; 132 dctx->pad_mode = sctx->pad_mode;
131 dctx->md = sctx->md; 133 dctx->md = sctx->md;
132 return 1; 134 return 1;
133 } 135}
134 136
135static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) 137static int
136 { 138setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
139{
137 if (ctx->tbuf) 140 if (ctx->tbuf)
138 return 1; 141 return 1;
139 ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey)); 142 ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey));
140 if (!ctx->tbuf) 143 if (!ctx->tbuf)
141 return 0; 144 return 0;
142 return 1; 145 return 1;
143 } 146}
144 147
145static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) 148static void
146 { 149pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
150{
147 RSA_PKEY_CTX *rctx = ctx->data; 151 RSA_PKEY_CTX *rctx = ctx->data;
148 if (rctx) 152
149 { 153 if (rctx) {
150 if (rctx->pub_exp) 154 if (rctx->pub_exp)
151 BN_free(rctx->pub_exp); 155 BN_free(rctx->pub_exp);
152 free(rctx->tbuf); 156 free(rctx->tbuf);
153 free(rctx); 157 free(rctx);
154 }
155 } 158 }
156static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 159}
157 const unsigned char *tbs, size_t tbslen) 160
158 { 161static int
162pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
163 const unsigned char *tbs, size_t tbslen)
164{
159 int ret; 165 int ret;
160 RSA_PKEY_CTX *rctx = ctx->data; 166 RSA_PKEY_CTX *rctx = ctx->data;
161 RSA *rsa = ctx->pkey->pkey.rsa; 167 RSA *rsa = ctx->pkey->pkey.rsa;
162 168
163 if (rctx->md) 169 if (rctx->md) {
164 { 170 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
165 if (tbslen != (size_t)EVP_MD_size(rctx->md))
166 {
167 RSAerr(RSA_F_PKEY_RSA_SIGN, 171 RSAerr(RSA_F_PKEY_RSA_SIGN,
168 RSA_R_INVALID_DIGEST_LENGTH); 172 RSA_R_INVALID_DIGEST_LENGTH);
169 return -1; 173 return -1;
170 } 174 }
171 175
172 if (EVP_MD_type(rctx->md) == NID_mdc2) 176 if (EVP_MD_type(rctx->md) == NID_mdc2) {
173 {
174 unsigned int sltmp; 177 unsigned int sltmp;
178
175 if (rctx->pad_mode != RSA_PKCS1_PADDING) 179 if (rctx->pad_mode != RSA_PKCS1_PADDING)
176 return -1; 180 return -1;
177 ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2, 181 ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2, tbs, tbslen,
178 tbs, tbslen, sig, &sltmp, rsa); 182 sig, &sltmp, rsa);
179 183
180 if (ret <= 0) 184 if (ret <= 0)
181 return ret; 185 return ret;
182 ret = sltmp; 186 ret = sltmp;
183 } 187 } else if (rctx->pad_mode == RSA_X931_PADDING) {
184 else if (rctx->pad_mode == RSA_X931_PADDING)
185 {
186 if (!setup_tbuf(rctx, ctx)) 188 if (!setup_tbuf(rctx, ctx))
187 return -1; 189 return -1;
188 memcpy(rctx->tbuf, tbs, tbslen); 190 memcpy(rctx->tbuf, tbs, tbslen);
189 rctx->tbuf[tbslen] = 191 rctx->tbuf[tbslen] =
190 RSA_X931_hash_id(EVP_MD_type(rctx->md)); 192 RSA_X931_hash_id(EVP_MD_type(rctx->md));
191 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, 193 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
192 sig, rsa, RSA_X931_PADDING); 194 rsa, RSA_X931_PADDING);
193 } 195 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
194 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
195 {
196 unsigned int sltmp; 196 unsigned int sltmp;
197 ret = RSA_sign(EVP_MD_type(rctx->md), 197
198 tbs, tbslen, sig, &sltmp, rsa); 198 ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
199 &sltmp, rsa);
199 if (ret <= 0) 200 if (ret <= 0)
200 return ret; 201 return ret;
201 ret = sltmp; 202 ret = sltmp;
202 } 203 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
203 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
204 {
205 if (!setup_tbuf(rctx, ctx)) 204 if (!setup_tbuf(rctx, ctx))
206 return -1; 205 return -1;
207 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, 206 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf,
208 rctx->tbuf, tbs, 207 tbs, rctx->md, rctx->mgf1md, rctx->saltlen))
209 rctx->md, rctx->mgf1md,
210 rctx->saltlen))
211 return -1; 208 return -1;
212 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, 209 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
213 sig, rsa, RSA_NO_PADDING); 210 sig, rsa, RSA_NO_PADDING);
214 } 211 } else
215 else
216 return -1; 212 return -1;
217 } 213 } else
218 else
219 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, 214 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
220 rctx->pad_mode); 215 rctx->pad_mode);
221 if (ret < 0) 216 if (ret < 0)
222 return ret; 217 return ret;
223 *siglen = ret; 218 *siglen = ret;
224 return 1; 219 return 1;
225 } 220}
226
227 221
228static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, 222static int
229 unsigned char *rout, size_t *routlen, 223pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
230 const unsigned char *sig, size_t siglen) 224 const unsigned char *sig, size_t siglen)
231 { 225{
232 int ret; 226 int ret;
233 RSA_PKEY_CTX *rctx = ctx->data; 227 RSA_PKEY_CTX *rctx = ctx->data;
234 228
235 if (rctx->md) 229 if (rctx->md) {
236 { 230 if (rctx->pad_mode == RSA_X931_PADDING) {
237 if (rctx->pad_mode == RSA_X931_PADDING)
238 {
239 if (!setup_tbuf(rctx, ctx)) 231 if (!setup_tbuf(rctx, ctx))
240 return -1; 232 return -1;
241 ret = RSA_public_decrypt(siglen, sig, 233 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
242 rctx->tbuf, ctx->pkey->pkey.rsa, 234 ctx->pkey->pkey.rsa, RSA_X931_PADDING);
243 RSA_X931_PADDING);
244 if (ret < 1) 235 if (ret < 1)
245 return 0; 236 return 0;
246 ret--; 237 ret--;
247 if (rctx->tbuf[ret] != 238 if (rctx->tbuf[ret] !=
248 RSA_X931_hash_id(EVP_MD_type(rctx->md))) 239 RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
249 {
250 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 240 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
251 RSA_R_ALGORITHM_MISMATCH); 241 RSA_R_ALGORITHM_MISMATCH);
252 return 0; 242 return 0;
253 } 243 }
254 if (ret != EVP_MD_size(rctx->md)) 244 if (ret != EVP_MD_size(rctx->md)) {
255 {
256 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER, 245 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
257 RSA_R_INVALID_DIGEST_LENGTH); 246 RSA_R_INVALID_DIGEST_LENGTH);
258 return 0; 247 return 0;
259 } 248 }
260 if (rout) 249 if (rout)
261 memcpy(rout, rctx->tbuf, ret); 250 memcpy(rout, rctx->tbuf, ret);
262 } 251 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
263 else if (rctx->pad_mode == RSA_PKCS1_PADDING)
264 {
265 size_t sltmp; 252 size_t sltmp;
266 ret = int_rsa_verify(EVP_MD_type(rctx->md), 253
267 NULL, 0, rout, &sltmp, 254 ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
268 sig, siglen, ctx->pkey->pkey.rsa); 255 rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
269 if (ret <= 0) 256 if (ret <= 0)
270 return 0; 257 return 0;
271 ret = sltmp; 258 ret = sltmp;
272 } 259 } else
273 else
274 return -1; 260 return -1;
275 } 261 } else
276 else
277 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, 262 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
278 rctx->pad_mode); 263 rctx->pad_mode);
279 if (ret < 0) 264 if (ret < 0)
280 return ret; 265 return ret;
281 *routlen = ret; 266 *routlen = ret;
282 return 1; 267 return 1;
283 } 268}
284 269
285static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, 270static int
286 const unsigned char *sig, size_t siglen, 271pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
287 const unsigned char *tbs, size_t tbslen) 272 const unsigned char *tbs, size_t tbslen)
288 { 273{
289 RSA_PKEY_CTX *rctx = ctx->data; 274 RSA_PKEY_CTX *rctx = ctx->data;
290 RSA *rsa = ctx->pkey->pkey.rsa; 275 RSA *rsa = ctx->pkey->pkey.rsa;
291 size_t rslen; 276 size_t rslen;
292 if (rctx->md) 277
293 { 278 if (rctx->md) {
294 if (rctx->pad_mode == RSA_PKCS1_PADDING) 279 if (rctx->pad_mode == RSA_PKCS1_PADDING)
