summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2015-08-02 21:54:22 +0000
committercvs2svn <admin@example.com>2015-08-02 21:54:22 +0000
commit92262c9818409ff436c41f1e51c2cea5b227f152 (patch)
tree5609c82060f75c53af0a7641d9b33a88574876cd /src/lib/libcrypto/rsa
parented40f444ba01bcae1d8540f9c26d79537ab5baf2 (diff)
downloadopenbsd-OPENBSD_5_8_BASE.tar.gz
openbsd-OPENBSD_5_8_BASE.tar.bz2
openbsd-OPENBSD_5_8_BASE.zip
This commit was manufactured by cvs2git to create tag 'OPENBSD_5_8_BASE'.OPENBSD_5_8_BASE
Diffstat (limited to 'src/lib/libcrypto/rsa')
-rw-r--r--src/lib/libcrypto/rsa/rsa.h558
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c675
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c308
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c213
-rw-r--r--src/lib/libcrypto/rsa/rsa_crpt.c217
-rw-r--r--src/lib/libcrypto/rsa/rsa_depr.c101
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c912
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c210
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c240
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c258
-rw-r--r--src/lib/libcrypto/rsa/rsa_locl.h4
-rw-r--r--src/lib/libcrypto/rsa/rsa_none.c98
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c236
-rw-r--r--src/lib/libcrypto/rsa/rsa_pk1.c224
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c616
-rw-r--r--src/lib/libcrypto/rsa/rsa_prn.c93
-rw-r--r--src/lib/libcrypto/rsa/rsa_pss.c289
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c149
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c255
-rw-r--r--src/lib/libcrypto/rsa/rsa_ssl.c151
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931.c167
21 files changed, 0 insertions, 5974 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
deleted file mode 100644
index 4045a6cbf3..0000000000
--- a/src/lib/libcrypto/rsa/rsa.h
+++ /dev/null
@@ -1,558 +0,0 @@
1/* $OpenBSD: rsa.h,v 1.27 2015/02/14 15:10:39 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_RSA_H
60#define HEADER_RSA_H
61
62#include <openssl/opensslconf.h>
63
64#include <openssl/asn1.h>
65
66#ifndef OPENSSL_NO_BIO
67#include <openssl/bio.h>
68#endif
69#include <openssl/crypto.h>
70#include <openssl/ossl_typ.h>
71#ifndef OPENSSL_NO_DEPRECATED
72#include <openssl/bn.h>
73#endif
74
75#ifdef OPENSSL_NO_RSA
76#error RSA is disabled.
77#endif
78
79#ifdef __cplusplus
80extern "C" {
81#endif
82
83/* Declared already in ossl_typ.h */
84/* typedef struct rsa_st RSA; */
85/* typedef struct rsa_meth_st RSA_METHOD; */
86
87struct rsa_meth_st {
88 const char *name;
89 int (*rsa_pub_enc)(int flen, const unsigned char *from,
90 unsigned char *to, RSA *rsa, int padding);
91 int (*rsa_pub_dec)(int flen, const unsigned char *from,
92 unsigned char *to, RSA *rsa, int padding);
93 int (*rsa_priv_enc)(int flen, const unsigned char *from,
94 unsigned char *to, RSA *rsa, int padding);
95 int (*rsa_priv_dec)(int flen, const unsigned char *from,
96 unsigned char *to, RSA *rsa, int padding);
97 int (*rsa_mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
98 BN_CTX *ctx); /* Can be null */
99 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
100 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* Can be null */
101 int (*init)(RSA *rsa); /* called at new */
102 int (*finish)(RSA *rsa); /* called at free */
103 int flags; /* RSA_METHOD_FLAG_* things */
104 char *app_data; /* may be needed! */
105/* New sign and verify functions: some libraries don't allow arbitrary data
106 * to be signed/verified: this allows them to be used. Note: for this to work
107 * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
108 * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
109 * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
110 * option is set in 'flags'.
111 */
112 int (*rsa_sign)(int type, const unsigned char *m, unsigned int m_length,
113 unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
114 int (*rsa_verify)(int dtype, const unsigned char *m,
115 unsigned int m_length, const unsigned char *sigbuf,
116 unsigned int siglen, const RSA *rsa);
117/* If this callback is NULL, the builtin software RSA key-gen will be used. This
118 * is for behavioural compatibility whilst the code gets rewired, but one day
119 * it would be nice to assume there are no such things as "builtin software"
120 * implementations. */
121 int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
122};
123
124struct rsa_st {
125 /* The first parameter is used to pickup errors where
126 * this is passed instead of aEVP_PKEY, it is set to 0 */
127 int pad;
128 long version;
129 const RSA_METHOD *meth;
130 /* functional reference if 'meth' is ENGINE-provided */
131 ENGINE *engine;
132 BIGNUM *n;
133 BIGNUM *e;
134 BIGNUM *d;
135 BIGNUM *p;
136 BIGNUM *q;
137 BIGNUM *dmp1;
138 BIGNUM *dmq1;
139 BIGNUM *iqmp;
140 /* be careful using this if the RSA structure is shared */
141 CRYPTO_EX_DATA ex_data;
142 int references;
143 int flags;
144
145 /* Used to cache montgomery values */
146 BN_MONT_CTX *_method_mod_n;
147 BN_MONT_CTX *_method_mod_p;
148 BN_MONT_CTX *_method_mod_q;
149
150 /* all BIGNUM values are actually in the following data, if it is not
151 * NULL */
152 BN_BLINDING *blinding;
153 BN_BLINDING *mt_blinding;
154};
155
156#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
157# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
158#endif
159
160#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
161# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
162#endif
163#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
164# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
165#endif
166
167#define RSA_3 0x3L
168#define RSA_F4 0x10001L
169
170/* Don't check pub/private match. */
171#define RSA_METHOD_FLAG_NO_CHECK 0x0001
172
173#define RSA_FLAG_CACHE_PUBLIC 0x0002
174#define RSA_FLAG_CACHE_PRIVATE 0x0004
175#define RSA_FLAG_BLINDING 0x0008
176#define RSA_FLAG_THREAD_SAFE 0x0010
177
178/*
179 * This flag means the private key operations will be handled by rsa_mod_exp
180 * and that they do not depend on the private key components being present:
181 * for example a key stored in external hardware. Without this flag bn_mod_exp
182 * gets called when private key components are absent.
183 */
184#define RSA_FLAG_EXT_PKEY 0x0020
185
186/*
187 * This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
188 */
189#define RSA_FLAG_SIGN_VER 0x0040
190
191/*
192 * The built-in RSA implementation uses blinding by default, but other engines
193 * might not need it.
194 */
195#define RSA_FLAG_NO_BLINDING 0x0080
196
197/*
198 * The built-in RSA implementation uses constant time operations by default
199 * in private key operations, e.g., constant time modular exponentiation,
200 * modular inverse without leaking branches, division without leaking branches.
201 * This flag disables these constant time operations and results in faster RSA
202 * private key operations.
203 */
204#define RSA_FLAG_NO_CONSTTIME 0x0100
205
206
207#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
208 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
209 pad, NULL)
210
211#define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \
212 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, \
213 EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad)
214
215#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
216 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
217 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
218 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \
219 len, NULL)
220
221#define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \
222 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
223 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
224 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, \
225 0, plen)
226
227#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
228 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
229 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
230
231#define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \
232 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
233 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
234
235#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \
236 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
237 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md)
238
239#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \
240 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
241 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)
242
243#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
244#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
245
246#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
247#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
248#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5)
249
250#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6)
251#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7)
252#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8)
253
254#define RSA_PKCS1_PADDING 1
255#define RSA_SSLV23_PADDING 2
256#define RSA_NO_PADDING 3
257#define RSA_PKCS1_OAEP_PADDING 4
258#define RSA_X931_PADDING 5
259/* EVP_PKEY_ only */
260#define RSA_PKCS1_PSS_PADDING 6
261
262#define RSA_PKCS1_PADDING_SIZE 11
263
264#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
265#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
266
267RSA *RSA_new(void);
268RSA *RSA_new_method(ENGINE *engine);
269int RSA_size(const RSA *rsa);
270
271/* Deprecated version */
272#ifndef OPENSSL_NO_DEPRECATED
273RSA *RSA_generate_key(int bits, unsigned long e,
274 void (*callback)(int, int, void *), void *cb_arg);
275#endif /* !defined(OPENSSL_NO_DEPRECATED) */
276
277/* New version */
278int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
279
280int RSA_check_key(const RSA *);
281/* next 4 return -1 on error */
282int RSA_public_encrypt(int flen, const unsigned char *from,
283 unsigned char *to, RSA *rsa, int padding);
284int RSA_private_encrypt(int flen, const unsigned char *from,
285 unsigned char *to, RSA *rsa, int padding);
286int RSA_public_decrypt(int flen, const unsigned char *from,
287 unsigned char *to, RSA *rsa, int padding);
288int RSA_private_decrypt(int flen, const unsigned char *from,
289 unsigned char *to, RSA *rsa, int padding);
290void RSA_free(RSA *r);
291/* "up" the RSA object's reference count */
292int RSA_up_ref(RSA *r);
293
294int RSA_flags(const RSA *r);
295
296void RSA_set_default_method(const RSA_METHOD *meth);
297const RSA_METHOD *RSA_get_default_method(void);
298const RSA_METHOD *RSA_get_method(const RSA *rsa);
299int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
300
301/* these are the actual SSLeay RSA functions */
302const RSA_METHOD *RSA_PKCS1_SSLeay(void);
303
304const RSA_METHOD *RSA_null_method(void);
305
306DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
307DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
308
309typedef struct rsa_pss_params_st {
310 X509_ALGOR *hashAlgorithm;
311 X509_ALGOR *maskGenAlgorithm;
312 ASN1_INTEGER *saltLength;
313 ASN1_INTEGER *trailerField;
314} RSA_PSS_PARAMS;
315
316DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
317
318int RSA_print_fp(FILE *fp, const RSA *r, int offset);
319
320#ifndef OPENSSL_NO_BIO
321int RSA_print(BIO *bp, const RSA *r, int offset);
322#endif
323
324#ifndef OPENSSL_NO_RC4
325int i2d_RSA_NET(const RSA *a, unsigned char **pp,
326 int (*cb)(char *buf, int len, const char *prompt, int verify), int sgckey);
327RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
328 int (*cb)(char *buf, int len, const char *prompt, int verify), int sgckey);
329
330int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
331 int (*cb)(char *buf, int len, const char *prompt, int verify));
332RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
333 int (*cb)(char *buf, int len, const char *prompt, int verify));
334#endif
335
336/* The following 2 functions sign and verify a X509_SIG ASN1 object
337 * inside PKCS#1 padded RSA encryption */
338int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
339 unsigned char *sigret, unsigned int *siglen, RSA *rsa);
340int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
341 const unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
342
343/* The following 2 function sign and verify a ASN1_OCTET_STRING
344 * object inside PKCS#1 padded RSA encryption */
345int RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m,
346 unsigned int m_length, unsigned char *sigret, unsigned int *siglen,
347 RSA *rsa);
348int RSA_verify_ASN1_OCTET_STRING(int type, const unsigned char *m,
349 unsigned int m_length, unsigned char *sigbuf, unsigned int siglen,
350 RSA *rsa);
351
352int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
353void RSA_blinding_off(RSA *rsa);
354BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
355
356int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
357 const unsigned char *f, int fl);
358int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
359 const unsigned char *f, int fl, int rsa_len);
360int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
361 const unsigned char *f, int fl);
362int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
363 const unsigned char *f, int fl, int rsa_len);
364int PKCS1_MGF1(unsigned char *mask, long len,
365 const unsigned char *seed, long seedlen, const EVP_MD *dgst);
366int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
367 const unsigned char *f, int fl,
368 const unsigned char *p, int pl);
369int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
370 const unsigned char *f, int fl, int rsa_len,
371 const unsigned char *p, int pl);
372int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
373 const unsigned char *f, int fl);
374int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
375 const unsigned char *f, int fl, int rsa_len);
376int RSA_padding_add_none(unsigned char *to, int tlen,
377 const unsigned char *f, int fl);
378int RSA_padding_check_none(unsigned char *to, int tlen,
379 const unsigned char *f, int fl, int rsa_len);
380int RSA_padding_add_X931(unsigned char *to, int tlen,
381 const unsigned char *f, int fl);
382int RSA_padding_check_X931(unsigned char *to, int tlen,
383 const unsigned char *f, int fl, int rsa_len);
384int RSA_X931_hash_id(int nid);
385
386int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
387 const EVP_MD *Hash, const unsigned char *EM, int sLen);
388int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
389 const unsigned char *mHash, const EVP_MD *Hash, int sLen);
390
391int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
392 const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
393 int sLen);
394
395int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
396 const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
397 int sLen);
398
399int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
400 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
401int RSA_set_ex_data(RSA *r, int idx, void *arg);
402void *RSA_get_ex_data(const RSA *r, int idx);
403
404RSA *RSAPublicKey_dup(RSA *rsa);
405RSA *RSAPrivateKey_dup(RSA *rsa);
406
407/* If this flag is set the RSA method is FIPS compliant and can be used
408 * in FIPS mode. This is set in the validated module method. If an
409 * application sets this flag in its own methods it is its responsibility
410 * to ensure the result is compliant.
411 */
412
413#define RSA_FLAG_FIPS_METHOD 0x0400
414
415/* If this flag is set the operations normally disabled in FIPS mode are
416 * permitted it is then the applications responsibility to ensure that the
417 * usage is compliant.
418 */
419
420#define RSA_FLAG_NON_FIPS_ALLOW 0x0400
421/* Application has decided PRNG is good enough to generate a key: don't
422 * check.
423 */
424#define RSA_FLAG_CHECKED 0x0800
425
426/* BEGIN ERROR CODES */
427/* The following lines are auto generated by the script mkerr.pl. Any changes
428 * made after this point may be overwritten when the script is next run.
