authorcvs2svn <admin@example.com>2014-02-27 21:04:58 +0000
committercvs2svn <admin@example.com>2014-02-27 21:04:58 +0000
commit726818f36b5221c023cd04c4b90bdbc08e94cd96 (patch)
treecf8221f3aa5bf5a578ddf1ecf5677ad08c04d342 /src/lib/libcrypto/rsa
parent3b6d92e82b1421b811bcdec7f7fdfb31eeef18de (diff)
This commit was manufactured by cvs2git to create tag 'OPENBSD_5_5_BASE'.OPENBSD_5_5_BASE
Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h582
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c698
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c121
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c184
-rw-r--r--src/lib/libcrypto/rsa/rsa_crpt.c257
-rw-r--r--src/lib/libcrypto/rsa/rsa_depr.c101
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c915
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c209
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c234
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c333
-rw-r--r--src/lib/libcrypto/rsa/rsa_locl.h4
-rw-r--r--src/lib/libcrypto/rsa/rsa_none.c98
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c235
-rw-r--r--src/lib/libcrypto/rsa/rsa_pk1.c224
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c723
-rw-r--r--src/lib/libcrypto/rsa/rsa_prn.c93
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c300
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c150
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c318
-rw-r--r--src/lib/libcrypto/rsa/rsa_ssl.c154
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931.c177
21 files changed, 0 insertions, 6110 deletions
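diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
deleted file mode 100644
index 4814a2fc15..0000000000
--- a/src/lib/libcrypto/rsa/rsa.h
+++ /dev/null
@@ -1,582 +0,0 @@
-/* crypto/rsa/rsa.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_RSA_H
-#define HEADER_RSA_H
-
-#include <openssl/asn1.h>
-
-#ifndef OPENSSL_NO_BIO
-#include <openssl/bio.h>
-#endif
-#include <openssl/crypto.h>
-#include <openssl/ossl_typ.h>
-#ifndef OPENSSL_NO_DEPRECATED
-#include <openssl/bn.h>
-#endif
-
-#ifdef OPENSSL_NO_RSA
-#error RSA is disabled.
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Declared already in ossl_typ.h */
-/* typedef struct rsa_st RSA; */
-/* typedef struct rsa_meth_st RSA_METHOD; */
-
-struct rsa_meth_st
- {
- const char *name;
- int (*rsa_pub_enc)(int flen,const unsigned char *from,
- unsigned char *to,
- RSA *rsa,int padding);
- int (*rsa_pub_dec)(int flen,const unsigned char *from,
- unsigned char *to,
- RSA *rsa,int padding);
- int (*rsa_priv_enc)(int flen,const unsigned char *from,
- unsigned char *to,
- RSA *rsa,int padding);
- int (*rsa_priv_dec)(int flen,const unsigned char *from,
- unsigned char *to,
- RSA *rsa,int padding);
- int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx); /* Can be null */
- int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *m_ctx); /* Can be null */
- int (*init)(RSA *rsa); /* called at new */
- int (*finish)(RSA *rsa); /* called at free */
- int flags; /* RSA_METHOD_FLAG_* things */
- char *app_data; /* may be needed! */
-/* New sign and verify functions: some libraries don't allow arbitrary data
- * to be signed/verified: this allows them to be used. Note: for this to work
- * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
- * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
- * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
- * option is set in 'flags'.
- */
- int (*rsa_sign)(int type,
- const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
- int (*rsa_verify)(int dtype,
- const unsigned char *m, unsigned int m_length,
- const unsigned char *sigbuf, unsigned int siglen,
- const RSA *rsa);
-/* If this callback is NULL, the builtin software RSA key-gen will be used. This
- * is for behavioural compatibility whilst the code gets rewired, but one day
- * it would be nice to assume there are no such things as "builtin software"
- * implementations. */
- int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
- };
-
-struct rsa_st
- {
- /* The first parameter is used to pickup errors where
- * this is passed instead of aEVP_PKEY, it is set to 0 */
- int pad;
- long version;
- const RSA_METHOD *meth;
- /* functional reference if 'meth' is ENGINE-provided */
- ENGINE *engine;
- BIGNUM *n;
- BIGNUM *e;
- BIGNUM *d;
- BIGNUM *p;
- BIGNUM *q;
- BIGNUM *dmp1;
- BIGNUM *dmq1;
- BIGNUM *iqmp;
- /* be careful using this if the RSA structure is shared */
- CRYPTO_EX_DATA ex_data;
- int references;
- int flags;
-
- /* Used to cache montgomery values */
- BN_MONT_CTX *_method_mod_n;
- BN_MONT_CTX *_method_mod_p;
- BN_MONT_CTX *_method_mod_q;
-
- /* all BIGNUM values are actually in the following data, if it is not
- * NULL */
- char *bignum_data;
- BN_BLINDING *blinding;
- BN_BLINDING *mt_blinding;
- };
-
-#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
-# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
-#endif
-
-#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
-# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
-#endif
-#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
-# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
-#endif
-
-#define RSA_3 0x3L
-#define RSA_F4 0x10001L
-
-#define RSA_METHOD_FLAG_NO_CHECK 0x0001 /* don't check pub/private match */
-
-#define RSA_FLAG_CACHE_PUBLIC 0x0002
-#define RSA_FLAG_CACHE_PRIVATE 0x0004
-#define RSA_FLAG_BLINDING 0x0008
-#define RSA_FLAG_THREAD_SAFE 0x0010
-/* This flag means the private key operations will be handled by rsa_mod_exp
- * and that they do not depend on the private key components being present:
- * for example a key stored in external hardware. Without this flag bn_mod_exp
- * gets called when private key components are absent.
- */
-#define RSA_FLAG_EXT_PKEY 0x0020
-
-/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
- */
-#define RSA_FLAG_SIGN_VER 0x0040
-
-#define RSA_FLAG_NO_BLINDING 0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
- * RSA implementation now uses blinding by
- * default (ignoring RSA_FLAG_BLINDING),
- * but other engines might not need it
- */
-#define RSA_FLAG_NO_CONSTTIME 0x0100 /* new with 0.9.8f; the built-in RSA
- * implementation now uses constant time
- * operations by default in private key operations,
- * e.g., constant time modular exponentiation,
- * modular inverse without leaking branches,
- * division without leaking branches. This
- * flag disables these constant time
- * operations and results in faster RSA
- * private key operations.
- */
-#ifndef OPENSSL_NO_DEPRECATED
-#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/
- /* new with 0.9.7h; the built-in RSA
- * implementation now uses constant time
- * modular exponentiation for secret exponents
- * by default. This flag causes the
- * faster variable sliding window method to
- * be used for all exponents.
- */
-#endif
-
-
-#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
- pad, NULL)
-
-#define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, \
- EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad)
-
-#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
- (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
- EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \
- len, NULL)
-
-#define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
- (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
- EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, \
- 0, plen)
-
-#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
-
-#define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
- EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
-
-#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
- EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md)
-
-#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
- EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)
-
-#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
-#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
-
-#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
-#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
-#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5)
-
-#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6)
-#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7)
-#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8)
-
-#define RSA_PKCS1_PADDING 1
-#define RSA_SSLV23_PADDING 2
-#define RSA_NO_PADDING 3
-#define RSA_PKCS1_OAEP_PADDING 4
-#define RSA_X931_PADDING 5
-/* EVP_PKEY_ only */
-#define RSA_PKCS1_PSS_PADDING 6
-
-#define RSA_PKCS1_PADDING_SIZE 11
-
-#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
-#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
-
-RSA * RSA_new(void);
-RSA * RSA_new_method(ENGINE *engine);
-int RSA_size(const RSA *);
-
-/* Deprecated version */
-#ifndef OPENSSL_NO_DEPRECATED
-RSA * RSA_generate_key(int bits, unsigned long e,void
- (*callback)(int,int,void *),void *cb_arg);
-#endif /* !defined(OPENSSL_NO_DEPRECATED) */
-
-/* New version */
-int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-
-int RSA_check_key(const RSA *);
- /* next 4 return -1 on error */
-int RSA_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-int RSA_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-int RSA_public_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-int RSA_private_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-void RSA_free (RSA *r);
-/* "up" the RSA object's reference count */
-int RSA_up_ref(RSA *r);
-
-int RSA_flags(const RSA *r);
-
-void RSA_set_default_method(const RSA_METHOD *meth);
-const RSA_METHOD *RSA_get_default_method(void);
-const RSA_METHOD *RSA_get_method(const RSA *rsa);
-int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
-
-/* This function needs the memory locking malloc callbacks to be installed */
-int RSA_memory_lock(RSA *r);
-
-/* these are the actual SSLeay RSA functions */
-const RSA_METHOD *RSA_PKCS1_SSLeay(void);
-
-const RSA_METHOD *RSA_null_method(void);
-
-DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
-DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
-
-typedef struct rsa_pss_params_st
- {
- X509_ALGOR *hashAlgorithm;
- X509_ALGOR *maskGenAlgorithm;
- ASN1_INTEGER *saltLength;
- ASN1_INTEGER *trailerField;
- } RSA_PSS_PARAMS;
-
-DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
-
-#ifndef OPENSSL_NO_FP_API
-int RSA_print_fp(FILE *fp, const RSA *r,int offset);
-#endif
-
-#ifndef OPENSSL_NO_BIO
-int RSA_print(BIO *bp, const RSA *r,int offset);
-#endif
-
-#ifndef OPENSSL_NO_RC4
-int i2d_RSA_NET(const RSA *a, unsigned char **pp,
- int (*cb)(char *buf, int len, const char *prompt, int verify),
- int sgckey);
-RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
- int (*cb)(char *buf, int len, const char *prompt, int verify),
- int sgckey);
-
-int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
- int (*cb)(char *buf, int len, const char *prompt,
- int verify));
-RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
- int (*cb)(char *buf, int len, const char *prompt,
- int verify));
-#endif
-
-/* The following 2 functions sign and verify a X509_SIG ASN1 object
- * inside PKCS#1 padded RSA encryption */
-int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
- const unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
-
-/* The following 2 function sign and verify a ASN1_OCTET_STRING
- * object inside PKCS#1 padded RSA encryption */
-int RSA_sign_ASN1_OCTET_STRING(int type,
- const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-int RSA_verify_ASN1_OCTET_STRING(int type,
- const unsigned char *m, unsigned int m_length,
- unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
-
-int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
-void RSA_blinding_off(RSA *rsa);
-BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
-
-int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_PKCS1_type_1(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int PKCS1_MGF1(unsigned char *mask, long len,
- const unsigned char *seed, long seedlen, const EVP_MD *dgst);
-int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
- const unsigned char *f,int fl,
- const unsigned char *p,int pl);
-int RSA_padding_check_PKCS1_OAEP(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len,
- const unsigned char *p,int pl);
-int RSA_padding_add_SSLv23(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_SSLv23(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int RSA_padding_add_none(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_none(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int RSA_padding_add_X931(unsigned char *to,int tlen,
- const unsigned char *f,int fl);
-int RSA_padding_check_X931(unsigned char *to,int tlen,
- const unsigned char *f,int fl,int rsa_len);
-int RSA_X931_hash_id(int nid);
-
-int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const unsigned char *EM, int sLen);
-int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash,
- const EVP_MD *Hash, int sLen);
-
-int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const EVP_MD *mgf1Hash,
- const unsigned char *EM, int sLen);
-
-int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash,
- const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen);
-
-int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int RSA_set_ex_data(RSA *r,int idx,void *arg);
-void *RSA_get_ex_data(const RSA *r, int idx);
-
-RSA *RSAPublicKey_dup(RSA *rsa);
-RSA *RSAPrivateKey_dup(RSA *rsa);
-
-/* If this flag is set the RSA method is FIPS compliant and can be used
- * in FIPS mode. This is set in the validated module method. If an
- * application sets this flag in its own methods it is its responsibility
- * to ensure the result is compliant.
- */
-
-#define RSA_FLAG_FIPS_METHOD 0x0400
-
-/* If this flag is set the operations normally disabled in FIPS mode are
- * permitted it is then the applications responsibility to ensure that the
- * usage is compliant.
- */
-
-#define RSA_FLAG_NON_FIPS_ALLOW 0x0400
-/* Application has decided PRNG is good enough to generate a key: don't
- * check.
- */
-#define RSA_FLAG_CHECKED 0x0800
-
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_RSA_strings(void);
-
-/* Error codes for the RSA functions. */
-
-/* Function codes. */
-#define RSA_F_CHECK_PADDING_MD 140
-#define RSA_F_DO_RSA_PRINT 146
-#define RSA_F_INT_RSA_VERIFY 145
-#define RSA_F_MEMORY_LOCK 100
-#define RSA_F_OLD_RSA_PRIV_DECODE 147
-#define RSA_F_PKEY_RSA_CTRL 143
-#define RSA_F_PKEY_RSA_CTRL_STR 144
-#define RSA_F_PKEY_RSA_SIGN 142
-#define RSA_F_PKEY_RSA_VERIFY 154
-#define RSA_F_PKEY_RSA_VERIFYRECOVER 141
-#define RSA_F_RSA_BUILTIN_KEYGEN 129
-#define RSA_F_RSA_CHECK_KEY 123
-#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
-#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
-#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
-#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
-#define RSA_F_RSA_GENERATE_KEY 105
-#define RSA_F_RSA_GENERATE_KEY_EX 155
-#define RSA_F_RSA_ITEM_VERIFY 156
-#define RSA_F_RSA_MEMORY_LOCK 130
-#define RSA_F_RSA_NEW_METHOD 106
-#define RSA_F_RSA_NULL 124
-#define RSA_F_RSA_NULL_MOD_EXP 131
-#define RSA_F_RSA_NULL_PRIVATE_DECRYPT 132
-#define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 133
-#define RSA_F_RSA_NULL_PUBLIC_DECRYPT 134
-#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 135
-#define RSA_F_RSA_PADDING_ADD_NONE 107
-#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
-#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
-#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
-#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
-#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
-#define RSA_F_RSA_PADDING_ADD_SSLV23 110
-#define RSA_F_RSA_PADDING_ADD_X931 127
-#define RSA_F_RSA_PADDING_CHECK_NONE 111
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112
-#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113
-#define RSA_F_RSA_PADDING_CHECK_SSLV23 114
-#define RSA_F_RSA_PADDING_CHECK_X931 128
-#define RSA_F_RSA_PRINT 115
-#define RSA_F_RSA_PRINT_FP 116
-#define RSA_F_RSA_PRIVATE_DECRYPT 150
-#define RSA_F_RSA_PRIVATE_ENCRYPT 151
-#define RSA_F_RSA_PRIV_DECODE 137
-#define RSA_F_RSA_PRIV_ENCODE 138
-#define RSA_F_RSA_PUBLIC_DECRYPT 152
-#define RSA_F_RSA_PUBLIC_ENCRYPT 153
-#define RSA_F_RSA_PUB_DECODE 139
-#define RSA_F_RSA_SETUP_BLINDING 136
-#define RSA_F_RSA_SIGN 117
-#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
-#define RSA_F_RSA_VERIFY 119
-#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
-#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
-#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
-
-/* Reason codes. */
-#define RSA_R_ALGORITHM_MISMATCH 100
-#define RSA_R_BAD_E_VALUE 101
-#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
-#define RSA_R_BAD_PAD_BYTE_COUNT 103
-#define RSA_R_BAD_SIGNATURE 104
-#define RSA_R_BLOCK_TYPE_IS_NOT_01 106
-#define RSA_R_BLOCK_TYPE_IS_NOT_02 107
-#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
-#define RSA_R_DATA_TOO_LARGE 109
-#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
-#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
-#define RSA_R_DATA_TOO_SMALL 111
-#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
-#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
-#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
-#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
-#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
-#define RSA_R_FIRST_OCTET_INVALID 133
-#define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144
-#define RSA_R_INVALID_DIGEST_LENGTH 143
-#define RSA_R_INVALID_HEADER 137
-#define RSA_R_INVALID_KEYBITS 145
-#define RSA_R_INVALID_MESSAGE_LENGTH 131
-#define RSA_R_INVALID_MGF1_MD 156
-#define RSA_R_INVALID_PADDING 138
-#define RSA_R_INVALID_PADDING_MODE 141
-#define RSA_R_INVALID_PSS_PARAMETERS 149
-#define RSA_R_INVALID_PSS_SALTLEN 146
-#define RSA_R_INVALID_SALT_LENGTH 150
-#define RSA_R_INVALID_TRAILER 139
-#define RSA_R_INVALID_X931_DIGEST 142
-#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
-#define RSA_R_KEY_SIZE_TOO_SMALL 120
-#define RSA_R_LAST_OCTET_INVALID 134
-#define RSA_R_MODULUS_TOO_LARGE 105
-#define RSA_R_NON_FIPS_RSA_METHOD 157
-#define RSA_R_NO_PUBLIC_EXPONENT 140
-#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
-#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
-#define RSA_R_OAEP_DECODING_ERROR 121
-#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
-#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
-#define RSA_R_PADDING_CHECK_FAILED 114
-#define RSA_R_P_NOT_PRIME 128
-#define RSA_R_Q_NOT_PRIME 129
-#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
-#define RSA_R_SLEN_CHECK_FAILED 136
-#define RSA_R_SLEN_RECOVERY_FAILED 135
-#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
-#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
-#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
-#define RSA_R_UNKNOWN_MASK_DIGEST 151
-#define RSA_R_UNKNOWN_PADDING_TYPE 118
-#define RSA_R_UNKNOWN_PSS_DIGEST 152
-#define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
-#define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
-#define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
-#define RSA_R_VALUE_MISSING 147
-#define RSA_R_WRONG_SIGNATURE_LENGTH 119
-
-#ifdef __cplusplus
-}
-#endif
-#endif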
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
deleted file mode 100644
index 2460910ab2..0000000000
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ /dev/null
@@ -1,698 +0,0 @@
1/* crypto/rsa/rsa_ameth.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1t.h>
62#include <openssl/x509.h>
63#include <openssl/rsa.h>
64#include <openssl/bn.h>
65#ifndef OPENSSL_NO_CMS
66#include <openssl/cms.h>
67#endif
68#include "asn1_locl.h"
69
70static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
71 {
72 unsigned char *penc = NULL;
73 int penclen;
74 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
75 if (penclen <= 0)
76 return 0;
77 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
78 V_ASN1_NULL, NULL, penc, penclen))
79 return 1;
80
81 OPENSSL_free(penc);
82 return 0;
83 }
84
85static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
86 {
87 const unsigned char *p;
88 int pklen;
89 RSA *rsa = NULL;
90 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
91 return 0;
92 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen)))
93 {
94 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
95 return 0;
96 }
97 EVP_PKEY_assign_RSA (pkey, rsa);
98 return 1;
99 }
100
101static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
102 {
103 if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0
104 || BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0)
105 return 0;
106 return 1;
107 }
108
109static int old_rsa_priv_decode(EVP_PKEY *pkey,
110 const unsigned char **pder, int derlen)
111 {
112 RSA *rsa;
113 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen)))
114 {
115 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
116 return 0;
117 }
118 EVP_PKEY_assign_RSA(pkey, rsa);
119 return 1;
120 }
121
122static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
123 {
124 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
125 }
126
127static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
128 {
129 unsigned char *rk = NULL;
130 int rklen;
131 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
132
133 if (rklen <= 0)
134 {
135 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
136 return 0;
137 }
138
139 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
140 V_ASN1_NULL, NULL, rk, rklen))
141 {
142 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
143 return 0;
144 }
145
146 return 1;
147 }
148
149static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
150 {
151 const unsigned char *p;
152 int pklen;
153 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
154 return 0;
155 return old_rsa_priv_decode(pkey, &p, pklen);
156 }
157
158static int int_rsa_size(const EVP_PKEY *pkey)
159 {
160 return RSA_size(pkey->pkey.rsa);
161 }
162
163static int rsa_bits(const EVP_PKEY *pkey)
164 {
165 return BN_num_bits(pkey->pkey.rsa->n);
166 }
167
168static void int_rsa_free(EVP_PKEY *pkey)
169 {
170 RSA_free(pkey->pkey.rsa);
171 }
172
173
174static void update_buflen(const BIGNUM *b, size_t *pbuflen)
175 {
176 size_t i;
177 if (!b)
178 return;
179 if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
180 *pbuflen = i;
181 }
182
183static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
184 {
185 char *str;
186 const char *s;
187 unsigned char *m=NULL;
188 int ret=0, mod_len = 0;
189 size_t buf_len=0;
190
191 update_buflen(x->n, &buf_len);
192 update_buflen(x->e, &buf_len);
193
194 if (priv)
195 {
196 update_buflen(x->d, &buf_len);
197 update_buflen(x->p, &buf_len);
198 update_buflen(x->q, &buf_len);
199 update_buflen(x->dmp1, &buf_len);
200 update_buflen(x->dmq1, &buf_len);
201 update_buflen(x->iqmp, &buf_len);
202 }
203
204 m=(unsigned char *)OPENSSL_malloc(buf_len+10);
205 if (m == NULL)
206 {
207 RSAerr(RSA_F_DO_RSA_PRINT,ERR_R_MALLOC_FAILURE);
208 goto err;
209 }
210
211 if (x->n != NULL)
212 mod_len = BN_num_bits(x->n);
213
214 if(!BIO_indent(bp,off,128))
215 goto err;
216
217 if (priv && x->d)
218 {
219 if (BIO_printf(bp,"Private-Key: (%d bit)\n", mod_len)
220 <= 0) goto err;
221 str = "modulus:";
222 s = "publicExponent:";
223 }
224 else
225 {
226 if (BIO_printf(bp,"Public-Key: (%d bit)\n", mod_len)
227 <= 0) goto err;
228 str = "Modulus:";
229 s= "Exponent:";
230 }
231 if (!ASN1_bn_print(bp,str,x->n,m,off)) goto err;
232 if (!ASN1_bn_print(bp,s,x->e,m,off))
233 goto err;
234 if (priv)
235 {
236 if (!ASN1_bn_print(bp,"privateExponent:",x->d,m,off))
237 goto err;
238 if (!ASN1_bn_print(bp,"prime1:",x->p,m,off))
239 goto err;
240 if (!ASN1_bn_print(bp,"prime2:",x->q,m,off))
241 goto err;
242 if (!ASN1_bn_print(bp,"exponent1:",x->dmp1,m,off))
243 goto err;
244 if (!ASN1_bn_print(bp,"exponent2:",x->dmq1,m,off))
245 goto err;
246 if (!ASN1_bn_print(bp,"coefficient:",x->iqmp,m,off))
247 goto err;
248 }
249 ret=1;
250err:
251 if (m != NULL) OPENSSL_free(m);
252 return(ret);
253 }
254
255static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
256 ASN1_PCTX *ctx)
257 {
258 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
259 }
260
261
262static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
263 ASN1_PCTX *ctx)
264 {
265 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
266 }
267
268static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
269 X509_ALGOR **pmaskHash)
270 {
271 const unsigned char *p;
272 int plen;
273 RSA_PSS_PARAMS *pss;
274
275 *pmaskHash = NULL;
276
277 if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
278 return NULL;
279 p = alg->parameter->value.sequence->data;
280 plen = alg->parameter->value.sequence->length;
281 pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
282
283 if (!pss)
284 return NULL;
285
286 if (pss->maskGenAlgorithm)
287 {
288 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
289 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
290 && param->type == V_ASN1_SEQUENCE)
291 {
292 p = param->value.sequence->data;
293 plen = param->value.sequence->length;
294 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
295 }
296 }
297
298 return pss;
299 }
300
301static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
302 X509_ALGOR *maskHash, int indent)
303 {
304 int rv = 0;
305 if (!pss)
306 {
307 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
308 return 0;
309 return 1;
310 }
311 if (BIO_puts(bp, "\n") <= 0)
312 goto err;
313 if (!BIO_indent(bp, indent, 128))
314 goto err;
315 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
316 goto err;
317
318 if (pss->hashAlgorithm)
319 {
320 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
321 goto err;
322 }
323 else if (BIO_puts(bp, "sha1 (default)") <= 0)
324 goto err;
325
326 if (BIO_puts(bp, "\n") <= 0)
327 goto err;
328
329 if (!BIO_indent(bp, indent, 128))
330 goto err;
331
332 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
333 goto err;
334 if (pss->maskGenAlgorithm)
335 {
336 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
337 goto err;
338 if (BIO_puts(bp, " with ") <= 0)
339 goto err;
340 if (maskHash)
341 {
342 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
343 goto err;
344 }
345 else if (BIO_puts(bp, "INVALID") <= 0)
346 goto err;
347 }
348 else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
349 goto err;
350 BIO_puts(bp, "\n");
351
352 if (!BIO_indent(bp, indent, 128))
353 goto err;
354 if (BIO_puts(bp, "Salt Length: ") <= 0)
355 goto err;
356 if (pss->saltLength)
357 {
358 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
359 goto err;
360 }
361 else if (BIO_puts(bp, "20 (default)") <= 0)
362 goto err;
363 BIO_puts(bp, "\n");
364
365 if (!BIO_indent(bp, indent, 128))
366 goto err;
367 if (BIO_puts(bp, "Trailer Field: ") <= 0)
368 goto err;
369 if (pss->trailerField)
370 {
371 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
372 goto err;
373 }
374 else if (BIO_puts(bp, "0xbc (default)") <= 0)
375 goto err;
376 BIO_puts(bp, "\n");
377
378 rv = 1;
379
380 err:
381 return rv;
382
383 }
384
385static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
386 const ASN1_STRING *sig,
387 int indent, ASN1_PCTX *pctx)
388 {
389 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss)
390 {
391 int rv;
392 RSA_PSS_PARAMS *pss;
393 X509_ALGOR *maskHash;
394 pss = rsa_pss_decode(sigalg, &maskHash);
395 rv = rsa_pss_param_print(bp, pss, maskHash, indent);
396 if (pss)
397 RSA_PSS_PARAMS_free(pss);
398 if (maskHash)
399 X509_ALGOR_free(maskHash);
400 if (!rv)
401 return 0;
402 }
403 else if (!sig && BIO_puts(bp, "\n") <= 0)
404 return 0;
405 if (sig)
406 return X509_signature_dump(bp, sig, indent);
407 return 1;
408 }
409
410static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
411 {
412 X509_ALGOR *alg = NULL;
413 switch (op)
414 {
415
416 case ASN1_PKEY_CTRL_PKCS7_SIGN:
417 if (arg1 == 0)
418 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
419 break;
420
421 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
422 if (arg1 == 0)
423 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
424 break;
425#ifndef OPENSSL_NO_CMS
426 case ASN1_PKEY_CTRL_CMS_SIGN:
427 if (arg1 == 0)
428 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg);
429 break;
430
431 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
432 if (arg1 == 0)
433 CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
434 break;
435#endif
436
437 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
438 *(int *)arg2 = NID_sha1;
439 return 1;
440
441 default:
442 return -2;
443
444 }
445
446 if (alg)
447 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
448 V_ASN1_NULL, 0);
449
450 return 1;
451
452 }
453
454/* Customised RSA item verification routine. This is called
455 * when a signature is encountered requiring special handling. We
456 * currently only handle PSS.
457 */
458
459
460static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
461 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig,
462 EVP_PKEY *pkey)
463 {
464 int rv = -1;
465 int saltlen;
466 const EVP_MD *mgf1md = NULL, *md = NULL;
467 RSA_PSS_PARAMS *pss;
468 X509_ALGOR *maskHash;
469 EVP_PKEY_CTX *pkctx;
470 /* Sanity check: make sure it is PSS */
471 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss)
472 {
473 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
474 return -1;
475 }
476 /* Decode PSS parameters */
477 pss = rsa_pss_decode(sigalg, &maskHash);
478
479 if (pss == NULL)
480 {
481 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS);
482 goto err;
483 }
484 /* Check mask and lookup mask hash algorithm */
485 if (pss->maskGenAlgorithm)
486 {
487 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1)
488 {
489 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_ALGORITHM);
490 goto err;
491 }
492 if (!maskHash)
493 {
494 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_MASK_PARAMETER);
495 goto err;
496 }
497 mgf1md = EVP_get_digestbyobj(maskHash->algorithm);
498 if (mgf1md == NULL)
499 {
500 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_MASK_DIGEST);
501 goto err;
502 }
503 }
504 else
505 mgf1md = EVP_sha1();
506
507 if (pss->hashAlgorithm)
508 {
509 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm);
510 if (md == NULL)
511 {
512 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST);
513 goto err;
514 }
515 }
516 else
517 md = EVP_sha1();
518
519 if (pss->saltLength)
520 {
521 saltlen = ASN1_INTEGER_get(pss->saltLength);
522
523 /* Could perform more salt length sanity checks but the main
524 * RSA routines will trap other invalid values anyway.
525 */
526 if (saltlen < 0)
527 {
528 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_SALT_LENGTH);
529 goto err;
530 }
531 }
532 else
533 saltlen = 20;
534
535 /* low-level routines support only trailer field 0xbc (value 1)
536 * and PKCS#1 says we should reject any other value anyway.
537 */
538 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1)
539 {
540 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER);
541 goto err;
542 }
543
544 /* We have all parameters now set up context */
545
546 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
547 goto err;
548
549 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
550 goto err;
551
552 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
553 goto err;
554
555 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
556 goto err;
557 /* Carry on */
558 rv = 2;
559
560 err:
561 RSA_PSS_PARAMS_free(pss);
562 if (maskHash)
563 X509_ALGOR_free(maskHash);
564 return rv;
565 }
566
567static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
568 X509_ALGOR *alg1, X509_ALGOR *alg2,
569 ASN1_BIT_STRING *sig)
570 {
571 int pad_mode;
572 EVP_PKEY_CTX *pkctx = ctx->pctx;
573 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
574 return 0;
575 if (pad_mode == RSA_PKCS1_PADDING)
576 return 2;
577 if (pad_mode == RSA_PKCS1_PSS_PADDING)
578 {
579 const EVP_MD *sigmd, *mgf1md;
580 RSA_PSS_PARAMS *pss = NULL;
581 X509_ALGOR *mgf1alg = NULL;
582 ASN1_STRING *os1 = NULL, *os2 = NULL;
583 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
584 int saltlen, rv = 0;
585 sigmd = EVP_MD_CTX_md(ctx);
586 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
587 goto err;
588 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
589 goto err;
590 if (saltlen == -1)
591 saltlen = EVP_MD_size(sigmd);
592 else if (saltlen == -2)
593 {
594 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
595 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
596 saltlen--;
597 }
598 pss = RSA_PSS_PARAMS_new();
599 if (!pss)
600 goto err;
601 if (saltlen != 20)
602 {
603 pss->saltLength = ASN1_INTEGER_new();
604 if (!pss->saltLength)
605 goto err;
606 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
607 goto err;
608 }
609 if (EVP_MD_type(sigmd) != NID_sha1)
610 {
611 pss->hashAlgorithm = X509_ALGOR_new();
612 if (!pss->hashAlgorithm)
613 goto err;
614 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
615 }
616 if (EVP_MD_type(mgf1md) != NID_sha1)
617 {
618 ASN1_STRING *stmp = NULL;
619 /* need to embed algorithm ID inside another */
620 mgf1alg = X509_ALGOR_new();
621 X509_ALGOR_set_md(mgf1alg, mgf1md);
622 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR),
623 &stmp))
624 goto err;
625 pss->maskGenAlgorithm = X509_ALGOR_new();
626 if (!pss->maskGenAlgorithm)
627 goto err;
628 X509_ALGOR_set0(pss->maskGenAlgorithm,
629 OBJ_nid2obj(NID_mgf1),
630 V_ASN1_SEQUENCE, stmp);
631 }
632 /* Finally create string with pss parameter encoding. */
633 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1))
634 goto err;
635 if (alg2)
636 {
637 os2 = ASN1_STRING_dup(os1);
638 if (!os2)
639 goto err;
640 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
641 V_ASN1_SEQUENCE, os2);
642 }
643 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
644 V_ASN1_SEQUENCE, os1);
645 os1 = os2 = NULL;
646 rv = 3;
647 err:
648 if (mgf1alg)
649 X509_ALGOR_free(mgf1alg);
650 if (pss)
651 RSA_PSS_PARAMS_free(pss);
652 if (os1)
653 ASN1_STRING_free(os1);
654 return rv;
655
656 }
657 return 2;
658 }
659
660const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] =
661 {
662 {
663 EVP_PKEY_RSA,
664 EVP_PKEY_RSA,
665 ASN1_PKEY_SIGPARAM_NULL,
666
667 "RSA",
668 "OpenSSL RSA method",
669
670 rsa_pub_decode,
671 rsa_pub_encode,
672 rsa_pub_cmp,
673 rsa_pub_print,
674
675 rsa_priv_decode,
676 rsa_priv_encode,
677 rsa_priv_print,
678
679 int_rsa_size,
680 rsa_bits,
681
682 0,0,0,0,0,0,
683
684 rsa_sig_print,
685 int_rsa_free,
686 rsa_pkey_ctrl,
687 old_rsa_priv_decode,
688 old_rsa_priv_encode,
689 rsa_item_verify,
690 rsa_item_sign
691 },
692
693 {
694 EVP_PKEY_RSA2,
695 EVP_PKEY_RSA,
696 ASN1_PKEY_ALIAS
697 }
698 };
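diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
deleted file mode 100644
index 6ed5de3db4..0000000000
--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/* rsa_asn1.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-#include <openssl/asn1t.h>
-
-/* Override the default free and new methods */
-static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
- void *exarg)
-{
- if(operation == ASN1_OP_NEW_PRE) {
- *pval = (ASN1_VALUE *)RSA_new();
- if(*pval) return 2;
- return 0;
- } else if(operation == ASN1_OP_FREE_PRE) {
- RSA_free((RSA *)*pval);
- *pval = NULL;
- return 2;
- }
- return 1;
-}
-
-ASN1_SEQUENCE_cb(RSAPrivateKey, rsa_cb) = {
- ASN1_SIMPLE(RSA, version, LONG),
- ASN1_SIMPLE(RSA, n, BIGNUM),
- ASN1_SIMPLE(RSA, e, BIGNUM),
- ASN1_SIMPLE(RSA, d, BIGNUM),
- ASN1_SIMPLE(RSA, p, BIGNUM),
- ASN1_SIMPLE(RSA, q, BIGNUM),
- ASN1_SIMPLE(RSA, dmp1, BIGNUM),
- ASN1_SIMPLE(RSA, dmq1, BIGNUM),
- ASN1_SIMPLE(RSA, iqmp, BIGNUM)
-} ASN1_SEQUENCE_END_cb(RSA, RSAPrivateKey)
-
-
-ASN1_SEQUENCE_cb(RSAPublicKey, rsa_cb) = {
- ASN1_SIMPLE(RSA, n, BIGNUM),
- ASN1_SIMPLE(RSA, e, BIGNUM),
-} ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey)
-
-ASN1_SEQUENCE(RSA_PSS_PARAMS) = {
- ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR,0),
- ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR,1),
- ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER,2),
- ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER,3)
-} ASN1_SEQUENCE_END(RSA_PSS_PARAMS)
-
-IMPLEMENT_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
-
-IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
-
-IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)
-
-RSA *RSAPublicKey_dup(RSA *rsa)
- {
- return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
- }
-
-RSA *RSAPrivateKey_dup(RSA *rsa)
- {
- return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
- }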
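diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
deleted file mode 100644
index 9d848db8c6..0000000000
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/* crypto/rsa/rsa_chk.c -*- Mode: C; c-file-style: "eay" -*- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- */
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-
-int RSA_check_key(const RSA *key)
- {
- BIGNUM *i, *j, *k, *l, *m;
- BN_CTX *ctx;
- int r;
- int ret=1;
-
- i = BN_new();
- j = BN_new();
- k = BN_new();
- l = BN_new();
- m = BN_new();
- ctx = BN_CTX_new();
- if (i == NULL || j == NULL || k == NULL || l == NULL ||
- m == NULL || ctx == NULL)
- {
- ret = -1;
- RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- /* p prime? */
- r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
- if (r != 1)
- {
- ret = r;
- if (r != 0)
- goto err;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
- }
-
- /* q prime? */
- r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
- if (r != 1)
- {
- ret = r;
- if (r != 0)
- goto err;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
- }
-
- /* n = p*q? */
- r = BN_mul(i, key->p, key->q, ctx);
- if (!r) { ret = -1; goto err; }
-
- if (BN_cmp(i, key->n) != 0)
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
- }
-
- /* d*e = 1 mod lcm(p-1,q-1)? */
-
- r = BN_sub(i, key->p, BN_value_one());
- if (!r) { ret = -1; goto err; }
- r = BN_sub(j, key->q, BN_value_one());
- if (!r) { ret = -1; goto err; }
-
- /* now compute k = lcm(i,j) */
- r = BN_mul(l, i, j, ctx);
- if (!r) { ret = -1; goto err; }
- r = BN_gcd(m, i, j, ctx);
- if (!r) { ret = -1; goto err; }
- r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
- if (!r) { ret = -1; goto err; }
-
- r = BN_mod_mul(i, key->d, key->e, k, ctx);
- if (!r) { ret = -1; goto err; }
-
- if (!BN_is_one(i))
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
- }
-
- if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL)
- {
- /* dmp1 = d mod (p-1)? */
- r = BN_sub(i, key->p, BN_value_one());
- if (!r) { ret = -1; goto err; }
-
- r = BN_mod(j, key->d, i, ctx);
- if (!r) { ret = -1; goto err; }
-
- if (BN_cmp(j, key->dmp1) != 0)
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY,
- RSA_R_DMP1_NOT_CONGRUENT_TO_D);
- }
-
- /* dmq1 = d mod (q-1)? */
- r = BN_sub(i, key->q, BN_value_one());
- if (!r) { ret = -1; goto err; }
-
- r = BN_mod(j, key->d, i, ctx);
- if (!r) { ret = -1; goto err; }
-
- if (BN_cmp(j, key->dmq1) != 0)
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY,
- RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
- }
-
- /* iqmp = q^-1 mod p? */
- if(!BN_mod_inverse(i, key->q, key->p, ctx))
- {
- ret = -1;
- goto err;
- }
-
- if (BN_cmp(i, key->iqmp) != 0)
- {
- ret = 0;
- RSAerr(RSA_F_RSA_CHECK_KEY,
- RSA_R_IQMP_NOT_INVERSE_OF_Q);
- }
- }
-
- err:
- if (i != NULL) BN_free(i);
- if (j != NULL) BN_free(j);
- if (k != NULL) BN_free(k);
- if (l != NULL) BN_free(l);
- if (m != NULL) BN_free(m);
- if (ctx != NULL) BN_CTX_free(ctx);
- return (ret);
- }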
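diff --git a/src/lib/libcrypto/rsa/rsa_crpt.c b/src/lib/libcrypto/rsa/rsa_crpt.c
deleted file mode 100644
index d3e44785dc..0000000000
--- a/src/lib/libcrypto/rsa/rsa_crpt.c
+++ /dev/null
@@ -1,257 +0,0 @@
-/* crypto/rsa/rsa_lib.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/crypto.h>
-#include "cryptlib.h"
-#include <openssl/lhash.h>
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
-int RSA_size(const RSA *r)
- {
- return(BN_num_bytes(r->n));
- }
-
-int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
- RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
- return -1;
- }
-#endif
- return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
- }
-
-int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
- RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
- return -1;
- }
-#endif
- return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
- }
-
-int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
- RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
- return -1;
- }
-#endif
- return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
- }
-
-int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
- RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
- return -1;
- }
-#endif
- return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
- }
-
-int RSA_flags(const RSA *r)
- {
- return((r == NULL)?0:r->meth->flags);
- }
-
-void RSA_blinding_off(RSA *rsa)
- {
- if (rsa->blinding != NULL)
- {
- BN_BLINDING_free(rsa->blinding);
- rsa->blinding=NULL;
- }
- rsa->flags &= ~RSA_FLAG_BLINDING;
- rsa->flags |= RSA_FLAG_NO_BLINDING;
- }
-
-int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
- {
- int ret=0;
-
- if (rsa->blinding != NULL)
- RSA_blinding_off(rsa);
-
- rsa->blinding = RSA_setup_blinding(rsa, ctx);
- if (rsa->blinding == NULL)
- goto err;
-
- rsa->flags |= RSA_FLAG_BLINDING;
- rsa->flags &= ~RSA_FLAG_NO_BLINDING;
- ret=1;
-err:
- return(ret);
- }
-
-static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
- const BIGNUM *q, BN_CTX *ctx)
-{
- BIGNUM *ret = NULL, *r0, *r1, *r2;
-
- if (d == NULL || p == NULL || q == NULL)
- return NULL;
-
- BN_CTX_start(ctx);
- r0 = BN_CTX_get(ctx);
- r1 = BN_CTX_get(ctx);
- r2 = BN_CTX_get(ctx);
- if (r2 == NULL)
- goto err;
-
- if (!BN_sub(r1, p, BN_value_one())) goto err;
- if (!BN_sub(r2, q, BN_value_one())) goto err;
- if (!BN_mul(r0, r1, r2, ctx)) goto err;
-
- ret = BN_mod_inverse(NULL, d, r0, ctx);
-err:
- BN_CTX_end(ctx);
- return ret;
-}
-
-BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
-{
- BIGNUM local_n;
- BIGNUM *e,*n;
- BN_CTX *ctx;
- BN_BLINDING *ret = NULL;
-
- if (in_ctx == NULL)
- {
- if ((ctx = BN_CTX_new()) == NULL) return 0;
- }
- else
- ctx = in_ctx;
-
- BN_CTX_start(ctx);
- e = BN_CTX_get(ctx);
- if (e == NULL)
- {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if (rsa->e == NULL)
- {
- e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
- if (e == NULL)
- {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
- goto err;
- }
- }
- else
- e = rsa->e;
-
-
- if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
- {
- /* if PRNG is not properly seeded, resort to secret
- * exponent as unpredictable seed */
- RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
- }
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- /* Set BN_FLG_CONSTTIME flag */
- n = &local_n;
- BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
- }
- else
- n = rsa->n;
-
- ret = BN_BLINDING_create_param(NULL, e, n, ctx,
- rsa->meth->bn_mod_exp, rsa->_method_mod_n);
- if (ret == NULL)
- {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
- goto err;
- }
- CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
-err:
- BN_CTX_end(ctx);
- if (in_ctx == NULL)
- BN_CTX_free(ctx);
- if(rsa->e == NULL)
- BN_free(e);
-
- return ret;
-}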
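diff --git a/src/lib/libcrypto/rsa/rsa_depr.c b/src/lib/libcrypto/rsa/rsa_depr.c
deleted file mode 100644
index a859ded987..0000000000
--- a/src/lib/libcrypto/rsa/rsa_depr.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/* crypto/rsa/rsa_depr.c */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NB: This file contains deprecated functions (compatibility wrappers to the
- * "new" versions). */
-
-#include <stdio.h>
-#include <time.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-
-#ifdef OPENSSL_NO_DEPRECATED
-
-static void *dummy=&dummy;
-
-#else
-
-RSA *RSA_generate_key(int bits, unsigned long e_value,
- void (*callback)(int,int,void *), void *cb_arg)
- {
- BN_GENCB cb;
- int i;
- RSA *rsa = RSA_new();
- BIGNUM *e = BN_new();
-
- if(!rsa || !e) goto err;
-
- /* The problem is when building with 8, 16, or 32 BN_ULONG,
- * unsigned long can be larger */
- for (i=0; i<(int)sizeof(unsigned long)*8; i++)
- {
- if (e_value & (1UL<<i))
- if (BN_set_bit(e,i) == 0)
- goto err;
- }
-
- BN_GENCB_set_old(&cb, callback, cb_arg);
-
- if(RSA_generate_key_ex(rsa, bits, e, &cb)) {
- BN_free(e);
- return rsa;
- }
-err:
- if(e) BN_free(e);
- if(rsa) RSA_free(rsa);
- return 0;
- }
-#endif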
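diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
deleted file mode 100644
index 2e1ddd48d3..0000000000
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ /dev/null
@@ -1,915 +0,0 @@
-/* crypto/rsa/rsa_eay.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-
-#ifndef RSA_NULL
-
-static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,int padding);
-static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
-static int RSA_eay_init(RSA *rsa);
-static int RSA_eay_finish(RSA *rsa);
-static RSA_METHOD rsa_pkcs1_eay_meth={
- "Eric Young's PKCS#1 RSA",
- RSA_eay_public_encrypt,
- RSA_eay_public_decrypt, /* signature verification */
- RSA_eay_private_encrypt, /* signing */
- RSA_eay_private_decrypt,
- RSA_eay_mod_exp,
- BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
- RSA_eay_init,
- RSA_eay_finish,
- 0, /* flags */
- NULL,
- 0, /* rsa_sign */
- 0, /* rsa_verify */
- NULL /* rsa_keygen */
- };
-
-const RSA_METHOD *RSA_PKCS1_SSLeay(void)
- {
- return(&rsa_pkcs1_eay_meth);
- }
-
-static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding)
- {
- BIGNUM *f,*ret;
- int i,j,k,num=0,r= -1;
- unsigned char *buf=NULL;
- BN_CTX *ctx=NULL;
-
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
- return -1;
- }
-
- if (BN_ucmp(rsa->n, rsa->e) <= 0)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
- return -1;
- }
-
- /* for large moduli, enforce exponent limit */
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
- {
- if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
- return -1;
- }
- }
-
- if ((ctx=BN_CTX_new()) == NULL) goto err;
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
- ret = BN_CTX_get(ctx);
- num=BN_num_bytes(rsa->n);
- buf = OPENSSL_malloc(num);
- if (!f || !ret || !buf)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- switch (padding)
- {
- case RSA_PKCS1_PADDING:
- i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
- break;
-#ifndef OPENSSL_NO_SHA
- case RSA_PKCS1_OAEP_PADDING:
- i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
- break;
-#endif
- case RSA_SSLV23_PADDING:
- i=RSA_padding_add_SSLv23(buf,num,from,flen);
- break;
- case RSA_NO_PADDING:
- i=RSA_padding_add_none(buf,num,from,flen);
- break;
- default:
- RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
- goto err;
- }
- if (i <= 0) goto err;
-
- if (BN_bin2bn(buf,num,f) == NULL) goto err;
-
- if (BN_ucmp(f, rsa->n) >= 0)
- {
- /* usually the padding functions would catch this */
- RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
- goto err;
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
-
- if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
- rsa->_method_mod_n)) goto err;
-
- /* put in leading 0 bytes if the number is less than the
- * length of the modulus */
- j=BN_num_bytes(ret);
- i=BN_bn2bin(ret,&(to[num-j]));
- for (k=0; k<(num-i); k++)
- to[k]=0;
-
- r=num;
-err:
- if (ctx != NULL)
- {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- if (buf != NULL)
- {
- OPENSSL_cleanse(buf,num);
- OPENSSL_free(buf);
- }
- return(r);
- }
-
-static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
-{
- BN_BLINDING *ret;
- int got_write_lock = 0;
- CRYPTO_THREADID cur;
-
- CRYPTO_r_lock(CRYPTO_LOCK_RSA);
-
- if (rsa->blinding == NULL)
- {
- CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
- CRYPTO_w_lock(CRYPTO_LOCK_RSA);
- got_write_lock = 1;
-
- if (rsa->blinding == NULL)
- rsa->blinding = RSA_setup_blinding(rsa, ctx);
- }
-
- ret = rsa->blinding;
- if (ret == NULL)
- goto err;
-
- CRYPTO_THREADID_current(&cur);
- if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret)))
- {
- /* rsa->blinding is ours! */
-
- *local = 1;
- }
- else
- {
- /* resort to rsa->mt_blinding instead */
-
- *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
- * that the BN_BLINDING is shared, meaning that accesses
- * require locks, and that the blinding factor must be
- * stored outside the BN_BLINDING
- */
-
- if (rsa->mt_blinding == NULL)
- {
- if (!got_write_lock)
- {
- CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
- CRYPTO_w_lock(CRYPTO_LOCK_RSA);
- got_write_lock = 1;
- }
-
- if (rsa->mt_blinding == NULL)
- rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
- }
- ret = rsa->mt_blinding;
- }
-
- err:
- if (got_write_lock)
- CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
- else
- CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
- return ret;
-}
-
-static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
- BN_CTX *ctx)
- {
- if (unblind == NULL)
- /* Local blinding: store the unblinding factor
- * in BN_BLINDING. */
- return BN_BLINDING_convert_ex(f, NULL, b, ctx);
- else
- {
- /* Shared blinding: store the unblinding factor
- * outside BN_BLINDING. */
- int ret;
- CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
- ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
- CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
- return ret;
- }
- }
-
-static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
- BN_CTX *ctx)
- {
- /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
- * will use the unblinding factor stored in BN_BLINDING.
- * If BN_BLINDING is shared between threads, unblind must be non-null:
- * BN_BLINDING_invert_ex will then use the local unblinding factor,
- * and will only read the modulus from BN_BLINDING.
- * In both cases it's safe to access the blinding without a lock.
- */
- return BN_BLINDING_invert_ex(f, unblind, b, ctx);
- }
-
-/* signing */
-static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding)
- {
- BIGNUM *f, *ret, *res;
- int i,j,k,num=0,r= -1;
- unsigned char *buf=NULL;
- BN_CTX *ctx=NULL;
- int local_blinding = 0;
- /* Used only if the blinding structure is shared. A non-NULL unblind
- * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
- * the unblinding factor outside the blinding structure. */
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
- if ((ctx=BN_CTX_new()) == NULL) goto err;
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
- ret = BN_CTX_get(ctx);
- num = BN_num_bytes(rsa->n);
- buf = OPENSSL_malloc(num);
- if(!f || !ret || !buf)
- {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- switch (padding)
- {
- case RSA_PKCS1_PADDING:
- i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
- break;
- case RSA_X931_PADDING:
- i=RSA_padding_add_X931(buf,num,from,flen);
- break;
- case RSA_NO_PADDING:
- i=RSA_padding_add_none(buf,num,from,flen);
- break;
- case RSA_SSLV23_PADDING:
- default:
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
- goto err;
- }
- if (i <= 0) goto err;
-
- if (BN_bin2bn(buf,num,f) == NULL) goto err;
-
- if (BN_ucmp(f, rsa->n) >= 0)
- {
- /* usually the padding functions would catch this */
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
- goto err;
- }
-
- if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
- {
- blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
- if (blinding == NULL)
- {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-
- if (blinding != NULL)
- {
- if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
- {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (!rsa_blinding_convert(blinding, f, unblind, ctx))
- goto err;
- }
-
- if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
- ((rsa->p != NULL) &&
- (rsa->q != NULL) &&
- (rsa->dmp1 != NULL) &&
- (rsa->dmq1 != NULL) &&
- (rsa->iqmp != NULL)) )
- {
- if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
- }
- else
- {
- BIGNUM local_d;
- BIGNUM *d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- BN_init(&local_d);
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- }
- else
- d= rsa->d;
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
-
- if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
- rsa->_method_mod_n)) goto err;
- }
-
- if (blinding)
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
- goto err;
-
- if (padding == RSA_X931_PADDING)
- {
- BN_sub(f, rsa->n, ret);
- if (BN_cmp(ret, f))
- res = f;
- else
- res = ret;
- }
- else
- res = ret;
-
- /* put in leading 0 bytes if the number is less than the
- * length of the modulus */
- j=BN_num_bytes(res);
- i=BN_bn2bin(res,&(to[num-j]));
- for (k=0; k<(num-i); k++)
- to[k]=0;
-
- r=num;
-err:
- if (ctx != NULL)
- {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- if (buf != NULL)
- {
- OPENSSL_cleanse(buf,num);
- OPENSSL_free(buf);
- }
- return(r);
- }
-
-static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding)
- {
- BIGNUM *f, *ret;
- int j,num=0,r= -1;
- unsigned char *p;
- unsigned char *buf=NULL;
- BN_CTX *ctx=NULL;
- int local_blinding = 0;
- /* Used only if the blinding structure is shared. A non-NULL unblind
- * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
- * the unblinding factor outside the blinding structure. */
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
- if((ctx = BN_CTX_new()) == NULL) goto err;
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
- ret = BN_CTX_get(ctx);
- num = BN_num_bytes(rsa->n);
- buf = OPENSSL_malloc(num);
- if(!f || !ret || !buf)
- {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- /* This check was for equality but PGP does evil things
- * and chops off the top '0' bytes */
- if (flen > num)
- {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
- goto err;
- }
-
- /* make data into a big number */
- if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
-
- if (BN_ucmp(f, rsa->n) >= 0)
- {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
- goto err;
- }
-
- if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
- {
- blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
- if (blinding == NULL)
- {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-
- if (blinding != NULL)
- {
- if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
- {
- RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (!rsa_blinding_convert(blinding, f, unblind, ctx))
- goto err;
- }
-
- /* do the decrypt */
- if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
- ((rsa->p != NULL) &&
- (rsa->q != NULL) &&
- (rsa->dmp1 != NULL) &&
- (rsa->dmq1 != NULL) &&
- (rsa->iqmp != NULL)) )
- {
- if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
- }
- else
- {
- BIGNUM local_d;
- BIGNUM *d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- }
- else
- d = rsa->d;
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
- if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
- rsa->_method_mod_n))
- goto err;
- }
-
- if (blinding)
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
- goto err;
-
- p=buf;
- j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
-
- switch (padding)
- {
- case RSA_PKCS1_PADDING:
- r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
- break;
-#ifndef OPENSSL_NO_SHA
- case RSA_PKCS1_OAEP_PADDING:
- r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
- break;
-#endif
- case RSA_SSLV23_PADDING:
- r=RSA_padding_check_SSLv23(to,num,buf,j,num);
- break;
- case RSA_NO_PADDING:
- r=RSA_padding_check_none(to,num,buf,j,num);
- break;
- default:
- RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
- goto err;
- }
- if (r < 0)
- RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
-
-err:
- if (ctx != NULL)
- {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- if (buf != NULL)
- {
- OPENSSL_cleanse(buf,num);
- OPENSSL_free(buf);
- }
- return(r);
- }
-
-/* signature verification */
-static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding)
- {
- BIGNUM *f,*ret;
- int i,num=0,r= -1;
- unsigned char *p;
- unsigned char *buf=NULL;
- BN_CTX *ctx=NULL;
-
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
- return -1;
- }
-
- if (BN_ucmp(rsa->n, rsa->e) <= 0)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
- return -1;
- }
-
- /* for large moduli, enforce exponent limit */
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
- {
- if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
- return -1;
- }
- }
-
- if((ctx = BN_CTX_new()) == NULL) goto err;
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
- ret = BN_CTX_get(ctx);
- num=BN_num_bytes(rsa->n);
- buf = OPENSSL_malloc(num);
- if(!f || !ret || !buf)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- /* This check was for equality but PGP does evil things
- * and chops off the top '0' bytes */
- if (flen > num)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
- goto err;
- }
-
- if (BN_bin2bn(from,flen,f) == NULL) goto err;
-
- if (BN_ucmp(f, rsa->n) >= 0)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
- goto err;
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
-
- if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
- rsa->_method_mod_n)) goto err;
-
- if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
- if (!BN_sub(ret, rsa->n, ret)) goto err;
-
- p=buf;
- i=BN_bn2bin(ret,p);
-
- switch (padding)
- {
- case RSA_PKCS1_PADDING:
- r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
- break;
- case RSA_X931_PADDING:
- r=RSA_padding_check_X931(to,num,buf,i,num);
- break;
- case RSA_NO_PADDING:
- r=RSA_padding_check_none(to,num,buf,i,num);
- break;
- default:
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
- goto err;
- }
- if (r < 0)
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
-
-err:
- if (ctx != NULL)
- {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- if (buf != NULL)
- {
- OPENSSL_cleanse(buf,num);
- OPENSSL_free(buf);
- }
- return(r);
- }
-
-static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
- {
- BIGNUM *r1,*m1,*vrfy;
- BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
- BIGNUM *dmp1,*dmq1,*c,*pr1;
- int ret=0;
-
- BN_CTX_start(ctx);
- r1 = BN_CTX_get(ctx);
- m1 = BN_CTX_get(ctx);
- vrfy = BN_CTX_get(ctx);
-
- {
- BIGNUM local_p, local_q;
- BIGNUM *p = NULL, *q = NULL;
-
- /* Make sure BN_mod_inverse in Montgomery intialization uses the
- * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
- */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- BN_init(&local_p);
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
- BN_init(&local_q);
- q = &local_q;
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
- }
- else
- {
- p = rsa->p;
- q = rsa->q;
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
- {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
- goto err;
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
- goto err;
- }
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
-
- /* compute I mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
- }
- else
- {
- if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
- }
-
- /* compute r1^dmq1 mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- dmq1 = &local_dmq1;
- BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
- }
- else
- dmq1 = rsa->dmq1;
- if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
- rsa->_method_mod_q)) goto err;
-
- /* compute I mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
- }
- else
- {
- if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
- }
-
- /* compute r1^dmp1 mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- dmp1 = &local_dmp1;
- BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
- }
- else
- dmp1 = rsa->dmp1;
- if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
- rsa->_method_mod_p)) goto err;
-
- if (!BN_sub(r0,r0,m1)) goto err;
- /* This will help stop the size of r0 increasing, which does
- * affect the multiply if it optimised for a power of 2 size */
- if (BN_is_negative(r0))
- if (!BN_add(r0,r0,rsa->p)) goto err;
-
- if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
-
- /* Turn BN_FLG_CONSTTIME flag on before division operation */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- pr1 = &local_r1;
- BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
- }
- else
- pr1 = r1;
- if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
-
- /* If p < q it is occasionally possible for the correction of
- * adding 'p' if r0 is negative above to leave the result still
- * negative. This can break the private key operations: the following
- * second correction should *always* correct this rare occurrence.
- * This will *never* happen with OpenSSL generated keys because
- * they ensure p > q [steve]
- */
- if (BN_is_negative(r0))
- if (!BN_add(r0,r0,rsa->p)) goto err;
- if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
- if (!BN_add(r0,r1,m1)) goto err;
-
- if (rsa->e && rsa->n)
- {
- if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
- /* If 'I' was greater than (or equal to) rsa->n, the operation
- * will be equivalent to using 'I mod n'. However, the result of
- * the verify will *always* be less than 'n' so we don't check
- * for absolute equality, just congruency. */
- if (!BN_sub(vrfy, vrfy, I)) goto err;
- if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
- if (BN_is_negative(vrfy))
- if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
- if (!BN_is_zero(vrfy))
- {
- /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
- * miscalculated CRT output, just do a raw (slower)
- * mod_exp and return that instead. */
-
- BIGNUM local_d;
- BIGNUM *d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- }
- else
- d = rsa->d;
- if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
- rsa->_method_mod_n)) goto err;
- }
- }
- ret=1;
-err:
- BN_CTX_end(ctx);
- return(ret);
- }
-
-static int RSA_eay_init(RSA *rsa)
- {
- rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
- return(1);
- }
-
-static int RSA_eay_finish(RSA *rsa)
- {
- if (rsa->_method_mod_n != NULL)
- BN_MONT_CTX_free(rsa->_method_mod_n);
- if (rsa->_method_mod_p != NULL)
- BN_MONT_CTX_free(rsa->_method_mod_p);
- if (rsa->_method_mod_q != NULL)
- BN_MONT_CTX_free(rsa->_method_mod_q);
- return(1);
- }
-
-#endif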
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
deleted file mode 100644
index 46e0bf9980..0000000000
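--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ /dev/null
@@ -1,209 +0,0 @@
-/* crypto/rsa/rsa_err.c */
-/* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
-
-static ERR_STRING_DATA RSA_str_functs[]=
- {
-{ERR_FUNC(RSA_F_CHECK_PADDING_MD), "CHECK_PADDING_MD"},
-{ERR_FUNC(RSA_F_DO_RSA_PRINT), "DO_RSA_PRINT"},
-{ERR_FUNC(RSA_F_INT_RSA_VERIFY), "INT_RSA_VERIFY"},
-{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
-{ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "OLD_RSA_PRIV_DECODE"},
-{ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"},
-{ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"},
-{ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"},
-{ERR_FUNC(RSA_F_PKEY_RSA_VERIFY), "PKEY_RSA_VERIFY"},
-{ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"},
-{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
-{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
-{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
-{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
-{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
-{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
-{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
-{ERR_FUNC(RSA_F_RSA_GENERATE_KEY_EX), "RSA_generate_key_ex"},
-{ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "RSA_ITEM_VERIFY"},
-{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
-{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
-{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
-{ERR_FUNC(RSA_F_RSA_NULL_MOD_EXP), "RSA_NULL_MOD_EXP"},
-{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT), "RSA_NULL_PRIVATE_DECRYPT"},
-{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT), "RSA_NULL_PRIVATE_ENCRYPT"},
-{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT), "RSA_NULL_PUBLIC_DECRYPT"},
-{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT), "RSA_NULL_PUBLIC_ENCRYPT"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1), "RSA_padding_add_PKCS1_PSS_mgf1"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
-{ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931), "RSA_padding_add_X931"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE), "RSA_padding_check_none"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP), "RSA_padding_check_PKCS1_OAEP"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1), "RSA_padding_check_PKCS1_type_1"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2), "RSA_padding_check_PKCS1_type_2"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"},
-{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
-{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
-{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
-{ERR_FUNC(RSA_F_RSA_PRIVATE_DECRYPT), "RSA_private_decrypt"},
-{ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"},
-{ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
-{ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"},
-{ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"},
-{ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
-{ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
-{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
-{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
-{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
-{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
-{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
-{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
-{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1), "RSA_verify_PKCS1_PSS_mgf1"},
-{0,NULL}
- };
-
-static ERR_STRING_DATA RSA_str_reasons[]=
- {
-{ERR_REASON(RSA_R_ALGORITHM_MISMATCH) ,"algorithm mismatch"},
-{ERR_REASON(RSA_R_BAD_E_VALUE) ,"bad e value"},
-{ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"},
-{ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) ,"bad pad byte count"},
-{ERR_REASON(RSA_R_BAD_SIGNATURE) ,"bad signature"},
-{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01) ,"block type is not 01"},
-{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02) ,"block type is not 02"},
-{ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN),"data greater than mod len"},
-{ERR_REASON(RSA_R_DATA_TOO_LARGE) ,"data too large"},
-{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
-{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS),"data too large for modulus"},
-{ERR_REASON(RSA_R_DATA_TOO_SMALL) ,"data too small"},
-{ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE),"data too small for key size"},
-{ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY),"digest too big for rsa key"},
-{ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D),"dmp1 not congruent to d"},
-{ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D),"dmq1 not congruent to d"},
-{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},
-{ERR_REASON(RSA_R_FIRST_OCTET_INVALID) ,"first octet invalid"},
-{ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE),"illegal or unsupported padding mode"},
-{ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) ,"invalid digest length"},
-{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"},
-{ERR_REASON(RSA_R_INVALID_KEYBITS) ,"invalid keybits"},
-{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
-{ERR_REASON(RSA_R_INVALID_MGF1_MD) ,"invalid mgf1 md"},
-{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"},
-{ERR_REASON(RSA_R_INVALID_PADDING_MODE) ,"invalid padding mode"},
-{ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS),"invalid pss parameters"},
-{ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) ,"invalid pss saltlen"},
-{ERR_REASON(RSA_R_INVALID_SALT_LENGTH) ,"invalid salt length"},
-{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"},
-{ERR_REASON(RSA_R_INVALID_X931_DIGEST) ,"invalid x931 digest"},
-{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
-{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
-{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
-{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
-{ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) ,"non fips rsa method"},
-{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"},
-{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
-{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
-{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
-{ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),"operation not allowed in fips mode"},
-{ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
-{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
-{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
-{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
-{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
-{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"},
-{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
-{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
-{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
-{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
-{ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) ,"unknown mask digest"},
-{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"},
-{ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) ,"unknown pss digest"},
-{ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM),"unsupported mask algorithm"},
-{ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER),"unsupported mask parameter"},
-{ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE),"unsupported signature type"},
-{ERR_REASON(RSA_R_VALUE_MISSING) ,"value missing"},
-{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
-{0,NULL}
- };
-
-#endif
-
-void ERR_load_RSA_strings(void)
- {
-#ifndef OPENSSL_NO_ERR
-
- if (ERR_func_error_string(RSA_str_functs[0].error) == NULL)
- {
- ERR_load_strings(0,RSA_str_functs);
- ERR_load_strings(0,RSA_str_reasons);
- }
-#endif
- }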
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
deleted file mode 100644
index 42290cce66..0000000000
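--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/* crypto/rsa/rsa_gen.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-
-/* NB: these functions have been "upgraded", the deprecated versions (which are
- * compatibility wrappers using these functions) are in rsa_depr.c.
- * - Geoff
- */
-
-#include <stdio.h>
-#include <time.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
-static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
-
-/* NB: this wrapper would normally be placed in rsa_lib.c and the static
- * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
- * that we don't introduce a new linker dependency. Eg. any application that
- * wasn't previously linking object code related to key-generation won't have to
- * now just because key-generation is part of RSA_METHOD. */
-int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
- RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
- return 0;
- }
-#endif
- if(rsa->meth->rsa_keygen)
- return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
-#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
-#endif
- return rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
-
-static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
- BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
- BIGNUM local_r0,local_d,local_p;
- BIGNUM *pr0,*d,*p;
- int bitsp,bitsq,ok= -1,n=0;
- BN_CTX *ctx=NULL;
-
- ctx=BN_CTX_new();
- if (ctx == NULL) goto err;
- BN_CTX_start(ctx);
- r0 = BN_CTX_get(ctx);
- r1 = BN_CTX_get(ctx);
- r2 = BN_CTX_get(ctx);
- r3 = BN_CTX_get(ctx);
- if (r3 == NULL) goto err;
-
- bitsp=(bits+1)/2;
- bitsq=bits-bitsp;
-
- /* We need the RSA components non-NULL */
- if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
- if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
- if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
- if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
- if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
- if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
- if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
- if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
-
- BN_copy(rsa->e, e_value);
-
- /* generate p and q */
- for (;;)
- {
- if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
- goto err;
- if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
- if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
- if (BN_is_one(r1)) break;
- if(!BN_GENCB_call(cb, 2, n++))
- goto err;
- }
- if(!BN_GENCB_call(cb, 3, 0))
- goto err;
- for (;;)
- {
- /* When generating ridiculously small keys, we can get stuck
- * continually regenerating the same prime values. Check for
- * this and bail if it happens 3 times. */
- unsigned int degenerate = 0;
- do
- {
- if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
- goto err;
- } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
- if(degenerate == 3)
- {
- ok = 0; /* we set our own err */
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);
- goto err;
- }
- if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
- if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
- if (BN_is_one(r1))
- break;
- if(!BN_GENCB_call(cb, 2, n++))
- goto err;
- }
- if(!BN_GENCB_call(cb, 3, 1))
- goto err;
- if (BN_cmp(rsa->p,rsa->q) < 0)
- {
- tmp=rsa->p;
- rsa->p=rsa->q;
- rsa->q=tmp;
- }
-
- /* calculate n */
- if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
-
- /* calculate d */
- if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
- if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
- if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- pr0 = &local_r0;
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
- }
- else
- pr0 = r0;
- if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */
-
- /* set up d for correct BN_FLG_CONSTTIME flag */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- }
- else
- d = rsa->d;
-
- /* calculate d mod (p-1) */
- if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
-
- /* calculate d mod (q-1) */
- if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
-
- /* calculate inverse of q mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- }
- else
- p = rsa->p;
- if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
-
- ok=1;
-err:
- if (ok == -1)
- {
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
- ok=0;
- }
- if (ctx != NULL)
- {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
-
- return ok;
- }
-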
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
deleted file mode 100644
index c95ceafc82..0000000000
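--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ /dev/null
@@ -1,333 +0,0 @@
-/* crypto/rsa/rsa_lib.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/crypto.h>
-#include "cryptlib.h"
-#include <openssl/lhash.h>
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
-const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
-
-static const RSA_METHOD *default_RSA_meth=NULL;
-
-RSA *RSA_new(void)
- {
- RSA *r=RSA_new_method(NULL);
-
- return r;
- }
-
-void RSA_set_default_method(const RSA_METHOD *meth)
- {
- default_RSA_meth = meth;
- }
-
-const RSA_METHOD *RSA_get_default_method(void)
- {
- if (default_RSA_meth == NULL)
- {
-#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return FIPS_rsa_pkcs1_ssleay();
- else
- return RSA_PKCS1_SSLeay();
-#else
-#ifdef RSA_NULL
- default_RSA_meth=RSA_null_method();
-#else
- default_RSA_meth=RSA_PKCS1_SSLeay();
-#endif
-#endif
- }
-
- return default_RSA_meth;
- }
-
-const RSA_METHOD *RSA_get_method(const RSA *rsa)
- {
- return rsa->meth;
- }
-
-int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
- {
- /* NB: The caller is specifically setting a method, so it's not up to us
- * to deal with which ENGINE it comes from. */
- const RSA_METHOD *mtmp;
- mtmp = rsa->meth;
- if (mtmp->finish) mtmp->finish(rsa);
-#ifndef OPENSSL_NO_ENGINE
- if (rsa->engine)
- {
- ENGINE_finish(rsa->engine);
- rsa->engine = NULL;
- }
-#endif
- rsa->meth = meth;
- if (meth->init) meth->init(rsa);
- return 1;
- }
-
-RSA *RSA_new_method(ENGINE *engine)
- {
- RSA *ret;
-
- ret=(RSA *)OPENSSL_malloc(sizeof(RSA));
- if (ret == NULL)
- {
- RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- ret->meth = RSA_get_default_method();
-#ifndef OPENSSL_NO_ENGINE
- if (engine)
- {
- if (!ENGINE_init(engine))
- {
- RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
- OPENSSL_free(ret);
- return NULL;
- }
- ret->engine = engine;
- }
- else
- ret->engine = ENGINE_get_default_RSA();
- if(ret->engine)
- {
- ret->meth = ENGINE_get_RSA(ret->engine);
- if(!ret->meth)
- {
- RSAerr(RSA_F_RSA_NEW_METHOD,
- ERR_R_ENGINE_LIB);
- ENGINE_finish(ret->engine);
- OPENSSL_free(ret);
- return NULL;
- }
- }
-#endif
-
- ret->pad=0;
- ret->version=0;
- ret->n=NULL;
- ret->e=NULL;
- ret->d=NULL;
- ret->p=NULL;
- ret->q=NULL;
- ret->dmp1=NULL;
- ret->dmq1=NULL;
- ret->iqmp=NULL;
- ret->references=1;
- ret->_method_mod_n=NULL;
- ret->_method_mod_p=NULL;
- ret->_method_mod_q=NULL;
- ret->blinding=NULL;
- ret->mt_blinding=NULL;
- ret->bignum_data=NULL;
- ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
- {
-#ifndef OPENSSL_NO_ENGINE
- if (ret->engine)
- ENGINE_finish(ret->engine);
-#endif
- OPENSSL_free(ret);
- return(NULL);
- }
-
- if ((ret->meth->init != NULL) && !ret->meth->init(ret))
- {
-#ifndef OPENSSL_NO_ENGINE
- if (ret->engine)
- ENGINE_finish(ret->engine);
-#endif
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
- OPENSSL_free(ret);
- ret=NULL;
- }
- return(ret);
- }
-
-void RSA_free(RSA *r)
- {
- int i;
-
- if (r == NULL) return;
-
- i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_RSA);
-#ifdef REF_PRINT
- REF_PRINT("RSA",r);
-#endif
- if (i > 0) return;
-#ifdef REF_CHECK
- if (i < 0)
- {
- fprintf(stderr,"RSA_free, bad reference count\n");
- abort();
- }
-#endif
-
- if (r->meth->finish)
- r->meth->finish(r);
-#ifndef OPENSSL_NO_ENGINE
- if (r->engine)
- ENGINE_finish(r->engine);
-#endif
-
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
-
- if (r->n != NULL) BN_clear_free(r->n);
- if (r->e != NULL) BN_clear_free(r->e);
- if (r->d != NULL) BN_clear_free(r->d);
- if (r->p != NULL) BN_clear_free(r->p);
- if (r->q != NULL) BN_clear_free(r->q);
- if (r->dmp1 != NULL) BN_clear_free(r->dmp1);
- if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
- if (r->iqmp != NULL) BN_clear_free(r->iqmp);
- if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
- if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
- if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
- OPENSSL_free(r);
- }
-
-int RSA_up_ref(RSA *r)
- {
- int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
-#ifdef REF_PRINT
- REF_PRINT("RSA",r);
-#endif
-#ifdef REF_CHECK
- if (i < 2)
- {
- fprintf(stderr, "RSA_up_ref, bad reference count\n");
- abort();
- }
-#endif
- return ((i > 1) ? 1 : 0);
- }
-
-int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
- {
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
- new_func, dup_func, free_func);
- }
-
-int RSA_set_ex_data(RSA *r, int idx, void *arg)
- {
- return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
- }
-
-void *RSA_get_ex_data(const RSA *r, int idx)
- {
- return(CRYPTO_get_ex_data(&r->ex_data,idx));
- }
-
-int RSA_memory_lock(RSA *r)
- {
- int i,j,k,off;
- char *p;
- BIGNUM *bn,**t[6],*b;
- BN_ULONG *ul;
-
- if (r->d == NULL) return(1);
- t[0]= &r->d;
- t[1]= &r->p;
- t[2]= &r->q;
- t[3]= &r->dmp1;
- t[4]= &r->dmq1;
- t[5]= &r->iqmp;
- k=sizeof(BIGNUM)*6;
- off=k/sizeof(BN_ULONG)+1;
- j=1;
- for (i=0; i<6; i++)
- j+= (*t[i])->top;
- if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
- {
- RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- bn=(BIGNUM *)p;
- ul=(BN_ULONG *)&(p[off]);
- for (i=0; i<6; i++)
- {
- b= *(t[i]);
- *(t[i])= &(bn[i]);
- memcpy((char *)&(bn[i]),(char *)b,sizeof(BIGNUM));
- bn[i].flags=BN_FLG_STATIC_DATA;
- bn[i].d=ul;
- memcpy((char *)ul,b->d,sizeof(BN_ULONG)*b->top);
- ul+=b->top;
- BN_clear_free(b);
- }
-
- /* I should fix this so it can still be done */
- r->flags&= ~(RSA_FLAG_CACHE_PRIVATE|RSA_FLAG_CACHE_PUBLIC);
-
- r->bignum_data=p;
- return(1);
- }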
diff --git a/src/lib/libcrypto/rsa/rsa_locl.h b/src/lib/libcrypto/rsa/rsa_locl.h
deleted file mode 100644
index f5d2d56628..0000000000
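--- a/src/lib/libcrypto/rsa/rsa_locl.h
+++ /dev/null
@@ -1,4 +0,0 @@
-extern int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
- unsigned char *rm, size_t *prm_len,
- const unsigned char *sigbuf, size_t siglen,
- RSA *rsa);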
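diff --git a/src/lib/libcrypto/rsa/rsa_none.c b/src/lib/libcrypto/rsa/rsa_none.c
deleted file mode 100644
index e6f3e627ca..0000000000
--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/* crypto/rsa/rsa_none.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-
-int RSA_padding_add_none(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
- if (flen > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return(0);
- }
-
- if (flen < tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
- return(0);
- }
-
- memcpy(to,from,(unsigned int)flen);
- return(1);
- }
-
-int RSA_padding_check_none(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
- {
-
- if (flen > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_NONE,RSA_R_DATA_TOO_LARGE);
- return(-1);
- }
-
- memset(to,0,tlen-flen);
- memcpy(to+tlen-flen,from,flen);
- return(tlen);
- }
-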
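diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
deleted file mode 100644
index e08ac151ff..0000000000
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/* crypto/rsa/rsa_oaep.c */
-/* Written by Ulf Moeller. This software is distributed on an "AS IS"
- basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
-
-/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
-
-/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
- * <URL: http://www.shoup.net/papers/oaep.ps.Z>
- * for problems with the security proof for the
- * original OAEP scheme, which EME-OAEP is based on.
- *
- * A new proof can be found in E. Fujisaki, T. Okamoto,
- * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
- * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
- * The new proof has stronger requirements for the
- * underlying permutation: "partial-one-wayness" instead
- * of one-wayness. For the RSA function, this is
- * an equivalent notion.
- */
-
-
-#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-
-static int MGF1(unsigned char *mask, long len,
- const unsigned char *seed, long seedlen);
-
-int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *from, int flen,
- const unsigned char *param, int plen)
- {
- int i, emlen = tlen - 1;
- unsigned char *db, *seed;
- unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
-
- if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
- RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return 0;
- }
-
- if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
- return 0;
- }
-
- to[0] = 0;
- seed = to + 1;
- db = to + SHA_DIGEST_LENGTH + 1;
-
- if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))
- return 0;
- memset(db + SHA_DIGEST_LENGTH, 0,
- emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
- db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
- memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
- if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
- return 0;
-#ifdef PKCS_TESTVECT
- memcpy(seed,
- "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
- 20);
-#endif
-
- dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
- if (dbmask == NULL)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0)
- return 0;
- for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
- db[i] ^= dbmask[i];
-
- if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0)
- return 0;
- for (i = 0; i < SHA_DIGEST_LENGTH; i++)
- seed[i] ^= seedmask[i];
-
- OPENSSL_free(dbmask);
- return 1;
- }
-
-int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num,
- const unsigned char *param, int plen)
- {
- int i, dblen, mlen = -1;
- const unsigned char *maskeddb;
- int lzero;
- unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
- unsigned char *padded_from;
- int bad = 0;
-
- if (--num < 2 * SHA_DIGEST_LENGTH + 1)
- /* 'num' is the length of the modulus, i.e. does not depend on the
- * particular ciphertext. */
- goto decoding_err;
-
- lzero = num - flen;
- if (lzero < 0)
- {
- /* signalling this error immediately after detection might allow
- * for side-channel attacks (e.g. timing if 'plen' is huge
- * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
- * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
- * so we use a 'bad' flag */
- bad = 1;
- lzero = 0;
- flen = num; /* don't overflow the memcpy to padded_from */
- }
-
- dblen = num - SHA_DIGEST_LENGTH;
- db = OPENSSL_malloc(dblen + num);
- if (db == NULL)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
- return -1;
- }
-
- /* Always do this zero-padding copy (even when lzero == 0)
- * to avoid leaking timing info about the value of lzero. */
- padded_from = db + dblen;
- memset(padded_from, 0, lzero);
- memcpy(padded_from + lzero, from, flen);
-
- maskeddb = padded_from + SHA_DIGEST_LENGTH;
-
- if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
- return -1;
- for (i = 0; i < SHA_DIGEST_LENGTH; i++)
- seed[i] ^= padded_from[i];
-
- if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
- return -1;
- for (i = 0; i < dblen; i++)
- db[i] ^= maskeddb[i];
-
- if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
- return -1;
-
- if (timingsafe_bcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
- goto decoding_err;
- else
- {
- for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
- if (db[i] != 0x00)
- break;
- if (i == dblen || db[i] != 0x01)
- goto decoding_err;
- else
- {
- /* everything looks OK */
-
- mlen = dblen - ++i;
- if (tlen < mlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
- mlen = -1;
- }
- else
- memcpy(to, db + i, mlen);
- }
- }
- OPENSSL_free(db);
- return mlen;
-
-decoding_err:
- /* to avoid chosen ciphertext attacks, the error message should not reveal
- * which kind of decoding error happened */
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
- if (db != NULL) OPENSSL_free(db);
- return -1;
- }
-
-int PKCS1_MGF1(unsigned char *mask, long len,
- const unsigned char *seed, long seedlen, const EVP_MD *dgst)
- {
- long i, outlen = 0;
- unsigned char cnt[4];
- EVP_MD_CTX c;
- unsigned char md[EVP_MAX_MD_SIZE];
- int mdlen;
- int rv = -1;
-
- EVP_MD_CTX_init(&c);
- mdlen = EVP_MD_size(dgst);
- if (mdlen < 0)
- goto err;
- for (i = 0; outlen < len; i++)
- {
- cnt[0] = (unsigned char)((i >> 24) & 255);
- cnt[1] = (unsigned char)((i >> 16) & 255);
- cnt[2] = (unsigned char)((i >> 8)) & 255;
- cnt[3] = (unsigned char)(i & 255);
- if (!EVP_DigestInit_ex(&c,dgst, NULL)
- || !EVP_DigestUpdate(&c, seed, seedlen)
- || !EVP_DigestUpdate(&c, cnt, 4))
- goto err;
- if (outlen + mdlen <= len)
- {
- if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
- goto err;
- outlen += mdlen;
- }
- else
- {
- if (!EVP_DigestFinal_ex(&c, md, NULL))
- goto err;
- memcpy(mask + outlen, md, len - outlen);
- outlen = len;
- }
- }
- rv = 0;
- err:
- EVP_MD_CTX_cleanup(&c);
- return rv;
- }
-
-static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
- long seedlen)
- {
- return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
- }
-#endif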
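diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
deleted file mode 100644
index 8560755f1d..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/* crypto/rsa/rsa_pk1.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-
-int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
- int j;
- unsigned char *p;
-
- if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return(0);
- }
-
- p=(unsigned char *)to;
-
- *(p++)=0;
- *(p++)=1; /* Private Key BT (Block Type) */
-
- /* pad out with 0xff data */
- j=tlen-3-flen;
- memset(p,0xff,j);
- p+=j;
- *(p++)='\0';
- memcpy(p,from,(unsigned int)flen);
- return(1);
- }
-
-int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
- {
- int i,j;
- const unsigned char *p;
-
- p=from;
- if ((num != (flen+1)) || (*(p++) != 01))
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01);
- return(-1);
- }
-
- /* scan over padding data */
- j=flen-1; /* one for type. */
- for (i=0; i<j; i++)
- {
- if (*p != 0xff) /* should decrypt to 0xff */
- {
- if (*p == 0)
- { p++; break; }
- else {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_FIXED_HEADER_DECRYPT);
- return(-1);
- }
- }
- p++;
- }
-
- if (i == j)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return(-1);
- }
-
- if (i < 8)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_PAD_BYTE_COUNT);
- return(-1);
- }
- i++; /* Skip over the '\0' */
- j-=i;
- if (j > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
- return(-1);
- }
- memcpy(to,p,(unsigned int)j);
-
- return(j);
- }
-
-int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
- int i,j;
- unsigned char *p;
-
- if (flen > (tlen-11))
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return(0);
- }
-
- p=(unsigned char *)to;
-
- *(p++)=0;
- *(p++)=2; /* Public Key BT (Block Type) */
-
- /* pad out with non-zero random data */
- j=tlen-3-flen;
-
- if (RAND_bytes(p,j) <= 0)
- return(0);
- for (i=0; i<j; i++)
- {
- if (*p == '\0')
- do {
- if (RAND_bytes(p,1) <= 0)
- return(0);
- } while (*p == '\0');
- p++;
- }
-
- *(p++)='\0';
-
- memcpy(p,from,(unsigned int)flen);
- return(1);
- }
-
-int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
- {
- int i,j;
- const unsigned char *p;
-
- p=from;
- if ((num != (flen+1)) || (*(p++) != 02))
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
- return(-1);
- }
-#ifdef PKCS1_CHECK
- return(num-11);
-#endif
-
- /* scan over padding data */
- j=flen-1; /* one for type. */
- for (i=0; i<j; i++)
- if (*(p++) == 0) break;
-
- if (i == j)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return(-1);
- }
-
- if (i < 8)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BAD_PAD_BYTE_COUNT);
- return(-1);
- }
- i++; /* Skip over the '\0' */
- j-=i;
- if (j > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
- return(-1);
- }
- memcpy(to,p,(unsigned int)j);
-
- return(j);
- }
-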
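diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
deleted file mode 100644
index 5b2ecf56ad..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ /dev/null
@@ -1,723 +0,0 @@
-/* crypto/rsa/rsa_pmeth.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1t.h>
-#include <openssl/x509.h>
-#include <openssl/rsa.h>
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-#ifndef OPENSSL_NO_CMS
-#include <openssl/cms.h>
-#endif
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-#include "evp_locl.h"
-#include "rsa_locl.h"
-
-/* RSA pkey context structure */
-
-typedef struct
- {
- /* Key gen parameters */
- int nbits;
- BIGNUM *pub_exp;
- /* Keygen callback info */
- int gentmp[2];
- /* RSA padding mode */
- int pad_mode;
- /* message digest */
- const EVP_MD *md;
- /* message digest for MGF1 */
- const EVP_MD *mgf1md;
- /* PSS/OAEP salt length */
- int saltlen;
- /* Temp buffer */
- unsigned char *tbuf;
- } RSA_PKEY_CTX;
-
-static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
- {
- RSA_PKEY_CTX *rctx;
- rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
- if (!rctx)
- return 0;
- rctx->nbits = 1024;
- rctx->pub_exp = NULL;
- rctx->pad_mode = RSA_PKCS1_PADDING;
- rctx->md = NULL;
- rctx->mgf1md = NULL;
- rctx->tbuf = NULL;
-
- rctx->saltlen = -2;
-
- ctx->data = rctx;
- ctx->keygen_info = rctx->gentmp;
- ctx->keygen_info_count = 2;
-
- return 1;
- }
-
-static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
- {
- RSA_PKEY_CTX *dctx, *sctx;
- if (!pkey_rsa_init(dst))
- return 0;
- sctx = src->data;
- dctx = dst->data;
- dctx->nbits = sctx->nbits;
- if (sctx->pub_exp)
- {
- dctx->pub_exp = BN_dup(sctx->pub_exp);
- if (!dctx->pub_exp)
- return 0;
- }
- dctx->pad_mode = sctx->pad_mode;
- dctx->md = sctx->md;
- return 1;
- }
-
-static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
- {
- if (ctx->tbuf)
- return 1;
- ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
- if (!ctx->tbuf)
- return 0;
- return 1;
- }
-
-static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
- {
- RSA_PKEY_CTX *rctx = ctx->data;
- if (rctx)
- {
- if (rctx->pub_exp)
- BN_free(rctx->pub_exp);
- if (rctx->tbuf)
- OPENSSL_free(rctx->tbuf);
- OPENSSL_free(rctx);
- }
- }
-#ifdef OPENSSL_FIPS
-/* FIP checker. Return value indicates status of context parameters:
- * 1 : redirect to FIPS.
- * 0 : don't redirect to FIPS.
- * -1 : illegal operation in FIPS mode.
- */
-
-static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
- {
- RSA_PKEY_CTX *rctx = ctx->data;
- RSA *rsa = ctx->pkey->pkey.rsa;
- int rv = -1;
- if (!FIPS_mode())
- return 0;
- if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
- rv = 0;
- if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
- return -1;
- if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
- return rv;
- if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
- return rv;
- return 1;
- }
-#endif
-
-static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen)
- {
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
- RSA *rsa = ctx->pkey->pkey.rsa;
-
-#ifdef OPENSSL_FIPS
- ret = pkey_fips_check_ctx(ctx);
- if (ret < 0)
- {
- RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
- return -1;
- }
-#endif
-
- if (rctx->md)
- {
- if (tbslen != (size_t)EVP_MD_size(rctx->md))
- {
- RSAerr(RSA_F_PKEY_RSA_SIGN,
- RSA_R_INVALID_DIGEST_LENGTH);
- return -1;
- }
-#ifdef OPENSSL_FIPS
- if (ret > 0)
- {
- unsigned int slen;
- ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
- rctx->pad_mode,
- rctx->saltlen,
- rctx->mgf1md,
- sig, &slen);
- if (ret > 0)
- *siglen = slen;
- else
- *siglen = 0;
- return ret;
- }
-#endif
-
- if (EVP_MD_type(rctx->md) == NID_mdc2)
- {
- unsigned int sltmp;
- if (rctx->pad_mode != RSA_PKCS1_PADDING)
- return -1;
- ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
- tbs, tbslen, sig, &sltmp, rsa);
-
- if (ret <= 0)
- return ret;
- ret = sltmp;
- }
- else if (rctx->pad_mode == RSA_X931_PADDING)
- {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- memcpy(rctx->tbuf, tbs, tbslen);
- rctx->tbuf[tbslen] =
- RSA_X931_hash_id(EVP_MD_type(rctx->md));
- ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
- sig, rsa, RSA_X931_PADDING);
- }
- else if (rctx->pad_mode == RSA_PKCS1_PADDING)
- {
- unsigned int sltmp;
- ret = RSA_sign(EVP_MD_type(rctx->md),
- tbs, tbslen, sig, &sltmp, rsa);
- if (ret <= 0)
- return ret;
- ret = sltmp;
- }
- else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
- {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
- rctx->tbuf, tbs,
- rctx->md, rctx->mgf1md,
- rctx->saltlen))
- return -1;
- ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
- sig, rsa, RSA_NO_PADDING);
- }
- else
- return -1;
- }
- else
- ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *siglen = ret;
- return 1;
- }
-
-
-static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
- unsigned char *rout, size_t *routlen,
- const unsigned char *sig, size_t siglen)
- {
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
-
- if (rctx->md)
- {
- if (rctx->pad_mode == RSA_X931_PADDING)
- {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- ret = RSA_public_decrypt(siglen, sig,
- rctx->tbuf, ctx->pkey->pkey.rsa,
- RSA_X931_PADDING);
- if (ret < 1)
- return 0;
- ret--;
- if (rctx->tbuf[ret] !=
- RSA_X931_hash_id(EVP_MD_type(rctx->md)))
- {
- RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
- RSA_R_ALGORITHM_MISMATCH);
- return 0;
- }
- if (ret != EVP_MD_size(rctx->md))
- {
- RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
- RSA_R_INVALID_DIGEST_LENGTH);
- return 0;
- }
- if (rout)
- memcpy(rout, rctx->tbuf, ret);
- }
- else if (rctx->pad_mode == RSA_PKCS1_PADDING)
- {
- size_t sltmp;
- ret = int_rsa_verify(EVP_MD_type(rctx->md),
- NULL, 0, rout, &sltmp,
- sig, siglen, ctx->pkey->pkey.rsa);
- if (ret <= 0)
- return 0;
- ret = sltmp;
- }
- else
- return -1;
- }
- else
- ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *routlen = ret;
- return 1;
- }
-
-static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
- const unsigned char *sig, size_t siglen,
- const unsigned char *tbs, size_t tbslen)
- {
- RSA_PKEY_CTX *rctx = ctx->data;
- RSA *rsa = ctx->pkey->pkey.rsa;
- size_t rslen;
-#ifdef OPENSSL_FIPS
- int rv;
- rv = pkey_fips_check_ctx(ctx);
- if (rv < 0)
- {
- RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
- return -1;
- }
-#endif
- if (rctx->md)
- {
-#ifdef OPENSSL_FIPS
- if (rv > 0)
- {
- return FIPS_rsa_verify_digest(rsa,
- tbs, tbslen,
- rctx->md,
- rctx->pad_mode,
- rctx->saltlen,
- rctx->mgf1md,
- sig, siglen);
-
- }
-#endif
- if (rctx->pad_mode == RSA_PKCS1_PADDING)
- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
- sig, siglen, rsa);
- if (rctx->pad_mode == RSA_X931_PADDING)
- {
- if (pkey_rsa_verifyrecover(ctx, NULL, &rslen,
- sig, siglen) <= 0)
- return 0;
- }
- else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING)
- {
- int ret;
- if (!setup_tbuf(rctx, ctx))
- return -1;
- ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
- rsa, RSA_NO_PADDING);
- if (ret <= 0)
- return 0;
- ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
- rctx->md, rctx->mgf1md,
- rctx->tbuf, rctx->saltlen);
- if (ret <= 0)
- return 0;
- return 1;
- }
- else
- return -1;
- }
- else
- {
- if (!setup_tbuf(rctx, ctx))
- return -1;
- rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
- rsa, rctx->pad_mode);
- if (rslen == 0)
- return 0;
- }
-
- if ((rslen != tbslen) || memcmp(tbs, rctx->tbuf, rslen))
- return 0;
-
- return 1;
-
- }
-
-
-static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
- unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen)
- {
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
- ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *outlen = ret;
- return 1;
- }
-
-static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
- unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen)
- {
- int ret;
- RSA_PKEY_CTX *rctx = ctx->data;
- ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- if (ret < 0)
- return ret;
- *outlen = ret;
- return 1;
- }
-
-static int check_padding_md(const EVP_MD *md, int padding)
- {
- if (!md)
- return 1;
-
- if (padding == RSA_NO_PADDING)
- {
- RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
- return 0;
- }
-
- if (padding == RSA_X931_PADDING)
- {
- if (RSA_X931_hash_id(EVP_MD_type(md)) == -1)
- {
- RSAerr(RSA_F_CHECK_PADDING_MD,
- RSA_R_INVALID_X931_DIGEST);
- return 0;
- }
- return 1;
- }
-
- return 1;
- }
-
-
-static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
- {
- RSA_PKEY_CTX *rctx = ctx->data;
- switch (type)
- {
- case EVP_PKEY_CTRL_RSA_PADDING:
- if ((p1 >= RSA_PKCS1_PADDING) && (p1 <= RSA_PKCS1_PSS_PADDING))
- {
- if (!check_padding_md(rctx->md, p1))
- return 0;
- if (p1 == RSA_PKCS1_PSS_PADDING)
- {
- if (!(ctx->operation &
- (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
- goto bad_pad;
- if (!rctx->md)
- rctx->md = EVP_sha1();
- }
- if (p1 == RSA_PKCS1_OAEP_PADDING)
- {
- if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
- goto bad_pad;
- if (!rctx->md)
- rctx->md = EVP_sha1();
- }
- rctx->pad_mode = p1;
- return 1;
- }
- bad_pad:
- RSAerr(RSA_F_PKEY_RSA_CTRL,
- RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
- return -2;
-
- case EVP_PKEY_CTRL_GET_RSA_PADDING:
- *(int *)p2 = rctx->pad_mode;
- return 1;
-
- case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
- case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
- if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
- {
- RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
- return -2;
- }
- if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
- *(int *)p2 = rctx->saltlen;
- else
- {
- if (p1 < -2)
- return -2;
- rctx->saltlen = p1;
- }
- return 1;
-
- case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
- if (p1 < 256)
- {
- RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
- return -2;
- }
- rctx->nbits = p1;
- return 1;
-
- case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
- if (!p2)
- return -2;
- rctx->pub_exp = p2;
- return 1;
-
- case EVP_PKEY_CTRL_MD:
- if (!check_padding_md(p2, rctx->pad_mode))
- return 0;
- rctx->md = p2;
- return 1;
-
- case EVP_PKEY_CTRL_RSA_MGF1_MD:
- case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
- if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
- {
- RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
- return -2;
- }
- if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD)
- {
- if (rctx->mgf1md)
- *(const EVP_MD **)p2 = rctx->mgf1md;
- else
- *(const EVP_MD **)p2 = rctx->md;
- }
- else
- rctx->mgf1md = p2;
- return 1;
-
- case EVP_PKEY_CTRL_DIGESTINIT:
- case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
- case EVP_PKEY_CTRL_PKCS7_DECRYPT:
- case EVP_PKEY_CTRL_PKCS7_SIGN:
- return 1;
-#ifndef OPENSSL_NO_CMS
- case EVP_PKEY_CTRL_CMS_DECRYPT:
- {
- X509_ALGOR *alg = NULL;
- ASN1_OBJECT *encalg = NULL;
- if (p2)
- CMS_RecipientInfo_ktri_get0_algs(p2, NULL, NULL, &alg);
- if (alg)
- X509_ALGOR_get0(&encalg, NULL, NULL, alg);
- if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
- rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
- }
- case EVP_PKEY_CTRL_CMS_ENCRYPT:
- case EVP_PKEY_CTRL_CMS_SIGN:
- return 1;
-#endif
- case EVP_PKEY_CTRL_PEER_KEY:
- RSAerr(RSA_F_PKEY_RSA_CTRL,
- RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
- return -2;
-
- default:
- return -2;
-
- }
- }
-
-static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
- const char *type, const char *value)
- {
- if (!value)
- {
- RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
- return 0;
- }
- if (!strcmp(type, "rsa_padding_mode"))
- {
- int pm;
- if (!strcmp(value, "pkcs1"))
- pm = RSA_PKCS1_PADDING;
- else if (!strcmp(value, "sslv23"))
- pm = RSA_SSLV23_PADDING;
- else if (!strcmp(value, "none"))
- pm = RSA_NO_PADDING;
- else if (!strcmp(value, "oeap"))
- pm = RSA_PKCS1_OAEP_PADDING;
- else if (!strcmp(value, "x931"))
- pm = RSA_X931_PADDING;
- else if (!strcmp(value, "pss"))
- pm = RSA_PKCS1_PSS_PADDING;
- else
- {
- RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
- RSA_R_UNKNOWN_PADDING_TYPE);
- return -2;
- }
- return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
- }
-
- if (!strcmp(type, "rsa_pss_saltlen"))
- {
- int saltlen;
- saltlen = atoi(value);
- return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
- }
-
- if (!strcmp(type, "rsa_keygen_bits"))
- {
- int nbits;
- nbits = atoi(value);
- return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
- }
-
- if (!strcmp(type, "rsa_keygen_pubexp"))
- {
- int ret;
- BIGNUM *pubexp = NULL;
- if (!BN_asc2bn(&pubexp, value))
- return 0;
- ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
- if (ret <= 0)
- BN_free(pubexp);
- return ret;
- }
-
- return -2;
- }
-
-static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
- {
- RSA *rsa = NULL;
- RSA_PKEY_CTX *rctx = ctx->data;
- BN_GENCB *pcb, cb;
- int ret;
- if (!rctx->pub_exp)
- {
- rctx->pub_exp = BN_new();
- if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
- return 0;
- }
- rsa = RSA_new();
- if (!rsa)
- return 0;
- if (ctx->pkey_gencb)
- {
- pcb = &cb;
- evp_pkey_set_cb_translate(pcb, ctx);
- }
- else
- pcb = NULL;
- ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
- if (ret > 0)
- EVP_PKEY_assign_RSA(pkey, rsa);
- else
- RSA_free(rsa);
- return ret;
- }
-
-const EVP_PKEY_METHOD rsa_pkey_meth =
- {
- EVP_PKEY_RSA,
- EVP_PKEY_FLAG_AUTOARGLEN,
- pkey_rsa_init,
- pkey_rsa_copy,
- pkey_rsa_cleanup,
-
- 0,0,
-
- 0,
- pkey_rsa_keygen,
-
- 0,
- pkey_rsa_sign,
-
- 0,
- pkey_rsa_verify,
-
- 0,
- pkey_rsa_verifyrecover,
-
-
- 0,0,0,0,
-
- 0,
- pkey_rsa_encrypt,
-
- 0,
- pkey_rsa_decrypt,
-
- 0,0,
-
- pkey_rsa_ctrl,
- pkey_rsa_ctrl_str
-
-
- };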
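--- a/src/lib/libcrypto/rsa/rsa_prn.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/* crypto/rsa/rsa_prn.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-
-#ifndef OPENSSL_NO_FP_API
-int RSA_print_fp(FILE *fp, const RSA *x, int off)
- {
- BIO *b;
- int ret;
-
- if ((b=BIO_new(BIO_s_file())) == NULL)
- {
- RSAerr(RSA_F_RSA_PRINT_FP,ERR_R_BUF_LIB);
- return(0);
- }
- BIO_set_fp(b,fp,BIO_NOCLOSE);
- ret=RSA_print(b,x,off);
- BIO_free(b);
- return(ret);
- }
-#endif
-
-int RSA_print(BIO *bp, const RSA *x, int off)
- {
- EVP_PKEY *pk;
- int ret;
- pk = EVP_PKEY_new();
- if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
- return 0;
- ret = EVP_PKEY_print_private(bp, pk, off, NULL);
- EVP_PKEY_free(pk);
- return ret;
- }
-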
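--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ /dev/null
@@ -1,300 +0,0 @@
-/* rsa_pss.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2005.
- */
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-
-static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
-
-#if defined(_MSC_VER) && defined(_ARM_)
-#pragma optimize("g", off)
-#endif
-
-int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const unsigned char *EM, int sLen)
- {
- return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
- }
-
-int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
- const EVP_MD *Hash, const EVP_MD *mgf1Hash,
- const unsigned char *EM, int sLen)
- {
- int i;
- int ret = 0;
- int hLen, maskedDBLen, MSBits, emLen;
- const unsigned char *H;
- unsigned char *DB = NULL;
- EVP_MD_CTX ctx;
- unsigned char H_[EVP_MAX_MD_SIZE];
- EVP_MD_CTX_init(&ctx);
-
- if (mgf1Hash == NULL)
- mgf1Hash = Hash;
-
- hLen = EVP_MD_size(Hash);
- if (hLen < 0)
- goto err;
- /*
- * Negative sLen has special meanings:
- * -1 sLen == hLen
- * -2 salt length is autorecovered from signature
- * -N reserved
- */
- if (sLen == -1) sLen = hLen;
- else if (sLen == -2) sLen = -2;
- else if (sLen < -2)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-
- MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
- emLen = RSA_size(rsa);
- if (EM[0] & (0xFF << MSBits))
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_FIRST_OCTET_INVALID);
- goto err;
- }
- if (MSBits == 0)
- {
- EM++;
- emLen--;
- }
- if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
- goto err;
- }
- if (EM[emLen - 1] != 0xbc)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_LAST_OCTET_INVALID);
- goto err;
- }
- maskedDBLen = emLen - hLen - 1;
- H = EM + maskedDBLen;
- DB = OPENSSL_malloc(maskedDBLen);
- if (!DB)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
- goto err;
- for (i = 0; i < maskedDBLen; i++)
- DB[i] ^= EM[i];
- if (MSBits)
- DB[0] &= 0xFF >> (8 - MSBits);
- for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
- if (DB[i++] != 0x1)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);
- goto err;
- }
- if (sLen >= 0 && (maskedDBLen - i) != sLen)
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
- if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
- || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
- || !EVP_DigestUpdate(&ctx, mHash, hLen))
- goto err;
- if (maskedDBLen - i)
- {
- if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
- goto err;
- }
- if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
- goto err;
- if (memcmp(H_, H, hLen))
- {
- RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
- ret = 0;
- }
- else
- ret = 1;
-
- err:
- if (DB)
- OPENSSL_free(DB);
- EVP_MD_CTX_cleanup(&ctx);
-
- return ret;
-
- }
-
-int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash,
- const EVP_MD *Hash, int sLen)
- {
- return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
- }
-
-int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
- const unsigned char *mHash,
- const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen)
- {
- int i;
- int ret = 0;
- int hLen, maskedDBLen, MSBits, emLen;
- unsigned char *H, *salt = NULL, *p;
- EVP_MD_CTX ctx;
-
- if (mgf1Hash == NULL)
- mgf1Hash = Hash;
-
- hLen = EVP_MD_size(Hash);
- if (hLen < 0)
- goto err;
- /*
- * Negative sLen has special meanings:
- * -1 sLen == hLen
- * -2 salt length is maximized
- * -N reserved
- */
- if (sLen == -1) sLen = hLen;
- else if (sLen == -2) sLen = -2;
- else if (sLen < -2)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-
- MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
- emLen = RSA_size(rsa);
- if (MSBits == 0)
- {
- *EM++ = 0;
- emLen--;
- }
- if (sLen == -2)
- {
- sLen = emLen - hLen - 2;
- }
- else if (emLen < (hLen + sLen + 2))
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- goto err;
- }
- if (sLen > 0)
- {
- salt = OPENSSL_malloc(sLen);
- if (!salt)
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (RAND_bytes(salt, sLen) <= 0)
- goto err;
- }
- maskedDBLen = emLen - hLen - 1;
- H = EM + maskedDBLen;
- EVP_MD_CTX_init(&ctx);
- if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
- || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
- || !EVP_DigestUpdate(&ctx, mHash, hLen))
- goto err;
- if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
- goto err;
- if (!EVP_DigestFinal_ex(&ctx, H, NULL))
- goto err;
- EVP_MD_CTX_cleanup(&ctx);
-
- /* Generate dbMask in place then perform XOR on it */
- if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
- goto err;
-
- p = EM;
-
- /* Initial PS XORs with all zeroes which is a NOP so just update
- * pointer. Note from a test above this value is guaranteed to
- * be non-negative.
- */
- p += emLen - sLen - hLen - 2;
- *p++ ^= 0x1;
- if (sLen > 0)
- {
- for (i = 0; i < sLen; i++)
- *p++ ^= salt[i];
- }
- if (MSBits)
- EM[0] &= 0xFF >> (8 - MSBits);
-
- /* H is already in place so just set final 0xbc */
-
- EM[emLen - 1] = 0xbc;
-
- ret = 1;
-
- err:
- if (salt)
- OPENSSL_free(salt);
-
- return ret;
-
- }
-
-#if defined(_MSC_VER)
-#pragma optimize("",on)
-#endif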
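--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/* crypto/rsa/rsa_saos.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-
-int RSA_sign_ASN1_OCTET_STRING(int type,
- const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa)
- {
- ASN1_OCTET_STRING sig;
- int i,j,ret=1;
- unsigned char *p,*s;
-
- sig.type=V_ASN1_OCTET_STRING;
- sig.length=m_len;
- sig.data=(unsigned char *)m;
-
- i=i2d_ASN1_OCTET_STRING(&sig,NULL);
- j=RSA_size(rsa);
- if (i > (j-RSA_PKCS1_PADDING_SIZE))
- {
- RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
- return(0);
- }
- s=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
- if (s == NULL)
- {
- RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- p=s;
- i2d_ASN1_OCTET_STRING(&sig,&p);
- i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
- if (i <= 0)
- ret=0;
- else
- *siglen=i;
-
- OPENSSL_cleanse(s,(unsigned int)j+1);
- OPENSSL_free(s);
- return(ret);
- }
-
-int RSA_verify_ASN1_OCTET_STRING(int dtype,
- const unsigned char *m,
- unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
- RSA *rsa)
- {
- int i,ret=0;
- unsigned char *s;
- const unsigned char *p;
- ASN1_OCTET_STRING *sig=NULL;
-
- if (siglen != (unsigned int)RSA_size(rsa))
- {
- RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_WRONG_SIGNATURE_LENGTH);
- return(0);
- }
-
- s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
- if (s == NULL)
- {
- RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
-
- if (i <= 0) goto err;
-
- p=s;
- sig=d2i_ASN1_OCTET_STRING(NULL,&p,(long)i);
- if (sig == NULL) goto err;
-
- if ( ((unsigned int)sig->length != m_len) ||
- (memcmp(m,sig->data,m_len) != 0))
- {
- RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_BAD_SIGNATURE);
- }
- else
- ret=1;
-err:
- if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
- if (s != NULL)
- {
- OPENSSL_cleanse(s,(unsigned int)siglen);
- OPENSSL_free(s);
- }
- return(ret);
- }
-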
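--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ /dev/null
@@ -1,318 +0,0 @@
-/* crypto/rsa/rsa_sign.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include "rsa_locl.h"
-
-/* Size of an SSL signature: MD5+SHA1 */
-#define SSL_SIG_LENGTH 36
-
-int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa)
- {
- X509_SIG sig;
- ASN1_TYPE parameter;
- int i,j,ret=1;
- unsigned char *p, *tmps = NULL;
- const unsigned char *s = NULL;
- X509_ALGOR algor;
- ASN1_OCTET_STRING digest;
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
- RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
- return 0;
- }
-#endif
- if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
- {
- return rsa->meth->rsa_sign(type, m, m_len,
- sigret, siglen, rsa);
- }
- /* Special case: SSL signature, just check the length */
- if(type == NID_md5_sha1) {
- if(m_len != SSL_SIG_LENGTH) {
- RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH);
- return(0);
- }
- i = SSL_SIG_LENGTH;
- s = m;
- } else {
- sig.algor= &algor;
- sig.algor->algorithm=OBJ_nid2obj(type);
- if (sig.algor->algorithm == NULL)
- {
- RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
- return(0);
- }
- if (sig.algor->algorithm->length == 0)
- {
- RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
- return(0);
- }
- parameter.type=V_ASN1_NULL;
- parameter.value.ptr=NULL;
- sig.algor->parameter= &parameter;
-
- sig.digest= &digest;
- sig.digest->data=(unsigned char *)m; /* TMP UGLY CAST */
- sig.digest->length=m_len;
-
- i=i2d_X509_SIG(&sig,NULL);
- }
- j=RSA_size(rsa);
- if (i > (j-RSA_PKCS1_PADDING_SIZE))
- {
- RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
- return(0);
- }
- if(type != NID_md5_sha1) {
- tmps=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
- if (tmps == NULL)
- {
- RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- p=tmps;
- i2d_X509_SIG(&sig,&p);
- s=tmps;
- }
- i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
- if (i <= 0)
- ret=0;
- else
- *siglen=i;
-
- if(type != NID_md5_sha1) {
- OPENSSL_cleanse(tmps,(unsigned int)j+1);
- OPENSSL_free(tmps);
- }
- return(ret);
- }
-
-int int_rsa_verify(int dtype, const unsigned char *m,
- unsigned int m_len,
- unsigned char *rm, size_t *prm_len,
- const unsigned char *sigbuf, size_t siglen,
- RSA *rsa)
- {
- int i,ret=0,sigtype;
- unsigned char *s;
- X509_SIG *sig=NULL;
-
-#ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
- return 0;
- }
-#endif
-
- if (siglen != (unsigned int)RSA_size(rsa))
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
- return(0);
- }
-
- if((dtype == NID_md5_sha1) && rm)
- {
- i = RSA_public_decrypt((int)siglen,
- sigbuf,rm,rsa,RSA_PKCS1_PADDING);
- if (i <= 0)
- return 0;
- *prm_len = i;
- return 1;
- }
-
- s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
- if (s == NULL)
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
- goto err;
- }
- i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
-
- if (i <= 0) goto err;
- /* Oddball MDC2 case: signature can be OCTET STRING.
- * check for correct tag and length octets.
- */
- if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10)
- {
- if (rm)
- {
- memcpy(rm, s + 2, 16);
- *prm_len = 16;
- ret = 1;
- }
- else if(memcmp(m, s + 2, 16))
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
- else
- ret = 1;
- }
-
- /* Special case: SSL signature */
- if(dtype == NID_md5_sha1) {
- if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
- else ret = 1;
- } else {
- const unsigned char *p=s;
- sig=d2i_X509_SIG(NULL,&p,(long)i);
-
- if (sig == NULL) goto err;
-
- /* Excess data can be used to create forgeries */
- if(p != s+i)
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
- goto err;
- }
-
- /* Parameters to the signature algorithm can also be used to
- create forgeries */
- if(sig->algor->parameter
- && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
- goto err;
- }
-
- sigtype=OBJ_obj2nid(sig->algor->algorithm);
-
-
- #ifdef RSA_DEBUG
- /* put a backward compatibility flag in EAY */
- fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype),
- OBJ_nid2ln(dtype));
- #endif
- if (sigtype != dtype)
- {
- if (((dtype == NID_md5) &&
- (sigtype == NID_md5WithRSAEncryption)) ||
- ((dtype == NID_md2) &&
- (sigtype == NID_md2WithRSAEncryption)))
- {
- /* ok, we will let it through */
-#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
- fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
-#endif
- }
- else
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,
- RSA_R_ALGORITHM_MISMATCH);
- goto err;
- }
- }
- if (rm)
- {
- const EVP_MD *md;
- md = EVP_get_digestbynid(dtype);
- if (md && (EVP_MD_size(md) != sig->digest->length))
- RSAerr(RSA_F_INT_RSA_VERIFY,
- RSA_R_INVALID_DIGEST_LENGTH);
- else
- {
- memcpy(rm, sig->digest->data,
- sig->digest->length);
- *prm_len = sig->digest->length;
- ret = 1;
- }
- }
- else if (((unsigned int)sig->digest->length != m_len) ||
- (memcmp(m,sig->digest->data,m_len) != 0))
- {
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
- }
- else
- ret=1;
- }
-err:
- if (sig != NULL) X509_SIG_free(sig);
- if (s != NULL)
- {
- OPENSSL_cleanse(s,(unsigned int)siglen);
- OPENSSL_free(s);
- }
- return(ret);
- }
-
-int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
- const unsigned char *sigbuf, unsigned int siglen,
- RSA *rsa)
- {
-
- if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
- {
- return rsa->meth->rsa_verify(dtype, m, m_len,
- sigbuf, siglen, rsa);
- }
-
- return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
- }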
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
deleted file mode 100644
index cfeff15bc9..0000000000
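--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/* crypto/rsa/rsa_ssl.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-
-int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
- int i,j;
- unsigned char *p;
-
- if (flen > (tlen-11))
- {
- RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return(0);
- }
-
- p=(unsigned char *)to;
-
- *(p++)=0;
- *(p++)=2; /* Public Key BT (Block Type) */
-
- /* pad out with non-zero random data */
- j=tlen-3-8-flen;
-
- if (RAND_bytes(p,j) <= 0)
- return(0);
- for (i=0; i<j; i++)
- {
- if (*p == '\0')
- do {
- if (RAND_bytes(p,1) <= 0)
- return(0);
- } while (*p == '\0');
- p++;
- }
-
- memset(p,3,8);
- p+=8;
- *(p++)='\0';
-
- memcpy(p,from,(unsigned int)flen);
- return(1);
- }
-
-int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
- const unsigned char *from, int flen, int num)
- {
- int i,j,k;
- const unsigned char *p;
-
- p=from;
- if (flen < 10)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_SMALL);
- return(-1);
- }
- if ((num != (flen+1)) || (*(p++) != 02))
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_BLOCK_TYPE_IS_NOT_02);
- return(-1);
- }
-
- /* scan over padding data */
- j=flen-1; /* one for type */
- for (i=0; i<j; i++)
- if (*(p++) == 0) break;
-
- if ((i == j) || (i < 8))
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
- return(-1);
- }
- for (k = -9; k<-1; k++)
- {
- if (p[k] != 0x03) break;
- }
- if (k == -1)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK);
- return(-1);
- }
-
- i++; /* Skip over the '\0' */
- j-=i;
- if (j > tlen)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE);
- return(-1);
- }
- memcpy(to,p,(unsigned int)j);
-
- return(j);
- }
-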
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
deleted file mode 100644
index 21548e37ed..0000000000
--- a/src/lib/libcrypto/rsa/rsa_x931.c
+++ /dev/null
@@ -1,177 +0,0 @@
1/* rsa_x931.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rsa.h>
63#include <openssl/rand.h>
64#include <openssl/objects.h>
65
66int RSA_padding_add_X931(unsigned char *to, int tlen,
67 const unsigned char *from, int flen)
68 {
69 int j;
70 unsigned char *p;
71
72 /* Absolute minimum amount of padding is 1 header nibble, 1 padding
73 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
74 */
75
76 j = tlen - flen - 2;
77
78 if (j < 0)
79 {
80 RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
81 return -1;
82 }
83
84 p=(unsigned char *)to;
85
86 /* If no padding start and end nibbles are in one byte */
87 if (j == 0)
88 *p++ = 0x6A;
89 else
90 {
91 *p++ = 0x6B;
92 if (j > 1)
93 {
94 memset(p, 0xBB, j - 1);
95 p += j - 1;
96 }
97 *p++ = 0xBA;
98 }
99 memcpy(p,from,(unsigned int)flen);
100 p += flen;
101 *p = 0xCC;
102 return(1);
103 }
104
105int RSA_padding_check_X931(unsigned char *to, int tlen,
106 const unsigned char *from, int flen, int num)
107 {
108 int i = 0,j;
109 const unsigned char *p;
110
111 p=from;
112 if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B)))
113 {
114 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER);
115 return -1;
116 }
117
118 if (*p++ == 0x6B)
119 {
120 j=flen-3;
121 for (i = 0; i < j; i++)
122 {
123 unsigned char c = *p++;
124 if (c == 0xBA)
125 break;
126 if (c != 0xBB)
127 {
128 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
129 RSA_R_INVALID_PADDING);
130 return -1;
131 }
132 }
133
134 j -= i;
135
136 if (i == 0)
137 {
138 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING);
139 return -1;
140 }
141
142 }
143 else j = flen - 2;
144
145 if (p[j] != 0xCC)
146 {
147 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
148 return -1;
149 }
150
151 memcpy(to,p,(unsigned int)j);
152
153 return(j);
154 }
155
156/* Translate between X931 hash ids and NIDs */
157
158int RSA_X931_hash_id(int nid)
159 {
160 switch (nid)
161 {
162 case NID_sha1:
163 return 0x33;
164
165 case NID_sha256:
166 return 0x34;
167
168 case NID_sha384:
169 return 0x36;
170
171 case NID_sha512:
172 return 0x35;
173
174 }
175 return -1;
176 }
177