295 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, 280 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
296 sig, siglen, rsa); 281 sig, siglen, rsa);
297 if (rctx->pad_mode == RSA_X931_PADDING) 282 if (rctx->pad_mode == RSA_X931_PADDING) {
298 { 283 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
299 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, 284 siglen) <= 0)
300 sig, siglen) <= 0)
301 return 0; 285 return 0;
302 } 286 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
303 else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
304 {
305 int ret; 287 int ret;
288
306 if (!setup_tbuf(rctx, ctx)) 289 if (!setup_tbuf(rctx, ctx))
307 return -1; 290 return -1;
308 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, 291 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
309 rsa, RSA_NO_PADDING); 292 rsa, RSA_NO_PADDING);
310 if (ret <= 0) 293 if (ret <= 0)
311 return 0; 294 return 0;
312 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, 295 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
313 rctx->md, rctx->mgf1md, 296 rctx->mgf1md, rctx->tbuf, rctx->saltlen);
314 rctx->tbuf, rctx->saltlen);
315 if (ret <= 0) 297 if (ret <= 0)
316 return 0; 298 return 0;
317 return 1; 299 return 1;
318 } 300 } else
319 else
320 return -1; 301 return -1;
321 } 302 } else {
322 else
323 {
324 if (!setup_tbuf(rctx, ctx)) 303 if (!setup_tbuf(rctx, ctx))
325 return -1; 304 return -1;
326 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, 305 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
327 rsa, rctx->pad_mode); 306 rctx->pad_mode);
328 if (rslen == 0) 307 if (rslen == 0)
329 return 0; 308 return 0;
330 } 309 }
331 310
332 if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen)) 311 if (rslen != tbslen || memcmp(tbs, rctx->tbuf, rslen))
333 return 0; 312 return 0;
334 313
335 return 1; 314 return 1;
336 315}
337 }
338
339 316
340static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, 317static int
341 unsigned char *out, size_t *outlen, 318pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
342 const unsigned char *in, size_t inlen) 319 const unsigned char *in, size_t inlen)
343 { 320{
344 int ret; 321 int ret;
345 RSA_PKEY_CTX *rctx = ctx->data; 322 RSA_PKEY_CTX *rctx = ctx->data;
323
346 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, 324 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
347 rctx->pad_mode); 325 rctx->pad_mode);
348 if (ret < 0) 326 if (ret < 0)
349 return ret; 327 return ret;
350 *outlen = ret; 328 *outlen = ret;
351 return 1; 329 return 1;
352 } 330}
353 331
354static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, 332static int
355 unsigned char *out, size_t *outlen, 333pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
356 const unsigned char *in, size_t inlen) 334 const unsigned char *in, size_t inlen)
357 { 335{
358 int ret; 336 int ret;
359 RSA_PKEY_CTX *rctx = ctx->data; 337 RSA_PKEY_CTX *rctx = ctx->data;
338
360 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, 339 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
361 rctx->pad_mode); 340 rctx->pad_mode);
362 if (ret < 0) 341 if (ret < 0)
363 return ret; 342 return ret;
364 *outlen = ret; 343 *outlen = ret;
365 return 1; 344 return 1;
366 } 345}
367 346
368static int check_padding_md(const EVP_MD *md, int padding) 347static int
369 { 348check_padding_md(const EVP_MD *md, int padding)
349{
370 if (!md) 350 if (!md)
371 return 1; 351 return 1;
372 352
373 if (padding == RSA_NO_PADDING) 353 if (padding == RSA_NO_PADDING) {
374 {
375 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE); 354 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
376 return 0; 355 return 0;
377 } 356 }
378 357
379 if (padding == RSA_X931_PADDING) 358 if (padding == RSA_X931_PADDING) {
380 { 359 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
381 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
382 {
383 RSAerr(RSA_F_CHECK_PADDING_MD, 360 RSAerr(RSA_F_CHECK_PADDING_MD,
384 RSA_R_INVALID_X931_DIGEST); 361 RSA_R_INVALID_X931_DIGEST);
385 return 0; 362 return 0;
386 }
387 return 1;
388 } 363 }
364 return 1;
365 }
389 366
390 return 1; 367 return 1;
391 } 368}
392
393 369
394static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 370static int
395 { 371pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
372{
396 RSA_PKEY_CTX *rctx = ctx->data; 373 RSA_PKEY_CTX *rctx = ctx->data;
397 switch (type) 374 switch (type) {
398 { 375 case EVP_PKEY_CTRL_RSA_PADDING:
399 case EVP_PKEY_CTRL_RSA_PADDING: 376 if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) {
400 if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
401 {
402 if (!check_padding_md(rctx->md, p1)) 377 if (!check_padding_md(rctx->md, p1))
403 return 0; 378 return 0;
404 if (p1 == RSA_PKCS1_PSS_PADDING) 379 if (p1 == RSA_PKCS1_PSS_PADDING) {
405 {
406 if (!(ctx->operation & 380 if (!(ctx->operation &
407 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) 381 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
408 goto bad_pad; 382 goto bad_pad;
409 if (!rctx->md) 383 if (!rctx->md)
410 rctx->md = EVP_sha1(); 384 rctx->md = EVP_sha1();
411 } 385 }
412 if (p1 == RSA_PKCS1_OAEP_PADDING) 386 if (p1 == RSA_PKCS1_OAEP_PADDING) {
413 {
414 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) 387 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
415 goto bad_pad; 388 goto bad_pad;
416 if (!rctx->md) 389 if (!rctx->md)
417 rctx->md = EVP_sha1(); 390 rctx->md = EVP_sha1();
418 } 391 }
419 rctx->pad_mode = p1; 392 rctx->pad_mode = p1;
420 return 1; 393 return 1;
421 } 394 }
422 bad_pad: 395bad_pad:
423 RSAerr(RSA_F_PKEY_RSA_CTRL, 396 RSAerr(RSA_F_PKEY_RSA_CTRL,
424 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 397 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
425 return -2; 398 return -2;
426 399
427 case EVP_PKEY_CTRL_GET_RSA_PADDING: 400 case EVP_PKEY_CTRL_GET_RSA_PADDING:
428 *(int *)p2 = rctx->pad_mode; 401 *(int *)p2 = rctx->pad_mode;
429 return 1; 402 return 1;
430 403
431 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: 404 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
432 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: 405 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
433 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) 406 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
434 {
435 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN); 407 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
436 return -2; 408 return -2;
437 } 409 }
438 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) 410 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
439 *(int *)p2 = rctx->saltlen; 411 *(int *)p2 = rctx->saltlen;
440 else 412 else {
441 {
442 if (p1 < -2) 413 if (p1 < -2)
443 return -2; 414 return -2;
444 rctx->saltlen = p1; 415 rctx->saltlen = p1;
445 } 416 }
446 return 1; 417 return 1;
447 418
448 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: 419 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
449 if (p1 < 256) 420 if (p1 < 256) {
450 {
451 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS); 421 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
452 return -2; 422 return -2;
453 } 423 }
454 rctx->nbits = p1; 424 rctx->nbits = p1;
455 return 1; 425 return 1;
456 426
457 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: 427 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
458 if (!p2) 428 if (!p2)
459 return -2; 429 return -2;
460 rctx->pub_exp = p2; 430 rctx->pub_exp = p2;
461 return 1; 431 return 1;
462 432
463 case EVP_PKEY_CTRL_MD: 433 case EVP_PKEY_CTRL_MD:
464 if (!check_padding_md(p2, rctx->pad_mode)) 434 if (!check_padding_md(p2, rctx->pad_mode))
465 return 0; 435 return 0;
466 rctx->md = p2; 436 rctx->md = p2;
467 return 1; 437 return 1;
468 438
469 case EVP_PKEY_CTRL_RSA_MGF1_MD: 439 case EVP_PKEY_CTRL_RSA_MGF1_MD:
470 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: 440 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
471 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) 441 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
472 {
473 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD); 442 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
474 return -2; 443 return -2;
475 } 444 }
476 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) 445 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
477 {
478 if (rctx->mgf1md) 446 if (rctx->mgf1md)
479 *(const EVP_MD **)p2 = rctx->mgf1md; 447 *(const EVP_MD **)p2 = rctx->mgf1md;
480 else 448 else
481 *(const EVP_MD **)p2 = rctx->md; 449 *(const EVP_MD **)p2 = rctx->md;
482 } 450 } else
483 else
484 rctx->mgf1md = p2; 451 rctx->mgf1md = p2;
485 return 1; 452 return 1;
486 453
487 case EVP_PKEY_CTRL_DIGESTINIT: 454 case EVP_PKEY_CTRL_DIGESTINIT:
488 case EVP_PKEY_CTRL_PKCS7_ENCRYPT: 455 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
489 case EVP_PKEY_CTRL_PKCS7_DECRYPT: 456 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
490 case EVP_PKEY_CTRL_PKCS7_SIGN: 457 case EVP_PKEY_CTRL_PKCS7_SIGN:
491 return 1; 458 return 1;
492#ifndef OPENSSL_NO_CMS 459#ifndef OPENSSL_NO_CMS
493 case EVP_PKEY_CTRL_CMS_DECRYPT: 460 case EVP_PKEY_CTRL_CMS_DECRYPT:
494 { 461 {
495 X509_ALGOR *alg = NULL; 462 X509_ALGOR *alg = NULL;
496 ASN1_OBJECT *encalg = NULL; 463 ASN1_OBJECT *encalg = NULL;
464
497 if (p2) 465 if (p2)
498 CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg); 466 CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
499 if (alg) 467 if (alg)
500 X509_ALGOR_get0(&encalg, NULL, NULL, alg); 468 X509_ALGOR_get0(&encalg, NULL, NULL, alg);
501 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep) 469 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
502 rctx->pad_mode = RSA_PKCS1_OAEP_PADDING; 470 rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
503 } 471 }
504 case EVP_PKEY_CTRL_CMS_ENCRYPT: 472 /* FALLTHROUGH */
505 case EVP_PKEY_CTRL_CMS_SIGN: 473
474 case EVP_PKEY_CTRL_CMS_ENCRYPT:
475 case EVP_PKEY_CTRL_CMS_SIGN:
506 return 1; 476 return 1;
507#endif 477#endif
508 case EVP_PKEY_CTRL_PEER_KEY: 478 case EVP_PKEY_CTRL_PEER_KEY:
509 RSAerr(RSA_F_PKEY_RSA_CTRL, 479 RSAerr(RSA_F_PKEY_RSA_CTRL,
510 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 480 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
511 return -2; 481 return -2;
512 482
513 default: 483 default:
514 return -2; 484 return -2;
515
516 }
517 } 485 }
486}
518 487
519static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, 488static int
520 const char *type, const char *value) 489pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
521 { 490{
522 long lval; 491 long lval;
523 char *ep; 492 char *ep;
524 493
525 if (!value) 494 if (!value) {
526 {
527 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING); 495 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
528 return 0; 496 return 0;
529 } 497 }
530 if (!strcmp(type, "rsa_padding_mode")) 498 if (!strcmp(type, "rsa_padding_mode")) {
531 {
532 int pm; 499 int pm;
533 if (!strcmp(value, "pkcs1")) 500 if (!strcmp(value, "pkcs1"))
534 pm = RSA_PKCS1_PADDING; 501 pm = RSA_PKCS1_PADDING;
@@ -544,14 +511,13 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
544 pm = RSA_X931_PADDING; 511 pm = RSA_X931_PADDING;
545 else if (!strcmp(value, "pss")) 512 else if (!strcmp(value, "pss"))
546 pm = RSA_PKCS1_PSS_PADDING; 513 pm = RSA_PKCS1_PSS_PADDING;
547 else 514 else {
548 {
549 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, 515 RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
550 RSA_R_UNKNOWN_PADDING_TYPE); 516 RSA_R_UNKNOWN_PADDING_TYPE);
551 return -2; 517 return -2;
552 }
553 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
554 } 518 }
519 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
520 }
555 521
556 if (!strcmp(type, "rsa_pss_saltlen")) { 522 if (!strcmp(type, "rsa_pss_saltlen")) {
557 int saltlen; 523 int saltlen;
@@ -560,7 +526,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
560 lval = strtol(value, &ep, 10); 526 lval = strtol(value, &ep, 10);
561 if (value[0] == '\0' || *ep != '\0') 527 if (value[0] == '\0' || *ep != '\0')
562 goto not_a_number; 528 goto not_a_number;
563 if ((errno == ERANGE && (lval == LONG_MAX || lval == LONG_MIN)) || 529 if ((errno == ERANGE &&
530 (lval == LONG_MAX || lval == LONG_MIN)) ||
564 (lval > INT_MAX || lval < INT_MIN)) 531 (lval > INT_MAX || lval < INT_MIN))
565 goto out_of_range; 532 goto out_of_range;
566 saltlen = lval; 533 saltlen = lval;
@@ -574,7 +541,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
574 lval = strtol(value, &ep, 10); 541 lval = strtol(value, &ep, 10);
575 if (value[0] == '\0' || *ep != '\0') 542 if (value[0] == '\0' || *ep != '\0')
576 goto not_a_number; 543 goto not_a_number;
577 if ((errno == ERANGE && (lval == LONG_MAX || lval == LONG_MIN)) || 544 if ((errno == ERANGE &&
545 (lval == LONG_MAX || lval == LONG_MIN)) ||
578 (lval > INT_MAX || lval < INT_MIN)) 546 (lval > INT_MAX || lval < INT_MIN))
579 goto out_of_range; 547 goto out_of_range;
580 nbits = lval; 548 nbits = lval;
@@ -584,6 +552,7 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
584 if (!strcmp(type, "rsa_keygen_pubexp")) { 552 if (!strcmp(type, "rsa_keygen_pubexp")) {
585 int ret; 553 int ret;
586 BIGNUM *pubexp = NULL; 554 BIGNUM *pubexp = NULL;
555
587 if (!BN_asc2bn(&pubexp, value)) 556 if (!BN_asc2bn(&pubexp, value))
588 return 0; 557 return 0;
589 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp); 558 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
@@ -597,27 +566,26 @@ out_of_range:
597 return -2; 566 return -2;
598} 567}
599 568
600static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 569static int
601 { 570pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
571{
602 RSA *rsa = NULL; 572 RSA *rsa = NULL;
603 RSA_PKEY_CTX *rctx = ctx->data; 573 RSA_PKEY_CTX *rctx = ctx->data;
604 BN_GENCB *pcb, cb; 574 BN_GENCB *pcb, cb;
605 int ret; 575 int ret;
606 if (!rctx->pub_exp) 576
607 { 577 if (!rctx->pub_exp) {
608 rctx->pub_exp = BN_new(); 578 rctx->pub_exp = BN_new();
609 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) 579 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
610 return 0; 580 return 0;
611 } 581 }
612 rsa = RSA_new(); 582 rsa = RSA_new();
613 if (!rsa) 583 if (!rsa)
614 return 0; 584 return 0;
615 if (ctx->pkey_gencb) 585 if (ctx->pkey_gencb) {
616 {
617 pcb = &cb; 586 pcb = &cb;
618 evp_pkey_set_cb_translate(pcb, ctx); 587 evp_pkey_set_cb_translate(pcb, ctx);
619 } 588 } else
620 else
621 pcb = NULL; 589 pcb = NULL;
622 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb); 590 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
623 if (ret > 0) 591 if (ret > 0)
@@ -625,7 +593,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
625 else 593 else
626 RSA_free(rsa); 594 RSA_free(rsa);
627 return ret; 595 return ret;
628 } 596}
629 597
630const EVP_PKEY_METHOD rsa_pkey_meth = { 598const EVP_PKEY_METHOD rsa_pkey_meth = {
631 .pkey_id = EVP_PKEY_RSA, 599 .pkey_id = EVP_PKEY_RSA,
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_prn.c b/src/lib/libssl/src/crypto/rsa/rsa_prn.c