429 */
430void ERR_load_RSA_strings(void);
431
432/* Error codes for the RSA functions. */
433
434/* Function codes. */
435#define RSA_F_CHECK_PADDING_MD 140
436#define RSA_F_DO_RSA_PRINT 146
437#define RSA_F_INT_RSA_VERIFY 145
438#define RSA_F_MEMORY_LOCK 100
439#define RSA_F_OLD_RSA_PRIV_DECODE 147
440#define RSA_F_PKEY_RSA_CTRL 143
441#define RSA_F_PKEY_RSA_CTRL_STR 144
442#define RSA_F_PKEY_RSA_SIGN 142
443#define RSA_F_PKEY_RSA_VERIFY 154
444#define RSA_F_PKEY_RSA_VERIFYRECOVER 141
445#define RSA_F_RSA_BUILTIN_KEYGEN 129
446#define RSA_F_RSA_CHECK_KEY 123
447#define RSA_F_RSA_EAY_MOD_EXP 157
448#define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
449#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
450#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
451#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
452#define RSA_F_RSA_GENERATE_KEY 105
453#define RSA_F_RSA_GENERATE_KEY_EX 155
454#define RSA_F_RSA_ITEM_VERIFY 156
455#define RSA_F_RSA_MEMORY_LOCK 130
456#define RSA_F_RSA_NEW_METHOD 106
457#define RSA_F_RSA_NULL 124
458#define RSA_F_RSA_NULL_MOD_EXP 131
459#define RSA_F_RSA_NULL_PRIVATE_DECRYPT 132
460#define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 133
461#define RSA_F_RSA_NULL_PUBLIC_DECRYPT 134
462#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 135
463#define RSA_F_RSA_PADDING_ADD_NONE 107
464#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
465#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
466#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
467#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
468#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
469#define RSA_F_RSA_PADDING_ADD_SSLV23 110
470#define RSA_F_RSA_PADDING_ADD_X931 127
471#define RSA_F_RSA_PADDING_CHECK_NONE 111
472#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122
473#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112
474#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113
475#define RSA_F_RSA_PADDING_CHECK_SSLV23 114
476#define RSA_F_RSA_PADDING_CHECK_X931 128
477#define RSA_F_RSA_PRINT 115
478#define RSA_F_RSA_PRINT_FP 116
479#define RSA_F_RSA_PRIVATE_DECRYPT 150
480#define RSA_F_RSA_PRIVATE_ENCRYPT 151
481#define RSA_F_RSA_PRIV_DECODE 137
482#define RSA_F_RSA_PRIV_ENCODE 138
483#define RSA_F_RSA_PUBLIC_DECRYPT 152
484#define RSA_F_RSA_PUBLIC_ENCRYPT 153
485#define RSA_F_RSA_PUB_DECODE 139
486#define RSA_F_RSA_SETUP_BLINDING 136
487#define RSA_F_RSA_SIGN 117
488#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
489#define RSA_F_RSA_VERIFY 119
490#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
491#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
492#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
493
494/* Reason codes. */
495#define RSA_R_ALGORITHM_MISMATCH 100
496#define RSA_R_BAD_E_VALUE 101
497#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
498#define RSA_R_BAD_PAD_BYTE_COUNT 103
499#define RSA_R_BAD_SIGNATURE 104
500#define RSA_R_BLOCK_TYPE_IS_NOT_01 106
501#define RSA_R_BLOCK_TYPE_IS_NOT_02 107
502#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
503#define RSA_R_DATA_TOO_LARGE 109
504#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
505#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
506#define RSA_R_DATA_TOO_SMALL 111
507#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
508#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
509#define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
510#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
511#define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
512#define RSA_R_FIRST_OCTET_INVALID 133
513#define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144
514#define RSA_R_INVALID_DIGEST_LENGTH 143
515#define RSA_R_INVALID_HEADER 137
516#define RSA_R_INVALID_KEYBITS 145
517#define RSA_R_INVALID_MESSAGE_LENGTH 131
518#define RSA_R_INVALID_MGF1_MD 156
519#define RSA_R_INVALID_PADDING 138
520#define RSA_R_INVALID_PADDING_MODE 141
521#define RSA_R_INVALID_PSS_PARAMETERS 149
522#define RSA_R_INVALID_PSS_SALTLEN 146
523#define RSA_R_INVALID_SALT_LENGTH 150
524#define RSA_R_INVALID_TRAILER 139
525#define RSA_R_INVALID_X931_DIGEST 142
526#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
527#define RSA_R_KEY_SIZE_TOO_SMALL 120
528#define RSA_R_LAST_OCTET_INVALID 134
529#define RSA_R_MODULUS_TOO_LARGE 105
530#define RSA_R_NON_FIPS_RSA_METHOD 157
531#define RSA_R_NO_PUBLIC_EXPONENT 140
532#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
533#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
534#define RSA_R_OAEP_DECODING_ERROR 121
535#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
536#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
537#define RSA_R_PADDING_CHECK_FAILED 114
538#define RSA_R_P_NOT_PRIME 128
539#define RSA_R_Q_NOT_PRIME 129
540#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
541#define RSA_R_SLEN_CHECK_FAILED 136
542#define RSA_R_SLEN_RECOVERY_FAILED 135
543#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
544#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
545#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
546#define RSA_R_UNKNOWN_MASK_DIGEST 151
547#define RSA_R_UNKNOWN_PADDING_TYPE 118
548#define RSA_R_UNKNOWN_PSS_DIGEST 152
549#define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
550#define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
551#define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
552#define RSA_R_VALUE_MISSING 147
553#define RSA_R_WRONG_SIGNATURE_LENGTH 119
554
555#ifdef __cplusplus
556}
557#endif
558#endif
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
deleted file mode 100644
index 528b72b4b9..0000000000
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ /dev/null
@@ -1,675 +0,0 @@
1/* $OpenBSD: rsa_ameth.c,v 1.14 2015/02/11 04:05:14 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/opensslconf.h>
62
63#include <openssl/asn1t.h>
64#include <openssl/bn.h>
65#include <openssl/err.h>
66#include <openssl/rsa.h>
67#include <openssl/x509.h>
68
69#ifndef OPENSSL_NO_CMS
70#include <openssl/cms.h>
71#endif
72
73#include "asn1_locl.h"
74
75static int
76rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
77{
78 unsigned char *penc = NULL;
79 int penclen;
80
81 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
82 if (penclen <= 0)
83 return 0;
84 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
85 V_ASN1_NULL, NULL, penc, penclen))
86 return 1;
87
88 free(penc);
89 return 0;
90}
91
92static int
93rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
94{
95 const unsigned char *p;
96 int pklen;
97 RSA *rsa = NULL;
98
99 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
100 return 0;
101 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
102 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
103 return 0;
104 }
105 EVP_PKEY_assign_RSA (pkey, rsa);
106 return 1;
107}
108
109static int
110rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
111{
112 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 ||
113 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
114 return 0;
115 return 1;
116}
117
118static int
119old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
120{
121 RSA *rsa;
122
123 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) {
124 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
125 return 0;
126 }
127 EVP_PKEY_assign_RSA(pkey, rsa);
128 return 1;
129}
130
131static int
132old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
133{
134 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
135}
136
137static int
138rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
139{
140 unsigned char *rk = NULL;
141 int rklen;
142
143 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
144
145 if (rklen <= 0) {
146 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
147 return 0;
148 }
149
150 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
151 V_ASN1_NULL, NULL, rk, rklen)) {
152 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
153 return 0;
154 }
155
156 return 1;
157}
158
159static int
160rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
161{
162 const unsigned char *p;
163 int pklen;
164
165 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
166 return 0;
167 return old_rsa_priv_decode(pkey, &p, pklen);
168}
169
170static int
171int_rsa_size(const EVP_PKEY *pkey)
172{
173 return RSA_size(pkey->pkey.rsa);
174}
175
176static int
177rsa_bits(const EVP_PKEY *pkey)
178{
179 return BN_num_bits(pkey->pkey.rsa->n);
180}
181
182static void
183int_rsa_free(EVP_PKEY *pkey)
184{
185 RSA_free(pkey->pkey.rsa);
186}
187
188static void
189update_buflen(const BIGNUM *b, size_t *pbuflen)
190{
191 size_t i;
192
193 if (!b)
194 return;
195 if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
196 *pbuflen = i;
197}
198
199static int
200do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
201{
202 char *str;
203 const char *s;
204 unsigned char *m = NULL;
205 int ret = 0, mod_len = 0;
206 size_t buf_len = 0;
207
208 update_buflen(x->n, &buf_len);
209 update_buflen(x->e, &buf_len);
210
211 if (priv) {
212 update_buflen(x->d, &buf_len);
213 update_buflen(x->p, &buf_len);
214 update_buflen(x->q, &buf_len);
215 update_buflen(x->dmp1, &buf_len);
216 update_buflen(x->dmq1, &buf_len);
217 update_buflen(x->iqmp, &buf_len);
218 }
219
220 m = malloc(buf_len + 10);
221 if (m == NULL) {
222 RSAerr(RSA_F_DO_RSA_PRINT, ERR_R_MALLOC_FAILURE);
223 goto err;
224 }
225
226 if (x->n != NULL)
227 mod_len = BN_num_bits(x->n);
228
229 if (!BIO_indent(bp, off, 128))
230 goto err;
231
232 if (priv && x->d) {
233 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
234 goto err;
235 str = "modulus:";
236 s = "publicExponent:";
237 } else {
238 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
239 goto err;
240 str = "Modulus:";
241 s= "Exponent:";
242 }
243 if (!ASN1_bn_print(bp, str, x->n, m, off))
244 goto err;
245 if (!ASN1_bn_print(bp, s, x->e, m, off))
246 goto err;
247 if (priv) {
248 if (!ASN1_bn_print(bp, "privateExponent:", x->d,m, off))
249 goto err;
250 if (!ASN1_bn_print(bp, "prime1:", x->p, m, off))
251 goto err;
252 if (!ASN1_bn_print(bp, "prime2:", x->q, m, off))
253 goto err;
254 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off))
255 goto err;
256 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off))
257 goto err;
258 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off))
259 goto err;
260 }
261 ret = 1;
262err:
263 free(m);
264 return (ret);
265}
266
267static int
268rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
269{
270 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
271}
272
273static int
274rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
275{
276 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
277}
278
279static RSA_PSS_PARAMS *
280rsa_pss_decode(const X509_ALGOR *alg, X509_ALGOR **pmaskHash)
281{
282 const unsigned char *p;
283 int plen;
284 RSA_PSS_PARAMS *pss;
285
286 *pmaskHash = NULL;
287
288 if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
289 return NULL;
290
291 p = alg->parameter->value.sequence->data;
292 plen = alg->parameter->value.sequence->length;
293 pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
294
295 if (!pss)
296 return NULL;
297
298 if (pss->maskGenAlgorithm) {
299 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
300 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 &&
301 param->type == V_ASN1_SEQUENCE) {
302 p = param->value.sequence->data;
303 plen = param->value.sequence->length;
304 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
305 }
306 }
307
308 return pss;
309}
310
311static int
312rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, X509_ALGOR *maskHash,
313 int indent)
314{
315 int rv = 0;
316
317 if (!pss) {
318 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
319 return 0;
320 return 1;
321 }
322 if (BIO_puts(bp, "\n") <= 0)
323 goto err;
324 if (!BIO_indent(bp, indent, 128))
325 goto err;
326 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
327 goto err;
328
329 if (pss->hashAlgorithm) {
330 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
331 goto err;
332 } else if (BIO_puts(bp, "sha1 (default)") <= 0)
333 goto err;
334
335 if (BIO_puts(bp, "\n") <= 0)
336 goto err;
337
338 if (!BIO_indent(bp, indent, 128))
339 goto err;
340
341 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
342 goto err;
343 if (pss->maskGenAlgorithm) {
344 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
345 goto err;
346 if (BIO_puts(bp, " with ") <= 0)
347 goto err;
348 if (maskHash) {
349 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
350 goto err;
351 } else if (BIO_puts(bp, "INVALID") <= 0)
352 goto err;
353 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
354 goto err;
355 BIO_puts(bp, "\n");
356
357 if (!BIO_indent(bp, indent, 128))
358 goto err;
359 if (BIO_puts(bp, "Salt Length: 0x") <= 0)
360 goto err;
361 if (pss->saltLength) {
362 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
363 goto err;
364 } else if (BIO_puts(bp, "14 (default)") <= 0)
365 goto err;
366 BIO_puts(bp, "\n");
367
368 if (!BIO_indent(bp, indent, 128))
369 goto err;
370 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
371 goto err;
372 if (pss->trailerField) {
373 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
374 goto err;
375 } else if (BIO_puts(bp, "BC (default)") <= 0)
376 goto err;
377 BIO_puts(bp, "\n");
378
379 rv = 1;
380
381err:
382 return rv;
383}
384
385static int
386rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
387 int indent, ASN1_PCTX *pctx)
388{
389 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) {
390 int rv;
391 RSA_PSS_PARAMS *pss;
392 X509_ALGOR *maskHash;
393 pss = rsa_pss_decode(sigalg, &maskHash);
394 rv = rsa_pss_param_print(bp, pss, maskHash, indent);
395 if (pss)
396 RSA_PSS_PARAMS_free(pss);
397 if (maskHash)
398 X509_ALGOR_free(maskHash);
399 if (!rv)
400 return 0;
401 } else if (!sig && BIO_puts(bp, "\n") <= 0)
402 return 0;
403 if (sig)
404 return X509_signature_dump(bp, sig, indent);
405 return 1;
406}
407
408static int
409rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
410{
411 X509_ALGOR *alg = NULL;
412
413 switch (op) {
414 case ASN1_PKEY_CTRL_PKCS7_SIGN:
415 if (arg1 == 0)
416 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
417 break;
418
419 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
420 if (arg1 == 0)
421 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
422 break;
423#ifndef OPENSSL_NO_CMS
424 case ASN1_PKEY_CTRL_CMS_SIGN:
425 if (arg1 == 0)
426 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg);
427 break;
428
429 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
430 if (arg1 == 0)
431 CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
432 break;
433#endif
434
435 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
436 *(int *)arg2 = NID_sha1;
437 return 1;
438
439 default:
440 return -2;
441 }
442
443 if (alg)
444 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
445 V_ASN1_NULL, 0);
446
447 return 1;
448}
449
450/* Customised RSA item verification routine. This is called
451 * when a signature is encountered requiring special handling. We
452 * currently only handle PSS.
453 */
454static int
455rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
456 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
457{
458 int rv = -1;
459 int saltlen;
460 const EVP_MD *mgf1md = NULL, *md = NULL;
461 RSA_PSS_PARAMS *pss;
462 X509_ALGOR *maskHash;
463 EVP_PKEY_CTX *pkctx;
464
465 /* Sanity check: make sure it is PSS */
466 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
467 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
468 return -1;
469 }
470
471 /* Decode PSS parameters */
472 pss = rsa_pss_decode(sigalg, &maskHash);
473
474 if (pss == NULL) {
475 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS);
476 goto err;
477 }
478 /* Check mask and lookup mask hash algorithm */
479 if (pss->maskGenAlgorithm) {
480 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) {
481 RSAerr(RSA_F_RSA_ITEM_VERIFY,
482 RSA_R_UNSUPPORTED_MASK_ALGORITHM);
483 goto err;
484 }
485 if (!maskHash) {
486 RSAerr(RSA_F_RSA_ITEM_VERIFY,
487 RSA_R_UNSUPPORTED_MASK_PARAMETER);
488 goto err;
489 }
490 mgf1md = EVP_get_digestbyobj(maskHash->algorithm);
491 if (mgf1md == NULL) {
492 RSAerr(RSA_F_RSA_ITEM_VERIFY,
493 RSA_R_UNKNOWN_MASK_DIGEST);
494 goto err;
495 }
496 } else
497 mgf1md = EVP_sha1();
498
499 if (pss->hashAlgorithm) {
500 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm);
501 if (md == NULL) {
502 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST);
503 goto err;
504 }
505 } else
506 md = EVP_sha1();
507
508 if (pss->saltLength) {
509 saltlen = ASN1_INTEGER_get(pss->saltLength);
510
511 /* Could perform more salt length sanity checks but the main
512 * RSA routines will trap other invalid values anyway.
513 */
514 if (saltlen < 0) {
515 RSAerr(RSA_F_RSA_ITEM_VERIFY,
516 RSA_R_INVALID_SALT_LENGTH);
517 goto err;
518 }
519 } else
520 saltlen = 20;
521
522 /* low-level routines support only trailer field 0xbc (value 1)
523 * and PKCS#1 says we should reject any other value anyway.