index 2d7bcb62b0..89cf2b45b0 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_prn.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_prn.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_prn.c,v 1.3 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_prn.c,v 1.4 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -61,31 +61,32 @@
61#include <openssl/rsa.h> 61#include <openssl/rsa.h>
62#include <openssl/evp.h> 62#include <openssl/evp.h>
63 63
64int RSA_print_fp(FILE *fp, const RSA *x, int off) 64int
65 { 65RSA_print_fp(FILE *fp, const RSA *x, int off)
66{
66 BIO *b; 67 BIO *b;
67 int ret; 68 int ret;
68 69
69 if ((b=BIO_new(BIO_s_file())) == NULL) 70 if ((b = BIO_new(BIO_s_file())) == NULL) {
70 { 71 RSAerr(RSA_F_RSA_PRINT_FP, ERR_R_BUF_LIB);
71 RSAerr(RSA_F_RSA_PRINT_FP,ERR_R_BUF_LIB); 72 return 0;
72 return(0);
73 }
74 BIO_set_fp(b,fp,BIO_NOCLOSE);
75 ret=RSA_print(b,x,off);
76 BIO_free(b);
77 return(ret);
78 } 73 }
74 BIO_set_fp(b, fp, BIO_NOCLOSE);
75 ret = RSA_print(b, x, off);
76 BIO_free(b);
77 return ret;
78}
79 79
80int RSA_print(BIO *bp, const RSA *x, int off) 80int
81 { 81RSA_print(BIO *bp, const RSA *x, int off)
82{
82 EVP_PKEY *pk; 83 EVP_PKEY *pk;
83 int ret; 84 int ret;
85
84 pk = EVP_PKEY_new(); 86 pk = EVP_PKEY_new();
85 if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x)) 87 if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
86 return 0; 88 return 0;
87 ret = EVP_PKEY_print_private(bp, pk, off, NULL); 89 ret = EVP_PKEY_print_private(bp, pk, off, NULL);
88 EVP_PKEY_free(pk); 90 EVP_PKEY_free(pk);
89 return ret; 91 return ret;
90 } 92}
91
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pss.c b/src/lib/libssl/src/crypto/rsa/rsa_pss.c
index d26839a5fb..4c6a90c1c7 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_pss.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_pss.c,v 1.5 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_pss.c,v 1.6 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005. 3 * project 2005.
4 */ 4 */
@@ -64,18 +64,20 @@
64#include <openssl/rand.h> 64#include <openssl/rand.h>
65#include <openssl/sha.h> 65#include <openssl/sha.h>
66 66
67static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0}; 67static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
68 68
69int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, 69int
70 const EVP_MD *Hash, const unsigned char *EM, int sLen) 70RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash,
71 { 71 const unsigned char *EM, int sLen)
72{
72 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen); 73 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
73 } 74}
74 75
75int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, 76int
76 const EVP_MD *Hash, const EVP_MD *mgf1Hash, 77RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
77 const unsigned char *EM, int sLen) 78 const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
78 { 79 int sLen)
80{
79 int i; 81 int i;
80 int ret = 0; 82 int ret = 0;
81 int hLen, maskedDBLen, MSBits, emLen; 83 int hLen, maskedDBLen, MSBits, emLen;
@@ -83,6 +85,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
83 unsigned char *DB = NULL; 85 unsigned char *DB = NULL;
84 EVP_MD_CTX ctx; 86 EVP_MD_CTX ctx;
85 unsigned char H_[EVP_MAX_MD_SIZE]; 87 unsigned char H_[EVP_MAX_MD_SIZE];
88
86 EVP_MD_CTX_init(&ctx); 89 EVP_MD_CTX_init(&ctx);
87 90
88 if (mgf1Hash == NULL) 91 if (mgf1Hash == NULL)
@@ -97,99 +100,96 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
97 * -2 salt length is autorecovered from signature 100 * -2 salt length is autorecovered from signature
98 * -N reserved 101 * -N reserved
99 */ 102 */
100 if (sLen == -1) sLen = hLen; 103 if (sLen == -1)
101 else if (sLen == -2) sLen = -2; 104 sLen = hLen;
102 else if (sLen < -2) 105 else if (sLen == -2)
103 { 106 sLen = -2;
104 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); 107 else if (sLen < -2) {
108 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
109 RSA_R_SLEN_CHECK_FAILED);
105 goto err; 110 goto err;
106 } 111 }
107 112
108 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 113 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
109 emLen = RSA_size(rsa); 114 emLen = RSA_size(rsa);
110 if (EM[0] & (0xFF << MSBits)) 115 if (EM[0] & (0xFF << MSBits)) {
111 { 116 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
112 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID); 117 RSA_R_FIRST_OCTET_INVALID);
113 goto err; 118 goto err;
114 } 119 }
115 if (MSBits == 0) 120 if (MSBits == 0) {
116 {
117 EM++; 121 EM++;
118 emLen--; 122 emLen--;
119 } 123 }
120 if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ 124 if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */
121 {
122 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); 125 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
123 goto err; 126 goto err;
124 } 127 }
125 if (EM[emLen - 1] != 0xbc) 128 if (EM[emLen - 1] != 0xbc) {
126 { 129 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
127 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID); 130 RSA_R_LAST_OCTET_INVALID);
128 goto err; 131 goto err;
129 } 132 }
130 maskedDBLen = emLen - hLen - 1; 133 maskedDBLen = emLen - hLen - 1;
131 H = EM + maskedDBLen; 134 H = EM + maskedDBLen;
132 DB = malloc(maskedDBLen); 135 DB = malloc(maskedDBLen);
133 if (!DB) 136 if (!DB) {
134 {
135 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE); 137 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
136 goto err; 138 goto err;
137 } 139 }
138 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) 140 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
139 goto err; 141 goto err;
140 for (i = 0; i < maskedDBLen; i++) 142 for (i = 0; i < maskedDBLen; i++)
141 DB[i] ^= EM[i]; 143 DB[i] ^= EM[i];
142 if (MSBits) 144 if (MSBits)
143 DB[0] &= 0xFF >> (8 - MSBits); 145 DB[0] &= 0xFF >> (8 - MSBits);
144 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; 146 for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++)
145 if (DB[i++] != 0x1) 147 ;
146 { 148 if (DB[i++] != 0x1) {
147 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED); 149 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
150 RSA_R_SLEN_RECOVERY_FAILED);
148 goto err; 151 goto err;
149 } 152 }
150 if (sLen >= 0 && (maskedDBLen - i) != sLen) 153 if (sLen >= 0 && (maskedDBLen - i) != sLen) {
151 { 154 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
152 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); 155 RSA_R_SLEN_CHECK_FAILED);
153 goto err; 156 goto err;
154 } 157 }
155 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) 158 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
156 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) 159 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
157 || !EVP_DigestUpdate(&ctx, mHash, hLen)) 160 !EVP_DigestUpdate(&ctx, mHash, hLen))
158 goto err; 161 goto err;
159 if (maskedDBLen - i) 162 if (maskedDBLen - i) {
160 {
161 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i)) 163 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
162 goto err; 164 goto err;
163 } 165 }
164 if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) 166 if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
165 goto err; 167 goto err;
166 if (memcmp(H_, H, hLen)) 168 if (memcmp(H_, H, hLen)) {
167 {
168 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE); 169 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
169 ret = 0; 170 ret = 0;
170 } 171 } else
171 else
172 ret = 1; 172 ret = 1;
173 173
174 err: 174err:
175 free(DB); 175 free(DB);
176 EVP_MD_CTX_cleanup(&ctx); 176 EVP_MD_CTX_cleanup(&ctx);
177 177
178 return ret; 178 return ret;
179}
179 180
180 } 181int
181 182RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
182int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, 183 const unsigned char *mHash, const EVP_MD *Hash, int sLen)
183 const unsigned char *mHash, 184{
184 const EVP_MD *Hash, int sLen)
185 {
186 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen); 185 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
187 } 186}
188 187
189int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, 188int
190 const unsigned char *mHash, 189RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
191 const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen) 190 const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
192 { 191 int sLen)
192{
193 int i; 193 int i;
194 int ret = 0; 194 int ret = 0;
195 int hLen, maskedDBLen, MSBits, emLen; 195 int hLen, maskedDBLen, MSBits, emLen;
@@ -208,47 +208,45 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
208 * -2 salt length is maximized 208 * -2 salt length is maximized
209 * -N reserved 209 * -N reserved
210 */ 210 */
211 if (sLen == -1) sLen = hLen; 211 if (sLen == -1)
212 else if (sLen == -2) sLen = -2; 212 sLen = hLen;
213 else if (sLen < -2) 213 else if (sLen == -2)
214 { 214 sLen = -2;
215 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED); 215 else if (sLen < -2) {
216 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
217 RSA_R_SLEN_CHECK_FAILED);
216 goto err; 218 goto err;
217 } 219 }
218 220
219 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; 221 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
220 emLen = RSA_size(rsa); 222 emLen = RSA_size(rsa);
221 if (MSBits == 0) 223 if (MSBits == 0) {
222 {
223 *EM++ = 0; 224 *EM++ = 0;
224 emLen--; 225 emLen--;
225 } 226 }
226 if (sLen == -2) 227 if (sLen == -2)
227 {
228 sLen = emLen - hLen - 2; 228 sLen = emLen - hLen - 2;
229 } 229 else if (emLen < (hLen + sLen + 2)) {
230 else if (emLen < (hLen + sLen + 2)) 230 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
231 { 231 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
232 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
233 goto err; 232 goto err;
234 } 233 }
235 if (sLen > 0) 234 if (sLen > 0) {
236 {
237 salt = malloc(sLen); 235 salt = malloc(sLen);
238 if (!salt) 236 if (!salt) {
239 { 237 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
240 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE); 238 ERR_R_MALLOC_FAILURE);
241 goto err; 239 goto err;
242 } 240 }
243 if (RAND_bytes(salt, sLen) <= 0) 241 if (RAND_bytes(salt, sLen) <= 0)
244 goto err; 242 goto err;
245 } 243 }
246 maskedDBLen = emLen - hLen - 1; 244 maskedDBLen = emLen - hLen - 1;
247 H = EM + maskedDBLen; 245 H = EM + maskedDBLen;
248 EVP_MD_CTX_init(&ctx); 246 EVP_MD_CTX_init(&ctx);
249 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) 247 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
250 || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) 248 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
251 || !EVP_DigestUpdate(&ctx, mHash, hLen)) 249 !EVP_DigestUpdate(&ctx, mHash, hLen))
252 goto err; 250 goto err;
253 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen)) 251 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
254 goto err; 252 goto err;
@@ -262,29 +260,27 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
262 260
263 p = EM; 261 p = EM;
264 262
265 /* Initial PS XORs with all zeroes which is a NOP so just update 263 /*
264 * Initial PS XORs with all zeroes which is a NOP so just update
266 * pointer. Note from a test above this value is guaranteed to 265 * pointer. Note from a test above this value is guaranteed to
267 * be non-negative. 266 * be non-negative.
268 */ 267 */
269 p += emLen - sLen - hLen - 2; 268 p += emLen - sLen - hLen - 2;
270 *p++ ^= 0x1; 269 *p++ ^= 0x1;
271 if (sLen > 0) 270 if (sLen > 0) {
272 {
273 for (i = 0; i < sLen; i++) 271 for (i = 0; i < sLen; i++)
274 *p++ ^= salt[i]; 272 *p++ ^= salt[i];
275 } 273 }
276 if (MSBits) 274 if (MSBits)
277 EM[0] &= 0xFF >> (8 - MSBits); 275 EM[0] &= 0xFF >> (8 - MSBits);
278 276
279 /* H is already in place so just set final 0xbc */ 277 /* H is already in place so just set final 0xbc */
280
281 EM[emLen - 1] = 0xbc; 278 EM[emLen - 1] = 0xbc;
282 279
283 ret = 1; 280 ret = 1;
284 281
285 err: 282err:
286 free(salt); 283 free(salt);
287 284
288 return ret; 285 return ret;
289 286}
290 }
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_saos.c b/src/lib/libssl/src/crypto/rsa/rsa_saos.c
index cca503e026..50dfef7e71 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_saos.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_saos.c,v 1.11 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_saos.c,v 1.12 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -63,88 +63,86 @@
63#include <openssl/objects.h> 63#include <openssl/objects.h>
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int RSA_sign_ASN1_OCTET_STRING(int type, 66int
67 const unsigned char *m, unsigned int m_len, 67RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
68 unsigned char *sigret, unsigned int *siglen, RSA *rsa) 68 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
69 { 69{
70 ASN1_OCTET_STRING sig; 70 ASN1_OCTET_STRING sig;
71 int i,j,ret=1; 71 int i, j, ret = 1;
72 unsigned char *p,*s; 72 unsigned char *p,*s;
73 73
74 sig.type=V_ASN1_OCTET_STRING; 74 sig.type = V_ASN1_OCTET_STRING;
75 sig.length=m_len; 75 sig.length = m_len;
76 sig.data=(unsigned char *)m; 76 sig.data = (unsigned char *)m;
77 77
78 i=i2d_ASN1_OCTET_STRING(&sig,NULL); 78 i = i2d_ASN1_OCTET_STRING(&sig, NULL);
79 j=RSA_size(rsa); 79 j = RSA_size(rsa);
80 if (i > (j-RSA_PKCS1_PADDING_SIZE)) 80 if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
81 { 81 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,
82 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); 82 RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
83 return(0); 83 return 0;
84 } 84 }
85 s = malloc((unsigned int)j+1); 85 s = malloc((unsigned int)j + 1);
86 if (s == NULL) 86 if (s == NULL) {
87 { 87 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
88 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE); 88 return 0;
89 return(0); 89 }
90 } 90 p = s;
91 p=s; 91 i2d_ASN1_OCTET_STRING(&sig, &p);
92 i2d_ASN1_OCTET_STRING(&sig,&p); 92 i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
93 i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
94 if (i <= 0) 93 if (i <= 0)
95 ret=0; 94 ret = 0;
96 else 95 else
97 *siglen=i; 96 *siglen = i;
98 97
99 OPENSSL_cleanse(s,(unsigned int)j+1); 98 OPENSSL_cleanse(s, (unsigned int)j + 1);
100 free(s); 99 free(s);
101 return(ret); 100 return ret;
102 } 101}
103 102
104int RSA_verify_ASN1_OCTET_STRING(int dtype, 103int
105 const unsigned char *m, 104RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
106 unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, 105 unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
107 RSA *rsa) 106{
108 { 107 int i, ret = 0;
109 int i,ret=0;
110 unsigned char *s; 108 unsigned char *s;
111 const unsigned char *p; 109 const unsigned char *p;
112 ASN1_OCTET_STRING *sig=NULL; 110 ASN1_OCTET_STRING *sig = NULL;
113 111
114 if (siglen != (unsigned int)RSA_size(rsa)) 112 if (siglen != (unsigned int)RSA_size(rsa)) {
115 { 113 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
116 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_WRONG_SIGNATURE_LENGTH); 114 RSA_R_WRONG_SIGNATURE_LENGTH);
117 return(0); 115 return 0;
118 } 116 }
119 117
120 s = malloc((unsigned int)siglen); 118 s = malloc((unsigned int)siglen);
121 if (s == NULL) 119 if (s == NULL) {
122 { 120 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