524 */
525 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
526 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER);
527 goto err;
528 }
529
530 /* We have all parameters now set up context */
531
532 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
533 goto err;
534
535 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
536 goto err;
537
538 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
539 goto err;
540
541 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
542 goto err;
543 /* Carry on */
544 rv = 2;
545
546err:
547 RSA_PSS_PARAMS_free(pss);
548 if (maskHash)
549 X509_ALGOR_free(maskHash);
550 return rv;
551}
552
553static int
554rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
555 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
556{
557 int pad_mode;
558 EVP_PKEY_CTX *pkctx = ctx->pctx;
559
560 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
561 return 0;
562 if (pad_mode == RSA_PKCS1_PADDING)
563 return 2;
564 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
565 const EVP_MD *sigmd, *mgf1md;
566 RSA_PSS_PARAMS *pss = NULL;
567 X509_ALGOR *mgf1alg = NULL;
568 ASN1_STRING *os1 = NULL, *os2 = NULL;
569 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
570 int saltlen, rv = 0;
571
572 sigmd = EVP_MD_CTX_md(ctx);
573 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
574 goto err;
575 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
576 goto err;
577 if (saltlen == -1)
578 saltlen = EVP_MD_size(sigmd);
579 else if (saltlen == -2) {
580 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
581 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
582 saltlen--;
583 }
584 pss = RSA_PSS_PARAMS_new();
585 if (!pss)
586 goto err;
587 if (saltlen != 20) {
588 pss->saltLength = ASN1_INTEGER_new();
589 if (!pss->saltLength)
590 goto err;
591 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
592 goto err;
593 }
594 if (EVP_MD_type(sigmd) != NID_sha1) {
595 pss->hashAlgorithm = X509_ALGOR_new();
596 if (!pss->hashAlgorithm)
597 goto err;
598 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
599 }
600 if (EVP_MD_type(mgf1md) != NID_sha1) {
601 ASN1_STRING *stmp = NULL;
602 /* need to embed algorithm ID inside another */
603 mgf1alg = X509_ALGOR_new();
604 X509_ALGOR_set_md(mgf1alg, mgf1md);
605 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR),
606 &stmp))
607 goto err;
608 pss->maskGenAlgorithm = X509_ALGOR_new();
609 if (!pss->maskGenAlgorithm)
610 goto err;
611 X509_ALGOR_set0(pss->maskGenAlgorithm,
612 OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
613 }
614 /* Finally create string with pss parameter encoding. */
615 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1))
616 goto err;
617 if (alg2) {
618 os2 = ASN1_STRING_dup(os1);
619 if (!os2)
620 goto err;
621 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
622 V_ASN1_SEQUENCE, os2);
623 }
624 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
625 V_ASN1_SEQUENCE, os1);
626 os1 = os2 = NULL;
627 rv = 3;
628err:
629 if (mgf1alg)
630 X509_ALGOR_free(mgf1alg);
631 if (pss)
632 RSA_PSS_PARAMS_free(pss);
633 ASN1_STRING_free(os1);
634 return rv;
635 }
636 return 2;
637}
638
639const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
640 {
641 .pkey_id = EVP_PKEY_RSA,
642 .pkey_base_id = EVP_PKEY_RSA,
643 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
644
645 .pem_str = "RSA",
646 .info = "OpenSSL RSA method",
647
648 .pub_decode = rsa_pub_decode,
649 .pub_encode = rsa_pub_encode,
650 .pub_cmp = rsa_pub_cmp,
651 .pub_print = rsa_pub_print,
652
653 .priv_decode = rsa_priv_decode,
654 .priv_encode = rsa_priv_encode,
655 .priv_print = rsa_priv_print,
656
657 .pkey_size = int_rsa_size,
658 .pkey_bits = rsa_bits,
659
660 .sig_print = rsa_sig_print,
661
662 .pkey_free = int_rsa_free,
663 .pkey_ctrl = rsa_pkey_ctrl,
664 .old_priv_decode = old_rsa_priv_decode,
665 .old_priv_encode = old_rsa_priv_encode,
666 .item_verify = rsa_item_verify,
667 .item_sign = rsa_item_sign
668 },
669
670 {
671 .pkey_id = EVP_PKEY_RSA2,
672 .pkey_base_id = EVP_PKEY_RSA,
673 .pkey_flags = ASN1_PKEY_ALIAS
674 }
675};
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
deleted file mode 100644
index 27afdece00..0000000000
--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ /dev/null
@@ -1,308 +0,0 @@
1/* $OpenBSD: rsa_asn1.c,v 1.12 2015/02/14 15:06:55 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/asn1t.h>
62#include <openssl/bn.h>
63#include <openssl/rsa.h>
64#include <openssl/x509.h>
65
66/* Override the default free and new methods */
67static int
68rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
69{
70 if (operation == ASN1_OP_NEW_PRE) {
71 *pval = (ASN1_VALUE *)RSA_new();
72 if (*pval)
73 return 2;
74 return 0;
75 } else if (operation == ASN1_OP_FREE_PRE) {
76 RSA_free((RSA *)*pval);
77 *pval = NULL;
78 return 2;
79 }
80 return 1;
81}
82
83static const ASN1_AUX RSAPrivateKey_aux = {
84 .app_data = NULL,
85 .flags = 0,
86 .ref_offset = 0,
87 .ref_lock = 0,
88 .asn1_cb = rsa_cb,
89 .enc_offset = 0,
90};
91static const ASN1_TEMPLATE RSAPrivateKey_seq_tt[] = {
92 {
93 .flags = 0,
94 .tag = 0,
95 .offset = offsetof(RSA, version),
96 .field_name = "version",
97 .item = &LONG_it,
98 },
99 {
100 .flags = 0,
101 .tag = 0,
102 .offset = offsetof(RSA, n),
103 .field_name = "n",
104 .item = &BIGNUM_it,
105 },
106 {
107 .flags = 0,
108 .tag = 0,
109 .offset = offsetof(RSA, e),
110 .field_name = "e",
111 .item = &BIGNUM_it,
112 },
113 {
114 .flags = 0,
115 .tag = 0,
116 .offset = offsetof(RSA, d),
117 .field_name = "d",
118 .item = &BIGNUM_it,
119 },
120 {
121 .flags = 0,
122 .tag = 0,
123 .offset = offsetof(RSA, p),
124 .field_name = "p",
125 .item = &BIGNUM_it,
126 },
127 {
128 .flags = 0,
129 .tag = 0,
130 .offset = offsetof(RSA, q),
131 .field_name = "q",
132 .item = &BIGNUM_it,
133 },
134 {
135 .flags = 0,
136 .tag = 0,
137 .offset = offsetof(RSA, dmp1),
138 .field_name = "dmp1",
139 .item = &BIGNUM_it,
140 },
141 {
142 .flags = 0,
143 .tag = 0,
144 .offset = offsetof(RSA, dmq1),
145 .field_name = "dmq1",
146 .item = &BIGNUM_it,
147 },
148 {
149 .flags = 0,
150 .tag = 0,
151 .offset = offsetof(RSA, iqmp),
152 .field_name = "iqmp",
153 .item = &BIGNUM_it,
154 },
155};
156
157const ASN1_ITEM RSAPrivateKey_it = {
158 .itype = ASN1_ITYPE_SEQUENCE,
159 .utype = V_ASN1_SEQUENCE,
160 .templates = RSAPrivateKey_seq_tt,
161 .tcount = sizeof(RSAPrivateKey_seq_tt) / sizeof(ASN1_TEMPLATE),
162 .funcs = &RSAPrivateKey_aux,
163 .size = sizeof(RSA),
164 .sname = "RSA",
165};
166
167
168static const ASN1_AUX RSAPublicKey_aux = {
169 .app_data = NULL,
170 .flags = 0,
171 .ref_offset = 0,
172 .ref_lock = 0,
173 .asn1_cb = rsa_cb,
174 .enc_offset = 0,
175};
176static const ASN1_TEMPLATE RSAPublicKey_seq_tt[] = {
177 {
178 .flags = 0,
179 .tag = 0,
180 .offset = offsetof(RSA, n),
181 .field_name = "n",
182 .item = &BIGNUM_it,
183 },
184 {
185 .flags = 0,
186 .tag = 0,
187 .offset = offsetof(RSA, e),
188 .field_name = "e",
189 .item = &BIGNUM_it,
190 },
191};
192
193const ASN1_ITEM RSAPublicKey_it = {
194 .itype = ASN1_ITYPE_SEQUENCE,
195 .utype = V_ASN1_SEQUENCE,
196 .templates = RSAPublicKey_seq_tt,
197 .tcount = sizeof(RSAPublicKey_seq_tt) / sizeof(ASN1_TEMPLATE),
198 .funcs = &RSAPublicKey_aux,
199 .size = sizeof(RSA),
200 .sname = "RSA",
201};
202
203static const ASN1_TEMPLATE RSA_PSS_PARAMS_seq_tt[] = {
204 {
205 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
206 .tag = 0,
207 .offset = offsetof(RSA_PSS_PARAMS, hashAlgorithm),
208 .field_name = "hashAlgorithm",
209 .item = &X509_ALGOR_it,
210 },
211 {
212 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
213 .tag = 1,
214 .offset = offsetof(RSA_PSS_PARAMS, maskGenAlgorithm),
215 .field_name = "maskGenAlgorithm",
216 .item = &X509_ALGOR_it,
217 },
218 {
219 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
220 .tag = 2,
221 .offset = offsetof(RSA_PSS_PARAMS, saltLength),
222 .field_name = "saltLength",
223 .item = &ASN1_INTEGER_it,
224 },
225 {
226 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
227 .tag = 3,
228 .offset = offsetof(RSA_PSS_PARAMS, trailerField),
229 .field_name = "trailerField",
230 .item = &ASN1_INTEGER_it,
231 },
232};
233
234const ASN1_ITEM RSA_PSS_PARAMS_it = {
235 .itype = ASN1_ITYPE_SEQUENCE,
236 .utype = V_ASN1_SEQUENCE,
237 .templates = RSA_PSS_PARAMS_seq_tt,
238 .tcount = sizeof(RSA_PSS_PARAMS_seq_tt) / sizeof(ASN1_TEMPLATE),
239 .funcs = NULL,
240 .size = sizeof(RSA_PSS_PARAMS),
241 .sname = "RSA_PSS_PARAMS",
242};
243
244
245RSA_PSS_PARAMS *
246d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **a, const unsigned char **in, long len)
247{
248 return (RSA_PSS_PARAMS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
249 &RSA_PSS_PARAMS_it);
250}
251
252int
253i2d_RSA_PSS_PARAMS(RSA_PSS_PARAMS *a, unsigned char **out)
254{
255 return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSA_PSS_PARAMS_it);
256}
257
258RSA_PSS_PARAMS *
259RSA_PSS_PARAMS_new(void)
260{
261 return (RSA_PSS_PARAMS *)ASN1_item_new(&RSA_PSS_PARAMS_it);
262}
263
264void
265RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *a)
266{
267 ASN1_item_free((ASN1_VALUE *)a, &RSA_PSS_PARAMS_it);
268}
269
270
271RSA *
272d2i_RSAPrivateKey(RSA **a, const unsigned char **in, long len)
273{
274 return (RSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
275 &RSAPrivateKey_it);
276}
277
278int
279i2d_RSAPrivateKey(const RSA *a, unsigned char **out)
280{
281 return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSAPrivateKey_it);
282}
283
284
285RSA *
286d2i_RSAPublicKey(RSA **a, const unsigned char **in, long len)
287{
288 return (RSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
289 &RSAPublicKey_it);
290}
291
292int
293i2d_RSAPublicKey(const RSA *a, unsigned char **out)
294{
295 return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSAPublicKey_it);
296}
297
298RSA *
299RSAPublicKey_dup(RSA *rsa)
300{
301 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
302}
303
304RSA *
305RSAPrivateKey_dup(RSA *rsa)
306{
307 return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
308}
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
deleted file mode 100644
index c247a8d80e..0000000000
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ /dev/null
@@ -1,213 +0,0 @@
1/* $OpenBSD: rsa_chk.c,v 1.9 2014/07/10 07:43:11 jsing Exp $ */
2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 */
50
51#include <openssl/bn.h>
52#include <openssl/err.h>
53#include <openssl/rsa.h>
54
55int
56RSA_check_key(const RSA *key)
57{
58 BIGNUM *i, *j, *k, *l, *m;
59 BN_CTX *ctx;
60 int r;
61 int ret = 1;
62
63 if (!key->p || !key->q || !key->n || !key->e || !key->d) {
64 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
65 return 0;
66 }
67
68 i = BN_new();
69 j = BN_new();
70 k = BN_new();
71 l = BN_new();
72 m = BN_new();
73 ctx = BN_CTX_new();
74 if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL ||
75 ctx == NULL) {
76 ret = -1;
77 RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
78 goto err;
79 }
80
81 /* p prime? */
82 r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
83 if (r != 1) {
84 ret = r;
85 if (r != 0)
86 goto err;
87 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
88 }
89
90 /* q prime? */
91 r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
92 if (r != 1) {
93 ret = r;
94 if (r != 0)
95 goto err;
96 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
97 }
98
99 /* n = p*q? */
100 r = BN_mul(i, key->p, key->q, ctx);
101 if (!r) {
102 ret = -1;
103 goto err;
104 }
105
106 if (BN_cmp(i, key->n) != 0) {
107 ret = 0;
108 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
109 }
110
111 /* d*e = 1 mod lcm(p-1,q-1)? */
112
113 r = BN_sub(i, key->p, BN_value_one());
114 if (!r) {
115 ret = -1;
116 goto err;
117 }
118 r = BN_sub(j, key->q, BN_value_one());
119 if (!r) {
120 ret = -1;
121 goto err;
122 }
123
124 /* now compute k = lcm(i,j) */
125 r = BN_mul(l, i, j, ctx);
126 if (!r) {
127 ret = -1;
128 goto err;
129 }
130 r = BN_gcd(m, i, j, ctx);
131 if (!r) {
132 ret = -1;
133 goto err;
134 }
135 r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
136 if (!r) {
137 ret = -1;
138 goto err;
139 }
140
141 r = BN_mod_mul(i, key->d, key->e, k, ctx);
142 if (!r) {
143 ret = -1;
144 goto err;
145 }
146
147 if (!BN_is_one(i)) {
148 ret = 0;
149 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
150 }
151
152 if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
153 /* dmp1 = d mod (p-1)? */
154 r = BN_sub(i, key->p, BN_value_one());
155 if (!r) {
156 ret = -1;
157 goto err;
158 }
159
160 r = BN_mod(j, key->d, i, ctx);
161 if (!r) {
162 ret = -1;
163 goto err;
164 }
165
166 if (BN_cmp(j, key->dmp1) != 0) {
167 ret = 0;
168 RSAerr(RSA_F_RSA_CHECK_KEY,
169 RSA_R_DMP1_NOT_CONGRUENT_TO_D);
170 }
171
172 /* dmq1 = d mod (q-1)? */
173 r = BN_sub(i, key->q, BN_value_one());
174 if (!r) {
175 ret = -1;
176 goto err;
177 }
178
179 r = BN_mod(j, key->d, i, ctx);
180 if (!r) {
181 ret = -1;
182 goto err;
183 }
184
185 if (BN_cmp(j, key->dmq1) != 0) {
186 ret = 0;
187 RSAerr(RSA_F_RSA_CHECK_KEY,
188 RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
189 }
190
191 /* iqmp = q^-1 mod p? */
192 if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
193 ret = -1;
194 goto err;
195 }
196
197 if (BN_cmp(i, key->iqmp) != 0) {
198 ret = 0;
199 RSAerr(RSA_F_RSA_CHECK_KEY,
200 RSA_R_IQMP_NOT_INVERSE_OF_Q);
201 }
202 }
203
204err:
205 BN_free(i);
206 BN_free(j);
207 BN_free(k);
208 BN_free(l);
209 BN_free(m);
210 BN_CTX_free(ctx);
211
212 return (ret);
213}
diff --git a/src/lib/libcrypto/rsa/rsa_crpt.c b/src/lib/libcrypto/rsa/rsa_crpt.c
deleted file mode 100644
index 809dd14c92..0000000000
--- a/src/lib/libcrypto/rsa/rsa_crpt.c
+++ /dev/null
@@ -1,217 +0,0 @@
1/* $OpenBSD: rsa_crpt.c,v 1.14 2015/02/11 03:19:37 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60
61#include <openssl/opensslconf.h>
62
63#include <openssl/bn.h>
64#include <openssl/crypto.h>
65#include <openssl/err.h>
66#include <openssl/lhash.h>
67#include <openssl/rsa.h>
68
69#ifndef OPENSSL_NO_ENGINE
70#include <openssl/engine.h>
71#endif
72
73int
74RSA_size(const RSA *r)
75{
76 return BN_num_bytes(r->n);
77}
78
79int
80RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
81 RSA *rsa, int padding)
82{
83 return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
84}
85
86int
87RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
88 RSA *rsa, int padding)
89{
90 return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
91}
92
93int
94RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
95 RSA *rsa, int padding)
96{
97 return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
98}
99
100int
101RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
102 RSA *rsa, int padding)
103{
104 return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
105}
106
107int
108RSA_flags(const RSA *r)
109{
110 return r == NULL ? 0 : r->meth->flags;
111}
112
113void
114RSA_blinding_off(RSA *rsa)
115{
116 BN_BLINDING_free(rsa->blinding);
117 rsa->blinding = NULL;
118 rsa->flags |= RSA_FLAG_NO_BLINDING;
119}
120
121int
122RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
123{
124 int ret = 0;
125
126 if (rsa->blinding != NULL)
127 RSA_blinding_off(rsa);
128
129 rsa->blinding = RSA_setup_blinding(rsa, ctx);
130 if (rsa->blinding == NULL)
131 goto err;
132
133 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
134 ret = 1;
135err:
136 return (ret);
137}
138
139static BIGNUM *
140rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, const BIGNUM *q,
141 BN_CTX *ctx)
142{
143 BIGNUM *ret = NULL, *r0, *r1, *r2;
144
145 if (d == NULL || p == NULL || q == NULL)
146 return NULL;
147
148 BN_CTX_start(ctx);
149 if ((r0 = BN_CTX_get(ctx)) == NULL)
150 goto err;
151 if ((r1 = BN_CTX_get(ctx)) == NULL)
152 goto err;
153 if ((r2 = BN_CTX_get(ctx)) == NULL)
154 goto err;
155
156 if (!BN_sub(r1, p, BN_value_one()))
157 goto err;
158 if (!BN_sub(r2, q, BN_value_one()))
159 goto err;
160 if (!BN_mul(r0, r1, r2, ctx))
161 goto err;
162
163 ret = BN_mod_inverse(NULL, d, r0, ctx);
164err:
165 BN_CTX_end(ctx);
166 return ret;
167}
168
169BN_BLINDING *
170RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
171{
172 BIGNUM local_n;
173 BIGNUM *e, *n;
174 BN_CTX *ctx;
175 BN_BLINDING *ret = NULL;
176
177 if (in_ctx == NULL) {
178 if ((ctx = BN_CTX_new()) == NULL)
179 return 0;
180 } else
181 ctx = in_ctx;
182
183 BN_CTX_start(ctx);
184
185 if (rsa->e == NULL) {
186 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
187 if (e == NULL) {
188 RSAerr(RSA_F_RSA_SETUP_BLINDING,
189 RSA_R_NO_PUBLIC_EXPONENT);
190 goto err;
191 }
192 } else
193 e = rsa->e;
194
195 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
196 /* Set BN_FLG_CONSTTIME flag */
197 n = &local_n;
198 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
199 } else
200 n = rsa->n;
201
202 ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
203 rsa->_method_mod_n);
204 if (ret == NULL) {
205 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
206 goto err;
207 }
208 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
209err:
210 BN_CTX_end(ctx);
211 if (in_ctx == NULL)
212 BN_CTX_free(ctx);
213 if (rsa->e == NULL)
214 BN_free(e);
215
216 return ret;
217}
diff --git a/src/lib/libcrypto/rsa/rsa_depr.c b/src/lib/libcrypto/rsa/rsa_depr.c
deleted file mode 100644
index b830a2293c..0000000000
--- a/src/lib/libcrypto/rsa/rsa_depr.c
+++ /dev/null
@@ -1,101 +0,0 @@
1/* $OpenBSD: rsa_depr.c,v 1.8 2014/07/11 08:44:49 jsing Exp $ */
2/* ====================================================================
3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NB: This file contains deprecated functions (compatibility wrappers to the
57 * "new" versions). */
58
59#include <stdio.h>
60#include <time.h>
61
62#include <openssl/opensslconf.h>
63
64#include <openssl/bn.h>
65#include <openssl/rsa.h>
66
67#ifndef OPENSSL_NO_DEPRECATED
68
69RSA *
70RSA_generate_key(int bits, unsigned long e_value,
71 void (*callback)(int, int, void *), void *cb_arg)
72{
73 BN_GENCB cb;
74 int i;
75 RSA *rsa = RSA_new();
76 BIGNUM *e = BN_new();
77
78 if (!rsa || !e)
79 goto err;
80
81 /* The problem is when building with 8, 16, or 32 BN_ULONG,
82 * unsigned long can be larger */
83 for (i = 0; i < (int)sizeof(unsigned long) * 8; i++) {
84 if (e_value & (1UL << i))
85 if (BN_set_bit(e, i) == 0)
86 goto err;
87 }
88
89 BN_GENCB_set_old(&cb, callback, cb_arg);
90
91 if (RSA_generate_key_ex(rsa, bits, e, &cb)) {
92 BN_free(e);
93 return rsa;
94 }
95err:
96 BN_free(e);
97 RSA_free(rsa);
98
99 return 0;
100}
101#endif
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
deleted file mode 100644
index 940964cac3..0000000000
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ /dev/null
@@ -1,912 +0,0 @@
1/* $OpenBSD: rsa_eay.c,v 1.39 2015/06/13 08:38:10 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <stdio.h>
113
114#include <openssl/opensslconf.h>
115
116#include <openssl/bn.h>
117#include <openssl/err.h>
118#include <openssl/rsa.h>
119
120static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121 unsigned char *to, RSA *rsa, int padding);
122static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
123 unsigned char *to, RSA *rsa, int padding);
124static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125 unsigned char *to, RSA *rsa, int padding);
126static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127 unsigned char *to, RSA *rsa, int padding);