123 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE); 121 ERR_R_MALLOC_FAILURE);
124 goto err; 122 goto err;
125 } 123 }
126 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); 124 i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
127 125
128 if (i <= 0) goto err; 126 if (i <= 0)
127 goto err;
129 128
130 p=s; 129 p = s;
131 sig=d2i_ASN1_OCTET_STRING(NULL,&p,(long)i); 130 sig = d2i_ASN1_OCTET_STRING(NULL, &p, (long)i);
132 if (sig == NULL) goto err; 131 if (sig == NULL)
132 goto err;
133 133
134 if ( ((unsigned int)sig->length != m_len) || 134 if ((unsigned int)sig->length != m_len ||
135 (memcmp(m,sig->data,m_len) != 0)) 135 memcmp(m,sig->data, m_len) != 0) {
136 { 136 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
137 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_BAD_SIGNATURE); 137 RSA_R_BAD_SIGNATURE);
138 } 138 } else
139 else 139 ret = 1;
140 ret=1;
141err: 140err:
142 if (sig != NULL) M_ASN1_OCTET_STRING_free(sig); 141 if (sig != NULL)
143 if (s != NULL) 142 M_ASN1_OCTET_STRING_free(sig);
144 { 143 if (s != NULL) {
145 OPENSSL_cleanse(s,(unsigned int)siglen); 144 OPENSSL_cleanse(s, (unsigned int)siglen);
146 free(s); 145 free(s);
147 }
148 return(ret);
149 } 146 }
150 147 return ret;
148}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_sign.c b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
index 4642775964..239435fe91 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_sign.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_sign.c,v 1.17 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_sign.c,v 1.18 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -67,233 +67,212 @@
67/* Size of an SSL signature: MD5+SHA1 */ 67/* Size of an SSL signature: MD5+SHA1 */
68#define SSL_SIG_LENGTH 36 68#define SSL_SIG_LENGTH 36
69 69
70int RSA_sign(int type, const unsigned char *m, unsigned int m_len, 70int
71 unsigned char *sigret, unsigned int *siglen, RSA *rsa) 71RSA_sign(int type, const unsigned char *m, unsigned int m_len,
72 { 72 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
73{
73 X509_SIG sig; 74 X509_SIG sig;
74 ASN1_TYPE parameter; 75 ASN1_TYPE parameter;
75 int i,j,ret=1; 76 int i, j, ret = 1;
76 unsigned char *p, *tmps = NULL; 77 unsigned char *p, *tmps = NULL;
77 const unsigned char *s = NULL; 78 const unsigned char *s = NULL;
78 X509_ALGOR algor; 79 X509_ALGOR algor;
79 ASN1_OCTET_STRING digest; 80 ASN1_OCTET_STRING digest;
80 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) 81
81 { 82 if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
82 return rsa->meth->rsa_sign(type, m, m_len, 83 return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
83 sigret, siglen, rsa); 84
84 }
85 /* Special case: SSL signature, just check the length */ 85 /* Special case: SSL signature, just check the length */
86 if(type == NID_md5_sha1) { 86 if (type == NID_md5_sha1) {
87 if(m_len != SSL_SIG_LENGTH) { 87 if (m_len != SSL_SIG_LENGTH) {
88 RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH); 88 RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH);
89 return(0); 89 return 0;
90 } 90 }
91 i = SSL_SIG_LENGTH; 91 i = SSL_SIG_LENGTH;
92 s = m; 92 s = m;
93 } else { 93 } else {
94 sig.algor= &algor; 94 sig.algor = &algor;
95 sig.algor->algorithm=OBJ_nid2obj(type); 95 sig.algor->algorithm = OBJ_nid2obj(type);
96 if (sig.algor->algorithm == NULL) 96 if (sig.algor->algorithm == NULL) {
97 { 97 RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
98 RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE); 98 return 0;
99 return(0); 99 }
100 } 100 if (sig.algor->algorithm->length == 0) {
101 if (sig.algor->algorithm->length == 0) 101 RSAerr(RSA_F_RSA_SIGN,
102 { 102 RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
103 RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); 103 return 0;
104 return(0); 104 }
105 } 105 parameter.type = V_ASN1_NULL;
106 parameter.type=V_ASN1_NULL; 106 parameter.value.ptr = NULL;
107 parameter.value.ptr=NULL; 107 sig.algor->parameter = &parameter;
108 sig.algor->parameter= &parameter;
109 108
110 sig.digest= &digest; 109 sig.digest = &digest;
111 sig.digest->data=(unsigned char *)m; /* TMP UGLY CAST */ 110 sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
112 sig.digest->length=m_len; 111 sig.digest->length = m_len;
113 112
114 i=i2d_X509_SIG(&sig,NULL); 113 i = i2d_X509_SIG(&sig, NULL);
114 }
115 j = RSA_size(rsa);
116 if (i > j - RSA_PKCS1_PADDING_SIZE) {
117 RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
118 return 0;
115 } 119 }
116 j=RSA_size(rsa); 120 if (type != NID_md5_sha1) {
117 if (i > (j-RSA_PKCS1_PADDING_SIZE)) 121 tmps = malloc((unsigned int)j + 1);
118 { 122 if (tmps == NULL) {
119 RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); 123 RSAerr(RSA_F_RSA_SIGN, ERR_R_MALLOC_FAILURE);
120 return(0); 124 return 0;
121 } 125 }
122 if(type != NID_md5_sha1) { 126 p = tmps;
123 tmps = malloc((unsigned int)j+1); 127 i2d_X509_SIG(&sig, &p);
124 if (tmps == NULL) 128 s = tmps;
125 {
126 RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
127 return(0);
128 }
129 p=tmps;
130 i2d_X509_SIG(&sig,&p);
131 s=tmps;
132 } 129 }
133 i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING); 130 i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
134 if (i <= 0) 131 if (i <= 0)
135 ret=0; 132 ret = 0;
136 else 133 else
137 *siglen=i; 134 *siglen = i;
138 135
139 if(type != NID_md5_sha1) { 136 if (type != NID_md5_sha1) {
140 OPENSSL_cleanse(tmps,(unsigned int)j+1); 137 OPENSSL_cleanse(tmps, (unsigned int)j + 1);
141 free(tmps); 138 free(tmps);
142 } 139 }
143 return(ret); 140 return(ret);
144 } 141}
145 142
146int int_rsa_verify(int dtype, const unsigned char *m, 143int
147 unsigned int m_len, 144int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
148 unsigned char *rm, size_t *prm_len, 145 unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf,
149 const unsigned char *sigbuf, size_t siglen, 146 size_t siglen, RSA *rsa)
150 RSA *rsa) 147{
151 { 148 int i, ret = 0, sigtype;
152 int i,ret=0,sigtype;
153 unsigned char *s; 149 unsigned char *s;
154 X509_SIG *sig=NULL; 150 X509_SIG *sig = NULL;
155 151
156 if (siglen != (unsigned int)RSA_size(rsa)) 152 if (siglen != (unsigned int)RSA_size(rsa)) {
157 { 153 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
158 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); 154 return 0;
159 return(0); 155 }
160 }
161 156
162 if((dtype == NID_md5_sha1) && rm) 157 if ((dtype == NID_md5_sha1) && rm) {
163 { 158 i = RSA_public_decrypt((int)siglen, sigbuf, rm, rsa,
164 i = RSA_public_decrypt((int)siglen, 159 RSA_PKCS1_PADDING);
165 sigbuf,rm,rsa,RSA_PKCS1_PADDING);
166 if (i <= 0) 160 if (i <= 0)
167 return 0; 161 return 0;
168 *prm_len = i; 162 *prm_len = i;
169 return 1; 163 return 1;
170 } 164 }
171 165
172 s = malloc((unsigned int)siglen); 166 s = malloc((unsigned int)siglen);
173 if (s == NULL) 167 if (s == NULL) {
174 { 168 RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE);
175 RSAerr(RSA_F_INT_RSA_VERIFY,ERR_R_MALLOC_FAILURE); 169 goto err;
170 }
171 if (dtype == NID_md5_sha1 && m_len != SSL_SIG_LENGTH) {
172 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
176 goto err; 173 goto err;
177 }
178 if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
179 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
180 goto err;
181 } 174 }
182 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); 175 i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
183 176
184 if (i <= 0) goto err; 177 if (i <= 0)
185 /* Oddball MDC2 case: signature can be OCTET STRING. 178 goto err;
179
180 /*
181 * Oddball MDC2 case: signature can be OCTET STRING.
186 * check for correct tag and length octets. 182 * check for correct tag and length octets.
187 */ 183 */
188 if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) 184 if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) {
189 { 185 if (rm) {
190 if (rm)
191 {
192 memcpy(rm, s + 2, 16); 186 memcpy(rm, s + 2, 16);
193 *prm_len = 16; 187 *prm_len = 16;
194 ret = 1; 188 ret = 1;
195 } 189 } else if (memcmp(m, s + 2, 16))
196 else if(memcmp(m, s + 2, 16)) 190 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
197 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
198 else 191 else
199 ret = 1; 192 ret = 1;
200 } 193 }
201 194
202 /* Special case: SSL signature */ 195 /* Special case: SSL signature */
203 if(dtype == NID_md5_sha1) { 196 if (dtype == NID_md5_sha1) {
204 if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH)) 197 if (i != SSL_SIG_LENGTH || memcmp(s, m, SSL_SIG_LENGTH))
205 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); 198 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
206 else ret = 1; 199 else
200 ret = 1;
207 } else { 201 } else {
208 const unsigned char *p=s; 202 const unsigned char *p=s;
209 sig=d2i_X509_SIG(NULL,&p,(long)i);
210 203
211 if (sig == NULL) goto err; 204 sig = d2i_X509_SIG(NULL, &p, (long)i);
205
206 if (sig == NULL)
207 goto err;
212 208
213 /* Excess data can be used to create forgeries */ 209 /* Excess data can be used to create forgeries */
214 if(p != s+i) 210 if (p != s + i) {
215 { 211 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
216 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
217 goto err; 212 goto err;
218 } 213 }
219 214
220 /* Parameters to the signature algorithm can also be used to 215 /* Parameters to the signature algorithm can also be used to
221 create forgeries */ 216 create forgeries */
222 if(sig->algor->parameter 217 if (sig->algor->parameter &&
223 && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) 218 ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) {
224 { 219 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
225 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
226 goto err; 220 goto err;
227 } 221 }
228
229 sigtype=OBJ_obj2nid(sig->algor->algorithm);
230 222
223 sigtype = OBJ_obj2nid(sig->algor->algorithm);
231 224
232 #ifdef RSA_DEBUG 225 if (sigtype != dtype) {
233 /* put a backward compatibility flag in EAY */ 226 if ((dtype == NID_md5 &&
234 fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype), 227 sigtype == NID_md5WithRSAEncryption) ||
235 OBJ_nid2ln(dtype)); 228 (dtype == NID_md2 &&
236 #endif 229 sigtype == NID_md2WithRSAEncryption)) {
237 if (sigtype != dtype)
238 {
239 if (((dtype == NID_md5) &&
240 (sigtype == NID_md5WithRSAEncryption)) ||
241 ((dtype == NID_md2) &&
242 (sigtype == NID_md2WithRSAEncryption)))
243 {
244 /* ok, we will let it through */ 230 /* ok, we will let it through */
245 fprintf(stderr,"signature has problems, re-make with post SSLeay045\n"); 231 fprintf(stderr,
246 } 232 "signature has problems, "
247 else 233 "re-make with post SSLeay045\n");
248 { 234 } else {
249 RSAerr(RSA_F_INT_RSA_VERIFY, 235 RSAerr(RSA_F_INT_RSA_VERIFY,
250 RSA_R_ALGORITHM_MISMATCH); 236 RSA_R_ALGORITHM_MISMATCH);
251 goto err; 237 goto err;
252 }
253 } 238 }
254 if (rm) 239 }
255 { 240 if (rm) {
256 const EVP_MD *md; 241 const EVP_MD *md;
242
257 md = EVP_get_digestbynid(dtype); 243 md = EVP_get_digestbynid(dtype);
258 if (md && (EVP_MD_size(md) != sig->digest->length)) 244 if (md && (EVP_MD_size(md) != sig->digest->length))
259 RSAerr(RSA_F_INT_RSA_VERIFY, 245 RSAerr(RSA_F_INT_RSA_VERIFY,
260 RSA_R_INVALID_DIGEST_LENGTH); 246 RSA_R_INVALID_DIGEST_LENGTH);
261 else 247 else {
262 {
263 memcpy(rm, sig->digest->data, 248 memcpy(rm, sig->digest->data,
264 sig->digest->length); 249 sig->digest->length);
265 *prm_len = sig->digest->length; 250 *prm_len = sig->digest->length;
266 ret = 1; 251 ret = 1;
267 }
268 } 252 }
269 else if (((unsigned int)sig->digest->length != m_len) || 253 } else if ((unsigned int)sig->digest->length != m_len ||
270 (memcmp(m,sig->digest->data,m_len) != 0)) 254 memcmp(m,sig->digest->data,m_len) != 0) {
271 { 255 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
272 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); 256 } else
273 } 257 ret = 1;
274 else
275 ret=1;
276 } 258 }
277err: 259err:
278 if (sig != NULL) X509_SIG_free(sig); 260 if (sig != NULL)
279 if (s != NULL) 261 X509_SIG_free(sig);
280 { 262 if (s != NULL) {
281 OPENSSL_cleanse(s,(unsigned int)siglen); 263 OPENSSL_cleanse(s, (unsigned int)siglen);
282 free(s); 264 free(s);
283 }
284 return(ret);
285 } 265 }
266 return ret;
267}
286 268
287int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, 269int
288 const unsigned char *sigbuf, unsigned int siglen, 270RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
289 RSA *rsa) 271 const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
290 { 272{
291 273 if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
292 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) 274 return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen,
293 { 275 rsa);
294 return rsa->meth->rsa_verify(dtype, m, m_len,
295 sigbuf, siglen, rsa);
296 }
297 276
298 return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa); 277 return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
299 } 278}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_ssl.c b/src/lib/libssl/src/crypto/rsa/rsa_ssl.c
index 3f4ec95a6e..c6ab71c674 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_ssl.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_ssl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_ssl.c,v 1.7 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_ssl.c,v 1.8 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -62,93 +62,92 @@
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64 64
65int RSA_padding_add_SSLv23(unsigned char *to, int tlen, 65int
66 const unsigned char *from, int flen) 66RSA_padding_add_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
67 { 67 int flen)
68{
68 int i,j; 69 int i,j;
69 unsigned char *p; 70 unsigned char *p;
70 71
71 if (flen > (tlen-11)) 72 if (flen > tlen - 11) {
72 { 73 RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
73 RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 74 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
74 return(0); 75 return 0;
75 } 76 }
76 77
77 p=(unsigned char *)to; 78 p = (unsigned char *)to;
78 79
79 *(p++)=0; 80 *(p++) = 0;
80 *(p++)=2; /* Public Key BT (Block Type) */ 81 *(p++) = 2; /* Public Key BT (Block Type) */
81 82
82 /* pad out with non-zero random data */ 83 /* pad out with non-zero random data */
83 j=tlen-3-8-flen; 84 j = tlen - 3 - 8 - flen;
84 85
85 if (RAND_bytes(p,j) <= 0) 86 if (RAND_bytes(p, j) <= 0)
86 return(0); 87 return 0;
87 for (i=0; i<j; i++) 88 for (i = 0; i < j; i++) {
88 {
89 if (*p == '\0') 89 if (*p == '\0')
90 do { 90 do {
91 if (RAND_bytes(p,1) <= 0) 91 if (RAND_bytes(p, 1) <= 0)
92 return(0); 92 return 0;
93 } while (*p == '\0'); 93 } while (*p == '\0');
94 p++; 94 p++;
95 } 95 }