128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
129static int RSA_eay_init(RSA *rsa);
130static int RSA_eay_finish(RSA *rsa);
131
132static RSA_METHOD rsa_pkcs1_eay_meth = {
133 .name = "Eric Young's PKCS#1 RSA",
134 .rsa_pub_enc = RSA_eay_public_encrypt,
135 .rsa_pub_dec = RSA_eay_public_decrypt, /* signature verification */
136 .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */
137 .rsa_priv_dec = RSA_eay_private_decrypt,
138 .rsa_mod_exp = RSA_eay_mod_exp,
139 .bn_mod_exp = BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
140 .init = RSA_eay_init,
141 .finish = RSA_eay_finish,
142};
143
144const RSA_METHOD *
145RSA_PKCS1_SSLeay(void)
146{
147 return &rsa_pkcs1_eay_meth;
148}
149
150static int
151RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
152 RSA *rsa, int padding)
153{
154 BIGNUM *f, *ret;
155 int i, j, k, num = 0, r = -1;
156 unsigned char *buf = NULL;
157 BN_CTX *ctx = NULL;
158
159 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
160 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
161 return -1;
162 }
163
164 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
165 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
166 return -1;
167 }
168
169 /* for large moduli, enforce exponent limit */
170 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
171 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
172 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
173 return -1;
174 }
175 }
176
177 if ((ctx = BN_CTX_new()) == NULL)
178 goto err;
179 BN_CTX_start(ctx);
180 f = BN_CTX_get(ctx);
181 ret = BN_CTX_get(ctx);
182 num = BN_num_bytes(rsa->n);
183 buf = malloc(num);
184 if (f == NULL || ret == NULL || buf == NULL) {
185 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
186 goto err;
187 }
188
189 switch (padding) {
190 case RSA_PKCS1_PADDING:
191 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
192 break;
193#ifndef OPENSSL_NO_SHA
194 case RSA_PKCS1_OAEP_PADDING:
195 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
196 break;
197#endif
198 case RSA_SSLV23_PADDING:
199 i = RSA_padding_add_SSLv23(buf, num, from, flen);
200 break;
201 case RSA_NO_PADDING:
202 i = RSA_padding_add_none(buf, num, from, flen);
203 break;
204 default:
205 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
206 RSA_R_UNKNOWN_PADDING_TYPE);
207 goto err;
208 }
209 if (i <= 0)
210 goto err;
211
212 if (BN_bin2bn(buf, num, f) == NULL)
213 goto err;
214
215 if (BN_ucmp(f, rsa->n) >= 0) {
216 /* usually the padding functions would catch this */
217 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
218 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
219 goto err;
220 }
221
222 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
223 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
224 CRYPTO_LOCK_RSA, rsa->n, ctx))
225 goto err;
226
227 if (!rsa->meth->bn_mod_exp(ret, f,rsa->e, rsa->n, ctx,
228 rsa->_method_mod_n))
229 goto err;
230
231 /* put in leading 0 bytes if the number is less than the
232 * length of the modulus */
233 j = BN_num_bytes(ret);
234 i = BN_bn2bin(ret, &(to[num - j]));
235 for (k = 0; k < num - i; k++)
236 to[k] = 0;
237
238 r = num;
239err:
240 if (ctx != NULL) {
241 BN_CTX_end(ctx);
242 BN_CTX_free(ctx);
243 }
244 if (buf != NULL) {
245 OPENSSL_cleanse(buf, num);
246 free(buf);
247 }
248 return r;
249}
250
251static BN_BLINDING *
252rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
253{
254 BN_BLINDING *ret;
255 int got_write_lock = 0;
256 CRYPTO_THREADID cur;
257
258 CRYPTO_r_lock(CRYPTO_LOCK_RSA);
259
260 if (rsa->blinding == NULL) {
261 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
262 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
263 got_write_lock = 1;
264
265 if (rsa->blinding == NULL)
266 rsa->blinding = RSA_setup_blinding(rsa, ctx);
267 }
268
269 ret = rsa->blinding;
270 if (ret == NULL)
271 goto err;
272
273 CRYPTO_THREADID_current(&cur);
274 if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
275 /* rsa->blinding is ours! */
276 *local = 1;
277 } else {
278 /* resort to rsa->mt_blinding instead */
279 /*
280 * Instruct rsa_blinding_convert(), rsa_blinding_invert()
281 * that the BN_BLINDING is shared, meaning that accesses
282 * require locks, and that the blinding factor must be
283 * stored outside the BN_BLINDING
284 */
285 *local = 0;
286
287 if (rsa->mt_blinding == NULL) {
288 if (!got_write_lock) {
289 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
290 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
291 got_write_lock = 1;
292 }
293
294 if (rsa->mt_blinding == NULL)
295 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
296 }
297 ret = rsa->mt_blinding;
298 }
299
300err:
301 if (got_write_lock)
302 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
303 else
304 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
305 return ret;
306}
307
308static int
309rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
310{
311 if (unblind == NULL)
312 /*
313 * Local blinding: store the unblinding factor
314 * in BN_BLINDING.
315 */
316 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
317 else {
318 /*
319 * Shared blinding: store the unblinding factor
320 * outside BN_BLINDING.
321 */
322 int ret;
323 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
324 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
325 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
326 return ret;
327 }
328}
329
330static int
331rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, BN_CTX *ctx)
332{
333 /*
334 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
335 * will use the unblinding factor stored in BN_BLINDING.
336 * If BN_BLINDING is shared between threads, unblind must be non-null:
337 * BN_BLINDING_invert_ex will then use the local unblinding factor,
338 * and will only read the modulus from BN_BLINDING.
339 * In both cases it's safe to access the blinding without a lock.
340 */
341 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
342}
343
344/* signing */
345static int
346RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
347 RSA *rsa, int padding)
348{
349 BIGNUM *f, *ret, *res;
350 int i, j, k, num = 0, r = -1;
351 unsigned char *buf = NULL;
352 BN_CTX *ctx = NULL;
353 int local_blinding = 0;
354 /*
355 * Used only if the blinding structure is shared. A non-NULL unblind
356 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
357 * the unblinding factor outside the blinding structure.
358 */
359 BIGNUM *unblind = NULL;
360 BN_BLINDING *blinding = NULL;
361
362 if ((ctx = BN_CTX_new()) == NULL)
363 goto err;
364 BN_CTX_start(ctx);
365 f = BN_CTX_get(ctx);
366 ret = BN_CTX_get(ctx);
367 num = BN_num_bytes(rsa->n);
368 buf = malloc(num);
369 if (f == NULL || ret == NULL || buf == NULL) {
370 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
371 goto err;
372 }
373
374 switch (padding) {
375 case RSA_PKCS1_PADDING:
376 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
377 break;
378 case RSA_X931_PADDING:
379 i = RSA_padding_add_X931(buf, num, from, flen);
380 break;
381 case RSA_NO_PADDING:
382 i = RSA_padding_add_none(buf, num, from, flen);
383 break;
384 case RSA_SSLV23_PADDING:
385 default:
386 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
387 RSA_R_UNKNOWN_PADDING_TYPE);
388 goto err;
389 }
390 if (i <= 0)
391 goto err;
392
393 if (BN_bin2bn(buf, num, f) == NULL)
394 goto err;
395
396 if (BN_ucmp(f, rsa->n) >= 0) {
397 /* usually the padding functions would catch this */
398 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
399 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
400 goto err;
401 }
402
403 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
404 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
405 if (blinding == NULL) {
406 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
407 ERR_R_INTERNAL_ERROR);
408 goto err;
409 }
410 }
411
412 if (blinding != NULL) {
413 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
414 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
415 ERR_R_MALLOC_FAILURE);
416 goto err;
417 }
418 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
419 goto err;
420 }
421
422 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
423 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
424 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
425 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
426 goto err;
427 } else {
428 BIGNUM local_d;
429 BIGNUM *d = NULL;
430
431 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
432 BN_init(&local_d);
433 d = &local_d;
434 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
435 } else
436 d = rsa->d;
437
438 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
439 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
440 CRYPTO_LOCK_RSA, rsa->n, ctx))
441 goto err;
442
443 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
444 rsa->_method_mod_n))
445 goto err;
446 }
447
448 if (blinding)
449 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
450 goto err;
451
452 if (padding == RSA_X931_PADDING) {
453 BN_sub(f, rsa->n, ret);
454 if (BN_cmp(ret, f) > 0)
455 res = f;
456 else
457 res = ret;
458 } else
459 res = ret;
460
461 /* put in leading 0 bytes if the number is less than the
462 * length of the modulus */
463 j = BN_num_bytes(res);
464 i = BN_bn2bin(res, &(to[num - j]));
465 for (k = 0; k < num - i; k++)
466 to[k] = 0;
467
468 r = num;
469err:
470 if (ctx != NULL) {
471 BN_CTX_end(ctx);
472 BN_CTX_free(ctx);
473 }
474 if (buf != NULL) {
475 OPENSSL_cleanse(buf, num);
476 free(buf);
477 }
478 return r;
479}
480
481static int
482RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
483 RSA *rsa, int padding)
484{
485 BIGNUM *f, *ret;
486 int j, num = 0, r = -1;
487 unsigned char *p;
488 unsigned char *buf = NULL;
489 BN_CTX *ctx = NULL;
490 int local_blinding = 0;
491 /*
492 * Used only if the blinding structure is shared. A non-NULL unblind
493 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
494 * the unblinding factor outside the blinding structure.
495 */
496 BIGNUM *unblind = NULL;
497 BN_BLINDING *blinding = NULL;
498
499 if ((ctx = BN_CTX_new()) == NULL)
500 goto err;
501 BN_CTX_start(ctx);
502 f = BN_CTX_get(ctx);
503 ret = BN_CTX_get(ctx);
504 num = BN_num_bytes(rsa->n);
505 buf = malloc(num);
506 if (!f || !ret || !buf) {
507 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
508 goto err;
509 }
510
511 /* This check was for equality but PGP does evil things
512 * and chops off the top '0' bytes */
513 if (flen > num) {
514 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
515 RSA_R_DATA_GREATER_THAN_MOD_LEN);
516 goto err;
517 }
518
519 /* make data into a big number */
520 if (BN_bin2bn(from, (int)flen, f) == NULL)
521 goto err;
522
523 if (BN_ucmp(f, rsa->n) >= 0) {
524 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
525 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
526 goto err;
527 }
528
529 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
530 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
531 if (blinding == NULL) {
532 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
533 ERR_R_INTERNAL_ERROR);
534 goto err;
535 }
536 }
537
538 if (blinding != NULL) {
539 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
540 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
541 ERR_R_MALLOC_FAILURE);
542 goto err;
543 }
544 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
545 goto err;
546 }
547
548 /* do the decrypt */
549 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
550 (rsa->p != NULL && rsa->q != NULL && rsa->dmp1 != NULL &&
551 rsa->dmq1 != NULL && rsa->iqmp != NULL)) {
552 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
553 goto err;
554 } else {
555 BIGNUM local_d;
556 BIGNUM *d = NULL;
557
558 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
559 d = &local_d;
560 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
561 } else
562 d = rsa->d;
563
564 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
565 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
566 CRYPTO_LOCK_RSA, rsa->n, ctx))
567 goto err;
568 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
569 rsa->_method_mod_n))
570 goto err;
571 }
572
573 if (blinding)
574 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
575 goto err;
576
577 p = buf;
578 j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
579
580 switch (padding) {
581 case RSA_PKCS1_PADDING:
582 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
583 break;
584#ifndef OPENSSL_NO_SHA
585 case RSA_PKCS1_OAEP_PADDING:
586 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
587 break;
588#endif
589 case RSA_SSLV23_PADDING:
590 r = RSA_padding_check_SSLv23(to, num, buf, j, num);
591 break;
592 case RSA_NO_PADDING:
593 r = RSA_padding_check_none(to, num, buf, j, num);
594 break;
595 default:
596 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
597 RSA_R_UNKNOWN_PADDING_TYPE);
598 goto err;
599 }
600 if (r < 0)
601 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
602 RSA_R_PADDING_CHECK_FAILED);
603
604err:
605 if (ctx != NULL) {
606 BN_CTX_end(ctx);
607 BN_CTX_free(ctx);
608 }
609 if (buf != NULL) {
610 OPENSSL_cleanse(buf, num);
611 free(buf);
612 }
613 return r;
614}
615
616/* signature verification */
617static int
618RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
619 RSA *rsa, int padding)
620{
621 BIGNUM *f, *ret;
622 int i, num = 0, r = -1;
623 unsigned char *p;
624 unsigned char *buf = NULL;
625 BN_CTX *ctx = NULL;
626
627 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
628 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
629 return -1;
630 }
631
632 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
633 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
634 return -1;
635 }
636
637 /* for large moduli, enforce exponent limit */
638 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
639 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
640 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
641 return -1;
642 }
643 }
644
645 if ((ctx = BN_CTX_new()) == NULL)
646 goto err;
647 BN_CTX_start(ctx);
648 f = BN_CTX_get(ctx);
649 ret = BN_CTX_get(ctx);
650 num = BN_num_bytes(rsa->n);
651 buf = malloc(num);
652 if (!f || !ret || !buf) {
653 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
654 goto err;
655 }
656
657 /* This check was for equality but PGP does evil things
658 * and chops off the top '0' bytes */
659 if (flen > num) {
660 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
661 RSA_R_DATA_GREATER_THAN_MOD_LEN);
662 goto err;
663 }
664
665 if (BN_bin2bn(from, flen, f) == NULL)
666 goto err;
667
668 if (BN_ucmp(f, rsa->n) >= 0) {
669 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
670 RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
671 goto err;
672 }
673
674 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
675 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
676 CRYPTO_LOCK_RSA, rsa->n, ctx))
677 goto err;
678
679 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
680 rsa->_method_mod_n))
681 goto err;
682
683 if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
684 if (!BN_sub(ret, rsa->n, ret))
685 goto err;
686
687 p = buf;
688 i = BN_bn2bin(ret, p);
689
690 switch (padding) {
691 case RSA_PKCS1_PADDING:
692 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
693 break;
694 case RSA_X931_PADDING:
695 r = RSA_padding_check_X931(to, num, buf, i, num);
696 break;
697 case RSA_NO_PADDING:
698 r = RSA_padding_check_none(to, num, buf, i, num);
699 break;
700 default:
701 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
702 RSA_R_UNKNOWN_PADDING_TYPE);
703 goto err;
704 }
705 if (r < 0)
706 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
707 RSA_R_PADDING_CHECK_FAILED);
708
709err:
710 if (ctx != NULL) {
711 BN_CTX_end(ctx);
712 BN_CTX_free(ctx);
713 }
714 if (buf != NULL) {
715 OPENSSL_cleanse(buf, num);
716 free(buf);
717 }
718 return r;
719}
720
721static int
722RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
723{
724 BIGNUM *r1, *m1, *vrfy;
725 BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
726 BIGNUM *dmp1, *dmq1, *c, *pr1;
727 int ret = 0;
728
729 BN_CTX_start(ctx);
730 r1 = BN_CTX_get(ctx);
731 m1 = BN_CTX_get(ctx);
732 vrfy = BN_CTX_get(ctx);
733 if (r1 == NULL || m1 == NULL || vrfy == NULL) {
734 RSAerr(RSA_F_RSA_EAY_MOD_EXP, ERR_R_MALLOC_FAILURE);
735 goto err;
736 }
737
738 {
739 BIGNUM local_p, local_q;
740 BIGNUM *p = NULL, *q = NULL;
741
742 /*
743 * Make sure BN_mod_inverse in Montgomery intialization uses the
744 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
745 */
746 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
747 BN_init(&local_p);
748 p = &local_p;
749 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
750
751 BN_init(&local_q);
752 q = &local_q;
753 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
754 } else {
755 p = rsa->p;
756 q = rsa->q;
757 }
758
759 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
760 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
761 CRYPTO_LOCK_RSA, p, ctx))
762 goto err;
763 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
764 CRYPTO_LOCK_RSA, q, ctx))
765 goto err;
766 }
767 }
768
769 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
770 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
771 CRYPTO_LOCK_RSA, rsa->n, ctx))
772 goto err;
773
774 /* compute I mod q */
775 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
776 c = &local_c;
777 BN_with_flags(c, I, BN_FLG_CONSTTIME);
778 if (!BN_mod(r1, c, rsa->q, ctx))
779 goto err;
780 } else {
781 if (!BN_mod(r1, I, rsa->q, ctx))
782 goto err;
783 }
784
785 /* compute r1^dmq1 mod q */
786 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
787 dmq1 = &local_dmq1;
788 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
789 } else
790 dmq1 = rsa->dmq1;
791 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
792 rsa->_method_mod_q))
793 goto err;
794
795 /* compute I mod p */
796 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
797 c = &local_c;
798 BN_with_flags(c, I, BN_FLG_CONSTTIME);
799 if (!BN_mod(r1, c, rsa->p, ctx))
800 goto err;
801 } else {
802 if (!BN_mod(r1, I, rsa->p, ctx))
803 goto err;
804 }
805
806 /* compute r1^dmp1 mod p */
807 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
808 dmp1 = &local_dmp1;
809 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
810 } else
811 dmp1 = rsa->dmp1;
812 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
813 rsa->_method_mod_p))
814 goto err;
815
816 if (!BN_sub(r0, r0, m1))
817 goto err;
818 /*
819 * This will help stop the size of r0 increasing, which does
820 * affect the multiply if it optimised for a power of 2 size
821 */
822 if (BN_is_negative(r0))
823 if (!BN_add(r0, r0, rsa->p))
824 goto err;
825
826 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
827 goto err;
828
829 /* Turn BN_FLG_CONSTTIME flag on before division operation */
830 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
831 pr1 = &local_r1;
832 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
833 } else
834 pr1 = r1;
835 if (!BN_mod(r0, pr1, rsa->p, ctx))
836 goto err;
837
838 /*
839 * If p < q it is occasionally possible for the correction of
840 * adding 'p' if r0 is negative above to leave the result still
841 * negative. This can break the private key operations: the following
842 * second correction should *always* correct this rare occurrence.
843 * This will *never* happen with OpenSSL generated keys because
844 * they ensure p > q [steve]
845 */
846 if (BN_is_negative(r0))
847 if (!BN_add(r0, r0, rsa->p))
848 goto err;
849 if (!BN_mul(r1, r0, rsa->q, ctx))
850 goto err;
851 if (!BN_add(r0, r1, m1))
852 goto err;
853
854 if (rsa->e && rsa->n) {
855 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
856 rsa->_method_mod_n))
857 goto err;
858 /*
859 * If 'I' was greater than (or equal to) rsa->n, the operation
860 * will be equivalent to using 'I mod n'. However, the result of
861 * the verify will *always* be less than 'n' so we don't check
862 * for absolute equality, just congruency.
863 */
864 if (!BN_sub(vrfy, vrfy, I))
865 goto err;
866 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
867 goto err;
868 if (BN_is_negative(vrfy))
869 if (!BN_add(vrfy, vrfy, rsa->n))
870 goto err;
871 if (!BN_is_zero(vrfy)) {
872 /*
873 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
874 * miscalculated CRT output, just do a raw (slower)
875 * mod_exp and return that instead.
876 */
877
878 BIGNUM local_d;
879 BIGNUM *d = NULL;
880
881 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
882 d = &local_d;
883 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
884 } else
885 d = rsa->d;
886 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
887 rsa->_method_mod_n))
888 goto err;
889 }
890 }
891 ret = 1;
892err:
893 BN_CTX_end(ctx);
894 return ret;
895}
896
897static int
898RSA_eay_init(RSA *rsa)
899{
900 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
901 return 1;
902}
903
904static int
905RSA_eay_finish(RSA *rsa)
906{
907 BN_MONT_CTX_free(rsa->_method_mod_n);
908 BN_MONT_CTX_free(rsa->_method_mod_p);
909 BN_MONT_CTX_free(rsa->_method_mod_q);
910
911 return 1;
912}
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
deleted file mode 100644
index 81622c6099..0000000000
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ /dev/null
@@ -1,210 +0,0 @@
1/* $OpenBSD: rsa_err.c,v 1.16 2015/02/15 14:35:30 miod Exp $ */
2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62
63#include <openssl/opensslconf.h>
64
65#include <openssl/err.h>
66#include <openssl/rsa.h>
67
68/* BEGIN ERROR CODES */
69#ifndef OPENSSL_NO_ERR
70
71#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
72#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
73
74static ERR_STRING_DATA RSA_str_functs[] = {
75 {ERR_FUNC(RSA_F_CHECK_PADDING_MD), "CHECK_PADDING_MD"},
76 {ERR_FUNC(RSA_F_DO_RSA_PRINT), "DO_RSA_PRINT"},
77 {ERR_FUNC(RSA_F_INT_RSA_VERIFY), "INT_RSA_VERIFY"},
78 {ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
79 {ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "OLD_RSA_PRIV_DECODE"},
80 {ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"},
81 {ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"},
82 {ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"},
83 {ERR_FUNC(RSA_F_PKEY_RSA_VERIFY), "PKEY_RSA_VERIFY"},
84 {ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"},
85 {ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
86 {ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
87 {ERR_FUNC(RSA_F_RSA_EAY_MOD_EXP), "RSA_EAY_MOD_EXP"},
88 {ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
89 {ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
90 {ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
91 {ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
92 {ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
93 {ERR_FUNC(RSA_F_RSA_GENERATE_KEY_EX), "RSA_generate_key_ex"},
94 {ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "RSA_ITEM_VERIFY"},
95 {ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
96 {ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
97 {ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
98 {ERR_FUNC(RSA_F_RSA_NULL_MOD_EXP), "RSA_NULL_MOD_EXP"},
99 {ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT), "RSA_NULL_PRIVATE_DECRYPT"},
100 {ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT), "RSA_NULL_PRIVATE_ENCRYPT"},
101 {ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT), "RSA_NULL_PUBLIC_DECRYPT"},
102 {ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT), "RSA_NULL_PUBLIC_ENCRYPT"},
103 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
104 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
105 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
106 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1), "RSA_padding_add_PKCS1_PSS_mgf1"},
107 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
108 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
109 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
110 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931), "RSA_padding_add_X931"},
111 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE), "RSA_padding_check_none"},
112 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP), "RSA_padding_check_PKCS1_OAEP"},
113 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1), "RSA_padding_check_PKCS1_type_1"},
114 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2), "RSA_padding_check_PKCS1_type_2"},
115 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"},
116 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
117 {ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
118 {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
119 {ERR_FUNC(RSA_F_RSA_PRIVATE_DECRYPT), "RSA_private_decrypt"},
120 {ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"},
121 {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
122 {ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"},
123 {ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"},
124 {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
125 {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
126 {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
127 {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
128 {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
129 {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
130 {ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
131 {ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
132 {ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1), "RSA_verify_PKCS1_PSS_mgf1"},
133 {0, NULL}
134};
135
136static ERR_STRING_DATA RSA_str_reasons[] = {
137 {ERR_REASON(RSA_R_ALGORITHM_MISMATCH) , "algorithm mismatch"},
138 {ERR_REASON(RSA_R_BAD_E_VALUE) , "bad e value"},
139 {ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT), "bad fixed header decrypt"},
140 {ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) , "bad pad byte count"},
141 {ERR_REASON(RSA_R_BAD_SIGNATURE) , "bad signature"},
142 {ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01) , "block type is not 01"},
143 {ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02) , "block type is not 02"},
144 {ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN), "data greater than mod len"},
145 {ERR_REASON(RSA_R_DATA_TOO_LARGE) , "data too large"},
146 {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE), "data too large for key size"},
147 {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS), "data too large for modulus"},
148 {ERR_REASON(RSA_R_DATA_TOO_SMALL) , "data too small"},
149 {ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE), "data too small for key size"},
150 {ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY), "digest too big for rsa key"},
151 {ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D), "dmp1 not congruent to d"},
152 {ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D), "dmq1 not congruent to d"},
153 {ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1), "d e not congruent to 1"},
154 {ERR_REASON(RSA_R_FIRST_OCTET_INVALID) , "first octet invalid"},
155 {ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "illegal or unsupported padding mode"},
156 {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"},
157 {ERR_REASON(RSA_R_INVALID_HEADER) , "invalid header"},
158 {ERR_REASON(RSA_R_INVALID_KEYBITS) , "invalid keybits"},
159 {ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH), "invalid message length"},
160 {ERR_REASON(RSA_R_INVALID_MGF1_MD) , "invalid mgf1 md"},
161 {ERR_REASON(RSA_R_INVALID_PADDING) , "invalid padding"},
162 {ERR_REASON(RSA_R_INVALID_PADDING_MODE) , "invalid padding mode"},
163 {ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS), "invalid pss parameters"},
164 {ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) , "invalid pss saltlen"},
165 {ERR_REASON(RSA_R_INVALID_SALT_LENGTH) , "invalid salt length"},
166 {ERR_REASON(RSA_R_INVALID_TRAILER) , "invalid trailer"},
167 {ERR_REASON(RSA_R_INVALID_X931_DIGEST) , "invalid x931 digest"},
168 {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) , "iqmp not inverse of q"},
169 {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) , "key size too small"},
170 {ERR_REASON(RSA_R_LAST_OCTET_INVALID) , "last octet invalid"},
171 {ERR_REASON(RSA_R_MODULUS_TOO_LARGE) , "modulus too large"},
172 {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) , "non fips rsa method"},
173 {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) , "no public exponent"},
174 {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING), "null before block missing"},
175 {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) , "n does not equal p q"},
176 {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) , "oaep decoding error"},
177 {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), "operation not allowed in fips mode"},
178 {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"},
179 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) , "padding check failed"},
180 {ERR_REASON(RSA_R_P_NOT_PRIME) , "p not prime"},
181 {ERR_REASON(RSA_R_Q_NOT_PRIME) , "q not prime"},
182 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED), "rsa operations not supported"},
183 {ERR_REASON(RSA_R_SLEN_CHECK_FAILED) , "salt length check failed"},
184 {ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) , "salt length recovery failed"},
185 {ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) , "sslv3 rollback attack"},
186 {ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "the asn1 object identifier is not known for this md"},
187 {ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE), "unknown algorithm type"},
188 {ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) , "unknown mask digest"},
189 {ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) , "unknown padding type"},
190 {ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) , "unknown pss digest"},
191 {ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM), "unsupported mask algorithm"},
192 {ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"},
193 {ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"},
194 {ERR_REASON(RSA_R_VALUE_MISSING) , "value missing"},
195 {ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH), "wrong signature length"},
196 {0, NULL}
197};
198
199#endif
200
201void
202ERR_load_RSA_strings(void)
203{
204#ifndef OPENSSL_NO_ERR
205 if (ERR_func_error_string(RSA_str_functs[0].error) == NULL) {
206 ERR_load_strings(0, RSA_str_functs);
207 ERR_load_strings(0, RSA_str_reasons);
208 }
209#endif
210}
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
deleted file mode 100644
index f6f051c442..0000000000
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ /dev/null
@@ -1,240 +0,0 @@
1/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59
60/* NB: these functions have been "upgraded", the deprecated versions (which are
61 * compatibility wrappers using these functions) are in rsa_depr.c.
62 * - Geoff
63 */
64
65#include <stdio.h>
66#include <time.h>
67
68#include <openssl/bn.h>
69#include <openssl/err.h>
70#include <openssl/rsa.h>
71
72static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
73
74/*
75 * NB: this wrapper would normally be placed in rsa_lib.c and the static
76 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
77 * that we don't introduce a new linker dependency. Eg. any application that
78 * wasn't previously linking object code related to key-generation won't have to
79 * now just because key-generation is part of RSA_METHOD.
80 */
81int
82RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
83{
84 if (rsa->meth->rsa_keygen)
85 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
86 return rsa_builtin_keygen(rsa, bits, e_value, cb);
87}
88
89static int
90rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
91{
92 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
93 BIGNUM local_r0, local_d, local_p;
94 BIGNUM *pr0, *d, *p;
95 int bitsp, bitsq, ok = -1, n = 0;
96 BN_CTX *ctx = NULL;
97
98 ctx = BN_CTX_new();
99 if (ctx == NULL)
100 goto err;
101 BN_CTX_start(ctx);
102 if ((r0 = BN_CTX_get(ctx)) == NULL)
103 goto err;
104 if ((r1 = BN_CTX_get(ctx)) == NULL)
105 goto err;
106 if ((r2 = BN_CTX_get(ctx)) == NULL)
107 goto err;
108 if ((r3 = BN_CTX_get(ctx)) == NULL)
109 goto err;
110
111 bitsp = (bits + 1) / 2;
112 bitsq = bits - bitsp;
113
114 /* We need the RSA components non-NULL */
115 if (!rsa->n && ((rsa->n = BN_new()) == NULL))
116 goto err;
117 if (!rsa->d && ((rsa->d = BN_new()) == NULL))
118 goto err;
119 if (!rsa->e && ((rsa->e = BN_new()) == NULL))
120 goto err;
121 if (!rsa->p && ((rsa->p = BN_new()) == NULL))
122 goto err;
123 if (!rsa->q && ((rsa->q = BN_new()) == NULL))
124 goto err;
125 if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
126 goto err;
127 if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
128 goto err;
129 if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
130 goto err;
131
132 BN_copy(rsa->e, e_value);
133
134 /* generate p and q */
135 for (;;) {
136 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
137 goto err;
138 if (!BN_sub(r2, rsa->p, BN_value_one()))
139 goto err;
140 if (!BN_gcd(r1, r2, rsa->e, ctx))
141 goto err;
142 if (BN_is_one(r1))
143 break;
144 if (!BN_GENCB_call(cb, 2, n++))
145 goto err;
146 }
147 if (!BN_GENCB_call(cb, 3, 0))
148 goto err;
149 for (;;) {
150 /*
151 * When generating ridiculously small keys, we can get stuck
152 * continually regenerating the same prime values. Check for
153 * this and bail if it happens 3 times.
154 */
155 unsigned int degenerate = 0;
156 do {
157 if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL,
158 cb))
159 goto err;
160 } while (BN_cmp(rsa->p, rsa->q) == 0 &&
161 ++degenerate < 3);
162 if (degenerate == 3) {
163 ok = 0; /* we set our own err */
164 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,
165 RSA_R_KEY_SIZE_TOO_SMALL);
166 goto err;
167 }
168 if (!BN_sub(r2, rsa->q, BN_value_one()))
169 goto err;
170 if (!BN_gcd(r1, r2, rsa->e, ctx))
171 goto err;
172 if (BN_is_one(r1))
173 break;
174 if (!BN_GENCB_call(cb, 2, n++))
175 goto err;
176 }
177 if (!BN_GENCB_call(cb, 3, 1))
178 goto err;
179 if (BN_cmp(rsa->p, rsa->q) < 0) {
180 tmp = rsa->p;
181 rsa->p = rsa->q;
182 rsa->q = tmp;
183 }
184
185 /* calculate n */
186 if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
187 goto err;
188
189 /* calculate d */
190 if (!BN_sub(r1, rsa->p, BN_value_one())) /* p-1 */
191 goto err;
192 if (!BN_sub(r2, rsa->q, BN_value_one())) /* q-1 */
193 goto err;
194 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
195 goto err;
196 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
197 pr0 = &local_r0;
198 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
199 } else
200 pr0 = r0;
201 if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
202 goto err;
203
204 /* set up d for correct BN_FLG_CONSTTIME flag */
205 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
206 d = &local_d;
207 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
208 } else
209 d = rsa->d;
210
211 /* calculate d mod (p-1) */
212 if (!BN_mod(rsa->dmp1, d, r1, ctx))
213 goto err;
214
215 /* calculate d mod (q-1) */
216 if (!BN_mod(rsa->dmq1, d, r2, ctx))
217 goto err;
218
219 /* calculate inverse of q mod p */
220 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
221 p = &local_p;
222 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
223 } else
224 p = rsa->p;
225 if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
226 goto err;
227
228 ok = 1;
229err:
230 if (ok == -1) {
231 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
232 ok = 0;
233 }
234 if (ctx != NULL) {
235 BN_CTX_end(ctx);
236 BN_CTX_free(ctx);
237 }
238
239 return ok;
240}
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
deleted file mode 100644
index 51dc94a134..0000000000
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ /dev/null
@@ -1,258 +0,0 @@
1/* $OpenBSD: rsa_lib.c,v 1.30 2015/02/11 03:19:37 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60
61#include <openssl/opensslconf.h>
62
63#include <openssl/bn.h>
64#include <openssl/crypto.h>
65#include <openssl/err.h>
66#include <openssl/lhash.h>
67#include <openssl/rsa.h>
68
69#ifndef OPENSSL_NO_ENGINE
70#include <openssl/engine.h>
71#endif
72
73static const RSA_METHOD *default_RSA_meth = NULL;
74
75RSA *
76RSA_new(void)
77{
78 RSA *r = RSA_new_method(NULL);
79
80 return r;
81}
82
83void
84RSA_set_default_method(const RSA_METHOD *meth)
85{
86 default_RSA_meth = meth;
87}
88
89const RSA_METHOD *
90RSA_get_default_method(void)
91{
92 if (default_RSA_meth == NULL)
93 default_RSA_meth = RSA_PKCS1_SSLeay();
94
95 return default_RSA_meth;
96}
97
98const RSA_METHOD *
99RSA_get_method(const RSA *rsa)
100{
101 return rsa->meth;
102}
103
104int
105RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
106{
107 /*
108 * NB: The caller is specifically setting a method, so it's not up to us
109 * to deal with which ENGINE it comes from.