96 96
97 memset(p,3,8); 97 memset(p, 3, 8);
98 p+=8; 98 p += 8;
99 *(p++)='\0'; 99 *(p++) = '\0';
100 100
101 memcpy(p,from,(unsigned int)flen); 101 memcpy(p, from, (unsigned int)flen);
102 return(1); 102 return 1;
103 } 103}
104 104
105int RSA_padding_check_SSLv23(unsigned char *to, int tlen, 105int
106 const unsigned char *from, int flen, int num) 106RSA_padding_check_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
107 { 107 int flen, int num)
108 int i,j,k; 108{
109 int i, j, k;
109 const unsigned char *p; 110 const unsigned char *p;
110 111
111 p=from; 112 p = from;
112 if (flen < 10) 113 if (flen < 10) {
113 { 114 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
114 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_SMALL); 115 return -1;
115 return(-1); 116 }
116 } 117 if (num != flen + 1 || *(p++) != 02) {
117 if ((num != (flen+1)) || (*(p++) != 02)) 118 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
118 { 119 RSA_R_BLOCK_TYPE_IS_NOT_02);
119 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_BLOCK_TYPE_IS_NOT_02); 120 return -1;
120 return(-1); 121 }
121 }
122 122
123 /* scan over padding data */ 123 /* scan over padding data */
124 j=flen-1; /* one for type */ 124 j = flen - 1; /* one for type */
125 for (i=0; i<j; i++) 125 for (i = 0; i < j; i++)
126 if (*(p++) == 0) break; 126 if (*(p++) == 0)
127 break;
127 128
128 if ((i == j) || (i < 8)) 129 if (i == j || i < 8) {
129 { 130 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
130 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING); 131 RSA_R_NULL_BEFORE_BLOCK_MISSING);
131 return(-1); 132 return -1;
132 } 133 }
133 for (k = -9; k<-1; k++) 134 for (k = -9; k < -1; k++) {
134 { 135 if (p[k] != 0x03)
135 if (p[k] != 0x03) break; 136 break;
136 } 137 }
137 if (k == -1) 138 if (k == -1) {
138 { 139 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
139 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK); 140 RSA_R_SSLV3_ROLLBACK_ATTACK);
140 return(-1); 141 return -1;
141 } 142 }
142 143
143 i++; /* Skip over the '\0' */ 144 i++; /* Skip over the '\0' */
144 j-=i; 145 j -= i;
145 if (j > tlen) 146 if (j > tlen) {
146 { 147 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
147 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE); 148 return -1;
148 return(-1);
149 }
150 memcpy(to,p,(unsigned int)j);
151
152 return(j);
153 } 149 }
150 memcpy(to, p, (unsigned int)j);
154 151
152 return j;
153}
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_x931.c b/src/lib/libssl/src/crypto/rsa/rsa_x931.c
index 6592c22ee5..f22c50ba13 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_x931.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_x931.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_x931.c,v 1.2 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_x931.c,v 1.3 2014/07/09 08:20:08 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005. 3 * project 2005.
4 */ 4 */
@@ -63,115 +63,103 @@
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64#include <openssl/objects.h> 64#include <openssl/objects.h>
65 65
66int RSA_padding_add_X931(unsigned char *to, int tlen, 66int
67 const unsigned char *from, int flen) 67RSA_padding_add_X931(unsigned char *to, int tlen, const unsigned char *from,
68 { 68 int flen)
69{
69 int j; 70 int j;
70 unsigned char *p; 71 unsigned char *p;
71 72
72 /* Absolute minimum amount of padding is 1 header nibble, 1 padding 73 /*
74 * Absolute minimum amount of padding is 1 header nibble, 1 padding
73 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'. 75 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
74 */ 76 */
75
76 j = tlen - flen - 2; 77 j = tlen - flen - 2;
77 78
78 if (j < 0) 79 if (j < 0) {
79 { 80 RSAerr(RSA_F_RSA_PADDING_ADD_X931,
80 RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); 81 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
81 return -1; 82 return -1;
82 } 83 }
83 84
84 p=(unsigned char *)to; 85 p = (unsigned char *)to;
85 86
86 /* If no padding start and end nibbles are in one byte */ 87 /* If no padding start and end nibbles are in one byte */
87 if (j == 0) 88 if (j == 0)
88 *p++ = 0x6A; 89 *p++ = 0x6A;
89 else 90 else {
90 {
91 *p++ = 0x6B; 91 *p++ = 0x6B;
92 if (j > 1) 92 if (j > 1) {
93 {
94 memset(p, 0xBB, j - 1); 93 memset(p, 0xBB, j - 1);
95 p += j - 1; 94 p += j - 1;
96 }
97 *p++ = 0xBA;
98 } 95 }
99 memcpy(p,from,(unsigned int)flen); 96 *p++ = 0xBA;
97 }
98 memcpy(p, from, (unsigned int)flen);
100 p += flen; 99 p += flen;
101 *p = 0xCC; 100 *p = 0xCC;
102 return(1); 101 return 1;
103 } 102}
104 103
105int RSA_padding_check_X931(unsigned char *to, int tlen, 104int
106 const unsigned char *from, int flen, int num) 105RSA_padding_check_X931(unsigned char *to, int tlen, const unsigned char *from,
107 { 106 int flen, int num)
108 int i = 0,j; 107{
109 const unsigned char *p; 108 int i = 0, j;
110 109 const unsigned char *p = from;
111 p=from; 110
112 if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B))) 111 if (num != flen || (*p != 0x6A && *p != 0x6B)) {
113 { 112 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_HEADER);
114 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER);
115 return -1; 113 return -1;
116 } 114 }
117 115
118 if (*p++ == 0x6B) 116 if (*p++ == 0x6B) {
119 { 117 j = flen - 3;
120 j=flen-3; 118 for (i = 0; i < j; i++) {
121 for (i = 0; i < j; i++)
122 {
123 unsigned char c = *p++; 119 unsigned char c = *p++;
124 if (c == 0xBA) 120 if (c == 0xBA)
125 break; 121 break;
126 if (c != 0xBB) 122 if (c != 0xBB) {
127 {
128 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, 123 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
129 RSA_R_INVALID_PADDING); 124 RSA_R_INVALID_PADDING);
130 return -1; 125 return -1;
131 }
132 } 126 }
127 }
133 128
134 j -= i; 129 if (i == 0) {
135
136 if (i == 0)
137 {
138 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING); 130 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING);
139 return -1; 131 return -1;
140 }
141
142 } 132 }
143 else j = flen - 2;
144 133
145 if (p[j] != 0xCC) 134 j -= i;
146 { 135 } else
136 j = flen - 2;
137
138 if (p[j] != 0xCC) {
147 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER); 139 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
148 return -1; 140 return -1;
149 } 141 }
150 142
151 memcpy(to,p,(unsigned int)j); 143 memcpy(to, p, (unsigned int)j);
152 144
153 return(j); 145 return j;
154 } 146}
155 147
156/* Translate between X931 hash ids and NIDs */ 148/* Translate between X931 hash ids and NIDs */
157 149
158int RSA_X931_hash_id(int nid) 150int
159 { 151RSA_X931_hash_id(int nid)
160 switch (nid) 152{
161 { 153 switch (nid) {
162 case NID_sha1: 154 case NID_sha1:
163 return 0x33; 155 return 0x33;
164 156 case NID_sha256:
165 case NID_sha256:
166 return 0x34; 157 return 0x34;
167 158 case NID_sha384:
168 case NID_sha384:
169 return 0x36; 159 return 0x36;
170 160 case NID_sha512:
171 case NID_sha512:
172 return 0x35; 161 return 0x35;
173
174 }
175 return -1;
176 } 162 }
177 163
164 return -1;
165}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 22:05:13 +0000