110 */
111 const RSA_METHOD *mtmp;
112
113 mtmp = rsa->meth;
114 if (mtmp->finish)
115 mtmp->finish(rsa);
116#ifndef OPENSSL_NO_ENGINE
117 if (rsa->engine) {
118 ENGINE_finish(rsa->engine);
119 rsa->engine = NULL;
120 }
121#endif
122 rsa->meth = meth;
123 if (meth->init)
124 meth->init(rsa);
125 return 1;
126}
127
128RSA *
129RSA_new_method(ENGINE *engine)
130{
131 RSA *ret;
132
133 ret = malloc(sizeof(RSA));
134 if (ret == NULL) {
135 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
136 return NULL;
137 }
138
139 ret->meth = RSA_get_default_method();
140#ifndef OPENSSL_NO_ENGINE
141 if (engine) {
142 if (!ENGINE_init(engine)) {
143 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
144 free(ret);
145 return NULL;
146 }
147 ret->engine = engine;
148 } else
149 ret->engine = ENGINE_get_default_RSA();
150 if (ret->engine) {
151 ret->meth = ENGINE_get_RSA(ret->engine);
152 if (!ret->meth) {
153 RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
154 ENGINE_finish(ret->engine);
155 free(ret);
156 return NULL;
157 }
158 }
159#endif
160
161 ret->pad = 0;
162 ret->version = 0;
163 ret->n = NULL;
164 ret->e = NULL;
165 ret->d = NULL;
166 ret->p = NULL;
167 ret->q = NULL;
168 ret->dmp1 = NULL;
169 ret->dmq1 = NULL;
170 ret->iqmp = NULL;
171 ret->references = 1;
172 ret->_method_mod_n = NULL;
173 ret->_method_mod_p = NULL;
174 ret->_method_mod_q = NULL;
175 ret->blinding = NULL;
176 ret->mt_blinding = NULL;
177 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
178 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
179#ifndef OPENSSL_NO_ENGINE
180 if (ret->engine)
181 ENGINE_finish(ret->engine);
182#endif
183 free(ret);
184 return NULL;
185 }
186
187 if (ret->meth->init != NULL && !ret->meth->init(ret)) {
188#ifndef OPENSSL_NO_ENGINE
189 if (ret->engine)
190 ENGINE_finish(ret->engine);
191#endif
192 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
193 free(ret);
194 ret = NULL;
195 }
196 return ret;
197}
198
199void
200RSA_free(RSA *r)
201{
202 int i;
203
204 if (r == NULL)
205 return;
206
207 i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_RSA);
208 if (i > 0)
209 return;
210
211 if (r->meth->finish)
212 r->meth->finish(r);
213#ifndef OPENSSL_NO_ENGINE
214 if (r->engine)
215 ENGINE_finish(r->engine);
216#endif
217
218 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
219
220 BN_clear_free(r->n);
221 BN_clear_free(r->e);
222 BN_clear_free(r->d);
223 BN_clear_free(r->p);
224 BN_clear_free(r->q);
225 BN_clear_free(r->dmp1);
226 BN_clear_free(r->dmq1);
227 BN_clear_free(r->iqmp);
228 BN_BLINDING_free(r->blinding);
229 BN_BLINDING_free(r->mt_blinding);
230 free(r);
231}
232
233int
234RSA_up_ref(RSA *r)
235{
236 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
237 return i > 1 ? 1 : 0;
238}
239
240int
241RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
242 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
243{
244 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
245 new_func, dup_func, free_func);
246}
247
248int
249RSA_set_ex_data(RSA *r, int idx, void *arg)
250{
251 return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
252}
253
254void *
255RSA_get_ex_data(const RSA *r, int idx)
256{
257 return CRYPTO_get_ex_data(&r->ex_data, idx);
258}
diff --git a/src/lib/libcrypto/rsa/rsa_locl.h b/src/lib/libcrypto/rsa/rsa_locl.h
deleted file mode 100644
index 24da0dc179..0000000000
--- a/src/lib/libcrypto/rsa/rsa_locl.h
+++ /dev/null
@@ -1,4 +0,0 @@
1/* $OpenBSD: rsa_locl.h,v 1.3 2014/07/09 19:51:31 jsing Exp $ */
2extern int int_rsa_verify(int dtype, const unsigned char *m,
3 unsigned int m_len, unsigned char *rm, size_t *prm_len,
4 const unsigned char *sigbuf, size_t siglen, RSA *rsa);
diff --git a/src/lib/libcrypto/rsa/rsa_none.c b/src/lib/libcrypto/rsa/rsa_none.c
deleted file mode 100644
index 5222b3c1eb..0000000000
--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ /dev/null
@@ -1,98 +0,0 @@
1/* $OpenBSD: rsa_none.c,v 1.10 2014/10/18 17:20:40 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/bn.h>
63#include <openssl/err.h>
64#include <openssl/rsa.h>
65
66int
67RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *from,
68 int flen)
69{
70 if (flen > tlen) {
71 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,
72 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
73 return 0;
74 }
75
76 if (flen < tlen) {
77 RSAerr(RSA_F_RSA_PADDING_ADD_NONE,
78 RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
79 return 0;
80 }
81
82 memcpy(to, from, flen);
83 return 1;
84}
85
86int
87RSA_padding_check_none(unsigned char *to, int tlen, const unsigned char *from,
88 int flen, int num)
89{
90 if (flen > tlen) {
91 RSAerr(RSA_F_RSA_PADDING_CHECK_NONE, RSA_R_DATA_TOO_LARGE);
92 return -1;
93 }
94
95 memset(to, 0, tlen - flen);
96 memcpy(to + tlen - flen, from, flen);
97 return tlen;
98}
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
deleted file mode 100644
index 86e2bfc34f..0000000000
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ /dev/null
@@ -1,236 +0,0 @@
1/* $OpenBSD: rsa_oaep.c,v 1.25 2015/06/20 12:01:14 jsing Exp $ */
2/* Written by Ulf Moeller. This software is distributed on an "AS IS"
3 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
4
5/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
6
7/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
8 * <URL: http://www.shoup.net/papers/oaep.ps.Z>
9 * for problems with the security proof for the
10 * original OAEP scheme, which EME-OAEP is based on.
11 *
12 * A new proof can be found in E. Fujisaki, T. Okamoto,
13 * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
14 * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
15 * The new proof has stronger requirements for the
16 * underlying permutation: "partial-one-wayness" instead
17 * of one-wayness. For the RSA function, this is
18 * an equivalent notion.
19 */
20
21#include <stdio.h>
22#include <stdlib.h>
23#include <string.h>
24
25#include <openssl/opensslconf.h>
26
27#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
28
29#include <openssl/bn.h>
30#include <openssl/err.h>
31#include <openssl/evp.h>
32#include <openssl/rsa.h>
33#include <openssl/sha.h>
34
35static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
36 long seedlen);
37
38int
39RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
40 const unsigned char *from, int flen, const unsigned char *param, int plen)
41{
42 int i, emlen = tlen - 1;
43 unsigned char *db, *seed;
44 unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
45
46 if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) {
47 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
48 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
49 return 0;
50 }
51
52 if (emlen < 2 * SHA_DIGEST_LENGTH + 1) {
53 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
54 RSA_R_KEY_SIZE_TOO_SMALL);
55 return 0;
56 }
57
58 to[0] = 0;
59 seed = to + 1;
60 db = to + SHA_DIGEST_LENGTH + 1;
61
62 if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))
63 return 0;
64 memset(db + SHA_DIGEST_LENGTH, 0,
65 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
66 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
67 memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, flen);
68 arc4random_buf(seed, SHA_DIGEST_LENGTH);
69
70 dbmask = malloc(emlen - SHA_DIGEST_LENGTH);
71 if (dbmask == NULL) {
72 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
73 return 0;
74 }
75
76 if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed,
77 SHA_DIGEST_LENGTH) < 0)
78 return 0;
79 for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
80 db[i] ^= dbmask[i];
81
82 if (MGF1(seedmask, SHA_DIGEST_LENGTH, db,
83 emlen - SHA_DIGEST_LENGTH) < 0)
84 return 0;
85 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
86 seed[i] ^= seedmask[i];
87
88 free(dbmask);
89 return 1;
90}
91
92int
93RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
94 const unsigned char *from, int flen, int num, const unsigned char *param,
95 int plen)
96{
97 int i, dblen, mlen = -1;
98 const unsigned char *maskeddb;
99 int lzero;
100 unsigned char *db = NULL;
101 unsigned char seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
102 unsigned char *padded_from;
103 int bad = 0;
104
105 if (--num < 2 * SHA_DIGEST_LENGTH + 1)
106 /*
107 * 'num' is the length of the modulus, i.e. does not depend
108 * on the particular ciphertext.
109 */
110 goto decoding_err;
111
112 lzero = num - flen;
113 if (lzero < 0) {
114 /*
115 * signalling this error immediately after detection might allow
116 * for side-channel attacks (e.g. timing if 'plen' is huge
117 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA
118 * Optimal Asymmetric Encryption Padding (OAEP) [...]",
119 * CRYPTO 2001), so we use a 'bad' flag
120 */
121 bad = 1;
122 lzero = 0;
123 flen = num; /* don't overflow the memcpy to padded_from */
124 }
125
126 dblen = num - SHA_DIGEST_LENGTH;
127 db = malloc(dblen + num);
128 if (db == NULL) {
129 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
130 ERR_R_MALLOC_FAILURE);
131 return -1;
132 }
133
134 /*
135 * Always do this zero-padding copy (even when lzero == 0)
136 * to avoid leaking timing info about the value of lzero.
137 */
138 padded_from = db + dblen;
139 memset(padded_from, 0, lzero);
140 memcpy(padded_from + lzero, from, flen);
141
142 maskeddb = padded_from + SHA_DIGEST_LENGTH;
143
144 if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
145 return -1;
146 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
147 seed[i] ^= padded_from[i];
148
149 if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
150 return -1;
151 for (i = 0; i < dblen; i++)
152 db[i] ^= maskeddb[i];
153
154 if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
155 return -1;
156
157 if (timingsafe_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
158 goto decoding_err;
159 else {
160 for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
161 if (db[i] != 0x00)
162 break;
163 if (i == dblen || db[i] != 0x01)
164 goto decoding_err;
165 else {
166 /* everything looks OK */
167
168 mlen = dblen - ++i;
169 if (tlen < mlen) {
170 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
171 RSA_R_DATA_TOO_LARGE);
172 mlen = -1;
173 } else
174 memcpy(to, db + i, mlen);
175 }
176 }
177 free(db);
178 return mlen;
179
180decoding_err:
181 /*
182 * To avoid chosen ciphertext attacks, the error message should not
183 * reveal which kind of decoding error happened
184 */
185 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
186 free(db);
187 return -1;
188}
189
190int
191PKCS1_MGF1(unsigned char *mask, long len, const unsigned char *seed,
192 long seedlen, const EVP_MD *dgst)
193{
194 long i, outlen = 0;
195 unsigned char cnt[4];
196 EVP_MD_CTX c;
197 unsigned char md[EVP_MAX_MD_SIZE];
198 int mdlen;
199 int rv = -1;
200
201 EVP_MD_CTX_init(&c);
202 mdlen = EVP_MD_size(dgst);
203 if (mdlen < 0)
204 goto err;
205 for (i = 0; outlen < len; i++) {
206 cnt[0] = (unsigned char)((i >> 24) & 255);
207 cnt[1] = (unsigned char)((i >> 16) & 255);
208 cnt[2] = (unsigned char)((i >> 8)) & 255;
209 cnt[3] = (unsigned char)(i & 255);
210 if (!EVP_DigestInit_ex(&c, dgst, NULL) ||
211 !EVP_DigestUpdate(&c, seed, seedlen) ||
212 !EVP_DigestUpdate(&c, cnt, 4))
213 goto err;
214 if (outlen + mdlen <= len) {
215 if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
216 goto err;
217 outlen += mdlen;
218 } else {
219 if (!EVP_DigestFinal_ex(&c, md, NULL))
220 goto err;
221 memcpy(mask + outlen, md, len - outlen);
222 outlen = len;
223 }
224 }
225 rv = 0;
226err:
227 EVP_MD_CTX_cleanup(&c);
228 return rv;
229}
230
231static int
232MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
233{
234 return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
235}
236#endif
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
deleted file mode 100644
index 6c3e7fb846..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ /dev/null
@@ -1,224 +0,0 @@
1/* $OpenBSD: rsa_pk1.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include <openssl/bn.h>
64#include <openssl/err.h>
65#include <openssl/rsa.h>
66
67int
68RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
69 const unsigned char *from, int flen)
70{
71 int j;
72 unsigned char *p;
73
74 if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
75 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,
76 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
77 return 0;
78 }
79
80 p = (unsigned char *)to;
81
82 *(p++) = 0;
83 *(p++) = 1; /* Private Key BT (Block Type) */
84
85 /* pad out with 0xff data */
86 j = tlen - 3 - flen;
87 memset(p, 0xff, j);
88 p += j;
89 *(p++) = '\0';
90 memcpy(p, from, flen);
91
92 return 1;
93}
94
95int
96RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
97 const unsigned char *from, int flen, int num)
98{
99 int i, j;
100 const unsigned char *p;
101
102 p = from;
103 if (num != flen + 1 || *(p++) != 01) {
104 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
105 RSA_R_BLOCK_TYPE_IS_NOT_01);
106 return -1;
107 }
108
109 /* scan over padding data */
110 j = flen - 1; /* one for type. */
111 for (i = 0; i < j; i++) {
112 if (*p != 0xff) {
113 /* should decrypt to 0xff */
114 if (*p == 0) {
115 p++;
116 break;
117 } else {
118 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
119 RSA_R_BAD_FIXED_HEADER_DECRYPT);
120 return -1;
121 }
122 }
123 p++;
124 }
125
126 if (i == j) {
127 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
128 RSA_R_NULL_BEFORE_BLOCK_MISSING);
129 return -1;
130 }
131
132 if (i < 8) {
133 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
134 RSA_R_BAD_PAD_BYTE_COUNT);
135 return -1;
136 }
137 i++; /* Skip over the '\0' */
138 j -= i;
139 if (j > tlen) {
140 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
141 RSA_R_DATA_TOO_LARGE);
142 return -1;
143 }
144 memcpy(to, p, j);
145
146 return j;
147}
148
149int
150RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
151 const unsigned char *from, int flen)
152{
153 int i, j;
154 unsigned char *p;
155
156 if (flen > tlen - 11) {
157 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
158 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
159 return 0;
160 }
161
162 p = (unsigned char *)to;
163
164 *(p++) = 0;
165 *(p++) = 2; /* Public Key BT (Block Type) */
166
167 /* pad out with non-zero random data */
168 j = tlen - 3 - flen;
169
170 arc4random_buf(p, j);
171 for (i = 0; i < j; i++) {
172 while (*p == '\0')
173 arc4random_buf(p, 1);
174 p++;
175 }
176
177 *(p++) = '\0';
178
179 memcpy(p, from, flen);
180 return 1;
181}
182
183int
184RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
185 const unsigned char *from, int flen, int num)
186{
187 int i, j;
188 const unsigned char *p;
189
190 p = from;
191 if (num != flen + 1 || *(p++) != 02) {
192 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
193 RSA_R_BLOCK_TYPE_IS_NOT_02);
194 return -1;
195 }
196
197 /* scan over padding data */
198 j = flen - 1; /* one for type. */
199 for (i = 0; i < j; i++)
200 if (*(p++) == 0)
201 break;
202
203 if (i == j) {
204 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
205 RSA_R_NULL_BEFORE_BLOCK_MISSING);
206 return -1;
207 }
208
209 if (i < 8) {
210 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
211 RSA_R_BAD_PAD_BYTE_COUNT);
212 return -1;
213 }
214 i++; /* Skip over the '\0' */
215 j -= i;
216 if (j > tlen) {
217 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
218 RSA_R_DATA_TOO_LARGE);
219 return -1;
220 }
221 memcpy(to, p, j);
222
223 return j;
224}
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
deleted file mode 100644
index 0b648138ee..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ /dev/null
@@ -1,616 +0,0 @@
1/* $OpenBSD: rsa_pmeth.c,v 1.17 2015/06/20 01:07:25 doug Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <limits.h>
60#include <stdio.h>
61#include <string.h>
62
63#include <openssl/opensslconf.h>
64
65#include <openssl/asn1t.h>
66#include <openssl/bn.h>
67#include <openssl/err.h>
68#include <openssl/evp.h>
69#include <openssl/rsa.h>
70#include <openssl/x509.h>
71
72#ifndef OPENSSL_NO_CMS
73#include <openssl/cms.h>
74#endif
75
76#include "evp_locl.h"
77#include "rsa_locl.h"
78
79/* RSA pkey context structure */
80
81typedef struct {
82 /* Key gen parameters */
83 int nbits;
84 BIGNUM *pub_exp;
85 /* Keygen callback info */
86 int gentmp[2];
87 /* RSA padding mode */
88 int pad_mode;
89 /* message digest */
90 const EVP_MD *md;
91 /* message digest for MGF1 */
92 const EVP_MD *mgf1md;
93 /* PSS/OAEP salt length */
94 int saltlen;
95 /* Temp buffer */
96 unsigned char *tbuf;
97} RSA_PKEY_CTX;
98
99static int
100pkey_rsa_init(EVP_PKEY_CTX *ctx)
101{
102 RSA_PKEY_CTX *rctx;
103
104 rctx = malloc(sizeof(RSA_PKEY_CTX));
105 if (!rctx)
106 return 0;
107 rctx->nbits = 2048;
108 rctx->pub_exp = NULL;
109 rctx->pad_mode = RSA_PKCS1_PADDING;
110 rctx->md = NULL;
111 rctx->mgf1md = NULL;
112 rctx->tbuf = NULL;
113
114 rctx->saltlen = -2;
115
116 ctx->data = rctx;
117 ctx->keygen_info = rctx->gentmp;
118 ctx->keygen_info_count = 2;
119
120 return 1;
121}
122
123static int
124pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
125{
126 RSA_PKEY_CTX *dctx, *sctx;
127
128 if (!pkey_rsa_init(dst))
129 return 0;
130 sctx = src->data;
131 dctx = dst->data;
132 dctx->nbits = sctx->nbits;
133 if (sctx->pub_exp) {
134 dctx->pub_exp = BN_dup(sctx->pub_exp);
135 if (!dctx->pub_exp)
136 return 0;
137 }
138 dctx->pad_mode = sctx->pad_mode;
139 dctx->md = sctx->md;
140 return 1;
141}
142
143static int
144setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
145{
146 if (ctx->tbuf)
147 return 1;
148 ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey));
149 if (!ctx->tbuf)
150 return 0;
151 return 1;
152}
153
154static void
155pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
156{
157 RSA_PKEY_CTX *rctx = ctx->data;
158
159 if (rctx) {
160 BN_free(rctx->pub_exp);
161 free(rctx->tbuf);
162 free(rctx);
163 }
164}
165
166static int
167pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
168 const unsigned char *tbs, size_t tbslen)
169{
170 int ret;
171 RSA_PKEY_CTX *rctx = ctx->data;
172 RSA *rsa = ctx->pkey->pkey.rsa;
173
174 if (rctx->md) {
175 if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
176 RSAerr(RSA_F_PKEY_RSA_SIGN,
177 RSA_R_INVALID_DIGEST_LENGTH);
178 return -1;
179 }
180
181 if (rctx->pad_mode == RSA_X931_PADDING) {
182 if (!setup_tbuf(rctx, ctx))
183 return -1;
184 memcpy(rctx->tbuf, tbs, tbslen);
185 rctx->tbuf[tbslen] =
186 RSA_X931_hash_id(EVP_MD_type(rctx->md));
187 ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
188 rsa, RSA_X931_PADDING);
189 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
190 unsigned int sltmp;
191
192 ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
193 &sltmp, rsa);
194 if (ret <= 0)
195 return ret;
196 ret = sltmp;
197 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
198 if (!setup_tbuf(rctx, ctx))
199 return -1;
200 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf,
201 tbs, rctx->md, rctx->mgf1md, rctx->saltlen))
202 return -1;
203 ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
204 sig, rsa, RSA_NO_PADDING);
205 } else
206 return -1;
207 } else
208 ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
209 rctx->pad_mode);
210 if (ret < 0)
211 return ret;
212 *siglen = ret;
213 return 1;
214}
215
216static int
217pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
218 const unsigned char *sig, size_t siglen)
219{
220 int ret;
221 RSA_PKEY_CTX *rctx = ctx->data;
222
223 if (rctx->md) {
224 if (rctx->pad_mode == RSA_X931_PADDING) {
225 if (!setup_tbuf(rctx, ctx))
226 return -1;
227 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
228 ctx->pkey->pkey.rsa, RSA_X931_PADDING);
229 if (ret < 1)
230 return 0;
231 ret--;
232 if (rctx->tbuf[ret] !=
233 RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
234 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
235 RSA_R_ALGORITHM_MISMATCH);
236 return 0;
237 }
238 if (ret != EVP_MD_size(rctx->md)) {
239 RSAerr(RSA_F_PKEY_RSA_VERIFYRECOVER,
240 RSA_R_INVALID_DIGEST_LENGTH);
241 return 0;
242 }
243 if (rout)
244 memcpy(rout, rctx->tbuf, ret);
245 } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
246 size_t sltmp;
247
248 ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
249 rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
250 if (ret <= 0)
251 return 0;
252 ret = sltmp;
253 } else
254 return -1;
255 } else
256 ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
257 rctx->pad_mode);
258 if (ret < 0)
259 return ret;
260 *routlen = ret;
261 return 1;
262}
263
264static int
265pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
266 const unsigned char *tbs, size_t tbslen)
267{
268 RSA_PKEY_CTX *rctx = ctx->data;
269 RSA *rsa = ctx->pkey->pkey.rsa;
270 size_t rslen;
271
272 if (rctx->md) {
273 if (rctx->pad_mode == RSA_PKCS1_PADDING)
274 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
275 sig, siglen, rsa);
276 if (rctx->pad_mode == RSA_X931_PADDING) {
277 if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
278 siglen) <= 0)
279 return 0;
280 } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
281 int ret;
282
283 if (!setup_tbuf(rctx, ctx))
284 return -1;
285 ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
286 rsa, RSA_NO_PADDING);
287 if (ret <= 0)
288 return 0;
289 ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
290 rctx->mgf1md, rctx->tbuf, rctx->saltlen);
291 if (ret <= 0)
292 return 0;
293 return 1;
294 } else
295 return -1;
296 } else {
297 if (!setup_tbuf(rctx, ctx))
298 return -1;
299 rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
300 rctx->pad_mode);
301 if (rslen == 0)
302 return 0;
303 }
304
305 if (rslen != tbslen || memcmp(tbs, rctx->tbuf, rslen))
306 return 0;
307
308 return 1;
309}
310
311static int
312pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
313 const unsigned char *in, size_t inlen)
314{
315 int ret;
316 RSA_PKEY_CTX *rctx = ctx->data;
317
318 ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
319 rctx->pad_mode);
320 if (ret < 0)
321 return ret;
322 *outlen = ret;
323 return 1;
324}
325
326static int
327pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
328 const unsigned char *in, size_t inlen)
329{
330 int ret;
331 RSA_PKEY_CTX *rctx = ctx->data;
332
333 ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
334 rctx->pad_mode);
335 if (ret < 0)
336 return ret;
337 *outlen = ret;
338 return 1;
339}
340
341static int
342check_padding_md(const EVP_MD *md, int padding)
343{
344 if (!md)
345 return 1;
346
347 if (padding == RSA_NO_PADDING) {
348 RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
349 return 0;
350 }
351
352 if (padding == RSA_X931_PADDING) {
353 if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
354 RSAerr(RSA_F_CHECK_PADDING_MD,
355 RSA_R_INVALID_X931_DIGEST);
356 return 0;
357 }
358 return 1;
359 }
360
361 return 1;
362}
363
364static int
365pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
366{
367 RSA_PKEY_CTX *rctx = ctx->data;
368
369 switch (type) {
370 case EVP_PKEY_CTRL_RSA_PADDING:
371 if (p1 >= RSA_PKCS1_PADDING && p1 <= RSA_PKCS1_PSS_PADDING) {
372 if (!check_padding_md(rctx->md, p1))
373 return 0;
374 if (p1 == RSA_PKCS1_PSS_PADDING) {
375 if (!(ctx->operation &
376 (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)))
377 goto bad_pad;
378 if (!rctx->md)
379 rctx->md = EVP_sha1();
380 }
381 if (p1 == RSA_PKCS1_OAEP_PADDING) {
382 if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))
383 goto bad_pad;
384 if (!rctx->md)
385 rctx->md = EVP_sha1();
386 }
387 rctx->pad_mode = p1;
388 return 1;
389 }
390bad_pad:
391 RSAerr(RSA_F_PKEY_RSA_CTRL,
392 RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
393 return -2;
394
395 case EVP_PKEY_CTRL_GET_RSA_PADDING:
396 *(int *)p2 = rctx->pad_mode;
397 return 1;
398
399 case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:
400 case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
401 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
402 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
403 return -2;
404 }
405 if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN)
406 *(int *)p2 = rctx->saltlen;
407 else {
408 if (p1 < -2)
409 return -2;
410 rctx->saltlen = p1;
411 }
412 return 1;
413
414 case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
415 if (p1 < 256) {
416 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
417 return -2;
418 }
419 rctx->nbits = p1;
420 return 1;
421
422 case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
423 if (!p2)
424 return -2;
425 rctx->pub_exp = p2;
426 return 1;
427
428 case EVP_PKEY_CTRL_MD:
429 if (!check_padding_md(p2, rctx->pad_mode))
430 return 0;
431 rctx->md = p2;
432 return 1;
433
434 case EVP_PKEY_CTRL_RSA_MGF1_MD:
435 case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
436 if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
437 RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
438 return -2;
439 }
440 if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
441 if (rctx->mgf1md)
442 *(const EVP_MD **)p2 = rctx->mgf1md;
443 else
444 *(const EVP_MD **)p2 = rctx->md;
445 } else
446 rctx->mgf1md = p2;
447 return 1;
448
449 case EVP_PKEY_CTRL_DIGESTINIT:
450 case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
451 case EVP_PKEY_CTRL_PKCS7_DECRYPT:
452 case EVP_PKEY_CTRL_PKCS7_SIGN:
453 return 1;
454#ifndef OPENSSL_NO_CMS
455 case EVP_PKEY_CTRL_CMS_DECRYPT:
456 {
457 X509_ALGOR *alg = NULL;
458 ASN1_OBJECT *encalg = NULL;
459
460 if (p2)
461 CMS_RecipientInfo_ktri_get0_algs(p2, NULL,
462 NULL, &alg);
463 if (alg)
464 X509_ALGOR_get0(&encalg, NULL, NULL, alg);
465 if (encalg && OBJ_obj2nid(encalg) == NID_rsaesOaep)
466 rctx->pad_mode = RSA_PKCS1_OAEP_PADDING;
467 }
468 /* FALLTHROUGH */
469
470 case EVP_PKEY_CTRL_CMS_ENCRYPT:
471 case EVP_PKEY_CTRL_CMS_SIGN:
472 return 1;
473#endif
474 case EVP_PKEY_CTRL_PEER_KEY:
475 RSAerr(RSA_F_PKEY_RSA_CTRL,
476 RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
477 return -2;
478
479 default:
480 return -2;
481 }
482}
483
484static int
485pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
486{
487 long lval;
488 char *ep;
489
490 if (!value) {
491 RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
492 return 0;
493 }
494 if (!strcmp(type, "rsa_padding_mode")) {
495 int pm;
496 if (!strcmp(value, "pkcs1"))
497 pm = RSA_PKCS1_PADDING;
498 else if (!strcmp(value, "sslv23"))
499 pm = RSA_SSLV23_PADDING;
500 else if (!strcmp(value, "none"))
501 pm = RSA_NO_PADDING;
502 else if (!strcmp(value, "oeap"))
503 pm = RSA_PKCS1_OAEP_PADDING;
504 else if (!strcmp(value, "oaep"))
505 pm = RSA_PKCS1_OAEP_PADDING;
506 else if (!strcmp(value, "x931"))
507 pm = RSA_X931_PADDING;
508 else if (!strcmp(value, "pss"))
509 pm = RSA_PKCS1_PSS_PADDING;
510 else {
511 RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
512 RSA_R_UNKNOWN_PADDING_TYPE);
513 return -2;
514 }
515 return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
516 }
517
518 if (!strcmp(type, "rsa_pss_saltlen")) {
519 int saltlen;
520
521 errno = 0;
522 lval = strtol(value, &ep, 10);
523 if (value[0] == '\0' || *ep != '\0')
524 goto not_a_number;
525 if ((errno == ERANGE &&
526 (lval == LONG_MAX || lval == LONG_MIN)) ||
527 (lval > INT_MAX || lval < INT_MIN))
528 goto out_of_range;
529 saltlen = lval;
530 return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
531 }
532
533 if (!strcmp(type, "rsa_keygen_bits")) {
534 int nbits;
535
536 errno = 0;
537 lval = strtol(value, &ep, 10);
538 if (value[0] == '\0' || *ep != '\0')
539 goto not_a_number;
540 if ((errno == ERANGE &&
541 (lval == LONG_MAX || lval == LONG_MIN)) ||
542 (lval > INT_MAX || lval < INT_MIN))
543 goto out_of_range;
544 nbits = lval;
545 return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
546 }
547
548 if (!strcmp(type, "rsa_keygen_pubexp")) {
549 int ret;
550 BIGNUM *pubexp = NULL;
551
552 if (!BN_asc2bn(&pubexp, value))
553 return 0;
554 ret = EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp);
555 if (ret <= 0)
556 BN_free(pubexp);
557 return ret;
558 }
559
560not_a_number:
561out_of_range:
562 return -2;
563}
564
565static int
566pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
567{
568 RSA *rsa = NULL;
569 RSA_PKEY_CTX *rctx = ctx->data;
570 BN_GENCB *pcb, cb;
571 int ret;
572
573 if (!rctx->pub_exp) {
574 rctx->pub_exp = BN_new();
575 if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
576 return 0;
577 }
578 rsa = RSA_new();
579 if (!rsa)
580 return 0;
581 if (ctx->pkey_gencb) {
582 pcb = &cb;
583 evp_pkey_set_cb_translate(pcb, ctx);
584 } else
585 pcb = NULL;
586 ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
587 if (ret > 0)
588 EVP_PKEY_assign_RSA(pkey, rsa);
589 else
590 RSA_free(rsa);
591 return ret;
592}
593
594const EVP_PKEY_METHOD rsa_pkey_meth = {
595 .pkey_id = EVP_PKEY_RSA,
596 .flags = EVP_PKEY_FLAG_AUTOARGLEN,
597
598 .init = pkey_rsa_init,
599 .copy = pkey_rsa_copy,
600 .cleanup = pkey_rsa_cleanup,
601
602 .keygen = pkey_rsa_keygen,
603
604 .sign = pkey_rsa_sign,
605
606 .verify = pkey_rsa_verify,
607
608 .verify_recover = pkey_rsa_verifyrecover,
609
610 .encrypt = pkey_rsa_encrypt,
611
612 .decrypt = pkey_rsa_decrypt,
613
614 .ctrl = pkey_rsa_ctrl,
615 .ctrl_str = pkey_rsa_ctrl_str
616};
diff --git a/src/lib/libcrypto/rsa/rsa_prn.c b/src/lib/libcrypto/rsa/rsa_prn.c
deleted file mode 100644
index db82dab5be..0000000000
--- a/src/lib/libcrypto/rsa/rsa_prn.c
+++ /dev/null
@@ -1,93 +0,0 @@
1/* $OpenBSD: rsa_prn.c,v 1.6 2014/07/11 08:44:49 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/err.h>
62#include <openssl/evp.h>
63#include <openssl/rsa.h>
64
65int
66RSA_print_fp(FILE *fp, const RSA *x, int off)
67{
68 BIO *b;
69 int ret;
70
71 if ((b = BIO_new(BIO_s_file())) == NULL) {
72 RSAerr(RSA_F_RSA_PRINT_FP, ERR_R_BUF_LIB);
73 return 0;
74 }
75 BIO_set_fp(b, fp, BIO_NOCLOSE);
76 ret = RSA_print(b, x, off);
77 BIO_free(b);
78 return ret;
79}
80
81int
82RSA_print(BIO *bp, const RSA *x, int off)
83{
84 EVP_PKEY *pk;
85 int ret;
86
87 pk = EVP_PKEY_new();
88 if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
89 return 0;
90 ret = EVP_PKEY_print_private(bp, pk, off, NULL);
91 EVP_PKEY_free(pk);
92 return ret;
93}
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
deleted file mode 100644
index 5e137a3090..0000000000
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ /dev/null
@@ -1,289 +0,0 @@
1/* $OpenBSD: rsa_pss.c,v 1.11 2014/10/22 13:02:04 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include <openssl/bn.h>
64#include <openssl/err.h>
65#include <openssl/evp.h>
66#include <openssl/rsa.h>
67#include <openssl/sha.h>
68
69static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
70
71int
72RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash,
73 const unsigned char *EM, int sLen)
74{
75 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
76}
77
78int
79RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
80 const EVP_MD *Hash, const EVP_MD *mgf1Hash, const unsigned char *EM,
81 int sLen)
82{
83 int i;
84 int ret = 0;
85 int hLen, maskedDBLen, MSBits, emLen;
86 const unsigned char *H;
87 unsigned char *DB = NULL;
88 EVP_MD_CTX ctx;
89 unsigned char H_[EVP_MAX_MD_SIZE];
90
91 EVP_MD_CTX_init(&ctx);
92
93 if (mgf1Hash == NULL)
94 mgf1Hash = Hash;
95
96 hLen = EVP_MD_size(Hash);
97 if (hLen < 0)
98 goto err;
99 /*
100 * Negative sLen has special meanings:
101 * -1 sLen == hLen
102 * -2 salt length is autorecovered from signature
103 * -N reserved
104 */
105 if (sLen == -1)
106 sLen = hLen;
107 else if (sLen == -2)
108 sLen = -2;
109 else if (sLen < -2) {
110 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
111 RSA_R_SLEN_CHECK_FAILED);
112 goto err;
113 }
114
115 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
116 emLen = RSA_size(rsa);
117 if (EM[0] & (0xFF << MSBits)) {
118 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
119 RSA_R_FIRST_OCTET_INVALID);
120 goto err;
121 }
122 if (MSBits == 0) {
123 EM++;
124 emLen--;
125 }
126 if (emLen < (hLen + sLen + 2)) {
127 /* sLen can be small negative */
128 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
129 goto err;
130 }
131 if (EM[emLen - 1] != 0xbc) {
132 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
133 RSA_R_LAST_OCTET_INVALID);
134 goto err;
135 }
136 maskedDBLen = emLen - hLen - 1;
137 H = EM + maskedDBLen;
138 DB = malloc(maskedDBLen);
139 if (!DB) {
140 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
141 goto err;
142 }
143 if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0)
144 goto err;
145 for (i = 0; i < maskedDBLen; i++)
146 DB[i] ^= EM[i];
147 if (MSBits)
148 DB[0] &= 0xFF >> (8 - MSBits);
149 for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
150 ;
151 if (DB[i++] != 0x1) {
152 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
153 RSA_R_SLEN_RECOVERY_FAILED);
154 goto err;
155 }
156 if (sLen >= 0 && (maskedDBLen - i) != sLen) {
157 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1,
158 RSA_R_SLEN_CHECK_FAILED);
159 goto err;
160 }
161 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
162 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
163 !EVP_DigestUpdate(&ctx, mHash, hLen))
164 goto err;
165 if (maskedDBLen - i) {
166 if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
167 goto err;
168 }
169 if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
170 goto err;
171 if (memcmp(H_, H, hLen)) {
172 RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
173 ret = 0;
174 } else
175 ret = 1;
176
177err:
178 free(DB);
179 EVP_MD_CTX_cleanup(&ctx);
180
181 return ret;
182}
183
184int
185RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
186 const unsigned char *mHash, const EVP_MD *Hash, int sLen)
187{
188 return RSA_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, NULL, sLen);
189}
190
191int
192RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
193 const unsigned char *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash,
194 int sLen)
195{
196 int i;
197 int ret = 0;
198 int hLen, maskedDBLen, MSBits, emLen;
199 unsigned char *H, *salt = NULL, *p;
200 EVP_MD_CTX ctx;
201
202 EVP_MD_CTX_init(&ctx);
203
204 if (mgf1Hash == NULL)
205 mgf1Hash = Hash;
206
207 hLen = EVP_MD_size(Hash);
208 if (hLen < 0)
209 goto err;
210 /*
211 * Negative sLen has special meanings:
212 * -1 sLen == hLen
213 * -2 salt length is maximized
214 * -N reserved
215 */
216 if (sLen == -1)
217 sLen = hLen;
218 else if (sLen == -2)
219 sLen = -2;
220 else if (sLen < -2) {
221 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
222 RSA_R_SLEN_CHECK_FAILED);
223 goto err;
224 }
225
226 MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
227 emLen = RSA_size(rsa);
228 if (MSBits == 0) {
229 *EM++ = 0;
230 emLen--;
231 }
232 if (sLen == -2)
233 sLen = emLen - hLen - 2;
234 else if (emLen < (hLen + sLen + 2)) {
235 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
236 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
237 goto err;
238 }
239 if (sLen > 0) {
240 salt = malloc(sLen);
241 if (!salt) {
242 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
243 ERR_R_MALLOC_FAILURE);
244 goto err;
245 }
246 arc4random_buf(salt, sLen);
247 }
248 maskedDBLen = emLen - hLen - 1;
249 H = EM + maskedDBLen;
250 if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||
251 !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes) ||
252 !EVP_DigestUpdate(&ctx, mHash, hLen))
253 goto err;
254 if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
255 goto err;
256 if (!EVP_DigestFinal_ex(&ctx, H, NULL))
257 goto err;
258
259 /* Generate dbMask in place then perform XOR on it */
260 if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
261 goto err;
262
263 p = EM;
264
265 /*
266 * Initial PS XORs with all zeroes which is a NOP so just update
267 * pointer. Note from a test above this value is guaranteed to
268 * be non-negative.
269 */
270 p += emLen - sLen - hLen - 2;
271 *p++ ^= 0x1;
272 if (sLen > 0) {
273 for (i = 0; i < sLen; i++)
274 *p++ ^= salt[i];
275 }
276 if (MSBits)
277 EM[0] &= 0xFF >> (8 - MSBits);
278
279 /* H is already in place so just set final 0xbc */
280 EM[emLen - 1] = 0xbc;
281
282 ret = 1;
283
284err:
285 free(salt);
286 EVP_MD_CTX_cleanup(&ctx);
287
288 return ret;
289}
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
deleted file mode 100644
index 3a07a7af4a..0000000000
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ /dev/null
@@ -1,149 +0,0 @@
1/* $OpenBSD: rsa_saos.c,v 1.17 2015/07/19 18:29:31 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/bn.h>
63#include <openssl/err.h>
64#include <openssl/objects.h>
65#include <openssl/rsa.h>
66#include <openssl/x509.h>
67
68int
69RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
70 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
71{
72 ASN1_OCTET_STRING sig;
73 int i, j, ret = 1;
74 unsigned char *p, *s;
75
76 sig.type = V_ASN1_OCTET_STRING;
77 sig.length = m_len;
78 sig.data = (unsigned char *)m;
79
80 i = i2d_ASN1_OCTET_STRING(&sig, NULL);
81 j = RSA_size(rsa);
82 if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
83 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,
84 RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
85 return 0;
86 }
87 s = malloc(j + 1);
88 if (s == NULL) {
89 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
90 return 0;
91 }
92 p = s;
93 i2d_ASN1_OCTET_STRING(&sig, &p);
94 i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
95 if (i <= 0)
96 ret = 0;
97 else
98 *siglen = i;
99
100 OPENSSL_cleanse(s, (unsigned int)j + 1);
101 free(s);
102 return ret;
103}
104
105int
106RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
107 unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
108{
109 int i, ret = 0;
110 unsigned char *s;
111 const unsigned char *p;
112 ASN1_OCTET_STRING *sig = NULL;
113
114 if (siglen != (unsigned int)RSA_size(rsa)) {
115 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
116 RSA_R_WRONG_SIGNATURE_LENGTH);
117 return 0;
118 }
119
120 s = malloc(siglen);
121 if (s == NULL) {
122 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
123 ERR_R_MALLOC_FAILURE);
124 goto err;
125 }
126 i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
127
128 if (i <= 0)
129 goto err;
130
131 p = s;
132 sig = d2i_ASN1_OCTET_STRING(NULL, &p, (long)i);
133 if (sig == NULL)
134 goto err;
135
136 if ((unsigned int)sig->length != m_len ||
137 memcmp(m, sig->data, m_len) != 0) {
138 RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,
139 RSA_R_BAD_SIGNATURE);
140 } else
141 ret = 1;
142err:
143 M_ASN1_OCTET_STRING_free(sig);
144 if (s != NULL) {
145 OPENSSL_cleanse(s, (unsigned int)siglen);
146 free(s);
147 }
148 return ret;
149}
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
deleted file mode 100644
index db63c5f038..0000000000
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ /dev/null
@@ -1,255 +0,0 @@
1/* $OpenBSD: rsa_sign.c,v 1.24 2015/07/19 18:29:31 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/bn.h>
63#include <openssl/err.h>
64#include <openssl/objects.h>
65#include <openssl/rsa.h>
66#include <openssl/x509.h>
67
68#include "rsa_locl.h"
69
70/* Size of an SSL signature: MD5+SHA1 */
71#define SSL_SIG_LENGTH 36
72
73int
74RSA_sign(int type, const unsigned char *m, unsigned int m_len,
75 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
76{
77 X509_SIG sig;
78 ASN1_TYPE parameter;
79 int i, j, ret = 1;
80 unsigned char *p, *tmps = NULL;
81 const unsigned char *s = NULL;
82 X509_ALGOR algor;
83 ASN1_OCTET_STRING digest;
84
85 if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
86 return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
87
88 /* Special case: SSL signature, just check the length */
89 if (type == NID_md5_sha1) {
90 if (m_len != SSL_SIG_LENGTH) {
91 RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH);
92 return 0;
93 }
94 i = SSL_SIG_LENGTH;
95 s = m;
96 } else {
97 sig.algor = &algor;
98 sig.algor->algorithm = OBJ_nid2obj(type);
99 if (sig.algor->algorithm == NULL) {
100 RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
101 return 0;
102 }
103 if (sig.algor->algorithm->length == 0) {
104 RSAerr(RSA_F_RSA_SIGN,
105 RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
106 return 0;
107 }
108 parameter.type = V_ASN1_NULL;
109 parameter.value.ptr = NULL;
110 sig.algor->parameter = &parameter;
111
112 sig.digest = &digest;
113 sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
114 sig.digest->length = m_len;
115
116 i = i2d_X509_SIG(&sig, NULL);
117 }
118 j = RSA_size(rsa);
119 if (i > j - RSA_PKCS1_PADDING_SIZE) {
120 RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
121 return 0;
122 }
123 if (type != NID_md5_sha1) {
124 tmps = malloc(j + 1);
125 if (tmps == NULL) {
126 RSAerr(RSA_F_RSA_SIGN, ERR_R_MALLOC_FAILURE);
127 return 0;
128 }
129 p = tmps;
130 i2d_X509_SIG(&sig, &p);
131 s = tmps;
132 }
133 i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
134 if (i <= 0)
135 ret = 0;
136 else
137 *siglen = i;
138
139 if (type != NID_md5_sha1) {
140 OPENSSL_cleanse(tmps, (unsigned int)j + 1);
141 free(tmps);
142 }
143 return (ret);
144}
145
146int
147int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
148 unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf,
149 size_t siglen, RSA *rsa)
150{
151 int i, ret = 0, sigtype;
152 unsigned char *s;
153 X509_SIG *sig = NULL;
154
155 if (siglen != (unsigned int)RSA_size(rsa)) {
156 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
157 return 0;
158 }
159
160 if ((dtype == NID_md5_sha1) && rm) {
161 i = RSA_public_decrypt((int)siglen, sigbuf, rm, rsa,
162 RSA_PKCS1_PADDING);
163 if (i <= 0)
164 return 0;
165 *prm_len = i;
166 return 1;
167 }
168
169 s = malloc(siglen);
170 if (s == NULL) {
171 RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE);
172 goto err;
173 }
174 if (dtype == NID_md5_sha1 && m_len != SSL_SIG_LENGTH) {
175 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
176 goto err;
177 }
178 i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
179
180 if (i <= 0)
181 goto err;
182
183 /* Special case: SSL signature */
184 if (dtype == NID_md5_sha1) {
185 if (i != SSL_SIG_LENGTH || memcmp(s, m, SSL_SIG_LENGTH))
186 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
187 else
188 ret = 1;
189 } else {
190 const unsigned char *p = s;
191
192 sig = d2i_X509_SIG(NULL, &p, (long)i);
193
194 if (sig == NULL)
195 goto err;
196
197 /* Excess data can be used to create forgeries */
198 if (p != s + i) {
199 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
200 goto err;
201 }
202
203 /* Parameters to the signature algorithm can also be used to
204 create forgeries */
205 if (sig->algor->parameter &&
206 ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) {
207 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
208 goto err;
209 }
210
211 sigtype = OBJ_obj2nid(sig->algor->algorithm);
212
213 if (sigtype != dtype) {
214 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH);
215 goto err;
216 }
217 if (rm) {
218 const EVP_MD *md;
219
220 md = EVP_get_digestbynid(dtype);
221 if (md && (EVP_MD_size(md) != sig->digest->length))
222 RSAerr(RSA_F_INT_RSA_VERIFY,
223 RSA_R_INVALID_DIGEST_LENGTH);
224 else {
225 memcpy(rm, sig->digest->data,
226 sig->digest->length);
227 *prm_len = sig->digest->length;
228 ret = 1;
229 }
230 } else if ((unsigned int)sig->digest->length != m_len ||
231 memcmp(m, sig->digest->data, m_len) != 0) {
232 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
233 } else
234 ret = 1;
235 }
236err:
237 if (sig != NULL)
238 X509_SIG_free(sig);
239 if (s != NULL) {
240 OPENSSL_cleanse(s, (unsigned int)siglen);
241 free(s);
242 }
243 return ret;
244}
245
246int
247RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
248 const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
249{
250 if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
251 return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen,
252 rsa);
253
254 return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
255}
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
deleted file mode 100644
index 73262f29c1..0000000000
--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ /dev/null
@@ -1,151 +0,0 @@
1/* $OpenBSD: rsa_ssl.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include <openssl/bn.h>
64#include <openssl/err.h>
65#include <openssl/rsa.h>
66
67int
68RSA_padding_add_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
69 int flen)
70{
71 int i, j;
72 unsigned char *p;
73
74 if (flen > tlen - 11) {
75 RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
76 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
77 return 0;
78 }
79
80 p = (unsigned char *)to;
81
82 *(p++) = 0;
83 *(p++) = 2; /* Public Key BT (Block Type) */
84
85 /* pad out with non-zero random data */
86 j = tlen - 3 - 8 - flen;
87
88 arc4random_buf(p, j);
89 for (i = 0; i < j; i++) {
90 while (*p == '\0')
91 arc4random_buf(p, 1);
92 p++;
93 }
94
95 memset(p, 3, 8);
96 p += 8;
97 *(p++) = '\0';
98
99 memcpy(p, from, flen);
100 return 1;
101}
102
103int
104RSA_padding_check_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
105 int flen, int num)
106{
107 int i, j, k;
108 const unsigned char *p;
109
110 p = from;
111 if (flen < 10) {
112 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
113 return -1;
114 }
115 if (num != flen + 1 || *(p++) != 02) {
116 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
117 RSA_R_BLOCK_TYPE_IS_NOT_02);
118 return -1;
119 }
120
121 /* scan over padding data */
122 j = flen - 1; /* one for type */
123 for (i = 0; i < j; i++)
124 if (*(p++) == 0)
125 break;
126
127 if (i == j || i < 8) {
128 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
129 RSA_R_NULL_BEFORE_BLOCK_MISSING);
130 return -1;
131 }
132 for (k = -9; k < -1; k++) {
133 if (p[k] != 0x03)
134 break;
135 }
136 if (k == -1) {
137 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
138 RSA_R_SSLV3_ROLLBACK_ATTACK);
139 return -1;
140 }
141
142 i++; /* Skip over the '\0' */
143 j -= i;
144 if (j > tlen) {
145 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
146 return -1;
147 }
148 memcpy(to, p, j);
149
150 return j;
151}
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
deleted file mode 100644
index 2993b4028d..0000000000
--- a/src/lib/libcrypto/rsa/rsa_x931.c
+++ /dev/null
@@ -1,167 +0,0 @@
1/* $OpenBSD: rsa_x931.c,v 1.9 2014/10/18 17:20:40 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/bn.h>
63#include <openssl/err.h>
64#include <openssl/objects.h>
65#include <openssl/rsa.h>
66
67int
68RSA_padding_add_X931(unsigned char *to, int tlen, const unsigned char *from,
69 int flen)
70{
71 int j;
72 unsigned char *p;
73
74 /*
75 * Absolute minimum amount of padding is 1 header nibble, 1 padding
76 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
77 */
78 j = tlen - flen - 2;
79
80 if (j < 0) {
81 RSAerr(RSA_F_RSA_PADDING_ADD_X931,
82 RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
83 return -1;
84 }
85
86 p = (unsigned char *)to;
87
88 /* If no padding start and end nibbles are in one byte */
89 if (j == 0)
90 *p++ = 0x6A;
91 else {
92 *p++ = 0x6B;
93 if (j > 1) {
94 memset(p, 0xBB, j - 1);
95 p += j - 1;
96 }
97 *p++ = 0xBA;
98 }
99 memcpy(p, from, flen);
100 p += flen;
101 *p = 0xCC;
102 return 1;
103}
104
105int
106RSA_padding_check_X931(unsigned char *to, int tlen, const unsigned char *from,
107 int flen, int num)
108{
109 int i = 0, j;
110 const unsigned char *p = from;
111
112 if (num != flen || (*p != 0x6A && *p != 0x6B)) {
113 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_HEADER);
114 return -1;
115 }
116
117 if (*p++ == 0x6B) {
118 j = flen - 3;
119 for (i = 0; i < j; i++) {
120 unsigned char c = *p++;
121 if (c == 0xBA)
122 break;
123 if (c != 0xBB) {
124 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
125 RSA_R_INVALID_PADDING);
126 return -1;
127 }
128 }
129
130 if (i == 0) {
131 RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
132 RSA_R_INVALID_PADDING);
133 return -1;
134 }
135
136 j -= i;
137 } else
138 j = flen - 2;
139
140 if (j < 0 || p[j] != 0xCC) {
141 RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
142 return -1;
143 }
144
145 memcpy(to, p, j);
146
147 return j;
148}
149
150/* Translate between X931 hash ids and NIDs */
151
152int
153RSA_X931_hash_id(int nid)
154{
155 switch (nid) {
156 case NID_sha1:
157 return 0x33;
158 case NID_sha256:
159 return 0x34;
160 case NID_sha384:
161 return 0x36;
162 case NID_sha512:
163 return 0x35;
164 }
165
166 return -1;
167}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-23 23:16:20 +0000